tv Washington Journal Mark Montgomery CSPAN January 5, 2022 1:10pm-1:52pm EST
1:10 pm
we never slowed down. we powered a new reality because media, where built to your head. >> we support c-span as a service giving you a front row seat to democracy. >> joining us is mike montgomery with the foundation for defense of democracy. also he was a senior advisor or is a senior advisor for the cyberspace solarium commission. thank you for joining us. >> a couple things about your organization. what is the foundation for defense of democracy when it comes to cyber issues, what's your main point of interest? >> the foundation is a non-partisan, nonprofit think tank in washington. it looks at a number of security issues and it specifically has three centers, one on military,
1:11 pm
economic power and one on technology and innovation i run the technology cyber innovation center at fdd and we really focus on how do we make our critical infrastructure more secure both from nation-state adversaries but also from criminal actors. >> when it comes to the other, or other titles at cyberspace solarium commission what is that specifically. >> the solarium commission was set up by the fiscal year 2019 national defense authorization act came about because senators like john mccain why work for on the committee were becoming increasingly uncomfortable with our ability to go with cyber security threats particularly below what we call the use of force. in other words by nation-state or criminal actors that didn't engender a response to the united states. so he's worked with senator mccain came to the conclusion
1:12 pm
the deterrence theory was not working throughout all of cyberspace. lower-level malicious actors were able to do quite a bit of damage to our infrastructure so he did what l any congressman would do is commission and the reason you believe in this was he had working for 10 years to try cyber security more secure for working with the executive branch legislative changes and it wasn't. republicans and democrats in the house is at all agree to this commission was set up and senator mccain, he made sure we had four congressional members. senator angus king of maine was in an independent caucus, ben sasse, and jim langevin. we had four executive branch
1:13 pm
managers to bring a lot of ex information in. the director of the fbi, deputy director of the or excuse me, deputy secretary of defense, homeland security the deputy director of national intelligence and then in addition we had six outside experts. the ceos of companies, for government officials, those 14 commissioners were reported by staff that i studied the cyber security problem and mccain said you have one year to come back with real solutions which is a very fast turn rates and in about nine months we produced a final report of the cyberspace legislation issue in much of 2020 is that we put up six additional white papers but we then spent the last 18 months, two legislative cycles, the fiscal year 2021 and 2022 legislative cycles trying to turn the recommendations of the commission into law and we've been highly successful. we had the two original
1:14 pm
recommendations, 50 of which were legislative and we accomplished between 60 and 80 percent of those recommendations are either in law or being carried out by the executive branch which is a very high strike rate in fact the commission itself stood down over the weekend. it reached its natural length by congress and we've now struck a nongovernmental organization called cyber solarium.org led by the same congressman outside experts and i'm serving as executive director again there's a 501(c)(3), where a nonprofit. we're going to advocate for implementing all those original reports. >> as far as the issues in the world of cyber threats to your many are common to americans today. but you focus particularly in a recent op-ed on cyber threats when it comes to water systems in the united states. what got your interest in this? >> the commission pointed out on our 60 structures there's
1:15 pm
safety critical infrastructures by presidential executive order. you may remember president biden show this list to president clinton and said away from these critical infrastructures but the commission c, several of them served us lately. one was pipelines and another was water. the third was healthcare provisions so the commissioners asked a bunch of us to or different think tanks to take a look at some of these issues in detail. the water one really concerned me and the reason i took it up personally because i think water is a critical infrastructure that the nexus of national security, economic state only public y, health and safety. one of the ways you can become a critical infrastructure, water is in all and it enhances the other informs and enables the other critical infrastructure. our energy infrastructure relies heavily on the water infrastructure.
