tv Federal Cybersecurity Programs CSPAN October 4, 2017 8:04am-9:31am EDT
8:04 am
>> today the senate banking committee looks at the equifax security breach that affected some 145 million americans. senators question former equifax ceo richard smith at 10 a.m. eastern. thursday at 9:30 a.m. eastern mr. smith testifies before the house financial services committee. live coverage of both hearings on c-span3, c-span.org and the c-span radio app. federal officials from the department of energy and homeland security talked about government cybersecurity initiatives at a house hearing tuesday. topics include modernizing the federal government's i.t. systems and protecting the nation's electricity grid. this house homeland security subcommittee hearing is an hour. >> the committee on homeland security subcommittee on cybersecurity, infrastructure
8:05 am
protection, and security technologies will come to order. first of all, i'm sure i speak for all of us here on the dais in expressing our deepest condolences to all of the family members and all of the victims of yesterday's tragedy in las vegas. events like the one yesterday really demand the utmost humanity in response to such blind hate and evil, and hopefully will give us all a renewed sense of purpose today as we approach the task of the day. the subcommittee is meeting today to receive testimony regarding the department of homeland security's cybersecurity mission. i recognize myself for an opening statement. we are here today, at the start of national cybersecurity awareness month, to discuss what i believe is one of the defining public policy challenges of our generation, the cybersecurity posture of the united states. we have seen cyberattacks hit practically every sector of our economy with devastating impact
8:06 am
to both government agencies and the private sector alike, and it's our shared duty to ensure we're doing our best to defend against the very real threat our cyber adversaries pose. but make no mistake, the cybersecurity challenges we face are about much, much more than simply protecting bottom lines, or intellectual property, or even our nation's most classified information. they also impact the personal, often irreplaceable information of every american. this year, we've seen on a grand scale just how much damage can be done by a single individual or entity looking to conduct a cyber attack. the equifax breach shows that it takes only one bad actor and only one exploitable vulnerability to do something to compromise the information of
8:07 am
145 million americans. this is not the first cyber attack that has garnered national attention and, unfortunately, it almost assuredly will not be the last. as the members of this panel and as our witnesses here today know well, there is no silver bullet or guaranteed technology to fix the cybersecurity problem. rather, we need to be part of an ongoing, sustained, dedicated, persistent and comprehensive campaign to ensure the united states remains the world's cybersecurity superpower. we will continue to need a sharp workforce, the collective efforts in public-private partnerships, and the leadership of our government agencies to leverage our resources and counter our highly sophisticated cyber adversaries. today, this subcommittee meets to hear from the government officials charged with meeting
8:08 am
these cyber threats. these are the folks on the front lines day in and day out. dhs is the federal government's lead civilian agency for cybersecurity, and within it, the national protection and programs directorate, or nppd, leads our national effort to safeguard and enhance the resilience of the nation's physical and cyber infrastructure, helping federal agencies and, when requested, the private sector harden their networks and respond to cybersecurity incidents. nppd partners with critical infrastructure owners and operators and other homeland security enterprise stakeholders to offer a wide variety of cybersecurity capabilities, such as system assessments, incident response and mitigation support and the ability to hunt for malicious cyber activity. this collaborative approach to mitigating cyber incidents is meant to prioritize meeting the
8:09 am
needs of dhs partners, and is consistent with the growing recognition among government, academic and corporate leaders that cybersecurity is increasingly interdependent across sectors and must be a core aspect of risk management strategies. this committee has been working hard to ensure that nppd and dhs in its entirety has the necessary authorizations and organization it needs to combat growing cyber threats. dhs needs a strong and sharp workforce and an efficient organizational structure to support both its cybersecurity and its infrastructure protection missions. earlier this year, this committee marked up and passed h.r. 3359, the cybersecurity and infrastructure security agency act of 2017 to reorganize and strengthen nppd. as the cyber threat landscape
8:10 am
continues to evolve, so should dhs, and in doing that, h.r. 3359 is the tool we'll use to bring nppd to a more visible role in the cybersecurity of this nation. as a committee, and as a congress, we have taken important steps in the right direction with legislation on information sharing, modernizing the federal government's information technology, and in getting our state and local officials the cybersecurity support they need. some of these programs have been years in the making. real-time collaboration between the government and the private sector is a lofty and worthwhile goal. through the automated indicator sharing program, or ais, dhs has been partnering with industry to create and enhance that broader information-sharing environment and we've made progress in the right direction. while we know that proactive information sharing is only as
8:11 am
good as the information being provided, that type of relationship can only be made possible with a strong foundation of trust. i'm looking forward to a robust discussion today, not only about how the department can be best organized and equipped to ensure that we are leveraging the resources of the federal government towards this immense challenge, but also how the government can forge and grow the necessary partnerships to achieve greater cybersecurity for our nation. we have to get this right because new technologies, the internet of things, driverless cars, artificial intelligence, and quantum computing, are rapidly evolving. we need to be securing at the speed of innovation, not of bureaucracy. because we are in an era that requires flexibility, resiliency and discipline and i hope i will hear those values operationalized in the forthcoming testimony.
