tv Federal Cybersecurity Programs CSPAN October 10, 2017 3:30pm-4:58pm EDT
3:31 pm
the house homeland security subcommittee on cyber security held a hearing with officials from the homeland security department and the energy department regarding the federal government's cyber security programs. the subcommittee looked into the security of election systems, the government's i.t. systems, and the security of the nation's electric grid. the committee on homeland security's subcommittee on cyber security and infrastructure protection will come to order. first of all, i'm sure i speak for all of us here on the dais in expressing our deepest condolences to all of the family members and all of the victims of yesterday's tragedy in las vegas. events like the one yesterday demand the utmost humanity in response to such blind hate and
3:32 pm
evil and hopefully will give us all a renewed sense of purpose as we approach the tasks of the day. the subcommittee is meeting today to receive testimony regarding the department of homeland security's cyber security mission. i recognize myself for an opening statement. we're here today at the start of national cyber security awareness month to discuss what i believe is one of the defining public policy challenges of this generation. the cyber security posture of the united states. we've seen cyber attacks hit nearly every sector of our economy with devastating impacts to both government agencies and the private sector alike. and it is our shared duty to ensure that we're doing our very best to defend against the very real threat our cyber adversaries are posing. but make no mistake, the cyber security challenges we face are about much, much more than simply protecting bottom lines or intellectual property or even
3:33 pm
our nation's most classified information. they also impact the personal and often irreplaceable information of every american. this year we have seen on a grand scale just how much damage can be done by a single individual or entity looking to conduct a cyber attack. the equifax breach shows that it takes only one bad actor and only one exploitable vulnerability to do something to compromise the information of 145 million americans. this is not the first cyber attack that has garnered national attention and unfortunately it almost assuredly will not be the last. as the members of this panel and as our witnesses here today know well, there is no silver bullet for guaranteed technology to fix the cyber security problem. rather we need to be part of an ongoing sustained, dedicated
3:34 pm
persistent and comprehensive campaign to ensure the united states remains the world's cyber security superpower. we will continue to need a sharp work force and collective efforts in public private partnerships and the leadership of our government agencies to leverage our resources and to counter our highly sophisticated cyber adversaries. today the subcommittee meets to hear from the government officials that are charged with meeting these cyber threats. these are the folks on the front lines day in and day out. dhs is the federal government's lead civilian agency for cyber security and within it the national protection and programs directorate, or nppd, leads our national effort to safeguard and enhance the resilience of the nation's physical and cyber infrastructure, helping federal agencies and when requested, the
3:35 pm
private sector harden their networks and respond to cyber security incidents. they partner with critical infrastructure owners and operators and other enterprise stakeholders to offer a wide variety of capabilities, such as system assessments, incident response and mitigation support. and the ability to hunt for malicious cyber activity. this collaborative approach to mitigating cyber incidents is meant to prioritize meeting the needs of dhs's partners and is consistent with the growing recognition among government, academic and corporate leaders that cyber security is increasingly interdependent across sectors and must be a core aspect of all management strategies. this committee has been working hard to ensure that nppd and dhs
3:36 pm
in its entirety has the necessary authorizations and organization it needs to combat growing cyber threats. dhs needs a strong and sharp work force. both to protect its cyber security and infrastructure protection missions. earlier this year, the committee marked up and passed hr 3359, the agency act of 2017 to reorganize and to strengthen nppd. as the cyber threat landscape continues to evolve, so should dhs and in doing that, hr 3359 is the tool we'll use to bring nppd to a more visible role in cyber security of this nation. as a committee and a congress we have taken important steps in the right direction with legislation on information sharing, on modernizing the federal government's information
3:37 pm
technology and in getting our state and local officials the cyber security support that they need. some of these programs have been years in the making. real-time collaboration between the government and the private sector is a lofty and worthwhile goal. through the automated sharing program, or ais, dhs has been partnering with industry to create and enhance that broader information-sharing environment. and we've made progress in the right direction. while we know proactive information sharing is only as good as the information being provided, that type of relationship can only be made possible with a strong foundation of trust. i'm looking forward to a robust discussion today, not only how the government can be best organized and equipped to ensure we are leveraging the resources of the federal government but how the government can forge and grow the necessary partnerships to achieve the greater cyber security for our
3:38 pm
nation. we have to get this right. because new technologies, the internet of things, driverless cars, artificial intelligence, and quantum computing, they are all rapidly evolving. so we need to be securing at the speed of innovation, and not at the speed of bureaucracy. we are in an era that requires flexibility, resiliency and discipline. and i hope i will hear those values operationalized in the forthcoming testimony. cyberspace plays an increasingly dominant role and it will take continued collaboration across the public, private, international and domestic spaces to keep making the advancements needed to prioritize cyber security for our country. i know this is a responsibility that everyone on this subcommittee takes extraordinarily seriously.
3:39 pm
the chair now recognizes the ranking minority leader for his opening statement. mr. richmond, from louisiana. >> thank you, mr. chairman. good morning. i'm pleased we're kicking off cyber security awareness month by talking to the department of homeland security about the cyber security mission and how congress can help ensure dhs is well positioned to prevent from cyber attacks. before i begin i would like to send my condolences to the families of the victims of sunday night's horrific shooting. to the survivors, you're in our thoughts and prayers. to the brave first responders who were running into danger when everyone else was running away from it, we are grateful. the democrats on this committee have said this before but it bears repeating. at some point we're going to have to come together and enact sensible gun legislation and as the congressman representing new orleans, i cannot sit silently as the president insults the
3:40 pm
hurricane survivors of puerto rico and the san juan mayor who's trying to help them. i've been through katrina and i know what it's like when you're at your most vulnerable moment and you've lost everything and what you're looking for is assistance because it's beyond your capacity to respond to a storm of that magnitude. so having seen the people grieve the loss of their homes and businesses and struggle to piece their lives back together, i can tell you the last thing the people in puerto rico and the virgin islands need are insults. i urge the president to take a break from twitter, roll up his sleeves and get to work. turning to the issue at hand, as i mentioned, i represent new orleans, which has significant energy sector assets. last month we heard disturbing reports of a new way to breach energy sector networks in the united states. according to symantec, in some
3:41 pm
cases, hackers achieved unprecedented access to operational systems. in light of these reports, i'm interested to know how the department of homeland security and the department of energy are working together to secure energy sector networks and make them more resilient. additionally, as a member of this committee, and the congressional task force on election security, i am eager to hear about dhs's activities to secure our election systems. although the administration's commitment to the critical infrastructure designation appeared to waver earlier this year, i was encouraged when acting secretary duke told committee democrats last month that there are no plans to rescind the designation. with that comment, i look forward to hearing the progress dhs is making to secure election infrastructure and whether the department has adequate resources to carry out its responsibilities in that space.
