Skip to main content

tv   Defense Officials Testify on Cyberthreats  CSPAN  June 22, 2016 8:00pm-9:53pm EDT

8:00 pm
>> and then we take our fight for social, economic, racial and environmental justice to philadelphia, pennsylvania! >> every minute of the republican and democratic party's national conventions on c-span, c-span radio and c-span.org. the u.s. cyber command deputy commander and assistant defense secretary discussed how the pentagon has been working to counter the presence of isis online. in april, the obama administration directed u.s. cyber command to start conducting cyber attacks on isis. this is a little over an hour and 45 minutes.
8:01 pm
committee will come to order. i would like to welcome our witnesses today as the committee examines military cyber operations. i note that just about exactly two months ago, president obama confirmed for the first time that the u.s. is conducting cyber operations against isis. and as the leadership of the department of defense was discussing this, they said it was the first time that cyber command has been given the guidance to go after isis. just like we have an air campaign, we want to have a cyber campaign. and some of the press went on to discuss that secretary carter was pushing for u.s. cyber command to have greater freedom to launch attacks and to address
8:02 pm
tactical cyber threats against isi isis. >> the department defense capabilities to fight and win the country's wars and be prepared and ready to execute those missions remain on solid footing regardless of which domain we are talking about, including the cyber domain. the department has been developing organizations capabilities and personnel needed to operate in cyber since at least 2010. billions of dollars have been spent. and yet the perception -- and y'all can disagree with this if you think i'm wrong. the perception is that the threat is still multiplying faster and growing faster than at least our laws and regulations, policies, rules of engagement are developing. still a fundamental question. what is the role of the military
8:03 pm
to protect civilian infrastructure in the united states against cyber attack? i do not suggest we're going to get the definitive answer to all of those questions today. but i think that it is important that we discuss not only those, but the tactical use of power. i yield to the distinguish ranking member for any comments he would like to make. >> thank you, mr. chairman i agree with your comments about the complexity and importance of cyber. and the most interesting thing i would like to get out of this hear something how is the organization coming together? i think that's the major challenge. it's been quite a few years
8:04 pm
since we recognized cyber. so we have a lot of people working on it. how coordinated are they? that's the great challenge, making sure we're getting the most out of the resources we're putting into this it is a constantly evolving threat and it threatens everything, every aspect. the least little device can be an entry point to a cyber attack. so, how do you get a comprehensive look at making sure that you control -- control is a bit of an optimistic statement. have some measure of understanding of where the threats are and how best to address them. so how the various branches of the military and our broader cyber vulnerabilities, as the chairman mentioned a lot of those vulnerabilities exist in the private sector and we've had defense contractors who have been hacked before that have created problems. so, how do you we
8:05 pm
comprehensively address this incredibly complex and ever-evolving problem? i think that's the great challenge. i will say that i very much approved of what secretary carter did, where he had the -- i forget what he called it, but basically invited hackers to try to find their way in. you'll learn from that. i think that was one of the best, most cost-effective ways to do it. instead of sending some contract out to somebody, take those people out there who are really good at this and say come at us. show us our vulnerablvulnerabli. that was a very wise way to learn a lot in a cost effective manner. a cost effect approach to an ever evolving and changing problem. as the chairman mentioned, the legalities of it in terms of are our laws and regulations keeping up with it, to make sure that you and the executive branch have the authorities you need to best protect us and, in some cases shall use cyber as an offensive weapon where
8:06 pm
necessary. with that i'll yield back and look forward to the testimony. >> gentlemen, i also want to mention that, of course, on the front lines for oversight of this issue, i very much appreciate the emerging threats and capabilities, sub committee wilson who work in this area day-to-day. i think it is also important, though, for all members to look at these larger cyber issues, which is why we're doing this hearing with the full committee today. let me welcome our witnesses, mr. thomas atkin actth assistant secretary department of defense,
8:07 pm
