[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
OVERSIGHT OF THE FEDERAL BUREAU OF INVESTIGATION, CYBER DIVISION
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON THE JUDICIARY
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
TUESDAY, MARCH 29, 2022
__________
Serial No. 117-60
__________
Printed for the use of the Committee on the Judiciary
Available via: http://judiciary.house.gov
_______
U.S. GOVERNMENT PUBLISHING OFFICE
57-420 WASHINGTON : 2024
COMMITTEE ON THE JUDICIARY
JERROLD NADLER, New York, Chair
MADELEINE DEAN, Pennsylvania, Vice-Chair
Majority:
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
STEVE COHEN, Tennessee
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
THEODORE E. DEUTCH, Florida
KAREN BASS, California
HAKEEM S. JEFFRIES, New York
DAVID N. CICILLINE, Rhode Island
ERIC SWALWELL, California
TED LIEU, California
JAMIE RASKIN, Maryland
PRAMILA JAYAPAL, Washington
VAL BUTLER DEMINGS, Florida
J. LUIS CORREA, California
MARY GAY SCANLON, Pennsylvania
SYLVIA R. GARCIA, Texas
JOE NEGUSE, Colorado
LUCY McBATH, Georgia
GREG STANTON, Arizona
VERONICA ESCOBAR, Texas
MONDAIRE JONES, New York
DEBORAH ROSS, North Carolina
CORI BUSH, Missouri
Minority:
JIM JORDAN, Ohio, Ranking Member
STEVE CHABOT, Ohio
LOUIE GOHMERT, Texas
DARRELL ISSA, California
KEN BUCK, Colorado
MATT GAETZ, Florida
MIKE JOHNSON, Louisiana
ANDY BIGGS, Arizona
TOM McCLINTOCK, California
W. GREG STEUBE, Florida
TOM TIFFANY, Wisconsin
THOMAS MASSIE, Kentucky
CHIP ROY, Texas
DAN BISHOP, North Carolina
MICHELLE FISCHBACH, Minnesota
VICTORIA SPARTZ, Indiana
SCOTT FITZGERALD, Wisconsin
CLIFF BENTZ, Oregon
BURGESS OWENS, Utah
AMY RUTKIN, Majority Staff Director & Chief of Staff
CHRISTOPHER HIXON, Minority Staff Director
------
C O N T E N T S
----------
Tuesday, March 29, 2022
OPENING STATEMENTS
The Honorable Jerrold Nadler, Chair of the Committee on the Judiciary from the State of New York
The Honorable Jim Jordan, Ranking Member of the Committee on the Judiciary from the State of Ohio
WITNESS
Bryan A. Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
Oral Testimony
Prepared Testimony
LETTERS, STATEMENTS, ETC. SUBMITTED FOR THE HEARING
Materials submitted by the Honorable Sheila Jackson Lee, a Member of the Committee on the Judiciary from the State of Texas, for the record:
An article entitled, ``Information for over 6,000 Memorial Hermann patients accessed in security breach,'' KHOU
An article entitled, ``Medical provider waited months to send patients letters about ransomware attack,'' KHOU
An article entitled, ``NBA's Houston Rockets Face Cyber-Attack by Ransomware Group,'' Bloomberg
An article entitled, ``Already in the midst of a crisis, a Houston hospital was attacked by ransomware,'' Data Breaches
An article entitled, ``Cyberattack briefly shuts down Humble ISD on first day of remote learning,'' KHOU
An article entitled, ``Landry's Warns Customers of Potential Data Breach,'' NBC DFW
Materials submitted by the Honorable Andy Biggs, a Member of the Committee on the Judiciary from the State of Arizona, for the record:
An article entitled, ``U.S. Deports High-Profile Hacker to Russia Before End of Prison Sentence,'' Wall Street Journal
A document entitled, ``Critical Infrastructure Sectors,'' CISA
An article entitled, ``Biden Actually Gave Putin a List of Critical Infrastructure Not to Carry Out Cyberattacks on in US,'' Townhall
An article entitled, ``Ratcliffe: Biden Handed Putin the Wrong List: `It Should Have Been a List of Our Targets' in Russia,'' CNSNews
An article entitled, ``Biden gave Putin green-light to cyberattack US when he listed 16 `off-limits' targets, experts say,'' The Sun
An article entitled, ``Biden's `off-limits' list for Russian cyberattacks criticized as `green light' to target everything else,'' Fox News
An article entitled, ``Russia may target U.S. business with cyberattacks, Biden warns,'' NBC News
An article entitled, ``Biden warns Russian cyberattacks `coming,' '' Politico
A document entitled, ``Statement by President Biden on our Nation's Cybersecurity,'' The White House
A document entitled, ``Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector,'' Joint Cybersecurity Advisory
A document entitled, ``TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS),'' FBI Private Industry Notification
Materials submitted by the Honorable Matt Gaetz, a Member of the Committee on the Judiciary from the State of Florida, for the record:
A photograph of a document entitled, ``United States Department of Justice Federal Bureau of Investigation Receipt for Property,'' Fox News
An article entitled, ``Documents appear to show Hunter Biden's signature on $85 receipt for repair of laptops left at Delaware store at center of email scandal--while other paperwork reveals FBI's contact with owner,'' Daily Mail
Materials submitted by the Honorable Sylvia Garcia, a Member of the Committee on the Judiciary from the State of Texas, for the record:
An article entitled, ``Port of Houston target of suspected nation-state hack,'' AP News
An article entitled, ``Sheldon ISD forced to pay nearly $207K after hackers targeted servers,'' ABC13
An article entitled, ``Information for over 6,000 Memorial Hermann patients accessed in security breach,'' KHOU
An article entitled, ``Durham Probe Reveals Government Access to Unregulated Data Streams,'' Wall Street Journal, submitted by the Honorable Dan Bishop, a Member of the Committee on the Judiciary from the State of North Carolina, for the record
APPENDIX
Hunter Biden's emails, submitted by the Honorable Matt Gaetz, a Member of the Committee on the Judiciary from the State of Florida, for the record
QUESTIONS AND RESPONSES FOR THE RECORD
Questions to Bryan A. Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation, submitted by the Honorable Eric Swalwell, a Member of the Committee on the Judiciary from the State of California, for the record
Questions to Bryan A. Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation, submitted by the Honorable J. Luis Correa, a Member of the Committee on the Judiciary from the State of California, for the record
OVERSIGHT OF THE FEDERAL BUREAU OF INVESTIGATION, CYBER DIVISION
----------
Tuesday, March 29, 2022
House of Representatives
Committee on the Judiciary
Washington, DC
The Committee met, pursuant to call, at 10:00 a.m., in Room
2141, Rayburn House Office Building, Hon. Jerrold Nadler [Chair
of the Committee] presiding.
Members present: Representatives Nadler, Lofgren, Jackson
Lee, Johnson of Georgia, Jeffries, Cicilline, Swalwell, Lieu,
Jayapal, Demings, Correa, Scanlon, Garcia, Neguse, McBath,
Stanton, Dean, Ross, Jordan, Chabot, Gohmert, Issa, Buck,
Gaetz, Johnson of Louisiana, Biggs, Steube, Tiffany, Massie,
Bishop, Fischbach, Spartz, Fitzgerald, Bentz, and Owens.
Staff present: Aaron Hiller, Chief Counsel and Deputy Staff
Director; Arya Hariharan, Chief Oversight Counsel; David
Greengrass, Senior Counsel; Moh Sharma, Director of Member
Services and Outreach & Policy Advisor; Jacqui Kappler,
Oversight Counsel; Roma Venkateswaran, Professional Staff
Member/Legislative Aide; Cierra Fontenot, Chief Clerk; Gabriel
Barnett, Staff Assistant; Merrick Nelson, Digital Director;
Christopher Hixon, Minority Staff Director; David Brewer,
Minority Deputy Staff Director; Tyler Grimm, Minority Chief
Counsel for Policy and Strategy; Stephen Castor, Minority
General Counsel; Ella Yates, Minority Member Services Director;
Elliott Walden, Minority Counsel; Michael Koren, Minority
Professional Staff Member; Andrea Woodard, Minority
Professional Staff Member; and Kiley Bidelman, Minority Clerk.
Chair Nadler. The House Committee on the Judiciary will
come to order. Without objection, the Chair is authorized to
declare recesses of the Committee at any time.
We welcome everyone to this morning's hearing on Oversight
of the FBI, Cyber Division.
Before we begin, I would like to remind Members that we
have established an email address and distribution list
dedicated to circulating exhibits, motions, or other written
materials that Members might want to offer as part of our
hearing today. If you would like to submit materials, please
send them to the email address that has previously been
distributed to your offices and we will circulate the materials
to Members and staff as quickly as we can.
I will now recognize myself for an opening statement.
This hearing could not be more appropriately timed.
Americans today live at a critical juncture in the history of
cybersecurity. Our schools, businesses, public safety, local
government, Federal government, public utilities, and critical
infrastructure all exist at a nexus of threats from cyber-criminals.
In the last year, we have experienced attacks that shut
down a gas pipeline along the eastern corridor, infiltrated
government email systems, and froze hospital networks during
the time of greatest need. To tritely describe the threat of
cyberattacks against the United States as simply great or high,
as we often do, minimizes the danger we face as a nation.
Ransomware attacks, in which a hacker encrypts a victim's
data and withholds the decryption key in exchange for a ransom,
have skyrocketed in recent years, with an estimated 105 percent
increase worldwide in 2021. American businesses, healthcare
institutions, and local government entities have borne the
brunt of ransomware attacks in the United States. An estimated
37 percent of businesses and over 2,300 schools, local
governments, and healthcare organizations were hit by
ransomware attacks in 2021.
Ransomware attacks against software companies, such as in
the attack against Kaseya, affect thousands of small business
clients who often feel the most pain from the destruction of
data, loss of business, and damage to customer trust. The
attack against software company Blackbaud, for example,
compromised thousands of downstream clients, like Christ
Hospital in Cincinnati and the Children's Hospital of
Pittsburgh.
Local government entities such as schools, county elections
offices, and police departments are often underfunded and
under-resourced. For many educators, the decision between
patching software systems and acquiring new textbooks is just
one of the many painful decisions they have to make in what is
often a thankless job. In these cases, a grant for new
technology can mean updating systems and increasing
accessibility, but also increasing risks with more
opportunities for hackers to exploit system vulnerabilities.
The Biden Administration has acted to turn the tide on the
ransomware and cyberattack threat and the FBI has played a
central role in shoring up our defensive position. It has even
begun recovering ransom payments from cyber-criminals as in the
case of Colonial Pipeline. These successes have not been
without controversy. After the attack on Kaseya, the FBI
withheld for weeks the decryption key it had recovered, which
left many downstream businesses without the tools they needed
to operate and cost those businesses many millions of dollars
that could have been avoided had the FBI provided it
immediately.
Many people also raised privacy concerns in the wake of the
attack on Microsoft Exchange. After the FBI discovered that the
individual networks of private companies had been compromised
by the Microsoft Exchange intrusion, it obtained warrants to
alter victims' systems without their knowledge or permission.
No sector needs more protection than our critical
infrastructure. In 2021, ransomware was used to attack 14 out
of 16 critical infrastructure sectors including agriculture,
financial services, energy, dams, and other often unseen, but
crucial industries, that buttress American lives and
businesses.
In February of 2021, an attacker attempted to poison the
water in Oldsmar, Florida. In 2017, Russian government-affiliated
cyber-attackers hacked a third-party contractor and
used the company's email to gain access to part of the American
electrical grid.
In April of 2021, Chinese State-affiliated hackers reached
New York's Metropolitan Transit Authority network potentially
exposing data and showcasing just how vulnerable our transit
operational systems could be to attack.
These are real threats. Blackouts and loss of electrical
service could cripple our country's economy and paralyze our
ability to respond to an attack. Without significant investment
in IT systems and training, these industries will remain
vulnerable.
The threat does not end there. State-affiliated cyber
threat actors from Russia, Iran, and China have engaged in
cyber espionage against our government and political systems,
accessing critical data and loitering on our servers. American
businesses have suffered breaches by cyber-criminals looking
for personal data to sell.
While the Russian invasion of Ukraine has not yet spilled
over into cyberattacks that affect governments and businesses
in the United States, President Biden has warned all Americans
of evolving intelligence that Russia may soon launch
cyberattacks against the United States. Our ability as a
country to respond to such an attack rests in the hands of the
FBI and its partner agencies. The Biden Administration has
encouraged businesses, large and small, to adopt a shields-up
posture to defend against cyber threats.
Because it is the security of private companies, those that
keep our lights on, provide life-saving healthcare and teach
our children that will determine the fallout from an attack, we
must all evolve to better protect our networks. This means
strengthening our cybersecurity systems by patching
vulnerabilities, training users how to recognize phishing
attacks, and increasing network cybersecurity protocols.
When we invest in our schools', local governments', and
healthcare systems' cybersecurity, we contribute to a safer
country. We live in a technologically-advanced Nation of early
adopters with private networks and the freedom to maintain our
networks however we choose. There is no easy way to mitigate
all cyber vulnerabilities in the United States, but by engaging
in meaningful oversight of our nation's cybersecurity defenses,
this Committee can ensure we are ready to meet any threat head
on.
I look forward to hearing from Assistant Director Vorndran
on what he and his colleagues at the FBI Cyber Division are
doing to keep our country safe and to engage in an important
discussion about the threats our networks face.
I now recognize the Ranking Member of the Judiciary
Committee, the gentleman from Ohio, Mr. Jordan, for his opening
statement.
Mr. Jordan. Thank you, Mr. Chair. Last week, the President
said a cyberattack from Russia is coming. What has the Biden
Administration been doing? They released Alexei Burkov, a
notorious Russian cyber-criminal.
Here is what has been said about Mr. Burkov. He is an asset
of supreme importance, one of the most connected and skilled
malicious hackers ever apprehended by U.S. authorities. What
did the Biden Administration do six months ago? Put him on a
plane headed to Moscow.
Cyberattack from Russia is coming the President said. What
has our Justice Department been doing? We know they have been
spying on Carter Page and not following the FISA rules. How do
we know that? Because Inspector General Horowitz has done two
different audits, two different reports that he has given to
us. Four hundred errors in 29 randomly-selected FISA
applications, 400 errors in 29 of them. In four of those 29
applications, there wasn't even a Woods File, which is the file
you keep that has the underlying supporting evidence for the
claims made in the application itself.
A cyberattack from Russia is coming the President said.
What has our Justice Department been doing? Not only ignoring
the FISA rules, but they also don't even follow their own
rules. We know that from a story two weeks ago where in
sensitive, investigator matters, special cases dealing with
First Amendment concerns, concerns when they are investigating
religious groups, investigating candidates, and investigating
government officials, or the press, 353 cases, 747 errors in
those cases. Not only are they not following the FISA rule, but
they also don't even follow their own darn rules. That is why
we sent a letter asking for the internal audit. We hope that
will be given to the Judicial Committee, Mr. Chair, so we can
look at that.
Cyberattack from Russia is coming the President said. A
week ago, what has been going on over at the Justice
Department? Well, we know this from Mr. Durham. They were
spying on President Trump's campaign. Mr. Durham just told the
court that last month. Tech Executive No. 1 was spying on not only
President Trump's campaign, but it looks like spying on him during
the transition period, and potentially even while he was
President of the United States.
Cyberattack from Russia is coming and of course, we learned
just four months ago what was our Justice Department doing?
What are they still doing? Spying on parents, treating moms and
dads as domestic terrorists. We had the Attorney General in
front of this Committee back in October and he misled this
Committee and said it wasn't going on, but we have now had a
whistleblower come forward and tell us it is, in fact, going on
so much so that there was an email sent to FBI agents with a
threat tag designation that you are supposed to put on parents
for simply showing up to school board meetings, voicing their
concerns about what is being taught to their children.
President Biden says a cyberattack from Russia is imminent,
it is coming, and what were 51 former intel officials doing
just a year and a half ago? They were telling us the whole
Hunter Biden story was false. They told us it was Russian
disinformation. The disinformation is what they told us,
something we need to check out. How 51 of them in days before a
presidential election, tell us a story that The New York Times
has now said was absolutely true. The laptop was true. The
eyewitness was real, and the emails and evidence and documents
were real as well.
I look forward to today's hearing, hearing from our
Witness, but I think a fundamental question we have got to ask
is how do you trust the Department of Justice to protect us
from cyberattacks when they have been spying on presidential
campaigns, spying on parents, telling us Hunter Biden was
Russian disinformation, and releasing the most notorious
Russian cyber-criminal we have ever had? The simple question I
am going to have for our Witness is why did we let him go? What
did we get for that? What kind of a trade--what kind of a--what
happened there?
Mr. Chair, I hope we get answers to these key questions and
hope, again, we have talked about this now for months, we hope
we can get the Attorney General back here to answer some
questions about this whole School Boards issue and some of the
other things I raised in my opening statement. With that, I
yield back.
Chair Nadler. The gentleman yields back. Thank you, Mr.
Jordan.
Without objection, all other opening statements will be
included in the record.
I will now introduce today's Witness. Bryan Vorndran has
served as Assistant Director of the Cyber Division of the FBI
since March of 2021. He joined the FBI as a special agent in
the Washington Field Office in 2003 and has held a variety of
positions since then including serving as part of the
International Contract Corruption Task Force in Afghanistan,
Unit Chief in Counterterrorism Division of FBI Headquarters,
and leading the Washington Field Office's Joint Terrorism Task
Force.
Mr. Vorndran also served as Assistant Special Agent in
Charge of the Cyber and Counterintelligence Programs at the
Baltimore Field Office, Chief of the Strategic Operations
section of the Counter Terrorism Division in Headquarters, and
later as a Deputy Assistant Director of the Criminal
Investigative Division.
Prior to assuming his current position, Mr. Vorndran served
as a Special Agent in Charge of the New Orleans Field Office.
Before joining the Bureau, Mr. Vorndran was an engineer for the
Procter & Gamble Company and for Merck & Company. He earned a
bachelor's degree in Civil Engineering from Lafayette College
and a Master of Business Administration from the Ross School of
Business at the University of Michigan.
We welcome our distinguished Witness, and we thank you for
participating today.
I will begin by swearing you in. I ask that you please rise
and raise your right hand. Do you swear or affirm under penalty
of perjury that the testimony you are about to give is true and
correct to the best of your knowledge, information, and belief
so help you God?
Let the record show that the Witness has answered in the
affirmative. Thank you and please be seated.
Please note that your written statement will be entered
into the record in its entirety. Accordingly, I ask that you
summarize your testimony in five minutes. To help you stay
within that time limit, there is a timing light on your table.
When the light switches from green to yellow, you have one
minute to conclude your testimony. When the light turns red, it
signals your five minutes have expired.
Mr. Vorndran, you may begin.
STATEMENT OF BRYAN VORNDRAN
Mr. Vorndran. Chair Nadler, Ranking Member Jordan, and
Members of this Committee, thank you for providing me this
opportunity to speak to you today about FBI cyber. Although the
FBI investigates a wide range of threats, we are here today to
talk specifically about the cyber threats facing our nation,
the FBI's place in the U.S. cybersecurity ecosystem, and the FBI's
valuable role in identifying, disrupting, and imposing costs on
America's cyber adversaries.
The FBI Cyber Division turns 20 years old this year and
over that time the American public has invested heavily to
ensure the FBI is staffed where it is needed most. Today, we
have more than 1,000 cyber-trained personnel spread across 56
field offices and more than 350 sub-offices, and we can now put
a cyber-trained agent on nearly any doorstep in this country
within one hour of an attack.
We have agents located in more than 70 countries working
with our global law enforcement and intelligence counterparts.
Some of these agents are dedicated to countering the cyber
threat full time, while others stand ready to support our cyber
mission.
Today, as you know, we are putting the FBI's decades of
expertise countering foreign intelligence and investigating
cyber threats in the United States to work against malicious,
Russian cyber activities. We do not do it alone. Our emphasis
on disrupting cyber adversaries, including through sharing
information and enabling our partners and our partners enabling
us, is part of the FBI's continued move away from an indictments
and arrests first mentality toward a playbook where we work
with government and industry partners around the world to
execute joint, sequenced operations and impose the greatest
possible costs on our adversaries.
As this Committee knows more than any other, sometimes an
arrest and prosecution is the most decisive disruption, like
earlier this month when we were able to bring cyber-criminal
Yaroslav Vasinskyi to the inside of a U.S. Federal courtroom
for his role in the Kaseya attack. The willingness of the
Justice Department and the FBI to publicly attribute and expose
damaging cyber intrusions by Russia, China, Iran, and North
Korea has undermined those governments' denials and created a
platform for U.S. allies to condemn destabilizing cyber
activity while also undermining our adversaries' operations.
