tv Key Capitol Hill Hearings CSPAN September 25, 2015 6:00am-8:01am EDT
our team members at nsa include analysts, collectors, operators, mathematicians, linguists, cryptographers come engineers, computer scientists, and too many of the skills to list you by name. our workforce ranges from high school in terms to junior enlisted members of the military to senior executives at the civilian service and flag rank officers in the military. nsa personnel are well educated with over 75% of our civilians
holding bachelor's degree or higher. our military and civilian linguists working in our foreign intelligence mission of proficiency in over 120 different foreign languages. almost 40% of our employees work in the science technology engine and mathematics fields. they hold the majority of the over 200 patents that have been granted to members of the nsa workforce. more patents than any other federal agency. in addition to working every toy to keep our country safe, our employees help enhance the local communities by doing to much volunteering in classrooms, planting community gardens and helping to clear the appalachian trail. they don't thousands of gallons of blood to the red cross, contribute millions to the federal charity drive, give tons of food to the feds the family hungry drive. nsa and its affiliates our volunteer fireman, marines collected for toys for tots campaign, soldiers coaching little league, sailors volunteering to clean the
chesapeake bay and civilians leading girl and boy scout troops. in short, they are your neighbors. nsa employees work hard, work well to keep our nation safe and protect our civil liberties and privacy. let me explain to me duties and nations in more detail. nsa's information assurance mission is to protect national security systems such as systems that process classified information. we generate ideas for defending these networks and impart valuable security and sides so the public and our allies may benefit. we ensure our nation's leaders and military can communicate securely and that adversaries cannot gain access to our nation's secrets. that work also enables us to develop new opportunities to share warning and cyber insides with the private sector so america can improve its overall security and integrity of its information systems and critical infrastructure. nsa has evolved with the changes
in technology as the world has shifted from analog to digital. following the emergence of networks in our modern mobile society. as a result nsa plays a key role in cyberspace, assisting u.s. government efforts to see, mitigate, and deter cybersecurity threats. in concert with public-private and foreign partners our workouts to ensure users, operators and administrators maintain control of their systems and data. nsa gives our leaders elected, gives our leaders should make insight into the hostile activities of foreign powers and their agents. our people lead the intelligence enterprise defending america and our allies by collecting, analyzing and reporting foreign intelligence and counterintelligence information derived from the interception of foreign signals and communications. nsa does this work in accordance with law and strict guidelines and only by collecting foreign
intelligence in response to specific requirements from u.s. policymakers and senior u.s. commanders which are deemed necessary to advance the nation's policy goals, to warrant an report on strategic and military development around the world, and to prevent strategic surprise. what nsa collects and analyzes is driven by the priorities listed by our nation's political and military leaders, and we work within a framework of law, rules and oversight provided by congress, the executive branch and as appropriate the courts. that system of accountability ensures the privacy and civil liberties of u.s. persons. on a daily basis in essay provides insights into hostile plans and intentions so that our customers and partners can count threats across the globe. our military and its partners will on nsa to help it achieve tactical and operational success. our products are part of the
fight as essential to military operation is food, fuel and ammunition. our requirements include a wide range of -- one of the most important is counterterrorism. discovering terrorist plans, intentions, communications and locations to disrupt and defeat the attack. as a combat support agency nsa directly supports a military with information to perform its mission and to provide force protection, indications and warning and overwatch support to keep our troops out of harm's way. our work helps the united states and its allies capture bomb makers, spot a list of fund transfers, work transnational crime and explain to other nations how terrorists hope to transit their territory. we also worked identify potential threats to u.s. citizens, military personal and embassies around the world. in addition we devote considerable resources to the international campaign to halt the spread of weapons of mass
destruction, tracking reporting ensuring david to keep nuclear, biological and chemical weapon out of the wrong hands and keep the nation safe. we also assist the efforts of the department of homeland security to protect america's critical infrastructure from cyber attacks. and, finally, we support you cyber command which i also read and will continue to command to develop the capability and capacity it needs to accomplish its vital missions. as you well know the threat environment both in cyberspace and in the physical world is constantly evolving. we must keep pace in order to maintain our advantage to generate the insights that our nation is counting on. our nation's networks, communications and data are increasing at risk from diverse and persistent threats. these include rogue states, organized criminal enterprises, and a terrorist who were showing a willingness to and the aptitude to employ sophisticated capabilities against us, our
