H3696 CONGRESSIONAL RECORD — HOUSE July 20, 2021

1833, the DHS Industrial Control Systems Capabilities Enhancement Act of 2021.

As I have said from day one as ranking member of this committee, we need to continue to bolster cybersecurity capabilities at CISA to defend our Federal networks and the Nation’s critical infrastructure from cyber threats.

The volume of attacks in 2021 alone shows that no one is immune from nation-state cyber actors or cyber criminals. Cyber threats, particularly ransomware, are the preeminent national security threat facing our Nation today. From Colonial Pipeline to a local water facility in Florida, we have witnessed the real-world consequences cyberattacks can have on our critical infrastructure.

In the attack against a water treatment plant in Florida, hackers were able to gain access to industrial control systems, or ICS for short, and attempted to alter the mixture of water chemicals to what could have been catastrophic fatal levels.

Cyber incidents are very rarely sector specific. CISA is a central agency that can quickly connect the dots when a malicious cyber campaign spans multiple sectors. It is vital that we continue to enhance its visibility across the critical infrastructure ecosystem.

This bill requires the CISA director to maintain capabilities to detect and mitigate threats and vulnerabilities affecting automated control of critical infrastructure, particularly industrial control systems.

This includes maintaining cross-sector incident response capabilities to respond to cybersecurity incidents and providing cybersecurity technical assistance to stakeholders.

We must continue to solidify CISA’s lead role in protecting our Nation’s critical infrastructure from cyber threats, particularly the industrial control systems that underpin vital components of our daily lives.

This bill is one step in the committee’s continued efforts to build up CISA’s authorities and resources to effectively carry out its mission, and it is a resounding statement to have such heavy-hitting, bipartisan support.

Madam Speaker, I urge all Members to join me in supporting H.R. 1833, and I reserve the balance of my time.

Ms. CLARKE of New York. Madam Speaker, I have no further speakers, and I am prepared to close after the gentleman from New York closes. I reserve the balance of my time.

Mr. KATKO. Madam Speaker, I have no further speakers. I urge Members to support this bill. I yield back the balance of my time.

Ms. CLARKE of New York. Madam Speaker, I yield myself the balance of my time to close.

I would like to start by thanking the gentleman from New York for his outstanding leadership in this regard.

Industrial control systems are a rich target for cyber adversaries looking to disrupt, extort, and simply wreak havoc. These systems underpin the functions and services we rely on for our day-to-day lives, and the threats they face have never been higher.

Successful disruption of one of these systems could have dire consequences for public health and safety, public confidence, and even the national and economic security of the United States.

CISA is well-positioned to help owners and operators better understand risks to operational technology and work with them to close security gaps.

I again want to congratulate the gentleman from New York (Mr. KATKO), my committee colleague and ranking member, on authoring this bill to codify the role that CISA plays in leading Federal efforts to secure industrial control systems.

Enactment of H.R. 1833 will help to raise our cybersecurity posture across the board.

Madam Speaker, I yield back the balance of my time.

The SPEAKER pro tempore. The question is on the motion offered by the gentlewoman from New York (Ms. CLARKE) that the House suspend the rules and pass the bill, H.R. 1833, as amended.

The question was taken.

The SPEAKER pro tempore. In the opinion of the Chair, two-thirds being in the affirmative, the ayes have it.

Mr. BISHOP of North Carolina. Madam Speaker, on that I demand the yeas and nays.

The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 8, the yeas and nays are ordered.

Pursuant to clause 8 of rule XX, further proceedings on this motion are postponed.

CYBERSECURITY VULNERABILITY REMEDIATION ACT

Ms. CLARKE of New York. Madam Speaker, I move to suspend the rules and pass the bill (H.R. 2980) to amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities, and for other purposes, as amended.

The Clerk read the title of the bill.

The text of the bill is as follows:

H.R. 2980

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Cybersecurity Vulnerability Remediation Act’’.

SEC. 2. CYBERSECURITY VULNERABILITIES.

Section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659) is amended—

(1) in subsection (a)—

(A) in paragraph (5), by striking ‘‘and’’ after the semicolon at the end;

(B) by redesignating paragraph (6) as paragraph (7); and

(C) by inserting after paragraph (5) the following new paragraph:

‘‘(6) the term ‘cybersecurity vulnerability’ has the meaning given the term ‘security vulnerability’ in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501); and’’.

(2) in subsection (c)—

(A) in paragraph (5)—

(i) in subparagraph (A), by striking ‘‘and’’ after the semicolon at the end;

(ii) by redesignating subparagraph (B) as subparagraph (C);

(iii) by inserting after subparagraph (A) the following new subparagraph:

‘‘(B) sharing mitigation protocols to counter cybersecurity vulnerabilities pursuant to subsection (n); and’’; and

(iv) in subparagraph (C), as so redesignated, by inserting ‘‘and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B)’’ before ‘‘with Federal’’;

(B) in paragraph (7)(C), by striking ‘‘sharing’’ and inserting ‘‘share’’; and

(C) in paragraph (9), by inserting ‘‘mitigation protocols to counter cybersecurity vulnerabilities,’’ after ‘‘measures,’’;

(3) in subsection (e)(1)(G), by striking the semicolon after ‘‘and’’ at the end;

(4) by redesignating subsection (o) as subsection (p); and

(5) by inserting after subsection (n) the following new subsection:

‘‘(o) PROTOCOLS TO COUNTER CERTAIN CYBERSECURITY VULNERABILITIES.—The Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities to information systems and industrial control systems, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.’’.

SEC. 3. REPORT ON CYBERSECURITY VULNERABILITIES.