Our focus though is investigating based on information we
obtain from all sources, victims, foreign intelligence
services, human sources, and our surveillance of adversary
infrastructure and then pushing it to whoever can do the most
good for victims here and cause the most harm to hackers
abroad.
At the risk of making some enemies on this Committee, I
will draw a comparison between the FBI's role in the cyber
ecosystem and an event I attended 30 years ago yesterday when
Duke beat Kentucky in the 1992 NCAA Men's Eastern Regional
Final. Sometimes we are Grant Hill throwing the pass and
sometimes we are Christian Laettner taking the shot. Having
said that, for the FBI to continue supporting our partners and
executing successful operations ourselves, we need your
support, even the Kentucky and North Carolina fans among you.
As one of our key oversight committees and allies, your
backing is crucial for our continued growth of authorities and
resources. First, we appreciate Congress' action to pass a
mandatory cyber incident reporting law. We are looking forward
to working with CISA and others to implement this legislation
in a way that enables law enforcement to use incident reports
to disrupt our cyber adversaries.
At the same time, we need to be postured to continue hiring
and retaining the right people to achieve our goal. At the FBI,
we have been working hard to identify ways to better attract,
train, and retain talented tech minds. Although we promote our
mission to the greatest extent possible, the calling to protect
the American people and uphold the Constitution does not equate to
paying off weighty student loans or entitle someone to a salary
competitive with what is available in the private sector. We
have found that our struggle to pay those minds market value, even
Federal government market value, is often a deal breaker. We
will continue to work with DOJ, OPM, the Administration, and
Congress to ensure we are able to properly pay and incentivize
our cyber workforce.
While we are trying to fill these seats with talent,
passion, and patriotism, we are seeing the cyber threat grow
exponentially and now it touches every program at the FBI.
Cyberspace is where Nation states go to learn our country's
secrets, it is where criminals are extorting billions of dollars,
and it is where wars are being waged. We are now at a critical
juncture. We must keep pace with the expansion of the tools at
our adversaries' disposal and we need to see the same sense of
urgency reflected in funding these programs through increases
in our base budget.
Yes, the people and technology the FBI Cyber Division needs
to keep pace with these adversaries are expensive. They are
essential investments because cybersecurity equates to national
security.
I look forward to working with this Committee on these
topics and several other issues important to the success of the
FBI and other U.S. government cyber programs.
Chair Nadler, Ranking Member Jordan, and Members of this
Committee, thank you again for inviting me here today and I
look forward to your questions.
[The statement of Mr. Vorndran follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Thank you for your testimony. We will now
proceed under the five-minute rule with questions and I will
recognize myself for five minutes to start off.
Mr. Vorndran, in September of last year, Howard University
was forced to shut down much of its web services after a
suspected ransomware attack took over its systems. K-12
schools are also enduring an increase in cyberattacks against
their systems. Ransomware attacks, in particular, surged last
year and continued in January. On average, education victims
pay over $100,000 in ransom payments to decrypt their data and
regain network access.
Why are schools and higher education institutions a growing
target? Who are the most common perpetrators of cyberattacks on
schools?
Mr. Vorndran. Sir, I am sorry, what was the second part of
your question?
Chair Nadler. Who are the most common perpetrators of
cyberattacks on schools?
Mr. Vorndran. Okay. Sir, what we found is that institutions
or organizations with low cybersecurity budgets, and I think
public schools for the most part would fall into that space,
not because they are not trying, but the resources that are
available to a K-12 school may be different than the resources
available to a multinational company. It is hard to keep up
with all the patching requirements, all the new operating
systems. So, what we see is cyber-criminals really preying on
targets of opportunity. We see these criminals looking for
opportunities more than precision attacks against one specific
entity or one specific sector. So, when those criminals find a
vulnerability in a traditional sector, they will continue to
exploit it in hopes that they can make a lot of money off it.
In terms of who the most common perpetrators are, the
bottom line is the most common perpetrators are cyber-criminals.
They are global, but the heaviest concentration is
through Russia and surrounding countries and the Russian
territories.
Chair Nadler. Thank you. In 2016, Russia attacked Ukraine's
Ukrenergo--I hope I pronounced that right--electrical network
succeeding in causing a blackout, but failing to destroy the
system. This attack was noteworthy because it was a case where
the perpetrator attempted to use software to permanently damage
hardware.
Can you describe for us how software could be capable of
destroying a hardware system? Do we know how many entities have
developed or are seeking to develop this capacity?
Mr. Vorndran. One of the questions we typically ask is: Is
there bleed over between what we would define as the IT and OT
systems, essentially the information technology and the
operational element of a company, of an organization, of an
entity. So, firmware and hardware, different than software,
still has the potential to have a lot of vulnerabilities that
can be exploited by cyber adversaries. So, the software bleed
over would really be a question of can the software being
exploited actually affect the operational component?
To your second part, it is a really, really challenging
question to answer what the scope and scale of those are. We
just would point back to the fact that undoubtedly cyber-criminals
are going to work to find vulnerabilities where they
can have the biggest impact, cause the biggest disruption, or
make the most money off those vulnerabilities being exploited.
Chair Nadler. It has been widely reported that on March
18th, the FBI warned the Federal government of Russian hackers
scanning the systems of five U.S. energy companies, as well as
other critical infrastructure. What is the significance of a
foreign power scanning networks in our energy sector? Have
instances of Russian scanning increased in the last month?
Mr. Vorndran. Sir, instances of Russian scanning have
increased. The significance of that is I would draw a
comparison to traditional crime. For a criminal to conduct a
bank robbery, it is undoubtedly true that the criminal is going
to likely conduct reconnaissance and surveillance to understand
when the bank may be open, when the bank may be closed, what
the security posture looks like. The scanning, as you
described it, really is a reconnaissance space to understand
what the net defense side of that company would look like and
whether there are vulnerabilities that can or cannot be
exploited. It is an extremely important part of the overall
attack cycle.
Chair Nadler. Thank you. My final question, can you explain
for us the different ways the FBI is expanding its responses to
cyber threats and how it can better serve victims of
cyberattacks?
Mr. Vorndran. Sure. We always encourage a couple of key
things. The first is to build a relationship with your FBI
Field Office. We are all over this country and international as
well. For companies in this country, organizations, K-12
schools would be included there, we encourage those entities to
build a proactive relationship with their FBI cyber squad in
their area. We would also encourage them to build a proactive
relationship with their CISA rep in the area because CISA is
going to be very helpful as well and has some helpful
resources.
Independently of the government, all those organizations
need to have a defined incident response plan. They need to
know who they are going to call in the moment they become a
victim. They need to know who their insurance company is, who
their attorney is, who they are going to call at the FBI, who
they are going to call at CISA. We recommend that those are
exercised every 90 days, not that they are drafted by a general
counsel and put on the shelf and never thought of again.
Then the third thing we say is if you do become a victim,
we would ask that you report. You can report to CISA. You can
report to the Bureau. It doesn't much matter to us. We will
synchronize on the back side to make sure that those companies
have the weight of the U.S. government.
In terms of things that we can do, sir, the list is
potentially endless. We have been asked to help with the media
before. We are willing to do that. We have been asked to help
with victim services, if somebody is not going to get a
paycheck, we are willing to do that. We have been asked to help
take servers offline. We are willing to do that. We have been
asked to simply take the indicators that compromise that are
provided by that organization's third-party incident response
firm and then move on to our investigation. We are happy to do
that. It really is a menu of options that we can provide in
that moment.
Chair Nadler. Thank you. My time has expired. Mr. Chabot.
Mr. Chabot. Thank you, Mr. Chair. It is estimated that the
FBI's Internet Crime Complaint Center received nearly 2,500
complaints in 2020 which represented a 20 percent increase over
the previous year. Over that same time, there was a 225 percent
increase in ransom payoffs from nearly $9 million in 2019 to
nearly $30 million in 2020. It actually may be a lot worse than
that because my understanding is if the payoffs that were
reported were $30 million, there is a number of experts who
believe it could be 10 times that amount, so we are looking at
$300-350 million. So, in other words, only one out of ten of
the incidents are even reported. Nine out of ten, they actually
pay off the criminals. That same report estimated that
cybercrimes, whether it is phishing or extortion or identity
theft or data breaches or botnets, that they all collectively
cost the American businesses, for all small businesses
especially employed by half the people in this country, about
$4 billion would be.
Again, the Chair mentioned the Colonial Pipeline attack
which my understanding is it was one of the most devastating
ransomware attacks in U.S. history. Eventually to contain that
attack, the Colonial Pipeline made the decision to pay over $4
million to the criminals. It turned out that the encryption
tool that was sent back to them in return for the payment
wasn't particularly helpful in restoring the functionality to
their networks which is my understanding oftentimes the case.
The good news, of course, is that the Department of Justice
was able to track and to seize roughly, my understanding, about
half of the payment that was made to the Russian-based hackers.
That still left about $2 million to the criminals to be used
against future victims of malware crimes. It is likely that the
figures I have just mentioned only represent the tip of the
iceberg of this ever-growing problem. Cybersecurity experts
estimate that ransomware victims made an average payment of
about $300,000 in 2020. They further suggest that when a
company made a ransom payment, less than one out of ten of them
actually regained access in a reasonable amount of time to
their hijacked data.
Undoubtedly cyberattacks are becoming more frequent. They
are having larger impacts and many, unsurprisingly, are
connected to the governments, as has been mentioned, of both
Russia and China.
So, Mr. Vorndran, let me get to my question. First, do you
agree that of their ill-gotten gains, the payoffs basically
that are made to these criminals, some significant portion of
that is likely to go towards targeting the next victim or
victims that they are not donating this money, they are not
donating it to the Red Cross or the American Cancer Society or
the Little Sisters of the Poor. It is more people, the public,
or businesses that are going to be targeted. Would you agree
with that?
Mr. Vorndran. Yes, sir.
Mr. Chabot. That is what I would like to focus on. We have
got to make cybercrime, particularly, the use of malware
extortion less lucrative, less profitable to these internet
thugs. How about making it illegal to pay them off? After all,
giving them money which we know they will use to go after the
next victim is sort of like aiding and abetting the next crime
in some ways. Would you agree with that?
Mr. Vorndran. Sir, if you are asking me if I think it is
right to make the paying of ransoms illegal, I don't think that
is a good decision. The reason is because it creates a triple
extortion model. So, in our current system, ransomware actors,
cyber-criminals can attack a company and hold an extortion or
payment to get a decryption key. They can also extort that
company or that organization to threaten to leak information,
PII of company employees or other sensitive information. That
is the second of the three extortions. If you make the paying
of ransoms illegal, you are creating a third extortion which
means that if a company chooses to pay and they have now broken
the law, then a cyber adversary has the ability to hold them
accountable for that in the public's eye and threaten them even
more with a higher extortion. So, we would actually recommend
that this is not the best decision, but that is certainly just
an FBI perspective.
Mr. Chabot. Okay, well, I think it is something that
certainly ought to be considered because what we are doing
right now certainly has not worked. They are still doing it.
They are getting more money than ever. Companies are actually
allowed to write off on their taxes a payoff. Is that correct?
Mr. Vorndran. Sir, I don't know the answer to that
question. I apologize.
Mr. Chabot. Well, they are. They can do it. I would argue
that it is against public policy to allow that to occur.
Then finally, some insurance companies, I understand,
actually advise their clients that paying off the blackmailer
is the cheapest course of action. Do you understand or have
heard that?
Mr. Vorndran. So, I think that--
Chair Nadler. The gentleman's time has expired. The Witness
may answer the question.
Mr. Vorndran. You want me to answer?
Chair Nadler. Yes.
Mr. Vorndran. Sir, in terms of advisement of an insurance
company to a victim, we think--what we hear is that companies
are put in a position to simply make a business decision.
So, when I go back to my position, before I joined the FBI
or Procter & Gamble and we made very large-scale manufacturing,
I was told, hey, Bryan, listen, an hour of downtime on this
manufacturing line equates to this much revenue, and I think
the business equation for any business that becomes a victim is
simply that.
If we're looking at restoring from backups taking 24, 48,
or 72 hours, and that equates to $4 million of lost revenue and
we can pay a ransom for $3 million, from a business decision,
it's actually cheaper to pay the ransom.
Now, to your first point, that just fuels the fire and that
just causes the criminal enterprise to grow stronger. So, it is
very much a vicious cycle.
Mr. Chabot. Thank you. I yield back, Mr. Chair.
Chair Nadler. The gentleman yields back.
Ms. Lofgren?
Ms. Lofgren. Thank you, Mr. Chair, and thank you, Mr.
Vorndran, for your testimony and for your appearance before the
Committee today.
Most computer systems and transactions with sensitive
information are encrypted in one way or another. I'm sure you
would agree that encryption is important to defending against
cyber threats and that cyber defenses without effective end-to-
end encryption are problematic.
Now, historically, the FBI has called for legally mandated
back doors to allow law enforcement access to encrypted
communications. Is this still the FBI's position and how does
that square so with the importance of encryption to effective
cyber defense and the risks of legally mandated back doors?
Mr. Vorndran. Ma'am, thanks for the question.
I am not an expert on lawful access as we define what
you're describing, but I'll do my best with your question.
When we talk about back doors, we're really talking about
should Federal law enforcement have the authorities through
court-approved warrants to see evidence on a device that is
critical to a criminal prosecution or--
Ms. Lofgren. Well, I understand that, but the question is
do we want to build in vulnerabilities to encryption to allow
that court order to be effective. We understand--we're the
Judiciary Committee. We understand court orders.
Mr. Vorndran. Yeah. I do think that it's important that law
enforcement has access to that data through official court
process.
Ms. Lofgren. Let me ask this. In ransomware attacks, if
hackers have locked companies and institutions out of their own
data and systems, now, in at least one instance, according to
the House Oversight Committee testimony, the FBI reportedly got
a decryption key on its own that could unlock a certain
ransomware but didn't provide the key to the victim, and
according to the testimony that I think you provided the FBI
repeatedly tested the decrypter in different environments and
this is--a quote of your testimony, to avoid introducing new
vulnerabilities and back doors into U.S. infrastructures.
Can you explain this? How might a decryption key create new
vulnerabilities?
Mr. Vorndran. Yes, ma'am. That's my testimony from
Oversight and Reform, I believe, in December with the National
Cyber Director, Chris Inglis.
So, that specific decryption key that you're referencing,
which is an open source as related to Kaseya, when we were able
to obtain that, we, obviously, don't go to Best Buy and
purchase that and have a trusted supply chain.
So, the way we're able to obtain that is littered with
potential points of vulnerability and criminal access to it.
So, when we were able to pull that, it's extremely important
that we put that through a testing environment to make sure
that it doesn't have any additional malware or create any
additional back doors, as you describe it, or vulnerabilities
as we implement it not just in Kaseya but in our downstream
environment.
Ms. Lofgren. Let me ask another question and it really goes
to something that the European Union has just done, which is to
require technology platforms to interoperate with other apps
and services, for example, requiring WhatsApp to connect and
communicate with other chat and messaging systems.
That's a laudable goal, I think, that everybody on the
Committee shares. A concern has been expressed in some areas
about the impact on cybersecurity.
Alex Stamos, who is at the Stanford Internet Observatory,
one of the leading cyber research facilities in the United
States, said this:
There's no way to allow for end-to-end encryption without
trusting every provider to handle the identity manager if the
goal is for all of the messaging systems to treat each other's
users exactly the same, and this is a privacy and security
nightmare.
I'm not asking you to comment on legislation you may not be
familiar with. Generally speaking, do you agree that requiring
private companies to connect and interoperate with other
entities could create new cybersecurity vulnerabilities,
especially if it reduces or eliminates end-to-end encryption or
other security measures that are in place?
Mr. Vorndran. Yes, ma'am.
Ms. Lofgren. What's the answer is, yes?
Mr. Vorndran. Yes.
Ms. Lofgren. Okay. I see that my time is expired, Mr.
Chair, and so I yield back. Thank you.
Chair Nadler. The gentlelady yields back.
Mr. Buck?
Mr. Buck. Thank you, Mr. Chair, and thank you for being
here. Mr. Vorndran.
I am trying to figure something out. What is the purpose of
these cyberattacks on Colonial Pipeline, JBS, SolarWinds, et
cetera, in a short summary?
Mr. Vorndran. Sure. Two different points.
So, on SolarWinds--I'm sorry, on JBS and on Colonial it's
pure financial gain for a criminal element. On SolarWinds the
best answer I can provide you, it's, obviously, Russia State-
backed activity to see what that software as a service and
supply chain attack could get them access to that would be of
interest to them.
So, perhaps, U.S. government information where SolarWinds
is a software platform in any number one of the departments,
but it would be an access point so that they could exfiltrate
or find information that's of interest to them.
Mr. Buck. So, there have also been attacks--cyberattacks on
OPM, on government agencies, gathering data about United States
citizens and former government employees or for other purposes.
I assume that some of the cyberattacks on banks, other
institutions, give the cyber-attackers the ability to gain
information about U.S. citizens.
Mr. Vorndran. Yes, sir.
Mr. Buck. I'm also assuming that at a time of war that
could be used to destabilize our country.
Mr. Vorndran. Certainly, that's one of the potential uses.
Yes.
Mr. Buck. So, we really have sort of two categories, if I'm
not mistaken, and I appreciate Mr. Chabot's questions about how
this money can be used to further the enterprise.
When Procter & Gamble makes toothpaste, they sell it and
they're going to be able to make more toothpaste. When these
folks receive money, they're going to be able to invest in
maybe more intricate equipment or more people and continue
their activities.
There's also this national security implication where you
have citizens are vulnerable as a result of all these--not all
these, but some of these attacks.
Mr. Vorndran. Yeah. I think that when we look at Russia
specifically and their targeting, but if you're okay with it,
I'll expand it to China as well--when we look at their
targeting of what I'll call personally identifiable
information, that is something that they're going to take back
and utilize to craft a more overarching campaign.
It's very hard for me to say what those are here in this
moment, not because it's classified or unclassified--we just
don't know how they're going to potentially use that
information.
I could come up with a use case in my mind that says
perhaps the Chinese are using it in the criminal underground to
generate income off US PII, right. I mean, there's any number of
use cases.
So, I think your terminology of destabilizing is absolutely
fair. It's very hard for me to be precise about exactly what
they're going to do with that information.
Mr. Buck. Well, here's the issue, I guess. We know that
part of a future war would be attacking the infrastructure of
another country, and so if Russia had the capability to shut
down our electric grid, airports, or whatever it is--our
banking system--if there was, in fact, a war--obviously, we all
pray there never is such a thing, but if there was that could
be.
It could also be to make sure that Thomas Massie, for
example, wouldn't have access to his bank account. There's a
lot of money in that bank account, I understand, and so if
there is that type of--and what I'm wondering is, is there that
type of individual capability to not just take out an
infrastructure system but also affect individuals, whether
they're in leadership positions in this country or not.
Mr. Vorndran. Yeah. So, we have seen leadership individuals
targeted precisely, right. We have seen the primary--you can
name them--Russia, China, Iran, North Korea--take precision
action to compromise an email account, to compromise, primarily
an email account, as I'm working through it in my head, of
people that we all know the names of in this country.
For the average American, what we see, both the State actor
side and the criminal side, is overarching campaigns have the
most disruptive capacity that they're capable of, not really
precision targeting of Mr. Massie's bank account, independent
of the amount of money that may be there.
Mr. Buck. Okay. Well, I'm sure he finds that comforting.
I guess my last question is what can Americans do?
Obviously, these major companies have staffs, and they can take
care of themselves, or maybe not. What can Americans do to
protect themselves from an attack like this?
Mr. Vorndran. Yeah. I mean, two basic things, right. Ensure
that your operating system on your home computer is upgraded to
the most current operating system, whether that's traditional
Microsoft or Apple, and number two is two-factor authentication
on all your accounts.
Never use the same email--the same password on any accounts
and--like, think about it this way, right. If people did open-
source research on me, they would understand where I grew up,
probably could get my wife's name, probably could get my
brother's name, probably could understand where I've lived,
where I've worked.
Well, that's, largely, what people use for their passwords.
So, if you do life-based profiling around that, you can really
narrow down how to break a password. So, really obscure
passwords and long passwords is very good advice.
Mr. Buck. Thank you for being here.
Mr. Chair, I yield back.
Chair Nadler. The gentleman yields back.
Ms. Jackson Lee?
Ms. Jackson Lee. Thank you, Mr. Chair, and, Mr. Vorndran,
thank you so very much. I've got a bunch of pithy questions, I
hope, and you will help me get it within the time frame that I
have.
