tv   Key Capitol Hill Hearings  CSPAN  April 7, 2016 2:00am-4:01am EDT

2:00 am
threat, it makes sense to partner with an industry that innovates at the same pace. i'm interested in hearing how you plan to work with the information technology sector in particular. finally, mr. chairman, i would note that admiral rogers in his prepared statement quoted the director of national intelligence and that whether china's commitment of last september moderates its espionage remains to be seen. it is a very serious matter if china does not live up to the president's pledge to president obama. again, i would be interested in your comments, sir, on this issue. thank you for your service. i look forward to your testimony. >> admiral rogers, welcome back. >> thank you. members of the committee, i am pleased to appear before you to discuss the opportunities and
2:01 am
challenges facing u.s. cyber command. i would like to thank you for convening this forum. it's an honor to represent the individuals of this fine organization. i'm grateful and humbled by the opportunity to lead this impressive team. i'm confident you would be proud of the men and women of u.s. cyber command if you saw their commitment to mission and hard earned successes on a daily basis as i am fortunate to do. while my written statement goes into detail, i would like to highlight the challenges we face in today's environment. and some of the initiatives the command is pursuing to meet those challenges. over the last year, we have seen an increase of cyberspace operations by state and non-state actors. we have seen a wide range of malicious cyber activities aimed against government and private sector. at u.s. cyber command, we focus on actors that pose a threat to our national interest through cyberspace. nations still represent the gravest threat to security. but we continue to watch closely for signs of non-state actors making significant improvements in their cyber capabilities.
2:02 am
malicious actors use cyberspace to steal intellectual property and personal information and criminals' use of ransomware to extort companies is a worrisome trend. malicious actors have intruded in the networks ranging from the joint staff's unclassified networks to networks controlling infrastructure. they are using cyberspace to shape potential operations with a view to limiting our options. despite this challenging environment, u.s. cyber command continues to make progress as emphasis shifts to operationalizing the command and sustaining its capabilities. over the past year, we have continued building capability and capacity of cyber command while operating at an increased tempo. we continue to make progress in building a cyber mission force of the 133 teams that will be built and fully operational by 30 september 2018. today we have 27 teams that are operational and 6 that attained
2:03 am
initial operational capability. it's important to note that even teams that are not fully operational are contributing to our cyberspace efforts with nearly 100 teams conducting cyberspace operations today. for example, the command continues to support u.s. central command's efforts to degrade and defeat isil. last year, we noted we had just established the joint force headquarters dod information networks. today i can proudly report it has made great strides towards its goal of leading the day to day security and defense of the department's data and networks. also as the dod expands the joint information environment, we will have significantly more confidence in the overall security and resilience of our systems. our operations to defend dod networks and the nation's critical infrastructure proceed with a host of federal, industry and international partners. recognizing that dod is just one component of the nation's cyber team, u.s. cyber command's
2:04 am
annual exercises, cyber flag and guard offer unmatched realism as we train with federal, state industry and international partners. additionally, cyber mission teams are regular participants in the exercises of all the combatant commands. we need to persist in a training environment when the department is continuing to develop to gain skills and to sustain readiness across our force. i'm excited by the innovation, shift and focus on long term strategy that's emerging in the command and dod. we established a partnership program in silicon valley to link command personnel to some of the most innovative minds. a program is aligned and co-located with the department's defense innovation unit experimental. we are building on the synergy among all elements. last september, the department identified the need to transform dod's cyber security culture by improving individual performance
2:05 am
and accountability. the secretary and chairman approved the dod cyber security culture and compliance initiative to address those concerns. cyber command was identified as the mission lead for this initiative and is working closely with the joint staff and osd to build a requisite capacity and structure. cyber command is also actively contributing to the implementation of the new dod cyber strategy. the strategy released in april of 2015 provides a detailed plan to guide the development of dod cyber forces and strengthen dod cyber defense and cyber deterrence posture. the pervasive nature of cyberspace through all facets of life and across boundaries coupled with a growing cyber threat makes deterrence in cyberspace a challenge. but ever more important. a proactive strategy is required that offers options to the president and secretary of defense to include integrated cyberspace operations to deter adversaries from action and to control escalation. to help with all of this, we
2:06 am
requested and received enhanced acquisition and manpower authority. i thank congress and the president for the authorizations granted in the fiscal year '16. this represents a significant augmentation of our ability to provide capabilities to our cyber mission teams as well as our ability to attract and retain a skilled cyber work force. we are currently studying how to best implement the provisions and laying the groundwork needed to put them into effect while in parallel involving a formalized synchronization framework. with that, thank you for convening this forum and inviting me to speak. >> thank you. general dempsey was asked about our ability to address challenges to this country. he basically -- he stated that we have significant advantages in every major challenge except one, and that was cyber. do you agree with general
2:07 am
dempsey's comment about a year ago? >> i do. the phrase i use internally with him is cyber is one area we have to acknowledge that we have peer competitors who have every bit as much capacity and capability as we do. >> that i would say to my fellow members of the committee emphasizes our need to address this issue in a comprehensive fashion. so after we finish the defense bill, i would -- i will spend a great -- this committee will spend a great deal of its time on this issue since the threat is as admiral rogers stated. you stated last year in the house hearing, there is uncertainty about how we would characterize what is offensive and what is authorized. again, that boils down ultimately to a policy decision and to date we have tended to do that on a case by case basis. in other words, do we -- if we respond, how do we respond? all of those -- it seems to me,
2:08 am
our policy decisions have not been made. is that correct? >> i guess, chairman, the way i would describe it is we clearly still are focused more on an event by event particular circumstance. and i think in the long run, where clearly we all want to try to get to is something much more broadly defined and well understood. >> so that you understand, when you detect an attack or as the -- or detect a probable attack, so right now you are acting on a case by case basis? >> sure. >> does russia have the capability to inflict serious harm to our critical infrastructure? >> yes. >> does china have the same capability? >> some measure of the same capability, yes. >> how has china's behavior evolved since the opm breach? >> we continue to see them
2:09 am
engage in activity directed against u.s. companies. the question we need to ask is, is that activity then in turn shared with the chinese private industry? we acknowledge states engage in the use of cyber as a tool to gain access and knowledge. the question or issue we have always had with the chinese is while we understand we do that for nations to generate insight, using that to generate economic advantage is not something that's acceptable to the u.s. >> do you agree that the lack of deterrence or repercussions for malicious cyber behavior emboldens those seeking to exploit the u.s. through cyber? >> yes. >> admiral, we are looking at consolidation of command here as far as your responsibilities are concerned. i believe that the secretary of defense will also support such a move. so i will be recommending that
2:10 am
the committee that we include that consolidation in the defense authorization bill as we mark up. i think my friend senator reed also agrees with that. would you agree that probably the issue of cyber warfare is the least understood by all of our leadership, including in government executive and legislative branch? >> it's certainly among the least understood. i think that's a fair -- >> is part of this problem is that this challenge is rapidly evolving? >> i think that's clearly an aspect of it. the speed and the rate of change as well as the complexity. it can be intimidating. i would be the first to acknowledge that many people find this a very intimidating mission area. >> if you had a recommendation for this committee and congress as to your significant two or
2:11 am
three priorities, what would you recommend? >> in terms of cyber overall? >> action that you would like to see the congress and the executive branch take. >> i think we clearly need to focus on ensuring that we have got our defensive house in order and that we're able to defend our systems as well as our networks. we need to think beyond networks into individual -- >> which means policy. please, go ahead. >> secondly, we need to continue to generate the complete spectrum of capabilities to provide options for our policy makers as well as our operational commanders. so when we have these issues, we have a series of capabilities that we can say, here is capabilities that we can choose from. and then lastly, i think we have just got to -- the other point i try to make is, we've got to figure out how to bridge across not just the dod but the entire u.s. government with the private sector about how we're going to look at this problem in an integrated national way.
