
tv   House Hearing on Cybersecurity Threats  CSPAN  January 27, 2025 10:55pm-1:34am EST

10:56 pm
>> and now a house homeland security hearing on threats to u.s. cybersecurity, in particular from foreign nations. testimony from former government cyber officials. this is two hours and 35 minutes. >> we will gavel in in just a
10:57 pm
few seconds. >> the committee on homeland security will come to order. the purpose of this hearing is to examine the growing cyber threats to our homeland. the actors, the tactics and the trends. specifically we are going to delve into the risks posed by the people's republic of china which has burrowed into our critical infrastructure and compromised our telecommunications networks. we will discuss the threat posed by our other three nation-state adversaries who leverage cyberspace, russia, iran and north korea. i recognize myself for an opening statement. good morning, everyone. now that we are officially organized as a committee, i would like to welcome everyone to the 119th congress. we were discussing earlier the
10:58 pm
119. we have a lot of work to do. to support and secure the homeland. that is why cybersecurity is our top priority and it is why the topic of our first full committee hearing is cybersecurity. in today's interconnected world virtually every aspect of american life is impacted by cybersecurity. from our nation's health care system, water supply to simple internet browsing. cyberspace is increasingly becoming a digital battlefield. america's adversaries use cyberspace to undermine our sovereignty and threaten the services and infrastructure that america depends on. the people's republic of china, russia, north korea, iran and critical actors weaponize cyberspace to harm our nation. they are only getting more sophisticated and unfortunately more aggressive. right now the p.r.c. has
10:59 pm
burrowed into our infrastructure. let that sink in for a moment. china is prepositioned in our infrastructure. we know it. and they have been for years. should we enter into a conflict with the p.r.c., the chinese communist party is ready to shut down our essential services, communications, energy grid, maritime ports and our water systems to name just a few. we cannot allow this situation to continue. the american economy, our government, and military depend on the resilience of our networks and infrastructure. it is past time to get a step ahead of the typhoons, list of actors that grow every day. we have played defense far too long and now it is time to go on the offensive. to do this we need to be prepared -- we need prepared cyber professionals. some of these nationstates
11:00 pm
issues go beyond what our current defenders can address and this is why one of my top priorities is to pass the cyber pivot act which cultivates the cyber workforce we need at scale. we pass it out of this committee unanimously last year and this year we hope to get it signed into law. we need a coordinated effort to rapidly share information with the private sector. since the private sector owns and operates most of the infrastructure, the collaboration of the organizations i look forward to hearing from our panel of witnesses about how we can improve public-private partnerships for cyber and critical infrastructure issues. so far i've focused on one threat actor, arguably the one that poses the greatest risk to the united states in cyberspace and beyond. however, there are many other threats that we must be prepared to address simultaneously. for example, the iranian revolutionary guard corps has targeted our elections, notably hacking the trump campaign in the 2024 cycle.
11:01 pm
it has also repeatedly tried to compromise us water and waterway systems. the intelligence community indicates that moscow uses cyber disruptions to influence the decisions of countries like the united states. north korea is a major culprit of cybersecurity and cybercrimes as well. to devise strategies to address these challenges and threats in cyberspace, we must better understand them. and that's what we're doing here today. our witnesses will provide the insights we need to think critically about tackling current and emerging cyber threats to our homeland. all witnesses are private sector leaders, three of whom bring key insights from their government experience. thank you all for being here to set the scene for us as we dive into the 119th congress. i look forward to the discussion and to a productive congress of enhancing our cybersecurity posture. i now recognize the ranking member for his opening statement. >>
11:02 pm
thank you very much, mr. chairman. today marks the committee's first hearing, as you've already indicated, of the 119th congress, and the first hearing the committee will hold during the new trump administration. i'm encouraged by the chairman's interest in devoting more of the committee's time to cybersecurity, this congress. that said, i'd be remiss if i did not express concern about what we will be able to achieve. over 6 years ago, bipartisan members of this committee came together to support legislation. authored by then chairman mccaul
11:03 pm
to establish cybersecurity and infrastructure security agency now commonly referred to as cisa. when he signed the bill into law, president trump said, and i quote, as a cyber battle space evolves, this new agency will ensure that we confront the full range of threats from nation states, cyber criminals, and other malicious actors, of which there are many, unquote. with the apparent support of president trump, members of this committee worked together to pass legislation authored by both democrats and republicans to ensure cisa had the resources and authorities it needed to carry out its important federal network and critical infrastructure mission. unfortunately, driven by false allegations and conspiracy theories, president trump and many of his many republican colleagues have soured on cisa. less than a year ago, over 100 of them voted to cut cisa's funding by 25%. some of the loudest and most influential voices on the other side wanted to eliminate cisa entirely, so even relatively minor bills that touch cisa have been difficult to advance.
11:04 pm
i'm hopeful that the committee's focus on cybersecurity of this congress will help members understand what cisa does and does not do so we can return to our bipartisan work of making the digital ecosystem safer and more secure. bearing that in mind, we have to be clear eyed about the enormous task ahead. cyberattacks from china, russia, iran, and cyber criminals are growing bolder and more prolific. last year, former fbi director christopher wray warned that chinese threat actors like volt typhoon pose an imminent threat to the us critical infrastructure because they are prepositioning to physically wreak havoc on our critical infrastructure at a time of its choosing. preparing critical infrastructure owners and operators to defend and build resilience in prc sponsored
11:05 pm
cyberattacks requires consistent investment in cisa's program. and that is to say nothing of its work to help private sector defend against the espionage threats posed by salt typhoon and silk typhoon or the threats posed by other adversaries. during the 116th and 117th congress, this committee worked on a bipartisan basis to right size cisa's budget, so it would be well positioned to defend federal and critical infrastructure networks against these types of urgent threats. in fact, in 2020, the top republican on the committee advocated that cisa should be a $5 billion agency by 2025. so i was troubled by dhs's secretary nominee's testimony last week that she wants a
11:06 pm
smaller cisa because it's guiding far off mission. although it was not entirely clear what she meant by that comment, committed democrats will oppose any effort to shortchange cisa's mission or its workforce. the biden harris administration left behind a solid foundation for improving the nation's cybersecurity that the new administration can build upon. its national cyber strategy put the country on path to reduce cyber risks systematically by shifting the responsibility for security away from our constituents and on to technology manufacturers and by incentivizing the adoption and integration of better security practices. its executive orders on cybersecurity modernized the federal government's approach to securing its own networks, sought to address supply chain and third party risk and harnessed the security benefits of new technologies.
11:07 pm
for its part, cisa launched the successful state and local cybersecurity grant program, led efforts to improve the security of the technology we use through its secure by design program and began to mature its operational collaboration activities through the joint cyber defense collaborative. the new administration should not reverse course on this hard-won progress. before i close, i'd also like to express my concern regarding the dismal. dissemination of government members of advisory, i'm sorry, dismissal of non-government members of advisory committees inside the department, including the cyber safety review board and the cisa advisory committee. the csrb is in the process of investigating the salt typhoon hack of 9 major telecommunication companies, and
11:08 pm
it is a national security imperative that the investigation be completed expeditiously. i'm troubled that the president's attempt to stack the csrb with loyalists may cause its important work on the salt typhoon campaign to be delayed. the american people deserve better. with that, i thank the witnesses for being here, and i yield back the balance of my time. thank you, ranking member. other members of the committee are reminded that opening statements may be submitted for the record. i'm pleased to have a distinguished panel of witnesses before us today and ask that our witnesses please rise and raise your right hand. do you solemnly swear that the testimony you will give before this committee on homeland security of the united states house of representatives will be the truth, the whole truth, and nothing but the truth, so help you god.
11:09 pm
let the record reflect that the witnesses answered in the affirmative, and thank you, you may be seated. i'd now like to formally introduce our witnesses. mr. adam meyers currently serves as the senior vice president of counter adversary operations at crowdstrike, where he leads the company's threat intelligence line of businesses. he also oversees the development and deployment of ai, machine learning, reverse engineering, and other technologies to detect suspicious and malicious cyber behavior. before joining crowdstrike, mr. myers was the director for cybersecurity intelligence at sra international. mr. mark montgomery. mr. mark montgomery serves as the senior director of the center on cyber and technology and innovation at the foundation of defense of democracies. mr. montgomery also directs csc 2.0, an initiative that works to implement the recommendations of the congressionally mandated cyberspace solarium commission, where he serves as an executive
11:10 pm
director. previously, mr. montgomery served as policy director for the senate armed services committee. he served in the united states navy for 32 years as a nuclear-trained surface warfare officer, retiring as a rear admiral in 2017. mr. brandon wales. mr. wales serves as vice president of cybersecurity strategy at sentinelone. before his current role, mr. wales served as the acting executive director of cisa, where he supervised the agency's operations and spearheaded its long-term strategy development. mr. wales was also appointed senior response official leading the domestic preparedness and response concerning the crisis between russia and ukraine. he spent almost 15 years at dhs in various leadership roles. ms. kemba walden. ms. kemba walden serves as the president of the paladin global institute, which was founded to bring the private capital perspective into technology policy.
11:11 pm
previously, she served as the acting national cyber director and was oncd's inaugural principal deputy. prior to oncd, ms. walden served as assistant general counsel for microsoft's digital crimes unit. she has over a decade of experience at the department of homeland security. i thank all of our witnesses for being here today, and i now recognize mr. myers for 5 minutes to summarize his opening statement. chairman green, ranking member thompson, members of the committee, thank you for the opportunity to testify today. my name is adam myers, and i serve as senior vice president for counter adversary operations of crowdstrike. for over a decade, i've led the company's practice area, monitoring and disrupting cyber threats. today i will share insights into the global cyber threat landscape and highlight steps we can take to strengthen our collective defenses. as a leading us cybersecurity company, crowdstrike has a unique vantage point which gives us unparalleled visibility into adversaries evolving tactics and
11:12 pm
allows us to see the full scope of the threats facing our nation. after over a decade of investing in programs to strengthen their cyber capabilities, china has matured to achieve at least parity with other world cyberpowers. they now possess a sophisticated and highly effective offensive cyber capacity targeting every region and every industry vertical across the globe. recent campaigns demonstrate the ability to compromise large, well-resourced, and well defended enterprises operating as providers for the rest of the technology ecosystem. one indicator of this maturation is recent chinese operations aimed at conducting upstream or bulk collection and subsequent downstream targeting of us political and national security officials. some notable china nexus adversaries we've observed recently include vanguard panda, also known as volt typhoon, operator panda, which likely overlaps with an actor elsewhere reported as salt typhoon, and liminal panda, which heavily
11:13 pm
targets telecommunications and critical infrastructure. some campaigns are suggestive of prepositioning capabilities which could be precursors for disruptive and destructive cyberattacks. over the past year, cyber nexus intrusions increased 150% across all sectors on average compared to 2023. these increases were most significant in the financial services, media, manufacturing, and industrial and engineering sectors, which all experienced between 2 and 300% increases compared to previous years. beyond china, other threats continue to evolve. north korea has engaged in significant financially motivated threat activities since at least 2015. recently they've exploited numerous us companies by pursuing remote working opportunities, earning a paycheck while occasionally stealing intellectual property. russian nexus adversaries continue to prioritize intelligence collection against western military, political, and diplomatic entities, with their operations heavily influenced by the war in ukraine.