First, I've introduced legislation, H.R. 2980, which is the
Cybersecurity Vulnerability Remediation Act, which has passed
the House, which gives your counterpart, DHS, working with you,
of course, and the FBI just the opportunity to be able to
mitigate against cybersecurity vulnerabilities and to know more
about ransomware attacks and ransom payments, something all our
agencies should ramp up.
We look to the FBI, we look to the Department of Defense
and Homeland Security, to really be our front line. So, as you
answer your question, I would just like your comment as to the
importance of that kind of efforts in various agencies that you
partner with.
I'm giving an answer to the answer, but if you would share
that in your answers, we'd come forward.
This is a question of vulnerabilities and so my question,
and I have a series of them, is to what extent the FBI can
provide early warnings of perceived vulnerabilities and/or
incursions.
Why don't I let you do that and then I have--trying to get
in a bunch before my time.
Mr. Vorndran. Sure. I'll be quick.
So, what you're describing is can the FBI or anyone else in
the U.S. government actually provide what we would consider
tactical warning of an imminent cyberattack. It's a very, very,
very hard threshold to meet.
What we consider currently in the current ecosystem is if
we have absolute strategic warning that Russia plans to hit us,
we will do our best among our interagency partners to provide
more real-time updates, as we already have, through specific
sectors.
Providing what I would call tactical warning that this is
imminent is going to be very, very hard because it assumes that
we see everything, and we don't.
Ms. Jackson Lee. Can you get in the ballpark sometimes?
Mr. Vorndran. We have been in the ballpark in the last
three weeks, yes.
Ms. Jackson Lee. The vulnerability question that I had and
agencies getting abilities to know more about ransomware and
vulnerability is that a good thing that they should be focused
on?
Mr. Vorndran. Anything that makes us stronger through
legislation in terms of information sharing, transparency,
understanding vulnerabilities we're absolutely in support of
and willing to look at.
Ms. Jackson Lee. What do you think about an affirmative Act
or affirmative responsibility, maybe legally, for the companies
that have been attacked to notice the FBI?
I knew that was a problem with Colonial. I was really
shocked how long they waited, or they hesitated. Obviously, it
was a new time frame. What do you think about that?
Mr. Vorndran. So, I think that through the legislation that
just passed Congress and the Senate in the last couple of weeks
through HSGAC, with the mandatory incident reporting bill, we
are hopeful that through the rulemaking period with CISA
specifically that we're able to get real-time access to the
reports that CISA is going to have access to through law, and
so we hope that we're able to accomplish that in the near term.
Ms. Jackson Lee. One of the bottom rock infrastructure or
bottom rock part of the infrastructure of democracy is voting.
In 2021, U.S. Cyber Command acknowledged that in 2020 it
launched an operation against the software TrickBot which posed
a danger to U.S. voting systems.
Are U.S. voting systems in continued danger from malware,
unlike other representations of individuals like TrickBot and
what is the scope of the malware threat going into the 2022
election season? Where is the FBI in this effort of prevention?
Mr. Vorndran. Yeah, absolutely. So, I want to be really
clear. For victims of what we would call cyber interference
operations, targeting election infrastructure, candidates, and
campaigns and other election-related victims, the FBI is lead
on the threat response side through PPD-41. We have two primary
functions there--victim and witness assistance and attribution.
In terms of vulnerabilities going into 2022, all I can say
is that it's something that we started talking about over a
year ago, and when I say we, at the interagency level to
include the agency that you referenced, and we are meeting
routinely on a regular basis to ensure that 2022 is a secure
election.
Ms. Jackson Lee. I would look forward to maybe a briefing
that is separate and distinct that focuses squarely on that
because that is the bedrock of democracy.
Mr. Vorndran. Sure.
Ms. Jackson Lee. We have already heard some accusations
that are far away from the truth but still speak to the issue
of violations dealing with voting.
So, thank you.
Let me just--you're not the Department of Defense, but can
Russia win a war with cyberattacks? Obviously, having just
listened this morning to Ukrainian parliamentarian women who
talked about the--just the sheer brutality and bloodshed and
butchering that's going on, can Russia now just move to cyber
efforts?
Mr. Vorndran. I mean, that's a really hard question for me
to answer, not because I don't want to, but I just don't know
the answer.
Ms. Jackson Lee. In your involvement with them and their
capacity.
Mr. Vorndran. Russia is one of the two most capable cyber
adversaries we face globally. Whether they have the ability to
completely destabilize our country and win a war is a whole
different conversation. They are a formidable foe.
Ms. Jackson Lee. Thank you.
Mr. Chair, I just want to introduce into the record four
articles dealing with cybersecurity, which maybe I'll get a
chance to talk about: The Rockets, Memorial Hospital medical
provider, UMCC--a hospital, as I indicated, cybersecurity.
I think there are one, two, three, four, five that I ask
unanimous consent to submit into the record on cyberattacks in
Texas and in Houston.
Chair Nadler. Without objection.
[The information follows:]
MS. JACKSON LEE FOR THE RECORD
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Mr. Biggs?
Mr. Biggs. Thank you, Mr. Chair.
Sir, thank you for being here today. I'm over here. Over
here.
Ms. Jackson Lee. Thank you.
Mr. Biggs. I don't know if you know anything about this,
but on March 21st, myself and several of my colleagues sent a
letter to Director Wray with regard to various issues, and I'm
wondering if you've come prepared to answer questions on his
behalf since he's chosen not to answer our questions.
Mr. Vorndran. Sir, I'm sorry. I didn't hear the last part.
Mr. Biggs. Have you come prepared today to answer questions
that any of my colleagues have--we have sent Director Wray
three letters within the last three weeks on--
Mr. Vorndran. You're referring to the--just so my prep
notes, I have a March 21st letter on the sensitive
investigative matter audit. Is that the one you're--
Mr. Biggs. Yes. Are you prepared to answer questions on
that?
Mr. Vorndran. I am not, sir.
Mr. Biggs. Okay. You are aware of that? Will you take back
to Director Wray that we expect an answer soon?
Mr. Vorndran. Yes, sir.
Mr. Biggs. Appreciate that.
Last June, President Biden gave President Vladimir Putin a
list of 16 critical infrastructure entities that are off limits
to a Russian cyberattack, and then a week ago President Biden
warned that a cyberattack is coming and is imminent. The
entities that he described in June were listed as critical
infrastructure entities.
According to CISA, the 16 entities included commercial
facilities, chemical communications, critical manufacturing,
dams, energy, defense, industrial base, emergency services,
financial, food and agriculture, government facilities,
healthcare and public health, information technology, nuclear
reactors, materials and waste, transportation systems, and
water and wastewater systems.
I think you're probably aware of that list that he provided
because it was in your documentation as well. So, giving a list
of entities that are off limits implies that all other entities
are fair game for cyberattacks, or maybe it is that we haven't
adequately protected other sectors.
As former DNI Ratcliffe suggested in a story that was--
included his comments about it was that he might accidentally
be suggesting that we have vulnerabilities in these areas.
Can you tell me what the President has done--what he's
directed you guys to do to protect these sectors or any other
area, for that matter, from cybersecurity threats?
Mr. Vorndran. Sir, I'll do my best with your question. The
President doesn't tell us anything, what we should or shouldn't
do.
What we have agreed upon internally within the FBI and our
interagency partners and the interagency partners that I think
are notable are Cyber Command.
Mr. Biggs. Hold on. Before you get there, it just occurs to
me that if he doesn't tell you anything to do, did you know
that he was going to give that list of sensitive sectors to
Vladimir Putin?
Mr. Vorndran. No, sir. I did not.
Mr. Biggs. Did anybody on your team know?
Mr. Vorndran. I don't know that answer.
Mr. Biggs. So, there was no communication, no briefing from
the White House, that he was going to share that list of
vulnerabilities?
Mr. Vorndran. Not--sir, not that made it to me.
Mr. Biggs. Okay. Okay. So, if you can give me a brief
response then, previously, as you were giving.
Mr. Vorndran. Sure. When we look at our primary interagency
partners--State, Treasury the folks at the Ford, CIA, et
cetera--we all have a very, very good working plan related to
the current threat streams about what our priority goals are.
So, there is extremely strong operational coordination
based on strategic and tactical intelligence that I think if
any of them were sitting here today in front of you, separate
from me, they would speak with confidence about what we're
prioritizing.
Mr. Biggs. Those 16 areas that President Biden listed off
to Vladimir Putin, have there been cybersecurity attacks or
breaches in any of those 16 areas since he's given those--that
list to Putin?
Mr. Vorndran. Sir, I don't know the answer to your
question. I apologize. I can certainly take that back and get
that answer for you. I just don't know in this moment.
Mr. Biggs. Okay. I wish you would let us know, and then
also if you can identify--since you don't know that you
probably can't answer the next question, which was have any of
those come from Russia.
So, if you can identify whether they're national actors or
other actors, if you can identify where those threats have come
from and those attacks have come from.
Are you aware of any other cyberattacks to any other
entities outside the 16 sensitive areas that the President
listed and gave to Vladimir Putin?
Mr. Vorndran. Yes, sir.
Mr. Biggs. Can you describe those, please?
Mr. Vorndran. Well, just off the top of my head, certainly,
we have software companies that have been targeted. I'm just
trying to go through my head over the past couple of weeks.
We, certainly, have--there are--sir, as I'm working through
this in my head in real time, there are compromises against
some of those 16 critical infrastructure sectors that you
mentioned. I can't speak specifically to which ones.
Mr. Biggs. You can provide that to the--
Chair Nadler. The time of the gentleman has expired.
Mr. Biggs. Well, Mr. Chair, can I just--I've got some
submissions for the record.
Chair Nadler. Yes.
Mr. Biggs. Thank you.
An article dated September 29th that said, ``U.S. Deports
High-Profile Hacker to Russia Before End of Prison Sentence'';
a series of CISA articles and notifications in memos, as well
as a piece by Leah Barkoukis entitled, ``MARCH 29, 2022 Biden
Actually Gave Putin a List of Critical Infrastructure Not to
Carry Out Cyberattacks on in US''; another piece entitled,
``Ratcliffe: Biden Handed Putin the Wrong List: `It Should Have
Been a List of Our Targets' in Russia.''
Another one on The Sun from June 18th, 2021, ``Biden gave
Putin green light to cyberattack U.S. when he listed 16 `off-
limit' targets, experts say.'' Another one entitled, ``Biden's
'off-limits' list for Russian cyberattacks criticized as `green
light' to target everything else.'' Another piece entitled,
``Russia may target U.S. businesses with cyberattacks, Biden
warns''; another piece entitled, ``Biden warns Russian
cyberattacks are coming,'' another official statement by the
White House and then a series of memos from--that are joint
Cybersecurity--
Chair Nadler. Without objection to everything you're
submitting.
Mr. Biggs. Okay. Got a whole bunch more. Thank you, Mr.
Chair.
Chair Nadler. Without objection.
[The information follows:]
MR. BIGGS FOR THE RECORD
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Mr. Johnson?
Mr. Johnson of Georgia. Thank you, Mr. Chair.
A ransomware attack struck the city of Atlanta in March of
2018, causing a disruption to municipal functions and affecting
critical sectors including the drinking water system, the
police department, the judicial system, and other critical
departments.
That attack cost taxpayers nearly $2.7 million in emergency
contracts to recover, and Mayor Keisha Lance Bottoms--then
Mayor Keisha Lance Bottoms later called on the Federal
government to, quote, ``expand programs that share real-time
threat information, which is often critical in avoiding and
mitigating threats,'' end quote.
Now, there are reports of, Mr. Vorndran, that the Federal
government's response to the Atlanta cybersecurity attack was
incredibly lackluster and prompted needed change.
How has the role of the FBI in responding to a municipal
government ransomware attack changed since 2018?
Mr. Vorndran. Sure, sir. Just my records do not indicate
that it was lackluster. In fact, the city of Atlanta engaged
the FBI and the U.S. Secret Service almost immediately. There
was actually a leaked ransomware note, certainly, not by the
FBI, that actually prevented the city of Atlanta from being
able to pay a ransom.
I would note that we have indicted two Iranians for that
activity. To your core question, listen, we strive for
perfection. I'm not saying we're always there, but we strive
for perfection.
Our goal in that moment is to provide any and all available
resources that accompany, in this case, a victim or, in this
case, a municipality city, is in need of.
As I've described, that can include taking a server
offline. That can include victim service support. That could
include support with the media or any number of other things.
To your question about sharing indicators, I think the
velocity of which we share indicators has definitely improved,
and that's not just an FBI statement. That's a U.S. government
interagency statement and, certainly, a goal of ours is to
improve the velocity even more.
Those are some of the foundational goals that we have when
we respond to a victim.
Mr. Johnson of Georgia. Thank you, sir. If Atlanta were to
happen again today, what would the FBI do differently than what
it did in response to the Atlanta attack?
Mr. Vorndran. Sure. Sir, so I, obviously, was not in
Atlanta when that happened so I'm not familiar with the inner
workings of that incident response.
In today's world, if the FBI received the call first we
would first contact CISA, and between CISA and the FBI, perhaps
Secret Service as well, we would go meet with the victim and to
the best of the victim's ability, in this case--use case
Atlanta--ask them what is going on and how we can help.
We, again, as the U.S. government there are certain
recommendations that we would have for anybody in this position
that Atlanta was in. Probably the most notable one is to
specifically identify a point of ingress and egress into and
out of the organization by the Federal government.
So, that could be CISA. That could be the FBI. That could
be Secret Service. That will help synthesize the flow of
information in this use case with Atlanta and the U.S.
government.
Mr. Johnson of Georgia. Thank you.
What role, if any, is there for the private sector when it
comes to attacks against governmental entities like
municipalities or government agencies? Is there room for the
private sector? Is there a need for the private sector?
Mr. Vorndran. Absolutely. The private sector is going to
see the threats almost--let's just say nine times out of 10 the
private sector is likely to see the manifestation of the threat
before the U.S. government because remember, when you have
these major multinational companies out there that are all U.S.
based--I don't want to name them in public testimony--but they
are the infrastructure that all of us ride on for our
networking needs and all of us means Americans at the household
level all the way up to the multinational corporation level.
So, they're going to be able to see activity very, very
quickly and so they have an absolutely enormous role, and I
think being part of the ecosystem in the last year has shown
that they have been willing to step very formidably into that
space to benefit the U.S. government and to benefit
victims.
Mr. Johnson of Georgia. Okay. I thank you for your
responses. My time has wound down and I yield back.
Chair Nadler. The gentleman yields back.
Mr. Massie?
Mr. Massie. Thank you, Mr. Chair. I'll tell the Witness
that I wasn't going to ask any questions today until he brought
up the Duke versus U.K. ball game from ancient history.
I do have some questions that I want to ask now. First, are
you aware of a piece of software named Pegasus that's provided
by NSO Group, Israeli software company?
Mr. Vorndran. Yes, sir.
Mr. Massie. Does the FBI use this program? It looks like
they had a license to it for $5 million.
Mr. Vorndran. Yes, so the FBI has not and did not ever use
the NSO products operationally or in any investigation. We did
buy a limited license for testing and evaluation. Those limited
licenses are part of our normal exploratory process to
understand what other technologies are out there, but, again,
we have never purchased it for use operationally or in an
ongoing investigation.
Mr. Massie. So, your division hasn't used this spyware
domestically?
Mr. Vorndran. No, sir.
Mr. Massie. Have you detected the use of this software
domestically?
Mr. Vorndran. Sir, there is reporting in the media about
Apple filing a lawsuit against NSO, and there is a lot of
information in that article. I can't comment further on your
question truly due to classification. If that is of interest to
you, we could consider a background briefing.
Mr. Massie. I would appreciate that very much. Thank you.
Executive Order 14028, called ``Improving the Nation's
Cybersecurity,'' requires agencies to adopt a zero-trust
architecture and to achieve certain goals by the end of fiscal
year 2024. The FireEye hack was possible because everybody
trusted that software. So, I think the zero trust architecture
has merit. Can you tell us if the Cyber Division has taken any
steps toward that Executive Order in adopting zero trust
architecture or promoting that?
Mr. Vorndran. Sure. So, I mean, when we look at 14028,
which is really tailored towards DHS's role in the
cybersecurity ecosystem, CISA would be responsible for
multifactor authentication recommendations, zero trust. We are
absolutely supportive of all those topline requests because
they do move us to a better security posture.
From a Bureau perspective, what we are focused on is that
the Executive Order should lead to more transparency between
government and private sector standard operating procedures for
incident response, alignment between the Bureau and CISA on
what incident response is and how to do it effectively.
Mr. Massie. One of the sort of Catch-22s or oxymorons that
I see in cybersecurity is, to be more secure, some platforms
and operating systems require real-time updates. In other
words, the argument is that, if you detect some kind of
vulnerability, you can push out the fix immediately to those
platforms. The problem is hackers use that as a vulnerability
in itself.
So, how do you view that tradeoff? You mentioned before
everybody should have the most recent operating system, and I
think that is good advice. Should we promote, allow, encourage,
or should we discourage operating systems that do their own
updates without user involvement, without sort of a two-factor
authentication, without some user sitting there saying, okay, I
will accept this update?
Mr. Vorndran. Sure. I mean, what you are describing is
exactly how SolarWinds was utilized to catalyze a downstream
attack in terms of a forced update.
What I would simply say is perhaps a third recommendation
for people in America, but for corporations, to have daily
backups. So, if that forced OS update or another update
compromises the system, you or your company has a within-24
backup that would allow you to restore fairly efficiently with
the most relevant data.
Mr. Massie. My final question, when it comes to security
audits, it seems like it is not such a great idea to let the
same vendors that are selling the software do the audits. Do
you think there is any merit into making sure that these audits
are legitimate audits, instead of sort of scripted--that the
vendor provides, the software vendor provides, and then, the
end user runs the script, and then, feels secure because now
they think they have audited it, but they really don't know
what is going on?
Mr. Vorndran. Yes, I just think--
Chair Nadler. The time of the gentleman has expired. The
Witness may answer the question.
Mr. Vorndran. Sure. I just think due diligence of vendors
in understanding your risk profile as an organization is
extremely important. That is based on your own variabilities.
The same conversation we have for doing business in China:
There is going to be risk. What is your risk tolerance and what
is your due diligence to put your organization in the best
position possible?
Mr. Massie. Thank you. I yield back.
Chair Nadler. The gentleman yields back.
Mr. Cicilline?
Mr. Cicilline. Thank you, Mr. Chair, for this hearing, and
thank you to our Witness for being here.
In recent years, we have seen an alarming number of
cyberattacks on our Nation's infrastructure, including election
systems, police departments, local governments, and hospitals.
In fact, a healthcare company in Rhode Island was affected this
year when a contractor of Care New England faced a cyberattack
that disrupted their payroll system, requiring Care New England
to pay its approximately 7,500 employees manually.
So, Mr. Vorndran, my first question is, what is it about
healthcare providers that the FBI and CISA, back in October of
2020, did an advisory warning of an increase in imminent cyber-
crime attack to the healthcare and public health sectors? So,
why is the healthcare industry such a lucrative target for
ransomware attackers, and what is the FBI doing to help
healthcare providers protect against this vulnerability?
Mr. Vorndran. Sure. I appreciate the question, and I say
that sincerely, sir, because it is an area that touches all of
us and people in our families and in our circles of friends.
What we would say is that we saw criminals, ransomware
actors, shamelessly trying to exploit the COVID-19 pandemic by
attempting to extract high payouts from targeted organizations,
like you said, such as hospitals. That can mean disruptions to
patient care are fully on the table to motivate a victim into
paying a ransom for their information or system access.
The reason is because, obviously, those hospitals are life-
safety-related, and hospitals in that scenario, faced with that
set of circumstances, are likely going to be more willing to
pay a ransom more quickly. So, it becomes a very, very target-
rich environment for a financially motivated criminal.
Last June, even on the Nation stateside, hackers sponsored
by the Iranian government compromised a children's hospital.
There are just endless lists of potential impact to hospitals
that cause deep, deep concern. We have a very, very strong
relationship with the American Hospital Association and with
the Health-ISAC, which is the Information Sharing and Analysis
Center for the health industry and the health sector. We are
very engaged with them in terms of pushing out indicators of
compromise that are specific or vulnerabilities that are
specific to software applications or supply chain software that
is meaningful to the healthcare industry.
So, sir, I hope that provides a good response to your
question.
Mr. Cicilline. Thank you. It does.
I want to just turn to election security. Director Wray
testified back in September of 2020 about his concern about
what he called smaller cyber intrusions and the steady drumbeat
of misinformation and its ability to undermine America's
confidence in our elections.
