[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]
CISA 2025: THE STATE OF AMERICAN CYBERSECURITY FROM CISA'S PERSPECTIVE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY AND INFRASTRUCTURE
PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTEENTH CONGRESS
FIRST SESSION
__________
APRIL 27, 2023
__________
Serial No. 118-9
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
52-983 WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY
Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas
Clay Higgins, Louisiana
Michael Guest, Mississippi
Dan Bishop, North Carolina
Carlos A. Gimenez, Florida
August Pfluger, Texas
Andrew R. Garbarino, New York
Marjorie Taylor Greene, Georgia
Tony Gonzales, Texas
Nick LaLota, New York
Mike Ezell, Mississippi
Anthony D'Esposito, New York
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Dale W. Strong, Alabama
Josh Brecheen, Oklahoma
Elijah Crane, Arizona
Bennie G. Thompson, Mississippi, Ranking Member
Sheila Jackson Lee, Texas
Donald M. Payne, Jr., New Jersey
Eric Swalwell, California
J. Luis Correa, California
Troy A. Carter, Louisiana
Shri Thanedar, Michigan
Seth Magaziner, Rhode Island
Glenn Ivey, Maryland
Daniel S. Goldman, New York
Robert Garcia, California
Delia C. Ramirez, Illinois
Robert Menendez, New Jersey
Yvette D. Clarke, New York
Dina Titus, Nevada
Stephen Siao, Staff Director
Hope Goins, Minority Staff Director
Natalie Nixon, Chief Clerk
Sean Jones, Legislative Clerk
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
Andrew R. Garbarino, New York, Chairman
Carlos A. Gimenez, Florida
Mike Ezell, Mississippi
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Mark E. Green, MD, Tennessee (ex officio)
Eric Swalwell, California, Ranking Member
Sheila Jackson Lee, Texas
Troy A. Carter, Louisiana
Robert Menendez, New Jersey
Bennie G. Thompson, Mississippi (ex officio)
Cara Mumford, Subcommittee Staff Director
Moira Bergin, Minority Subcommittee Staff Director
Alice Hayes, Subcommittee Clerk
C O N T E N T S
----------
Statements
The Honorable Andrew R. Garbarino, a Representative in Congress
From the State of New York, and Chairman, Subcommittee on
Cybersecurity and Infrastructure Protection:
Oral Statement
Prepared Statement
The Honorable Eric M. Swalwell, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Cybersecurity and Infrastructure Protection:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement
Witness
Ms. Jen Easterly, Director, Cybersecurity and Infrastructure
Security Agency (CISA):
Oral Statement
Prepared Statement
Appendix
Questions for Jen Easterly From Chairman Andrew R. Garbarino
Questions for Jen Easterly From Ranking Member Eric Swalwell
Questions for Jen Easterly From Honorable Robert Menendez
CISA 2025: THE STATE OF AMERICAN CYBERSECURITY FROM CISA'S PERSPECTIVE
----------
Thursday, April 27, 2023
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:03 p.m., in
room 310, Cannon House Office Building, Hon. Andrew R.
Garbarino (Chairman of the subcommittee) presiding.
Present: Representatives Garbarino, Gimenez, Ezell, Lee,
Luttrell, Swalwell, Jackson Lee, Carter, and Menendez.
Also present: Representative Clarke.
Mr. Garbarino. The Committee on Homeland Security,
Subcommittee on Cybersecurity and Infrastructure Protection,
will come to order.
The purpose of this hearing is to receive testimony from
Jen Easterly, director of Cybersecurity and Infrastructure
Security Agency, or CISA.
I now recognize Ranking Member Swalwell for the purposes of
seeking unanimous consent.
Mr. Swalwell. Thank you, Chairman.
I ask unanimous consent that the gentlelady from New York,
Ms. Clarke, be permitted to participate in today's hearing.
Mr. Garbarino. Without objection, so ordered.
I now recognize myself for an opening statement.
Welcome back for our second subcommittee hearing of the
Congress. Last month, we hosted industry leaders to give their
perspective on the state of American cybersecurity and
particularly how the Cybersecurity Infrastructure Security
Agency, or CISA, has developed since its creation 5 years ago.
I'm glad that we will hear directly from CISA director Jen
Easterly on her views on CISA's evolution and where it needs to
grow and mature by 2025.
Director Easterly and I have had a fantastic working
relationship since I started as Ranking Member of the
subcommittee last Congress. I look forward to continuing our
strong bipartisan relationship this Congress.
In our last hearing, there were some common themes from our
witnesses that I hope to further explore with Director Easterly
this afternoon.
First, we learned that CISA must work with the industry and
interagency partners to ease compliance, the compliance burden
that industry faces from duplicative regulation. It's clear
that our Nation must increase resilience to cyber risk across
the board, particularly within our critical infrastructure
sectors, but we must find the right balance between regulatory
burden and improving security outcomes.
We also heard a lot about one of CISA's newest initiatives,
the Joint Cyber Defense Collaborative, or JCDC. We heard that
JCDC has the potential to be a value-add to the private sector,
but additional transparency around its mission and processes
would benefit both the JCDC and industry.
Finally, and perhaps most foundationally, we heard about
the need for robust cybersecurity work force. We need not only
enough people but the right people with the right skills and
the right jobs. This is one of my top priorities this Congress,
and I'm looking forward to hearing Director Easterly's
perspective on how CISA can best contribute to the development
of our national cyber work force.
This hearing is timely. It comes as we are evaluating the
President's fiscal year 2024 budget request. CISA is requesting
$3.1 billion, $145 million increase over fiscal year 2023
enacted--fiscal 2023 enacted funding level. The dialog we have
during this hearing will help inform our committee's review of
the budget, particularly the new program CISA proposes within,
including the evolution of the National Cybersecurity
Protection System.
I think I speak for all Members on this dais when I say
that we want CISA to succeed. Its mission is too important to
fail. It is our responsibility to ask pointed but productive
questions about CISA's stewardship of the resources and
authorities Congress has given it. As I said in our last
hearing, Congress intends to be a partner to CISA to ensure the
agency meets its full potential.
Director Easterly, I look forward to your testimony today,
and I thank you for being here.
[The statement of Chairman Garbarino follows:]
Prepared Statement of Chairman Andrew R. Garbarino
Welcome back for our second subcommittee hearing of the Congress.
Last month, we hosted industry leaders to give their perspective on the
state of American cybersecurity and particularly how the Cybersecurity
and Infrastructure Security Agency, or CISA, has developed since its
creation 5 years ago. I am glad that we will hear directly from CISA
Director Jen Easterly on her views on CISA's evolution and where it
needs to grow and mature by 2025. Director Easterly and I have had a
fantastic working relationship since I started as Ranking Member of
this subcommittee last Congress--I look forward to continuing our
strong bipartisan relationship this Congress.
In our last hearing, there were some common themes from our
witnesses that I hope to further explore with Director Easterly this
afternoon.
First, we learned that CISA must work with industry and interagency
partners to ease the compliance burden that industry faces from
duplicative regulation. It's clear that our Nation must increase
resilience to cyber risk across the board, particularly within our
critical infrastructure sectors. But, we must find the right balance
between regulatory burden and improving security outcomes.
We also heard a lot about one of CISA's newest initiatives: the
Joint Cyber Defense Collaborative, or JCDC. We heard that JCDC has the
potential to be a value-add to the private sector but additional
transparency around its mission and processes would benefit both JCDC
and industry.
Finally, and perhaps most foundationally, we heard about the need
for a robust cybersecurity workforce. We need not only enough people
but the right people with the right skills, in the right jobs. This is
one of my top priorities this Congress and I am looking forward to
hearing Director Easterly's perspective on how CISA can best contribute
to the development of our national cyber workforce.
This hearing is timely. It comes as we are evaluating the
President's fiscal year 2024 budget request. CISA is requesting $3.1
billion, a $145 million increase over the fiscal year 2023 enacted
funding level. The dialog we have during this hearing will help inform
our committee's review of the budget, particularly the new programs
CISA proposes within, including the evolution of the National
Cybersecurity Protection System.
I think I speak for all the Members on this dais when I say that we
want CISA to succeed. Its mission is too important to fail. It's our
responsibility to ask pointed but productive questions about CISA's
stewardship of the resources and authorities Congress has given it. As
I said in our last hearing, Congress intends to be a partner to CISA to
ensure the agency meets its full potential. Director Easterly, I look
forward to your testimony today and thank you for being here.
Mr. Garbarino. I now recognize the Ranking Member, the
gentleman from California, Mr. Swalwell, for his opening
statement.
Mr. Swalwell. Thank you, Chairman.
Welcome, Director. It was just 12 hours ago that the
Chairman and I were here early in the morning with our
colleagues voting. I don't think we voted the same way on many
of the amendments yesterday, but on this issue and your
success, there is no daylight between the Chairman and I and my
colleagues. Your success is America's success in this space,
and that is something we are rooting for and want to enable.
I also represent an East Bay California district that is
home to tech giants like TriNet and Workday, but also an
emerging cybersecurity insurance company called Cowbell Cyber,
and have worked with all of them to protect, not just large
companies, but small- and medium-size companies from emerging
threats.
As the Chairman said, CISA is at an inflection point, and
Congress made CISA an operational component of DHS 5 years ago.
Since then, its budget has nearly doubled, and Congress has
provided it with a range of new authorities, from mandatory
cyber incident reporting to persistent threat hunting on
Federal networks to CyberSentry. CISA has ambitiously taken
on new responsibilities to meet the demands of an evolving
threat landscape, building trusted relationships with new
stakeholders in the process.
For that, I and our team commend CISA for its proven
ability to dynamically respond to evolving threats ranging from
election security, to open-source software vulnerabilities, to
the Shields Up campaign. As it relates to election security, I
hope to hear an update from CISA on some recent successes; this
launch promising new initiatives, including the National Risk
Management Center and the Joint Cyber Defense Collaborative, a
collaboration that so many outside organizations, private-
sector folks, are asking how do we get in, how do we
participate, which to me means you are a victim of your own
success in that regard in that there's high interest in growing
and expanding the ability to share information and collaborate
to take on our threats. All of these are worthy efforts. I
support them and am committed to their success.
Today I look forward to hearing how CISA will continue to
deliberate in the new work it takes on and the commitments it
makes to our partners. As more stakeholders become aware of
CISA and its capacity, they have placed more and more demands
on its resources. CISA cannot be, as you know, everything to
everyone, and it certainly does not have the resources to boil
the ocean.
Becoming the powerhouse cybersecurity and critical
infrastructure defense agency, CISA has the potential to be--
requires--what CISA has the potential to be requires clear
strategic direction and determined leadership. I have every
confidence that Director Easterly has both, and I will be
interested in learning more about your vision for CISA moving
forward.
I'm also interested, as I referenced, in the future of
JCDC. Stakeholders have applauded JCDC as an innovative,
flexible tool for CISA to gather and fuse threat information,
foster real-time collaboration, and push out security practices
through initiatives like its Shields Up campaign.
Over the past year-and-a-half, CISA has expanded JCDC's
focus to include open-source software security and protecting
high-risk communities by journalistic or civil society
organizations. Although these are worthwhile efforts, it's
unclear what criteria JCDC is using to select which areas to
focus on, which organizations to partner with, and not how
these activities are tied to the JCPO's original purpose of
streamlining cyber planning and operational collaboration.
I look forward to candid conversations about defining
JCDC's core functions, how to ensure JCDC partners are involved
in decisions about its future, and how it can bring a more
proactive posture to CISA's defense activities. Formalizing the
answers to these questions through authorization will ensure
JCDC has enduring value for years to come.
On a related note, I understand that CISA is in the process
of revamping the National Risk Management Center, and look
forward to learning more about plans to make CISA's--to make it
CISA's analytical hub.
Finally, it's critically important that CISA do more to
secure industrial control systems and other operational
technology. I appreciate CISA's support for my legislation that
we passed into law last year, the Industrial Control Systems
Cybersecurity Training Act, which will solidify the existence
of meaningful training courses to ensure OT remains at the
forefront of our security focus.
As I am sure you'll agree, CISA must develop that work
force now, not 5 years from now, while also doing more to
promote threats--to understand threats to OT systems, push out
its cyber performance goals, and grow programs like CyberSentry
that monitor our OT threats.
Thank you again to the Chairman for convening us here
today.
Thank you, Director Easterly, and your team who's worked
with us, for your testimony, and I look forward to a robust
conversation about attacking the threats that we face.
I yield back.
[The statement of Ranking Member Swalwell follows:]
Prepared Statement of Ranking Member Eric M. Swalwell
April 27, 2023
Good afternoon. I want to thank my friend, Chairman Garbarino, for
holding today's hearing on the future of the Cybersecurity and
Infrastructure Security Agency, and echo his appreciation to Director
Easterly for her participation today.
CISA is at an inflection point.
Congress made CISA an operational component of DHS nearly 5 years
ago.
Since then, its budget has nearly doubled and Congress has provided
it a range of new authorities--from mandatory cyber incident reporting,
to persistent threat hunting on Federal networks, to CyberSentry.
And CISA has ambitiously taken on new responsibilities to meet the
demands of the evolving threat landscape, building trusted
relationships with new stakeholders in the process.
I commend CISA for its proven ability to dynamically respond to
evolving threats, ranging from election security to open source
software vulnerabilities to the Shields Up campaign.
It has launched promising new initiatives, including the National
Risk Management Center and the Joint Cyber Defense Collaborative, aimed
at maturing how the Government understands systemic risk and
operationalizes partnerships across agencies and with the private
sector.
All of these are worthy efforts. I support them, and I am committed
to their success.
At the same time, at this critical juncture, CISA must be
deliberate in the new work it takes on and the commitments it makes to
its partners.
As more stakeholders have become aware of CISA and its capacity,
they have placed more and more demands on its resources.
CISA cannot be everything to everyone, and it cannot boil the
ocean.
Becoming the powerhouse cybersecurity and critical infrastructure
defense agency CISA has the potential to be requires clear strategic
direction and determined leadership.
I have every confidence that Director Easterly has both, and I will
be interested in learning more about her vision for CISA moving
forward.
I am also interested in discussing the future of JCDC.
Stakeholders have applauded JCDC as an innovative, flexible tool
for CISA to gather and fuse threat information, foster real-time
collaboration, and push out security practices through initiatives like
its "Shields Up" campaign.
Over the past year-and-a-half, however, CISA has expanded JCDC's
focus to include open-source software security or protecting high-risk
communities like journalistic or civil society organizations.
Although these are worthwhile efforts, it is unclear what criteria
JCDC is using to select which areas to focus on, which organizations to
partner with (and for what reason), and how these activities are tied
to the JCPO's original purpose of streamlining cyber planning and
operational collaboration.