3:42 pm
for example, i understand there's a nine-month wait for a risk and vulnerability assessment, and that some secretaries of state have complained about the lengthy clearance process for election officials. i'm concerned that these kinds of challenges may deter some states, particularly those to the critical infrastructure designation from taking full advantage of the resources dhs can bring to bear. from that point, dhs has to build some relationships necessary to executing its security commission. although i hear dhs is making progress, i'm concerned mistakes made notifying certain secretaries of state that their election infrastructure had been targeted may have undermined the trust that dhs has sought to build. i will be interested in learning what do you need from congress to address more quickly.
3:43 pm
and build trust within the election infrastructure community. finally, when ms. manfra testified in march, i asked when i could expect the dhs's cyber security strategy. the strategy required pursuant to legislation i authored was due march 23rd. it still has not been submitted to congress. i understand the trump administration did not fill leadership positions relevant to the execution of dhs, cyber security strategy with any real sense of urgency. and ongoing vacancies may be contributing to the delays. but the strategy is six months overdue, and that is not acceptable. with that, i yield back the balance of my time. >> i thank the gentleman. the chair now welcomes and recognizes the chairman of the full committee, my colleague from texas, mr. mccaul, for any opening statement he might have. >> thank you, chairman
3:44 pm
ratcliffe. >> i also would like to extend my thoughts and prayers to the victims and family members of las vegas. i'm hopeful we can come together to prevent such tragedies from happening in the future. i'm pleased to be here today with our distinguished guest here at this hearing. america's national security continued to be threatened by islamic terrorists. tyrannical regimes. building and proliferating weapons of mass destruction. human traffickers, transnational gang members, like ms-13, who stream across our border. these threats are well-known, and we need to do everything we can to stop them as we see them coming. however, we also find ourselves in the cross-hairs of invisible attacks and sustained cyber war from nation states and other hackers. and as we become more reliant on computers and smartphones in both our personal
3:45 pm
and professional lives, everyone is a potential target, and sadly, many of us have already been victims. over the past few years, we see many successful large-scale cyberattacks take place. in early september hackers were able to breach equifax, a credit reporting agency gaining access to sensitive information on as many as 143 million people. in 2016 we know russia tried to undermine our electoral system and democratic process. and in 2015, we learned that china stole over 20 million security clearances, including mine. and probably some here at this dais. these kinds of violations are simply unacceptable. i'm proud to say over the last few years this committee has recognized these threats and has led the charge in the congress to strengthen the defense of our nation's networks. in 2014, we enacted several
3:46 pm
important bills that empowered dhs to bolster its work force, codified dhs's cyber center and updated for the first time in 12 years. a year later, the cyber security act became law. which enhances information-sharing and makes dhs the lead conduit for cyber threat indicators and defensive measures within the federal government. while information-sharing has come a long way, this illustrated just how important and beneficial these relationships are. just last week, rob joyce, the cyber security coordinator at the white house, noted that we need to find a way to provide the private sector with more expansive access to cyber threat information in a controlled setting. something i believe we need to strengthen. moreover, issues relating to the sharing of classified information with the private
3:47 pm
sector, like accrediting scif space, granting security clearances to key personnel and enabling consistent two-way communications are issues we are looking at closely. in other words, we have made great progress in the way indicators are shared. but i want to examine if we can do more regarding the overall sharing of classified information. earlier this year, i was pleased to see president trump issue an executive order to strengthen the cyber security of federal networks and critical infrastructure. going forward, i'm hopeful that the house can advance legislation that i have introduced to elevate nppd as a stand-alone agency and better support the cyber security mission at dhs. this month is national cyber security awareness month. a time to learn more about these threats and offer ideas on how we can best secure ourselves against these growing threats. while we've had some success on
3:48 pm
this issue, we must do more. our cyber enemies, including terrorists are always evolving, looking for new ways to carry out their next attack. unfortunately, this is an issue that i believe transcends party lines. it's not a republican or democrat issue. so let's work together to make our cyber security strong and keep the american people safe. again, i'd like to thank the witnesses for being here today. and thank you for your service. in a very important component of the department that often, as i mentioned in my opening, we focus a lot on counterterrorism and the border and other things. but i consider this mission that the department has to be one of the most important that this nation faces. so i look forward to the conversation and that congress and the executive branch can work together and how we can work with leaders in the private sector to enhance the nation's cyber security. so with that, i'd like to yield back to the chairman. and if i may, submit my questions for the record.
3:49 pm
>> i thank the chairman. and the chair now welcomes and recognizes the ranking minority member of the full committee, the gentleman from mississippi, mr. thompson, for his opening statement. >> thank you, very much. good morning. i'd like to thank chairman ratcliffe and ranking member richmond, for holding today's hearing to examine the work dhs is doing to shore up our nation's cyber defenses. there's no doubt that our country is facing an evolving array of cyber threats. as we stand here today, our enemies are thinking of new and novel ways to strike at everything from banks to hospitals and chemical facilities. nefarious actors even want to disrupt some of our most basic institutions. last year, we learned that our nation's election system served as a new frontier for cyberattacks.
3:50 pm
with every passing day, we learn of new ways cyber operatives are looking to exploit everything from the media we consume to the databases that store voter registration data. in this country, there's nothing more sacred than the ability to engage in civic activity and cyber criminals are seeking to undermine our democracy. furthermore, as i watch the devastation unfold in texas, florida, puerto rico and the virgin islands i'm reminded of the fragility of our systems. the systems we rely on can be deadly regardless of whether it's caused by a cyberattack or a natural disaster. in short, the digital network we rely on for our day-to-day life are facing a multitude of threats. to respond to these threats, congress has put its trust in
3:51 pm
dhs. over the past few years, congress by way of this committee has consistently expanded dhs's cybersecurity mission, giving the department a key role in securing federal networks as well as the systems that support our nation's critical infrastructure. the department made huge strides in implementing these new authorities including by standing up an automated system to share cyber threat data and advising the new election infrastructure subsector on how to promote cyber hygiene with election administrators throughout the country. we cannot, however, expect dhs to carry out these responsibilities with both hands tied behind its back. to be successful, the department needs adequate resources, a robust staff, strong leadership and a clear strategy.