thank you all again for being here. mr. atkin, the floor is yours. >> i am pleased to testify today, along with my colleagues, lieutenant general kevin mclaughlin and brigadier general moore. in how we are improving. the closed hearing will go into greater detail on some of the challenges we face in cyber space and the department's efforts to address those challenges. i wanted to highlight a few thengs here this morning. first, the threat. today, we face a diverse and persistent threat in cyber space from state and nonstate actors that cannot be defeated through the efforts of any single organization. our increasingly wired and interconnected world has brought prosperity and economic gain to
8:08 pm
the united states. however, our dependence on these systems also leaves us vulnerable and cyber threats are increasing and evolving. posing greater risk to the networking systems of the department of defense and other departments and agencies. our national critical infrastructure and other u.s. companies in interest. dod maintains and uses robust and unique cyber capabilities to defend our networks and the nation, that alone is not sufficient. securing our systems and networks is everyone's responsibility. from the commander down to the individual. and this requires a culture of cyber security. more broadly, preventing cyber attacks of significant consequence against the u.s. homeland requires a whole of government and whole of nation approach. to that end, dod works in close collaboration with other federal departments, our allies and the private sector to improve our nation's cyber security posture and ebber ensure that dod has the ability to operate in any
8:09 pm
environment at any time. since cyber strategy was signed by secretary carter, the department has devoted considerable resources to implementing the goals and objectives outlined within the document. when secretary signed the document, he directed the department to focus its efforts on three primary missions in cyber space. one, defend the department of information, department of defense information networks to assure our dod missions. two, defend the united states against cyber attacks of significant consequence and, three, provide full spectrum cyber options to support contingency plans and military operations. another key part of our strategy is deterrence. dod is supporting a comprehensive cyber strategy to deter attacks on the u.s. and our interests. this strategy depends on the totality of u.s. actions, to include declaratory policy,
8:10 pm
overall defensive posture, effective response procedures, indications and warning capabilities and the resiliency of u.s. networks and systems. i am proud to say that the department has made important strides in implementing dod strategy since it was signed in 2015. my colleagues and i look forward to going into greater detail on our strategy as the hearing proceeds, as well as to discuss how our thinking and incorporation of cyber operations is evolving. the department is committed to defending our u.s. homeland and interests from attacks of significant consequence that may occur in cyber space. i look forward to working with this committee and congress to ensure that the department has the necessary capabilities to keep our country safe and our forces strong. i thank you for your support in these efforts and i look forward to your questions.
8:11 pm
thank you. >> general mclaughlin? >> chairman thornberry, ranking member smith, distinguished members of the committee, i'm honored to appear before you today representing the men and women of u.s. cyber command. it's my pleasure to do so alongside assistant secretary brigadier general moore and thomas atkin, two men who keenly recognize the challenges the department faces in the cyber domain. i would like to focus my opening remarks on the ongoing efforts to build capability and capacity in the cyber mission force. the cyber mission force, with unique teams designed to defend dod information networks, support combat missions give u.s. cyber command and the department a means to apply military capability at scale in cyber space. we recognize that success in accomplishing our missions is dependent on three factors, quality of our people, the effectiveness of their
8:12 pm
capabilities and proficiency that our people bring to bear in employing these capabilities. encompassing a robust, active component along with both national guard and reserve force s being fully integrated. out of a target total of 143 teams that will be part of the cyber mission force we have 46 teams at fully operational capable status and 59 that are initial operating capability status. we will eventually build to 6,187 when we finish. it is important to note that teams that are not fully operational are already contributing to cyber space efforts as the command operates on a full-time and global basis. nation and every combatant commander can call on cyber
8:13 pm
mission force teams to bring cyber space effects and support of their operations. in support of u.s. central command's ongoing efforts to degrade, dismantle and ultimately defeat isil. training them to be prepared is imperative. cyber guard exercise, which concluded last friday provides realistic training in which federal, state industry and international partners can use their skills against a determined opposition force. the response to cyber guard from our public and private partners has been tremendous. dozens of critical infrastructure countries have expressed interest in it. allowing policy makers to observe the types of issues we see in real cyber attacks and helps us generate a playbook that should save the federal government precious time and stress in responding.