11:14 pm
these actors have evolved their tactics to target mobile devices, reflecting a need for battlefield intelligence. in 2024, motivated by ongoing conflicts in the middle east, iranian nexus adversaries continued to extensively target israeli entities. one threat actor, charming kitten, collected intelligence on regional policy experts while others conducted destructive operations and information operations. they've also begun leveraging artificial intelligence to enhance their capabilities, including vulnerability research and exploit development. from a criminal perspective, ransomware threats continue to impact all geographic regions and industries. hacktivists, for their part, continue to grow in sophistication and also increasingly engage in for-profit e-crime in addition to pursuing social, political, and terrorist agendas. the cyber threat landscape is complex, dynamic, and increasingly interconnected. adversaries are constantly refining their tactics to
11:15 pm
exploit vulnerabilities across industries and sectors. to counter these threats, we must raise the cost of cyberattacks and reduce their impact. this requires investment and a collaborative effort across government, industry, and the cybersecurity community. i recommend that enterprises must take steps to defeat the threats i've outlined today. these include strengthening identity protection, such as through identity threat detection and response, enhancing enterprise visibility through endpoint detection and response and integrating detection and telemetry data through next generation siem capabilities to enable proactive threat hunting. the federal government can enhance national security by doing cybersecurity well, adopting best in class technologies, and more consistently disrupting adversary infrastructure. with respect to the latter, recent coordinated operations have degraded threat actor capabilities. we need to increase the tempo of these operations. for congress's part, it's appropriate to perform oversight to ensure federal agencies are actively pursuing the objective outlined above, as well as
11:16 pm
ensuring resource alignment and accountability. further, it's worth contemplating the use of tax credits, rebates, and other incentives to make best in class cybersecurity tools and training more accessible. as the federal government takes on initiatives to modernize and create efficiencies during this period of transition, as well as review and deprecate legacy programs and systems, there's a significant opportunity to move the needle in each of these areas. thank you again for the opportunity to testify today, and i look forward to your questions. >> thank you, mr. myers. i now recognize i guess it's rear admiral montgomery. rear admiral montgomery, yeah, for 5 minutes to summarize his opening statement. thank you. >> thank you, chairman green, ranking member thompson, members of the committee for inviting me here today. since 9/11, every president has stated the defense of the homeland is the nation's number one priority. and despite this attention as president trump takes office this week, the homeland has never been less secure. while america does remain at
11:17 pm
risk from physical attack by terrorists and even missile attacks from russia and china, the most persistent vulnerability is the threat of cyberattack. and make no mistake, china is america's most capable and opportunistic cyber adversary. look, china's not alone, as was mentioned, russia, iran, north korea, criminal actors, they all had banner years in 2024 penetrating us networks, conducting espionage, extorting ransoms, stealing sensitive data. but of greatest concern to me is china's volt typhoon operation, which involves chinese hackers installing malware within infrastructures. this malware lies in wait, ready to disrupt and destroy us systems at a time of beijing's choosing. this campaign penetrated numerous critical infrastructures in the united states, including ports, energy systems, and water utilities. as a military planner, i used to call this operational preparation of the battlefield. china's overarching goal in executing an operation like volt typhoon is to disrupt or degrade america's rail, port, and aviation systems so that the us cannot rapidly mobilize military
11:18 pm
forces and get military equipment, personnel, and supplies to the battlefield. and addressing these cyber vulnerabilities is going to be really challenging because the defense department does not control the infrastructure on which military mobilization depends. instead, the us military relies on 18 commercial ports, 70 civilian airports, and 40,000 miles of commercial rail lines. that's how we move our troops and our equipment overseas, and these systems are largely owned by the private sector and local governments, and they're often maintained with insufficient levels of cyber resilience. to make matters worse, the energy, financial services, and manufacturing industries that drive economic productivity in our country and the water, food, and healthcare systems that keep americans alive, they're all equally vulnerable to this cyberattack, and both nation states and criminals out for a quick payday take advantage. and while the private sector does own this critical infrastructure, and they've definitely not done enough to invest in cybersecurity, the us
11:19 pm
government is also at fault for its poor performance as a partner to the private sector, and many of the federal agencies that are responsible for what we call the public-private collaboration, some are even uninterested, and many of them are under-resourced in the mission. so i think as we look for solutions, the key challenge for the united states is to restore deterrence in cyberspace, making it too hard or too painful for an adversary to disrupt or exploit our networks and systems here in the united states. to do this requires both deterrence by denial, improving our defensive efforts, and deterrence by punishment, which is improving our ability to impose costs on an adversary overseas. in my written testimony, i provide 8 recommendations, but i just want to highlight 4 of them here given the time constraints. first, we need to secure the critical infrastructures that support military mobility. we have to address the vulnerabilities in aviation, rail, and port infrastructure and ensure that the coast guard,
11:20 pm
tsa, and faa have the necessary authorizations and appropriations to execute their missions. and the private sector operators of these systems will need technical and financial assistance to combat the chinese cyber attacks and ensure the availability of essential services in a time of crisis. second, we've got to prioritize assets. the united states cannot protect everything everywhere all at once. within critical infrastructure, there are assets and entities that are more critical to us national security. these assets need priority access to intelligence and incident reporting support, incident response support, sorry. in return, the american people should expect these assets to practice a higher level of cybersecurity. third, we need to better utilize the national guard to defend our critical assets. the guard uniquely bridges military and civilian sectors as well as federal and state government authorities, making it ideally suited to respond to a domestic cyber threat. the congress should work with the department of defense to determine the guard's long-term
11:21 pm
role in the cyber protection of critical infrastructure and identify any new necessary authorities, which i don't think are many, and resources, which i think will be many to do this. finally, we got to, we have to recruit and develop an effective government cyber workforce. we need to hire more talent for federal, state, and local governments. we need a program that focuses on hiring graduates from vocational schools and community colleges where students can earn skills and certifications. the cyber pivot act from last congress answers this challenge and should be reattacked this congress. in the past, the united states has had the luxury of thinking about how to handle a threat from an adversary state over there in their backyard. things are different today. to make america secure, we'll have to make the investments in cybersecurity and critical infrastructure that america has postponed for far too long. again, thank you for inviting me to speak, and i look forward to your questions.
11:22 pm
>> yeah chairman green, ranking member thompson, and members of the committee, thank you for the opportunity to testify today on global cyber threats, a subject that i've spent nearly two decades focused on in government service and in the private sector. the past few years of publicly acknowledged intrusions by china, russia, iran, north korea, and cybercriminal organizations make clear that the us is facing increasingly sophisticated adversaries in ongoing cyber warfare. the intensity of that threat is at an all-time high, driven by a combination of increased geopolitical tensions and the rapid pace of technological change, and it shows no signs of abating. defenders in both the government and the private sector are learning from each breach. however, threat actors are also evolving and innovating. maintaining a strategic edge and building national cyber resilience remains a critical challenge and will require new thinking across the public and private sector.
11:23 pm
among the various cyber threat actors, the people's republic of china stands out for its persistence, breadth of operations, and capabilities, and i'll focus the remainder of my testimony here. the threat posed by the prc is nothing new. in 2007, they stole the plans for the f-35. in 2010, they compromised google. in 2015, they hacked opm, and the list goes on. as a result of these and other unprecedented attacks, presidents obama and xi negotiated restrictions on cyber-enabled theft of intellectual property. however, in the wake of that 2015 agreement, the prc retooled, they reorganized. and now they are more dangerous than ever. according to the fbi, their hacking program is now larger than every other major nation combined. and over the past two years, the extent of their strategy has become alarmingly clear. in 2023, microsoft and the us government uncovered that chinese actors associated with
11:24 pm
the people's liberation army were prepositioning on us critical infrastructure, preparing to launch disruptive or destructive attacks during a crisis or in the prelude to war. that summer, chinese actors compromised microsoft's signing keys, granting them access to nearly anyone's email on microsoft exchange online. late last year, it emerged that chinese ministry of state security actors had breached major us communications companies. the prc's objective is unambiguous. they are preparing for war on the networks of america's businesses, infrastructure, and government agencies. their goals are to prevent the united states from defending its partners and allies by disrupting our ability to project power into the pacific and to weaken america's resolve by causing societal chaos inside the homeland. our response must be equally clear-eyed through a whole of society effort that combines government resources, authorities, and expertise with private sector innovation, insights and reach all
11:25 pm
underpinned by the support of the american people. which brings me to a series of recommendations. first, the federal government should continue strengthening and centralizing critical cybersecurity capabilities within cisa, streamlining regulatory oversight of industry and regulating smarter rather than simply more. additionally, the government must fully leverage its tools alongside those of our partners and allies to disrupt and deter adversaries wherever possible. second, business leaders, particularly in our nation's critical infrastructure, need to understand that the government cannot save them from all threats. cyber risks are core business risks, and therefore companies are ultimately responsible for their security and resilience. more importantly, if they are not already preparing for a crisis with china, they're late. third, the government, industry, and the public must collectively demand more from technology, product and service providers.
11:26 pm
we cannot secure our diverse infrastructure one system at a time. unless the technology we depend on is secured by design, by default, and in operation, we will remain at the mercy of our adversaries. finally, we must be transparent about the sources of the cyber threats we face. vague terms like typhoon or panda are fine for internal actor tracking, but in the broader public discourse, they obscure rather than clarify that foreign military and intelligence agencies are actively planning to attack systems critical to public health, safety, security, and economic well-being. calling these actors by name is essential to fostering public understanding and engagement. and time is not on our side. president xi has instructed the pla to be ready to militarily retake taiwan by 2027. this means the us government, industry, and allies have only 2 years to prepare.
11:27 pm
to that end, the actions of the 119th congress could prove among the most consequential in modern history. i applaud the committee for prioritizing this issue first, and i look forward to your questions. thank you. thank you, mr. wales. i now recognize ms. walden for 5 minutes to summarize her opening statement. chairman green, ranking member thompson, distinguished members of the committee, thank you for inviting me to testify today on this important topic. i'm kemba walden, president of the paladin global institute and co-chair of the aspen digital us cybersecurity group. i'm here today in my personal capacity, drawing from my experience as former acting national cyber director in my roles at microsoft and at the department of homeland security. the last 4 years have seen new sophisticated cyber threats, each of which has highlighted why cyber remains a significant source of human caused risk to our homeland. we saw the 2020 russian attack on the solarwinds platform and then the 2021 ransomware attack against colonial pipeline. and then in 2022, the first shots fired in russia's
11:28 pm
unprovoked war of aggression in ukraine were from a cyberattack targeting an american satellite communications company. each of these incidents represents a clear national security threat in their own right, and i haven't even mentioned the microsoft exchange server debacle, log4j or the billions of dollars spent in the aftermath of change healthcare. yet there are 2 campaigns in the past 4 years that i hope the committee will focus its attention on. the first is the recently uncovered targeting of our nation's critical infrastructure by the people's republic of china. this activity dubbed volt typhoon represents a step change in the prc's cyber operational capability, demonstrating their willingness to preposition in our critical infrastructure in preparation for a future conflict. second, we've now witnessed the prc snooping on our telecommunications networks. salt typhoon shows the prc
11:29 pm
investments are paying off in truly a scary fashion. as they have access to the beating heart of the internet itself. i raise these two examples to highlight the stakes we face. the prc's capabilities are rapidly improving. and we have seen from their behavior that they are ready to use cyber tools to attack our critical infrastructure, but despite these threats, there are key steps that congress and the new administration can take to increase our resilience and improve the nation's cybersecurity posture. we must strengthen national cybersecurity by clarifying roles and responsibilities of the private sector and government, upscaling our collective workforce, and embracing technological innovation. on the first, the roles and responsibilities front, there are 3 legislative actions that i would offer as low hanging fruit for you to consider. the cybersecurity and information sharing act of 2015 expires in september. this committee must take action to reauthorize that legislation
11:30 pm
to ensure we do not see hard-won progress lost to congressional inaction. i also urge the committee to further clarify liability protections related to the defensive measures to allow for the most proactive defensive approach possible. regulatory harmonization is an enormous challenge that places an untenable burden on business while harming our cybersecurity. last congress, senator peters, senator lankford, and congressman higgins introduced legislation to help bring coherence to the multitude of federal regulatory approaches by empowering the national cyber director, and congress should move swiftly to reintroduce and advance this important bill. this committee should also work to codify the cyber safety review board or csrb, which helps to understand the root cause of cyber incidents that keep us from making the
11:31 pm
same mistakes over and over. i hope you will consider strengthening the board by making it full time, independent and nonpartisan, with its own administrative subpoena power. of course, all the policies in the world are meaningless without the workforce implementing them. while there are several successful programs that are helping to put a dent in the hundreds of thousands of unfilled cyber jobs we have in this country, there is absolutely more we can do. to remain sustainable, congress should expand cisa's current cyber workforce programs, increase the number of internships and apprenticeships available to qualifying students with or without college degrees, and provide incentives for cyber professionals to work at under-resourced targets like hospitals and water systems. finally, i urge you to embrace technology, including from venture-backed companies that
11:32 pm
are truly at the cutting edge, and allow it to be part of the solution. supporting the use of artificial intelligence, for example, for threat detection and response, can help neutralize sophisticated cyber threats more efficiently. distinguishing between our digital presence, knowing who's who and that you are you, is of paramount importance to cybersecurity. the federal government must update its digital identity guidelines to prevent unauthorized access, phishing, and email-based attacks, and decrease cyber fraud of public benefit programs. in conclusion, the global cyber threat landscape requires a coordinated, proactive approach combining legislative action, technological innovation, and operational collaboration. acting together, we can protect our national security interests while fostering innovation and economic growth. thank you again for the opportunity to appear before you, and i look forward to your questions.
