Skip to main content

tv   Hearing on Cybersecurity Policy  CSPAN  October 2, 2015 7:39am-9:59am EDT

7:39 am
>> good morning, we meet today to talk to robert work and the commander of u.s. cybercommand, director of the national security agency and chief of the central's dirty service, we thank the witnesses for their service and for appearing before the committee. we meet at a critical time in just the past year and we all know that the united states has been attacked by north korea, china, russia and the attacks have only increased, crippling our networks and compromising sensitive national security information. recent attacks against the joint chiefs of staff are just the latest examples of the growing
7:40 am
boldness of pushing acceptable behavior in cyberspace. new hacks are occurring daily. trends are getting worse, but it seems the administration has still not mounted an adequate response. they say that they will respond at the time and manner of our choosing but then they either take no action or pursue symbolic responses that have zero impact on our adversaries behavior. not surprisingly the attacks continue and they gain a competitive economic edge in improving the military capabilities. to demonstrate their own need to attack are critical of the structure and they do all of this at a time and manner of their choosing and more and more they are leaving behind what the ad while recently referred to as cyberfingerprints, showing that they feel confident that they
7:41 am
can attack us without mexican consequences. just consider the recent case with china after china's efforts to steal intellectual property and wage economic espionage against u.s. companies. instead last week's state visit simply a amounted to cyberand enabled the rat. what's worse is that the white house has rewarded china with diplomatic discussions about establishing norms of behavior that are favorable to china and russia and any internationally agreed upon with rules must recognize the right of self-defense is contained in article 51 along with meaningful intellectual property rights protections.
7:42 am
the administration should not concede this point to autocratic regimes who seek to distort or principles or detriment. we are not winning the fight in cyberspace. the adversaries put simply, the problem is a lack of deterrence. the administration is not demonstrated to our adversaries that the consequences of cyberattacks against us outweigh the benefits. until this happens the attacks are going to continue and our interests are going to suffer. establishing deterrence hires a strategy to defend and aggressively respond to the challenges to our national security in cyberspace and that is exactly what the congress required in fiscal year 2014 national defense authorization
7:43 am
act. that strategy is now over a year late and counting and while the department of the defense is a big improvement over previous such efforts, it still does not integrate the ways and means to deter the attacks in cyberspace. establishing deterrence also requires robust capabilities both ostensibly in defense of late that can pose a credible threat and a gold in which the committee remains actively engaged. the good news is that significant progress has been made in developing our cyberforce and that will include a mix of professionals trained to defend the nation to support the geographic combatant commands and to defend dod networks. this is good, but the vast majority of resources have gone towards showing up cyberdefenses and far more needs to be done to develop the necessary
7:44 am
capabilities to deter attacks and fight and win in cyberspace. policy and decision should not become an and capability development. we do not develop weapons because we want to use them. we develop them so as we do not have to. we are at a tipping point. he said that we have to broaden our capabilities to provide policymakers and operational commanders with a broader range of options. and we must invest more in the offense and capabilities that our teams need to win on the battlefield. we seek to address this challenge and a number of ways including our pilot program to provide us with limited authorities and finally we know the defense department is in the process of assessing whether the existing command structure can
7:45 am
elevate cybercommand to a unified command. there are worthwhile arguments on both sides of the debate and i look forward to hearing views on this question in his assessment of how and elevation might enhance our overall cyberdefense posture. and i also look forward to hearing from eyewitnesses what if any progress has been made on addressing disagreements within the agency on the delegation to use cybercapabilities. and i think the witnesses appearing before the committee and i look forward to their information. >> it is important to talk about this and i want to thank the director and the cybercommander
7:46 am
for their information. let me start with china. i expect we will have a robust discussion about china's can compliance china's leaders must be aware that the reputation may continue to decline if this does not stop, which ultimately will have it immensely negative impact on our relationship with china. i would also emphasize how important it is to embrace these norms, which include refraining from the tax on the other nations critical infrastructure. and that includes whether we can go to a full unified command and whether the commander of cybercommand also serves as a director of the nsa.
7:47 am
and i understand that the problem could elevate it to a unified command. we have questioned whether or not the arrangement should continue on an arrangement is made and put simply if they are so reliant that, leadership is necessary, is the command ready to stand on its own. this is an issue that the senator has drawn attention to and i think it's something that's very critical for this committee. and directly related to the military cybermission unit that we've had over the last two years. the department is leading this with training for personnel and that includes equipment, tools, and capabilities that remain
7:48 am
limited. and that includes a mandate that the secretary of defense designated this bill with a unified platform. and that includes command-and-control that is necessary for these forces to operate effectively. it will take a number of years to build these capabilities and we are behind in developing this military capability because the defense department was persuaded that the system is an capabilities that we are to have would be adequate to use inside the command. and this is an important commonality between intelligence operations and military operations and in some cases that turned out to be not accurate. and that includes articulating a strategy for implementing them. some believe that retaliation is
7:49 am
a necessary and effective component of an effective strategy and i look forward to hearing the views of her witnesses. as my colleagues and witnesses are aware, having reached an agreement i know that the chairman is in full agreement to pass that legislation this year. we must also recognize the defense department and intelligence community are protecting america's cyberof the structure, lying relying upon the department security protection of america's critical infrastructure and the use of contingency operations to avoid the budget control act helping the dhs or other nondefense partners avoid effective sequestration and this is another solution that we need. and finally i think it's important that we encrypt
7:50 am
communications and offer services for which even the companies themselves have no tactical capabilities. this fbi director has given multiple warnings that they will be going back. these and other questions are vitally important and i look forward to your testimony. >> i think the witnesses and the director, i have tried to impress. ..
7:51 am
i do want to take note of and thank the members of the committee who are engaged on this issue and have spoken to a publicly, as the two of you just half. the cyber threats are increasing in frequency, scale, sophistication, and severity of impact. although we must be prepared for a large armageddonlarge armageddon scale strikes that would debilitate the entire us infrastructure, that is not the most likely scenario. a primary concern is low to moderate level cyber attacks from a variety of sources which we will continue and probably expand.
7:52 am
this imposes increasing cost of the business and us economic competitiveness and national security. because of our heavy dependence on the internet nearly all information communication technologies and it networks and systems will be perpetually at risk. these weaknesses provide an array of possibility for nefarious activity by cyber threat actors, including remoteactors, including remote hacking instructions, supply chain operations to insert compromised hardware software, malicious action by insiders, and simple human mistakes by system users. the cyber threats come from a range ofa range of actors including nationstates which falls in the two broad categories, those with highly sophisticated cyber programs, and those with lesser technical capabilities with more nefarious intent such as iran and north korea but who
7:53 am
are also much more aggressive and unpredictable. then there are non- nationstate entities, criminals motivated by profit, hackers, extremists motivated by ideology. profit motivated cyber criminals we will i hung loosely networked online cyber marketplaces referred to as the cyber underground or dark web that provided a forum for the merchandising and elicit tool services and infrastructure. so on personal information and financial data. the most significant financial cyber criminal threats come from a relatively small subset of actors, facilitators command criminal forms. terrorist groups will continue to experiment with hacking which could serve as the foundation for developing market basket for these. cyber. cyber espionage, criminal and terrorist entities all undermine data confidentiality. denialdenial of service
7:54 am
operation and data deletion attacks undermine availability. in the future, i believe we will see more cyber operations that will change or manipulate electronic information to compromise its integrity. in other words counter intelligent risks are inherent when foreign intelligence agencies obtain access to an individual's identity information. of the problem the department of defense has encountered. they could target the individual, family members,individual, family members, coworkers and neighbors using a variety of physical and electronic methods. speaking of opm breaches, let me say a couple of words about attribution. it is not a simple process that involves three related but distinct determinations, the
7:55 am
geographic? of origin, the identity of the perpetrator, and the responsibility for directing the act. in the case of opm we have differing degrees of confidence in our assessment of the actual responsibility such malicious cyber activity will continue and probably accelerate until we establish and demonstrate the capability to determine malicious state-sponsored cyber activity. establishing a credible deterrent depends upon reaching norms of behavior by the cyber community. in summary the cyber threats have become increasingly diverse, sophisticated, and harmful. other law enforcement intelligence and sector specific agencies. every day each of these centers and entities get better at what they do individually.
7:56 am
i believe we have reached a point where we think it is time to knit together the intelligence's activities need to defend our networks because while they may be defending different networks they are often defending against the great sand threats. they integrate cyber threat intelligence, and i strongly believe the time has come for the creation of such a center toa center to parallel the centers we operate for counterterrorism, proliferation and security. >> chairman mccain, ranking member,mccain, ranking member, distinguished members of the committee, thank you for inviting us. the committee has led the way. the response to the threats and the departmentin the department looks forward to working with the committee to get better in this regard
7:57 am
cyber intrusion and attacks by state and nonstate actors have increased dramatically in recent years and particularly troubling are the increased frequency and scale of state-sponsored cyber actors these adversaries continually adapt and result in response to our counter terror networks. the critical infrastructure and us companies and interest globally. the recent state of cyber events to include the intrusions into opm, the attacksopm, the attacks on sony and the joint staff networks by three separate state actors is not just espionage of convenience but a threat to national security. as oneas one of our responses be released in 2015 the department of defense cyber strategy which will lead the development of our cyber forces and strengthen our cyber security and deterrent posture which is insane. the department is pushing hard to achieve the three
7:58 am
core missions as defined in the strategy. the 1st and most important is to defend department of defense network systems and information. sec. sec.information. secretary carter has made this the number one priority in the department command we are getting after it now. to defend the nation against cyber offense of significant consequence and to provide sever support operational and contingency plans and in this regard the us cyber command may be conducted to have programs along with other nations. now, my submitted statement contains additional detail on how we're moving out to achieve these three strategic goals. especially since i noi know this is key in the minds of most of the members here. i want to acknowledge upfront that the sec. and i recognize that we were not where we need to be in our deterrent posture.