(a) REPORT.—Not later than one year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on how the Agency carries out subsection (n) of section 2209 of the Homeland Security Act of 2002 to coordinate vulnerability disclosures, including disclosures of cybersecurity vulnerabilities (as such term is defined in such section), and subsection (o) of such section (as added by section 2) to disseminate actionable protocols to mitigate cybersecurity vulnerabilities to information systems and industrial control systems, that includes the following:

(1) A description of the policies and procedures relating to the coordination of vulnerability disclosures.

(2) A description of the levels of activity in furtherance of such subsections (n) and (o) of such section 2209.

(3) Any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in such section 2209) between the Department and industry and other stakeholders.

(4) Any available information on the degree to which such information was acted upon by industry and other stakeholders.

(5) A description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.

(b) FORM.—The report required under subsection (b) shall be submitted in unclassified form but may contain a classified annex.

SEC. 4. COMPETITION RELATING TO CYBERSECURITY VULNERABILITIES.

The Under Secretary for Science and Technology of the Department of Homeland Security, in consultation with the Director of the

Cybersecurity and Infrastructure Security Agency of the Department, may establish an incentive-based program that allows industry, individuals, academia, and others to compete in identifying remediation solutions for cybersecurity vulnerabilities (as such term is defined in section 2209 of the Homeland Security Act of 2002, as amended by section 2) to information systems (as such term is defined in such section 2209) and industrial control systems, including supervisory control and data acquisition systems.

SEC. 5. TITLE XXII TECHNICAL AND CLERICAL AMENDMENTS.

(a) TECHNICAL AMENDMENTS.—

(1) HOMELAND SECURITY ACT OF 2002.—Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—

(A) in the first section 2215 (6 U.S.C. 665; relating to the duties and authorities relating to .gov internet domain), by amending the section enumerator and heading to read as follows:

‘‘SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET DOMAIN.’’;

(B) in the second section 2215 (6 U.S.C. 665b; relating to the joint cyber planning office), by amending the section enumerator and heading to read as follows:

‘‘SEC. 2216. JOINT CYBER PLANNING OFFICE.’’;

(C) in the third section 2215 (6 U.S.C. 665c; relating to the Cybersecurity State Coordinator), by amending the section enumerator and heading to read as follows:

‘‘SEC. 2217. CYBERSECURITY STATE COORDINATOR.’’;

(D) in the fourth section 2215 (6 U.S.C. 665d; relating to Sector Risk Management Agencies), by amending the section enumerator and heading to read as follows:

‘‘SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.’’;

(E) in section 2216 (6 U.S.C. 665e; relating to the Cybersecurity Advisory Committee), by amending the section enumerator and heading to read as follows:

‘‘SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.’’; and

(F) in section 2217 (6 U.S.C. 665f; relating to Cybersecurity Education and Training Programs), by amending the section enumerator and heading to read as follows:

‘‘SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING PROGRAMS.’’.

(2) CONSOLIDATED APPROPRIATIONS ACT, 2021.—Paragraph (1) of section 904(b) of division U of the Consolidated Appropriations Act, 2021 (Public Law 116–260) is amended, in the matter preceding subparagraph (A), by inserting ‘‘of 2002’’ after ‘‘Homeland Security Act’’.

(b) CLERICAL AMENDMENT.—The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by striking the items relating to sections 2214 through 2217 and inserting the following new items:

‘‘Sec. 2214. National Asset Database.
‘‘Sec. 2215. Duties and authorities relating to .gov internet domain.
‘‘Sec. 2216. Joint cyber planning office.
‘‘Sec. 2217. Cybersecurity State Coordinator.
‘‘Sec. 2218. Sector Risk Management Agencies.
‘‘Sec. 2219. Cybersecurity Advisory Committee.
‘‘Sec. 2220. Cybersecurity Education and Training Programs.’’.

The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from New York (Ms. CLARKE) and the gentleman from New York (Mr. KATKO) each will control 20 minutes.

The Chair recognizes the gentlewoman from New York.

GENERAL LEAVE

Ms. CLARKE of New York. Madam Speaker, I ask unanimous consent that all Members may have 5 legislative days to revise and extend their remarks and to include extraneous material on this measure.

The SPEAKER pro tempore. Is there objection to the request of the gentlewoman from New York?

There was no objection.

Ms. CLARKE of New York. Madam Speaker, I yield myself such time as I may consume.

Madam Speaker, 5 years ago a Government Accountability Office survey found that 12 out of 12 Federal agencies used obsolete information technology. In other words, 12 out of 12 Federal agencies were using software or hardware for which vendors no longer provided support, updates, or patches.

The Federal Government is hardly alone. It has been widely reported that State and local governments and critical infrastructure owners and operators across the country rely on legacy technology.

We have seen malicious cyber actors wreak havoc by exploiting known vulnerabilities.

H.R. 2980 would authorize CISA to develop and distribute playbooks to provide procedures and mitigation strategies for the most critical, known vulnerabilities, especially those affecting software or hardware that is no longer supported by a vendor. The playbooks would be available to Federal agencies, industry, and other stakeholders.

The bill, as introduced by the gentlewoman from Texas (Ms. JACKSON LEE), also authorizes the Department of Homeland Security Science and Technology Directorate, in consultation with CISA, to establish a competition program for industry, individuals, academia, and others to provide remediation solutions for cybersecurity vulnerabilities that are no longer supported.

Importantly, in response to recent cyberattacks, H.R. 2980 prioritizes efforts to address vulnerabilities of industrial control systems of critical infrastructure that may be targeted, like water systems and pipelines.

H.R. 2980 is no substitute for investing in new technology, but it will provide important support to government and private sector entities that cannot replace legacy technology or rapidly patch known vulnerabilities because of resource limitations or other system complications.

