The House Homeland Security Committee held a hearing entitled, "Cybersecurity is Local, Too: Assessing the State and Local Cybersecurity Grant Program."
Transcript
00:00:00Committee on Homeland Security, Subcommittee on Cybersecurity and Infrastructure Protection
00:00:03will come to order.
00:00:04Without objection, the Chair may declare the committee in recess at any point.
00:00:08The purpose of this hearing is to examine the State and Local Cybersecurity Grant Program,
00:00:12which is up for reauthorization this year.
00:00:14Since Congress signed the program into law four years ago, nearly $1 billion has been
00:00:17allocated to bolster the cybersecurity postures of state and local governments.
00:00:21Today, we will assess the program's strengths and weaknesses as we consider next steps.
00:00:26I now recognize myself for an opening statement.
00:00:30The threat of cyberattacks to U.S. networks and critical infrastructure is real and rising.
00:00:35Microsoft's 2024 Digital Defense Report estimates that its customers are targeted
00:00:40with more than 600 million attacks per day from nation-states and criminal actors.
00:00:45For years, the intelligence community has warned of the threat of state-sponsored cyber actors
00:00:49engaging in malicious activities against our critical infrastructure.
00:00:53As we've seen, these warnings have become a reality.
00:00:57With the persistent threat that groups like the Typhoons pose to IT and OT assets, any
00:01:01critical infrastructure sector could be the next to fall victim to attacks or have its
00:01:06data seized through a phishing scheme.
00:01:10As cyber actors become increasingly sophisticated and persistent, we can no longer be complacent
00:01:14when it comes to securing our critical infrastructure.
00:01:16We must take all steps necessary to ensure our nation's cyber preparedness and resilience.
00:01:22In doing so, it is essential that our state and local government partners are similarly
00:01:26well-situated to respond to these threats.
00:01:29Despite often lacking resources and qualified talent for cybersecurity, state and local
00:01:34governments host the key pieces of critical infrastructure that keep our economy running.
00:01:39If left unprotected, this presents a huge vulnerability.
00:01:43To help state and local governments improve their cybersecurity postures, Congress passed
00:01:48the State and Local Cybersecurity Grant Program in 2021.
00:01:51Since this program began, $838 million has been allocated to address cybersecurity risks
00:01:57and threats to information systems owned and operated by, or on behalf of, state, local,
00:02:02and territorial governments.
00:02:03The State and Local Cybersecurity Grant Program is set to expire this September, at which
00:02:07point the program will not continue to receive federal funding unless reauthorized by Congress.
00:02:12As we have heard from many stakeholders, this program has undoubtedly improved, and sometimes
00:02:16even established, the cybersecurity posture for our states and localities.
00:02:21I am encouraged by the progress and applaud the efforts of our state and local governments
00:02:24to seize this opportunity to prioritize cybersecurity.
00:02:28With that said, we know the program does not come without its challenges.
00:02:32As we consider reauthorization, we want to understand any administrative burdens or barriers
00:02:36to ensure state, local, and territorial governments can focus on cyber resilience and preparedness.
00:02:41To that end, it is also Congress's responsibility to evaluate whether the State and Local Cybersecurity
00:02:47Grant Program is the most efficient and effective means of strengthening the cybersecurity posture
00:02:51of state, local, and territorial governments.
00:02:54I am here with an open mind and a vested interest in understanding how the program is working.
00:03:00Cybersecurity is a whole-of-society challenge, meaning the federal government must continue to
00:03:04support and strengthen cybersecurity at the state and local levels to protect our nation's
00:03:08networks and critical infrastructure.
00:03:11State and local governments must also continue to share information with each other.
00:03:15They play an important role in disseminating best practices, which could greatly benefit
00:03:19organizations with less mature cybersecurity programs.
00:03:21I want to thank our witnesses, who have all had first-hand experience with the State and
00:03:25Local Cybersecurity Grant Program, for being here today.
00:03:28I look forward to hearing your perspectives on the program and working with you to strengthen
00:03:32our collective defense against cyber threats.
00:03:34I now recognize the Ranking Member, the gentleman from California, Mr. Swalwell, for his opening
00:03:38statement.
00:03:40Good morning, and thank you to Chairman Garbarino for holding this subcommittee hearing on State
00:03:47and Local Cybersecurity Grant Programs.
00:03:49I also want to thank our witnesses for their participation, a nice blend of private sector
00:03:55and public sector witnesses that we have today.
00:04:00This program was established four years ago as the product of a bipartisan agreement from
00:04:05this committee, and as we consider further authorization, it's important to remember
00:04:12that cyber attacks hit Republican districts and Democratic districts.
00:04:17They're in blue states and red states.
00:04:19They're in urban areas, suburban areas, and rural areas.
00:04:23In my district, the 14th District of California in the Bay Area, the City of Hayward suffered
00:04:28a ransomware attack in the summer of 2023 that shut down the city's computer networks
00:04:33for more than two weeks.
00:04:35And just two months ago, Hayward began notifying individuals that personally identifiable information,
00:04:41including Social Security numbers and sensitive medical information, had been breached as
00:04:45a part of the ransomware incident.
00:04:47I know this story is not unusual, and I'm sure my colleagues have also heard from local
00:04:51governments impacted by cyber attacks and looking for help.
00:04:55With cyber attacks coming from criminal gangs and state adversaries, we cannot leave our
00:05:00state and local governments to fend for themselves.
00:05:03Additional support for state and local governments is necessary to address the national security
00:05:07threat, and the State and Local Cybersecurity Grant Program has always reflected that understanding.
00:05:13By providing $1 billion to state, local, tribal, and territorial governments, Congress took
00:05:18a major step in strengthening our country's cyber defenses.
00:05:23For example, with a $250,000 grant from this program, a water utility can expand real-time
00:05:29monitoring to better detect and respond to cyber incidents, finally addressing a longstanding
00:05:35resourcing challenge in the water sector that we've heard about on this subcommittee for
00:05:39years.
00:05:40When the State and Local Cybersecurity Grant Program was created, our primary concern was
00:05:45the ransomware epidemic that was plaguing our communities.
00:05:49That threat remains, but China's campaign to pre-position on our critical infrastructure
00:05:54for potential future destructive attacks is even more alarming.
00:05:58While much of our critical infrastructure is privately defended, some of our most vital
00:06:02services are provided by the public sector.
00:06:06Publicly owned and operated water and electric utilities, transportation systems, and emergency
00:06:11services could all be targets in destructive attacks by China or other adversaries.
00:06:17Reauthorizing the Cybersecurity Grant Program is necessary to ensure we do not take our
00:06:22foot off the gas at this critical time, and passing a reauthorization bill before this
00:06:28program expires in September is one of my top priorities on the committee.
00:06:32What I've heard from stakeholders is an appreciation for the tremendous value of this program,
00:06:36and we'll hear that today from our witnesses.
00:06:39But they also have a desire for sustained, predictable, and consistent funding levels
00:06:44that will allow state and local governments to build on their progress and budget and
00:06:49plan their futures.
00:06:51The program operates under a partnership between FEMA and CISA, two important agencies that
00:06:56unfortunately have come under attack in recent months.
00:06:59By leveraging FEMA's grants administration expertise and CISA's cybersecurity expertise,
00:07:05this program has been able to deliver for state and local governments in ways that would
00:07:09be impossible without that partnership.
00:07:11Trump administration plans to eliminate FEMA and further cut CISA's workforce would devastate
00:07:17Homeland Security's ability to support state and local governments across a range of threats,
00:07:23including cyberattacks.
00:07:24The Cybersecurity Grant Program demonstrates the value of collaboration between DHS's components,
00:07:32and I hope we can work in a bipartisan way to further educate Secretary Noem about the
00:07:37tremendous value these agencies provide the American public.
00:07:40I'm also concerned by reports that FEMA has been pausing distributions of funding to implement
00:07:45cyber grants, along with other programs.
00:07:48China is not pausing.
00:07:50They continue their efforts to target our critical infrastructure, and we cannot pause either.
00:07:55The Trump administration must release cyber grant funds to states, territories, and tribes
00:08:00and comply with court orders against any illegal pauses.
00:08:03Again, I want to thank the chairman for holding this hearing, the witnesses for their participation,
00:08:10and look forward to expertise from both public and private sector as we look to reauthorize
00:08:14this important program.
00:08:15Thank you, Chairman.
00:08:16I yield back.
00:08:17The gentleman yields back.
00:08:18Other members of the committee are reminded that opening statements may be submitted for
00:08:20the record.
00:08:21I am pleased to have a distinguished panel of witnesses before us today.
00:08:25I ask that our witnesses please rise and raise their right hand.
00:08:28Do you solemnly swear that the testimony you will give before the Committee on Homeland
00:08:33Security of the United States House of Representatives will be the truth, the whole truth, and nothing
00:08:37but the truth, so help you God?
00:08:39I do.
00:08:40Let the record reflect that the witnesses have answered in the affirmative.
00:08:43Thank you, and please be seated.
00:08:47I would now like to formally introduce our witnesses.
00:08:50Mr. Robert Huber currently serves as the chief security officer at Tenable.
00:08:54He oversees the organization's global security and research teams to reduce security risks
00:08:58to the company, its customers, and industry.
00:09:02Prior to his private sector career, Mr. Huber served in the U.S. Air Force and Air National
00:09:06Guard for 22 years.