I look forward to candid conversations about defining JCDC's core
functions, how to ensure JCDC partners are involved in decisions about
its future, and how it can bring a more proactive posture to CISA's
defensive activities.
Formalizing the answers to these questions through authorization
will ensure JCDC has enduring value for years to come.
On a related note, I understand that CISA is in the process of
revamping the National Risk Management Center, and I look forward to
learning more about plans to make it CISA's analytical hub.
Like JCDC, I believe NRMC would benefit from authorization and hope
to work with you on that effort as you finalize the restructuring
process.
Finally, it is critically important that CISA do more to secure
industrial control systems (ICS) and other operational technology (OT).
These systems deliver indispensable services--the water we drink,
the energy that powers our home, the gas we put in our cars, the goods
we manufacture, and countless others.
They are also increasingly connected to the internet, uniquely
vulnerable, and require specialized expertise to secure--and we don't
have nearly enough OT security professionals in the workforce today.
CISA needs to be developing that workforce now, not 5 years from
now--while also doing more to understand threats to OT systems, push
out its Cyber Performance Goals, and grow programs like CyberSentry
that help to monitor OT threats.
Thank you, again, Director Easterly, for your testimony.
I yield back.
Mr. Garbarino. Thank you, Ranking Member Swalwell.
I do not see the Chairman or the Ranking Member of the full
committee. So other Members of the committee are reminded that
opening statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
April 27, 2023
Good afternoon. I want to thank Chairman Garbarino and Ranking
Member Swalwell for organizing this important hearing and Director
Easterly for coming to testify before the subcommittee today.
The subject of today's hearing is of particular importance to me,
since I was one of a small group of legislators who spent years working
on legislation to remake CISA's predecessor agency--a small, under-
resourced headquarters component known as the National Protection and
Programs Directorate--into the operational cyber powerhouse we know
today.
Since Congress established CISA 4½ years ago, the agency has
developed a broad range of capabilities to defend critical
infrastructure from cyber and physical threats.
I am proud of the Homeland Security Committee's bipartisan work to
ensure CISA has the authorities and resources necessary to fulfill its
broad and incredibly important mission, and I have been impressed with
how Director Easterly has utilized these authorities to build out
CISA's capabilities and visibility.
As CISA continues to mature as an agency, it is essential that it
maintain a clear vision of the agency's role.
In particular, as the agency determines its priorities, CISA must
ensure that both cyber and physical threats continue to receive the
necessary attention.
I was concerned that the President's budget request included
proposed cuts to vital programs within the Infrastructure Security
Division.
The distinction between cyber and physical threats is not always as
clear as it may seem, and CISA's ability to coordinate security efforts
against all threats is part of what gives it a unique role in defending
critical infrastructure.
Continuing to balance investments across all divisions will produce
the most security benefits.
To that end, I am also interested to hear more about CISA's plans
for the National Risk Management Center, which if utilized properly,
has the potential to become a vital center for risk analysis, serving
CISA, other Federal agencies, and critical infrastructure more broadly.
The Biden administration's new National Cybersecurity Strategy,
released earlier this year, lays out ambitious goals for improving the
state of our Nation's cybersecurity.
The Strategy provides clear objectives for Federal agencies to
implement as they carry out their cybersecurity mission.
CISA's role as the national coordinator for critical infrastructure
security and resilience will make it a central player in bringing
together the Federal Government, State and local governments, and the
private sector in carrying out the Strategy.
But, considering the broad range of stakeholders that CISA serves,
it risks being pulled in too many directions.
I look forward to hearing more about how CISA plans to contribute
to the Strategy's implementation as the administration develops more
detailed plans for implementing its strategic objectives, and how CISA
will prioritize its own goals.
As CISA continues to grow as an agency, I appreciate that it is
working hard to fill the many vacancies in its ranks.
I urge CISA to use the significant hiring it plans to undertake in
the coming year to improve the diversity of its own workforce, just as
it must prioritize efforts to educate and train a more diverse cyber
workforce nationally.
Additionally, expanding the number and diversity of voices CISA
hears from as it consults with outside stakeholders, both formally and
informally, will make CISA better able to address the broad range of
threats our Nation faces.
I hope as the Cybersecurity Advisory Committee continues its work
going forward that its makeup will be more inclusive of the number of
women and people of color with cybersecurity expertise whose
perspective CISA would benefit from hearing.
Thank you again to the Chair and Ranking Member for their on-going
work to strengthen our Nation's cybersecurity and to Director Easterly
for her tireless work at CISA.
I yield back.
Mr. Garbarino. I am pleased to have Director Easterly
before us today to discuss this very important topic. I ask
that our witness please rise and raise their right hand.
[Witness sworn.]
Mr. Garbarino. Let the record reflect that the witness has
answered in the affirmative.
Thank you. Please be seated.
I would now like to formally introduce our witness, Jen
Easterly. She's the director of the Cybersecurity and
Infrastructure Security Agency at DHS. She was nominated by
President Biden April 2021, and unanimously confirmed by the
Senate on July 12, 2021. That's no easy feat.
As director, Director Easterly leads CISA's effort to
understand, manage, and reduce risk to the cyber and physical
infrastructure Americans rely on every day.
Before serving in her current role, she was the head of
Firm Resilience at Morgan Stanley, responsible for ensuring
preparedness in response to business-disrupting operational
incidents and risks. Director Easterly also has a long tenure
in public service, to include two tours at the White House.
Director, thank you for being here today. I now recognize
you for 5 minutes to summarize your opening statement.
STATEMENT OF JEN EASTERLY, DIRECTOR, CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY (CISA)
Ms. Easterly. Thank you so much, Chairman Garbarino,
Ranking Member Swalwell, Members of the subcommittee, for the
opportunity to appear before you today. I'm really excited to
share what we're doing to ensure that the CISA of today and of
tomorrow is the agency that our Nation deserves.
As America's cyber defense agency, CISA leads the national
effort to understand, manage, and reduce risk to the cyber and
physical infrastructure that Americans rely on every day. Since
CISA was established in 2018, the threats we face have become
more complex, more geographically dispersed, and they affect
the entire cyber ecosystem, from Federal civilian government
agencies, to businesses large and small, to State and local
governments and, ultimately, the American people.
CISA's mission has never been more urgent, and it's a sense
of urgency that each of us at CISA feels every day to ensure
that we are making the best use of the resources and
authorities that Congress has generously provided to us over
the past several years in demonstrating a clear return on
investment to both you and to the American people.
As you're well aware, the past 2 years have been pretty
intense, from the SolarWinds supply chain compromise to the
ransomware attack on Colonial Pipeline, from vulnerabilities
exploited in Microsoft Exchange servers to vulnerabilities
mitigated in Log4j software, from our Shields Up campaign to
safeguard critical infrastructure from Russian malicious cyber
activity, to efforts across the Nation to help State and local
election officials secure election infrastructure during the
2022 midterms.
CISA, along with our partners, has been front and center in
each. We've aggressively leveraged all of the authorities that
we've been granted to enhance our operational visibility into
Federal civilian networks through persistent hunting; to conduct
planning and operations with our industry partners, including
our operational technology and industrial control system
partners through the Joint Cyber Defense Collaborative; to
identify vulnerable systems through our admin subpoena process
and notify our partners to prevent them from being exploited;
to serve as both a sector risk management agency for eight
sectors and one subsector; and, more broadly, as the national
coordinator for critical infrastructure security and
resilience, working with our sister SRMAs to reduce cross-
sector risk.
Even as we've maintained the highest operational tempo in
an increasingly complex and demanding threat environment, we've
been growing and maturing as a new agency, co-creating a
culture of collaboration to enable us to attract and retain the
best talent in the Nation and, indeed, growing that talented
work force by nearly 1,000 new teammates in the last couple of
years; meticulously executing our rapidly-expanding budget to
ensure we remain responsible stewards of taxpayer dollars.
Last September, we published our first-ever strategic plan,
which outlines our ambitious goals through 2025 across four key
pillars: Cyber defense, risk reduction and resilience,
operational collaboration, and agency unification.
I greatly appreciate this committee's steadfast work to
help CISA achieve these goals. I also appreciate that the
tenets outlined in the CISA 2025 plan, from optimizing the
organization, growing an expert cyber work force, enhancing
operational visibility, advancing our capabilities, harnessing
partnerships, and measuring outcomes to determine progress are
all well-aligned. So our efforts together can advance a shared
vision for cybersecurity in America.
We're aggressively executing this plan, working with our
trusted partners, to enable a collective defense of our
critical infrastructure, to include working with those target-
rich, cyber-poor entities like small businesses and school
districts and water facilities and hospitals and local election
offices, to ensure that they have the resources and tools they
need to improve their cybersecurity and build resilience.
Needless to say, there is much, much more to be done to
protect and defend our Nation's critical infrastructure, from
driving adoption of secure-by-design principles in our
technology products, to championing corporate cyber
responsibility in every board room, to implementing a
groundbreaking cyber incident reporting regime, and much more
to be done to mature our great team and optimize our value to
our partners, with perhaps no partner more fundamental to our
success than you all.
We would not be here today without tremendous bipartisan
Congressional support, especially from this committee and this
subcommittee. We are very grateful for your commitment to
ensuring that CISA is armed with the talent, the resources, and
the authorities necessary to meet our mission of reducing risk
to the critical infrastructure Americans rely on every day.
This is truly a no-fail mission. Thanks to your support, we are
thriving.
While we're proud of what we've accomplished to date, we
recognize the criticality of continued support in terms of
authorities and budget to ensure that we sustain this progress.
We must and we will continue pushing hard, under your oversight
and with your support, to strengthen this agency and, by
extension, the security and resilience of our Nation.
Thank you for the opportunity to appear before you today. I
look forward to your questions.
[The prepared statement of Ms. Easterly follows:]
Prepared Statement of Jen Easterly
April 27, 2023
Chairman Garbarino, Ranking Member Swalwell, and Members of the
subcommittee, thank you for the opportunity to testify regarding the
priorities of the Cybersecurity and Infrastructure Security Agency
(CISA) in the coming year.
In today's interconnected society, our Nation faces a wide array of
serious risks from many threats, all with the potential for significant
consequences that can impact our critical national functions. These
functions are built as "systems of systems" with complex designs,
numerous interdependencies, and inherent risks. While this structure
allows for significant gains in efficiency and productivity, it also
allows opportunities for nation-state actors and criminals, foreign and
domestic, to undermine our national security, economic prosperity, and
public health and safety, creating cascading effects across our Nation.
As the Nation's cyber defense agency, CISA is charged with leading
the national effort to understand, manage, and reduce risk to the cyber
and physical infrastructure Americans rely on every hour of every day.
Securing our Nation's critical infrastructure is a shared
responsibility requiring not just a whole-of-Government, but a whole-
of-Nation approach. CISA is only able to accomplish our mission by
building collaborative, trusted partnerships across all levels and
branches of government, the private sector, academia, and the
international community. CISA's Joint Cyber Defense Collaborative
(JCDC), for the first time, enables the Government, the private sector,
and U.S. international partners to come together to develop joint cyber
defense plans and enable real-time information sharing.
As part of this mission, CISA plays two key operational roles.
First, we are the operational lead for Federal cybersecurity, charged
with protecting and defending Federal Civilian Executive branch (FCEB)
networks (e.g., the ``.gov''), in close partnership with the Office of
Management and Budget, the Office of the National Cyber Director, and
agency chief information officers and chief information security
officers. Second, we serve as the coordinator of a national effort for
critical infrastructure security and resilience, working with partners
across Government and industry to protect and defend the Nation's
critical infrastructure. In both roles, CISA leads incident response to
significant cyber incidents in partnership with the Federal Bureau of
Investigation (FBI) and the intelligence community.
I am truly honored to appear before this committee today to discuss
CISA's critical mission and our exceptional workforce that works
tirelessly every day to fulfill it. Since being sworn in as director, I
continue to be impressed with the talent, creativity, and enthusiasm of
the dedicated CISA employees I am entrusted to lead. I have the best
job in Government.
CISA 2023 and 2024 Priorities
Looking forward into the coming year, CISA will remain focused on
strengthening our Nation's cyber and physical defenses. We will work
closely with our partners across every level of government, in the
private sector, and with local communities to protect our country's
networks and critical infrastructure from malicious activity and will
continue to share timely and actionable information, intelligence, and
guidance with our partners and the public to ensure they have the tools
they need to keep our communities safe and secure and increase
nationwide cybersecurity preparedness.
Overall, we continue to make critical investments in our mission-
enabling activities and functions that will mature the agency and
better support the execution of our operational capabilities. CISA's
Mission Support program provides enterprise leadership, management, and
business administrative services that sustain day-to-day management
operations for the agency. This is essential to ensure we can hire a
diverse and talented workforce and execute our missions with the
technology and speed that keep us ahead of our adversaries.
CISA is also focused on the work we must do to implement the Cyber
Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA must
ensure that it has the staffing, processes, and technology capabilities
in place to successfully implement and utilize information provided
through CIRCIA. We must engage in additional outreach efforts regarding
the notice of public rulemaking and the planning efforts required to
educate covered entities and CISA stakeholders on the cyber incident
reporting requirements, reporting protocols, and reporting methods, as
well as voluntary reporting options. In addition to the rulemaking
process, CISA must ensure we can receive, manage, analyze, secure, and
report on incidents reported under CIRCIA, maturing our current ability
to receive and analyze incident reports, manage incidents, coordinate
with and notify the interagency, and implement incident data protection
functions required by CIRCIA.
Cybersecurity
The Cybersecurity Division (CSD) spearheads the national effort to
ensure the defense and resilience of cyber space. CSD will continue to
build the national capacity to detect, defend against, and recover from
cyber attacks. CSD will continue working with Federal partners to
bolster their cybersecurity and incident response postures and
safeguard FCEB networks that support our Nation's essential operations.
CSD will also continue our critical work partnering with the private
sector and State, local, territorial, and Tribal (SLTT) governments to
detect and mitigate cyber threats and vulnerabilities before they
become incidents.
New efforts at CSD will include initiating the Joint Collaborative
Environment (JCE), which will enable CSD to develop an internal
analytic environment that provides more efficient analysis of mission-
relevant classified and unclassified data through automation and
correlation to identify previously-unidentified cybersecurity risks.