8:12 am
cyberspace plays an increasingly dominant role in the fabric of our society, and it will take continual collaboration across the public, private, international and domestic spaces to keep making the advancements needed to prioritize cybersecurity for our country. i know this is a responsibility that everyone on this subcommittee takes extraordinarily seriously, and i look forward to the discussion today with our witnesses. the chair now recognizes the ranking minority member of the subcommittee, the gentleman from louisiana, mr. richmond, for his opening statement. >> thank you, mr. chairman. good morning. pleased we're kicking off cybersecurity awareness month by talking to the department of homeland security about its cybersecurity mission and how congress can help ensure dhs is well-positioned to protect critical infrastructure from cyber attacks. before i begin, however, i would like to send my condolences to the families of victims of sunday night's horrific
8:13 am
shooting. to the survivors, you're in our thoughts and prayers. to the brave first responders who ran into danger when everyone else was running away from it, we're grateful. the democrats on this committee have said this before but it bears repeating. at some point we will have to come together and enact sensible gun legislation. and as the congressman representing new orleans i cannot sit silently as the president insults the hurricane survivors of puerto rico, and the san juan mayor who is trying to help them. i've been through katrina and i know what it's like when you're at your most vulnerable moment and you've lost everything. and what you're looking for is assistance because it's beyond your capacity to respond to a storm of that magnitude. so having seen people grieve the loss of their homes and businesses and struggle to piece their lives back together, i can tell you the last thing
8:14 am
the people in puerto rico and the virgin islands need are insults. i urge the president to take a break from twitter, roll up his sleeves and get to work. turning to the issue at hand, i represent new orleans, which has significant energy sector assets. last month we heard disturbing reports of a new wave of efforts to breach energy sector networks in the united states. according to symantec, in some cases hackers achieved unprecedented access to operational systems. in light of these reports i'm interested to know how the department of homeland security and the department of energy are working together to secure energy sector networks and make them more resilient. additionally, as a member of this committee and the congressional task force on election security, i'm eager to hear about dhs's activities to secure our election systems. although the administration's commitment to the critical
8:15 am
infrastructure designation appeared to waver earlier this year, i was encouraged when acting secretary duke told committee democrats last month that there are no plans to rescind the designation. with that comment i look forward to hearing about the progress dhs is making to help state and local governments secure election infrastructure and whether the department has adequate resources to carry out its responsibilities in that space. for example, i understand there's a nine-month wait for a risk and vulnerability assessment, and that some secretaries of state have complained about the lengthy clearance process for election officials. i am concerned these challenges may deter some states, particularly those that resisted the critical infrastructure designation, from taking full advantage of the resources dhs can bring to bear. to that point, dhs has struggled to build some of the
8:16 am
relationships necessary to execute its election security mission. although i've heard dhs is making progress in this regard, i am concerned mistakes made notifying certain secretaries of state that their election infrastructure had been targeted, though it had not been, may have undermined the trust that dhs has sought to build. i will be interested in learning what you need from congress to address election infrastructure requests more quickly and build trust within the election infrastructure community. finally, when ms. manfra testified in march i asked when i could expect the dhs cybersecurity strategy. the strategy required pursuant to legislation i authored was due march 23. it still has not been submitted to congress. i understand the trump administration did not fill leadership positions relevant to the execution of dhs's
8:17 am
cybersecurity strategy with any real sense of urgency, and ongoing vacancies may be contributing to the delays. but the strategy is six months overdue, and that is not acceptable. with that, mr. chairman, i yield back the balance of my time. >> thank the gentleman. the chair now welcomes and recognizes the chairman of the full committee, my colleague from texas, mr. mccaul, for any opening statement that he might have. >> thank you, chairman ratcliffe. i would also like to extend my thoughts and prayers to the victims and family members of the horrifying tragedy in las vegas. i am hopeful that as americans, we can come together and prevent such violence from happening again. i'm pleased to be at this important hearing today with our distinguished guests here at this hearing. america's national security is continually threatened by islamist terrorists, tyrannical regimes building and proliferating weapons of mass destruction, and human traffickers and transnational
8:18 am
gang members like ms-13 who stream across our border. these threats are well known, and we need to do everything we can to stop them as we see them coming. however, we also find ourselves in the crosshairs of invisible attacks in a sustained cyberwar from nation-states and other hackers. and as we become more and more reliant on computers and smartphones in both our personal and professional lives, everyone is a potential target and sadly, many of us have already been victims. over the past few years we have seen many successful large-scale cyber-attacks take place. in early september, hackers were able to breach equifax, a credit reporting agency, gaining access to sensitive information on as many as 143 million people. in 2016, we know that russia tried to undermine our electoral system and democratic process and in 2015, we learned that
8:19 am
china stole over 20 million security clearances including mine. and probably some here at this dais. these kinds of violations are simply unacceptable. i am proud to say that over the last few years, the committee on homeland security has recognized these threats and led the charge to strengthen the defense of our nation's networks. in 2014, we enacted several important bills that empowered dhs to bolster its workforce, codified dhs's cyber center, and updated fisma for the first time in 12 years. a year later, the cybersecurity act became law, which enhances information sharing and makes dhs the lead conduit for cyber threat indicators and defensive measures within the federal government. while information sharing has come a long way, the wannacry ransomware attack recently illustrated just how important and beneficial those
8:20 am
relationships are. just last week rob joyce, the cybersecurity coordinator at the white house, noted that we need to find a way to provide the private sector with more expansive access to cyber threat information in a controlled setting; something i believe we need to strengthen. moreover, issues relating to the sharing of classified information with the private sector, like accrediting scif space, granting security clearances to key personnel, and enabling consistent two-way communication, are issues we are looking at closely. in other words, we have made progress in the way indicators are shared but i want to examine if we can do more regarding the overall sharing of classified information. earlier this year, i was pleased to see president trump issue an executive order to strengthen the cybersecurity of federal networks and critical infrastructure. going forward, i am hopeful that the house can advance
8:21 am
legislation that i have introduced to elevate nppd as a standalone agency and better support the cybersecurity mission at dhs. this month is national cybersecurity awareness month, a time to learn more about these threats and offer ideas on how we can best secure ourselves against these growing threats. while we have had some success on this issue, we must do more. our cyber enemies, including terrorists, are always evolving looking for new ways to carry out their next attack. fortunately, this is an issue that transcends party lines. it's not a republican or a democratic issue. let's work together to make our cybersecurity strong and keep the american people safe. i would like to thank today's witnesses for their time and their service. a very important component of the department that often, as i mentioned in my opening, we
8:22 am
focus a lot on counterterrorism, on the border and other things, but i consider this mission the department has to be one of the most important that this nation faces. so i look forward to the conversation about how congress and the executive branch can work together and how we can work with leaders in the private sector to enhance the nation's cybersecurity. with that i would like to yield back to the chairman, and if i may, submit my questions for the record. >> thank the chairman, and the chair now welcomes and recognizes the ranking minority member of the full committee, the gentleman from mississippi for his opening statement. >> thank you very much. good morning. i'd like to thank chairman ratcliffe and ranking member richmond for holding today's hearing to examine the work dhs is doing to shore up our nation's cyber defenses. there is no doubt that our country is facing an evolving
8:23 am
