Skip to main content

We're fighting for the future of our library in court. Show your support now!

tv   Officials Testify on Protecting Cybersecurity Infrastructure  CSPAN  December 6, 2021 2:40am-6:02am EST

2:40 am
2:41 am
[inaudible conversations]
2:42 am
[inaudible conversations] [inaudible conversations]
2:43 am
[inaudible conversations]
2:44 am
[inaudible] the fact that you probably can't hardly understand me and i'm having trouble. this is the second hearing. the last was industry stakeholders and we heard distressing and serious gaps and lacks of shortages in the personnel and the most basic practices and consensus among the witness that the federal government needed to help the federal government to defend itself from and respond to
2:45 am
attacks with 3684 to provide funding at the local, state and federal level to enhance the issues of cyber security incidents. the principal advisor on cyber security policy and a strategy to identify cyber security and d coordinate a federal response, those are noteworthy steps but there's more to do from federal agencies responsible for transportation and other critical infrastructure and their efforts to help private industry. for the most part we rely upon protecting assets choosing not to mandate standards for
2:46 am
cybersecurity and encompassed in other errors the government has established very robust requirements that would be aviation, drinking water, wastewater and others to make them safer and more resilient but there are many of these industries with other critical industries in the private sector and voluntary cooperation so you have to spend a bunch of money on cybersecurity. why are you spending all that money on cybersecurity. we want to see you just put the money in the bank then of course
2:47 am
the cost, the investment they should have and would have made to prevent that incident but for more basic incidents were ran somewhere that continue. i don't think that implementing basic cybersecurity standards and reporting requirements should be voluntary and should be required in the wake of the colonial pipeline cyber attack the colonial add before the event which might have helped prevent the event but it was voluntary so he said no thanks.
2:48 am
last week tsa issued a basic anc enhancements for the aviation sector and as early as today or this week the department of transportation's office of inspector general who we will hear from today about recommendations related to cybersecurity and federal agencies claiming these recommendations remain to implement the risk management and strategy in the approach to cybersecurity for avionics systems and commercial aircraft.
2:49 am
the information security challenge and some inconsistent software updates and it systems vulnerable to exploitation we look forward to hearing from the expert witnesses today on the best mitigation solutions we can put forward and with that i will recognize the ranking member. >> thank you, mr. chairman. i want to acknowledge your announcement that you're not going to be seeking reelection next term and i want to commend you for your long and distinguished career serving over three decades in the house of representatives i think that says a lot. you will finish your term and work just as hard as ever and i also believe that you and i
2:50 am
agree the transportation infrastructure is one of the best and most important committees in congress and i know you will continue to work diligently to address these before the committee in the coming months i do wish you and your family all the best in your retirement. we will continue in examination on the cybersecurity challenges and the transportation infrastructure sectors for the first hearing on the topic and remember, we heard from the prospective owners and operators these critical assets about the steps they've taken to improve the cybersecurity posture the andthe effectiveness of the cybr activities. now we will hear testimony from some of those to learn how they are providing support to transportation infrastructure operators boosting the cybersecurity preparedness response capabilities. stakeholders have expressed concerns about aspects of those
2:51 am
programs for instance the directives from the tsa and i hope we can get answers on how to improve their implementation. we also will hear today from how federal agencies are protecting their own systems and their own data and infrastructure from changing cyber threats. i look forward to hearing from the witnesses and the panel about the cyber challenges that they've identified and examined for the federal agencies under the commissioners jurisdiction as well as receive updates from those agencies on how they are rising to meet these challenges. to work collaboratively to improve the cybersecurity of the critical infrastructure systems and transportation systems and transportation infrastructure. with that i will yield back.
2:52 am
>> the video does not want to stay on. >> the committee will continue between your leadership and others on the committee. i would like to move to recognizing the chief information officer, cio mr. larry grossman, chief information security officer, federal aviation administration
2:53 am
admiral john assistant for prevention policy coast guard, united states coast guard and inspector general from information technology department of transportation and the director of information technology cybersecurity at the gao. with that i would first recognize you for five minutes. >> good morning. chair defazio, ranking member and members of the committee. thank you for the opportunity to testify before you today and for your support for the department of transportation. i'm the chief information
2:54 am
officer. i am honored to be here with faa chief information security officer larry grossman, u.s. dot office inspector general, assistant inspector general for audits, kevin dorsey and officials from the u.s. coast guard transportation security administration and government accountability office. i was appointed u.s. dot chief information officer on august 30th this year. my testimony today is based on the observation and review of the records during my three months in this position. ..
2:55 am
several multinational technology companies. i've also taught masters level courses in technology and your new york university and at st. peter's university in jersey city new jersey . i believe usda t cyber security program has improved the departments information security posture and we are unsurpassed forcontinual improvement according to government best practices . usda keys executive branch has many conditions filled by professionals with the knowledge and expertise of providing service directlyto the public . this begins with secretary pete buttigieg and many leaders of our operations remotes. they held key elected and appointed leadership
2:56 am
positions incities and states solving problems, protecting citizens and improving the quality of life for their constituents .we now have before us one of the greatest opportunities to improve the quality of life for all americans. we look forward to partnering with congress and our sister federal agencies to implement the landmark bipartisan infrastructure law. on the same day president biden signed the law executed an executive order to insure among other priorities the increased coordination across the public sector to implement it effectively. we commit to that goal. our executive leadership team's experience includes making improvements to systems while they continue to operate. similarly we will continue to improve our existing systems to make them more cyber secure while they continue to operate that the resiliency support dotoperations and the american people . and we want to transparently
2:57 am
acknowledge we have multiple open audit findings for previous oig and gao cyber security audits. we respect and take seriously their assessments. i designated cyber security improvements as the top priority for dot information technology organizations, the office of the chief information officer. we have begun a series of cyber sprints to complete tasks and make plans to meet our federal cyber security requirements and implement test practices includingthose for president biden executive order for improving the nation's cyber security . this cyber sprints prioritized three areas, system access control, website security and improved governance oversight and coordination across dot. these priority activities address oig and gao bindings.
2:58 am
the ot is actively working to lead its responsibility to securely improve the departments information technology infrastructure while implementing our portions of the bipartisan infrastructure law. we will also meet the challenge of continuously improving the cyber security of dot information systems while keeping those systems available for use. we look forward to working with this committee, our agency partners in the white house to strengthen and protect our infrastructure and systems. thank you again for this opportunity to testify. iwill be happy to answer your questions . >> thank you mister schachter or going exactly 5 minutes. i appreciate that. we will now move on tomister larry grossman . mister grossman. >> from control to the
2:59 am
largest airliner, connectivity is the way of the future in aerospace. it's also why we have to constantly raise the bar when it comes to cyber security. chair del fazio and ranking member graves and members of the committee cyber threats are an ongoing concern and are increasing reliance on highly integrated computers and networks is caused for individuals at all levels of the industry this is especially true at aa we are responsible for operating the nation's air traffic control system and overseeing design, manufacture and testing for aircraft systems including avionics and also for me personally as a pilot , flight instructor. but i'm here today to discuss faa's approach to cyber security for those we regulate and for the aerospace community at large. i want to start by noting the importance of this administration's executive
3:00 am
order on improving the nation's cyber security and thank congress for its continuing guidance and direction. the faa's efforts to address cyber challenges benefited from your oversight and the cooperative efforts with other executive branch agencies . we appreciate all input as we strive to make our aerospace systems safer and more efficient current administrator sandoval. here again, they see this turning as a destination the same is true of cyber security. what we do today will not be good enough for tomorrow or the day after. we are always striving. we are constantly updating and evolving faa's cyber security strategies to put into action to cross agency cyber security commitments. the strategy includes protecting and defending faa networks and systems and enhancing our risk management capabilities, building and maintaining workforce capabilities and engaging with external partners. we defend our air traffic
3:01 am
control and other networks by using separate and distinct security parameters and control are theresponsibility of the faa chief security officer information officer . to assess cyber threats and vulnerabilities to our networks we develop cyber test facilities at our william j houston center where we also conduct testing and evaluation. in short cyber resilience and connected aircraft through risk assessments during initial certification process or anytime there is a change to a previous design certification but existing regulations will not provide adequate protection for special conditions. throughout aircraft life we must track cyber security issues in much the same way as all other issues using data-driven methodologies. that allows operators and the faa to take informed risk
3:02 am
management decisions. smart decisions require a dedicated workforce and we continue to invest in our people. congress recognized the importance of this effort and asked the faa to enter into an agreement with the national academy of science. the result of that study which we received in june made it clear there is more work to do although i will say many of the recommendations are consistent with faa's to get defensive and many others aligned with broader unveiling workforce development and recruitment efforts . finally one of the major components of our strategy is to maintain relationships and trust. this is critical critical for defending from a cyber attack and it's why we are a lead agency on the aviation initiative with dhs and dod and is why we work collectively to identify and
3:03 am
assess risks in the ecosystem including stakeholdersranging from airport authority to manufacturers . the technology of the aviation ecosystem evolves we expect cyber security will continue to be a growing challenge and a significant component of aviation safety. we are prepared for this challenge and look forward to giving congressinformed . i'll be happy toanswer any questions . >> thank you mister grossman. you are recognized for five minutes . >> morning chairman defazio, ranking member graves and distinguished members of the committee. my name is tori newhouse and i serve as assistant administrator of policy plans and engagement at the transportation security administration. i greatly appreciate the opportunity to appear before
3:04 am
you to discuss tsa's important role cyber security for our nation's infrastructure. as you know tsa was established by the aviation and transportation security act signed into law november 19, 2001. under that law tsa is still in a mission to oversee transportation security and almost transportation. the net aviation or the nations service transportation system. mass transit and passenger rail, highway motor carrier, a pipeline as well as supporting maritime security with our united states coast guardpartners . as we recently assert tsa's 20th anniversary, we rededicated ourselves to our critical mission to protect our nation's transportation systems. my personal commitment to tsa's important mission to ferociously protect our homeland is fueled by my own personal experience on september 11, 2001 surviving the attack on the pentagon
3:05 am
that fateful day when we all lost over 2977 friends, family members and colleagues . this is not a mission we can accomplish alone. our success is dependent on collaboration and strong relationships with our transportation stakeholders in our federal agency partners including several who are on this esteemed panel today. cyber security incidents affecting transportation are growing, evolving and can persistent threats across us critical infrastructure cyber actors have demonstrated their willingness and ability to conduct malicious cyber activity. targeting critical infrastructure by exploiting the vulnerability of operational technology and information technology systems . malicious directors continue to target us critical infrastructure through transportation systems. for instance as mentioned earlier around somewhere incidents against the colonial pipeline underscores this threat.