8:14 pm
u.s. cyber command to teams to ensure they have training skills to make an immediate impact in today's fight. our command prides itself in being a learning organization, exercises like cyber guard and other premiere exercise, cyber flag, which is ongoing at this moment, are key lessons learned, opportunities for us. we also look at everything we're learning and the growing set of real-world operations and collaboration from the private sector, academia to provide valuable insights to the command and allow our teams to develop and implement new tactics, techniques and procedures. although our people are undoubtedly our most important aspect i would be remiss not to highlight the tools, infrastructure and capabilities that the force needs to execute its missions. ongoing efforts to develop tools such as the persistent training department, cyber situational awareness and the joint environment must continue to be
8:15 pm
resourced. these capabilities are critical in ensuring that they're equipped to counter. adversaries' changing tactics in cyber space require well trained, well resourced and agile force. with that, thank you again mr. chairman and members of the committee for inviting me to appear before you today. u.s. cyber command is committed to the mission of ensuring the department of defense mission assurance, deterring or defeating threats to our infrastructure and achieving objectives. cyber mission force is adding to our ability to perform this mission. u.s. cyber command team appreciates the support of this committee that it has shown and looks forward to our continuing partnership with congress to address the challenges and opportunities in cyber space. i'm happy to take your questions. thank you. >> general moore? >> thank you, chairman
8:16 pm
thornberry, members of the committee thank you for allowing me to speak on behalf of the joint staff. the inherent global nature of cyber space threats causes and creates numerous challenges for the department of defense. additionally, our war-fighting capabilities are increase iing high-tech weapons, communications systems to our ability to rapidly deploy forces around the globe. trying to keep up at the rate in which technology is advancing in this rapidly changing environment is extremely challenging. potential adversaries continue to increase their capabilities they also sha irthese challenges. all of that said, we have made progress, challenging our adversaries' ability to operate in sieber space and more effectively our networks
8:17 pm
information, weapons systems from malicious cyber space actors. in regards to building our cyber capabilities, u.s. cyber come continue to make great strides in standing up for cyber mission forces, arranged in teams with the objectives to support and combat command requirements, to defend the nation against cyber attack and to protect our department of defense information networks. information and weapons systems. while significant process in all of these areas in the last year, significant challenges do remain to include equiping the force, recruiting and retaining a professional cyber source and cyber mission force command and structure. from an operational perspective, cyber com continues to make great progress. cyber com has not only challenged isil as the president
8:18 pm
and seblingt of defense has publicly stated but built on our lessons learned to date, upon which to expand the scale and effectiveness of our operations. from a broader, strategic view or adversaries, who are always looking for something that can provide them an asymmetric advantage, find cyber space appealing due to low barriers of entry and perceived difficulty of tricks. because of these threats from state and nonstate actors we work vigorously to harden our systems while educating the total force to create a climate of constant vigilance. to strengthen the whole of government, particularly u.s. critical infrastructure, the department of defense routinely engages and works with our department partners and international partners, and there's interest to expand those cyber relationships. finally as our capabilities continue to grow, we continually engage all the combatant commands to make sure cyber
8:19 pm
effects are being considered in corporation to their planning process and benefit all current and future operations. while it is well known we are actively engaged in cyber space against isil, we also recognize that there are other threats in cyber space that must be planned for and addressed. joint staff is working closely with u.s. cyber com to continue to bring cyber-related options to the table to support all our global operations. as i mentioned, cyber domain is constantly changing and we see malicious cyber actors rapidly developing new capabilities at a very high rate. working closely with cyber com, osd, international partners to secure our networks, our information, weapons systems and to support combat and command objectives while we protect the nation against malicious cyber space activities. thank you for the opportunity to appear today. i look forward to answering any questions you might have.
8:20 pm
>> thank you. let me take a second and remind members that we will have our quarterly cyber update this afternoon the 2:00. classifieded, of course, and we will be able to get into greater detail on classified items then. in october 2010, we're nearly six years down the road. isn't it time for cyber com to stand on its own as a combat and command? >> i think the short answer to that is yes. we are continuing to look at that within the department. the secretary is -- has been evaluating whether to stand up or recommend to the president to stand up cyber com as its own
8:21 pm
unified command. we're continuing to look at it. we are getting close to a decision. and we will be getting something to the president here in the near future. >> well, we're trying to help you along because section 911 of the defense authorization bill requires that be done. i note admiral rogers has testified become a combat and command would allow cyber com to become faster which would generate better mission outcomes. i have yet to hear a reason not to do it. and so it seems to me that we shouldn't stew around about this too long because the goal is better outcomes. and if that's what the result is, we ought to be able to agree and get that done without a lot of delay. general mclaughlin, let me ask you. we talked about the tactical use of cyber that's been publicly
8:22 pm
talked about by the president, secretary, deputy secretary. we obviously cannot get into the details of that in this forum. but are there -- what would you say are kind of the broader challenges that have been encountered so far? general moore mentioned lessons learned. at an upper policy level, what have we learned so far with what we've been doing against isis? >> i think what we've learned is as we've described to you the cyber mission force that is being built right now, we've learned that the fundamental building blocks of the forces that are actually supporting combat and commands, as we stated in our mission, one major focus is bringing cyber effects to support our combat and commanders and war on isil is the first at scale opportunity to do that. >> first thing we learned, reinforced that the way we're
8:23 pm
creating our teams, expertise of our teams and how they plug in to the command and control is working. broader challenges we have, this team is still a young force. as we mentioned, we have quite a few of them at initial operating capability. in many cases, this is the first actual live opportunity for these forces to conduct that type of mission. so, the types of lessons we've learned have been a number of just practical lessons about improving the ability for us to do that routinely at scale. the reason the persistent training environment is so important is to give teams like those that are supporting the war on isil more realistic opportunities to do their work and train in realistic environments prior to actually doing it in combat. so we sort of knew that intuitively and the operations have born out how important that capability would be.
