tv   Politics and Public Policy Today  CSPAN  April 5, 2016 9:00am-11:01am EDT

9:00 am
captioning performed by vitac
9:01 am
and there is a great irony here if the road forks the classic robert frost road forking when you're a professor, as i am, you can say the mistake was made back in 2003, if only we hadn't done x or y, if only we hadn't invaded iraq. you'd be right, and then go get another cookie from the faculty lounge. your job is to move that second path toward where it should be and it takes a long time, and while you're on that path, there will be people saying see, you're still on the same path. you must be just like the other guys. toward law, or trying to bend it toward justice. we can't go back.
9:02 am
we have to go forward. and that's what, you know, at this point, we're many years past these original mistakes, and they were mistakes. they were grotesque mistakes but the job now is to get this into a better frame. what i stated here is, let's not buy into this fiction that there are no rules. there are rules. and let's not be confused if there are times when the rules are violated by the people implementing them because then you can say these rules have been violated. but we should also be clear that there are emerging rules that meet these new situations, and we're not in a law-free zone. >> i wonder whether you wanted to comment on any points but particularly maybe on the cyberspace issue, because last year, the netherlands hosted the global conference on cyberspace,
9:03 am
and there the conference highlighted the need to explore the development of voluntary nonlegally binding norms for responsible state behavior in cyberspace. i wonder such efforts undermine international law by offering states a less rigorous path to dealing with this issue, but whether you might have some thoughts on this. >> i can only give a judicial perspective on how to tackle cyber crime. cyber crime is one of three priorities in the european union. the sites of terrorism and illegal immigrant smuggling is among the top priorities and it is a borderless crime as has been on the line. we see a massive use of the internet and social media, and encrypted messages used by terrorism. we see that traffickings of all kind are taking place.
9:04 am
we had last year some operations run together with the united states in tackling different malware producers. this is part of reality. not later than last year the world economic forum established a steering committee with different players from the public and the private sector in order to see how together we can tackle cyber crime, across the borders and across the sectors again this year in davos, a lot of attention was given to the role of law enforcement authorities and judicial authorities. there are different ways to tackle the problem, but the multidisciplinary way of bringing together all the expertise, having being prepared to face the worst case scenario
9:05 am
is part of the exercise monitoring by the steering committee, we have to get prepared all together. defense is indeed having a lot of know-how and expertise. let's benefit from that expertise, let's benefit from the expertise available that has been set for the previous discussions. the solutions might not be found in one way or another. it is by having on a specific problem well-thought and reflected solution. but the solution is certainly to be found in a court operation again. >> we'll take another round of three questions. in front. >> thank you. lou gagliano, i'm an independent consultant dealing with technology. the question i'd like to pose is to take the apple situation and apply it to the eu, where the eu
9:06 am
commission is responsible for establishing regulations as to privacy standards. let's assume for the moment that, in respect to what just happened in belgium that a phone, an apple phone was critical in terms of detection of what may or may not have happened. how would the eu regulations apply to the apple, an apple-like situation in the eu's belgian tragedy? >> then there's the lady, yes. >> hi, i'm a student at american university. professor, you talked about areas of the law that needed to be translated for today's world and areas of law that are law-free zones like you called them and i was wondering if that necessity for translation implies some inherent inadequacy of the law and why there isn't a
9:07 am
concentrated effort to update international law to fit better with the modern world and why we're relying on what seems to be an outdated system or if you disagree and think it's not. >> then we'll go to the back, way at the last row, the gentleman with the red tie in the back. >> yes, my name is david sedny with csis, formerly with the u.s. state defense department. professor ko, you laid out a set of differences between the bush and obama administrations. since i left the u.s. government in discussions with people who are not part of the united states government, people have raised the issue over what are called signature strikes, the international crisis group did a paper a year or so ago describing these alleged signature strikes saying there were greater civilian casualties involved with them than other kinds of such strikes. as you laid out your validation
9:08 am
on international law, the use of drones, does that, does your justification for those expand to the so-called signature strikes? i'm not making any statement whether such strikes occur or not. >> thank you. michelle, why don't i start with you maybe on the eu regulations. >> well, i think that there are ongoing discussions and the one who should respond to this caution is certainly the commissioner of justice. now what i do know is from an enforcement perspective, criminal justice perspective is that we have to step up the united states and that.
9:09 am
if you hold that all the service providers are situated on the u.s. soil, that we need rapid access to digital and electronic evidence. this has been something we have been working on and leading on to greater successes for the decision-making at the highest level. i'm not the one who is going to answer. >> there are no law free zones, i distinguish between translated and law free zones, i didn't distinguish. i said people are trying to call it law free zones and there is not. there are human rights and there
9:10 am
are no zones in which human rights law does not operate. why don't we have a better process of updating it? look at our political environment. a congress that can't legislate, a congress that won't ratify treaties even if they were negotiated. we have international process that rarely renegotiates treaties for the current situation. at the veto system, a u.n. system in which certain states have disproportionate and sometimes preclusive power, a formal process of updating rarely occurs. which means that technology moves faster than law, that we have to develop these rules through interpretation and that's what these rules that i laid out were. i mean what i gave you is drawn from lots and lots of different sources, and what i'm saying is, the fact that someone can't
9:11 am
figure this out doesn't mean it's a law-free zone. it means they didn't figure it out or someone did lay out clearly enough. now david said you asked a very good question about signature strikes. so let's be clear that the original theory of targeted killing is personality strikes, in which you know who the person is, and they are a senior leader of al qaeda, who is attacking you. the paradigm case being osama bin laden. the original notion of a signature strike is can you strike at someone when you don't know that 100% sure that they're there, but all their signatures are there, and in that sense the raid against bin laden was a signature strike because they didn't actually know 100% that he was there. they never saw him. it's just that all of his signatures were present.
9:12 am
so in the original sense, my view is that the genuine signature strike in which the signatures are a substitute for correct identification of a legal target is lawful. what i think has been troubling though is the notion of using the notion okay, signature strikes are lawful to suddenly say okay, then a house draped in a particular way that could be al qaeda means you can attack the house without knowing anybody who is in there. or that certain indicia allow you to do a broad attack without any real sense of who is there. for example two weeks ago, there was an attack on 150 people out in al shabab camp. the defense department said we're not at war with al shabab. this has to be explained by self-defense. they were going from a graduation ceremony to do an
9:13 am
attack. but we don't know more than that. now, if we're in a war with al shabab we should say we're in an armed conflict with al shabab and produce the information that shows all of al shabab is interested in fighting united states as opposed to various internal objectives within africa. if all we're hearing is a signature strike you have to explain why someone there, an individual, a personality met a targeted killing standard and why he believed there's a near certainty of no civilian casualties. so again, i'm not saying that the rules have been perfectly applied in every situation. in fact there may be situations that prove why we need to get these rules even more clearly defined, because otherwise the word signature could be expanded or misused in a way that people can't recognize. >> another round of questions?
9:14 am
>> thank you. i'm jerry bass, retired, one of the few non-lawyers in d.c. regarding you know the wars and wars change now certainly and it's easy for and it's good that we have rules of engagement, et cetera, because i think people should have guidelines and rules, but you know, unless you're there and under stress or attack, you'll see rules differently than others possibly, you know, of how you have to defend yourself, et cetera. and nowadays with what's happening with a lot of hiding behind civilians, you know, i.e. we hit a hospital, i think, in iraq, you know, that's something, because possibly there was something there, but maybe we just made a mistake. in israel we see gaza with you know, missiles being fired and on the other side of that, you
9:15 am
know, having to go back and hit a hospital or hit a school or something that may be hiding those missiles to protect. with hindsight it's easy to sit back and look at things but we do things differently sometimes, too. we probably would have done something different possibly in syria, if we had known 250,000 people would have been killed earlier on. so how do you, you know, there's all these gray areas but how do you justify the gray areas in all of this with setting up the rules of war where now civilian casualties unfortunately happen, i think the drones actually if i recall killed 1,500 or 2,000 innocent civilians it was recorded in the early obama years and maybe they've changed some of that. >> thank you. and the lady in the back with the pink outfit. then we'll take a third. >> hi, kaitlin master, ph.d.
