GAO HIGH RISK FOCUS: CYBERSECURITY

JOINT HEARING BEFORE THE SUBCOMMITTEE ON INFORMATION TECHNOLOGY AND THE SUBCOMMITTEE ON GOVERNMENT OPERATIONS OF THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED FIFTEENTH CONGRESS, SECOND SESSION

JULY 25, 2018

Serial No. 115-110

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.govinfo.gov and http://oversight.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE, WASHINGTON: 2018 (32-932 PDF)

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

Trey Gowdy, South Carolina, Chairman

Majority: John J. Duncan, Jr., Tennessee; Darrell E. Issa, California; Jim Jordan, Ohio; Mark Sanford, South Carolina; Justin Amash, Michigan; Paul A. Gosar, Arizona; Scott DesJarlais, Tennessee; Virginia Foxx, North Carolina; Thomas Massie, Kentucky; Mark Meadows, North Carolina; Ron DeSantis, Florida; Dennis A. Ross, Florida; Mark Walker, North Carolina; Rod Blum, Iowa; Jody B. Hice, Georgia; Steve Russell, Oklahoma; Glenn Grothman, Wisconsin; Will Hurd, Texas; Gary J. Palmer, Alabama; James Comer, Kentucky; Paul Mitchell, Michigan; Greg Gianforte, Montana; Michael Cloud, Texas.

Minority: Elijah E. Cummings, Maryland, Ranking Minority Member; Carolyn B. Maloney, New York; Eleanor Holmes Norton, District of Columbia; Wm. Lacy Clay, Missouri; Stephen F. Lynch, Massachusetts; Jim Cooper, Tennessee; Gerald E. Connolly, Virginia; Robin L. Kelly, Illinois; Brenda L. Lawrence, Michigan; Bonnie Watson Coleman, New Jersey; Raja Krishnamoorthi, Illinois; Jamie Raskin, Maryland; Jimmy Gomez, California; Peter Welch, Vermont; Matt Cartwright, Pennsylvania; Mark DeSaulnier, California; Stacey E. Plaskett, Virgin Islands; John P. Sarbanes, Maryland.

Staff: Sheria Clarke, Staff Director; William McKenna, General Counsel; Meghan Green, Counsel; Troy Stock, Information Technology Subcommittee Staff Director; Julie Dunne, Government Operations Subcommittee Staff Director; Sharon Casey, Deputy Chief Clerk; David Rapallo, Minority Staff Director.

SUBCOMMITTEE ON INFORMATION TECHNOLOGY

Will Hurd, Texas, Chairman; Paul Mitchell, Michigan, Vice Chair

Majority: Darrell E. Issa, California; Justin Amash, Michigan; Steve Russell, Oklahoma; Greg Gianforte, Montana; Michael Cloud, Texas.

Minority: Robin L. Kelly, Illinois, Ranking Minority Member; Jamie Raskin, Maryland; Stephen F. Lynch, Massachusetts; Gerald E. Connolly, Virginia; Raja Krishnamoorthi, Illinois.

SUBCOMMITTEE ON GOVERNMENT OPERATIONS

Mark Meadows, North Carolina, Chairman; Jody B. Hice, Georgia, Vice Chair

Majority: Jim Jordan, Ohio; Mark Sanford, South Carolina; Thomas Massie, Kentucky; Ron DeSantis, Florida; Dennis A. Ross, Florida; Rod Blum, Iowa.

Minority: Gerald E. Connolly, Virginia, Ranking Minority Member; Carolyn B. Maloney, New York; Eleanor Holmes Norton, District of Columbia; Wm. Lacy Clay, Missouri; Brenda L. Lawrence, Michigan; Bonnie Watson Coleman, New Jersey.

CONTENTS

Hearing held on July 25, 2018 ... 1

WITNESSES

The Honorable Gene L. Dodaro, Comptroller General of the United States, U.S. Government Accountability Office: Oral Statement ... 4; Written Statement ... 6

Ms. Suzette Kent, Federal Chief Information Officer, U.S. Office of Management and Budget: Oral Statement ... 45; Written Statement ... 47

APPENDIX

Response from Mr. Dodaro, Government Accountability Office, to Questions for the Record ... 78

Response from Ms. Kent, Office of Management and Budget, to Questions for the Record ... 81

GAO
HIGH RISK FOCUS: CYBERSECURITY

Wednesday, July 25, 2018

HOUSE OF REPRESENTATIVES, SUBCOMMITTEE ON INFORMATION TECHNOLOGY, JOINT WITH SUBCOMMITTEE ON GOVERNMENT OPERATIONS, COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, Washington, D.C.

The subcommittees met, pursuant to call, at 2:25 p.m., in Room 2154, Rayburn House Office Building, Hon. Will Hurd, chairman of the Subcommittee on Information Technology, presiding.

Present: Representatives Hurd, Mitchell, Hice, Amash, Massie, DeSantis, Blum, Kelly, Connolly, Raskin, Maloney, and Norton.

Mr. HURD. The Subcommittee on Information Technology and the Subcommittee on Government Operations will come to order. And without objection, the presiding member is authorized to declare a recess at any time.

I would like to now recognize my friend and partner in crime, the distinguished gentlewoman from the great State of Illinois, for her opening remarks.

Ms. KELLY. Thank you, Mr. Chair. And not too much crime.

Thank you, Mr. Chairman and Chairman Meadows, for holding this important hearing. Ms. Kent, welcome to today's hearing, and thank you for testifying today and sharing your vision for cybersecurity as the new Federal CIO; it was great to meet you in my office. And Mr. Dodaro, special thanks to you for the extensive work you and all the dedicated professionals at GAO put into providing this special midcycle high-risk report on cybersecurity; it was nice meeting with you also.

GAO's newly issued report raises serious concerns about our Nation's ability to confront cybersecurity risk. GAO found key deficiencies that could hinder the government's progress in strengthening the Nation's cyber defenses. For example, GAO found that the Trump administration's plans failed to include basic components needed to carry out a national strategy for protecting critical cyber infrastructure. Among the missing components were details about performance measurements and milestones for determining whether the country's cyber objectives are being met, and the resources that would be needed to carry out those objectives.

GAO's report highlights the need for the administration to develop and execute a more comprehensive Federal strategy for national cybersecurity and global cyberspace. It underscores the importance of having a cybersecurity coordinator in the White House to develop a more robust cybersecurity strategy for the country. But here again, the Trump administration is not rising to the challenge. Two months ago, the President's National Security Advisor, John Bolton, eliminated the position of White House cybersecurity coordinator. This decision was contrary to a prior GAO recommendation to have a White House cybersecurity coordinator in the Executive Office of the President develop an overarching Federal cybersecurity strategy, at a time when our Nation is facing persistent cyber threats ranging from foreign adversaries who seek to undermine our elections to criminal hackers who steal sensitive data. The administration's decision to eliminate the key cybersecurity position in the White House should raise alarm.

Today's report also shows that the number of Americans whose personal information has been compromised in government and private sector data breaches is growing, and there's a need for stronger measures and congressional action to protect consumer privacy. GAO found that the vast number of individuals potentially affected by data breaches at Federal agencies and private sector entities in recent years increases concerns that personally identifiable information is not being properly protected.

GAO's findings are supported by two recent reports that highlight the heightened challenges public and private sector organizations are facing in securing sensitive data. In April, Verizon issued a report showing that in the past 12 months alone there were over 53,000 incidents and 2,216 confirmed data breaches. And just last week, the Attorney General's Cyber-Digital Task Force released a report showing that there were at least 686 data breaches reported in the first quarter of 2018, resulting in the theft of as many as 1.4 billion records. Last year's data breach at Equifax, in which over 143 million Americans had their personal information stolen, and the 2015 breach at OPM, which affected approximately 22.1 million individuals, illustrate the massive scale of harm to privacy and security that these breaches have.

To address the growing concerns about privacy, GAO recommended that Congress straighten out privacy laws, the majority of which were written well before the development of new technologies ranging from the use of social networking sites to facial recognition technologies and many mobile applications. Congress should heed GAO's recommendations and reexamine how our privacy laws can be strengthened to ensure that consumers' personal privacy is adequately protected.

I want to thank our witnesses for testifying today. And I normally would say I look forward to hearing your testimony, but I have to leave. But I look forward to reading it, on how we can improve the Nation's cybersecurity. And thank you again, my friend, Mr. Chairman.

Mr. HURD. Good afternoon, y'all. Today's hearing returns to a familiar field for this subcommittee, an area of top bipartisan concern and focus, and that's the cybersecurity of the Federal Government. The Federal Government and our Federal agencies, like everything else in today's digital society, are dependent on IT systems and electronic data, which make them highly vulnerable to a wide and evolving array of cyber threats.

Federal civilian agencies reported over 35,000 information security incidents to the US-CERT last fiscal year. This represents a 14 percent increase over the previous year. Securing Federal systems and data is vital to the Nation's security, prosperity, and wellbeing. It should concern all of us, therefore, that the GAO has concluded, in the interim high-risk report that spurred this hearing, that urgent actions are needed to address ongoing cybersecurity challenges in the Federal Government.

In this report, the GAO identified four major cybersecurity challenges: establishing a comprehensive cybersecurity strategy and performing effective oversight; securing Federal systems and information; protecting cyber critical infrastructure; and protecting privacy and sensitive data. To address these four challenges, GAO identified 10 critical actions that Federal Government entities need to take. I'm looking forward to exploring those 10 items.