So, has the FBI seen indications of cyber misinformation
campaigns in the lead-up to the 2022 midterm election, and what
is the FBI doing to prepare for misinformation campaigns,
whether from foreign powers or from within the United States?
Mr. Vorndran. Sure, sir, I will answer your question in two
phases. One is about election security, and one is about
foreign influence.
So, I am previously on the record here today, but I am
happy to repeat it. On election security, from the FBI
perspective, it is all about cyber interference operations
targeting election infrastructure, candidates and campaigns,
and other election-related victims. From an FBI-centric
perspective, the FBI would have threat response lead through
PPD-41, which means that we would provide assistance to the
victims and the witnesses, and we would be squarely focused on
attribution.
More largely on foreign influence, the FBI has really
specific responsibilities and authorities. By design and
necessity, the FBI is just one part of the foreign influence
team. We follow the actor and the activity, and I think that is
really, really important to mention. The problem is, when an
actor masquerades as someone he or she is not and amplifies
disinformation through a coordinated campaign. Over the past
years, we have worked really, really hard to understand how we
can best provide information to our private sector partners, so
they can take appropriate action in terms of service
violations.
I just want to foundationally say this last point. I think
it is really important. The primary goal we have in foreign
influence is ensuring the respectful rights of U.S. persons. As
Americans, we have very broad rights to consume, create, and
spread information, and that is an underpinning of our
democracy. That is very, very important to keep intact.
Leading into the 2022 midterms, sir, we have already
started interagency conversations--they have been underway for
perhaps as much as six or seven months at this point--to ensure
that we are properly prepared if we face any types of threats
to the 2022 midterms.
Mr. Cicilline. Thank you very much. I yield back, Mr.
Chair.
Chair Nadler. The gentleman expired--or the gentleman's
time has expired. God forbid the gentleman expired.
Mr. Cicilline. I hope that wasn't a Freudian slip, Mr.
Chair.
Chair Nadler. The gentleman's time only has expired.
Mr. Issa?
Mr. Issa. Thank you, Mr. Chair. I want to stipulate for the
record the gentleman has not expired.
Director Vorndran, a couple of things, one of them that I
think is timely. Recently, The New York Times reversed its
position on the Hunter Biden laptop being fake or Russian
misinformation. Do you have any reason to believe that is
inaccurate, or would you support that it appears to be an
authentic--I know you have an investigation going--but that the
laptop itself appears to be authentic and always was?
Mr. Vorndran. Sir, I have no background on that
investigation. I am here to talk about the cyber program.
Mr. Issa. I just asked if you had any knowledge of it that
would cause us to believe that it was not authentic. If the
answer is no, that is fine.
Mr. Vorndran. No, sir.
Mr. Issa. Thank you.
Mr. Vorndran. Sir, let me go back. Just parsing words, if
you are asking me if I have any information on the
investigation, the answer is--
Mr. Issa. No, I got the answer I wanted, to be honest.
After 50 well-organized intelligence people, including former
CIA Directors and national security people, all said it was
fake, and we now know it is true, I just wondered if that was,
since that did affect an election, it was worth asking.
Mr. Vorndran. Sir, I want to be really clear. My answer to
your question is, from my perspective, do I have any knowledge
of that investigation--
Mr. Issa. Right. You said no.
Mr. Vorndran. No, sir. Yes.
Mr. Issa. Thank you.
So, moving on, when Russia hacked Viasat early in this
conflict, they hacked into what I would believe would have been
the infrastructure that would have been on the President's list
of 16. As we all here mostly know, Viasat also controls Air
Forces One and other related asset communications out of the
same area and facility that was hacked.
Would you agree to give us an appropriately classified
briefing on the level of penetration and the remediation that
has been done since that time to protect not only assets that
were hacked, but other assets that would be vulnerable,
potentially?
Mr. Vorndran. Yes, sir, I would be happy to do that.
Mr. Issa. Thank you.
Next, the President gave a list of 16 items that were off
limits. Can you give us at least one item that was not on that
list that you believe should be off limits to Russia hacking?
Mr. Vorndran. Sir, I mean, the 16 critical infrastructure
sectors are very, very broad and almost all-encompassing. I
would have to spend some time thinking about what is actually
is not on that list.
Mr. Issa. Would it be fair to say, maybe turning it around,
that the list should be: You may not hack the United States of
America, period?
Mr. Vorndran. Sir, I am not going to get into a
conversation about what the Administration--
Mr. Issa. No, no, no. I am asking what the standard should
be in accepting Russian hacking and disruption of any of our
systems. Is the standard supposed to be they don't do it?
Mr. Vorndran. Our role in this ecosystem is to investigate
when foreign adversaries, criminals, or nation-states
compromise U.S. networks, infrastructure, et cetera. That is my
specific role in this ecosystem.
Mr. Issa. Okay. As of today, currently, in the last 31
days, has a Russia-based organization hacked or tried to
interfere with any U.S. assets, to your knowledge?
Mr. Vorndran. Sir, can I consult with someone about what is
and isn't classified?
Mr. Issa. Oh, I just want to know whether there is an
existence of any activity by Russia. That seems to be broad
enough that it would fall outside of classified.
Mr. Vorndran. Sir, the threat from Russia in the criminal
sense, in the nation-state sense, is very, very real.
Mr. Issa. Current?
Mr. Vorndran. Yes, sir, very current.
Mr. Issa. Thank you. That is all I needed for today, was
the, quote, ``current.''
Mr. Vorndran. Yes.
Mr. Issa. The last question may be beyond your scope, but
it is important to everyone. Historically, when ransomware has
occurred from Russia, with some regularity, there have been
payoffs. Under current sanctions, wouldn't it, in fact, be a
payment to a Russian entity prohibited under U.S. sanctions,
and therefore, any payment would now be something that the U.S.
person should not be able to do?
Mr. Vorndran. Sir, that is a complicated question. Let me
do my best with it.
When we talk about sanctioned entities, there are a lot of
cyber-criminal entities in and around Russia that are not
currently sanctioned. So, a U.S. government or a U.S. victim,
person, or company, or organization that chooses to pay someone
affiliated with the Lapsus$ ransomware--
Mr. Issa. So, for the record, persons or entities, criminal
entities we may not know much about, that may or may not be
connected to the Soviet Union, or to Russia, could, in fact, be
getting payments, as we speak, based on those attacks, and that
could end up going to the same Russia that is murdering people
in Ukraine?
Chair Nadler. The gentleman's time has expired. The Witness
may answer the question.
Mr. Vorndran. So, the first part of your question, sir, is,
yes, there are people being paid over there right now. Whether
that money flows through to the regime, I am not in a position
to talk about that. I just don't have that information.
Mr. Issa. Could you give that to us for the record, if you
can find it?
Mr. Vorndran. Yes, sir.
Mr. Issa. Thank you.
Thank you, Mr. Chair. I yield back.
Chair Nadler. The gentleman yields back.
Mr. Lieu?
Mr. Lieu. Thank you, Chair Nadler, for holding this
important hearing.
Thank you, Assistant Director Vorndran, for your public
service and for answering questions today.
A few years ago, hackers in Germany listened in on my cell
phone conversations, and they tracked my movements from
California all the way to the House of Representatives. Now,
the good news is I had a heads-up that this might happen, as
part of an investigative report by ``60 Minutes'' on mobile
security. The bad news is that this problem has not been fixed.
It is known as the Security System No. 7 flaw, also known
as SS7 for short, and actually it stands for Signaling System
No. 7. It allows foreign governments and hackers to access your
cell phone data, exploiting a loophole in our wireless systems.
This past November, a telecom executive did a whistleblower
complaint saying that the NSO Group, a spyware firm, offered to
exchange bags of cash to access wireless systems to spy on
people. We sent the criminal referral to the FBI. I know that
you cannot comment directly on individual cases. So, I am going
to ask you some general questions.
In the last five years, has the FBI investigated cases
where the SS7 flaw was exploited to access cell phone contents?
Mr. Vorndran. Sir, all our information in FBI holdings on
SS7 is at a higher classification. I would be happy to have a
conversation with you in the right forum with that information.
Mr. Lieu. Does the FBI itself exploit the SS7 flaw to
access cell phone contents?
Mr. Vorndran. Sir, I am not in a position to answer that
question. I don't know the answer.
Mr. Lieu. Previously, Congressmember Massie asked you about
a briefing. I just want to make sure, will you commit to a
bipartisan briefing classified on Pegasus, the NSO Group, and
the SS7 issue?
Mr. Vorndran. Sir, yes, and if I can expand, it is very
important for me personally, as a representative for the cyber
program at the FBI, to keep that as an open invitation in both
directions between all of you and me, and from me to all of
you, that whatever information that you would want access to,
we would try to facilitate that.
Mr. Lieu. Thank you.
I am going to ask you a series of questions, and if you
could answer yes or no, and then, you can expound on it
afterwards. It is about infrastructure.
So, is it possible for hackers to take control of a dam and
do an uncontrolled release of water?
Mr. Vorndran. Yes, sir.
Mr. Lieu. Is it possible for hackers to take over a
chemical plant system and do a release of toxic gas?
Mr. Vorndran. Sir, just as a blanket statement, anything is
in the realm of possible, if the adversary has the right access.
Mr. Lieu. All right. Is it possible for a foreign
government or hackers to access a transit system, disrupt
railway signals, and cause trains to crash into each other?
Mr. Vorndran. I would imagine so, sir.
Mr. Lieu. Is it possible for a foreign government or
hackers to access an air traffic control tower or airplane
guidance systems and cause planes to crash?
Mr. Vorndran. I don't know that answer, sir.
Mr. Lieu. Okay. Is it possible for foreign governments and
hackers to access a wastewater treatment facility and cause a
release of harmful chemicals into the water?
Mr. Vorndran. To the best of my knowledge, yes, sir.
Mr. Lieu. All right. Does the FBI only investigate these
incidents, if it were to happen, after the fact or does it take
actions to tell these different infrastructure places how to
harden their systems?
Mr. Vorndran. So, when you look at the evolution of the
U.S. government in this space since mid-2018 when CISA in its
current form came into what we know today, I would divide it
into two tiers. When you look at the FBI role, as defined in
PPD-41, it is largely what we would call ``threat response.''
That is the term used in the documentation. What that means is
response to an incident; bilateral information intelligence
sharing with the affected entity, organization, company,
school, dam; it doesn't matter. CISA would be there primarily
to deal with the net defense remediation side, and that is what
is termed in PPD-41 as ``asset response.''
So, I would look at it as, what is on the operational
investigative side, that is the FBI. What is on the net defense
asset recovery side, that is CISA's responsibility. The
information sharing and what investigative can inform that
defense, or what on the net defense side can inform
investigation, is very synonymous.
Mr. Lieu. For the actual hardening of our infrastructure
against cyberattacks, is that something that the Department of
Homeland Security would be doing or is it the Department of
Defense?
Mr. Vorndran. So, the answer is both, depending on the
critical infrastructure sector. So, obviously, within the
Defense Industrial Base, DOD would have a very, very
significant role in that. Within the traditional 15 critical
infrastructure sectors, as defined in CISA's mission statement,
they would largely be on point for the hardening, what we would
call ``resiliency net defense.''
Mr. Lieu. Thank you. I yield back.
Mr. Vorndran. Sure.
Chair Nadler. The gentleman yields back.
Mr. Gaetz?
Mr. Gaetz. So, where is it, the laptop?
Mr. Vorndran. Sir, I am not here to talk about the laptop.
I am here to talk about the FBI cyber program.
Mr. Gaetz. You are the Assistant Director of FBI Cyber. I
want to know where Hunter Biden's laptop is. Where is it?
Mr. Vorndran. Sir, I don't know that answer.
Mr. Gaetz. That is astonishing to me. Has FBI Cyber
assessed whether or not Hunter Biden's laptop could be a point
of vulnerability, allowing America's enemies to hurt our
country?
Mr. Vorndran. Sir, the FBI Cyber Program is based off what
is codified in title 18, section 1030, of the Code, which talks
about computer intrusions, right, using nefarious intent
network--
Mr. Gaetz. Well, you have talked about passwords here.
Hunter Biden's password on his laptop was ``Hunter02.'' He
drops it off at a repair store. I am holding the receipt from
Mac's Computer Repair, where, in December 2019, they turned
over this laptop to the FBI. What now you are telling me right
here is that, as the Assistant Director of FBI Cyber, you don't
know where this is, after it was turned over to you three years
ago?
Mr. Vorndran. Yes, sir, that is an accurate statement.
Mr. Gaetz. How are Americans supposed to trust that you can
protect us from the next Colonial Pipeline if it seems that you
can't locate a laptop that was given to you three years ago
from the First Family, potentially, creating vulnerabilities
for our country?
Mr. Vorndran. Sir, it is not in the purview of my
investigative responsibilities.
Mr. Gaetz. That is shocking, that you wouldn't, as the
Assistant Director of Cyber, know whether or not there are
international business deals, kickbacks, shakedowns, that are
on this laptop that would make the First Family suspect to some
sort of compromise.
Mr. Assistant Director, have you assessed whether or not
the First Family is compromised, as a result of the Hunter
Biden laptop?
Mr. Vorndran. Sir, as a representative of the FBI Cyber
Program, it is not in the realm of my responsibilities to deal
with the questions that you are asking me.
Mr. Gaetz. Has anyone at FBI Cyber been asked to make
assessments whether or not the laptop creates a point of
vulnerability?
Mr. Vorndran. Sir, we have multiple lines of investigative
responsibility in the FBI. They are all available on public
source--
Mr. Gaetz. Well, I would think you would know this one. I
would think that, if the President's son who does international
business deals--referencing the now-President--with the
Chinese, with Ukrainians--have you assessed whether or not the
Hunter Biden laptop gives Russia the ability to harm our
country?
Mr. Vorndran. Sir, again, we can do this back and forth for
the next couple of minutes. I don't have any information about
the Hunter Biden laptop or the investigation--
Mr. Gaetz. Should you? You are the Assistant Director of
FBI Cyber.
Mr. Vorndran. By the block-and-line chart, no, sir, I
should not.
Mr. Gaetz. Who should? Who should we put in that chair to
ask questions about this laptop that FBI has had for three
years?
Mr. Vorndran. Sir, I am not in a position to make a
recommendation of who should sit here.
Mr. Gaetz. So, you don't have it? You don't know who has
it? You don't know where it is? You are the Assistant Director.
Earlier, you talked about whether or not you are the Grant Hill
or the Christian Laettner. It sounds like you are the Chris
Webber trying to call a timeout when you don't have one.
So, who is it? Do you even know who has it? Do you know who
we should put in that chair to ask these questions to?
Mr. Vorndran. No, sir, I don't know who has it.
Mr. Gaetz. Well, could you find out and tell us? You are
going to have to give us briefings, thanks to Mr. Lieu's and
Mr. Massie's question about whether or not the FBI was taking a
$5 million test drive on the Pegasus system that was being used
to target people in politics, people in government, people in
the media, people in American life. So, will you commit to give
us a briefing, as the Assistant Director of FBI Cyber, as to
where the laptop is; whether or not it is a point of
vulnerability; whether or not the American people should wonder
whether or not the First Family is compromised?
Mr. Vorndran. Sir, I would be happy to take your request
back to our office.
Mr. Gaetz. Gosh, will you advocate for that briefing as a--
Mr. Vorndran. Sure.
Mr. Gaetz. You will?
Mr. Vorndran. I will be happy to take your request back to
FBI headquarters.
Mr. Gaetz. Well, do you believe that this is a briefing
that the Congress is worthy of having, I guess?
Mr. Vorndran. Sir, I am not going to answer that question.
I am here to talk--
Mr. Gaetz. The invitation--no, sir.
Mr. Vorndran. The invitation says, ``Oversight of the FBI's
Cyber Division.'' It does not say anything about--
Mr. Gaetz. Well, right, but this is a cyber asset. This is
a point of vulnerability.
Mr. Vorndran. It is not a cyber asset.
Mr. Gaetz. If there are passwords, if there are business
deals, if there are references to things that could harm our
country--like you can't even sit here right now and say that
you know that there is not a point of vulnerability. Maybe
there are other crimes. Maybe there are tax issues, or
whatever. As it relates to the First Family sufficient cyber
infrastructure to protect? You don't even know if they are
compromised.
Tell you what, Mr. Chair. I seek unanimous consent to enter
into the record of this Committee the contents of Hunter
Biden's laptop, which I am in possession of.
Chair Nadler. I am not--
Mr. Johnson of Louisiana. There is no objection to that.
Mr. Gaetz. I have never had such an--
Chair Nadler. We will object, pending further
investigative--
Mr. Gaetz. What is the basis of that objection?
Chair Nadler. It is a unanimous consent request, and I
object, pending--
Mr. Gaetz. I have a subsequent question. Mr. Chair, I seek
unanimous consent to enter into the record the receipt from the
Mac shop--
Chair Nadler. It may very well be entered into the record
after we look at it further.
Mr. Gaetz. Mr. Chair, I have a subsequent unanimous
consent--
Chair Nadler. Ms. Demings is now recognized.
Mr. Jordan. He has got a second unanimous consent request.
Chair Nadler. Oh, I am sorry.
Mr. Gaetz. Mr. Chair, I seek unanimous consent to enter
into the record the receipt from the Department of Justice from
the Mac shop--
Ms. Demings. Mr. Chair, this is Ms. Demings. Am I next or--
Chair Nadler. Without objection.
[The information follows:]
MR. GAETZ FOR THE RECORD
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Now, Ms. Demings.
Ms. Demings. Thank you so much, Mr. Chair.
Thank you, Assistant Director Vorndran, for your patience,
your endurance, and most of all, for your service to our
Nation.
In a February 9th Advisory, FBI and partner agencies warned
about the continued prevalence of phishing emails, Remote
Desktop Protocol exploitation, and exploitation of software
vulnerabilities, as attackers' strategies for gaining access to
systems.
Assistant Director, could you tell me why these strategies
have been so effective, are so effective?
Mr. Vorndran. Ma'am, could you restate that question? I
missed a part towards the end. I just want to make sure I am
crisp on the answer.
Ms. Demings. Yes. Yes. Regarding the phishing emails,
Remote Desktop Protocols exploitation, exploitation of software
vulnerabilities, as attackers' strategies for gaining access to
systems, could you please tell us why these strategies have
been so effective?
Mr. Vorndran. Sure. Because Remote Desktop Protocol is
going to give any adversary direct access to,
essentially, command-and-control of a server of a user end
computer. That will give them the rights, the administrative
rights, to, arguably, do whatever they need to do to meet the
intent of their attack.
Ms. Demings. Which tactic, phishing emails versus software
exploitation, is most commonly used by cyber-attackers?
Mr. Vorndran. Ma'am, it is any of the above, based on what
is going to work. So, attackers will often look for broad
vulnerabilities and deploy multiple different tools or vectors
of attack to achieve their goal. So, it is very, very
challenging to say, statistically, which one is more prevalent.
The better question is, how have we, as a collective at the
American level, but also at the corporation level, armed
ourselves to defend against them?
Ms. Demings. Okay. Could you answer that question?
Mr. Vorndran. Sure. I mean, it is all about hygiene for
information security. I have mentioned a few of these, right?
Multifactor authentication, two-factor authentication for all
of us at home on general accounts; complicated passwords;
having active backups, those types of standard, what I would
call, hygiene, operating system, routine operating system
maintenance is very, very important.
Ms. Demings. What level of cooperation have you seen from
the private sector in terms of arming their systems and working
with you to do just that?
Mr. Vorndran. We have very, very strong relationships with
the private sector that crosscut pretty much every industry in
this country. I mentioned this earlier in my testimony. I think
the private sector has really answered the bell here in the
last year about coming and being part of solutions, because
they own a lot of the infrastructure that we all use to have
our daily access to the internet. So, they are seeing adversary
activity very, very quickly, and they have been a tremendous
part of the solution in the distant past, but really in the
recent past.
Ms. Demings. What other type of cyberattacks--or we talked
about the phishing emails; we talked about the software
exploitation--what other types of strategies did you see in
2021?
Mr. Vorndran. Well, we look at--there is ransomware,
botnets. I mean, the list goes on and on. Spear phishing is a
very, very important targeting tool that all the adversaries
use. It is not as simple to say that 80 percent of all cyber
intrusions occur because of spear phishing. I know that
statistic is out there, but there is a lot of
interdependencies, once an adversary has access to a system.
Really arming an organization or institution with understanding
what spear phishing looks like is a very, very helpful step for
any organization.
Ms. Demings. Thank you.
Mr. Chair, I yield back.
Chair Nadler. The gentlelady yields back.
