Katko Opening Statement in Colonial Pipeline Hearing
Ranking Member Katko’s Opening Statement (as prepared for delivery)
I thank the Chairman for calling this timely and important discussion, and I thank him for his continued partnership in the joint effort to increase American cybersecurity resilience. From data integrity on federal systems, to pipelines, to meat processing, to key transportation assets – the connected systems that underpin our very way of life are under constant attack by cyber adversaries. It’s been getting worse, and it must stop. This isn’t hypothetical or the plot of a Hollywood film. These attacks on our critical infrastructure are happening right in front of our eyes.
The next steps we take are of vital importance. They should be a mix of short-term tactical and longer-term foundational policy shifts. The government will need to take the lead in certain areas. For other responsibilities, the onus will be on industry. Throughout all of this, however, we must work together.
Foundational to the work of this committee must be maximizing the role of CISA. We must mature the relationship between CISA – as the nation’s lead civilian cybersecurity agency with centralized capacity and tools – and the Sector Risk Management Agencies, who have the sector-specific relationships and expertise. Optimizing, not eroding, these relationships between CISA and the various SRMAs will be critical going forward. Now is not the time to relitigate previous turf battles.
I am hopeful that the recent TSA security directive is an important step forward in strengthening both TSA and CISA’s ability to respond to these rapidly evolving cyber threats, although there’s a valid question of why it took so long for TSA to finally leverage this authority. It’s vital that TSA be relentless in its focus going forward to secure the nation’s 2.7 million miles of pipelines. TSA needs to continue to involve industry in the implementation of this security directive and future ones.
As we continue to provide clarity and confidence in federal roles and responsibilities, we also must keep on the full court press to provide CISA with the resources it needs to help the critical infrastructure community. I recently introduced H.R. 1833, the DHS Industrial Control Systems Capabilities Enhancement Act of 2021, a bill with bipartisan support that is designed to protect critical infrastructure from cyberattacks and further bolster the deployable and scalable pool of resources CISA offers to assist stakeholders. I am pleased that this bill passed out of committee unanimously and look forward to its prompt consideration on the floor of the House.
Make no mistake – the federal government has some significant execution challenges on the horizon where it cannot afford to fumble. I recently worked with the Chairman to sound the alarm on the implementation timeline of Continuity of the Economy planning as mandated by last year’s NDAA. This is a provision we supported that was designed exactly for moments like this. Where is it now when we need it the most?
Following the devastating SolarWinds hack in December of 2020, I created a 5-pillar plan to enhance American cybersecurity. I am encouraged to see that the software-heavy provisions of the Administration’s new Cyber Executive Order track very closely to my suggestions. But again, we must hold the Administration’s feet to the fire to ensure the aggressive, but necessary, deadlines are met.
The federal government also faces a moment of reckoning when it comes to deterrence. While many of the recent hacks have come from so-called “apolitical” organizations, certain countries, in particular Russia, are creating safe havens for these bad actors. The President has a meeting with Putin next week. I hope to see the President send a clear message that turning a blind eye to cyber criminals who attack our critical infrastructure is completely unacceptable. He must make it abundantly clear what the continued harboring of these groups will mean. Ultimately, strength only respects strength, and that’s what we need to project now.
As we learn from incidents like the Colonial Pipeline ransomware attack, I do believe the private sector also must look hard in the mirror. While I don’t think a culture of blaming the victim is ultimately constructive, clearly we can all do better to protect our critical networks. I appreciate Colonial Pipeline’s identification of places where they are now hardening systems in response to the devastating ransomware attack in May, but this begs an obvious question. If your pipeline provides fuel to 45% of the East Coast, why are you only hardening systems after an attack? Again, I’m not interested in blaming the victim here, but we all must learn from these incidents to prevent future destruction.
As we’ve painfully witnessed a string of even more ransomware attacks since Colonial, it’s clear to all of us that we must break the ransomware business model once and for all. We cannot default to accepting extortion. As an industry leader there is certainly heavy pressure to get your own systems up and running when facing a frightening cyber attack, but the easy fix of today only funds the ransomware attacks of tomorrow. Everything should be on the table here, with Know Your Customer and cryptocurrency reporting requirements being the low-hanging fruit. While it is encouraging that the FBI was able to recover the majority of the Bitcoin ransom in this instance, we can’t rest on this capability as a free pass going forward.
Finally, this string of devastating cyber incidents with real-world impacts has reinforced that we need a codified process of identifying Systemically Important Critical Infrastructure. I look forward to working with a wide range of stakeholders to get this right.
I anticipate that much of today’s hearing will highlight just how much time is of the essence. I’m heartened to see that tomorrow the Senate will hold confirmation hearings for the CISA and National Cyber Directors. Let’s keep our foot on the gas pedal. There is no other option.