
tv   Public Affairs Events  CSPAN  March 19, 2021 4:59pm-6:58pm EDT

4:59 pm
This week the Senate Budget Committee held a hearing on income inequality, with testimony from former Clinton administration Labor Secretary Robert Reich and other economic experts. It includes testimony from an Amazon worker from Alabama, as part of an effort to unionize workers at fulfillment centers there. Watch the hearing tonight starting at eight Eastern on C-SPAN. On Book TV on C-SPAN2, top nonfiction books and authors every weekend. Saturday, he talks about his book, Unmasked, inside a radical plan to destroy democracy. And at 9:00 p.m. Eastern, actor and advocate Michael J. Fox talks about his life with Parkinson's disease in his book, No Time Like the Future. He considers mortality in
5:00 pm
Sunday night at 9:00 p.m. Eastern, on After Words, Georgetown Law professor Rosa Brooks details her experiences in policing as an armed reserve police officer in Washington, D.C., in her book Tangled Up in Blue: Policing the American City. She is interviewed by the Houston chief association president.
5:01 pm
>> Women and girls, for one thing, are just hungry for role models. We keep hearing representation is important, and really the
5:02 pm
amount of e-mails and messages we get from very, very young girls and/or their mothers, saying how either the subjects we cover or just the very fact that they hear two women speaking in that format has really affected them. >> Women have typically been the woman behind the man, and what we do here is we get to talk about the men behind the women, with a focus on her life from her point of view. So the fact that we get to do that, like Beckett said, hopes and inspires us to do the same, and we know it does.
5:03 pm
>> This committee hearing will come to order, and I would like to first off thank our witnesses for joining us today and for their service to the American people. This hearing will examine the devastating impact of recent cyberattacks against our central
5:04 pm
networks, including the dire national security implications of last year's SolarWinds breach and other recent online espionage efforts. This was one of the most destructive cyber breaches in American history, and there are still many unanswered questions about how it happened and how it went undetected for far too long. Both the SolarWinds and the recent Microsoft hacks clearly show that our nation is not adequately prepared to tackle this persistent and grave threat. Foreign adversaries like China and Russia continue to exploit our cyber vulnerabilities to access confidential and classified information, disrupt government operations, and even target businesses, tools, and critical infrastructure. Unless our capabilities are able to match this threat that we face, American networks and supply chains remain at risk. Last year's SolarWinds hack and
5:05 pm
subsequent breach of federal systems was incredibly sophisticated, and the extent of the damage is astounding. We must prevent an espionage effort like this from ever happening again and ensure that our government has the resources to calibrate our response to these significant breaches. After the SolarWinds hack, likely perpetrated by the Russian government, our agencies were asked to self-analyze and review the effect of the attack when many did not have the capability to do so. This haphazard approach made it extremely clear that our ability to respond did not match the severity of the crisis. The process and procedures for responding to cyberattacks desperately need to be modernized, including improving the Federal Information Security Modernization Act, which has not been updated since the creation of the Department of Homeland
5:06 pm
Security's Cybersecurity and Infrastructure Security Agency. In order to adapt to evolving cybersecurity threats, both the public and private sectors need a centralized, transparent, and streamlined process for sharing information. In the event of future attacks this will be critical to mitigating the damage. This discussion with our government's foremost cyber experts will be critical to understanding how agencies are assessing the damage done by these breaches and what actions they took to notify Congress. Going forward, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency will play a critical role in strengthening our cyber defenses and the security of our federal systems and their supply chain. Mr. DeRusha is the chief information security officer charged with implementing and coordinating those efforts. Based on your strong record in my
5:07 pm
home state of Michigan and your extensive experience, I have every confidence that you are up to the task. I have long raised concerns about the national security threats posed by cyberattacks, and those challenges that I mentioned have continued to grow, and the pandemic has pushed our lives and communities online, and foreign adversaries and other bad actors continue to target the networks of our research institutions and health systems, threatening our ongoing pandemic response. That is precisely why, as part of the American Rescue Plan Act, I helped secure nearly $2 billion to update our aging federal information technology systems and help address cybersecurity threats. However, it is clear from the gravity of this threat that we need to examine whether the FBI and other agencies have what they need to protect the American people. I'm committed to working on a bipartisan basis with my colleagues on the committee, especially Ranking Member
5:08 pm
Portman, and with the Biden administration, to protect our networks against future breaches. This hearing is the first of several we are going to be holding on this issue, and we must tackle this problem and do it swiftly, but we must also do it comprehensively. Thank you, and with that I will turn it over to Ranking Member Portman for his opening remarks. >> Thank you, Chairman Peters, and I have appreciated our work on these issues even before you sat in the chair and I was ranking member. We have got much more to do, certainly. We are here today to focus on this massive SolarWinds hack, the biggest in our country, I believe, to analyze its impact on the federal government and discuss what changes are necessary to prevent and mitigate events like this in the future. It's been three months since we learned of this attack, and there's a lot, frankly, that remains unknown. We will learn more today, I hope. What we do know is really
5:09 pm
chilling. According to the FBI, the attackers were "likely -- in origin," and that's a quote from them and from our intelligence services as well. They were also smart and hard to detect, apparently. They were patiently careful about directing their targets. They disguised their activity and used stealth techniques to evade detection, and because of that it took over a year to detect the attacks. A lifetime of damage for sophisticated adversaries. Second, the attackers used a software company, a supplier, to hack the U.S. government. The attack compromised the security of later patches widely used for SolarWinds' Orion IT management software. So it's good cyber hygiene to keep security patches up to date, and it's something
5:10 pm
that we preach, that those practices ought to be followed, and yet applying those updates and security patches is exactly how this attack occurred. They used the security patch meant to better protect against hacks to attack, and we believe patches are safe to install. This should be a wake-up call for all of us who are concerned about our data being compromised. Thirdly, this attack was broad. The federal government was hit, but also within the federal government this attack hit agencies that hold some of our most sensitive data and national security secrets. Based on public sources, this includes the State Department, Homeland Security, the National Institutes of Health, and the National Nuclear Security Administration, which is the agency charged with maintaining our nuclear stockpile. The SolarWinds attack also impacted the private sector and
5:11 pm
even cybersecurity firms like FireEye, the company that discovered the breach. It's one of the firms folks call when they discover a breach, so the very people that we call when we get hacked got hacked themselves. We know, despite the increased funding that has been appropriated for cybersecurity from the legislature, and that we have worked on in this committee, the federal government never caught this attack. The fact that the federal government was hacked is not surprising to me. In June of 2019, as chair of the Subcommittee on Investigations, I released a report with Senator Carper detailing the extensive cybersecurity vulnerabilities of different federal agencies. Many of these vulnerabilities remained unresolved for decades. Over a year later, three agencies we highlighted in the report were seriously compromised by the SolarWinds attack: DHS, State, and HHS, and those are just three that we know of
5:12 pm
as of today. Unfortunately, this was not a big surprise to us. The SolarWinds attack was one of the most widespread and consequential attacks to date, and in response we have to take a hard look at security strategies and what we are doing wrong. Why are our defense capabilities not up to the task? This includes the failures of the federal government's front-line defense program called EINSTEIN. EINSTEIN has cost approximately $6 billion and is supposed to detect and prevent cyber intrusions in the federal agencies. Clearly it was not effective, even in recognizing that the attack occurred. It's a good time to consider its utility and how it can be improved, and any cybersecurity legislation we consider needs to address the broad set of risks facing our federal networks, and we need to ensure the proper expertise and accountability in the U.S. government. We will talk about that today and
5:13 pm
the legislation that was recently passed to establish more accountability within the Executive Office of the President. When these networks are breached, as in the case of SolarWinds, there are apt to be consequences. I appreciate the witnesses being here today and your service, and I look forward to your testimony on these important questions and getting solid ideas as to how we can better defend our federal networks. Thank you. >> Thank you, Ranking Member Portman. It's the practice of the Homeland Security and Governmental Affairs Committee to swear in witnesses, so if you'll stand, please, and raise your right hand: do you swear the testimony you will give before this committee will be the truth, the whole truth, and nothing but the truth, so help you God? You may be seated. Our first witness today is Mr. Chris DeRusha.