array of cyber threats. as we stand here today, enemies are thinking of new and novel ways to strike at everything from banks to hospitals and chemical facilities. nefarious actors even want to disrupt some of our most basic institutions. last year we learned our nation's election systems serve as a new frontier for cyber attacks. with every passing day we learn of new ways cyber operatives are looking to exploit everything from the media we consume to the databases that store voter registration data. in this country there's nothing more sacred than the ability to engage in civic activity and cyber criminals are seeking to undermine our democracy. furthermore, as i watched the devastation unfold in texas, florida, puerto rico and the virgin islands, i am reminded of
8:24 am
the fragility of our systems. disrupting the systems we rely on for power, fuel, food and water can be deadly, regardless of whether it's caused by cyber attack or a natural disaster. in short, the digital networks we rely on for our day-to-day life are facing a multitude of threats. to respond to these threats, congress has put its trust in dhs. over the past few years congress by way of this committee has consistently expanded dhs's cybersecurity mission, giving the department a key role in securing federal networks as well as the systems that support our nation's critical infrastructure. the department made huge strides in implementing these new authorities, including by standing up an automated system to share cyber threat data and
8:25 am
advising the new election infrastructure subsector on how to promote cyber hygiene with election administrators throughout the country. we cannot, however, expect dhs to carry out these responsibilities with both hands tied behind its back. to be successful the department needs adequate resources, a robust staff, strong leadership, and clear strategy. unfortunately, this administration has been gravely unfocused when it comes to cybersecurity. president trump falsely promised to deliver a comprehensive plan to protect america's vital infrastructure from cyber attacks on the first day in office. it took months for the president to get around to issuing an executive order on cybersecurity. also, a quarter of the 28 person national infrastructure advisory
8:26 am
council resigned in protest of president trump's insufficient attention to cyber threats. president trump floated the idea of an impenetrable cyber unit with russia, at the same time members of his administration were considering and ultimately deciding to ban the use of products on federal networks. within dhs the chief information officer resigned after serving only four months, and the national program and protection directorate, the department's main cyber arm, is still operating without a permanent undersecretary. whether the men and women in this room are willing to acknowledge in an open setting that they are struggling without this leadership, we can be certain these gaps are making their job harder. i look forward to hearing from the panel today about how the department is carrying out its
8:27 am
cyber mission, and i hope that you will be candid with us about the obstacles you face. indeed, if there are areas where you need additional resources, or legislative clarity, tell us how we can help. i'm especially eager to hear from ms. hoffman about how dhs works with one of its key partners in securing critical infrastructure, the department of energy. with that, mr. chairman, i yield back. >> i thank the gentleman. other members of the committee are reminded that opening statements may be submitted for the record. we are pleased to have a distinguished panel of witnesses before us today on this very important topic. mr. christopher krebs is the senior official performing the duties of the undersecretary of the national protection and programs directorate at the united states department of homeland security. great to see you today, mr. krebs, great to see you in your new role at dhs.
8:28 am
ms. jeanette manfra is the assistant secretary for cybersecurity and communications in the national protection and programs directorate at dhs. also great to have you back before our subcommittee, ms. manfra. and finally, ms. patricia hoffman is acting assistant secretary for the office of electricity delivery and energy reliability at the u.s. department of energy. thank you for being with us today. i would now like to ask the witnesses to stand and raise your right hand so i can swear you in to testify. [witnesses were sworn in] >> let the record reflect each of the witnesses has answered in the affirmative. you may be seated. the witnesses' full written statements will appear in the record. the chair now recognizes mr. krebs for five minutes for his opening statement. >> chairman ratcliffe, ranking member richmond, ranking member
8:29 am
thompson, members of the committee, good morning and thank you for today's hearing. in this month of october we recognize national cybersecurity awareness month, a time to focus on how cybersecurity is a shared responsibility that affects all americans. the department of homeland security serves a critical role in safeguarding and securing cyberspace, a core homeland security mission. i want to begin by thanking the committee for taking action earlier this summer on the cybersecurity and infrastructure security agency act of 2017. if enacted this legislation would mature and streamline the national protection and programs directorate or nppd, and rename our organization to clearly reflect our central mission. the department strongly supports this much-needed effort and encourages swift action by the full house and senate. nppd's mission statement is clear. we lead the nation's efforts to ensure the security and resilience of our cyber and physical infrastructure. we collaborate with other
8:30 am
federal agencies, state, local, tribal and territorial governments and, of course, the private sector. our three goals are as follows. secure and defend federal networks and facilities, identify and mitigate critical infrastructure systemic risk, incentivize and broadly enable enhanced cybersecurity and physical security practices. no question this is an expansive mission. i'm proud to share with you the tireless efforts of so many at nppd. the targeting of our elections, intrusions into energy and nuclear sector. harvey, irma and maria. as threats to our critical infrastructure evolve, we're partnering with owners and
8:31 am
operators throughout the country. the security is truly a shared responsibility. today's hearing is about dhs's cyber security mission. earlier this year the president signed an executive order on strengthening the cyber security on critical infrastructure. this set in motion a series of deliverables to lower our risk. dhs working with federal and stieb oar partners. across the federal government agencies have been implementing the agency standard. agencies are reporting to dhs and the office of management and budget on the cyber security risk management. dhs and omb are investigating. in addition to our efforts to protect federal government networks, we're focussed on how government and industry work
8:32 am
together to protect the nation's critical infrastructure. we're developing an inventory of authorities and capabilities. we're prioritizing entities at greatest risk of attack that could result in catastrophic consequences. we call this our section nine efforts. let me discuss our continuing efforts. facing the threat by foreign government during the 2016 elections, dhs conducted unprecedented outreach and cyber security assistance to state and local election officials. it included indicators of compromise, technical data and best practices. before and after election day, we declassified and shared information related to russian malicious cyber activity. these steps have been critical
8:33 am
to enhancing awareness among election officials and educating the american public. the designation of election infrastructure as critical infrastructure provides a foundation to institutionalize services and support. we're working to develop local information sharing protocols and establish key working groups. yet, there is more to be done and we shall not waver. in the face of increasingly sophisticated threats, nppd is focussed on defending our nation's critical infrastructure. technological advances such as the internet of things. however, they also increase access points that could be leveraged to gain unauthorized access to networks. we must integrate cyber and physical risk in order to effectively secure our nation. expertise around cyber security
8:34 am
risk and interdependencies today and i look forward to your questions. >> thank you, mr. krebs. ms. manfra, you are now recognized for five minutes. >> chairman ratcliffe, ranking member richmond, ranking member thompson, members of the committee, thank you for holding today's hearing. i also want to begin my testimony by thanking this committee for taking action earlier this summer on the cybersecurity and infrastructure security agency act of 2017. a name for our organization that reflects our mission is essential to our workforce, recruitment efforts and effective stakeholder engagement. we must also ensure nppd is properly organized to address cybersecurity threats both now and in the future and we appreciate this committee's leadership. cyber threats remain one of the most significant strategic risks for the united states. cyber risks threaten our national security, economic prosperity and public health and safety. our adversaries cross borders at the speed of light. over the past year americans saw
8:35 am
advanced persistent threat actors including hackers, criminals and nation-states increase in frequency, complexity and sophistication. in my role at dhs i lead the department's office of cybersecurity and communications which includes our 24/7 watch center and operations, the national cybersecurity and communications integration center. our role goes live three work streams, instrumenting agency networks through the deployment of sensors, assessing and measuring agency vulnerabilities and risks as well as critical infrastructure, and directing and advising actions that federal agencies and critical infrastructure entities can take to better secure their networks. as you all know the nccic is the civilian government hub for cybersecurity information sharing, asset incident response and coordination for both critical infrastructure and the federal government. as my colleague noted we are emphasizing the security of federal networks.
