⚡NIMITZ TECH NEWS FLASH⚡

“Cybersecurity is Local, Too: Assessing the State and Local Cybersecurity Grant Program”

House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection

April 1, 2025 (recording linked here)

HEARING INFORMATION

Witnesses and Written Testimony (linked here):

• Mr. Robert Huber: Chief Security Officer, Tenable, Inc.

• Mr. Alan Fuller: Chief Information Officer, State of Utah

• Hon. Kevin Kramer: First Vice President, National League of Cities; Councilman, Louisville, KY

• Mr. Mark Raymond: Chief Information Officer, State of Connecticut

HEARING HIGHLIGHTS

IN THEIR WORDS

SUMMARY OF OPENING STATEMENTS FROM THE COMMITTEE AND SUBCOMMITTEE

• Chairman Garbarino emphasized the growing threat of cyber attacks, noting Microsoft's 2024 digital defense report estimates over 600 million attacks per day from nation-states and criminal actors. He highlighted the critical importance of securing state and local government infrastructure, which often lacks resources and cybersecurity talent. Garbarino explained that Congress passed the State and Local Cybersecurity Grant Program in 2021, allocating $838 million to address cybersecurity risks for state, local, and territorial governments. He noted the program is set to expire in September and requires reauthorization. Garbarino expressed an open mind about evaluating the program's efficiency and stressed that cybersecurity is a whole-of-society challenge requiring continued federal support.

• Ranking Member Swalwell emphasized the bipartisan nature of the cybersecurity grant program, noting that cyber attacks impact both Republican and Democratic districts across urban, suburban, and rural areas. Swalwell shared a specific example of a ransomware attack in Hayward, California, that shut down city computer networks for over two weeks. He stressed that federal support for state and local governments is necessary to address national security threats. Swalwell highlighted the program's $1 billion allocation to state, local, tribal, and territorial governments as a major step in strengthening cyber defenses. He expressed concern about potential funding pauses and the importance of continued support, particularly in light of threats from China and other adversaries.

SUMMARY OF WITNESS STATEMENT

• Mr. Robert Huber emphasized the crucial role of state and local governments in managing and protecting critical infrastructure like water treatment facilities, energy grids, and transportation networks. He highlighted the increasing sophistication of cyber threats, including the China-backed Volt Typhoon group's attack on a Massachusetts utility. Huber noted that ransomware attacks doubled between 2018 and 2024, causing over $1 billion in operational downtime for state and local governments. He praised the State and Local Cybersecurity Grant Program (SLCGP) as a vital tool, providing $1 billion over four years to help governments address cybersecurity risks. Huber recommended program improvements, including sustainable funding, alignment with cybersecurity standards, and reduced administrative burdens.

• Mr. Alan Fuller discussed the escalating cyber incidents in Utah, noting how attacks have become more complex and frequent over the past decade. He explained that Utah received approximately $13 million in federal funds and $4 million in state matching funds for cybersecurity efforts. The state conducted comprehensive assessments that revealed significantly underdeveloped cybersecurity systems in many local entities. Fuller highlighted their initiative, which deployed endpoint security for over 26,000 devices and provided cybersecurity awareness training to 31,000 local government employees. He shared specific examples of prevented cyber attacks, including stopping ransomware attempts at a local airport and a 911 dispatch center.

• Mr. Kevin Kramer emphasized that local governments are frequent targets of cyber attacks from criminal organizations and nation-state actors. He noted that of the 19,000 municipalities nationwide, over 16,000 have populations under 10,000 and often lack dedicated IT staff. He shared Louisville's experience with the grant program, which helped create a Kentucky Cyber Threat Intelligence Cooperative for sharing real-time threat information. Kramer highlighted the program's importance in fostering collaboration and building awareness among local leaders. He recommended improvements, including a direct funding track for larger municipalities and a simplified application process to encourage participation from smaller communities.

• Mr. Mark Raymond stressed the growing cyber risks facing public service systems that rely heavily on technology and data. He explained Connecticut's approach to the grant program, awarding nearly $3 million in fiscal year 22, with over $2.1 million going directly to local governments. The state partnered with the National Guard to assess cybersecurity risks, discovering that only 27.7% of municipalities were at low risk. Raymond highlighted that grants supported incident planning, multi-factor authentication, and ransomware protections. He suggested improvements such as ongoing dedicated funding, standardizing matching percentages, and making shared services a default position to reduce administrative burdens.