Since 2010, GAO has made over 3,000 recommendations to agencies aimed at addressing these four cybersecurity challenges. And as of June of this year, nearly 1,000 of those recommendations have not been implemented. It's not acceptable, given the threat we face. These open, lingering vulnerabilities put us at incredible risk, as we saw with the devastating data breaches at OPM.

While I do not expect Ms. Kent or anyone else to have all the answers today, I want to hear from GAO the most critical open recommendations, and from Ms. Kent concrete plans to close them.

I want to commend Mr. Dodaro and his team at GAO for issuing this report. Midcycle updates to the high-risk list are not common. I recommend all agency CIOs read this report and apply the applicable recommendations to their respective agencies and systems, because guess what: we're going to be asking you about them.

And as always, I'm honored to explore these issues in a bipartisan fashion with Ranking Member Kelly, Chairman Meadows, and Ranking Member Connolly. The four of us have worked together for years on these issues, and I'm honored to be joined here with them throughout today's hearing.

Now it's a pleasure to introduce our witnesses: the Honorable Gene Dodaro, Comptroller General of the United States, Government Accountability Office. You always hold a special place in my heart, because you were my first hearing being in Congress. Mr. Dodaro is accompanied by Mr. Gregory C. Wilshusen, the Director of Information Security Issues at GAO, who will also be sworn in. And Ms. Suzette Kent, Federal Chief Information Officer at the Office of Management and Budget. I think this is your first time here; I don't think it's the first time testifying in Congress, but welcome.

Pursuant to committee rules, all witnesses will be sworn in before they testify. So please stand and raise your right hand. Do you solemnly swear or affirm that the testimony you're about to give is the truth, the whole truth, and nothing but the truth, so help you God?

Thank you. Please let the record reflect that all witnesses answered in the affirmative.

And in order to allow time for discussion, please limit your testimony to 5 minutes. The entire written statement has been made part of the record. And as a reminder, the clock will show your time remaining. When it's yellow, you have 30 seconds. When it's red, your time is up. And remember to press the button.

And we'll start with Mr. Dodaro. You're now recognized for 5 minutes.

WITNESS STATEMENTS

STATEMENT OF GENE L. DODARO

Mr. DODARO. Thank you very much, Mr. Chairman, Ranking Member Kelly, members of the committees that are here today. I very much appreciate the opportunity to be here to discuss this important topic.

This is an area that's been of long concern to me. We at GAO designated cybersecurity across the Federal Government as a high-risk area in 1997. So nobody could say we didn't warn people that this was going to be a problem. In 2003, we expanded that high-risk designation to include critical infrastructure protection. And in 2015, we included the need to protect personally identifiable sensitive information as well.

Now, the government has taken a number of actions, especially since the OPM breach. Mr. Chairman, as you mentioned, there's been executive orders, strategies, documents, studies, but there still needs—much more needs to be done in this area. As you referenced in your opening statement, since 2010 we've made over 3,000 recommendations. While two-thirds of those have been implemented, there's still 1,000 recommendations that need action.

Now, the four areas that we identified I think are especially important. First is establishing a comprehensive strategy and, importantly, having effective mechanisms in place to oversee its effective implementation. And this is to include global supply chain issues, critical workforce issues, and dealing with emerging technologies that are going to bring new risk, such as artificial intelligence, the internet of things, quantum computing.

Secondly, there needs to be more urgent action to secure the Federal information systems. There needs to be more effective implementation of governmentwide efforts like continuous diagnostics and mitigation. Agencies need to fix their systems. There needs to be more attention in responding effectively when incidents do occur. Over time, we've seen agencies be slow to implement the effective actions.

On critical infrastructure protection, this is an area that needs a lot more Federal attention. Now, in many areas the Federal Government has some regulatory responsibilities in this area, but by and large critical infrastructure protection is a voluntary effort by the private sector. The National Institute of Standards and Technology has developed an approach that the private sector can use, but it's all voluntary. So there's really not a clear picture, in my opinion, across the different sectors. And there's 16 different sectors of the economy that make up critical infrastructure, including the electricity grid, telecommunications, nuclear issues, utilities, et cetera, the financial market areas as well. So these are vital to our economic health. They're vital to public health and safety. And there needs to be more collaboration and a better understanding of to what extent these voluntary standards have been implemented by the various sectors and what their state of readiness is to deal with these issues.

The fourth area deals with privacy. Now, here Federal agencies themselves need to better secure sensitive information. We've issued reports recently on a need to protect Medicare beneficiary data, for example; electronic health information systems; data on Federal student loans, where there's a lot of personal data, financial data that families submit. So that needs to be dealt with, definitely. And we need to think about what information the Federal Government will collect going forward. We've made some recommendations on the need to eliminate unnecessary use of Social Security information, for example.

We also have recommendations to the Congress in this area. The Privacy Act that was passed in 1974 and the Electronic Government Act that was passed in 2002 need updating as well. And I'd also—we've recommended since 2013 that the Congress establish a consumer privacy framework for the private sector. In those areas, the Federal Government has put out, in some sectors, healthcare and, you know, credit reporting, some requirements for the private sector. But by and large the Federal Government has not set requirements for this area, particularly as it relates to information resellers as well.

So again, Mr. Chairman, I want to thank you for the opportunity to be here today. I asked our team to put together this special report because I don't think the Federal Government's moving at a pace commensurate with the evolving threat in this area, and we all need to work harder, faster, to address this issue. Thank you very much.

[The prepared statement of Mr. Dodaro follows:]
[The prepared statement of Mr. Dodaro, GAO-18-645T, "Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation," addressed to Chairmen Meadows and Hurd, Ranking Members Connolly and Kelly, and Members of the Subcommittees, appears in the printed record at pages 6 through 44.]

Mr. HURD. Thank you, Mr. Dodaro. Ms. Kent, you're now recognized for 5 minutes for opening remarks.

STATEMENT OF SUZETTE KENT

Ms. KENT. Chairman Hurd, Chairman Meadows, Ranking Member Kelly, Ranking Member Connolly, and members of the committee, thank you for having me here today. I am honored to be here to speak with you, and I appreciate all the forums that inspire more aggressive actions towards improving Federal cybersecurity.

My goal today is to share with you the progress that has been made against the areas highlighted by the Comptroller General, but more important, to share the perspectives on what still needs to be done. And I'd like to engage your continued support on that.

Advancement of our cybersecurity posture, both at agency levels and across the Federal enterprise, is one of the most important parts of my job. Tomorrow will actually mark 5 months serving at OMB as the Federal Chief Information Officer. And I joined from the financial services industry, where the bar is high for cybersecurity and data protection, and I bring that same high bar of expectations to my role as Federal CIO.

I was fortunate to come into the role when the administration was setting out the President's Management Agenda, which focuses on technology modernization, data accountability and transparency, and building the workforce of the 21st century. Cybersecurity is a core component of the PMA's IT modernization goals. It's also embedded in the work that we are driving under other goals. The goals for sharing quality services and improving IT spending have elements that drive the use of modern technologies and industry best practices to improve our overall cyber posture. Additionally, the PMA stresses strategies for recruiting, retaining, and re-skilling our Federal IT and cybersecurity workforce, because our current status is as much a people issue as it is a technology issue.

While the PMA outlines the critical areas of focus, OMB's statutory cybersecurity roles are predominately defined by the E-Government Act of 2002 and the Federal Information Security Modernization Act of 2014. Our roles align to three main things: development of policy and oversight for the Federal civilian systems; assisting agencies with data analysis and budget; and gathering evidence that promotes solutions that achieve these policies and standards. To carry out the responsibilities, we work closely with agency technology leaders, DHS, NIST, DOD, the intelligence community, and the National Security Council. But because cybersecurity requires deep expertise both about technology and the mission functions, it does take a collaborative approach to address both the agency-specific and enterprise demands. I am united with the Federal Inspector General community in the mission of securing our systems and data, on a journey that actually doesn't end.

The improvements in Federal cybersecurity outlined in GAO's report are due to a focus on accountability, and it's my goal to further advance the culture of continuous evolution of our cyber capabilities and our workforce to tackle the things that we still must do.

In May of 2017, the President signed Executive Order 13800 regarding strengthening cybersecurity of Federal networks. This executive order recognized that we need to defend the security of citizen information and ensure the agencies consider cybersecurity as a vital part of their core mission. As part of this EO, the White House also published a report to the President on Federal IT modernization, which included 52 tasks such as safeguarding high-value assets, network consolidation, use of commercial cloud solutions, and strengthening identity management tactics. I share with you today that 37 of those 52 tasks have been completed, many of them ahead of schedule, and we intend to complete the remaining tasks by the end of the year.

Executive Order 13800 also directed OMB to develop the Federal Cybersecurity Risk Determination Report and an action plan. Together, OMB and DHS conducted agency risk management assessments to measure agency cybersecurity capabilities and, very specifically, their risk mitigation approaches. This report did evidence that there's still much to do to improve the awareness of the threat environment, and we're using these findings to prioritize both the investments and the focus of resources.

There are other key initiatives I'll quickly highlight. As chair of the Technology Modernization Board, I'm excited by the way this vehicle supports acceleration of modernization, and we appreciate the funding that Congress provided this year, and we hope to receive funding for next year. We are focused on enhancing CIO authorities. And lastly, and most importantly, we are updating old policies, policies that are not effective given the current state of technology capabilities. We're delivering new policies for high-value assets, data centers, continuous monitoring, cloud technologies, and network optimization in the coming months.