Mr. Jordan?
Mr. Jordan. Thank you, Mr. Chair.
Mr. Vorndran, why did the Biden Administration release
Burkov?
Mr. Vorndran. Sir, Mr. Burkov was investigated by the U.S.
Secret Service, not by the FBI. I don't know specifics. What I
do know is that there was no swapper concession. It is my
understanding that his release--
Mr. Jordan. We didn't get anything for it?
Mr. Vorndran. Sir, to the best of my knowledge, there were
no swapper concessions.
Mr. Jordan. Well, why do you think we--you have said
Russia, your statements today, ``formidable foe,'' ``foremost
adversary,'' and the threat is current.
Mr. Burkov has been described as an asset of ``supreme
importance,'' ``one of the most connected and skilled malicious
hackers ever apprehended by U.S. authorities.'' You don't know
why we let him go?
Mr. Vorndran. No, sir, it is a Department of Justice
question. The FBI didn't have any--
Mr. Jordan. You are the Director of Cyber at the FBI in the
Department of Justice. It is part of the Department of Justice,
right?
Mr. Vorndran. Sir, yes, sir, it is, but, obviously, we are
our own agency--
Mr. Jordan. I read your bio, and other than the degree from
Michigan, it is pretty impressive. You have worked at FBI for
like 20 years, right? You have held all kinds of positions. You
are the Director of Cyber, and you can't tell me why we let the
most notorious Russian hacker go, and you don't know what we
got for it?
Mr. Vorndran. No, sir.
Mr. Jordan. Were you consulted?
Mr. Vorndran. It is not an FBI investigation.
Mr. Jordan. Well, you are the cyber man. Mr. Gaetz just
talked about it; you are the key guy. You are the guy the
Administration sent here today to talk about cyber, in light of
the fact that last week President Biden said the threat from
Russia is imminent. You have confirmed that today. You said it
is current; it is as we speak. You can't answer if it was a
good idea or not or whether you were consulted?
Mr. Vorndran. Sir, I don't actually--no, to your question,
I was not consulted.
Mr. Jordan. You were not consulted? Okay. Do you think it
was a good idea?
Mr. Vorndran. Sir, I am not in a position to comment on
that.
Mr. Jordan. The head of Cyber is not in a position to
comment, the guy in front of the Judiciary Committee, at a time
when the most formidable foe, our No. 1 enemy when it comes to
cyberattacks, with the threat that is imminent and current,
can't answer whether it was a good idea or not to release the
most notorious Russian hacker we have ever caught?
Mr. Vorndran. Sir, it was a Department of Justice decision
through the U.S. courts process, right? I would refer all the
questions on Mr. Burkov--
Mr. Jordan. Mr. Vorndran, why did you come? So, far today,
you have not been able to answer questions about Pegasus; you
can't answer questions about sensitive investigative matters.
Mr. Gaetz just went through the whole thing on Hunter Biden's
laptop. You couldn't answer any questions about that. Can you
answer questions about anything today? Can you answer a
question about the school board situation, spying on parents?
Do you know anything about that?
Mr. Vorndran. Just to correct the record, sir, I actually
did answer the questions to two Representatives about NSO
and Pegasus. To your point, I have not answered questions about
the Hunter Biden laptop or about the--
Mr. Jordan. Or the sensitive investigative matters.
Mr. Vorndran. I was just going to say that, if you would
let me finish--or about the sensitive investigative matter
audit.
Mr. Jordan. Do you know how many threat tags are on
parents? How many of the threat tags that say EDU officials
have been assigned? How many cases now have that threat tag
designation? Do you know anything about that?
Mr. Vorndran. Sir, no. All those questions should be
referred to the Department of Justice.
Mr. Jordan. Last week, in Mr. Biden's speech, he said this.
I mean, just to emphasize I can't figure this out. He said,
when he was talking to business leaders, ``The magnitude of
Russia's cyber capacity is fairly consequential and it's
coming,'' as we have talked about before, and as you have said
as well. ``We'll help you,'' saying to the business leaders,
``We'll help you any way to deal with cyberattacks.''
Do you think it helps the businesses who the President is
asking to do everything you can to shore up your systems, do
you think it helps to release the most notorious Russian hacker
we have ever apprehended?
Mr. Vorndran. Sir, I am not going to answer any questions
about Mr. Burkov. It is a Secret Service case. As I said, the
decision was made, to my understanding, through the ordinary
course of action by the U.S. courts.
Mr. Jordan. Well, you have agreed to give us briefings on
other issues. Do you think there is someone at the FBI who can
brief us on the Burkov situation?
Mr. Vorndran. Probably not, because it is not our case.
Mr. Jordan. Do you think there is a chance Mr. Burkov's
name was on the Hunter Biden laptop?
Mr. Vorndran. Sir, I have no idea.
Mr. Jordan. No idea? I mean, that says it all. That says it
all. Because we want someone in front of the Committee, as Mr.
Gaetz alluded to, we want someone here who can answer these
questions.
Our constituents come up to me and talk to me about the
school board situation. They come up and talk to me about the
Hunter Biden laptop. They talk about all this. They are
concerned with the fact that we had an FBI that has abused the
FISA process, looks like they have abused the sensitive
investigative matter process, and we have sent letters on it,
not to get a response.
By the way, we did send a letter to the Biden
Administration on the Burkov situation; asked them to respond
by five o'clock yesterday. Got no response from them. Then, the
guy we send today, the guy who comes in front of the Committee
today can't answer any questions about that, either.
It seems to me that would be the most important question
that we would want the Witness, Mr. Chair, to be able to
answer--is the whole, why did the United States of America let
go Aleksei Burkov? Why did we release him, put him on a plane
back to Moscow, when this is the biggest cyber threat we face,
is from Russia?
With that, Mr. Chair, I would yield back.
Chair Nadler. The gentleman yields back.
Ms. Scanlon?
Ms. Scanlon. Thank you. Over here.
Since 2015, we have seen foreign adversaries try to
manipulate our elections and national politics with false and
misleading information being shared online, and sometimes we
have seen domestic politicians amplify that disinformation, and
media hosts.
Using a mix of bots and organic posts on social media,
Russia, China, and Iran have spread or amplified disinformation
in a coordinated attempt to influence the outcome of both local
and federal elections. Can you talk to us a little bit about
why disinformation campaigns are so difficult to identify and
take down? How does the FBI work with public and private
partners to neutralize disinformation campaigns?
Mr. Vorndran. Sure. So, what you are primarily talking
about is what we would term ``foreign influence.'' I am on the
record already saying this, but I am happy to go through it
again.
The FBI has very specific responsibilities and authorities.
By design and necessity, the FBI is just one part of the
solution, among many other U.S. government partners.
It is important to note that we follow the actor and the
activity. The problem is when an actor masquerades as someone
he or she is not and amplifies disinformation through,
obviously, a coordinated campaign.
We have been working really hard over the past couple of
years to build relationships with private sector partners, so
that we can transparently and in a timely fashion take
appropriate action, allow those companies to take appropriate
action in line with their corporate terms of service. We do all
that we consider mindfully, legal process, as appropriate.
I think just underscoring all this is ensuring we are
respecting the rights of possible U.S. persons, as Americans
have had very broad rights to consume, create, and spread
information. So, that is our position on foreign influence as
an organization.
Ms. Scanlon. Okay. Yes, of course, there is the First
Amendment right to consume and spread information, but, of
course, we wish that our people in leadership positions would
not spread disinformation quite so freely.
I want to turn to something that has impacted some of the
retirees in my community, cyber fraud that has impacted some of
our seniors. One couple, in particular, in my district was
targeted by a cryptocurrency scam that, ultimately, defrauded
them of almost a million dollars in retirement funds.
So, it is a nationwide problem. According to the 2020 Elder
Fraud Report, of the 791,790 complaints reported to the FBI
Internet Crime Complaint Center in 2020, about 28 percent of
the total fraud losses were sustained by victims over the age
of 60, resulting in approximately a billion dollars in losses
to seniors. So, this is folks who have worked hard all their
lives and tried to save for retirement.
Can you tell us a little bit about how the FBI is working
to protect seniors from internet scams and what we could do to
help you in that quest?
Mr. Vorndran. Sure. I mean, the Department of Justice, for
as long as I can remember, has had a very, very keen focus on
what we would call elder care fraud and elder care abuse. That
is something that the FBI takes very, very seriously, because
they are among, like children, our most vulnerable.
The fraud schemes that are run against that population are
very, very vast, very complicated, and unfortunately, very
lucrative for the criminals. So, we have dedicated FBI agents,
dedicated analysts; Department of Justice has dedicated
prosecutors dedicated to this problem, and only this problem,
throughout the entirety of the country.
In terms of what you can do to help us, it is all about
awareness, right? I think that all of us who have elderly
people in our lives that may not understand the current trend
of technology and the vulnerabilities that poses are very, very
important from a messaging perspective.
Ms. Scanlon. Thank you.
In 2020, one of the counties that I represent was targeted
by a ransomware attack. The attackers extorted, I think it was
$25,000 in ransom, and it took months of staff time and
resources for the county government to recover from the attack.
So, we have seen these attacks against local governments,
and obviously, they have personal information of folks that
could be at risk. One of the wrinkles that we ran into was
trying to get insurance coverage back. I was wondering if the
FBI has any information about working with these private
insurance companies, or whatever. There were questions about
whether the FBI had negotiated with the ransom attack, and I
understand that is not the position of the FBI. Some insurance
companies are requiring that they appoint a negotiator. So, I
was wondering if you had any recommendations with respect to
that.
Mr. Vorndran. No, I don't, unfortunately. The insurance
industry is a difficult conversation for the Bureau, and
certainly, from a cyber perspective. So, those relationships
that really exist, exist between, generally, retained counsel,
a third-party incident response firm, and then, the insurance
company.
This is why exercising incident response plans are so
important to companies, so that they know what their insurance
company is or is not going to be looking for in that moment,
and they can plan for that effectively.
To look back on it as 20/20 hindsight, and offer a
recommendation, I really don't have one.
Ms. Scanlon. Okay. Thank you for that information.
I yield back.
Chair Nadler. The gentlelady yields back.
For what purpose does Mr. Gaetz seek recognition?
Mr. Gaetz. For a unanimous consent request.
Chair Nadler. The gentleman is recognized.
Mr. Gaetz. Thank you, Mr. Chair.
After a consultation with majority staff, I seek unanimous
consent to enter into the record of this Committee contents
from files from and copies from the Hunter Biden laptop.
Chair Nadler. Without objection.
Mr. Gaetz. Thank you.
[The information follows:]
MR. GAETZ FOR THE RECORD
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Gaetz. I yield back.
Chair Nadler. The gentleman yields back.
Mr. Johnson of Louisiana?
Mr. Johnson of Louisiana. Thank you, Mr. Chair.
Thank you for being here, Mr. Vorndran.
On page 6 of your written statement today, you concluded
this:
The most significant nation-state threats we face are those
from China, Russia, Iran, and North Korea . . . . They're
coming at us using every element of their national power, . . .
these adversaries become more sophisticated and stealthier.
That sounds pretty ominous. I know that you agree; I assume
you agree we are in a very dangerous time--I think it is
difficult to overstate it--because we have very serious and
fiercely committed foreign adversaries, right?
Mr. Vorndran. Yes, sir.
Mr. Johnson of Louisiana. President Biden said, several
days ago--Ranking Member Jordan noted it earlier--that a
cyberattack from Russia is coming, right?
Mr. Vorndran. Yes, sir, I believe that was in his
statement.
Mr. Johnson of Louisiana. So, here is the problem. Here is
one of the things that has concerned us, and therefore the
questions keep coming back to one of the issues that has not
yet been adequately addressed today. In spite of all that,
according to the records we now have, a significant amount of
DOJ time, attention, and resources is being used to monitor,
and we will say intimidate, the parents of American school
children who have the audacity to express concern over their
local school boards' decisions.
On October 4th of last year, Attorney General Merrick
Garland issued a memorandum, now-infamous memo, directing the
FBI and the U.S. Attorneys' Offices to investigate those
concerned parents. Since then, we have had more and more
information that has come to light about that directive, such
as the fact that the National School Boards Association worked
in conjunction with the White House to write the letter that
spurred Attorney General Garland's memorandum.
The NSBA's letter has led many State school board
associations to call its leadership into question. Many have
since removed their affiliation, including my home State and
the one where you spend a lot of time, Louisiana. They dropped
out.
Unlike the National Association, those local State
associations understand that parents can and should have a say
in their children's education. They have a right to closely
monitor school curricula. They have a right to try to influence
those choices as best they can. That is our system. That is the
beauty of it. It is not the government's job to raise our
children; it is the parents' job.
So, let me ask you a couple of general questions, because I
know what your responses, I anticipate what some of your
initial responses would be here. Let me ask you just out of the
gates: Do you think it is appropriate for any White House to
commission outside groups to make false or misleading claims
about its political adversaries?
Mr. Vorndran. Sir, I am not here to--
Mr. Johnson of Louisiana. I know. I know you are going to
say you are not here--I am not asking you in your official
capacity. I am asking you under oath, in your personal opinion,
as a general notion, is it okay for the White House to do that?
Mr. Vorndran. Sir, I am here in a personal and professional
capacity under oath because of my job.
Mr. Johnson of Louisiana. Right.
Mr. Vorndran. Okay. So, I am not going to comment on
anything related to the school board or really anything related
to the Administration.
Mr. Johnson of Louisiana. Let me ask you about your job. Do
you think it is appropriate for the Department of Justice,
where you work, to be influenced by a White House's actions in
a case like that?
Mr. Vorndran. Sir, the memo was issued by the Attorney
General, and I would defer all your questions back to him on
this topic.
Mr. Johnson of Louisiana. Oh, we would love to get him back
here, but he won't. He won't be called by the Democrats in
charge.
An FBI whistleblower revealed the Counterterrorism Division
is using threat tags against concerned parents. They were
labeled by some of the parties involved as domestic terrorists,
or at least analogized to them. They have categorized them into
the FBI system, so their so-called crimes could easily be
pulled up for investigation. That was the supposed
justification for it.
In general, does the FBI Cyber Division, your division,
engage in the practice of using threat tags?
Mr. Vorndran. Sir, when we talk about threats tags from a
cyber perspective, we could use the current system of Russia
activity and perhaps there would be a tag for that, so that we
could, we could find anything that's relevant. I can't honestly
answer the question right now about whether we're currently
using them or not.
Mr. Johnson of Louisiana. Why not?
Mr. Vorndran. Sir, we have thousands of investigations in
the cyber ecosystem. I just don't know the answer.
Mr. Johnson of Louisiana. The threat tag is a tool that you
use in your division, right?
Mr. Vorndran. I, sir, I don't know that answer, if I'm
being very honest with you. I don't know if we use them in our
division or not.
Mr. Johnson of Louisiana. How many active or closed
investigations does the FBI Cyber Division have regarding any
parents who have voiced concerns at school board meetings, or
via social media, about their children's education?
Mr. Vorndran. Sir, how many active or closed investigations
does the FBI Cyber Division have on school board matters?
Mr. Johnson of Louisiana. On parents. Parents who have come
up on the threat assessment somehow for expressing their views
about their children's education in social media or at school
boards.
Mr. Vorndran. Sir, I don't know that answer.
Mr. Johnson of Louisiana. Who would know that answer? There
is a lot of answers you don't have for us today, and you are
the Assistant Director of the Cyber Division. Who has that
information?
Mr. Vorndran. I mean, organizationally, we probably have
that information. I mean, again, all these questions need to be
directed back to DOJ.
Mr. Johnson of Louisiana. I wish somebody from DOJ would
send the appropriate party here.
Chair Nadler. The gentleman's time--
Mr. Johnson of Louisiana. I yield back.
Chair Nadler. The gentleman yields back.
Mr. Swalwell?
Mr. Swalwell. Thank you, Chair.
Thank you, Director.
We have a very capable adversary in Russia with capable
cyber and nuclear abilities. Europe has seen the largest
invasion since World War II. Millions of refugees are on the
run. Russia could move farther west. I am sorry that, despite
the serious job you have and the serious background that you
bring, that you have been treated to unserious questioning by
some of my colleagues. It is like a ``Greatest Hit'' channel on
Sirius radio of Hillary's emails, Hunter Biden's laptop, and
school board meetings.
What I want to talk to you about are private sector
vulnerabilities right now, in light of what the President said
about Russia. What letter grade would you give America's
private sector readiness as far as a cyberattack that Russia
could bring?
Mr. Vorndran. That's a really tough question to answer, but
I think that the dialog between the U.S. government and the
private sector, especially what we would consider high
vulnerability sectors--finance, energy, these type of sectors--
I would score them very high in terms of preparedness.
That is never going to guarantee absolutely 100 percent
success, but to say that they're engaged with the current
threat picture, that they understand the current threat
picture, and that they're trying to be helpful to the United
States and their fellow companies and their fellow citizens is
an accurate statement.
Mr. Swalwell. Do you agree with former Cisco CEO John
Chambers who predicted that the year 2022 would bring
approximately 120,000 private sector and public sector
ransomware attacks, to the tune of $60,000 for each attack, as
far as the cost to the public and private sector?
Mr. Vorndran. When was that statement made?
Mr. Swalwell. It was made in the fall of 2021.
Mr. Vorndran. Yeah. The current ransom--I believe our
numbers--so, our data is only about 20-25 percent complete
because of the number of complaints/referrals that we receive.
I think, based off of that data, the current ransom payment is
actually higher than that threshold already. That number of
victims is hard to say one way or the other, but I think that's
within the realm of possibility for--
Mr. Swalwell. Because, right now, there is no requirement
that a victim actually notify you that they have been hit?
Mr. Vorndran. Right.
Mr. Swalwell. Now, it is pretty clear in what we have seen
from Russian ransomware attackers, is it that they want to make
it clear, when they are seeking a high ransom, that they are
not associated with the Russian government, because they know
that, if there is any link, then that prohibits the private
sector's ability to pay because the Russian government, many of
them are on the sanctions list.
As we continue to cripple the Russian economy, though, what
are we going to do as more and more Russian actors who are
unable to support themselves and their families resort to
ransomware as a means to try and make money? How are we going
to make sure that our private sector is not inadvertently
paying a ransom that violates the sanctions? I just worry
that--
Mr. Vorndran. Yeah.
Mr. Swalwell. --we could be a victim of our own success in
that realm, and then, put the private sector in a tough
position.
Mr. Vorndran. Sure. I mean, when you look at OFAC's
guidance, it specifically says one of the most important
mitigation criteria is whether the victim, the company, has
engaged federal law enforcement prior to paying the ransom. The
reason for that is that we can very much help that entity who's
having a bad day understand who they're paying, and whether
that is a sanctioned entity. That is looked at as a very, very
significant point of mitigation from a Treasury perspective.
So, that really just draws me back to the need to report is
not just so the FBI and my world has the information. There are
specific things we can do to better position a company, an
organization, who is a victim in that moment, to ensure in this
case, in your question, that they're not paying a sanctioned
entity.
Mr. Swalwell. Director Wray, at the House Intelligence
Committee hearing recently, said that, within about, I think he
said an hour or less, if you report a ransomware attack, you
could have an agent there to assist you.
Could you just kind of describe what that agent would do?
Also, maybe address some fears that the Bureau would be looking
at other nonransomware parts of the business, that a business
may be uncomfortable with the Bureau looking around.
Mr. Vorndran. Sure.
Mr. Swalwell. I mean, we want our businesses to report and
have the benefit of your resources, but can you just talk about
what that looks like, when you get a call?
Mr. Vorndran. So, I mean, when we, when we show up at a
doorstep, a lot of the conversation is about what the victim
company is seeing; when their initial compromise occurred. Do
they have indicators of compromise? Are they seeing tactics,
techniques, procedures, malware signatures, these things of
information? Are there life-safety matters that have been
compromised, in the case of a hospital?
Then, it really becomes an information-sharing proposition,
and what services we can or cannot provide. What it is not in
any way is asking us to sit behind a keyboard with
administrative access to say, ``Give us unfiltered access to
your system, so we can do what we want to do.'' I look at it as
a bilateral exchange in a moment of need. That moment of need
has benefits to the organization, the victim; that having us
engage early can definitely help in the short term and long
term.
If a company wants to bring us in and say, ``Hey, can you
just walk through this journey with us?'' and then, in a day or
in two days, we'll give you the evidence that our third-party
incident response room has obtained, we're absolutely fine with
that. So, I very much look at it as a malleable engagement to
serve multiple priorities.
Mr. Swalwell. Great. Thank you.
I yield back.
Chair Nadler. The gentleman yields back.
Mr. Steube?