8:24 pm
we've learned how quickly that the department in general needs to operate from -- in terms of if there are any policy or anything that needs to be done to support sharing, for example, with partners. and that has happened routinely. so, the osd staff, for example, sits in our twice a week update that we do in this area specifically to want to know is there anything at all needed to make these operations more effective? we've learned how important that broader team is. some people pay not realize how closely coupled we are from that perspective. i think, really, the last is maturity. we've learned more in the last several months since it's been announced publicly that we're supporting this. it's given us the opportunity to learn, mature, plow back in. lessons learned in a real circumstance that it may have taken us several years to learn the things we're learning but it's the nature of military
8:25 pm
operations. in summary, i would just say i believe we're on course, fundamentals of what we're doing are sound and our job is to continue to expand capability and capacity against this enemy. we will talk with you about it, give you practice examples about that in the closed session later this afternoon. >> general, do you have anything to add on lessons learned or what you see from a joint staff perspective? >> no, sir. i think most of those that i would add to were touched on by general mclaughlin. i would piggyback on and say the speed of operations and how we can especially at tactical level, something we're very much focused on, overall combat operations. we've also applied the lessons we've learned from attacks on infrastructure. and how to better protect ourselves and how better to train our people to defend against them. >> okay.
8:26 pm
mr. smith? >> what do you need to do to get ready for that point to make that move? >> resources, making sure that cyber com has the right resources as they build out their cyber mission force. as we continue to build out the pte that general mclaughlin has already mentioned, unified platform, et cetera, to make sure that they can stand alone and operate as a military force and support the combat and commanders. that's going to be the key. not that we can't do it but make sure we're doing it in a way that we don't hamper anything we have going. and that we continue to gain advantages and do better when we're conducting these operations. so i don't think there's any one
8:27 pm
specific thing that was stopping us. it's more about how we make sure sequenced to get to the right mission. >> what are the coordination challenges there? now there is, obviously -- we've already coordinated into a central. as you look throughout dod a lot of people working on cyber. who you do you round all that have up and get it under one unified combat and command? what are the challenges going to be into pulling in those pieces and working with them? >> well, i think part of the challenge is going to be how we just work within -- internally within the department. i think we have a good way ahead on the principle cyber adviser, which i am. as well as my role as acting assistant secretary for policy. we work it from both those angles within the department internally. under the joint staff and as a commander, they work very closely with the other combat and commands to make sure that
8:28 pm
all the operations are integrated and coordinated. and then we, in policy, also work across the interagency and across the intelligence community to make sure the operations are coordinated and the sequence of activities, whether it's the application resources or training or other operations are coordinating. >> and what, if any, role does the nsc play in your cyber operations? this is a subject that's come up in our hearings, the increasing role of the nsc over the top of, in some cases, the department of defense. how are they involved in that? if they're involved, how much do you integrate them? >> it's an integral part of the whole solution for any of our
8:29 pm
activities. and so we keep them advised of the operations that we have ongoing through the interagency process. we also, when necessary, coordinate and get permission to run operations when his permission is required. >> thank you, mr. chairman. >> we may want to pursue that further. >> thank you, i'm very grateful to the chairman of the committee with extraordinary staff that have worked with everyone here. kevin gates, katie sutton, lindsay cavanaugh. it's been a remarkable exercise bipartisanship. and i'm particularly grateful subcommittee members here who have been so important. a superstar, coming to every meeting. i'm so grateful for our other members here, doug lamburn, vice
8:30 pm
chairman trent franks, duncan hunter. but it's just been terrific to work with each of you. it's been so meaningful on cyber operations. what can be done. but the dangers to the american people. in fact, general mclaughlin, what are we doing to make better use of coalition forces and capabilities in the planning and execution of our cyber space operations? how are we aligning our capabilities with our nato allies? >> mr. wilson, thank you. before i answer your question, we also appreciate the great support from the subcommittee and agree that your staff -- the staff supporting that has been outstanding. they're very knowledgeable and helpful as we work together. the ability to integrate our
8:31 pm