8:36 am
nppd assistance to federal agencies includes first providing tools to safeguard the executive branch networks through our national cyber protection system and the continuous diagnostics and mitigation programs. second, measuring and motivating agencies, and third, serving as a hub for information sharing and incident reporting, and finally providing operational and technical assistance. einstein, the sensitive flood of a part of national cyber protection system refers to the federal government's suite of intrusion detection and prevention capabilities that protects agencies' unclassified networks at the perimeter of each agency. today einstein is a signature based intrusion detection and prevention capability that takes action on known malicious activity. our non-signature-based pilot efforts to move beyond signatures are yielding positive results. these capabilities are essential to discovery of previously unidentified malicious activity. we are demonstrating the ability to capture data that can rapidly be analyzed for anomalous
8:37 am
activities using technology from commercial, government and open sources. they're defining future operational needs as well as the skillsets and personnel required for the non-signature approach to cyber security. einstein is our tool but it will not detect or block every threat. therefore, we must complement it with systems and tools inside the agency networks. these tools are enabling agencies to manage risks across their entire enterprise. at the same time these tools are going to provide dhs. through a common federal dashboard. nppd is working with our
8:38 am
interagency partners. are those systems going to cause a significant impact in the united states. we conduct vulnerability assessments. to determine how an adversary would penetrate a system to access sensitive data and without being detected. protecting them before an incident occurs. when necessary the department is also taking targeted action to address specific cyber security risk through the issuance of binding operational directives. we're working to enhance cyber across the globe. they protect our system. by bringing together all levels
8:39 am
of government, international partners and the public, we're taking action to protect against cyber security risks, enhance information sharing on best practices and cyber threats and to strengthen resilience. i look forward to any questions. >> ms. hoffman, you are recognized for five minutes. >> chairman ratcliffe, ranking member richmond and members of the subcommittee, thank you for the opportunity to discuss the continuing threats facing our nation's energy infrastructure and the department of energy's role. cybersecurity and resilience of the energy sector is one of the secretary's top priorities and a major focus of the department. the department of energy is the sector specific agency for cybersecurity of the energy sector. d.o.e. works with dhs and jointly with other agencies, the private sector organizations for a whole of government response to cyber incidents by protecting assets and countering threats. in addition, the department of
8:40 am
energy serves as the lead agency for emergency support function 12, which is energy, under the national response framework. as the lead, the esf 12 is responsible for facilitating restoration of damaged energy infrastructure. the department works with industry, federal, state and local partners to facilitate response and recovery. combining d.o.e.'s role for cybersecurity with national response activity ensures incidents with both cyber and physical impacts are recorded in the energy sector. at this moment in time i would like to acknowledge the secretary does express his support for the victims of hurricane harvey, irma and maria. i would also like to express my gratitude for all the utility workers that have been working very hard in the region for restoring power. in extreme cases the department can also use its legal authority as those in the federal power
8:41 am
act as amended by the fixing america surface transportation act to assist in recovery operations. congress enacted several important new energy security measures in this act as relates to cybersecurity. the secretary of energy was provided emergency, was provided a new authority upon the declaration of an emergency by the president to issue emergency orders to protect or restore critical electric and critical infrastructure or defend critical or electric infrastructure. this authority allows d.o.e. to respond as needed to the threat of cyber and physical attacks to the grid. d.o.e. has collaborated with the energy sector for nearly two decades in voluntary public-private partnerships that engage owners and operators at all levels, technical, operational, and executive, along with state and local governments, to identify and mitigate physical and cyber risks to the energy systems.
8:42 am
in the energy sector the core partnerships have consisted with electric sector coordinating council and the oil and gas coordinating council. in these meetings interagency partners including dhs, states, international partners come together to discuss important security and resilient issues for the energy sector. the electric sector specifically has been very forward leaning and aggressive in trying to address cybersecurity issues. d.o.e. plays a critical role in supporting the energy sector cybersecurity by building in security. specifically we've been lucky building capabilities in this sector in three areas. the first area is preparedness, enhancing the visibility and situational awareness and operational networks as well as i.t. networks. increasing the alignment of cybersecurity preparedness across multiple states and federal jurisdictions. response recovery activities in
8:43 am
supporting the whole of government effort, and leveraging the expertise of the department of energy's national labs to drive cybersecurity innovation. threats continue to evolve the d.o.e. is working diligently to stay ahead of the curve. the solution is an ecosystem of resilience and works in partnership with state local and industry stakeholders to advance best practices, strategies and tools. to accomplish this with a six hour information sharing to better inform local investment decisions, encourage innovation and the use of best practices to help raise the energy sector security maturity and strengthen local incident response and recovery activities. especially for the participation of training programs and exercises. i appreciate the opportunity to be before the subcommittee and represent one of the sector specific agencies and the energy sector cybersecurity capabilities. however, i would be remiss not
8:44 am
to take a moment and stress the interdependent nature of our infrastructure and requires all sectors to be constantly focus on improving their posture. so d.o.e. looks forward to continuing to working with the federal agencies to share best practices and build a defense in depth. so with that i would like to thank you for being here today and look forward to answering your questions. >> thanks, ms. hoffman. i now recognize myself for five minutes of questions. ms. manfra, i want to start with you. you mentioned einstein and cdm in your testimony and the role they play in securing federal networks. want to give you an opportunity to provide some public clarity and limitation of cdm specifically. can you give us some idea of how many departments and agencies have fully implemented cdm phase one and how many agency dashboards are up and running, is the dhs dashboard up and
8:45 am
running, and give us some perspective on that. >> yes, sir. thank you for the question. cdm, we are in the process of deploying both phase one and phase two. phase one being focused on hardware, software, asset management, identify what is on the networks integral to the agencies, and phase two looking at who is on the networks. so dealing with issues like access and identity management. we can get back to you with the specific numbers of agency deployment. they are all in various stages of deployment. we have made it available to all agencies but each individual agency is in a different stage of deploying. we are nearing 20 agencies that have an agency dashboard up and running, and this month, the department of homeland security will be standing up the federal dashboard. so that will be receiving feeds from those agency dashboards. that will then allow us to have