2:12 am
>> would you also agree that sequestration could threaten you with a hollow force after you have recruited and -- some of the brightest minds in america to help you? >> very much so. i would highlight in fy-13, i can remember going -- i was in a different job at the time. but still i was doing -- leading the navy cyber effort. as much of my work force explained to me why we should stay with you if this is what we're going to have to deal with on a periodic basis, being told we're furloughed, we're not going to get paid. i can remember telling them in '13, please stay with us. i hope this is a one-time thing. >> sequestration means further hamper -- >> further because -- everything is -- our ability to meet time lines we have been given have been predicated on sustaining of this. i will not be capable of generating that capability in the timely way that right now we're on the hook to do. >> senator reed. >> thank you, mr. chairman.
2:13 am
one of the issues that has been discussed and mentioned in my opening statement is raising cyber command to a full unified command. and yet i also noted and you acknowledge that only half the cyber command newly formed cyber mission is initially capable to ioc. and then some critical elements such as training environment, uniform platform doesn't exist. are you in your mind mature enough to be a full unified command now? >> yes. >> and what would that advantage give you? or what would that decision give you? >> when we think -- what tends to drive should something be elevated? across the department, we tend to focus on the imperatives of unity of command and unity of effort and in -- it would be functional, not geographic. in this case, does the function rise to a global level and is it
2:14 am
of sufficient priority to merit coordination across the entire department. the other issue i would argue is one of speed. all of those argue -- again, i just am one input. i realize this is a broader decision than just admiral rogers. there's many opinions that will be factored in. my input to the process has been a commander designation would allow us to be faster, which would generate better mission outcome. the department's processes of budget prioritization, strategy, policy are all generally structured to enable direct combatant commander into the process. that's what they are optimized for. i believe cyber needs to be a part of that direct process. >> the other aspect, obviously, is the relationship with nsa. there are several options. one is to have separate command. or one option or additional
2:15 am
option is to at least at a future time have the option to divide the dual hat arrangement. can you comment on that? >> so, my recommendation has been for right now you need to leave them dual hatted. part of that is the premise that we built cyber command on, we created it six years ago, where we said to ourselves, we're going to maximize the investments that the nation had made in nsa in terms of infrastructure and capability. so because of that, we didn't have a huge military construction program, for example, for cyber command and put the forces, the 6,200 in different structures. we said we were going to take nsa's existing spaces to do that. so my input has been for right now, based on the very model we created cyber command, where we really in many ways very tightly aligned these two organizations, that at the current time -- impossible. it would be difficult or less than optimal in my opinion to
2:16 am
try to separate them now. but what i have also argued is we need to continue to assess that decision over time. you need to make it a conditions based assessment as to at some point in the future does it make more sense to do that. >> part of that is the fact that if you are a unified command, you will be developing alternatives to nsa capabilities. >> yes. >> exclusive to cyber command so that at some point you could have an infrastructure that looks like nsa and the synergies you are talking about now operational. >> yes, sir. >> one of the issues is that -- you depend upon the services to provide you a great deal of resources. in fact, it's really i think interesting to note that only half of these identified units are at least initially capable. and that there doesn't seem to be an intense training effort that's standardized and in place right now.
2:17 am
what can you do -- what can we do to accelerate these units in terms of their maturity and their training environment? >> so if i could, senator, i'm going to respectfully disagree. >> that's quite all right. you have to be respectful. >> remember, we started this build process in fiscal year '13. we said we would finish it by the end of fiscal year '18. ready to fight in a high demand environment. we're pretty much on track, as i have said publicly. if you look right now -- in fact in the last two months, i have managed to increase timeliness since the last assessment i did in february where i publicly had said based on the data as of the first of february, i believe that we will meet ioc for 91% of the teams on time and that we will meet foc for 93% of the teams on time in the two months since then we're up -- i managed
2:18 am
to work with the services and for ioc we're up to 95% of the force. for foc we're at about 93% of the force. so my only point is, i'm not critical of the services in terms of their generating the force. i think they are making a very good effort and it's on track. it's not perfect but it's on track. they have also been very willing when i have said what we need to do is ensure that we have one integrated joint capability how we work cyber. there has to be one structure, one training standard. every service agreed to adhere to that. in that regard, i'm comfortable. what i think the challenge for us as i look over the next few years is we initially focus on those mission teams and the men and women and their training. what experience is teaching is not unlike other domains is -- as you both chair and ranking member said in your opening statements, that's not enough.
2:19 am
so what we're finding now is it's the other things that really help enable that we have to focus more on. >> thank you. thank you, mr. chairman. >> thank you, mr. chairman. admiral rogers, in december of last year you published an article saying a challenge for the military cyber work force. and you discussed as did you in your written statement today that the importance of growing and developing and maintaining this force. when you talked about it -- i guess it was the chairman in his statement, the 123 teams, where you are right now and aiming to 133, what comprises a cyber team? >> they come in several different types. there's what we call combatant command mission teams. those are aligned with commanders. they are designed to create offensive capability, if you will.
2:20 am
there are cyber protection -- those are about -- that team ccmt teams, they are about 65 individuals on a team. if you look at cyber protection teams, slightly different mission. so different structure, different focus. they are at about 39 individuals per team. each of those two teams has a small subset of 23 individuals on what we call support teams. that just gives you a sense. >> sure. when you add all that together, that's when you come up with the 6,187. >> yes, sir. >> as was brought out in the chairman's statement, you would really have to know -- first of all, you are drawing from institutions that are training these people. this is new. this is brand-new to a lot of people, including a lot of people at this table. i know that in my state of oklahoma, the university of tulsa has really made great
2:21 am
progress -- in fact your predecessor was out there and working with them. i understand from senator rounds, similar things happening in south dakota. you have these kids out there. they are learning this. they are choosing -- they are determining what they will do for a career. i think it's a good question whether you say -- when we ask the question, can we depend on sustaining in this environment that we're in this -- these teams, this number, this work force so that individuals out there would be aiming their talents toward helping us? because there's going to be a lot of competition for these kids. how confident are you that we're going to be able to maintain the level necessary to attract good people? >> so experience to date says we're doing a good job in that regard. both of our ability to recruit and retain. what drives that our experience suggests is the desire of men
2:22 am
and women, whether civilian or in uniform, to be part of something bigger than themselves. to do something that matters and do something on the cutting edge. that is really what powers the men and women of the teams. i'm always talking to the -- my fellow indicators, what should we look at that will tell us that trend is changing? there are skill sets within the force that i mention separately that i may in fact come back to the committee with to say, look, there may be some -- >> that would be a good thing to do, come back. i'm running out of time. i agree with you whether you say that the states -- that we watch most closely remain russia, china, iran and north korea. at the same time, i notice that there is an effort -- this came when our fbi director james
2:23 am
comey was in contact with these people -- that they were -- china is trying to develop a closer relationship with us when, in fact, they're the ones that we're going to be watching. you are not entertaining any kind of a close relationship with them that might impair that? >> no, sir. >> okay. good. yesterday in the -- an article came out that says the pentagon doesn't know who is in charge for responding to a massive cyberattack. they go on to talk about the northern command. they talk about what we are doing. they are talking about homeland security. you are familiar with this report that came out yesterday? >> no, i'm not. i'm familiar with the broad premise. >> okay. the conclusion of the report -- i will read this. it says, we believe that by issuing or updating guidance that clarifies roles and responsibilities of relevant dod officials, dod will be in a
2:24 am
better position to plan for and support civil authorities in a cyber incident. this is a gao report. i suggest that you look at that and see if we have reached their conclusion so far. thank you, mr. chairman. >> thank you, mr. chairman. thank you, admiral for being here and the work you do. i appreciate it very much. we face terrorist threats and all the underlying. nearly every briefing about our national security i have asked about the issues of cyber security. and protecting our power grids. it's a very important issue to me and the power that our state produces for this country. in the short-term, which cyber threat is most dangerous to the united states? i guess in our grid, our food supply, our water supply? what is most vulnerable that we should be working on?