Mr. Steube. Thank you, Mr. Chair.
While much has been said about cyberattacks coming from
Russia and China today, Mexico is also a growing cyber threat.
Mexican cartels have increased their involvement in
cybercrimes. For instance, the Bandidos Revolutions team stole
nearly $15 million from financial institutions in 2018. Drug
cartels are increasingly buying synthetic opioids using the
dark web.
Do you agree, yes or no, the Mexican cybercriminal
organizations are a growing threat?
Mr. Vorndran. I would just say the Mexican cyber or Mexican
criminal cartels have always been a threat and will use
whatever means they need to financially grow. So, yes.
Mr. Steube. To make matters worse, these Mexican criminal
organizations can gain physical access to the United States. We
have had over two million illegal crossings since Joe Biden has
been President. We had 160,000 illegal crossings last month. We
are on pace to get 200,000 illegal crossings on the southern
border.
The ongoing border crisis is putting Americans at risk in
countless ways, including cybersecurity. Month after month, we
have seen increased illegal border crossings since Biden took
office.
Do you agree, yes or no, that the ability of the Mexican
cyber-
criminals to physically enter the United States make them an
increased threat?
Mr. Vorndran. Sir, I'm not here to talk about Southwest
border crossings by the cartels. I'm here to specifically talk
about computer intrusions using network architecture to
catalyze a cyberattack.
Mr. Steube. Yes, but you just said that--and correct me if
I am wrong--that Mexican cartels are a cyber threat, correct?
Mr. Vorndran. Mexican cartels, to the best of my
understanding, right--and this is not my area of expertise at
all, right? Specifically, to the dark web, which you
referenced, there is, in my investigative portfolio, activity
on, investigative activity on the dark web. Yes, there are
synthetic opioids and other drugs sold on there, which
undoubtedly, come back to the cartels.
Mr. Steube. So, wouldn't you agree, as a law enforcement
official, that if you have those individuals illegally
operating in your country, that is more a threat to the union
than it would be if they were operating in Mexico?
Mr. Vorndran. Sure. Cartel activity in the United States
is, obviously, not helpful in any way.
Mr. Steube. So, the more cartels and illegals and folks
that come across the border that are operating in the dark web,
doing these types of things as it relates to drug activity, is
obviously not helping the United States and hindering law
enforcement efforts, and increasing the amount of fentanyl and
criminal activity that would occur in our country?
Mr. Vorndran. Sir, again, I'm here to talk about the cyber
program, right? If you want to talk about the--
Mr. Steube. Well, we are talking about cybercrimes and
related--
Mr. Vorndran. If you want to talk about the dark web
specifically, right, there is activity on the dark web related
to opioids and every other illegal narcotic, illegal drug,
that's consumed in this country. That, those drugs that are
provided on the dark web are sourced, to the best of my
knowledge, both domestically and internationally, right? Do
some of them come back to the cartels? I would presume yes.
Mr. Steube. How long have you been in law enforcement?
Mr. Vorndran. Nineteen years.
Mr. Steube. So, in your 19 years of law enforcement
experience, if you have a bad guy operating in a different
country on the internet versus operating here in this country
domestically--again, we are talking cyber--knowing what things
are going on in Texas, knowing what is happening in the United
States, knowing what is going on here in our country, don't you
think that this is an increased threat to the safety and
security of the American people versus them being in Mexico and
not coming into our country domestically?
Mr. Vorndran. Yeah, they are, but in the traditional drug
world, right, that you're describing, they are distribution
channels to users here in the country. So, yes, they are not a
mandatory--they are a necessary element of the supply chain.
Mr. Steube. All right. Switching subjects quickly, big
tech. As has been discussed today, cybercrimes are growing at
an alarming rate in a wide variety of activities. While some
take place entirely on the dark web or involve sophisticated
hacking operations, many occur on common online platforms like
Facebook and Twitter. Such crimes can involve the exploitations
of children; communication and coordination between terrorists
or cartels, and even the organization of smash-and-grab thefts.
If an online brick-and-mortar business openly serves as
meeting space for criminal organizations, that business and its
owners may face criminal liability. At what point do online
platforms, like Facebook and Twitter, face criminal liability
for openly allowing criminal conduct on their platforms?
Your mic is not on.
Mr. Vorndran. I apologize, sir.
I don't know the answer to that question. I have to
apologize; I truly don't know the answer to that question.
Mr. Steube. So, can you get us--so, aren't you the head of
cybersecurity for the FBI?
Mr. Vorndran. Not for cybersecurity, sir, no.
Mr. Steube. So, what is your position title exactly?
Mr. Vorndran. Investigations on the cyber system and--
Mr. Steube. Investigations on the cyber system, and you
don't know--
Mr. Vorndran. If you want--
Mr. Steube. --if crimes committed on online platforms, say,
child porn, child exploitation, that there is no liability on
behalf of the platforms that allow that activity to--
Mr. Vorndran. Sir, the reason I--
Chair Nadler. The gentleman's time has expired. The Witness
may answer the question.
Mr. Vorndran. So, the reason I'm saying I don't know is
because I don't know where the line of civil liability and
criminal liability starts and stops in the example that you're
providing me. So, Facebook, as you mentioned, right, do they
have liability for conveying child sexually exploitive
material? The answer is likely yes, but I don't know where the
civil and the criminal bleed over, and I would need to get a
better answer on that.
Chair Nadler. The gentleman's time has expired.
Ms. Garcia?
Ms. Garcia. Thank you, Mr. Chair, and thank you for
convening this very urgent hearing on our nation's cyber
resiliency.
Cyberattacks are at an unprecedented high level. Our small
businesses and our critical infrastructure around the country
are under relentless siege. The consequence of ransomware
ramifies throughout our economy, public health infrastructure,
and national security.
Making things worse, of course, is that ransomware has and
continues to be increasingly become a multi-dollar criminal
history--industry.
In 2020, more than 2,300 U.S.-based entities were affected
by ransomware, including billions of dollars of economic
damage. So, I want to focus on a few of those, sir, and I know
you said you're here to talk about intrusion so let's talk
about a few of those, getting back to the topic.
Several of these events have happened in my district. One
that comes to mind is a cyberattack on the Port of Houston. The
Port of Houston, of course, is a critical piece of
infrastructure in my district and it's important to the
national security of our country.
It was subject to a cyberattack by a foreign Nation state.
They were able to resist the attack. How often does something
like this happen where it's a major piece of infrastructure
like a port?
Mr. Vorndran. So, we don't know because there are no
mandatory reporting requirements from victims. So, I'm very,
very familiar with the incident that you're describing and
would credit the SISO associated with the Port of Houston for
being a tremendously productive and transparent partner in that
moment and I do believe that if you spoke to that SISO he would
be very complimentary of the U.S. government's role in helping
them gain restoration of the situation they faced.
What we see, though, is when an adversary finds a
vulnerability, a zero day vulnerability in a specific piece of
software, and that software may be consumed or used routinely
by the same industry, so in the case you're providing, if there
was a piece of software in the Port of Houston compromised that
you're describing that's used in other ports, it's likely that
the foreign adversary would go after them in the immediate
aftermath.
We, generally, lack some understanding about why the
adversary may be interested in that target. That would be the
best answer I could give you today in terms of how these things
stack up and sequentially evolve.
Ms. Garcia. Right. Then, I had a school--a high school, a
superintendent--I mean, the district's offices hijacked. This
is not a big major school district. This was in an
unincorporated area, which is semi-rural, outside of Houston,
less than 10,000 students and they were hacked, and they had
to spend--I think it was $207,000 in Bitcoin was the ransom.
How often and why are schools under such attack?
Mr. Vorndran. Ma'am, what I would say is that the criminal
adversaries that we face--the criminals that we face that are
going to specifically look at financial motivations, which is
the example that you're providing, they are going to go after
targets who are the most vulnerable and so school districts,
perhaps some other entities at the municipality level, it's
very important for them to keep their budget requirements where
they need to be, to maintain operating systems that are current
to ensure that patches are passed for operating systems or for
other vulnerabilities, to ensure that their employees do
understand what spear phishing is and is not.
What we see criminals do is where can they get the most
ease of access to guarantee some generation of money back? So,
I'm not saying that it is a resource issue, but they are going
to go after the areas that--
Ms. Garcia. So, it's not just the big banks, it's not just
the big companies.
Mr. Vorndran. It's everyone.
Ms. Garcia. It's happening everywhere.
Mr. Vorndran. Everyone.
Ms. Garcia. I mean, like, again, this school district is a
small school district. The $207,000 may not sound like a lot--
Mr. Vorndran. It's a lot of money.
Ms. Garcia. --but for them it is and then they want it in
Bitcoin, which I think from what my reading, that is a current
trend where they're using cryptocurrency for ransom.
Mr. Vorndran. That's correct. Yeah, it is industry
organization agnostic, right. The criminals will go and find
vulnerabilities where they can, where they believe people are
going to pay.
Ms. Garcia. Right. I do have a couple of other questions
that I'll submit for the record, Mr. Chair, because I see my
time is gone. I do want to submit for the record three
articles. First, ``Port of Houston target of suspected nation-
state hack,'' and the second one is ``Sheldon ISD forced to pay
nearly $207,000 after hackers attacked,'' and the last one is
information for over 6,000 Memorial Hermann Hospital System
patients access a security breach.
Chair Nadler. Without objection.
[The information follows:]
MS. GARCIA FOR THE RECORD
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. Garcia. Thank you.
Chair Nadler. Mr. Bishop?
Mr. Bishop. Thank you, Mr. Chair.
Director Vorndran, has the FBI taken new steps since 2017
to ensure that private government contractors do not abuse
access to sensitive U.S. government data stores for self-
serving purposes, including political purposes?
Mr. Vorndran. Sir, I'm not familiar with the background of
your question. Can you--
Mr. Bishop. Well, the DOJ claims in court that Rodney
Jaffe, AKA Tech Executive-1, exploited sensitive DNS data
reflecting internet traffic to and from Trump Tower, to and
from Donald Trump's personal residential apartment building,
and the Executive office of the President.
He allegedly affiliated with Clinton campaign officials,
including Michael Sussman, who had been a cyber lawyer at DOJ,
and tech researchers at Georgia Tech to fabricate plausible
sounding but false allegations about connections between Trump
and a Russian bank before the election in 2016 and then after
the election about the use of a Russian-made phone.
Both were scams. Mr. Sussman fed them to the FBI at the
highest levels while concealing his political motives. So,
that's the background, and the question is has the FBI taken
new steps since 2017 to see that these awesome stores of
sensitive data that U.S. has are not being exploited for
political purposes by private contractors?
Mr. Vorndran. Sir, I mean, compliance is, obviously,
important to us and just taking a little bit broader view, we
have obviously taken a lot of reform steps over the past couple
years. Many of them have been in the public, whether it's FISA
Woods 702.
So, I can't speak specifically to your question. I don't
know the answer. The Bureau has taken a lot of reform steps
through that time period that all have been discussed in public
forums such as this and in the media.
Mr. Bishop. You mentioned FISA Woods 702. So, I think
you're talking about the Woods file abuse in the FISA
applications.
I don't think I'm asking about that. Can you think of any
reforms that have been taken specifically to see to it that
this kind of private contractor abuse of these data stores
can't happen?
Mr. Vorndran. Sir, not at this moment. I cannot.
Mr. Bishop. Oh. What are the cybersecurity implications of
a private company being able to intercept internet traffic to
and from the White House?
Mr. Vorndran. Sir, I'm not here to talk about those
matters.
Mr. Bishop. Look, you've said what you're here not to talk
about. A Member of Congress asking you for something within
your knowledge is a question you're bound to answer, sir. Do
you know what the cybersecurity implications are of data being
intercepted into and out of the White House?
Mr. Vorndran. Do I know what the cybersecurity implications
are? If you're asking me if I know what the policy is that
backs up when we can and cannot--
Mr. Bishop. That's not what I'm asking you. I'm asking you
what the implications are--the national security implications
of intercepting data in and out of the White House and a
private company having access to that.
Mr. Vorndran. Yes, in general terms. Yes.
Mr. Bishop. There are exposures from that, wouldn't you
agree?
Mr. Vorndran. Yes, sir.
Mr. Bishop. This article from The Wall Street Journal
entitled, ``Durham probe reveals government access to
unregulated data streams,'' February 26, 2022--have you seen
that article?
Mr. Vorndran. No, sir, I have not.
Mr. Bishop. It relates that the latest developments in the
high-profile criminal probe by Special Counsel John Durham show
the extent to which the world's internet traffic is being
monitored by a coterie of network researchers and security
experts inside and outside of government.
There are concerns, obviously, about the privacy
implications of private cybersecurity companies being able to
tap into the web traffic and then give that data to government
at any particular level without warrants or court orders. In
what ways does the FBI rely on this kind of data in their
investigations?
Mr. Vorndran. Sir, as I've said earlier today, when you
look at private sector, broadly defined, but when you look at
private sector a little bit more narrowly defined about who
provides infrastructure for network servers, computers, et
cetera, those network providers obviously see a lot of traffic.
They see my personal traffic. They see your personal
traffic on a very routine basis. We have subpoena processes
that we go through to request that information when it's
relevant to an investigation. So, that is how we interact with
those companies on a routine basis from an investigative
perspective.
Mr. Bishop. Well, my time is about to expire. What this
article relates is that a lot of that information can be
accessed without warrant and that's exactly the problem I'm
talking about.
You've spoken two times to the priority given to the FBI at
the highest level to the imperative of protecting the rights of
Americans, particularly First Amendment rights, Fourth
Amendment rights, and I'm looking for some indication that
those are more than empty words, more than just a platitude.
I'm stunned that above all the things we have talked about
today that you can't even speak to something that--an abuse
that is out in public, based on allegations of the Department
of Justice involving the use of cyber data.
Is there anything that you can offer the American people to
improve their confidence that the FBI is, indeed, protecting
their rights beyond just platitudes?
Chair Nadler. The time has expired. The gentleman--the
Witness may answer the question.
Mr. Vorndran. Sir, you're very familiar with the legal
process that we have to go through to obtain information from
any number of companies or even from victims in certain cases.
That is our baseline protocol of how we do business. I'm
unfamiliar with the article, so I cannot speak to what it
actually says in there.
Mr. Bishop. Mr. Chair, I ask unanimous consent to submit
for the record the article from The Wall Street Journal
entitled, ``Durham probe reveals government access to
unregulated data streams.''
Chair Nadler. Without objection.
[The information follows:]
MR. BISHOP FOR THE RECORD
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Mr. Jeffries?
Mr. Jeffries. Well, thank you very much, Mr. Chair and to
the Witness, thank you so much for your presence and for the
work that you and the FBI do.
I'm sorry that you've been subjected to so much pro-Putin
pro-insurrection pro-conspiracy rhetoric, as if Donald Trump is
a victim, not the perpetrator of perhaps the most significant
ongoing crime spree in the history of the American presidency
from Russia's interference in the election explicitly designed
to artificially place him in 1600 Pennsylvania Avenue, to his
corrupt abuse of power when he pressured a foreign government,
Ukraine, to target an American citizen, Joe Biden, by
withholding $391 million in military aid to a country, Ukraine,
under Russian threat in order to try to extract phony political
dirt as part of his aim to artificially interfere in the 2020
election.
Then to cap it off, he incited a violent insurrection and
attack on the United States Capitol to try to halt the peaceful
transfer of government.
Donald Trump is not a victim, despite what some of my
colleagues from the other side of the aisle have endeavored to
project. He is a perpetrator, a one-man walking crime spree.
I'm sorry you've been subjected to this.
Now, let me ask a question or two that relates to everyday
Americans. According to a recent report by the FBI Internet
Crime Complaint Center, I guess, in 2020 alone approximately 30
percent of fraud losses reported to the FBI was sustained by
victims ages 60 or over. Is that correct?
Mr. Vorndran. Sir, I don't have the exact number in front
of me. That number sounds appropriate, based on both the 2020
and 2021 annual report.
Mr. Jeffries. Is it fair to say that we have seen an
increased trend of cyber-criminals targeting older Americans?
Mr. Vorndran. Sir, the--what we would call elder care fraud
has been a priority of the Bureau for many, many years. We have
dedicated analyst agents, prosecutors in the Department of
Justice, that work just this.
So, it's a very important threat, a very important victim
set for us to protect. So, whether there has or has not been an
increase, I don't know the specific answer.
I think what I would say, perhaps, more meaningfully is
that it's at unacceptable levels, even if it's decreasing,
because it's targeting some of our country's most vulnerable.
Mr. Jeffries. What are some of the steps that the FBI is
contemplating taking or that you are taking to deal with what
you describe as this unacceptable threat that appears to have
intensified as we have been navigating our way through this
once in a century deadly pandemic?
Mr. Vorndran. Sir, I'm not sure I understood your question.
Did you say what is the FBI specifically doing?
Mr. Jeffries. Right. What steps are you contemplating? It
appears to be intensifying. You've indicated that it,
obviously, is unacceptable and troubling. So, just trying to
get a sense of what you're doing.
Mr. Vorndran. Sure. Again, we have dedicated agents
investigating these types of crimes across the country, a lot
of them tied to international criminals and working with our
international law enforcement partners.
We have FBI agents in 70 countries and very, very good
relationships in many of those 70 countries that allow us to
get closer to these criminals.
Then the second piece of it is public awareness campaigns
for those who are elderly and who may not understand the
current threats that pose--they're facing in terms of
technology.
So, it's a multi-faceted approach and something that's
very, very important to us today, no different than it was in
the past.
Mr. Jeffries. Now, you have public education campaigns that
are designed in part to be preventative and, of course,
proactive FBI action to kind of take down these cyber-
criminals.
Once, you've sort of uncovered criminality and prosecuted
it successfully in partnership with the DOJ, could you comment
a little bit in the time that I have remaining on your
restitution efforts?
Have you been successful or is part of the FBI's work
designed to recover money that has been stolen so that these
older Americans who are adversely impacted can gain back some
semblance of what was taken away from them?
Mr. Vorndran. Sure. Of course, recovering money is always
important to us and that restitution back to victims, quite
frankly, is what drives many of us to come to work every day
and drove many of us to apply to this organization. It's very,
very challenging, especially in the international landscape of
how money is transferred.
I'll just give you some statistics that may not relate
specifically to elder care fraud but does relate to business
email compromise.
In terms of business email compromise, when we receive
reports of BEC fraud, we do have a 75 percent success rate when
those transfers are domestic, and so I think if you know you've
become a victim of a fraud, independent of what time, that
reporting timeline is extremely, extremely important, and many
of these frauds hit individual Americans and I think that makes
it even more relevant for the audience.
Mr. Jeffries. Thank you, sir.
Chair Nadler. The time of the gentleman has expired.
Mr. Tiffany?
Mr. Tiffany. Thank you, Mr. Chair.
First, sir, thank you for being here, and I'm sorry you
were subjected to scurrilous comments about the previous
President who gave us peace through strength, kept us out of
wars, who took crime seriously, who gave us energy
independence, which we have given up in just a little over one
year, and had kept illegal border crossings down to a level
that we had not seen in a long time, and we wish for those days
to come back when we had a strong America.
I think Mr. Bishop's testimony showed that, I would say to
the Chair, that it is time to bring the director back in.
There's a lot of questions to be answered.
As we heard from the Witness here, there's things that he
could not answer. I would hope that the FBI director would be
able to answer some of those questions that we'd like to have
answers to.
As you follow social media and efforts to facilitate
illegal immigration, does it raise concern for you when you
have people like the vice President of Facebook who openly
admits they facilitate illegal immigration?
FBI is in the business of stopping illegal activities,
breaking the law here in the United States. Does that raise
concern for you?
Mr. Vorndran. Sir, again, I'm not familiar with that post
or what you're referring to. Any violations of U.S. law we are
interested in exploring, right, and those referrals should come
into the bureau.
They can either come to the local field office. If there is
a violation of U.S. law, that is, obviously what we're here to
do.
Mr. Tiffany. So, if I show those to you, will the
cybersecurity division follow up on them?
Mr. Vorndran. It's not going to be a cybersecurity
responsibility. What you're describing is going to, largely,
fall in the Criminal Investigative Division. If that's what you
want to do, you want to make a referral to the bureau that we
can get it to the right people.
Mr. Tiffany. So, it should be a criminal investigation if
they're posting things that facilitate illegal immigration. Is
that what you're saying?
Mr. Vorndran. Sir, I don't know what the post says. What
I'm saying is that if there is a violation of U.S. law, a
criminal allegation that you think warrants investigation, then
we'd be happy to take a look at it.