5:14 pm
Mr. DeRusha is the chief information security officer within the Office of Management and Budget. Prior to being named federal chief information security officer, he was the chief security officer for my home state of Michigan. Mr. DeRusha has over eight years of federal government experience working at the White House and the U.S. Department of Homeland Security. He served as a senior cybersecurity adviser for the Obama administration, where he led the implementation of the President's cybersecurity action plan and advised White House leadership on cybersecurity programs, investment, and policy decisions. Welcome back to the committee, and it's good to see you again. I now recognize you for your five-minute opening statement. >> Chairman Peters, Ranking Member Portman, and members of the committee, thank you for the opportunity to testify today on the Office of Management and Budget's role in our response
5:15 pm
to the SolarWinds breach. I believe we are at a crossroads for our nation's cybersecurity. The SolarWinds incident exposed gaps in our ability to identify and manage critical risk, not just for the federal government but for some of the most well-resourced companies in the world. This incident should serve as a wake-up call and a galvanizing opportunity: the federal government and industry, through partnership, can resolve these problems. As the federal chief information security officer, I'm responsible for developing strategies and their implementation. Immediately after the agency detected the SolarWinds incident, OMB engaged with the Cyber Unified Coordination Group, or UCG, which is leading the overall response. We continue to work with the UCG and agencies to collect data on the impact of the event and identify
5:16 pm
needs and resource gaps in response and recovery at the agencies. OMB is leveraging its partnerships across the federal government, identifying common challenges, sharing best practices, and coordinating federal cybersecurity. After decades of underinvestment in federal IT, this administration is committed to investing in the infrastructure, systems, and people needed. We greatly appreciate the members of this committee, who have laid the foundation for a renewed investment in our cybersecurity. With the additional $650 million in funding, the federal government will be able to provide faster response times when incidents do occur. The additional $1 billion provided for the Technology Modernization Fund will resolve cybersecurity challenges.
5:17 pm
It's an innovative funding vehicle that has enabled several modernization programs across the government while providing transparency and accountability in implementation. We look forward to demonstrating what else we can achieve with the new opportunity you have given us. At OMB we are working to ensure that agency budgets are aligned to immediate response needs for the SolarWinds incident while hardening IT infrastructure against future attacks. We fully acknowledge that security is costly when done properly, but it's even more costly when it's --. In addition to funding, we must also invest in our IT workforce. Today federal agencies struggle to track accounts, keep pace with private sector pay, and hire quickly enough to replace departing employees. This administration will rely on programs that work, such as the Scholarship for Service CyberCorps, which brings people into the
5:18 pm
government to start their careers, and continue to grow the Technology Transformation Service at GSA and similar programs that recruit individuals with highly sought-after skills from the private sector. In a world of evolving technology and threats, the government has to bring together the brightest and most talented. In my role as --, I chair the Federal Acquisition Security Council. This body is responsible for coordinating efforts to identify and address risks to the federal government supply chain. I look forward to working with my partners to identify opportunities to use that authority to address risks. Finally, leading agency transition to what we are calling zero trust: zero trust moves us away from the historic approach of defending IT networks at the perimeter and instead assumes the network may be compromised at any given time. This new model uses real-time
5:19 pm
authentication, tests users, blocks suspicious activity, and prevents adversaries from the kind of privilege escalation that was demonstrated in SolarWinds. Many tools we need already exist within the industry and agency environment, but successful implementation will require a shift in mindset and focus at all levels within federal agencies. These are essential for improving federal cybersecurity, but they are not all. To maintain our defenses, we must direct the resources where they are most needed across government. The cybersecurity funding in the American Rescue Plan is extremely important, but it's just a down payment. We have decades of technical debt to pay off, and the modernization must accelerate. I commit to bringing agencies together to coordinate an approach to become more resilient and prepared for future challenges, and I look forward to working with Congress
5:20 pm
to update the legislative authorities, secure the necessary funding, and build and enhance federal cybersecurity. Thank you for the opportunity to testify before this committee, and I look forward to your questions. >> Thank you, Mr. DeRusha. Our second witness is Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, which we all commonly refer to as CISA. Prior to becoming acting director, Mr. Wales was the agency's first executive director. Mr. Wales has served in multiple positions within the Secretary's office at DHS, including senior counselor to the Secretary for cyber resilience, acting deputy chief of staff, and acting chief of staff for the department. Prior to joining the department, Mr. Wales served as the national security aide to United States Senator Jon Kyl and as a senior associate at the
5:21 pm
Washington-based foreign policy and national security think tank. Welcome, Mr. Wales, and you may now proceed with your opening statement. >> Good morning, Chairman Peters, Ranking Member Portman, and members of the committee. Thank you for the opportunity to testify regarding the Cybersecurity and Infrastructure Security Agency's response to the SolarWinds supply chain compromise. CISA leads the nation's efforts to advance the cybersecurity, physical security, and resilience of our critical infrastructure. We share information and enable operational collaboration within the federal government, state and local governments, the private sector, international partners, and the law enforcement, intelligence, and defense communities. This role has proven invaluable in managing recent cyber incidents, and I cannot understate the importance of collective defense for cybersecurity. We also know that more work must be done. Today we will focus primarily on the SolarWinds supply chain compromise, and much of what I
5:22 pm
discuss can be applied to other incidents, such as the recently announced exploitation of vulnerabilities in Microsoft Exchange products. These incidents highlight the necessity of modernizing our cybersecurity infrastructure in order to defend today and secure tomorrow. Late last year we became aware of a broad cyber intrusion campaign largely but not exclusively associated with the supply chain. More than 16,000 were exposed to the malicious software, but the U.S. government estimates a smaller number were compromised. When the threat actor activated the malicious --, they moved into exposed networks. Once inside, the actor was able to use their privileged access to undermine the authentication methods the systems use to control trust and manage identity, ultimately allowing them to access and exfiltrate e-mails and other data in compromised networks and Microsoft Office
5:23 pm
365 cloud environments. The primary objective of this actor appears to be gaining access to sensitive information across a broad set of victims and identifying opportunities to compromise additional IT supply chains. In response, on December 13 the Cyber Unified Coordination Group, or UCG, was formed with CISA, the FBI, the Director of National Intelligence, and the National Security Agency. The UCG coordinates the investigation and remediation efforts of the federal government. CISA leads the asset response in the civilian space, that is, providing technical assistance to affected entities who request it as they identify and mitigate potential compromises. CISA's response to this campaign falls in four primary lines: one, helping to scope the campaign; two, sharing information and detections; three, supporting short-term mitigation; and four, providing guidance and assistance in long-term network recovery. While these lines of response frame the --
5:24 pm
form the framework. Additionally, even as we respond to mitigate the impacts of the SolarWinds and Microsoft incidents, we are looking ahead to ensure that CISA is appropriately postured to secure tomorrow. To this end, we are focused on urgent improvements across four areas of strategic growth that I'd be happy to discuss in more detail. First, we must increase cybersecurity risk management across the civilian executive branch and, where feasible, across non-federal entities. Second, we must expand incident response capacity. Third, we must improve our ability to analyze large volumes of cybersecurity information in order to rapidly identify emerging risk and direct mitigation. And fourth, we must adopt a sensible approach to our networks, as Chris laid out. I want to thank this committee for their hard work on
5:25 pm
prioritizing cybersecurity investments in the American Rescue Plan Act. That funding is an important down payment on the cybersecurity capabilities that I just described, but we are not stopping there. We are still responding aggressively to this campaign. For example, CISA rolled out information resources with best practices for remediating compromised systems and preparing federal departments and agencies for long-term action to build more secure and resilient networks, and CISA provided federal agencies compromised in this campaign with detailed guidance on the adversary in their networks. We also released a multifunction forensic scanning tool to assist. Before I close, I want to address a more fundamental question: what does this all mean? The SolarWinds campaign, as well as the recent Microsoft exploitation, highlights the
5:26 pm
lengths to which adversaries will go to compromise our networks. They used never-before-seen tradecraft and vulnerabilities to defeat our cybersecurity architecture. Knowing that, we must change our game. We need modern cybersecurity governance and capabilities, and cybersecurity tools and services that provide a better chance at detecting the most sophisticated attacks, and we must rethink our approach to managing cybersecurity not only across the executive branch agencies but also our most critical infrastructure. Thank you for the opportunity to testify on this important subject, and I welcome your questions. >> Thank you, Mr. Wales. Our final witness --, who has primary responsibility for the Bureau's efforts to counter national security-related cyber intrusions. Prior to her current role, she was the deputy assistant director overseeing national-level cyber
5:27 pm