Madam Speaker, I urge all of my colleagues to support H.R. 2980, and I reserve the balance of my time.

Mr. KATKO. Madam Speaker, I yield myself such time as I may consume.

Madam Speaker, I rise today in support of H.R. 2980, the Cybersecurity Vulnerability Remediation Act. I would like to thank the gentlewoman from Texas (Ms. JACKSON LEE), my friend, for being a staunch advocate of CISA and these important cybersecurity issues. I look forward to continuing to work with her and my other colleagues on the preeminent national security threat facing our Nation today.

Madam Speaker, I urge Members to join me in supporting H.R. 2980, and I reserve the balance of my time.

Ms. CLARKE of New York. Madam Speaker, I yield 5 minutes to the gentlewoman from Texas (Ms. JACKSON LEE).

Ms. JACKSON LEE. Madam Speaker, I thank the gentlewoman from New York for her leadership, and I thank the ranking member of the full committee and the chair of the full committee for bringing these matters to the attention of the Nation.

Madam Speaker, I rise in support of my bill, H.R. 2980, the Cybersecurity Vulnerability Remediation Act, which authorizes the Department of Homeland Security to take actions to counter cybersecurity vulnerabilities in our Nation’s critical infrastructure.

Interestingly enough, when we introduced this bill some years ago, we called it the zero-day bill, which was to presuppose what would happen when everything collapsed. When we introduced it, it was before the Colonial Pipeline, it was before the Solaris attack, it was before knowing about the gangs in Russia, cyber gangs that proliferate before the activity of China.

I thank Chairman THOMPSON and Ranking Member KATKO for their leadership in putting the security of our Nation’s cyber access first, whether they are computing resources used in voting technology or industrial control systems that support delivery of electricity, oil, and gas, or management of transportation systems that are vital to our Nation’s economic health.

The Cybersecurity Vulnerability Remediation Act was introduced, as I said, and passed the House during the 115th and 116th Congresses and has been updated again in the 117th Congress to meet the ever-evolving nature of cyber threats faced by Federal and private sector information systems and our Nation’s critical infrastructure.

As I said before, it will be very important that the other body seriously considers the cyber threats against this Nation. This bill goes significantly further than the first cybersecurity vulnerability act that I introduced in the 115th Congress to address the instance of zero-day events that can lead to catastrophic cybersecurity failures of information and computing systems.

It is estimated that 85 percent of critical infrastructure is owned by the private sector, and for far too long this fact has hampered efforts to establish stronger requirements for cybersecurity by owners and operators.

Private sector critical infrastructure failure due to a cyberattack is no longer a private matter when it can have massive impacts on the public, such as disruption of gasoline flowing to filling stations, which we saw recently.

My bill, the Cybersecurity Vulnerability Remediation Act, will expand

the definition of security vulnerability to include cybersecurity vulnerability; add sharing mitigation protocols to counter cybersecurity vulnerabilities; establish protocols to counter cybersecurity vulnerabilities involving information system and industrial control systems, which will include vulnerabilities related to software or hardware that is no longer supported by a vendor; direct the undersecretary for DHS Office of Science and Technology to stand up a competition to find solutions to known cybersecurity vulnerabilities; provide greater transparency on how the Department of Homeland Security CISA is coordinating cybersecurity vulnerability disclosures through the sharing of actionable protocols to mitigate cybersecurity vulnerabilities with information systems and industrial control systems owners and operators.

1330

H.R. 2980 bolsters the efforts to engage critical infrastructure owners and operators in communicating cybersecurity threats and lays the foundation for greater transparency on the real threats posed by cyberterrorists to private and government sector critical infrastructure and information systems, which impact the people of this Nation.

This legislation allows the science and technology director, in consultation with CISA, to establish an incentive-based program that allows industry, individuals, academia, and others to compete in identifying remediation solutions for cybersecurity vulnerabilities to information systems and industrial control systems, including supervisory control and data acquisition systems.

This bill, when it becomes law, will put our Nation’s best minds to work on closing the vulnerabilities that cyber thieves and terrorists use to access, disrupt, corrupt, or take control of critical infrastructure information systems.

In addition to these changes, the bill requires a report to Congress that may contain a classified annex.

The report will provide information on how DHS coordinates cybersecurity vulnerability disclosures and disseminates actionable protocols to mitigate cybersecurity vulnerabilities involving information systems and industrial systems.

Congress needs to know how prevalent and persistent cybersecurity threats targeting critical infrastructure and information systems might be, especially if those threats result in a payment of ransom. They need to know about a payment of ransom.

Paying a ransom for ransomware emboldens and encourages bad cyber actors and places everyone at greater risk for the financial and societal costs of increases in threats as others seek payouts.

The SPEAKER pro tempore. The time of the gentlewoman has expired.

Ms. CLARKE of New York. Madam Speaker, I yield the gentlewoman an additional 1 minute.

Ms. JACKSON LEE. Madam Speaker, as long as there is silence about cyberattacks like ransomware, the criminals and terrorists will remain out of reach and continue to feel safe and emboldened in carrying out these attacks, often from the soil of our enemies or peer competitors.

I applaud and thank the Biden administration for its quick action in responding to the attack against Colonial Pipeline, but it did shut down the whole East Coast, and he did it by an executive order.

Today, our Nation is in a cybersecurity crisis. The attacks against Federal, State, local, territorial, and Tribal Governments, as well as threats posed to private information systems and critical information systems make this bill necessary.

So I am hoping, along with those who have been attacked, like the Metropolitan Police Department, the medical system in Houston—the gang known as the Babuk group released thousands of Metropolitan Police sensitive documents, and it goes on and on.