2:25 am
>> power and basic infrastructure is something that always concerns me because the potential impact on the nation is very significant should we have significant issues there. i would also argue one sector that i worry about a little bit is, you look at the amount of personally identifiable information that is out there in a lot of areas. healthcare is a good example where the amount of data that we have all provided to the medical world that is available out there on all of us and our families, that worries me about -- that's reflected -- you look at opm, look at the anthem health insurance, large data concentrations are now increasingly become an attractive target. because of big data analytics, massive amount of data that we said no one could comb through that to generate insights or
2:26 am
find anything, it's too long, you sure don't have those conversations anymore. >> we talk about cyber, we keep talking about basically our corporate hacking, if you will. for proprietary reasons. look at the military hacking that goes on for our defense reasons. then you look at just everyday life that we have come to expect that could be probably disrupted with quite an alarming -- >> yes, sir. >> alarming concerns. the other thing -- in your testimony you mentioned the reserve forces are being assigned to all levels of u.s. cyber command. and cyber mission forces. can you elaborate on the national guard, what they bring to the table for the cyber mission? >> well, you are able through our guard and reserve teammates, you are able to access a set of manpower that potentially is using these same skill sets in their day to day work in the private sector.
2:27 am
you are able to also access at times a very different perspective which works out very well, which is one reason why as we were creating this, we were adamant from the beginning it needed to be viewed as a total force. that if we were just going to make this an active only component, that was not going to optimize the full range of capabilities that are out there. so you have seen in the last six months in particular the guard and reserve capability starting to come online and flesh out as well. >> the thing that i'm saying is i have -- the national guard in west virginia, we don't have a base. our guard is everything to us. being a former governor, i understand the importance of our guard. we have been so active is basically an aggressive recruiting and some of our best and brightest and young people coming into the guard for opportunities, especially educational. they can pinpoint for you to bring in some of the really sharp young talents that could help us in defending ourself
2:28 am
cyber. >> this is -- the guard is doing now. >> okay. >> i spend a lot of time talking about how do we do this in an integrated way. >> again -- the other thing -- in your testimony you say isis is focused on propaganda. you can elaborate on this and how they have been successful. >> they have harnessed the power of the information arena to promulgate their ideology on a global basis. to recruit on a global basis. to generate revenue and to move money as well as coordinate some level of activity on a large basis. the challenge i look for or that concerns me when i look at the future is what happens if the non-state actor, isil being one
2:29 am
example, views cyber as a weapon system? that would really be a troubling development. >> in a very simplistic way, people ask why can't we shut down that part of the internet? why can't we interrupt isis' ability to go on social media and attract? why are we not able to infiltrate that more? >> i mean, i would -- the idea that you just are going to shut down the internet given its construction and complexity is just not -- >> i've had people ask me, can't you stop that area of world where the problems are coming from, whether it be in syria or in parts of iraq or iran. things that we might have some input and control over. it's not possible? >> it's just not that simple. i wish i could say there's a part of the internet used by a specific set of users. >> i'm trying to find an answer. that question is asked quite a bit. shut her down, turn off your telephone, but it doesn't work
2:30 am
that way. thank you for your service. >> thank you for your service. you are i believe the right person at a very challenging time. you are in the middle of some decisions that have to be made by the united states sooner rather than later. our congress passed -- carl levin was chairman then. they evaluate vulnerability of our systems and to issue a report to how to defend those. that time passed. but we have issued another legislation last year that said the secretary of defense shall in accordance with the plan complete an evaluation of the cyber vulnerabilities of each major weapons system of the department of defense not later than december 31, 2019. so we have given an additional
2:31 am
date there. but not later than 180 days after the date of this enactment which i would believe would be play this year. the department -- the secretary of defense shall submit to the congressional defense committees the plan of the secretary for the evaluation of major weapon systems, including an identification of each system to be evaluated, an estimate of the funding required and priority among the evaluations. are you familiar with that? are we on track to -- is the defense department on track to complete that initial report? >> i am familiar with it. i'm sorry i am not in the weapon acquisition business. so i'm not the best informed as to the current status. i know the effort is ongoing because u.s. cyber command is part of that. if i could take that one for the record. i apologize. >> if you would. this has been going on some time. on a bipartisan basis, congress
2:32 am
recognized several years ago that our weapon systems -- it started out for space, missiles and anti-missile systems being evaluated. then we realized, large segments of our defense capability are vulnerable. we have had a broader report. i believe it is important for the secretary to complete this on time if not sooner. i would hope that you would look at that. in light of chairman mccain's questions and senator inhofe's questions, i would refer to this gao report that just came out. the first line of this article is, quote, the pentagon does not have a clear chain of command for responding to massive cyberattack on domestic targets in the united states according to the federal government's principal watchdog gao. does that concern you? >> first of all, i haven't read the report. so i'm not informed as to its specifics. i mean, i would argue, i'm always concerned about a clear
2:33 am
chain of command and clear articulation of responsibilities. >> it lists a number of things that appear to be unclear in how we respond. the chairman asked you when do we -- aren't we going to need to develop a policy for how to respond to attacks and what we might do in response and how to ratchet up responses relevant to the threats we face. i hope that you would look at that. with regard to worldwide situation as commercial and economic as private companies that are a big part of the entire network of cyber worldwide, many of those impact our allies, other friends and many of those could -- many companies could be based in countries that are not friendly to us. and would like to penetrate our systems. are you concerned that all of
2:34 am
our allies, asia, europe need to be aware of this danger? and are we working to make sure that segments of those systems aren't purchased or impacted by entities that could be hostile to our joint interests? >> i share your concern about supply chain vulnerability. >> that's a good word, supply chain vulnerability. >> and it is growing in probability, if you will. given the nature of the economic world we're living in now. we have a process within the u.s. government to address these issues for major purchases, companies, national security priorities. we have a specific process in place for some components of dod infrastructure like the nuclear world, for example. if you look at its proliferation of the issue generally across both our allies and ourselves,
2:35 am
this is an issue that's going to get tougher. >> could go on for decades. do we need to meet with our allies to develop a unified policy to protect our joint systems? >> it is a discussion we have with our allies. it's much -- as you said, this goes across the commercial sector, dod, government at large. it's out there for all of us. >> well, i thank you for your leadership. it will be a lot of challenges like that in the months to come. you are at the focal point of a critical issue. i hope you will not hesitate to lead and tell us what we need to do to help you. >> roger that. >> thank you, mr. chairman. admiral rogers, i need some clarification of what your responsibilities are in cyber command. are you responsible for protecting this country from cyberattacks on private networks and corporations or is it simply
2:36 am
government? >> dod has a responsibility to defend against events of significant cyber consequence. >> for example, in maine we had three urgent care centers that were hacked. we had maine general health, one of our healthcare. they were hacked is that part -- what's the definition of critical infrastructure? >> there are 16 sectors. the second component of the definition i gave you is not just the sector that was attacked, so to speak. but also the magnitude of the event. dod, we use the phrase significant cyber consequence. the concern being that the department of defense is not resourced nor is it tasked with defending every single computer structure within the united states. so we try to identify where can
2:37 am
our finite resources be best applied? so they are focused on the 16 segments designated to the nation's infrastructure. then tripped in those circumstances in which the actions against one of those 16 segments reaches significant cyber consequence. >> i mean we're being hacked every day in insurance companies, businesses, some of it is cyber espionage but some is criminal. we need to think who is responsible. i understand you don't call out the army, if there is a criminal in one town. you have local police, but there is a gap here. do you see what i'm saying? >> yes, sir. >> there is a gap in our defense because we really don't have the infrastructure of the state police or local police that would protect local interests when they are being attacked and you have the expertise.