11:33 pm
>> thank you, ms. walden. members will be recognized in order of seniority for their 5 minutes of questioning. i want to remind everyone to please keep their questioning to 5 minutes. an additional round of questioning may be called after all members have been recognized. i now recognize myself for 5 minutes of questioning. over the last year, the us government has discovered a number of prc state sponsored threat actors deeply embedded in and across the nation's critical networks. typhoon, salt typhoon, flax typhoon, and most recently silk typhoon have compromised our critical infrastructure, hacked sensitive communications, breached federal workstations, etc. i appreciate mr. wales's comment about these names seemingly masking the real true identity of the threat. and i take that, i take that to heart. um, we need to call china out. aggressively on this. um, it's alarming that most of our critical infrastructure systems have been violated right under our noses.
11:34 pm
mr. myers, can you explain the prc's playbook on how each of the typhoon operations or how china's cyber war against the united states is, how they're doing it? >> thank you, chairman. china has engaged in, uh, as i mentioned, a maturation in how they conduct these operations. today they're using exploits that target external facing devices that are connected directly to the internet that effectively bridge enterprises to the internet. these devices are often unmanaged. in many cases they may be legacy or have proprietary capabilities. that means that they don't run modern security tools. and china's also nationally -- >> an example of one of those, like, are we talking about a fitbit on your wrist or i mean what are we talking about? >> sure, like a router or a vpn concentrator, things that are
11:35 pm
meant to connect the enterprise to the network or allow remote users to authenticate in are some of the nodes, so to speak, between silos. >> yes sir, and these are highly prioritized and highly valuable targets for these threat actors. they've nationalized their vulnerability research program in 2018, for example, they changed the national security law in china, and all vulnerability research has to be submitted through the chinese government, whereas here in the united states we follow something we call responsible disclosure where if i find a vulnerability in a product, i notify that product vendor in order to try to get it fixed.
11:36 pm
they're effectively nationalizing that resource so that they can use that for exploits against american technology and american companies. once they gain that access, they attempt to remain stealthy and either conduct espionage in order to inform political and military decision making or in the case of vanguard panda, also known as volt typhoon, the prepositioning that we've discussed here, which would be potentially useful to bring down some of these networks that mr. montgomery mentioned in time of conflict. one of the questions i have of all of you, and i'm not going to ask for an open answer today, but i'd like to ask if in writing you could give your opinions. and thoughts on how we address the issue of first to market for software and the vulnerabilities that it creates, that incentive to be the first to market. i get the economic benefit, the competitive advantage that comes from being first to market, but what can we do as a government to not suppress, you know, our economic competitiveness, but at the same time address something that's very difficult, and that is the vulnerabilities that come when software companies rush off to market. so again, not for an answer today, but if you would, i think
11:37 pm
that's something that's really important and on my, uh, to tackle this congress list, i want to ask or just i only have a minute. rear admiral montgomery, you mentioned the national guard and their importance in the defense of the nation. one of my national defense authorization act amendments last cycle, i'm going to bring it forward again this cycle, is to put a cyber defense unit, national guard unit in every state, as much to help, you know, our own national defense, but really because the states can then you know, put those guys on title 32 and use them in the event that because our local governments and our states are getting hammered just as much as the federal government is. and i wanted to get your thoughts on that while i had a few seconds. so i agree, and i agree for several reasons. one, governors have authorities at the state level that the feds federal government doesn't have. so actually having them local like that's good.
11:38 pm
two, they have relationships within the community already. they come from companies there and i do think you need it spread widespread because the state will lend. you know, disaster response to a state 6 or 7 states away because they can look at a weather map and say i'm not going to have the same event. but if a cyber event starts to unleash itself, governors are not going to be that comfortable lending their limited cyber capabilities to a state that doesn't have them. so i do think there's value in having a more robust national guard capacity and having it across all 50 states and 4 territories is probably the right answer. >> thank you. i, my time has expired and i now recognize the ranking member for his 5 minutes. >> thank you very much, mr. chairman, and i applaud your effort on identifying cyber security as a critical area for this committee to look at.
11:39 pm
and if with -- capsule the testimony, ah, we do have a problem. the question is, are we addressing it in the best manner. one of the things we did was create cisa as part of the fix. i guess the question is, do you see a continued role for cisa and, and is there some other roles that cisa might play since that's kind of where we are today and i'll start with you, mr. myers, and we'll kind of go down. >> thank you, ranking member. we would happily work with any federal agency that is charged with securing the cybersecurity of the united states.
11:40 pm
as far as which agency is appropriate, i'd defer to the federal government on that one. >> i do believe that we need a cisa and the specific one that you all have authorized. you've worked the last 4 years to modify cisa's actual authorities year after year. i do think i'd like cisa to focus on their role as the risk manager for the country. in other words, bringing together risks from all the different sectors and understanding which are the number one risk areas that we need to address. i've pointed out rail, ports, and aviation that cuts across multiple federal agencies. so you do need one quarterback of the team to bring together all the different risks that they've assessed. and provide that guidance. the current brandon, in his last
11:41 pm
job, cisa made a recommendation to the white house for that, and the national security memorandum of 22 that came out gave him kind of a lukewarm responsibility. i'd give him the full on responsibility as a sector risk management leader for the federal government and making sure we work well in a public-private collaboration. so yes, we do need a cisa. we probably need a cisa that's envisioned differently than the last two presidential administrations have aligned it. >> sir, i, you know, cisa is essential both because it has unique sets of authorities and resources to tackle this problem. only it has the, the authorities necessary to move the federal government in terms of protection of the .gov, in terms of providing both capabilities to agencies and helping departments and agencies across the government move to a more common baseline. i think we have seen with congressional support in terms of authorities and resources that since the solarwinds attack in 2020, there has been a remarkable change in the degree of, of, of protection and security we have of our federal networks. i think as you look to the private sector again, cisa's
11:42 pm
unique authorities in terms of engaging with industry to be able to have protected conversations serve as a focal point, working with other sector risk management agencies. those are unique authorities, capabilities and expertise resident in cisa. and so that needs to continue now. how do we grow it? how do we refine it to make sure that we can tackle the scale and pace of the threat we face today is a challenge that we're all going to need to grapple with, but that all of it continues to point to the urgent need to continue those, those capabilities. >> and i'm going to echo my colleagues here. cisa is absolutely essential to the defense of our critical infrastructure. this committee has done some powerful things for cisa, and i think it needs to continue. one is what i mentioned cisa 2015. the superpower for information sharing that liability protection that encourages the private sector to engage um could be improved, but that is a key superpower.
11:43 pm
another is that cisa is, is formed as a national coordinator for federal civilian executive branch agency, uh, defense of critical infrastructure. i think that needs to continue and in fact should be improved. there is language in the homeland security act that allows cisa to provide technical assistance upon request to anybody that needs it prioritized by critical infrastructure that is key, but also strengthening cisa's ability to do that across borders, recognizing that our digital infrastructure is global in nature. cisa needs maybe some clarity on how to do that, provide that technical assistance when requested internationally as well. >> thank you very much, mr. chairman, i think it's clear
11:44 pm
that, whatever, cisa, end up being that it appears that at least 3 of the 4 and maybe the fourth witness say if it's cisa, i'll work with cisa, uh, that we need to make sure that ah that mission. >> that presently undertakes is maintained and with some of the enhancements offered, the coordination and other things, i think is very important. so with that, i yield back. >> i thank the gentleman and i now recognize the former chairman of the committee and the committee or the chairman emeritus, mr. mccaul from texas for 5 minutes. >> thank you, mr. chairman. thanks for holding your first hearing on this very important topic. and as the ranking member stated, a very bipartisan issue. the ranking member and i passed the cybersecurity and infrastructure security agency act in 2018 because it was a
11:45 pm
civilian agency we thought best capable to interact with the private sector. since that time, i believe it's stood up its capabilities, its credibility, but the world is on fire today. it's a far more dangerous place than it was in 2018 from a cybersecurity perspective, particularly when you look at china, russia, iran, north korea. i was sanctioned by china. i'm the target of a disinformation campaign by china along with three other members, one of whom now is the secretary of state marco rubio. so i've kind of firsthand witnessed this, but i think one of the most frightening things to think about is this ability to preposition. a malware on critical infrastructure to give them the capability to turn the switch off at any given time and then to bring darkness.
11:46 pm
to the entire east coast or to ports, you know, in new orleans or houston. can you maybe admiral start with you. explain how that exactly works and what can we do to fortify and strengthen these these critical infrastructures. thank you for the question. >> i'm sorry, thank you, sir. look, you're, you're right on that to me this was a prompt jump. in other words, what we discussed previously was intellectual property theft. there's been espionage. this is this operational preparation of the battlefield, it is a war-making action, and you know we have to take it much more seriously. i think that we, you know, that the idea that they prepositioned a malware or that they have capabilities that lie in wait that can come out at the right time as we're making a decision to move, you know, to respond to
11:47 pm
a crisis in taiwan or a crisis in the baltic states. transcom operates on these unclassified networks with civilian systems. this is why i think former representative waltz is right in the sense that we have to go on the offensive. we now have to actually publicly execute operations against chinese cyber infrastructure to say we know you did this, we know you used this infrastructure to do this, and we're going to remove that infrastructure from your capability. well, we may sacrifice a tool, we may sacrifice an access, but i think the military, you know, cyber command and intelligence committees have lots of tools and lots of accesses, but we need to demonstrate publicly and we should attribute it to ourselves, say we did this because of what you did. otherwise, the chinese are going to keep doing what they're doing. i totally agree. we need to call them out for this. we know that in the event of an invasion of taiwan, they will shut down their entire grid and
11:48 pm
shut down all their cyber. and including probably hit the west coast of the united states at the same time, how crazy would we go if we found 20 satchels of explosive strapped to different electrical power grids or port cranes around our country and could attribute it to china or russia? we would, we would seriously be moving forces. and say this is completely unacceptable behavior, but somehow in cyberspace they get a pass. that's not right. we need to be more offensive about this. we, the bar for taking action has got to be lowered down to one that is that makes america and our infrastructure secure right now it's too high. >> i think that physical analogy is always accurate. for instance, when the opm hack occurred, 23 million security clearances stolen on me imagine chinese operatives were caught at opm actually stealing that data in person, and we tend to
11:49 pm
think cyber is somehow not. that it's different and it's really not. mr. wales, can you, in my remaining time, this unholy alliance i call between china, russia, iran, north korea, do you see any in this alliance any formation of working together in the cyber threat space? >> yeah, so i'd say that there are very, there are some but limited connections at this point in part because there is not a significant degree of trust amongst those countries despite their willingness to work together in very isolated places. there have also been caught conducting operations against each other, which is one of the reasons why they don't have a kind of an alliance as let's say the united states does with its five eyes partners where it's much closer sharing of information, conducting joint operations, etc. we don't see that yet. amongst our adversaries, but that is changing. we're seeing closer connections in places like ukraine in terms of russia, iran, north korea,
11:50 pm
etc. so we obviously have to carefully watch that space very carefully. >> i pass the cyber diplomacy. i had to help coordinate and deal with that on the defensive side, but i know my time has expired. thank you, mr. chairman. >> gentleman yields, i now recognize the ranking member of the cybersecurity and infrastructure subcommittee. mr. swalwell, a gentleman from palo alto, california bay area, bay area. >> thank you, chairman. this is an important topic. it's a bipartisan topic. andrew garbarino and i worked very closely together on the subcommittee. but as the senior californian on the committee and a committee that has jurisdiction over emergency management, i just briefly wanted to express my heartbreaks and beats for the people in the los angeles area where 28 have died, thousands of structures have been lost. brave firefighters and first responders continue to battle
11:51 pm
the fires today as unseasonable and unpredictable winds ravage the area. and my ask of my colleagues is to just work with the representatives from that area as we have worked with representatives from every area in america that's been affected, been affected by disaster before and we've seen in tennessee, for example, since 2020 $39 billion from disasters since 2020, texas has had $68 billion in disaster damage. louisiana has had $34 billion from hurricane francine. mississippi has had $30 billion. florida hit by hurricane milton and many other hurricanes, has had $30 billion. new york has had $31 billion in damages.