00:09:09Mr. Alan Fuller serves as the chief information officer for the state of Utah.
00:09:13In his role, he oversees all IT functions for state executive branch agencies aiming
00:09:17to improve innovation and government services through technology.
00:09:21He also serves as the secretary and treasurer of the National Association of State Chief
00:09:25Information Officers.
00:09:27The Honorable Kevin Kramer is the first vice president of the National League of Cities,
00:09:30where he leads efforts of city, town, and village leaders to improve the quality of
00:09:35life for their residents.
00:09:37Additionally, Mr. Kramer serves as a councilman for Louisville, Kentucky, where he is the
00:09:40chair for the Minority Caucus, vice chair of Budget Committee, and member of the Government
00:09:44Oversight Audit Appointments Committee.
00:09:47Mr. Mark Raymond is the chief information officer for the state of Connecticut, where
00:09:50he oversees the Department of Administrative Services Bureau of Information Technology
00:09:54Solutions and holds operational responsibilities for the state's technology infrastructure.
00:10:01Prior to his public service career, Mr. Raymond spent 21 years in the technology consulting
00:10:04industry, where he supported federal, state, and local clients.
00:10:07I thank the witnesses for being here today.
00:10:09I now recognize Mr. Huber for five minutes to summarize his opening statement.
00:10:12Chairman Garbarino, Ranking Member Swalwell, members of the subcommittee, thank you for
00:10:18the opportunity to testify today and for convening this important hearing.
00:10:22I'm Bob Huber, chief security officer, head of research and public sector at Tenable,
00:10:27the cybersecurity exposure management company.
00:10:29Tenable serves 44,000 customers worldwide, including the federal government, as well
00:10:34as state, local, tribal, and territorial governments and critical infrastructure operators.
00:10:40State and local governments play a crucial role in managing and protecting critical infrastructure,
00:10:44such as water treatment facilities, energy grids, transportation networks.
00:10:49They are on the front lines of defending these systems from cyberattacks that could disrupt
00:10:53vital services, erode public confidence, and compromise national security.
00:10:58Protecting essential systems is more urgent than ever.
00:11:01In 2023, the China-backed cyberespionage group Volt Typhoon, known for targeting critical
00:11:06infrastructure, attacked a Massachusetts utility.
00:11:10While disruptions were avoided, the incident showed the growing sophistication of adversaries
00:11:14who could position themselves to perpetrate future attacks on critical infrastructure.
00:11:19In addition, ransomware attacks doubled between 2018 and 2024, causing over $1 billion in
00:11:25operational downtime for state and local governments.
00:11:29These threats highlight the need for robust cybersecurity measures and coordinated efforts
00:11:33among all levels of government and the private sector to detect, mitigate, and recover from
00:11:38these cyber threats.
00:11:41The State and Local Cybersecurity Grant Program, or SLCGP, is a vital tool in addressing these
00:11:47challenges, providing $1 billion over four years to help state and local governments
00:11:51address cybersecurity risks.
00:11:54To receive funds, states have to follow a structured process, including establishing
00:11:58a cybersecurity planning committee that includes state and local officials.
00:12:02Together, they must develop a state cybersecurity plan that incorporates baseline requirements
00:12:07and alignment with cybersecurity best practices and international standards.
00:12:13States created different SLCGP programs.
00:12:16Some provided competitive grants where local governments could apply for funding for cybersecurity
00:12:20projects.
00:12:21Others provide shared services to local governments, such as multi-factor authentication, vulnerability
00:12:26management, or endpoint detection services.
00:12:29States like Connecticut, Utah, and Virginia are successful use cases of the SLCGP program.
00:12:36Virginia's whole-state approach focuses on collaboration, enterprise-level visibility,
00:12:40and efficient resource allocation.
00:12:43Virginia provided free cybersecurity plan capability assessments to local entities,
00:12:47who could then apply for funding to address identified gaps through a streamlined application
00:12:51process.
00:12:52Eighty percent of eligible localities applied for the funding, highlighting the need for
00:12:57assistance.
00:12:58Balanced central oversight with decentralized execution enabled Virginia to increase its
00:13:03overall cybersecurity resilience.
00:13:05SLCGP objectives include continuous monitoring, asset inventory, and vulnerability prioritization,
00:13:12which are all essential components of the exposure management approach.
00:13:16Exposure management shifts organizations from a reactive approach to proactive, risk-informed
00:13:21strategies across monitored attack surfaces, such as operational technology, Internet of
00:13:26Things, as well as cloud configurations.
00:13:29This proactive approach helps state and local agencies anticipate and mitigate risks before
00:13:33they impact vital systems.
00:13:36SLCGP has significantly contributed to enhancing cybersecurity across state and local governments
00:13:42by providing essential funding, fostering collaboration, and encouraging strategic and
00:13:47proactive planning based on best practices.
00:13:50It has notably strengthened relationships between state and local officials through
00:13:54the cybersecurity planning committees and their collective development of the cybersecurity
00:13:58plans.
00:14:00To continue and to build on SLCGP's success, Tenable recommends reauthorizing the program
00:14:06with the following improvements.
00:14:08Ensure sustainable funding by extending the program's duration and enable long-term planning.
00:14:15Maintaining alignment with recognized standards and frameworks, such as the NIST cybersecurity
00:14:19framework.
00:14:21Reducing the administrative burdens and providing clear guidance through simplified applications.
00:14:28And lowering and leveling cost share requirements for effective planning.
00:14:33Continuing to encourage whole-state and proactive exposure management strategies and engaging
00:14:39the private sector and stakeholders to address evolving threats and best practices.
00:14:44Continued success of the SLCGP program also depends on having qualified cybersecurity
00:14:48professionals at all levels to manage it.
00:14:51Tenable supports the enactment of the Cyber PIVOTT Act to address workforce shortages to
00:14:57re-skill workers and create diverse pathways into government cybersecurity careers.
00:15:02Thank you again for your attention to cybersecurity, continued support of the SLCGP, and for the
00:15:07opportunity to testify.
00:15:08I look forward to working with you to secure our nation's cyber assets, and I'm happy to
00:15:12answer your questions.
00:15:14Thank you, Mr. Huber.
00:15:15I now recognize Mr. Fuller for five minutes to summarize his opening statement.
00:15:21Chairman Garbarino, Ranking Member Swalwell, and members of the subcommittee, it's a pleasure
00:15:25to be with you today.
00:15:26I'm Alan Fuller, Chief Information Officer for the state of Utah, a role to which I was
00:15:31appointed by Governor Cox in March of 2021. As CIO for the state,
00:15:35I lead the Division of Technology Services, which is the consolidated IT organization
00:15:39for all of the executive branch agencies of the state.
00:15:42As part of my team, I oversee the Cyber Center, which is responsible for defending state IT
00:15:47systems against cybercrime.
00:15:49I'm also the Secretary-Treasurer for the National Association of State Chief Information Officers,
00:15:53or NASCIO.
00:15:54NASCIO is a national leader and advocate for technology policy at all levels of government,
00:15:58and has championed substantial collaboration between states and the federal government
00:16:02to improve cybersecurity preparedness and protect our nation's critical infrastructure.
00:16:07So as both CIO for the state of Utah and as a NASCIO officer, I hope to highlight the many
00:16:11successes of the state and local cybersecurity program, or SLCGP, today.
00:16:17This program has provided significant support to states and to local governments as we have
00:16:21worked together to improve our cybersecurity posture and to address vulnerabilities.
00:16:25Over the past decade in Utah, state, county, and city governments have witnessed significant
00:16:30escalations in cyber incidents.
00:16:32Initially, attacks were less frequent and less sophisticated, often targeting basic
00:16:36vulnerabilities.
00:16:37However, recent years have seen a surge in complex ransomware attacks, data breaches,
00:16:42and phishing campaigns specifically designed to exploit government systems.
00:16:46This evolution reflects a broader trend where malicious actors increasingly target public
00:16:51sector entities seeking to disrupt services, extort funds, and to compromise sensitive
00:16:56data.
00:16:57Local governments, in particular, face challenges in keeping pace with these threats due to
00:17:00budget constraints and limited cybersecurity expertise, making them more susceptible to
00:17:05these evolving cyber risks.
00:17:07In Utah, we applied for SLCGP funds in 2022 and received approximately $13 million of
00:17:14federal funds and $4 million in matching state funds for local cybersecurity efforts.
00:17:20Assessments and audits were conducted to identify the strength of cybersecurity defenses around
00:17:23the state, including cities, counties, and higher education entities.
00:17:27Results found that cybersecurity systems were significantly underdeveloped in many cases,
00:17:31leaving local government entities with serious risks.
00:17:34Note that many of these cities and counties have limited resources with very little or
00:17:37no IT support.
00:17:39The SLCGP is being utilized to address those concerns by providing much-needed tools to
00:17:43local entities.
00:17:45With funding secured through the SLCGP and corresponding state appropriations, a comprehensive
00:17:50cybersecurity initiative has been deployed across 140 governmental entities in the state.
00:17:56These include 23 counties, 94 municipalities, and 23 special districts.
00:18:01Through this effort, endpoint security has been provisioned for over 26,000 devices,
00:18:06and cybersecurity awareness training is being delivered to 31,000 local government employees.
00:18:11The program includes scheduled engagements with local leaders to guide the progression
00:18:14of statewide cybersecurity initiatives.
00:18:16The results have been extremely positive.
00:18:18We have blocked seven major cyber attack incidents in the last six months alone.