3:52 pm
unfortunately, this administration has been gravely unfocused when it comes to cybersecurity. president trump falsely promised to deliver a comprehensive plan to protect america's vital infrastructure from cyberattacks on the first day in office. it took months for the president to get around to issuing an executive order on cybersecurity. also, a quarter of the 28 person national infrastructure advisory council resigned in protest of president trump's insufficient attention to cyber threats. president trump floated the idea of an impenetrable cyber unit with russia at the same time members of his administration were considering and ultimately deciding to ban the use of the products on federal networks. within dhs the chief information
3:53 pm
officer resigned after serving only four months and the national programs and protection directorate, the department's main cyber is still operating without a permanent under secretary. whether the men and women in this room are willing to acknowledge in an open setting that they are struggling without this leadership, we can be certain these gaps are making their job harder. i look forward to hearing from the panel today about how the department is carrying out its cyber mission and i hope that you'll be candid with us about the obstacles you face. if there are areas where you need additional resources or legislative clarity, tell us how we can help. i'm especially eager to hear from ms. hoffman about how dhs works with one of its key partners in securing critical infrastructure, the department of energy.
3:54 pm
with that, mr. chairman, i yield back. >> thank the gentleman. other members of the committee are reminded that opening statements may be submitted for the record. we are pleased to have a distinguished panel of witnesses before us today on this very important topic. mr. christopher krebs is the senior official performing the duties of the under secretary of the national protection and programs directorate at the united states department of homeland security. great to see you today mr. krebs and great to see you in your new role at dhs. ms. jeanette manfra is the secretary for cyber communications in the national protections and program directorate. also great to have you back with our subcommittee and finally ms. patricia hoffman is the acting assistant director at the us department of energy. thank you for being here with us
3:55 pm
today. i'd now like to ask the witnesses to stand, raise your right hand so that i can swear you in to testify. do each of you swear or affirm the testimony which you will give today will be the truth, the whole truth and nothing but the truth so help you god? let the record reflect that each of the witnesses has answered in the affirmative. you may be seated. the witnesses' full written statement. the chair recognizes mr. krebs for his opening statement for five minutes. >> chairman ratcliffe, ranking member richmond, thompson, members of the committee. good morning and thank you for today's hearing. in this month of october we recognize national cybersecurity awareness month, the time to focus on how cybersecurity's a shared responsibility that affects all americans. the department of homeland security serves a critical role in safeguarding and securing cyber space a core homeland security mission. i want to begin my testimony by thanking the committee for taking action earlier this summer on the cybersecurity and
3:56 pm
infrastructure security agency act of 2017. if enacted, this legislation would mature and streamline the national protection and programs directorate and rename our organization to clearly reflect our essential mission. the department strongly supports this much needed effort and encourages swift action by the full house and senate. the mission statement is clear we lead the nation's efforts to ensure the security and -- we collaborate with other federal agencies, state, local tribal and territorial governments and of course the private sector. our three goals are as follows. secure and defend federal networks and facilities. identify and mitigate critical infrastructure systematic risk, incentivize and broadly enable enhanced cybersecurity practices. no question this is an expansive mission. as we meet today, i am proud to share with you the tireless efforts of so many at nppd. in coordination with our
3:57 pm
partners to accomplish this mission. the targeting of our elections, wannacry, intrusions into energy and nuclear sector infrastructure, harvey, irma, maria. soft-target attacks in london, barcelona, orlando and las vegas. as threats to our critical infrastructure evolve and in many ways remain the same our people are partnering with owners and operators across america. we are engaging the public to raise awareness because our security is truly a shared responsibility. today's hearing is about dhs's cybersecurity mission. earlier this year the president signed an executive order on strengthening the cybersecurity of federal networks and critical infrastructure. this executive order set in motion a series of deliverables to improve our defenses and lower our risk to cyber threats. dhs is organized around these deliverables by working with federal and private sector partners. we're emphasizing the security of federal networks.
3:58 pm
agencies have been implementing the industry standard nist cybersecurity framework. agencies are reporting to dhs and the office of management and budget on their cybersecurity management in acceptance courses. they're evaluating the totality of these agency reports in order to comprehensively -- in addition to our efforts to protect federal government networks we're focused on how government and industry work together to protect the nation's critical infrastructure. we are prioritizing deeper more collaborative public/private relationships and partnerships. in collaboration with civilian, military and intelligence agencies we're developing an inventory of authorities and capabilities. we're prioritizing entities at greatest risk of attacks that could result in catastrophic consequences. we call this section 9 efforts. before closing let me also discuss our continue -- facing the threat of cyber enabled
3:59 pm
operations by a foreign government during the 2016 elections dhs and our interagency partners conducted unprecedented outreach and provided assistance to state and local election officials. information shared included indicators of compromise, technical data and best practices. through numerous efforts before and after election day, we declassified and shared information related to russian malicious cyber activity. these steps have been critical to protecting our elections, enhancing awareness and educating the american public.