3:06 am
tsa is highly dedicated to protecting our transportation network against these threats but we work collaboratively with public and private stakeholders to drive the implementation of intelligence driven risk-based policies and programs can continue our robust information sharing efforts. as reflected in the cyber security infrastructure testimony provided by our industry colleagues on november 4 this year, we have a vital national interest in understanding, mitigating and protecting its infrastructure from cyber security threats. constantly evolving potential for malicious cyberactivity against transportation infrastructure points to the need for vigilance , information sharing and policies and capabilities to strengthen our cyber security posture. tsa mitigates that degradation and malfunction of systems that control this infrastructure by implanting immediate security
3:07 am
requirements for security policies . after the colonial pipeline ran somewhere in may there was a clear understanding that we need to take more action to prevent another pipeline incident in the future. and in that vein tsa issued to security directives to immediately address these threats . we will require the pipeline operators who transport over 85 percent of the nations energy and assets to take immediate actions to report cyber security incidents to my partner agency cyber security infrastructure and security agency designate a cyber security coordinator and see that that is available 24 seven and implement measures that we continue our work across all our modes as critical cyber information is driving our most recent effort to issue more threats in the spain and as chairman defazio mentioned earlier we are working with our higher risk passenger
3:08 am
rail and rail transit operators andaviation in 4 critical actions. designate a cyber security coordinator ,reporting incidents to the system , developing an incident response plan and conducting self-assessment to address potential vulnerabilities. chairman, we continue our robust engagement with our partners through our transportation. the advisory committee and our aviation security advisory committee along with numerous corporate executives all the way down to the security level. chairman defazio on behalf of my colleagues at tsa we would like to congratulate you on your decades of service and thank you for all of us and our nation. i look forward to taking any questions you may have. >> thank you.
3:09 am
you have quite a history with tsa and i chair the aviation subcommittee it was under our jurisdiction and we had the homeland security committee and we stood up in short order and i can say it's a work in progress. but it's so far ahead ofwhere we were march 9, 2011 .i'd love to go into that at some point and talk about it but anyway, it's not the subject of this hearing. >> good morning chairman ranking of her grades and distinguished members. i am honored to be here to this morning to discuss cyber security and the maritime transportation system . a top priority for the coast guard our national security and economic prosperity are inextricably linked to a safe and efficient marine transportation system or mps. the mts is an integrated network of 361 boards and
3:10 am
25,000 miles of waterways. marine transportation supports one quarter of us ged and provides employment for one inside the working age americans. the mts enables our armed forces to project power around the globe and any substantial disruption to marine transportation can cause cascading effects to our economy to our national security. cyber attacks are a significant threat to the maritime critical infrastructure and while we must continue to work to prevent attacks we must also be clear i attacks will occur and ensure the mts is resilient. protecting critical infrastructure and ensuring resiliency is a shared responsibility. thank you for holding both sessions to allow industry and government to describe our efforts. the coast guard is the nations lead federal agency and in august but, not released a cyber strategic outlook to guide our work ahead. at the core of the strategy
3:11 am
is the recognitionthat cyber security is an operational imperative . both for our service and maritime industry. with support from congress with established coast guard cyber command and built an operational force to execute missions and protect coast guard and dod networks.the coast guard cyber forcesare man trained and equipped in accordance with joint dod standards . have a broad range of authorities to address complex issues spanning national defense and homeland security including protecting the mts. the coast guard's approach to protecting the mts leverages our response framework to prevent incidents we leverage our authorities in the nation's ports to set standards and conduct compliance. we refer to this as cyber risk management and required accountability assessments mitigations and exercises and incident reporting. to prepare for and respond to
3:12 am
cyber incidents coast guard sectors are leading feel loved rocks or sizes with area maritime security committees and have established unified commands with fbi to lead the federal response to cyber attacks . cyber attacks will increasingly have physical impacts beyond computer networks and by incorporating cyber security into our prevention and response framework we provide a comprehensive all hazards approach to this threat but we cannot do this alone. as the risk management for transportation we look to book seaside tsa as its key partners. the mts is dependent on other critical infrastructure . cis a coordinate across sectors, shares owner ability information and provides technical assistance. these efforts build coherence within the agency, foster collaboration with the private sector and enhance our ability to protect the mts in our relationships with cisa and tsa are strong and will continue to mature. iver security is a shared responsibility with the private sector as well. collaboration is paramount
3:13 am
and focus on information sharing and good governance. at the national level we stood up a cyber readiness branch within cyber command as a focal point for maritime monitoring, information sharing and response coordination. at the local level we strengthen communications with our security committees. risk-based regulations which leverage internationally recognized standards are the foundation for goodgovernance . the congressional support to establish the maritime national maritime committee to facilitate consultation with industry on standards development. we work with the international maritime organization or imo's to address risks posed by foreign vessels. we are committed to a transparent approach as we balance the urgency of cyber threats within foreign rulemaking. the cyber threat is dynamic . as we continually evolve to address emerging needs will only congress is continued support. we are grateful for the fiscal year 2021 appropriations .
3:14 am
investments by additional capability for our service and serve a key role in protecting the mts. the establishment of 22 mts cyber advisors in the field are key notes for coordination and collaboration are field units . we look forward to the continued dialogue with congress on this issue and appreciate the opportunity to testify and look forward to your questions . >> mister kevin dorsey. >> chairman, ranking member graves and distinguished members of the committee. thank you for inviting me to testify on securing our nation's infrastructure in an evolving cyber security landscape. transportation relies on the 400 it systems to ensure the safety and efficiency of our nations transportation system
3:15 am
. as you know illicit cyber attacks and other compromises to these systems and dot networks may put public safety, sensitive information or taxpayer dollars at risk. our office has long identified cyber security as one of the top management challenges today i will focus on three key areas. one developing a comprehensive dot cyber security strategy to discuss recurring witnesses and to protecting it infrastructure and sensitive information within dot operating restrictions and three, coordinating with other agencies and industry partners. first on the whole dot has established policies and procedures for cyber security programs that align with federal guidelines . however , we still have
3:16 am
challenges implementing this program in a consistent or comprehensive matter. as a result, dot faces the risk that is mission-critical systemscould be compromised . our office reported on the long-standing efficiencies to dot inconsistent enforcement of an enterprisewide security program and effective communication with this operating administration and inadequate efforts to remediate witnesses. many of these witnesses can be attributed to dot lack of progress in assessing our prior recommendations. including those with 10,000 identified threats. leadership challenges also risk dot's oversight for example the individual irving
3:17 am
as the acting chief of information security officer over the last year was not cast with information security and an official primary duty. that have made it difficult for dot to implement long-term changes. second, dot must better protect the it infrastructure . for example to increase cyber security, faa must finish collecting and implementing more stringent security control for 45 high impact systems that are critical for safely managing our traps. unresolved security controls with management systems could impede its ability to disperse billions of grant dollars. furthermore during joint testing of the it infrastructure, we were able to gain unauthorized access
3:18 am
to millions of sensitive records including personal identifiable information. finally, dot is one of the lead agencies designated to protect the nations transportation infrastructure . as such it must effectively partner with other federal agencies and the private sector on efforts such as securing services and meeting the presidents recently issued executive order on improving cyber security. to that end faa is working with dhs and dod on the aviation cyber industry. but still as the us upgrades the transportation infrastructure dot must continue to strengthen and secure its it systems and networks while working to improve this effort to respond to increasingly sophisticated malicious cyber campaigns. we remain committed to
3:19 am
supporting dot's efforts as it works to remediate the system vulnerabilities and focus on overall cyber security projects. we willcontinue to update you on our work for these and related matters . this concludes my prepared statement. i would be happy to address any questions at this time. >> iq mister dorsey. finally, this is ridiculous. mister marina. >> thank you chairman and ranking member grace for inviting gao to contribute to this important discussion of our critical infrastructure cyber security. our nations infrastructure lies on it systems to carry out operations and the protection of these is vital to public confidence in safety. gao has long emphasized the urgent need for the federal government to improve its ability to protect against
3:20 am
cyber threats to our nation's infrastructure and be designated cyber security as an area since 1997. our most recent high risk updates emphasized the need for the federal government to address security colleges to attend critical actions. today i will focus on two. the first is the need to develop and execute a comprehensive national strategy and the second is the need to strengthen the federal role in protecting critical infrastructure from cyber threats. over the last several decades the federal government has struggled in establishing a national strategy to guide how we plan to engage them ethically and internationally on cyberrelated issues . last year we reported the prior administration's national cyber strategy needed improvement and it was unclear which official was responsible for coordinating the execution of the strategy. we recommended the national security council update the document congress consider passing legislation to designate a position in the white house to lead such an
3:21 am
effort. in january we saw congress passed a law that established the office of the cyber actor within the national office and in june 2 confirmed the director to leave this office. while this is an important step forward until we see the executive branch established a comprehensive strategy our government will continue to operate without a clear roadmap or how it intends to overcome the cyber threats facing nations. we've also long reported the federal government has been challenged in working with the private sector toaddress our infrastructure from cyber attacks . since 2010 we've made 80 recommendations aimed at strengthening the role in critical infrastructure including by enhancing the capabilities and services of dhs cyber security and infrastructure security agency and ensuring that federal agencies with sector specific responsibilities are providing their partners would be effective guidance and support they need. these include important corrective actions within the transportation sector such as improving faa's oversight of cyber security and tsa's oversight of the cyber
3:22 am
security of critical pipelines and passenger rail. finally i'd like to highlight the urgency for federal agencies to implement all the cyber related recommendations that have come out of the work i gao and inspectors general. since 2010 gao has made 700 recommendations on cyber related topics. many of these extend far beyond topics related to critical infrastructure but represent work needed to elevate the entire federal government in its ability to tackle problems and anticipate those we will face in the future. for example they deal with important work issues such as our recommendation to the department of transportation assesses in order to better oversee automated technologies like those control plans and vehicles without human intervention. they also call for improvements to federal agencies on protection such as through recommendations to dhs at work with agencies including faa to better implement cyber security tools that check for
3:23 am
vulnerabilities and secure configurations on agency networks and all that agencies deserve credit for implementing any recommendations over 900 vehicles must be implemented including 50 related to improving critical infrastructure so clearly there is a lot more work to do everything agencies need to move with a greater sense of urgency to improve their cyber security protections. in summary in order for our nation to overcome its ever mounting an increasing array of cyber related challenges our federal government needs to do a better job of implementing strategy and coordination among federal agencies and with the owners and operators on the front lines. this concludes my remarks and i look forward toanswering any questions you may have . >> thank you for your testimony. i will try tosqueak out a couple of questions here . mister grossman, let's briefly say the top three cyber security challenges at the faa and what are you
3:24 am
doing to quickly implement measures to mitigate this? >> thank you for your questions chairman defazio. the faa operates large complex infrastructure of interconnected networksand services . we have many service providers including satellite-based communication , automated communications between aircraft etc. the system has become very complex . you know, most of our challenges really are around the purpose built legacy systems in operation today. these systems are operated 24 seven, 365. they require extensive testing and operate custom-built software. really they don't allow remote detaching capabilities
3:25 am
so keeping up with the cyber it component is a fairly large challenge in faa, from an air traffic control perspective. we protect that system through compensating controls meaning that that network while it's difficult to pass and update, it is very difficult to get too attached to as well. itdoesn't have internet access . there are very mature access control lists. in other words system a can only system b over a very specific port with specific protocols and everything else is not addressed. additionally, ...