8:46 am
more near real-time understanding of that sensor, what those centers are identifying of those agency networks and allow us to better prioritize vulnerability management for agencies. >> terrific, thanks. one of the points i want to cover today was last week the gao came out with a fairly critical report on the current state of federal cybersecurity. one of the most would appear to be most troubling aspects of that was a statistic that only seven of the 24 cfo act agencies and programs within any functions, considered effective per the trento standard for cybersecurity control. that doesn't sound very good. i want to give either you, mr. krebs, or you ms. manfra, the opportunity, as a talk about the cybersecurity posture of the dot
8:47 am
gov, reconcile that with the gao report. >> sir, i think that we have, we learned a lot over the years about agency capacity to manage cybersecurity risks and the resources they have to do so. i can say agencies have prioritized the management of the cyber risk at their highest level across the government. what we learned in both the deployment of cdm, engagement in partnership with omb in making agencies is that there remain some significant gaps. we have built over the last couple of years and are continuing to build technical assistance capabilities, things like design and engineering, architecture reviews, helping agencies getting much more in-depth insight into the networks and providing them with a greater level of assistance both engineering and on the government side to help them address their often very complicated networks with the limited resources we have here
8:48 am
we do see a lot of potential for cdm in the ability to deliver tools at a lower cost across agencies, and this is the first time that many agencies have had access to this level of automated data to understand what is on the network. and so we see a lot of potential for this, but for many agencies there's a lot of capability that has to be built and will continue to take advantage of things like shared service, more capability from dhs to deploy to agencies who need it most. >> so you just comment about shared services and resources. i want to follow-up on that a bit because i think it's a book to look where we are but also look to where we are going. and so looking forward a bit, how do you see dhs federal network protection tools evolving past, say a signature-based threat detection
8:49 am
tools, and particularly where my conversation with the administration and the cybersecurity advisors to the president really putting emphasis on cloud computing and shared service, shared i.t. services and resources. so i guess in a sense what is the einstein future generation 10.0 look like? >> i'm not exactly sure what einstein 10.0 will look like but i can tell you where we are looking to evolve. as agencies, the president's key initiative around modernizing i.t. and us nudges the technology. there are large challenges with legacy technology but we need to modernize the way we govern and procure. as we do that we are working very closely to modernize our security processes. lastly take advantage of things like cloud services we ensure that we are modernizing our security approach but also not losing the insight that we have into traffic, either
8:50 am
internetworks are in and out of agency networks. importantly, we learned on cdm some key lesson from the first phase of deployment. we now have a new contract vehicle in place that will enable the deployment of cloud and mobile security technologies in addition to the on premise sensing capability that we have right now. we are evolving. we are building on what industry is learning from behavioral-based detection methods, and we've had some successful pilots and look forward to continuing to build that capability. >> terrific. my time is expired. the chair now recognizes mr. richmond for his questions. >> ms. manfra, mr. krebs, either one, you all know that by the legislative the call for departmentwide cybersecurity strategy within dhs. that strategy and report was due
8:51 am
in march. we still don't have it. what's the status of it? and if you run into problems in getting it done, what are those problems? how can we help? >> thank you for the question. the office of policy has -- strategy. it rolls in components across the department between the secret service, ice, homeland security investigations, u.s. coast guard, transportation security administration as well as nppd. while we don't necessarily lead the development of the strategy because it is a departmentwide strategy, we are a significant player. to speak to the status of the strategy itself, my interest in where it sits is influenced by the president's executive order 13800 that was released back earlier in the spring. that report puts dhs at the
8:52 am
front or in the lead for almost all of the reports particularly in the first two in the fourth work stream. federal networks, critical infrastructure and cyber workforce. so while those reports and assessments are underway they are anticipated to have significant impacts and some of the priorities perhaps of the department including nppd. i believe the decision on finalizing the strategy has been to let's get to the cybersecurity assessment related to the eo as well as the administrations anticipated national security strategy, national security cybersecurity strategy that are expected in the next several months, and then when we have a broader understanding of where the department is going, that will then feed into the cybersecurity strategy. that said, rolling at all back to the requirement in the ndaa that you offered, it is still as
8:53 am
a priority to finalize that report. that said, as a department we are moving forward with a number of our priorities. i do want to touch on a couple of things mentioned early. as a senior official performing duties of the undersecretary, while we do not have a permanent undersecretary for nppd, i have been authorized and then given a very clear direction by acting secretary duke to move out and execute every aspect of nppd. so while we didn't have a permanent undersecretary right now, i have all authority that i believe i need to execute the department's mission within nppd. >> with regards to a strategy, i would talk about in terms of report, let me just take that aside. do we have departmentwide strategy with how we're going, how we deal with cybersecurity? and i need challenges that we're
8:54 am
going to continue to face in the near future. >> my understanding is that there is a departmentwide cybersecurity strategy in draft form, yes, sir. >> so again, i don't want to get into the weeds. >> i just saying are you all operating with some comprehensive strategy on a day-to-day basis to protect the cybersecurity? >> i understand, yes, sir. going back to my opening remarks i indicated nppd is in the lead for ensuring the nation's critical infrastructure outside as good a physical threats. i mentioned at the top go which is securing our facilities. for me and with the assistant secretary manfra, that is at the very top of our minds and recently. the second piece is securing identifying and mitigating systemic risks across the infrastructure, the nation's infrastructure. when i think about that i think about section on critical infrastructure greatest risk.
8:55 am
bottom also putting election infrastructure integrate as i mentioned, that for me is the number one priority for nppd are critical infrastructure perspective. we cannot fail there. third and finally is enabling and incentivizing better security practice across the broader critical infrastructure community to include state local, small and medium-size businesses. >> ms. hoffman, there's been a great deal of concern among national could experts that russia's goal in disrupting the ukraine power supply 2015 and 2016 was to test its capabilities in preparation for larger attack on the united states. last month we learned that russia may have been responsible for dragonfly 2.0, which exploited and targeted some of our energy sector. which how was the energy sector responding and what is their capabilities to prevent a widespread attack? with that i yield back.