2:38 am
we have to work out something as between cyber command and local law enforcement, if you will, to protect us from these repeated and continuous and escalating attacks. >> although, if i could, just to think more broadly, i think the challenge is how do we harness the capacity and capability that's resident in the government structure, contained with the capabilities that are resident in the private sector? it's much bigger than just, don't get me wrong, we're definitely part of this but i urge people we got to think much more broadly -- >> i think that's a good way to articulate it. don't -- we keep talking in these hearings, when will we have a well developed and articulated strategy and i emphasize the word articulate. it's not deterrence but we need definition what is an act of war, what is a mutually assured
2:39 am
destruction situation. this seems to me is this in the works and if so, when? >> sir, i don't have a date for you. that's well beyond the missions of u.s. cyber command. i'm part of the discussions. i'm the first to acknowledge that. i try to provide an input and be one voice what i think is the direction broadly we need to go. i apologize senator, i don't have the specific date or timeline for you. >> seems as a matter of policy, we really need -- this needs to happen. we've been talking about this long, we aren't there yet and yet, something terrible is going to happen and a lot of people are going to say why didn't we have a policy, deterrent policy. i would urge counsels of the administration to push for a sense of urgency on this question because if we -- if all we do is defense and there is no
2:40 am
deterrence, we'll lose the battle. >> yes, sir, a losing strategy. >> final point and i know you talked about this earlier. i'm finding it harder and harder to justify your holding two jobs given the complexity -- i mean, this arrangement was created in 2009 which in technology terms is a century ago and i just can't -- i mean, i understand the relationship between nsa and cyber command but particularly if we move in the direction, which i think we are of setting up cyber command as its own independent command to have the same person trying to run those two agencies, i just think is impractical and impossible. >> i've been doing it ten years to date. >> you've been doing it well. >> as i've said in my initial comment, i agree that it's something we need to continue to assess. i agree in the long run the probably best course of action
2:41 am
is to ultimately put both organizations in a position of capable of executing commission in a complementary and aligned way than in a more separate way but the reality is we're just not ready to do that today, i believe. don't get me wrong. i get paid to make things happen and i will execute it to the best of my ability. >> i take it you agree we should move -- cyber command should be its own command. >> i do, sir. >> yes, sir, thank you. thank you, mr. chair. >> subject to the will of the entire committee that would be my intention and i want to read and i would propose that on the defense authorization bill. >> i think so, sir. i think that's something we'll consider but i think it's value with the comments today and to consider them as we go forward. >> thank you, senator fisher. >> thank you, mr. chairman, i look forward to the discussion
2:42 am
on raising cyber to combat and command and look forward to the discussions as a committee on the importance of cybersecurity for the country. rogers, in your prepared statement you mention the cyber attack on ukraine's power grid and note you've seen cyber actors from more than one nation exploring the networks of our nation's critical infrastructure. do you believe our teams possess the necessary skills relating to controls and systems to be able to stop or to recover from an attack on our power grid? >> we have the skills. the challenge at the moment is one of capacity. what i mean by that is in the two years i've been in command, i've yet to run into a situation where we didn't have the skill set to apply against a problem but the challenge at the moment because we're still in the midst of the build is sometimes that skill set is embodied in an
2:43 am
incredibly small number of people and if we had multiple events simultaneously, sna chalk today so to speak capacity is the greater concern than capability, if you will, if that makes sense. >> well, i understand your demands on the force to exceed that capacity but as you add those capabilities, how are you going to prioritize and responsibilities you're going to have? how do you plan to prioritize placing that building competency with our industrial control system? is that something you focus on in the near term or is it going to take a backseat to maybe some of the other areas for the cyber mission forces.
2:44 am
>> something we're doing now. i would also highlight the very construct of the force by creating a separate section of the force that is focused purely on defending critical infrastructure was designed for that. how do you ensure an element of the force we're building is focused like a laser on the mission set? it's a carved out separate entity. the national mission force. the general is my component commander doing that. >> do you have a plan to work with services then on building that -- >> yes, ma'am. >> is it near completion? you heard senator king ask about policy. we've been asking about policy for a long time. we don't have a policy. if we don't have a policy, how will we develop plans? >> i remind people is look, even as we're trying to get to broader issues you've raised outside the immediate mission,
2:45 am
look, our mission is generate capacity and capability and ensure we're ready to go as the broader issues are being addressed. so we're trying to deal with the piece by generating capabilities we think would be part of the discussion by generating the defensive capabilities we think would be part of the deterrent discussion. i don't want to wait for everything to fall in place. we can't wait as perfect as it would be. >> i agree with you, we don't have time. >> yes, ma'am. >> when we look at the department, what level of communication do we have with the different communities within the departments, say the -- with regard to acquisition of installation to make sure the items we purchased or facilities that we're building are able to take those threats we're looking at from cyber into account? >> i would tell you the acquisition piece is an area we
2:46 am
need a lot of work not because people aren't working hard but i've been struck by the analogy, we would never buy a ship, tank, aircraft without the operational vision driving how we designed it, built it, structured it, yet for much of our networks, that has not historically been the model. we built those and bought those and focus on efficiency and price and really focus on operational impact and really didn't think at the time that we would be dealing with a world in which intruders, foreign actors would be using those systems as access points to degrade our missions as a department. we didn't anticipate that decades ago and that's the world we're in now. >> it's happened in private industry. >> right, decades of investment we're trying to overcome.
2:47 am
>> last question, do you have any knowledge if our adversaries targeted any infrastructure on the military bases? >> yes. >> thank you very much. >> yes, ma'am. >> thanks, mr. chairman and thank you admiral rogers for your extraordinary and distinguished service in so many roles over so many years. i want to focus on the challenges of recruiting young people in an age where the best and the brightest have knowledge have so many opportunities, many highly paid and challenging in the professional issues. young americans are entering the work force with computer technology that's been part of the entire lives not so much for
2:48 am
us as a certain age but for them yes but i wonder if you can tell us how successful you and obviously the incomparably important forces have been in obtaining talent and what we can do to help. >> i'm very comfortable where we are on the uniform side. the same things that make a person decide to pick up a rifle leads men and women to decide they want to put on a uniform and pick up a keyboard. that's not the biggest challenge. the area we need to take a greater look at is on the civilian side of this because we got our vision is we got to create a work force that is both
2:49 am
active and reserve military. so we get the breadth of expertise that you've referenced. where i need to come back to the committee, can i come up with some different processes or options that would make things more attractive to particularly some very high-end, very small number of skill sets that i don't have huge numbers of but incredibly valuable for us, that's one area i think i'll have to come back. we need to step back and take a look at the piece of it. >> is there sufficient, are there sufficient resources devoted to research, the personnel available to supervise the research and in effect planning for the future. >> right.
2:50 am
i'm not going to pretend for one minute you have people and money that you would like. it's -- i would argue characterize it as reasonable right now. it's not a major issue in the sense i said wow, we have a significant sensibility to execute. i haven't seen that. >> i know you indicated you haven't read it. >> right, right. >> but i wonder focussing on the infrastructure segment you mentioned, transportation, financial, electric, how well are they doing in protecting themselves? >> if you look across the 16 segments designated as critical
2:51 am
infrastructure, i would argue some are ahead of others i probably put financial has access to more than some and come to the conclusion that the ability to move funds through these transactions, if you will that we believe and trust and in their defense, they are quick to remind me our business model is different. we're regulated for example in order to generate and increase our cyber defense and capabilities. the only way for us to do that is raise rates for example. most consumers not enthusiastic about that. most regulatory bodies not necessarily overly enthusiastic about that at the moment. >> those would be electricity.
2:52 am
>> power is an example. there is improvement that you would put at the bottom of that list of readiness? >> there are some i think i've publicly previously talked about health care is one of the examples of the 16 segments i look at and i go, that's an area probably that needs a broader top to bottom look on the first to acknowledge, really outside our immediate mission and i don't bore into it every day. as i look where potentially we'll be tasked to provide our capabilities to partner with, an area i would pay attention to. >> thank you very much. thank you, mr. chairman. >> thank you, mr. chairman. admiral rogers, thank you for your service. i find it interesting that as you work your way through this, you're in a brand-new area trying to determine how to respond and protect.