Madam Speaker, I include in the RECORD four articles regarding this issue.

[From the Forbes Magazine, July 20, 2021]

TURNING UP THE HEAT: A RANSOMWARE ATTACK ON CRITICAL INFRASTRUCTURE IS A NIGHTMARE SCENARIO

(By Richard Tracy, Forbes Councils Member)

Ransomware attacks in 2020 were up more than 150% compared to the previous year, while ransomware payments were up over 300%.

Over the past six months, we’ve seen a number of ransomware attacks against critical infrastructure—from a water treatment facility to a gas pipeline and multiple food distribution companies—all of which present clear and present danger to society. The impact was so dire—with recent research finding over seven ransomware attacks per hour—that the Department of Justice elevated ransomware attacks to a similar priority as terrorism.

The recent Colonial Pipeline hack, in particular, appears to have struck a nerve, as there is finally discussion about cybersecurity standards for the pipeline industry. That would be a good start and one that is long overdue considering the importance of fuel distribution for our economy and overall way of life.

However, the oil and gas industry is just one element in a single critical infrastructure sector—the energy sector. DHS has defined sixteen critical infrastructure sectors, and each is deemed critical for the proper functioning of our society. Due to the connected nature of everything these days, each sector is a potential cyber target. Disruption to any critical infrastructure segment has potentially dire economic, safety and national security consequences. As such, it only makes sense to address cybersecurity risk management for all sectors, not just oil and gas.

The threat goes beyond the pipeline.

To better understand the need to focus on all critical infrastructure, let’s look at the power grid. Imagine a ransomware attack against the power grid that services highly populated areas in the desert southwest. Now, imagine this attack takes place during the hottest part of the summer.

Think about the heat-related deaths that would likely occur and the impact on medical supplies that require refrigeration. Yes, there are generator backups in hospitals where supplies are stored, but we already know from the pipeline hack that the fuel needed to run these generators can be disrupted too. It’s also important to note that hospitals, also considered critical infrastructure, have also suffered from ransomware attacks. In fact, hospitals have had an even bigger target on their backs in recent months. The connected nature of our critical infrastructure compounds the problem and potential impacts.

To further illustrate how important the power grid is to our citizens, Protect Our Power, an independent, non-profit advocacy and educational organization focused solely on driving increased resilience of the U.S. electric grid to attacks, recently conducted a public opinion poll of 1,095 Americans. Most notably, the study found:

86 percent of Americans are concerned that the grid is vulnerable to a serious cyberattack.

70 percent say they would feel unsafe in the event of an extended power outage of two weeks or more.

66 percent believe their quality of life will suffer from an outage lasting more than seven days.

64 percent say they are unprepared for an extended power outage that will last more than two weeks.

70 percent say the infrastructure bill should include funding to address this important issue.

Only 16 percent believe the federal government is doing all it can to prevent an attack on the grid.

As most Americans agree, the federal government can and should do more to help secure all of our critical infrastructures.

Recent ransomware attacks against critical infrastructure help us understand standards and practices that would have helped. For example, multi-factor authentication (MFA), a widely recognized best practice, may have prevented the Colonial Pipeline hack. According to GAO, greater and more consistent adoption of the NIST CSF, which was specifically developed to help critical infrastructure manage cyber risk, would benefit cyber risk management efforts across all critical infrastructure sectors.

In summary, we need to secure all critical infrastructure sectors. The power grid example used here illustrates how dire the consequences could be. It’s time to move. Summer is upon us, and the desert southwest is getting hot.

--

[From the New York Times, July 19, 2021]

U.S. FORMALLY ACCUSES CHINA OF HACKING MICROSOFT

(By Zolan Kanno-Youngs, David E. Sanger)

WASHINGTON.—The Biden administration on Monday formally accused the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments and military contractors, as the United States joined a broad group of allies, including all NATO members, to condemn Beijing for cyberattacks around the world.

The United States accused China for the first time of paying criminal groups to conduct large-scale hackings, including ransomware attacks to extort companies for millions of dollars, according to a statement from the White House. Microsoft had pointed to hackers linked to the Chinese Ministry of State Security for exploiting holes in the company’s email systems in March; the U.S. announcement on Monday morning was the first suggestion that the Chinese government hired criminal groups to hack tens of thousands of computers and networks around the

world for ‘‘significant remediation costs for its mostly private sector victims,’’ according to the White House.

Secretary of State Antony J. Blinken said in a statement on Monday that China’s Ministry of State Security ‘‘has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.’’

‘‘These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cybersecurity mitigation efforts, all while the MSS had them on its payroll,’’ Mr. Blinken said.

Condemnation from NATO and the European Union is unusual, because most of their member countries have been deeply reluctant to publicly criticize China, a major trading partner. But even Germany, whose companies were hit hard by the hacking of Microsoft Exchange—email systems that companies maintain on their own, rather than putting them in the cloud—cited the Chinese government for its work.

‘‘We call on all states, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace,’’ according to a statement from NATO.

The European Union condemned on Monday ‘‘malicious cyberactivities’’ undertaken from the Chinese territory but stopped short of denouncing the responsibility of the Chinese government.

‘‘This irresponsible and harmful behavior resulted in security risks and significant economic loss for our government institutions and private companies, and has shown significant spillover and systemic effects for our security, economy and society at large,’’ Josep Borrell Fontelles, the E.U.’s foreign policy chief, said in a statement. ‘‘These activities can be linked to the hacker groups,’’ the statement added.

Mr. Borrell called on Chinese authorities not to allow ‘‘its territory to be used’’ for such activities, and to ‘‘take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation.’’