In closing, I'm fortunate to take on this role with a clear and focused technology agenda. Cybersecurity has to underpin everything we're doing, from acquisition to operations, because the battle is continuous, and our effort to raise the bar and outpace our adversaries is a mission imperative for every agency. I look forward to working with Congress and the leaders across the Federal Government agencies to be aggressive and relentless about improving Federal cybersecurity. And I thank you for the opportunity to talk with you today.

[The prepared statement of Ms. Kent follows:]

[The prepared statement of Ms. Kent appears in the printed record beginning at page 47. Its footnotes cite the Federal Information Security Modernization Act of 2014 (Pub. L. 113-283); Executive Order 13800, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017); and the American Technology Council's Report to the President on Federal IT Modernization (2017).]
Mr. HURD. Thank you, Ms. Kent. Now we'll go to the first round of questions. The distinguished gentleman from Georgia is now recognized for 5 minutes.

Mr. HICE. Thank you very much, Mr. Chairman. Thank you both for being here. Mr. Dodaro, good seeing you again. And Ms. Kent, congratulations on your recent position.

Last year, fiscal year 2017, Federal civilian agencies reported over 35,000 information security incidents. That's a stunning number, about a 15 percent increase from the previous year. This is really to both of you to begin with: What's driving that increase?

Mr. DODARO. I think there's at least two things. One, there's a better awareness on the part of the agencies to report incidents which do occur. But I also think that it's being driven in part by more aggressive activity on the part of state and non-state actors to try to penetrate the Federal Government systems. This applies to critical infrastructure protection as well. And so I think it's, you know, both—both factors are at play here at a minimum.

Ms. KENT. I concur. And we do see an increase across the entire industry in threats, but you also see the increase in reporting, and that's something that we need to continue to move more aggressively across all of the agencies.

Mr. HICE. All right. So it's both, and we're having more incidents, more attacks, and we're also getting better at detecting them.

Ms. KENT. Yes.

Mr. HICE. All right. Can you walk me through some of the various means that attackers use to initiate some sort of cyber attack, the threat vectors? What's most common? What's most preventable? Mr. Dodaro?

Mr. DODARO. Yeah. There's—you know, phishing attacks have been particularly prominent lately, in terms of somebody sending an email to someone in the hopes that they'll download malicious code or other factors. There's, you know, social engineering that takes place in those areas as well. There's—one of the largest categories, though, in the reporting is "other." And "other" includes they don't know what the threat vector was and how people were able to penetrate the system. That is one of the most concerning aspects of this.

Mr. HICE. All right. I want to get there. What are the vectors? When you talk about vectors, what—you've got phishing, you got—what else? What are we dealing with?

Mr. DODARO. Yeah, we have a pie chart in our testimony. Let me just pull that up here.

Ms. KENT. Improper usage, email and phishing.

Mr. DODARO. Right.

Ms. KENT. Loss and theft of equipment, and other web-based attacks.

Mr. HICE. Okay. So those comprise more or less 70 percent. Then you mentioned 31 percent——

Mr. DODARO. Right.

Mr. HICE. ——other. So does that mean we have no idea how they're breaking in or what they're doing, or what does that mean?

Mr. DODARO. That means that there's—it's unknown, and in some of these cases, how these things have occurred. I mean, that's the concerning part of this, and that's one of the points that we make in the report. That's why it's important to have an effort to detect these things when they occur. What's been reported in these cases, I mean, the attacks happen in a matter of minutes, but the detection doesn't occur for months later. And that impairs the ability to determine exactly what happened that led to this attack situation.

Mr. HICE. All right. Ms. Kent, do you want to add to that, your definition or whatever of "other"?

Ms. KENT. I would just add to the last point that Mr. Dodaro made, is that we have identified that we have to move much more quickly when an attack is identified, to not only share that threat information across agencies but to act and begin immediate remediation of those issues.

Mr. HICE. All right. Once an attack comes in, particularly—I'm with you—concerned about the "other," where we have no idea how they're getting in. Is there any way of tracking where they're coming from?

Mr. DODARO. Some of that's possible with some forensics, but in some cases there's not clear audit trails in the systems that are created in the documentation there. One of the big problems, Congressman, here is that, you know, the Federal Government and a lot of agencies are saddled with these legacy financial systems that are like a millstone around their neck. They're old systems. They were designed before security was a prominent area. Some of them at IRS are from the sixties. And so there's not good documentation, and therefore there's not a good audit trail to follow to figure out how things were introduced.

Mr. HICE. Which is surprising to me and kind of inexcusable, seeing that tens and tens and tens of millions of dollars we give for IT on an annual basis around here. It just amazes me that we're still using such legacy systems. It seems like——

Mr. DODARO. Well, of the billions of dollars that you give every year, $80-$90 billion, 75 percent of it goes to maintain these legacy systems.

Mr. HICE. Rather than get updated.

Mr. DODARO. Rather than get updated. That's why we added IT acquisitions and operations across the government as a high-risk area in 2015.

Mr. HICE. My time has expired. Mr. Chairman, thank you so much.

Mr. HURD. The representative from the District of Columbia, Ms. Holmes Norton, you're now recognized for 5 minutes.

Ms. NORTON. Thank you very much. And I must say, not only do I appreciate our guests appearing, I appreciate the committee for having this hearing, because, frankly, I think Americans are increasingly terrified, wondering if anybody is protecting their cybersecurity. And the reason I think so is what we're hearing even on mass media. This is
really an old problem. How many years ago was it this very committee had a hearing on how our Federal employees had been penetrated, and the Congress actually at that time gave Federal employees 10 years of protection against further penetration by way—I'm sure that's running. I'm not sure how long it has to go. I have a bill called the Recover Act. In light of the negligence of the Federal Government, it seems to me that the very least we could do would be to give lifetime coverage. And that's been sufficiently long ago, more than 5 years ago. I think it's going to come up against soon, and we're going to be faced with that question for our own employees.

Now, this committee had a recent hearing, and if you want to get—if you want to frighten our people, the head of the DHS, Under Secretary, testified that the Russians were already scanning—it's the word he used—all 50 States. He couldn't tell me that all 50 States—they were doing something in all 50 States. It sounds like reconnaissance. We're looking to see when to hop and whom to hop upon. So I'm very interested, I think, because I represent so many Federal employers that were among those first implicated.

And Mr. Dodaro, I'd like to ask you about Federal strategy. I'd like to be able to say I left this hearing and I learned something that should put some of my own constituents at ease. Would you tell me what the Federal strategy is for protecting national cybersecurity here and penetration globally from outside of the United States? Do you have access to such a national strategy?

Mr. DODARO. There are several documents that have been put forward by the executive branch. DHS——

Ms. NORTON. Would you call that a national cybersecurity strategy? And what do you mean by documents? Would you tell us what a document does?

Mr. DODARO. Sure. Sure. Sure. You know—well, first of all, our main point today is there's a need for a more comprehensive national strategy.

Ms. NORTON. There must be something if you say a more comprehensive——

Mr. DODARO. Right, right. There has been a foundation laid by the government for these strategies. DHS has a strategy that they put forward. They're responsible for coordinating across the Federal Government and with critical infrastructure protections, and they've laid out a number of components of that strategy. But we found they need—they didn't identify who the—what resources they needed, how they were going to determine they were making progress——

Ms. NORTON. Since several agencies would be involved, who should be in charge of coordinating the development of a strategy—cybersecurity strategy?

Mr. DODARO. Well, it needs——

Ms. NORTON. National cybersecurity strategy.

Mr. DODARO. Yeah. You need to have either an individual or an entity or a process in order to have somebody to coordinate——

Ms. NORTON. For example, with more than a number of agencies involved, who would you suggest? You, the GAO, might be——

Mr. DODARO. Well, it needs to be led out of the White House, in my opinion.

Ms. NORTON. It needs to be led out of the White House. Back and forth.

Mr. DODARO. Because you're dealing with national and global issues in this case.

Ms. NORTON. That's where the coordination needs to happen, and I appreciate that.

Mr. DODARO. Well, it needs to happen at all levels, but the——

Ms. NORTON. Now, somebody needs to be in charge. My concern, Mr. Dodaro, is I can't say to my constituents, don't worry about it. Either some agency is in charge or somebody in the White House is in charge. What about milestones? Are there at least, and what has been put forward by individual agencies, milestones so that I could say to my own constituents, well, they're this far along, and here's an example? That's what people are looking for. Assure me. Reassure me.

Mr. DODARO. No, we would like to see more milestones. DHS has told us, for example, they're working on their strategy. It's supposed to be out next month. That would identify milestones that would include the resources and the performance measures. So we'll wait to see. But that's supposed to be forthcoming.

Ms. NORTON. Ms. Kent, finally, let me ask you, because you are dealing with the IT strategy for the Federal Government. Do you have milestones? And where are we when it comes to helping agencies operationalize these policies so that there is at least governmentwide such an IT strategy? Are there milestones? Who's implementing them? Who's in charge? Are you in charge? You're the chief financial officer, or please detail that.

Ms. KENT. There are indeed milestones, and many of the points that have been made around deployment of continuous diagnostic and monitoring tools, securing agency data, modernizing their technology are part of the milestones that we are tracking. You did see in the report that we are behind across the agencies on some of those. So we have a very specific focus. There was a milestone set for deployment of the continuous diagnostic and monitoring tools. We have not met that milestone, and we're working very aggressively with the——

Ms. NORTON. What are monitoring tools, please?

