Chairman Guest, Chairman Ogles, and Ranking Member Correa, thank you for the opportunity to testify today. I am Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology. We are a 501(c)(3) non-profit critical action think tank focused on the implications of technology for our national security. Our cybersecurity program focuses on addressing misaligned incentives in the technology ecosystem that leave our critical infrastructure vulnerable. At IST, I also serve as Executive Director of the Ransomware Task Force.
To begin, I’ll ask you to think back to spring 2021. Five years ago next week, the Ransomware Task Force released its report with 48 recommendations for a comprehensive anti-ransomware campaign. Two weeks later, Colonial Pipeline was shut down by a Russian ransomware gang, endangering 40 percent of the gasoline supply east of the Mississippi. Government agencies were forced to warn Americans not to put gas in plastic bags, as gas lines in some states brought back memories of the 1970s. Since Colonial, we’ve seen attacks on the meat processor JBS, the LA Unified School District, CommonSpirit hospitals, Change Healthcare, CDK Global and more. Ransomware had risen to the level of an urgent national security threat that demanded our attention.
Today, I’m pleased to report that we are making progress in the fight against cybercrime. The national security threat posed by ransomware has decreased, thanks in part to the work of this committee.
But we cannot rest on our laurels. Criminals are constantly evolving–and so must we. Cyber fraud, from extortion-based intrusions to business email compromise, continues to cost our economy billions each year, with significant impacts on small businesses. Nation-state adversaries are leveraging the cybercrime ecosystem to target our critical infrastructure. And rapid advancements in artificial intelligence-enabled cyber tools threaten to erode many of the gains we’ve made in cybersecurity in the last few years.
Recent actions by the administration have emphasized the importance of countering cybercrime. However, challenges with cuts to the federal workforce and funding, as well as organizational upheaval, all threaten to stall progress. In addition, the administration’s strategic approach risks leaning too heavily on disruption, at the expense of shoring up our defenses at home. In fact, for the first time, we have seen material steps backward when it comes to implementing recommendations from the Ransomware Task Force. This committee in particular should continue its bipartisan oversight of the administration to ensure that CISA is able to carry out its mission in the face of significant cuts to its workforce.
Beyond the immediate changes needed, we must also look to the future. We will never achieve our strategic goals in cyberspace without moving upstream to make system-level changes. This requires a firm foundation for efforts like the Common Vulnerabilities and Exposures (CVE) Program, which helps the entire ecosystem understand and defend against cyber threats—and which is coming under increasing pressure from AI-discovered vulnerabilities. It demands more accountability for services, like residential proxy networks, that are regularly abused by criminals and nation-state adversaries. And it requires strengthening relationships among government agencies—and between government and industry—that are built on trust and emerge from truly collaborative engagements. Without these system-level changes, we will remain vulnerable.
I have several recommendations for this committee.
- The Committee should pass legislation authorizing key programs, including the CVE Program and the Critical Infrastructure Partnership Advisory Council, to ensure they are not interrupted.
- I encourage members of the committee to work with your counterparts to pass long-term (or permanent) extensions of cybersecurity authorities, including the Cybersecurity Information Sharing Act of 2015 and the State and Local Cybersecurity Improvement Act of 2021.
- The Committee should strengthen the ability of private sector and government actors to work together to disrupt cyber threats by authorizing the Joint Cyber Defense Collaborative (JCDC) and clarifying lawful defensive measures that private-sector actors can take when countering ransomware or other cybercrime.
- And finally, I hope the committee will continue to conduct effective oversight and investigative hearings, covering topics such as residential proxy networks, the Cyber Response and Recovery Fund, the rise of product security regimes, measures to disincentivize extortion payments, and the effect of AI on vulnerability disclosure.
As leaders in the House on cybersecurity issues, I also hope you will work closely with other committees on cross-jurisdictional issues, including CISA funding, cyber insurance, expanding the E-Rate program to include cybersecurity, and additional oversight of the “Salt Typhoon” incidents carried out by the People’s Republic of China, which targets the telecom networks that form the backbone of our everyday communications.
2026 is a decisive moment. We can see the potential opportunities and dangers from AI on the horizon, but there is still time to act. As Americans, what we need today more than anything is leadership. When we move decisively, we can seize the initiative from adversaries and materially change the cybercrime landscape. I hope today’s hearing is an opportunity to jumpstart a new wave of bipartisan, effective, and transformative cybersecurity policy.
Thank you again for the opportunity to testify. I look forward to your questions.