allies and, indeed, anyone who they perceive as a threat or lucrative target. the targets other efforts extend well beyond government into privately owned businesses and personally identifiable information including the privacy and data of all americans at risk. and terrorist tactics, techniques and procedures continue to evolve. those which seek to harm us use the same internet, same mobile fumigation devices and the same social media platforms that we all use in our everyday lives. as terrorists become more savvy, we must keep pace in order to protect the nation and our allies. nsa will continue to rise to these challenges. as an enterprise we've had to reinvent ourselves before and we will do so again. the use of intelligence to protect our nation dates back to
the very origins of the revolutionary war. nsa predecessors working with the world war ii partners found german u-boat. to help turn the tide of the war in the pacific at midway by cracking the japanese codes. today that men and women of nsa fight terrorists around the globe. today we target the communications of terrorist organizations who mean to do us harm, helping to uncover a thwart their efforts to committee with sleeper cells around the world are recruit fighters to their cause. it means a few negations have changed but the requirement to maintain our ability to collect and exploit recommendations of hostile foreign actress remains constant. when the information revolution transformed communications, nsa help lead the way toward information assurance and pioneered intelligence in cyberspace. while enabling military and counterterrorism operations in
real-time. in full compliance with the constitution and the law. every nsa employee takes an oath to preserve, protect and defend our constitution and civil liberties and the privacy of our citizens that the constitution guarantees. we just repeated this oath across her workforce on 9/11. security and privacy are not trade-offs to be balanced but complimentary imperatives and nsa supports both. the complex issues he forced to they represent an opportunity to write yet another chapter in our agencies rich tradition of service to the nation. nsa plays an indispensable role in enabling our leaders to keep the peace and security nation. our value license positive outcomes for the nation and our allies and we have delivered it is for well over 60 years. our unique capabilities are more in demand and more important to the nation security than ever. are rightfully proud of that punishment and while we continue to accomplish, and we're striving to ensure that the
american people take pride in nsa. mr. chairman, madam vice chair the members of the committee thank you again for the opportunity to be with you today, and i look forward to your questions. >> admiral rogers, thank you. members, we will go to five minute rounds based upon seniority. admiral, cyber threats continue to grow both for the public and private sector. nsa faces stiff competition from the private sector at recruiting those individuals with the skills that are needed. what can you offer at nsa that silicon valley can't offer? >> i think the difference for us is, you would acknowledge, chairman, we are competing for much of the same workforce. the vantage that we have in my mind is that unique to the cyber mission. i've experienced this as a uniformed individual for the last 34 years.
it's the power of mission and the sense of serving something bigger than yourself. that ultimate is the energy that we have. that's not something you can easily replicate on the outside. it enables us to attract cutting-edge technology, incredibly motivated and capable men and women, even in the face of the fact that they can earn a tremendously great amount of money working on the outside. but it's about since admission and that the sense of purpose, it's that ethos of culture in compliance the fuel but i think is our greatest advantage. >> nsa plays a significant role in counterterrorism efforts, discovering terrorist plans, intentions, to negations and locations to disrupt or to defeat their attack. obviously we can go into great detail here, but to what extent can you discuss it? please elaborate on what nsa is doing to combat terrorism, and more specifically, something that every american is focused on, and that's isil.
>> so without going into the details of how we do this, we broadly used our ability to work communications in the foreign space, to generate insights into what isil and other groups are doing. largely through our cyber and our signals intelligence expertise. the challenge i would argue in the counterterrorism mission set for us whether it's isil, i've seen the same thing in a tight and al-qaeda in the arabian peninsula, for example, i see more changes in to behave in the last two years probably than any other target. to actively reference some of the compromises and media leaks of the last couple years. we know that they have achieved a level of insight as to what we do, how we do it in the capability we have a quite
frankly they didn't have in the past. as a result of that it has become harder, more difficult to achieve insights as to what they are doing. combined with, in fairness, the broader changes in technology we are seeing, encryption, use of apps that offer end-to-end encryption, more complicated attempts to attempt to hide in the broader sense of the noise out there. the positive side to me though is indian, it's not technology. it is about the motive that men and women of nsa. that's our edge. i always remind them the nature of our profession is that we tend to gain advantage over those advantage over time because their behavior always changes. >> why should the american people care whether you're successful or not? >> because the insights that nsa is able to generate directly help to ensure the security of
every citizen of this nation as well as those of allies and friends. i will not the one that pretend we aren't perfect organization that i'm very proud of mission set, the way we do it and quite frankly the only reason i'm still doing this is because i think the nation that nsa does incredibly important to the nation and our allies. >> what is your greatest resource challenge right now? >> requirements far exceeding resources, whether come to look at the growth of cyber challenges, you look at the proliferation of communications technology, trying to stay on top of this with the workforce that has not grown. we are in our fiscal year, 16, which we will start on october the first, we will set the budget comes out but we project this will be the fifth straight year of decline budget, and so one of my challenges as a leader is how do we continue to generate insights the nation is