3:26 am
>> we need one more. mister dorsey, you were pretty critical i thought. do you agree with mister grossman's assessment of the job challenges and what do you think they haven't recognized? >> thank you chairman. the keys are to solidify at the key information officer level to provide data oversight and accountability necessary for agencywide improvements to address security weaknesses. 2, the ability to develop a comprehensive cyber security strategy to assess recurring weaknesses and 3, to better protect and secure this it infrastructure to secure it from potential compromise. those are the three key areas to focus on or that we
3:27 am
identified over the last two years. >> mister grossman, arethose things in progress ? >> i am the chief information security officer so there is leadership within faa. we are working with the oig to close these audit recommendations. we believe that we have protections in place while many of the compliance audits have a lot of findings. the actual vulnerabilities are in our opinion most of them are mitigated through compensating areas.
3:28 am
>> i was speaking at the department level. they're responsible for providing oversight including faa. thank you. >> dot and other agencies. >> yes, sir. >>. [inaudible] >> there's no permanent chief information securityofficer at this time . we would be addressing the acting chief security officer. >> thank you. i'm going to yield now to ranking member grades if he can ask questions that are with a voice that i can. >> thank you mister chairman. now the committee, we continue to hear conflicting reports from tsa industry stakeholders regarding process and engaging through the issues of two tsa security directives and furthermore myself and ranking member grades as well as governmental affairs ranking member portland send
3:29 am
letters to dhs, oig's review process in which tsa insists the draft of the directives which i ask unanimous consent to be entered into the record mister chairman . >> without objection. >> i would just like to send ms. neuhaus. how would tsa evaluate implementationof the pipeline security directives ? >> thank you for your question ranking member grades. we continue extensive engagement. that's the hallmark of what we are doing in order to ensure continuous improvements . we have actually developed and implemented an entire surface operational structure to do this. so we have boots on ground and what we are then finding buspar as you mentioned, we have issued to security directives this summer. postcolonial pipeline. we're proud to announce on behalf of us and our
3:30 am
stakeholders that all stakeholders that are subject to that directive have met all the requirements in the very first security directive. it's a very tight guideline, communicated beautifully with us. very vocal and they're very direct with us when they met challenges. >> let me ask you about those challenges. what challenges have you identified during implementation? >> the biggest one and we've taken this to heart is the definition of a reportable cyber security infrastructure. we've taken steps and a great deal offeedback to modify that definition . to not include all potential incidents. we have narrowed that based on industry feedback. >> i recently held the national pipeline requested tsa conduct an advance notice of proposed looking to gather information bibles to draft a proposed revelation to replace arequired security directive .with unanimous
3:31 am
consent for this letter to be entered into the record misterchairman . >> without objection. >> i hate to keep bothering you, i know your throat is killing you. as i stated tsa can leverage the informal process to promote a greater understanding of what our reasonable and sustainable regulations would be. will tsa issue and a npr to gather thisimportant information ? >> thank you for your question. we are considering all of our options including the most transparent option, and a npr and or advanced notice of proposed rulemaking is one tool that we have exercise in the past successfully. and as we have continued robust engagements both at the classified and unclassified level with all of our perfect transportation stakeholders in particular our pipeline, rail, passenger
3:32 am
rail and aviation stakeholders we are considering all of those options . >> as you know we are anticipating the release of the new security directives for rail. it should be as early as this afternoon if iunderstand correctly an unfortunately we were concerned about these directives from stakeholders including from the freight rail industry . at our previous hearing on cyber security in thenovember 4 letter from american public transportation association which i ask unanimous consent to be entered into the record . i apologize for that inconvenience one more time . >> without objection. >> missed neuhaus how much tsa engagement have they directed and how is it incorporating feedbackinto these directives ? >> we have continued robust engagements and frankly we have been working closely with the united states intelligence community, our partners at cisa and
3:33 am
department of homeland security dot to provide that background information. that threat information is driving all these requirements. as recently as this week i along with several of my top leadership have met with freight rail passenger rail executives . with a classified briefing in our facility to show them what we are seeing an illicit impact and input and ask them for more input for either future requirements or other guidelines that we could issue together by just telling them this is what they need to do. so we've been having some successful engagement and as a matter of fact today a number of pipeline individuals with those in other security personnel are receiving briefings as we speak and we do have an apparatus around the united states to support those
3:34 am
briefings. thanks to our law enforcement and intelligence community partners. >> will you consider utilizing a will making process ? >> ranking member, all those options on the table. >> i like the gentleman represented norton to be recognized. >> thank you mister chairman. i hopeeveryone can hear me . my first question is for mister shatner. mister grossman of faa, this new tsa. i'm interested in information sharing among partners. you each oversee critical infrastructure entities with some overlap, some oversight, sorry. especially regarding aviation and surface transportation which i am particularly interested in because i fit i sit on the subcommittee on aviation and serve as chair
3:35 am
of the subcommittee on highways and transit. can you explain to us in some detail how you collaborate to oversee the same sectors and critical infrastructure entities. >> miss shatner, mister schachter, grossman. ms. neuhaus. >> and i unmute? thank you very much for that question. congresswoman. information sharing is vital. to securing the nation's critical infrastructure and the infrastructure that dot is responsible for. we collaborate extensively within the team.
3:36 am
we collaborate with the faa and also with our federal partners in particular. tsa, cisa and even with omd which has the federal chief information security officer. the federal information security officer was one of the first federal officials that i met virtually of course after joining the dot in late august. i have had subsequent sessions with jen easterling as well as chris english and the cisa director and national cyber director and we intend to keep up and open channel of communication as well as following up on various directives and formal
3:37 am
information sharing that dhs has required. >> thank you. mister dorsey, can you highlight cyber security issues that give you the most concern and also explain why you believe the government has repeatedly failed to fully address them? >> yes congresswoman. i can jump in first and perhaps go after. i think the bottom line is that we are constantly operating behind the eight ball. the reality is that it just takes one successful cyber attack to take down an organization and each federal agency as well as owners and operators of critical infrastructure have to protect themselves against
3:38 am
countless numbers of attacks so to do that we need our federal government to be operating in the most strategic way possible so as i mentioned the importance of having next national strategy isn't to just have something on paper but to execute that strategy and that carries forward to those agencies like the department of transportation, tsa and others who have responsibility to do the same . we've seen our work agencies have had challenges in maintaining very up-to-date sector plans that actually would talk about the cyber threats agencies are facing and the infrastructure is facing today so we think it's important for sector specific agencies to work with their industry partners to make sure theiroperating on the same sheet if you will . >> you very much. i yelled back. >> i think the gentle lady for yelling back. i got to yield the chair to frank carson who has been although as a loud and booming voice and will be able to understand them so thank you.
3:39 am
>> thank you chair, hope you feel better. we appreciate you. >> thank you chair. this hearing is the evolving cyber security landscape. federal perspectives and in securingthe nation's infrastructure .i was surprised we would bring in a witness from thesecurity agency . i think it might be a good idea for the future. we have testimony in the past and we know that the coast guard is trying to update your own it systems. the challenges you face in doing that. can you provide us an update on how the coast guard is working to improve this area and it systems and that mandated by congress to do. >> partisan, our approach to protecting the maritime transportation system relies on us having our own ability to defend and operate our networks . so as part of the commandants
3:40 am
strategy for our work ahead, he has put the defendant operate the networks protect maritime critical infrastructure and naval coast guard operations as those three pillars for how we move forward to accomplish all of our missions. with regard to defending and operating our networks, through investments in the cares at with over $65 million in funding we've been able to make significant investments to modernize our infrastructure and push more information out to our mobile users out in the field and are cutters underway all this is premised on it being operational inherited. so the key thing is really driving us more to the establishment of coast guard command as an operational
3:41 am
command under the purview of a two star commander overseas our daily mission execution in the it space. then the coordination with our cios who is driving those investments and modernization projects forward. >> thank you also admiral. if you can expand on the resources you're making available to of course work with our core facilities on their it infrastructure and cyber security. >> congressman, at the port level we're really focused on working across the prevention and response framework to ensure that we have the ability to defend and then also respond resiliently from attacks. this is a shared responsibility between the private sector and the federal agencies involved. so we're doing a number of different things. first we put in standards in place that require them to
3:42 am
conduct assessments. half an accountable person. develop a plan and mitigate that plant and report incidents. all those pieces are important. says assessments we then have the opportunity to drive investments through the port security grant program to update security posture in the ports. until last year $17 million was allocated from the port security grant program for cyber security. these are some of the areas where things that are being done to increase the capability of the commercial infrastructure. while also maintaining our operational abilities. >> also has your role as assistant commandant, you're responsible to the coast guard maritime security programs. what do you say, which side is winning?
3:43 am
increase digital safety operational enhancements, how are we doing in this fight? >> it's not an either/or proposition for us. it's really and all of the above. so as you see prevention policy we make sure that we bring together the best of our ability to secure private industry but then be able to respond as well. so leveraging our prevention response framework , we've made sure that we've taken a multilayered approach to engaging with the industry, sharing information with them at the local level through the area maritime security committee and conducting compliance activities then at the national level engaging across the interagency with our national maritime security advisory committee with the mts buyback and then with other interagency partners to make sure that we are tied together and
3:44 am
providing a comprehensive network and comprehensive approach to this problem. >> i just about out of time and i want to mention i know you got a cyber security expert yourself so hopefully you're aware of that fact and your coordinating with your cyber security people and also in the private sector. i yelled back my time. thank you. >> mister dorsey has the gao investigated the progress of the federal agencies for the private sector in implementing the guidance and requirements laid out in the may executive order from the president to modernize and strengthen the federal technology systems? >> thank you for that question. as the gao investigated i think that question should be directed towards the gao
3:45 am
representatives . that's if i'm not mistaken . >> miscellaneous can answer that. >> happy to. we have looked at efforts of the executive order and have work underway right now looking at the progress that's been made by the administration and actually overseeing whether the many requirements that is placed for the agencies adhere to so there are aspects within it that were passed on including supply chain more recently but we have work underway that's going to be looking at the executive order. >> do you have a timeline laid out for the report already ? >> are expecting to report on the status of implementing the executive order throughout the calendar year so we're looking to provide information on a real-time basis to provide something closer to early spring. >> thank you. mister dorsey, at what point
3:46 am
with the wood the oig get involved? >> we have initiated a review of the dot's efforts to implement cloud-based services with respect to the request or issues that were identified in the presidential executive order for federal agencies to ensure they secure cloud-based services as they migrate forward. we're also hoping to complement efforts to migrate towards a zero tech architecture as outlined in the president's executive order. i've also been in contact with the department's chief information officer and he has informed me that the department is working towards addressing the current initiative and i plan to work with him next year to ensure that they report back to this
3:47 am
administration if necessary. >> thank you. mister grossman the aviation sector is complex. i'm sure that you are considering that complexity as you consider helping the system be less vulnerable to cyber attacks but the testimony from gao in the first part of the hearing a few weeks ago says less than half of the respondents to the global study investigating the cyber security trends within the air transport industry identified fiber security as a top organizational risk. all consider how congress can incentivize the privatesector to address cyber security issues ? >> how congress can? >> to address these cyber security issues. >> we have reached out to the industry through the aviation cyber initiative extensively. we built a community of
3:48 am
interest over 1000 members that cross all of the components of the aviation ecosystem and we're using the bully pulpit to and it seems to be from deviation perspective we seem to be getting a lot of traction. >> can i follow up on that with a particular issue and i don't know if you're handling this but it's chaired fazio and i recently expressed the concerns to the federal indications commission on the telecom industry plan to utilize it broadband service and a potential interference with aircraft radio parameters. i know that administrator dixon is weighing in on this with the fcc. can you update us on what the status of that is and as well are there othertechnologies coming online that we need to be concerned about ?