2:53 am
it seems when you lay this out and say you have 16 different segments within the realm that you're responding to, fair to say that they break out into either information or data systems and operating systems? in terms of the way that we look at what the data is or the different systems that we're looking at as being vulnerable, a data system being the collection of information and individuals and operating systems being those systems perhaps necessary for the infrastructure within our country? a fair way to break out, i guess, that's fair to be honest, senator. i never thought of it that way. not that that's a bad way. >> the reason i would ask, it seems while information systems would contain material or information a private nature, perhaps, a trade secret that may very well be information on an
2:54 am
individual such as the information we lost to the federal level and have on operating system for the utilities and operating systems out there for dams and operating systems for nuclear power plants. clearly they can do significant damage and bodily injury, as well. fair enough to look at it. based upon that, when you look at your role and the role of cyber command do you see your role operation different than data and collection systems? >> our protection scheme is based on two different pieces of strategy. the first component of the strategy is our intent is to go into foreign space to stop the attack before it ever reaches
2:55 am
those systems. the second component of the strategy is to apply defensive capability working directly with each of the individual elements if you will to say if that fails, we also would like to work to shore up the systems. the other point i want to make sure i articulate and probably should have done a better job this morning is as a reminder, u.s. cyber command and dod at large provide our cyber capabilities and defensive critical infrastructure in the private sector in partnership and in support of dhs. dhs has overall responsibility in the federal government for the provision of government support to the private sector when it comes to cyber. i don't want people thinking well, it's just cyber command and the private sector. there is a broader set of players we integrate with and support as we execute the mission. >> an attack in either case
2:56 am
would be, we don't know whether or not we'll be able to do it in time and respond afterwards. would you say we have operation systems, information systems we have, do you feel the protocols are there? i'm going back to what senator king was alluding to earlier. i'm not sure we have the definitions prepared yet to allow you to respond immediately within milliseconds unless we talk about it and lay it out. is it there today? >> in every single component in the private sector, no it's not. cyber is no different than other domains in the sense that the importance of intelligence to
2:57 am
provide us insight gives us the knowledge and insight, the warning, if you will to anticipate and act the event. true for the sitcom commander as me. warning continues to be critical for both of us. >> today if our forces were aware of an attack, they have the ability to respond but if it was property or entities within the united states, do you have the ability to respond today if it is not a military but a civilian or a civil target? >> is there a process? yes. is it something i can do automatically instantaneously, no. >> that's the case it has to happen first then because for all practical purposes, the attack will be instantaneous. >> we have to get the warning in advance. the importance of intelligence. >> if you get the warning in advance, it would have to be enough time for you to get out and have a political discussion for all practical purposes whether or not you can -- >> again, it would depend by the
2:58 am
scenario. there are some elements with mechanisms in place and it's just a process as opposed to a broad -- >> not one that can be done in milliseconds? >> no. >> thank you, mr. chairman. >> thank you for being here. >> senator. >> let me start with your acquisition personnel. some of the saddest stories of waste within government and a lot of that had to do with knowing when you need to buy and when legacy systems need to be scrapped and how nimble can you be off the shelf? i'm not sure the military with that flexibility to move with the technology. i think these acquisition personnel are important so do
2:59 am
you have the ten in place that are suppose -- that we authorized in order for you to make the wisest acquisition decisions possible in light of a history littered with serious mistakes and lots and billions and billions of dollars wasted? >> i operate and defend. i don't buy. you have been kind enough, the committee and congress has been kind enough to provide an initial capability to do us. we're in the process of hiring. i'm very mindful of as i remind the team it is about generating outcomes, guys. that's why we're granted this authority and need to be mindful of and not interested in spending money for the sake of spending money. it's about generating capabilities that impact the mission in a material way. >> i would be interested in how you are requiring with more detail, if you would provide, how you are finding the acquisition personnel and how
3:00 am
competitive are we in finding the right acquisition personnel. if we have the capabilities in the space a lot of it is people being trained but a lot of it is under lined -- >> yes, ma'am. >> you have to buy the right capabilities. >> so i just -- i'm really worried about getting the right people making those decisions so i would like to stay updated in the progress. what kind of coordination does your command have at this point with our nato allies, israel, arab allies and particularly interested in any coordination and cooperation you have with nga. >> i'm not going to publicly -- >> obviously. >> classified forum go into specifics. i would only tell you we partner with and have a handful of nations and have a very direct, real relationship with respect to capabilities, real world operations. i won't go into the specifics of
3:01 am
who. one of the challenges i find is cyber like any other mission, we have to prioritize. when i look at foreign partnerships, i ask where is the greatest return for us as a department, as a dod and where is the greatest return for us in terms of ability to execute the mission. i spent almost as much time with the discussion with the team about what we're not going to do as i discuss what we are going to do and remind them since we're in the midst of building capability out, prioritize. we identified a set of partners if you will. these partnerships are generating capability we're using today. >> great. and maybe in a classified setting i could get more information. >> yes, ma'am. >> what is the ratio of civilian versus military within the command at this point? >> it's about -- we're trying to
3:02 am
build 80% military, 20% civilian. at a snapshot, off the top of my head 70/30, 70% military, 30% civilian. >> what about contractors? is the ratio on contractors and what is your goal on contractors? this could be an area and underlying that is a concern about the actual screening of contractors. what is your goal and to go forward? >> i apologize, i'm trying to do the math in my head. it's probably 25%. we have over and above the government civilian and military, we have an additional 25% -- off the top of my head, an additional 25% of the contractor base. >> is that where you would like to be going forward or see more relying on contractors -- >> i'm a little leery of over
3:03 am
becoming reliant on contractors, why? because i try to remind people, cyber is a domain to conduct a wide range of military operations and in accordance with the law, those operations need to be conducted by military personnel so i'm not trying to minimize the role of contractors, i just try to remind the team it's not one size fits all. we have to ask ourselves what's the right allocation? i'm pretty comfortable right now. i wouldn't argue it's among my highest priorities. i'd argue now probably priority number one manpower-wise i said the civilian piece. i'm very comfortable with tracking and going the right way in the uniform piece. the civilian area is where i know i'll be paying more attention to in the coming year. >> thank you, admiral. >> yes, ma'am. >> threats nation state wise in
3:04 am
terms of who we're most threatened by? >> i would argue russia and probably in terms if you look at capability, the other four that we have publicly acknowledged: china, iran, north korea and non-state actors, the other category where i look that could be a game changer were dynamics to change. >> on the terrorism side, could you give us the top couple of terrorist organizations you're worried about? >> not that i don't know in an unclassified forum. >> we don't end. on the criminal side, what areas of criminality do you worry most about? countries? >> russia probably has the most active criminal element with the most -- with the greatest capability. >> do you think the russian government is doing anything constructive in terms of regulating criminal activity in cyber? >> i would only say it doesn't appear to be getting much better. >> what about iran?
3:05 am
is iran better in the last year in terms of their cyber activity? >> yes. >> are they less threatening? >> i apologize -- >> are they less threatening or more capable? >> i'd argue they are increasing their investment and increasing their level of capability. we have not seen the same level of activity from them that we have seen historically in the past. i have seen some of that same activity directed at other nations around the world. >> are they improving capability? >> yes, sir. >> do you know if the money they are getting is going into the cyber upgrades? >> i don't know for a fact. >> okay. >> is it fair for the country to establish as a policy cyber dominance over enemies that we want to be the dominance of the warfare? >> we want to have the same
3:06 am
capability. >> i think that's the goal. so let's march down that path. the navy is pretty wide? >> yes, sir. >> and the cyber arena, how close is it. >> so the gap of dominance in seas and cyber is not nearly. >> not nearly the same. >> when it comes to iran when you compare the air force to our air force, what's the gap? >> are the iranians trying to close it? >> they are.