The JCE enables CSD to fulfill its mission and better integrate cyber
threat and vulnerability data that CISA receives from our Federal,
SLTT, and private-sector stakeholders, and rapidly work with those
stakeholders to reduce associated risk. To effectively execute our role
as the operational lead for Federal civilian cybersecurity, CSD must
maintain and advance our ability to actively detect threats targeting
Federal agencies and gain granular visibility into the security state
of Federal infrastructure. To effectuate these goals, CSD continues to
mature the National Cybersecurity Protection System (NCPS) and Cyber
Analytics Data System (CADS).
In the coming year, portions of the NCPS will transition to the new
CADS program with intrusion detection and intrusion prevention
capabilities remaining under the legacy program. CADS will provide a
robust and scalable analytic environment capable of integrating mission
visibility data sets, visualization tools, and advanced analytic
capabilities to cyber operators. CADS tools and capabilities will
facilitate the ingestion and integration of data as well as orchestrate
and automate analysis that supports the rapid identification,
detection, mitigation, and prevention of malicious cyber activity.
Together with the Continuous Diagnostics and Mitigation (CDM)
program, these programs provide the technological foundation to secure
and defend FCEB departments and agencies against advanced cyber
threats. CDM enhances the overall security posture of FCEB networks by
providing FCEB agencies and CISA's operators with the capability to
identify, prioritize, and address cybersecurity threats and
vulnerabilities, including through the deployment of Endpoint Detection
and Response (EDR), cloud security capabilities, and network security
controls.
CSD will continue to advance the CyberSentry program, which is a
voluntary partnership with private-sector critical infrastructure
operators designed to detect malicious activity on the Nation's
highest-risk critical infrastructure networks. CyberSentry provides
best-in-class commercial technologies that allow both CSD analysts and
each partner organization to rapidly detect threats that attempt to
move from an organization's business network to impact industrial
control systems. While CyberSentry is intended only for the most at-
risk or targeted critical infrastructure entities, CSD intends to
deploy capabilities to additional critical infrastructure partners to
meet significant demand for the program based upon operational
successes achieved to date.
Integrated Operations
The Integrated Operations Division (IOD) coordinates CISA
operations at the regional level and delivers CISA capabilities and
services to support stakeholders in preparing for, mitigating,
responding to, and recovering from incidents that impact critical
infrastructure. Additionally, IOD monitors and disseminates cyber and
physical risk and threat information; provides intelligence context to
support decision making; and performs agency-designated Emergency
Support Functions. IOD will continue to enable seamless and timely
support to CISA stakeholders across the Nation, meeting our partners
where they are in communities in every State.
Infrastructure Security
CISA's Infrastructure Security Division (ISD) leads and coordinates
national programs and policies on critical infrastructure security,
including conducting vulnerability assessments, facilitating exercises,
and providing training and technical assistance. ISD's mission focuses
on efforts such as reducing the risk of targeted violence directed at
our Nation's schools, communities, houses of worship, and other public
gathering locations. In addition, ISD leads programmatic efforts to
secure our Nation's chemical infrastructure through implementation of
the Chemical Facility Anti-Terrorism Standards (CFATS) regulation,
authority for which is expiring on July 27, 2023.
Emergency Communications
CISA's Emergency Communications Division (ECD) enhances public
safety communications at all levels of government across the country
through training, coordination, tools, and guidance. ECD leads the
development of the National Emergency Communications Plan (NECP) and 56
State-wide Communications Interoperability Plans to maximize the use of
all communications capabilities--voice, video, and data--available to
emergency responders and to ensure the security of data exchange. ECD
also assists local emergency responders to communicate over commercial
networks during natural disasters, acts of terrorism, and other
significant disruptive events. The Emergency Communications program
supports Nation-wide sharing of best practices and lessons learned
through facilitation of SAFECOM and Emergency Communications
Preparedness Center governance bodies.
Stakeholder Engagement
The Stakeholder Engagement Division's (SED) activities focus on
fostering collaboration, coordination, and a culture of shared
responsibility for national critical infrastructure risk management
with Federal, SLTT, and private-sector partners in the United States,
as well as international partners. SED also executes CISA's roles and
functions as the Sector Risk Management Agency (SRMA) for 8 of the
Nation's 16 critical infrastructure sectors and will lead coordination
with SRMAs, the broader national voluntary critical infrastructure
partnership community, and across all sectors to ensure the timely
exchange of information and best practices. In partnership with the
Federal Emergency Management Agency (FEMA), SED will continue
implementing the State and Local Cybersecurity Grant Program, to
include providing subject-matter expertise and leading program
evaluation efforts to ensure State and local entities can access grant
resources to enhance cybersecurity resiliency and reduce cybersecurity
risk.
National Risk Management Center
The National Risk Management Center (NRMC) develops analytic
insights to identify and advance risk mitigation opportunities that
improve national security and resiliency across critical infrastructure
sectors. These analytic products support investment and operational
decision making throughout the public and private sectors. The NRMC
will continue two critical efforts related to SRMAs and National
Critical Function (NCF) Analytics in the coming year.
First, the NRMC will continue to expand risk analysis and risk
management across high-priority critical infrastructure sectors. This
risk analysis provides insight into cross-sectoral risk and significant
sector-specific risks to support all of CISA in routinely identifying
and prioritizing focused risk-management opportunities to create
tangible risk reduction outcomes. Second, the NRMC will continue our
NCF efforts to enhance analytic capabilities, including methodology and
framework development to identify and characterize critical
infrastructure interdependencies within and across NCFs. This includes
applied analysis to meet specific analytic requirements in the
infrastructure community to enable CISA to understand consequences that
extend beyond a single sector.
Conclusion
I am honored to represent my dedicated teammates at CISA who work
indefatigably in support of our mission to understand, manage, and
reduce risk to our cyber and physical infrastructure. The risks we face
are complex, geographically-dispersed, and affect a diverse array of
our stakeholders, including Federal civilian government agencies,
private-sector companies, SLTT governments, and ultimately the American
people. However, CISA stands ready to carry out these critical mission
imperatives.
Before I close, I would like to take a moment to recognize the
Homeland Security Committee's and this subcommittee's strong support
for CISA. For myself, and on behalf of our CISA workforce, thank you
for your support. As one team unified behind our shared mission, we
will continue to operate in an efficient and cost-effective manner.
There is much work to be done and I look forward to working with you
during the 118th Congress to continue strengthening this agency, and by
extension, the security and resilience of our Nation's networks and
critical infrastructure.
Thank you for the opportunity to appear before you today, and I
look forward to your questions.
Mr. Garbarino. Thank you, Director Easterly.
Members will be recognized by order of seniority for their
5 minutes of questioning. An additional round of questioning
may be called after all Members have been recognized.
I'm not going to call myself first because my Vice Chair
has another hearing she has to go to and I know she's got some
very interesting questions, so I would like to yield.
I recognize Ms. Lee from Florida for 5 minutes.
Ms. Lee. Thank you, Mr. Chairman. Thank you, Director
Easterly, for being here today.
In my former role as Florida's secretary of state, I had
the opportunity, of course, to work with you; your predecessor,
Director Krebs; your team over at CISA, in working to secure
election infrastructure. So I'd like to begin there with a
couple of questions about that sector and the work of CISA in
the elections arena.
Starting out, would you please describe for the committee
what CISA does in collaboration with State and local election
officials as it relates to cyber-specific risk assessments, and
then also, where appropriate, the deployment of hunt and
incident response teams to State and local elections offices?
Would you please describe those services, when they are
utilized, and whether you see the need for them increasing or
decreasing?
Ms. Easterly. Yes. Thanks so much. Thank you for your
partnership and your leadership on this issue in particular.
So as you know, we've been in this role now since 2017, and
we have been learning constantly about the demands of election
security--election infrastructure security. Really, I would say
refining our relationships with State and local officials to
ensure that we are meeting their demands. As I think you know,
from 2017 to 2020, our focus was very much on those cyber
services, from vulnerability scanning to remote vulnerability
assessments, to penetration testing, to helping with incident
response. I think actually we are in a much better place in
terms of cyber hygiene and cybersecurity with our election
infrastructure.
One thing that we found, however, going through 2022 was
that the threats were very different now. Not only was there
cyber, but there was also physical security issues, there were
insider issues, and there were issues of concern around foreign
influence and disinformation. So while we continue to provide
those cybersecurity services, we are actually expanding our
full range of services based on the demands that we're getting
from State and local officials.
So one of the things that we did earlier this year was set
up a full road map along five lines of effort, and we provided
it to our State and local election officials. A full range of
those cybersecurity services that you mentioned, Congresswoman,
but also physical security, insider security. Then we're really
pushing hard to get beyond the State and the State election
directors, so we can get down to communities and counties and
parishes and towns, because we see those are the entities that
are truly rich as a target but cyber poor.
So the other thing we did is we put together a place mat of
services so that there was no mystery in terms of what we
offer. We made that available to all of our constituents using
our field forces that we've grown almost double over the past
several years.
Ms. Lee. On that subject, I know one of the challenges that
faces CISA and many other partners across sectors as it relates
to technology and cyber is recruitment and retention of
appropriate talented, trained people. I know CISA launched the
Cyber Talent Management System back in 2021, with the effort,
the intention to be to recruit and retain the appropriate
professionals you need for your work force.
How has CTMS been working? You mentioned the expansion of
your team. Have you been able to effectively and efficiently
recruit? How does your fiscal year 2024 request support the use
of that operation and recruitment?
Ms. Easterly. Yes. Thank you for asking the question. That
was, as you probably know, about 7 years in the making. So
actually implementing it has been something that's been a real
project that we've continuously had to look at how it's working
and ensure it truly streamlines our ability to bring on more
talent.
I think we're at about 80 people with the Cyber Talent
Management System and some really extraordinary talent. At this
point in time, we continue to use our Title V authorities, our
normal authorities to bring on talent. We are hoping to use
CTMS more aggressively this year. But I will tell you, I think
the recruiting that we've done to date is a real success story:
516 people last year, we're on pace to exceed that, our
retention level is between 7 and 8 percent. It's not just
quantity. We are bringing in some of the best talent across the
country.
While our work force has grown every year, the request that
we put into the budget only adds a very small increment, I think
maybe 10 people. So what we're doing now is trying to get down
to about 90 percent total, and then, of course, we'll focus on
retention. But to be frank, I am OK if somebody comes to work
at CISA for 3 to 5 years and then goes off to a hospital or a
power company or a bank to help them with their critical
infrastructure security, because at the end of the day, this is
really about collective cyber defense, and we need to work
together hand-in-hand.
Ms. Lee. Mr. Chairman, my time has expired. I yield back.
Mr. Garbarino. The gentlelady yields back.
I now recognize the gentleman from Louisiana, Mr. Carter,
for 5 minutes.
Mr. Carter. Mr. Chairman, thank you very much.
Director Easterly, thank you very much for being here.
Thank you for the incredible work that you do.
In my home State of Louisiana and around the Nation, far
too many higher education institutions are experiencing data
breaches. What steps is CISA taking to protect the privacy and
integrity of our institutions and combat critical
infrastructure cybersecurity issues?
Ms. Easterly. It's a real--it's a real scourge across the
country. One of the focus areas that we did, actually, based on
being asked by the Congress to take a look at the K-12
Cybersecurity Act, was we spent a lot of time putting together
a guide for K-12 schools and school districts across the
country. We worked with a lot of experts to ensure that it was
a guide that schools which were part of those target-rich,
resource-poor entities could actually take advantage of. So we
created this guide, very simple steps about things that can be
done to prevent data breaches and ransomware attacks. We've
seen a lot of that.
Then what we're doing is working with our field forces to
actually do outreach across the country to schools and school
districts to ensure that they understand the resources, the
free resources that we provide, and they can take advantage of
them so they can drive down risk. So we've aggressively started
that outreach at the beginning of fiscal year 2023, so that at
the end of the day, we can measure success by seeing whether we
were able to drive down some of these events that
unfortunately----
Mr. Carter. How does that success measure?
Ms. Easterly. So what we want to do----
Mr. Carter. Are you seeing success marginally?
Ms. Easterly. So we see success based on the feedback we're
getting. The problem is, is we don't know the universe of these
threats at this point in time. This is why the CIRCIA, the
Cyber Incident Reporting for Critical Infrastructure Act, is so
fundamentally important, because we'll finally get an idea of
the universe of ransomware incidents. For right now, it is a
lot of the feedback that we get directly saying, because you
came and spent time with us, we implemented these things and
it's helped us improve our cybersecurity.
Mr. Carter. Tell me about HBCUs. We know that HBCUs have
come under attack. I'm an alumnus of Xavier University. Xavier
University was hit with a substantial cyber attack that
crippled the university and its system for some time. I know
that Howard University and many others, likewise, in almost
sequence, at one point there were like eight HBCUs, I think,
that were hit in succession.
Can you share with us any plans or actions that you've
taken since that to protect or encourage or enhance the ability
to make those institutions safe going forward, or safer?
Ms. Easterly. Yes. Thanks for asking the question. So we've
actually done a lot of work with HBCUs. Unfortunately, much of
that work is about the bomb threats that they have received, to
ensure that their physical security and that they were prepared
for that. At the same time, however, we have been working as
part of our outreach to target-rich, resource-poor entities to
help them understand those steps that they can take to increase
their baseline.
I don't have the information specifically on our outreach
with respect to cyber for HBCUs, Congressman, but I'm happy to
get back to you on that.
Mr. Carter. OK.
Ms. Easterly. The one point I would make is, a recent
program that we just implemented had some real stunning near-
term success, and some of it is with institutions of higher
learning, and that's the Pre-Ransomware Notification
Initiative. We'll get tips from security researchers and from
industry about ransomware getting put down on a system. Before
it actually gets activated, we can actually notify that entity
and they can do something about it before they have a really
bad day. Many of the targets that we've been notifying are K-12
and institutions of higher education. So I'm happy to get you
more details.
Mr. Carter. With the minute, 36 seconds left, I want to ask
you quickly about drones. We know that we see the increased use
of drones. We visited the Southern Border this past weekend. We
know that drone traffic is incredible and a real impediment to
protecting the Southern Border. We also know that critical
infrastructure, pipelines, utility companies, are crime scenes,
and drug trade. Because my understanding is now that the drones
are bigger, they're fuel-operated, so they can go longer,
faster, and they have the capacity to carry up to 50, 60
pounds, which makes them very, very dangerous.
Can you share with us what you can about what you guys are
doing relative to critical infrastructure in the drone usage?
Ms. Easterly. It's a real concern of ours as well. We have
a section that's part of our infrastructure security that
focuses on physical security that is taking a hard look at this
issue. We've done a few assessments to date, and we're looking
to update them, working with our partners. But I've spent time,
in particular up in New York, where there's a real concern from
our folks on the ground of nefarious use of some of these
capabilities.