The National Security Agency, F.B.I. and Cybersecurity and Infrastructure Security Agency also issued an advisory on Monday warning that Chinese hacking presented a ‘‘major threat’’ to the United States and its allies. China’s targets include ‘‘political, economic, military, and educational institutions, as well as critical infrastructure.’’

Criminal groups hired by the government aim to steal sensitive data, critical technologies and intellectual properties, according to the advisory.

The F.B.I. took an unusual step in the Microsoft hacking: In addition to investigating the attacks, the agency obtained a court order that allowed it to go into unpatched corporate systems and remove elements of code left by the Chinese hackers that could allow follow-up attacks. It was the first time that the F.B.I. acted to remediate an attack as well as investigate its perpetrators.

--

[From the New York Times, Updated June 8, 2021]

PIPELINE ATTACK YIELDS URGENT LESSONS ABOUT U.S. CYBERSECURITY

(By David E.

the lives of Americans who are cleared to keep the nation’s secrets.

President Biden has promised to fortify the government, making cybersecurity a focus of his summit meeting in Geneva with President Vladimir V. Putin of Russia last month. But his administration has faced questions about how it will also address the growing threat from China, particularly after the public exposure of the Microsoft hacking.

Speaking to reporters on Sunday, the senior administration official acknowledged that the public condemnation of China would only do so much to prevent future attacks.

‘‘No one action can change China’s behavior in cyberspace,’’ the official said. ‘‘And neither could just one country acting on its own.’’

But the decision not to impose sanctions on China was also telling: It was a step many allies would not agree to take.

Instead, the Biden administration settled on corralling enough allies to join the public denunciation of China to maximize pressure on Beijing to curtail the cyberattacks, the official said.

The joint statement criticizing China, to be issued by the United States, Australia, Britain, Canada, the European Union, Japan and New Zealand, is unusually broad. It is also the first such statement from NATO publicly targeting Beijing for cybercrimes.

Despite the broadside, the announcement lacked sanctions similar to ones that the White House imposed on Russia in April, when it blamed the country for the extensive SolarWinds attack that affected U.S. government agencies and more than 100 companies.

(The Justice Department on Friday did unseal an indictment from May charging four Chinese residents with a campaign to hack computer systems of dozens of companies, universities and government entities in the United States between 2011 and 2018. The hackers developed front companies to hide any role the Chinese government had in backing the operation, according to the Justice Department.)

By imposing sanctions on Russia and organizing allies to condemn China, the Biden administration has delved deeper into a digital Cold War with its two main geopolitical adversaries than at any time in modern history.

While there is nothing new about digital espionage from Russia and China—and efforts by Washington to block it—the Biden administration has been surprisingly aggressive in calling out both countries and organizing a coordinated response.

But so far, it has not yet found the right mix of defensive and offensive actions to create effective deterrence, most outside experts say. And the Russians and the Chinese have grown bolder. The SolarWinds attack, one of the most sophisticated ever detected in the United States, was an effort by Russia’s lead intelligence service to alter code in widely used network-management software to gain access to more than 18,000 businesses, federal agencies and think tanks.

China’s effort was not as sophisticated, but it took advantage of a vulnerability that Microsoft had not discovered and used it to conduct espionage and undercut confidence in the security of systems that companies use for their primary communications. It took the Biden administration months to develop what officials say is ‘‘high confidence’’ that the hacking of the Microsoft email system was done at the behest of the Ministry

The attacker was not a terror group or a hostile state like Russia, China or Iran, as had been assumed in the simulations. It was a criminal extortion ring. The goal was not to disrupt the economy by taking a pipeline offline but to hold corporate data for ransom.

The most visible effects—long lines of nervous motorists at gas stations—stemmed not from a government response but from a decision by the victim, Colonial Pipeline, which controls nearly half the gasoline, jet fuel and diesel flowing along the East Coast, to turn off the spigot. It did so out of concern that the malware that had infected its back-office functions could make it difficult to bill for fuel delivered along the pipeline or even spread into the pipeline’s operating system.

What happened next was a vivid example of the difference between tabletop simulations and the cascade of consequences that can follow even a relatively unsophisticated attack. The aftereffects of the episode are still playing out, but some of the lessons are already clear, and demonstrate how far the government and private industry have to go in preventing and dealing with cyberattacks and in creating rapid backup systems for when critical infrastructure goes down.

In this case, the long-held belief that the pipeline’s operations were totally isolated from the data systems that were locked up by DarkSide, a ransomware gang believed to be operating out of Russia, turned out to be false. And the company’s decision to turn off the pipeline touched off a series of dominoes including panic buying at the pumps and a quiet fear inside the government that the damage could spread quickly.

A confidential assessment prepared by the Energy and Homeland Security Departments found that the country could only afford another three to five days with the Colonial pipeline shut down before buses and other mass transit would have to limit operations because of a lack of diesel fuel. Chemical factories and refinery operations would also shut down because there would be no way to distribute what they produced, the report said.

And while President Biden’s aides announced efforts to find alternative ways to haul gasoline and jet fuel up the East Coast, none were immediately in place. There was a shortage of truck drivers, and of tanker cars for trains.

‘‘Every fragility was exposed,’’ Dmitri Alperovitch, a co-founder of CrowdStrike, a cybersecurity firm, and now chairman of the think tank Silverado Policy Accelerator. ‘‘We learned a lot about what could go wrong. Unfortunately, so did our adversaries.’’

The list of lessons is long. Colonial, a private company, may have thought it had an impermeable wall of protections, but it was easily breached. Even after it paid the extortionists nearly $5 million in digital currency to recover its data, the company found that the process of decrypting its data and turning the pipeline back on again was agonizingly slow, meaning it will still be days before the East Coast gets back to normal.