coalition partners into our operations at u.s. cyber command is critical. we have broad latitude and authorities that have been granted to us for that partnership. they are actually primarily today with our partners, we are working and do communicate with nato. right now our focus has been our partners as well as there are some other partners that are really interested in how they actually create the capacity to have their versions of cyber command and to do, you know, military cyber operations in countries that are still, i think, at the verge of trying to decide whether they're going to take the same steps that we've taken. types of practical areas we work today with our coalition partners. one -- some members of the committee congressman lansoven were down last week. we have coalition partners in
8:32 pm
those sessions, training with our people, learning lessons, creating tactics, techniques and procedures jointly and also practically identifying and overcoming any challenges that limit our ability to work together. there are key areas where we are doing development of capability together instead of each of us spending the same money to accomplish a certain task. for our close partners there might be times we share a burden or do work like that together. and then when directed and when authorized, if we have operations where we can actually -- we have a partner that can bring a capability or capacity, we are operating with those partners with shared objectives operationally and conducting operations in a way that each of our, you know, national capabilities are coming -- are being used to accomplish objectives that we share. i think it's a robust environment right now. it's growing. i think you'll see more and more countries want to be part of this partnership. we will embrace them as they show interest. and as they have the capability
8:33 pm
to partner. >> and we have a long-term allies of nato. it's exciting new members such as slovakia, visited different i.t. centers there. very talented people who will be very helpful. additionally, general, how good is the current training exercise and certification process in re approximate. licating the real world challenges using tactical operations, cyber command has recently completed a cyber guard 16 exercise. are there any lessons or highlights from that exercise that can be applied to our ability to effectively apply cyber capabilities to tactical operations? >> sir, that's also a great question. so, i would answer you in two ways. we have the ability. cyber guard is a great example to do high fidelity, highly realistic training where our teams, our tactical forces can be immersed in a simulated environment that looks real to
8:34 pm
them. and have to perform their duties with an actual opposing force. another group of people that are acting as if they're the enemy. and they have to demonstrate that they have the ability to do their job in that realistic environment. so, we can do that. we're doing it down in the suffolk area right now. the issue we have, we cannot do that at scale. we have the program. we mentioned in my opening comments the persistent training environment. that is a focused effort in the department of defense to allow us to actually do that type of training routinely. every week, every day so that the men and women on our teams have the abilities to do the level of training we're doing down in suffolk right now. we only do that a few times a year. our job is to do that consistently in every other domain. >> my time is up.
8:35 pm
>> mr. langechlt vin. >> appreciate the work you're doing, full committee level, mr. smith, ranking member and i agree with my chairman of the sub committee now, mr. wilson, that it's been an exercise in bipartisanship and deeply appreciate the work of the staff. secretary atkin, thank you for your testimony today. along with you, general mclaughlin and general moore. thank you for what you're doing on cyber and, again, being here today. general mclaughlin and general moore, as we have discussed this morning, the cyber guard home defense training exercise just concluded. i was very pleased to be able to attend that exercise. i very much enjoyed being able to witness the exercise take place in person. i was very impressed with what i saw. i wanted to thank you all for being such great hosts for that
8:36 pm
exercise. chairman wilson had asked, not surprisingly, we're on the same page. i wanted to know what your takeaways were from the exercise at the highest level. so, anything else you want to elaborate on lessons learned from the exercise, feel free. but i also would like to know beyond that what lessons have been learned with respect to the cyber mission forces executing operations in a geographic combat and commanders area of responsibility as they pertain to each mission. and our roles and responsibilities of involved entities being refined and solidified as well as command and control of cmf. >> congressman, let me just take both of your questions. i think we, on the first question about high-level lessons learned that we have seen coming out of this year's
8:37 pm
cyber guard, while the full report will be written in the next few weeks, we do have some initial broad insights that come from it. one is an increasing understanding of how many of the other partners -- so, as you mentioned, that is a whole government and international exercise that simulates some attack of significant consequence that occurred outside of the dod networks. what's really been interesting in our lesson is how many players, both within our government, within industry and within -- and i mean broadly beyond dod, within our government and coalition partners are coming to this exercise. it continues to grow because it's an opportunity to tease out not only practical technical ways for our teams to defend and respond but those complex challenges about how different parts of the federal government coordinate in response and how does that work. how do we work with industry.