counting on even as the resources we use to generate insights continue to decline. >> think you admiral. i will turn to the vice chairman spirit thanks very much mr. chapin. i'm going to try to get through three questions in five minutes. let's go if i might to the usa freedom act. how long did it take one of your analysts to do a query under the old bulk collection system and how long does it take to do a query under the new system at the telecom companies? >> now, if i could companies and asking how long it takes to conduct a quick, that includes both getting court approval and denounce that goes into decided we need to query the data. under the old system there were several different, we had emergency authorities for example, that i could use which were the very quickest. under those authorities generally we could do the analysis, the team could make the case to me as to what i needed to use those emergency
authorities when i believe that there was insufficient time to get to the court. on those handful of occasions in which i have done that, i have notified the attorney general and writing, i notified the fisa court inviting as to what i did what i did what i did with the basis of my determination was. in each case the times i attempted a world driven by the fact that we were getting ready to pursue tactical action somewhere in the world that i was afraid was going to precipitate a reaction from isil and other groups. and as a result i've authorized access to the gate and then inform the court and the attorney general. that process probably anywhere, all the analysis, then briefing me, me approvingly, them going in and look at data, probably something less than 24 hours. if you count everything. the average under the old system, not using that emergency basis, with something, i think the fastest we ever did the entire process was something on
the order of two days using the normal processes. the average was closer to 46. >> are you saying you have to use the emergency more often? >> no. >> you said five or six instances. >> we query the data multiple times through court approval speed so you are saying it is faster now? >> no. you asked me to get their old versus new. let's try to get a framework under the old system. under the new system because it's not implement i can tell you right now. we are in the process of transitioning. the transition must be complete by the end of november 28 so we have not completed the process yet. that's why the legislation we passed, this will take some number of months to work with the provided to make a tactical changes on the provider side. >> second subject. sunday's "new york times" reported that our country ask the chinese to embrace the united nations code of conduct
on principles for cyberspace, that no state should allow activity, quote, that intentionally damages critical infrastructure and otherwise impairs the use and operation of critical infrastructure to provide the services to the public. from your perspective would a cyber arms control agreement along these lines be valuable? would it be enforceable? >> first that's a broad policy question. entrance of the input, my opinion, the devil is always in the details. i'd want to understand the specifics of exactly what we are talking about. >> that is a good duck. it just doesn't like. >> i apologize but there are so many variables in this. >> let's move on. i wanted to ask about the use of encrypted communications by terrorists and criminals. the fbi director came before us as you know and gave us very stark testimony about going dark
and how big the problem was. do you believe that the increased use of this kind of encryption and apps as you pointed out poses a national security threat? >> yes, ma'am. i am concerned that the direction we're going as effectively, if we make the changes, represents a significant challenge for us in terms of our ability to generate insights that the nation is counting on. >> can we make changes? >> it's a complex issue. i make a couple points. first, i don't think you want the government deciding what the right answer is. we've got to collectively get together between the private sector, government, industry, policy from the technical side and sit down and figure out how we are going to work away through this. i'm the first to acknowledge this is an incredible conflux topic and are still simple and easy answers. i believe that anything if we put our mind to it we can ultimate come up with a solution
that is acceptable to a majority. it likely will not be perfect. i'm the first to acknowledge you to want me for intelligence organization making those kinds of decisions. you don't want us able to unilaterally do that, i'm the first to acknowledge that. >> thank you. thank you, mr. chairman. >> senator coats. >> thank you for your service, and appreciate you. follow upon senator feinstein's question. if i heard you're right, under the old system given the procedures you go through, if it's an emergency you can get clearance in less than 24 hours? >> under the previous framework i as asked the director of nsa s delegated the authority in emergency situations authorized access to the data to identity go to the court and the attorney general and put in writing what i did, what i did and what the basis was.
>> what if it's in the? what he did get a call that a plane took off in boston, turned south toward new york was scheduled to go to montréal and you said that will arrive in new york airspace in 15 minutes? >> that's one of the reasons for that emergency authority. so that i have the authority under the current system, now as we kinds -- transition to the new law, i have lost that authority. it is now been raised to the attorney general. i will have to approach the attorney general or why she needs to authorize emergency access speed and so we are adding time to the process? >> it is probably going to be longer but i suspect we will find out. >> based on my question then, your answer is something that imminent probably can't be addressed in time to put up the defense's? >> not in minutes.