3:49 am
>> thank you for that question. i'm not personally involved with the 5g effort but i am aware that telecommunications companies have all agreed to deployment delay for their five gc band to allow partners. we believe that aviation in five gc band wireless services can safely post this and the fcc and faa are using the site together to exchange information to come up with a path forward. >> i guess implied in the letter that whatever solution you all think you come up with would be very interested in that solution to make some determinations . thank you very much. >> thank you mister perry. >> german. mister schechter and miss brown as, during last month's hearing on cyber security we had an interesting back and forth with mister scott meltzer on the minute
3:50 am
institute in court regarding increased cyber security threats associated with the transition to electric buses and the fact that it brings with it a whole new level of cyber exposure and other security risks not previously anticipated. mister belcher agreed that these increased risks include the ability to degrade batteries remotely, cause fires, manually take over controls of the vehicle at sarah and went on as far as to say we be safer if we were stillrunning diesel buses . i'm a fan of diesel and all of them. just got to be ready to implement love processes to make sure that we're safe. while we were discussing these issues in the context of electric buses, purchased by transit agencies with fda funding these concerns are much more widespread than just buses. in fact the same concerns apply to our electric vehicles. on either by the government
3:51 am
or private citizens. and the associated charging infrastructure. i wonder if either of you can expand on the significant increase in cyber security risks and threats we should expect as the result of the relentless pursuit of electrified vehicle fleets by the majority of this administration and unfortunately some socialist voting members of my own party. can expandon what we can expect ? >> thank you for that question. i think we're conflating two separate and very important issues. one is the fuel that any vehicles use whether it's electric powered, diesel power, inherently they are not more or less at risk from the cyber perspective. what we're really talking about here and the cyber issue is the electronic control system that's on board with not only electric buses but if you were to buy
3:52 am
a new diesel bus for gasoline busor gasoline car , those vehicles all had some sort of electronic control system there communications system which is potentially vulnerable. the correct steps just like in protecting government it systems, the correct steps need to be taken to protect the it systems in that vehicle. and when we're talking about fossil fuel powered vehicles or electric vehicles, we're obviously the administration has identified addressing climate change as a top priority. and if we take the conversation to the subject of this hearing which is cyber security, there are new mechanisms of protecting those vehicles intelligent systems on board and we need to do that and there are several organizations within dot at work on that right
3:53 am
now. >> congressman, we've looked at issues with respect to modern vehicle cyber security overthe last couple of years and indeed , whether the fuel is gas or electric, the reality is that we're seeing an increase in thenumber of interfaces . the number of chips being placed in the systems those tips are powering and in fact that's what we're seeing as one of the challenges in terms of supply chains having those tips to manufacture new cars regardless of the fuel. the reality is if those interfaces are not secured they can be exploited through direct physical access and even remotely as well. the reality and an important element is the need for our workforce is to be able to be in the best position to oversee these automated technologies and as we recorded earlier this year we think that apartment of transportation needs to take a close look at this workforce to make sure that as vehicles become more and
3:54 am
more autonomous that they have the appropriate folks in place to oversee that technology. >> ..
3:55 am
cybersecurity or that executive
3:56 am
order was issued. the audit regarding cloud services were seen as the best practices better protected from the perimeter and if they had previously organized themselves into using a common operating environment unifying all of the operating with the exception of the faa to a single system providing one surface to provide for attacks. that is the best practice. we were there prior -- >> you highlighted the testimony
3:57 am
-- the u.s. water treatment facility, industrial control system and incentive used as a part of the treatment process. the concern is the water system including treatments -- what are your concerns in this area? >> the threats to the water infrastructure is real and comes from the same challenges other sectors including the reliance on the legacy systems that are not only outdated but the vendors that actually created them. these include workforce issues, having appropriate staff within very small organizations that reach these facilities to be able to respond in fact in the
3:58 am
case of the february attack according to reports there was an official there was monitoring and was able to see the efforts as it happened the reality is there needs to be more that is done and we are encouraged by the fact to establish the expectation of the specific agencies and the environmental protection agency is that for the water sector. we think that epa can do more to reach out for the sector to better understand whether the guidance that it provides is adequate to be able to address the challenges that i mentioned. >> would you suggest that they do virtual training? >> i think it's important for them to do that in concert with their partners and there is a good establishment of both government and sector specific
3:59 am
representation as i'm aware based on the hearing that your committee held they were having a thousand or more security threats a day. initially without having to wait months for training. it's about elevating the entire cybersecurity awareness of the nation. until we do that, they will continue to exploit those that have the least knowledge. a. >> what are your biggest concerns in the area? >> making sure the support of the federal agency is providing is the right one and that means doing more to assess and the
4:00 am
plans that they can execute. if that would be the department of homeland security we are still waiting to see a national infrastructure plan get updated in the next couple of years we can move to immediately. you have done that in the wall so congress did pass the law that passed gao with evaluating how effective they are in fulfilling the statutory responsibilities so we will be reporting back to you in the near future. >> many agencies are too small either equipped or trained.
4:01 am
but also what offerings the federal government can provide others to those operators that need the help is very important with oversight i think they should be part of it. a. >> they are part of the sector that has been identified as so they do carry forward to the agencies that have responsibility. >> thank you for your concern and i look forward to talking with you. mr. chair man, i will yield back we understand tsa will reduce transit operators but unfortunately, we've heard concerns about the development from stakeholders at the tsa
4:02 am
including from the industry in the previous hearing on cybersecurity and november 4th letter from the american public transportation association which i ask unanimous consent to insert into the record. >> it's good to see you again. can't wait to see you all in person. unfortunately, the tsa failed to provide a notice of this despite you were coming here despite what we knew of the committee is receiving advanced notice after back and forth by staff i'm told we received in an embargo copy of 9:25 this morning which doesn't give our team or us any time to meaningfully review and
4:03 am
actually figure out what important questions we might have for you today to ask about. the letters were yesterday, december 1, which was i just want you to take a message back that this committee because we have jurisdiction today otherwise you wouldn't be here. we expect to be notified of actions that your agency is going to take just like other committees. if anything you are doing is going to affect the mode of transportation and safety of the mode of transportation in the areas we have jurisdiction over, we expect to be notified here. can you please make sure you send that back to your
4:04 am
colleagues. of these are issues i think we all want to work together on. hope to talk with you again in the future and look forward to the next meeting. it's my understanding the gao is in the process of completing the report on cybersecurity how has the gao pursued access and plan the cyber posture remain secure? >> we appreciate congress tasking us with this and we take the responsibility of performing it very seriously. in terms of how we are protecting information we recognize it is very sensitive but we also have a successful track record of handling the information that we received from government agencies and industries and we will obviously
4:05 am
apply the most rigorous protections we can. as you can imagine access to house data is something we guard very closely however we also recognize the expertise in this area and hope congressional entities are operating to achieve the desire to the annual report. another question, we have seen attacks on the critical infrastructure including the one earlier this year on the colonial pipeline monitoring is critical to thwart the attacks but isn't the end of what the efforts should be and we should have a layered approach to cybersecurity when protecting the most vital assets. can you tell us, and this may be a question, what is the department of transportation doing to fortify the assets in the field such as the traffic control towers that are carrying
4:06 am
hazardous materials and so they can operate effectively what they are already compromising. let's go to you. can you answer that with of the time i have left? thank you very much for the question. so each of these areas that you mentioned working with our private sector partners to improve the cybersecurity practices and as stated before, the cooperation through tsa to those private sector partners we access code sector risk management officials in those areas, so we need the participation from all those parties to become more cybersecurity. >> we continue to work with you on these endeavors and i apologize for mispronouncing your name before. thank you all for being here today and i will yield back the balance of my time.
4:07 am
>> thank you, mr. chairman and to the witnesses for your time and testimony today. during part one of the hearing we learn how our critical infrastructure remains in october of 2021, the dot released a report on the federal transit administration's cybersecurity weaknesses which found that weaknesses in fta's financial management systems could affect its ability to disburse the funds.
4:08 am
the oig report notes that they failed the weaknesses that have been known since 2016 a total of five years while the delay is not unique, it puts us all at risk. why has fta moved so slowly to implement security control fixes? >> thank you for the question, congressman. we've worked with of the the det for a number of years regarding the various cybersecurity weaknesses that we've identified and with respect what the department has informed us to
4:09 am
get the proper guidance with respect to end the fear that the system needed to be operational 24/7. the issues regarding for the six years or so and the responses by
4:10 am
2023. >> for the initiative if you will and require to make sure they prioritize implementation of what we consider to be some of the most significant cybersecurity weaknesses that we've identified over the years and make sure they report on the attempts and the leadership for
4:11 am
the deficiencies so that the cities like atlanta are not detrimentally impacted. a. >> thank you very much for that question and as i specified in my testimony, cybersecurity is our number one priority and i highlighted three areas that we are prioritizing within that to make immediate action. first is access control, second is website security and the third is governance and coordination across the dot. all of those issues are impacted and involved in the situations that you mentioned. we've created cyber spreads that i mentioned in the testimony as a way to expedite improved
4:12 am
performance in all these areas and i believe we will be able to report back that we have made significant improvements. >> thank you. my time is up and i will yield back. as i said that the other week i'm so glad we are having this hearing and are prioritizing this important topic. as we wait on the cybersecurity and critical infrastructure space, it is a great responsibility and one that we should all take a very, very seriously. it's also a very timely topic. right before we went home from thanksgiving, the director told the security committee that, quote, ran somewhere has become the scourge on every facet of our lives and it's a prime example of the vulnerabilities
4:13 am
emerging as the digital and physical infrastructure increasingly converge. she went on to say the american way of life faces serious risks. internet attacks are full-fledged standard feature of the modern day life and hardly a day passes without a story breaking about a cyber attack or at least a threat. they are disruptive, costly, and potentially life-threatening. all of us saw what happened and now lead to gas shortages and interrupted to supply chains. there is a legitimate appropriate role in the federal government to play in protecting the american people and the companies and businesses against theft, espionage and cyber attacks. no question each of you testifying today are fighting for the national security however as you all know, cyber intrusions are hard to track. we've got to be extraordinarily
4:14 am
careful as lawmakers and rule makers that we don't meddle in something that we don't understand and unintentionally created more bloated regulation with overly burdensome requirements that don't truly secure our infrastructure. in any policy we push forward it's got to be aggressive and consistent with of the nations founding principles. meanwhile while at the same time protecting civil liberties and free economic markets. the former director of national intelligence and my former texas colleague and classmate said that we need to attribute these attacks and these are overtly or covertly retaliated against those responsible thereby creating a deterrence for the future. for the long time a strategy of cyber criminals it is a simply pay the ransoms and hope for the best.