9:16 am
candidate, cornell university. my question is for professor ko. i'm interested in how you define international norms in regards to international law, and if you or do you see counterterrorism laws ever reaching this threshold? >> thank you. and the third question, second row. >> thank you. lee roberts, senior at george mason university. my question is for both panelists, professor ko listed upon which i did not dwell special operations regarding specific instance. as professor ko alluded to in 2011 the united states launched a raid into pakistan to kill or capture osama bin laden. the service members who conducted the raid were under the administrative control of the cia, i believe i'm reasonable in saying this distinction is lost on the world and indeed on pakistan itself who protested a violation of its sovereignty by
9:17 am
the american military but did not protest too loudly or long due to the shakiness of the position. is the raid approved by the preponderance of the global community, does the effective violence of a state's sovereignty by unapproved special operations have implications or is this really yet to be determined? >> thank you. so the question that was asked by my colleague, i think the fog of war is greatly diminished by the internet. we didn't have an internet at the cultural revolution. we didn't have an internet at the bombing of dresden. we didn't have an internet when they dropped atomic bombs on hiroshima and nagasaki and thousands and thousands of innocent civilians died, but it
9:18 am
was placed under the notion of the fog of war. now everybody has a cell phone, everybody has a video camera. many of those people have access to the internet, claims can be rebutted. but also by the way, claims can be repeated without verification. for example, you said x number of people were killed by drone. the united states has not confirmed nor denied those numbers. it's worth having some clarification of this point. it seems to me that we are in a period now in which if someone attacks a hospital claiming it's not really a hospital but is actually a place in which it's a disguised attack center, command and control center you can verify that with modern technology in a way that was not possible before. to my friend from cornell, are you an international relations
9:19 am
major or law student or -- the notion of regime theory, peter katzenstein, norms rules and decision-making procedures, they don't use the word law but the notion of norms is sort of shared principles, when those are embodied into a treaty or customary international law they become law under the statute of the international court of justice. what i'm suggesting here is a set of emerging norms i think should be law and that involves directing them to a law-making exercise or being assertive as a matter of law rather than a matter of discretionary policy. now finally when abbie asked me at the beginning what are the areas of controversy, what's unable and unwilling.
9:20 am
the question was exactly right, did pakistan consent to the raid on bin laden or unable or unwilling to prevent him from attacking the u.s. from abbottabad. in that situation the u.s. action was essentially done it seems with some sort of tacit acceptance by the pakistani government. some people would want more formal approval by the pakistani government. they're unlikely to get it. as you say if the pakistani government is objecting to their sovereignty being invaded, why did they let acknowledged leader of al qaeda be in a country where they claimed they were not harboring terrorists? now that explains why some of these concepts can be stated
9:21 am
with some legal precision but the proof of the pudding is in the application, which is a lot harder. >> michelle comment? another round of questions. >> it's an honor, thank you, guys, for coming today. my name is jordan barth, senior at american university studying government. my question is for both of you. what do you see as the role of the media in this new 21st century war? >> okay, thank you. good question. >> good morning, my name is dave grasso, retired special operations senior leader and i
9:22 am
appreciate your comments about the united states military not pursuing actions that are unlawful, unconstitutional. my question would be to you, professor, concerning the authorization of military force. does the current provisions and authorizations portend or to cover future continents of africa against boko haram, al shabab, al qaeda and other actions or is there additional work that needs to be done in terms of assessment interpretation of the aumf? thank you. >> good. michelle, any thoughts on the role of the media? >> i like this question very much. we need a proper dialogue with the immediate impact of incorrect information, it would be devastating on the criminal investigations on prosecutions. sometimes you can lead to criminal proceedings and hence
9:23 am
leading to potential risks for future events. also the aspect of the social media where every citizen becomes a journalist without any control, without any frame where a lot of incorrect or correct informations might be disseminated in an amount of time also having an impact. what i hear from law enforcement units being operational in paris and brussels is that operations cannot be hidden from the media anymore and shows the reality, putting in danger the police and men and law enforcement authorities on the spot, uncovering also out of the society at large and hence give more possibilities for terrorism, new ideas creative ideas for terrorism in the future. so a good dialogue.
9:24 am
what are the ways question work together, what do you need to know, what must society know at this point in time that would be i think a very good -- >> i think michelle has done a good job distinguishing, every tool is double edged. the media is a huge human rights enforcement device, and has done an extraordinary job i think in illustrating human rights abuses unaddressed. on the other hand the media has a role to play in holding accountable. when presidential candidates talk about torturing people if you take an oath to be president you'll swear to uphold the constitution and laws of the united states of america. are you telling me you intend to violate that oath immediately and if so, why don't you let that be known now so people can
9:25 am
decide whether they want to vote for a president who is going to be an outlaw immediately. they don't ask that question. instead they move to other things that are more colorful in their own mind or we get better ratings. i think that's been a failure. to my colleague who worked on special operations, as i said, the authorization for use of military force is supposed to address associated forces, which include cobelligerents, organized armed groups who entered the conflict against the united states and i don't believe that either boko haram or al shabab doesn't entirely meet those standards. the problem though which i know you understand better than anybody is that we have a congress that refuses to vote an authorization for use of military force. this is quite remarkable, because it's the exact same
9:26 am
congress that accused other branches of usurping their power. it's their job to authorize force and set its limits and define who we're fighting against and they absolutely refuse to do that. so obviously they could be too busy doing other things like voting on supreme court candidates, but i guess they're not interested in doing that either. so that's too bad. but i think the point that is absolutely critical, i do not know any military unit of the united states government that has ever gone into the field without clarification from their commanders, what are our rules of engagement, and part of those rules of engagement are set by the geneva conventions and the laws and i don't know of any commander, and we have a large number of extraordinary heroic people who do that, unless it's
9:27 am
absolutely clear that they're conducting things that are consistent with the oath that they took when they joined the u.s. military. so if we're going to hold soldiers to that standard we ought to hold our commander in chiefs to that standard. in fact it would be interesting to know how many of our presidential candidates could give you a recital of the laws under which they're operating. i have an idea of one who could tell you about that and the others who couldn't. i think that makes her an extraordinary figure. >> a final round of questions. >> thanks. >> we will leave this discussion at this point and go live now to capitol hill, the undersecretary of state for political affairs, thomas shannon is testifying at a hearing of the senate foreign relations committee this morning on recent actions of iran and the country's nuclear arsenal
9:28 am
for the u.s. and its allies. this should start in just a moment.