So I'd be happy to follow up with you and get more
information on the kind of things we're doing and get your
feedback on what might be more helpful to your constituents.
Mr. Carter. If there's anything that you can share that we
can share with them in the way of grants, in the way of
resources, in the way of things that they could be doing to
better protect or arm you with facts that are going on, whether
it's at the university level, at the plants or crime scenes or
other critical infrastructures, that there may be resources
that they may not be available or aware of that we could make
available to them would be very----
Ms. Easterly. Yes. I'd love to follow up on that
conversation in particular.
Mr. Carter. Thank you very much. Mr. Chairman, I yield
back.
Mr. Garbarino. The gentleman yields back.
I now recognize myself for 5 minutes of questioning.
Director Easterly, I'd like to start my questions today by
asking you about a fundamental issue: Our cyber work force
challenge. CISA is obviously not the only place where the work
force gap is an issue, and there are many agencies in the
Federal Government and companies across the private sector that
are working to improve the national cyber work force. You know,
we've talked about, and you just said in your answers to Ms.
Lee, how you have been able to make some hires recently. That's
very exciting news.
But I want to know, what do you see as CISA's role in
developing the national cyber work force both public and
private?
Ms. Easterly. Yes. Thanks for the question, Chairman. So I
look at this as, first of all, we've got to make sure CISA has
what we need. Then there's, of course, the Federal work force,
I think probably some 35,000, focus there. In the country
itself 700,000. Cyber is a borderless space, if you look at the
big number around the world with our allies, 3.5 million.
So I'd say a couple of things. First of all, with respect
to the country, I do--just because we serve as America's cyber
defense agency, I do think we play an important role in helping
to build that pipeline, because at the end of the day, I want
to make sure CISA is successful in the next 25, 50, 100-plus
years. That, frankly, has to start from the youngest of ages.
So one of the things that we've done based on a grant that
we received, the Cyber Education Training and Assistance
Program, we've given that grant to the Cyber Innovation Center,
and they make curriculum available to K-12. So that if you are
giving this curriculum to help some of our more younger members
understand that, hey, this cyber thing is not that scary, it is
really interesting, I want to be a part of it, that can
actually start that pipeline. So I think that's one really
important aspect of it.
We also do training, retraining for the Federal work force,
for those who might want to get into cyber. Then we give grants
to organizations, like the NPower and the Cyber Warrior
Foundation, and those are underserved communities. So we're
looking at using a myriad of tools. We're also working, of course,
across the Federal Government with NIST, with the Office of the
National Cyber Director that's working on the more fulsome
cyber work force strategy.
Mr. Garbarino. I appreciate that and all the hard work that
CISA's doing. It's definitely--as you said, it's borderless. I
called it the third border the other day, but I got yelled at
by my staff for saying that, so I think I'm not allowed to say
it anymore.
So I do actually want to focus on something that was
brought up by one of our witnesses from--she was from the Bank
Policy Institute. She testified that, Financial Services
Sector, the cyber work force is spending 30 to 40 percent of
their time on regulatory compliance. The SEC--and I just met
with a major bank CISO last week who said by the end of this
year when some other regulations come out it is probably going
to be closer to 50 percent.
The SEC proposed a rule that seems to conflict with the
requirements and the Congressionally-mandated Cyber Incident
Reporting for Critical Infrastructure Act. So I'm wondering--we
had Chairman Gensler in front of the Financial Services
Committee last--2 weeks ago. What steps did you and Chairman
Gensler take to harmonize the proposed SEC rule at the Cyber
Incident Reporting for Critical Infrastructure Act rule making?
Ms. Easterly. Yes. Thank you for the question. Having spent
4.5 years at Morgan Stanley, and I know Heather and am very
sympathetic to those views, we don't want to create burden or
chaos. What we want to do is ensure that we get the information
in a streamlined way.
So, of course, we've had discussions across the Government.
As you know, Chairman, one of the things in CIRCIA was, of
course, the Cyber Incident Reporting Council, which is working
to figure out how to best harmonize among the various asks that
we have from the private sector.
I think the good news is, in the legislation that you all
gave us, it very specifically accounts for any crossover. So
very specifically, legislation says that if there's a
requirement to report to another agency and they have a
reporting time line that's similar to ours, if they have
substantially similar information, then you can sign a
memorandum of agreement so you don't have to report twice. We
are working to ensure that that is a streamlined process. I
think that is really important, again, from a harmonization
perspective.
Mr. Garbarino. I appreciate that. I know the Council's
supposed to be giving us a report and we are waiting for that.
I did want to follow up. Have you spoken to Chairman
Gensler? From his testimony, it made it sound like you two
speak quite often.
Ms. Easterly. We absolutely have spoken. I think we are
both trying to accomplish the goal of ensuring that we get the
information that we need. His role is different than mine, of
course. The reason why we need the information is so we can
render assistance, and also we can use that to help protect the
wider ecosystem. So I'm sure we'll end up in a--I hope we'll
end up in a good place.
Mr. Garbarino. I hope so too. I'll just say, 50 percent of
your time on having somebody spend 50 percent of their time on
compliance, you know, that means 50 percent of the time they're
not on defense----
Ms. Easterly. One hundred percent.
Mr. Garbarino. So I appreciate that. I yield back.
I recognize the gentlelady and former Chairwoman of this
committee, Ms. Clarke from New York.
Ms. Clarke. Good afternoon. Let me begin by first thanking
our Chairman Garbarino and Ranking Member Swalwell for
permitting me to waive on to the subcommittee for holding this
very important hearing on the state of our Nation's
cybersecurity posture and CISA's role and perspective. Thank
you, gentlemen.
Let me also thank Director Easterly for your leadership and
service and for joining us today.
When I chaired this subcommittee last Congress, I often
remarked that there is a disconnect, an imbalance, if you will,
between the scope of CISA's mission versus its authorities.
Congress expects CISA to carry out one of the broadest, most
ambitious missions in the Federal cyber space. But its
authorities pale in comparison to many of its components and
counterparts.
At least until recently, in the 117th Congress, we worked
across the aisle to pass legislation to empower CISA within the
interagency, grow its visibility into cyber threats, and make
sure CISA can require, not just request, that companies report
cyber incidents to CISA for the benefit of the broader
ecosystem. So I for one am ready to start seeing these results.
So, Director Easterly, my first question is about CIRCIA.
First, is CISA on track to meet the rulemaking deadline and
statute? What would it take for CISA to move faster?
Ms. Easterly. Thank you very much. Great to see you again,
Congresswoman.
I think few people in this country want me to move faster
than me. You know, and we did want an accelerated process, but
we were told to go through the full rulemaking process, and we
are.
You know, you point out an authorities perspective. We
don't do law enforcement, we don't do intel, we are not a
military agency. We're a voluntary agency at the end of the
day. So we felt that the consultative process was really
important, particularly given some of the concerns that the
Chairman articulated, so we did 27 listening sessions, 17 of
those were virtual. We did a request for information. We
received 130 comments.
We used all of that to help create the rule, which actually
now exists in draft, and we are going to have to go through the
process. But that rule should go out, the notice of proposed
rulemaking should go out on time in March 2024. Then the final
rule is on schedule 18 months later, September 2025.
Please trust me, I'm trying to do everything I can to
accelerate that process, but we want to get it right because it
is so important and so groundbreaking.
Ms. Clarke. Yikes. My next question is, what is CISA doing
in the mechanism to make sure that it can hit the ground
running when these rules go into effect?
Ms. Easterly. So it's a really important question, and some
of this was reflected in our budget, because this is not a
trivial task. We need to make sure that we have the people and
the technical infrastructure in place to be able to take these
huge amounts of reports that we're going to get, to ingest
them, to triage them, to analyze them, to respond to them, and
then to use them in an anonymized way to enable us to actually
get that information out to protect the larger sector. So that
is a huge amount of work, not only just the administrative
aspects of the rule making, but actually all of the technical
infrastructure in place across the agency. So we are in the
process of leveraging the funds that we've received and will
hopefully receive to be able to create that.
Ms. Clarke. So I want to thank you, because in responding
to Chairman Garbarino, you spoke about the regulatory
harmonization. That's a really key component. That's the only
way we are going to keep our private-sector partners engaged
and on-board and really feeling as though they're being heard.
Ms. Easterly. Yes, ma'am.
Ms. Clarke. My next question to you is whether CISA has an
approach for Federal regulators, like the SEC or FCC, about
entering into MOUs to share incident reports.
Ms. Easterly. Yes, 100 percent, and that's what I
mentioned. But I think this is a really good part of the
legislation. I mean, specifically it exempts the statute-exempt
companies from reporting to CISA if three conditions are met:
If it's similar information, similar time frame, and if the
other agency agrees to put an MOU in place. So we are very
happy to do that. We just need to negotiate each of those MOUs,
and our intent is to do that between the notice of public
rulemaking and the final rule.
Ms. Clarke. Very well. Well, before I close, I just want to
reiterate how important it is that CISA continue to engage with
stakeholders and hear outside perspectives about how to make
the rules as smart, effective, and tailored as possible to the
goals of CIRCIA. So thank you very much.
Mr. Chairman, I yield back.
Ms. Easterly. Thank you, ma'am.
Mr. Garbarino. The gentlelady yields back. Thank you for
coming. We love having you back here.
I now recognize Mr. Ezell from Mississippi for 5 minutes of
questioning.
Mr. Ezell. Thank you, Mr. Chairman. Good seeing you this
morning--this afternoon, Ms. Clarke and other Members.
Director Easterly, thank you for being here to participate
today in this very important hearing. I'd like to talk about
CISA's partnership with the FBI, especially considering the
Joint Ransomware Task Force recent work to take down these bad
actors.
I understand that JCDC is working to update the National
Cyber Incident Response Plan, which will also address this
partnership. This updated plan, how do you think CISA and the
FBI will work together to address incident responses?
Ms. Easterly. Thank you for the question. I have to say
that, you know, in my almost 30 years in Government, I have
never seen such a great partnership. I say that really
sincerely. Some of that was owing to personalities, but I think
it is very much a result of the mission, it's a function of the
mission.
So we partner very closely with FBI. In fact, the
legislation, the Joint Ransomware Task Force was actually--said
CISA will lead. We made the decision, we said that doesn't
really make a lot of sense. We need to make sure that FBI is
with us, linked arms, and so we made them a co-lead, because
it's really important. As you know, we have the asset
response--responsibilities and FBI has the threat response. So
we work together very symbiotically in everything we do to
ensure that, when there's an incident, we can be there to help
respond and FBI can be there to render assistance but to also
investigate.
So I'm incredibly pleased at the quality of that
relationship, both at the Federal level, sir, but also with
local law enforcement. That's something that our field forces
on the ground have developed really close working relationships
over the past couple years.
Mr. Ezell. Thank you for that. That is just so important
working with, not only the FBI but with our local law
enforcement, which is my background.
So CISA is requesting $98 million for requirements with a
cyber incident reporting for critical infrastructure. Can you
talk just a little bit about how the agency plans to spend this
money?
Ms. Easterly. Yes, absolutely. Thank you for that. So as I
was saying, this is one of the most important groundbreaking
things that I think the Congress has done for cybersecurity,
because for the first time, we will understand much more about
the universe of incidents and attacks; and we really don't.
Anybody that says it's going up, it's going down, is completely
anecdotal. So for the first time, we'll have a better picture
of that.
But it is not a trivial endeavor to set up the
infrastructure to enable us to ingest those reports, to triage
them, to analyze them, to enable a response, and then to use
them in an anonymized way that protects the victim but be able
to provide that as warning to the rest of the sector in the
ecosystem to help them drive down risks.
So that $98 million is both people, but it's also technical
infrastructure that will enable us to do all of those things,
from case management to stakeholder relationship management to
a threat intel platform to an analysis capability. That's what
we are putting in place now, sir, and hope that we get the
additional funding to allow us to do this the right way. It's
important for the Nation.
Mr. Ezell. Thank you. Mr. Chairman, I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize Mr. Menendez from New Jersey for 5 minutes
of questioning.
Mr. Menendez. Thank you, Mr. Chairman and Mr. Ranking
Member. Thank you for bringing us together here, second time in
this room in less than a couple of hours. So it's just good to
see you all in such a good mood.
Director Easterly, thank you for joining us today. You
know, I'm really thankful to be on this subcommittee. I think
about cybersecurity as often as I can. I'm also on the
Transportation and Infrastructure Committee here, and serve for
the Eighth Congressional District in New Jersey, which is home
to what security experts call the most dangerous 2 miles in the
country, and that was really because of the physical assets and
from a physical security perspective. But increasingly, I think
about all of the challenges from a cybersecurity one. So I'm
fortunate to have you here today and thankful for the work that
you do.
I guess starting off, you know, I think about it a lot but
you deal in it every day. Probably the most significant
position that we have in our country.
How do you feel about America's preparedness from a
cybersecurity perspective addressing, guarding against cyber
attacks today in 2023, on a scale of 1 to 10, let's say?
Ms. Easterly. I think we have made vast strides, even just
over the last couple of years. I think there is much work to be
done, to be very frank. In particular, my big concern is
nation-state adversaries, in particular China.
Mr. Menendez. Yep.
Ms. Easterly. If you read the--which I'm sure you did--the
intelligence community annual assessment that specifically
talks about actions that China may take to disrupt our critical
infrastructure in the event of a conflict, I am motivated every
day on the urgency of ensuring that the country is as prepared
as possible to withstand but really to be resilient too. At the
end of the day, I think our ability to prevent is very, very
difficult. We have to be able to mitigate and to recover and to
have the resilience to get our Nation back up and running if
there is a major attack.
Mr. Menendez. I appreciate that. When you engage with
different stakeholders from industry, you know, government
actors, what is their perception of the risk that cybersecurity
or cyber threat poses to all of us, either from municipalities
who may see their tax department hacked, to infrastructure or
operators of various infrastructure systems, transportation
systems? Where do you see across the board in a blended sort-of
average on a scale of 1 to 10?
I'll let you off, because I'm thankful to have you here,
and I won't make you share with us a specific number. But, you
know, I'm just trying to gauge what the perception is out there
of this threat and how serious people are taking it, because we
need to take it. This is, in my opinion, one of the most
critical threats to the well-being of our Nation.
Ms. Easterly. Yes. I agree with you, and I think it's
improving. It's improving because of Colonial Pipeline.
Mr. Menendez. Yep.
Ms. Easterly. It's improving because of the scourge of
ransomware. You know, ransomware has become, sadly, a kitchen-
table issue and, therefore, we are making cybersecurity and
cyber hygiene a kitchen-table issue. It's not where it needs to
be, but it's much better because of those things. So we are
working now with our field force day in/day out with businesses
large and small with some of these entities that weren't really
thinking about their cybersecurity, and telling them, these are
the basics that you need to do. Because it's not--when you're
doing the basics, you can actually deal with the vast majority
of the kind of threats that you would get from a cyber criminal
organization.