00:18:24I will speak to two of these.
00:18:26Shortly before Christmas, the CIO of a local airport urgently contacted me about a cyber
00:18:31attack in progress.
00:18:32Cyber criminals attempted to deploy ransomware on the airport's IT systems, which would have
00:18:36been disastrous, especially during the busy holiday travel season.
00:18:40Our cyber center team immediately worked with the airport's IT team to address the issue.
00:18:44Fortunately, SLCGP funds have provided security tools that were able to detect and interrupt
00:18:48the attack as it was happening.
00:18:50The common tooling and established relationships with local staff enabled a rapid response
00:18:54that limited the impact of the attack.
00:18:57As a result, the airport service was not interrupted and no ransom was paid.
00:19:00Second, recently a 911 emergency dispatch center in Utah was the victim of a ransomware
00:19:05attack on systems that provide 911 services.
00:19:08Again, SLCGP funds have provided security tools that detected and interrupted the attack
00:19:12as it was happening.
00:19:14Common tooling and established relationships enabled a rapid response that limited the
00:19:18attack's impact.
00:19:19Critical 911 dispatch services were able to continue in one of our biggest counties.
00:19:24Utah's positive experience with this grant program is not an outlier.
00:19:27SLCGP has allowed many states to embrace a whole-of-state approach to cybersecurity.
00:19:31By approaching cybersecurity jointly, information is widely shared and incident response is
00:19:35more effective.
00:19:36States have been able to use SLCGP to provide vital technology services that many smaller
00:19:41communities simply would not otherwise be able to implement.
00:19:44The State and Local Cybersecurity Grant Program helps stakeholders develop a solid foundation
00:19:49on which to continue to strengthen their defenses and to modernize both their technology and
00:19:53their processes.
00:19:54I encourage the subcommittee to extend funding for the program.
00:19:57I look forward to discussing it today and to answering your questions.
00:20:01Thank you very much.
00:20:02Thank you, Mr. Fuller.
00:20:04I now recognize Mr. Kramer for five minutes to summarize his opening statement.
00:20:08Good morning, Chairman Garbarino, Ranking Member Swalwell, and members of the subcommittee.
00:20:13Thank you for the opportunity to testify today.
00:20:15I am Councilman Kevin Kramer from Louisville Metro Government in Kentucky, and I serve
00:20:20as the first vice president of the National League of Cities.
00:20:23I'm honored to speak on behalf of both my city and the 19,000 cities, towns, and villages
00:20:29represented by the National League of Cities.
00:20:32NLC is committed to strengthening the federal-local partnership that supports our communities.
00:20:38Prior to my current role, I chaired NLC's Information Technology and Communications
00:20:43Committee.
00:20:44I also work as a teacher at a small all-girls high school.
00:20:48I appreciate this subcommittee's focus on reauthorizing the State and Local Cybersecurity
00:20:53Grant Program, and I'm here to share both our local experience in Louisville and broader
00:20:59perspectives from cities across the country.
00:21:04Local governments are frequent targets of cyberattacks from both criminal organizations
00:21:09and nation-state actors.
00:21:12We are responsible for sensitive data, public payment systems, and critical infrastructure.
00:21:18When city networks are attacked, emergency services may be disrupted, personal data
00:21:23can be exposed, and entire communities can be impacted.
00:21:28Recovering from these incidents often costs hundreds of thousands of dollars and hundreds
00:21:34of work hours.
00:21:36As the committee has noted in previous hearings, local governments face serious capacity constraints.
00:21:43This is especially true of small and rural communities.
00:21:48Of the 19,000 municipalities nationwide, over 16,000 have populations under 10,000 people.
00:21:56Many have no dedicated IT staff at all.
00:22:00Even larger cities often struggle to hire and retain qualified cybersecurity professionals.
00:22:07Yet smaller size does not equal lower risk.
00:22:10Every community is vulnerable.
00:22:12Louisville Metro government has received funding through the State and Local Cybersecurity
00:22:17Grant Program for two fiscal years.
00:22:20The most recent grant helped support the creation of the Kentucky Cyber Threat Intelligence
00:22:26Cooperative, or KCTIC.
00:22:29This is a new platform for sharing timely, actionable cyber threat information among
00:22:36regional governments and private sector partners.
00:22:40We built it to address delays in the existing systems for threat reporting and communication.
00:22:47KCTIC allows anonymous threat data from cooperative members to be shared in near real-time.
00:22:57This grassroots, multi-sector effort strengthens the entire region's cyber resilience, not
00:23:03just Louisville's, and it wouldn't be possible without this grant program.
00:23:09The State and Local Cybersecurity Grant Program is a vital component of our national security
00:23:14strategy.
00:23:16It fosters state-local collaboration, builds awareness among local leaders, and enables
00:23:22proactive planning.
00:23:25But for the program to reach its full potential, improvements are needed.
00:23:30First, the one-size-fits-all pass-through model limits efficiency.
00:23:36Major jurisdictions like Louisville are capable of managing direct federal grants and should
00:23:41be able to apply without going through the state.
00:23:45We urge Congress to create a complementary direct funding track for eligible larger municipalities.
00:23:52Second, the application process must be more accessible.
00:23:58Small communities face major barriers, tight deadlines, complex requirements, and limited
00:24:03staff capacity.
00:24:06These are often the very communities that would benefit the most.
00:24:10Simplifying the application process and extending timelines would make participation more realistic
00:24:16for them.
00:24:17We are also encouraged by emerging models like multi-jurisdictional grants managed by
00:24:23state municipal associations.
00:24:26These allow technical services to be delivered to many communities at once, an approach far
00:24:31more efficient than requiring each town to stand up its own cybersecurity team.
00:24:37Just as most people take their cars to a qualified mechanic, small governments need trusted partners
00:24:43to handle complex cyber tasks.
00:24:48Above all, we ask Congress to reauthorize and fully fund this program with predictability
00:24:54and consistency.
00:24:57Without that, local governments are less likely to make the necessary investments in planning
00:25:01and assessment that lead to strong applications and long-term resilience.
00:25:07Cybersecurity is a whole-of-nation challenge.
00:25:10It demands a true intergovernmental partnership.
00:25:12The State and Local Cybersecurity Grant Program is a cornerstone of that partnership.
00:25:17Thank you again for the opportunity to testify.
00:25:18I look forward to your questions.
00:25:21Thank you, Mr. Kramer.
00:25:22I now recognize Mr. Raymond for five minutes to summarize his opening statement.
00:25:26Chairman Garbarino, Ranking Member Swalwell and members of the subcommittee.
00:25:30I am Mark Raymond, Chief Information Officer for the state of Connecticut.
00:25:34I'm responsible for all the technology of 39 executive branch agencies, including network
00:25:41and internet services for our K-12 schools, our libraries, our universities, and over
00:25:46two-thirds of the state's municipal governments.
00:25:49I'm an active member of NASCIO and the longest-serving state CIO in the country.
00:25:55This history has given me direct involvement with the long advocacy for dedicated cybersecurity
00:26:01funding.
00:26:03The threats posed by criminal actors are numerous and unceasing.
00:26:07Each year, cyberattacks become more threatening, and the risks posed to residents become more
00:26:12dire.
00:26:13State and local governments serve as stewards of a civil society, working to ensure community
00:26:20stability, predictability, and the well-being of our residents.
00:26:24These public servants are the teachers in our classrooms, the police officers who respond
00:26:29to distress, the doctors and nurses that care for our neighbors suffering with addiction.
00:26:34They protect the water we drink, the food we eat, and much more.
00:26:39All of these services, however, rely heavily on technology and data.
00:26:45However, the fast-growing cyber risks have found many jurisdictions unprepared.
00:26:53This program is a valuable resource in addressing this need.
00:26:58Through this grant, Connecticut has expanded offerings to local governments.
00:27:03Equally as important is the spirit of trust that the grant has fostered between state
00:27:08and local governments.
00:27:10Cyber incident responders are collaborating before attacks take place, instead of during
00:27:17them or after them.
00:27:19Preventing attacks is far better than recovering from them.
00:27:24For the fiscal 22 grant year, we awarded close to $3 million, with more than $2.1 million
00:27:31of that going directly to local governments.
00:27:34Awards for the FY23 program year are expected to be over $7 million in total, with $4.3
00:27:41million to local governments.
00:27:42One of the benefits of the program has been a systemic assessment of local government
00:27:48risks.
00:27:49Connecticut partnered with our National Guard to evaluate cybersecurity risks using the
00:27:54NIST Cybersecurity Framework.
00:27:56Sadly, only 27.7% of our municipalities were assessed at low risk.
00:28:04These periodic assessments that are supported by this grant program ensure that the actions
00:28:09we take produce measurable risk responses.
00:28:15Those with high risks demonstrated a lack of vulnerability scanning, multi-factor authentication,
00:28:22employee cybersecurity training, malware prevention tools, and incident response plans.
00:28:29This grant directly addresses those findings.
00:28:3351 awards were made in Connecticut, of which 19 addressed incident planning and governance.
00:28:4031 improved multi-factor authentication and ransomware protections.
00:28:46The last award supported the Cyber Nutmeg, which is a two-day exercise where all municipalities
00:28:54and critical infrastructure operators are invited to participate.
00:28:59This unique state-level exercise raises awareness to the need to fill this gap.
00:29:04It exercises the incident plans that some are newly created, and improves relationships
00:29:10that are needed when incidents occur.
