O&I Subcommittee Chair Griffith on Protecting Critical Infrastructure from Cyberattacks

Washington, D.C. — Subcommittee on Oversight and Investigations Chair Morgan Griffith (R-VA) delivered the following opening remarks during today’s Oversight and Investigations Subcommittee hearing titled “Protecting Critical Infrastructure from Cyberattacks: Examining Expertise of Sector Specific Agencies.”

Excerpts and highlights below:


“Defending our nation’s critical infrastructure from cyberattacks is an increasingly difficult endeavor for federal regulators and cybersecurity experts.

“Over the past few years, escalating geopolitical tensions, an uptick in ransomware use, and increased criminal and foreign cyberattack capacity have raised Congress’ concerns.

“The increased interconnectedness of critical infrastructure, such as hospitals, pipelines, and wastewater plants, has furthered the proliferation of operational technology monitored by, and connected to, online computer systems which has also heightened risks.

“Malicious actors are demonstrating an increasing willingness and growing capacity to execute cyberattacks.

“For example, the Director of National Intelligence reported that China is almost certainly capable of launching cyberattacks that could disrupt critical services in the United States and would almost certainly consider doing so if it feared that a major conflict with our nation was imminent.

“Russia also remains a top cyber threat and seeks to improve its capabilities to target critical infrastructure.

“Also, hacking tools are now widely available to criminal organizations seeking to attack businesses large and small.

“’Critical infrastructure’ is a broad term that refers to physical or virtual systems and assets vital to the United States.

“Their destruction would debilitate the national economy, public health, or security.

“Often used examples include our highways, utilities, dams, food manufacturing facilities, and emergency medical services.”


“According to the Federal Bureau of Investigation’s 2022 Internet Crime Report, of 2,385 reported ransomware attacks, 870 effected critical infrastructure organizations.

“Healthcare and public health infrastructure was the most common type of critical infrastructure attacked.

“Presidential Policy Directive 21 has previously suggested a national framework on monitoring critical infrastructure.

“Under the Fiscal Year 2022 National Defense Authorization Act, there are currently sixteen defined critical infrastructure sectors.

“Each sector is assigned a so-called ‘Sector Risk Management Agency.’

“Importantly, Presidential Policy Directive 21 noted that each critical infrastructure sector possesses unique characteristics and risks, and therefore benefits from the specialized knowledge of federal agencies most familiar with regulating that sector.”


“Joining us today we have the Department of Energy, which carries out the Sector Risk Management Agency duties for the Energy Sector, composed of electricity, oil, and, natural gas segments, including their production, refining, storage, and distribution facilities.

“Nearly every industry depends on electricity and fuel.

“In fact, Presidential Policy Directive 21 identified the energy sector as uniquely critical due to its enabling function for all other critical infrastructure sectors.

“The Subcommittee welcomes Mr. Puesh Kumar, Director of the Department’s Office of Cybersecurity, Energy Security, and Emergency Response.

“Additionally, we are pleased to have Dr. David Travers from the Environmental Protection Agency’s Office of Water.

“The EPA serves as the Sector Risk Management Agency for the Water and Wastewater Sector.

“Safe drinking water is essential to human health and our nation’s economy, but water systems face increasing threats from malicious actors.

“Last, but not least, the Subcommittee welcomes Dr. Brian Mazanec from the Department of Health and Human Service’s Administration for Strategic Preparedness and Response that performs the Sector Risk Management Agency role for the Healthcare and Public Health Sector.

“This sector encompasses a diverse array of both publicly and privately owned entities, such as healthcare facilities, research centers, and the medical materials supply chain.

“Today, we hope to learn more about the emerging cybersecurity challenges that specifically threaten each of these sectors and what actions these agencies are taking to prepare for ever-evolving cyber threats.

“Also, much of our nation’s critical infrastructure network includes many non-Federal entities like municipalities and private enterprises.

“We hope to learn more about how agencies partner with other system operators to share information and coordinate efforts across their sectors.

“We will also examine some of the recent cybersecurity activities at these agencies to identify any legislative opportunities for them to improve their efforts or serve as more effective partners with stakeholders and with those of us in Congress.”