3:07 am
>> for a nato point of view, we're familiar with article five in attack against one is attack against all. is there any such concept in the cyber arena. >> you believe article five applies to all domains. >> do they. >> we're trying to work our way through that. >> i don't know -- >> what's the biggest impediment to us getting there? is it the congress? is it the -- >> no. >> it's as much in someways as my perspective this is just an exercise. this is something we can afford -- >> the department of homeland security is responsible for protecting us and the financial service power arena or civilian
3:08 am
targets. you're responsible for protecting the military infrastructure. >> and provide support to the commercial infrastructure. >> but offense. >> they are not going to attack a foreign nation, you would. >> yes, sir. >> so how can we as a nation given the threats that we face in the cyber arena not really have a good answer as to what's the impediment to rule engagement. >> sorry, sir, you really need to speak to the policy side. >> yeah, but you're an operator. >> yes, sir. >> who do you talk to about hey, guys, let's see if we can get there. >> the secretary of defense or office of secretary of defense. >> how do they respond? >> intellectually, we realize we need to do. >> is there anything congress is not doing that you would like us
3:09 am
to do to help resolve this issue. >> no, i can't argue it's something congress failed to do. thank you mr. chairman, admiral, i know that you talked a little about cyber teams in response to earlier questions and i think the idea to leverage our outstanding national guard and capabilities and capacity and establishing many of the cyber teams is a good idea. as you and your colleagues and as you look at the region, i ask that you look closely at the needs of the asia pacific. in hawaii we have nsa hawaii, various component commands and other agency regional officers that are, offices that are likely targets for cyber
3:10 am
criminals as we focus on the rebalance of the pacific. i wanted to get to a question. last september the u.s. and china did agree that neither government would support or conduct cyber theft of intellectual property. six months down the road, would you say china is living up to this agreement? i don't know how specific the agreement was, frankly. seems like a good idea for the two countries to enter into that kind of dialogue and discussion but really, what is happening with regard to that agreement? >> if i could, what the agreement said is neither nation would engage in that activity for the purpose of gaining economic advantage for their private sector. we continue to see chinese activity in the regard. the million dollar question is is that activity for governmental purposes or passed from the government to the
3:11 am
private sector from my mind, the jury is still out in that regard. its activity level is somewhat lower than prior to september of 2015. >> is there any way that we can determine whether china is engaging in such activity. are there any parameters? is there anything we measure to determine whether this agreement is being adhered to? >> yes, ma'am. in an unclassified forum, i won't get into specifics how we go about doing that but yes, ma'am. >> maybe in another context we can get to some of the questions. with regard to our ability to support our cyber capability, stem education is critical, can
3:12 am
you talk more about what you are doing to train a work force for us. >> let's take hawaii for example. today for example the general for the guard in hawaii is meeting in the complex with the cyber command and elements across the island to look at and include academic sector, how do we generate and more capable work force to meet guard requirements and command and nsa and other elements. how can we partner more effectively in aligning the capability to deal with issues of common interest on the state of hawaii and more broadly. you see that same hawaii is an area where we probably have gone further than others but we can see that same type of activity
3:13 am
with a handful of universities across the united states from the west coast, something on the order of 60 to 100 between nsa and cyber command tend to partner together a lot. >> obviously that needs to continue because our cyber capability is something that will be an on going effort. you mentioned the importance of the private sector and outside of government approach to cyber needs. how do you envision the private sector's role? the private sector brings technical innovation, broad
3:14 am
knowledge of capabilities and alternative ways to look at problems. those are three things when i look at the private sector, i say you can really add value for us in that regard. what we have done to date is created what we call the point of partnership in silicon valley where i placed a small element on the ground. the part that's interesting to me is i did not want reserves working in their day to day jobs. we started that since last summer that's working out well for us and gives us a chance to get a sense for what technical innovation is going on out there. we approach them with different problem sets and say hey, here is an issue we're still trying to work our way through. how are you handling this or would you give us some suggestions on how we might deal
3:15 am
with it? i'm trying to see if we can replicate the model. i'm looking at the east coast next as an example, somewhere probably in the greater boston metro area next. >> sounds like more of an informal arrangement now and maybe going forward institutionalize it. >> yes, ma'am. >> thank you. >> admiral rogers, i don't envy you with the job you have, the complexity and then the additional challenges, things on the horizon you have to worry about and listening to the discussion, one thing that's very important we'll never have the perfect weapon. absent the united states coming up with a game changing offensive or defensive capability of the scale of the manhattan project, you can't
3:16 am
possibly get inside the decision cycles of the state actors that organize crime, terrorists and other people and when you think about decision cycles in this realm, you think about every single day you get new malware, viruses, other technology added to your pc to deal with new threats that didn't exist a day or two or week before. how do you really segregate your scope of responsibility, the vulnerabilities of the dod or however you would like to define your scope and differentiate that from the broader private sector threat. you have 28 million small businesses. you have distributed public sector whether electric water or gas and the concern that i have
3:17 am
is what we have right now, we haven't seen and i think that we will see some day a nation, state or organized crime or terrorist organization literally be in position to execute a multi pillar attack if they are smart and are we will do something to disrupt you and disrupt your ability to react by attacking the private sector. so how do we look at this on a global basis as they increase abilities, they will figure out a way to go after communications infrastructure, supply chain, health care, electric, whatever public in, how do we coalesce, do a good job in d.o.d. and create the line and go around it and disrupt you from a different
3:18 am
direction? >> you have articulated the challenges of how to operate because the boundaries that we consider this is a dod function, this is a private function, this is a government cyber blurs these lines. so the dod arena is a reason if you look at the exercise in training regime that we put in place, we try to do it within the dod but across a breadth of the private sector, cyber guard is our annual exercise it will be in june. we pick a different segment if you will every year. we'll do the power segment in this year's exercise. i think it's something like 20 different corporations, the guard, state, local.
3:19 am
>> that's what i'm getting to. it's almost as if your military exercises have to involve all of these players so they have a better understanding of their vulnerabilities and the nature of the attack that would occur and to what extent are we looking at state and local governments as a way to at least in north carolina serve in the legislature and we were talking about what we could do to work on cyber threats and i saw it also as an economic advantage. as states became particularly good at grid hardening or at securing the physical presence in cyber threats within the state borders, they create an economic advantage to set up business in the state. to what extent are we trying to lead and help make this problem a little less difficult at the federal level by making sure the state and local government are stepping up their game as part of the effort. >> it's a reason there is a big
3:20 am
guard component to this effort to ensure we can also try to address this state and local aspects of this. >> i'll see if i can schedule time in our office, we may have to do some in a secured setting. thank you very much. >> thank you, mr. chairman. one of the issues is in fact sort of the services being able near resources to fully develop the units that they will detach to you essentially or provide for your operation control since you won't have organic units. can you give an assessment where they are in terms of doing that across the services? >> that really goes to the heart of readiness, if you will. one of the -- so in september
3:21 am
when i was with you, one of the things i said then during that session was that i thought one of the reasons why '16 was going to be a big game changer, i thought we'd get more involved in the total breadth of capability sets, which we are and the other reason was because we needed to shift from a focus on ioc and foc, the generation of capability to actual readiness. are we ready to employ this? we spent the last six months working our way through how do you define readiness in the cyber arena down to the individual team level so that i as a commander have an awareness where the force is and using the same mechanisms we use to assess readiness across the dod i can provide policymakers, here is what this force is really capable of doing. we've just started doing that. i've gone through two strong men with the team. we'll do a third and final one this summer and by the end of the summer in september, i will
3:22 am
start providing to the dod on a quarterly basis by team. here is where we are in terms of true readiness. >> is the nightmare scenario that's one of these nations acquires the capability to shut down satellites? >> i mean, that is a -- there is two scenarios that really concern me. one is the physical shut down and interdiction of capability. the other scenario -- >> explain the first one. >> if you were to shut down -- look at it from first dod perspective because much of what we rely on for our enablers as a department are commercial infrastructure, power, ability to move force for example. if you are able to try to take that away or material impact the ability to manage an air traffic control system, to manage the overhead structure and the flow of communications or data for
3:23 am
example, that would materially impact dod's ability to impact the mission and economic impact for us as a nation. the other concern i have is to date, most penetrations of systems that we've seen by actors have either been to steal data or to do reconnaissance. what happens if the purpose of the intrusion is to manipulate data so you can no longer believe what you're seeing. think about the implications if you couldn't trust the military picture that you were looking, that you're using to base decisions on and let alone the broader economic impacts for us as a nation. >> senator? >> thank you, mr. chairman and thank you admiral for being here and for the job that you're doing every day. i wanted to start with does
3:24 am
russia have the ability to inflict serious harm. do we have the capability? >> in a classified discussion, i would rather not get into that. >> let me put it in the context of i assume there is some mutual deterrence that goes on when we're talking about some state actors. >> again, it's a lot more complicated than just the yes or no. >> i hope we can ask that question in a classified setting. i had the opportunity over the last two weeks to visit estonia and probably the first victim of a cyber attack by a nation state by russia.