4:15 am
my question for you all is this and i will open to anyone who would like to answer with time permitting. what are some common sense steps as lawmakers we can take to better protect our infrastructure and encourage better reporting of cyber threats without infringing on people's civil liberties and the free market and i will open that up. i will yield to my colleague. >> thank you, congressman. cybersecurity and responsibility, public sector, private sector and we will either succeed or fail at this
4:16 am
together. it's understanding that new systems need to be secure by design and created with cyber cybersecurity in mind as step one. that would help us achieve our objectives. >> congressman, thank you. i support the comments made. what i would offer is that we have to treat cybersecurity as an operational imperative and it has to be part of an overall risk management approach above the private sector and federal government and so in order to achieve that, they have to be able to do em assessment one is
4:17 am
a minimum that i need to disclose to how can i help protect others as we've heard from testimony already in these incidents cut across so many different infrastructures and reporting helps us. >> absolutely. thank you. we will remember retaliation can occur to help some of this. i will yield back. at this time i will yield back to myself. the aviation sector is composed of aircraft the private sector companies and public agencies including the faa however a cyber attack on one portion of the sector can have cascading
4:18 am
effects on the entire system with devastating impacts. can you describe from a cybersecurity perspective how the faa assists and supports the aviation sector? >> thank you for that question. the faa engages so we engage with much of the aviation community which we are close partners with and the aviation sector coordinating council manufacturers association and of course primary and engagement in the cyber initiative and standards, guidance and we promoted relation sharing.
4:19 am
and to assure they are using industry standards and are building products. a. >> do you believe that it's important to coordinate and cooperate to assist them? >> i think as mentioned earlier cybersecurity and we are all in this together public and private sectors for aviation and the higher ecosystem with operators, manufacturers, other agencies,
4:20 am
public and private sector work together to share information and to try to improve the resiliency. this is for the entire panel. where do you see the biggest cyber threats coming from specific actors like the recent attacks on local government entities with ran somewhere from foreign entities and nonstate actors are there significant threats from even some of the weaknesses like the failure to update and strengthen were poor cyber hygiene what are your insights? >> i don't want to speak for the panel to highlight one over the
4:21 am
other. i think that compromise is certainly still fresh in our mind, but i wouldn't choose that over other actors or vulnerabilities if you're asking me which is worse. it's come up several times transportation not only relies on others to operate but other sectors rely on it as well on the communication sector and transportation sector was one of those that had been identified as one you could not operate without it so while there is the
4:22 am
resiliency built in to show us we need to do more to not only shored up specific sectors but the nations approach as well which is why we emphasized in the recent work the importance of having a cyber strategy so it can be and all of government efforts to bring and elevate. a. >> thank you all. a. >> for the programs related to infrastructure. between the tsa and the coast
4:23 am
guard threats and the transportation system how do you help to manage risks? >> congressman, thanks for that question. of the effort in the coast guard is part of our dna so we take a multilevel approach to share information that the speed of cyber. it's a dynamic threat environment and going forward we need to use a combination of tools and methods to get after the information sharing so for this multilevel approach at the local level, we work through the area of maritime security each of us have established subcommittees that are responsible for that day-to-day
4:24 am
sharing of information for conducting the exercises for reviewing best practices. the same people are integral when they report in the board. at the national level we work through a number and have established the maritime cyber prettiness branch and the coastt guard that becomes a focal point or threat information dissemination technical assistance and we meet regularly with the risk management agency and engage with the information sharing and analysis center and look for every opportunity to continue to share information and communicate threats and understand the vulnerabilities so we can protect the mts.
4:25 am
the united states coast guard has privacy in the nation support however they play an important role to support the transportation system. to that end we have the program that started as a port step security training exercise program that started in the maritime sector we have grown the training and exercise program across all modes of transportation. at the u.s. coast guard is a program where as mentioned we can exercise at a both a national and local level and if an entity is not able to participate we do maintain all of those lessons learned and exercise information in an accessible system to thousands
4:26 am
of local operators, first responders and law enforcement professionals who support the ports and other transportation modes. congress also generously chartered the surface transportation security advisory committee a few years ago and across all transportation modes however we also have 14 federal agencies that serve on the committee. if we have a very active and very live incident, the ability to quickly disseminate that information, so i'm not sure that the security committees or the apparatus that you're describing allows for them to sort of nibble the communication
4:27 am
to the ports and other potential threat entities. can you tell me whether or not you are working to update the system to be able to track and follow through on cyber incidents? >> in terms of communication with the ports, we have 24 hour watches that have access to the information and we share that information but we look forward to the questions and follow-up questions. it was established to be able to respond and we would be happy to provide more information about that and follow-up later on in
4:28 am
the hearing. >> that would've been great it seems like there needs to be some type of mechanism. i will yield back. >> the gentleman yields back. [inaudible] good potential use and there is a variety of companies that are starting to get into this and i think it increases the potential for cyber threats.
4:29 am
i wonder if we coordinate with the commercial space industry i can certainly follow up with you. i realize that isn't directly under what you do and it's worth bringing to the attention of the committee because it is going to become increasingly an issue as
4:30 am
we do more of this. i know that you were instrumental in setting up the program so you were very informed on how this works and we have seen it expand. one of the things that we have heard is they have a hard time coming to get the clearance. >> thank you for your question, congresswoman and for your support as the program. we appreciate the insights that
4:31 am
congress and the stakeholders give us on a daily basis. i do know that the office that runs the program for tsa has endeavored to expand enrollment capabilities as you mentioned to get back with specific answers to those questions on how we are best requiring protection of that information and how we will oversee that information. >> thank you and i would appreciate that. whether it's through tsa i think that it's to be sure it is information in the streaming process because when we want
4:32 am
people to feel secure that that information can't be compromised so i look forward to getting that from you and i will yield back, mr. chairman. >> the gentlewoman yields a back end of the chair weber for five minutes. >> i want to talk a minute i appreciate the phrase about ports and as you all know the colonial pipeline system is attached i think may of this year extremely important to the infrastructure obviously we would argue.
4:33 am
the keystone pipeline or more pipelines to carry stuff with the safety rating all of that is to say from an energy perspective would it sound like we ought to have a system in place to notify the pipeline operators as congressman greaves did and other ways that we move energy if since we have limited time and i know we talk about the speed of cyber space so to speak, but should there be a process in place to the greatest amount of energy protected as early on as possible number one
4:34 am
is that a good idea and number two, is it possible? >> that is a good question and if i understand correctly we talk about coordination and communication between the private sector partners that provide the energy, the tools and the pipeline operators as well as the government and its regulatory capacity. tsa has moved aggressively to improve information sharing and incident reporting from all of those private sector actors and to coordinate a booth with dot
4:35 am
and other regulatory bodies that have an interest in those areas. as you probably know, the ports and pipelines are privately operated so that we have to work with those private sector partners and try to influence them so they are less likely to be attacked. some of that is standard access but moves into the operational technology, which are very specialized and outside of the realm of dot information technology. >> i know there was a discussion about the banks years back but
4:36 am
if we had a system in place whereby if we know something is in the making we can alert them as quickly as possible and protect the infrastructure in terms of the national security and the marketplace if you will. >> intelligence and understanding of what's happening to the threat level is a critical piece of how we protect the nation so we've established procedures by which we can share information rapidly both through the interagency down to the field units and with several cases the private sector through the maritime security
4:37 am
committees. what we are also finding out is that this is a very broad problem and so it's important that we get together and collaborate at the lowest level possible. they've developed a collaborative in the interagency to see those threats and challenges as they evolve and share those rapidly to put the mitigations in place so this is an important issue and we are getting after it. >> let me end with one quick thing if you can prevent the random airline tickets it would be worth everything to me -- >> if you have any questions
4:38 am
about tsa be check or family members, please let me know. >> thank you, madam chair. i will yield back. >> thank you madam chair. in october your office issued a disturbing report about security weaknesses at the federal motor carrier safety administration. you placed malware in the network and the industry failed to detect it, so i was curious to know is this a practice that you do with other agencies and why was this particular agency selected for this exercise, i'm sort of curious of the thought process behind it.
4:39 am
>> thank you very much for your question. we've issued a number of audits with respect to whether the department established secure practices to protect and secure the infrastructure. we initially started in 2016 with an additional report on the department's research and we followed that with respect to assessing the department's
4:40 am
security posture and adjust initiated another review of the highway administrations to determine the proper controls and oversight of their own policies that they have in place where we've identified this persistent security weakness to compromise the departments infrastructure. did the federal highway administration? >> we just initiated that review and it takes about seven to ten months. there is a lack of strong passwords or software that is not updated in the operating
4:41 am
systems and from the lack of encryption and persistent weaknesses is how we were able to penetrate the infrastructure. >> i know you've only been in the department and you said you've been there for three months. certainly 11 years in the city of new york. i would like to ask what grade would you give your self at this particular point, a, b, c, d, f how would you grade your self? >> thank you for the question. i don't have enough information yet to provide that sort of an assessment but what i can tell you is mr. dorsey mentioned you go back to 2016 before the dot
4:42 am
created a central operating environment for the purpose of addressing the same findings related to access control, vulnerability that the common operating environment gives better tools so the performance has already approved and we have a way to go and we are acknowledging that as i did in my opening statement and i think -- >> i only have a few more seconds. you've also mentioned limited resources several times in your answers today so i'm wondering
4:43 am
do you have enough resources to do what you think you need to do and if not, are you planning on making further budget requests in the 2023 budget cycle? >> thank you for that question as well. still new to the position to fully assess whether we have sufficient resources as needed to address this or the resources in the right place with the right expertise and i expect before too long to be able to share that information. >> my time is up. >> the chair now recognizes you for five minutes. >> how do you say your name,
4:44 am
sir? i'm really concerned about the russian efforts to target the cables that carry 99% of communications abroad. you are operated by private companies and i understand a lot of information is classified, but given the coast guard's role of protecting the transportation system can you comment on the ability to respond to cyber attacks against the infrastructure? >> congressman, our transportation infrastructure is dependent on other modes of critical infrastructure and as you've highlighted there are very substantial threats against the maritime critical infrastructure every day so
4:45 am
that's why we've put together and operationalized and made it part of our prevention and response framework to make sure we are getting after this threat at the speed that it demands. i can offer a follow-up brief with regards to cables if you would like. >> out of curiosity how many ribbons are on your chest? [laughter] >> congressman, i don't even know. >> it's very distracting but it's pretty cool. i will always remember the veterans day celebration everybody gets up and sings
4:46 am
their service anthems and my dad was an old marine and there was always just one coast and they would scream out the back and i thought that was pretty cool. this is for missus neuhaus of the tsa. i won't get after you for the charitable service sometimes i see people get because sometimes in knoxville tennessee it's great and a couple months ago they issued plans for that companies. how much time did you give the impacted stakeholders to respond and provide feedback on those directives? >> thank you for recognizing the
4:47 am
officers particularly in tennessee. frankly among the top in the country so thank you for that complement. with respect to the transit we followed a very robust rubric of engagement i will give you an example for aviation we utilize to the requirements into programs into provided ample notice and comment both verbally and in writing in multiple sessions, and we've also as i mentioned in my opening to the ranking member, we've taken that seatback and updated definitions of the cybersecurity incident so we've taken that seriously. with respect to the partners i mentioned earlier in the testimony, we have embarked on a robust engagement at the ceo
4:48 am
level to engage of the classified and unclassified level to describe the ongoing and persistent threats that are driving these policies and we then provide written copies to the regulated parties to have an opportunity to review the circumstances given the persistent threats however what we have done over this last month i can personally tell you we have engaged over the last four weeks within updated based on the feedback particularly from the partners. a. >> has the agency received any concerns from the stakeholders about how the upcoming cybersecurity directives would impact their current operations?