SUMMARY OF KEY Q&A

• Rep. Luttrell asked about how local governments become aware of grant programs and their reach across different jurisdictions. Mr. Raymond explained Connecticut formed regional subcommittees that include representatives from state, local, and school districts. These regional groups have planning committees that bring together chief executives, emergency management professionals, and cybersecurity experts. Mr. Kramer explained that Louisville's approach extended beyond the city itself, reaching out to nearby states, universities (University of Kentucky and University of Louisville), and collaborating with the National Guard. Mr. Fuller highlighted that Utah took a comprehensive approach to grant program implementation, focusing on tools, training, and relationship building. The state achieved over 75% coverage of cities and counties, with the goal of reaching close to 100% participation.

• Rep. Swalwell requested a real-time update on the current cyber threat environment from the witnesses. Mr. Huber discussed the complexity of cyber attacks and the rise of "ransomware as a service." Mr. Fuller described a recent sophisticated social engineering attempt targeting Utah's state-controlled alcohol retail stores. Mr. Kramer described a nation-state cyber actor's attempt to infiltrate a network through a provider's chat. Mr. Raymond confirmed the global interest in scanning and exploiting network vulnerabilities.

• Rep. Ogles inquired about the awareness of cyber threats among smaller, less resourced infrastructure organizations. Mr. Huber emphasized the challenges faced by smaller municipalities and the importance of foundational cybersecurity controls. Mr. Fuller discussed Utah's approach to providing tools and training to rural communities. Mr. Kramer highlighted the difficulties faced by smaller communities with limited resources.

• Rep. Magaziner He asked about potential delays or cuts to the grant program and its impact. Mr. Fuller expressed concerns about funding continuity and its effect on program adoption. Mr. Raymond discussed the potential negative consequences of reducing FEMA and CISA support for cybersecurity efforts.

• Chairman Garbarino sought information about the program's success and potential improvements. Mr. Raymond discussed the cybersecurity risks across Connecticut’s municipal governments. The initial assessment showed only 27.7% of municipalities were assessed as low risk, indicating significant vulnerabilities across local government systems. Mr. Huber explained how municipalities are using grant funds to map and secure their systems. The witnesses discussed the cybersecurity planning requirements and their effectiveness.

• Rep. Luttrell challenged the witnesses to explain how to comprehensively address cybersecurity challenges across the United States. Mr. Huber emphasized the need to raise foundational cybersecurity standards and improve communication and collaboration.

• Rep. Swalwell requested a detailed breakdown of current cyber threat origins and types. Mr. Huber highlighted the emergence of "ransomware as a service." Mr. Fuller emphasized that end-users remain the biggest vulnerability, and Mr. Raymond described the threat landscape as constantly evolving, noting that new network devices are scanned within minutes of being connected.

• Chairman Garbarino asked each witness for one key recommendation for improving the grant program. Mr. Huber suggested harmonizing cybersecurity standards. Mr. Fuller advocated for funding continuity. Mr. Kramer recommended direct grant applications for larger municipalities. Mr. Raymond emphasized the importance of ongoing assessments and sustainable funding. 

“Aging Technology Emerging Threats: Examining Cybersecurity Vulnerabilities in Legacy Medical Devices”

House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations

April 1, 2025 (recording linked here)

HEARING INFORMATION

Witnesses and Written Testimony:

• Dr. Christian Dameff: MD, MS, FACEP, Emergency Physician and Co-Director, Center for Healthcare Cybersecurity, University of California San Diego Health

• Mr. Greg Garcia: Executive Director, Health Sector Coordinating Council Cybersecurity Working Group

• Mr. Erik Decker: Vice President and Chief Information Security Officer, Intermountain Healthcare

• Ms. Michelle Jump: Chief Executive Officer, MedSec

• Dr. Kevin Fu: PhD, Professor, Department of Electrical and Computer Engineering, Khoury College of Computer Sciences, Department of Bioengineering, Kostas Research Institute (KRI) for Homeland Security, Northeastern University

HEARING HIGHLIGHTS

IN THEIR WORDS

SUMMARY OF OPENING STATEMENTS FROM THE COMMITTEE AND SUBCOMMITTEE

• Chaiman Palmer discussed the hearing's focus on cybersecurity vulnerabilities in legacy medical devices. He explained that these devices cannot be reasonably protected against current cybersecurity threats, including older devices made before existing requirements and newer devices with outdated software. He highlighted the widespread use of medical devices in hospitals, with 6,000 hospitals having 10-15 connected devices per bed. Palmer noted the challenge of hardware lasting 10-30 years while software becomes obsolete much sooner. He referenced the 2017 Wannacry ransomware attack and emphasized the national security concerns, particularly after the discovery of a Chinese-made patient monitor with a hidden backdoor.