3:25 am
it's been accredited by nato and to hear them talk about how they think. can you talk how cyber command works with nato allies? >> i've been there myself and to the center and in brussels for example in december and as u.s. cyber command, i addressed the north atlantic council one of the member nations asked to talk to the leaders up at the alliance about implications of cyber and how lengthy and large one voice. i'm the first to acknowledge that. how might the alliance work its way forward as we try to go with the cyber arena. cyber command i tried to partner both with the alliance as a whole as well as specific member nations on specific issues within. you got to get the house together number one. >> explain a little more what you mean when you say that.
3:26 am
>> much like we've seen on the u.s. side, i've said look, i see nato as spending a lot of time and that's a good thing focused on the defense of nato's fixed infrastructure but remind them there is value in as nato is creating capability, additional force constructs to be able to apply traditional capability in a much faster way. i've also been part of discussions where i remind them even as you're generating that additional force, that additional capability, you need to think what are the cyber vulnerabilities and defense implications of that. we can spend a lot of money on generating capability but inherent vulnerabilities, that's not a good situation for the alliance or us. we're dealing with the same challenges. i had those discussions with the alliance at large. >> so how do we increase their
3:27 am
participation? >> we have some nato nations, the largest and not all 28. over time you'll see more and more. we talked about how we might take a look at cyber exercise or training regime. when i was there in december, i said this is something we need to think about. >> one of the things that i was really interested in in estonia is hearing about the defense league. >> defense league. >> and you were talking about earlier in your testimony about the effort to take advantage of the expertise in the private sector to help us as we're looking at cyber issues and i
3:28 am
was very interested in one of the things i heard was that the reality is we can't prevent a cyber attack. we got to be prepared to respond to that attack in the way that is most effective and most fastest and they were talking about their defense league as one way that they are able to do that. is that something that recognizing that we're probably not talking about, but is that what you're looking at what you're talking about the teams that are being set up to help respond? >> it's a little different in the sense that the idea behind the cyber league for estonia is you have private citizens. >> right. >> who on a volunteering basis will apply themselves at specific problem sets as they emerge. kind of after hours, after work on their own time. >> that's kind of model for the cyber league in estonia and use
3:29 am
that to augment. aside from us, that cyber league is a cross for us and our structures between the digital service arena, the dod is creating, as well as the kind of guard construct, though, the difference is when the uniformed member of the guard or reserve so it is not exactly the same but the thought process, the idea of trying to tap that is similar. >> thank you, thank you, mr. chairman. >> thank you, chairman and thank you admiral rogers for your service. i wanted to ask you a basic question. you have substantial responsibility in your position. what keeps you up at night?
3:30 am
is your worry? >> i have no problem sleeping but secondly, there is three things generally i highlight. number one is actions taken against critical infrastructure in the united states, damage or manipulation. number two, what happens when actors start to no longer just enter systems to do reconnaissance or steal but actually to manipulate or change data so that we no longer can believe what we're seeing and the third and final what happens when non-state actors view cyber as a weapon system? and they want to use it as a vehicle to inflict pain and against the united states and others. >> and to the third point you just made about non-state actors using cyber as a weapon system, how grave a threat is that to us currently? >> i would argue it is not --
3:31 am
i'll say but tomorrow will change. today i will tell you i have not seen groups yet make huge investments in this but i worry that it's a matter of time because it wouldn't take long. one of the challenges of cyber in addition we previously it doesn't recognize boundaries, it doesn't take billions of dollars of investment. it doesn't take decades of time and doesn't take a dedicated work force of tens of thousands of people like you see most nation states deal with. cyber is the great equalizer in some ways. >> what are the greatest risks to the extent you can describe them here to our critical infrastructure, the first issue? >> just based on the activity i've seen in some nation state actors, what happens if they decide they want to for some
3:32 am
period of time disrupt, pumps. >> power system, financial system. >> to move money. if you look at the scenario, have one unfold in the united states. i'm not going to argue someone is capable of making the united states go dark but there is capability to cause significant impact and damage. >> that's why you discuss in your opening testimony the need for the coordination across the government. >> right. >> i wanted to ask you the law changed by congress in terms of the nsa -- >> the freedom act. >> yes, ma'am. >> can you give us an update on what is happening with that and whether that's working and any concerns you have? it's an important question for
3:33 am
us to check back in with you on. >> yes, ma'am, unclass hearing i won't go into great detail. i'd say and what i've said to the intelligence oversight committees we have been able to comply and on time. there has been some level of slowness from the old system or new system. >> in terms of how quickly to get information. >> the time duration is minutes or hours. it's not days or weeks. so it hasn't yet gotten to the point where i felt i needed to come back to the congress or administration and say look, i'm seeing a significant material impact because i made the commitment. if i saw that and i believe i owe it to the nation to make that point. i have not seen that yet. >> there is no doubt it's taking longer in some ways? >> in some ways. it takes longer. >> well, i think it is important for you to come to us with that
3:34 am
because given minutes and hours can make a difference in terrorist attacks and preventing them and taking action, this is important for all of us to understand given the world we're living in. i wanted to ask you a final question about the jcpoa or iran deal and in there there's a provision that said that the u.s. must cooperate with tehran through training to strengthen to protect against sabotage in the nuclear program. admiral rogers has the u.s. helped t-- >> i can't speak for the u.s. government as a whole. u.s. cyber command has not participated in any such effort. >> okay. thank you. >> i missed some of the discussion, i don't want to be needlessly repetitive but want to go to an interchange you had
3:35 am
with the chair in opening questions. i met recently with a senior military leader that tried to basically summarize his sense of things and said we have o plans but no strategy. i've been thinking about that. i think in your back and forth with the chair you talked about and i think others may have asked you about this, this notion we're kind of reacting case by case to cyber attacks and kind of deciding in each instance what we want to do but the development of a broader doctrine, whether it's, you know, what will a deterrence policy be in terms of triggering and collective defense obligation, that we're assessing those things but kind of not at the end point. could you talk to us about the kind of development process and working on these questions, they are so important. what might we expect from the pentagon, from cyber command in
3:36 am
our interaction, in our oversight in terms of development of doctrines. >> you'll see in the dod cyber strategy for example, a broad overarching framework from the department how we'll both develop capability. we're part cyber command is part of the broader dialogue within the department about how do we align the capabilities of force with the world that we're seeing today and one of the arguments that we've made over the course of the last six months is we need to take an element of the cyber capability we're generating and focus it very much in the deterrence piece. how do we shape potentially drive opponent choices and behavior before we get to the crisis scenario. we're in the early stages of that but i'm very heartened by the fact we have a broad agreement that's an important part of the strategy and we need
3:37 am
to be doing that. we're just starting the early stages of that journey. the department participates in the broader dialogue within the u.s. government how from a national policy perspective, how will we move forward in addressing some of the issues that you have all raised today. meanwhile, for me as u.s. cyber command, what i remind our team is we know that capability is going to be part of that deterrent strategy, guys, that's what we get paid to do. we've got to focus on generating that ability today. that's kind of been if you will the focus for u.s. cybercommand at the operational level that i and the team really focus at. >> let me ask you another question, i think senator shaheen may have asked you this with respect to nato. another item that's common in this committee, as we look at the postures of other commands, joint training exercises, india does more joint training with the united states than any other
3:38 am
nation, we have marines deployed throughout africa and special purpose of training of african militaries. what's our posture vis-a-vis partners in the cyber area, in the training we do together, in the development of joint resiliency strategies? >> so we do some level of training with key allies. one of the challenges for us, quite frankly is how do you maximize capacity. you cannot do everything with every nation that you would like to do. part of our strategy is how do you focus the greatest return? what are the nations you want to start with? we have done that, the other challenge i find is, this is part of an ongoing internal discussion for us, based on where we are in the journey right now, i can't do so much with the external world that it negatively impacts our internal ability within the department to generate. unlike some mission sets where we have decades of infrastructure capability, capacity and experience, we don't have that in the
3:39 am
cyberarena. the same force and capability i'm using to help train and partner with foreign counterparts, i'm still building every day. that's the challenge for us right now. i don't think it will be as much an issue in the future as that capacity fully comes online. but we're not there yet. >> uh-huh. we trained aviators out of other service branches and then we created an air force academy in 1954 and decided we're going to train aviators, not that we don't train aviators in the other service branches. i think senator mccain may have had some training somewhere in his past. we created an air force after world war ii. i've wondered whether the cyber domain would have eventually become so significant that there may be the need to consider creating a dedicated cyber academy. much like the air force was created in the '50s.