1:16 pm
so that if water isn't functioning in a certain region is likely that very rapidly thereafter energy production will be se functioning. so seeing this as a critical infrastructure, and really the weakest link in these critical infrastructures we went and stuck a study on it. >> so because the op-ed talks a lot about the specifics, you highlight the experiences of one small town in florida. what that experience and what does it say about the larger issue on cyber threats for the system. >> the one we highlight wasn't. florida about 11 months ago before the super bowl. and what happened was dsa malicious cyber actor still us unidentified ad into the system. probably through either a pre-existing flaw or delivery
1:17 pm
of a spear phishing that hasn't been revealed yet by the fbi and was able to manipulate the system and what this person targeted was a little unusual in the sense that he or she didn't try to turn the system off and ran somewhere back control of the system or lockout the operators. they instead decided to change the chemical injection settings so the amount of lye that was being, which controls the acidity of water is initially at low levels makes the water more of you to drink. at high levels can make the water poisonous or detrimental to health. and it began to attempt to increase the level of wind and water. he was doing the malicious actor was doing this at the same time that he was moving around the system with cursors in the system the same time operator was
1:18 pm
sitting the console so the operator was able to see his inappropriate activity going on. and he saw it twice, the first time you didn't do anything and the second time hour later he did reported in an area to stop this potentially harmful change in the chemistry but it really that was around the block we were able to stop this. i'm glad we were lucky points to the fact that our systems are incredibly vulnerable to malicious acts by either criminal actors or nation-states. and the study was issued more. there's a number of other examples. water hasn't been exploited in the same way financial services out because they are criminals who are going to rob money and there's a much more lucrative to success but the water critical infrastructure is exceptionally vulnerable to cyber penetration. >> our guest with us until 8:45 and if you want to ask
1:19 pm
questions about the vulnerabilities that talks about, you can call 2027 48,004 democrats, 748-8000 14 republicans and 202-748-8000 24 democrats. text those thoughts. you can talk about the water aspect but also other vulnerable systems as well what makes them vulnerable generally? >> akgenerally go with water and take it up generally. what makes possible roles particularly in the water industry is that there's this. first there's the industry spends on its cyber security and the second is how well the government agency that scared me that industry supported? both of those are flawed during that she. in financial services banks are over 20 years have learned we are really
1:20 pm
susceptible to being targeted heavily by cyber criminal actors. so some banks, they're going to spend upwards of 700 million a year, $700 million a year on cyber security. that's more than most federal agencies except the department of defense. that's more than most countries. an individual us bank will be spending that. they're very highly supported by a heavily regulated industry. there supported by the department of treasury that is apparent leads to very high cyber security. you can't say that across the thousands of banks in america but you can broadly say across the industry and very specifically say about our biggest banks. but when we think about water, water utilities are generally more than i think it's about 88 percent publicly owned and operated by york county, yorktown. i'm kind of local government organization that is not the
1:21 pm
definition of an organization is going to be rich with excess funds for able to rapidly give grants for funding to solve a developing security issue t. so they're very much governed by rates that they're allowed to charge. bonds to raise money. it's a very slow not agile response mechanism. and the really congregating factor is about two decades ago he began to heavily automate the water industry. in other words take the man or woman out of the loop and make the valve for the pump or chemical injection system operate my computer order. the time there didn't appear to be a big cyber security threat so one of the things that came from that were invested in other areas. 20 years later there's a big cyber security threat. we heavily wanted these systems and we don't have the excess funds to pay for them so the agency itself has got to do more to spend more money on cyber security.