8:56 am
>> thank you, congressman, for the question. ukraine attack was a very much an eye-opening event for the energy sector, and the energy sector specifically, the electric sector got very organized in recognizing we had to continue to step up our continuous monitoring capabilities, our ability to detect behavior on the system but also building inherent protection and as we develop new technologies. recognize that the core of anything is protecting against spear phishing and passwords and credentials, and that's starting to really go after where do we need to be with respect to preventing an attack from occurring on the system. we've been working actively with the electric sector to build some tools and capabilities and for protections of their system. >> the chair now recognizes the gentleman from new york, mr.
8:57 am
donovan, for five minutes. >> thank you, mr. chairman. i would just like to ask one question of all of you. in 2015, congress passed the cybersecurity act, and in 2017 we passed the cyber and infrastructure security agency act, and the president also issued an executive order back in may to strengthen our abilities. what do you guys need? what can congress do to help you protect our nation, our federal agencies, our private entities? as mr. richmond said, our energy industries. what do you guys need from us to help you protect our nation better than we are able to do now? >> thank you for the question. the very first thing i would start with is come as you make in the cybersecurity and infrastructure security agency act of 2017, passing at a full committee was a significant step forward. what we need is quick action by the full house and the senate.
8:58 am
let me give you ample anecdote about why that's important. that bill will give us three things. one, it will allow us to introduce some operational efficiencies, looking at, infrastructure across the organization, pushed them together so that we are more streamlined at how we engage and deliver services from a customer service orientation. second, it will help with our branding and clarify roles and responsibilities, not just within nppd but more important with our federal, state and local partners and the private sector. and finally what that's going to do is give us the ability to attract talent. i think we talked about workforce. we talked about hiring and partnership. but on the clarity of roles and responsibilities, let me talk about that. i've been down to puerto rico in the last, twice in the last week. i was there last monday, and
8:59 am
then i was there last friday with acting secretary duke. on friday meeting with the acting secretary duke, the governor and his key staff, we were discussing a number of other critical infrastructure challenges in puerto rico. when it came around to me i talked about the communications infrastructure. as you all know the national fumigation center resides within the office of cybersecurity and communication. when we talked about the status of things, what i was talking about was how we are assisting the communications carriers, whether it's at&t, sprint, t-mobile, verizon, helping them get back in and prioritize delivery of temporary capabilities, wheels, light trucks, to help temporarily pop up the key medications coverage but at the same time helping them get resources in for cell towers. as i briefed out where we were on helping those companies get resources back in, i introduced
9:00 am
myself as the senior official perform the duties of the undersecretary for the national protection and programs directorate. now, try repeating that back to it's not easy. someone would never heard that before immediately went on, to press interview and alongside the tsa administrator, ice, none of the coast guard, effective homeland security, the fema regional administrator, she said we add fema, tsa, coast guard and the communications guy. she doesn't know how to describe me, when i'm out engaging my stakeholders, they don't understand the mission i deliver. i need help clarifying that and providing very up front clear what i do and what my team delivers. that is a significant advancement. any help i can get there, please help me out. more broadly in terms
9:01 am
>> we're in stock taking where the department sits in cybersecurity. there are significant authorities that come to bear in the event of a great incident. dhs has authority in terms of information response and sharing. thank you to those authorities. going forward we're not quite sure what we need. i tell you this, the cyber security threat is not going away. we need to be staffed, we're not going to use less technology going forward, as you had indicated earlier we are going to the cloud. we are going to share services. we're going to be relying on the cross-cutting capabilities in the internet technology sector. we need to ensure from a digital defense perspective we have what we need. we welcome that conversation and you can believe that you'll see me again and we will be talking about that.
9:02 am
>> i have two seconds left. would you contribute, please? >> yes, sir, very briefly, just to compliment what chris talked about, we're working within the federal government to understand what-- what is the full breadth of our authorities. how can we lean into the existing authorities that you have to deploy more capability with the critical infrastructure sectors, we're working to understand, now that we've identified these both critical assets at greatest risk, are there legal and operational and policy hurdles we need to address to assure we have appropriate authorities in place and we work with you for this analysis. >> please don't wait. mr. chairman, i yield back the time i don't have left. >> thank you. the chair recognizes the gentleman from mississippi, mr. thompson. >> thank you, mr. chairman.
9:03 am
the last two speakers have talked about being resourced and staffed from an agency standpoint. last march we held a hearing talking about staffing at the department. can you give us the number of unfilled positions in the cyber division right now? >> sir, we are currently staffed at 76% of our fully funded. >> so we're 24% under. can you tell us why we are understaffed at this point? >> yes, sir, there are a variety of reasons. the first largely thanks to the work in this committee and our
9:04 am
appropriations staff in congress in building the billets that are allocated to my organization, we have grown significantly. we've worked very hard to build according to those-- to that great in billets, we've had some challenges. we've worked with our management colleagues and human capital colleagues to identify areas where we can reduce the time to hire. i can say looking at statistics, from fiscal year 16 to fiscal year 17 we've reduced the time to hire by 10%. many of these requirements have to do with security clearances. it does take a long time to process people through that security clearance process. we've made significant process. we've worked with our security office to find ways to continue to shorten that. we're also diversifying our recruitment path looking at the
9:05 am
scholarship for service cyber core program it's been a great pipeline to bring-- after the government has scholarships, bringing these individuals in as interns and hiring them full-time, they're already fully qualified for our direct hiring authority and look at other programs, pathways, and following other recent graduate programs. we are looking at partnerships with industry where they-- yes, sir. >> i don't mean to cut you off, but, so, is the problem we have too many programs to task people to or i'm just trying to find out why when we give you the authority to hire, why we've not been able to come closer to whatever that authority is and is that something we need to do to get you to that point? >> sir, i'll separate the authority that we were given by congress to build an excepted
9:06 am
service program. what i was referring to was, i did not believe a couple of years ago we were fully leveraging the authorities we already had and the programs that we already had to bring people in and tightening the time line that it takes to bring people on. the excepted service program is led by our chief human capital officer. i know this is a half priority for her. we did not go to appropriately expedite the development of that program four years ago. we have now done so. it's my understanding we will now be able to hire against that program beginning in fiscal year 19, but there's a regulatory process that we have to do. >> just for the sake of the committee, can you provide us with a timeline between when somebody who's considered for employment and when that is
9:07 am
completed? is it-- get back to us. >> yes. >> whether it's three months, six months, a year? i think that would be instructive for us so we can kind of see if there's-- what's involved. the reason i say that, i think that all of us are constantly bombarded by people looking for employment opportunities and if we have potential opportunities here, is it something we are not doing, we're not going out recruiting and just what, we just need to kind of figure something out. >> right, and i do-- if i could, sir, just clarify. the 76% is just indicating people that are on board right now. if you include the people that are in the full pipeline, that brings us about to 85%. and for us, we're averaging 224 days to hire.