Ms. KENT. To be able to—for all of the agencies to have implemented tracking capability so that they know what is on their network.

Ms. NORTON. Yeah, I'm worried about the scanning, for example.

Ms. KENT. Yes. So that we know who is accessing their network——

Ms. NORTON. Yeah.

Ms. KENT. ——and what. And so we are working very aggressively with DHS. And one of the critical things that we did as part of the President's Management Agenda was reassess high-value assets. I am pleased to say that we had 100 percent participation from every agency to identify those assets that are most critical applications and data, and we're working with DHS on those that are most critical for the next set of activities.

Ms. NORTON. Thank you very much. Mr. Chairman, I think the committee needs to do more to press the milestone notion so that we can reassure the American people that we're getting there and how soon we're going to get there. Thank you very much.

Mr. HURD. Thank you. The gentleman from Michigan is now recognized for 5 minutes.

Mr. MITCHELL. Thank you, Mr. Chair. I'd like to pursue a little bit the questioning that my colleague had a few moments ago about these 35,000-plus, quote, incidents. Can you define, Mr. Dodaro, a little more carefully what an incident is, in your interpretation?

Mr. DODARO. I'm going to ask Mr. Wilshusen, our expert in this area, to explain those.

Mr. MITCHELL. Turn your mic on, sir.

Mr. DODARO. Oh, I'm sorry. I'm going to ask Mr. Wilshusen to explain those. He's our expert in that area.

Mr. MITCHELL. Because these aren't—incidents aren't just someone tinkering around trying to scan in your system. Please define them a little more carefully.

Mr. WILSHUSEN. Right. These would be incidents that actually have impacted an agency operation or so. They were able to gain access, and they do this through a number of different mechanisms. One of the more common ones, it's just through what is known as a phishing attack.

Mr. MITCHELL. Phishing, sure.

Mr. WILSHUSEN. In which you send an email with a link, and someone clicks on it, and it sends them to a——

Mr. MITCHELL. Sends malware.

Mr. WILSHUSEN. ——or download some suspicious software.

Mr. MITCHELL. Okay.

Mr. WILSHUSEN. It can also be the loss or theft of equipment that contains sensitive information as well.

Mr. MITCHELL. Sure.

Mr. WILSHUSEN. So there are a number of different types of incidents, but these are ones that do have an impact or can have an impact on the agency.

Mr. MITCHELL. Now, Mr. Dodaro, you referenced earlier that state and non-state actors—has been suggested, as discussions already started, that again we're back to Russia. These state actors—examples of state actors impacting our systems go far beyond Russia, do they not?

Mr. DODARO.
Yes, they do. I mean, some of the intelligence community has singled out, you know, Russia, China, Iran, North Korea as, you know, actors in this area as well.

Mr. MITCHELL. I'll run the risk of offending some people by saying that I believe occasionally some of our allies actually occasionally are trying to wander around our systems too.

Mr. DODARO. It could be. I mean, I would defer to the intelligence community for those responses.

Mr. MITCHELL. I'll let them get into it. I want to stress the reality is we face threats both internally and externally through cybersecurity. When an incident happens, Ms. Kent, how—what's the timeframe by which you're informed we have some level of an incident?

Ms. KENT. There are various timeframes, depending on the incident and when the agency identifies the particular activity. Like you just heard, there's different types of issues and incidents. Some of those may be very quick; others may be a longer timeframe. And as Mr. Dodaro indicated, particularly in situations where there is some type of malware or an attempt to——

Mr. MITCHELL. Let me stop you. I appreciate it. You've got—I understand they can't inform you until they know about them. That's problem one. We'll get to that in a moment. Problem two is that the time from when they have knowledge of the incident, what's the general—what's the expectation—let me change that—what's the expectation that you put out, the White House has put out, to inform you that we have an incident of some form? What's the expectation?

Ms. KENT. The expectation is that the agency informs DHS, who is looking at our enterprise risk, and we are tracking all——

Mr. MITCHELL. What's the timeframe on that? Once more, what is the timeframe on that?

Ms. KENT. As immediately as they know.

Mr. MITCHELL. So theoretically the same day, next day, that night, whatever the case may be.

Ms. KENT. As quickly as they have identified the incident.

Mr. MITCHELL. When do you find out about it?

Ms. KENT. I find out in reports from DHS.

Mr. MITCHELL. Which is—takes what kind of timeframe?

Ms. KENT. Depends on the type of incident.

Mr. MITCHELL. Go ahead, give me examples.

Ms. KENT. I don't actually have an example.

Mr. MITCHELL. Okay. Let me ask you a question, if I can, Mr. Dodaro. The FISMA audits that are done, in your opinion, are they sufficient, and are actions being taken on those audits at this point in time?

Mr. DODARO. They're a starting point, because they're supposed to identify a comprehensive information security system. We find that there are deficiencies in all aspects: access control, segregation of duties, configuration management, contingency planning. So—and they're not remedied as quickly as possible. So there are serious security weaknesses that have existed for years, and a number of the FISMA audits at the agencies are in place. But there needs to be more done, because they need to have better response when they find incidents.

Mr. MITCHELL. Who's responsible for those—for that followup?

Mr. DODARO. Well, each agency is responsible for their own actions, and this is an issue because they're not correcting the problems fast enough, in my opinion. That's why we have it as a designated high-risk area across the entire Federal Government. Virtually every agency has serious weaknesses. And I don't think enough attention's focused by agency managers on getting these areas fixed. We've made recommendations to OMB that they send out more guidance to the agencies to hold senior leaders accountable for getting these weaknesses fixed.

Mr. MITCHELL. One of the things that astonished me—and my time expired here, but let me finish this one comment, Mr. Chair—is that when I first joined Congress and joined this committee, I was astonished by the number of agency chief information officers that—how do you get someone leading when you've got all of these people doing their own thing? I mean, you—Ms. Kent, you were in the private sector, and I am short on time, so I can't—that didn't happen in your world now, did it?

Ms. KENT. It did not. And that's also one of the focuses that we have had, both under FITARA as well as the recent executive order, to have a single CIO that has accountability, responsibility, and visibility across the entire agency so that we can move the types of things that we were talking about much more quickly.

Mr. MITCHELL. And with that, when there's an incident, they should tell DHS, and they should tell you at the same time.

Ms. KENT. Yes.

Mr. MITCHELL. Thank you. I will yield back. Thank you, Mr. Chair. I'm sorry.

Mr. HURD. The distinguished gentleman from Iowa is now recognized for 5 minutes.

Mr. BLUM. Thank you, Chairman Hurd. Mr. Dodaro, good to see you again. Ms. Kent, good to see you. Thank you for appearing today. I'm going to change gears a little bit, and I'd like to hear from you your expertise on cloud computing. I understand the Department of Defense is going to have a private company in the private sector host via the cloud a lot of government data. And I don't know, my first reaction is, you know, it concerns me a little bit. It concerns people in my district when they hear that. Maybe I shouldn't assume anything. Do you feel confident that this data will be more secure than if it were with the Federal Government, and why?

Mr. DODARO. Cloud computing offers the potential for, first of all, cost savings and a more rapid updating of the systems that are used in place. You know, as we mentioned, you know, these legacy systems have been in the Federal Government for a long period of time, and that's a big problem. If you go to the cloud, then the updating of those systems becomes the responsibility there. Now, that being said, there are cost efficiencies and other efficiencies that could be gained. The security is a paramount issue that needs to be addressed. We're looking now—there is a program that's supposed to ensure that there's
security over the cloud operations. It's called FedRAMP, is the acronym for it. And we're looking to see if it's an effective tool to make sure there's adequate security in the cloud operations. Now, the last point I'd make is that the Federal Government's own record of security is pretty abysmal. So, you know, as a starting point—so I don't think, you know, everybody—everybody have a total confidence that everything's fine now and it may be worse later if we move to the cloud. But you have to be careful in making the move to the cloud environment to make sure there's adequate security.

Mr. BLUM. So more secure is what you feel, I guess?

Mr. DODARO. It could be, but we need to take care to make sure the requirements are there, they're set properly, there's adequate testing, there's certification, there's requirements and operations. It offers a lot of potential for savings, cost savings for the Federal Government, and more up-to-date systems that are better patched properly and in place. But the security remains as much of a concern with the cloud environment as it does with the Federal agencies, and we need to take due care.

Mr. BLUM. Ms. Kent?

Ms. KENT. Yes, sir. I agree that it can be—it can definitely be secure. And in many cases it is maintained in a way that we've—we have seen—we have not necessarily done across some of the Federal systems. I would add two other things to what Mr. Dodaro said, is that there's a discipline around understanding the data and what we're moving to the cloud and how we control access to that. And that is the discipline that we're trying to drive with the agencies as they're considering their transformations and the cloud technologies that they're using. So it's a combination of the security that's available with the technology, what we're putting there, and how we manage access to that information. And so those are the disciplines that we are—that my office is working directly with the agencies as they consider these acquisitions.

Mr. BLUM. Mr. Dodaro, we often hear things like the Federal Government was slow to respond to an emerging threat, especially cybersecurity threats. What have you found in that regard, and why?

