November 04, 2021

Chair DeFazio Statement from First Committee Hearing on Protecting the Nation’s Infrastructure Amid an Evolving Cybersecurity Landscape

Washington, D.C. — The following are opening remarks, as prepared for delivery, from Chair of the House Committee on Transportation and Infrastructure Peter DeFazio (D-OR) during today’s hearing titled, “The Evolving Cybersecurity Landscape: Industry Perspectives on Securing the Nation's Infrastructure.”

Video of DeFazio’s opening statement is here.

More information on the hearing can be found here.

Chair DeFazio:

Today we will hear about the challenges and gaps in protecting our nation’s transportation systems and critical infrastructure from cyberattacks, and recommendations on how to close those gaps from private industry and cybersecurity experts. Notably, this hearing is largely being conducted online, demonstrating how much we all rely on cyber systems to carry out basic day-to-day tasks. Even with dedicated and superb IT support and lots of experience, getting everything right 100% of the time is tough.

But when it comes to the nation’s critical infrastructure and transportation networks—pipelines that fuel our economy, water and wastewater treatment plants, shipping, aviation, railroads, and highways that play critical roles in bringing vital supplies to all Americans—getting everything right, every time, must be the goal. Lives are on the line, and each day when you turn on a faucet or flush your toilet, when you board a plane, or fill up your car with gas, you trust that these systems will work. 

But that trust has been shaken in recent years. We have seen headlines about blows to the nation’s economy from ransomware attacks by criminal networks on critical infrastructure, and close calls where disgruntled individual hackers have tried to turn water from our faucets into poison that would do us harm.

These cyber threats and vulnerabilities are diverse, expanding, and constantly evolving, and have the potential to impact everyone. Yet, an estimated 85 percent of the nation’s critical infrastructure is in private hands, owned and operated by private entities.

Too often leaders whose organizations are at risk from cyberattacks weigh the risks of an attack against the cost of increasing cybersecurity protections and they decide to roll the dice, betting they won’t get attacked. The good news is, even basic steps like mandating strong passwords and multi-factor authentication, cybersecurity awareness training, and regularly practicing simple cybersecurity exercises can significantly harden cyber defenses and dramatically diminish a company, utility, or federal agency’s chances that they will fall victim to a successful attack.

Unfortunately, recent surveys have shown that too many public and private entities don’t take these simple steps. In a recent survey of the transit sector nearly 39% of those surveyed had no staff dedicated to cybersecurity and more than 24% provide no cybersecurity training to their staff at all. The water sector is even worse. In a survey published in June of this year, 42% of the water and wastewater utilities surveyed said they conduct no cybersecurity training for their staff and more than 68% of them said they do not participate in any cybersecurity-related drills or exercises.

Many experts believe we don’t have a full and transparent picture of the cybersecurity threats that confront us, impeding our ability to quantify the risks and to learn the lessons from past attacks. Reporting cyber breaches can be harmful to a company’s financial bottom line, endangering a company’s reputation and their stock price, for instance. Overall, the FBI has estimated only 15% of cyber-crimes are actually reported to the government at all. In a recent survey of the transit sector, more than 30% of those surveyed who said they had been the victim of a cybersecurity incident said they never reported the incident to anyone.

With the public’s safety and the national and economic security of the United States at stake, it may be time for voluntary steps by the private sector to give way to mandatory federal reporting requirements.

In 2013, the National Institute of Standards and Technology, or NIST, in consultation with industry, academia, and government, created a cybersecurity risk management framework. Since 2017, that framework has been mandatory for federal agencies, but it has not eliminated all problems, something we will explore more at a future hearing. In the private sector, however, use of the NIST framework remains voluntary, and it is used unevenly. NIST estimated that in 2020 only 50% of private companies were even trying to reach NIST cybersecurity minimum standards.

The Biden administration has finally begun to change things. In May 2021, the president issued Executive Order 14028 to encourage critical infrastructure companies to quote, “follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.” 

In June of this year, DHS’s Cybersecurity and Infrastructure Security Agency issued guidance that addresses complex, networked IT and Operating Technology, or OT, systems and helps to establish standards for preparing and responding to cyberattacks targeting critical infrastructure.

The Biden administration also issued a national security memorandum that called for the creation of cyber-performance goals including establishing baseline cybersecurity performance standards consistent across all critical infrastructure sectors.

In late summer, in the wake of the Colonial Pipeline cyberattack, the Transportation Security Administration abandoned voluntary compliance for pipelines altogether, issuing a directive mandating specific protections to defend against ransomware attacks, along with cybersecurity contingency and recovery plans. The TSA is reportedly preparing similar directives for other critical infrastructure sectors, including rail and aviation.

So, we have an administration that is moving in the right direction. But we need to do more. No single technology, policy, or other action will completely eliminate all cyber threats. But each step can help close the gaps and make success for the cybercriminals and cyberterrorists harder.

I look forward to hearing our witnesses’ ideas about how we can do that. You all have been in the trenches of the silent cyber conflict that goes on each day in our critical infrastructure sectors. And you all have ideas on how government, private industry, or both working together can increase our nation’s cyber resilience to protect our critical infrastructure and the public, and to recover when cyberattacks do occur, despite our best efforts.

So, thank you to our witnesses for joining us. I look forward to your testimony. With that I recognize Ranking Member Graves for his opening statement.