4:49 am
>> thank you, congressman. everything we do every day is about the continuous improvement and to complement obligations so we have heard a number of concerns so we continue to look at the feedback. it's a continuous feedback loop. >> i'm going to contact you outside this hearing with respect to the international
4:50 am
airport and i've received some documents from flyers that have an issue with the pre- check but i will do that at a later time. the act of 2008, congress mandated railroads that carried passengers to of sold the systems that work to prevent unsafe movements and accidents by using information network on the new directive concerning cybersecurity and passenger and freight rail and how will this directive help secure?
4:51 am
>> we look forward to receiving the inquiry with respect to the directives we work with our partners to implement with respect to any other operational or informational systems those directives apply to all of it and if i may, we've focused very heavily on reporting. we have to know anything that can reasonably impact whether it is the cpc or ot systems so that is part of the strategy with the directives is to designate that and have a 24/seven availability to report. there is a clearinghouse in addition to multiple reporting requirements or channels that
4:52 am
operators may have to the operating agencies but this is the center of the government to maintain that and disseminate it to go at the national level down to the local level with respect to any system we are requiring them to develop a cybersecurity incident response plan and we are doing that in concert to make sure and we are asking the operators to conduct assessments and vulnerabilities and gaps that help us close the gap. the cyber hygiene is critical to keeping safe and operational. federal agencies must not be
4:53 am
exempt from adhering to the standards. as the chairman of the pipeline subcommittee, the responsibility to ensure the railroad administration makes the evolving threat how should congress better assist agencies to develop and keep go to cyber hygiene practices? >> i think the best method of doing that is your continued respect of the community as well as gao. it's extremely helpful and productive and particular to have support not only during the audit's but following the recommendations that we've made so we are grateful for that support and when it comes to the smaller entities it is to ensure
4:54 am
they have the capabilities to monitor and likewise at the more central level they are doing everything they can to give feedback to the big and small agencies to get better at a cybersecurity. >> thank you for that answer and i will yield back. >> my first question is to mr. grossman. last year the gao offered six recommendations to the faa to strengthen the cybersecurity oversight program. gao report found evolving cyber threats and increasing connectivity between airplanes and other systems could put future flight to safety at risk
4:55 am
if the faa doesn't prioritize oversight. can you discuss what they are doing to ensure that networks and systems are secure from cyber threats? >> good morning or good afternoon. thank you for the question. faa looks at the whole system off the airplane once it is installed to ensure others proper procedures and protections. we've already proposed closure onto two of the three. one of the recommendations that
4:56 am
the faa did not concur with is the periodic independent testing. can you discuss why they disagreed with this recommendation? >> absolutely, sir. it was the independent testing currently flying today and we were concerned that independent testing is how we had discussed the avionics system. >> thank you and i have one more follow-up on the cybersecurity training program. >> avionics cybersecurity training program, i'm not aware of what we have developed but i
4:57 am
can look back to that and get back to you. >> thank you for joining us this afternoon. in december of 2020, gao reported none of the agencies have fully implemented the key foundational practices for managing information and communication to technology supply chains. since 2010, gao has made nearly 80 recommendations to enhance the cybersecurity and as of november nearly 50 of those have not been implemented. while we don't have time to go over all of the recommendations, could you please discuss which of these unimplemented recommendations should be given priority? >> yes, congressman. i appreciate you pointing out the importance of the recommendation that we have outstanding. in addition to the recommendations made on that report that you mentioned earlier in your questioning, and i believe the top recommendation
4:58 am
with respect to critical infrastructure to include making sure the federal agency that has the sector responsibility are doing everything they can to assess what the cyber risks are to the respective sectors, put forward plans with engagement that makes sense on how they are going to support the sectors and execute. most are expressed in a variety of different ways to include things like the grid, financial services into other sectors as well. we also think it's important for the continuous effort to reach the full potential. when congress passed the ball in 2018 establishing the agency that grew out, took on a large set of activities that it had challenged himself to complete by the end of 2020. unfortunately, the report we had at this year showed they were not able to achieve the reports with workforce planning
4:59 am
identifying functions. these are activities we need to complete as quickly as possible and we heard many of those things either by this year or next to the urgency is there for that organization to gain its full potential to provide support to infrastructure and the federal agency as well. >> thank you very much and i will yield back. >> the gentle man yields back into the -- it looks like he might not be on. mr. carter you are now recognized for five minutes. thank you to the participants. both have provided oversight to the strengths and weaknesses.
5:00 am
have any organizations looked at how prepared or vulnerable agencies are to potential cybersecurity attacks around the time of natural disasters and as you know my district in louisiana suffered a substantial storm. the integrity increases and my fear is the critical infrastructure is particularly vulnerable in those periods. can you share your thoughts on the practices to protect the critical infrastructure during natural disasters? i think you noted in the previous hearing the national nl association of the state also identified that as a real threat so i think it speaks to how important it is to consider not only how we can be strong at the most resilient state but the
5:01 am
weakest points that can come with natural disasters. over the course of the last several decades, they've been passed to look specifically at how federal agencies are preparing themselves for man-made or natural disasters to the operations activities and the key part of the planning is to ensure the continual availability of information and you can't do that without thinking about cybersecurity as well. that's an important part of looking at any cybersecurity program at a federal agency is its ability to recover from disasters. i'm not sure if mr. dorsey has more examples to provide, but i'm happy to pass it over to him. >> thank you for the question, congressman. we have initiated a review of the assets and when we found the
5:02 am
high value asset programs are heavily reliant on the department of homeland security efforts to work with the department in assessing these high-value assets there's at least four assessments so the department has initiated its review of the programs and we plan to continue as well as whether or not they are taking additional steps to assess and remediate the potential for the high-value assets. a. >> how do you disseminate that with local governments or states so they are equipped for future
5:03 am
instances? i understand you have several practices were studies to determine. how do you disseminate so the local governments are better prepared? >> how that information is disseminated, i don't have -- >> we have seen the capabilities especially when it comes to the support it can provide to do things like assess their own capabilities. one thing that we have seen to continue its outreach whether they are big or small operators so that there is awareness about what the federal government can
5:04 am
do to share with of the local governments and states you can imagine the devastation. these are becoming far too experienced with state and local governments thank you for your time and attention. any information you can share how we can do better or pushbuttons further to provide resources or awareness so this information is out and we are able to be prepared for future instances as we know they are becoming too constant.
5:05 am
i will yield back. >> mr. fitzpatrick for five minutes. >> thank you mr. chairman when the pipeline suffered, we saw the impacts to get these directives to require the reporting and the plans in 2020 what more is being done to identify in a quicker fashion. >> within 12 hours that is
5:06 am
because of the criticality of the nation's pipelines and the fact that they carry the majority of the resources needed so that's why we are very forward leaning in establishing that and we've updated the definition as i mentioned of what is the reportable cybersecurity incident with the industry. >> to continue to pay ransom to bad actors and if not, do you think the legislation would be needed to make the ransom
5:07 am
payments altogether? >> as referenced earlier, it has likely the highest level of activity and i would to say that through the department of homeland security we work with our law enforcement, the fbi, the federal, state, local law enforcement to identify those opportunities. i would defer to my colleagues how we can best combat from the technical standpoint in addition to the financial aspects as well. happy to take that back and coordinate. >> the chair recognizes you for five minutes. >> thank you so much, mr. chairman. we've all seen the implications
5:08 am
of the cybersecurity attacks on the transportation sector for an example in may of 2021 the ransom where attack on the pipeline resulted in more than 43% of gas stations in my home state of georgia being out of gas. it's clear from the testimony more work needs to be done to strengthen cybersecurity protections in all areas of the sector. in your testimony, you talked about the value of training through participation exercises. my district is home to curiosity lab which is a one-of-a-kind lab designed to provide a real-world test environment to advance the nextgeneration intelligence mobility. what kind of simulations do you run to prepare your staff for cybersecurity attacks and can you talk about the benefits of those simulations? >> absolutely.
5:09 am
thank you for that question. as i mentioned in my testimony, we've developed a cyber test facility that serves as the cornerstone of some of the exercise activities. we regularly conduct the exercises that included the mission support side or the normal it side of faa as well as the operational side. in addition to that, we conduct external exercises and all of government. we've also conducted international exercises with the
5:10 am
caribbean, with mexico and several other countries and this year we've begun looking at the cyber ranges so that we could inject real world cybersecurity threats into the exercises to get a look at what that would look like. >> to follow up with that, are there similar exercises you needed to talk about and what the value is of having that
5:11 am
simulation. >> it gives me an opportunity to discuss the most effective and least expensive type of simulation exercises and that's one where we send a test e-mail encouraging people to click, a technique called fishing and what we see is by repeating that on a regular basis people get much smarter and become more cautious about clicking those links and as was mentioned a while ago, this is a prime way that malware gets introduced into enterprise environments unknowingly by people within the organization. so as i said, this is a very inexpensive need of protecting and providing greater access control. >> i will yield back the balance of my time.