1:22 pm
in that regard, the government the risk management agency which is the environmental protection agency or epa has not been properly resourced or organized to support the utilities and their cyber security effort. the epa is a big federal agency, got a lot of important roles. it spends a lot of effort on important issues like removing the lead-based typing in our water systems and working on climate change is. but they have not focused through multiple administrations in a bipartisan way. they have not focused on cyber security. as a result they are very ill-prepared to support a weak industry. in terms of cyber security and the best example of this is their office of water cyber security probably has other five people in it. and when you compare that to 55,000 water utilities 15,000
1:23 pm
wastewater utilities, five people trying to help 70,000 bureaucratic organizations, that's not the kind of way you get there. so what you really have to get is a good government support agency. married with a good, well-funded industry. that's when you'll have type cyber security class mike montgomery with the foundation for defense of democracy, senior director of the center for technology and innovation. if you want to ask questions about these concerns, you can call the line or send us a text. james in washington dc, independent line. good morning, you are. >> thank you for having me. my question to mister montgomery's is our energy grid at risk as well and the second question, how do we move forward with legislation? how do we get our legislative branch to act on this because
1:24 pm
it seems like we are now in the 21st century is based this should have been taken care of in the 1990s. >> those are two great questions. energy is in a better position. couple reasons like that one, a lot of energy is privately owned, not publicly owned so there's the ability to adjust rates which may not always be with utilities but does allow them to respond to these issues more tactilely. and it's more around 10 to 15 percent publicly owned electrical utilities versus the 88 percent i mentioned in the water. there the department of energy has been an exceptionally good sector risk management agency. they apply themselves traded an assistant secretary that deals in cyber security during the administration. so far provided administration has not appointed somebody on occasion secretary of energy indicated she might drop the
1:25 pm
seniority of that job. i hope secretary granholm is unsuccessful in that effort. both senators have pushed back but in general she does make sure there's enough funding for the organization. is literally 20 to 30 times the size of its water equipment when it should be about the same size so i feel better about energy. that does not mean energy is secure. it means it had the opportunity to be more secure. there are still vulnerabilities the same kind of fbi and essay department of homeland security report that came out about water, warning caused us to write the op-ed. at similar warnings in the energy sector as well so they are under assault. both from criminal actors particularly to try to pick up grants were but also from nation-states that implants malware into our electrical power grid.
1:26 pm
we have reports on that so we still need to worry about energy and energy assigned water. water fails energy isn't all. energy has concerns. as far as legislative action also do the legislature has done more, the u.s. congress has done more in the last two years and is done in the previous 20 years on cyber security legislation. i would consider the last three years of cyber security at bonanza. there have been 40 loss in three years ago, 62 years ago again last year. mostly in the national defense authorization act and also in independent bills. cyber security legislation passed in the bipartisan infrastructure plan for examples though they're doing something but you're correct in saying that they haven't done everything they need to do. and in fact in our report on water cyber security media three or four different areas where legislative action is still required and how give
1:27 pm
you one specific one. americans are extremely disappointing and frustrating that while we do set aside $14 billion. that's over a five-year period so 3 billion a year in very specific grants to water utilities, cyber security is at the feet of those but they're competing with is utah water usually can spend this crap on routes l. severe weather issues. natural disasters. rising sea level work cyber security so you basically tell water utility or someone you can spend it on the fourth side of the populace or water cyber security and invariably the money that 99.9 percent are the four sides of the apocalypse. the problem with water cyber security is easy to ignore in short-term and long-term aggravated failure to fund higher security upgrades
1:28 pm
means you have simply been vulnerable as if you were having a drought for rising sea levels or actual natural disaster we need to have some cyber security unique funding. so that all the utilities spent on to ensure the utility as we identify risks in the system beyond their ability to fund or or repair, they have a place to go for a grant or a low interest growth loan pending on the size and attributes of that usually. >> some of the recommendations your organization makes when it comes to giving more power to the epa and the sector risk management agency. money to cyber security, and also directs the cyber security and infrastructure security agencies to support for water structures and also increases that federal government support there as well. let's hear from ian in winter park florida, republican line. >> rei mister montgomery. i wanted to thank you first of
1:29 pm
all for being here. it's very, i really appreciate the ability to talk to you. so i'm a ucf graduate and i've been in central florida for quite some time. i will say that the water here has been abysmal for quite some time and i'm just curious in your personal opinion, what can the central florida environment do to improve the water here because it's been really absolutely been terrible for quite some time. >> how modern our systems and these critical locations?