>> you stated in your statement here that nsa works daily to protect privacy and civil liberties. of well over 50 million major insurance companies in my state. we seem bridges everything from retail stores to you name it. obviously, those occur partly because those entities did not have the procedures in place to block that. nsa does. and yet you're criticized, your agency has been criticized, for being too loose on privacy, and trusty. but all the information, and you are collecting phone numbers whose names of individuals you don't know. and the breaches are occurring
with all kinds of information of when you report and what results is pretty number and what your bank account number is and everything else. so give me again for the record just what kind of things in as they went through and continues to go through that protects privacy and civil liberties. and if you can an explanation of why nsa is deemed untrustworthy, holding information, and yet we rely on institutions that leak this stuff by the tens of millions. >> let me answer the second part first. it's one of the great challenges for me as a leader and i would argue for us as a nation. increasingly we find ourselves as a society distrustful of government writ large and in aftermath of the media leaks in a say in broad terms.
i think that's both a part of this broader environment that we could live in right now. usage in fact were unable to achieve, you lives everyday in your political life, are unable to achieve political consensus on difficult issues that face the nation. we have strong opinions and yet we can't seem to come to consensuto aconsensus about howe forward on many things. what is happening to innocent as a part of that broader context. we find ourselves in a position where we acknowledge we must follow the law. we acknowledge we must operate within a legal framework and a set of authorities and policies. we do not indiscriminately collect the evidence we do is driven by the law and the set of priorities as to exactly what we do and what we focus on. those priorities are designed to generate insights to help defend our nation not to violate people's privacy. in the world we're living in now that seems to get lost in the ether in many ways. part of the challenge being is a class that organization, and how we do what we do because i can't
go into great details about, this is exactly why you should feel comfortable, let me walk you through all the things we've done that you have no clue about what you should feel comfortable about. what we put in place to ensure the privacy and civil liberties of our society, you look at the legal framework on the collectively was created for the call data records, usa freedom act if you look at what we've done in terms of complying with court orders. you look at what we've done in terms of nsa has had three major outside reviews of 702, section 215, the call data records of our collection in general. everyone of those reduced has has come back with the same conclusion, you can argue with the law is good or bad but in this is fully compliant with the law to nsa is a systematic system in place designed to which are oversight and protection of the data we
collect. we ensure that not anyone in the workforce can access any one that we collect to call data records, for example, section 215 out of an organization as a told you to my opening statement is close to 40,000 we had limited access to that data to approximate 30 people, by design. we understand the sensitivity and divorce updated that we collect and we need to ensure that we can tell you as our oversight as well as the broader citizens we defend that we are not arbitrarily misusing this data can do when opening it up to just anyone in our workforce who wants to look at it we take those duties and those responsibilities very seriously. each one of the three major independent reviews we've had in the last 18 months have come at the exact same conclusion in that regard. >> senator wyden. >> thank you, mr. chairman. thank you, admiral, or your professionalism. let's see if we can do the first question on bulk collection, the
spread of collecting all the millions of phone records on law-abiding people with just a yes or no answer because i'm a senator feinstein got into some of the questions with respect to implementation. i have heard to comment on this but i'd like to see if we can do this on the record. you expect that anything bulk collection is going to significantly reduce your operational capabilities? >> yes. >> in what white? >> right now bulk collection gives us the ability to generate insights. we called it discovery. gives us the ability to generate insights as to what's going on out there. i'd also encourage the panel as well as the committee as well as the nation to redo the national academy of sciences we view in which they were specifically ask him is there an alternative to bulk collection. is there other things we could do about that could potentially replace nsa's current approach to bulk collection, and that independent an impartial scientc
found a body came back and said no. under the current structure there is no real replacement and that bulk collection as used by nsa generates value. >> passion of the present advisory committee disagrees with you. they had an independent group appointed and they said, and i believe it is paid 104 of their testimony, that there was no value to bulk collection that could not be obtained through conventional means and it specifically cited. by the ascii about encryption, because in my view, this is a problem largely created by your predecessors, general hayden and general alexander, specifically. i believe they overreached with bulk collection, that undermined the confidence of consumers and the companies responded because they were concerned about the status of the products with strong encryption. so at that point i began to be pretty concerned because it looked like the governments
position with companies would be required to build weaknesses into the products. now the discussion has shifted to whether there should be the availability of encryption keys to access these products. now, i don't want to go into anything classified or matters relating to executive branch discussions, but let me ask you about a policy matter. as a general matter is that correct back anytime that are copies of an encryption key, and they exist in multiple places, but also creates more opportunities for malicious actors or for hackers to get access to the keys and? >> again, it depends on the circumstances, but if you want to paint a very broad like that for a yes and no, then i would probably say yes. >> okay. i'll quit while i'm ahead. what concerns me, admiral, seriously is that has this
question access to encryption keys is pursued, and i think that's where we have moved. as i indicated to you in our conversation on the original position which looked like companies would have to build weaknesses into the products, which i think is a staggering development, it seems now it is shifted with the questions that they built a keys. you just told me as a general proposition when there are multiple keys, and there will be multiple keys, that creates more opportunities for malicious actors or foreign hackers. and today the good guys are not going to be the only people with the keys. there are going to be people who do not wish this country well. that's going to provide more opportunities for the kinds of hacks and the kind of damaging conduct by malicious actors that i think makes your job harder. i think you're doing a good shot. i think you've been straight with the congress and certainly with me.