9:33 am
good morning. committee meets today to receive testimony from admiral mike rogers, the commander of u.s. cyber command director of the national security agency and chief of the central security service. lot of titles, admiral. that's good. thank you for your many years of distinguished service and for appearing before this committee today. threats to our national security and cyberspace continue to grow in speed and severity. new attacks appear in the headlines on an increasingly frequent basis, as nation states criminal organizations and terrorists seek to leverage
9:34 am
technology to steal, coerce and deter. when you appeared before this committee in september, admiral rogers, you noted that we "have peer competitors in cyberspace" and that some of them have "already hinted that they hold the power to cripple our infrastructure and set back our standard of living if they choose." since that hearing, russia has demonstrated the ability to cut power to hundreds of thousands of people in central and western ukraine. this attack the first confirmed successful cyber attack on a large scale power grid, is terribly significant as it demonstrates the sophisticated use of cyber weapons as a destabilizing capability and an effective deterrence tool with russia, china and other potential adversaries developing capabilities intended to deter us along with other friends and allies we must develop not only an effective deterrence policy but also the capabilities
9:35 am
necessary to deter any nation seeking to exploit or coerce the united states through cyberspace. after significant urging by this committee, i believe the defense department recognizes this need and important progress has been made at cyber command, but there's still a lot of work to do. for the most part, the services appear to be on track to meet the goal for the development of a 6,200 person cyber force but unless we see dramatic changes in future budgets, i'm concerned that these well-trained forces will lack the tools required to protect, deter and respond to malicious cyber behavior. in short unless the services begin to prioritize and deliver the cyber weapons systems necessary to fight in cyberspace, we're headed down the path to a hollow cyber force, just as it would be unacceptable to send a soldier to battle without a rifle, it's unacceptable to deprive our
9:36 am
cyber forces the basic tools they need to execute their missions. some service budgets omitted funding for even the most basic tools like those necessary for cyber protection teams to assess and triage compromised networks. this is unacceptable and i look forward to hearing your assessment, admiral rogers, of the military service's commitment to equipping a cyber force. i also look forward to hearing whether the new acquisition authorities we provided cyber command in the fiscal 2016 ndaa will help address some of these service-induced shortfalls. while i'm encouraged by some of the progress of the department of defense in cyber command, i remain concerned that the administration cyber policy as a whole remains detached from reality. for years, our enemies have been setting the norms of behavior in cyberspace, while the white house sat idly by hoping the
9:37 am
problem will fix itself. then in december, the administration provided its response nearly a year and a half late to this committee's requirement for a cyber deterrence policy. the response reflected a troubling lack of seriousness and focus as it simply reiterated many of the same pronouncements from years past that failed to provide any deterrent value or decrease the vulnerability of our nation in cyberspace. i applaud the recent efforts of the justice department to name and shame iran for its cyber attacks against our critical infrastructure, and financial sector, but again i remain puzzled as to why it took nearly five years after iran began attacking u.s. banks for the administration to begin doing so. that kind of indecisiveness is antithetical to deterrence and our nation simply cannot afford it. let me close by thanking you, admiral rogers, for your
9:38 am
leadership at cyber command. you've always been very candid and forthcoming before this committee and we appreciate that very much. we're finally beginning to field the cyber capabilities we need for the future as we confront the challenges ahead, this committee remains committed to doing everything we can to provide you and the men and women you lead with the tools necessary to defend our nation in cyberspace. i look forward to your testimony. senator reed? >> thank you. i welcome admiral rogers back to the committee thank you sir and express my gratitude to you and also the men and women you lead, the military and civilians who support the combatant and commands of cyberspace and defend the nation against major cyber attacks. cyber command is at another set of crossroads. the committee received testimony last fall from multiple witnesses recommending elevation of cyber command to a full unified command. i understand that elevation has
9:39 am
been discussed by the joint chiefs and that the secretary is considering this recommendation as part of the goldwater-nichols reform effort. i would like to hear, admiral, in your testimony and comments your views on the readiness of the command for elevation and on the related issue of sustaining the dual hat arrangement under which the commander of cyber command also serves as the director of the national security agency. six years after cyber command was established, the military services are just now presenting trained military cyber units to command. little more than half of the plan units have reached initial operational capability. this is a major milestone but trained individuals are only one part of military readiness. the other pieces are unit level training and proficiency and equipping the forces. the defense department is only at the beginning phase of building a unit level training environment. there are shortages and capability shortfalls and the tool kits available for the cyber detection teams and the
9:40 am
department has not yet developed a plan for or selected a service executive agent to acquire foundational situational awareness and command and control systems for cyber forces. i look forward to a status report from you, sir, about the pace of progress in these areas. there are other foundational challenges, the department has deployed and is in the process of acquiring additional capable cyber security sensors at all layers of its network. large gateways, the millions of individual computers spread across the globe. cyber command has dozens of cyber protection teams assigned to defend key segments of our networks while the military services and the defense information systems agency have their own computer network defense organizations. major task now is to integrate these sensors and organizations under joint operational concepts to enable real teamwork and admiral again i'll be interested in your thoughts on this very difficult issue. i am pleased that cyber command
9:41 am
is joining the initiatives to leverage the innovation of the commercial information technology industry for both cyber security and its other missions to keep pace with a rapidly changing threat, it makes sense to partner with an industry that innovates at the same pace. admiral, i'm interested in hearing how you plan to apply the acquisition authorities the committee granted to cyber command in last year's defense authorization act to working with the information technology sector in particular. finally mr. chairman i note that admiral rogers in his prepared statement for the hearing today quoted the director of national intelligence to the effect that china is still engaged in economic theft and cyberspace, and that "whether china's commitment of last september moderates its espionage remains to be seen." it's obviously a serious matter if china does not live up to president xi's pledge to president obama. i welcome your comments on this issue. thank you for your service and i look forward to your testimony.
9:42 am
>> admiral rogers welcome back. >> thank you. i am pleased to appear before you today to discuss the opportunities and challenges facing u.s. cyber command and i'd like to thank you for convening that forum. it's an honor to represent the individuals of this fine organization and i'm grateful for and humbled by the opportunity to lead this impressive team. i'm confident you'd be extremely proud of the men and women of u.s. cyber command if you saw their commitment to mission and hard-earned successes on a daily basis as i am fortunate to do. while my written statement goes into greater detail i'd like to briefly highlight the challenges and the initiatives the command is pursuing to meet those challenges. over the last year we've seen an increase of cyberspace operations by state and non-state actors. we've seen a wide range of malicious cyber activities aimed against both government and private sector targets. at u.s. cyber command we focus on actors that pose a threat to our national interest through cyberspace.
9:43 am
nations still represent the gravest threats to our nation's cyber security but we continue to watch closely for signs of non-state actors making significant improvements in their cyber capabilities. malicious actors use cyberspace to steal intellectual property and criminals increasing use of ransomware to extort companies are worrisome trends. malicious activists from the joint staffs unclassified network to networks controlling our nation's critical infrastructure. the threat actors are using cyberspace i believe to shake future operations with limiting our options in the event of a crisis. the u.s. makes progress as it emphasizes its shifts to operationalizing the command and sustaining its capabilities. over the past year we've continued building the capability and capacity of cyber command while operating in an increased tempo. we continue to make progress in building the cyber mission force of 133 teams that will be built
9:44 am
and fully operational by 30 september 2018. today we have 27 teams fully operational and 60 attained initial operational capability and it's important to note that even teams that are not fully operational are contributing to our cyberspace efforts with nearly 100 teams conducting cyberspace operations today. last year we noted we had just established the joint force headquarters dod information networks. today i can proudly report the jfaq as we call it made great strides toward its goal of leading the day-to-day security and defense of the department's data and network. also as the dod expands the joint information environment, we will have significantly more confidence in the overall security and resilience of our systems. our operations to defend dod networks and the nation's critical infrastructure proceed in conjunction with a host of
9:45 am
federal industry and international partners. recognizing that dod is just one component of the whole of nation's cyber team, u.s. cyber commands annual exercises, cyber flag and cyber guard offer unmatched realism as we train with federal, state, industry and international partners. additionally, cyber mission teams and joint cyber headquarters are regular participants in the annual exercises of all the combatant commands. while our training is improving, we need a persistent training department which the department is continuing to develop to gain necessary operational skills and sustain readiness across our force. i'm excited about the innovation, cultural shift and focus on long-term strategy emerging in the command and dod and last year we established a point of partnership program in silicon valley to link command personnel to some of the most innovative minds working in cyberspace. they are collocated in the diux and we are building on the
9:46 am
synergy among all dod elements under the umbrella. last september the department identified the need to transform culture by improving individual performance and accountability. the secretary and chairman approved the dod cyber security culture and compliance initiative to address those concerns. cyber command was identified as the mission lead for this initiative and is working closely with the joint staff and osd to build the requisite capacity and structure. cyber command is also actively contributing to the implementation of the new dod cyber strategy, a strategy released in april of 2015 provides a detailed plan to guide the development of dod cyber forces and strengthen dod cyber defense and cyber deterrence posture. the pervasive nature of cyberspace throughout all facets of life and across geographic boundaries coupled with a growing cyber threat makes, excuse me, deterrence and cyberspace a challenge but ever more important. proactive vat gee returns options to the president and