8:38 pm
you know better than most the complex issues associated with government forces actually connecting with industry, cyber terrain and how we should do that most appropriately and most effectively. and how we do that at scale with our partners. so, that continues to be a key lesson for us, the scale of people that want to participate. and every time we think we've reached the outer limits of who ought to be there, we realize there are more players that can or ought to come. and then the last thing, really, just to reinforce the question from mr. wilson, the need to be able to train at the level, the men and women that are down at cyber guard are asking us, you know, we would really like to have this capability routinely. this is great training. most of them say it's the best they've ever had. our goal is to let them do the best all the time. >> thank you. >> i think your question regarding what have we learned
8:39 pm
in terms of how and our mission of supporting combat and commanders, broad lessons that we learned and are we adapting to being innovative? we really just started with what we thought would work. and what's been very interesting, and i think a positive step was the department, often led by general moore's team down in the joint staff, has continued to lead and ask how do we refine, change and adapt our command and control processes? we have made a number of adjustments in the last 18 months. we'll talk this afternoon. we've made chang changes in how we command and control our forces in the counter isil operations. so, we really are learning and changing a lot. there's no one saying that's the way we've always done it, because the way we've always done it has only been two or three years. we are changing as we need to. one thing i think is a key
8:40 pm
tenent that all of us need to understand, and we're seeing this play out in the support. cyber capabilities aren't just there to solve cyber problems. there are adversaries that present themselves in a variety of ways that we could hold at risk. they might have a cyber capable that i will use some other tool or capability to counter. and they may have a noncyber capability that we're going to use a cyber tool to counter. that is one thing that i think the whole department department is learning. we bring what's unique that we can offer to our mission as opposed to defining problems as cyber only. that's been a key lesson for everybody and a powerful one for the department. >> thank you, general. thank you and your team for the work you're doing. and i was very impressed, as i
8:41 pm
said, the cyber guard exercise. training, training, training, i agree, has to be a key part of us doing this, going forward and seeing that persistent training environment be maximized and supported in a very robust way. so, thank you mr. chairman. i yield back. >> thank you. mr. lamborn. >> thank you, mr. chairman. thank you all to your service to our country in various capacities. i'm going to build off what representative langevin was asking. general yenstoltenberg said a cyber attack could trigger a response by nato using conventional weapons. that's nato, not the homeland. in this fast-evolving field, what can you tell us? what are you in a position to state publicly are the evolving rules of engagement where something would trigger a cyber
8:42 pm
response from us or a kinetic response from us? >> as i've said before, it's a whole government response. cyber response or cyber attack would not necessarily mean we have to have a cyber response back to that. and each of those actions would be evaluated on a case-by-case basis by the entire interagency and the government. we would look at any cyber attack by a combat and command overseas or here in the homeland on a case-by-case basis and determine the significance of it was and use a whole government approach, whether diplomatic means, economic means, law enforcement or military action to respond to that. >> anything to add to that, generals? >> for our mission, as the general mentioned, job one is defending the dod information
8:43 pm
network. that's ongoing 24 hours a day, seven days a week. we have all the authorities that we need today and are growing the forces. so, any threat that manifests itself. these are short of attacks, formal attacks or wars. but they occur all the time. and so the authorities we need within that domain, which is our main defensive mission set, we have those authorities and we spend a great deal of our time, day-to-day managing and responding to a breath of those activities. in our closed session later today we'll give you insights into the scale of just the daily size and scope of what that looks like. and then a specific example of the operation we conducted recently against a very specific threat so you can see that, you know, a little bit more. >> that's reassuring to me. i'm sure it's reassuring to everyone who might be listening. changing gears, before my time is up, in israel, they are doing
8:44 pm
more with collaborating with the private sector and consolidating everything that they're doing into one location for synergy. what do you see as the future of collaborating with the private sector here in the u.s. with places like silicon valley, seattle, et cetera, to harness the public sector, creativity, expertise in this area? what do you see as the future of that? >> in that regard, the future is here. we are integrated in with the private sector well. we're going to continue to grow that, whether it's through the defense innovation unit, experimental out in silicon valley, that secretary carter stood up. how we lercveraged the skills tt the national guard and sources bring and we leverage those
8:45 pm
skills as integrating those folks into the cyber mission force or continue to work with the private sector in response to cyber attacks through exercises such as cyber guard. so, we already are working with the private sector pretty well, i think. we're going to get better at that. and we're leveraging the skills of the national guard and reserve folks as part of the cyber mission force. >> but you don't see anything in the works like what israel did, for instance, where there would be an actual consolidation into one location? that is a much smaller country, obviously. >> right. i would say that i don't see that. no, sir. i think we have good coordination and collaboration through the department of homeland security, fbi, department of justice as well as the other sector-specific agencies, commerce, et cetera, with their sectors. but i don't see us consolidating all those activities under one -- into one location. >> thank you so much, mr.