Mr. DODARO. It brings a new definition of slowness, okay. In this area, you know, we first designated it as a high-risk area across the Federal Government in 1997. So I've been trying for over 20 years to get attention to this area. You know, we actually built a computer lab facility that could simulate the operating environment of agencies in the early nineties and actually did penetration testing to get people's attention that there could be issues that needed to be dealt with. And we very, very—it took a long time, but we finally convinced the Congress. Legislation began being introduced in 2000, 2002, creating the Federal Information Management Act, the FISMA Act, that was updated. And it really wasn't until the OPM breach that a lot of—in 2015—this is, you know, so many years later, that agencies began to move and the administration began to move. But even then, to this day, I'm not sure OPM has fixed all the weaknesses that led to the original data breach. We went in a couple of times, and we haven't found the problem. So it's perplexing to me that there hasn't been enough urgency associated with dealing with this issue. And I'm pleased to hear from Ms. Kent and others that they're going to sort of up the game here, to be aggressive in this area. But there's no question that there has been adequate warnings about these areas that GAO has been given, that has been on our top risk list for many years, both within the Federal Government but also critical infrastructure protection. We put that on in 2003. And concern about the electricity grid, the financial markets, telecommunications, and we're moving in that area, but that's—you know, right now it's all voluntary on the part of the private sector, and I can understand that, but we need to have a partnership and more information exchange between the private sector and the other sector. I mean, this is a national security issue, not just, you know, a privacy issue.

And privacy has been slow, too. You know, we've recommended that the Congress change the—update the privacy laws. The original Privacy Act is 1974; E-Government Act in 2002. Many things have changed since then that there needs to be updated information. And while the Congress has only identified some sectors of the economy, healthcare, credit reporting, to put in place rights for consumers about data that's collected about them, there is no consumer privacy framework. We've recommended that Congress consider creating one since 2013. So, you know, we've been urging for a long time now more attention to this area. I'm glad that we're having this hearing, but I think the pace of change needs to pick up quite a bit, because the threats are evolving way faster than the government's ability to deal with it.

Mr. BLUM. I heard the phrase, and I'll end with this, the warfare of the future may not be bombs; it may be bits and bytes, not bombs. And I know we spend a lot of money on bombs, and we should, but I think we need to give attention to bits and bytes, cybersecurity, as well.

Mr. DODARO. Yeah, absolutely. Absolutely. You know, in conventional warfare, the first thing people do is take out your communication systems, take out your transportation structure, your ability to have power. But to do that, you'd have to physically invade the country. Today that's not exactly the same. You can do it from your own country.

Mr. BLUM. Thank you for your insights. And I yield back the time I do not have, Mr. Chairman.

Mr. HURD. I generally try to have a PMA, a positive mental attitude. My dad taught me that. And I think there has been some bright spots over the last 3-1/2 years since I've been in Congress. Federal CIOs have
more power than they have in the past They’re getting more involved in the procurement process because we can’t hold Federal CIOs accountable if they don’t have the responsibilities on what goes on their network And that’s something that this committee has fought for in a very bipartisan way I believe when we first started this committee there were only four CIOs that reported to the agency head or deputy agency head I think now there’s only four that do not And I believe by the end of the year there would only be one that is probably not reporting So again empowering the men and women in the CIO I’ve been surprised over the last few months I’ve had a number of businesses say that they are happy with improved sharing of intelligence threat information between the Federal and the private sector Now that’s part of DHS’s role and I think DHS is the only entity that can get into that mode of need to share And we are seeing what DHS is able to do And their technical capabilities to help across the other 24 CFO agencies I think are improving And one of the things that is leading to and causing us to see the number of threats increase because guess what DHS is doing their job Right Now having done this kind of work before guess what I’m always going to get in How quickly can you detect me How quickly can you quarantine me and how quickly can you kick me out is VerDate Nov 24 2008 11 51 Nov 29 2018 Jkt 000000 PO 00000 Frm 00067 Fmt 6633 Sfmt 6633 H 32932 TXT APRIL 62 KING-6430 with DISTILLER the mentality that we need to be in But why are some basic things—MEGABYTE Act The MEGABYTE Act says every agency should know what software they have on their networks Is that hard to do Mr Dodaro Mr DODARO No Mr HURD Ms Kent is that a hard thing to do to be able to catalog the software that you have on your system Ms KENT No sir we have an opportunity to do much better Mr HURD And so what is the—what more do we need to do to drive that behavior Megabyte is important knowing what your 
software is and that’s why we’ve added it on to the FITARA scorecard The FITARA scorecard is evolving into a digital hygiene scorecard Naming and shaming is really what we’re doing We’re trying to give CIOs the authority with MGT the Modernizing Government Technology Act to get out of this notion of if you don’t use it you lose it So now there’s motivation to—motivation to modernize What other carrot sticks should we be using or do you need in order to compel compliance on some very basic things like knowing what software you have Ms KENT First I have to applaud and say thank you for the continuous focus on the FITARA scorecard because having that level of transparency does make it a priority To your point on MEGABYTE there are tools and technologies that we can do that with especially if it’s a priority One of the things that I would ask that would be of great assistance is the continued focus on workforce activities In many cases we still have almost a 25 percent gap in the number of cybersecurity resources that we need across Federal agencies and what we actually have in place And particularly we have some gaps in leadership and individuals—places where we have open positions that are key leaders In many cases the individuals when we get them in their tenure is less than 12 to 18 months So there are multiple workforce actions both at entry level and at leadership and there are things that we continue dialogs with the private sector to see if we can fill those gaps Mr HURD Do we still believe it’s—is the number still 15 000 roughly IT positions that are unfilled across the Federal Government Ms KENT Yes Yes sir Mr HURD How is the process going to catalog what those positions are Because we don’t have common job descriptions across the Federal Government This is something that OPM was supposed to be working on I’d welcome an update on this initiative Ms KENT We are making good progress on that at clarifying the specific positions as well as common nomenclature 
Particularly, the CIO Council recently published a CISO Handbook to ensure that we are holding our cybersecurity teams accountable for the same standards of behavior across all of the agencies, but we still have work to do to fill those positions. And particularly in the entry levels, to ensure that potentially we are identifying other skill sets in the Federal Government that we can move into some of those positions.

Mr. HURD. So when will we have a common picture of what positions are open and what these positions are going to be?

Ms. KENT. I know that it is in the works, and I will get the date back to you.

Mr. HURD. Mr. Dodaro, you mentioned in your written remarks the national initiative for cybersecurity education cybersecurity workforce framework. Is that ringing a bell?

Mr. DODARO. It will ring Mr. Wilshusen's—it will ring his bell.

Mr. HURD. It will ring his bell. All right.

Mr. WILSHUSEN. It does.

Mr. HURD. What is that? Where are we—you know, the report recommends, and y'all's report recommends, that this is something that is not being addressed properly. Can you give us a little bit more context to this?

Mr. WILSHUSEN. Sure, absolutely. The NIST's Cybersecurity Workforce is an attempt to kind of have a common language and designation for cybersecurity and IT-related activities. And the intent under the Federal Cybersecurity Workforce Assessment Act, Federal agencies are required to assess their cybersecurity workforce, identify the specific functions associated with each of those positions or their IT and cyber positions, and then assign codes to it in the attempt to identify critical areas of need as it relates to cyber. We issued a report last month that showed that 13 out of the 23—24 agencies that we examined had not performed all of the activities that they were required to do. And we ended up making about 30 recommendations to those 13 agencies. We have ongoing
work continuing—following up on the status of those recommendations and agencies' actions to finish implementation of the requirements of that Act.

Mr. HURD. Good copy. We will come back on a round two. And now I'd like to recognize my friend from New York, Mrs. Maloney, for her 5 minutes.

Mrs. MALONEY. Thank you very much, Mr. Chairman and Mr. Ranking Member and all of the panelists. Mr. Dodaro, in the high-risk report that GAO issued today, it states that the vast number of individuals potentially affected by data breaches at Federal agencies and private sector outlets increases concern considerably that personally identified information is not being properly protected. And I think I agree with you completely too. Given the breaches that we've seen—with Verizon, in April they released a report showing that in the past 12 months alone there was a total of over 53,000 incidents and over 2,200 confirmed data breaches. And then in 2017 we saw the really awful data breach at Equifax, which was over 143 Americans had their personal information stolen. And the 2015 breach at OPM, which affected approximately 22 million individuals. It demonstrates the absolute massive scale of harm to privacy and security that data breaches can have, and this doesn't even get into the alleged foreign governments that are hacking into our private material. The high-risk report states, and I quote, that the laws as currently written may not consistently protect personally identified information in all circumstances of its collection and use, end quote.

Can you briefly explain how our current privacy laws and framework for protecting individuals' privacy is not adequate? Obviously it's not adequate, with this large number of breaches taking place. There's some reports that every person in government has been hacked. That everybody's breaking in everywhere. So could you respond to that?

Mr.
DODARO. Absolutely. First, the Privacy Act was originally passed in 1974, so it's very dated and did not have anywhere near the context of the current computing environment in place and what is likely to occur in the future. There was the E-Government Act in 2002 that took a couple of steps, but not sufficient. Here's two examples. One is that the current definition deals with a system of records that the government's responsibility is protecting. That doesn't say anything about data mining; it doesn't say anything about databases that are used and scanned and scraped and whatever definition you want to use. So the ability now to be able to manipulate the data doesn't really—is not contemplated under current law. Second, it gives the Federal agencies the ability to only, you know, use the data for, quote, authorized purposes. Now, that doesn't necessarily give the individuals whose data is being collected an understanding of what is an authorized purpose. So there's really not clarity about what the Federal Government's limits or abilities are to be able to deal with these things.

