Prior to the Congressional recess, during a House Homeland Security Committee hearing, Rep. Morgan Luttrell (R-TX) questioned witnesses about national security infrastructure and public-private cooperation to improve cyber security.
Transcript
00:00 Thank you, Mr. Cuddell.
00:04 Members will be recognized by order of seniority for their five minutes of questioning.
00:08 Additional round of questioning may be called after all members have been recognized.
00:11 To start, I'm going to recognize the gentleman from Texas, Mr. Luttrell, for five minutes
00:15 of questioning.
00:20 Ms. Denbo, in your opening remarks, I picked up quickly, but the United States government
00:27 is at fault for, can you elaborate or expand on that statement just so I know exactly where
00:32 we're sitting today?
00:33 Yes, sir.
00:34 So, the Department of Homeland Security Chemical Facility Antiterrorism Standards is implemented
00:41 by, at this point, CISA, the Cybersecurity Infrastructure Security Agency.
00:47 When CFATS, the Chemical Facility Antiterrorism Standards, was first released, those companies
00:54 that held large quantities of chemicals, which are considered chemicals of interest,
01:00 Appendix A, had to submit top screen analyses.
01:04 In addition to that, security vulnerability assessments, as well as other sensitive information
01:10 about their operations, chemical quantities, where they're located, how they are used,
01:16 and whatnot.
01:17 The database that contains that information was breached last year in so many ways.
01:26 Other than the fact that it was very disturbing that owner-operators learned about that breach
01:31 months later through the media, rather than through the government, we recently were informed
01:36 that though there has been no demonstration or evidence that information was exfiltrated
01:42 from the database, that the database was accessed for three days, which means that
01:49 there is every opportunity that screenshots or other ways that information, sensitive
01:54 operational information of our chemicals from across the United States, were accessible.
02:00 And so, this is where I say the government is trying very hard to get a better handle
02:08 on what needs to be secured.
02:11 And I will say, let me step back and say, the CFATS program has been phenomenal.
02:16 They have done a great job in improving our nation's chemical security, but this goes
02:22 to the part of protecting the sensitive information, and it seems every government entity and the
02:32 sister entities all want to have access to operations sensitive information for one form
02:40 or another, and thought needs to be given to how that is going to be protected, and
02:46 there needs to be a transparency with the owner-operator of the information if that
02:51 information is compromised in any way.
02:54 Communication is always a huge deal when you're dealing with siloed entities.
02:58 Case in point, SMEs across the board are very closed off.
03:01 I think the ability for us to operate between the seams, if you will, in order to communicate
03:06 properly if we had an attack, or sharing information back and forth with each other
03:11 on hey, this is the inevitable result of the attack, don't let this happen to you, is
03:18 I think something that we're inevitably working on daily around here, and everybody's so close
03:22 hold with their data information, whether or not it's retrospective, prospective, aggregated
03:26 data, where it lives and breathes, I'll never vouch for, I'm being careful how I say this,
03:32 I don't think anybody's completely protected from any sort of attack whatsoever where we
03:37 sit today, but thank you for clarification on that.
03:41 So sector-specific data or cyber insurance, and I'm going to toss this one out to the
03:47 bunch, anybody grab a hold of it if you want to.
03:50 If we want a public-private and a government relationship, and the government to come in
03:55 and backfill when necessary, if necessary, what does that look like?
03:59 Because when we're talking about cyber security and cyberspace, inevitably a cyber attack
04:04 can be a grid hit, it can be an agricultural hit, or it can, you know, inevitably it can
04:12 be life or death.
04:14 So how, on this committee, how do we, we're on the receiving end of this, we're all leaders
04:19 here, okay, because you're the subject matter experts.
04:22 But if we're going to play this out, and believe me, I got to pay insurance bills all the time,
04:25 but it's very laid out specifically on hey, here's what it is, and here's how we're going
04:29 to do this, but we, in the metaverse, in the cyberspace, risk and threat, it changes
04:34 every half second of every second of every minute of every hour of every day.