Mr. Tiffany. Absolutely spread the word at FBI. It needs to
be done. By the way, it wasn't a post. It's numerous posts, and
as you know how social media works, it spreads like wildfire
and that's what's happening down on the southern border where
the big tech companies are helping facilitate illegal
immigration.
In February 2022, the Biden Administration--yeah, just
recently last month--decided to scuttle its China initiative
program launched by the Justice Department during the Trump
Administration to protect America from national security
threats posed by the PRC.
I'm troubled that it's going away. What comments do you
have? Isn't that something that is important to protect
Americans and American interests?
Mr. Vorndran. What I would say about China is from a cyber
perspective they are the top overall cyber threat that we face
as a country. That poses both security and economic--
Mr. Tiffany. So, in other words, when we hear from the
other side Russia, Russia, Russia, Russia, it's actually China
is the biggest threat. Is that correct? Not diminishing that we
should pay attention to Russia also. You just said China is the
biggest threat. Is that right?
Mr. Vorndran. We have a big four, right. China, Russia,
Iran, and North Korea. They're all formidable adversaries. From
a cyber perspective, we would assess that China is our most
formidable adversary.
Mr. Tiffany. Does the Biden Administration scuttling the
China initiative bring you any concern?
Mr. Vorndran. Sir, we operate fairly autonomously,
independent of what the Biden Administration did or didn't say.
Our investigative posture on cyber threats posed by China has
not diminished in any way and we have the largest percentages
of our organization dedicated to those types of investigations.
Mr. Tiffany. Thank you for that answer.
It was recently reviewed at the start of the Russia-Ukraine
conflict that information that President Biden passed on to
General Secretary Xi in China that it was compromised. That
information was sent on to Russia.
Do you know if any of our foreign assets and/or
infrastructure was compromised?
Mr. Vorndran. Sir, I don't know that answer.
Mr. Tiffany. Who do I go to get that answer?
Mr. Vorndran. What I would say is let me take that back and
we'll get that answer for you. I don't know that answer in the
moment.
Mr. Tiffany. Yeah. Deeply concerning, Mr. Chair, that we're
seeing information just simply passed on to our number-one
adversary, China, and the Russians are able to use it, and just
another thing where it seems this Administration, the Biden
Administration, is giving away the keys to the castle here in
the United States.
I yield back.
Chair Nadler. The time of--the gentleman yields back.
Ms. McBath?
Ms. McBath. Thank you, Mr. Chair. Good afternoon, Assistant
Director Vorndran. Thank you so much for coming before us
today.
As it's been mentioned by my colleagues earlier, the
nation's cybersecurity is just likely one of the most important
security fronts that our Nation actually faces. It's also
quickly becoming a major threat at the individual level for
everyday Americans.
My district--I represent Georgia's Sixth Congressional
District. It's the headquarters to the Colonial Pipeline, and
that's one of the largest pipeline systems for refined oil
products in the United States, and it was victim to one of the
most--one of the worst ransomware attacks that our nation's
energy sector has seen.
So, this attack, really, affected not only just Georgians,
my constituents, but it affected Americans throughout the
country.
Americans--they were racing to fill up their tanks at the
gas stations before they ran out of fuel and Americans that are
relying on their vehicles to perform their jobs, and there are
many people that are ride share drivers and delivery drivers.
They wondered whether or not they were going to actually be
able to get to work the next day, and this was just not to--
this happened just fairly recently.
These cyberattacks aren't just restricted to large
corporations, and the city of Dunwoody, Georgia, which is also
in my district, which was subject actually to ransomware on
Christmas Eve of 2019 and this forced the shutdown of all
department networks for several days and it was just really
preventing the most important work, necessary work, that needed
to be done in our Atlanta suburbs.
Additionally, my local school district of Cobb County,
Georgia, was also subject to cyberattack on its emergency alert
system, which placed all 112 of its schools--of our schools in
lock down.
So, I know that we have really--as has been expressed, we
really have to make sure that we're doing all that we can to--
within our powers to keep America's towns and our businesses
secure and just really making sure that we're allowing America
to keep running.
Assistant Director Vorndran, my first question for you is
this. How is the FBI's cyber division ensuring that America's
towns and cities like my city, Dunwoody, in Georgia have the
tools and the resources that they need to respond to these
cyberattacks quickly and appropriately?
Because I'm assuming that this will continue to happen. So,
what do we do to assure that they are prepared?
Mr. Vorndran. Sure. Well, a couple things. First, we would
recommend that all those municipalities have active
relationships in the U.S. government to the best of their
ability that would cross cut the FBI, U.S. Secret Service, and
CISA as well, because FBI and/or U.S. Secret Service can fill
the threat response side of PPD-41 and CISA can fill the--as
the response side.
CISA, specifically, to the net defense resiliency piece,
has a lot of online resources available for those towns and
municipalities to ensure that they're aware of the latest
vulnerabilities and by mission design and, I believe, by EO
that is one of CISA's core responsibilities is to maintain
those vulnerability lists to ensure that those entities like
you described have access to that information about how to
ensure resiliency of their systems.
A few other points I would make are, it is important that
these municipalities have incident response plans built and
that they're in a position to exercise those so if they do
become a victim, they can call people they know and engage in
meaningful dialogue with the bureau, with Secret Service, or
with CISA to ensure that the latest information is in their
hands.
As I've described here already today, there's a whole host
of things that the U.S. government can do leading up to a
compromise and on the back side of becoming a victim.
Probably most important is to ensure that the U.S.
government interagency level that would be inclusive of,
certainly, the FBI, Secret Service, CISA, NSA, to name a few,
that we are disseminating information about indicators of
compromise, known vulnerabilities, in a timely fashion, and I
think that's an area that, collectively, as the interagency we
have made tremendous progress in in the past year.
Ms. McBath. Thank you so much.
I know I'm quickly running out of time. On September 24th
of last year, Ciox Health, which is also in my district--it's a
health-care information management company--they discovered that they
had an authorized individual--an unauthorized individual also
had access to sensitive patient information.
What are ways in which the FBI cyber division is ensuring
that patient data posted by various health information
management companies is also protected?
Chair Nadler. The time of the gentlelady has expired. The
Witness may answer the question.
Mr. Vorndran. Sure, sir.
Ma'am, that's a fairly complicated question because from an
FBI perspective, our role is asset recovery in terms of if
something's been lost, in this case data.
So, in these scenarios that you describe, such as Ciox
Health, we're actively engaged to try and prevent that data
from being pushed out or being used for other nefarious
purposes, and I believe that was the exact reason that Ciox
engaged us.
Again, I would point back to, like, what is the U.S.
government doing. It's really a focus on the resiliency and
that defense training side to make sure that operating systems
are updated, that there's active backups for all these
corporations, all these things that are very, very much within
CISA's roles and responsibilities by mission and EO, very much
relevant on their website, are things that they should pay--
they, being the entities in your district, should pay attention
to.
Chair Nadler. The gentlelady's time has expired.
Ms. Fischbach?
Ms. Fischbach. Thank you, Mr. Chair, and Assistant
Director, thank you for being here.
I'm going to just ask some questions about that have to do
with rural areas, and my district is very rural and has large
amounts of farmland. Very big. It goes from half of Minnesota,
from Canada to almost Iowa.
Does the FBI categorize the cyberattacks or cyber threats
by geographic location?
Mr. Vorndran. So, the answer is yes, but not in a way that
we use it to drive resourcing. So, when we look at the threats,
we're looking, really, at who is conducting the activity that's
causing people in your district problems.
Obviously, almost entirely, I'll throw a figure out there--
close to 100 percent are outside of the U.S. that are
adversaries to us in the cyberspace.
In your example, whenever there is a compromise, we will
have the FBI engage with the organization or the entity or the
company, and because of that, we certainly have information
that indicates how many victims have been relevant in a
district or in a State.
Ms. Fischbach. Do you think that it should be categorized,
so that people in rural areas understand that they are at risk,
too? Because, obviously, do we know if there's more in big
cities? That's kind of what I'm asking about and--
Mr. Vorndran. I don't know the answer. It's an interesting
question. What we see is that a lot of these attacks will be
indiscriminate in terms of who they're going after just to find
access points or vulnerabilities, and then to see what value is
there, and like we have talked about here today on the
ransomware aside, specifically, the bottom dollar is the bottom
dollar, right.
If they can get money out of a victim they're going to
continue to go back to that industry. You described farmland.
We know that certain industries within AG have been
targeted through known vulnerabilities. I don't believe in
Minnesota but, perhaps, more in the Midwest where we have seen
a trend of specific AG industries being targeted.
As we have talked about here today, that usually happens
because those industries or those companies are using the same
software packages that have the same vulnerability in them.
Ms. Fischbach. Okay. So, maybe it was going to be a follow
up. So, you kind of answered because I was going to ask if you
understand how much of a threat cybercrime and cyberattacks are
to agricultural businesses big or small. So, it sounds like you
are addressing those.
Mr. Vorndran. They are--absolutely. Absolutely.
Ms. Fischbach. Okay.
Mr. Vorndran. By ``we'' it's not just the FBI. It's the
inter-agency of the U.S. government that has roles and
responsibilities in this space. Certainly, FBI is a big part of
that.
Ms. Fischbach. Do you think that there is any way,
Assistant Director, to get the information about it being
either rural or metro? Because I know that there was a
hospital--a small hospital in my district that was--I believe
it was ransomware.
Mr. Vorndran. Yeah.
Ms. Fischbach. So, I'm just wondering if there is a way to
determine that.
Mr. Vorndran. So, I'd be happy to take that back to our
team and to see what we can come up with that could answer that
request for you. That's not a problem.
Ms. Fischbach. Okay. Well, thank you very much. I
appreciate that. Then just one last question. The FBI maintains
the Internet Crime Complaint Center for reporting cybercrime.
Unfortunately, it's online. Is that correct? It's only online?
Mr. Vorndran. Correct.
Ms. Fischbach. In my district, internet signals can be
weak, and we have been working on deploying broadband. It does
make it difficult for victims to always report cyberattacks or
seek help from the FBI.
Is there something that the FBI can do differently or take
into consideration to do to mitigate this so there is an option
to--if they don't have good internet available?
Mr. Vorndran. I mean, they can simply call our field office
or the local resident agency to report that. That's not a
problem.
Ms. Fischbach. Is that generally something that would be--I
mean, if you see something that says reported here,
www.whatever, would then a phone number be with that same
information or is it something that should be added?
Mr. Vorndran. IC3 is a very, very valuable resource. I was
looking at some statistics here. What I would say is our focus,
and it's been very, very core of our message, is we'd actually
rather have a personal relationship with a company, an
organization, a municipality, than we would receive a random
report through an internet portal, right.
So, yes, IC3 is available. Please note that personal
relationship is extremely important to us, and if there's
anything I can do to facilitate that or if you think we're
missing out on important data because we're only offering an
internet portal, I'd be more than happy to have that
conversation about how to improve that.
Ms. Fischbach. Well, and just one more.
I'm just concerned that when there are those attacks,
whether it be in agriculture or a small hospital, that they are
able to reach out immediately.
Mr. Vorndran. Sure.
Ms. Fischbach. So, that they know where to reach out to.
So, thank you very much. I appreciate that.
Mr. Vorndran. Of course.
Ms. Fischbach. Mr. Chair, I yield back.
Mr. Neguse. [Presiding.] The gentlelady's time has expired.
The gentlelady yields back. I recognize myself for five
minutes of questions.
Director Vorndran, thank you for attending this hearing
today, for helping us understand how we may better address this
serious issue. In my home State of Colorado, local government
entities have been hit hard by ransomware attacks as have large
organizations like the University of Colorado, which is in my
district.
One of my biggest concerns is the link between some of
these attacks and hostile foreign entities. The University of
Colorado, for instance, was affected by an attack on Accellion,
a third-party vendor used by the university in 2021.
The university refused to pay the ransom request and over
300,000 records containing personal information was ultimately
released on the dark web.
It turns out the hackers, at least as we understand it,
were part of a ransomware consortium known as CL0P. They were
arrested in Ukraine, as you know, and the Ukrainian authorities
believe the group may have caused half a billion dollars in
financial damages around the world.
I wonder if you might be able to share some additional
information on this particular organization and what the
potential links are between groups like this one and the
Russian government.
Mr. Vorndran. Okay. So, CL0P is a very well--in my world
CL0P is a very well-known ransomware variant. We have heard
them referred to as ransomware gangs.
I, personally, don't like that terminology because it
infers that you have a dedicated group of people under the
banner of one variant. We know that's not true.
We know that many of these actors, many of whom are in
Russia or the surrounding region, are affiliated with multiple
variants because when we look at it, really the ecosystem
breaks down this way.
You have key services, you have malware and delivery, you
have infrastructure, you have communications, and you have
financial, right. Those five key services are paramount to
catalyze and bring home any cyberattack.
So, actors crosscut those services. So, there may be an
actor who's great on the financial side. That individual may
decide to service four, five, six, or even more of the
ransomware variants. The ransomware variants are simply a brand
name.
To your core question, sir, CL0P is a very, very well-known
ransomware variant that the entire interagency in the U.S.
government has been aware of as well as technology researchers
and technology--cyber threat intel companies know.
Mr. Neguse. I do think the point--and thank you for your
answer--and the point you make is a salient one with respect to
the cross currency of these variants, right, and the fact that
they may be operating under multiple different banners.
I guess I wonder--more of an open-ended question. I've
reviewed your written testimony and appreciated a lot of the
exchanges that you've had today. This is, clearly, a pervasive
issue across the country, certainly, in Colorado.
Across our State, we have had attacks on Children's
Hospital in Colorado, which was attacked in 2017, exposed the
personal data of more than 3,000 patient families. The Fort
Collins-Loveland Water District--of course, the Colorado
Department of Transportation, the University of Colorado, as I
mentioned. Entity after entity impacted by these cyberattacks.
Congress has proposed a series of solutions. We have a
bill, a bill that I introduced last year, the State and Local
Government Cybersecurity Act, that would expand DHS
responsibilities to provide education and assistance to State
and local, Tribal, and territorial governments along the lines
of what you've described today, as well as the general public,
right on cyber threat indicators and on defensive measures that
they can take, right, to better kind of determine their own
vulnerabilities and their incident response, which you
referenced in response to a question from one of my colleagues.
I don't know if you would care to opine on that particular
bill. It's passed the United States Senate. We're trying to get
it through the House.
Also, on a more open-ended question, what other tools you
might recommend the Congress legislate? New statutes that you
might recommend that we consider?
Mr. Vorndran. Sir, I appreciate the question and the
opportunity.
Certainly, on the proposed legislation that you mentioned,
we'd be more than happy to have a look at it and offer you more
refined thoughts.
In terms of your question about what legislation would be
helpful, first, would be to give prosecutors stronger sticks to
prosecute, using RICO charges for cyber-criminals, enhance
punishments for damaging critical infrastructure.
Second, would be equipping courts and law enforcement with
more tools to disrupt large-scale cybercrime. So, criminalizing
selling infrastructure access to botnets, injunctions to stop
ongoing or imminent mass cybercrime.
Last would be to improve DOJ's forfeiture authorities so
that we increase our ability to our authorities to seize
cybercrime critical infrastructure--network infrastructure,
that is.
So, those are just a few thoughts that are very relevant.
Mr. Neguse. Thank you, Director, for your service, for your
hard work, to your team for the work that you're doing each and
every day to protect our country, our States, our local
governments from these pernicious attacks, and we'll certainly
take your recommendations under advisement.
With that, the Chair now recognizes the gentleman from
Oregon, Mr. Bentz, for five minutes.
Mr. Bentz. Thank you, Mr. Chair, and thank you, Mr.
Vorndran, for your patience.
So, it would have helped me had there been a definition of
cybercrime at the very onset of the hearing, because it appears
that the definition I quickly looked up here in the dictionary,
which says cybercrime criminal activity carried out by means of
computer or the internet, is a far broader definition than that
which your portion of the FBI is dealing with.
Do I have that right?
Mr. Vorndran. Sir, when we look at cyber within the FBI, I
would split it as computer-enabled crime in cyber. Cyber we
would define specifically as network intrusions or computer-
enabled crimes, such as, child exploitation on the internet,
elder care fraud facilitated by the internet, these types of
things.
Those are different investigative programs within the FBI.
Mr. Bentz. This is still within the FBI because you're the
lead agency, are you not, when it comes to all the other
subagencies we have heard about today?
So, one way or the other, the FBI is in charge, and I
guess, though, you would carve yourself out from responsibility
for some of the things we have heard about today.
The one that comes most readily to my mind is the situation
on the border where we see and heard from the Border Patrol
that the internet is being used to attract thousands of folks
to the border, and we know it's being done illegally but, yet
nothing's being done about it.
That's outside the scope of what you believe your portion
of the agency is dealing with?
Mr. Vorndran. That is an inaccurate statement.
Mr. Bentz. Okay.
Mr. Vorndran. As I mentioned to, I believe, to Mr. Tiffany,
if there's a belief that there is a violation of U.S. law, then
that referral should be made. I'm not specifically familiar
with the issue you're talking about. Certainly, not saying it's
not out there.
Mr. Bentz. Well, it's out there and it has been referred
and it's being ignored. That's not your, apparently, scope of
purpose.
So, let's shift to what you do, and it sounds to me like
what--if we looked at this cyber situation as a continuum and
the cyber event occurs in the middle, your primary focus in
prevention would be to point at those who are in the business
of writing software in the private sector to try to head off
attacks of malware and other things, as opposed to you--because
you're--the FBI isn't writing that software? Or am I wrong? Are
you--do you have your own division that's trying to write
software that's going to head-off some of these things?
Mr. Vorndran. Not to my knowledge, no.
Mr. Bentz. Okay. So, going back to my continuum, what we
have is a situation where the FBI is saying we're alerting
people, hey, we have had an attack over here, get ready. It
could happen.
Go buy some new protective software. Then the event
happens, and then you come in afterwards and say, hey, look
what just happened. We'll try to help you clean up the mess and
we'll try to find whoever did it and prosecute.
Have I summarized the nature of your department
appropriately?
Mr. Vorndran. Yes. In my opening statement I gave some
really important notes that we're not an arrest first,
indictments first, organization when it comes to our cyber
ecosystem role.
We're very much interested in understanding who in the
interagency has the most impactful operational play to impose
the most significant costs on the adversary.
At times, that may be an arrest--an indictment and arrest
and extradition, but at times that may be degrading the
infrastructure that these adversaries are riding on--
Mr. Bentz. Right. I understand that you have tools, and you
have different ones you might use after the event.
Now, I want to go to a question of great interest to me and
that is your assessment of the quality and ability of our
private sector to head off that which is happening in China.
So, tell me, how good a job are we doing in that private
sector? Are you seeing an increase in attacks? Are you seeing
the private sector doing a good or a bad job?
Mr. Vorndran. So, and I want to try to be consistent. I've
answered this question twice. I try to be really consistent. My
interactions and our organizational interactions in cyber
relative to the private sector have been very positive in the
last year that I've been here. It's hard for me to speak to the
time before that. I was in New Orleans.
In the last year, these infrastructure providers, these
major server providers, they have been very, very good
partners, and if you go and do some research, you'll see
they're actually writing their own blogs and disseminating
their own products to the American public, largely, before
sometimes anyone else outing adversarial activity.
So, I think they've been tremendously transparent and
tremendously proactive in that space in terms of--
Mr. Bentz. That's all very good, but I haven't heard you
tell me how well we're doing when it comes to keeping up with
China.
Mr. Vorndran. Sir, my statement covers China, it covers
Russia, because the private sector sees a lot of the activity
from all those countries.
Mr. Bentz. So, you're saying we're doing just fine?
Mr. Vorndran. Sir, there's always room for improvement,
undoubtedly. What I'm saying is the private sector is very
proactively engaged and been a very good partner in that space
to us.
Mr. Bentz. Thank you. I yield back.
Ms. Dean. [Presiding.] The gentleman yields back.
The gentleman from Arizona, Mr. Stanton, is recognized for
five minutes.
Mr. Stanton. Madam Chair, thank you very much, and thank
you to Mr. Vorndran for your service at the FBI and for
testifying at today's very important hearing.
In recent years, we have witnessed cyber threats and
cyberattacks as they become more sophisticated, more targeted, and
more harmful. These attacks not only are directed at strategic
national security operations but also essential infrastructure,
educational institutions, and local governments.
For instance, in my home State of Arizona, one of our local
community colleges was forced to cancel classes when a cyber
threat was detected in their network. Luckily, they were
prepared. They took preventative measures, and they safeguarded
their students' and their employees' information.
These smaller incidents don't always get the national
attention like the bigger attacks on Colonial or JBS. The
threats are no less real and neither are the disruptions they
cause to our daily lives.