Mrs. MALONEY. What would you say is an authorized purpose?

Mr. DODARO. Well, it's—every agency is allowed to define it in their own way, which is what——

Mrs. MALONEY. Well, that's not right.

Mr. DODARO. Well, that's what we're saying. Basically there needs to be more clarity on exactly——

Mrs. MALONEY. Can you get back to the committee with an explanation or a recommended definition of this? And you went on to say in your report that—that we needed to strengthen our consumer privacy laws. Is that right?

Mr. DODARO. Yes.

Mrs. MALONEY. Could you get back to us on how you would expect us—or to me—on how you'd like us to strengthen it? And if Congress does move forward with amending and updating the Nation's privacy laws, which we should, what are the key changes that you believe must be achieved?

Mr. DODARO. Yeah. We will definitely provide all that information to you in detail. On the consumer privacy framework, really there isn't one
except in the healthcare area and HIPAA, for example, or Federal credit reporting or some other information—everything—nothing else is really covered, including information reselling of data. And with other technologies, facial recognition technology and other things, there is no consumer financial privacy—or consumer privacy framework in place, and we recommended that it be put in place. So we can give you some examples of that.

Mrs. MALONEY. Please do. Please do give it. And I do want to get to OMB for a moment. Ms. Kent, what is the administration's timeline for implementing GAO's recommendations? Are you implementing these recommendations they put out?

Ms. KENT. We're in process of many of the recommendations, particularly the ones that are in the area of Federal systems and information, and actually in the privacy and security area that you just talked about. One of the key elements around how we secure data and citizen data is the efforts under IT modernization. It is very difficult or complex to secure data in systems that are over 20 years old. And as we modernize, we have better tools for data encryption and management of the data both at rest and in movement, and that is one of the ways that we protect all information that we have within our Federal agency purview against any type of threat.

Mrs. MALONEY. And very briefly, how can Congress assist you in this really huge effort, and very, very important one? It used to be privacy was utmost concern on everyone's mind. And now with terrorism attacks and other things it's not taken the really important level that it should in our country. And I want to express my appreciation for your report. But how can we help you?

Ms. KENT. Congress can continue to help us through funding of the teams that focus on these efforts, through creative vehicles like the Technology Modernization Fund that
let us actually advance the modernization activities much more quickly, as well as the efforts that I spoke of earlier on workforce.

Mrs. MALONEY. I'm way past time. Thank you for indulging, Mr. Chairman. I yield back. Thank you.

Mr. HURD. The distinguished gentleman from the Commonwealth of Virginia and ranking member is now recognized for his first 5 minutes of questioning.

Mr. CONNOLLY. Thank you, Mr. Chairman. Thank you for your commitment to this subject matter. Mr. Dodaro, I want to thank you and GAO for elevating this particular part of the issue to your high risk grouping. Because it forces us to at least talk about it, hopefully do something about it, and you've been instrumental in the past in supporting our FITARA legislation and our scorecard efforts and the like. And I really credit GAO with helping us make the progress we've made. Last May the Trump Administration, however, eliminated the White House cybersecurity coordinator position from the National Security Council. In light of your elevation of this as a high risk category, in retrospect was that a prudent move? Was that a welcome move in the context in which you've delineated this subject matter?

Mr. DODARO. I think just for clarification, we've had this on the high risk list since 1997, so this isn't a recent elevation. I'm concerned that there hasn't been enough progress in addressing this issue. I was, you know, surprised that the position was eliminated. I've been told that those responsibilities have been divided among two people. I haven't had a chance, since it's a recent activity, to look into it more. We plan to do that in the future. So once we look into it and see how they're planning to approach it with the elimination of that position, I'll be in a better position to advise the Congress on what to do. We've never really evaluated this cybersecurity coordinator role. We've been more focused on getting
a national strategy in place and making clarifications. And I haven't really examined fully what that position did, what kind of resources they had available, and what their accomplishments were during that period of time. So it's an area that I'm concerned about. You always want to have good leadership, and you can have good leadership in a number of different ways, but I want to look at it more carefully before I advise on exactly what would need to be done differently from what they're contemplating doing.

Mr. CONNOLLY. Yeah, you may be right. I mean, maybe diffusing responsibility or splitting responsibility allows us to have a sum greater—you know, the whole greater than the sum of the parts. On the other hand, you know, there was a report in Politico that said since its creation in 2009 the White House cybersecurity coordinator position has been key in resolving conflicts among agencies, preparing cabinet leaders to make major policy decisions, and responding to crises. As you know, Mr. Dodaro, sometimes—maybe more often than not—in government you need a central focus. You need some champion who is vested with authority and responsibility for moving an agenda, for advocating for a cause. And absent that, often in big bureaucracies, you know, something we all think is a good thing just kind of dies on the vine for lack of attention and championship. So I would welcome you looking at that, because I think we would want to know, did the Trump Administration make a good decision or did it make a mistake in abolishing this position? Ms. Kent, do you have views on that? I'm sure you do.

Ms. KENT. Sir, I don't know that I would—what I would reflect is that the activities for the Federal agencies are directed by Homeland Security Advisor Fears. And in fact, my chief information security officer has a dual reporting relationship between he and I, so that there is no miss or time in translation for things that we need to take action on. And I think I have a very clear set of mandates of actions that we need to
take across the Federal agencies.

Mr. CONNOLLY. Well, I'm glad to hear that. Do you know how long it took to get a CTO?

Ms. KENT. To get a—I'm sorry?

Mr. CONNOLLY. A chief technology officer or a CIO for the Federal Government.

Ms. KENT. Yes, sir, I do.

Mr. CONNOLLY. In this administration it is over a year.

Ms. KENT. Yes, sir.

Mr. CONNOLLY. So I have to tell you, given that record, it is not exactly confidence-building that, you know, you've got it and you're moving an agenda—not you personally—but the administration. I mean, words are nice, but actions are important.

If I may, Mr. Chairman, because I think I'm going to have to run, I have one other subject that is of deep concern to me. And again, I'm going to ask you, Mr. Dodaro, to look into this. And I agree with what you said, Ms. Kent. We've been champions about the need to upgrade legacy systems or replace them and to, you know, come into this part of the 21st Century so that we can encrypt, we can protect. But what is, you know, the purpose of technology? It is to do the job better. It's to be deployed. It is to give us capabilities we otherwise might not have. One of those capabilities is telework. And I can tell you, as someone who lived through 9/11 and has lived through lots of hurricanes and other kinds of things here in the Nation's Capital, telework increasingly becomes critical to continuity of operations, without which government shuts down. And what has disturbed me is that the Trump Administration seems to be going in exactly the wrong direction with respect to telework. The Department of Education issued new guidelines that seem to severely curtail our robust program. USDA, which is highly touted by Jared Kushner and Chris Liddell—and I met with them and had a good meeting—but I did bring to their attention that I felt Secretary Perdue was going in the wrong direction on telework. He actually curtailed that program there. And then
your office issued guidelines—that from the White House—that actually would limit, as I understand it, telework to be defined as no more than one day a week. Now, I don't know anyone in the telework profession who would agree with that definition. No one. Telework is to be encouraged more than one day a week. It's a structured program. It's not a spontaneous, like, "gee, I feel like teleworking today." That's not how it works. But we want to get the maximum benefits, and we want to deploy technology, and we want to make sure this is part of the offering for the next generation of Federal employee. Because millennials expect that as part of the offering. So what is going on here in terms of the reluctance to encourage rather than constrain telework in this administration? I have to confess to you, and then I'll shut up, I was really particularly bothered by this because we actually had a good meeting at the White House where we found common ground. And I reassured Mr. Kushner and Mr. Liddell that frankly, if they continued going in the direction they described, they would have our support, which is not an every day occurrence. And then this happened. And this seems to fly in the face of the kind of progress we thought we were going to make in common.

Ms. KENT. Sir, I'm not informed on the specific decisions that the agencies made around their policies. I do know that one of the things that we are focused on as part of the President's management agenda and specific goal is the elimination of paper across the various processes in the government, to actually free up the ability for individuals to not be dependent on being in a specific physical spot to do that work and drive other efficiencies. In addition, some of the investments that we're making in digital capabilities and new workforce tools actually enable work to be done from a broader reach of locations.

Mr.
CONNOLLY. Well, I mean, there's actually explicit policy guidance that has been drafted that would curtail telework in your administration. And I'll be glad to get it to you if you haven't seen it. Mr. Dodaro, I would just ask that you look into this, because I think it flies in the face of the progress we've tried to make. And, you know, the whole point here is to deploy the capability, not constrain it, and would welcome GAO to look into this and see if we can't——

Mr. DODARO. I'd be happy to do so.

Mr. CONNOLLY. I thank you so much. And Mr. Chairman, thank you for your indulgence. I'm sorry.

Mr. HURD. Mr. Mitchell, round two.

Mr. MITCHELL. Thank you, Mr. Chair. Mr. Connolly, you may want to stay for this conversation—it's the beginning of it—because we're talking about legacy systems. Mr. Dodaro, have you looked at or done any analysis——

Mr. CONNOLLY. I would say to my friend, I would, but I belong to two committees that believe no human problem cannot be improved with another hearing. And my other committee is practicing that as we speak.

Mr. MITCHELL. Only two committees are doing that? I'm shocked. It's getting near district work period and it's gone; the wheels have come off the bus around here, okay? Let's talk about legacy systems for a moment. Have you done any analysis, any examples, of the current cost of maintaining legacy systems versus just making a transition to a new system, and what is the comparison? If you could give me some examples, that would be great.