• Ranking Member Clarke expressed deep alarm about the Trump administration's announcement of terminating 20,000 physicians and closing regional offices at HHS. She criticized the administration's approach to federal employees and the potential chaos it would create. Clarke highlighted concerns about cuts to NIH grant funding and the abrupt termination of research projects. She pointed out the resignation of Peter Marks from FDA, who stated that truth and transparency were not desired by the Secretary. Clarke argued that the hearing about medical device cybersecurity seemed disconnected from the current workforce reduction crisis.

• Chairman Guthrie emphasized the serious risks posed by legacy medical devices to patient safety and healthcare infrastructure. He cited a cybersecurity firm's report indicating that 53% of connected medical devices had known critical vulnerabilities. Guthrie discussed the 2022 PATCH Act, which enhanced FDA authority over cybersecurity for new devices, but left existing devices unaddressed. He highlighted a specific example of a Chinese patient monitor with a backdoor connected to a Beijing university. Guthrie noted instances of medical device vulnerabilities, such as insulin pumps that could be hacked to alter dose limits.

• Ranking Member Pallone criticized the administration's massive workforce cuts, particularly the plan to reduce 20,000 employees from HHS and 3,500 from FDA. He argued that these cuts would severely impact public health and safety, particularly in areas like disease control and medical research. Pallone highlighted concerns about measles outbreaks and the potential disruption to NIH-funded research. He referenced the resignation of Dr. Peter Marks, who claimed the Secretary wished for "subservient confirmation of his mismanagement and lies." Pallone stressed that these cuts would undermine America's scientific leadership and potentially cause Americans to lose trust in federal health agencies.

SUMMARY OF WITNESS STATEMENT

• Dr. Christian Dameff discussed the lack of basic statistics about medical device cybersecurity. He emphasized that medical devices are essentially computers with inherent software and hardware flaws. He highlighted the challenges faced by rural and critical access hospitals in maintaining and securing medical devices. Dameff recommended national healthcare dependency mapping, removing barriers to security research, and building automated resilient systems. He stressed the importance of proactively discovering and patching potential threats.

• Mr. Eric Decker focused on the collaboration needed between the federal government and private health sector. He discussed threats from nation-state actors and organized crime, emphasizing that cyber safety is patient safety. Decker highlighted the Health Industry Cybersecurity Practices (HICP) and the need for incentives for smaller healthcare organizations. He recommended reestablishing critical infrastructure policy advisory committees and leveraging private sector cybersecurity expertise.

• Ms. Michelle Jump discussed the progress in developing more secure medical devices over the past 12 years. She emphasized that people and processes are as critical as technical solutions in addressing cybersecurity challenges. Jump highlighted the complexity of medical devices, which often use multiple software components with limited support lifespans. She recommended that manufacturers commit to regular patching and hospitals leverage cyber performance goals to improve security.

• Mr. Greg Garcia discussed the Health Sector Coordinating Council's role in identifying and mitigating cyber threats. He emphasized the healthcare sector's interconnected nature and the need to scrutinize software and component procurement. Garcia recommended initiating a consultative process between the health sector and government to develop best practices. He stressed the importance of mobilizing government and industry intelligence preparedness to respond to cyber events.

• Dr. Kevin Fu discussed the critical importance of managing cybersecurity risks in legacy medical devices. He highlighted potential life-threatening consequences of device vulnerabilities and emphasized the need for FDA cybersecurity expertise. Dr. Fu stressed the importance of maintaining a strong, experienced workforce at HHS to address these challenges. He called for a bipartisan approach to oversight and maintaining resources devoted to risk mitigation and preparedness.

SUMMARY OF KEY Q&A

• Chairman Palmer asked about estimates of legacy medical devices in use across US healthcare systems. Mr. Decker explained that while the exact number is unknown, estimates suggest around 10 million devices exist, with 8-15 connected devices per hospital bed. Chairman Palmer inquired about the potential for cyber security vulnerabilities to directly harm patients. Mr. Decker discussed how cyber attacks could disrupt hospital systems and compromise device monitoring capabilities.

• Ranking Member Clarke asked about the potential impact of FDA staff reductions on medical device oversight. Dr. Fu expressed serious concerns that losing cybersecurity experts would significantly hinder the agency's ability to respond to emerging threats and manage device vulnerabilities. He emphasized the difficulty of recruiting and retaining specialized cybersecurity talent in the current environment.

• Chairman Guthrie sought clarification about backdoor vulnerabilities in medical devices. Mr. Decker noted the uncertainty of such vulnerabilities in medical devices, while Ms. Jump stressed the importance of proactive risk management and testing to identify potential security weak spots.