policies and analysis of cyber criminal and national security threats and partner engagement. Before joining the FBI, she spent three years at the Office of the Director of National Intelligence as the first director of the Cyber Threat Intelligence Integration Center, for which she received the National Intelligence Distinguished Service Medal. Congratulations on that, and please, you are welcome to offer your opening remarks. >> Thank you, and good morning, Chairman Peters, Ranking Member Portman, and members of this committee. Thank you for the opportunity to be here today and to testify on behalf of the FBI on the federal perspective on the SolarWinds supply chain compromise. As you know, this hearing comes at an important time, as the cyber community addresses not only this incident but also the recent exploitation of previously unknown Microsoft
5:28 pm
Exchange Server vulnerabilities. While each cyber intrusion is unique, these two incidents, and the thousands of computer intrusions the FBI addresses every day, illustrate the persistence and determination of our adversaries to use cyber means to achieve their goals, whether that's for personal profit, intelligence, intellectual property, or contingency planning for more disruptive or destructive attacks. That's why the FBI's role in disrupting and responding to cyber intrusions is fundamental and unique. As a member of the intelligence community and the law enforcement community, we integrate our view of adversary plans and intentions with information we obtain through a variety of means, including criminal legal process and national security tools like FISA, human intelligence and confidential sources, undercover operations, consent and cooperation from victims, strong local relationships built and maintained by our hundreds
5:29 pm
of domestic offices, and partnerships with our legal attachés around the world. We do this in order to understand who the threat actors are, where and how they operate, and who supports them, and we share that intelligence with many partners, including network defenders and our colleagues at CISA in order to harden networks, and with our military, intelligence community, and foreign partners who are able to take the fight to our adversaries overseas. The magnitude and seriousness of this threat is part of why we are so committed to working with partners through the FBI cyber strategy to impose risk and consequences on our cyber adversaries, and to do so using the best tools available, whether those are the FBI's or someone else's. The FBI will continue to innovate to address cyber threats in much the same way we
5:30 pm
have adapted to emerging threats over more than a century. For the SolarWinds incident, the FBI has led threat response activity focused on identifying the following: first, known victims and who may be targeted; second, who conducted the activity and how; and third, opportunities to pursue disruption and hold accountable those responsible. We have conducted this work as part of the Cyber Unified Coordination Group established on 13 December under PPD-41, which is currently focused on national security and investigative requirements, which the FBI leads, along with restoration and recovery. We have leveraged our assets around the country and around the world in response to this incident. We triaged the data and exploit evidence to provide assistance to victims and to work with
5:31 pm
industry victims and partners to gather information, and I want to take a moment to emphasize that last point. Putting together a complete picture of a cyber threat or incident requires information from many sources. The SolarWinds incident and the current incident involving the Microsoft Exchange vulnerabilities underscore the essential value of using law enforcement authorities, voluntary sharing by third parties, and victim cooperation. As a government, we would not know the identity of most of the affected entities without using all of these tools, including legal process, and the information we learn from our incident response engagements. We have established relationships with the public and private sectors throughout the country that are critical to identifying the threat, understanding its scope, and investigating its origins in order to protect others. The sharing and collaboration
5:32 pm
across agencies does not just happen at the moment of an incident; it requires trust-based relationships built over time. By leaning into those partnerships, all of us together combating malicious cyber activity become stronger, and we weaken the perpetrators together. And I want to say I truly appreciate the proactive cooperation of the private sector in this incident and all the victims who have come forward. We also appreciate congressional engagement on our mission of imposing consequences on those who seek to harm the American people and to undermine safety, security, and confidence in our digitally connected world. These incidents drive home what we already know: that only a whole-of-society approach will be effective against these threats. The FBI, with our fellow UCG members, will continue taking every necessary action to investigate this incident,
5:33 pm
identify and hold accountable those responsible, and share information with our partners and with the American people. Thank you again for the opportunity to speak with you today, and I look forward to your questions. >> Thank you, Ms. Ugoretz. Thank you all for your opening statements, and thank you again for being here and for the work that you are doing on this issue each and every day. Mr. Wales, the recent attacks on SolarWinds and Microsoft Exchange, as you mentioned in your opening comments, very clearly show that adversaries are growing increasingly adept at infiltrating our nation's sensitive networks, so I want to just cut right to the chase here. What, in your opinion, was the core reason for the security failures, and as the lead cybersecurity agency, what specific steps are you taking now to address those failures? >> Thank you, Senator. Getting right to the heart of it, part of the challenge is that you can only secure what you can see,
5:34 pm
and over the past decade our system of protection has largely relied upon sensors deployed at the perimeter of the network, informed by intelligence and by information from the private sector, and has relied upon detecting known malicious activity. Our adversaries have advanced. They are no longer using the same infrastructure to target us repeatedly. They move quickly from server to server, mostly located in the United States. This is designed to ensure that we don't know where they are coming from, and our traditional systems, our perimeter-based traditional protection systems, are unable to stop them. What that means is we need to look at new ways of understanding the nature of how those threats are emanating, where they are coming from, and we need to deploy different types of systems to make sure we have the right level of insight in terms of where the activities happen. As I pointed out, one of the main
5:35 pm
areas that we plan on focusing on, including with the resources provided through the American Rescue Plan Act, is looking inside of networks: from the network perimeter to inside of networks, to the critical servers and workstations deployed throughout the federal government, to ensure that we have the right level of insight. Again, right now those perimeter security sensors are still valuable, and we need them to protect and to look back and see what activity there has been when conducting investigations, but the balance has been too far out of whack, and there is not enough inside of the network at the host. That's one key aspect, but there are a variety of others that the federal government is working through now, including ways in which we can enhance our ability to provide supply chain security for critical software products
5:36 pm
that the federal government purchases. There's a lot of work to do across the board, and I think in the openings that Chris provided and myself, we outlined a number of areas we believe the federal government needs to move to, to provide the level of security that we now expect in the face of these more sophisticated adversaries. >> I'm going to get to the supply chain issues in a moment, but a final question to Mr. Wales: you mentioned taking a deeper look in the systems. How can we have assurance that the malware has been removed from the federal systems, and how confident are you that the attackers are not lurking in our agencies' networks? >> The majority of agencies have been progressing in their initial response and remediation work. Many of them have enlisted CISA, as well as third-party agencies, to assist them in that effort, but as indicated, CISA provided
5:37 pm
detailed guidance that they can work through and a checklist to make sure that work was already done, and CISA is working with them collectively and individually to make sure they have executed the remediation of their networks. That provides a degree of confidence that the adversary is no longer present. That being said, and I've said this before, a response of this significance will take time. In many cases, agencies want to put in place stronger protections and better harden their systems and improve their defenses, and as they do that over time, we will gain increasing confidence that the adversary no longer has the ability to access and is no longer present inside of the system. >> Thank you. I understand most of the agencies hit by the SolarWinds hack have completed their security work, as we have heard. Can we consider ourselves in the recovery phase now, and
5:38 pm
when should Congress expect the FBI to provide an after-action report to us? >> Thank you, Senator. As part of Presidential Policy Directive 41, which guided the establishment of the Unified Coordination Group that addresses this incident, there is an after-action provision built in to that directive. Every time we stand up one of these coordination groups to address a significant cyber incident, that automatically triggers an after-action report once it has been completed, and we'd certainly be happy to discuss with this committee the results of that and how it might be shared. In terms of how we consider what stage of this we are in, as I mentioned in my opening statement, when we look at the incident response to an incident such as this, there are concurrent lines of effort, so it's not exactly that one phase ends and another begins; the
5:39 pm
national security and investigative steps that the FBI is taking are running in parallel with the mitigation and recovery effort. I would say both of those efforts are continuing. For our part, the service of those efforts that we are leading is attribution and understanding who conducted this activity, why and how, so we can create the widest possible range of responses for policymakers to consider. Law enforcement actions might be part of that response, such as indictments or infrastructure and other such actions, but we find it's most powerful when we are able to say with detail and as transparently as possible how exactly adversaries conducted this activity and ultimately who is behind it, and the effort to
5:40 pm
develop that information investigatively continues.
>> Thank you. Senator Sobel and, I'm sure, many of my colleagues will ask more questions related to supply-chain issues, but I want to, in my remaining time, ask you about legislation introduced last Congress, the Supply Chain Counterintelligence Act, which would assure appropriate officials are trained to identify threats. We were unable to get that across the finish line last session. I know you are familiar with the legislation. Would you support that, and why is it important?
>> Yes, Senator, absolutely committed to working with your staff on that bill. It's an important bill that focuses on one of the things that I mentioned, which is constantly ensuring our workforce is trained to follow the trends of our adversaries, and for that reason we fully commit to working on that bill.
>> Thank you.
5:41 pm
Ranking Member Portman, you are recognized for your questions.