00:29:13Unfortunately, these grant program funds for FY22 covered less than half of the requested
00:29:19need.
00:29:21We plan to address this growing gap with the remaining grant year funding.
00:29:25Though much has already been accomplished under SLCGP, more can be done, and here are
00:29:31a few of our suggestions.
00:29:33First is that ongoing dedicated funding for cybersecurity would be important.
00:29:39Many local governments are reluctant to start a cybersecurity program without ongoing funding
00:29:44to support it.
00:29:47Standardizing the matching percentage across all of the grant years would also significantly
00:29:52simplify grants administration.
00:29:56And finally, making shared services a default position for states and local government to
00:30:03reduce the administrative burden required for each locality to sign on to the shared
00:30:08solution.
00:30:09This would reduce costs and improve statewide efficiency.
00:30:13We strongly believe that it is better to continue to improve this program rather than to allow
00:30:18it to expire.
00:30:20The grant improves our nation's cybersecurity defenses.
00:30:23As state and local governments take on additional responsibilities for cybersecurity, supplemental
00:30:29funds will help meet this increased burden.
00:30:32Thank you for your time today, and I look forward to answering what questions you may
00:30:35have.
00:30:36Thank you very much, Mr. Raymond.
00:30:37I don't think the point about preventing is better than recovering.
00:30:41You know, our county got hit, and they were down for almost a year.
00:30:46So it's very important that you're all here today, and getting this reauthorized and fixed
00:30:51I think is a very important goal that we all have, and I'm really happy that we have members
00:30:55here to ask questions.
00:30:57We're going to start with each member, and go from Republican to Democrat.
00:31:02Five minutes of questioning each.
00:31:04An additional round of questioning may be called after all members have been recognized.
00:31:07I now recognize the gentleman from Texas, Mr. Luttrell, for five minutes.
00:31:11Thank you, Mr. Chairman.
00:31:12Mr. Raymond, when it comes to local governments and their awareness of the grant programs
00:31:15and where they live and breathe or where they exist, how does that work?
00:31:19Does the government itself reach down into these local governments, and which ones are
00:31:23we touching?
00:31:24Are we touching all of them?
00:31:26Thank you for the question, Representative.
00:31:28They're all invited to the discussion.
00:31:30We have formed regional subcommittees that include representatives from state, local,
00:31:38school districts.
00:31:39When you say regional subcommittees, can you elaborate on that, please?
00:31:43Yeah.
00:31:44Connecticut is divided into five administrative regions.
00:31:48So we do not have county government in Connecticut.
00:31:51So it's just the state, and then 169 municipalities.
00:31:55So we have organized our emergency response into five districts, and so each one of those
00:32:01emergency management and cybersecurity groups have their own planning committee.
00:32:07All of the chief executives and emergency management and cybersecurity professionals
00:32:11in that group are invited to the table in those discussions.
00:32:14So it makes it easier for the state to understand what exactly is happening in cybersecurity
00:32:17when it comes to the grant profile.
00:32:19Yes, sir.
00:32:20Mr. Kramer, you got something to add to that?
00:32:24Louisville is the largest city in the state of Kentucky.
00:32:27We do have counties in the commonwealth, and the grant that we are currently using came
00:32:32directly to metro government in Louisville.
00:32:36Is every county aware of the grant system itself and how they can grab a hold of that?
00:32:47Those that are members of NACo, the National Association of Counties, are well aware because
00:32:51NACo is pushing this out as an issue that they should be very much interested in working
00:32:57with.
00:32:58In Louisville, it's not just Louisville that's taking advantage of the grant, though.
00:33:02We're the largest city in the state.
00:33:04We're also very near, being on the river, very near Indiana.
00:33:08We are working across the entire region.
00:33:11We've reached out to the universities, both the University of Kentucky and the University
00:33:14of Louisville.
00:33:15We're working with the National Guard.
00:33:17And so it's a program that goes beyond just what we're doing in Louisville.
00:33:21It captures a good part of our state.
00:33:23Mr. Fuller?
00:33:24Excuse me.
00:33:25Yes.
00:33:26So in the state of Utah, what we're doing is tools.
00:33:31The city of Utah?
00:33:32State of Utah.
00:33:33Ah, okay.
00:33:34Tools, training, and relationship building.
00:33:37And so we're over 75% covered with all the cities and counties, and we hope to get that
00:33:43closer to 100% as we go.
00:33:47The entire state is aware of this?
00:33:48Oh, yeah.
00:33:49That's remarkable.
00:33:51Mr. Huber?
00:33:52I have no comment.
00:33:53That's outside my area of expertise.
00:33:54I rely on these gentlemen.
00:33:55I'm a vendor.
00:33:56Welcome to the committee, sir.
00:34:01When it comes to state and, so the relationship between state and local government, would
00:34:07you say that the return on the investment from these grant programs are beneficial?
00:34:11And I'll start with you, Mr. Raymond, because you said that you did not utilize all the
00:34:15assets that were funded amidst the year.
00:34:20We had double the requests than we were able to fund.
00:34:25So we did not have any excess funds.
00:34:28We had double the requests in the first year of the grant program, and we expect that to
00:34:33continue.
00:34:34So I think that does demonstrate both the awareness that we have across the state, especially
00:34:42for our municipalities, and upwards, we took very little funding at the state level.
00:34:49There is a division between what you can take at the state level and what is, and
00:34:55almost all of the funds went to local governments.
00:34:59But absolutely necessary, because this committee is trying to maintain its footing when it
00:35:03comes to grant programs for cybersecurity, cyber risk, cyber threat.
00:35:06We need to hear from those on the other side to say, yes, this is an absolute need, because
00:35:11in my personal opinion, this is the next phase of evolution when it comes to warfare.
00:35:16So, and protecting our citizens is absolute, and as the metaverse is pulling or cutting
00:35:24or freezing grant programs currently, I would hate to see this happen in such an important
00:35:30space.
00:35:31Yeah.
00:35:32Mr. Kramer, did I go to you, if not Mr. Fuller?
00:35:35I would argue that, yes, it is essential.
00:35:39In Louisville, we hired two people to do the work.
00:35:42We were hoping for four.
00:35:44The work that needs to be done is broader than the work we're able to accomplish under
00:35:48the current program, so absolutely want to see this go forward.
00:35:53The plan is to reach out again to the major universities in town, and then ultimately
00:35:59to filter down even to the public school systems.
00:36:02It's amazing how much data is held in the school systems and how much of that data is
00:36:06compromised, and as everyone knows, you know, the bad actors are looking for the easy access,
00:36:13and so we're doing our best to reach down to the level where we can improve security
00:36:17at that lowest level.
00:36:19Mr. Chairman, I yield back.
00:36:23The gentleman yields back.
00:36:25I now recognize the ranking member, Mr. Swalwell from California, for five minutes of questioning.
00:36:29Great.
00:36:31Council Member Kramer of Louisville, you have one of the most important jobs here.
00:36:36You are protecting the nation's bourbon supply, so thank you.
00:36:41I know our chairman and many of my colleagues thank you, but you did in all seriousness
00:36:48mention a weakness of the program as it exists right now, which is it doesn't have much agility
00:36:56or maybe you said like bandwidth to understand like the differences between sizes of cities.
00:37:03How would you structure a future reauthorization to better reflect that and better target where
00:37:12the need is?
00:37:13Thank you for that question.
00:37:14I really appreciate that.
00:37:15I think the first bit of the answer is we need to recognize that the larger cities like
00:37:21Louisville, for example, we do have the resources.
00:37:25We have a person on staff who his primary responsibility is cybersecurity, but we're
00:37:31a half an hour drive from Elizabethtown, there was a movie made about that place.
00:37:37It's a fairly small town out in the middle of bourbon country.
00:37:41They don't have the resources to do this, but we do have a very active state league
00:37:46of cities, an organization of municipalities.
00:37:51Allowing the grant to go through them instead of through the state would assure that that
00:37:55money actually made its way to local governments.
00:37:59It would also allow the state league to work together with those other cities and hire
00:38:07a person that would be able to work with all of them and not just with one city like our
00:38:11own.
00:38:12Again, it reaches into the school systems or some school systems in the state of Kentucky
00:38:17that the highest paid positions in the county are in the school system.
00:38:23I just want to drill home.
00:38:25That's an area that I think folks overlook.
00:38:29There's a lot of data that's handled there, and we need to do the best we can to reach
00:38:33out to that community as well.
00:38:36Absolutely.
00:38:37Mr. Raymond, can I ask, as somebody who has administered millions of dollars of these
00:38:47grants to many jurisdictions, municipalities, agencies, what are some of the weaknesses
00:38:54that you've seen among some of the recipients?
00:38:58If you had a new tranche or a new reauthorization, what have you learned from this that makes
00:39:08a candidate more eligible or makes a candidate least eligible as you're thinking about where
00:39:13these funds should go?
00:39:16Admittedly, the program did have a slow start.
00:39:21I think any kind of new grant program, the clarity around getting people to understand
00:39:27what it is to be eligible and what people really needed within their environment was
00:39:34probably the most difficult challenge for us.
00:39:37Again, the cybersecurity assessments that were part of the first year were absolutely
00:39:44critical for building for all of our municipalities an understanding of what their risks were
00:39:53and how we would address it.
00:39:55I think it goes to the earlier question of, did they know?