4:00 pm
technological advances such as the internet of things and cloud computing increase access and streamlined efficiencies. however, they also increase access points that could be leveraged by adversaries to gain unauthorized access to networks. as new threats emerge and our use of technology evolves, we must integrate cyber in order to effectively secure our nation. expertise around cyber physical risk and critical infrastructure is where we bring unique expertise and capabilities. thank you for inviting me here today. i look forward to your questions. >> chairman ratcliffe, ranking member richmond, thompson, members of the committee thank you for holding today's hearing. i also want to begin my testimony by thanking this committee for taking action earlier this summer on the cybersecurity and infrastructure security agency act of 2017. a name for our organization that reflects our mission is essential to our workforce,
4:01 pm
recruitment efforts and effective stakeholder engagement. we must also ensure that nppd is organized both now and in the future and we appreciate this committee's leadership. cyber threats remain one of the most significant strategic risks for the united states. cyber risks threaten our national security, economic prosperity and public health and safety. our adversaries cross borders at the speed of light. over the past year, americans saw advanced persistent threat actors including hackers, criminals and nation states increase in frequency, complexity and sophistication. in my role at dhs, i head the department's office of cybersecurity and communication which includes our 24/7 watch center and operations, the national cybersecurity and communication and integration center. our role goes along three work streams. assessing and measuring agency
4:02 pm
vulnerabilities and risks as well as critical infrastructure and directing and advising actions that federal agencies and critical infrastructure entities can take to better secure their networks. as you well know the nccic is the civilian government's hub for cybersecurity information sharing and coordination for both critical infrastructure and the federal government. as my colleague noted we are emphasizing the security of federal networks. the assistance to federal agencies includes first providing tools to safeguard civilian executive branch networks through our national cyber protection system and the continuous diagnostics and mitigation programs. second, measuring and motivating agencies and third, serving as a hub for information sharing and incident reporting and finally providing operational and technical assistance. einstein refers to the federal government's suite of intrusion detection that
4:03 pm
protects agencies' unclassified networks. today it takes action on known malicious activity. our yielding positive results. these capabilities are essential to discovery of previously unidentified malicious activity. we're demonstrating the ability to capture data that can be analyzed for activity using technologies from commercial, government and open sources. the pilot efforts are also defining the future operational needs for tactics, techniques and procedures as well as the skill sets and personnel required to operationalize the non-signature-based approach to cybersecurity. einstein is our tool to address perimeter security but it will not detect or block every threat therefore we must complement it with systems and tools working inside agency networks. our continuous diagnostics and mitigation program provides those tools and integration
4:04 pm
services to federal agencies. these tools are enabling agencies to manage risks across their entire enterprise. at the same time, those tools are also going to provide dhs visibility in to our enterprise risk across the federal government through a common federal dashboard. nppd is also working with our interagency partners to identify high assets. as part of this effort we conduct security architecture reviews to help agencies to assess their configurations, in-depth vulnerability assessments to determine how an adversary would penetrate a system, move around an agency's network and exfiltrate such data without being detected. we provide system owners with recommendations to address vulnerabilities protecting them before an incident occurs. when necessary the department also is taking targeted action
4:05 pm
to address specific cybersecurity risks through the issuance of binding operational directives. we are working to enhance cyber sharing across the globe. these actions help businesses and government agencies protect their systems and quickly recover should such an attack occur. by bringing together all levels of government, the private sector, international partners and the public, we are taking action to protect against cybersecurity risks, improve our whole of government capabilities and to strengthen resilience. thank you for the opportunity to testify and i look forward to any questions you may have. >> thanks. ms. hoffman you're recognized for five minutes. >> chairman ratcliffe, ranking member richmond and members of the subcommittee. thank you for the opportunity to discuss the continuing threats facing our nation's energy infrastructure and the department of energy's role.
4:06 pm
cybersecurity of the energy sector is one of the secretary's top priorities and a major focus of the department. the department of energy is the sector specific agency for cybersecurity of the energy sector. doe works with dhs to -- and jointly with other agencies, the private sector organizations for a whole of government response to cyber incidents by protecting assets and countering threats. in addition the department of energy serves as the lead agency for emergency support function 12 which is energy under the national response framework. as the lead esf 12 is responsible for facilitating restoration of damaged energy and infrastructure. the department works with industry, federal, state and local partners to facilitate response from recoveries. with national response activity ensures that incidents both
4:07 pm
cyber and physical impacts are coordinated in the energy sector. at this moment in time i would like to acknowledge that the secretary does express his support for the victims of hurricane harvey, irma and maria and i would also like to express my gratitude for all the utility workers that have been working very hard in the region for restoring power. in extreme cases the department can also use its legal authorities as those in the federal power act as amended by the fixing american surface transportation act to assist in response to recovery actions. congress enacted several important new energy measures in this act as it relates to cybersecurity. the secretary of energy was provided a new authority upon the declaration of a grid security emergency by the president to issue emergency orders, to protect or restore critical electric infrastructure or defense critical electric
4:08 pm
infrastructure. this authority allows d.o.e. to respond as-needed to the threat of cyber and physical attacks to the grid. d.o.e. has collaborated for nearly two decades, that engage owners and operators at all levels. technical, operational, and executive. along with state and local governments to identify and mitigate physical and cyber risk to the energy systems. in the energy sector the core partnerships have consisted with the electric coordinating council and the oil and gas coordinating council. in these meetings, partners states international partners come together to discuss important security and resilience issues for the energy sector. the electric sector specifically has been very forward leaning and aggressive in trying to address cybersecurity issues. d.o.e. plays a critical role in
4:09 pm
supporting the energy sector by building in security. specifically we have been looking at building capabilities in the sectors in three areas, the first area is preparedness, enhancing the visibility and situational awareness in operational networks as well as i.t. networks. increasing the alignment of cybersecurity preparedness across multiple states and federal jurisdictions. response and recovery activities in supporting the whole of government effort and leveraging the expertise of the department of energy's national labs to drive cybersecurity innovation. threats continue to evolve. d.o.e. is working diligently to stay ahead of the curve. the solution is an ecosystem of resilience that works in partnership with state, local and industry stakeholders to advance best practices, strategies and tools. to accomplish this, we must accelerate information sharing to better inform local investment decisions, encourage
4:10 pm
innovation and the use of best practices. to help raise the energy sector's security maturity and strength and recovery activities. especially through the participation and training programs and exercises. i appreciate the opportunity to be here before the subcommittee and represent one of the sector specific agencies and the energy sector cybersecurity capabilities. however i would be remiss not to take a moment and stress the interdependent nature of our infrastructure and required all sectors to be focused on improving their cybersecurity posture. so d.o.e. looks forward to continuing working with the federal agency to share best practices and build a defense in-depth. so with that i would like to thank you for being here today and look forward to answering your questions. >> i now recognize myself for five minutes of questions.
4:11 pm
ms. manfra. i want to start with you. you mentioned einstein and cdm in your testimony and the role they play. i want to give you some opportunity to provide some public clarity on the implementation of cdm specifically. can you give us some idea of how many departments and agencies have fully implemented cdm phase one and how many agency dashboards are up and running? is the dhs dashboard up and running and give us perspective on that? >> yes, sir. thank you for the question. cdm we are in the process of deploying both phase one and phase two. phase one being focused on hardware, software, asset management, sort of identifying what is on the networks internal to the agencies and phase two looking at who's on the networks. dealing with issues like access and identity management. we can get back to you with the specific numbers of agency deployment.