‘‘This is not like flicking on a light switch,’’ Mr. Biden said Thursday, noting that the 5,500-mile pipeline had never before been shut down.

For the administration, the event proved a
Sanger, Nicole Perlroth) perilous week in crisis management. Mr. of State Security, the senior administration For years, government officials and indus- Biden told aides, one recalled, that nothing official said, and abetted by private actors try executives have run elaborate simula- could wreak political damage faster than tel- who had been hired by Chinese intelligence. tions of a targeted cyberattack on the power evision images of gas lines and rising prices, The last time China was caught in such grid or gas pipelines in the United States, with the inevitable comparison to Jimmy broad-scale surveillance was in 2014, when it imagining how the country would respond. Carter’s worse moments as president. stole more than 22 million security-clear- But when the real, this-is-not-a-drill mo- Mr. Biden feared that, unless the pipeline ance files from the Office of Personnel Man- ment arrived, it didn’t look anything like resumed operations, panic receded and price agement, allowing a deep understanding of the war games. gouging was nipped in the bud, the situation

would feed concerns that the economic recovery is still fragile and that inflation is rising.

Beyond the flurry of actions to get oil moving on trucks, trains and ships, Mr. Biden published a long-gestating executive order that, for the first time, seeks to mandate changes in cybersecurity.

And he suggested that he was willing to take steps that the Obama administration hesitated to take during the 2016 election hacks—direct action to strike back at the attackers.

‘‘We’re also going to pursue a measure to disrupt their ability to operate,’’ Mr. Biden said, a line that seemed to hint that United States Cyber Command, the military’s cyberwarfare force, was being authorized to kick DarkSide off line, much as it did to another ransomware group in the fall ahead of the presidential election.

Hours later, the group’s internet sites went dark. By early Friday, DarkSide, and several other ransomware groups, including Babuk, which has hacked Washington D.C.’s police department, announced they were getting out of the game.

DarkSide alluded to disruptive action by an unspecified law enforcement agency, though it was not clear if that was the result of U.S. action or pressure from Russia ahead of Mr. Biden’s expected summit with President Vladimir V. Putin. And going quiet might simply have reflected a decision by the ransomware gang to frustrate retaliation efforts by shutting down its operations, perhaps temporarily.

The Pentagon’s Cyber Command referred questions to the National Security Council, which declined to comment.

The episode underscored the emergence of a new ‘‘blended threat,’’ one that may come from cybercriminals, but is often tolerated, and sometimes encouraged, by a nation that sees the attacks as serving its interests. That is why Mr. Biden singled out Russia—not as the culprit, but as the nation that harbors more ransomware groups than any other country.

‘‘We do not believe the Russian government was involved in this attack, but we do have strong reason to believe the criminals who did this attack are living in Russia,’’ Mr. Biden said. ‘‘We have been in direct communication with Moscow about the imperative for responsible countries to take action against these ransomware networks.’’

With DarkSide’s systems down, it is unclear how Mr. Biden’s administration would retaliate further, beyond possible indictments and sanctions, which have not deterred Russian cybercriminals before. Striking back with a cyberattack also carries its own risks of escalation.

The administration also has to reckon with the fact that so much of America’s critical infrastructure is owned and operated by the private sector and remains ripe for attack.

‘‘This attack has exposed just how poor our resilience is,’’ said Kiersten E. Todt, the managing director of the nonprofit Cyber Readiness Institute. ‘‘We are overthinking the threat, when we’re still not doing the bare basics to secure our critical infrastructure.’’

The good news, some officials said, was that Americans got a wake-up call. Congress came face-to-face with the reality that the federal government lacks the authority to require the companies that control more than 80 percent of the nation’s critical infrastructure adopt minimal levels of cybersecurity.

The bad news, they said, was that American adversaries—not only superpowers but terrorists and cybercriminals—learned just how little it takes to incite chaos across a large part of the country, even if they do not break into the core of the electric grid, or the operational control systems that move gasoline, water and propane around the country.

Something as basic as a well-designed ransomware attack may easily do the trick, while offering plausible deniability to states like Russia, China and Iran that often tap outsiders for sensitive cyberoperations.

It remains a mystery how DarkSide first broke into Colonial’s business network. The privately held company has said virtually nothing about how the attack unfolded, at least in public. It waited four days before having any substantive discussions with the administration, an eternity during a cyberattack.

Cybersecurity experts also note that Colonial Pipeline would never have had to shut down its pipeline if it had more confidence in the separation between its business network and pipeline operations.

‘‘There should absolutely be separation between data management and the actual operational technology,’’ Ms. Todt said. ‘‘Not doing the basics is frankly inexcusable for a company that carries 45 percent of gas to the East Coast.’’

Other pipeline operators in the United States deploy advanced firewalls between their data and their operations that only allow data to flow one direction, out of the pipeline, and would prevent a ransomware attack from spreading in.

Colonial Pipeline has not said whether it deployed that level of security on its pipeline. Industry analysts say many critical infrastructure operators say installing such unidirectional gateways along a 5,500-mile pipeline can be complicated or prohibitively expensive. Others say the cost to deploy those safeguards are still cheaper than the losses from potential downtime.

Deterring ransomware criminals, which have been growing in number and brazenness over the past few years, will certainly be more difficult than deterring nations. But this week made the urgency clear.

‘‘It’s all fun and games when we are stealing each other’s money,’’ Sue Gordon, a former principal deputy director of national intelligence, and a longtime C.I.A. analyst with a specialty in cyber issues, said at a conference held by The Cipher Brief, an online intelligence newsletter. ‘‘When we are messing with a society’s ability to operate, we can’t tolerate it.’’