00:39:58When we have these assessments, they now know.
00:40:02I would say that continuing that to demonstrate the improvements would be absolutely critical.
00:40:09For additional funding, I do think that I understand the desire in the construct of
00:40:17the program to wean states off the program with the declining match or the increasing
00:40:25state match.
00:40:27However, that's complicated with the change in the funding as well.
00:40:34I think having a stable match over the life of the program makes it far easier to administer
00:40:41as people are working across the different grant years.
00:40:44Should the desire be to still shift some of that burden back to the states through funding,
00:40:50you can do that through the overall funding of the program and not the mix of the two.
00:40:54I think that we had a lot of people applying for the first year at a 90% reimbursement
00:41:01rate and then we're looking at, will we get that same kind of participation as the rates fall?
00:41:09And local government's budgets remain tight.
00:41:13Thanks. Yield back.
00:41:16Gentleman yields back.
00:41:17I now recognize the gentleman from Tennessee, Mr. Ogles, for five minutes of questions.
00:41:20Thank you, Mr. Chairman.
00:41:22To the witnesses, I believe strongly in federalism, fiscal responsibility, and the importance of
00:41:27empowering local communities and not expanding the bureaucracies of, quite frankly, the federal government.
00:41:32As we assess the state and local cybersecurity grant program, we need to ensure that our
00:41:36limited federal resources are being used effectively and are actually reaching the communities
00:41:41most at risk.
00:41:42And I say that in the context of being a former county executive and Tennessee serves as the
00:41:47CEO of the county.
00:41:48And so I can attest to the fact that some of these pass-through grants administered
00:41:53by the states were incredibly important to my county, which was a rural county.
00:41:57Emergency services, fire, and cyber were all my departments.
00:42:01And so, again, and I get your perspective on the stable match because, again, as a rural
00:42:06county where we have limited funding mechanisms and, quite frankly, an ever-growing school
00:42:11system, there's a friction there of how do you fund these mechanisms?
00:42:16Which, as my colleague stated, the future of warfare is on the cyber battlefield.
00:42:22That being said, Mr. Huber, you've worked to secure systems against the threat from
00:42:26Volt Typhoon, a CCP-backed group of hackers who both have sophisticated abilities and
00:42:31specialize in targeting the most vulnerable points in its target systems.
00:42:35In your testimony, you mentioned their attack on Littleton Electric Light and Water Department
00:42:40in Massachusetts.
00:42:41In my district and across the country, we have a diverse range of electric providers,
00:42:45large corporations, rural providers, as I mentioned.
00:42:48In your experience, how strong is the awareness of cyber threats among smaller, less-resourced
00:42:53organizations that provide critical infrastructure?
00:42:55And, again, I go back to Tennessee, but probably much like rural Kentucky, where we have a
00:43:00patchwork of these smaller communities where we're scrapping for resources to figure out
00:43:05how do we, quite frankly, protect not only our infrastructure but our citizens, sir.
00:43:11Yeah, thank you for the question.
00:43:13So, I've had the pleasure of working with municipalities that the IT person was the
00:43:17IT person and the database administrator and the system administrator and responsible for
00:43:21security as a part-time job.
00:43:23So, as you might imagine, any administrative burden that might be involved in applying
00:43:26for the grant would be significant for an entity such as that.
00:43:29Smaller size, but make no mistake, those smaller rural entities, that could be the hydro station
00:43:34that fuels a larger municipality.
00:43:36That's a national security and an economic impact to the region.
00:43:40So, as we heard from a gentleman here, education and awareness is key to educating those
00:43:47folks who have probably dual roles or multi-hat roles for protecting that piece of critical
00:43:53infrastructure for nation-state attackers.
00:43:55As someone who's been in the trenches and a National Guard member in Title 32 and state
00:44:00active duty supporting state critical infrastructure components, there's a significant
00:44:04shortage of resources and knowledge about nation-state level attackers.
00:44:09So, I think it's important to recognize that this funding is key in raising the bar of
00:44:14foundational cyber controls for all of those entities.
00:44:18And I want to focus primarily with the other three witnesses on rural communities.
00:44:24And one of my concerns, again, my background coming from a rural community, is that
00:44:28competition that you see between, say, a Nashville and my community.
00:44:32But yet, from an assessment standpoint, I would argue some of your rural communities
00:44:36are your most vulnerable points of entry.
00:44:40So, how do we make sure that we're prioritizing, basically, and take size out of it for a
00:44:45moment, but a needs assessment?
00:44:47Understanding that, again, whether it's distribution of broadband, whether it's
00:44:52protecting points of entry, et cetera.
00:44:54Mr. Fuller?
00:44:56Thank you very much.
00:44:57Let me just say, I really appreciate your comment that these attacks are very much like
00:45:00war.
00:45:01And this committee knows very well that we live in a very, very dangerous world.
00:45:06We're constantly under attack, including our smallest and most rural communities.
00:45:10So, with the program that we rolled out, we rolled out tools to all of our communities,
00:45:15including the rural communities.
00:45:17And for the most rural, who don't even have sufficient IT resources, we're able to
00:45:21make resources available to help them install those tools.
00:45:25And then we're also able to provide training for those people.
00:45:28So, we're absolutely committed to getting this program to our small cities and
00:45:33counties and special districts.
00:45:35Mr. Kramer?
00:45:38Again, it's a great question.
00:45:40I think one of the things that we need to recognize, it's a matter of how quickly we
00:45:44share that information as well.
00:45:47When a cyber attack happens, what they're trying to do in one place, one community,
00:45:52is likely happening somewhere else.
00:45:55And again, I think that smaller communities, the rural communities, where my colleagues
00:45:59have testified that you've got a person who has three different jobs, if they aren't
00:46:04aware of what to look for, it makes it much more difficult.
00:46:07They often don't find out until it's too late.
00:46:10So, one of the things we're hoping we can get the federal government to do is recognize
00:46:13that they collect up a lot of this data about cyber attacks, but they collect it up and
00:46:18hold it.
00:46:19It would be very useful to us at the local level if as soon as they knew about a cyber
00:46:24attack, they shared that information with entities as quickly as they could, so that
00:46:28folks at the local level could start looking at their own systems and see if someone's
00:46:31trying to get in the same way.
00:46:32Yes, sir.
00:46:33And I'm out of time, but Mr. Raymond, a final thought?
00:46:38I would just say that we view cybersecurity as a team sport.
00:46:42We view those that are better resourced in a good position to help those that aren't.
00:46:47So, we do have municipalities who help each other, larger ones helping smaller ones, and
00:46:53smaller ones who are relying upon the state to help deliver services.
00:46:58We do run all of the network services, so it provides a unique ability for us to provide
00:47:03specialized security services to everyone in our jurisdiction, which is one way to make
00:47:09the limited dollars we have go a lot further.
00:47:11Sir, thank you to the witness.
00:47:12Mr. Chairman, apologies for going over.
00:47:14No, of course.
00:47:15Not a problem.
00:47:16The gentleman yields back.
00:47:17I now recognize the gentleman from Rhode Island, Mr. Magaziner, for five minutes of questions.
00:47:22Thank you, Chairman.
00:47:23The State and Local Cybersecurity Grant Program is an essential resource to help states and
00:47:29municipalities protect themselves against cyberattacks.
00:47:32This grant program helps secure critical infrastructure like schools, hospitals, electric grids, water
00:47:39systems, and in my home state of Rhode Island, it has been instrumental in providing cybersecurity
00:47:45training, for example, for staff at state agencies and municipalities so they can better
00:47:50protect taxpayer data, securing schools and academic institutions from ransomware attacks,
00:47:56and protecting critical infrastructure from being infiltrated by hackers.
00:48:00I am concerned by reports of potential delays and cuts to these grants by the Trump and
00:48:06Musk administration, and I'm glad to see that, at least on this subcommittee, there appears
00:48:10to be bipartisan support for continuing the program in a robust form.
00:48:16But you would forgive us for being concerned, because in addition to the reports of delays,
00:48:22we have heard that the Trump and Musk administration has been firing staff at CISA and at FEMA,
00:48:30the two agencies responsible for administering this program, and we have also heard from
00:48:35Secretary Noem herself that she plans to, quote, eliminate FEMA and significantly shrink
00:48:41CISA.
00:48:42She said that in her Senate confirmation hearing.
00:48:46This would be a tremendous mistake.
00:48:48The threat that we face from foreign malign actors, from criminal organizations, to critical
00:48:57infrastructure, to cybersecurity, to our cybersecurity, are immense.
00:49:02The Chinese are working overtime, putting tens of thousands of people toward trying
00:49:06to infiltrate every system, even in the smallest towns in this country.
00:49:10Same with the Russians, same with the Iranians, the North Koreans, and of course, criminal
00:49:14cyber gangs as well.
00:49:17We've had significant breaches in Rhode Island as a result.
00:49:20This is not the time to take our foot off the gas, as the Secretary said was her intention
00:49:26during her Senate confirmation hearing.
00:49:28And unfortunately, this is part of a pattern, because when she was governor of North Dakota,
00:49:32Secretary Noem was one of only two governors in the entire country to refuse to accept
00:49:37state cybersecurity grants in 2022.
00:49:40Her administration called them, quote, wasteful spending.
00:49:44In 2023, yet again, she was now the only governor in the entire country to refuse these grants
00:49:50for her home state.
