CISA Director Discusses Cyber Hygiene and DHS Cyber Attack Response Programs at HSGAC Hearing

WASHINGTON — The Homeland Security and Governmental Affairs Committee examined how state, local, tribal, and territorial governments and critical infrastructure owners and operators can mitigate and protect against persistent cybersecurity threats. The hearing also highlighted the current threat environment, including ransomware attacks and threats from state actors such as Iran.

In his opening statement, Chairman Johnson noted, “The protection of mission-critical systems for state, local, tribal, and territorial (SLTT) governments is an essential component of our nation’s cybersecurity. Last year alone, cybercriminals used ransomware attacks to cripple municipal entities with near impunity. An estimated 966 government, education, and healthcare entities were victims of ransomware attacks in 2019 that cost an estimated $7.5 billion in operational and financial damages.

In addition to the increased frequency of ransomware attacks, heightened tensions between the U.S. and Iran have raised concerns about the extent to which state and local governments, and critical infrastructure owners and operators, are prepared to respond to cyberattacks by state or state-sponsored actors.

“Fortunately …  simple, cost-effective actions can make a tremendous difference. In addition to practicing good cyber hygiene, SLTT governments, and critical infrastructure owners and operators can also leverage Department of Homeland Security resources to help further protect their cybersecurity systems and assets.

“State and local governments and the private sector are on the front lines and grappling with these cyber threats every day. For example, this past August, Texas was hit by a coordinated ransomware attack. The ransom was not paid, but the response effort still cost the state hundreds of thousands of dollars. DHS assisted in the response through reverse-engineering the malware, but according to state officials, additional improvements are needed. We can learn a great deal from the experiences of individual states and businesses, and identify areas for improvement.”

In December, Chairman Johnson introduced the bipartisan Cybersecurity Vulnerability Identification and Notification Act of 2019 with Sen. Maggie Hassan to ensure that CISA has the authority necessary to warn critical infrastructure owners and operators of cybersecurity vulnerabilities. CISA Director Krebs, speaking in support of the chairman’s legislation today, said, “I should be able to work with partners, when we identify vulnerabilities, [to] provide them guidance or remediation to patch their systems.”

Video of the hearing is available here.