9:47 am
secretary of defense to approve cyber operations to deter adversaries from action and to control escalation. to help with all of this, we requested and received enhanced acquisition and manpower authorities and i thank congress and the president for the authorizations granted to cyber command in the fiscal year '16 ndaa. this represents a significant augmentation of our ability to provide capabilities to our cyber mission teams as well as our ability to attract and retain a skilled cyber workforce. we're studying how to best implement the provisions and laying the groundwork needed to put them into effect while in parallel evolving a formalized synchronization framework to optimize the employment of our cyber mission force. with that, thank you mr. chairman and members of the committee for convening this forum and inviting me to speak. >> thank you, admiral rogers. general dempsey was asked about our ability to address challenges to this country and he basically, he stated that we have significant advantages in
9:48 am
every major challenge except one, and that was cyber. do you agree with general dempsey's comment about a year ago? >> i do. the phrase i use internally with him is "cyber is one area we have to acknowledge that we have competitors who have every much capacity and capability as we do." >> that i would say to my fellow members of the committee emphasizes our need to address this issue in a comprehensive fashion, so after we finish the defense bill, i would, i will spend a great deal, this committee will spend a great deal of its time on this issue since the threat is as admiral rogers just stated. you stated last year in the house hearing there's still uncertainty about how we would characterize what is offensive and what is authorized. that boils down to a policy decision and to date we have tended to do that on a case by
9:49 am
case basis. in other words do we preempt if we respond, how do we respond? all of those it seems to me are policy decisions that have not been made. is that correct? >> i guess chairman the way i would describe it is we clearly still are focused more on an event by event particular circumstance and i think in the long run clearly we all want to try to get to something much more broadly defined and well understood. >> so that you understand when you detect an attack as the exact wording a probable attack, so right now you are acting on a case-by-case basis. >> sure. >> does russia have the capability to inflict serious harm to our critical infrastructure? >> yes. >> does china have the same capability? >> some measure of the same capability, yes. >> how is china's behavior
9:50 am
evolved since the opm breach? >> we continue to see them engage in activity directed against u.s. companies. the question is, i think, that we still need to ask is, is that activity then in turn shared with the chinese private industry? we certainly acknowledge that states engage in the use of cyber as a tool to gain access and knowledge. the question or issue we've always had with the chinese is, while we understand we do that for nations to generate insight using that than to generate economic advantage is not something that's acceptable to the u.s. >> do you agree that the lack of repercussions emboldens those seeking to exploit the u.s. through cyber? >> yes. >> admiral, we are looking carefully at a consolidation of
9:51 am
command here as far as your responsibilities are concerned. i believe that the secretary of defense will also support such a move, so i will be recommending to the committee that we include that consolidation in the defense authorization bill as we mark up i think my friend senator reed also agrees with that. would you agree that probably the issue of cyber warfare is the least understood by all of our leadership, including in government, executive and legislative branch? >> it's certainly among the least understood. i think that's a fair -- >> and is part of this problem is that this challenge is rapidly evolving? >> i think that's clearly an aspect of it, the speed and the rate of change, as well as the complexity. it can be intimidating. i'd be the first to acknowledge that many find this a very
9:52 am
intimidating mission area. >> if you had a recommend for this committee and congress as to your significant two or three priorities, what would you recommend? >> in terms of cyber overall? >> action that you'd like to see the congress and the executive branch take. >> we're able to defend our systems as well as our networks and we need to think beyond just networks. >> which to me is the policy but please go ahead. >> secondly, we need to continue to generate the complete spectrum of capabilities to provide options for our policymakers as well as our operational commanders so when we have these issues, we've got a series of capabilities that we can say here's some capabilities that we can choose from, and then lastly, i think we've just got -- the other point i try to
9:53 am
make is we've got to figure out how to bridge not just -- the entire government about this problem set. >> would you also agree that sequestration could threaten you with a hollow force after you've recruited some of the brightest minds in america to help you? >> very much so. fy-13 when we shut down the government, i can remember going. i was in a different job at the time but i was leading the navy cyber effort and much of my workforce explained to me admiral why we should stay with you if this is what we're going to deal with. being told we're not going to get paid. i can remember telling them in '13, please stay with us, i hope this is a one time thing. >> but sequestration means further hampering -- >> because everything is -- our ability to meet the time lines we've been given have been predicated on the sustaining of the budgets. if we go to sequestration
9:54 am
levels, it's not in a timely way. right now that we're on the hook to do. >> chairman reed. >> one of the issues discussed and i mentioned in my opening statement is raising cyber command to a full unified command. yet i also noted and you acknowledged only half of cyber comma commands. initially capable. ioc i should say. and then some critical element such as training, environment, platform doesn't exist. are you in your mind mature enough to be a full uniform command now or -- >> yes. >> and what would that advantage give you? what would that decision give you? >> generally when we think about what tends to drive should something be elevated to a command? broadly across the department,
9:55 am
we tend to focus on the imperatives of unity of effort. functional not geographic. in this case, does the function rise to a global level and is it of sufficient priority to merit coordination across the entire department. the other issue i would argue is one of speed. all of those argue -- again, i just am one input. i realize this is a much broader decision than just admiral rogers. there's many opinions that will be factors in. my input to the process has been combatant commander designation would allow us to be faster. i would also argue that the department's processes of budget prioritization policy are all generally structured to enable those process. that's what they're optimized for. i believe that cyber needs to be a direct part of that. >> the relationship with nsa.
9:56 am
there are several options. one is to have separate command. one option or additional option is to at least at a future time have the option to divide the dual hat arrangement. can you comment on that? >> so my recommendation has been for right now you need to use them dual hatted. the very premise when we created it six years ago when we said to ourselves we were going to maximize the investments the nation already made in terms of infrastructure and capability. so because of that we didn't have a huge military construction program. for example, for cyber command. and put these cyber mission forces, the 6,200, different structures. we said we were going to take nsa's existing spaces to be able to do that. my input right now based on the very model we created, cyber
9:57 am
command. that at the current time it would be difficult, not impossible, first to acknowledge that. >> uh-huh. >> it would be difficult or less than optimal in my opinion to try and separate them now. i also argued we need to continue to assess that decision over time. you need to make it a conditioned-based assessment as to some point in the future does it make more sense to do that. >> part of that the fact if you are unified command you will be developing alternatives to nsa capabilities. >> yes. >> exclusive to cyber command. so at some point, you could have an infrastructure that looks remarkably like nsa and the synergies you're talking about now operational. one of the issues that you depend upon the service to provide a great deal of resources. in fact, it is really i think interesting to note that only half of these identified units or at least initially capable
9:58 am
and then it doesn't seem to be an intense training effort that's standardized and in place right now. what can you do -- what can we do to accelerate these units in terms of maturity and their training environment? >> so if i could, senator, i'm going to respectfully disagree -- >> that's quite all right. well, you have to be respectful. >> remember, we started this build process in fiscal year '13 and we said we would finish it by the end of fiscal year '18. full capability and ready to fight in a high demand environment. we're pretty much on track, as i've said publicly, if you look right now. in fact, in the last two months, i've actually managed to increase since the last assessment i did in february where i publicly said based on the data i believe we'll meet
9:59 am
ioc for 91% of the teams on time. in the two months since then, i managed to work with the services and for ioc, we're up to 90% of the force and for foc we're up to 93, we're still at 93% of the force. my only point is i'm not critical of the services in terms of they're generating the force. i think they're making a very good effort and it's on track. it's not perfect but it's now on track. they've also been very willing, when i've said what we need to do is ensure we have one integrated joint capability how we work cyber. there's got to be one structure, one training standard. every service agreed to adhere to that. in that regard, i'm also very comfortable with what the services are doing. we anywherally foe all initiall
10:00 am
teaching teams. and as you both -- chair and ranking member said in your opening statements, that's not enough. what we're fighting now is it's the other things that really help enable and we've got to focus more on. >> thank you, thank you, mr. chairman. >> thank you, mr. chairman. admiral rogers, in december last year, you published an article, saying the challenge for the military cyber workforce, and you discussed, as you did in your written statement today, the importance of developing and maintaining this force. when you talked about it, i guess it was the chairman, his statement. the 120 teams where we are right now, aiming to 133, what comprises a cyber team? >> they come in several, several different types. there's what we call combatant
10:01 am
command mission teams. those are aligned with combatant commanders. they are generally designed to create offensive capability, if you will. there are cyber protection. those are about in that team ccmts. they're about 65 individuals on a team. if you look at cyber protection teams, slightly different missions, different structure, different focus, they're about 39 individuals per team. each of those two teams, the cyber protection team has a small subset of about 23 individuals. what we call support teams. so that just gives you a sense. >> sure, sure. when you add all that together, that's when you come up with the 6,187. as was brought out in the chairman's statement, you'd really have to know. well, first of all, you're drawing from institutions that are training these people. this is new.