4:12 pm
they're all in various stages of deployment. we have made it available to all agencies but each individual agency is in a different stage of deploying. we are nearing 20 agencies that have an agency dashboard up and running and this month, the department -- the department of homeland security will be standing up the federal dashboard so that will be receiving feeds from those agency dashboards. that will then allow us to have more near realtime understanding of that -- that sensor, what those sensors are identifying on those networks to allow us to better identify vulnerabilities. >> thanks. one other point i wanted to cover today was last week the gao came out with a fairly critical report on the current state of cybersecurity. one of the most would appear to be at least troubling aspects of that was a statistic that's only
4:13 pm
seven of the 24 cfo act agencies have programs with any functions considered effective per the nist standard for cyber control. that doesn't sound very good. i want to give either you mr. krebs or you ms. manfra the opportunity as we're talking about the cybersecurity posture of the dot gov to reconcile that with the gao report. >> we've learned a lot over the years about agency capacity to manage cyber risk and the -- prioritized the management of their cyber risk at their highest level across the government. what we have learned in the both the deployment of cdm, our engagement and partnership with omb is there remains significant
4:14 pm
gaps. we have built over the last couple years and are continuing to build technical assistance capabilities, things like design and engineering, architecture reviews, helping agencies getting much more in-depth, insight into their networks and providing them with greater level of assistance both engineering and on the governance side to help them address the often very complicated networks with the limited resources we have. we see a lot of potential for cdm in the ability to deliver tools at lower cost across agencies and this is the first time that many agencies have had access to this level of automated data to understand what is on their network and so we see a lot of potential for this but for many agencies there's a lot of capability that has to be built and we're continuing to take advantage of things like shared service, more capability from dhs to deploy to agencies who need it most.
4:15 pm
>> so you just -- you comment about shared services and resources. i want to follow up on that a bit because i think it's important to look where we are but also look to where we're going and so looking forward a bit, how do you see dhs's federal network protection tools evolving past say signature based threat detection tools and particularly where my conversations with the administration and the cybersecurity advisers to the president really putting an emphasis on cloud computing, shared services and resources. so i guess in a sense, what is einstein future generations, einstein 10.0 look like? >> i'm not exactly sure what einstein 10.0 will look like yet but i can tell you where we're looking to evolve. as agencies and the president's key initiative around
4:16 pm
modernizing our ent. we need to modernize the way we govern and procure i.t. services within the government. as we do that we're working very closely to modernize our security processes, so as we take advantage of things like cloud services, we ensure that we are modernizing our security approach but also not losing the insight that we have into traffic, either traversing or in and out of agency networks. importantly we have learned on cdm some key lessons from the first phases of deployment. we now have a new contract vehicle in place that will enable the deployment of cloud and mobile security technologies in addition to the on premises sensing capability that we have right now. we are evolving. we are building on what industry is learning from behavioral based detection methods and we have had some successful pilots.
4:17 pm
we look forward to continue to build that capability. >> thank you very much. my time is expired. the chair recognizes mr. richmond for his questions. >> ms. manfra or mr. krebs, either one. the legislation called for department wide cybersecurity strategy within dhs. that strategy and report was due in march. we still don't have it so what's the status of it and if you run into problems in getting it done, what are those problems, how can we help? >> sir, thank you for the question. the office of policy has -- strategy. it rolls in components across the department ten the secret service, i.c.e., homeland security investigations, the u.s. coast guard, transportation
4:18 pm
security administration as well as nppd. so while we don't lead the development of that strategy because it is a department-wide strategy we are a significant player. to speak to the status of the strategy itself, my understanding of where it sits is influenced by the president's executive order, 13800 that was released back earlier in the spring. now that report puts dhs at the front or in the lead for almost all of the reports particularly in the first two with and fourth work stream. federal networks, critical infrastructure and cyber workforce. so while those reports and assessments are under way, they are anticipated to have significant impacts on some of the priorities perhaps of the department including nppd. so i believe the decision on finalizing the strategy has been to let's get through the cybersecurity assessments
4:19 pm
related to the e.o. as well as the administration's anticipated national security strategy and national cybersecurity strategy that are expected in the next several months and then when we have a broader understanding of where the department is going, that will then feed into the cybersecurity strategy. that said, rolling it all back to the requirement in the ndaa that you authored, it is still a priority to finalize that report. that said as a department we are moving forward with a number of our priorities and i do want to touch on a couple things you mentioned earlier, as the senior official performing the duties, while we do not have a permanent under secretary, i've been authorized and given the very clear direction by acting secretary duke to move out and execute every aspect of nppd.
4:20 pm
so while we do not have a permanent under secretary right now, i have all the authority i believe i need to execute the department's mission within nppd. >> with regards to a strategy and we talk about in terms of report, let me just take that aside. do we have a department wide strategy with how we're -- how we deal with cybersecurity and our needs and challenges that we're going to continue to face in the near future? >> sir, my understanding is there is a department wide cybersecurity strategy in draft form, yes, sir. >> so -- and again, i don't want to get into the weeds. are you all operating with some comprehensive strategy on a day-to-day basis to protect the cybersecurity? >> i understand, yes, sir. going back to my opening remarks, i indicated that nppd is in the lead for ensuring the
4:21 pm
nation's critical infrastructure both cybersecurity and physical threats. i mentioned the top goal which is securing our federal networks and facilities. for me and with the assistant secretary manfra that's at the top of our minds every single day. identifying and mitigating systematic risk across the infrastructure, the nation's infrastructure. when i think about that, i'm thinking about the section nine critical infrastructure at greatest risk but i'm also putting election infrastructure in there. as i mentioned in my opening comments, that for me is the number one priority for nppd from a critical infrastructure standpoint. we can not fail there and third and finally is enabling and incentivizing better security practices across the broader structure community. >> ms. hoffman, there's been a great deal of concern among national security experts that russia's goal in disrupting the
4:22 pm
ukraine's power supply in 2015 and 2016 was to test its capabilities in preparation for a larger attack on the united states. last month we learned that russia may have been responsible for dragonfly 2.0 which exploited and targeted some of our energy sector. how is the energy sector responding and what are their capabilities to prevent a widespread attack. with that i yield back. >> thank you, congressman for the question. ukraine attack was very much an eye opening event for the energy sector and the energy sector specifically, the electric sector got very organized in recognizing that we had to continue to step up our continuous monitoring capabilities. our ability to detect behavior on the system but also building inherent protections as we develop new technologies. recognize that the core of anything is protecting against
4:23 pm
spear phishing and passwords and credentials and that's starting to really go after where do we need to be with respect to preventing an attack from occurring on the system. so we've been working very actively with the electric sector to build some tools and capabilities and for protections of their system. >> okay. >> chair now recognizes gentleman from new york, mr. donovan for five minutes. >> thank you, mr. chairman. i just like to ask one question of all of you. in 2015, congress passed the cybersecurity act, in 2017 we passed the cybersecurity and infrastructure security agency act and the president also issued an executive order back in may to strengthen our abilities. what do you guys need? what can congress do to help you protect our nation, our federal agencies, our private entities?