5:12 am
>> admiral, i would love to start with you. number one, thank you for your service in the united states coast guard. i very much appreciate that. want to talk a little bit about if your men and women are physically attacked, do they returned fire? >> we have well established and well trained a process in place for a use of force in the coast guard. it is not my area of expertise and if you want to go into that in detail i would happy to take that for the record or set up a briefing for you. >> not a lot of detail just logically and common sense if
5:13 am
somebody puts a round of a rifle and depresses the trigger and moves the round at a couple feet per second, are they going to return fire? >> congressman, they will execute the use of force policy so if fired on, they will fire back. a. >> this isn't meant to be provocative. it's common sense that they well. understanding that you are not a shooter by your own admission, do you think that they should shoot until they totally eliminate the threat, just opinion on this. i understand you are not a shooter. >> in the general sense, our folks need to ensure their own personal protection and ensure the protection of their colleagues and of any members of
5:14 am
the public so they will continue the use of force policy until that local coast guard women or men are sure things are safe. a. >> i want to layer this on cyber attacks and threats and the reason i ask that is to layer this question should we approach a cyber attack in the same way we would approach a physical attack? there's a moment that it goes from defending myself and seeking a violent course of action to dispatch the threat coming against you and it becomes offensive. should we be pursuing that in every instance of being shot at that we dispatch of the threat so that it can never again pose
5:15 am
that threat to us again. >> as we move this into the cyber landscape, it's important to understand that there are key differences. there's a difference between attributing a shooter right in front of you i think you can see and react to verses somebody in the cyberspace that might be working through a different adversary or venue so attribution in cyberspace is critical. that said, the coast guard released a cyber strategic outlook in august that puts together the first line of effort is defending and operating our networks and dod networks and we bring together the full spectrum of the prevention and response response framework toprotect thn
5:16 am
system. >> do you believe in making that transition however from we were attacked, we are now assessing what happened from the attack and we are now transitioning to eliminate where we assess the origin of the threat and do you become offensive against that threat? >> with support from the administration we are building on the cyber mission capabilities that allow us to take full spectrum operations provided we have the right authorities in place against adversaries. >> full spectrum meaning yes you believe you should have the capability to transition to the offense of against where you
5:17 am
believe the threat originated from. >> we are aligning our training under the standards so that we can work with the department of defense to carry out what the nation needs. >> thank you mr. chair. the chair recognizes himself for five minutes. last month we heard from industries on real-world challenges they face and i look forward to speaking with the witnesses and how the federal government can work to protect and strengthen the digital infrastructure as well. these questions are first for mr. dorsey. my district in massachusetts has two leaders at least in the cybersecurity industry the
5:18 am
company's work on security roadmaps to protect complex operational technologies. has the dot inspector general's office or the gao look tell federal agencies are interacting with companies like this and local transportation agencies thank you for your question, congressman. we do work with the department and ask a series of questions of the risk management area to go
5:19 am
back and determine whether or not they've taken appropriate steps with showing any software they get isn't associated with any kind of counterfeit efforts and also to what extent did they ensure that the component systems and services of external providers are consistent with the slightest security policy that has been incorporated. that is how we communicate as well as how we report to congress gao was tasked to
5:20 am
evaluate the adequacy of the standards and the biggest one in this area is the cybersecurity framework. as part of the scum of the reviews were wrapping up the fourth addressed the next few months. including what kind of engagement with doing a public exposure draft and receiving comments from outside stakeholders and incorporating them into the framework we may not necessarily directly interact with agencies like you mentioned but we evaluate how they are taking in information from folks out there on cybersecurity and whether they can use that and the second thing i would mention is the gao does engage with state and local offices including massachusetts and that's been a good
5:21 am
opportunity because it gives us the chance to have a better chance at how effective the capacities and what are the threats and landscape that they are also seeing. >> the chair yields the balance of his time to mr. johnson for five minutes. >> i will start with mr. grossman. i recently had the opportunity to visit an air traffic control facility in sioux falls and it was dedicated people for sure. i couldn't help but notice how antiquated. there seemed to be many folks
5:22 am
working in the towers so give me some sense the challenges we have linda urso antiquated -- when they are so antiquated. a. >> i think from a cyber perspective, the systems appear to be old and we are able to keep them secure. i would have to take this back to the air traffic organization. even though they appear older, they are certainly secure. >> i will shift gears now. i listened with interest when
5:23 am
you noted that gao has made 3,000 recommendations for improving cybersecurity to the agencies and you noted that there are more than 900 of them that haven't been implemented by those agencies. we haven't had a lot of discussions today about bands under the jurisdiction of this committee. are you aware of any particular recommendations that have been made to the department of homeland security and if so, the cybersecurity for the infrastructure? >> for building off of the question i answered, the cybersecurity framework applies to all sectors as a part of the work of the review that is done, we've gone out and find the other risk management agencies and asked whether they were
5:24 am
finding it useful, are they adopting it so that would include the subsector as well so in those instances we've seen that federal agencies are challenged not only with of the sector and others to be able to have the dialogue with operators big and small within the respective sectors. .. >> they can choose the fiber protection. i think the important thing is for dhs to make sure we were
5:25 am
talking about the systems in place for the faa with the administration of others. anything in particular when it comes to mind with the subsector. >> does it relate to that specific sector but legacy systems are something the operators needs to think about ahead. have a plan to have a moderate rise. as larry pointed out, many of the systems may actually have in some ways better protections if their air gas. if they're not connected to business within the respective companies they may be better suited for the operational control activities that they do. the reality that connection to the federal government. how do the operators know what
5:26 am
those are. that will require a good amount of information to them from to know the posture within the sector. >> that is well said. have they indicated the investment gap, we talk about the legacy systems and as they estimated the size of the gap in the dollars and cents, could you point me towards a particular group that i could learn more. >> i'm happy share information from the federal agency maybe that equates to the private sector but the federal government spends 80% of the it budget on legacy activity not on modernizing. that's an important aspect as well as modernizing with security in mind from the beginning. >> thank you, mr. chairman, i yield back. >> the chair recognizes mr. millan asking for five minutes. >> thank you, mr. chairman i
5:27 am
want to zoom out a bit, pun intended. and talk about the future of transportation, five, ten, 15 years from now and get into how the department is guarding against new and emerging threats and then i'll ask mr. marino's two for his reactions. how would ask both for the reaction. i participated a few days ago on a tabletop exercise that simulated a hostile power taking daughter gps system. something that would obviously have incredibly dire implications, even today for almost all transportation, air, rail, maritime and more. in the consumer automobile
5:28 am
context, some of america's largest companies, tesla, apple, alphabet investing billions of dollars of vehicle technology. i was in a meeting yesterday with the ceo of alphabet. which owns an anonymous driving startup and he reaffirmed his interest to us and being back technology to the market. while there is no expert consensus on when they will be widespread adoption of level four in level five autonomy. it's safe to say that we are going to have a huge number of vehicles on the road, certainly by 2030s. heavily or exclusively reliant on artificial intelligence to make decisions by accelerating, breaking, turning every road decision. today, every car is rolling off the assembly line packed with computers. many have internet enabled
5:29 am
entertainment systems that are preinstalled. there is even more revolutionary technological change to come. including potentially cards that are charged by the highways that they drive on themselves. as all of you know, any product, device, service connected to the internet or otherwise reliant on code will be vulnerable, potentially vulnerable to compromise and the stakes will be incredibly high when we talk about software powered machines that are caring people as 70 miles or more down the freeway. recognizing your primary focus on the internal it management of the department sensually been on
5:30 am
the job a few months. and do not personally writing the regulations related to autonomy or good safety. i want to ask you big picture questions about how you and your colleagues are thinking about the threats that are around the corner. what cyber related challenges does the department expect to encounter in five, ten, 15 years when the technology that we are just talking about today become mainstream. what will keep your successor up at night. what if anything are you doing now to prepare? >> thank you very much for the question. gps and overall positioning, navigation and timing are very important issues that dot is studying in multiple places. the best example i can give you relates back to my expense in new york city where we were one of the three national connected vehicles test locations through the department of transportation
5:31 am
connected vehicle pilot programs. securely communicating with all of the test vehicles and stated up with security credential management system so vehicles were communicating for basic safety information like emergency braking or even traffic signal phase warnings, when you're about to approach a red signal. we want to be sure by the all of those transmissions were from authenticated actors and nobody was actors in causing harm to the people operating vehicles or other road users as well. that is the future technology that is not so far away but certainly demonstrates the issue involved that you're
5:32 am
referencing. those communications need to be secured we need to know on transmitting and receiving and they are from partners we recognize. >> i am out of time, i yield back. >> the chair recognizes ms. gonzales for five minutes. >> thank you, mr. chair. my question will be to larry grossman. the question will be, i want to bring to attention that the faa decision to utilize section 804 to consolidate air-traffic control of operations in miami for the caribbean basing which includes puerto rico within 1970s technology. the flight center handles more than 4000 flights monthly, consisted all flights including arrivals, departures and
5:33 am
overflights for puerto rico to the u.s. bridge virgin islands and to south america due to the 400-mile long airspace which can take commercial airlines about where to travel through. this is the same number of flights that atlanta airspace covers from charlotte to savannah. my question would be, i understand that if this is been done to consolidate operations and for cost savings. my concern is, what are the insurances that i cyber attack on the faa facilities in miami will affect air-traffic control operations for puerto rico and what type of redundancies are put in place for smaller airports in remote places should a larger air-traffic control operation be affected by a cyber attack. considering that we got international airport and small airports around the island.
5:34 am
>> thank you very much for your question. i'm sure that you know i'm not responsible specifically for the consolidations but from a cyber perspective, the protection that air-traffic control system has are virtually identical, whether there is somebody local or whether it is remote and that it is through our secure communication protocols which is a service that we obtain. matt services the same whether the facility, you are dealing with a local facility, the facilities of the same. >> you are talking about the system, this comes to mind what
5:35 am
kind of training to airport and air-traffic control workers get from cybersecurity? >> i can't speak for airport workers that are not specifically contractors. but i tell you all traffic controllers are required to take yearly security awareness training and as our contract employees. contact our employees et cetera. >> after the first hearing we got on this topic some employees last month and the hearing said that they were conducting personal business of word computers or personal cell phones that expose the company that they work for at the cyber
5:36 am
attacks. how can we ensure the same does not happen around airports around the country while while airplanes are in the sky? >> i can assure you there is no personal business done on any mission-critical system or service. individuals, government issued workstation that they get their e-mail on, they are permitted to do limited personal use and that is very limited if someone needed to on their break time log into the bank or something like that. >> thank you. mr. dorsey, if you mind, hmmm often does dot test security controls as part of a risk management issues technology identified in 2021.
5:37 am
what do those testings include? do we have any operating agency experience if a full cyber attack with different types of attacks? >> thank you for your question congresswoman. we assessed the problems and testing controls with private work. we determine whether or not adequately testing security controls around identifying risks, protected in it systems from a configurator configuration standpoint. >> the gentlewoman's time is expired. >> be happy to provide you with an updated response on the record. >> thank you. >> the chair recognizes for five
5:38 am
minutes. >> thank you mr. chair. the shortcoming in our nation cybersecurity readiness are apparent both in the public and private sectors. has evidence by the cyber attacks this year including on the colonial pipeline and gbs foods. we cannot leave ourselves honorable enough to allow bad actors to control essential infrastructure such as energy supply, water management, supply chain and public transit. mr. dorsey as you noted in your testimony. your office has identified information security as the top management challenge in the department of transportation. but yet the dot has not resolved dozens of open recommendations by your office in the last year. in the report done by clifton llp release in october of this year. they concluded the dot must develop and communicate an organizationwide supply chain risk management strategy and
5:39 am
implementation plan to guide and govern the supply chain risks. what you see as barriers to the recommendation being implement in and given the supply chain issues we are currently expressing, how urgent can the department of transportation act on the recommendation to avoid future disruptions? >> i think you need to get on on muted. >> taking for the question, as noted in my testimony three key areas that the department takes immediate steps to address the cybersecurity issues that we identified over the years. supply chain risk management issues applies to all the cybersecurity issues such as in the department. with the department is to
5:40 am
solidify leadership at the department to the security office level to ensure that working with the current and new chief information officer that they establish the right framework and controls to ensure the enforcement of the various recommendations that we made over the years. the second to get the department, develop a comprehensive dot strategy to address our current weaknesses. until they do so, which we made a recommendation, we made an overarching recommendation this year. to the department's credit they admit that recommendation. once they do meet the recommendation, that will go a long ways with addressing the concerns on the supply chain miscreant image might. the last thing to ensure the proper control in place to protect and secure it infrastructure with regard to supply chain risk management,
5:41 am
key argument we focus on burnout enterprise level review this year end continue as we move forward. >> thank you. >> leaving ourselves open to ransom another cyber attacks, puts people's lives in jeopardy. as a national security risk and to enter economy. the need to be a better communication between the private sector and government to ensure we are prepared for future attacks. in our hearing of november 4 we heard concern for the industry representatives that will create a flood of information resulting important information be locked or skipped over by agencies. what steps are being taken by the tsa to ensure reporting mandates are collected and processed pertinent information effective matter. two, he walked me through how tsa takes reported cyber threats and processes for data? >> thank you, congressman. i appreciate that.