So, Mr. Vorndran, I want to ask you about these lower
profile attacks. In February of 2022, the Cybersecurity and
Infrastructure Security Agency published an alert that the FBI
had observed some ransomware groups shifting away from so-
called big game hunting in the United States and instead
increasingly targeting smaller victims to avoid scrutiny from
the Federal government.
Do you believe that this change was due to the
Administration's crackdown on ransomware attackers?
Mr. Vorndran. No, sir. I just think that we are seeing an
evolution of the criminal enterprise that instigates and
catalyzes ransomware attacks, and they are going to go where
they can find the most routine financial gain on a routine
basis. So, they're going to go where the money is and that's
the bottom line.
Mr. Stanton. Why are small to mid-sized victims a safer bet
for ransomware groups?
Mr. Vorndran. Sir, my opinion on that question is that
smaller entities are not as well-resourced as some of these
larger entities. That resourcing really covers the resiliency
and that defense side, whether that's patching, multi-factor
authentications, zero trust architecture, whether that's
training for spear phishing, keeping your operating systems
patched and updated, any number of these things that tie back
to resources.
My assessment, personally, would be that these types of
organizations, entities, municipalities, are not as well-
resourced as some of your major multinational companies, and
because of that they're likely, potentially, more vulnerable.
Mr. Stanton. Are you concerned that by cracking down on the
hackers of bigger, wealthier companies that the FBI has sent a
message that smaller targets will be met with less force?
Mr. Vorndran. The way we work our investigation, sir, we
look at the conglomerate of all the victims that,
unfortunately, become victims and tie them back to the
adversarial activity that's perpetrated by groups of people,
almost all are overseas.
So, the ability for us to investigate or for the
interagency to include the bureau to run offensive operations
really isn't impacted in any way.
So, it would be hard for me to see a scenario where we're
encouraging smaller targets to be hit because it's just not
tied to our investigative or our interagency operational
calculus.
Mr. Stanton. How would the FBI adjust its attack plan to
better ensure that small and medium-sized businesses are
protected as they are with some of the larger entities?
Mr. Vorndran. Sir, so the FBI is always available for these
entities, and we would encourage those relationships to start
if they're not already present.
This exact question is why CISA was stood up and it's
codified in the Executive Orders. They are there for the
purpose of improving what we would define as resiliency in net
defense, and they have these resources in their mission
statement or as part of their mission and available for the
exact type of groups that you're talking about.
So, they are in the U.S. government, the best entity for
those small businesses to really work with to improve their net
defense plans. The FBI and CISA have a tremendously strong
operational day-to-day and week-to-week relationship.
What we can do is we're sharing indicators of compromise,
latest intelligence, that can better inform the net defense
side that CISA carries forward.
Mr. Stanton. I appreciate your testimony today, and I will
yield back.
Ms. Dean. The gentleman yields back.
Now the gentleman from Wisconsin, Mr. Fitzgerald, is
recognized for five minutes.
Mr. Fitzgerald. Thank you, Madam Chair.
Mr. Vorndran, on February 23, 2022, Department of Justice
announced the end of the China initiative, despite an internal
review finding no indication of racial bias.
Mr. Vorndran, what is your division doing to absorb all the
activities that were part of that China initiative that we all
thought was being very successful in countering national
security threats posed by China?
Mr. Vorndran. Sir, our workload in terms of cyber division
has not changed as a result of that initiative that you
referenced.
As I've said already on the record here today, we do
consider China our top overall cyber threat to the United
States and to our allies. We have an enormous amount of our
workforce dedicated to that cyber threat. That has not changed
in the last six months, the last 12 months, the last 18 months.
The problem with China is that they're very indiscriminate
about who they target. It's not just the U.S. government--I
just have a few notes here--think tanks, academia, CDC,
journalists, medical, and COVID-19. The list goes on. They're
very indiscriminate.
So, we would say that they're the biggest national security
and economic threat. To your question, has my workload changed?
It has not. We have had a lot of people dedicated to that
problem, certainly, over the past year.
Mr. Fitzgerald. So, in relationship to the initiative,
there had to be some items that, I would assume, would have to
be picked up in some form by your division. You're saying that
did not happen?
Mr. Vorndran. No, sir. That didn't happen for me. Again,
this gets into some of the Bureau's structure,
counterintelligence division. They may have a different answer
to that question. I'm unsure. For me, personally, under oath,
my workload has not changed or been altered in any way as a
result of that.
Mr. Fitzgerald. There was some discussion earlier by other
Members about Alexei Burkov and--the cyber-criminal. Now, that
he is kind of out there, and we're not sure exactly, I guess,
and it'd be difficult for you to tell us how you're tracking
that.
Can you tell us today that you're confident that there
aren't currently cyberattacks that are being coordinated or
launched as a result of his release?
Mr. Vorndran. I don't have any information that would
indicate that's happening. That's as much of a refined answer I
can provide to you.
Mr. Fitzgerald. Okay. REvil, a Russian-based criminal,
cyber-criminal group, claimed responsibility for one of the
biggest ransomware attacks on the information technology management and
security software company Kaseya, which I'm sure you're aware
of.
Reportedly, victims, including schools and hospitals, many
lost millions of dollars in recovery. Is it accurate that the
FBI withheld a digital decrypter tool that could have unlocked
the system subject to the ransomware attack in the case of
Kaseya?
Mr. Vorndran. Yes, sir, it is. I'm on--myself and National
Cyber Director Chris Inglis are in open testimony in December
on Oversight and Reform where we're on the record about this
exact topic.
So yes, that is an accurate statement. I'd be happy to
explain our decision on that if that would be helpful right
now.
Mr. Fitzgerald. Let me just tell you, is it also accurate
that the goal of withholding this tool was to disrupt the
hackers--the Russian hackers--without alerting them? Was that
what the goal was?
Mr. Vorndran. There were multiple derivative elements to
the operational plan that were being evaluated during that time
period to include the validity of the decrypter tool and
ensuring that it didn't have malware or introduce other
vulnerabilities into the supply chain.
Mr. Fitzgerald. Is it fair to say that the mission overall
was not successful?
Mr. Vorndran. Sir, my pause is because I'm trying to
remember specifically on that operation.
Mr. Fitzgerald. Let me ask you this. Did you or anyone in
the FBI caution against withholding the decrypter?
Mr. Vorndran. Did we caution against withholding the
decrypter? We had a series of variables that were under
consideration in that moment that ranged from providing the
decrypter key immediately to letting an operational plan play
out in infinite time period. Once we had indications that
operational opportunities were not going to be valid, we
immediately moved towards deploying the decrypter.
In parallel, from the moment this started, we were testing
the decrypter to ensure that it didn't have any malware because
as I already described, we don't go buy this from Best Buy,
right. This is touched by many, many criminals, developed by
criminals, and many hands in the supply chain.
So, to get that we, obviously, have to put it through a
testing environment, knowing that Kaseya is going to deploy it
in a supply chain environment and we don't want them to
introduce vulnerabilities downstream.
Mr. Fitzgerald. I'm out of time but I'm going to follow up
with a letter trying to dig into this a little bit deeper. So,
thank you, Madam Chair.
Ms. Dean. The gentleman yields back.
Now, the gentlewoman from Washington State, Ms. Jayapal, is
recognized for five minutes.
Ms. Jayapal. Thank you, Madam Chair.
Mr. Vorndran, thank you so much for your commitment to
ensure security in light of new and evolving cyber threats. I
wanted to focus my five minutes on the data breaches of
critical infrastructure, namely, our hospital systems.
Hospital attacks against healthcare facilities are becoming
more frequent as the pandemic and workforce shortages created
new vulnerabilities.
Just this past June, Sea Mar Community Health Centers, a
nonprofit community-based provider in my district, learned that
the sensitive personal health data of nearly 700,000 patients
were compromised.
Names, addresses, and Social Security numbers were stolen
from its internal network. The FBI has stated its deep concern
about the increase in ransomware attacks on hospitals and other
critical infrastructure. Can you elaborate on why these attacks
on healthcare systems have become so frequent?
Mr. Vorndran. Sure. One second here. So, we have seen
excessive targeting of the healthcare industry during the
COVID-19 pandemic.
We would assess that the reason for that, more than
anything else, is because adversaries, criminals, know that
those hospitals, healthcare providers, are in a very, very
vulnerable position in terms of continuing to provide care, and
as a result of that, are likely to potentially pay an extortion
payment or a ransom more quickly.
So, it's really a sad state of affairs when criminals
really are looking to disrupt patient care, and that's actually
on the table of viable options for them as criminals and how
they're going to affect us here in the United States.
So, that would be the primary reason that we would assess
that there's been an escalation.
The other point that I would really highlight--I've talked
about this several times today--what we see is industries--
hospitals in this use case, it could be any industry, though--
have common software platforms that they all generally use, and
when an actor finds a vulnerability in one of those software
platforms, that is, obviously, likely to be pervasive or
potentially pervasive across other hospitals.
So, you may see a surge of activity against a traditional
or a specific sector until that is closed. I hope that answers
your question.
Ms. Jayapal. It does. What's really terrible, and you
referenced it, is that these attacks are just leaving patients
so vulnerable and delay first responders from responding to
emergencies or prevent hospitals from accessing life-saving
equipment.
In fact, 22 percent of healthcare organizations that
suffered a ransomware attack this year experienced increased
patient mortality after the attack.
So, what are your best thoughts on how hospital systems
that are suffering from cyberattacks can mitigate negative
patient outcomes?
Mr. Vorndran. So, again, when we look at the cyber
ecosystem, what you're describing specifically as
cybersecurity, within the U.S. government CISA is on point for
those recommendations.
Largely, what you would hear from them is cyber hygiene is
really important. That includes multifactor authentication,
implementing zero trust architecture.
That includes making sure that your patch management is
where it needs to be, updated operating systems, et cetera. It
also includes strong passwords, but also strong discipline of
users, specifically, administrators.
All that information is available on CISA's websites and
that's a really good one-stop shop for hospitals like you're
describing to kind of get to a best of checklist.
Ms. Jayapal. Is the FBI launching your own special
initiative to make sure that hospitals that are struggling with
access to sufficient cybersecurity defenses because they have
low budgets or staffing restraints?
What are the ways that the FBI can help elevate this for
healthcare providers to reinforce their defenses against
ransomware attacks?
Mr. Vorndran. I appreciate the opportunity to answer that
question. We have very, very strong relationships with the
American Hospital Association and with the Health ISAC. ISAC is
the Information Sharing Analysis Center.
We do very routine podcasts with the American Hospital
Association and their director and some of our personnel on
both the analytical and the operational side to try and
reemphasize this message.
We're very much prioritizing the investigations that hit
critical infrastructure overall to include hospitals. So, I
hope those few additional items helped.
The only other thing I would say is for CISA to do its job
well all of us on the investigative side have to do our job
well because we're seeing new indicators of compromise, new
malware signatures, new tactics, techniques, and procedures,
all which reinforce and inform in that defense side.
So, that's how we would plug into it and what we have been
doing to amplify it.
Ms. Jayapal. Thank you, sir, for elevating that. I really
appreciate it.
Madam Chair, I yield back.
Ms. Dean. The gentlewoman yields back. I now recognize the
gentleman from Texas, Mr. Gohmert, for five minutes.
Mr. Gohmert. Thank you, Madam Chair, and appreciate your
being here. Looks like we may be last and maybe somebody else
did ask questions.
There was an internal review done at the FBI in 2019 to
gauge compliance with FBI rules for handling high profile
delicate cases known as Sensitive Investigative Matters--SIMs.
Generally involved activities of domestic public officials,
political candidates, religious organizations, and the FBI's
audit, turns out, found that in auditing 353 cases there were
747 compliance errors in violation of FBI rules.
To your knowledge, were any aspects of those 353 cases
handled by the cyber division?
Mr. Vorndran. Sir, to the best of my knowledge, there were
a handful of cyber cases that were part of that audit.
Mr. Gohmert. Well, I know Jamie--well, Members of Congress,
Jamie Raskin and Nancy Mace have requested a review of the
FBI's domestic operation. Will the cyber division comply with
that request?
Mr. Vorndran. Sir, are you referring to the DIOG, the
Domestic Operations Guide? I'm not sure.
Mr. Gohmert. Well, they've made a request to review
domestic operations.
Mr. Vorndran. Any request that's supported by the
department and by the director of the FBI, obviously, will
support.
Mr. Gohmert. Well, then I guess that's the question. Are
they supporting--the question is would you support them to the
director?
Mr. Vorndran. Sir, I'd be happy to take back your request.
I'm actually not familiar with what you're referring to.
Mr. Gohmert. I'm not asking for any specifics, just
numbers. How many cyber cases have been involved with warrants
for surveillance of any American citizens from the FISA court?
Mr. Vorndran. Sir, I couldn't even hazard a guess. I
apologize.
Mr. Gohmert. So, there would be a lot?
Mr. Vorndran. Of U.S. citizens?
Mr. Gohmert. Right.
Mr. Vorndran. Sir, I don't know that answer off the top of
my head. I apologize.
Mr. Gohmert. Well, how about generally speaking? More than
a thousand?
Mr. Vorndran. No, sir.
Mr. Gohmert. Less than a thousand?
Mr. Vorndran. My best guess would be absolutely the latter.
Mr. Gohmert. Do you know if there's been any internal
review like that one that we just found out about from 2019?
Has there been any internal audit for 2020 or 2021?
Mr. Vorndran. Not that I'm aware of, sir.
Mr. Gohmert. The cybercrime website on fbi.gov says the FBI
is the lead agency for investigating cyberattacks and
intrusions, and the division collects and shares intelligence
and engages with victims while working to unmask those
committing malicious cyber activities.
According to a Department of Justice audit in 2017, the FBI
disrupted or dismantled 262 high-level criminal operations
targeting global U.S. interests. In 2014, we know that
cybercrimes disrupted--your division disrupted 2,492, but in
2017 just 262.
Has the track record improved since 2017? What was the
reason for having so few compared to what your division has
done before that?
Mr. Vorndran. I'm unsure about the 2014 number and what
that is or isn't referencing.
Mr. Gohmert. More concerned about 2017 when you didn't
disrupt too many.
Mr. Vorndran. I guess my point, though, would be, I'm
unsure of how the metrics were pulled in 2014 on that website.
Mr. Gohmert. Okay. If you don't know, but I would sure like
to find out and I'd like to yield the rest of my time to Mr.
Jordan.
Mr. Jordan. I thank the gentleman for yielding.
Mr. Vorndran, were you involved in the original indictment
and prosecution of Alexei Burkov?
Mr. Vorndran. No, sir.
Mr. Jordan. Okay, thank you. I'll yield back to the
gentleman.
Mr. Gohmert. Okay. Just quickly, does cybercrime division
pay informants as part of cybersecurity investigations?
Mr. Vorndran. Sir, I'm not going to go into specifics about
our source operational activity.
Mr. Gohmert. Well, I just asked you a general question. Do
you?
Mr. Vorndran. I understand. That is always an option that
we would consider if the circumstances are appropriate.
Mr. Gohmert. Okay. My time has expired.
Ms. Dean. The gentleman yields back.
I now recognize myself, the Member from Pennsylvania, for
five minutes.
Director Vorndran, I'm very thankful to you for your
service. It's such an important critical time in our country.
I'd like to turn to voting.
There is a concerning level of apathy among American
voters. Citizens on both sides of the aisle believe more and
more that their vote doesn't matter and, of course, I couldn't
disagree more.
So, restoring our faith in the voting system in our
democracy requires greater investigation into the ways to
protect the integrity of our voting system, and protected
against misinformation, cyberattacks. They've become a tenement
of the American voting system. I believe America deserves
better. We deserve better.
Director, why are disinformation campaigns so difficult to
identify and take down, and what does that process look like?
Mr. Vorndran. I mean, they're so difficult to identify and
take down because the rights of U.S. people in the United
States are very, very broad in terms of their rights to
consume, create, and spread information, even disinformation,
and so it's a very, very, very, very nuanced conversation.
To your question about how we handle this, the FBI has very
specific responsibilities and authorities. It's important to
note that we're just one part of the U.S. government team that
looks at that. Specifically, we follow the actor and the
activity more so than identifying a piece of disinformation.
We don't do that. We really are following the actor and the
activity. The problem is when that actor masquerades as someone
he or she is not and understanding the amplification the
disinformation campaign and to deal with the coordination of
that, from an adversarial perspective, proves to be pretty
challenging.
We work really hard to understand how our private sector
partners like to receive information from us and other partners
in the U.S. government so that they can take appropriate action
in line with their terms of service violations.
I think we do it all very mindfully. We use court process
when appropriate. I cannot underscore more that, like, the
underlying principle is in respecting the rights of U.S.
people, right, and we all know that their rights to consume,
create, et cetera, are very, very broad from a First Amendment
perspective.
Ms. Dean. Absolutely. I know that is the challenge. That's
part of the beauty of our democracy but also the challenge.
Is the FBI doing processes to combat misinformation
campaigns, not just domestically but also foreign?
Mr. Vorndran. Are we doing a campaign?
Ms. Dean. To combat disinformation campaigns foreign?
Mr. Vorndran. When you say campaign to me, I think of
media. So, not to my knowledge. We are doing a lot of work in
this space to investigate actors and activity to deal with that
appropriately through what we would consider foreign influence.
That work is done in complete collaboration with our
interagency partners who have very specific responsibilities
and authorities in that space as well.
Ms. Dean. In a roomful of politicians, I probably shouldn't
use the word campaign because I think of something else.
I'm a former teacher. I was a professor for 10 years before
I came to public service. I was surprised to learn that
schools, K-12 schools, are some of the most common targets of
ransomware attacks.
I have a school district in my suburban Philadelphia area
Souderton, PA, and in September 2019, they suffered a cyberware
attack.
I don't think we even know--and maybe you could offline get
back to me if there's anything more you would know about the
Souderton, PA, cyberattack.
Why schools, and are they particularly easier to attack?
Mr. Vorndran. I do think--my personal assessment, based on
where I sit on a daily basis, there are very mature
cybersecurity organizations in this country. There are also--
and I don't use this term maliciously at all--cyber immature
organizations.
They may not have the resources. They may not have the
funding. They may not have a culture of cybersecurity in place.
That second batch of companies, organizations, entities,
municipalities, school districts, become very, very vulnerable,
and the best practices are really on the net defense resiliency
side, ensuring that the employees of Souderton High School,
which I'm familiar with, by the way, are well prepared in terms
of identifying spear phishing campaigns. Very, very important.
We see these targets becoming targets, generally because
they're immature from a cyber perspective. Again, with all due
respect to school districts, municipalities, they're just not
as well-resourced as a multinational bank when it comes to
cybersecurity.
Ms. Dean. I see my time is expiring. Maybe we could connect
offline and allow me to learn what we can learn. Thank you for
your answers. I yield back.
For what purpose does Ms. Jackson Lee seek recognition?
Ms. Jackson Lee. I thank you so very much, and I would like
to engage the FBI offline on--what I'm going to just read the
headlines into the record, please, and thank you so very much
for your testimony and as well your very keen effort in trying
to answer our questions of substance.
Let me just read information for over 6,000 Memorial
Hermann patients excess and security brief. These are all
Houston in Texas. This goes to the question of healthcare.
Medical provider waited months to send patient letters
about ransomware. Of course, this goes to the seeming
intimidation that firms have about letting people know what has
happened to them.
NBA's Houston Rockets faced a cyberattack by a ransomware
group, and I would argue that this had some impact. They would
have been in the finals had they had that ransomware attack.
Already in the midst of a crisis. Houston Hospital was
attacked by ransomware. This was during the midst of the
pandemic COVID-19. Cyberattack briefly shuts down Humble ISD on
the first day of remote learning.
That was really devastating during the pandemic, and then
restaurant Landry warns customers of potential data breach.
That's all the credit cards and things of that sort.
So, it is pervasive, and I look forward to some further
discussions. I wanted Houston's impact to be in the record and
let them know that we're fighting to thwart these kinds of
attacks. I thank you so very much. Again, I thank you for your
service and yield back.
Ms. Dean. Without objection, they shall become part of the
record.
Ms. Dean. Mindful of the Chair that is here, this concludes
today's hearing. We thank you, Director Vorndran, for
participating, for all the time that you have given us.
Without objection, all Members will have five legislative
days to submit additional written questions for the Witness or
additional materials for the record.
Without objection, the hearing is adjourned.
[Whereupon, at 1:28 p.m., the Committee was adjourned.]
APPENDIX
=======================================================================
The Hunter Biden emails are not available at the time of
publication.
QUESTIONS FOR THE RECORD
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]