04:39 How do we build the proper foundation and move forward?
04:44 So we, on this committee and the House, can understand that and then provide the support
04:49 needed.
04:50 I'm tossing that out to the group.
04:54 I'm happy to jump on that.
04:56 So it's got to be done collaboratively with industry.
05:00 There's a lot of different elements to it.
05:01 Number one, you know, industry doesn't speak with one voice.
05:04 There's going to be all sorts of insurance voices and opinions given on it.
05:11 I think that there's going to be some very crucial elements, like for the cyber incident,
05:17 that it shouldn't have a requirement of attribution by the federal government, so it's too hard.
05:21 I think it should be determined by impact, and that's the overall size of the loss.
05:25 I think that that impact is going to either be set on a percentage level of losses of
05:31 300% of an insurer's book or perhaps a fixed dollar number, but that's going to be a conversation
05:39 back and forth.
05:41 We submitted a response to an RFI where we threw out, you know, a suggested number where
05:47 negotiations could begin, and we put it around the 1 in 250 year event, when I say we, I
05:53 mean my company Marsh McLennan, put it around the overall impact of a 1 in 250 year event
05:59 to just show the magnitude that would have to be for the federal backstop to kick in.
06:05 I think it should be voluntary because I don't think that every insurance company is necessarily
06:09 going to want to participate, and that's a key distinction from TRIA, that TRIA responded
06:16 to a very specific problem, and we're talking about, you know, building resilience here
06:20 proactively, and I think that it shouldn't be compulsory to force companies into it,
06:25 but I think there's a lot of interest out there.
06:27 And my last point I think I would address is that trying to do the entire industry at
06:32 one time might be just too big of a bite to chew.
06:37 So I would approach sector specifics, and I think the energy sector is a perfect one
06:41 where you have a very cohesive sector that interact with one another who are already
06:46 very highly regulated.
06:48 If we do start with that, and I'm sorry, Mr. Chairman, for going over, if we do start
06:51 with that, in the energy sector, I'm not going to say I disagree or agree with you.
06:55 Remember that we represent 800,000 people with hundreds of thousands of companies across
06:58 the nation.
06:59 There's going to be someone that's going to argue with that statement.
07:01 So imagine what on the receiving end up here, we got to wade through all this.
07:07 So it's going to be the collective group coming together for a stepping off point.
07:10 I'm sorry to close you off, sir, I'm two minutes over, Mr. Chairman, I apologize.
07:15 Thank you, sir.
07:16 The gentleman yields back.
07:17 I now recognize the ranking member.
07:18 Mr. Swalwell, you have five minutes to question.
07:21 Mr. Luttrell, do you want some time?
07:23 My answer?
07:24 Yeah, no, okay.
07:25 Yeah, please, sir.
07:26 You continue with your closing.
07:27 I would just say for those sectors that are going to come back and say, I don't understand
07:32 why they're first, I would say are welcome at the table.
07:34 I'm just naming a sector that I think it particularly fits for.
07:38 But if financial institutions come forward and say, that's as important it is for us
07:42 that it is for them, by all means, those discussions.
07:46 This is where the, and I hate to say the masses, but this is where the independent agencies
07:54 and companies are going to have to come together and really position themselves in order to
08:00 address the government on the way forward.
08:05 And I may be speaking out of turn here, but if you just could kind of play out everything
08:09 that happens in the country of the United States that we're talking about here, which
08:13 every single, I mean, think about it.
08:16 Everybody has an iPhone in their pocket.
08:17 Everything is digital today.
08:18 Everything is touched by the cyberspace.
08:20 So if we're going to, if this is something that we really want to expand on, which we
08:23 do, we wouldn't be having this hearing otherwise, we just, you're going to have to help us.
08:29 We are here to help.
08:31 Okay.
08:32 Thank you.
08:33 Ranking member.
08:34 Yeah.
08:35 Mr. Swalwell.