but that's what concerns me about access to malicious keys and i appreciate your answer on the. will take a look at page 104 of the president's advisory committee because on this question of operational capabilities, not only do we not have any cases that indicated that there was a compromise of the abilities of our intelligence community, it was the unanimous finding of the presence experts. that page will give it to you thank you, mr. chairman. >> senator rubio. >> the chinese president of the leader of the chinese communist party xi jinping is going to be in the white house this week. receive the full honors of a state visit but our relationship with china is not a good place. they breached u.s. government databases, continue cyber attacks against other elements of our government. over the last 20 as we've witnessed the single largest financial wealth and a history of the world as chinese companies backed by the chinese government have sole proprietor dashed a proprietary data.
i think we should be disconnecting all scented database of to ensure our agencies that are responsible for protecting government databases are doing their job. i think we need to make the we will respond in kind to deter adversaries by china who will continue to attack us. my question begins by asking you which agreed a public public discussion on an offensive cyber capability would be an effective deterrent speak with i think we as a nation need of a very public discussion about how do we achieve this idea of deterrent because we don't change the current dynamic we are not in a good place and we've got to fundamentally change the dynamic we're dealing with now. >> as the director of nsa and has command of the cyber command have you provided advice to the president -- on the ascii what advice is that you have you provided advice to the president or the white house for
appropriate measures for us to respond to such attacks? >> yes. >> i understand your not charge with grading policy but has the widest thought drippings on policies relating to these matters, specific on a more effective cyber deterrent and best practices for securing u.s. government system? >> yes. i'm very happy in the process in the sense that hey, i'm just one perspective. i've certainly had the opportunity to communicate my views as to what i think we need to do. >> i guess my last question is going back to the points i've raised about expelling chinese spies operating in the us as retaliation and also disconnecting the sense of databases on the internet, are these measures that you think are worthy of exploration, what they have any sort of deterrent effect would be part of a broader public discussion about this issue and? >> certainly in my experience one of the things we found, one of the challenges to get the cyber command, my other hat for
iq with penetration in the department of defense, the department of defense, one of the things we've come to understand is you need to minimize your exposure with what we call public interfacing websites. the flip side though is that there is a requirement in many instances to ensure information flow for the internet into systems. so the idea that you're going to be able to do some of these things with no internet connectivity, making it depends on the situation, can be problematic if you expect to have a flow back and forth spill one last question. i apologize, it's kind of a matter of doctrine mor more or . that doctors of most nations if not all under deserts of the difference between intelligence gathering on government and private entities. clearly multiple nations not all around the world have some sort of intelligence gathering capability at its target private that the government and actors in other nations especially those who we have an official
position with the is it fair to say for the chinese there's no such distinction, for then the notion of intelligence gathering the few commercial intelligence gathering and governmental commercial gathering as all part of their foreign policy and intelligence gathering capability? they don't have the distinction they have or other nations have. >> typically don't have the same lines in the sand without regard. i watched some of my counterparts there do things under our system i could never do. >> exactly. the point i'm trying to drive that because many americans are perhaps not fully aware of his that the chinese government actively encouraged as part of a national policy stf commercial secrets of american companies for purposes of building up their own capability. this is not like a chinese company packing an american company doing this is directed influence and funded by the chinese government itself. >> yes. >> thank you so much for your service. >> thank you, admiral rogers for
your service. let me just add an editorial comment to the chair and vice chair. my hope would be in light of the testimony of admiral rogers, that we could, again, urge respectively and both parties to bring that information sharing built that has passed out of our committee back to the floor. i think we do a great disservice to our country if we don't act on that legislation as quickly as possible spent the vice chair and i can assure we are working aggressively to get that back up and my hope is that members will have an opportunity battled to debate it but to amend it if need be in the month of october. >> thank you, mr. chairman. admiral rogers, i want to spend a couple of moments on the opm breached obviously. 22 million plus individuals now we understand 5.6 million fingerprints. we dug into that and i know you can't comment too much, but we
found, senator collins as i worked on legislation that says as we look at the responsibility of dhs to try to protect the dot gov regime, they don't have the same kind of abilities and responsibility that you have at nsa to defend the dot mil regime when it comes to cyber hygiene that dhs action has the ability recommend but not actually enforce. recognizing this they dashed this may be more asking for editorial review, you want to make a comment on the? >> i would argue those authorities detained dod networks really reside operation more in my cyber controller. are focused o focus on empowerig individuals beckley identified responsibility and authority and holding people accountable.