7:59 am
we do believe that there are some things the department is doing that are working, but we need to improve in this area without question which is why we have revised our cyber strategy. deterrence is a function a perception that works by convincing a potential adversary the cost of conducting the attack file way any potential benefits and therefore are three main pillars of our cyber insurance strategy in terms of deterrence, denial, resilience, cost command position. they continued to perform their essential military task even when contested in the cyber environment, and cost and position is our ability to make her adversaries pay a high price i would like to briefly discussed these three elements, to deny the attacker the ability to
8:00 am
adversely impact our military missions we have to better defend our own information networks and data. wewe think the investments we have made are starting to bear fruit, but we recognize the technical upgrades are only part of the solution. nearly everynearly every single one of the successful network exportations that we have had to deal with can be traced to one or more human errors. they allow entry into our network. so raising the level of individual cyber security awareness of performance is absolutely paramount. accordingly, we are working to transform cyber security culture, something we ignored for a long time. long-term by improving human performance and accountability in this regard. we have recently published the cyber security discipline implementation plan and a scorecard that has been brought before the secretary and i every month critical to achieving this goal of securing data and networks and mitigating
8:01 am
risks. this scorecard holds commanders accountable for hardening and protecting their endpoints and political systems and also have them hold accountable the personnel and direct the compliance reporting on a monthly basis. the 1st scorecard was published in august of this year, and it is being added to an improved asend up as we go. denial means defending the nation against cyber threats of significant consequence. the pres. has directed dod working in partnership with other agencies to be prepared to stop the most dangerous cyber events. there may be times when they direct dod and others to conduct defensive cyber operations to stop a cyber attack from impacting national interest which means building and maintaining the capabilities to do just that. this is a challenging mission requiring high-end capabilities and i trained
8:02 am
teams building our cyber mission force and deepening our partnership with law enforcement and intelligence communities to do that. the 2nd principle is improving resiliency by improving the ability of our adversaries to execute mission in a degraded cyber environment. our adversaries view dod cyber dependency is a potential for time vulnerability. therefore, we fight through cyber attacks is a critical mission function which means normalizing cyber security as part of our mission assurance efforts, building redundancy when systems are vulnerable, training constantly. our adversaries have to see that these cyber attacks will not provide a significant operational advantage command a 3rd aspect of deterrence is demonstrating a capability to respond through cyber non- cyber means. the administration has made clear we will respond in a
8:03 am
time, manner, and place of our choosing, and the department has developed options. if successfullyif successfully executed, our mission requires a whole of government and nation approach, and for that nation we continue to work with our partners, agencies, and the private sector and partners around the world to address the challenges that we face. secretary carter has placed particular emphasis on partnering with the private sector. they do not have all the answers. we think it will be critical our relationship is absolutely critical. the secretary and i appreciate the support provided to dod cyber activities throughout from the very beginning, and we understand and are looking forward to the national defense authorization act to see if there are other improvements that we can do.
8:04 am
i encouraged continued efforts to pass legislation on cyber security information sharing. data breach notification and law enforcement provisions related to cyber security which were included in the presence legislative proposal submitted earlier this year. i know you agree the american people expect to defend the country against cyber threats. the secretary and i look forward to working with this committee and congress to ensure we take every step possible to confront the substantial risks we face. thank you for inviting us here and giving the attention that you have always given to this urgent manner. i would like to pass it off now to have more rogers, if that is okay. >> chairman, ranking member, distinguished rumors of the committee come i am honored to appear before you today to discuss us cyber policy. i would like to thank you for convening this forum and
8:05 am
for your effort in this important area. i amarea. i am honored to be sitting aside director klapper and deputy secretary of defense. it gives me great pride to appear before you to highlighting command the accomplishments of the uniformed and civilian personnel. i'm grateful for and humbled by the opportunity i haven't given to lead our team in the important work that they do in the defense of our nation and department. we are being challenged as never before to defend our nation's interest in values in cyberspace against states, groups, and individuals that are using sophisticated capabilities to connect cyber coercion, aggression, and exportation. the targets of their efforts extend well beyond government and into privately owned businesses and personally identifiable information. our military is in constant contact with agile learning adversaries in cyberspace, adversaries --dash on the capacity and willingness to take action against soft targets in the us. our countries integrating cyber operations and were
8:06 am
told strategic concept. they usethey use cyber operations to influence the perceptions and actions of states around the and to shape what we see as our options for supporting allies and friends in a crisis. we need to turn these activities by showing that they are on acceptable, unprofitable, and risky for the instigators. building capabilities that can contribute to cross domain deterrence and make our commitment even more printable. we are hardening our networks and's showing our opponent cyber aggression won't be easy. we are training a mission force that is defending dod networks, supporting joint force commanders and helping to defend critical infrastructure within our nature. partnering with federal, foreign, and industry partners in exercising together
8:07 am
regularly to rehearse concepts and responses to the structure cyber attacks against critical infrastructure. generating options for commanders and policymakers across all phases of conflict and particularly in phase to hold that risk what adversaries truly value the demand far outstrips supply, we continue to rapidly mature based upon real work to have real-world experiences and our service server components. icyber components. i assure the committee us cyber command has made measurable progress and are achieving significant operational outcomes and have a clear path ahead. with that, thank you mr. chairman and members of the committee for convening this forum and inviting all of us to speak. our progress has been made possible in no small part because of the support from this committee and other stakeholders. the stakeholders. the effort within our department and across the government is essential command i appreciate and i welcome your questions. >> thank you, avril, and
8:08 am
think the witnesses. director klapper recently, former chairman of the joint chiefs was askedchiefs was asked about various threats to the united states security and said that in aa range of threats we have a significant advantage accepted cyber. do you agree with that assessment? >> it is probably true. we have not -- we have not exhibited are potential capability. i think that is one of the implicit reasons why i have highlighted cyber threats in the last three years. >> thank you command you have done that with great effect before this committee as a result of the leader, the chinese leader in washington they're was some agreement announced the us and china. do you believe that will
8:09 am
result in an elimination of chinese cyber attacks. >> hope springs eternal. i think we will have to watch what there behavior is, and it will be incumbent upon the intelligence community to depict, portrayed to policymakers with behavioral changes, if any,changes, if any, result from this agreement. >> are you optimistic? >> no. >> thank you. apple rogers, you recently stated, there is a perception there is little price to pay for engaging in some pretty aggressive behaviors. because of a lack of repercussions you see actors, nation states willing to do more. what is required? what action is required to deter these attacks since there is little price to pay? what do we have to do to make it a heavy price to
8:10 am
pay? >> we must clearly articulate in broad terms what is acceptable. we have to clearly articulate that as aa nation we are developing a set of capabilities that we are prepared to use if required. they arerequired. they are not our preference. we clearly wish to engage in a dialogue, but we do have to acknowledge the current situation we find ourselves in. i don't think anyone would agree that it is acceptable or in our long-term interests as a nation. >> i say that with respect. i understand it is not acceptable. what would be, relations and other areas, counter attacks? in other words, what actions would be an hour range of arsenal to respond? >> potentially all of those things. the 1st comment, sony is an extract -- instructive example.
8:11 am
when you think about deterrent much more broadly and not just focused within the cyber arena i thought the response we talked about the economic options as a nation, exercise as a good way to remind the world around us there is a broad set of capabilities and levers available and that we are prepared to do more than just respond in kind. >> one of the things that has been disappointing to the committee is that in the fiscal year defense authorization bill. choir the president to develop an integrated policy the strategy is now one year late.late. can you tell us where we are in the process? what you feel is, what my bring the administration into compliance? >> you are asking me about policy development. >> yes. >> ii think i would defer to the secretary of work on that.
8:12 am
>> mr. chairman, as we have said over and over, we believe our cyber deterrence strategy is constantly evolving and getting stronger. >> i'm talking about a policy, not a strategy, mr. secretary. he required a policy, the fiscal year 14 national defense authorization act. >> a policy is still in development. we believe we have a good cyber strategy. the policy has been outlined in broad strokes by -- >> not broad enough. does it describe whether we deter or respond or whether we -- in other words, as far as i know in the committee's nose there has been no specific policy articulated and compliance with the requirement and the defense authorization act. if you believe that it has i would
8:13 am
be interested in hearing how. >> i believe that broad strokes -- >> i'm not asking broad strokes. suppose there is a cyber attack, do we have a policy is to what we do? >> yes. >> first we deny and then -- 1st we find out can't do the forensics. >> am not asking the methodology. masking the policy. do you respond by counterattacking, trying to enact other measures? what do we do in case of a cyber attack? >> or respond in a time, manner, and place. >> that may be one of the options. >> that is not a policy, secretary. that is an exercise in options. we have not got a policy. for you to sit they're and tell me that you do aa broad stroke strategy is not in compliance with law. >> thank you very much, mr. chairman.