4:24 pm
as mr. richmond said, our energy, industries, what do you guys need from us to help you protect our nation better than we're able to do now? >> sir, thank you for the question. the very first thing i would start with is as you mentioned the cybersecurity and infrastructure security agency act of 2017. passing out of the full committee was a significant step forward. what we need is quick action by the full house and the senate. let me give you a little anecdote about why that's important. that bill will give us three things. one, it'll allow us to introduce some operational efficiencies. looking at common infrastructure across the organization, push them together, so that we are more streamlined in how we engage and deliver services from a customer service orientation. second, it'll help with our branding and clarify roles and responsibilities but more importantly with our federal
4:25 pm
partners, the state and local partners and private partners. and finally what that's going to do is give us the ability to attract talent. we've talked about workforce, we've talked about hiring and we've talked about partnership. but on that clarity of roles and responsibilities let me talk about that for just a second. i've been down to puerto rico, twice in the last week. i was there last monday and then i was there last friday with acting secretary duke. on friday meeting with acting secretary duke, we were discussing a number of the critical infrastructure challenges in puerto rico. when it came around to me i talked about the communications infrastructures. the national communication center resides within the office of cybersecurity and communication. now when we talked about the status of things, what i was talking about was how we are assisting the communications
4:26 pm
carriers whether it's at&t, sprint, t-mobile, verizon, helping them get back in, prioritize deliveries of temporary capabilities, to helping temporary pop-up the communications coverage but at the same time helping them get resources in for cell towers. now as i briefed out where we were on helping those companies get resources back in, i introduced myself as the senior official performing the duties of the under secretary for the national protection and programs directorate. now try repeating that back. it's not easy. someone that has never heard that before immediately went on to a press interview and alongside the tsa administrator, coast guard, the secretaries of homeland security, she said we have fema, tsa, coast guard and the comms guy. she doesn't know how to describe me.
4:27 pm
when i'm out engaging my stakeholders they don't understand the mission i deliver. i need help clarifying that and providing very upfront, upfront clear what i do and what my team delivers. that is a significant advancement. any help i can get there, please, help me out. more broadly, though, in terms of additional authorities and clarification of authorities, we are in the process of running that kind of stock taking of where the department sits in cybersecurity. department of energy and the fast act got significant authorities that could come to bear in the event of a grid incident. dhs has authorities in terms of incident response, information sharing. thank you for those authorities. going forward, we're not quite sure just yet what we need but i'm going to tell you this the cybersecurity threat is not going away. our adversaries are getting better and faster and more agile. we need to be resourced. we need to be staffed. we need to be positioned to
4:28 pm
respond to that because i also know one more thing. we are not going to use less technology going forward. as you kaled earlier, we are going to the cloud. we are going to shared services. we're going to be relying upon these cross cutting technology capabilities and the information technology sector. we need to be ensured that from a digital defense perspective we have what we need. we will -- we welcome that conversation and you can believe that you'll see me again and we'll be talking about that. >> i have two seconds left in my, would you contribute please? >> yes, sir. very briefly, just to complement what chris talked about, we're working within the federal government to understand what is the full breadth of our authority. how can we lean in to the existing authorities we have to deploy more capability with the critical infrastructure sectors we are working to understand now that we've identified these most critical assets at greatest risk, are there legal and
4:29 pm
operational and policy hurdles that we need to address in order to ensure that we have appropriate prevention. so we look forward to working with you as we conclude these analyses. >> please don't wait till another hearing. please let us know how we can help. mr. chair, i yield back the time i don't have left. >> we recognize the gentleman from mississippi, mr. thompson. >> thank you, mr. chairman. the last two speakers have talked about being resourced and staffed from an agency standpoint. last march we held a hearing talking about staff at the department. can you give us the number of unfilled positions in the cyber division right now?
4:30 pm
>> sir, we are currently staffed at 76% of our fully funded billet. >> so we are 24% under. can you tell us why we're under staffed at this point? >> yes, sir. there are a variety of reasons. the first largely thanks to the work in this committee and our appropriations staff and congress in building the billets that are allocated to my organization. we have grown significantly. we've worked very hard to build according to those -- to that growth in billets but we have had some challenges. we've worked with our management colleagues and our human capital colleagues to identify areas where we can reduce the time to hire. i can say that looking at the statistics from fiscal year '16 hiring to '17 hiring, we've been
4:31 pm
able to reduce the time to hire by 10%. we are -- many of these requirements have to do with security clearances. it does take a long time to process people through that security clearance process but we've made significant progress, we're continuing to work with our security office to identify ways that we can continue to shorten that. we're also diversifying our recruitment path, looking at the scholarship for service. it has been a great pipeline to bring -- after the government has funded scholarships, bringing these individuals in as interns and hiring them full time. they are already fully qualified and looking at other programs such as pathways, presidential management fellows and other recent graduate programs. we're also looking at partnerships with industry where they can -- >> i don't mean to cut you off, but is the problem we have too many programs to attach people
4:32 pm
to or i'm just trying to find out why -- when we give you the authority to hire, why we've not been able to come closer wherever that authority is and is that something we need to do to get you to that point? >> sir, separate the authority that we were given by congress to build an excepted service program. what i was referring to was i did not -- i did not believe a couple years ago we were fully leveraging the authorities we already had and the programs that we already had to bring people in and tightening the timeline that it takes to bring people on. the excepted service program is led by our chief human capital officer. i know this is a high priority for her. we did not probably appropriately expedite the development of that program four
4:33 pm
years ago. we have now done so. my understanding is we'll now be able to hire against that program beginning in fiscal year '19 but there's a regulatory process that we do have to undergo as a part of that. >> just for the sake of the committee, can you provide us with a timeline between when somebody who's considered for employment and when that is completed? is it -- not just -- get back to us or is it three months, six months, a year? i think that would be instructive for us so we can kind of see if there's politics involved and the reason i say that, i think all of us are constantly bombarded by people looking for employment opportunities and if we have potential opportunities here, is
4:34 pm
it something we're not doing, we're not going out recruiting in a broader view or just what, we just need to kind of figure something out? >> right. if i could, sir, just clarify. the 76% is just indicating people that are on board right now. if you include the people in the full pipeline, that brings us to 85%. and so for us we're at averaging about 224 days to hire. that sounds long but that is to include a top secret sci clearance process which is actually a fairly bench mark, we're actually doing quite well. we want to continue to work with you, sir. we'll come back with you. >> just, please get back with us. mr. krebs, we have a congressional task force on election security and we made a request of the department to
4:35 pm
provide us a classified briefing around this issue and we've been told that it has to be bipartisan, that you can't just brief democrats. are you aware of that? >> sir, i'm not aware of any existing policy. let me say this, i share your concern on election infrastructure. i think i made that clear today and i want to say it directly to you as well that it is my top priority at the department. again, if we can't do this right, if we can't dedicate every single asset we have to safety our state and local partners, then frankly, i'm not sure what we're doing day-to-day. so in terms of what we've done in terms of engagements, we are prioritizing delivery of those briefings, information sharing to our state and local partners. we are doing it in a bipartisan manner. this does transcend party lines and we should be doing this.