00:49:52And of course, we have seen that the administration is not off to a great start with its own cybersecurity
00:49:57practices, with service members' lives being put at risk from confidential information
00:50:06being discussed in an unsecured group chat, and of course, Elon Musk's army of unvetted
00:50:13interns going through everybody's personal data with very little transparency.
00:50:18But given that backdrop, it is more important than ever that Congress send the message that
00:50:24cybersecurity still matters to us, that we do not consider it to be wasteful spending,
00:50:30and particularly, we want to continue to support states, municipalities, utilities in our home
00:50:38states with this program.
00:50:40So, I have limited time, but Mr. Fuller, can you elaborate on any reports of delays, cuts,
00:50:48or pauses to this program?
00:50:51What have you seen so far, and what would the negative consequences be?
00:50:55Thank you, and I appreciate your point that there's a lot of bipartisan support for this
00:51:00program to continue.
00:51:02Certainly, the risk doesn't take politics into account.
00:51:06One of the concerns we have about the program is some of our states chose not to participate
00:51:12because they were afraid that the funding would not continue on, and they were afraid to launch
00:51:16a program that might then get cut, and that created some hesitation for some states.
00:51:21For us, we're all in with the program, and it has been extremely beneficial.
00:51:26I mentioned in my testimony, we've blocked seven major attacks in the last six months alone.
00:51:31And so, we would hope that we could extend the funding, could be extended by Congress
00:51:38without delays.
00:51:39Those delays could cause serious problems in adoption of the program.
00:51:43Thank you, and Mr. Raymond, if FEMA is eliminated and CISA is significantly cut,
00:51:49as Secretary Noem has promised, what impact would that have on the ability of your state
00:51:55and others to maintain strong cybersecurity and take advantage of programs like this one?
00:52:01I do believe that FEMA and our emergency management in Connecticut, along with CISA on the
00:52:09security side, have been great partners with us on this cyber battle.
00:52:15State and local governments are not prepared to fight this kind of cyber engagement
00:52:21with foreign nations.
00:52:24I would say, in combination with the reductions to MS-ISAC and CISA support, additional
00:52:32responsibilities are falling on the states to fight these battles.
00:52:37Should further CISA reductions or FEMA reductions, for that matter, be put in place,
00:52:44I would say it would diminish our ability to help the municipalities that are part of
00:52:49our jurisdiction and defend on behalf of the state.
00:52:52All right, thank you.
00:52:53I'm over time, so I'll yield back.
00:52:55Gentleman yields back.
00:52:56I now recognize myself for five minutes of questions.
00:52:59Gentlemen, we've heard from you all today, there's definitely a need for the program.
00:53:05I want to focus on, one, has it been successful so far?
00:53:11Two, what changes would we make?
00:53:15You've all suggested a couple.
00:53:18Mr. Raymond, you started by saying when you first did this in your state, 27 percent of
00:53:25the municipalities were low risk, so 73 percent were not low risk.
00:53:32Now that this program is in place, have you done another review?
00:53:36What number is low risk now?
00:53:39We are currently doing the reassessment now.
00:53:42We do not have an updated set of numbers on that.
00:53:46We do know that the implementation of the 51 grants that we have would directly raise
00:53:53the ratings and lower the risk for folks who are out there.
00:53:57Wonderful.
00:53:58Mr. Huber, you're a vendor, so you're dealing with all these municipalities.
00:54:01You know what they're using, what they needed.
00:54:06Can you please just describe what these grants have been able to help some of the municipalities
00:54:11you've dealt with?
00:54:14What systems have been put in place, what they had and now what they have?
00:54:18We need to hear the actual benefit of what you've done with this grant money.
00:54:26Sure, thank you for the question.
00:54:29One of the first foundational components of any cybersecurity program is having awareness
00:54:33of what you have.
00:54:34You have to know what you have to be able to defend it.
00:54:36It sounds easy.
00:54:37It's a significant challenge for most organizations, even mature organizations.
00:54:40That's a challenge to understand the breadth of the footprint, certainly at a state level,
00:54:44let alone rural areas as well.
00:54:47What we've seen folks do is deploy solutions that allow them to understand what they have
00:54:50in their purview, what's exposed.
00:54:53To the gentleman's point regarding risk assessments, you have to know what you have to conduct
00:54:56that risk assessment.
00:54:57That's step one.
00:54:58We've seen them deploying that successfully.
00:55:00Then you want to take that just a step further.
00:55:02Now I know what I have.
00:55:03What am I vulnerable to?
00:55:05What misconfigurations, weaknesses, and vulnerabilities do I have there?
00:55:08How do I prioritize those from a response perspective?
00:55:11I have limited resources to go and mitigate or reduce those risks.
00:55:15Now I'm looking at what are my resources available to go and reduce the risk across the entire
00:55:20enterprise without regard to the size of the municipality involved.
00:55:24It could be that when they do these risk assessments, some smaller rural regions might have the
00:55:28highest risk compared to larger metros.
00:55:31What we've seen is successfully organizations assess what they have, being able to analyze
00:55:37them, look for exposures across the attack footprint, and then focus on a prioritized
00:55:41process of addressing these vulnerabilities.
00:55:44That's great.
00:55:46They're using the grant money to map their system.
00:55:48Now they're starting, because it's a multi-year grant, so they're mapping their system.
00:55:53They're finding out what doors need locks.
00:55:56They're implementing it and using technology to protect those doors into their system.
00:56:02Yeah.
00:56:03I think a great point is sustainable funding.
00:56:06I hate to say this.
00:56:07I'll use it as an example.
00:56:08Some people, when they wake up, they have a day job.
00:56:10It's not to fix vulnerabilities.
00:56:11That's not their job.
00:56:12Their job is to make the systems run.
00:56:13They go patch the systems, and they're like, hey, mission accomplished.
00:56:16We're done here.
00:56:17Tomorrow you get up and read the news, and you're like, more vulnerabilities.
00:56:20You have to do this again.
00:56:21It's a hamster wheel to an effect.
00:56:23People have to have not only resource and fund for that.
00:56:26It's now a part of your job for some percentage of your time, beyond what your day job is.
00:56:30People just understand that's how life is.
00:56:33Thank you very much.
00:56:34Under the grant program, there's some requirements in the law.
00:56:38One of them is for there to be a submission of a cybersecurity plan.
00:56:43This is for the three gentlemen on the right who actually probably had to determine these
00:56:48cybersecurity plans.
00:56:50There's a lot that's got to be part of it.
00:56:52What is working as part of the plans?
00:56:56Is there something that we should include that's not in it, or is the law overburdensome
00:57:02by including too many things in the plan that's not necessary?
00:57:05What do you all think?
00:57:06Mr. Fuller, we can start with you.
00:57:10I think the good thing about the plan is that it gave states some flexibility to each create
00:57:15their own plan.
00:57:16You can see between Connecticut and Utah, two very separate plans where they primarily
00:57:20put funds down to local entities, and we primarily provided tools, training, and relationships
00:57:26down to local entities.
00:57:28I feel like that part of the law was successful and good.
00:57:31It should not be changed.
00:57:32Mr. Kramer?
00:57:35I'm going to leave that to the folks who actually do the cybersecurity stuff.
00:57:38Okay.
00:57:39Mr. Raymond?
00:57:40I'd say the formation of the cyber plan was really hopeful to focus in a structured way
00:57:48on what the risks were and what we could do together to lower those risks.
00:57:54There was a tremendous amount of collaboration in the development of the plan, which I think
00:57:59furthered the mission of, hey, we're all in this together, and hope to get the message
00:58:04out to all of the municipalities that this was important for their success.
00:58:08So I think the combination of collaboration and structure in those plans and the direction
00:58:15that sat was very hopeful for statewide efforts.
00:58:19Sounds like that part of the statute is something that we should not change.
00:58:23Wonderful.
00:58:24All right.
00:58:25We're going to start a second round of questions.
00:58:26I now recognize the gentleman from Texas, Mr. Luttrell, for his second round of five
00:58:29minutes.
00:58:30Mr. Huber, I think you hit the nail on the head explaining exactly how the process should
00:58:35work.
00:58:38Is that even a possibility or a probability?
00:58:41Remember, you're talking to the United States of America right now.
00:58:44I want you to think about that.
00:58:46I don't know where you're from.
00:58:47Kentucky, probably.
00:58:48I'm from Texas, obviously.
00:58:49A little bitty town.
00:58:50And the reach, and we hate the federal government.
00:58:53I could throw that out there.
00:58:54Honestly, we don't want them in and around us at all.
00:58:56However, with the threat or the risk to threat when it comes to cybersecurity, cyberspace,
00:59:05how do we make this work?
00:59:07The plan that Mr. Raymond laid out piggybacks exactly what you said, but we have to touch
00:59:13every single person in the United States of America.
00:59:18And I can assure you, the four of you sitting in front of us, you're not the first four
00:59:21that's ever sat in front of us and laid this out.
00:59:24But it keeps, how do we, this is almost the simplest question I ask is how do we fix this
00:59:29problem?
00:59:30Or is it a possibility?
00:59:32Because we can just keep talking about it all day long.
00:59:35We can keep funding these grants and throwing it out there and we're just going to get attack
00:59:38after attack.
00:59:39You said the problem is when the attack happens, we're retrospective.
00:59:43It's done deal.
00:59:44And then we have to raise awareness of those that didn't get hit.
00:59:47Who's doing that?
00:59:48Well, I've had CISA come out to my district.