8:14 am
director klapper, we are constantly engaged in information operation with many other nations and they are involved with information operations trying to influence the opinion, disguise activities, disrupt, etc. what agencies are under your purview or outside your purview were actively engaged in information operations in the united states and the cyber world? >> actually, sir, from an intelligence perspective we would see -- see that in that we don't, at least what i can speak to publicly, engage in that as part of our normal intelligence activity. theyactivity. they feed other arms, support other arms of the government, normally the state department,department, and is responsible for
8:15 am
messaging. the national counterterrorism center has an office that is devoted to countering violent extremism context, helping to develop themes or recommending themes based upon what we glean from intelligence as potential vulnerabilities and messages that would appear to the various groups to obfuscate the message, disrupted, or compete with it. but generally speaking, intelligence a large does not actively engage. >> are these other agencies that you provide information to adequately resourced and staff so that they can use it effectively? are they getting a lot of good insight and sitting around wondering what they can do? >> i think i would have a much more robust capability from the standpoint of
8:16 am
resource commitment to counter messaging. >> and that would fall outside the purview of intelligence for the state department? >> correct. >> the voice of america when it was a pretty dominant sort of source of information. >> personal opinion only, i would -- i think perhaps, you know, the usia on steroids that would address these messages more broadly and more robustly, but that is strictly personal opinion. >> in terms of what you are observing, particularly some of our competitors have been extraordinarily robust information operation. they don't like the resources or personnel and are constantly engaged in these type of information operations.
8:17 am
enhancing there image, discrediting them to come opponents, actively engaging local groups and other countries of interest, and we are on the sidelines. >> that is quite right. in contrast to us russian intelligence services are very active and aggressively engaged in messaging. >> thank you. admiral, this issue of encryption that was pointed to, your thoughts would be helpful. >> the issue that we find ourselves -- this is less for me on the us cyber command side and much more in the nsa side, communications in the world around us increasingly going to end-to-end encryption where every aspect is encrypted in the data in the communication is protected at a level that with the current state of technology is difficult to overcome. clearly that is in the best interest of the nation, and
8:18 am
strong encryption is important to strong and chinainternet defense and a well defended internet is in our best interest as a nation. within that broad framework the challenge where trying to figure out is realizing that that communication path is used by law-abiding citizens, nationstates command companies engaged in lawful activity. .. in the end i think this is
8:19 am
about how to we get what's best, when i look at our capabilities of a nation there is nothing we can't overcome if we work together. i think that is the way ahead in broad terms. >> thank you very much, mr. chairman. >> thank you mr. chairman. you've given us a good summary on the threats that we face and the threats that are occurring today and i appreciate that. senator mccain asked you about reporting on the policy that congress has passed asked you to report on and that has not been done. the house and senate agreed on requirement that the services need to report on the threats. that is something that came out
8:20 am
of our strategic subcommittee and eventually expanded to include all weapon systems not just satellites and national missile defense. we don't have that final report. this budget, i believe, has $200 million in it to help fund this effort. what can you tell us about that? >> first it may take some time. if it does, i understand. i don't we have had any report from the dod to state what progress you've made and how much longer it will take. >> again, on both points, on the policy we expect it is in the final the liberations. it is an interagency effort. we are trying to establish norms and deterrence which is essential to the policy.
8:21 am
i'm the first to admit that we are the farthest ahead on the denial and the resilience part. those are the areas where we are moving faster. we have elected to attain the retaliatory mechanism just like nuclear weapons because of the risk of escalation. >> what about the other vulnerability to our weapon system? >> it is a big, big problem. many of the weapon systems we have now were not built to withstand a cyber threat. going through every one of the weapon systems, he has prioritized prioritize the weapon systems and is working through very carefully, and i expect this work to be done very soon. we now have new requirements in our key performance requirements. >> so you've indicated an
8:22 am
individual to be responsible for this? >> yes. this individual is working with our cio and the cyber command and all of our cyber experts. he is responsible for taking a look at the weapons system and also requiring key performance parameters to make sure they have security built in from the beginning. >> do they maintain and build the systems and have highly sensitive information -- are we satisfied their insufficiently protected? >> we certainly recognize a vulnerability there. we've made changes to the contractual relationships between us and those companies where they have to meet security requirements and inform us of
8:23 am
penetration. we are clearly not where we need to be but we continue to make progress. >> i think it's a bipartisan commitment on congress to help you with that. if it takes more money, let us know. we will have have to evaluate it and i also understand that some of the protection can be done without much cost and some might require considerable cost. we hope that you will complete that. mr. rogers, i believe last week you reported in the los angeles times about the threat from china. you know one thing they are involved in obtaining u.s. commercial and trade data. they are a foreign nation, nation, advanced ally of ours and i was told one of their company's bid on a contract and the chinese got all of the bid data from the web.
8:24 am
his comment was, it's hard to win a bid when your competitor knows what your bidding. is that kind of thing happening? >> it has been an we've been very public with that. i think that's reflected in the agreement that you raised during the president of china's visit last week when we were very concerned about that. >> my time is up but i would just ask, if you saw an american business being damaged through improper action, you're not allowed to advise them or share any information with them while our adversaries do their business. is that the way it works? >> the way this works is i would provide information and insight. if under that authority i became aware of activity, i would share the insight with dhs and the fbi to interface with the private sector much more than i do.
8:25 am
>> thank you mr. chairman, and pink all three of you for your service and being here today. which country is the most committed successful hacker of the u.s.? >> china has been the one that we have been the most vocal about but they are not the only one. >> last time you were here you had more concerns over russia having the ability or expertise to do less damage. >> i thought your question was focused on valium. if your question is on capability, if you will, then we then we have been very public saying i would put the russians higher than china. >> but it feels like china is more committed and determined to do it. >> they do it at the volume level. >> i understand. i know you just said no, you
8:26 am
don't believe this agreement that the president and our president has made will work. are there any penalties in this agreement if someone violates it? >> in terms of what i have seen, i don't think it treats, certainly there are implied penalty. the threat of economic sanctions is what would meet something to the chinese if they violate this agreement. i think as they were discussing
8:27 am
earlier in terms of sanctions, there is a whole lot of options here. it doesn't have to be and i to an i can be some form of retaliation. i'm not aware of the specific penalties if the agreement is violated. >> that's why i think you're pretty quick to say no i don't think it will work. >> the reason i said no, of course, is the extent of which the chinese have been pervasive in terms of adding our data. whether or not the government orchestrates all of it is still in question.
8:28 am
we are inherently skeptics. >> i have a question for you secretary. the recent news article that examines similarities between china's strike finder and our strike fighter. what they have been able to do in such a rapid time without any r&d, do you believe that gives them a competitive advantage? i understand there might be some differences in the software and weapon tree, but they are making leaps which are uncommon and we know this. we are not taking any actions against them. >> i would like to work this in and follow up with your first question. at the highest levels, we have made it clear that we believe the chinese actions are totally
8:29 am
in acceptable in cyberspace. i would characterize the agreement that we have as something where we are asking them to prove to us that they are serious about what they say and what they will do to control these efforts. there were really for things that we agreed to do. first we would give timely responses to information when we say hey, we believe there is a problem here and we have agreed to exchange information on cyber crimes, we've agreed to collect electronic evidence and mitigate malicious cyber activity that is occurring on our soil. we both agreed that we would not knowingly conduct cyber theft of intellectual property.
8:30 am
we told them there was a problem and it was unacceptable. they have said that they will work to curb that. then we have agreed to have common effort to promote international norms in the final thing is we will have a high-level joint mechanism where we can meet at least twice a year and say, look, this is just not working. you are not are not coming through with what you said. this isn't a treaty or anything like that. they have to prove to us, and we know they have stolen information from our defense contractors and it has helped them develop systems. we have hardened our systems through the initiative. >> we know the j20 is pretty much nearing our weapon. when we know this, why wouldn't we take hard action against them
8:31 am
? i just don't understand why we wouldn't retaliate. >> from a financial standpoint. >> there are a wide variety of options that we have. they are developed through the inner agency. again it's not necessarily tit for tat. it is proportional response and we are working through all of those. >> my time is up. if we could just meet up later and discuss those. >> certainly. >> if i may, just add a word about terminology what this represents, of course, is cyber espionage. of course we to practice cyber espionage in a public forum to say how successful we are, but
8:32 am
were not bad at it. when we talk about what were going to do to counter espionage or retaliate for espionage, i think it's a good idea to at least think about the saying that people live in glass houses shouldn't throw rocks. >> so it's okay for them to steal our secrets that are most important? >> i didn't say that. >> that we live in a glass house , that is astounding. >> i did not say it is a good thing. i'm just saying that both nations engage in this. >> i want to thank all of you for being here. with regard to the chinese, i want to follow up, we talked about the stealing of the highest secrets in terms of our weapon systems, but what about
8:33 am
the 21 million people whose background check and personal information has been associated publicly with the chinese, and the fact that 5 million sets of fingerprints as well, leading to potential vulnerability for our citizens. if you put that in a context of these other issues that we've raised, it seems to me i looked very carefully at some of the language you've been using. you gave a speech in london and said to turn deterrence must be promoted. you said cyber attacks have created a a permissive environment. i'm trying to figure out, based on what you said, how we are not in a permissive environment in light of what they have stolen with our weapon system and the
8:34 am
huge infringement on 21 million people in this country. also, could you you comment on the vulnerability of that data and where we are in terms of how it will be used against us? >> first, that is an assessment of what was taken. we don't know in terms of specifics, but that frames the magnitude of this theft, and it is potentially very serious, has very serious implications. first from the standpoint of the intelligence committee and identifying people who are under covered status, one small example, it poses all kind of potential -- and unfortunately it is the gift that will keep on giving for years.