11:52 pm
georgia has had $49 billion in damages. alabama has had $32 billion in disaster damages. oklahoma has had $30 billion in disaster damages. arizona has had $9 billion in disaster damages. south carolina has had 31 billion dollars in disaster damage. colorado has had $22 billion in disaster damage. pennsylvania $41 billion. in north carolina, $37 billion. it's not a matter of if a disaster will hit your district or area if you are in congress. it's just a matter of when, and the theme has always been. that we come together and i hope that's the case now. last week when i visited one of the affected areas, i stood with a mother at what was once the site where she and her husband raised their two little kids, and as she looked for any
11:53 pm
memento that she could take back to the kids, she saw that their lives and their home had been reduced to complete ash. she found a shiny metal piece in the ash and noticed that it was a little bowl that her daughter had played with in her make-believe kitchen, and that was all she walked away with to take back to her kids and she didn't point fingers. she didn't put on a republican jersey or a democratic jersey. she just expects that the people who represent her. will stand with her and help her find relief in the worst time of her life and the lives of her neighbors, and that's, i think, why we all do this job. so mr. chairman, i look forward to working with the committee to make sure that wherever a disaster hits, we stand up for it. i'm going to briefly now just pivot to admiral montgomery, and
11:54 pm
i appreciate your service, sir, to the country. i have worked in a bipartisan way, and the chairman has supported this work to try and reform cisa, particularly as it relates to jcdc, the joint cyber defense collaborative, and to set more structure and scaffolding around how individuals are admitted into jcdc and how they could exit if they're not faithful partners to it. do you see any needed reforms at jcdc? >> yes, sir. thank you. and, and i do, i appreciated the provision you put forward last congress. i would only say, i would add to it. we need to move the jcdc beyond a slack channel, which is what it is right now, you know, a non-real time information exchange. we need to get to real-time information exchange. when the congress actually passed the provision that the jcdc operates off of, it's called the joint cyber planning office. we had other provisions. i was on the cyberspace
11:55 pm
commission we put that forward. we had other elements to that that were necessary. those have not yet been passed. i think they need to be authorized because i think the jcdc, to be effective, needs to have a planning element, an information sharing element which at the speed of data. so you can give threat information to private sector companies at the speed of data and then an intel working group together that might be at a more classified level. that information sharing though has to be at the unclassified level. so i think the the improvements in the jcdc through a provision would be an excellent assignment for the 119th congress. that's really helpful. i'll take that back to our team. thank you, admiral. yield back. >> gentleman yields, i now
11:56 pm
recognize former chair of the border subcommittee, mr. clay higgins from the state of louisiana. >> thank you, mr. chairman, gentlemen, ma'am, thank you for being here. ms. walden, in your opening, in your testimony, your written testimony. you referenced the cybersecurity bill. he stated that the bill would help bring coherence to the multitude of federal regulatory approaches. the bill would have empowered the national cyber director to convene all of the relevant parties, including independent regulators, to develop a set of cross-sector minimum requirements that would have reciprocity baked in. whereby a business that operates in multiple sectors or that is in the supply chain of many regulated entities would only need to show they met the baseline once. he stated, i'm very confident this approach will both meaningfully improve our cybersecurity posture and reduce compliance costs. i hope congress will continue last year's momentum and move swiftly, swiftly to enact this legislation. i thank you for that statement, ms. walden, because that was my
11:57 pm
bill. introducing a 118th congress, the streamlining federal cybersecurity regulation, and we are indeed reintroducing that legislation 119th congress, mr. chairman and my colleagues on both sides of the aisle in this committee, we, we should move forward with that legislation because it allows the industry sector to appropriately position themselves to spend less time and money in compliance with regulatory oversight and more of their energy and focus on actually accomplishing their missions as it regards cybersecurity. ms. walden, could you briefly discuss more in depth how compliance with current cybersecurity regulations frameworks slows down the efforts to actually counter threats. >> thank you for that question and thank you for um
11:58 pm
reintroducing that bill. it's quite an important measure i believe for the overall building of resilience in our cybersecurity infrastructure, our digital infrastructure right now across the 16 critical infrastructures, and i would add a few others that haven't been designated, some industries are highly regulated and also have wonderful controls that could do better. but i'm thinking like finance, for example, and other industries are just under the mark, and those are the ones that are the most vulnerable. and so we need to figure out a regulatory approach to bring the minimum baseline up so that we're all solving the same problem and doing it in an efficient and effective way. and so the the proposition that your bill brings forward is not only do federal departments and agencies that have regulatory authority need to fall in line, but the independent agencies need to do so, and they need to find areas where there's duplicity and so we can eliminate that.
11:59 pm
areas for reciprocity and then cause all of our infrastructure to have minimum security requirements so that we're not causing them to just spend money on. >> yes, ma'am, i agree. i mean, the federal government should be a partner with the cybersecurity industry and the emerging technologies including ai, we should aggressively support the industry and their ability to actually perform the mission. so regulations and regulatory oversight should not get in the way of that mission. mr. myers, my, my own confidential cybersecurity consultants that have helped me through 8 years in congressional service to we the people happen to be partners with crowdstrike, and they have, they have shared
12:00 am
with me that their assessment that they have the best technology in their opinion out there and your overwatch team is outstanding. so i'd like to address to you, you, you've been in the business of tracking criminal and state sponsored and nationalist cyber adversary groups across the globe. and you deploy technologies to detect suspicious and malicious cyber behavior and stop increasingly sophisticated adversaries, your words. i would ask you to comment on the lack of ability for the security sector to strike back. would you just address that topic? i yield to the gentleman's answer. >> thank you, sir. the security industry, i think, is primarily meant for defensive posture. one that we take very seriously,
12:01 am
and i appreciate your support there. i think that there's a lot to be done to partner with law enforcement and those that have the intelligence community as well and the military that have the title of authority to take those actions and to support those operations and happy to share with you some of the previous successes in working through that and as i mentioned in the testimony, i think it's time that we increased the cadence of those operations. >> thank you. my time has expired, but just yes or no. if you had the legal authority to strike back, if congress gave the cybersecurity industry the legal authority to strike back, would you be able to effectively identify the bad actor and do so? >> we have the visibility to identify. >> thank you, sir. thank you, mr. chairman, for the indulgence. >> gentleman yields, i now recognize mr. magaziner, who also is a ranking member, and we appreciate his service for 5 minutes of questioning. >> well, thank you, chairman,
12:02 am
and to the ranking member as well and my colleagues. it's great to be back and to be starting out with such an important and bipartisan topic because the united states faces an incredibly dangerous and growing threat landscape with regard to cybersecurity. we face attacks from international cybercriminal groups such as the brain cipher group, which attacked my home state of rhode island last month, stealing sensitive information from hundreds of thousands of rhode islanders, and we also face increasingly brazen attacks from adversarial nations including china, russia, iran, and north korea. we're all very familiar with the capabilities and increasing aggressiveness of china's cyber warfare campaign, most notably salt typhoon, which impacted the data of millions of americans, and volt typhoon, which targets our critical infrastructure. and it's also important that we not lose sight of russia's aggressiveness against our country as well.
12:03 am
this past october, the justice department seized 41 internet domains being used by russian hackers known as the callisto group attempting to infiltrate u.s. companies and government agencies. and by the way, small town america is not immune from this threat either. last year, a separate russian hacking group, the so-called cyber army of russia reborn, succeeded in disabling a water system in the town of muleshoe, texas and a wastewater system in tipton, indiana, among others. so my first question, and i'll throw this out maybe to admiral montgomery or to any of you who have this information, if you had to guess, how many people, how many bodies is china, for example, putting into their cyber warfare campaign across all of the various organizations they have? >> this would be a guess, and i think if you go into a closed
12:04 am
hearing, you might get a more refined answer, but i would say china is around 60,000. to give you some comparison, the united states cyber mission force, our offensive side, is about 6400. >> so china has 10 times as many people targeting us with cyber warfare as we have trying to defend ourselves, and i assume that russia also through their assorted organizations, thousands of individuals. >> first i should say we have an intelligence community element number that we don't discuss, but not, it's not 54,000 to close the gap. russia has a different number, and russia has both military and intelligence services that do actions, and they have contractors through what's called the ira, a contracting group, and there's a mix of people in there who do both, but -- >> global criminal
12:05 am
organizations there are, countless organizations and individuals targeting us with hacks, with ransomware, etc. during governor noem's confirmation hearing to be homeland security secretary, she said that cisa needs to be "much smaller to fulfill their mission." do any of you agree that cisa should be smaller, given the number of threat actors that are targeting the united states every day in the cyberspace? i will take that as a no. i'll also note, by the way, that she was one of only 2 governors who turned down federal grants for her state to strengthen cybersecurity as well. so there's a pattern here that is concerning that i'm sure we will ask her about when she comes before this committee, assuming she is confirmed. i also want to commend, well, a number of the recommendations that have been made, i think are terrific and make great sense. i want to commend you again, admiral, for targeting the issue of critical infrastructure.
12:06 am
i'm the co-sponsor of a bill with congressman crenshaw called the contingency plans for critical infrastructure act. to mandate that we identify and have contingency plans for critical infrastructure in the event of a cyberattack. also the role of the national guard. i want to give a shout out to the 102 cyber operations squadron at the rhode island national guard, who do a phenomenal job, and i actually agree with, i think, a sentiment that the chairman raised and a number of you as well, which is that we need to call cyberattacks what they are. they are attacks. whether they're targeting our data or our critical infrastructure, and i would just suggest that when foreign actors put misinformation into our information sphere as well, with the purpose of trying to influence elections or turn americans against each other by racial lines or religious lines or political lines, it is an attack as well. we need to call that out for what it is. americans have a first amendment right to say whatever we want
12:07 am
online, whether it's true or divisive or not, and that is a constitutionally protected right. but iran, russia, china, etc. do not have that first amendment right when they attempt to influence our domestic condition by turning americans against each other, undermining election integrity, undermining confidence, that is an attack and we need to call that out as well. so i'm over time. thank you, chairman, and i yield back. >> the gentleman yields and i now recognize the chairman of the transportation subcommittee mr. jimenez from florida for 5 minutes questioning. >> thank you, mr. chairman. before i move on to cybersecurity, as the only career firefighter ever elected to congress, i want to share my colleague mr. swalwell's condolences to what has happened in l.a. but i also would like to see if you would consider doing some kind of a fact finding trip by this committee to la to
12:08 am
determine what the conditions were prior to the fire, what the response to that fire was, and also what strategies, what mitigation strategies that we need to take in order to make sure it never happens again. because there are certain things that cause me a little bit concerned about the whole situation. mostly was really about the fuel and the control of the fuel because fire needs three things. an ignition source. it needs oxygen, and it needs fuel. and the ignition source, we have not determined that yet. but when you have hurricane force winds, you certainly have enough oxygen. it certainly appears that they had a heck of a lot of fuel, and they didn't do a very good job of -- >> does the gentleman yield? >> mr. swalwell is not here but i would anticipate that what he would ask is, would you also be interested in a fact finding trip or study to see if for example the state of florida has taken adequate steps to reduce flooding in the event of a
12:09 am
hurricane or to reduce damage for other natural disasters. >> absolutely. i think we are fantastic at what we do in florida. >> i want to make sure it is the same for every state. >> we learn after every hurricane. we learned that we change our codes and everything. so yeah, i wouldn't have any problem in doing that. you want to visit my town, miami-dade county. when i was the mayor, sure, come on. i would be happy to show you what we've done, ok? now back to artificial intelligence. actually, to cybersecurity. does artificial intelligence have applications in cybersecurity and a defense mechanism? so mr. myers or mr. wales, if you want to answer that question. >> yes, and i actually would say that right now we're at a unique moment where artificial intelligence is being integrated into cybersecurity applications far faster than we're seeing adversaries able to weaponize artificial intelligence to launch attacks. so most companies, sentinel one among others, are working hard
12:10 am
to make sure that their technology benefits from the latest and most modern artificial intelligence applications. >> so mr. myers, do you agree? >> yes, absolutely. we've been using machine learning and artificial intelligence for the last 14 years at crowdstrike. >> fantastic. what do you all think about yesterday's announcement of a half a trillion dollar investment in artificial intelligence, stargate initiative, i guess. anyone can answer that if they want. do you know about that? >> i read it in the news. what i would say is it is important, particularly in competition vis a vis china, that the united states be a real leader here. so anything that we are doing as a nation to ensure that artificial intelligence innovation is happening inside the united states is going to be good for both our security and our economic well-being. >> rear admiral, if we win that
12:11 am
race, would that be able to supplant the manpower advantage that our adversaries may have in that regard in terms of cyberattacks and our ability to defend them? >> i do believe artificial intelligence and machine learning can make a big difference in the speed with which you find accesses and develop tools. one thing i would give congress is as we see that $500 billion get invested, the one area i'm not for regulatory environment here, but the one thing i would regulate, much like we do at our national labs, is i would demand a level of physical and cybersecurity around that most important intellectual property, the model weights and things like that. again, i wouldn't heavily regulate the entrepreneurial spirit. but i would regulate the security so that we maintain any breakthroughs belong to us and belong to the united states companies and eventually to the united states military and aren't easily stolen by our adversaries. >> i believe that the artificial intelligence technology is a national security technology, much as any weapon system
12:12 am
that we have, maybe even more important than any weapons system that we have, we have to maintain that advantage and keep it in a very, very, very secure place. and hopefully the artificial intelligence will be able to guard itself, ok? finally, do we have any rebound capability? in other words, somebody attacks you, and then the response, the rebound to that is even worse than the attack. so that you know that if you punch me in the nose, i'll cut your head off? do we have that capability? >> sir, that is what i was talking about. with deterrence, you know, we've talked a lot about deterrence by denial here. that deterrence by cost and position is the punch back and then defensively we do have to have a rapid recovery. one of the things america's good at is getting back up off the mat, you know, when we're hit, but in cyberspace i don't think we're properly organized for that yet. and this is more than fema. this has got to be, we call it continent of the economy planning. we have to get working on that. better offense and a better
12:13 am
ability to recover once we're punched in the face. those are going to be the two things we need to win. >> i know my time's up and just simple yes or no. will artificial intelligence help us in that? yes or no? >> yes. >> thank you and i yield back. >> the gentleman yields and i now recognize mr. goldman, the gentleman from new york for his five minutes of questioning. >> thank you, mr. chairman. and i agree, i'm encouraged by the bipartisan nature of this hearing on what is increasingly an important and dangerous threat to our homeland and our security. in the past, though, it has not been as bipartisan. in fact, in september 2023, more than 100 house republicans, including the chairman, tried to slash cisa's budget by $3 billion, which was 25% of the budget.