Mr. DODARO. Well, overall what we've said, of the annual Federal investment, which is about $80, $90 billion a year, 75 percent of that goes to support the legacy systems as opposed to, you know, making investments and modern approaches in systems. So, you know, we've looked at a lot of individual cases, and I'd be happy to provide those for the record, but, you know, it definitely—you know, the government's track record in implementing new systems and being able to retire legacy systems isn't, you know, very good. But it needs to be better. And I think the legislation
this committee has sponsored is helping move in that right direction. And, you know, I had always approached this with a PMA as well, a positive mental attitude, but I also have a view of what the realistic track record has been of the agencies. I'm hoping they do better. I hope the CIOs will do better in this area, but we need to do a better job in those areas. So the short answer to your question is the legacy systems involve a lot of spending and are sucking up a lot of the Federal government's investment, and we need to get new systems in place. But every time there's an effort to do that, there's a failure on the part of many agencies. Now, hopefully with Ms. Kent's leadership and elevating the CIOs to have more responsibility in the agencies, we'll see a different outcome going into the future. I certainly hope so.

Mr. MITCHELL. Well, I would like to see those examples, so if you can get those to the committee, with things you've looked at, we would like to look at. Because at some point in time what we're doing is we're paying costs, workforce costs, to work on legacy systems that should in fact be better——

Mr. DODARO. Yeah. I mean, a good example: we just issued a report about the Coast Guard system that was supposed to be put in place that failed. The VA, they spent, you know, over $1 billion trying to improve the current electronic healthcare system that hasn't been successful as well. I mean, we've got a long list of activities where money has been invested, you know, in a lot of cases millions, hundreds of millions of dollars, and it hasn't produced the new system yet properly to retire the legacy system. So we'll get you a list. I'm confident we have one, and it will touch virtually every agency in the Federal Government.

Mr. MITCHELL. We just had a hearing a bit ago on the Census. And as you are well aware, they are well behind in terms of developing—it's what
they do in systems, and they're over-budget. So it doesn't surprise me, but we need to start to look at that, so I'd like to see it. Ms. Kent, could I ask you, you mentioned the vacancies; you have about 15,000 vacancies of technical cybersecurity personnel, is that correct?

Ms. KENT. Yes, sir.

Mr. MITCHELL. What are the primary drivers of those vacancies?

Ms. KENT. I'm sorry, say that again?

Mr. MITCHELL. What are the primary drivers, causes, of the——

Ms. KENT. Of the vacancies?

Mr. MITCHELL. Yes.

Ms. KENT. The primary drivers of the vacancies is that cybersecurity skills are one of the hottest skills in the industry right now, and we're competing with the private sector, as well as the cybersecurity professionals have an expectation of quick mobility, large challenges, and some ability to move very quickly in their profession. And some of those things don't align well.

Mr. MITCHELL. We've got big challenges, I can guarantee that.

Ms. KENT. It is a very big challenge, but it's an area where there are many avenues that we're pursuing, both at entry-level positions as well as leadership positions, and continuing to explore exchanges with private sector to fill those gaps.

Mr. MITCHELL. When we had people leave my company, we always did a survey to kind of get an idea of why you're going. I mean, I'm sure you did as well. What is the primary—average tenure about 18 months and they're gone. What's the primary causes that people are up and leaving once you get them here?

Ms. KENT. It is a highly valuable set of skills in the private sector industry. So many times it is a question of compensation. What we have to offer is an exciting mission and the ability—we have many very motivated professionals that come in because they believe in the missions that our agencies are focused on. Other times they are leaving because they want more mobility. And mobility as they progress through, you know, the
professional ranks.

Mr. MITCHELL. Have there been many recognitions made, Mr. Dodaro, on what we do in terms of compensation, skill, or a career structure for cybersecurity personnel in the Federal system?

Mr. DODARO. No. I mean, this is an area where we've had strategic human capital management on high risk since 2001. You know, one of the areas——

Mr. MITCHELL. What have you not had on high risk since 2001?

Mr. DODARO. Well, there are things that aren't high risk. You know, we——

Mr. MITCHELL. Okay.

Mr. DODARO. But, you know, the problem here is the classification system that OPM has in place. I mean, there's really not been—I mean, that system was created many years ago. It didn't contemplate cybersecurity. They've not adapted over time. And so right now the phase 1 of what the administration is currently doing is to take stock of what cybersecurity skills exist across the government. I mean, we should have known this for years earlier and developed new systems in place. Now, Congress has been very good where they've given a lot of special authorities to the agencies. But we found that they have over 100 special hiring authorities, but they only use about a dozen or so. And so it's really—OPM hasn't looked at whether or not the special hiring authorities are being effective or not. And so, you know, this means more attention. I'm very glad that the President's reorganization proposals focused on cybersecurity workforce.

Mr. MITCHELL. Can you share with OPM at least my opinion—not necessarily the committee opinion—but my opinion that—I ran a fair-sized company. The chief technology officer reported to me. They reported to me for a reason. And we had a deal: his phone never went off. And as soon as something went sideways, you know, he gave—warning systems, and you're well aware, Ms. Kent, what those are. And the deal was he immediately went in and dealt with the issues. And the next thing he did was he called me. Because there is nothing that's more important than securing our data. We're a school group. We have the information
on 6,500 students at any point in time, their financial information, their parents' financial information. And that getting hacked is a serious issue, never mind the issues we have here. So suggest to OPM they may want to up the ante on this and make it a little more important, because people aren't trusting the government because they don't believe their data is secure. Never mind the issues it creates for us in terms of national security. Thank you. I am out of time as well. Thank you, sir.

Mr. HURD. Ms. Kent, one of the recommendations that GAO suggests needs to be improved is this global supply chain of information that's on our Federal infrastructure. So if we take the narrow view of the supply chain of software or hardware that is put on a system responsible in the dot-gov domain, who is responsible for making sure that those widgets are secure?

Ms. KENT. One of the things that I agree with, the point around supply chain, is ensuring that we have a mechanism not only to know what is on our network but to allow Congress and other bodies to make recommendations, and have a structured way that we identify both hardware and software, where is it being used, and we have a structured way to pull those things out. As we worked through the Kaspersky situation, we had to create an entire process, communicate that information, and manage it one-by-one across all of the agencies. And we did not have a systematic way to do that. Since we have now had additional concerns, and, you know, those may continue, what we would like to have in place is a structured way to do that in ongoing identification by agencies.

Mr. HURD. So let me rephrase the question. Right now, can you tell, right now, agency X, you've got to remove all this stuff? You as the Federal CIO can make that directive and X-agency would have to comply with that?

Ms. KENT. We have been taking directives from the National
Security Council or from others, but yes, that is the way that we have been executing the ones for which we've been given a directive to date.

Mr. HURD. Can the CIO for that agency make that decision and say, all this stuff is coming out?

Ms. KENT. The CIOs have responsibility for the security posture of their agencies, so if they decide to take a more aggressive stance on some situation, or, you know, for some reason that aligns with their mission, that is within their authority.

Mr. HURD. So let's say an agency has a device on their network that they shouldn't have. Who should be in trouble? Who is responsible for having allowed that to happen, or not finding that out in advance?

Ms. KENT. That's a good question. We do hold agencies accountable for knowing what is on their network. And if there has been a directive to remove, actions and a specific date by which to act, we are holding them accountable from an oversight perspective.

Mr. HURD. Mr. Dodaro, do you have any opinions on this? Critical infrastructure—I mean, excuse me, supply chain within the dot-gov space. Let's start with that.

Mr. DODARO. Yeah, right, right. I think, you know, individual agencies are always the first line of responsibility in these cases, to know what they're buying and what is in place. DHS has responsibility and has the ability to issue binding operational directives to agencies across government, if need be, to remove devices or to do certain things as well. So DHS has some responsibilities. I would ask Greg to come up. He just testified on a supply chain issue recently; see if he has any additional thoughts.

Mr. HURD. While he is coming up, describe your vision, the future state that needs to happen in order for this to be removed from the GAO high risk report.

Mr. DODARO. On supply chain or the whole——

Mr. HURD. On supply chain over dot-gov.

Mr. DODARO. Yeah, there needs to be, you know, a clearer plan for
determining the supply chain operations, you know, in terms of identification of vulnerabilities, and there needs to be greater accountability for enforcing that over time.

Mr. HURD. Who should do that?

Mr. DODARO. It has to be led by DHS or out of the White House to be enforced. I mean, it has to be—I mean, you know—and there are separate issues at DOD, all right, on this issue, you know, for national security purposes, and they hold the prime contractors responsible. But there is a lot of subcontractors kind of issues. But in the civilian side of the government, I think it's got to come from DHS primarily, would be where I would start.

Mr. HURD. Mr. Wilshusen?

Mr. WILSHUSEN. Yeah. It would need to be, I think, also DHS, but also certainly with input, collaboration with the intel community as well as DOD, as they collect intelligence and information about the particular supply chain direct to particular components or systems that might be in use at Federal agencies. DHS has used its authority under the Federal Information Security Modernization Act to issue binding operational directives to require and compel all Federal agencies to remove Kaspersky Lab-type products, as was referenced earlier. We have been requested, and we plan to start an engagement later this year, to look at the process by which DHS determines when to issue a binding operational directive, how it comes about that decision, and then what oversight mechanisms it has to ensure that its directives are actually being implemented, and implemented effectively, by the agencies.