3:40 am
the question is you can train cyber folks everywhere and have them percolate throughout the service branches or you can focus on a particular cyber expertise and those folks could go into the different service branches. has there been any discussion or thought about that? >> it's been a discussion. my input to that discussion has been i'm not right now based on my experience and what i see a proponent of that approach. my concern is to maximize effectiveness in cyber you need to understand how it fits in a broader context. and i watch at times when i deal with elements in our own workforce, who are incredibly technically savvy, incredibly smart about the aegis of the mission, when i try to remind them, remember we're applying this as part of a broader strategy and a broader context. when you don't understand the broader context, you're not in my experience, not as effective. that's my concern about that approach it will start to make us very, very -- >> siloed. >> narrow and siloed. i'm concerned about the potential implications of that. >> admiral rogers, thank you for appearing again before the
3:41 am
committee. if i heard you correctly, you testified to senator ayotte that your three main fears were threats to our critical infrastructure, the ability to manipulate systems such that we might not have faith in their operations and third, nonstate actors using cyber as a weapon against the united states. is that accurate? >> yes, sir. >> are either of the islamic state or al qaeda able to do any of those three things at this point? >> i haven't seen them yet. but my concern is that's now. the islamic state has a reputation of being effective online. we we infer online recruiting and propaganda is a skill set from the use of cyber against electrical power grids and so forth? >> yes, sir. >> how hard would it be for a nonstate actor like the islamic state or al qaeda to develop that skill set? is it nothing more than recruiting the right person?
3:42 am
>> it would not be difficult. recruiting the right people with the right focus. it's certainly not beyond their ability. i believe. it's not beyond their ability. if they made that decision. >> when we think about other potential nonstate actors, are those, do those groups that have that capability or approaching the capability tend to be associated with state actors? >> in some cases, yes, but not in all. not in all. >> i want to turn now to the ongoing debate about encryption. think data security and cybersecurity is obviously critical in the modern world. most people in this room probably have a smartphone in their pocket. even my 70-year-old father got a smartphone recently. we keep emails, text messages, phone calls, financial information, health information. many other sensitive data. >> he's ahead of senator graham. >> on our phones, i think data and cybersecurity is essential. i think physical security is
3:43 am
essential, i would hate to see americans get blown to pieces because we had an imbalanced priority of cybersecurity over physical security. how do we strike that balance as a society? >> my first comment would be i don't think it's either/or. >> my argument would be we don't serve either viewpoint particularly well when we cast this as well. it's all or nothing, it's either/or. my view is over time we have been able to integrate ground-changing technology in the course of our nation, and to do it in a way that enables the nation under the right circumstances with the right level of control, to be able to access that. for me, my starting position is, what is it that is different about this, that would preclude that from applying here? i don't personally see that. even as i acknowledge there's no one simple answer, there's
3:44 am
probably no one silver bullet. it's not going to be a one size fits all. but i look at the innovation and the can-do approach we have as a nation and i'm thinking we can solve this. >> like for instance a decades-old law known as the communications assistance for law enforcement act. which tells telecom companies of any size if they want to construct a telephone system in this country, it has to be susceptible to a wiretap pursuant to a court order if the court finds probable cause to order a wiretap against a terror suspect or a human trafficker or a drug dealer or so forth. similarly we all expect privacy in our bank accounts, but banks must maintain systems that they it turn over financial information subject to a court order on a potential money launderer. is there any data that says we should treat tech companies different than telephone companies or banks. >> i like you, i just say look, we've got frameworks in other areas, why can't we apply that here? >> these questions have been about the larger debate about
3:45 am
encryption going forward, the way smartphones are designed, messaging systems are designed there was a case recently involving apple and the fbi and the san bernardino shooter in which the fbi requested apple's assistance to override a feature of an iphone, apple refused, fbi found a third party capable of doing so and has withdrawn that case. should americans be alarmed at this kind of vulnerability in such a widely-used device? >> the way i would phrase it is -- vulnerability is an inherent nature of the technical world that we live in today. and if your desire is to live in a world without vulnerability i would say that is probably highly unlikely. >> do you know if we've shared that vulnerability with apple? >> as u.s. cybercommand, sir, i apologize, i don't know. >> admiral, one other point.
3:46 am
we know for a fact that baghdadi is sending young men into the refugee flow to commit acts of terror. wherever they can locate. is it true or very likely that they also know of a website to come up on. secure so that they can communicate back with baghdadi and his tech? >> yes. >> so right now there's a media report that 400 young men had been sent into the refugee flow i would assume then that at least some of them are armed with a website to come up on once they get to a preferred destination so that they can coordinate acts of terrorism.
3:47 am
>> a website or encrypted app. yes, that's probably likely. >> that's a bit concerning, isn't it? >> yes, sir. >> so what should we be doing to counter that? besides take out isis? >> i think we need a broader national dialogue about what are we comfortable with it's not either/or. we've got to have security and we've got to have safety and privacy, and at the moment we're in a dialogue that seems to paint it as well it's one or the other. and as the dialogue we just had with senator cotton, i don't see it that way. >> yet we know of a direct threat of an attack in europe or the united states technical capability to enhance their ability to commit this act of terrorism. isn't that a pretty tough -- so we need a national conversation?
3:48 am
do we need more hearings? do we need to urge the administration to come up with a policy? what are our options here? >> the worst-case scenario to me is we don't have the dialogue and we have major event and in the aftermath of a major event we decide to do something that perhaps that in the breadth of time we step back and ask ourselves, how did we ever get here? >> i don't think there's any doubt that that's a likely scenario. >> that's what i hope it doesn't come to. to date for a variety of reasons we've been unable to achieve that kind of consensus. we've got to figure out how we're going to do this. and you don't want a law enforcement -- i believe, you don't want a law enforcement individual or an intelligence
3:49 am
individual dictating this. just as i don't believe you don't want the private sector, a company dictating this. this is too important from my perspective. >> is awareness of this threat important for the american people to know how serious this threat is? >> yes. >> senator king? >> mr. chairman, hearing this dialogue and the discussion you've just been having, it strikes me it underlines the foolishness of continuing to be governed by budget decisions made six years ago. when this threat was nothing like the magnitude that it is today. and here we are dealing with a major new threat and trying to fit it within, to shoehorn it within a budget structure that was, that clearly did not take account of the fact that we've got a major new threat and a serious one, and it's going to take resources to confront.
3:50 am
i just can't help but make that point. it underlines the fact that we're trying to be governed by decisions made at a time when circumstances were very different than they are today. >> i think senator king, but admiral rogers has made it clear in this testimony that sequestration will prevent him from carrying out completely the missions that he's been tasked with. is that correct, admiral? >> yes, sir. my greatest concern if you went to sequestration would be the impact on the workforce, particularly the civilians. who would argue is this what i want to be aligned with? i can replace equipment. it takes us years to replace people. >> there is a real likelihood that if we continue the sequestration, that you will have to -- you will not be able to continue to employ these outstanding and highly selective individuals? >> yes. >> sometimes, admiral, i do not want the american people to see what goes on at these hearings. the old line about laws and
3:51 am
sausages. i certainly wish the american people could hear and see your statements that you're making today. rather than as you just stated, an attack and then we always overreact. that that's just democracies are all about. and so i thank you for your good work. but i also want to thank you for your straightforward answers to questions that were, that were posed by the members of this committee. we thank you. the hearing is adjourned. >> thank you.