12:14 am
now this is because many republicans did not like the fact that cisa, the cisa head at the time, said that the 2020 election was not stolen, and "there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised." that assistant director was chris krebs, who was then immediately fired by donald trump, and mr. wales, you took over. mr. wales, do you agree with mr. krebs's statement that there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised and that the 2020 election was free and fair? >> yes. >> so part of the problem here is that even though cisa's misinformation and disinformation activities represent less than 0.1% of its
12:15 am
budget, republicans have tried to cut 25% of the budget, and governor noem has made it clear in her hearing that she would like to limit and reduce the size and role of cisa, which seems odd in this time, when all we are hearing from our witnesses here is the increasing danger of cyberattacks and cyber infiltration, exacerbated by artificial intelligence. we know russia used cyber warfare to interfere in our 2016 election. we know china has tried to do the same. but it's not a partisan issue, because iran tried to do the same thing by infiltrating donald trump's campaign.
12:16 am
and it is bewildering to me that, given the crowdstrike disaster with the outage which dramatically affected my district, with the microsoft hacking that gave china access to senior government officials' information that we would be reducing the budget to address our cybersecurity. one thing i want to address, mr. wales, i will ask you first. what would the impact of reducing cisa's budget or reducing the size of cisa be both in terms of our broader cybersecurity and infrastructure security, as the rear admiral has talked about, as well as election integrity and preventing foreign influence in our elections? >> a lot would depend on how
12:17 am
that cut was allocated, but broadly it would dramatically limit the ability of the agency to conduct critical missions. so that would include its ability to provide technical support to critical infrastructure, and state and local governments who request assistance with actual cyber incidents or conducting pre-incident assessments of their vulnerabilities so they can be hardened. it would compromise its ability to perform its functions across the federal networks in terms of both monitoring and responding to incidents, deploying technology to ensure that federal networks are protected by best in breed technology platforms, but just across the board it would lessen its ability to respond at a time of significant cyber threats has been described today. >> and in terms of the election integrity work that cisa does,
12:18 am
is it accurate that that is primarily focused on foreign actors and foreign interference? >> almost all of cisa's work when it comes to elections is actually focused on cyber and physical security-related work, providing assistance to state and local governments who need assistance, who request vulnerability assessments, scanning for vulnerabilities, conducting training. doing physical security assessments increasingly as state and local election officials are concerned about physical security threats that they may face, that is almost the entirety of the election security work. so any cuts to the cisa budget would affect its ability to support those officials. >> and this is the only sort of the only department within any executive branch agency that provides that cybersecurity service to state and local officials who administer our elections. is that right? >> yes. >> thank you. and thank you, chairman, i yield back. >> the gentleman yields back and i now recognize the chairman of
12:19 am
our counterterrorism subcommittee, mr. flugert. >> thank you, mr. chairman, and i appreciate this hearing. i'll get right into it when you look back at volt typhoon, storm typhoon, or sorry, storm 558 salt typhoon. the list goes on and on. i'm obviously worried about critical infrastructure, not just in my own district that includes energy production, but every other aspect of our lives. so i'll start with you, mr. wales. in last congress, i introduced the 7 act, which was, and i hope that we can mark it up in this committee this year and send it to the floor because it's a coordinating piece of legislation that asks our federal agencies to do the hard work of coordinating. so who is the lead government agency when it comes to responding immediately to a cyber threat? >> different agencies are going to bring different authorities to the table, and you're going to want all those authorities to deal with the challenges that we have. so cisa has certain authorities in being able to help an entity
12:20 am
recover from an incident, making sure they understand what's happened, but you also want at the same time the fbi that can use its law enforcement authorities to figure out who the adversary is and are the things that could be done to disrupt their infrastructure, impose consequences. there's coordination with the intelligence community that's going to be tracking adversaries overseas. so there's not necessarily going to be one person because no one agency has all the authorities, resources and capabilities that we're going to need to tackle that problem. and what you want are those agencies working closely together. and i would argue from my time in and having just left, the operational coordination amongst the agencies working on cybersecurity is better now than it has ever been. >> ms. walden, how would you grade the response to, let us say, salt typhoon, to the cyberattack? i want to pull this thread a little bit that there's no single agency that's in charge. there's a lot of stakeholders, but how was our response to salt typhoon? >> well, sir, i was, i think the response to salt typhoon was adequate and appropriate. i was not in government as part of the apparatus at the time that salt typhoon was
12:21 am
discovered, but i do think it was adequate and appropriate. >> admiral montgomery, good to see you. let's go on that. how was our response? what could be better and do we need a lead agency to help coordinate? >> so hearing those answers, you know, as of 35 years in the military, i kind of learned you need one leader. one agency needs to be in charge. i've never seen a military organization work with two leaders in charge. so the right answer is cisa. i think we have to create that condition. look, do i think other people contribute to it? the sector risk management agency that's responsible for that industry, sure, but in the end there can be only one. and that leader, i think, needs to be cisa. i think the biden administration missed a great opportunity to do that in national security memorandum 22, even though cisa was telling them to do it and asking for that lead responsibility. they did not get it. i think we need to, as we redo national security memorandums and things, i think an upgrade to that to put cisa in charge. this is a bipartisan issue, you know, this committee created
12:22 am
cisa. you need it to be the leader -- the leader on the hill. in the aftermath of the loper bright decision, the chevron deference precedent, mr. chairman, i think this is a perfect opportunity for us to be specific in this committee and to take what admiral montgomery is saying and designate a lead agency and actually tell the agencies what we want them to do, not just give them the open blank chalkboard to write what they think is best, but for congress to take an oversight role. in your written testimony, admiral montgomery, you used the term lying in wait when you're referring to the volt typhoon attack. who is lying in wait now, and what is the next attack
12:23 am
that keeps you up at night? and then mr. myers, i want you to comment on the same thing. >> i think all of the axis of authoritarians could lie in wait. that's china, russia, india, and north korea. but i think realistically the countries that are thinking about that they need to stop an american ability to mobilize forces or really weaken our economic productivity. it's china and russia. i think china's the predominant actor right now. i think russia's distracted by the things. i have no doubt that there's russian malware in our systems with access, with an ability to be accessed at a later date. so it's china, russia, and we've got to keep our eye on. if i had to choose one, i'd choose china. >> thank you, mr. myers. i'll give you the last 30 seconds. >> thank you, sir. these incidents are not over. salt typhoon is an ongoing activity by an adversary, as is volt typhoon or what we call a vanguard panda. so this is something that we need to continuously engage. we need to continuously identify it, root them out, and put a stop to them and cut off their access. so i would say that i just want to make that point that this is something that's ongoing and we need to remain focused on it. >> thank you for your testimony,
12:24 am
mr. chairman. >> the gentleman yields. i now recognize ms. ramirez for her 5 minutes of testimony. >> thank you, chairman green. thank you, ranking member. truly grateful to be back in my second term serving in this committee that i believe will need the leadership of all of us and certainly those of us who have personal experiences with a lot of the work that we do here. so i want to talk to you, mr. wales, a little here. you served as cisa's executive director from 2020 until august of last year, and in that capacity you oversaw the execution of the agency's operations. so you're well aware of how cisa was investing its resources, correct? >> yes. >> governor noem, trump's pick to lead dhs, has stated that cia was far off mission from its work to combat mis and disinformation, and that in they were "using their resources in ways that were never intended." mr. wales, i want the record to be clear about how cisa spends its resources.
12:25 am
to the best of your recollection, mr. wales, how much of cisa's budget is spent on mis and disinformation work? >> the last time we looked at this, it was something less than $2 million. >> so what would that be percent over the entire budget? >> far less than 1% of the $3 billion budget. >> and has cisa or disinformation work ever interfered with its ability to execute cybersecurity mission? >> i don't believe so. >> thank you. as part of the bipartisan infrastructure law passed in 2021, congress provided $1 billion in new grants to state and local governments to enhance their cybersecurity. state and local governments have struggled, we know, to adequately defend their networks, exposing them frequently to cyberattacks and putting critical public infrastructure at risk. as funding for this program flows to state and local governments, we're also seeing the important progress it is having and addressing in long standing underinvestment in state and local cyber defense.
12:26 am
unfortunately, this program expires in september. at the same time, we continue to see a rise in global cyber threats. so this is a question i have to all witnesses and the time that i have left. do you agree, yes or no, that the state and local cybersecurity grant program should be reauthorized? >> yes. >> thank you. and let me ask you a follow up question, and this one would get a sentence or two from each of you, and we're going to be fair here, so we want to make sure everyone gets a little time. what are the national security implications if we fail to adequately defend state and local government networks? >> i'll start with you. >> thank you. threat actors target state and local governments very
12:27 am
frequently, and they understand that those are axes that can lead to strategic or tactical objectives that will secure their goals. and so i think that we need to make sure that we ensure that the state and local entities and to include school districts are well protected from a cyber perspective. >> thank you. mr. montgomery? >> state and local governments are the low hanging fruit. they usually don't have two wood nickels to rub together to increase their, you know, to spend on their utilities because we as voters don't like to let them increase their rates. but i will tell you, the number one thing they need is workforce. the best way to get it, that's the pivot act. so if you bring that back this cycle, i think you're going to attack the number one issue state and local governments have. >> mr. wales? >> i would just say that state and local government agencies are the closest to the american citizens, so disruptions at the state and local level are ones that people feel quickly in their schools, and their utilities that are provided, in the public services that they often get.