10:02 am
this is brand-new to a lot of people, including a lot of people with this table. i know in my state of oklahoma, university of tulsa has really made great progress. in fact, your predecessor was out there, working with them. i understand from the senator similar things are happening in south dakota. you've got these kids out there, they're learning this, they're determining what they're going to do for a career. now, i think it's a good question when you say -- when we ask the question, can we really depend on sustaining in this environment that we're in right now this -- these teams, this number, this workforce, so that individuals out there would be aiming their talents toward helping us. because there's going to be a lot of competition for these kids. how confident are you that we're going to be able to maintain the level necessary to attract good people? >> so experience to date says we're doing a good job in that
10:03 am
regard. both our ability to recruit and retain. what tends to drive that to date, our experience suggests, is the desire of men and women to be part of something bigger than themselves. to do something that matters. to do something on the cutting edge. that if you will is really what powers the men and women of the teams. i'm always talking to my fellow leaders about so what are the advance indicators we should be looking at that will tell us if that trend is changing? there are a couple skill sets within the mission force that i've mentioned separately previously that i may, in fact, come back to the committee with to say, look there may be some additional measures here. >> that would be a good thing to do for the report. i'm running out of time here. a couple other things i wanted to get to. i agree with you, you say that the states that we watched most closely in cyberspace remain. russia, china, iran and north
10:04 am
korea. at the same time, i notice there's an effort and this came when our fbi director james comey was in contact with these people, that they were -- china is trying to develop a closer relationship with us when, in fact, they're the ones that we're going to be watching. you're not entertaining any -- any kind of a close relationship with them that might impair that, are you? >> no, sir. >> okay, good. yesterday, in the -- an article came out on the report that says the pentagon doesn't know who's in charge for responding to a massive cyberattack. they go on to talk about the northern command. they talk about what we are doing. they're talking about homeland security. and you're familiar with this report that came out yesterday? >> no, i'm not. i'm familiar with the broad premise. >> okay, the conclusion of the
10:05 am
report, i'll just read this. we believe by issuing or upgrading guidance it clarifies rules and responsibilities of relevant dod officials. dod will be in a better position to plan for and support civil authorities in a cyber incident. this is a gao report. i suggest that you look at that and see if we have reached that, their conclusion so far, thank you, mr. chairman. >> senator manchin. >> thank you, mr. chairman. we face a wide range of cyber threats. nearly every briefing, i've asked about the issues of cybersecurity. and protecting our power grids. >> yeah. >> it's a very important issue to me and the amount of power our little state produces for this country. in the short-term, which cyber
10:06 am
threat is most dangerous to the united states? our grid, our food supply, our water supply, what is most vulnerable that we should be working on? >> power and basic infrastructure, something always concerns me, because the potential impact on the nation is very significant, should we have significant issues there. i'd always argue one sector that i worry about a little bit is you look at the amount of personally identifiable information that is resonating out there. a lot of various health care is a good example. with the amount of data that we have all provided to the medical world that is available out there on all of us and our families, that worries me about, you know -- that's reflected and you look at opm, the anthem health insurance large data concentrations are now increasingly becoming a target.
10:07 am
because of the power of big data and analytics. massive amount of data that ten years ago we would have said to ourselves no one can really comb through that to generate insights or find anything, it's just too large. you sure don't have those conversations anymore. >> we talk about cyber, we talk about basically our corporate hacking, if you will, for proprietary reasons. then military hacking that goes on for defense reasons. then you look at everyday life that we've come to expect that could be probably disrupted with quite alarming concerns. >> yes, sir. >> in your testimony you mentioned the reserve forces are being assign to all levels of u.s. cyber command and cyber mission forces. can you elaborate on what the reserve component, specifically the national guard, bring to the table for the cyber mission? >> well, you're able through our guard and reserve teammates,
10:08 am
you're able to access a set of manpower that potentially is using these same skill sets in their day to day work in the private sector. you're able to also access at times a very different perspectives which works out very well. we were adamant from the beginning it needed to be viewed as a total force. it was not going to optimize the full range of capabilities that are out there. you've seen in the last six months the guard and reserve capability starting to come online and flesh out as well. >> the national guard in west virginia, we don't have a base and our guard is everything to us. being a former governor, i understand the importance of our guard. we've been so active in aggressive recruiting. some of our best and brightest were coming into the guard for all the opportunities,
10:09 am
especially educational. it's an area they could designate and pinpoint for you to bring in some of these really sharp young talents that can help us defending ourselves, cyber. >> the guard is doing now. i spend a lot of time talking about how do we do this in an integrative way. >> you say isis main focus is propaganda, recruiting and radicalization of others. can you elaborate further on this disturbing statement and how they've been successful? >> they've harnessed the power of the information arena to promulgate their ideology on a global basis. to recruit on a global basis to generate revenue. and to move money. as well as coordinate some level of activity on a large basis.
10:10 am
the challenge i look for, what concerned me when i look at the future, what happens if the nonstate actor, isil being one example, starts to view cyber as a weapons system. that would really be a troubling development. >> in a very simplistic way, people ask why can't we shut down that part of the internet, why can't we interrupt isis' ability to go on social media and attract? why are we not able to infiltrate that more? >> i mean, i would -- the idea you're just going to shut down the internet given its structure and complexity is just not -- >> i've had people ask me, that area of the world where all the problems are coming from, whether it be in syria or parts of iraq, iran. things that we might have some input and control over. it's not possible? >> it's just not that simple. i wish i could say there's a part of the internet that is only used by a specific set of
10:11 am
users but there are all sorts of -- >> i'm just trying to get an answer. that question is asked quite a bit. shut it down like turn off your telephone. but it doesn't work that way. thank you for your service. >> thank you, mr. chairman. thank you for your service. you're in the middle of some decisions that have to be made by the united states sooner rather than later. our congress passed -- well, carl levin was chairman then. evaluate vulnerability of our systems and issue a report how to defend those. that time passed. we've issued another legislation last year that said the secretary of defense shall in accordance with the plan complete an evaluation of the cyber vulnerabilities of each
10:12 am
major weapons system of the department of defense not later than december 31st, 2019. so we've given an additional date there. but not later than 180 days after the day of this enactment, which i believe is may this year, the department of -- the secretary of defense shall submit to the committees the plan of the secretary for the evaluation of major weapons systems, including an identification of each system to be evaluated and priority among the evaluations. are you familiar with that? is the defense department on track to complete that initial report? >> i am familiar with it. i'm sorry i'm not in the weapon acquisition business. i'm not the best informed as to the current status. i know the effort is ongoing. cyber command part of that
10:13 am
broader effort. if i could just take that one for the record, i apologize. >> well, if you would. on a bipartisan basis congress recognized several years ago that our weapons systems -- it started out for space, missiles and anti-missile systems being evaluated. then we realized large segments of our defense capability are vulnerable. we've had a broader report. i believe it is important for the secretary to complete this on time, if not sooner. chairman mccain's questions and senator inhofe's questions. i would refer to this report that just came out. the pentagon does not have a clear chain of command for responding to domestic attacks on domestic targets within the united states according to the federal government's principal
10:14 am
watchdog gao. does that concern you? >> first of all, i haven't read the report so i'm not informed as to specifics. i would argue the chain of command. >> the chairman asked you when are we going to develop a policy, what we might do in response, how to ratchet up responses relative to the threats we face. so i hope you would look at that. does commercial and economic and private companies that are a big part of the entire network of cyberworldwide, many of those impact our allies, our friends and many of those -- many
10:15 am
companies could be based in countries that are not friendly to us. and would like to penetrate our systems. are you concerned that all of our allies, asia, europe, need to be aware of this danger and are we working to make sure that segments of those systems aren't adopt -- purchased by entities that could be hostile to our joint interest? >> i share your concern about supply chain vulnerabilities. >> that's a good word. supply chain vulnerability, okay. >> and it is growing in probability, if you will, given the nature of the economic world we're living in now. we have a process within the u.s. government to address these issues from major purchases, companies, national security priorities. we have a special process in place for some components of dod
10:16 am
infrastructure like the nuclear world for example. if you look at its proliferation of the issue generally across both allies and ourselves, this is an issue that's only going to get tougher, not easier. >> could be going on for decades, it seems to me. do we need to meet with our allies to develop a unified policy to develop our joint systems? >> it is a discussion we have with our allies and it's much -- as you said, this goes across the commercial sector dod, government at large. it's out there for all of us. >> well, i thank you for your leadership. you're at the focal point of a critical issue. and tell us what we need to do to help you. >> roger that. >> thank you, mr. chairman. i need some clarification of
10:17 am
what your responsibilities are in cyber command. are you responsible for protecting this country from cyberattacks on private networks and corporations? or is it simply government networks? >> so dod has a responsibility to defend critical infrastructure against events of significant cyber consequence. >> so critical infrastructure, for example, in may, we had three urgent care centers that were hacked. we had main general health, which is one of our major health care, they were hacked. is that part of your -- what's the definition of critical infrastructure? >> there are 16 segments that the federal government has identified. the second components. is not just the sector that was attacked so to speak but also the magnitude of the event. in dod, we use the phrase significant cyber consequence.
10:18 am
the department of defense is not resourced nor is it currently tasked with defending every single computer structure within the united states. we try to identify where can our finite resources be best applied. critical to the nation's infrastructure. and then those circumstances the actions against one of the 16 segments reaches significant cyber consequence. >> in terms of national defense, we're being -- it's death by a thousand cuts. i mean, we're being hacked every day. insurance companies, businesses. some of it is cyber espionage, as you point out. but some of it's criminal. it seems to me we need to be thinking about who is responsible. i mean, i understand you don't call out the army if there's a criminal in one town. you have local police. there's a gap here. do you see what i'm saying? >> yes, sir. >> there's a gap in our defenses because we really don't have the
10:19 am
infrastructure of the state police or local police that would protect local interests when they're being attacked. you have the expertise. we have to work out something between cyber command and local law enforcement, if you will, to protect us from these repeated and continuous and escalating attacks. >> i urge us to think more broadly than cyber command. how do we harness the capability that is resonate within our government structure, teamed with the capabilities that are in the private sector? it's much bigger than -- don't get me wrong, we're definitely a part of this. i always urge people, we've got to think more broadly. >> i think that's a good way to articulate it. we keep talking in these hearings. when are we going to have a well-developed and articulated cyber deterrent strategy?