Mr. Menendez. You know, definitely let us know how we can
help amplify that message, right? You know, when we do small
business tours, right, we are generally talking about, you
know, tax credits to small businesses, right. But, like, we
should be talking about cybersecurity as well when we're
visiting, you know, all these different institutions, small-
and medium-sized businesses, companies in our districts.
But you're sort-of alluding to the challenge that I'm sure
gives you a lot of concern, that gives me a lot of concern, is
that we're admittedly not where we need to be. The way I see
this threat, especially when you talk about nation-state
adversaries, right, because it's not just China; it's Russia,
it's Iran. They are serious about having this ability to target
our various on-line components, especially our infrastructure,
which concerns me.
But the thing that keeps me up sometimes at night, because
a lot of things on this job keep me up at night, not my friends
here, this cybersecurity subcommittee is great. But the reality
is that the speed of a threat and the way in which it can
develop is exceedingly fast. As we do in this country, we're
thoughtful, but that means that we're not as quick as our
adversaries may be.
What can we do here to enable you, to enable your partners
and various stakeholders to not just be constantly playing
catch-up, which is going to be harder and harder to do the more
compounding that this challenge becomes, but what can we do to
potentially get ahead in the not too distant future?
Ms. Easterly. Yes. Thank you for asking the question. It's
a really, really important one.
First, in terms of how you can help, to help amplify our
message, I think, Chairman, you've done that before in terms
of, you know, I'm a big fan of multifactor authentication. So I
think, Congresswoman, you have as well. So I would welcome all
of you to help us get that message out. That's one thing.
The other thing is, we have done cybersecurity roundtables
in some of your districts, and we would love to do more. So if
that's something we can do to sit down with your constituents,
please let us know. We've got field forces.
Now, to your larger question, I think it's exactly the
right one, at the end of the day what we are doing as a status
quo can help make us more resilient, but I do not think it's
sufficient or sustainable. I think we need to take a different
approach, and this is one of the things we've been doing a lot
of work on.
First and foremost, we need to ensure that the technology
that underpins the critical services and functions that
Americans rely on every day is built secure, secure by design
with a limited number of vulnerabilities, and secure by default
with things like multifactor authentication, built in from the
start. We have, because of misaligned incentives, basically
allowed innovation--and we love innovation--but innovation
should not trump safety and security in a world where we all
rely on tech. So that's a really important message, and I'd
love to talk more about it at a separate time.
The second thing is we need to make sure that every leader,
every CEO, every board room is embracing corporate cyber
responsibility as a matter of good governance. Incredibly
important that that not get delegated to the IT people at a
CISO, but that CEOs see it as their responsibility.
Then, finally, we need to continue pushing hard on
persistent operational collaboration, the kind of things that
we're building with the Joint Cyber Defense Collaborative.
That's about a default to share on malicious activity, knowing
that a threat to one is a threat to all. It's about a coequal
partnership between Government and industry, with reciprocal
expectation of value-add and transparency where the private
sector doesn't have to worry about punitive sanction because
they share information. Then getting rid of the friction. It
has to be a frictionless experience. We have to have shared
analytics, shared platforms. That's what we are building with
our joint collaborative environment and our cyber analytic data
services.
So those three things are different in kind. I believe it's
those kind of things that will really enable us to get ahead of
this very difficult threat.
Mr. Menendez. Chair, I appreciate your generosity on time.
I yield back.
Mr. Garbarino. I thought it was a very important question.
I really wanted that on the record. So the gentleman yields
back.
I now recognize my colleague from Texas, Mr. Luttrell, for
5 minutes of questioning.
Mr. Luttrell. It's what's the best part about going last.
Everybody asked the questions that I was going to ask.
Thank you, Mr. Menendez, that was mine. I've been prepping
that for 2 weeks.
Mr. Menendez. I had been prepping it for 3 weeks.
Mr. Luttrell. All right. Always an overachiever.
Mr. Menendez. Don't worry, you're not last.
Mr. Luttrell. I mimic my colleague from California, Mr.
Swalwell's statement. You are the leading edge. You're the next
phase of combative frontier in the protection of our countries,
the cyber space. We'll no longer fight wars the way that my
colleagues and I did in the military with bombs, planes, and
guns. It's you. So thank you for taking and shouldering that
weight.
To drive a point home real quick, as far as when Mr.
Menendez asked what we can do, I think we just need to stay out
your way and give you the autonomy that you need. Understanding
that in the cyber space, when it comes to threat and risk, we
are so siloed, and that is an issue.
Are you having success in breaking down those silos when it
comes to multidepartment coordination?
Ms. Easterly. Yes, it's a great question. I think one of
the things that the Joint Cyber Defense Collaborative gave us
was the legislation. You know, it's in statute. It's the only
cyber entity in statute that says we bring together the Federal
cyber ecosystem. So not just CISA, but FBI and NSA and CYBERCOM
and other agencies. That's why, you know, it was built to
actually break down those silos, and we've been doing that over
a short period of time, not just bringing in industry, but
bringing in State and local colleagues, bringing in
international partners, and then by design, bringing in the
Federal Government. That is not an easy thing to do, sir.
Mr. Luttrell. I wouldn't think so.
Ms. Easterly. But we are trying really hard. I have to say,
you know, I joined this--I joined this job from the private
sector, and I thought there were a lot of issues with silos and
a lack of cohesion. So we know what the problem is and we are
working hard to enable us to fix it.
Mr. Luttrell. That's great to hear. I'm sure just the sheer
scalability is pretty arduous.
But as far as operating across multiple cloud services, you
know, with our threat-hunting teams, are we having success in
that? Because everyone's different. I mean, the communication
between the two are just completely--they are just Army-Navy to
each other. That's an analogy. I'm sorry.
Ms. Easterly. Be Navy.
Mr. Luttrell. I was waiting on that one, right.
To my point, if we do have a threat or an active attack in
a certain corporation, a department, whatever, do we have
success if it can move across multiple domains, with its
ability to track that, but also notify and prevent?
Ms. Easterly. Yes. I mean, it's another really, really
important question. Let me hit first from the Federal civilian
dot-gov, because we've been looking to make a lot of
improvements there. So we are now--we have radically improved
visibility that we really didn't have in SolarWinds. So
because of the authorities that we have to put endpoint
detection and response capabilities at departments and
agencies, we can do that persistent hunting so we can have that
visibility. We also now have something that gives us a
dashboard level view to say what's going on at those systems.
So that visibility is improving.
On cloud providers in particular, you know, there's
something called the shared responsibility model. I'm thinking,
you know, as a military guy, you know, if no one's in charge,
like, no one's in charge.
Mr. Luttrell. Right.
Ms. Easterly. If everyone's in charge, no one's in charge.
So I have a little bit of concern with the shared
responsibility model, particularly if it's putting the burden
of responsibility on businesses that just don't have the
resources to bear it. So I think at the end of the day, cloud
providers need to bear the bulk of the security burden, and the
visibility should come back to the entity that is contracted
with those cloud service providers.
So very important that things like logging, for example.
Security logs help us understand the nature of a threat and
malicious activity. But oftentimes if a cloud service provider
is charging you extra for that security feature, then the
customer will lack visibility. So there are things that we need
to do to work with cloud providers to ensure that the shared
responsibility model is not misplacing the burden on those who
can't bear it.
Mr. Luttrell. OK. I really would like to see that, not that
it's not doing this, but translate down into my rural district
in Polk County. You know, that's just something that hasn't
come to fruition yet. So I'm hoping this system will continue
to push the envelope and make sure that the--it's the American
public, at the end of the day, that needs protecting, not our--
everyone.
Ms. Easterly. One hundred percent. Yes.
Mr. Luttrell. I thank you so much. I yield back, Mr.
Chairman.
Ms. Easterly. I'd love to come out to your district and----
Mr. Luttrell. Come on.
Ms. Easterly [continuing]. Have a discussion.
Mr. Luttrell. You bet.
Mr. Garbarino. The gentleman yields back.
I now recognize the Ranking Member, Mr. Swalwell, for 5
minutes of questioning.
Mr. Swalwell. Thank you, Chairman.
Director, as you've laid out your mission and your
accomplishments and your challenges, I see it that one of your
greatest challenges is to figure out what are your core
competencies and what you can do well to have the greatest
impact and then what are the gaps that CISA can fill. Also,
what are the most important functions that need to be carried
out, even when doing so is controversial or risks picking a
fight? So I was hoping you could speak to that.
Ms. Easterly. Yes. Thank you for--thank you for asking the
question.
You know, when I came into this job, my predecessor is a
great friend of mine, did a strategic intent document. That
laid out some great priorities for what we do operationally,
but, you know, frankly, we needed a road map. So we spent about
a year actually developing that strategic plan. If you take a
look at that, and I'm sure you've seen it, but it's organized
not by our divisions or our mission-enabling offices. It's
organized by four key principles: Cyber defense, infrastructure
risk and resilience, operational collaboration, and agency
unification. Because I'm a firm believer that if everything is
a priority, nothing's a priority. So we basically laid out,
these are the things that everybody in the agency needs to do,
and we laid out representative outcomes, as well as a
measurement approach.
Now, based on that, every entity, every division, every
mission-enabling office did an annual operating plan that lays
out at a more granular level the measures of effectiveness and
measures of performance that they are responsible for, and I
track them on a quarterly basis. So we are really looking at
being much more rigorous in how we allocate our resources and
how we allocate our time to ensure that we are being good
stewards of the taxpayer dollars.
Mr. Swalwell. Thank you, Director. With respect to JCDC, I
have a similar question. CISA needs to decide, you know, what
are the core capabilities JCDC will focus on where it also can
be most effective and put structure and processes in place to
formalize those functions. So can you help me understand how
you're thinking about some of those questions as it relates to
JCDC's scope and mission moving forward?
Ms. Easterly. Yes, absolutely. I think I just gave them a
copy, you and the Chairman. I'm happy--would love to have a
team come in and brief anybody who's interested, because I
really think this is one of the most important groundbreaking
things that the Congress has given us. So we have the strategy
for the JCDC that we just finished up serendipitously in time
for this hearing.
So the focus is about two fundamental things. One is about
planning and ensuring that we can plan against the most serious
threats to the Nation. The second is collaborative fusion to
help us understand the threat and then to drive down risk to
the Nation.
Now, given the myriad of threats that we face, there are a
lot of demands that we have to enable us to be able to respond
and be proactively prepared for various threats. So we've
operationalized it against a significant vulnerability, Log4j,
with the Shields Up campaign with the elections. But we are
being very deliberate about what efforts we take on, and that
is based on the threat and based on the feedback that we get
from our partners.
So if you look at the planning agenda, it's water, it's
energy, it's open-source software to reduce risk to industrial
control systems. So it's things that our partners asked us to
focus on that we, based on the threat and the risk, we decide
to focus on. But every one of those efforts has outcomes that
are measurable, and then we get feedback from our partners.
Mr. Swalwell. Earlier this week, DHS released its proposal
to authorize the Cyber Safety Review Board, CSRB, a public-
private panel established by Executive Order in 2021 to
investigate significant cyber incidents, as you alluded to
earlier, similar to NTSB.
What would the relationship be between the CSRB and CISA?
How would it interact with CISA's new cyber incident reporting
authorities, specifically, as you referenced in your opening
statement, the subpoena authority? Do you see CSRB as
sufficiently separate from CISA to preserve its voluntary
partnerships with the private sector?
Ms. Easterly. Yes, absolutely. I mean, the CSRB--so I
appoint the members and we actually manage the infrastructure
and the contract for that, but they have a distance from me, so
I'm not part of that decision making, to keep some important,
sort-of, cushion there.
With respect to the admin subpoena, you know, the Congress
very helpfully gave us admin subpoena separate, which allows us
to actually do scanning of infrastructure, and then if we see a
vulnerability, we can do a subpoena to find out who that victim
is so we can tell them.
You know, there is admin subpoena authority that comes with
the CIRCIA as well.
So I think it's probably a helpful thing, for the CSRB to
have it. I don't think that there are any issues with their
admin subpoena power as it relates to CISA's secret sauce,
frankly, which is being seen as a trusted partner, not a
regulator or not anybody who's going to issue punitive
sanction.
Mr. Swalwell. Great. Thank you.
I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize my friend from Florida and the Chair of the
Transportation and Maritime Security Subcommittee, Mr. Gimenez.
Mr. Gimenez. Thank you very much, Mr. Chairman.
Thank you to the Ranking Member.
Ms. Easterly, two separate subjects I want to talk about.
One of them is, when I was mayor of Miami-Dade, I was
approached and said that there may be some issues with the
cranes at our port, where, I think, out of 13 cranes, 10 of
them were made in China, and now--and then later found out
maybe about 70--maybe 70--70 to 80 percent of the cranes in the
United States are actually made in China.
Now, some of those cranes have--all of those that are made
in China have the skin, the bones, OK, are made in China, but
in some the internal workings, the guts, some of the computer
systems and the operating systems, may be made in Germany or
some other place. But in some it's all Chinese-made. I was made
aware that there may be some threats with this.
I have two things I'm concerned about. No. 1, if the CCP
decides not to replace with replacement parts or spare parts
when they break down, it could hurt our ability to provide
commerce, since most of the stuff that we move moves through
these cranes; or, No. 2, if it's actually Chinese software
reporting back to the CCP so they can track everything that we
do--what cargo is flowing through, to where, et cetera, et
cetera.
Have you assessed that situation in the United States?
Ms. Easterly. Yes, it is a real concern of ours. I think my
head of cyber is going to appear before your committee on the
10th of May.
You know, I think you're referring to Zhenhua, the port
machinery company--70, 80 percent, 23 seaports. We have
significant concerns about supply chain disruption as well as
surveillance. We are working with our partners across the
Government to help with analysis and what we can do about it--
difficult, given the market-share piece of this. But I do think
it is a significant problem that we need to turn our attention
to.
I also would just say, Congressman, that this is a piece of
the larger issue of Chinese technology encroaching into our
national security. I worry about that from a very strategic
perspective.
We're actually setting up a counter-PRC cyber effort that
will be led by a very talented person that we're bringing on
through cyber talent management system authorities.
But these are things that we absolutely have to get ahead
of.
Mr. Gimenez. Fair enough. I don't want to give too much
away, because, you know, it's his committee, not my committee.
So I'll bring it to mind.