12:28 am
and so absolutely this is an area where adversaries target, particularly ransomware groups, but as well as nation states, so it is an area that needs attention. >> thank you, mr. wales. ms. walden? >> i agree with all of my colleagues. i want to point out, in addition to everything that they've said, is that state and local entities really need to work on their technical debt, figuring out how to resolve some of their legacy technologies so that they are able to withstand cyberattacks that are happening in their backyards every day. >> thank you, ms. walden. it's clear that reauthorizing is going to be critical for this moment. thank you so much. with that, chairman, i yield back. >> the gentlelady yields. i now recognize our chairman of the cybersecurity subcommittee mr. garberino, the gentleman from new york, for 5 minutes. >> thank you, chairman. thank you very much for holding, sir. i love how you had him place the pivot act in his last answer and say how he had to pass it again. that was well placed there. [laughter] thank you all to the witnesses for all being here. it's great to see you all again. this hearing is very important, i think your focus on china has
12:29 am
been, you know, it just, it's obvious that they are our number one adversary, and if we can combat and defend against china, we can probably defend against everybody else because they're the best at what they do. we have to be better. i want to talk about what cisa should be doing and are they doing what they're, what they should be doing? what else, what other authorities should we give them? mr. wales, you were there for a very long time. you were executive director and acting director. what should cisa be doing that it's not doing, and should we give them any more authorities that they don't currently have to step up their game and defend against china? >> i would say that looking at
12:30 am
cisa's two primary missions in cyber, one is to help protect the federal government's networks, and two, to help support the security and resilience of our critical infrastructure networks. in the federal government's face, thanks to a lot of resources and authorities from the government, i think cisa needs to continue the momentum. we are in a much different place than we were in 2020 during solar winds. the federal government is far more secure today. it's the reason why federal government agencies identified compromises at places like microsoft because of the investments that congress has made in both cisa and across the federal government. i think there, it's about building momentum and keeping that going. when it comes to critical infrastructure, it's a much more challenging problem. it's a much more crowded space. cisa's real role is to be that focal point, to coordinate amongst all of the other agencies that are working in this space. i do think cisa has sufficient authorities, but it's really an issue of scale. can we meet the scale of the challenge with both technical assistance, training? do we have the right tools to bring to bear, to meet the challenge? i do think that there are areas that need work, and i'm hoping that the trump administration will focus on how do we improve the operational collaboration, build on the framework that exists today with the joint
12:31 am
cyber defense collaborative, but take it to the next level, continue to drive improvements in our ability to work side by side with industry on day to day operational cyber threats, and i think that is where the most urgent need is. >> you talk about defending against the federal networks. the executive order that was signed last week tried to do that with hunting -- threat hunting a lot of agencies don't like. >> does the executive order go far enough, or is it something we have to act legislatively to tell and everybody can jump in here to tell these agencies, hey, you have to let cisa do its job and threat hunt here. you know this builds on authorities that congress gave to cisa in the fy21
12:32 am
national defense authorization act that gave them the ability to threat hunt on federal agencies without permission. that was important. then supplemental funding allowed the deployment of endpoint detection and response technology that gave the security sensors the ability to actually hunt on. this executive order requires agencies to actually provide that sensor information to cisa that allows them to conduct that threat hunting. it is absolutely essential. that is the way that you spot adversary campaigns early. it is the way you look consistently across agencies, so you're not dependent upon the differences in capabilities at various agencies. so i do think that part of the executive order is strong. i don't necessarily know that they need additional legislative authority, but it is something that is going to be important for the next administration to continue to push agencies to ensure that cisa has the level of visibility it needs to conduct the threat hunting that gives you the cybersecurity outcomes that you want. >> thank you. ms. walden, did you have
12:33 am
something to add? it looked like you were getting ready to speak. if you don't, that's fine, i have other questions. ok. and you talked also about information sharing, i think is what you were getting at between private and public sector when it comes to critical infrastructure because 80% or 85% of critical infrastructure is controlled by private sector. do we have that type of information sharing now? i don't think we do, and i think sometimes it happens as well and sometimes it doesn't happen very well. >> i've been talking about information sharing since i joined the department in 2005 for starting on counterterrorism, that in cyber. there are always ways that we can improve information sharing. it has improved dramatically over the past 8 years, but there is a long way to go, and it's also a question of do you have the right private sector in the room? are you sharing information at a speed at which it can be effective in the cybersecurity context?
12:34 am
and are people capable of using that information to improve their security in real time? and i think there is a lot of work to do to make sure that that happens, going both ways, and i'm out of time, but i did just want to say beforehand, rear admiral, your comments on continuation of the economy in your written statement is 100%, i think, on point. we directed the biden administration to come up with a plan. they failed, and i think this is a huge thing that we need to work on with the trump administration. we have to come up with a real continuation of the economy plan just like congress bipartisanly directed the administration to do so. with that, i yield back. >> the gentleman yields. i now recognize ms. poe for 5 minutes of questioning. and welcome to the committee. >> thank you. thank you, chairman green and ranking member thompson for holding today's hearing. i am proud to be among the newest members of the committee on homeland security. my north jersey district is just across the river from new york city.
12:35 am
so many constituents remember well the horrific, unprecedented terrorist attack that occurred there two decades ago. i take my appointment to this committee very seriously, and i am excited to work with my colleagues on both sides of the aisle and collaborate with stakeholders and experts to advance solutions to improve the safety and security of new jersey and our nation. the cyber security information sharing act of 2015 is set to expire this year. since its enactment 10 years ago, this law has created critical information sharing partnerships and collaboration between the government and the private sector. these relationships have enabled america to better respond to rapidly evolving cyber threats, making the country safer. to each of our four witnesses, can you please describe the benefit of the cyber information sharing act, but please detail, if you would, how would a lapse in this authority affect our nation's security?
12:36 am
ms. walden? >> so the importance of the cybersecurity information security act, unfortunately the same name acronym cisa 2015. it is paramount, because it gives liability protections to industry to share with dhs and through cisa to share amongst each other in order to be able to at least at a minimum, get rid of the low hanging fruit. they're allowed to share cyber threat indicators and defensive measures for a cybersecurity purpose. they are protected from foia. they're protected from antitrust litigation. they're protected from sunshine laws and etc. this is a key underpinning law that enables the jcdc, for example, that enables other vulnerability assessments that take place, that enables us to be able, the government to be able to interface with industry at the speed of data. >> thank you. >> i would just add that most
12:37 am
importantly it provides assurance to the industry that they will be protected. some people may be willing to share without this law, but the reality is many won't because they don't have 100% certainty that they're not going to suffer any consequences, whether through some type of litigation or suit. and so ensuring that it is reauthorized is critical for enabling cyber information sharing to happen between the private sector and the federal government as a whole. >> thank you. >> i would support its reauthorization. i'd also remind that back, you know, 9 years ago it was weakened significantly in the senate. before it was passed, i think you should take a look at strengthening the liability protections for the companies in that legislation. and at the same time, i would take advantage of the opportunity to integrate cisa, the cybersecurity infrastructure security agency, into it, strengthen its ability. as i said earlier, we have to get off a slack channel. we have to get into us. we have to have authorized a system for actual speed of data transmission.
12:38 am
and we've got to push the intelligence communities to figure out how to get that down to the unclassified level so that there's a benefit and burden to this to the private sector. they both benefit from much better intelligence from the government, and the burden is they have to report what they're seeing and work closely with the government to pass on their information. >> thank you. very quickly, mr. meyer. >> thank you. information sharing is critical for our success. it's us. it's the vendors. it's our customers. it is our partners and the government versus the adversaries. it's versus china, iran, north korea. and so information sharing is really the essential building block of how we secure our infrastructure. >> thank you. thank you so very much. i yield back. >> the gentlelady yields. i now recognize the gentlelady from georgia, ms. greene, for 5 minutes of questioning. >> thank you, mr. chairman. before i get into some questions, i'd just like to point out that mr. wales, in your testimony you talked about iran's cyber hacking attempts
12:39 am
against president trump's campaign this past election cycle aimed at undermining president trump's candidacy and sowing discord within the united states electoral process. so thank you for pointing that out. while cyber threats from our foreign adversaries must absolutely be protected against. we also can't forget that our own independent cybersecurity agency cisa was more focused on conducting its own large scale election interference campaign through its censorship laundering complex against our own people, rather than bolstering our cybersecurity efforts and working to protect our critical infrastructure. just some brief stats, the average cost of a data breach in the u.s. amounts to 9.36 million, almost double that of the global average. as you, mr. montgomery, testified, the fbi received reports of 12.5 billion in
12:40 am
cybercrime losses in the united states in 2023, an increase of nearly 20% over 2022, which is definitely alarming. ransomware attacks rose 74% from 2022 to 2023. cyberattacks on critical infrastructure globally increased 30% in 2023. one in three americans were affected by health care data breaches last year. government agencies were the 3rd most targeted sector from ransomware attacks in 2023, and there are roughly 500,000 vacant cybersecurity jobs in the united states. mr. chairman, that is a serious issue. most cyberattacks fall into a never ending pattern. a threat actor often sponsored by a nation state exploits vulnerabilities in the system. they exfiltrate sensitive data or encrypt it for ransom. then there is an investigation into how it happened, who was involved, and what measures should be taken to prevent it
12:41 am
from happening again. and then it happens again and the cycle repeats and we're all in a very serious dilemma. mr. montgomery, in your testimony, you talk about some specific offensive and defensive solutions that we can take to address the needs of our cybersecurity shortfalls. could you elaborate a little more on that, please? >> sure, thank you. i would highlight in that first we absolutely have to invest in our sector risk management agencies to make sure they're doing their job. it's shocking sometimes when you look at a department of energy spends what i think is probably the right amount, somewhere 50 and $100 million a year on being a sector risk management agency helping energy companies protect themselves. then you go to the department of agriculture and they're spending $500,000 or department of education they're spending $250,000. most of us understand that's two full-time equivalents or one full time, you know, it's one human or two humans. and that's just website management. you're not helping the 8000 farms and food distribution
12:42 am
networks out there with one person manning a website, and you're not helping our k through 9000 districts out there with one person manning a website. we need more consistent focus, leadership from the top down, cabinet members down on cybersecurity is a responsibility they have as a cabinet member and then when appropriate, the funding to do that kind of thing. so that is number one. and i spoke earlier about military mobility. if i could only focus on three things, it would be rail, aviation, and ports, because if we do not get that right, china, russia, doesn't matter, if they initiate combat operations that we're going to be involved in, we won't get there fast enough. >> thank you. i completely agree with you. those are very critical infrastructure things that we have to protect. with ai being the biggest emerging industry in the technology industry, i'd like to
12:43 am
ask each of you how, how can we protect americans, protect our government, protect ourselves from cyberattacks, and how do you see ai playing a role in that, maybe for the good or for the bad? >> i'll start. artificial intelligence can be one of the solutions to a lot of the problems that you highlighted. and when we think about the cyber workforce, artificial intelligence can take more junior analysts and make them more senior analysts by automating and helping them deal with complex problems at scale and at speed. i'll also say that artificial intelligence in the security domain can be used to identify and quickly remediate these attacks. so there is a huge opportunity there. the one caution i'll say is that i think in the next 1 to 3 years
12:44 am
we'll be seeing more and more organizations and businesses employing their own artificial intelligence, and that will create a situation where there's what we would call ai workloads that need to be protected, so we need to be thinking about how can we proactively start talking about protecting those ai workloads today before they become a problem in the future. >> that makes sense. mr. chairman, can we allow our witnesses to each answer? >> very quickly, yes or no, but then we need to move on. >> yes. >> yes. >> thank you for coming to the committee today. mr. chairman, i yield back. >> the gentlelady yields. i now recognize mr. turner from texas. also, welcome to the committee, sir, for your 5 minute questions. >> thank you, chairman green and ranking member thompson. it's good to be with everyone. what i've noticed is that they are same running themes from each and every one of you. let me just say that the small city of houston, we face thousands of cyber threat every
12:45 am
year. cyber workforce, critical. the grants to state and local government, critical. and cities and states under constant attack, a coordinated approach, collaboration, all important, and that's why i'm a strong supporter of cisa. in fact, when it came into existence, we went thumbs up. aviation, the port, utilities, our water systems are a constant -- are under constant threat, and as a mayor, that is something that kept me up every night. when we saw what happened in atlanta when the ransomware gangs took over, municipal police costing the city a great deal. we all tried to intensify our efforts, built layers and layers, but we simply didn't have enough money to do enough.