10:20 am
we need definition of what is an act of war, what is a proportional response, what is a mutually assured destruction situation. this seems to me -- is this in the works? if so, when? >> sir, don't have a date for you. i am part of those discussions. i'm the first to acknowledge that. i try to provide an input and just be one voice as to what i think is the direct broadly we need to go. i apologize, senator, i don't have a specific date or time line for you. >> it just seems to me this needs to happen. we've been talking about this as long as i've been on this committee and we aren't there yet and yet something terrible is going to happen. a lot of people are going to say, why don't we have a deterrent policy. i would urge you and counsels of the administration to push for a
10:21 am
sense of urgency on this question. because if all we do is defense and there's no deterrence, ultimately we're going to lose that battle. >> yes, sir, losing strategy. >> final point, i know you talked about this earlier. i'm finding it harder and harder to justify you holding two jobs, given the complexity. this arrangement was created in 2009 which in technological terms was a century ago. i just can't -- i mean, i understand the relationship between nsa and cyber command. particularly if we move in the direction which i think we are of setting up cyber command as its own independent combatant command, to have the same person trying to run those two agencies i just think is impractical and almost impossible. >> i've been doing it two years to date. >> you've been doing it very
10:22 am
well. >> so, what i said in my initial comment, i agree it's something we need to continue to assess. i agree in the long run probably the best course of action is put both organizations in a position where they're capable of completing their mission in a complementary and aligned way than in a more separate way. the reality is we're just not ready to do that today i believe. don't get me wrong, if i am ordered a directive, i get paid to make things happen. >> cyber command should be its own combatant command? >> i do, sir. >> thank you. thank you, mr. chairman. >> subject to the will of the entire committee, that would be my intention and i -- senator reed and i would propose that on the defense authorization bill. right, jack? >> i think so, sir, i think that's something we're going to consider. i think it's valuable to have
10:23 am
admiral rogers' comments today and consider them as we go forward. >> thank you, senator fisher. >> thank you, mr. chairman. i look forward to the discussion on raising cyber to its own combatant command. on the importance of cybersecurity for this country. admiral rogers, in your prepared statement, you mentioned the cyberattack on ukraine's power grid and you also note that you have seen cyber actors from more than one nation exploring the nature of our network's critical infrastructure. do you believe our national teams possess the necessary skills relating to industrial controls and systems to be able to stop or to recover from an attack on our power grid? >> we have the skills. the challenge for us at the moment is one of capacity. what i mean by that is in the two years i've been in command, i have yet to run into a situation where we didn't have the skill set to apply against
10:24 am
the problem but the challenge at the moment -- because we're still in the midst of that build. if we had multiple events simultaneously, for example, that gets to be -- where we are right now, snap the chalk today, so to speak, capacity really is the greater concern to me than capability, if you will, if that makes sense. >> i understand your demands on the force to exceed that capacity. as you add those capabilities, how are you going to prioritize the duties and the responsibilities you're going to have? how do you plan to prioritize placing that building competency with our industry control system? is that going to be something you're going to focus on in the near term or is it going to take a back seat to maybe some of the
10:25 am
other areas that you're looking at for the cyber mission forces? >> so it's something we're doing right now. i would also highlight the very construct of the force by creating a separate section of the force that is focused purely on defending critical infrastructure was designed to account for that. how do you make sure you prioritize this capability, ensure at least an element of the force we are building is focused like a laser on the defend infrastructure mission set? it's the carved out entity. >> you have a plan to work with services then on building that? >> oh, yes, ma'am. >> is it -- is it near completion? you heard senator king ask about policy. we've been asking about policy for a long time. we don't have a policy. so if we don't have a policy, how are we going to develop
10:26 am
plans? >> i remind people, look, even as we're trying to get to the broader issues that you have all raised, much of which is outside the command, our mission is to ensure we're ready to go as those broader issues are being addressed. so we're trying to deal with the piece by generating the capabilities we think will be part of that deterrence discussion. by generating the defensive capabilities we think will be part of that deterrent discussion. i don't want to wait for everything to fall into place. that we can't afford to do it that way. as perfect as it would be in some ways. >> i agree with you, we don't have time to wait. >> yes, ma'am. >> when we look at the department, what level of communication do you have with the different communities within the departments? say with regards to acquisition or installations to ensure that the items we purchase or the facilities that we're building are able to take those threats
10:27 am
that we're looking at from cyber into account? >> i would tell you the acquisition piece is one of the areas that we still need a lot of work. it's not because people aren't working hard. but i've always been struck by the analogy we would never buy a ship, a tank, an aircraft, without the operational vision driving exactly how we designed it, built it, structured it. and yet for much of our networks and infrastructure, that has not historically been our model. we focused on efficiency and price. didn't really focus on operational impact. we didn't really think at the time we'd be dealing in a world in which foreign actors, nonstate actors, would be using those systems as access points to materially degrade our capability. we just didn't anticipate that decades ago. and that's the world we're in
10:28 am
now. we're trying to overcome literally. >> it's happened in private industry. >> right, decades of investment we're trying to overcome. >> and do you -- last question, do you have any many if our adversaries have targeted any infrastructure on our military bases? >> yes. >> thank you very much. >> senator. >> thank you, mr. chairman. thank you for your distinguished service. i want to focus on the challenges of recruiting young people in an age where the best and the brightest who have knowledge in this area have so many opportunities. many of them highly paid and challenging in their professional issues.
10:29 am
young americans are entering the workforce with computer technology that has been part of their entire lives. not so much for us of a certain age. i wonder if you could tell us how successful you and the obviously important forces under your command have been in recruiting and keeping talent in this time and what we can do to help. >> i'm very comfortable with where we are on the uniform side. the same things that lead a young man or woman in our nation to decide they want to pick up a rifle and take on that challenge leads men and women to decide they want to put on a uniform and pick up a keyboard. that has not been the biggest challenge. the area that i've told the team we probably need to take a
10:30 am
greater look at is on the civilian side of this. because we have got a vision. you've got to create a workforce that is both active in reserve military as well as civilian component to it. you get that breadth of expertise you've referenced. there's a couple skill sets already where i think i'm going to have to come back to the committee to say look, i'm probably going to need help here. can i come up with some different processes or options that would make things more attractive to particularly some high-end, very small number of skill sets that i don't have huge numbers of but they're incredibly valuable for us? that's one area where i'm thinking i'm probably going to have to come back. my experience is telling me, mike, we need to step back and take a look at this piece of it. >> is there sufficient -- are there sufficient resources devoted to research the
10:31 am
personnel available to supervise that research and, in effect, planning for the future? >> right. i'm not going to pretend for one minute you have all the people and all the money you would like. i would argue characterize it as reasonable right now. as a commander, i've said to myself, wow, we've got a deficiency here that would impact ability to complete the missions. i haven't seen that. >> i know you indicated earlier you had read the gao report. >> right, right. >> but i wonder, focusing on the local capability and particularly on the private sector, the infrastructure segment that you mentioned earlier in some of your conversations with my colleagues, transportation, financial, electric. how well are they doing in protecting themselves? >> i would -- if you look across the 16 segments and the private
10:32 am
sector that have been designated as critical infrastructure in terms of impact on the nation's security, i would argue some are a little -- some are ahead of others. i'd probably put -- financial for example not surprising in the sense that it has access to more resources than some, has come to the conclusion that cyber potentially calls into question their very business model since it's built on the idea of trust and the ability to move funds globally through these transactions, if you will, we all believe in and trust. on the other hand, there are some industries, in their defense, i look at them and they're quick to remind me, hey, remember, our business model is different, we're a regulated industry, for example, in order to generate resources to apply to increase our cyber defense and our cyber capabilities. the only way for us to do that is to raise rates, for example, most consumers not really
10:33 am
enthusiastic about that. most regulatory bodies not necessarily overly enthusiastic about that at the moment. >> and those regulated industries would be electricity -- >> power's an example. there's a couple of others that fall into that. and are there unregulated industries that you would put at the bottom of that list of readiness? >> there are some i talked about. health care is one of the 16 segments i look at. i go that's an area that probably needs a top to bottom. it's really outside my immediate mission and i don't bore into it every day. we're going to be tasked to provide our capabilities to partner with. it's an area i pay attention to. >> thank you, mr. chairman. >> thank you, mr. chairman. admiral rogers, first of all, thank you for your service. i find it interesting that as
10:34 am
you work your way through this, you're in a brand-new area. you're trying to determine how to respond and how to protect. it seems when you lay this out, you have 16 different segments within the area you're responding to. fair to say they break out into either information or data systems and operating systems in terms of how we look at the data systems that we're looking at as being vulnerable, data system being the collection of information on individuals and operating systems being those systems perhaps necessary for it is infrastructure within our country? a fair way to break out? >> i guess that's fair to be honest, senator, i never really thought of it that way. >> the reason i ask, it would seem while information systems
10:35 am
would be material that would be trade secrets that may very well be information on an individual such as the information we lost at the federal level when our federal systems were hacked. at the same time, we have an operating system out there for the utilities. we have operating systems out there for dams. we have operating systems for nuclear power plants. clearly in those areas if someone with intent could get into an operating system, they could do significant amount of damage. perhaps bodily injury. when you look at your role and the role of cyber command, do you see them protecting, do you see your world different with operating systems versus data and information systems? >> so our protection scheme, if you will, is based on two different pieces of strategy.