1:30 pm
>> the colors have a great point which is inconsistent and then there's very strong water utilities that have a real challenge in upgrading and improving the quality of both those. the water drinking but also the security systems with it. when i say there's 50,000 printing water utilities which is a phenomenal number, over 40,000 serve communities of less than 3000 people. so you can imagine just getting the payments from the 3000 people la small profit and that there's almost no room for long-term investment. so really that's where the governments got to come in. when you have, when you set up a system like this, where something is distributed as is it is. then the government does have to come in and help a little. water like energy and transportation, one of the things the government provides
1:31 pm
is the backbone to private-sector or public utilities. so that's a great example. let me talk about one of our recommendations just how it helps. we have a program, department of agriculture has this program all the circuit rider program i can't imagine like the marble man on horseback riding around the west advising water utilities. this is for mom-and-pop small water utilities after farms or rural areas. they're out, they're not on horseback, they're probably wanted 150 driving around but they're giving advice. the problem is this guy's advice is ousted by giving the leg down. what is the pressure on this matter. as to be. important stuff like that probably not f on his computer getting cyber security advice so we got a small program in terms of cost but the big impact for these small rural areas that's to fund 50 cyber
1:32 pm
security circuit riders this is working with the national rural water association to champion this. one of the associations for these small rural places but now you've got 50 guys men or women running around servicing these rural and farmland areas and probably not in f1 50, they're probably in the previous friday around and they show up with their computer and say let me run some penetration testing. let me examine your system, the cyber security of your system and get it up to see te you are not subject to ransomware. these small systems are just as horrible to ransomware criminals as they systems are but that kind of program we could run for $5 million a year really enhance those kind of smaller industries kind of help get the water, cyber security on par with some of the other issues that we saw through the circuit rider program. >> from clark in florida, democrat line.
1:33 pm
>> i have a lot of care about cyber but i also have a lot of care about industries and pollution and runoff and search and i think it's a much bigger problem and we personally want to have corporations monitored that money going towards that direction. >> host: that's clark, now for debbie in silver spring maryland. >> good morning mister montgomery and washington journal. as the tax credit and a public service since water is inextricably tied to energy, why do not all that oil companies pay for it? what is that not regulated to the department of energy as the mandatory service tax?
1:34 pm
>> out take a whack at this one. i think the use of the water generally associated with energy production and they do pay for the water they get as a cooling medium. there is that requirement and how much that's charged for is something that can be determined but the truth is the water utilities have not been putting the money they have into cyber security so i'm not sure that increasing the rate would necessarily increase ... unless we had a lien on these utilities but it's time to make that investment. you've got a lot less people standing watch, operating valves and pumps. particularly in these large rural systems but the thousand pumps that are 10, 12, 30 miles away from the headquarters of the distribution manifolds.
1:35 pm
you know, near the west bars and such. that's all been automated. the benefits, they need to make the benefits in cyber security and i think i would like to keep management of this with the epa. there are all elements of water the to work on cleanliness. on the lead pipe purity of the water. they do a lot of great work at the epa. they just need to come up to speed on the cyber security. >> host: we saw 1.2 billion infrastructure bill passed by congress and signed into action by the president. how much of that dealt with cyber security on these critical issues? >> guest: that a great point and when it came out the president, one of his talking points was this bill does a lot about resilience and cyber security and it's one of the first bills appropriations bills that
1:36 pm
highlights cyber security specifically so that's a win. here's where it's less of a win. in the 1.2 trillion which is 1200 billion, there was 2 billion worth of cyber security. when you do that mathematically that's 2/1200. that's a little over 0.1 percent was spent on cyber security so it's great was called out. it's great there's 2 billion in there but i want to put it in perspective. it was a pretty small percentage overall and what it did was specific money to cyber security infrastructure security agency which is a critical agency so department of homeland security, it's kind of the quarterback of the federal government's cyber security response. they work with every federal agency. they work with the private sector. they work with the cyber director at the white house. they're kind of quarterback on
1:37 pm
workforce issues and they were given billion dollars worth of funds for different things to do including what's called a cyber response and recovery fund which is for providing money after the fact, after there's been some kind of cyber event or crisis to help restore systems rapidly and get them up and going. this is an important thing that our commissioner had been asking for for two years s in congress delivered and it provided $1 billion to state and local governments for cyber security of their it systems. some of that could go towards water. i think by not having a direction to do it in the law, it's allotment less than we would hope would go to that. it's going to go to the cyber security and modernization of your state and local governments. this was noticed during the covid response when people were applying for