12:46 am
so let me applaud each and every one of you because each one of you said, i think mr. myers, the threat has increased 200-300%. i think rear admiral, you indicated a persistent vulnerability that exists, and each one of the same things over and over again. let me just go directly to the office of national cybersecurity director, ms. walden, and during your time at oncd both as a principal deputy national cyber director. and as acting national cyber director, you are part of the development of this new office. how has the creation of oncd strengthened our national cybersecurity, and what additional steps should the new administration take for a coordinated approach to cybersecurity across the federal government? >> thank you. so the national cyber director's office was created to provide strategic cybersecurity advice
12:47 am
to the president so that, just as admiral montgomery said, we have some accountability and some responsibility from the very top all the way down, and that should be true in the federal government, as well. and there were a couple of things that we sought to achieve. the first is to make sure that we have a more defensible, more resilient digital ecosystem. and that includes state and local entities. that means that we needed to do two things: one, shift cybersecurity risks so that it is not solely the burden of cities and counties and educators and shift that so that it's more the burden of the federal government, of large enterprises, of producers, etc. and then with that residual risk once we buy it down to build in resilience, not just in the technology, but the technology is important. the backbone of the internet, salt typhoon showed us, is important, but in the workforce and the people and the ability to be able to maintain all the new technology. and doctrinally, who's in charge
12:48 am
of what, when, how, so that the work that we did there came with it, that strategic work came with it a full action plan. and that full action plan allowed each department and agency to take on responsibility for a particular provision of that strategy that allowed state and local governments to plug in, that allowed companies to plug in and to move the needle forward. that was the strength of the national cyber director's office, and i'll point out the national cyber director was able to with the office of management and budget prioritize the federal departments and agencies how to ask for federal funding in order to be able to pursue that mission. that kind of central activity within the white house was important in the last administration, and i see it going forward. >> thank you. and mr. montgomery, in your role with the cyberspace solarium commission, you advocated for the creation of oncd.
12:49 am
what success have you seen from this new office and how important is it that the new administration empower oncd going forward? >> i think kemba did a great job as acting national cyber director, and i think as did chris inglis and harry coker as national cyber director. so i think the most important things are the budget control. in the end we all know resources are what drive things. so having maintaining that budget control, what i wish they could do is expand it to make sure that the sector risk management agency functions are being paid for. the second thing i think they're really good at is the workforce, protecting those. so again, they'll be critical when we do get the pivott act passed. and the third thing i think they're most important for is getting this harmonization of regulation. we've got to reduce the regulation on our industries. and so i think if they're able to do all three of those things, the next administration's national cyber director will be successful. >> thank you very much. i yield back. >> the gentleman yields. i now recognize mr. luttrell
12:50 am
from texas for his 5 minutes of questioning. >> thank you, mr. chairman. admiral, i've got a small nursing home. it's located in one of my little small towns in my district, and they had a cyberattack and we called in cisa. we started going through the checking the boxes and the fbi came in and what it ended up happening is when the fbi came on board and cisa were working in parallel with each other, it turned kind of into a proverbial fistfight, who was in charge. and as this thing kind of inched along, the result was that the nursing home didn't get any results, and you mentioned earlier, if you follow the chain of command, inevitably it has to be one leader, one person in charge. and the net has been cast out very wide, given just kind of the proverbial threat when it comes to cyber risk, cyber threats, cyberattacks. can you give me some refinement on the best course of action on how to decrease that problem set? >> first, thanks for bringing that up, and i think you highlight that rural health care
12:51 am
right now and small health care facilities are probably the greatest risk we have in the utility area. and the reason i say that is that if they get a ransomware attack, most of them have about 5 or 6 weeks of float. that is, if they don't end the ransomware attack and fully recover their systems within 456 -- within 4, 5, 6 weeks, they could be out of business and then the community loses its healthcare. so hhs has to do a much better job supporting these guys left of boom. and one of the things we're pushing hard there is like a fractional ciso program. what that means is i guarantee you're talking about a clinic that hospital you're talking about a clinic could not afford a full-time ciso to prevent this ran and recover from it. >> correct. >> what we need to do is have a program where they can access a pot of cisos who come in who've done ransomware hundreds of times, help that hospital get back on its feet and recover, not just pay the ransomware. that's the easy part. it's restructuring the systems,
12:52 am
but you need specific cisos to do that, but you can only afford about 10 days of that ciso. not 365 days of his or her $400,000 salary. so to do this, we need a virtual fractional ciso program for rural health care. so that's the first thing i do. that's stuff you plan left of boom. and you're asking me about the cluster that was right of boom. that starts with the white house. that starts with the national security memorandum that clearly states who's responsible and who's in charge. now a very localized one like that, it, you know, it can be done by, you know, there'll be some who have a better regional footprint, but a larger one, it's clearly to me it's cisa. you have to have a rule set for it, just like you and i had rule sets operating in the navy, and without that kind of like structured command, i think we're going to continue to have failures like you saw, but i would say there's things we can do left of boom to prevent these
12:53 am
from being the small business killing events that they are, -- they are. >> yeah, because that facility was networked, so not only did it touch that, it touched them all. it took them to a knee. thank you for that. ms. walden, i thought your opening statement was amazing, very point driven, and i appreciate that. you oversaw a digital crimes unit. can you give me some background and find information on exactly what that entailed? where i'm going with this is, we talk about russia, china, iran, north korea, but make no mistake about it, there's some proverbial bad actors in the continental united states as well. and in my district, and i represent a small portion of harris county, and sex trafficking in houston, houston is actually the number one city in the country. can you kind of talk me through, because what i would like to do, we are in 2025. there's just no way in hell we're going to go back to analog. i mean, the digital revolution is here. we're not going to get away from
12:54 am
it and as great as it is, it's terrifying in a sense. can you give me a course of action moving forward that this committee and this administration can jump on top of to decrease the problem set? >> sure. first i want to correct something, for the record. you've given me a promotion. i was not in charge of the digital crimes unit. >> you're welcome. [laughter] >> an incredible mission set. if you can imagine the large enterprises like microsoft or like google, like, etc. see millions of signals a day and they have within that their data set a lot of information that allows us to see when there is a threat actor. crowdstrike can do the same. and we can go after them using legal means, which is what i was in charge for, but also technical means cleaning up our own networks because cybersecurity risk was borne by the larger enterprises should be. and they need to buy them down for all of its customers. so what i would suggest is that we employ policy solutions. so this committee can employ
12:55 am
policy solutions to shift that cybersecurity risk burden to those that are more capable of buying them down. that means microsofts of the world should be coordinating with cisa and sharing information back and forth. microsofts of the world should be able to identify when there are threat actors to immediately deliver that information. >> yes ma'am. thank you. mr. chairman, i yield back. >> gentleman yields. i now recognize the new ranking member of, i think, transportation, right? ms. mciver, congratulations, and you're recognized for 5 minutes for your question. >> thank you, mr. chairman. thank you, ranking member, and to our witnesses for joining us today. cybersecurity is no longer just a technical issue. it is a critical national security challenge that touches every part of our daily lives. i represent new jersey's 10th
12:56 am
congressional district and i see firsthand the importance of protecting our communities. whether it's safeguarding sensitive information for small businesses, securing local hospitals or ensuring that critical infrastructure like power grids and transportation systems remain resilient against cyber attacks. with that being said, in my district, which is home to critical infrastructure such as ports, transportation hubs, and energy facilities that are vital not only to our state but also to our entire nation, can you elaborate on what congress can do to better protect and work with local governments and private sector stakeholders and districts like mine to secure these critical assets from cyber threats? that's to anyone who would like to answer. >> i can start. i would recommend that congress continue to explore state and local grant giving opportunities to be able to reduce some of the legacy technical debt that exists across critical infrastructure.
12:57 am
i would also encourage that you explore opportunities to expand internships, externships to qualifying students and sfs programs, for example, or cybercorp, to be able to deliver to state and locals the talent that they need in order to be maintained systems to bend systems and respond to incidents. >> thank you. >> can i add onto that two things? one, we need bottom up support, and what i mean by that is there are places where the federal agencies are just too small or too under-resourced to regulate. we've noticed this in water, the 55,000 water. we've been pushing for something called a water risk and resilience organization. representative crawford introduced it in the last legislation. what that does is allow trade associations to work with like federal agencies in order to establish the right level of standards.
12:58 am
if i could give one more, it is clinics. we've seen this at, for example, google sponsors them, but in addition to other areas of spending, and what that does is allow local community colleges and vocational schools to run programs where their cybersecurity future professionals can work with the local governments and authority and utilities to improve cybersecurity. >> thank you. >> and if i may also, as we just heard about the clinic or the nursing facility in texas and similar to the small businesses and the critical parts of the transportation infrastructure that you just mentioned, there are two issues that i think we can address. one is that there is a lack of cyber workforce, which we've also heard about earlier today. some of this can be countered by relying on technology like artificial intelligence, but we can also work to bring more interns and bring more stem into the lower levels of schools down to the junior high school level, even to start to train the next wave of workforce and also, as
12:59 am
mentioned in my recommendations, i think there are things we can do to incentivize these businesses to invest in the right cybersecurity by incentivizing them to use managed security services that can help protect them left of boom, as we've heard, there's a lot of work that can be done today that will have payoff in dividends. >> thank you for that. it's interesting that you brought up the idea about the talent, you know, making sure that we have folks in the pipeline who are trained in this field, especially as njit, which is a large university in my district, they have wonderful programs and i am sure they would love to partner and collaborate in any way to make sure that we are pumping out the future employees to work in this field. thank you so much for answering those questions. with that, mr. chairman and
1:00 am
ranking member, i yield back. >> the gentlewoman yields. i'd like to thank chairman green, ranking member thompson, and our witnesses for being here today. i'd like to recognize myself for five minutes. as my colleagues have discussed the threats of our nation, our nation security and how it has evolved over time, becoming more sophisticated and in many cases more dangerous. most alarming is the ability of cyber adversaries to cause chaos without even stepping foot on american soil. we have seen reports of adversarial nations, state hackers such as china, and north korea working together to attacks against global infrastructure. i saw it firsthand as the chairman of the madison county commission in huntsville, alabama, creating total chaos and you think about a multimillion dollar option that we ended up rebuilding our
1:01 am
system more cost-effective than paying ransomware. are you concerned about the cooperation among cyber actors that use the same tactics? >> i am. i'm not as concerned about aggressors sharing tools with each other like we see with north korea providing munitions or troops to russia and ukraine. i am worried that the sophisticated nationstate tools are becoming increasingly available to nonstate actors and criminal actors within the u.s. and overseas. and it is not lost on us that russia's ransomware attacks against the rest of the world went down from three months after the invasion of ukraine because those same criminals were actually state
1:02 am
actors. that has returned with a vengeance. it means the nationstate and criminal actors share tools and that makes it much tougher on our companies. >> thank you. although all cyber actors have their objectives, there is one goal they share, harming the united states. do you foresee the emergence of a cyber axis of evil? >> as i mentioned, i think you are seeing it with the criminal actors starting to get tools that the nationstate actors. and if you asked me as a military officer 10 years ago would north korea send troops to ukraine, i would say no. the rules have changed. they are clearly operating in a more integrated and aggressive way.
1:03 am
it's only natural that this will devolve to cyber tools and techniques and the sharing of worst practices in that case. >> state actors appear to be undeterred from targeting us in cyberspace, whether it is iranian hackers or chinese sponsored threats to critical infrastructure, it is time our national security advisor -- start going on offense and imposing a higher cost and consequences. and given the severity and scope of these threats is it clear that cybersecurity must be at the heart of our homeland security strategy? >> yes. i think we all said cybersecurity is rapidly becoming the most significant threat to our homeland and there
1:04 am
is stiff competition there. there are physical attacks but cyber attacks are a clear and present danger to our industry and government and military. >> how can the u.s. better harness the cyber toolkit to go on offense? >> the u.s. has some amazing capabilities in this area and i think what we have seen is it works best when it's done in tandem, where we see what the adversary is doing and that information is fed into cyber command and allows them to target adversaries in a more precise way. it has worked best where they are targeting ransomware operators because of the number of those attacks and we can quickly provide information on additional targets but we need to find ways to make sure that
1:05 am
what they are learning is being fed here. >> thank you all. the gentleman from tennessee is recognized for five minutes.