i think what we want to get you into dot gov domain is something quite similar over time. i think it's fair to say that we are not there right now. >> senator collins and i have legislation that would keep dhs similar type authority painful as that in effect chain of command ar. there still seems to be some lack of clarity about who is in charge and will. constantly including opm that dhs made recommendations about cyber hygiene that were not implemented by opm and a variety of other dot gov regimes. that to me seems not good process going forward. can you speak within this setting, what responsibility you have in protecting cyber, in protecting sensitive but unclassified data on the dot gov side of the house and? >> so i do not have immediate responsibility in the sense that
the structure is that i nsa work through dhs to provide support when it's requested. i am not in those networks. i am not monitoring those networks spirit and those opm has dhs requested your system? >> yes. >> again this is an area that i believe would be addressed this will hopefully with at least an amendment to the information sharing built and something i not senator collins and i and i think most of our colleagues share. we need to give dhs those same tools. let me switch over to them everywhere senator rubio was. i concur with him that while we have not formally identified the source of the opm breached there is speculation amongst members and the press, my comment as well that we do need for deterrence as part of our overall national strategy. i'd like you to make any comments you might have on, again, we are playing a different standards.
the chinese in july pass legislation that required all of their information systems and comfort to do business in china to that systems that were secure and controllable in terms of access by the chinese authorities which not only precludes any other kind of encryption tools american domestic companies are looking at, and to give i think raise huge concern. i agree fully with senator wyden i do think their concerns to be raised. but also this secure and controllable language. wouldn't that be an open to deliver chinese authorities to potentially get into those companies databases for property theft and other activities? >> so the chinese have a fundamentally different construct than we did. they believe in essence that access to the content of two medications and that is a sovereign right. we rejected that notion. it leads to some of the things
we've seen them do. it's why we have very publicly discuss this with our chinese counterparts because they need and we want to get to a place what we can both work together, but the current approach where we are so fundamentally apart, we've been very up front, this is not acceptable. we can't sustain a long-term relationship, a kind of relationship we want to this is the approach. that the privacy of individuals, the access to intellectual property is just viewed as something that's taken to a time and place of its choosing. it goes totally against offering the speed i hope our president will continue to raise this. my hope is summit of the businesses that lease on meeting with president xi the other day in seattle, i hope they will not default to a lower standard interest to try to accept the chinese market. thank you, mr. chairman. >> senator collins. >> thank you, mr. chairman. admiral rogers, let me add my thanks to those of the committee for your dedicated service.
you mentio mentioned in responsa question from senator coats that only 30 nsa employs have access to the metadata, authorized to grade the database. am i correct in assuming that those 30 employees were well-vetted, trained, and that they would be held responsible if there were any misuse of the information? >> yes, ma'am. >> had there ever been any misuse of the information that you are aware of? >> no, men. that's another thing i would highlight in terms of oversight and compliance. for example, for those 30 individuals we monitor every keystroke to use in trying to access the data. we don't do that for every one of our tens of thousands of other employees. we do in this regard because we realize the sensitivity of the data. >> i think that's an point that should have been reassuring. to me it's very iconic that the
usa freedom act was passed under the guise of the increasing privacy protections for the american people, when there are 1400 telecom companies, 160 wireless carriers, not that you're necessary going to have to deal with all of those, but isn't it likely that far more than 30 people will not be involved in this process speak with yes. i would expect that to be the case. >> and given that those companies market and sell a lot of this information, parts of the privacy applications far greater with this new system -- are not -- and a careful system that you describe with only 30 people authorized? >> i would respectfully submit that's for others to decide. >> well, i think from your, understand why you were saying that but i think one just looks at the numbers, the case becomes
very evident. in the usa freedom act does not require the for the telecom companies to retain the call detailed data. and by that i'm not talking about content. i'm talking about call detailed data. that's another misconception that some people have. there's no requirement that that data be held for any particular period of time. companies hold for the own business records purpose. is that a concern to you? >> based on our initial interactions with the providers as we move from the old structure to new structure where the providers of the data, in talking to them there's a pretty wide range. we are right now did with the three largest who really have been the focus of the previous structure. we will bring additional online as you indicated. among those three, a pretty wide range of how long they opt to
choose data, retain data and for what purposes. again under the construct, that's their choice. we will have to work our way through this. one of the things i've always promised in the discussion about that led as part of this legislation was, once we get into this new structure, what i promise will be honest and direct feedback on how this is working. is a detective, is it not effective? what kind of time duration is it taking us? what are the operational impacts what i promise i'll bring that back once we get some actual experience. >> we appreciate that. let me turn to a different issue, and that is the protection of our critical infrastructure from cyber threats and cyber intrusions, which is an issue that's long been a huge concern to me. the department of homeland security has identified more than 60 entities in our critical
infrastructure where damage caused by a single cyber incident could recently result in $50 billion in economic damages, or 2500 immediate deaths, or severe degradation of our national defense. >> is based by sector but on average i'd say right now i can depend on the second republic at a 55 or six. it's not where we need to be. clearly.