8:35 am
it's a very serious situation. what we tried to do is educate people with what to look for and how to protect themselves. again, this is a huge threat of theft and has potentially damaging implications for people in the intelligence agency and other agencies. >> i think what you're hearing is what are we going to do about it as the issue as opposed to shared agreement on generic principles with chinese. this is a pretty significant issue that will impact millions of americans. i'm not hearing what were going to do about it but that may be a higher-level decision going up to the pres., but it seems to me, if a point to talk talk about deterrence, if we don't follow up with action, and if you look at that combined with the testimony we heard last week about the artificial island being built by the chinese and
8:36 am
the fact that we won't go within 12 nautical miles of those islands, if you put that all to the chinese perspective i think one might think we can do whatever we want because we haven't seen a response yet. i'm not asking for all of you to answer that because it probably needs to be answered by the president and his security team, but it seems to me they aren't seeing a response from us and therefore we will continue to see that behavior from the chinese. before i go, i have an important question on another topic. that is, yesterday, we heard public reports about the potential violation of the inf treaty by the russians and that essentially russia tested the new ground launch mission that violates the 1987 inf treaty. of course this is going back
8:37 am
also to the reports as early as 2008 of russia conducting tests of another ground launch cruise missile in potential violation of the inf treaty that we raise with them. when sec. carter came before his committee on his confirmation, he listed three potential responses to these violations. now we have the russians violating the inf treaty yet again and my question is, sec. carter rightly identified that we should respond through missile defense, counterforce or countermeasures. what are we doing about it? >> senator this is a long-standing issue that we have been discussing with the russians. the system is in development and has not been fielded yet. we have had different discussions with them on our
8:38 am
perception of the violation of the inf and they have come back. this is still in discussion and we have not decided on any particular action at this point. >> so are you saying you don't think they violated the inf treaty? >> we believe very strongly that they did. >> we believe that. that's what i thought. now we have another situation going back to 1987. >> we. >> we are still in the mist of negotiating. we are giving our position but if they do feel the system that violates the treaty, i would expect us to take one of the three options outlined before the committee. >> i see a lot of talk and no action unfortunately and people take their cues from that and that worries me. thank you all. >> think you mr. chairman.
8:39 am
mr. clapper you testified recently that while the united states makes distinction between cyber attacks conducted for economic purposes to gain foreign intelligence, that is the espionage arena that you are referring to, or to cause damage , would you consider the opm breach to the extent that we believe it is a state after who did that that that would be in the category of espionage? >> yes. that was the tender of the discussion at the hearing. that that has to do, as a mentioned earlier, the importance of definition nomenclature and the definition
8:40 am
of these terms. the theft of the opm data, as egregious as it was, we wouldn't consider that an attack but rather a form of theft or espionage. >> you say other countries, including our own engage in such activities. my understanding of the recent agreement between the u.s. and china has to do with commercial cyber theft. i think that is a very different category that has to do with obtaining information about corporations, et cetera. therefore that is in the category of economic attacks. so dir. clapper, would you consider that kind of agreement to be helpful? i realize that you are skeptical, but to the extent that we are defining a
8:41 am
particular kind of cyber attack and that we are contemplating through this agreement and ability of these countries to engage in high level dialogue regarding these kinds of attacks is that a helpful situation? >> it would be very helpful if, of course, the chinese actually live up to what they agree to. what the agreement pertain to was theft of data for economic purposes, to give the chinese an advantage or their defense industries and advantage. as opposed to, i don't believe we have agreed with the chinese to stop spying on each other. so there is a distinction.
8:42 am
>> mr. sec., you can weigh in on this as well. they say we created a potential for dialogue or an environment where there is a process to be followed. in cases where we suspect a cyber attack, at least we have a way we can talk to the chinese. you also mentioned, director clapper, clapper, attribution is not the easiest thing although we are getting better at determining who were the actors conducting the cyber attack. one hopes that even with a great deal of skepticism going forward, this may create the space for us to have more than a conversation, but one that would lead to some kind of change in
8:43 am
behavior on the part of these state actors. mr. sec., fill free to give us your opinion. >> i think that's exactly right. as director clapper said, first you have to find out the geographical location of where the attack came from and then you have to identify the actor and whether the government of that space was controlling it. >> that's not the easiest to do. >> we have determined china and in some cases they said this was a a hacker inside our country but we had no control over them. this allows us to say what are you going to do about that? are you going to provide us the information we need to prosecute this person or are you trying to take care of it on your own? i believe this confidence building measure in this way to discuss these things, the proof will be in the pudding. how the chinese react to this. >> secretary, i think you mentioned that this agreement allows contemplated meetings at least twice a year. is there anything that allows for more frequent dialogue between our countries? >> senator i believe there was a significant cyber event that we suspected the chinese of doing
8:44 am
or they suspected us, that we would be able to meet. this will be a high-level joint dialogue. our u.s. sec. of homeland security and u.s. attorney general will lead on our part. we will have the first meeting of this group by the end of this calendar year. i believe we all have some healthy skepticism about this but i believe it's a good confidence building measure and a good first step, and we will see if it leads to better behavior on the part of the chinese. >> thank you. >> i can't help but comment that we have identified the building please don't see this committee as if we don't see who is responsible for it. that's just very disingenuous. there have been public reports that we have identified the pla building in which these attacks come from.
8:45 am
>> thank you mr. chair, thank you for joining us today. mr. rogers, i'll start with you today. two of the president's nine lines of effort in defeating isil our first exposing isis's true nature and disrupting the foreign fighter flow. over the weekend, the new new york times reported that 30,000 recruits joined isis over the past year and that is double the previous recruitment year. earlier this month, the ambassador at large said that isys's recruiting trend is still upward and the information was no surprise to her. she also said the upward trend was primarily due to internet and social media. so, do you believe their effort has succeeded on these two lines of effort in cyberspace and
8:46 am
social media? just please a simple yes or no. >> no. >> okay, and why is that? with the record recruiting numbers for isis, how would you then assess the effectiveness of the u.s. governments counter effort in cyberspace? what specifically is your assessment of the state department think again, turn away program and supportive efforts to counter isis recruiting efforts. >> i am not knowledgeable enough to comment on this. i will say, i have always believed that we must contest isil on the data as much as we
8:47 am
do on the battlefield. we have got to be willing to attempt to fight them in that domain just like we are on the battlefield and we clearly are not there yet. >> i agree. i think we are failing in this effort and some of the programs that we have seen obviously are not working. so, are there areas where you could recommend how the u.s. better partner with various ngos or private entities to more effectively counter the isis propaganda? again,. >> i will say from a technical perspective we are looking at, within our authority in capability, what's in the realm of possibilities, in other words what can we do in this domain.