>> Thank you, Chairman Peters, and thank you for your testimony this morning and your hard work on this. One of the concerns that I mentioned in my opening statement is accountability. In particular, we have been more active up here on the legislative side as well as within government to try to figure out how to push back against these attacks, and as a result I'm concerned there are new entities and the opportunity for confusion of leadership and lack of accountability. I saw with SolarWinds that there was pointing of fingers, and the fact is the private sector found it, not even government. The question is, as we look at legislation to reform some of these existing laws, including FISMA, the Federal Information Security Modernization Act, which is the legislation that requires
5:42 pm
the agencies have better cyber defenses and practices, and as I mentioned earlier we had an in-depth investigation and found a number of agencies were not keeping up. But as we look at reforming them, the question is how do we do it? Mr. DeRusha, between you in your role as the federal chief information security officer, and Mr. Wales, you are the head of CISA, and the assistant director for the FBI division, and the newly created national cyber position within the White House, there are a lot of people responsible. I guess, Mr. DeRusha, we'll start with you. When a cyber attack happens, who do we hold accountable?
>> Well, Senator, as Brandon described earlier, for response we have leveraged currently the UCG, which is led by National
5:43 pm
Security Council staff, DHS and FBI and DNI and others. For this particular incident, other agencies were brought in. Everyone has a key role to play, and it's about ensuring we have appropriate government structures in place, managing them together and keeping clear lines of communication as we work through these things.
>> So no one is accountable? We can add another wrinkle to this, which is someone on the National Security Council has been designated as the coordinator, in addition to what CISA and OMB are doing, in addition to this new role in the National Defense Authorization bill, which is called the national cyber threat acquisition. Is that accurate?
>> Senator, I would characterize it differently. I believe everybody has a key role to play in their authority, and we work quite well together. I don't believe it is an issue.
5:44 pm
Because we have these hypotheses, we are coordinating and streamlining all of our response efforts.
>> If everyone is in charge, no one is in charge, right? Exactly who is accountable?
>> Senator, again, every agency has its own role and responsibility in cyber response.
>> Okay, well, that was the answer you gave me last time, and that's great, but let me ask you a direct question. This is the national cyber director position, and it hasn't been filled by the Biden administration. Do you think that position is necessary given the fact that you have four or five different entities working altogether?
>> Yes, Senator, we are carefully looking at the roles and responsibilities across all the different agencies and equities, and I know the administration is dedicated to filling those
5:45 pm
positions. What I will say is absolutely there's a need to continue to improve and enhance our coordination, and this role will help us do that.
>> Okay. I wonder if any of you have thoughts on this. It seems to me somebody needs to be in charge. For over a year this attack went unnoticed, and when it was finally discovered, it was discovered not by the government but by the private sector, and it wasn't even SolarWinds. It was FireEye, which was another supplier. Mr. Wales, you look like you might be interested in saying something. What do you tell me, what do you think about the national cyber position? Sounds like Mr. DeRusha is saying there are other important responsibilities to be filled, and shouldn't this be the one that coordinates everything and has the ultimate
5:46 pm
accountability?
>> I would highlight a couple of areas.
>> I know you want to protect your own jurisdiction, because you are a broad-minded person.
>> Absolutely, absolutely. I'll say a couple of things. One is Congress has provided to the various agencies responsibilities, authorities and accountability, so for example under FISMA every agency is responsible for the security, the cybersecurity, of the systems they operate. I think that is an area where we remain committed.
>> Those agencies have not met the basic requirements, and yet who is accountable?
>> Under FISMA, agency heads are accountable, and there is accountability in the role that we play in helping to protect, secure and support those agencies in the management of the federal executive branch networks. I think the idea that Congress has for the national cyber
5:47 pm
director is a way to coordinate at the White House, particularly related to coordinating incident response. But I think a lot of this will be determined by how we establish the identification of roles and responsibilities. What I will say is the ability for the government to work together on cybersecurity incidents, I would argue, has never been stronger, in part based upon a lot of work from our career officials at the FBI, CISA and NSA. We're working collaboratively in joining with the private sector and federal agency partners to ensure there is not duplication of effort and we are offering our unique expertise, skills and abilities when we have cybersecurity incidents, or help prepare agencies ahead of time, and we would hope any new addition to that is strengthening that collaboration that currently exists and making
5:48 pm
it stronger.
>> I'm glad to hear that, and that's a relative description, saying it's never been stronger; you didn't say it's as strong as it needs to be. So we have the most massive attack in the history for a government that went undetected for over a year and was detected by the private sector and not by government, and has incurred tremendous damage, we believe. So let's continue the conversation when we come back for the second round, but I do think better coordination is part of the answer, as you say, but also accountability, and since you mentioned FISMA, I had to talk about the fact that we know FISMA is not working. So let's figure out how we can find the entity or the person in particular who is responsible and therefore accountable. Thank you, Chairman.
>> Thank you, Senator Portman, and I can't agree with you more. There need to be lines of authority and lines of accountability, and it's something
5:49 pm
we will be looking deeper into. It's an important topic, and thank you for raising that. Senator Carper, you are now recognized for your questions.
>> Thank you, Mr. Chairman. Good morning, colleagues. I just want to say thank you to Brandon Wales for an easy name to pronounce and for speaking so slowly throughout your testimony. I want to pronounce your name: DeRusha, is that how you pronounce it?
>> Yes, Senator, DeRusha.
>> Is that the way it's always pronounced?
>> Yes, sir.
>> I want to say to Tonya, I asked my staff how you pronounce your last name, and they told me it was --.
>> Thank you for asking, Senator. It's Ugoretz.
5:50 pm
>> I'm glad I asked. Pronunciation on the first syllable. I will never make that mistake again. Thank you all for your testimony, and thank you for presenting in a way we understand. Some people rush through this, and thank you for making it almost understandable for a guy like me. I've been on this committee for a long time, and I have worked for years with my colleagues, including the ones here today who preceded me. We worked on federal data security and breach notification legislation that would require companies to set supplied come -- and protect
5:51 pm
sensitive information. We have had a hard time moving legislation that provides guidance for our protection and investigation and notification, and one of the reasons is there are three or four committees of jurisdiction. There are budget committees that have jurisdictions. It's hard to get on the same page, but it's not so much about partisan issues but the jurisdiction issue, which is unfortunate. But I believe as we move to a more sophisticated cyber threat landscape, we face increased ransomware attacks across critical infrastructure. The national data security breach notification standard is more important than ever. According to references, Solar
5:52 pm
Winds, nearly 18,000 malicious versions of their software were sustained, and roughly 100 private sector companies were compromised. Director Wales, do you have any suggestions on what we should include for federal data security and breach notification legislation that would enhance the cyber posture of the private sector, please?
>> Thank you, sir, and it's an extremely important issue. I have mentioned it before. Our ability to ensure broad protection against cyber incidents requires and relies upon being provided information from victims about what has happened. If victims don't provide information on their breaches, on how they were compromised and the tactics of the adversaries, the adversaries will reuse those tactics and victimize additional companies and public sector entities.
5:53 pm
So we are eager to work with Congress on legislation that would strengthen our ability to have the right level of insight into the tactics the adversary uses and what's happening from the private sector. I'm not here to describe what that might look like, but I do believe it's essential going forward. Tonya has an additional point she would like to address on this.
>> Thank you for the question. We also agree that the current regime, of what I think are inconsistent and overlapping regimes for the private sector companies to report breaches, causes confusion for the industry, makes it difficult for the federal government to have the consistent, consolidated picture of the threats we are facing and how they are
5:54 pm
affecting our private citizens. There has previously been legislation introduced, and I know this was a topic taken up by the Cyberspace Solarium Commission, of which the FBI Director, Director Wray, was a member, that emphasized mandatory data breach notification, and looking not just at what I think is the original focus of such legislation, which was protecting personally identifiable information of our citizens when it's breached, but also looking at how can we receive consistent reporting on breaches of critical networks such as those owned by the private sector in our critical infrastructure sectors, as well as any breaches affecting federal government information. So we would certainly be supportive, without specifying any specific piece of legislation.
>> Thank you. Maybe another question, if I
5:55 pm
could, for Director Wales. I believe that CISA, which stands for Cybersecurity and Infrastructure Security Agency, a bipartisan group helped to create -- but CISA has a role to play in enhancing our nation's cybersecurity. In your testimony, Mr. Wales, I believe you state we must increase CISA's across the federal civilian agencies, especially after nine governmental agencies have been compromised through the SolarWinds attack. They often talk about the importance of collaborating to democracy, but these federal agencies have requested CISA in responding to the SolarWinds attack. Are there any agency collaboration
5:56 pm
issues that we should maybe work to improve?
>> Sure, Senator. We work in a voluntary way with organizations. We believe we are a resource to them, and I think one of the good news stories is that over the past decade federal agencies across the board have enhanced their ability to respond to cyber incidents. They put in place contracts for third-party cybersecurity firms, all designed to give them enhanced capacity to protect and respond to cyber incidents, and CISA is there to supplement those capabilities. Our work is tailored for each agency depending on the types of support and requirements they have, and the majority of our work, and one of the more substantial parts of our work,
5:57 pm
was providing cloud-based forensics, helping agencies examine what happened inside of their cloud environments that have been targeted by this adversary, and that I think is a positive story, both about where the agencies are in maturation and their ability to deploy tailored customer support for each interagency based on their requirements and skills. So I think we are very happy with the degree of collaboration we are getting and what that relationship looks like between CISA and the agency when it comes to those types of compromises.