10:36 am
the first component of our strategy is our intent is to go into foreign space to stop the attack before it ever reaches those systems. the second component of our strategy is to apply defensive capability, working directly with each of the individual elements, if you will. to say if that fails, we'd also like to work with you on how you might shore up your systems and vulnerability. the other point i want to make sure i articulate and i probably should have done a better job this morning is a reminder, u.s. cyber command and dod at large provide our cyber capabilities and defense of critical infrastructure in the private sector in partnership and in support of dhs. dhs has overall responsibility in the federal government for the support for the private sector when it comes to cyber. i don't want people thinking, well, it's just cyber command and just the private sector. there's a broader set of players
10:37 am
out there we integrate with and we support. >> an attack in either case would be done in milliseconds, fair to say? so unless we have the system in place and we knower who wrae wht we're there to respond in advance, we don't know whether or not we're going to be able to do it in time. at that point, we simply respond afterwards. would you say that today we have systems in place to appropriately protect, for lack of a better term, i'm going to call the operating systems and the information systems that we have, do you feel that the protocols are there? i'm going back to what senator king was alluding to earlier. i'm not sure we have the definitions prepared yet to allow you to respond immediately within milliseconds unless we talk about it and we lay it out. is it there today? >> so across the board with every single component of the private sector, no, it's not. the other point i would make is
10:38 am
cyber's no different than other domains. what is likely to be coming at us gives us the knowledge and insight, the warning, if you will, to anticipate and act in advance. it's every bit as true for the centcom commander. warning continues to be critical for both of us. >> today, if our forces were aware of an attack on them, they have the ability to respond. but if it was property or entities that are within the united states, do you have the capability to respond today, if it is not a military but a civilian or a civil target? >> so, is there a process? yes. is it something i can do automatically, instantaneously, no. >> if that's the case, then it has to happen first because for all practical purposes, the attack will be instantaneous. >> we have to get the warning in advance. >> it would have to be enough
10:39 am
time for you to get out and to have a political discussion for all practical purposes about whether or not you can -- >> again, it would depend about the scenario. there's some mechanisms where we have the application in place. >> but not one in milliseconds? >> right, no, i'm not going to pretend for one minute it's something you do in milliseconds. >> thank you. >> thank you, admiral, for being here. >> senator. >> let me start with your acquisition personnel. some of the saddest stories of waste have been in the acquisition of i.t. within the military, frankly within government. a lot of that has had to do with knowing what you need to buy when you need to buy it and when legacy systems need to be scrapped and how nimble we can be with off the shelf.
10:40 am
i'm not sure the military has been a great example of that flexibility and the ability to move with the technology. so i think these acquisition personnel are pretty important. so do you have the ten in place that are supposed, that we authorized in order for you to make the wisest acquisition decisions possible? billions and billions of dollars wasted. >> i operate and defend. i don't buy. you have been kind enough, the committee and the congress has been kind enough to provide, if you will, an initial capability to do. we're in the process of hiring those ten individuals you have authorized. i am very mindful -- as i remind the team, it is about generating outcomes, guys. that's why we're granted this authority. that's what we need to be mindful of. not interested in spending money for the sake of spending money. it's about generating capabilities that directly impact our mission in a material way. >> well, i would be interested in how you are acquiring with
10:41 am
more detail if you would provide it, how you're finding the right acquisition personnel and how competitive are we in finding the right personnel? in many ways, i think that's the key to the kingdom. if we're going to have the capabilities in this space, a lot of it is, you know, people being trained but a lot of it is also underlying -- >> yes, ma'am, you have to buy the right capabilities. >> so i'm just worried about getting the right people making those decision. i would like to stay updated in that progress. what kind of coordination does your command have at this point with our nato allies, with israel, with arab allies? i'm particularly interested in any coordination you have in cooperation with nga -- >> i'm not going to publicly -- >> obviously. >> in this forum go into specifics. i would only tell you we partner with -- we have a handful of nations right now. we have a very direct, very real
10:42 am
relationship with, with respect to capabilities, real-world operations. i won't go into specifics of the who. one of the challenges, cyber, like any other, we have to prioritize. when i look at foreign relationships, i ask where is the greater return for us as a department, the dod, and where is the greater return for us, u.s. cyber command. with the discussion with the team what we are not going to do as i discuss what we are going to do. particularly since we're still in the midst of building this capability out, prioritization, guys, we can't do everything. we've identified an initial set of foreign partners, if you will. those partnerships today are generating capability we're actually using today. >> great. and maybe in a classified setting, i would get more information -- >> yes, ma'am.
10:43 am
>> what is the ratio of civilian versus military in the command at this point? >> it's about -- we're trying to build about 80% military, 20% civilian. if you looked at it today as a snapshot, it's probably -- off the top of my head -- 70/30. 70% military, 30% civilian. >> and what about contractors, what is the ratio on contracts, and what is your goal on contractors? because this could be an area -- >> right. >> and of course underlying that is a concern about the actual screening of contractors. what do you want it to be going forward? >> we probably right now -- apologize, trying to do the math in my head. it's probably about 25%. over and above, we have an additional 25 -- we have about an additional 25% in a
10:44 am
contractor base. >> is that where you would like to be going forward? >> i'm a little bit leery of overrelying on contractors. i try to remind people cyber is a domain in which we conduct a wide range of military operations. those operations need to be conducted by military personnel. i'm not trying to minimize the role of contractors. i just try to remind the team it's not one size fits all. we've got to step back and ask ourselves what's the right allocation. i'm pretty comfortable right now. i wouldn't argue it's among my highest priorities in terms of increasing the ratio of contractors. i'd argue right now probably priority number one manpowerwise is the civilian piece. i'm very comfortable with tracking, going the right way. the civilian areas, know i'll be paying more attention to in the coming years. >> thank you, admiral.
10:45 am
>> thank you for your fine work, admiral. can you hear me? >> yes, sir. >> the threats nation statewise in terms of who we're most threatened by? >> i would argue russia and, again, probably in terms if you look at capability, the other four we have publicly acknowledged we pay great attention to, china, iran, north korea. the nonstate actors, the other category where i looked, that could be a game changer, some of the dynamics to change. >> on the terrorism side, could you give us the top couple of terrorist organizations you're worried about? >> it's not that i don't know -- an unclassified form -- >> all right, we won't. on the criminal side, what areas of criminality do you worry about the most, what countries? >> i would argue right now russia probably has the most active element with the greatest capability. >> do you think the russian
10:46 am
government's doing anything constructive in terms of regulating their criminal activity in cyber? >> i would only say it doesn't appear to be getting much better. >> what about iran? has iran gotten better in the last year in terms of their cyber activity? >> yes. >> are they less threatening? >> i apologize -- >> are they less threatening or just more capable? >> i argue they're increasing their investment, they're increasing their level of capability. we've not seen the same level of capability from them we've seen historically in the past. i have seen some of that same activity directed at other nations and other groups around the world. >> they're improving their capability? >> yes, sir. >> do you know if any of the money they're getting from the iranian nuclear deal has gone into their cyber upgrades? >> i don't know for a fact. >> okay. is it fair for the country to establish as a policy cyber dominance over enemies that we want to be -- have a dominance in this area of warfare?