The other thing I want to talk about is completely
different, and it just came to me: That 80 percent of the
drones that are used in the United States are actually
manufactured in China too. It's come to my attention that, on
occasion, with these drones, you hook it up to try to get a
software update, OK? I was wondering if, when you're doing
these software updates, you're also downloading information the
other way.
So can you imagine--can you imagine if the CCP, the PRC had
all the information gathered, all the images gathered by 80
percent of the drones flying around? That's an incredible
amount of data.
So is that download two-way, or is it one-way? Have we ever
checked out to see if there's information going the other way?
Or is something--I just thought of something nobody thought of?
Ms. Easterly. Yes. No, when you think about the number of
Chinese drones, it makes you worry less about the high-altitude
balloon, in some ways, when you consider that. But, you know,
all of these are significant threats that we need to take
seriously.
I don't know the specifics. What I would tell you from a
technical perspective that I worry more about is not something
being uploaded but if they're saying, download this software,
provide this update, they could be putting something malicious
in that update. That was sort-of what happened with SolarWinds
and the Russians; there was something malicious in that
software update.
So I do think that there are significant concerns, again,
given any sort of oversight or surveillance of a foreign
adversary who's clearly the preeminent threat to this Nation.
Mr. Gimenez. But do you know for sure they're not uploading
information back to the host?
Ms. Easterly. I do not know that. Happy to check it out----
Mr. Gimenez. Yes.
Ms. Easterly [continuing]. Or get you some information on
it.
But, you know, there's Chinese capabilities that are
getting--TikTok, for example. There's a ton of data from the
130 million Americans that use that that is very likely going
back to the PRC.
Mr. Gimenez. What's your agency doing about Trojan horses?
When I say ``Trojan horse,'' it's some kind of malware that's
stuck in a program that just sits dormant until they decide to
unleash it.
Ms. Easterly. Yes.
Mr. Gimenez. That worries me too, that there may be
Trojan horses all over the place we know nothing about----
Ms. Easterly. Yes.
Mr. Gimenez [continuing]. And then, all of a sudden, you
know, ``OK, unleash havoc on the United States.''
Are we taking steps to try to avert that too?
Ms. Easterly. Well, that sort-of goes to the entire heart
of our mission, sir, really, I mean, because our job is to
protect and defend critical infrastructure. It's our work with
partners across the country to ensure that they're aware of
those types of capabilities that can be used not just for
espionage but also for destruction or disruptive purposes.
So a lot of this comes down to education. But, also, it
comes down to my earlier point. The technology that we rely on
every day was not created with security and safety in mind. I
think it's incredibly important that those technology products
are tested and developed specifically before it comes to the
consumer to look for potential vulnerabilities like that.
Mr. Gimenez. Thank you, ma'am. My time is up.
Ms. Easterly. Thank you, sir.
Mr. Garbarino. The gentleman yields back.
We've finished the first round of questions. I think there
are couple who want to ask a second round.
So don't worry, your doughnut is safe in the back. We still
have it for you.
So we're going to start the second round. I'm going to
recognize the gentleman from Louisiana, Mr. Carter, for a
second round of questions.
Mr. Carter. Thank you, Mr. Chairman.
Director Easterly, as we see technology move as fast as it
does, we know that every day there's some new mode or method to
infiltrate, to damage, to destroy.
On a scale of 1 to 10, what would you say your agency feels
about your ability and capability to remain competitive and
equal to, hopefully a step ahead of, the bad guys?
Ms. Easterly. It's hard to give you a 1 to 10. I would want
to say we're----
Mr. Carter. You can give me a 4 to 6, if you want.
Ms. Easterly [continuing]. At a 7. But, you know, it's an
anecdotal thing. Every day, we work to stay ahead of an
adversary.
I think, to be very frank with you, Congressman, I don't
worry about capability. I think the United States of America
has the most capable cyber forces in the world. I worry about
the asymmetry of values. Because our adversaries--the Chinese,
the Russians, the North Koreans, the Iranians, cyber
criminals--will do things with impunity that we, frankly,
wouldn't do, as a values-based democracy. That's where I think
we have to be concerned.
That's why this idea of the status quo being unacceptable--
we have to ensure that everybody in this Nation, from K through
gray, is aware of what they need to do to stay safe on-line,
that CEOs are taking responsibility, that software companies
are building safe products, and that we are all working closely
together for the good of the Nation.
Mr. Carter. Along that line, the Biden administration's
National Cybersecurity Strategy attempts to shift the emphasis
away from consumers to the provider. This is a big idea that
could substantially impact the price of software, its utility,
cost, and competitiveness for the U.S. software industry and
international markets.
Understanding that much of our economic prosperity for the
past several decades is based on innovation in computer
software, what microeconomic model is DHS proposing to deal
with this?
When we shift the responsibility, there's a lot of risk
that comes with that and a lot of challenge.
Ms. Easterly. Yes. I can't speak to the microeconomic
model. I'm happy to follow up on that. I think----
Mr. Carter. OK. Now, that's No. 3 that you couldn't speak
to today for me. Just keep--just keep a record.
Ms. Easterly. You know, I'm a macroeconomic person. But,
you know, happy to follow up.
Mr. Carter. Fair enough.
Ms. Easterly. But, look, at the end of the day, this is a
big concept, shifting the burden.
Just to kind-of talk about this at a strategic level, it's
been 40 years since the internet came into being, right, with
TCP/IP. You think back to 1983. Nobody thought about security
when creating an internet. Nobody thought about safety security
when creating software. Nobody thought about that when we were
moving fast and breaking things with social media. Here we are
in AI, and we're hurtling into a space that, frankly, we don't
know what the outcomes will be.
So I am a huge fan of innovation. It's one of our core
values. But what I'm saying, Congressman, is, we cannot let
innovation be the most important thing that we look at when
we're thinking about creating products that Americans rely on
every single day.
I want to live in a world where I do not have to teach my
90-year-old mom how to enable multifactor authentication on her
phone. I want to live in a world where I don't have to check
the box that I agree to the 17,000-word contract to turn my
phone on that basically says, ``You're liable for everything
bad that happens here.''
Mr. Carter. Aren't we there? Aren't we there?
Ms. Easterly. Aren't we there in terms of----
Mr. Carter. All of the things that you just mentioned.
Ms. Easterly. No, not at all. None of these things are
baked in. That's the world that we need to live in, where
security and safety is baked in, just as your seatbelt, your
airbags are baked in and come with your car.
Mr. Carter. I find that the more technology moves, the more
sophisticated the basic functions are. You mentioned the
telephone; you mentioned checking the box. That stuff does
exist now, and it's getting more and more complicated for the
average person to use any level of electronics.
I understand the importance of technology moving. Are we
moving in a direction that we're able to combat the threat of
the--the infrastructure threat of ransomware, cyber attacks
that cripple networks?
Ms. Easterly. Yes, I think we are indeed getting more
capable as a Nation. A lot of that is the growth in this agency
that the Congress has generously helped us with.
But, you know, at the end of the--I think we're sort-of
saying the same thing here, Congressman. The complexity--we
should not be putting the complexity on the consumer. The
complexity needs to be put on the provider so everything is
almost seamless and easy for the consumer. The consumer
shouldn't have to figure out how to implement all those
security controls. They need to come baked in.
Mr. Carter. With that, are you concerned about what it does
to the economics of it? I don't want to go deep into the
macroeconomics of it, but the costs associated, what does that
mean to the consumer?
As we shift more responsibility to the provider, it's safe
to assume that we're going to also see some pushback on what it
costs----
Ms. Easterly. Yes.
Mr. Carter [continuing]. The individual.
Ms. Easterly. I would much rather live in a world where I
have much safer products. In a world where everything is
digitized and connected and we are increasingly vulnerable as
we leap into this space where everything is going to be smart
and IoT, I would much rather pay it at the front end and know
that I have a safe product, rather than knowing I'm going to
get attacked with ransomware. Any of that----
Mr. Carter. I could not agree with you more, except we have
to----
Mr. Garbarino. The gentleman's time has----
Mr. Carter. May I just kind-of finish real fast?
But we have to take into consideration that we have a lot
of poor people. There are a lot of people who--that extra fee
that we're talking about that's tacked on to the consumer makes
a big difference to a person that's on a fixed income, that's
unemployed or underemployed.
So I would just ask that as we move forward that we're
considerate of the fact that, while we want to make sure that
the provider does this and there may be an extra cost
associated, let's just be mindful that that extra cost, to many
Americans, can be deal-breakers.
Ms. Easterly. Hundred percent.
Mr. Carter. Thank you.
I yield back, sir.
Mr. Garbarino. Thank you.
I now recognize Mr. Ezell from Mississippi for 5 minutes.
Mr. Ezell. Thank you, Mr. Chairman.
Thank you, Director, again, for being here this afternoon.
It's good to see you and hear all this stuff that is very
complicated.
I live in basically a pretty rural district. How is the
CISA addressing some of the challenges with cybersecurity in
the rural areas, especially with the cyber work force?
You know, we've kind-of talked about that some, but, you
know, out in the rural areas, you know, we need a little help.
Ms. Easterly. Yes. One of the things I'm most excited
about, sir, is the cybersecurity grants for State and local.
Mr. Ezell. Yes.
Ms. Easterly. I think this is a really groundbreaking
program. You know, a billion dollars is not a lot, but I think
if we can prove out the model, we can actually make a real
difference to those entities that, frankly, are not well-
resourced at all.
So I think, as you know, 80 percent of the money goes out
to local, and 25 percent of that goes to rural. So it is very
specifically focused on how to improve cybersecurity in places
that typically don't have resources.
So what we've seen to date is, we've seen requests for
training to improve that cyber work force; we've seen requests
for equipment; and requests for assessment. I think we've got
15 plans in. We have approved all but, I want to say, two of
them. Then seven, I think, have already--the money has already
gone forward.
I think Mississippi actually may be one of them. So I will
check on that. But that money, I think, has already been
disbursed.
So we're working very hard to get that out the door.
Mr. Ezell. Thank you very much.
We plan on having a cybersecurity roundtable in August, and
hopefully we could reach out and maybe you could come out and
help us a little bit.
Ms. Easterly. I would love that.
Mr. Ezell. Very good. I would think you could get some good
seafood down on the Gulf Coast.
You know, we've talked a lot about some of the threats,
but, in your view, what is the greatest cybersecurity threat
that the Congress should be paying attention to right now?
Ms. Easterly. Yes, I think there are two epoch-defining
threats and challenges. One is China, and the other, I think,
is artificial intelligence.
There are some incredible things that AI will do, but we
need to ensure that, just as we're talking about technology
being built with security in mind, we need to ensure that these
fantastic capabilities have the right controls and guardrails
to keep us safe and secure.
So I think those two challenges are things that we're going
to be concerned about over the next 10, 20 years and more.
Mr. Ezell. Thank you very much.
Mr. Chairman, I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize my colleague from New Jersey, Mr. Menendez,
for a second round.
Mr. Menendez. Thank you, Chairman. I again just want to
express my appreciation for you holding this hearing today.
My colleague from Florida, we have ports in my district. I
was the commissioner of the Port Authority of New York and New
Jersey and seeing our cybersecurity spending go up and up each
and every year because of the importance of our infrastructure
and being very sensitive to how much of our technology is
produced in China.
The other reason I like being here is because: My
grandmother lived to be 98. She only had a high school
education, but into the last years of her life she loved
learning about the new technology and watching it develop. You
can imagine someone who was 98, the technology and the advances
in technology.
She said she loved learning about it and it didn't scare
her at all, but what scared her is how quickly it was changing
and that we weren't giving ourselves the opportunity to think
about what it means for us. So your point about innovation just
brought me back to those conversations, and they're important
ones.
But you also brought up so many good points, so thank you
for your testimony. Thank you for what you're doing in your
role as director.
You know, but going back to the secure-by-design, secure-
by-default, I mean, there seems to be sort-of a challenge there
because of, as my colleague was alluding to, how much of our
technology is produced in China, which you've made several
references to in your testimony. Secure-by-design, secure-by-
default, makes complete sense. But if we're not developing it,
then how do we make sure and hold accountable, you know,
foreign potential adversaries who are developing critical
technology for us?
You also said how much we rely on technology, which we are,
right? So it's becoming a compounding problem, where we are
almost losing the ability to live without this technology and
yet we're not developing it ourselves.
So how, in this sort-of manufacturing, R&D sort-of space
and time that we live in, with the reliance on countries like
China, can we get to a secure-by-design, secure-by-default
future?
Ms. Easterly. Yes. So we are actually very actively
ensuring that, if there is Chinese technology or products
within our supply chain, certainly for the Federal Government
but also in terms of our ability to use a platform for
informing critical infrastructure owners or operators about the
dangers of Chinese technology, we would recommend that that be
replaced or not used, frankly, which----
Mr. Menendez. That's a challenging thing.
Ms. Easterly [continuing]. Which is very--I agree with you,
Congressman.
Mr. Menendez. When you say supply chain and making sure you
go through all the levels of the supply chain to make sure all
the different component pieces are secure-by-design, secure-by-
default----
Ms. Easterly. It is very challenging. You know, as my
friend Kemba Walden likes to say, the word ``easy'' does not
appear in the National Cybersecurity Strategy.
But it's one of the reasons, to be frank, we are pushing so
hard on the instantiation of software bill of materials. You
know, we have to understand what is in our supply chain.
Mr. Menendez. I understand.
Ms. Easterly. Incredible complexity. But, you know, we
can't say that, because I didn't know, I was able to--you know,
our foreign adversaries did these implants and now our
infrastructure has been compromised and disrupted or ultimately
destroyed in the event of a conflict.
So these are all very difficult things, but, you know,
frankly, that's why this subcommittee and this partnership is
so important to the security of the Nation.
Mr. Menendez. Absolutely. And please--and I'm sure you know
this, but please do consider us a partner, and these are things
that we want to work on.
But, you know, if there is a way or almost thinking about
it sort-of as like a way to, as we sort-of onboard technology
or bring it through, just--because I think the going through
the supply chain--because you just see it on the sanctions
front, right, and all the workarounds that there are, from, you
know, different state actors, NDIs that appear on our sanctions
list. That alone is really challenging to track, and then when
you get to technology and being able to do that cross-border, I
feel like that's going to be a challenge.
But this was all really helpful. I went over on my last
time, so I'm going to be mindful this time. My colleague from
Texas just arrived, so I want to make sure she gets to her
questions sooner. Thank you again so much, and I really look
forward to continuing this conversation with you and your
staff.
I yield back.
Mr. Garbarino. Thank you.
The gentleman yields back.
I now recognize Mr. Gimenez from Florida for his second
round.