8:48 am
>> we have a larger problem coming forward in regards to isis and isil in the middle east. we seem to see the emergence of a a trifecta between syria, iran and russia. now it seems that iraq has begun information sharing. can you speak to that and the broader implications of russia emerging as a leader in the middle east while we seem to be losing our opportunity with isil questioning. >> i think they have several objectives here. one is that they want to protect their base, their presence in syria. their buildup in the northwest part of syria is clearly one and
8:49 am
they want to prop up ashad. i think a belated motivation is fighting isil. as far as the joint intelligence arrangement is concerned, i can't go into detail in this forum but i will say, each of the parties entering into this are a little bit suspicious of what is entailed here :
8:50 am
what we are trying to do is the conflict, and that is the primary purpose of the discussion. if you're going to act on this battlefield, we have to de- conflict. they would like to do a military 1st followed by a political transition. we believe those two things have to go in parallel. this is early days. we are still in the midst of discussing what exactly this means. i don't have a definitive answer. >> i am concerned we advocated our role in the middle east and in so many
8:51 am
other areas, as has been pointed out earlier. grave concern to all of us. thank you, mr. chairman. >> thank you, mr. chairman. >> gentlemen, thank you for your public service. admiral, i am concerned about all of these private telecoms that are going to encrypt. if you have encryption of everything, how, in your opinion, does that affect section 702 and 215 collection programs? >> it certainly makes it more difficult. >> says the administration have a policy position on this? >> no, we are the 1st to
8:52 am
analyze an incredibly complicated issue. we still are trying to collectively work our way through what is the right way ahead recognizing there is a lot of valid perspective, but from the perspective that i look at the issue, there is a huge challenge challenge that we must deal with. >> a huge challenge, and i have a policy position. and that is that the telecom better cooperate with the united states government, or else it just magnifies the ability for the bad guys to utilize the internet to achieve their purposes. speaking of that, we have a fantastic us military. we are able to protect ourselves. it is the best military in
8:53 am
the world, but we have a vulnerability now. and it is a cyber attack. do you want to see if you can make me feel any better. >> i would tell you that correct to say the capability of the department department if i were to say where we were 18 months to two years ago is . . there capability continues to improve. speed, agility. the challenge is trying to overcome decades of a thought process in which we see defensibility and reliability that were never core design characteristics where we assume that
8:54 am
external interfaces, if you will call with the outside world were not something to be overly concerned with. remotely generating data as to how paragraphs were doing in different states around the world. all positive if you're trying to are trying to develop the next generation of cruiser destroyer for the navy, but a world in which those public interfaces, if you are coming increasingly represent potential points of vulnerability. you get this clash of strategies which is where we find ourselves now. one of the things i try to remind people is, it took us decades to get here. we will not fix this in a few years. the six dedicated prioritization, resources command we must do it in a smart way, prioritize and figure out the greatest vulnerability and concern. >> can i jump in for a 2nd
8:55 am
>> i want to add to that end for us to let our potential enemies understand that we have the capability of doing to them what they did do to us. however, that gets more complicated when you are dealing with a rogue group of a dozen people stuck in a room somewhere that are not being part of the nation state. >> yes sir, mr. sec. >> i i was just going to echo what was said. he said, look, we are absolutely not where we need to the inmate job number one defense of the networks. going from 1500 on place less than 500. going from 1,000 defendable firewalls to less than 200, somewhere between 50 and 200 you are absolutely right. we recognize this is a terrible vulnerability, working to defend our networks, looking our
8:56 am
systems, and trying to change the culture.culture. right now if you discharge of what you are held accountable for that. negligent discharges one of the worst things you can do. do. we need to inculcate culture whereas cyber discharges considered just as bad and make sure it is inculcated throughout the force. >> i agree, but the abnormal is assaulted by the telecoms who want to tie his hands behind his back by doing all of the encryption. >> thank you, mr. chairman. in our state naval warfare center has taken the lead on much of our efforts to protect against the threat of counterfeit electronics. and so secretary working director clapper, the global
8:57 am
supply chain for microelectronics prevents -- presents a growing challenge for cyber security. one of the things we saw recently ibm sold its chipmaking facilities when dod trusted foundry that us to a foreign-owned competitor. i was wondering, your top priorities in managing the risk posed by globalization of our microelectronics manufacturing capabilities and our abilities to protect her systems in that area. >> that is a big question and will be one of the key things that we look at in this fall review because of, as you said, the recent sale of ibm chips. there are two schools of thought on this. some say you do not need a trusted foundry and another group says you absolutely have to have it. having confidence inhaving confidence in the chips that we put in our weapon systems is important, and i would expect that come february we will be able to report out
8:58 am
the final decisions through the fall review on how to tackle this problem. >> who was in the department of defense leadership has primary responsibility for overseeing the supply chain risk management? >> frank kendall and dla. dla has the supply chain, and frank kendall is focused on the trusted chip, that the fabrication of trusted chips. >> one of the areas that we look at in regards to cyber, and in some ways, you know, technology in particular parts is in the nuclear area. and so are there any specific groups that are focus just on protecting our nuclear efforts against cyber? >> there is the national -- the end in sa and and nuclear weapons council
8:59 am
which is cochaired by frank kendall, undersecretary of defense, and vice chairman of the joint chiefs, the ones that work with doe to make sure our weapon system components are reliable and trusted him to make sure that we have ahave a safe, reliable, and effective nuclear deterrent. >> admiral,, when we look at building a force of cyber warriors, how can we use the national guard and reserves to help do that? because it strikes me that that can help us and retaining highly qualified individuals who want to devote part of their life to help oura country command it would seem to almost be a perfect fit for us. >> we have taken a total force approach which
9:00 am
includes both guard and reserve, every service slightly different, not the least of which have different services have different release in regard structures. one of the challenges we are trying to work our way through is under the title three to piece, how we coordinate, how we generate capacity and bring it to bear with maximum efficiency. the two things in partnering because we're taking a total force approach to this, we need one standard for this. we don't want a place where the garden reserve are trained in one standard and the active side is trained to a different. that gives us maximum flexibility in how we apply the capability across the force. and the guard and reserve has done great in that regard. and secondly, we need one comment unit structure. we don't want to build unique capability -- unique one of a kind structures in the reserves that don't match the title 10 side. we want to treat this as one, integrated force. and i would give the guard and reserve great kudos in that regard. we've got a common vision about the way we need to go.
9:01 am
where we bring together the guard, the private sector, the active component, government, and work our way through the specifics of how we're going to make it work. >> director clapper and i apologize if you already answered this. what is the one cyber challenge you are most concerned about? >> obviously, the one to think about would be a massive armageddon-like scale attack against our infrastructure. that is not -- we don't consider that the most likely probability right now that the greater threat or the low to moderate sort of threats that we're seeing. and what i have seen in the five years i've been in this job is a sort of progression where these
9:02 am
get more aggressive and more damaging. and as i indicated in my oral statement at the outset, what i will see, i think, what we can expect next are data manipulation, which then calls to question the integrity of the data which in many ways is more insidious than the kinds of attacks that we've suffered thus far. so, you know, the specter is this massive attack, although it's not likely. >> thank you. thank you, mr. chairman. >> thank you, mr. chairman. annex 3 of the recently signed iran nuclear agreement calls for the participating countries to work with iran to, quote, strengthen iran's ability to protect against and respond to nuclear security threats,
9:03 am
including sabotage as well as to enable effective and sustainable nuclear security and physical protection systems, close quote. secretary clapper, do you read this portion of the iran nuclear agreement, the annex to include cyber threats meaning that the p 5+ 1 countries who are part of this agreement will be expected, will be deemed to have an obligation under the agreement to assist iran in developing systems to prevent other countries from using cyber capabilities to acquire information about or to disrupt the operations of iran's nuclear capabilities, iran's nuclear programs? >> well, in this environment, i will say that i trust that this is not going to prevent us from
9:04 am
gleaning intelligence from our traditional sources in the interests of verifying the agreement, which will be principally monitored by international organization ia/ea. i'm not aware of any strictures on our ability to collect on their behavior and compliance. >> why would we want to give iran the ability to defend against cyber weapons that we or perhaps some of our allies might one day want to use against iran. >> in this open environment, there are aspects here that i can't discuss. happy to talk with you privately or in a classified environment about that. >> okay. but you're not disputing the fact that the agreement says that? we would have to?
9:05 am
>> no. >> okay. now, can you tell me in this environment what specific technical assistance we'll be offering iran in the portion of this agreement? >> i honestly don't know the p answer to that question. i'll have to have that researched. >> now, would any of these capabilities, once acquired by iran prevent or inhibit the united states or any of our allies any other enemy of iran from using a cyber measure against nuclear facilities? >> again, i'm reluctant to discuss that in this setting. >> were you consulted by u.s. negotiators during the nuclear negotiations in connection with this portion of agreement?
9:06 am
>> throughout the negotiations. >> can you describe the nature of any consultation you had with them as to this portion of annex 3? >> with the iranians? >> yes. >> no, i did not engage with the iranians. >> no, that's not what i'm asking. i'm asking if you can describe your discussions with u.s. negotiators as they came to you and consulted with you on the implications of this portion of annex 3. >> i didn't, actually, my lead for this was norm rule who was known to many of you on this committee. and he was the direct participant. and i don't want to speak for him as to the extent to which he was involved or consulted on that provision. i'd have to ask him. >> okay. but you would have been aware of consultation going on. i'm sure he came to you and said, look, this is going to
9:07 am
impact our ability, the ability of the united states to do what we need to do with respect to iran. >> well, again, sir. i would rather discuss what the potential response of ours could be in a closed setting. >> okay. >> secretary, how was the department working to ensure that the hardware and software on some of these major programs that we're developing to future contingencies and technological advances so they can continue to address emerging cyber threats well into the future without major overhauls of the entire system. >> senator, as i said, we are now putting into our kpps our key performance parameters on any new systems, specific requirements, much like during
9:08 am
the cold war when we had emp requirements for many of our systems. the problem that we face is that many of the old systems that are still in service were not built to respond to the cyber threats we're seeing today. >> determining which ones are most vulnerable, prioritize them and make fixes. so it also goes back to senator donnelly's question on the trusted foundry. we try to determine what is the best way to determine we have reliable and trusted microelectronics. >> thank you, mr. chairman. >> thank you, mr. chairman. secretary, if there's a catastrophic attack tonight on the fiscal infrastructure or the financial infrastructure of this country, i do not want to go on cable news in the morning if there is cable news in the morning and say the
9:09 am
administration told us that the policy is still in development. we've got to get on this. a year ago, and the idea that we can continue to simply defend and never have an offensive capability, i just think is ignoring this enormous threat which we all agree. let me ask one word-answer question to each of you. do we need an offensive capability in the cyber realm in order to act as a deterrent? secretary? >> we need a broad range of response options to include -- >> do we need an offensive cyber capability to act as a deterrent? >> i would say, yes, sir. >> secretary, director clapper. >> absolutely. >> yes.