1:38 pm
unemployment relief and state and local systems were under duress because they were outdated and outmoded but they also are unsecure so the money in the areas for cyber security. a lot of that billion dollars will be spent on what we call it modernization which will improve security but not perfectly efficiently so that's in there. finally in there is the money i mentioned earlier $14 billion overall for grant programs over five years. for water utilities and as i said my concern there is cyber security was thrown in with the foresight of the apocalypse so historically over the last 15 years when cyber security is kind of an add on the money doesn't get spent and it has a lot to do with how the utilities think but also with how epa is organized to handle these grants. >> host: we will go to ryan in benton harbor michigan, independent line. >> good morning mister montgomery. benton harbor recently had
1:39 pm
our water situation was the worst in the whole country. it's worse than flint was when flint had their crisis. we are like about an hour or 15 minutes from flint. what i want to do ask is i don't see the urgency that's coming in at all. so i want to know how that system works with the money that just got spent on infrastructure. how do we follow the money to make sure that we are getting the proper responses we should and in the future, you know, that this doesn't happen again. it should be a system set up to say we need to start getting down and look at the infrastructure whether it's 100 years from now or whatever because i know that infrastructure hasn't been touched and probably 100 years. >> host: thanks ryan.
1:40 pm
>> guest: one quick thing, having studied the infrastructure bill quickly there is money for those sorts of things also. epa is an in a bipartisan way over a number of years has been trying to identify needed investments in infrastructure, in water infrastructure. and there is a significant backlog of hundreds of billions of dollars if you look back at the latest studies. there's also a lot of money in this infrastructure bill and generally in the appropriations for epa to deal with this and i think this administration is taking that very seriously. >> host: this is pat, keyport new jersey, republican line. >> caller: i'm a former it person so my question is why aren't these systems closed to outsiders? why do you have a list of extremely limited people able to access these systems and make changes? how to somebody and on the
1:41 pm
outside get access into the system? >>. >> guest: that's a great question and they should be closed. it's connected to your internet because they're talking to systems downrange . but what's generally happening, i think the most likely source or the penetration by the adversary, the cyber criminal actor or malicious actor is spearfishing . emails to the operators who then and able a piece of malware by clicking on the link. and the adversary is now in the system. i would tell you in general there's three thingsyou can do in cyber security that will make you 99.9 percent secure . number one is a complex password. number two is multi factor authentication. number three is don't answer emails from nigerian princes or specifically don't go
1:42 pm
spear phishing. if you do those three things don't hit links that come from outside sources. if you do those three you will make yourself and if you work in a company, you will make your company more secure. unfortunately those are not practiced. often multi factor authentication is not required and those are the kinds of things that i think would drive improved cyber security. >> host: this is from stephen in salem oregon, independent line. >> caller: can you hear me? good morning mike montgomery. for once someone i'd like to talk to. i'd like to say that's the cool thing about sustainable energy and the water and everything that goes with it is it eliminates having to develop a cyber security plan for it and local jobs get developed. and you have people in your own area working on things that they do breakdown and it
1:43 pm
eliminates that right there. it alleviates having to worry about it which is so cool but i want to say that also cyber security is going to be there. but what you just said about spear phishing awesome is given that information is out there and i appreciate you and i want to know i'm hearing from you that i'd like to get ideas and solutions making us think more and i also wanted to say you guys have a great day. >> host: that's stephen and oregon. when it comes to recommendations one of the recommendations you put to government and industry is that putting a cyber security oversight program amongst other things and also to amend the american water infrastructure act and increase wastewater utility risk assessments. to that first point though are there not programs already between the government and industry on these issues?
1:44 pm
>> guest: surprisingly there's very little in the water and i compare that to where the big banks would tell you don't just have one federal agency regulating, we have three or four. so what i would tell you is that there was a law passed several years ago called the american water infrastructure act. in their directed water utilities to pick up risk assessments and create long-term emergency response plans to recover. and it said that epa you can provide guidance on how to do this risk assessment but in the area of cyber security the epa has not only not provided it on their website until recently, they said we are not giving you a standard for doing this risk assessment and i think that's a real fault. they should be providing some kind of standard to be looked at.