--

[From MeriTalk: Improving the Outcomes of Government IT, May 20, 2021]

HOUSE HOMELAND SECURITY COMMITTEE ADVANCES SLATE OF CYBERSECURITY BILLS

(By Lamar Johnson)

The House Homeland Security Committee voted May 18 to advance five bills that would look to improve the nation’s cybersecurity in several areas, including protecting pipeline infrastructure, testing cybersecurity readiness, and improving state and local cybersecurity, among others.

The bills to advance out of committee included the Pipeline Security Act, the CISA (Cybersecurity and Infrastructure Security Agency) Cyber Exercise Act, and the State and Local Cybersecurity Improvement Act. Also advanced out of committee were the Cybersecurity Vulnerability Remediation Act, introduced by Rep. Sheila Jackson Lee, D-Tex., and the Domains Critical to Homeland Security Act, introduced by Rep. John Katko, R-N.Y., the ranking member on the committee.

‘‘Since the beginning of this Congress, this Committee has engaged in extensive oversight of these events and how the Federal government partners with others to defend our networks,’’ Chairman Bennie Thompson, D-Miss., said in a release. ‘‘The legislation we reported today was the result of this oversight. I am pleased that they received broad bipartisan support and hope they are considered on the House floor in short order.’’

The Pipeline Security Act was reintroduced by Rep. Emmanuel Cleaver, D-Mo. just a day before advancing out of committee, with the Colonial Pipeline ransomware attack still top of mind. If passed, it will codify CISA and the Transportation Security Agency’s responsibilities in protecting pipelines from cyberattacks and terrorist attacks.

‘‘The Colonial Pipeline ransomware attack that shut down one [of] our nation’s largest pipelines and triggered fuel shortages across the northeast has brought new urgency to our work to protect the country’s critical infrastructure. This attack also follows a string of disturbing cyberattacks against government entities and the private sector,’’ Thompson said.

The CISA Cyber Exercise Act would authorize and require CISA to establish a National Cyber Exercise Program responsible for testing the nation’s cyber readiness. The bill was introduced by Elissa Slotkin, D-Mich., and would direct the agency to create a set of exercises that states, local governments, and private sector businesses could use to test their cyber readiness.

State and local governments get a win with the advancement of the State and Local Cybersecurity Improvement Act. The bill was reintroduced by Rep. Yvette Clarke, D-N.Y., on May 12, and a similar version passed in the House in the last Congress. The bill would direct the Department of Homeland Security (DHS) to create a $500 million-per-year grant program to incentivize state and local governments to work to improve their cybersecurity.

The committee also advanced two bills aimed at protecting critical infrastructure and the supply chain after a recent spate of cyberattacks exposed vulnerabilities in the cybersecurity of each.

Rep. Lee’s Cybersecurity Vulnerability Remediation Act would authorize CISA to work with the owners and operators of critical infrastructure on mitigation strategies around known and critical vulnerabilities. Rep. Katko’s Domains Critical to Homeland Security Act would direct DHS to do research and development around supply chain risks in domains that are critical to the nation’s economy. It would then be required to submit that report to Congress.

The next step for all these bills is a vote on the full House floor.

Ms. JACKSON LEE. Madam Speaker, I ask my colleagues to support this legislation because there is a known list of these attacks from the ISS World to the $50 million paid. I ask my colleagues to support this legislation, and I ask my friends in the other body, to pass this legislation so it becomes law.

Madam Speaker, I rise in support of H.R. 2980, ‘‘The Cybersecurity Vulnerability Remediation Act,’’ which authorizes the Department of Homeland Security to take actions to counter cybersecurity vulnerabilities in our nation’s critical infrastructure.

I thank Chairman THOMPSON and Ranking Member KATKO for their leadership in putting the security of our nation’s cyber assets first, whether they are computing resources used in voting technology or industrial control systems that support the delivery of electricity, oil and gas, or management of transportation systems that are vital to our nation’s economic health.

The Cybersecurity Vulnerability Remediation Act was introduced and passed the House during the 115th and 116th Congresses and has been updated again in the 117th Congress to meet the ever-evolving nature of cyber threats faced by federal and private sector information systems and our nation’s critical infrastructure.

This bill goes significantly further than the first Cybersecurity Vulnerability bill that I introduced in the 115th Congress, to address the instance of Zero Day Events that can lead to catastrophic cybersecurity failures of information and computing systems.

It is estimated that eighty-five percent of critical infrastructure is owned by the private sector and for far too long this fact has hampered efforts to establish stronger requirements for cybersecurity by owners and operators.

Private sector critical infrastructure failure due to a cyberattack is no longer a private matter when it can have massive impacts on the public such as the disruption of gasoline flowing to filling stations.

There would be no need for the Cybersecurity Vulnerability Remediation Act if owners and operators were succeeding in meeting the cybersecurity needs of critical infrastructure.

My concern regarding the security of information networks began in 2015 when the Office of Personnel Management’s data breach resulted in the theft of millions of sensitive personnel records on federal employees.

The attacks against federal, state, local, territorial, and tribal governments, as well as threats posed to private information systems, and critical infrastructure systems make this bill necessary.

On May 13, 2021 it was reported that the DC Metropolitan Police Department had experienced the worst reported cyberattack against a police department in the United States.

The gang, known as the Babuk group, released thousands of the Metropolitan Police Department’s sensitive documents on the dark web because the department would not pay.

Cyberthreats are not limited to information related to government employees.

In February 2021, a cyberattack on an Oldsmar, Florida water treatment facility involved increasing the levels of sodium hydroxide from 100 parts per million to 11,100 parts per million in drinking water.