>> Thank you, Director, and Mr. Chairman, thank you for giving me a few extra seconds. I will ask the Director how we can make our cyber posture more representative. Thank you all for your testimony. Appreciate it.
>> Thank you, Senator Carper.
>> Thank you very much, Chairman
5:58 pm
Peters and Ranking Member Portman. I want to thank the witnesses not only for appearing today to talk about this important national security issue but for your service. I appreciate it very much. I want to focus on discrete areas where I think we need to do more to improve the cybersecurity of our nation. The first question is for Acting Director Wales and Mr. DeRusha. Acting Director Wales testified at a hearing last week that the Continuous Diagnostics and Mitigation program, or CDM, is the foundation upon which we can build further capabilities to secure the federal network. It's clear that we need to improve the CDM program and build layers of protection on top of it, but before we can make those much-needed enhancements we need CDM to be implemented in the first place. That's why Senator Cornyn and I introduced a bill last Congress to codify CDM. However, last August a report
5:59 pm
issued by the Government Accountability Office found that some agencies were having problems deploying CDM. So, Acting Director Wales and Mr. DeRusha, what are CISA and OMB doing to ensure it gets deployed as quickly as possible across all civilian agencies and that they accurately detect and monitor all devices on the network? We can start with either one of you.
>> I will start and then turn it over to Chris. We believe, as I stated last week, CDM is the foundation to ensure we get capabilities out to 102 executive branch agencies and have a common base set of tools and capabilities. I would say we are very focused on the small number of agencies that have had challenges in deploying some of the tools. I would say it's not just one set; there is a suite of different capabilities that we provide: access management
6:00 pm
software and device management and configuration and patch management. There are different capabilities we are deploying, and we have had success in getting almost all federal agencies, and all parts of all federal agencies, to a common baseline. There are those outliers, and you are talking about the scale and scope of the federal government. We are working hard to close out the two phases this year so we can move into phases 3 and 4 and build additional capabilities, the types of capabilities that we need to get a deeper insight into what's happening at federal agencies. One additional point that I will add is when CDM was created, there was a division: agencies had object-level views, meaning they could see into the individual devices on their networks, but CISA was not able to. We are seeing the limitation that poses on comprehensive understanding, and we are hopeful that new guidance
6:01 pm
will come out of the administration soon that will move us towards CISA having broader and deeper insights into that level of detail and allow us to have the right level of visibility to execute our role when it comes to securing .gov.
>> Thank you. Mr. DeRusha?
>> Senator, I think Brandon's description is very accurate. We are aware of some challenges in implementation. The goal and vision of CDM is right, and we will continue to look at implementation to make sure the program is successful. At my office we are attuned to that. This is a priority for CISA and OMB, to ensure that CDM is effectively delivered and we get the full vision, which is -- which is getting the data back, to get away from data calls into live, real-time monitoring and action
6:02 pm
from CISA, which is the goal of the program. So we look forward to continuing to advance it and learn from the past.
>> Thank you for those answers, and let me check in on a couple of things. Are there additional authorities or other assistance that you need from Congress to ensure timely deployment of CDM? Do you have the tools you need?
>> We don't need additional authority at this time.
>> Senator, I don't believe we need additional --
>> What capabilities are you planning on building on top of CDM to ensure networks are protected in the future, especially as agencies adopt cloud products?
>> One of the significant ones that we have highlighted that are critical, and we believe will be a key part of our implementation of the funding under the American Rescue Act, is detection and response tools. It would give us the ability to understand what is happening on
6:03 pm
critical workstations and give us the ability to detect more malicious activity, to respond more quickly, and working with agencies to cut off anomalous behavior before it moves broadly into a network. That's just one example of ways in which we are looking to use CDM to deploy that. Agencies didn't even understand their assets on their networks, and you can't have endpoints. We've come to the point where those sophisticated tools are now within our reach.
>> Thank you. Let me go on to another issue, again to Acting Director Wales. You testified last week that the Microsoft -- have impacted state and local governments, which don't have the same resources or capacity to respond to cyber attacks that the federal government does, but I'm concerned about the impact it would have on state and local entities, particularly when there
6:04 pm
are reports of China-based threat actors exploiting the vulnerabilities pretty much at will. Based on what you've seen from these two recent incidents, why do you think it's a national security imperative for the federal government to strongly support state and local governments in improving cyber capabilities?
>> Yes, ma'am, I could not agree more. Secretary Mayorkas spoke about this as well. We want to work with Congress in ways in which we can identify how to use the same level of investment that state and locals need to put in place for cybersecurity architecture at the state and local level, commensurate with the level of threat they are facing. There are proposals for grant programs floating around both houses of Congress. Without describing one, we are eager to work with you on what those look like and how they can build capabilities, and on the response, another proposal out of the commission was for a cyber response and recovery network that would allow the
6:05 pm
states to tap into when they are facing significant cybersecurity incidents. That's another area where we would love to work with this committee and others to make sure we have the right whole-of-nation architecture in place and we don't have -- whether the federal level, the state level or the private sector.
>> I appreciate that very much, and I'm one of the advocates of the stand-alone cybersecurity grant programs. When you have as many small communities as I do that have been subject to attacks despite their best efforts, and the chief information officers are advocating for this, they want to work with us in finding the resources to do it. I look forward to working with you on that.
>> Would it be all right if I added briefly to that? I just wanted to note, in addition to CISA's cybersecurity efforts with the state and locals with regards to defense of networks, we are also working quite a bit with state and local officials from the FBI, as well as local law enforcement at that
6:06 pm
level, in coordination with the U.S. Secret Service, to see how we can build capacity and capability of state and local officials to respond to cyber incidents and cyber threats. Obviously we are there to lend that assistance, but for example, with the Secret Service through their national training center we are jointly providing training to state and local officials, hosting police executives at an international cyber investigative task force to provide them a national-level insight into cyber threats, and we are also inviting state and local law enforcement to be part of our cyber task forces in our field offices, similar to working those jointly.
>> I know in New Hampshire how deeply our local officials appreciate their partnership with the FBI and the support you
6:07 pm
have provided, so we look forward to continuing that relationship too. Thank you.
>> Thank you, Senator Hassan. Senator Rosen, you are recognized for your questions.
>> Thank you, Mr. Chairman, and thank you to all the witnesses for being here today. Our agencies are growing in reliance on communication technologies, so the federal government is increasingly vulnerable to cyber attack. SolarWinds has revealed the risk of the federal government's dependence on widely used commercial software, but if a product is compromised and goes unnoticed for months, how many more software supply chain compromises are out there at this very moment? I would like to go to Mr. Wales. CISA directed agencies to create disclosure
6:08 pm
policies which describe how organizations handle vulnerabilities. Are you considering extending the directives to third-party vendors, especially those providing I.T. services?
>> We have not considered that at this time, but it's an interesting idea, one that we will want to work through. It's not clear that we would necessarily do that through directives. There's a lot that we need to do to improve the federal contracting process to ensure the vendors that are providing I.T. products and services for the federal government have the appropriate level of cybersecurity in place, based upon the information and their place within the networks that they are supporting. That is certainly an area we are actively working with OMB and other federal agencies on, to ensure that we put that in
6:09 pm
place.
>> It seems like there's some vulnerabilities out there, so I will continue to work on that. I wonder how quickly we find vulnerabilities and fix them. Can you dictate to the federal agencies, is that the authority you need, and then if it's something you do, how do you ensure that those agencies have the workforce and expertise that they need to respond quickly and effectively to what it may require?
>> There may be additional points from OMB. First is, in many cases we have done that, so one of the first operational directives that CISA executed several years ago was to close critical vulnerabilities within 30 days. Actually, what we saw over the
6:10 pm
past several years is agencies have gotten better and better and faster and faster at closing vulnerabilities that are identified, and we have lowered the amount of time we have from 30 days to 15 days. We are seeing real progress using our directive authorities when it comes to closing critical vulnerabilities that agencies or CISA identified. But you are exactly right. One of the areas that we have tried to push, which is, while CISA needs additional resources from the American Rescue Act, while we want to ensure we continue to build our capabilities and deploy more tools and capabilities at agencies, there needs to be sustained investment across the board so the agencies themselves can continue to leverage those enhanced capabilities and take the appropriate action in a timely manner. Anything else you'd want to add?