9:08 am
that sounds long, but that is to include a top secret fbi clearance process, which is actually a fairly, for the benchmark of the rest of the government we're doing quite well. we want to work with you, sir, we'll come back with you. >> please get back. >> yes. >> mr. krebs, we have a congressional task force on election security and we made a request of the department to provide us a classified briefing around this issue and we've been told that it has to be bipartisan. that you can't just brief democrats. are you aware of that? >> sir, i'm not aware of any existing policy. let me say this, i share your concern on election infrastructure and i want to
9:09 am
say directly to you as well. it's my top priority at the department. if we can't do this right and dedicate every asset to assess our state and local partners, frankly, i'm not sure what we're doing day-to-day. in terms of what we've done we are prioritizing delivery of those briefings, information sharing to our state and local partners. we're doing it in a bipartisan manner, and we should pull in the same direction. going forward, i would encourage any additional briefings that we have provided a series of bipartisan briefings to the homeland security committee, both classified and unclassified. the real crux of this issue, the underpinning issue here is a trusted relationship. now, do-- >> sir, i appreciate it, but we have established a working group within the democrats on a
9:10 am
committee and we're just trying to get a briefing. so, i think-- it's nice to say i don't want to brief you because there are no republicans, but we're members of congress and all we're trying to do is get access to the information, and if your interest is there, i'm convinced you'll provide it and that's the spirit in which the request was made. so, we'll make it again. >> yes, sir. >> and look forward to you coming back and just bring us what information you have as members of congress and that's all we ask. >> thank you. >> i yield back, mr. chair. >> thank you. thank you, ranking member. chair now recognizes the gentleman from virginia, mr. garrett. >> thank you, mr. chairman. i'm going to hit my talk button and my voice sounds better with the microphone is on. i want to piggyback on what my
9:11 am
friend and colleague and ranking member thompson said, i would agree with you that election infrastructure, cybersecurity as relates to overseeing elections is something that crosses and transcends the aisle and anything that you give democrats to or give the exact same to the republican members and would be great for your time given it's redundancy. i don't see why some party should be briefed in the absence of others in the united states of america. if you do bring the request, to election security as relates to cybersecurity issues, please invite me. i can't fathom that one party has a monopoly on free and fair elections. i'm sure my colleague doesn't mean it that way, i want to be clear that should not be a
9:12 am
partisan issue and perhaps people from both parties are invited or give the same briefing twice, which i think is inconsiderate and short sighted. and what we know about the cyber activity, specifically with relation to estonia and ukraine, to my understanding the bulk of the platforms used to infiltrate infrastructure, i said platforms, malware, it would appear based on my speaking to this forum, killdisk, black energy, were known entities were discovered as relating to this, as to the coordinating task, how do we-- how well do we stay ahead or try to stay on-line with it? i understand it's the moving target and to the extent to
9:13 am
there's no hope -- again, i understand the format we're in might limit the conversation that we have, a lot of the malicious activity to this point conducted, we presume, and data would presume the russians, how quickly can we pick up on advancements in malware and inculcate them into our preventative measures? and that's wide open to whichever one of you wonderful folks would like to address it. >> thank you, sir. if i may, i'll start and provide a bit of a broader approach and defer to my colleague from the department of energy to anything on the good in electricity. i'm subject to the time limit, so i apologize, but so i'll do this quickly. >> yes, sir. >> generally speaking, we have talked about advanced persistent threat here. when we think about threats
9:14 am
it's not, generally speaking, advanced. companies and organizations are not doing the blocking and tackling, and some of the exploitations were based on open known vulnerabilities that weren't patched. the concept of a zero day exploit while it's out there. it's not actually the primary exploit that we tend to see in the wild. >> let me interrupt you. and i am a big fan of limited government, but in this arena because the entire nation hangs in the balance, not just the elections, but everything that relates to our grid, might not be effective to hit the particular power providers where it counts, essentially make it cost something for entities that don't patch the known threats. you'll be up-to-date on x, y and z and--
9:15 am
ments my colleague can speak to that. >> you guys are great, but time-- >> the first operational direction we issued was reducing the patch vulnerabilities to 30 days. we have actually seen a complete cultural change as a result of that and we are now seeing the government highly testing and patching those critical vulnerabilities. so, i just wanted to throw that out there. >> so there's a carrot and a stick. i had a he-- i'd rather the carrot, but i don't mean to cut you short. i've got 15 seconds. the nature of nerc and whether it's semi private autonomous pseudo entity, compromises tactics, procedures and et cetera. >> so, i don't think that nerc as an operation-- it does have the operations center, sharing information writ
9:16 am
large and capabilities to compel and look at the industry to respond so we can get the information we need. >> thank you all, and i apologize going briefly over. >> thank the gentleman. and the chair recognizes my friend from rhode island. >> thank you, mr. chairman. i want to thank our witnesses for your testimony here. and before i go into my question, i just wanted to mention for just publicly and to mr. garrett, i'm a member of the election task force that certainly the democrats have put together on-- going forward in improving election security and i will say to my colleagues, there was an initial outreach to republicans to make this a bipartisan effort which was not accepted, it was not-- we didn't find anyone that was receptive, but i would say this, the task force to the
9:17 am
public, my colleague, mr. garrett, is welcome to participate fully with that and with respect to the ranking members question on the classified briefing both on russia's interference in our election and how we're better securing our elections systems. i would say that along with democrats and republicans, i would prefer it as a democrat and republican briefing, however we get the briefing, i don't want a misunderstanding of what the representative was asking, we want a briefing. we'd ask that you provide that to us. >> yes, sir, thank you, i do believe we've provided a classified briefing in the past and welcome the full committee briefing or subcommittee briefing on that as well, sir. >> and one thing i wanted to mention, your authority and active role in cyber, but i would reiterate it's vitally important that we get key
9:18 am
people appointed and in place permanently. i respect the work you're doing and your team and, but we need permanent people in place, both for confidence and clarity to what the mission is. so let me get into my questions very quickly, i'll try to go through them. the ones you can't answer fully because of time constraints, i'd request a follow-up in writing. on september 13th, there was a binding operational directive 1701 which directed departments to remove from systems in the next 90 days, in nothing so doj issued a public statement to coincide with the establishment of the directive. i'd like to commend the department, it added transparency and that was important.