1:06 am
both in cyber and cryptographic intelligence sharing but i would have to put israel high on the list. we share information smoothly and fluidly. we share with each other probably not on the same level as the u.s. and united kingdom but close. we have a common shared threat and iran. thankfully they have done a lot to deter iranian action over the last six months with their extensive strikes in israel both kinetic and non-kinetic but our cooperation with them is at the highest level. >> arguably israel is our eyes and ears on the ground. so as you look at our relationship with the u.k., what should we be doing with israel to enhance and increase that partnership, understanding we have a commonly shared enemy?
1:07 am
>> i think there's probably a level of classification that we can increase to even higher but i would say i think we do a good job and frankly the israelis do a great job providing information but this is an alliance on all but paper. we share information closely, we share a common threat, provide weapons to israel in a very useful way so i think we are doing great work. the real worry is continuing what we are doing. >> in the post october 7, when i was in cisa, we were sharing every day with the israeli cyber directorate information in terms of potential actors looking to target israel, from nationstates, non-nationstates in that environment looking to pile on and that information was
1:08 am
consistent and build on a decades long relationship we established. >> in light of the typhoon intrusion at the treasury department, how would you assess the adequacy of the treasury's cybersecurity posture? >> the compromise was interesting because going after a third party security application, beyondtrust, i think treasury's security has dramatically improved but i would say that we are forcing adversaries to go after more complex targets to launch more complex operations, which is good but it also puts an increased burden on us as a country to make sure we are looking for those more complex attacks, that we are managing third-party risk and
1:09 am
understanding how they used supply chains to target critical systems and what we can and should expect to ensure their software and the technology they provide to government and industry is as secure as possible. >> we look at the third-party providers and obviously there's a vulnerability with respect to treasury and other agencies. how do they compare in mitigating that risk? >> i would refer you to people who are in government now to get a better sense of where treasury stacks up but i was impressed with their level of capability. >> i yield back. >> i want to recognize mr. burke from oklahoma. i want to lay out some numbers. i think it is intriguing.
1:10 am
cybersecurity hacks are costing us $320 billion a year, about 1% of our gdp. this has been talked about and at the individual level people have to worry about their bank accounts and you have statistics that say that one in three americans have been affected by health care data breaches alone just in 2024 and so there is so much to gain not only from our national security being hindered but, mr. wales, you said that they are preparing for war, talking about china and their desire as it pertains to taiwan. i want to throw an interesting concept out. the constitution talks about letters of marque and reprisal, something that not i alone am talking about but something that goes back to legislation from a few years ago and when you think
1:11 am
about we have to go on the offensive, we realize we have a massive debt. there is a limitation to how much we can spend and throughout history, knowing that private entities were being attacked, our government would issue limited in scope information for private entities to go out and be able to capture, to hack back, versus waiting on government to respond. and as the saying goes in terms of companies there's two types of companies in this world, there's a delay. why would we not empower the free market to hack back under specified regulated rules letters of marque and reprisal, go on the offense and employ what we know are intelligent
1:12 am
people and we make it hard for people to want to go after america bauk americans under the specific details we immediately hit back and it is a great deterrent for aggression from foreign nations. who would like to speak to that? >> i will start only because i'm from the navy in the last ship seizure was in world war ii under a similar theory. what i will say is i would prefer that we actually developed a cyber force that could do this when we were robust enough so i first have to acknowledge that the right long-term answer, just like with special forces after 9/11 was to grow our special forces. and on occasion you may need to use contractors to bring yourself to that point but the long-term preference is we have
1:13 am
military actors. but those actors don't have to be wearing a uniform and we don't have to recruit people that looked like what chairman cramer looked like when he first joined the navy. they can have unusual drug usage. >> so in the absence of that we need to look at the use of contractors. >> people say you would open up the wild west and it is the wild west already. some would say you don't know what would happen. so for anybody that says there's a risk to this, you are right. but there was the same amount of risk. the problem is we are in a place where we think government is the solution to everything and that's why we have a $36 trillion gross national debt.
1:14 am
i love what you are saying but maybe we don't just need to be looking at the status quo. our founding fathers knew there were risks but they put it in the constitution and they were brilliant. anyone else want to talk about this? >> just agreeing with mr. montgomery here, i would caution there's higher potential collateral damage as a result >> is there anybody willing to think outside the box on this not from a government background? you think they also thought this thing through and thought it could be dangerous for privateers? think about dunkirk. there's a timely when government cannot solve your problems and they hired boats to help out. it would have been a collapse absent utilizing the free market. >> i will leave myself out.
1:15 am
>> i'm pushing pretty hard and with that i yield. >> i now recognize myself for five minutes. thank you for showing up today. it's unfortunate that we don't have the fbi and anyone from homeland security to testify before the committee. and you have all discussed numerous attempts to hack into our critical infrastructure. we have been talking about our health care system, the power grid, water infrastructure, etc. i know director wray of the fbi has even been here in front of congress testifying along these lines. i believe his quote chinese hackers are looking to cause harm to american citizens and communities if and when china decides the time has come to strike.
1:16 am
and one thing my constituents often asked me is why is nobody in the federal government ever held accountable for their failures? i want to point out that i believe it was you, mr. myers who before -- who appeared before this committee and actually took accountability for some of your company's failures. is that correct? >> yes. and that is one of the things the american people are so frustrated about. rarely does anybody take any ownership of their failures. you think some of your counterparts from the federal government today should take some ownership of some of the failures that have led to many of our adversaries acquiring access to our critical infrastructure that we have been talking about today?
1:17 am
would you like to see that? >> i would like to see us move to a position where we can stop these things before they happen. >> so you don't want to see any accountability, any government officials may be sitting on this panel take some ownership? >> my role is to -- >> thank you. to that point, i want to give other members to take ownership of some of the failures that have allowed the chinese and others to hack into some of our critical infrastructure. does anybody want to since you have been doing this for a long time? >> i would say that when i was in government we were clear about where we needed to make improvements. we had not invested enough in the right areas. to look back as the solarwinds
1:18 am
campaign was discovered, we identified the federal government had over invested in some areas and they came to congress and said we need additional funding and since then we have made dramatic improvements in the overall level of security, so i think where we needed to be honest about the lack of capability in certain areas that has allowed attacks to happen, we have been clear about that. >> i was part of the office that created national cyber directors so congress would only have one throat to choke when something went down. i think what mr. wales said is absolutely true. we made movements to make sure we are all singing the same
1:19 am
music, playing in the same game, whatever analogy you want, but i think the failure was a lack of coordination. >> do you take any ownership of that? >> i will own that i worked to make sure that we had better coordination. >> thank you. are you familiar with this report? i believe this was the judiciary committee. >> and do you think it's appropriate for silencing americans? do you think that's appropriate? >> i think americans have free speech rights and can say what they want. >> did you ever oversee the
1:20 am
censorship of any americans for whatever views they might have held whether you agreed with them or not? >> we have been talking about some of the things we can do to increase and bolster our cybersecurity efforts and i agree we need to go on the offensive. and i believe it was you, mr. montgomery who talked about how if we had foreign state actors placing satchel charges and explosives on our energy grid or anywhere else we would raise hell and it would be an act of war. my final question is why are we not doing it? >> i think for too long we have seen cyber as a nonmilitary tool and we saw it as a nuisance, a
1:21 am
criminal actor tool and that has dampened our response. satchel charges, you would not be leading the charge to find out who did this. i just think with cyber, we take on this tempered approach that it does kill people even though we know it does. and there are mobile -- there are more -- morbidity attacks that increase. and i think on a bipartisan basis we didn't see things this way. i hope on a bipartisan basis going forward we can see we need to go on the offensive and hold any country that does this kind of operational preparation accountable for their actions. >> one more follow-up question. if you were not censoring american citizens why was it going on?
1:22 am
>> i do not believe it was. >> so you disagree with the report? >> yes. >> thank you. i yield back. the real chairman is now back. >> let me say thanks to the witnesses for being here. i think it is time to recognize you for our closing statement. >> absolutely. >> i asked for unanimous consent to enter into the record a report entitled cybersecurity policy recommendations for the new administration.
1:23 am
>> so ordered. >> it's been very good. >> we are almost on track and we are getting there and i want you to work with us. and i compliment the chairman on looking at this as a priority for the committee. you will get there and i just think that we have to plow through it in order to get to the finish line and we ask your indulgence, if you have something that i think is of note for the committee to consider, i would encourage you to share it with us. i yield back. >> thank you for your comments on the bipartisan nature of this.
1:24 am
it is really one team on this one because this is critically important. i want to thank the witnesses. all of you have been fantastic, pretty much echoing each other's comments, which is a good slate of witnesses when that happens. i also want to thank the members for their thoughtful comments on both sides. i have stated my priorities on the cyber arena and since this is our first hearing and it is our first hearing on cyber i want to restate those. i think our greatest issue is the workforce shortage and when we have 500,000 empty jobs and the fbi director testifies that he -- that if he took every single cyber person he had and put them on the china desk he would still be outnumbered 50 to one, that circumstance cannot continue.
1:25 am
that's why i will be reintroducing the pivott act. many of you have mentioned it if not by name. and then this harmonization of what is out there in the government. i think we are spending a lot of time, especially private industry, and we know much of our infrastructure is managed by private businesses. i think the rear admiral mentioned that in his testimony. we ask of private businesses all these different things and every agency publishes things and oftentimes they contradict one another and there's this compliance checklist and this one and they end up spending all this time on compliance when they should really be spending time on cybersecurity. and so finding a way to harmonize the government regulations that are in this space i think will free up a lot of energy and money to do
1:26 am
cybersecurity. and i can give example after example but we talked about the liability issue. you brought that piece of it up. on the one hand we are granting one group liability and then the sec is telling people, ok, it takes seven days to repair a breach but you have to tell your shareholders and make a public announcement in four days. why would you announce in four days that you have a breach if it takes seven to fix it? some of the stuff coming out of the bureaucracy and maybe even out of congress too has to be synchronized and that is my second priority. my third is we have to rethink -- and this is why i asked each of you this and i am reiterating my question for written feedback on how we address the economic problems in the production of our software and our technology
1:27 am
because first to market is creating vulnerabilities that are costing the government as a vendor and costing private industry millions of dollars a year. and we have to get to a place -- i don't know if it is certification. there are multiple courses of action here. liability could be one. i know businesses don't want to hear that, right? it's ok. it is my turn. but i ran a health care company. i get being first to market but if you throw that piece of software out there and you have rushed it to market and it has a hole in it, we could all be screwed. so we have to figure out how to reverse this economic model. another model is it takes a $3000 laptop in russia for a kid to get $5 million out of a rural
1:28 am
nursing home. he has no risk. he's not going to be extradited to the united states. we have to fix that model and make it more expensive for him or her to hack us on a $3000 laptop so economic models have to be adjusted. we will reenact the cyber subcommittee i started last cycle where we get the various subcommittees of -- we are siloed in congress and this whole cyber thing. we have cyber subcommittees in financial services and others. we tried to get those together. we got them together last year on about a quarterly basis. we will start that again and start taking a whole of government approach to cyber. i might ask all of you at some point to come back and present what you did today to that group
1:29 am
because we need a whole of government approach. and i agree on the unity of command issue that you mentioned, admiral. that is critical. i spent 24 years in the military and studied the principles of war at west point so i get that and you are right. clearly defining who is in charge, that is really us, congress, finding those authorities, so we will work on that. one of the things that worries me a little bit is if you use chemical weapons against the u.s., we have a written strategic response to that. if you use nuclear weapons -- we have a first use nuclear, right? we don't have a cyber response strategy. if you hit the u.s., this is what will happen. and i hope the new administration will take that on
1:30 am
and come out with a statement that says if you do x we will do y. and it's well known and articulated throughout the world because you can have all the capability in the world. if you -- there are some comments made about secretary noem's refusal to --, that is not a reflection of her commitment to cyber security. she just believes in federalism, and she spent millions of south dakotan dollars to create this cybersecurity in her own state. implying that she is somehow opposed to cyber security, cyber protection because she chose not to take federal dollars, i think it is a mistake. the committee can also ask additional questions to you and they have a few days to do so. i ask that you guys respond in writing. pursuant to committee rule 70, the hearing record would be held
1:31 am
open for such for 10 days. thank you again, and without objection, this committee stands adjourned. [captions copyright national cable satellite corp. 2025] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]