10:47 am
>> i want to think -- i would argue we have the same level of capability and supremacy in cyber as we articulated we have in every other. >> let's go down that path. i associate myself with senator king about what we need to do as a nation. the navy. there's a difference between the russian navy and the american navy, is pretty wide? >> yes, sir. >> and the cyber arena, how close is it? >> i have publicly stated before, the russians i would consider in cyber peer competitor. china not in the same place but rapidly attempting to get there. >> the gap between the dominance we have on the seas, in cyber is not nearly -- >> not nearly the same. >> okay. when it comes to iran, when you compare their air force to our air force, what's the gap? >> significant. >> okay and the cyber arena, less significant? >> less significant, but it's
10:48 am
still an area of significant advantage for us right now. >> are the iranians trying to close it? >> oh, they are. >> so from a nato point of view, you're familiar with article five, an attack against one is an attack against all? is there any concept in the cyber arena? >> publicly talk about the fact they believe article five applies to all domains of warfare. >> do they have any rules engagement that would identify what a cyberattack is? >> we're still trying to work our way through that. >> when do you think we'll arrive at conclusion to senator king's question? >> boy, i don't know the -- >> what's the biggest impediment to us getting there? is it the congress? is it the -- >> no. it's as much in some ways as -- again, this is just -- it is much in some ways from my perspective as well this is an
10:49 am
intellectual exercise. this is something we can afford -- >> basically for protecting us and the final service power arena, our civilian targets. >> sir. >> you're responsible for protect the military infrastructure -- >> and provide support to that infrastructure if requested. >> you're also responsible for going on offense. >> yes, sir. >> dhs is not going to attack a foreign nation, you would? >> yes, sir. >> how can we as a nation, given the threats we face in the cyber arena, not really have a good answer as to what's the impediments to creating rules of engagement? >> i apologize, you really need to speak to the policy side. >> yes, but you're an operator. >> yes, sir. >> so who do you talk to about, hey, guys, let's see if we can get there? >> the secretary of the defense or the office of the secretary of defense. >> how do they respond?
10:50 am
>> i think intellectually we all realize that's what we need to do. >> is there anything congress is not doing that you would like us to do to help resolve this issue? >> thank you, mr. chairman. admiral, i know you talked a little about cyber teams in response to earlier questions. establishing many of these cyber teams is a good idea. as you and your colleagues look to establish additional cyber units in the future and while i'm sure you're looking at this region, meaning the pacific region, i ask that you look closely at the needs of the asia-pacific region. in hawaii for example as you well know we have pacom, nsa
10:51 am
hawaii, very component commands and other agency regional officers that are, offices that are likely targets for cybercriminals and as we focus on the rebalance of asia-pacific, obvious. last september the u.s. and china did agree that neither government would support or conduct cyber-enabled theft of intellectual property. now that we are six months down the road, would you say that china is living up to this agreement? i don't know how specific that agreement was, frankly. but you know, it seemed like a good idea for the two countries to enter into that kind of a dialogue and discussion. but really, what is happening with regard to that agreement? >> so if i could, what the agreement said was neither nation would engage in that activity for the purpose of gaining economic advantage for their private sector. we continue to see chinese activity in this regard, the
10:52 am
million-dollar question is, is that activity for governmental purposes or is it being then passed from the government to the private sector? from my mind, the jury is still out in that regard. it's activity level is somewhat lower than prior to september of 2015. >> but is there any way that we can determine whether china is engaging in such activity? really are, there any parameters? is there anything that we measure to determine whether these, this agreement is being adhered to? >> yes, ma'am. in an unclassified form, i'm not going into get into specifics of how we go about doing that. but yes, ma'am. >> so, one of the areas -- thank you. maybe in another context we can get to some of those questions. with regard to our ability to support our
10:53 am
cyber capabilities, training and retention really important. in that regard, s.t.e.m. education is critical. can you just talk a little bit more about what you are doing to any collaborations, partnerships you're doing with universities or community colleges to train a workforce for us? >> let's just take hawaii as an example. today in hawaii, the adjutant general for the guard in hawaii is meeting with the cyber command, nsa and elements from across the island on oahu. how can we partner more effectively in aligning that capability to deal with issues of common interest to us, in this case on oahu specifically on the state of hawaii and more broadly. you see that same hawaii is an area where we probably have gone
10:54 am
further than others, but you can see that same type of activity for u.s. cybercommand right now with what we're doing with a handful of universities across the united states with the west coast, carnegie mellon, west coast universities, tulsa, you heard one. i want to say there's something on the order of 60 to 100 right now. between nsa and cybercommand. there's one area where nsa and cybercommand tend to partner together a lot. >> obviously that needs to continue because our cybercapabilities, is something that is going to be an ongoing effort, you mentioned the importance of the private sector and whole of government, plus outside of government approach to cyber, cybersecurity needs. how do you envision the private sector's role. >> what we've tried to do at cybercommand, what i think the
10:55 am
private sector brings is technical innovation, intellectual innovation, just broad knowledge of capabilities. and alternative ways to look at problems, if you will. those are at a macro level the three things. when i look at private sector, i say wow you could add value for us in that regard. what we've done to date is created a partnership in silicon valley where i placed a very small element on the ground, the part that's interesting to me is i did not want u.s. cybercommand people out there. instead what i wanted was one individual who is a u.s. cybercommand individual and i wanted to harness the power of reserve individuals who are currently in the ecosystem in the valley, working in their day-to-day jobs. we just started it since that summer. that's started to work out very well for us, it gives us a chance to get a sense of what technical innovation is going on out there. we approach them with different
10:56 am
problem sets, and say here's an issue we're trying to work through, how are you handling this? would you give us some suggestions on how we might deal with it. i'm trying to see if we can replicate that model that we currently have in place in silicon valley in other areas, i'm looking at the east coast next as an example of that. probably somewhere in the greater boston metro area next. >> it sounds like more of an informal kind of arrangement right now. maybe going forward, you would want to maybe institutionalize this kind of collaboration with the private sector. >> yes, ma'am. >> thank you, mr. chairman. >> thank you, mr. chairman. admiral rogers, i don't envy you with the job you have, the complexity and the additional challenges that we have as the chairman has said about sequestration things that are on the horizon that you have to worry about. in listening to the discussion, i think one thing that's very important is we're never going to have the perfect weapon. absent the united states coming
10:57 am
up with a game-changing offensive or defensive capability of the scale of the manhattan project, you can't possibly get inside the decision cycles of the state actors, and organized crime, terrorists and other people, and when you think about decision cycles in this realm, you think about every single day, you get new malware, viruses, added to your pc, to deal with new threats that didn't exist a day or two or a week before. i'm trying to get my head around how you segregate your scope of responsibility, which is largely the vulnerabilities of say the d.o.d. or however would you like to define your scope of ability and how you differentiate that from the broader private sector threat. you've got 28 million small businesses. you have close to 19,000 businesses, with 500 employers
10:58 am
or more. you have distributed public-sector infrastructure, whether it's electric, water, gas. and the concern i have is, what we have right now is the equivalent of guerilla sniper fire or mortar attacks, we haven't seen and i think that we will see some day, a nation state or organized crime or terrorist organization, literally be in a position to execute a multipillar attack, that if they're smart, and they are, what they will do is something to disrupt you, and then disrupt your ability to react to it by attacking the private sector, which is integral to your supply chain. how are we looking at this on a global basis and understanding, as we continue to increase their abilities, they're going to figure out a way on a multipillar basis, going after a communications infrastructure. health care, whatever public infrastructure may be vulnerable. how do we actually get these
10:59 am
things to coalesce, versus finding out we do a good job in d.o.d. we create the maginot line and they go around it and disrupt it. >> you've articulated much of the problems and challenges of how you operate in this environment. because these arbitrary boundaries that we traditionally consider a d.o.d. function, a private function, this is an inherently, cyber just blurs these lines. so even as i focus on the d.o.d. mission, one reason why i've argued, we have got to think more broadly about this problem set. the d.o.d. arena is one of the reasons why for example if you look at our exercise and training regime that we've put in place, we try to do that not just within the d.o.d., but across the breadth of the private sector. we pick a different segment every year. we're going to do the power segment in this year's exercise,
11:00 am
i think it's something like 20 different corporations will be exercising with us, the guard, state, local. >> that's what i'm getting to. it's almost as if your military exercises have to involve all of these players. so they have a better understanding of their vulnerabilities and the nature of the attack that would occur. and the other question i have is to what extent are we looking at state and local governments as a way to at least, in north carolina i served in the legislature, we were talking about what we could do to work on cyber threats. i saw it also as an economic advantage. if states became good at grid-hardening or at securing the physical presences and cyberthreats, within their state borders, they create an economic advantage for people to set up business in those states. to what extent are we trying to