• Ranking Member Pallone asked about the role of subject matter experts in supporting medical device reviewers. Dr. Fu explained the importance of experts who understand both technical and regulatory aspects of medical device cybersecurity, highlighting their crucial role in bridging communication between manufacturers, healthcare systems, and regulatory bodies.

• Vice Chairman Balderson asked about the challenges hospitals face with medical device hardware and software life cycles. Dr. Dameff explained the financial constraints that prevent rural and critical access hospitals from replacing devices, particularly highlighting instances where hospitals resort to purchasing parts from secondary markets to keep old equipment functioning.

• Rep. Tonko inquired about the challenges of identifying cybersecurity risks in devices already on the market. Mr. Garcia discussed the broad mandate of the healthcare sector in evaluating technology, emphasizing the complexity of managing cybersecurity across various systems and devices.

• Rep. Weber explored the potential legal liability for medical device manufacturers. Dr. Dameff explained the complexity of assigning liability, noting that vulnerabilities can emerge after device production and that responsibility could shift between manufacturers and healthcare providers depending on specific circumstances.

• Rep. Mullin asked about the importance of maintaining FDA expertise for medical device innovation. Dr. Fu and Mr. Decker both emphasized the critical nature of in-house expertise at the FDA for evaluating innovative technologies and ensuring patient safety.

• Rep. Dunn inquired about tools available to inform the public about device cyber threats. Dr. Dameff highlighted the limited mechanisms for notifying providers about cybersecurity vulnerabilities, emphasizing the lack of a comprehensive system to track and address such risks.

• Rep. Ocasio-Cortez asked about the FDA's role in ensuring medical device safety. Dr. Fu explained the agency's pre-market and post-market oversight processes, emphasizing the importance of building security into devices by design and managing vulnerabilities after deployment.

• Rep. Dingell asked about the impact of firing FDA safety employees on innovation and cybersecurity. Dr. Dameff expressed uncertainty about the full effects but noted potential negative impacts on device accountability and post-market guidance.

• Rep. Fletcher explored the role of outside experts in FDA device review processes. Dr. Fu discussed how the FDA uses stakeholder meetings, public forums, and expert consultations to gather input and improve device security evaluation.

• Rep. Allen sought clarification about the number of government agencies involved in cybersecurity. Mr. Decker explained the challenges of inter-agency coordination and the need for better information sharing between national security apparatus and critical infrastructure defenders.

“Salt Typhoon: Securing America’s Telecommunications from State-Sponsored Cyber Attacks”

House Committee on Oversight and Government Reform, Subcommittee on Military and Foreign Affairs 

April 2, 2025 (recording linked here)

HEARING INFORMATION

Witnesses and Written Testimony:

• Mr. Josh Steinman: CEO, Galvanick

• Dr. Edward Amaroso: CEO, TAG Infosphere, Inc. Research Professor, New York University

• Mr. Matt Blaze: McDevitt chair in Computer Science and Law, Georgetown University

HEARING HIGHLIGHTS

IN THEIR WORDS

SUMMARY OF OPENING STATEMENTS FROM THE SUBCOMMITTEE

• Chairman Timmons emphasized the critical national security challenge of cyber espionage targeting critical infrastructure. He highlighted that cyber attacks against critical infrastructure increased by 30% globally, with over 420 million attacks in the United States last year. The chairman specifically focused on the Salt Typhoon group, a Chinese state-sponsored hacking group that compromised telecommunication networks operated by Verizon and AT&T. He noted that these attacks were able to intercept real-time calls and messaging data from over a million users, with a particular focus on gathering intelligence from high-value government and political figures. Timmons called for a more proactive approach, urging Congress and federal agencies to collaborate with the private sector in establishing a robust cybersecurity strategy.

• Ranking Member Subramanyan agreed with the need to protect telecommunications infrastructure and expressed deep concern about national security protocols. Subramanyan criticized the administration for breaking basic security protocols by adding a journalist to a Signal group chat containing sensitive military information. He highlighted the serious nature of the leak, which revealed operational details about an upcoming strike and potentially jeopardized future missions and allied trust. The ranking member emphasized the importance of understanding how prevalent the use of third-party apps and private phones was when discussing sensitive information. He called for a thorough investigation into the incident, stressing the need for accountability and transparency from national security officials.