00:59:50I've had the FBI come out to my district, talk to the nursing homes and schools.
00:59:53And guess what?
00:59:54The things that they laid out a month later, something else showed up.
00:59:58How do, literally, how do we fix this?
01:00:01Yeah, thanks for the question.
01:00:03Great question.
01:00:04We have to raise the bar across the board.
01:00:06There's foundational cyber components.
01:00:08What does the bar even look like?
01:00:10I think the NIST Cybersecurity Framework
01:00:12I knew we were going to have a pretty healthy debate here in 3 minutes and 16 seconds.
01:00:16Because every time, you know, you see where I'm going with this.
01:00:19I do.
01:00:20Absolutely.
01:00:21Yeah, so the NIST Cybersecurity Framework provides excellent foundational controls.
01:00:25But to your point, AI was not on my list of risks three years ago.
01:00:29And now it is.
01:00:30And guess what we're doing?
01:00:31We're developing those foundational components for artificial intelligence and how we defend
01:00:34and how we detect for that type of capability.
01:00:36So we're always going to be in that race of emerging technology, unfortunately, for us.
01:00:40But those foundational components still hold true for the vast majority of threats that
01:00:44exist today.
01:00:45And I think what we heard is very key of getting the message out, which is that communication
01:00:49and collaboration, whether that's through JCDC under CISA or whether that's through
01:00:53some of these fusion centers we heard of at the state level where they're disseminating
01:00:57information.
01:00:58It is a collective sport at the end of the day.
01:01:00And we all need that information to be able to respond as quickly as possible.
01:01:04The sheer processing speed.
01:01:06Now we're like past exascale computing.
01:01:10Magnolia, Texas can't defend against that.
01:01:15We have a, we have nefarious actors that have the computational capabilities to destroy
01:01:21a country.
01:01:22How do I protect District 8 in Texas?
01:01:27I think, and this is not normally how you start a security program, but you should start
01:01:32with incident response.
01:01:33You need to have surge capabilities and resources to respond to an incident.
01:01:37And to your point, unfortunately, it will happen.
01:01:40We have data that shows it will happen to even the most mature organizations.
01:01:43So having those capabilities, and a lot of times those surge capabilities, and I've been
01:01:47in this role, come from the National Guard, they come from CISA and other organizations
01:01:50to provide us intelligence we don't have to collectively respond as an industry, and that
01:01:54also raises the bar.
01:01:55I mean, but how much is that?
01:01:56I can't even, I can't even repave the roads in my forest right now.
01:02:01So now here we're talking about dollar bills, and I can only imagine that protective layer
01:02:08is going to help me fix this problem.
01:02:12I mean, what?
01:02:13Yeah, there's certainly data points available of known exploited vulnerabilities.
01:02:18That's something we use as an industry to prioritize.
01:02:20Like, we know these are actively being exploited against these organizations.
01:02:23You want to make sure that when you're applying resources against the problem, it's a prioritized
01:02:28approach, whether it's through the program assessments that these organizations complete
01:02:32to identify the highest risk, or whether it's vulnerabilities that you see day in and day
01:02:35out, to prioritize those resources.
01:02:37I know within ten, but we have data that says, unfortunately, if a new vulnerability comes
01:02:41out that affects major operating systems, as an example, it takes most organizations
01:02:46a few weeks to address those vulnerabilities.
01:02:48And by the way, they only fix about half of them during the course of that two weeks.
01:02:51So there's a known exposure that we all accept.
01:02:54Like I said, I'll foot stomp this, having that good response plan of how you coordinate
01:02:58reaction to those events becomes critical.
01:03:04I yield back, sir.
01:03:05Gentleman yields back, and I get the gentleman's point about there might not be a way to stop
01:03:09these.
01:03:10How do we stop them?
01:03:11I don't know if we can stop them, but being able to respond and get things back online,
01:03:17I think, is at least part of the goal here.
01:03:21I now recognize the gentleman from California, the Ranking Member, Mr. Swalwell, for his
01:03:25second five minutes.
01:03:27I'd welcome the opportunity with the four of you here to give us a real-time update
01:03:32on the threat environment and what you're seeing as to the type of the attack, the ask
01:03:41of the attack, if it's ransomware, your ability to work with the federal government, for example,
01:03:49the Bureau, when an attack occurs, and the origin of the attack.
01:03:55Is it still primarily Russia, Eastern Europe, criminal gangs for ransomware?
01:04:03And then as far as phishing attacks and intellectual property theft, is that primarily China?
01:04:11So, Mr. Huber, I'll start with you.
01:04:14You each spent about a minute on this.
01:04:16I think we'd get a good cross-sector update.
01:04:21Yeah, I think it's heavily dependent on the sector the entity operates in.
01:04:25You do see all those actors across all sectors.
01:04:28And unfortunately, you know, it's become easier.
01:04:31There's things such as ransomware as a service, as an example.
01:04:33You can buy access to systems and companies at your will without having to conduct any
01:04:38actual attacks themselves.
01:04:39And then, of course, we always have the nation-state actors in there.
01:04:42So you're basically investing in the stock market and just, like, buy an index fund of ransomware attacks?
01:04:46That's exactly it.
01:04:47Yeah, so if I wanted to compromise your machine, I might buy access from somebody who already
01:04:50has access to your machine.
01:04:51So I'm not actually conducting the activity myself.
01:04:53Right.
01:04:54Sorry, continue.
01:04:55Yeah, so I think, you know, we're seeing a mixed bag.
01:04:58And the problem becomes, to Congressman Luttrell's point, is, you know, trying to defend against
01:05:02all of those different types of actors, whether it's, you know, financially motivated, ideology
01:05:06motivated, nation-state motivated, they all have different intents for what their targets are.
01:05:11So you have to understand, to a great extent, what your attackers look like.
01:05:14And that's, again, where some of that information through law enforcement or CISA or JCDC is
01:05:18very useful.
01:05:19JCDC is a part of CISA.
01:05:20We used, they coordinated responses for Log4j.
01:05:23Massive vulnerability.
01:05:24It affected the economy and the world, for that matter.
01:05:26One of the largest ones of my career.
01:05:27They did a fantastic job of sharing what works, what doesn't, and getting us intel quickly
01:05:31that we can action.
01:05:32Great.
01:05:34Mr. Fuller.
01:05:35Thank you so much for the opportunity.
01:05:36So the types of attacks.
01:05:37First of all, the end users are typically the biggest vulnerability.
01:05:41So we see things like phishing attacks, business email compromise.
01:05:45I'd like to give you a very specific example that we just had the last few weeks.
01:05:49Utah is an alcohol control state.
01:05:51We have retail stores that sell alcohol.
01:05:56We had criminals calling these liquor stores, representing themselves as members of the
01:06:02government, and saying that they needed to change settings in their credit card readers.
01:06:06The credit card readers, they were trying to, the settings they were trying to change
01:06:09were trying to make it so the card didn't have to be present.
01:06:12It was a blatant attempt to try to hack the credit card readers of our liquor stores.
01:06:16We've seen, just in the recent past, some business email compromise has been very damaging.
01:06:21We've seen, they try to do things like convince state employees to change bank routing numbers,
01:06:29to redirect funds.
01:06:31So it goes to the criminals instead of to the place it's supposed to go.
01:06:35And the primary attackers come from Russia, China, North Korea, Iran,
01:06:42and we've seen quite a bit from Nigeria.
01:06:45I would also just mention to some of the comments before that with artificial intelligence
01:06:51technology, unfortunately I see the problem getting worse, not better.
01:06:55It used to be with phishing type emails you would see typos, incorrect grammar,
01:07:01you could kind of spot that something wasn't quite right.
01:07:03Unfortunately, the criminals know how to use artificial intelligence as well.
01:07:07And we just had an incident where we had over 400 phishing emails,
01:07:11every one a different subject line, every one a different text, all written beautifully.
01:07:17And unfortunately, all bearing malware that could compromise systems.
01:07:22So unfortunately, the world's getting more dangerous, not less.
01:07:26Thank you, that's helpful.
01:07:28Council Member Kramer.
01:07:29So in talking to James Meese, our cybersecurity guy back home,
01:07:33he mentioned some of the same things have been testified to here.
01:07:37There are certain localities that we know when something's coming in,
01:07:42it's probably suspect just because of where it's coming from.
01:07:46In 2023, we had a nation state cyber actor get access to one of our network devices
01:07:53through a provider's chat.
01:07:56You wouldn't think that's a big deal, but in the process of chatting back and forth
01:08:00with other folks on that same system, they were able to get passwords,
01:08:04usernames, and later were able to go in and try to,
01:08:08they got into the network where they could see what was going on.
01:08:12Fortunately, we were able to catch that before they were able to do anything.
01:08:16So it only cost us about 100 hours to fix it.
01:08:19We were grateful.
01:08:20Typically, these things, the problem is, as you guys well understand,
01:08:24if you don't spend the money up front to know what's coming,
01:08:28you're going to spend the money on the back end.
01:08:30And we talked earlier about local governments and rural communities.
01:08:34The real issue there is a lot of the rural communities,
01:08:37they don't have the resources to spend up front.
01:08:40And so they don't, and you don't have a choice about spending on the back end.
01:08:44Time expired.
01:08:45Would you indulge me to allow the CISO from Connecticut, please, Mr. Raymond?
01:08:50I would say the very similar answer,
01:08:53we're seeing global interest in things that we do.