4:36 pm
going forward i would encourage any additional briefings and we have provided a series of bipartisan briefings to the house homeland security committee both classified and unclassified. the real crux of this issue, the underpinning issue here is a trusted relationship. now did we have -- >> i appreciate it, but we have established a working group within the democrats on the committee and we're just trying to get a briefing. so i think it's nice to say i don't want to brief you because there's no republicans but we're members of congress and all we're trying to do is get access to the information and if your interest is there, i'm convinced that you'll provide it and that's the spirit in which the request was made, so we'll make it again. >> yes, sir. >> and look forward to you coming back and just bring us
4:37 pm
what information you have as members of congress and that's all we ask. >> thank you. >> i yield back, mr. chair. >> thank you. chair now recognizes the gentleman from virginia, mr. garrett. >> thank you, mr. chairman. i want to hit my talk button. my voice sounds better with the microphone on. i want to piggyback on what my friend and colleague thompson said and suggest that i would agree with you that election infrastructure, cybersecurity as it relates to partnering with overseeing conduct elections a priority that crosses and transcends the aisle and i would ask that any briefing that you give to democrat members you perhaps invite me too or give the exact same briefing to republican members which i think is inconsiderate of your time but i can't fathom why one party should be briefed on cybersecurity as it relates to our elections in the absence of another in the united states of
4:38 pm
america. so if you do, in fact, and i hope you will respond to the ranking member's request to brief on election -- electoral security, please invite me because i can't fathom that one party has monopoly on hoping that we can have free and fair trustworthy elections and i'm sure my colleague didn't mean it that way. i want to be very clear that that should not be a partisan issue and perhaps people from both parties or give the same briefing twice, which i think is inconsiderate and shortsighted. transitioning to what we know as it relates to russian cyber activity specifically with relation to estonia and the ukraine, based on my understanding the bulk of the platforms used to infiltrate infrastructure as it platforms malware it would appear based on my ability to speak in this
4:39 pm
forum were off the shelf, if you will, black energy were known entities that were discovered as it relates to these attacks as part of a coordinated attack. how well do we stay ahead or try to stay online with? i understand it's a moving target, the malware that might be implemented because to the extent there's any hope -- i understand the format that we're in might limit the conversation that we have, a lot of the malicious activity to this point conducted we presume and data would indicate by the russians has used off the shelf technology. so i guess the question there is, how quickly can we pick up on the advancements in malware and sort of -- into our preventive measures and that's wide open to whichever one of you wonderful folks would
4:40 pm
like to address it. >> if i may, i'll start and provide a bit of a broader approach and defer to my expert colleague from the department of energy on anything specific to the grid and electricity. >> i'm subject to a time limit so i apologize. >> i'll do this quickly. >> yes, sir. >> generally speaking when we've already talked about advanced persistent threat here. when we think about threats it's not necessarily generally speaking advanced. it's just persistent. folks are still, companies -- organizations are still not doing the basic blocking and tackling. some of those explorations were known on open vulnerabilities. the concept of a zero day exploit it's not the primary exploit that we tend to see in the wild. >> let me interrupt you. and i'm a big fan of limited government but in this arena because the entire nation hangs in the balance but everything as it relates to our grid, might
4:41 pm
it not be effective to hit the particular power providers where it counts and that is essentially make it cost something, perhaps metaphorically and literally for entities that don't patch those open known threats and that's something that would be within the purview of the government? you will be up to date on next wednesday or it'll cost you? would that be something that's been explored? >> my colleague can speak to the government piece and then we'll talk. >> i'm not trying -- you guys are great, five minutes. >> no problem. very briefly. the first directive we issued was reducing the time to patch vulnerabilities to 30 days. we have seen a complete cultural change as a result of that and we are now seeing the government highly prioritizing patching those critical vulnerabilities. i just wanted to throw that out there. >> there's a carrot on the stick. i'm glad to hear you say you're
4:42 pm
addressing that. i've got 15 seconds, i want to speak to the nature of nerc and whether or not it's a semi-private pseudo entity compromises intelligence, et cetera, procedures? >> i don't think nerc as an organization compromises any sort of intelligence. it does have the information sharing analysis center which is our mechanism for sharing information to the sector at large. it also has capabilities to compel and look at the industry to respond so we can get the information we need. >> thank you all and i apologize for running briefly over. >> thank the gentleman and the chair recognizes my friend from rhode island, congressman. >> thank you, mr. chairman. i want to thank our witnesses for your testimony. before i go into my questions i wanted to mention for publicly and take you to mr. garrett, that some member of the
4:43 pm
elections task force that the democrats have put together on how to go forward in improving election security and i would say to my colleague that there was an initial effort in outreach to republicans to make this a bipartisan effort which was not accepted. it was -- we didn't find anyone that was receptive but i would say this, the task force meetings are open to the public. my colleague, mr. garrett is welcome to participate fully with that and with respect to that ranking members' question on the classified briefing, both on russian interference in our elections and how we're better securing our election systems, that is a -- democrats only or democrats and republicans, i would prefer it to be a democrat and republican briefing. however we get the briefing, unless i'm misunderstanding what the ranking member was stating is
4:44 pm
we just want the briefing. we ask that you provide that to us. >> yes, sir. i do believe we have provided classified briefing in the past and welcomed the full committee briefing on that as well. >> so the other thing i wanted to mention, i appreciate your comments that you have all the authorities and in your acting role to do the job necessary in cyber. i would reiterate that it is vitally important that we get key people appointed and in place permanently. i respect the work that you're doing and your team and -- but we need permanent people in place, both to inspire confidence and clarity. let me get to my questions very quickly. i'll try to go through them. if there are ones you can't answer fully because of time constraints, either request a follow-up in writing. and so on september 13th, dhs
4:45 pm
issued binding operational directive 1701 which directed agencies to remove products from the systems within the next 90 days. and in doing so, dhs for the first time issued a public statement to coincide with the establishment of the directive and which i would like to commend the department for this added transparency. i thought that was important. my question is, what analysis led to the removal of -- from federal networks and this is the case -- this answer may be classified in which case i would request that you and your team provide briefing to members on the -- that this committee both sides of the aisle understand what went into that. next, mr. krebs the sec was breached in late 2016 and we now know that the attackers had
4:46 pm