>> I would add these programs are very important to bring in the very discrete skill set to
6:11 pm
the federal government. We have other efforts, like I mentioned in my testimony, where we will expand the Digital Service, the Technology Transformation Service in GSA. The goal here is to get a lot of highly skilled people into government, whether that's using flexible vehicles to have shorter periods of time, and we will also be focused, working with the federal CIO and the director of personnel management, to make sure we are skilled and ready to face these challenges.
>> I'd like to move on to our infrastructure cybersecurity: our electric grid, our water grid and power grid and those kinds of things. When we think about what we have learned from the Cyberspace Solarium Commission, we recommend
6:12 pm
significantly increasing supply chain security for critical infrastructure. Bipartisan legislation would create a program at the Department of Energy to coincide with our bulk power systems. Mr. Wales, what other areas are there? What are the ways for utilities, how can they reduce their cyber risk without decreasing reliance on international supply chains that increase their cybersecurity concerns?
>> It's not necessarily a matter of domestic versus -- but a risk management approach we are taking to identify potentially problematic vendors or critical products or services that require an enhanced level of scrutiny. There was an EO signed in the last
6:13 pm
administration that continues to work along; the Department of Energy has the lead. It is designed, exactly to your point, to further scrutinize across the federal government the critical products that are going into the bulk power grid, to make sure if we have any information that would indicate a higher security risk that we are able to take action on that. We had a similar executive order focused on the communications sector that the Department of Commerce is working on. All the agencies are working together to make sure there's a consistent understanding for how we are looking at supply chain management, and OMB, there's a lot of work the supply chain has across the federal government. There's a lot of coordination happening, and hopefully over time it pays the level of dividends that we need.
>> I look forward to seeing some
6:14 pm
of those supplied by the GAO as we look to see what we are doing. I know we have a lot of work to do in this area, and I appreciate what you are doing so far.
>> Thank you, Senator Rosen. Senator Romney, you are recognized for your questions.
>> Thank you, Mr. Chairman. Mr. Wales, these things keep happening. We keep having hacks of our government systems and also in the private sector. Even if you are well organized and you are doing your very best to prevent hacks from occurring and intrusions like the ones we have described today, is this going to keep happening? Is this something we expect as a government, that, yeah, we are going to keep getting hacked and they will get information and get into military bases and get
6:15 pm
into various other data centers? Is this something we have to expect to be happening going forward?
>> I would say our adversaries are showing no signs that they will stop using cybersecurity to advance their purposes, whether that's criminal, nation-state intel collection, or to position for more disruptive --
>> Are we outgunned? I understand the Russians have buildings full of people who are their best and brightest from their best schools who are devoted to hacking into our systems and gathering information. Are we outgunned in this country to be able to fight against that, or is it simply almost impossible to plan for every possible attack?
>> What I would say is what we want to do is put in place a program as well as the capabilities that make it more likely that we will stop them, and if they are successful, we
6:16 pm
can respond more quickly and ultimately make our systems more resilient, so even if they get inside there is less damage they can do because they can't move laterally into other parts of the network. There are a variety of things we can do on the defensive side to make sure we have cybersecurity that's commensurate with the level of threat that we face, which is significant.
>> Are you comfortable with the expertise we get from outside of government to be able to devise strategies to be able to stop these attacks and limit the extent of the attacks? And I say that in part because my guess is the top graduates from Caltech and M.I.T. and others, they tend to go into the private sector or their own firms or become hackers themselves, and we are not able to attract the same level of talent as maybe the private sector. Do we have the skills that we
6:17 pm
need to be able to confront what we are facing internationally?
>> I think this is a question that all of us can answer in somewhat different ways, because we have a lot of effort to ensure we can recruit and retain the right level of talent. That does attract the best and the brightest, and I lead a workforce of people who are extremely talented, who can do things that no one else can do when it comes to detecting an adversary. But part of our strength is our collaboration from the federal government to the private sector, the international partners, law enforcement, defense communities. That allows us to do things that other countries cannot, to bring in that expertise. The fact that we have companies like FireEye who could detect the SolarWinds incident as soon as they detected it and allow us to do additional actions to find that activity elsewhere is part
6:18 pm
of the strength of our system and one that we rely upon, and we meet regularly with the private sector to gain their insight in what they are seeing, including when we have a significant incident. The first weekend after the Microsoft Exchange vulnerability came out, we were on the call with members talking about what they were seeing in the United States and seeing globally and how it can inform our protective posture.
>> I just wonder whether we have or whether we should engage one, two or three of the top firms in the country to look at our systems and to lay out a strategy for how we are going to deal with what is apparently going to be an ongoing threat. Let me ask it on a different front. Are we as good at the offense as they are? And any one of the three of you can answer this, but the Russians and the Chinese and the North Koreans and Iranians to a lesser extent, I believe that the Russians and the Chinese have massive resources devoted to attacking our systems. Our corporate systems are
6:19 pm
attacked thousands upon thousands of times a day. Are we as good at this as they are, and do we have versions of the same thing we are talking about here? Are we accomplishing the same things they are, or are we not up to the same level they are in terms of hacking into systems? >> Senator, I think you need a different set of agencies here in order to address it, and that would need to be in a classified setting. >> Can you describe which agencies it would be, or is that also classified? >> I don't think I would want to specify, but I think members of our intelligence community and the Department of Defense would be some of those. >> Thank you. Mr. Chairman, I'll give the time back to you. >> Thank you, Senator Romney. We are waiting for a couple of
6:20 pm
senators. I think they are on their way right now. If you have a question -- >> Thank you, Chairman, and Senator Romney, I appreciate your line of questioning, but I want to talk about EINSTEIN for a moment. The statutory authorization for the EINSTEIN program expires in December of 2022, so it gives us an opportunity to look at this. But Mr. Wales, the actors behind the SolarWinds attack were very sophisticated and hard to detect, but clearly someone was able to detect it or we wouldn't be here today. This is again the private sector, not government. It's important that we discuss the limitations of the Department of Homeland Security's cyber intrusion detection program, EINSTEIN, and why it didn't detect this threat and how we can improve it. Mr. Wales, can you assess EINSTEIN's current performance? >> Sure. I would say, Senator, EINSTEIN continues to perform as it was designed to, protecting against the things it was designed to
6:21 pm
protect against. I will note that EINSTEIN is an intrusion detection system looking at the perimeter of the network and examining traffic from outside the network to inside the network. It was not designed to detect unknown threats. That being said, EINSTEIN is a suite of capabilities all looking at the traffic moving into and out of federal networks. >> It was not the first to detect the threat, correct? >> Correct, but I would add there is no intrusion protection system anywhere that detected the threat. FireEye does not use an intrusion detection service for that, and they could not; it would not work that way. Part of what I indicated earlier was that we need to supplement what EINSTEIN does on the perimeter of the network with what's happening inside the networks. >> Can EINSTEIN scan Amazon
6:22 pm
Web Services? >> No. >> Within the government we are increasingly using cloud environments like Microsoft 365 and Amazon Web Services for IT services. What about other encrypted internet traffic from government agencies? >> It can see where the traffic is coming from and going to, but it cannot look inside the traffic, and that's one of the key areas: we need to move away from perimeter security for that level of intrusion protection and move on to the host, because when you're on the host level, on the servers, the information is unencrypted and systems can detect whether activity is anomalous. >> So it cannot -- you cannot scan all that data, and much of the internet traffic is encrypted. >> More than 90% is encrypted. >> The authorization for EINSTEIN expiring gives us a chance to do this.
6:23 pm
It seems like an invitation to talk about how we need to work together to address the authorization. Would you agree with that? >> We need to continue to work and provide a transition to those areas that don't. The American Rescue Plan money will provide a down payment to start doing that. >> Great, thank you, Chairman. >> Thank you, Senator Portman. The chair recognizes Senator Sinema. You are recognized for your questions. >> Thank you, Chairman Peters and Ranking Member Portman, for holding this important hearing, and thanks to the witnesses for being here today. SolarWinds impacted our government networks, and then the more recent attack against Microsoft Exchange. In Arizona we are still recovering from a criminal cyber attack that occurred in
6:24 pm
late February. This shows how damaging the results can be and the resources needed to recover. This is a very timely hearing. The federal government must do more to help entities such as Kingman and to improve its own systems to ensure federal agencies have the things they need to respond to future cyber attacks. My first question is, we recently heard from the Government Accountability Office on its latest high-risk list, and ensuring the cybersecurity of the nation was rated as needing significant change. What immediate actions would you take to address the outstanding recommendations from GAO and the investigations into the SolarWinds attack to help agencies better secure federal systems and protect cyber infrastructure and data? >> Senator, thank you for the
6:25 pm
question. This committee supported giving us a down payment in the American Rescue Plan to start on this crucial work, so with the billion dollars to invest in the modernization fund we will be able to look top-down at some of the high-risk IT systems across government, so we are able to tackle some of the persistent long-term challenges that we've been aware of and just haven't had the resources to address. Also, the monies are going towards CISA and GSA, and we are looking towards developing managed security services where valuable, and also ensuring we are making investments in the agencies through the annual budget process to fill gaps identified since the SolarWinds incident. We have a lot of work planned and we are looking forward to working collaboratively with CISA to implement across all federal agencies. >> Thank you.