Mr. Gimenez. Thank you, Mr. Chairman.
You know, as we talk about the big threat--and you said the
two big threats are the CCP and AI. We also talked here about
how we need to start to decouple. But if I were to tell you
that I just heard of a major purchase of Chinese computers from
one of our major departments, like, half a billion dollars'
worth, all right, it kind-of makes you start--you know, are
they listening to us? Or are they--who are they listening to,
that they would go and buy half a billion dollars in computers,
computers made in China or by a Chinese company? So I think we
need to get that word out.
I think there's--you know, since I serve on the Select
Committee on China, you know, it's one of the areas that I find
where we have bipartisan support and we kind-of think the same
way. We may not have the same solutions or maybe an iteration
of solutions, but we're on the same path, you know? It's good
to see that America has finally woken up and, collectively,
we're working to address this threat.
I want to go to AI. You know, people are trying to make--
trying to say, ``Hey, we need to slow down AI.'' Frankly, we
cannot slow down AI, because our adversaries are not going to
slow down where they are, and they understand the potential of
artificial intelligence and all sorts of things. But in
military hardware, AI, if they get that advantage on us, it's
huge. Huge. So we can't. We have to keep going.
But, with that being said, AI has the potential to do
incredible good. Unbelievable good. Mankind, womankind, you
know, the human race can just explode, all right, with new
findings, new knowledge, new abilities through the use of this
technology.
But, then, AI can also be incredibly destructive. So the
only defense that we're going to have against AI is AI. So are
we developing that capability too? You have--AI can do good,
but then you also know that AI can do bad, so you have to have
the defensive AI to fight the bad AI.
Are we working on that too?
Ms. Easterly. Yes, I mean, I am not an AI technical expert.
I know that there is a lot of work being done both on the
defensive side and on the offensive side.
I agree with you, Congressman, that there are some amazing
things that can be done with this capability. But I've also,
probably much like you, seen a dark side when I was in the
Army, when I was deployed many times, and when I was the head
of counterterrorism at the White House.
What I worry about are our adversaries, whether it's a
nation-state like China or a terrorist or a criminal, using
these to create malware, cyber weapons, to create bio-weapons,
to do genetic engineering, to do things that, frankly, we may
not do, as a values-based democracy.
I think we need to have those really difficult and
important conversations, because I really do believe in the
power of good for technology, but AI will also be the most
powerful weapons of this century. The most powerful weapons of
the last century, nuclear weapons, were built and maintained by
governments who were disincentivized to use them. This
technology is built by companies, whose job it is to maximize
profits for their shareholders. So it's a different
conversation.
I applaud the efforts to try and get ahead of it, both by
the Congress as well as many across the Federal Government. I
think it's incredibly important.
Mr. Gimenez. Thank you very much.
I yield back.
Ms. Easterly. Thank you, sir.
Mr. Garbarino. The gentleman yields back.
I now recognize the gentlelady from Texas, Ms. Jackson Lee,
for 5 minutes.
Ms. Jackson Lee. Let me thank you for the courtesies
extended and thank the Ranking Member for the courtesies
extended. Appreciate being delayed for other meetings.
But let me welcome you, Director Easterly. I'm hoping to
get some real quick questions in.
I invited you last year--it starts out with an invitation--
to the Energy Braintrust that I host, the Congressional Black
Caucus Foundation. You were kind enough to send someone. But I
am now inviting you for 2023. This Braintrust has been around
now for more than 30 years, and we have enjoyed the
participation of many in the administration.
So someone is taking notes, and I appreciate it very much
that you're doing so.
I want to just continue in the line of questioning. I find
the production domestically of chips--and I wanted to raise
some quick questions.
How important is the manufacturing of chips in the United
States to cybersecurity, the security of our cyber system,
doing our chips--having that manufacturing capacity right here
in the United States?
Ms. Easterly. I think it's hugely important for the United
States to have that chip manufacturing capacity. From a
technology perspective, I mean, certainly in terms of
cybersecurity systems, chips are not a huge piece of the actual
process----
Ms. Jackson Lee. Right.
Ms. Easterly [continuing]. But they're part of the
technology, absolutely.
Ms. Jackson Lee. We remember that during the pandemic, when
phones, cars, and others were not able to be manufactured
because of the supply chain.
Let me quickly move to Houston. The list of critical
infrastructure includes petrochemical companies. In fact, in
years past, when we think about cyber or think about
infrastructure, it was listing these fixed entities, and we
heavily--which heavily rely on automation.
Have petrochemical companies engaged with CISA in order to
develop a good working relationship to deal with their critical
infrastructure problems?
I have another quick question, but go ahead.
Ms. Easterly. Yes, ma'am, absolutely. We serve as the sector
risk management agency for the chemical sector and have great
relationships with those industries.
Ms. Jackson Lee. One of the gaps in CISA, in terms of
across the Nation, are NGOs, faith organizations, neighborhood
organizations, small businesses, maybe even small colleges. So
I'd be interested in working with the agency for a roundtable
and laying the groundwork of informing that kind of level in
the United States that are not necessarily informed.
Is that a good idea, to make sure that we can have CISA in
our communities talking to that level and to be able to raise
up their understanding of the importance of cybersecurity?
Ms. Easterly. Love it.
Ms. Jackson Lee. We all have had the horrors of ransomware.
We are facing it, the threats over the years, the stories, the
tall tales, if you will. Russia continues to harbor large
numbers of ransomware gangs.
We know this threat will remain forward, but I've been
impressed about what you've done. Do you want to expand a
little bit on how you've gotten your hands around ransomware?
I'm looking at my time, so let me put the second question
in.
AI is here. I was just talking to my seatmate here, and I
was saying it was coming, and he made it very clear that we
both agree it is here.
I'm concerned about large populations--low-income,
minorities, rural persons--out of the circle of even
understanding AI and its good and its dangers. Maybe you could
comment on that as it relates to cybersecurity and maybe the
gaps of knowledge.
So, first, Russia and the ransomware and then, second, the
AI and its accessibility to those low-income communities.
Thank you so much.
Ms. Easterly. Thank you so much, Congresswoman.
On ransomware, we have done so much since the summer of
2022--2021, actually, following the Colonial Pipeline attack.
Specifically, we stood up stopransomware.gov, which is a
one-stop-shop website that brings together all of the Federal
resources of the Government to explain what ransomware is, what
to do if you get hit with ransomware, and, more importantly,
how to build resilience to ransomware.
We also stood up the Joint Ransomware Task Force recently,
and we're very focused on target-rich, resource-poor, those
communities that, frankly, like schools and hospitals and water
facilities, local election offices, that don't have those
resources. So we are very focused on providing things like
ransomware assessments and best practices that they can use to
deal with the scourge of ransomware.
The other thing that we just launched is our Ransomware
Vulnerability Warning Pilot, where entities, no matter what
your size is, can sign up for vulnerability scanning and then
get a prioritized list of where they might have
vulnerabilities, where ransomware actors, like Russian-
sponsored ransomware actors, have specifically leveraged
ransomware, so that allows them to patch those.
Then, finally, our pre-ransomware initiative, where we are
getting tips from industry, from researchers, from threat
intel, that tell us that malware has been deployed but not yet
activated. It's usually hours to days before malware is used to
encrypt. Then we reach out in our field force--we've done it
with K-12 schools, with local towns--to help them prevent, you
know, a really bad day. That is the virtue of the model we've
built with trust with industry.
So those are some of the things that we're doing, and we're
going to continue to drive that forward.
On artificial intelligence, again, there are great
capabilities. I think we need a really hard look at who these
capabilities--who they're being used by, who they can be made
available to, but also the guardrails for safety and security
that are being put in place even as we innovate in this space.
So I think it's a longer, much--you know, a hugely
important conversation, so I appreciate the question,
Congresswoman.
Ms. Jackson Lee. I look forward to engaging through this
committee or otherwise. I think it's an important discussion
for Members of Congress.
Ms. Easterly. Thank you, ma'am.
Ms. Jackson Lee. I thank you so very much.
Thank you for the time.
Mr. Garbarino. Absolutely.
Ms. Jackson Lee. I yield back.
Let's do it. Thank you.
Mr. Garbarino. The gentlelady yields back.
The end is almost near, Director. I think, though, the fact
that everybody has been here today for a second round of
questions--I mean, we've never had attendance like this, but
that just shows how much everybody respects your opinion and
how important of an issue this is.
So I'm going to recognize myself for my second round of
questions.
I had a couple on secure by design and default, but I
really enjoyed the questions before. I thought that was a great
conversation. So I'm going to move ahead to--my staff actually
prepared enough questions if we had eight rounds of questions,
so I'll probably submit a couple and have you respond in
writing.
But I did want to get to on the--we talked a lot about the
JCDC in our last hearing, and we talked a little bit about it
today as well. I have spoken to a couple people that are on--or
companies that are on the JCDC. We've heard that some of the
companies are frustrated that information coming out of the
JCDC is frequently already publicly available and isn't as
timely as it could be.
What information do organizations get through the JCDC that
goes beyond what DHS already publishes through other channels
that many JCDC members already participate in or already have
access to?
Let me--I just wanted to add, they all loved the idea--
nobody--they all loved the idea of the JCDC, but they did have
this complaint about it.
So, if you could answer, that'd be great.
Ms. Easterly. Yes. You know, one of our operating
principles at CISA is to treat feedback as a gift, and we are
constantly talking to our partners so that we can improve.
Because, at the end of the day, the model has to be, we're
transparent, we're responsive, and we're adding value. If we're
not adding value to the job of the cyber defender, we should go
away. I know how hard that job is, and we're just trying to
help them.
You know, anecdotally, I think we've heard various flavors
of, you know, ``these products are fantastic'' and ``these
products are things that we've already seen.'' So I don't want
to put too much into the fact that these are all--that you
might hear one or two things. I would like to actually come
back to you maybe with a more fulsome presentation based on
recent feedback. We did two roundtables out at RSA.
I mean, I will tell you, what's substantially different in
the products and the advisories that we've put out over the
past year is, first of all, they're all multisealed. That makes
a difference, to have CISA and FBI and NSA and, by the way, our
international partners on there as well. It's sending, finally,
a coherent signal to industry that this is the voice of the
U.S. Government collaboratively providing you feedback.
Frankly, we have those enriched buyer industry partners who
are giving us information that helps to make those products
better.
So, again, I'll go back and get you more specifics on that.
But I think we've really evolved that into a better place,
to be honest with you.
Mr. Garbarino. Great. And, look, everybody that I've spoken
to, they said, CISA, when they provide information, has been
responsive, much more than other agencies that are involved. So
that's great on your part, so we do appreciate that.
We've also--so how does--there was also some comments about
how membership decisions are made. I know we can--maybe we can
work that into the presentation. But could you talk about how
CISA balances the benefits of having a wider range of partners
at the table with the risk that too large of a JCDC could
reduce the efficiency----
Ms. Easterly. Yes.
Mr. Garbarino [continuing]. Of operational collaboration
and decrease trust between the members?
Ms. Easterly. Yes. Thanks for asking that question.
You just said it: trust. Right? We have a lot of people--
Ranking Member Swalwell mentioned, a lot of people want to join
the JCDC. We want to benefit from their expertise and their
vulnerability and their capabilities, but we also want to make
sure that we have trust groups.
So we started out, when we set this thing up in August
2021, we started out with the Big Tech companies. Why? Because
they have the most global visibility. If you're an
infrastructure provider, a cybersecurity vendor, a software
vendor, they have global reach. We wanted to solve--help solve
that visibility problem that was illuminated in SolarWinds,
where we lacked visibility.
So we started out with a small group, but since that period
of time, we have been adding on hundreds of partners. We're at
231. But the projects that we work on are basically 20 of these
entities. So we are keeping the trust groups small. We're
focused on efforts that address the biggest risks to the
Nation. We are constantly doing after-action reviews to ensure
that we can actually take great advantage of, you know, the
talents, the authorities, the capabilities.
But one other thing I'd say, Chairman, is, we talk a lot
about industry, but the JCDC is actually industry,
international partners, Federal partners, and State and local
partners. So when you think about the tapestry of visibility
that comes together based on the inputs of all of those
partners, I would challenge some of the comments about the lack
of value. I think, as we've evolved, I think we're getting into
a place where that information is enriched and full of a lot
more value than anything we've provided before from the Federal
Government.
Mr. Garbarino. Director, I appreciate that.
Like I said, I have a couple more, but I'm going to let you
off the hook. I'll send them and have you respond in writing. I
appreciate it.
I now yield to the Ranking Member, my colleague from
California, Mr. Swalwell, for his second round.
Mr. Swalwell. Great. Thank you, Chairman.
Just following up on my colleague from the Miami area, he
talked about, you know, the concern about Chinese drones and
Chinese technologies in our infrastructure.
I privately mentioned to him but I'll mention to my other
colleagues that John Garamendi and I introduced legislation
this week called the Airport Infrastructure Vehicle Security
Act, which would prohibit Federal funds from being spent on
Chinese buses.
They are flooding our communities with cheap passenger
buses. It's not just that, you know, this hurts the ability to
``make it in America,'' but, you know, they're wiring these
buses up with WiFi and other abilities to connect to the
network.
So we'll send that around to everyone.
On AI, to kind-of take this to the worst-case scenario, I
understand that a zero-click attack is where I could receive a
text message or an email, and even with the best cyber hygiene,
because it was sent to me, that's it, they're in.
I also understand that, right now, to conduct those zero-
click attacks, they're very resource-intensive, they're very
expensive. So adversaries have to really want to get into
someone's system or device.
Does AI put us at risk of significantly reducing the cost
for the adversary to carry out a zero-click attack?
Ms. Easterly. I mean, I don't have a technical study on
that, but I would assume so. I think, as much as AI can be used
for amazing things, I think it can be used by our adversary to
cause great damage.
You know the saying, Ranking Member, is, you know, you only
have to be right once, as an adversary; as a defender, you've
got to be right all the time. Think about that in terms of the
offense-defense overmatch of an adversary.
Mr. Swalwell. Yes.
Ms. Easterly. So it makes our job even more difficult.
Now, the optimist--and I used to be a big tech optimist,
and now I'm a tech realist--will say, ``Well, we can also
create these incredible defensive AI capabilities.'' And that's
probably true.
Mr. Swalwell. Sure.
Ms. Easterly. But the thing that I worry about is, we are
hurtling into this space driven by competition in business, not
necessarily driven by safety or security concerns.
While I am--to Congressman Menendez's point earlier, I am
concerned about China, but look at the difference. China is
focused on implementing AI with a huge amount of regulation,
right? So that's the difference. They are actually being very
purposeful about how they're controlling and evolving that
capability. We are not.