9:10 am
>> thank you. >> the second part of that is that it can't be secret. our instinct is to make everything secret. and the whole point it not be secret. i think we need to establish what we have. i suspect we do have significant offensive capability, but part of a deterrent is that it has to be made -- it has to be made public. i think another question that needs to be addressed. we need to define what an act of war is in the cyber area. i don't mean to comply it's
9:11 am
urgent and we can't definite our ourselves saying it was complicated and we didn't get to it. do you believe that the dispersion of responsibility in the federal government is a potential -- it's got agencies and departments and bureaus. you can name 15 of them if you tried that all have some responsibility here. do we make that the central repository of this? >> we have got to simplify the structure. if you're on the outside looking in, and i hear this from the private sector fairly regularly. who do you want me to go to? is that i should talk to the fbi, dhs, why can't i deal with you? do i need to talk to -- if i'm
9:12 am
the financial company, should i be talked into the sector construct that we have created? we've got to try to simplify this for the private sector. >> add to that, senator king, it's one of the reasons why i had a brief commercial of integrating the cyber picture of the common operating picture simply from within intelligence let alone, you know, what we do to react or protect. >> i would hope that would also the leadership and decision making on that has to start with the white house. it has to start with the administration for an all of government approach to dealing with this dispersion of responsibility. i would point out parenthetically there's been a lot of talk about china and our ability to interact with china
9:13 am
and to respond and hold china responsible. and it's not the subject of this hearing. the fact we owe china trillions of dollars compromises our ability to interact with china in a firm way. it's a complicated relationship and that's one of the things that makes it difficult. director clapper, do you have any idea what brought the chinese to the table for this recent agreement with the president? >> well, it appears that the threat of potential economic sanctions, particularly in posing them right before the visit of the president got their attention, and that's why they dispatched the minister to try to come to some sort of agreement which is what ensued
9:14 am
subsequently. >> and i agree that it's not a definitive agreement or a treaty. but i do agree, secretary, that it's a step in the right direction, at least these issues are being discussed. but countries ultimately only act in their own self-interest, and we have to convince the chinese it's in their interest to cut out this activity that's so detrimental to our country. >> can i make one real quick comment? just because we have not published our policy, it is so broad and encompassing going over things like encryption. what are the it toos of authorities we need? does not mean if we did have an attack tonight we would not, we do not have the structure in place right now with the national security team to get together to try to understand who caused the attack, to understand the implications of the attack had and what response we should take. those are in place right now.
9:15 am
>> the whole point of being able to respond is deterrence so that the attack won't occur. dr. strange love taught us if you have a doomsday -- isn't the point i'm trying to get at. the deal is, they have to know how we will respond. and therefore, not attack in the first place. thank you, thank you all, gentlemen. >> on behalf of the chairman, let me recognize senator fisher. >> thank you, senator reid. following up a little bit where senator king was going on this, many of you talked about establishing norms in cyber space. do you think it's possible to establish or maintain that norm without enforcement behaviors? when we look at publicly identifying those who are responsible for an activity or imposing costs on them. can we do that? i'll begin with you, mr.
9:16 am
secretary. >> trying to establish these norms are very, very helpful. in the cold war, there was an agreement we would not attack each of our early warning missile launch. i mean, the warning satellites. and so establishing these norms are very important. but they will be extremely difficult because the enforcement mechanisms in cyber are far more difficult because it's much more easy to attribute missile attacks, et cetera. i believe that this agreement with china is a good first step, that we should strive to establish norms, especially between nation states and establish norms, which we believe are beyond the bounds and to try to establish mechanisms by which we can work these through. but this will be very, very difficult, senator, because i s it's -- because of the -- it's much more difficult. >> and we have the added
9:17 am
problem, of course, of the norms and secretary said really applicable to the nation states. and of course, you have a whole range of nonnation state actors out there who wouldn't necessarily subscribe to these norms and would be a challenge to deal with even if we -- if there were nation state mutual agreement. >> admiral? >> well, i would echo the comments of my two teammates. i'm struck by -- my early days as a sailor before i got into this business at the height of the cold war out there, we knew exactly how far, between the soviets and us, we knew how far we could push each other. and we pushed each other at times right up to the edge. very aggressive behaviors. we developed a set of norms, had a series of -- so we could
9:18 am
communicate with each other. so i'm comfortable we're going to be able to achieve this over time in the nation state arena. but as my teammates have said, it's the nonstate actor that complicates this to me. he's going to make this difficult. >> so when we're attacked in cyber space, how do we impose costs? on those who are attacking us? do we -- do we respond in cyber space? or can we look at other ways to, i think, respond in an appropriate manner, say with sanctions? what would you look at, admiral? >> so what we have talked about previously is we want to make sure we don't look at this just for one narrow perspective, that we look across the breadth of capabilities and advantages and bring all of that to bear as we're looking at options as to what we do, and it's a case-by-case basis. there's no one single one size fits all answer to this. but fundamentally, think more broadly than cyber. not that cyber isn't potentially
9:19 am
a part of this. i don't mean to imply that. >> correct. mr. secretary, would you agree with the admiral on that? do you see a variety of options out there? and wouldn't, wouldn't it be more beneficial to us as a country to be able to have a policy that is a public policy on what those options could be and the consequences that would be felt when we are attacked? >> absolutely. and that is what i say about a broad policy where we will respond in a time manner, time, place and manner of our own choosing. in this case, there's an asymmetry with our nation state potential adversaries, they're all authoritarian states. the attack surfaces they have are far smaller than what we have as a free nation. and we value that, we do not want to close down the internet. but we are more vulnerable to a wide variety of attack surfaces than our adversaries. so we may sometimes have to
9:20 am
respond proportionally but in a different way than a simple cyber response. might be sanctions, might be a criminal indictment, might be other reactions. we believe very strongly this is something it's an inner agency process, the process is established where they are taken care of, handle on a case by case basis. >> and does the administration have a definition on what constitutes a cyber attack? >> well, any type of malicious activity that causes either damage or a theft of information or i.p., all of those are under either cyber, malicious cyber activities, might be espionage, in each case, there's no defined red line for what would constitute. >> what would be the difference between a cyber attack and cyber vandalism?
9:21 am
>> well, have to make a case by case determination and, of course, important consideration here would be retribution. and that, again, would be a case-by-case. >> and cyber vandalism, ma'am, do you believe -- is that stealing information or ip? >> it was described by the president as cyber vandalism. i was wondering on how you distinguish that definition from a cyber attack. >> well, it didn't affect a national security entity. but it certainly did cause damage to the company. and in that case, and this was an important illustration of when could attribute very clearly. and there was uniform agreement
9:22 am
across the intelligence community to attribute that to the north koreans and we did sanction them. >> thank you. >> thank you, mr. chair.jcrf gentlemen, thank you for your service and for joining us here today. and director, before i start on, begin to focus on cyber policy. i think we're all very concerned about the allegations that leadership at central command deliberately distorted the assessments of intelligent officers related to the fight against isil. and i understand that there's an ongoing investigation and i'm going to wait for the results of that investigation. as a member of the committee, i want to in the strongest terms possible impress upon you the importance for all of us to receive absolutely objective and unbiased assessments. and i look forward to the results of the i.g.