6:26 pm
My next question is for Mr. Wales and Mr. DeRusha. We are increasingly -- that manage critical areas such as transportation and health care and energy. How can we avoid cyber attack risks within a more specialized software provider -- and if we can, how do we minimize risk across these critical supply chains? >> Thank you. We do a lot of work, and I'll say at the outset, changing the market is challenging, and the reason is those concentrated risks are market conditions that are largely outside of the federal government's ability to control. We do try to work hard, particularly with the vendor community who makes a lot of these industrial control systems, the systems that manage critical infrastructure and operate the systems that we all rely upon.
6:27 pm
We work with the vendor community to strengthen the security built into those devices, and we actually have a lot of work focused in the industrial control systems space with the owners and operators of those systems to identify what additional protections and security they need to have in place. Cybersecurity in industrial control systems is challenging; it's a unique discipline, and with all of -- it magnifies the challenges a couple of times fold because of the unique nature of the environment. It's an area that we have a focused effort on. We released a strategic plan focusing on ICS systems late last year, and we are working with the White House and DOE and others on additional work to see what we can do to get better insight and provide additional expertise to help secure those systems. >> Thank you.
6:28 pm
My next question is for Mr. DeRusha. It's meant to bring more cybersecurity training to federal employees. It's been a challenge [inaudible]. What actions does Congress or the administration need to take? >> Senator, I can say I'm aware of that challenge, and it's definitely going to be a priority for our office with the CIO to work with the Office of Personnel Management to explore all the current hiring authorities that we have in place and ensure that agencies are using them and understand how to use them, so you can expect that we will absolutely prioritize this. >> My next question is for
6:29 pm
Mr. Wales. A key component of cyber attack defense is information sharing, but we continue to hear from private sector entities that they are sharing information but that the federal government is slow to reciprocate. What are your recommendations for incentivizing companies to notify the federal government when their networks are compromised, and how is CISA working to improve its information sharing? >> Thank you for that, and I will start by saying we have received a lot of positive feedback from companies that have come forward recently to the federal government, and I want to thank those companies, because frankly cyber requires a collective defense and we are only successful if people come forward and work with us. But I would also say we have worked hard over the past year to improve the ways in which we can provide actionable information when we receive information from the private
6:30 pm
sector, and again it may not be information back to that same company, but the information they provide is going to raise everyone else's baseline. When we receive information from a company, that helps in a way that other companies are not victimized in the same way, and I think in both the SolarWinds case as well as the Microsoft Exchange vulnerabilities, the speed with which we are notified and provided information from potential victims, and the speed with which we get information out publicly, is now measured in hours and days and not weeks and months. The value proposition back to those companies is that today you share this information, but tomorrow you want other people to share information so you can benefit from it, so you are not victimized by the next cyber attack because someone is sharing information with the federal government to enable the collective defense.
6:31 pm
>> Thank you, Senator Sinema. Senator Hawley, you are recognized for your questions. >> You wrote in your testimony that the adversary's goal is to use that compromise in furtherance of a larger objective. In this case, give us a sense of what that larger objective is or was. >> Senator, thank you for the question. I think the intelligence community and the unified coordination group that is coordinating the response to this incident have said in their public statements that the intent of the adversary behind this activity was espionage, to obtain information that would further their insight and their activities. >> Do we have a sense, have we been the only ones targeted? Or do we think we're the only
6:32 pm
ones? Is it possible some of our European allies could have been targeted and not discovered it, didn't know about it, or do we think this was a standalone attack directed at the United States? >> Based on what has been seen thus far, the majority of the activity appears to have been directed at the United States. However, we are aware of instances, and information shared with us from foreign partners, where some of their networks were affected as well. >> That is interesting. I noticed in February we also uncovered evidence of a separate, parallel attack on SolarWinds software, this time from a group of hackers in China. Do we think that this was coincidence? Or was it coordinated? Is there anything you can tell us about the timing of this coming from what appears to be a different source? >> What I can tell you is that some of the press reports about SolarWinds-related China-based activity were inaccurate. For me to go into those inaccuracies would require a classified setting. >> Understood. Just on this subject, let me
6:33 pm
ask you about one of the reports about these attacks. Some of the reports indicate they targeted the National Finance Center, which processes payroll information for federal workers. You can imagine the compromise of personal data that would entail. What lessons, I am wondering, should we take? Specifically, do we need to take further steps to rethink how the government stores and protects personal data, especially that kind? >> Okay, two things. First, that reporting was inaccurate. The National Finance Center was not targeted as far as we know. >> Not at any time? >> Not as part of that campaign or a separate campaign. We have had a number of discussions with the U.S. Department of Agriculture, which manages the National Finance Center, and it does not believe they were targeted. But secondly, data loss prevention is one of the key capabilities we are going to work through in phase three and phase four of the program.
6:34 pm
Protecting sensitive government data is among the highest priorities we have, and it certainly is on our roadmap as to where we want to focus our efforts. >> Let me ask you an adjacent question. You wrote in your testimony that due to the global pandemic the landscape has shifted dramatically over the past year. Can you give us a sense of why that is true? What is the difference? Is it more remote work? What has led to the threat and the environment? >> The digital transformation went further, where there's much more remote work; many workplaces have changed their operating environment. They are moving more to cloud-based infrastructure, and that movement has both strengths and weaknesses. In many cases you're moving to an environment that's managed by professionals who can spend full time making sure that it is secure. But on the other hand, you need to make sure you're doing it right. It introduces new vulnerabilities that your system administrators may not have experience working with before. And so this change has
6:35 pm
increased and changed our risk calculus. It's going to require the federal government to work with the private sector to adjust. >> Just on the question of the vulnerabilities, the Wall Street Journal recently reported that the techniques used by the hackers were the equivalent, the digital equivalent, of a spy's disguise. Can you give us a sense of how attackers can disguise themselves on government networks? What does that amount to? >> I'll refer this to Tonya. I believe this refers to using U.S.-based infrastructure as opposed to operating overseas. >> That may be part of it. I think there are different ways adversaries can try to blend into legitimate traffic. Some of that is by using, for example, virtual private networks, which might be carrying traffic not only from the malicious actors but from legitimate actors as well. Brandon referred in his testimony to the fact that adversaries do try to use domestic infrastructure because it is more trusted by
6:36 pm
network defenders. That is not surprising. Adversaries try to avoid detection by our services that focus on overseas collection, as well as the FBI, which collects here domestically. We are always working very closely with our IC partners who are involved in both foreign collection as well as our focus on the domestic collection to try to close that gap and understand how the adversaries are trying to evade us. >> Understood. Very good. Thank you all. Thank you, Mr. Chairman. >> Thank you, Senator Hawley. Senator Padilla, you're recognized for your questions. >> Thank you, Mr. Chair. I want to thank the three of you for your work and your testimony today. We'll have many questions for all of you, but I will raise a couple of issues with Mr. Wales. My first question is, can you shine some light on why CISA may not always be aware of incidents
6:37 pm
or issues in agencies or with their contractors? I phrased that after reflecting on some of your testimony where you shed light on the need for broader visibility across federal agencies and even non-government entities. So, a general question, with a more precise follow-up: are there contractual restrictions that might limit our ability to respond to a cyber attack from Russia, or any other adversary for that matter? >> First, let me thank you personally for your partnership with our agency during your time as Secretary of State in California on our Protect 2020 efforts. On your specific question, agencies are required to provide information on incidents affecting their information or their infrastructure. So whether it is a contractor for that agency where data has been compromised, or the
6:38 pm
agency network itself that has a security incident, they are required under federal reporting guidelines to provide that information. We would have perspective on incidents, but what I was referring to in terms of visibility is what's happening on that network, the systems on the network. So, for example, an Excel-based spreadsheet going back and forth: when we want to know how many SolarWinds devices are on federal networks, we have to do a data call and ask every federal agency to tally it up and send it in on a spreadsheet. They may have their own tools inside the network that give them visibility into what the systems look like, but we do not have access into those, so we do not have that level of detailed knowledge of their network. If we want to operate and go hunt on their networks, we need their permission to deploy sensors, to deploy additional agents onto their systems so that we can see the cybersecurity information. We want to move to an environment where security information is available. We can use that for learning, we can use that for