5:42 am
i am very proud of the fact that we have continued our robust engagement. a lot of engagement with a lot of stakeholders including those who served on the panel the previous hearing. particularly myself and the staff, we had executive level meetings with senior executives and passenger rail on this very topic. we received feedback on her draft security directives. that's better informed her definition of what we were looking for have a cybersecurity incident. we made it more effective, less broad so it's actual or an incident that is reason likely to have a devastating impact on any of their systems. it is also important to note, those reports go to success central, they have a centralized
5:43 am
operations center. i directives mandate reporting of the information to the central. >> thank you, my time is up, i yield back. >> the chair recognizes ms. van dyne for five minutes. >> thank you very much. i want to thank all of you for being with us is morning. my district is to dallas fort worth international airport which is the largest economic driver in the state of texas and the most important airline hubs. over thanksgiving we can we sell passengers numbers 1690% of prepaid debit volume dropped the country. the airport is part of a working group with dhs and tsa. we benefited from transparency and obtain valuable information from working together while also
5:44 am
making positive improvement after tsa conducted a review. ms. hunter many of them were critical systems such as radar systems are hosted by airports around the country. does the faa offer collaboration similar to what we seen at dhs and tsa for airports? the second question, what more can the faa do to expand current collaboration and increase information at airports? >> thank you for the questions. i may have you repeat the first battle into the second verse. we collaborate extensively with airports to the aviation cyber mission as well as the aviation counsel which has airport authorities and aia as members. our collaboration with airports is pretty rich in substance. we share best practices with airports and on many occasions when there was a vulnerability
5:45 am
identified high believe on the airport waiting system that was not faa component, we immediately share that across the airports industry. i would just ask if you could repeat the first question. >> the first question i talked about dhs and tsa inhabit how collaboration working to focus on transparency to better cooperate. i didn't know the question was that the faa had similar working groups with airports that the other to do? >> we participate with tsa on the airports working group. >> okay. >> i have a follow-up question for mr. grossman and victoria neuhaus. everything that we heard from airlines.
5:46 am
in 2022 he could be a record-breaking year in terms of traffic for europe, middle east and south america given the pent up demand. obviously it could throw went into those plans. but cbp staffing for international arrivals will be critical. it could be a significant pinch point if they're not prepared. how is faa preparing for the disruptions of the system as they move closer to the busiest travel time of the year? >> i apologize, that is not a cybersecurity specific question. i believe our staffing numbers are not going to be impacted by that. >> are you expecting for the disruptions? or no? >> i'm not expecting any further disruptions, no. >> okay. so there's no preparations be made then? for the increased travel in 2022 question. >> we are staffed with increased travel. i'm not sure i understand the question specifically.
5:47 am
>> what is the tsa's plan to ensure checkpoints to have proper staffing wait times organize for passengers customer spivak congresswoman we are moving forward very heavily as you may have heard from the ministry to over the past year. we worked very hard to hire as many officers as we can to very competitive labor market. we also focus on real-time reporting. we share that with her airline hanger partners daily and sometimes hourly to ensure any issues in the system whether it's equipment or personnel related is addressed immediately. last we have our deployment force ready and able to deploy at a moments notice to support increased operation around the country.
5:48 am
we seen that successfully for major sporting events such as super bowl , spring-training hand and the other of a natural disaster. were able to put or personnel in for support air operation whether personnel are affected on the ground and the families can evacuate safely. thank you. >> i appreciate that. i again have gone lots of calls and questions from folks who are constituents in district 24. they travel a lot and there's a lot of frustration that they are feeling like the lines are getting much longer and the tsa folks are working. i just want to make sure that the focus are working on. thank you i yield back. >> picture mechanize as mr. lamb for five minutes. >> thank you, mr. chair and thank you to our witnesses. mr. dorsey, i want to start with you. i took from the testimony that while there are several technological and purely cybersecurity issues at play. there seems to be the foundation a personnel issue of maintaining
5:49 am
consistent leadership in the key role in keeping people in place and bringing people up to the systems of the understand it. that's very similar to what i've seen on other committees dealing with cybersecurity and technology acquisition and implementation. it's not an easy problem to solve. i was curious within your work if you saw commonalities of why we were losing people failing to gain them in the first place or any suggestion on how we can fix the personal side of it? >> thank you for your question congressman. our assessments don't necessarily reveal what the workforce related issues are in respect to the cybersecurity pasta. i will not be able to provide you with the correct answer. what i will say, i am very encouraged by the department's current chief information officer in the various
5:50 am
discussions i've had with him regarding the effort and his plans moving forward with respect to the workforce issues. we have found that there has been inconsistency at the top regarding the departments leadership from the chief officer as well as the chief information security officer. as i noted in my testimony, over the last you the department had an active chief security officer who said cybersecurity was not his primary role in 2020. i will say i have expressed from the conversations from the chief information officer that he look forward to working with him moving forward.
5:51 am
>> i appreciate that. do any of our witnesses want to weigh in on this question. basically what i'm getting at is a common problem for us. people with strong cybersecurity management backgrounds are very high demand in the private sector. i don't know if you have any success stories or is just as you could make to us about putting on a firmer foot in a personnel's perspective. you are on mute it sounds like. >> thank you. i would like to respond to that. thank you for the question he gives her the opportunity to say that after noting cybersecurity at dot is our number one priority. our second priority is investing in our workforce. that means investing and helping them develop their careers so they're not only able to perform a higher levels with the current responsibilities but adequately
5:52 am
prepare for future responsibilities. it includes recruitment and making sure that we higher in the right people with the greatest potential hand that were looking at her own people for future professional opportunities. i will refer back to my experience at cto and cio at the new york city department of transportation where i serve 13 years. in that role, we were able to achieve very low levels of attrition due to a robust training program that invested in our staff and make them part of the agency strategic mission where they felt ownership and empowered. even though the private sector often came with higher salaries we lost relatively few people. i understand from industry information. that's a frequent problem. not only for the government the private sector companies losing staff to one another as each tries to outdo each other with
5:53 am
food and health in addition to cash compensation. the government is adding disadvantage when trying to compete in that arena. what we can do is play to our strengths which is the important information. opportunity for people to make a contribution to improving and now with this environment, the united states. i believe will have a compelling story to tell that will both attract good new people as well as help us keep the good ones that we already have. >> i agree we have to appeal to their patriotism and if there's any way we can up agencies do that, you let us know because we know how important it is. thank you for your participation i yield back. >> the chair recognizes ms. steele for five minutes. >> thank you, mr. chairman and ranking member for holding this important hearing. during my tenure of serving as a supervisor and board of director
5:54 am
for orange county transportation authority with the cyber attack on the oct a. hackers brought computer systems for two days and demanded ransom to unfreeze them. we did not pay the ransom and they ignored the demand and we had staff restore all servers. i want to ask ms. neuhaus, are there ways better agencies can improve communication with the state and local government to protect against the cyber attacks and you think the united states has a proper workforce to buy the current and future threats based coming in from china and north korea? >> thank you congresswoman. we are very proud of our relationship with the federal, state and local partners.
5:55 am
many who operate critical transportation throughout the country. we have a very robust field operation and place that focuses solely on service operation. that's one resource available 24/7. each region we divided up into six region and has a responsible team a personnel ready to go to engage one on one. you are absolutely hit on the nail. that continued collaboration and dissemination of information could be anonymized but is important that we provide both threaten indicator information to all operators whether state or local or private and we established a number of mechanisms to do that through our directives we are looking
5:56 am
for reporting so we can filter that makes her get sent out anonymized and work through assistance is essential to make sure the reports are getting disseminated in a timely manner. tsa operations center served as a redundancy. third we do have unique information sharing cells within the united states government. we have groups of individuals for service transportation and aviation that can participate in daily threat briefings. they could do it remotely from the location and that's another opportunity where we provide the persistent and formation, threat and tools. you point out that the nation state actors security bulletin as recently as last week referencing a nation-state actor. that is what tsa, dhs enterprise work very closely with the u.s. intelligence community.
5:57 am
we rely closely and heavily on their intelligence and assessments along with a bureau of investigation and law enforcement entities. we have the workforce in place in the united states government. i have a backward and intelligence operations myself. i can say with personal knowledge we have direct access to the intelligence and law enforcement information. >> thank you very much for your detailed answer. admiral, i've a question. protecting against cyber threats is really critical for the long beach and l.a. right now we have a supply-chain crisis and we have about 175 ships waiting to unload. it's very important. congress has made several changes to better integrate cybersecurity training in response. how is the coast guard conducting vulnerability assessments of maritime critical infrastructure.
5:58 am
can you describe how coast guard builds cyber resilience and the ports of l.a. and long beach and others like it from attacks? >> congresswoman the current supply-chain crisis highlights mts to our national economy into a national security. emphasizes the need to put proper protective measures in place but also be able to be resilient in response to attacks. we put together comprehensive framework that we believe federal maritime regulator across the whole prevention and response framework to make sure port communities maritime infrastructure to prevent attacks and able to respond and be resilient. the port security grant program is a key program for building resiliency into ports and
5:59 am
funding fy 21 we were able to fund 60 project the $18 million in provide such support of l.a. the opportunity to increase her assessment. i'm happy to follow-up with a brief "after words" if desired. >> thank you very much. i have one more question but i'm gonna submit this question. my time is up and i yield back. >> that concludes our hearing i would like to thank each of the witnesses for your testimony your comments have been insightful and helpful. ask for consent remain open until eyewitnesses provided answers to any questions that submitted in writing. i ask i consented the record made open for 15 days for orders or witnesses to be included in the record of today's hearing. without objection the committee stanza during
6:00 am
>> the people featured are familiar names from history, henri adams, t.s. eliot, walter whitman, and whittaker chambers, to name a few. the publisher writes that wasps were people of glamour, power, and privilege, yet, they were unhappy.
6:01 am
>> every day, we are taking your calls on the air and we will discuss policy issues that impact you. coming up, deputy editor previews the week ahead in congress. then we will discuss the latest omicron variant. watch live at 7:00 eastern this morning and c-span, c-span now, our new mobile app. join the conversation with your text messages and tweets. >> c-span is your unfiltered view of government provided by these television companies and more including buckeye broadband.


info Stream Only

Uploaded by TV Archive on