9:23 am
investigation. and i expect you'll hold accountable anyone who has failed in their duty in the intelligence community no matter how high up the chain that may go. >> senator, you brought up an important consideration here, which is a great concern to me. i'm a son of an army intelligence officer served in world war ii, korea and vietnam, and i've served in various intelligence capacities for over 52 years ranging from my first tour in southeast asia in the early '60s to my longest tenure at dni. and it is a almost sacred writ in the intelligence profession never to politicize intelligence. i don't engage in it, i never have, and i don't condone it when it's identified. having said that,w;jé i -- and completely agree with you in spite of
9:24 am
hyperbole, i think it's best we await the outcome of the d.o.d. i.g. investigation to determine whether and to what extent there was any plitization of intelligence. i will also say that the intelligence assessments of any other combat and command come to the national level only through the defense intelligence agency. that is the main conduit. and i will say to an extent evaluator and filter for what flows into the national intelligence arena. >> thank you, director. turning to your admiral rogers, as the director of u.s. cyber command, your responsibilities include strengthening our cyber defense and our cyber deterrence posture. and i want to return to a line of questioning. several of my colleagues have
9:25 am
begun this morning. and as you know, the breach of opm computers resulted in an enormous loss of sensitive personal information. thus far to my knowledge, the u.s. has not responded. and to put it in the words of deputy secretary works language this morning, we haven't imposed a cost. which raises questions about whether we truly have developed the mechanisms for proportionate response to cyber attacks against the u.s. government. even after the april 2015 publication of the dod cyber strategy. we know that if a foreign agent had been caught trying to steal u.s. personnel files in a less digital age, we would either kick them out of the country, if they were a diplomat or we'd throw them in jail if they weren't a diplomat. that would be considered a proportionate response. but in the case of the opm breach, the u.s. government seems uncertain about what a proportion response would look
9:26 am
like. so i want to ask you three questions, and i'll let you take them as you may. what instituconstitutes an act in cyber space? has the united states decided on a proportionate response in the case of the opm cyber espionage case? and what types of information gathering by nation states, be i governments, are legitimate, and what types are not? >> well, first, let me start off by saying, look, so on the operational command here and all three of the questions you've just asked me are much broader than that. i'm glad to give you an opinion, but i'm mindful of what my role is. in terms of the three things, have we defined what an act of war is? the bottom line is clearly we're still working our way through that. what are the parameters that we want to use to define what is an act of war? my going in position is, we ought to build on the framework we have developed over time in
9:27 am
the more conventional domains. that's a good point of departure. a broad legal framework, something that people recognize and where we ought to start as a point of departure. the second question was about -- my note to myself. >> proportional response of the opm case. >> again, i think that what opm represents is a good question about -- so what are the parameters we want to use? is it as the dni has said? is it the intent is within the acceptable realm? is it scale? is it you can do espionage at some level, for example, but if you trip some magic threshold, hey, is 20 million records, 10 million records, is there some scale component to this? i think we're clearly still trying to work our way through that issue. and there is no one size fits all answer. i think there's recognition. i think that's clearly what has driven this between the united states and china, for example,
9:28 am
that's been a positive, i would argue. and the third type. could you repeat again the types of information? >> my time has expired. i'll cut to the chase. i think what you're hearing from all of us. >> go ahead, this is an important -- >> line of questioning. >> we would like to see more transparency in being able to telegraph our deterrent. because we all know that looking back into the cold war, our deterrent was important but it was absolutely critical for it to be effective. we need to be clear about what types are considered legitimate and acceptable. and where those red lines are going to be. >> i agree. i think that's an important part of the whole deterrence idea. it has to be something communicated and generates understanding and expectation and then a sense of consequence. >> i think the contrast with cold war is a good one to think about in that, well, i think
9:29 am
that the concern people are raising is should there be red lines on spying? that's really what this gets down to. we didn't have red lines during the cold war. it was free wheeling as far as us collecting intelligence against the soviet union and vice versa. there were no limits on that. it was very difficult. for both sides, more so for us. and, of course, underlying the backdrop to all of that was the deterrent, the nuclear deterrent, which, of course, restrained behavior even though it got rough at times as the example that admiral rogers cited and just in a maritime context. but there were ground rules that governed that. we're sort of in the wild west here with cyber. where there are no limits that we've agreed on. no red lines, certainly on
9:30 am
collecting information. which is what the opm breach represented. >> director and admiral, i would like to thank you for your forthright and candid assessment. and also, i think the lesson that all of us are getting is that we really have to have some policy decisions. and you've been very helpful in flushing that out for us. senator? >> secretary, i'd like to return to an exchange with senator ayotte, known as the inf treaty. is russia in violation of their obligations under the inf treaty? >> we believe that a system that they have in development would violate the treaty. >> and you said in development. i thought i heard you say it's not yet deployed. is that correct? >> that's my understanding. i can get back to you with a
9:31 am
question for the record, but it is in development and we have indicated our concern with the russians. >> could you please do that in writing and if it's appropriate in classified writing, that's fine, as well. i'd like to move to the cyber mission for us at the air force association conference a couple of weeks ago. the commander of the 24th air force stated that the cyber force was half way through the build-up. how difficult is it to establish the needed infrastructure and manning across the services to create the capability that we need to defend and deter cyber threats? >> well, i'd like to start and then i'll turn it over to admiral rogers. we're building to 133 total teams. 68 are cyber protection teams that are focused on our number one mission, defense of our networks. we have 13 national mission teams that we are building to help defend our nation's critical infrastructure, and we
9:32 am
have 27 combat mission teams that are aligned with the combat and commanders and assist them in their planning. a total of 133. we're building to 6200 military personnel civilians and some specialized contractors. and another 2,000 in the reserves. so about 8,400. we expect to reach that in 2018 provided there is not another government shutdown. the last time we had a government shutdown and sequestration, it put us behind by 6 months in building this. so as of right now, we are, i think, we're on track. and i'd turn it over to admiral rogers to explain how well we're doing in attracting talent. >> first let me accent on one
9:33 am
particular portion comments. in terms of impact of government shutdown or sequestration for us. the last time we assessed we lostz 6 months worth of progress. we had to shut down the school system. we went to all stop in terms of generation of capability in the like a domino. the layover effect costs us about 6 months of time. if we go to a bca or sequestration level that puts us further behind in an environment in which we have all uniformly come to the conclusion we're not where we need to be and we've got to be more aggressive than getting there. and you can't do that if when you're shutting down your efforts, when you're cutting money to go specifically to the question you asked, i would tell you the generation of the teams in terms of the manpower and their capability, knock on wood is exceeding my expectation. not that it's not an insignificant challenge.
9:34 am
>> the tools, if you will, the platform that we operate from. the training environment that we take for granted and every other mission. the idea that we would take over a combat team that before went to iraq and afghanistan, we put it out in the national training center and put it through the spectrum of scenarios they're likely to encounter. we have don't have that capability right now in cyber. we have got to create that capability. it's those enablers to me and the intelligence piece just like any other mission set, everything we do is predicated on knowledge and insights. no different for the commander than it is for me. i'm not trying to minimize. >> how important is it that we take advantage of the infrastructure and capabilities that we have as you're building out the entire mission force? >> that's what we're doing right now. but i will say, one of our experiences, cyber command has been in place for approximately 5 years.
9:35 am
one of our insights we've gained with practical experience and as we're looking at both defensive respon response. that is slightly separate from the infrastructure we use at nsa. so unified platform you've heard us talk about, it's supported in the funding. that's an important part of this. experience has taught us this in a way that five, six years ago we didn't fully understand. >> well, my time is up for questioning, but i'd like to bring to your attention that arkansas general has requested -- there's an 11,000-square-foot facility. it's already had $3.5 million invested in it. one of these facilities would cost about $4 million. it's a request i support. it's harnessed resources we've invested. they are ready to support in addition to the education center that does a lot of the cyber training for the national guard, which is less than 30 minutes
9:36 am
away. thank you. >> mr. chairman, i have to comment, i'm rather struck by the irony here of before i left my office to come for this hearing, i was reviewing the directions that we're putting out to our people for shutting down and furloughing people. what better time for a cyber attack by an adversary when much of our expertise might be furlough furloughed. >> i think that's an important comment, detector, and thank you for saying it. some of us feel it's urgent that we inform the american people of the threats to our national security of another government gourn. i believe it was in arkansas philosopher that said there's no education in the second kick of a mule. i thank you for your comment. senator? >> it was probably a missouri mule. director clapper, earlier this
9:37 am
year i introduced a bill that would give gejs community contractors whistle blower protections as long as those complaints were made within the chain. so disclosures made to the press would not be protected as you probably know, defense department, i know that secretary work knows this that we've already put into the law in recent years, whistle blower protections for the contractors at the department of defense. and to my knowledge and certainly correct me if i'm wrong, any of you, i'm not aware of any classified or sensitive information that has made its way to a damaging place as a result of these protections. >> the 2014 intel authorization gave it to the government
9:38 am
employees with the intelligence and one of the challenges we have in government is this divide between the contractors and government employees. and frankly, i can't think of a good policy reason that we would give whistleblower protections to employees and not give them to contractors and so i'm hopeful today that you would indicate you believe this is an important principle and we should move forward to this legislation. >> absolutely. >> and we have published a directorive that includes whistle blowing protections for our contractors. . our challenge the additional burden we have, of course, is trying to prevent the exposure of classified information outside channels so that's why
9:39 am
whistleblowers absolutely must be protected so they are motivated to go within the channels knowing they'll be protected. this is a program managed by the intelligence community and inspector general who is, of course, inspent as a senate confirmed official. >> thank you, and secretary work and admiral rogers, i presume you'd be supportive of giving whistleblower protections to intelligence community contractors? >> absolutely, agree totally with what the director said. >> and this is the head of an intelligence agency. >> thank you. i want to follow up a little bit with your comment about a shutdown. could you tell us what impact another government shutdown would have on your progress of getting the cyber mission force fully operational? excuse me, admiral rogers.
9:40 am
i think that in political isolation, shutdown appeals to a certain swath of americans and i understand why. sometimes it just feels good to say, well, just shut it down because obviously government is never going to win popularity contests, certainly not in my state. i love it when some of my friends wave the constitution in my face and fail to read the part that we have a divided checks and balances in this country unlike other countries. the american people sent a pa y party, a president of one party to the white house and elected a congress of a different party. could you talk a moment about
9:41 am
this mission if once again we went down the rabbit hole? >> if we use our experience the last time first thing we had to do was shut down the school system. it was only mission essential. all travel that was associated with training, had to shut all that down. couldn't send people to generate more insights to gain more knowledge. we had to shut down some of our technical development efforts because of the closure. again, put that all on hold. at a time when we have talked about the need to develop more capability, more tools, had to shut that all down during the period of the last shutdown. we were forced to focus our efforts on the continued day-to-day defense. the other concern i have is, and i have watched this play out now just in the last ten days.
9:42 am
i've been in command 18 months. and i will tell you the biggest thing i get from my workforce prior to the last ten days, sir, this happened to us once in 2013. is this going to happen again? if it is, why should i stay here working for the government? i could make a whole lot more money on the cyber arena on the outside. in addition to the threat, my other concern is if we do this again, is the amount of our workforce that says, you know, twice in the course of two years i've got a family, i've got mortgages, i've got to take care of myself as much as i love the mission and believe in defending the nation i can't put myself or my family in this. i've got to work in the commercial sector that's our vaj. advantage. >> at the risk of sounding like a smart aleck, i would say we need to open some of those schools so some of my colleagues could do some math.