SUMMARY OF WITNESS STATEMENT

• Mr. Josh Steinman delivered a simple but pointed message about cyber threats to critical infrastructure. Steinman emphasized that these threats were not confined to the telecommunications industry but were an endemic problem across multiple critical infrastructure sectors. He noted that executive branch leaders had repeatedly testified about threats from countries like Russia, China, Iran, and North Korea. Steinman argued that the time had come for Congress to take action in concert with the executive branch to defend critical aspects of American life against foreign cyber actors. His statement underscored the urgent need for a comprehensive approach to cybersecurity.

• Dr. Edward Omarosa discussed his background as a long-time cybersecurity expert, having spent 31 years at AT&T and currently running a research and advisory company. Omarosa used a metaphor of driving on a road with potholes, suggesting that while current issues are important, the real concern lies in the "sinkholes" ahead. He warned that future challenges would come from adversaries increasingly using AI, and unless the nation found a way to deal with this at a national level in a coordinated way, current threats like Salt Typhoon might seem minor in comparison. Omarosa stressed the need to think about future problems and design new infrastructure to address emerging cyber threats.

• Mr. Matt Blaze provided a historical context for telecommunications infrastructure vulnerabilities, tracing back to the 1994 Communications Assistance for Law Enforcement Act (CALEA). Blaze explained how CALEA mandated that telecommunication service providers incorporate wiretap capabilities into their infrastructure, shifting the technical burden from law enforcement to the communication networks themselves. He highlighted that many technologists had warned about the security implications of such universal wiretap capabilities. Blaze described how telecommunication infrastructure had changed radically over 30 years, becoming more automated and virtualized, which expanded the potential attack surface for malicious actors. He argued that something like the Salt Typhoon attack was inevitable and would likely happen again without significant changes to infrastructure and protection approaches.

SUMMARY OF KEY Q&A

• Chairman Timmons asked Mr. Steinman to describe the significance of the Salt Typhoon breach and its impact on national security. Mr. Steinman carefully discussed the challenges of critical infrastructure vulnerabilities, emphasizing the need for a wartime-like approach to digital infrastructure protection.

• Ranking Member Subramanyan asked about the vulnerabilities of Signal and other communication apps, particularly focusing on potential quantum computing threats. Mr. Blaze explained that end-to-end encryption makes communication more secure but is not a perfect solution, with endpoint attacks remaining a significant risk.

• Rep. Cloud asked about the potential for Signal messages to be exposed by the Salt Typhoon attack. Dr. Omarosa noted that nation-state actors might already have capabilities to break current encryption methods, especially with potential quantum computing advances.

• Rep. Lynch asked about the impact of laying off 130 CISA personnel on national security. Mr. Blaze explained that CISA is a critical clearinghouse for threat intelligence, and any diminishment of its capability would harm national cybersecurity efforts.

• Rep. Biggs asked about the challenges of information sharing between government agencies and the telecommunications industry. Mr. Steinman and Dr. Omarosa discussed the complexities of regulatory frameworks and the need for simplified, more effective information-sharing mechanisms.

• Rep. Garcia focused on the Signal chat incident, asking about the potential consequences of sharing sensitive information on unsecured platforms. Mr. Blaze confirmed that such actions would typically result in immediate revocation of classified information access and potential termination.

• Rep. Crane inquired about the difficulty of identifying and removing cyber threats from infrastructure. Dr. Omarosa explained that completely removing sophisticated malware is nearly impossible and suggested changing infrastructure design as a more effective approach.

• Chairman Timmons sought clarification about Signal's security during the Salt Typhoon attack. Mr. Blaze confirmed that end-to-end encryption would prevent infrastructure-level attacks from revealing message content.

• Rep. Subramanyan continued to press for details about the Signal chat incident, asking about potential device compromises. The witnesses acknowledged that they had no definitive evidence about device security.

• Rep. McGuire asked about information sharing gaps between government agencies and telecommunications companies. Mr. Steinman highlighted challenges related to liability and insurance policies that hinder effective information sharing.

• Rep. Cloud discussed the balance between cybersecurity and maintaining American freedoms. Dr. Omarosa provided an example of how AI could potentially reduce phishing risks through intelligent email management.

• Rep. Biggs inquired about the notification of victims in large-scale cyber attacks. The witnesses agreed that comprehensive victim notifications are rarely implemented.

• Rep. Crane asked about the cybersecurity capabilities of different countries. Mr. Steinman argued that the Chinese Communist Party and their military intelligence apparatus are already operating at what could be considered a "wartime footing" in cyberspace. Dr. Omarosa noted that China has a more comprehensive strategy, viewing everything as a potential weapon.

ADD TO THE NIMITZ NETWORK

Know someone else who would enjoy our updates? Feel free to forward them this email and have them subscribe here.