So I think we need to just think about what AI looks like
in China and what AI looks like here and how it could be used
for nefarious purposes.
Mr. Swalwell. Shifting to insurance, you know, there's not
a lot of insurers in the cyber market. One insurer told me that
the most successful insurer is not the person who has the most
policies, because you would not be able to cover the risk if
there was a significant, widespread attack.
I know in the cybersecurity strategy that you put out, you
do conceive or at least contemplate, you know, a TRIA-like
system. I just wanted to know if you could just speak more to
cyber insurance.
Particularly, I'm thinking of, you know, the giants.
They're going to figure it out, and they're going to have,
sort-of, the best left-of-boom defenses. I really do worry,
though, about the SMEs, you know, the small and medium-size
businesses, who you have described as target-rich, cyber-poor.
So could you just wrap up here, with my final minute, and
just to speak to cyber insurance?
Ms. Easterly. Yes, absolutely. You know, we are doing this
study based on the National Cybersecurity Strategy.
I think it's--the difficulty kind-of goes back to the fact
that we do not have a comprehensive view of the landscape
because, heretofore, we don't have that legislation--or, we
don't have that implementation on CIRCIA. I think that hinders
cyber insurance companies from being able to price insurance
policies, if you don't understand what your baseline is for
cyber incidents and attacks.
That's also, you know, some of the discussion on--I think
Lloyd's made the decision that they exclude state actors----
Mr. Swalwell. War exceptions.
Ms. Easterly [continuing]. Policies from state actors, the
war exception, which would make it difficult if you connect,
like, NotPetya and state-sponsored criminals.
So it's a space that I think will benefit from a better
understanding of the ecosystem and, I think, a robust sort of
TRIA-like study. I welcome that work to come. But it's also
something I'd love to dig more deeply into----
Mr. Swalwell. Great.
Ms. Easterly [continuing]. Especially because you've got
Cowbell in your district----
Mr. Swalwell. Yes.
Ms. Easterly [continuing]. And we have talked to them
before.
Mr. Swalwell. Great. Thank you.
I yield back.
Mr. Garbarino. Thank you.
The gentleman yields back.
I almost made a ``cowbell'' question--or, joke, but I
didn't.
I love the idea on cyber insurance. I think, even though we
don't have direct oversight here, I do see it also on the
Financial Services Committee, the Insurance Subcommittee. So,
if we could somehow work out a hearing on that, I think it'd be
great.
But I want to thank Director Easterly for the valuable
testimony and the Members for their great questions today.
The Members of the subcommittee may have some additional
questions--I know I do--for you. We would ask the witness to
please respond to these in writing.
Pursuant to committee rule VII(D), the hearing record will
be held open for 10 days.
Without objection, the subcommittee stands adjourned.
Ms. Easterly. Thank you, sir.
[Whereupon, at 3:47 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions for Jen Easterly From Chairman Andrew R. Garbarino
Question 1. In our last hearing, I asked Ms. Tina Won Sherman from
GAO whether CISA's ability to support the Sector Risk Management
Agencies (SRMA) had grown commensurate with its budget. She answered
that we really can't tell.
What metrics do you all use to measure and evaluate CISA's support
to the SRMAs?
Answer. Response was not received at the time of publication.
Question 2a. The administration is re-writing Presidential Policy
Directive-21, which sets Executive branch policy when it comes to
Sector Risk Management Agencies.
Where do you think CISA's role starts and stops when it comes to
supporting the SRMAs?
Answer. Response was not received at the time of publication.
Question 2b. What are you doing in the meantime to support the
SRMAs as you prepare to re-write the National Infrastructure Protection
Plan and they prepare to re-write their sector-specific plans?
Answer. Response was not received at the time of publication.
Question 3a. CISA's foundational mission is to administer Federal
civilian Executive branch (FCEB) cybersecurity requirements, a daunting
but hugely important task. It's my sense that your agency struggles in
part with how other departments and agencies in the Government perceive
it.
How do you view CISA's role in the FCEB? Do you think CISA should
be a Service provider? Operational partner? Advisor? Something else?
Answer. Response was not received at the time of publication.
Question 3b. What can Congress do to support and develop CISA's
position in the interagency?
Answer. Response was not received at the time of publication.
Question 4a. We have been talking about revamping one of CISA's
flagship Federal cybersecurity programs, the National Cybersecurity
Protection System, which includes EINSTEIN, for a long time. It's an
outdated program that has faced problems, including struggles to fully
implement the requirements.
How does CISA plan to overcome the issues that have plagued
previous iterations of NCPS?
Answer. Response was not received at the time of publication.
Question 4b. As you build this new program, how do you envision it
fitting into a very dynamic environment as agencies implement
requirements from the May 2021 Cyber Executive Order, including the
Zero Trust Strategy, and other specific capability requirements? How
are you ensuring it isn't duplicating those efforts?
Answer. Response was not received at the time of publication.
Question 5. Director Easterly, as you know, Executive Order 14028
from May 2021 required all Federal agencies to adopt endpoint detection
and response or EDR technologies, with CISA charged with that
deployment.
Can you provide us with an update on the status of deployment
across the FCEB? How many agencies has it been deployed on? Who has not
deployed it yet?
Answer. Response was not received at the time of publication.
Question 6. The committee is aware that CISA is currently paying
for the first 2 years of certain Continuous Diagnostics and Mitigation
(CDM) shared services for agencies, after which the agencies must pay.
Is that accurate? Please explain how this process is working and if
there are any agencies who are not planning to pay for those services
in year 3.
Answer. Response was not received at the time of publication.
Question 7. We have heard that CISA has narrowly defined what it
considers as an endpoint to only workstations or desktops and has left
out others like mobile devices and cloud environments.
Is CISA going to add mobile and cloud to the program? If not, why
not?
Answer. Response was not received at the time of publication.
Question 8. Director Easterly, has CISA considered operating EDR as
a shared service? If not, why?
Answer. Response was not received at the time of publication.
Question 9. As you know, DHS has provided CDM services to agencies
for several years now. So far, CDM's attention has been primarily on
larger agencies.
What is your perspective on how the CDM program might evolve to
provide the same level of attention to smaller and independent
agencies?
Answer. Response was not received at the time of publication.
Question 10. According to BlackBerry's just-released quarterly
Global Threat Intelligence Report, governments face an ever-growing
number of cyber threats that are increasing in sophistication. Earlier
this month, you observed that terrorists, cyber criminals, and
adversary nation-states could make use of advancements in artificial
intelligence (AI) technologies to weaponize cybersecurity.
In the face of this threat, are Federal civilian Executive branch
agencies adequately leveraging advanced AI-enabled cybersecurity tools
to enhance the defense of Federal networks, especially against AI-
capable adversaries? If not, why not?
Answer. Response was not received at the time of publication.
Question 11. According to BlackBerry's just-released quarterly
Global Threat Intelligence Report, the Russia-linked malware PIPEDREAM
recently attempted to compromise industrial control systems in U.S.
energy and gas infrastructure.
How concerned are you about the recurrence of such threats within
the energy sector, and across other critical infrastructure sectors--
and what can industry do to better prepare itself for such incidents?
Answer. Response was not received at the time of publication.
Question 12. It is vital to increase cybersecurity across all
sectors in the United States, but how are you currently supporting more
mature sectors, such as the financial services industry?
How will CISA support cross-sector risk identification and
mitigation planning for more cyber-mature sectors?
Answer. Response was not received at the time of publication.
Question 13. Based on a report issued by Expert Insights in March
of this year, 71 percent of ransomware attacks are targeted at small
businesses, companies that are in your own words, ``Target-Rich and
Resource-Poor.''
Besides issuing guidelines, what else can CISA be doing to help
small businesses respond to these attacks?
Answer. Response was not received at the time of publication.
Question 14. Watching the various cyber activities leading up to
and during Russia's war on Ukraine, what do you see as cyber-based
indicators that countries like China may exhibit before an invasion of
a sovereign country like Taiwan?
Answer. Response was not received at the time of publication.
Question 15. The FBI, DHS, and CISA as well as other Government
agencies are charged with protecting the American public from cyber
attacks and tracking down cyber perpetrators. But to do that, data is
key.
Where do you see reconciliation between their duties to identify,
defend, and prosecute cyber criminals and the data/tools needed to do
so, and privacy of citizens?
Answer. Response was not received at the time of publication.
Question 16a. CISA has been working on a set of cybersecurity
performance goals (CPG). There is concern in the private sector that
these voluntary performance goals will wind up being treated like the
presumably voluntary NIST CSF--as a de facto template for mandatory
requirements.
Can you tell us how these CPGs fit into this construction that
liability should be on the provider?
Answer. Response was not received at the time of publication.
Question 16b. Can you describe how CISA engaged the private sector,
including the operational technology community, and other stakeholders
to gain feedback and make changes?
Answer. Response was not received at the time of publication.
Question 16c. If an entity wants CISA to consider changes to the
CPGs, what systems exist to provide input to CISA?
Answer. Response was not received at the time of publication.
Question 16d. With what periodicity does CISA plan to update the
CPGs?
Answer. Response was not received at the time of publication.
Question 16e. How will CISA measure and evaluate the effectiveness
and impact of the CPGs on reducing cyber risk and enhancing resilience,
and how will those measurements guide future CPG updates?
Answer. Response was not received at the time of publication.
Question 17. CISA is leading in the Federal space in providing
support to educators on school security and safety. Given the differing
needs of schools throughout the Nation, how does CISA's school safety
team work with regional or local institutions like the New York State
Center for School Safety to ``train the trainer'' and disseminate
Federal resources?
Answer. Response was not received at the time of publication.
Question 18. In the Cybersecurity Best Practices for Smart Cities
document released by the ``Five Eye Nations'' on April 19, 2023, the
guidance suggests that ``Organizations should use only trusted
information and communications technology (ICT) vendors and
components.''
How does a business become a trusted ICT vendor and what is CISA
doing to expand partnership opportunities with businesses and
organizations?
Answer. Response was not received at the time of publication.
Question 19. Last November, you announced that CISA plans to expand
the Cybersecurity Education and Training Assistance Program (CETAP)
Nation-wide after a successful program in the State of Louisiana
training educators for K-12 cybersecurity education. Congress believes
strongly in this program--having codified it into law and appropriating
resources despite successive budget requests that have zeroed out the
funds.
What is CISA's plan to scale CETAP to get more teachers trained so
these teachers can help train the next generation of the cyber
workforce and the entire citizenry to be more cyber aware?
Answer. Response was not received at the time of publication.
Question 20a. In February 2020, Executive Order No. 13905 was
issued by the Executive Office of the President. This Executive Order
required that the Secretary of Homeland Security support resilient
positioning, navigation, and timing (PNT) solutions by working with
sector-specific agencies to develop contractual language for Federal
contracts for products, systems, and services that support or utilize
PNT services.
Critical infrastructure resilience is a top priority for this
committee as it works to help support DHS and CISA's goals for
improving our Nation's cyber posture. Can you provide an update on the
state of PNT implementation?
Answer. Response was not received at the time of publication.
Question 20b. We understand that PNT profiles were established in
accordance with the Executive Order. What is the next step for DHS in
relation to EO13905 implementation, and are there significant barriers
to completing the requirements of EO13905?
Answer. Response was not received at the time of publication.
Question 20c. The EO requires the development of ``contractual
language for inclusion of the relevant information from the PNT
profiles in the requirements for Federal contracts for products,
systems, and services that integrate or utilize PNT services, with the
goal of encouraging the private sector to use additional PNT services
and develop new robust and secure PNT services.'' In the development of
such contractual language, how will CISA tailor sector specific
requirements to encourage private-sector use in a manner that does not
encourage any single solution?
Answer. Response was not received at the time of publication.
Question 20d. We also understand that the National Risk Management
Center (NRMC) is taking the lead on this effort. Does the CISA budget
request provide the agency with enough discretionary support to fulfill
the requirements of EO13905? If not, what further resources or
information would be required by NRMC to make progress on working with
sector-specific agencies to develop contractual language?
Answer. Response was not received at the time of publication.
Questions for Jen Easterly From Ranking Member Eric Swalwell
Question 1a. CISA recently announced a plan to establish a
Systemically Important Entities Office, with the goal of identifying
``target rich, cyber poor'' entities, targeting K-12 schools,
hospitals, and water and wastewater sectors. CISA also plans to
establish an ``enhanced engagement'' program with these sectors. This
is an extension of an effort DHS has been trying to accomplish for
nearly two decades, through efforts like the Section 9 list and the
National Asset Database--but has been unsuccessful.
Please describe the remit of the Systemically Important Entities
(SIE) Office and where it will fit into CISA's organizational
structure.
Answer. Response was not received at the time of publication.
Question 1b. How will this SIE effort, and the program office,
differ from previous efforts to identify the critical of the critical,
such as the Section 9 list and the National Asset Database?
Answer. Response was not received at the time of publication.
Question 1c. More specifically, what is the relationship between
SIEs and entities on the Section 9 list? What do you see as the
difference in the scope of these two designations?
Answer. Response was not received at the time of publication.
Questions for Jen Easterly From Honorable Robert Menendez
Question 1a. CISA has previously touted efforts with private
entities like CYBER.org, the Girl Scouts of America, and Girls Who Code
as examples of partnerships that can help amplify educational
opportunities and grow the pipeline of cybersecurity workers.
Has CISA experienced any successes or challenges in public-private
partnerships for cybersecurity workforce development? Please describe
the successes and challenges and detail how the agency overcame any
challenges.
Answer. Response was not received at the time of publication.
Question 1b. Please provide a list of private-sector entities,
including academic and non-profit organizations, with which CISA
partners to strengthen the cybersecurity workforce. Please describe the
nature of the partnership, the activities jointly engaged in, and the
demographic groups each of these partnerships seeks to reach.
Answer. Response was not received at the time of publication.
Question 1c. If the agency requires additional resources such as
funding or authorities to better engage non-governmental entities for
cybersecurity workforce development, please describe what those may be.
Answer. Response was not received at the time of publication.
Question 2a. As you know, CISA issued $2 million in grants to
NPower and the CyberWarrior Foundation as part of a 3-year pilot
program announced in October 2021.
Please provide an update on these activities. How have NPower and
CyberWarrior started executing their grants? What plans do they have to
continue spending their award over the 3-year period? How will CISA
track and monitor their performance?
Answer. Response was not received at the time of publication.
Question 2b. How will CISA measure success for these grant awards,
and what criteria will be used to determine success or failure? Does
CISA have a process in place to incorporate any lessons learned into
future grant-making activities?
Answer. Response was not received at the time of publication.