At a House Homeland Security Committee hearing before the Congressional recess, Rep. LaMonica McIver (D-NJ) pushed to reauthorize $1 billion in funds toward a cybersecurity grant that supports publicly funded transportation and industrial infrastructure.
00:00Gentle lady from New Jersey, Ms. McIver, for five minutes of questions.
00:04Thank you so much, Chairman, and thank you to our ranking member.
00:08My district sits at the heart of our nation's largest metropolitan area and is home to a major airport,
00:15one of our nation's busiest ports, numerous railroads and pipelines,
00:19and key industrial facilities, among other critical infrastructure.
00:23Securing these facilities requires resources, and for publicly-owned critical infrastructure,
00:30those resources have often been lacking.
00:32As part of the Infrastructure Investment and Jobs Act, Congress provided $1 billion to establish the state and local cybersecurity grant program.
00:41State and local governments can use this funding to strengthen the OT security of publicly-owned critical infrastructure.
00:48Unfortunately, under current law, the program is set to expire in just over two months.
00:55Ms. Bolton, I have a question for you.
00:57How important is it to continue funding for the state and local cybersecurity grant program?
01:05I think it's critical to continue that funding.
01:07I mentioned in my testimony that most, a third of districts around the country are rural districts,
01:16and obviously that's not the case for your district, but I think it's still incredibly important.
01:21There are not only large ports and airports in your district, but also smaller entities,
01:27and those are the ones that really desperately need help.
01:29I will add to your question earlier as well that CISA has released a top five OT cybersecurity guide,
01:38so I think that also can help to provide guidance to those entities as to what they can use their cybersecurity spend on.
01:49And at OTCC, we're also working on guidance as well.
01:54Can you just elaborate a little bit more on how should state and local governments prioritize their resources to strengthen their OT security?
02:02So I think it's very important to start at the very beginning.
02:06We do know some of the controls that work, and so we should put those in place.
02:10Multi-factor authentication, segmenting, even micro-segmentation of networks, making sure that we are securing remote access.
02:18And also I'd add that most of the attacks that are happening on our critical infrastructure aren't zero days.
02:26They're not the most sophisticated vulnerability or the most sophisticated attacks.
02:33They are using things that we've seen before, sometimes not changed at all, sometimes mildly changed,
02:40and we continue to be hit by these attacks.
02:44I think, for example, CISA releases a top 12 cyber vulnerabilities, top 12 routinely exploited vulnerabilities list.
02:53Why would the government or any state entity still be able to buy those products off of that list?
03:00If one side of the government is saying these are commonly and routinely exploited, we should never be allowed to buy those.
03:08So things like that I think are extremely important.
03:10Thank you so much.
03:13I want to thank the witnesses for being here today for providing testimony, and I really do appreciate the chairman and the ranking member's steadfast focus on this issue
03:24and also being supporters of the reauthorizing of the state and local cybersecurity grant program.
03:30So I look forward to continuing to work with both of you in this committee to provide state and local governments the resources they so desperately need to secure their critical infrastructure.
03:41With that, I yield back.
03:42Will the gentleman yield?
03:43Can I borrow your minute?
03:44Sure.
03:45Just piggybacking off one of the questions you asked.
03:48You said CISA listed five things as well.
03:51Is it the exact same list as what you're saying?
03:56Yeah, it is not.
03:58This is another issue that we have.
04:00Okay, so there's a problem.
04:01Now I'm taking two lists and saying, here you go, and then that is an issue.
04:09Absolutely.
04:10On top of those two and the $10,100 million that everybody else brings to you, and for a poor district like ours, here we go.
04:20Thank you very much.
04:21Well, and I will say this, the cybersecurity industry as a whole is aligned on things like implementing multi-factor authentication, network segmentation, continuous monitoring and detection.
04:33But there are sort of these conflicting guidances that do exist.
04:38Same with frameworks, conflicting frameworks for OT.
04:41So the people in your district or the operators in your district that are trying to just do the right thing, they don't know where to start.
04:48Correct.
04:48And especially when it's like NIST Cybersecurity Framework 2.0, there's like 80 pages, right?
04:56People who are running these OT networks don't have the knowledge to read through an 80-page document and know where to start.
05:04So one of the things is like NIST is creating some quick start guides.
05:08I think that would be very important to do for OT security.
05:11I yield back.
05:12Thank you, ma'am.
05:14Gentle lady yields.
05:14And thank you very much for your enthusiasm about State Local, the grant program.
05:19I hope it's something that we can get reauthorized right away.
05:22I think it could be a very big bipartisan issue.