Mr. HURD. Shifting gears on privacy. If the IRS database got hacked—and let's say a portion of American citizens' information was stolen—what is the responsibility of IRS to notify those individuals and notify Congress? What is the breach notification rules that IRS would be following in that case?

Mr. WILSHUSEN. It depends. IRS would need to make—and this is under guidance provided by the Office of Management and Budget, indeed, on how to respond to particular data breaches. Part
of it is to conduct at first a risk assessment, in which it looks at the scope of the breach and the potential harm that could occur to, say, in this case, taxpayers if their information is indeed compromised. And then it's supposed to make a risk assessment and then determine what type of actions to take. Part of that could include notification to those individuals that their information has been breached. It could also include providing some other remedies, such as credit monitoring services and others——

Mr. HURD. So this is the standard written by OMB?

Mr. WILSHUSEN. That's correct.

Mr. HURD. So if students' loan information at Department of Education was stolen, would that be the same notification responsibilities and privacy——

Mr. WILSHUSEN. Yes, those guidelines are for all Federal agencies.

Mr. HURD. So OMB has issued breach standard notification across the Federal Government, to include intel and militaries, across all Federal agencies, or is it just the dot-gov space?

Mr. WILSHUSEN. I guess it would be dot-gov space.

Mr. HURD. Ms. Kent, do you have any opinions on this topic?

Ms. KENT. It is not a topic that I am familiar with all the specifics. I do recognize, though, in the description, the process is very similar to industry and the notification process: identifying risks, understanding the risk of the individuals, and then determining if there are other mitigating factors that should be offered to those individuals.

Mr. HURD. Ms. Kent, changing gears here. OMB released its agency self-reported data on the status of their information security controls. We have found that agencies tend to present a prettier picture than their own IGs in those FISMA audits. Have you noticed this discrepancy? Are you working to make this accurate reporting? Are you acknowledging these problems? How do we plan to work with agencies to implement some of these basic cybersecurity requirements?

Ms.
KENT. I concur with your assessment. That was actually, when I looked at the reports, one of the early things that I asked in joining. It is actually a conversation that I have had with the GAO team about how we can automate and actually extract data on some of the specific points versus asking for a self-reporting mechanism. And we'll continue the dialogue about how to improve that.

Mr. HURD. This is one of my final questions. It's a very broad, basic question, and it's broad and basic for a reason. And we'll start with you, Ms. Kent, and then we'll go down the line. Who is responsible for defending the digital infrastructure of the Federal Government?

Ms. KENT. Say that again?

Mr. HURD. Who is responsible for defending the digital infrastructure of the Federal Government?

Ms. KENT. The agencies are responsible for defending the digital infrastructure at their agency, and DHS is responsible for defending across the enterprise. And there's an interlock of responsibilities between the agencies and their communication with DHS in ensuring that DHS has visibility to issues, incidents, and what they are detecting going on in those individual agencies.

Mr. HURD. What is the role of the Federal Government in helping to defend the 16 areas that we consider to be critical infrastructure?

Ms. KENT. I don't know that I'm following your question. Are you talking about the external industry?

Mr. HURD. So the 16 areas that we think are critical infrastructure—financial services, utilities, election infrastructure, go down the line—what is the Federal government's role in helping to defend those infrastructures?

Ms. KENT. I see those as the responsibility of DHS. So I don't know that I am informed to comment. DHS and our National Security Council. And from a Federal agency perspective, I know when we expect that they are sharing threat information from those industries with us inside the Federal
agency side so that we can react to those Mr HURD Got you Mr Dodaro who’s in charge Mr DODARO Well in the Federal space I would agree I mean the agencies are primarily responsible according to FISMA That’s the agency heads I mean Congress has established that in law It has given DHS responsibility and law And OMB sort of passed that responsibility to DHS years ago and without the authority Now Congress corrected that and gave DHS the authority gives them the ability to issue these binding operational directives And then OMB has responsibility as well for policy matters in a lot of these areas So in the Federal space I think that’s pretty clear In the critical infrastructure protection space less so Now in some of the critical infrastructures for example in the nuclear area there are regulatory responsibilities So the Federal government’s role is a little clearer in that area They have more authority to put in place requirements But for by and large for most of the 16 sectors for critical infrastructure it’s voluntary And what we found is that the—there each has a Federal coordination point and a lot of the Federal coordinators really didn’t know what the status was of the implementation of the voluntary standards When we talked to a number of people in the sectors you know they were basically saying that they had challenges They didn’t have enough people they didn’t understand all the requirements So that’s the area I’m most concerned about Mr HURD So describe that future state when it comes to critical infrastructure that if we achieved you would pull this off as one of the four major challenges facing the Federal Government Mr DODARO Yeah Well number one I would have to have some metrics and measures to know what the state of readiness really is in those areas Right now you don’t have that No one can answer that question I believe to say across the 16 sectors were ready And here is why I believe that So to me you need that in place to provide the level of 
assurance that would be necessary in order to do that And so that’s you know a tall order And then you would need to have you know a clearer understanding of information sharing You know our understanding of what’s going on you referenced this earlier about businesses being happy with information they’re getting from DHS I’m not too sure that that information flow is going two ways And I think we need to from the Federal Government standpoint need to have greater assurance that there’s a two-way dialogue here and that we’re really communicating and understanding what’s going on with the risk in those areas So to me you need a clear metric understanding of what the status of readiness is for each of the 16 areas and there would be different metrics for different sectors I’m not suggesting there would VerDate Nov 24 2008 11 51 Nov 29 2018 Jkt 000000 PO 00000 Frm 00080 Fmt 6633 Sfmt 6633 H 32932 TXT APRIL 75 KING-6430 with DISTILLER just be one sector but somebody has got to be in that position to know that And right now that’s very sketchy at best And as a result I think we’re very vulnerable in the Nation I know there’s a lot of policy issues about the Federal role respecting the private sector whatever But I think we’re getting to a point with the threats from state and non-state actors that we need to have more of a grownup conversation about the real risk to the country in those areas and a meeting of the minds on how best to protect our country for everybody Mr HURD Has GAO thought through what are those Doomsday scenarios that we should be prepared for Because if there are unclear roles between the public and private sectors in response to a Doomsday scenario we need to be thinking through what are those Doomsday scenarios that we need to be prepared for Have you all spent some time on that Have you all seen an entity that has designed that Ms Kent you have seen stuff I know there are some exercises DHS does a few But I feel like we haven’t done enough because 
if we’re truly going to escape to a future state we need to figure out what that is we’re trying to be prepared for If we’re going to develop contingency planning what contingency are we planning for And Mr Wilshusen you came up here so I hope you have some interesting things to say Mr WILSHUSEN I hope I can interest you One is DHS has developed a response plan and it’s tested annually in which it is a test against different types of scenarios And I do believe in some of the guidance at least—well from the National Institute of Standards and Technology and some of its guidance it does identify different threat scenarios for different types of potential attacks that can affect organizations and systems Now that’s generally guided towards Federal agencies but those same types of attacks can also be applied against critical infrastructure owners and operators in the systems that they operate And so there are different threat scenarios that have been identified and those are things that both I think DHS and NIST has identified Mr HURD Well Mr Dodaro you’ve heard me say this before I’m a big fan of GAO Whenever there’s a new topic I am working on I always start with whatever reports you all have developed So thank you for you and your team and you all’s service to making sure our government is responsive to the people that we serve It’s always a pleasure to have you here Ms Kent any final words Ms KENT I thank you for the opportunity And as I said in the opening every chance that we have to elevate the conversation around cybersecurity and the resources that we need to be in a position to protect our security posture I greatly appreciate Thank you Mr HURD Well I thank our witnesses for appearing before us today VerDate Nov 24 2008 11 51 Nov 29 2018 Jkt 000000 PO 00000 Frm 00081 Fmt 6633 Sfmt 6633 H 32932 TXT APRIL 76 KING-6430 with DISTILLER The hearing record will remain open for two weeks for any member to submit a written opening statement or questions for the record 
And if there's no further business, without objection, the subcommittee stands adjourned.

[Whereupon, at 4:01 p.m., the subcommittee was adjourned.]

APPENDIX

MATERIAL SUBMITTED FOR THE HEARING RECORD

[Response from Mr. Dodaro, Government Accountability Office, to Questions for the Record: submitted as scanned pages; only scattered words ("assessment as to how the elimination of the [...] affect implementation [...] why") survived OCR.]

Questions for Ms. Suzette Kent, Federal Chief Information Officer, Office of Management and Budget

Questions from Representative Gerald E. Connolly, Ranking Member, Subcommittee on Government Operations, July 25, 2018 Hearing

Regarding [...] eliminate the White House special Coordinator position from [...] Security Council, May 2018: In [...] mid-cycle High-Risk report on cybersecurity, the Government Accountability Office (GAO) reported it had recommended that the White [...] Coordinator [...] the Executive Office of the President that included all elements [...]

a. In [...] White House's decision to eliminate the [...] of White House Cybersecurity Coordinator, who at the White House level [...] broad authority [...] responsibility for coordinating cybersecurity strategies across government? [...] The Assistant to the President and National [...] authority and responsibility for coordinating cybersecurity strategies. With respect to non-national [...] systems [...] agencies, the Director of the Office of Management and Budget [...] and responsibility for overseeing agency information security policies.

b. Were you consulted beforehand [...] the [...] not [...]