>> so there's still a severe problem in this area that makes us very vulnerable and fascination speak with yes, ma'am. >> senator king. >> admiral rogers, greetings. with a shutdown of the federal government next week compromise national security speak with yes, but if i could just to go beyond that, in the last five days or so as when our publicly talk about this possibility of watching the reaction of the workforce of innocent you cyber command, very saying we are going again? who could easily get jobs on the outside and earn significant more amounts of money. this instability, this message to the workforce, ma and this is probably a pejorative, but you're a secondary consideration in a much larger game if you will that drives -- >> no, no. it's a smaller game. >> just drives the workforce. to the point where today i literally was talking to the leadership about we need to sit
down and think of how we go to keep these men and women are ever added to increase his -- >> keeping discounted men and women is hard enough to begin with because of higher salaries outside. there's a survey i commend your attention i was a bit for the record done late last year of national security professionals across the government. one of the fascinating result is that you of political dysfunction they rank as a higher threat to national security than a nuclear-armed iran, vladimir putin, china's military buildup or north korea. the only thing above political dysfunction was islamic extremism. so that it is shocking. let me move on. political dysfunction and national security threat, pogo, we have met the enemy and he is us. a couple of other question. questions. deterrence can be talked about it briefly. i want to emphasize he testified you into an indication with the white house on this issue.
i think this is got to be high priority. deterrence doesn't work as people know about it and it's got to be a strategy because right now we are in a fight, the cyberwar has started. we are in the cyberwar with our hands tied behind our back. we would never build a destroyer without guns. we've talked about this before. i hope you will carry this message back, because we got to fashion a theory of deterrence, otherwise we are going to lose. you cannot defend, defend and never punch back to if your opponent knows you not going to punch back, it should not going to go anywhere. if you can find a question in there you're welcome to it but i think you understand -- >> yes, sir. >> you are a very strong advocate and your the right guy to take that message. another question that's been touched upon is the idea of a cyber nonproliferation treaty. i find that a fascinating
concept. i wish you would expand a bit on that, that we can establish some rules of the road in this field for our mutual protection of the various countries that are cyber capable. >> i certainly think we can get to the idea of norms. formal treaty i don't know. one of the challenges in my mind is how do we build a construct that works for both nation-states and nonstate actors. one of the challenges in cyber is the fact that you are dealing, unlike the nuclear deal, you are dealing with a much greater number of factors, many of them quite frankly i'm not nation-states and have no interest in sustaining the status quo so to speak. if you look at isil and other groups, their vision would be to turn the status quo didn't get they are not interested in stability. >> i just think that this is a
promising area with other nation-states. it's not going to be the whole solution but if there are states like russia or china that are willing to have this discussion, i think it's a profitable discussion, along with the idea of deterrence. because we are asymmetrically vulnerable in this war. we are the most wired country on earth and that makes this the most vulnerable country on earth. i appreciate your testament and the work you are doing. you've testified a few minutes ago that you had a variety of reactions from the telecoms about retention levels. you said they were short to long. what's the shortest that you have been informed of? >> i want to say something on the order of 12 to 18 months. >> okay. so that's on the short end. i hope you let this committee know if it goes below that level. because at that point it becomes very automatic as to whether or not a date had been retained
will be of usefulness in a national emergency. >> i will. >> thank you apple. thank you, mr. chairman. >> admiral kime thanks for being here come your leadership and you were. we've had multiple conversations and appreciate what you bring to this. answer this for me. what else can the nsa do to help other agencies with cybersecurity deficiencies? what assets can the nsa bring to bear to be able to help on this? i think into coming to clinton is as much as you end up trying to defend the how do we get proactive on this? >> what i'd like to do, innocently part of a broader team. what i'd like to do is be proactive and get ahead of this problem set. >> car with the agency is responsibly to take on and make sure that the systems are all protected and it doesn't seem to be accountability the structure. the people advising agencies but what can be done proactively? >> could rebuild a framework
where someone from outside the organization is doing an independent assessment as an example. within the dod, largely underused cyber command authority but i also do this with nsa, i can go into any dot mil network in your infrastructure. i can assess it, test it, attempted penetrated i don't have to give notice. to the network owners come an example, that really does exist on that scale anywhere else in the government. i like to see what we can do to try to again get ahead of the problem set, try to replicate some of the activities we are saying from opponents ahead of time before they do it, test our ability. >> let me ask about auditing and negative equity on people and processes the image in on these 30 folks in the past every keystroke has been monitored. how often do you auditing and how do you ought at that?