However, the levels of this chemical in the water produced by Oldsmar, Florida was increased to levels that would cause harm to people if they drank or used it.

This is just one example of how terrorists can attack critical infrastructure and cause threats to health, safety and life.

Cyber terrorists and cyber criminals are also motivated to attack information networks in exchange for money.

The sources of revenue from cyberattacks have moved from demands of payment for thieves not to release information—to the sale of stolen information on the dark web and now to a sophisticated denial of service attack in the form of ransomware that locks a system using encryption until the victim pays.

A list of known ransomware attacks in 2020 that are suspected of paying ransoms, included:

ISS World (Denmark) paid an estimated cost: $74 million;
Cognizant (US) paid an estimated $50 million;
Sopra Steria (French) paid estimated $50 million;
Redcar and Cleveland Council (UK) paid an estimated $14 million; and
University of California San Francisco (US) paid an estimated $1.14 million.

There are likely many other attacks that are not publicly known and this must change if we are to defeat this threat.

Ransomware is becoming the tool of choice for those seeking a payout because it can be carried out against anyone or any entity by perpetrators who are far from U.S. shores.

The Colonial Pipeline incident is just one in a long line of successful attacks or infiltrations carried out against domestic information systems and critical infrastructure with increasing consequences for the life, health, safety, and economic security of our citizens.

CEO Joseph Blount testified before the U.S. Senate that the attack occurred using a legacy Virtual Private Network (VPN) system that did not have multifactor authentication.

In other words, hackers were able to gain access to this critical infrastructure as a result of a single compromised password.

The Jackson Lee Cybersecurity Vulnerability Remediation Act will:

Expand the definition of security vulnerability to include cybersecurity vulnerability;
Add sharing mitigation protocols to counter cybersecurity vulnerabilities;
Establish protocols to counter cybersecurity vulnerabilities involving information systems and industrial control systems, which will include vulnerabilities related to software, or hardware that is no longer supported by a vendor;
Direct the Under Secretary for the DHS Office of Science and Technology to stand up a competition to find solutions to known cybersecurity vulnerabilities; and
Provide greater transparency on how the Department of Homeland Security’s Cybersecurity and Information Security Agency (CISA) is coordinating cybersecurity vulnerability disclosures through the sharing of actionable protocols to mitigate cybersecurity vulnerabilities with information systems and industrial control systems owners and operators.

H.R. 2890 bolsters the efforts to engage critical infrastructure owners and operators in communicating cybersecurity threats; and lays the foundation for greater transparency on the real threats posed by cyberterrorists to private and government sector critical infrastructure and information systems.

The legislation allows the Science and Technology Directorate in consultation with CISA to establish an incentive based program that allows industry, individuals, academia, and others to compete in identifying remediation solutions for cybersecurity vulnerabilities to information systems and industrial control systems including supervisory control and data acquisition systems.

This bill when it becomes law would put our nation’s best minds to work on closing the vulnerabilities that cyber-thieves and terrorists use to access, disrupt, corrupt, or take control of critical infrastructure and information systems.

In addition to these changes, the bill requires a report to Congress that may contain a classified annex.

The report will provide information on how DHS:

Coordinates cybersecurity vulnerability disclosures; and
Disseminates actionable protocols to mitigate cybersecurity vulnerabilities involving information system and industrial systems.

Congress needs to know how prevalent and persistent cybersecurity threats targeting critical infrastructure and information systems might be, especially if those threats result in a payment of ransom.

Paying a ransom for ransomware emboldens and encourages bad cyber actors and places everyone at greater risk for the financial and societal costs of increases in threats as others seek payouts.

As long as there is silence about cyber-attacks like ransomware the criminals and terrorists will remain out of reach and continue to feel safe in carrying out these attacks often from the soil of our enemies or peer competitors.

A company cannot stand up to Russia or China, but the United States can and has done so to protect our national interest.

I applaud and thank the Biden Administration for its quick action to respond to the attack against Colonial Pipeline in issuing a new Executive Order.

Today, our nation is in a cybersecurity crisis.

I know that there is more that should and ought to be done to address the issue of cybercrime and I will be pursuing this avenue under the jurisdiction of the House Judiciary Committee, as the chair of the Subcommittee on Crime, Terrorism and Homeland Security.

Madam Speaker, I ask that my colleagues vote in support of H.R. 2890.

Mr. KATKO. Madam Speaker, I have no further speakers, and I urge Members to support this bill. I yield back the balance of my time.

Ms. CLARKE of New York. Madam Speaker, I yield myself the balance of my time.

Madam Speaker, our adversaries are showing no signs of slowing their efforts to undermine U.S. interests in cyberspace.

Most often, hackers exploit known vulnerabilities. The Federal Government can and should support efforts to address and mitigate known vulnerabilities. H.R. 2980 would do just that.

I thank the gentlewoman from Texas for her foresight, and I urge my colleagues to support the bill.

Madam Speaker, I yield back the balance of my time.

The SPEAKER pro tempore. The question is on the motion offered by the gentlewoman from New York (Ms. CLARKE) that the House suspend the rules and pass the bill, H.R. 2980, as amended.

The question was taken.

The SPEAKER pro tempore. In the opinion of the Chair, two-thirds being in the affirmative, the ayes have it.

Mr. BISHOP of North Carolina. Madam Speaker, on that I demand the yeas and nays.

The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 8, the yeas and nays are ordered.

Pursuant to clause 8 of rule XX, further proceedings on this motion are postponed.

CISA CYBER EXERCISE ACT

Ms. CLARKE of New York. Madam Speaker, I move to suspend the rules