6:39 pm
hunting, and do that in a way that is collaborative and cooperative, because the strength of our relationship with those agencies should not be sacrificed. There may be some small areas where contractual requirements may need to evolve. This is an area we are working with the interagency on now, how we need to evolve certain contracts to make sure information can be shared appropriately. We expect guidance to come out on that in the very near future. >> Please let us know how this committee can help you in that regard. And I believe on the information and data you referenced, separate but running parallel to that dynamic is the definition of major incidents. It's up to the agencies to make the call on their own whether they reach that threshold or not. [inaudible] >> I did not think that's what
6:40 pm
you were referencing, but I acknowledge that dynamic. A quick comment on supply chain, and then another question for you. As part of working with the chair and the members of the committee to follow up on the supply chain issues and concerns, I want for the record to state it's not just a software issue. It's also a hardware issue and a middleware issue. Much higher stakes in this discussion than the toilet paper supply chain in the early COVID pandemic; I think given that example people understand what we are talking about here, from a national security perspective. The big question of today is, can you speak to the broader nature of what we refer to as the SolarWinds attack? The more we learn about it, the more we recognize it's much
6:41 pm
more sophisticated, multidimensional, much more pervasive of an incident. What other avenues did the Russians use that we have not been talking about enough? >> Sure, Senator, that is a good question. What I can say is, on the techniques to compromise networks, we are aware of their use of other techniques. It was more traditional cyber attacks: password brute-force attacks on networks trying to gain access, using vulnerabilities in VPN software and others. Once they gained access inside the network to compromise systems, they used those compromised systems to gain broad access to
6:42 pm
data storage. That was largely Microsoft Office 365 cloud, but at times critical data stores on networks. I mention one company as an example because the company itself talked about this publicly: when it was compromised, the adversary was looking for their red teaming tools, the tools they used to test the security of some of their client networks. So that is kind of an example of where they're going after sensitive information; in other cases, other stores of data. It's all because they compromised the systems that manage trust and identity on networks. They had a couple of different pathways to get there. That was really the hallmark of that campaign. >> I will end with this. I have asked questions and made comments on interagency, intergovernmental collaboration. I know from our prior experience the need for it, not
6:43 pm
just federal but federal, state, local and private sector communication and collaboration. Starting from this incident, there are techniques and tactics we have not seen before, so it truly is an all-hands-on-deck moment to stay one step ahead of the bad guys, if you will. So it just underscores the need for improving our models for centralizing and sort of monitoring the bad traffic so we are much better in real time. Thank you, Mr. Chairperson. >> Thank you, Senator Padilla. Senator Ossoff, you are recognized for your questions. >> Thank you to our panel today. I am grateful for your work and for your testimony. Would you say that cybersecurity in this context, where it has been reported in
6:44 pm
unclassified settings, including confirmed in this hearing today, that the principal objective of the threat appeared to be espionage, that cybersecurity in this context is a counterintelligence effort? >> Senator, speaking from my perspective, I have been a career intelligence analyst for almost 20 years. A lot of my work has been focused on not only getting intelligence to decision-makers so they can act on it, but on understanding the motive behind various threat actors. So when it comes to cyber threats, I think it's important to consider cyber threat intelligence as distinct from the people who are actually using it. So you are correct, among those who are using it, in addition to cyber criminals, are foreign intelligence
6:45 pm
services and elements of foreign adversary governments who are using cyber intrusions as one of many means to support their strategic objectives, which may be to gain insights and information into U.S. policy perspectives and priorities, or for other purposes. So in that context, yes, I would consider how foreign adversaries use cyber intrusion to support their ends as a counterintelligence concern. >> Thank you for that answer. It would be correct, would it not, and of course correct me if I'm wrong, to state that when it comes to counterintelligence in the context of human intelligence, the FBI is clearly the agency and the leader in the federal government, with collaboration with other elements and collaboration with state and local law enforcement where
6:46 pm
appropriate, but counterintelligence from a human intelligence standpoint is the FBI's responsibility, is that correct? >> I believe counterintelligence at large here domestically, not only confined to human intelligence, yes, it is under the FBI's authority. >> Thank you, and given the scope of the apparent breach and the number of federal agencies affected and vulnerable to this attack, is this a counterintelligence failure? >> So Senator, again drawing on my experience as a career intelligence analyst, I will note I joined the FBI as an intelligence analyst in November 2001, when the term intelligence failure became a part. I do understand the context of your question and the concern.
6:47 pm
Based on that perspective, when I think of an intelligence failure I think of a few different things. The first is a failure of imagination: forward-leaning analysis that goes beyond the fragmentary intelligence that we as the U.S. government have at any point in time, to be able to forecast a specific threat incident. Secondly, I think about a failure to share. There are many different U.S. government agencies who have pieces of the intelligence puzzle, and especially the private sector has one of the biggest pieces of the puzzle about what our adversaries are doing against private networks. That's the second way I think about intelligence failure, a failure to share what we have. Thirdly, I think about a failure of those different pieces we have that I described.
6:48 pm
None of those things: there was no information that was held and not shared across the interagency; there were no assessments that were not shared. In fact, publicly, the FBI has warned of a variety of adversaries, including Russia and China, both attempting and succeeding in conducting supply chain compromises, including most notably the Russian compromise which is still considered the most globally damaging. >> If I might, the reason I am asking this question in this way: in the human intelligence context, if there were compromises so broadly across a range of federal
6:49 pm
agencies, I think it is safe to say, my question was about a specific counterintelligence failure. We have established that cybersecurity in this context is a counterintelligence mission. It is a human intelligence threat. To be able to exfiltrate this potential degree of sensitive data, I think we would unambiguously view that as a failure of counterintelligence, an operational failure. That's not expecting perfection. We recognize that in the cyber context offense is cheaper than defense. The threat is persistent, and there will be breaches of networks. I find it troubling we cannot simply establish at this hearing that, operationally, this kind of breach is a counterintelligence failure. >> Senator, intelligence and intelligence analysis in the prevention of threats requires the integration of information from a variety of sources
6:50 pm
derived not only domestically but from our foreign intelligence collection as well, which members of the intelligence community other than the FBI conduct. But as you are likely aware, our insight into adversary threat activity, especially among our most sophisticated cyber adversaries and foreign intelligence services, is fragmentary, and the FBI, in order to pursue collection on those fragments, requires information on which we can predicate that collection. We cannot, for example, conduct wholesale collection on a broad class of U.S. domestic infrastructure or domestic agencies just in case we see something. It requires those building blocks of intelligence, which the entire U.S. intelligence community is responsible for, in order to direct that intelligence and that insight. >> Thank you for engaging in this discussion. Mr. Chairman, I yield back.
6:51 pm
>> Thank you, Senator Ossoff. I would like to thank our witnesses once again for your testimony here today and for taking our questions. It's clear we are dealing with a major threat, a threat that continues to grow, that requires a very complex response, and it's clear we are not there yet and have a long way to go. So this will be a continuing conversation. We are going to continue to hold hearings in this committee. We are going to continue meeting directly with folks in the respective agencies as we look at ways Congress can support your efforts to protect our networks, both the federal networks and broadly across the economy. So, I know I speak for the members of the committee: we look forward to your engagement in this process, because it is a necessary one. We are confident we can deal with it, but it's going to take a lot of effort. We are going to work together in a bipartisan way in this committee to achieve that
6:52 pm
end. With that, the hearing record will remain open for 15 days, until April 2 at 5:00 p.m., for the submission of statements and questions for the record. This hearing is now adjourned. >> Thank you, thank you so much. Thank you. [inaudible]
6:53 pm
IRS Commissioner Charles Rettig announced this week that the 2021 tax filing deadline has been extended until May 17. He also addressed backlogs from the 2020 tax filing season, the coronavirus pandemic and the IRS, and the American Rescue Plan. Watch his testimony before the House Ways and Means Subcommittee on Oversight tonight starting at 8:00 p.m. Eastern on C-SPAN2.
>> At today's White House COVID-19 briefing it was announced that nearly 4 million vaccinations would be, quote, lent to Mexico and Canada. They also announced that more than 100 million vaccinations have been administered to date, meeting the President's goal. This briefing is about half an hour. >> Thank you for joining us today. Today we will get a state of the pandemic update, and Dr. Fauci will highlight the latest science. But first, I want to start with the important announcement the President made yesterday. We reached our 100 million shots goal in just 58 days, weeks ahead of schedule. Achieving this goal is a direct result of deliberate, aggressive action guided by the President's whole-of-government national strategy on the pandemic. Now, thanks to the American Resc