01:08:56If we put a new device on the network,
01:08:58five minutes it's being scanned by someone.
01:09:01So they're looking for the vulnerabilities
01:09:04that were being described for scanning earlier.
01:09:07The threats are data exfiltration, stealing of data of intellectual property,
01:09:12ransomware, extortion of data, business email compromise.
01:09:17I'd say phishing, targeting of leaders for passwords
01:09:20and those kinds of things are very common things that we see.
01:09:25That was helpful across the board.
01:09:27Chairman, I yield back.
01:09:29The gentleman yields back.
01:09:31I'm going to continue along my line of questions from before about changes.
01:09:35CISA and FEMA's role, are they good partners?
01:09:39Are they the ones who should be running this program?
01:09:42I mean, has it worked?
01:09:44Has it not?
01:09:45Jump in.
01:09:48If I may, Mr. Chair, CISA has been an outstanding partner for us.
01:09:52We're really grateful for them and their commitment.
01:09:54We use them in a number of ways.
01:09:56They are active members of our cyber center
01:09:58as well as the Federal Bureau of Investigation.
01:10:00Those relationships are extremely important.
01:10:03When a bad thing happens, it is so good to be able to have experts
01:10:09to reach out to and know who to call.
01:10:12CISA and FBI help provide that role for us.
01:10:14We're very grateful for their support.
01:10:16We also use CISA services to do cybersecurity assessments
01:10:19of each of our agencies in the state across the board.
01:10:22We do that once every three years for all agencies.
01:10:25They've been a tremendous partner for us.
01:10:27Mr. Raymond?
01:10:29Yeah, I completely agree.
01:10:33The CISA team has brought great leadership and insight
01:10:38and expertise in terms of both what we can leverage
01:10:42but to the earlier question, they've been fantastic
01:10:46in getting out to the local governments
01:10:48and helping them raise the understanding of what's available
01:10:52and how they need to be thinking about it.
01:10:54FEMA has been sort of a back office partner
01:10:58for the grant administration.
01:11:00It's less active in the delivery of the technology
01:11:04but they've also been a great partner.
01:11:08I'd say Baseline has been a great partner.
01:11:12Really happy about what's going on so far.
01:11:16But the one size fits all approach has been somewhat limiting.
01:11:20It limits some of the efficiencies.
01:11:22We would hope that Congress would create
01:11:24a more direct competitive grant fund with SLCGP
01:11:28for larger municipalities who can afford to take care of that
01:11:32on their own.
01:11:34I think that would be helpful.
01:11:36The other is we recommend an application process
01:11:38to be simplified to encourage participation
01:11:40in some of our smaller communities.
01:11:42Simplified how?
01:11:44The reporting processes are somewhat burdensome.
01:11:49Again, keep in mind, and some of my colleagues
01:11:51have already testified, very often these aren't full-time
01:11:54employees who are focused on, A, applying for grants
01:11:57in the first place, and B, just the technical nature
01:12:02of it alone.
01:12:04If we could make it such that some of our less technical folks
01:12:08who are responsible for these highly technical
01:12:10responsibilities would be able to report more easily.
01:12:14Currently, Louisville, the city of Louisville,
01:12:17has to go through the state to get its grant, correct?
01:12:20It's administered by the state?
01:12:22I don't believe so.
01:12:24I'd have to check.
01:12:26I think ours came directly to Metro Louisville.
01:12:28It may have come through the state.
01:12:30I'll withhold on that one.
01:12:32But you're saying part of this pot of money
01:12:34would be, instead of having to go,
01:12:36it might be worthwhile to have some of the larger cities
01:12:39and municipalities be able to go directly to FEMA
01:12:44to have some of the grants go instead of, okay.
01:12:47Now, you mentioned something about, for rural, the cost.
01:12:52They can't even come up with the cost share.
01:12:54How would we fix that?
01:12:56Again, I think the program, the way that it's designed,
01:13:00if we could get that more quickly, more easily
01:13:03to municipalities.
01:13:05And again, when we talk about cities and rural,
01:13:08municipalities are still in those rural areas.
01:13:12They're just much smaller municipalities.
01:13:14In the state of Kentucky, in all the states, actually,
01:13:17there's leagues of cities.
01:13:19And the Kentucky League of Cities
01:13:21has been awesome to work with.
01:13:23It would be beneficial to local governments
01:13:27if the grant money were funneled
01:13:29or moved through that organization.
01:13:31They're more directly connected to what's going on in cities
01:13:34than the state is.
01:13:36Okay. Mr. Raymond, Mr. Fuller, you both have rural areas.
01:13:38I mean, what could we do more to help there?
01:13:41Because, again, those are the municipalities
01:13:43that don't have the expertise.
01:13:45Even though the Pivot Act, the chairman is leading,
01:13:47would allow people to hire and be part of the service.
01:13:50That's great.
01:13:52So nice little plug for the chairman's bill.
01:13:54Hopefully he passes. But go ahead.
01:13:56Mr. Chair, if I may, so I felt like it was kind of ingenious
01:13:59to run it through the states because...
01:14:01And 80% of the funding came through the states,
01:14:04but 80% of the funding to go to locals.
01:14:07And that allowed us, the state,
01:14:09to directly help those rural cities and counties
01:14:11and give them the help that they need.
01:14:13In some cases, we've been able
01:14:15even to hire technical resources
01:14:17to help them implement the endpoint software.
01:14:19And we've been able to provide the training
01:14:21that they wouldn't have otherwise needed to do.
01:14:23So we've been able to...
01:14:25We as a state have been able to make it super easy.
01:14:27We've just packaged it up and given it to them
01:14:29and even helped them implement it.
01:14:31So the way it's worked for us has been beautiful.
01:14:33I would add that the match allows for a waiver,
01:14:37depending on certain financial conditions.
01:14:40So I do believe that if people can't come up with the money
01:14:44to meet the match, they have a way to respond to that.
01:14:47However, I think people have been reluctant to use that,
01:14:51and the expectation that that will slow down their award
01:14:55or perhaps not get it...
01:14:57They wouldn't be granted the match.
01:14:59And so I think there's some trepidation
01:15:01for people to put in for that match waiver
01:15:04that's preventing some of the uptake of it.
01:15:06Wonderful.
01:15:08Mr. Huber, you mentioned something
01:15:10in your opening statement
01:15:12about lower the cost-sharing requirements.
01:15:14Did you say that?
01:15:16I did, yeah.
01:15:18I think there's opportunity certainly
01:15:20with state municipalities where it makes sense
01:15:22to provide shared services.
01:15:24So if you have a service provided,
01:15:26as Mr. Fuller mentioned as well,
01:15:28you have expertise at the state level
01:15:30that can also be shared.
01:15:32They can hire additional resources there.
01:15:34So you have a known capacity providing resources
01:15:36to certainly rural and municipalities.
01:15:38I think that makes it more effective.
01:15:40And then the cost-share component,
01:15:42which I mentioned earlier is, like,
01:15:44you don't want to put so much pressure
01:15:46on a small organization that doesn't have somebody
01:15:48whose full-time job is applying for grants
01:15:50trying to do that, right,
01:15:52because it's a highly technologized,
01:15:54protected organization.
01:15:56I'm out of time, but I'm the chairman,
01:15:58so I'm just going to ask one more question.
01:16:00So now we've had this hearing.
01:16:02It's our job to come back
01:16:04and to reauthorize this
01:16:06if we want to make any changes.
01:16:08So you're all the experts.
01:16:10You've all been dealing with this bill
01:16:12or this program.
01:16:14If you could all have...
01:16:16I want to hear from each one of you.
01:16:18If there was one change or fix made to this,
01:16:20what would it be?
01:16:22And we'll start with you, Mr. Huber.
01:16:24I think you'd want to ensure
01:16:26that there's harmonization of any standards
01:16:28and compliance.
01:16:30You want this to be a cybersecurity exercise.
01:16:32Raise the bar for cybersecurity,
01:16:34not a compliance exercise.
01:16:36Simple as that.
01:16:40Mr. Fuller?
01:16:42I would just say continuity of funding.
01:16:44That would be the main thing.
01:16:46It got too...
01:16:48The funding gets cut
01:16:50and then they're left holding the bag
01:16:52and that makes them hesitant to adopt.
01:16:54So the authorization
01:16:56should be longer than four years?
01:16:58Yes, please.
01:17:00I concur
01:17:02with both my colleagues.
01:17:04And then I would add back in
01:17:06to what I mentioned a moment ago.
01:17:08For large municipalities,
01:17:10if we could apply directly,
01:17:12I think that would be helpful
01:17:14and then allow that organizations
01:17:16like Municipal Leagues
01:17:18would have an opportunity to work together as well.
01:17:20Mr. Raymond?
01:17:22I would say the
01:17:24ongoing sustainable funding
01:17:26and then ongoing assessments.
01:17:28You cannot manage what you don't measure.
01:17:30And so understanding what that
01:17:32cyber risk looks like is critical
01:17:34to this ongoing success.
01:17:36Great.
01:17:38Well, I want to thank the witnesses
01:17:40for their valuable testimony today
01:17:42and the members for their questions.
01:17:44The committee may have some additional questions
01:17:46for all of you.
01:17:48And we would ask that you all respond to these in writing.
01:17:50Pursuant to Committee Rule 7E,
01:17:52the hearing record will be held open for 10 days.
01:17:54Without objection, this committee stands adjourned.