9:43 am
and this is a recipe for dysfunction that does not help anyone in this country, in particular national security. thank you, mr. chairman. >> thank you, mr. chairman. i want to echo the comments my colleague. i think it's irresponsible. we've had this -- the secretary come before this committee and say that the number and serverty of threats have not been greater since 9/11. all the other things i may have a problem with have to be second to that priority. i thank you all for your work and director, i thank you for your comment. admiral rogers, we've had briefings from you since you've taken the command and one of the briefings i'm reminded of is the trend you see that tends to be
9:44 am
still an american advantage overall narrowing. particularly with the nations like china and russia. and i think you may have mentioned iran being an emerging threat. can you tell me really in the context of maybe another 6 months reset on your training, but more importantly, based on your current funding streams and your current plan are we going to be able to widen the gap again? or is this a matter of staying slightly ahead of adversaries? >> i think the most likely scenario is we're staying slightly ahead. as i said previously, a different approach. this is not a criticism of that approach. it led to a different investment strategy. we're changing that at a time when budgets are going down and threats, not just in cyber but
9:45 am
more broadly are proliferating. i don't envy the choices that secretary carter and the leadership has to make. there's nothing easy here. so i think in the near term, the most likely scenario for us is how can we focus on the best investments that maximize your defensive capability while continuing to help us retain the advantage we do right now against most? >> thank you. and this question may be for secretary werk. the announcement about the agreement with china that we're not going to basically attack each other. in the face of the compelling evidence that we have, that china's done it in the past and they've denied it. why is this agreement a positive thing if with the smoking gun information we have right now on prior attacks, theft of intellectual property, commercial data, that we have a pretty strong base of evidence to say they're guilty of it. if they deny it, why does this agreement mean anything? >> well, the build-up to this
9:46 am
visit, we made it very clear through variety of methods this was going to be something that was foremost in the discussions when president xi came. we have made it as clear as we possibly can at every single level from the president on down that the chinese cyber activities are unacceptable. and we believe this is a big first step as a confidence building measure where china can either demonstrate that they are serious about establishing some norms and going after cyber crimes, et cetera. but the proof will be in the pudding. i agree with the director and admiral rogers, it's going to be up to the chinese to demonstrate they're serious about this. >> would the -- would the manipulation of commercial data fall within the definition of theft under this agreement? >> well, specifically, one part of it is the theft of ip, intellectual property for
9:47 am
commercial advantage in, for example, a chinese enterprise. and we have made it a tentative agreement we will not do those type of activities. china has done those activities in the past and will be up to them to prove they won't do it in the future. >> and then, for anyone and then i'll yield. i know the committee's gone on a while. but at what point, i think, senator henrik made some very important points about drawing red lines. at what point about malign activities in cyber space being acts of war or terrorism and have appropriate responses whether they be through cyber, through sanctions or other. when are we going to get that clarity? because we don't have it today? >> senator, i don't believe we'll ever have a definitive one-size-fits-all definition for these types of things. every single attack will be handled on a case by case basis, and you'll have to judge the damage that was caused, who made the attack, was it just a
9:48 am
nonstate actor, or just a malicious hacker. we'd have to go after that person in terms of criminal activity. i don't believe we're ever going to have a specific definition that says if this happens, we will trigger this response. each one will be handled in a case-by-case basis and be proportional. >> thank you. mr. chair, i think the lack of clarity. you're not establishing some level of known deterrent. and that's why i understand the complexities of it. i've worked in the field. but i think that without that clarity, you're more likely to have more things that you're going to have to look at and figure out how to do a situational response. thank you, mr. chair. >> thank you, mr. chairman, and thank you, gentlemen for your testimony today on a really important topic. now, i believe, and i was looking for the transcript, but at the joint press conference between president xi and president obama that president of china, i think, publicly
9:49 am
stated they don't engage in these kind of cyber activities. was that an accurate statement? if that was, indeed, what he said? in terms of cyber warfare? >> it's pretty remarkable if you're in a press conference with another head of state and you just say something that seems to be pretty blatantly false. >> well, it is. and i think apart from the statements, at least for our part, it'll be what happens now? will there be a change in their behavior? and as i said earlier, hope springs eternal, but i personally am somewhat of a skeptic. but it'll be our responsibility to look for the presence or absence of intellectual property. and other information.
9:50 am
>> and were any of you gentlemen or all of you gentlemen consulted on the terms of the agreement? >> we were aware of the negotiations. but at least from at least from intelligence wouldn't be a voice or shaper a policy agreement like this between two heads of state. i think our responsibility is to report what they do. >> we participated in the buildup of the visit in terms of policy development. but in terms of what went on between the two leaders of the nations, we were not directly consulted. >> admiral? >> and i was aware of the ongoing process. and like secretary work, same thing, part of the broad effort in preparation for the visit. >> but you weren't -- you didn't see the terms of this agreement before -- did you, mr.
9:51 am
secretary? let's assume that, you know, kind of -- past is prolong here. we're talking about intellectual property. the u.s. has been trying to get the chinese to stop steeling this for decades. and it hasn't worked out very well. let's assume that this agreement -- that there is some additional cyber theft that we can attribute to china, what would you recommend the actions of the united states should be particularly in light of this agreement? >> i wouldn't be able to answer that. i would have to know what the degree of the activity would be. >> let's say another opm kind of activity. >> i think the department of defense would recommend a very vigorous response. >> and mr. secretary, give me a sense of what that would be,
9:52 am
sanctions, retaliation. >> could be any of those, senator. maybe all of the above. it will depend upon the severity of the activity. but, again, i know this is -- i know this is a big point of contention with the committee. it is, we are serious about cost imposition. our statement is if you participate in that, this activity, we will seek some type of measure which imposes costs upon you. and we just do not think it's a proportional cyberattack for a cyberattack. it might be something entirely different like a criminal indictment or sanctions or some other thing. >> let me ask kind of a related question for all three of you. i know you've been discussing this. i'm sorry if i'm kind of going over areas that we've already discussed. help us think through the issue of rules of engagement here. we have rules of engagement in so many other spheres of the mim
9:53 am
te military that are well established. how do we think through these aspects which are the fundamental aspects in what we do in response to cyberattacks? admiral? >> if you look at the defensive side, i'm pretty comfortable that we've got a good, broad recognition of what is permissible within the rules of engagement framework. >> do we? between us and other nations? >> if you define it between us and other nations, i would -- i apologize. i thought your question was in a dod kind of responsive framework. if you want to expand it to a broader set of nations, then it's probably fair to say no. >> i would agree. i think when it comes to offensive -- if you are thinking about offensive cyber warfare, we probably do not have rules -- defined rules of engagement.
9:54 am
>> i agree with what director clapper said earlier, that this really is the wild west right now. there's a lot of activity going on both from nation state actors all the way down to criminals. and so sorting through each of the different attacks and trying to attribute what happened and who it came from and who was responsible for it all demand specific responses on these attacks. but a degri agree toettally wit committee. best way to do that is to work through these things and make sure that everyone knows that there will be some type of cost. >> thank you, mr. chairman. >> the committee would also like to know when there's going to be a policy that would fit into these attacks and would then be much more easily responded to if we had a policy as mandated by
9:55 am
the 2014 defense authorization bill. i thank the witnesses for a very helpful hearing. i know that they're very busy. and the committee appreciates your appearance here today. thank you. >> thank you, mr. chairman. utah governor gary herbert will talk about anticipate initiative. we will have his remarks live at 1:00 p.m. eastern on c-span. weekends full of politics, non-fiction books and american history. saturday morning at 10:00 eastern on c-span, with nasa's announcement of liquid water on mars, we talked to the experts about the announcement and the possibility of life in space.
9:56 am
sunday evening at 6:30, we discuss the issues driving the national conversation at the washington ideas forum. speakers include former massachusetts governor mitt romney and valerie jarrett. on book tv, saturday night at 10:00 eastern on off wards, martha kumar discusses her book. she's interviewed by mac mclarty. we're live sunday with tom hartmann who authored several books. join our conversation as we take your phone calls, texts, e-mails, facebook comments and tweets for tom. on american history tv on c-span3, saturday afternoon at 2:00, in his book "and the dead shall rise," steve oni explores the murder of 13-year-old mary
9:57 am
fagan in georgia and the arrest and lynching of a jewish factory owner. sunday afternoon at 4:00, on reel america, the 1975 federal energy documentary on the supply and demand of fossil fuels in the u.s. and alternative energy sources. get our complete schedule at c-span.org. at the u.n. general assembly, mahmoud abbas accused israel of breaching all agreements and accords. he said action long as israel refuses to adhere to agreements, then his government could not continue to be committed to the same agreements, including the oslo accords. the foundation for the middle east peace agreement. >> translator: due to time constraints i shall not be able to discuss how many israeli nati violations are being committed against our people, how many
9:58 am
repress receive laws have been issued by successive israeli governments. the latest of which is the instruction -- governmental instructions given to fire live ammunition at and arrest and repress peaceful palestinian demonstrators. where do you see this happening? why is it happening? mr. president, ladies and gentlemen, we do not respond to the israeli occupation's hate and brutality with the same. instead, we are working to spread the culture of peace and co-existence between our people and in our region. we are anxious to witness the day when our people and all peoples in our region will enjoy peace, security, stability and prosperity. this cannot be

33 Views

info Stream Only

Uploaded by TV Archive on