1:45 pm
it could be scaled based on the size and majority of your systems but i'm at a point now where i think that we need a joint industry government cyber security program. probably there's a l function at the epa but the real nuts and bolts is managing the standards development. that needs to be done by the water industry and there are a lot of good water industry associations. there's something called the information sharing assistance group and there's a water, aws ec which is kind of the water sector cyber security. the council that helps work between the government and its associations. they can provide that standard. they can use cisa and nis
1:46 pm
which is the national information standards technology at the department of commerce may provide a ton of recommended standards technology. these can help develop standards and they can work together, consult with the different stakeholders and eventually build themselves towards a regulatory regime if that's necessary. if you can do it through a joint oversight that would be great. but the epa is years if not a decade away from being positions to regulate this industry because of their current lack of investment and organization. so that's kind of how i see that governments, joint government industry oversight going. it's got to be industry led for the first decade. >> we will go from chris in louisiana, democrats line.
1:47 pm
>> mark, i want to mention something. in your explanation it seems as if from my understanding that the epa is a malfunctioning organization. because the more i listen to you explain a lot of things and when it comes to what they do i keep hearing how they're not doing this when they could be doing that. and they need to be doing this and they need this and that. this is a malfunctioning organization. what i'm thinking is our folks in washington who sits on these different boards who are in control of the epa, they need to go in there and i would say restructure everything and replace people if necessary because mark, this is so important. i'll give you an example.
1:48 pm
>> host: we are a little bit of time, i apologize. go ahead. >> guest: it's a great point. but i wouldn't o sharpen it a little bit. the epa is doing a lot of things well. they're doing this poorly because they don't resource for it and as the caller said they are not organized so i'd recommend reorganizing and funding them. the trump administration had an increase in this office from 8 million to 10 million over a few years. provided administration recommended increasing 10 million. the real amount is 45 to 50 million and you can't do that in one year. you don't. a government agency's budget in a year. it's like burning money and an oil barrel but over a series of 3 to 5 years this office could be the support element to the private sector. they're required to be by law as a central risk management agency so they can provide us as citizens good oversight.
1:49 pm
we want t high-performing cyber security program at epa and get the support from cisa, get the support from nis and a little from the department of energy they have expertise and i think that the solution but it's going to require money. it's small money in the overall budget but it requires money and organization to get right click. >> host: mark montgomery with the foundation for defense of my democracy. thank you for your time with us today. >> i really appreciate you tackling this issue. >> tonight to look at changes to emergency communications in the 20 years since the 9/11 terror attacks. held by the house homeland security emergency preparedness response and security subcommittee. watch tonight at 10 pm eastern on c-span2, or watch full coverage on c-span now,
1:50 pm
our new video. >> one year ago protesters broke through police security and occupy the us capital. on the one-year anniversary of the january 6 attack we look back on that day live on c-span beginning at 7 am eastern on washington journal taking your phone calls and tweets then president joe biden and vice president harris liberal marks from the capital at 1 pm eastern librarian of congress carla hayden leads a discussion with doris kearns goodwin and john meacham on january 6 place in american history and that 2:30 p.m. eastern lawmakers take part in a forum during their thoughts and reflections on that day. at 5:30 p.m. eastern members of the house and senate got on the steps of the us capital for a prayer vigil and following the vigil we will repair fence from the day and take your phone calls. the anniversary of the january 6 attack live thursday on c-span and watch
1:51 pm
with our new c-span mobile app. you will find the page with all of c-span's january 6 grabbing including archival coverage from that day. >> c-span is your unfiltered view of government funded by television companies and more including podcasts. >> comcast supports c-span as a public service along with these other providers giving you a front row seat to democracy. >> wall street journal takes a look at those cases of omicron and highlights that one million-dollar, 1 million figure that was earlier this week saying that the us reported 1