access to corporate filings prior to the public release. the announcement of this breach was made nearly a year after it was first discovered. my question was when was dhs informed of the breach and what was dhs's involvement in detecting, responding and recovering from these -- from this attack? and finally, how can dhs improve its integration with the federal agencies to ensure that these types of attacks are detected and notified quicker. >> thank you. let me briefly touch on the kaspersky piece. that determination was based on the totality of evidence including open source information and in terms of classified briefing, i believe we are on the schedule for some point in the next month or so with the full committee, the monthly intel briefing. with that if i may i'd like to turn it over to --
4:47 pm
>> thank you. >> sir, welcome to support a briefing on kaspersky. as far as the sec, we're also happy to come in and have a more fulsome conversation with you about that. they did notify us last year on november 4th of an issue. it was at the time the extent of the issue was not well understood and given the time limits here i think it might be more useful if we sat down with you and other staff members as appropriate to walk through specific details. >> and what do you think -- what was the dhs involvement in detecting and responding to the recovery? >> sir, we have very limited involvement with the sec. they did not request our follow-up for a response. >> and on the issue of how they
4:48 pm
can work better in the future? >> sir, in addition to this incident as well as several others we are reviewing our procedures to ensure that it's clear that when -- when an incident happens, what role the department needs to play in a response not just at the request of an agency and that if we're looking at specific critical services and function, then the department needs to have a more active role in that response regardless of whether the agency requests it. >> thank you. in august, we traveled to def con and i think we both were impressed by the willingness to report vulnerabilities in order to improve overall internet
4:49 pm
security. one of the things i found -- the pentagon's program was very helpful in identifying security vulnerabilities and getting to the attention of the right individuals to close those vulnerabilities, they want to make the internet work better and -- but they want to know that when they find a vulnerability that there's a path forward and they can report it and someone will do something about it and it's heard. >> we actually have a very long-standing program on both operational technology vulnerabilities so industrial control systems as well as enterprise technologies and we've been working with security researchers in both communities for years to provide them a space for them to identify that vulnerability and also to advocate with the owner of that software for a patch and much of the alerts that we issue are the result of collaboration with security researchers.
4:50 pm
we also have our own organization within my group that conducts penetration testing and risk vulnerability assessments to include dhs vulnerabilities assessment across the government to include dhs networks, so while our bug programs can be useful, we need to ensure that they're supplemented with the broader risk and vulnerability analysis and testing that my organization does to ensure organizations are appropriately prioritizing what they're addressing. >> okay, what about dhs' own systems? >> my organization also supports penetration testing and vulnerability assessments within the dhs, particularly the high-value assets that dhs owns. i do know that our leadership and the management is interested in learning from what the department of defense has done in their bug bounty program and how that might apply to dhs, so we're continuing to work through how that might be applied for
4:51 pm
our organization. >> i had one more on election security. can i ask that? so i know we have touched on this a bit, but for the record, i really wanted to dive deeper into this. it's a very interesting to ensure that state and local election officials have access to officials from dhs to protect the vital systems that represent the cornerstone of our democracy. can you further describe how dhs is working with election officials to protect networks? do you believe that dhs' response to the unprecedented interference in our elections last year has been sufficient, and how can we improve the relationship and access to resources? are there additional funds or resources that the department needs in this respect? >> so thank you for those questions. let me start at the end with improving relationships. while i was not at the department last summer, as this
4:52 pm
all manifested, i can speak to generally the relationships with state election officials. that was not an existing relationship between the department of homeland security and the state and locals. however, we do have strong relationships, of course, with the homeland security advisers and the chief information officers and chief information security officers. but to square the circle on this specific threat, we need to develop partnerships that are, you know, three or four legs on the stool within each specific state. and each state is going to be a little bit different in terms of how, who they designate as the chief election official as well as you roll in the vendors of the technology. so in terms of how to improve relationships, it's going to take a lot of effort and a little bit of time. and those are things that we are working on right now. we don't have much time. but we are dedicating resources. in fact, just this morning i sent out a notice across my organization and ppd reflecting some changes we made
4:53 pm
organizationally last week, by establishing an election task force. previously, the election infrastructure piece had been held within the office of infrastructure protection as a program. again, matching my words with our execution, we're elevating it to a task force, bringing components or pieces across the dhs components including the office of intelligence analysis and resourcing it appropriately. this is speaking to a lot of resources, we're pulling the resources together in recognition that we don't have a lot of time given there are three elections this year. >> and the money is committed to this? >> i don't have the ftes on hand right now, but i can get back to you. >> and specifically. >> if i could just make one additional point on the resources. ranking member richmond noted his understanding there was a nine-month wait for risk and vulnerability assessments. i don't know whether that's the exact current number, but that speaks to the high demand that
4:54 pm
we're experiencing for our assessment services. that is everything from penetration testing to the cyber hygiene scans that multiple states and localities are participating in and continue to participate in, as well as these more in-depth risk and vulnerability assessments. we are growing that program. we're diverting resources. we're building infrastructure so we can more scale that, but these are services we're providing not just to federal agencies but also to state and local governments as well as critical infrastructure. and we're experiencing much more demand for those services, and we're continuing to look for ways to scale that capability. >> thank you. >> thank you for your answers. again, if there is a follow-up you can provide to us in writing on briefings, i would appreciate that. mr. chairman, thank you for your indulgence. >> you're welcome. the gentleman yields back. i want to thank all three of our witnesses today for your
4:55 pm
valuable and insightful testimony. thank all the members for their questions today. the members of the committee do have some additional questions for witnesses, and we'll ask you to respond to those in writing. pursuant to committee rule 7-d, the hearing record will be held open for a period of ten days. and without objection, this subcommittee stands adjourned.
4:57 pm
>> former equifax ceo richard smith testified before the senate banking committee recently on the company's data breach, which exposed personal information on more than 140 million people. alabama senator richard shelby is the chair of the banking committee. >> this committee will come to order. this morning, we will hear testimony from richard smith, former