9:19 am
my question was what analysis led to this removal from the federal networks and i understand this may be classified in which case i request that you and your team provide briefings to members on operations behind it, i think it's vitally important this committee on both sides of the aisle understand what went into that. next, mr. krebs, sec was breached in late 2016 and we now know that the attackers had access to corporate filings, profit, public release. the announcement of this breach was made nearly a year after it was first discovered. my question was, when was dhs informed of the breach? and what was dhs's involvement in detecting, responding and recovering from these-- from this attack? and finally, how did dhs
9:20 am
improve its integration with federal agencies to assure that these types of attacks are identified and notified quicker in the first. >> let me briefly touch on the first piece and then i'll kick it over. that was based on totality of evidence including by the most part open source information and in terms of a classified briefing, i believe we are on the schedule for some point in the next month or so with the full committee, the monthly intel briefing. so with that, if i may, i'd like to turn it over. >> thank you. >> sir, welcome to support a briefing on it. as far as the sec, we're happy to come in and have a more full conversation with this about that. they didn't notify us last year on november 4th of an issue. it was at the time the extent of the issue was not well understood and given the time limits here, i think it might
9:21 am
be more useful if we sat down and other members as appropriate to walk through specific details. >> and what do you think that-- what was the dhs's involvement in detecting and recovering? >> we have limited involvement with the sec. they did not request our assistance for response. >> and on the issue of how to make it work better in the future? >> sir, in addition to this incident as well as several others we are reviewing our procedures to ensure that it's clear that when an incident happens, what role the department needs to play in the response, not just at the request of an agency. and then, if we're looking at specific critical services and functions, then the department needs to have a more active
9:22 am
role in that response regardless of whether the agency requests it. >> thank you. in august, congressman herd and i traveled to def-con and we were looking at the willingness to report vulnerabilities to improve overall security. and what if they establish a vulnerable process for dhs sites and software. again, one of the things i found with-- about the program was very helpful in identifying security vulnerabilities and getting to the right individuals on the vulnerabilities and talking to security researchers. one of the things that impressed me most, they want just want to make the internet better and want to know when they find a vulnerable that they pass forward, they report it and somebody is going to do
9:23 am
something about it and actually going to be heard. what progress has dhs made in this respect? >> we have a longstanding program on vulnerabilities and control systems as well as enterprise technologies, and we've been working with security researchers in both communities for years to provide them a space for them to give that visibility and also to activate with the owner of software for a patch and much of the alerts we issue are with researchers. we also have our own organization within my group that conducts penetration vulnerabilities and risk assessment across the government to include dhs networks. we need to assure that they're supplemented with broader risk and vulnerability analysis and testing to make sure that
9:24 am
they're addressing-- >> and what about the dhs owned systems? >> my organization also supports penetration testing and vulnerability assessment within the dhs. particularly the high value assets that dhs owns. and that the management is interested in what the department has done and how that might apply to dhs. so we look at how that might be applied. >> mr. chairman, i had one more on election security. and can i ask that? i know we've touched a bit, but for the record i want to dive deeper into this. it's interesting that state and local officials have access to resources from dhs to protect systems that represent the cornerstone of our democracy. so, can you further describe how dhs is, would working with
9:25 am
officials to protect networks? i believe the response to unprecedented interference in our elections last year to be sufficient, and secondly how can we improve access to resources? there are additional funds and resources that the department needs in this respect? >> so, thank you for those questions. let me start at the end with your improving relationships. and with the department last summer, this all manifested. i can speak to generally the relationships with state election officials. that was not an existing relationship between the department of homeland security in the state and locals. however, we do have strong relationships, of course, with the homeland security advisors and officers and chief information security officers. but to square the circle on this specific threat, we need to develop partnerships that are, you know, three or four legs on the stool within each specific state and each state
9:26 am
is going to be a little bit different in terms of how, you know, who they designated as the chief election officials and as well as the vendors of the technology. in terms of how to improve relationships, it's going to take a lot of effort and a little bit of time and those are things that we are working on right now. we don't have much time, but we are dedicating resources. in fact, just this morning, i sent out a notice across my organization reflecting some changes we made organizationally last week about a task force. previously, the election piece has been held within the office of infrastructure as a program. again, matching my words with execution, we're elevating with a task force and across them and resourcing it appropriately. and this is speaking to the resources, we're pulling the resources together in recognition that we don't have
9:27 am
a lot of time, given there are pre-elections this year. >> fte's that are committed to this? >> i don't have the fte's on hand. and i believe that-- and specifically. >> if i can make one additional point on resources, ranking member richmond noted that his understanding was that there was a nine-month wait for risk and vulnerability assessments. i don't know whether that's the exact current number, but that speaks to the high demand that we're experiencing for our assessment services and that is everything from penetration testing to the cyber hacking scans that multiple states and localities have participated and continue to participate in, as well as the more in-depth risk and vulnerability assessments. we are growing that program and we are diverting resources, we're building infrastructure so that we can more scale that and that's a service that we're providing and not just the federal agencies, but to state and local governments and
9:28 am
critical infrastructure, and we're experiencing much more demand for those services and we're continuing to look for ways to upscale that. >> thank you for that. and any answers you can give in writing, i appreciate that. thank you for your indulgence. >> you're welcome, gentleman. yield back and i want to thank all three of our witnesses today for your valuable and insightful testimony. thank all the members for the questions today. the members of the committee have additional questions for witnesses and we'll ask you to respond in writing. pursuant to committee 7-d the hearing record will be held open for ten days and without objection the subcommittee stands adjourned.
9:29 am
9:30 am
hhs security we should see a vote throughout the day. live coverage of the u.s. senate here on c-span2. the presiding officer: the senate will come to order. the chaplain will lead the senate in prayer. the chaplain: let us pray. almighty god, we're grateful that your will prevails when reliance on humanity is futile. give our senators the wisdom to