we've had rogue folks in the past take information. >> auditing very spirit as i said those 30 individuals, a call data record database, that's probably the area we put more extra monitoring and controls in any other part of our structure. on the other hand, in the aftermath of the media leaks we've sat back and asked ourselves, so how could this have happened, what have we filled it as an organization and what do we need to do to ensure it doesn't happen again. we've put a series of capabilities in place where we can monitor behavior, capabilities in place will look at personal behavior more. although i will tear this is another issue that often can provoke a strong reaction from the workforce who says, so let me understand this, because the actions of one individual, you are now monitoring me, you're not watching may behave in a way that you didn't necessarily do before. do i want to work in a place like that?
atreides september the workforce and walk the here's what we do and here's why we do it. there's a reason behind district each one of us as involuntary except access to the information that we are given, we hold ourselves to a higher standard we hold ourselves to a different level of accountability as part of a quid pro quo if you're going to be an nsa professional, if you're going to be an nsa employee. but it is not lost on our workforce at times. >> let's talk about cyber and what we did with internationally at this point. biggest threats that we have, stay active, nonstate actors international? >> let me answer it this way if i could the greatest amount of activity is still criminal base. but when i look at from a national security perspective i would argue at the moment the nation-state represents a greater national security challenge if you will. went i look at the future there's three things and i've said this publicly that
concerned him most when it comes to cyber. number one is something directed, activity directed at conferences such. number two is passionate at the moment most of the activity has been left. what if someone gets in the system and start to manipulate and to the point where as an operator can all longer believe what you are seeing in your system. and a third area that i think veterans are concerned about the future really go to your question is what happens when the nonstate actor decide that the web now is a weapons system, not just something to recruit people, not just something to generate revenue, not just something to share their ideology? >> of the relationship between private industry and infrastructure both state and local utilities and the federal government, where do you think we are on the conversation level at this point? >> we are having the conversations click dhs is in the lead. were having the conversations. it's a little uneven. some sectors more than others.
we are all victims of the culture. the culture i'm from as informed individual is, it isn't enough to talk you must physically get down to execution level detail about how you're going to make this work. how are we going to courtney this. i don't want to get into the crisis and for some of you with some of his weather network is penetrated. i'm watching david strain at the end i can say something about your basic structure that's not the time to have this dialogue. >> okay, thank you. >> senator hirono. >> thank you, mr. chairman. admiral kime thank you for your service and for being here today. you and director clapper had testified before a house committee that data manipulation of which her perch as data destruction is probably on the horizon and while we can't do very much about those kinds of behaviors on the part of nonstate actors, is it a very
incumbent on us to engage in discussions, and have some of my colleagues have referred to, as proceeding toward the goal of a cyber arms control agreement with certain state actors who have that capability? >> i don't know if an arms control agreement isn't the right answer, but speed whatever it is we've come to some kind of understanding so that state actors to engage in manipulation and destruction of data. i think that would be just totally -- >> i would agree. we have been able to store going, as i said i could remember at the height of the cold war we know exactly how far we could push each other out of there. we've got to get to the same level of understanding in this domain and we are not there right now. >> do you know whether, with the president of china's visiting whether the cyber issues would e discussed by the two leaders of? >> i think the national security advisor and the president and republicans think they will raise the full spectrum of issues to include cyber with
their chinese counterparts. >> i have a question relating to the opm breach. our understanding is that 19 or 20, of 24 major agencies have declared cybersecurity is a significant deficiency further agencies. you indicated that the nsa doesn't have immediate responsibility to help those other agencies, but that you would respond at the request of dhs. so has dhs made such a request to nsa that you become engaged in helping these other dot gov agencies to become, well, cyber safe? >> not in terms of the day-to-day per se. there has been a major penetration in the federal government in the last 18 months that nsa hasn't been called in to respond. i think the challenge, and i no dhs shows this, is we've got to move beyond the cleanup in aisle nine scenario, to come a ghost
in my response to senator lankford, how do we get ahead of the problem and start talking to our position about what other steps you need to take now to ensure they can't get in. not, they are in spirit are you engage in the process now with the 19 agencies? >> not with every agency, no. >> why not? >> under the current construct dhs has overall responsibility of the.gov back to me from you have to be as. >> so it's up on agency by agency bases that dhs asks you. and if they were to ask you to do with all of the dot gov agencies, would you have the resources speak with my first comment would be we have to prioritize. i'm expected to all of the dot mil another there's an expectation the same capacity as also going to work on the dot gov. my first comment would be we've got to prioritize, what's the
most essential things we need to protect spent as in all things we have to prioritize, i think it would behoove dhs, well, it would help, it could make such a request and then you can engage in prioritizing. speaking of resources i want to thank you for your frank assessment of what would happen if there's a government shutdown. ..