8:46 pm
chairman i yield back. >> critical infrastructure that would threaten public safety. i wonder if you could talk about that and whether the dod and national guard would assist in responding to that type of attack as well as what actions are being taken to eliminate those vulnerabilities and to make it so that these types of attacks are not possible. >> that's a great question and great challenge for our country, how we protect our critical
8:47 pm
ininfrastructure. we work closely with the department of homeland security, and have that responsibility to not only provide them with information regarding threats, but to help define how we would respond as a nation to an attack on the critical infrastructure. where dod gets involved is an attack of significant consequence. we have the responsibility to defend against an attack of this significant consequence. >> how do you define significant consequence? >> that would be determined by whether loss of life, physical damage, economic impact or how it might impact our foreign policy. those are some of the factors that we would evaluate. of an attack of significant consequence. >> could i just ask a follow-up to that? >> yes, ma'am. >> as you define loss of life, if there was an attack on electric grid, caused a major power outage, hospitals no longer able to care for people and loss of life in that respect, would that fall under that definition? >> i would have to -- see i'm
8:48 pm
not sure i could answer a hypothetical like that. i think that the factors of the impact would certainly be evaluated or determined. regardless of whether it's an attack of significant consequence or not the department of homeland security would respond. if they needed assistance from the department of defense, they would ask for that assistance and we would respond with assistance through the department of homeland security to help that critical inf infrastructu infrastructure. part of that occurred in cyber guard where we exercise that capability, request for assistance from the department. and we respond. so, the other piece of that is the national guard. they have cyber mission capability. they are being trained to the same capabilities as the rest of the title ten force. they can respond under their own state authorities. we recently completed coordinate, train, advise and assist policy within the department to allow national guard troops to use the
8:49 pm
department of defense resources to respond to a cyber event under state authority. and we're continuing to work other policies. i just recently set up a meeting to work with all the different combat and commands, cyber command, joint staff and office of general counsel to determine exactly how we're going to set up our defense support of similar authorities. more holistically, the policy has been in process for a significant time and we want senior leadership attention on it very directly. >> thank you. i think this is something that, obviously, we're going to have to continue to discuss and understanding the differences of whether a state or nonstate actor were to come and launch a traditional type of military attack on critical infrastructure versus a cyber attack how the dod is involved
8:50 pm
or not in those situations. you know, given the types of attacks that we are already seeing from both state and nonstate actors in the cyber world, you >> i agree. >> thank you, mr. chairman and thank you for testifying and your leadership on this issue. i want to focus my full questions on the panel and the evolution of the cyber threat and how we maintain the edge on a 21st century battlefield. news as you know has been filled with stories about the evolving strategic threats in the cyber recommend like russia and destabilizing threats from both state and nonstate actors within this week.
8:51 pm
just this quadriplegic i read that they've been covering reports from around the world. in march at a hearing on this subject i asked admiral rogers how confident he was moving forward that our cyber capabilities were robust enough to face the few tu on multiple fronts. can you speak specifically to your concerns about adversary cyber capabilities and your comparison in moving forward and the second part of my question is given the unique challenge of prosecuting sigh mustainous threat wrrks do you feel it's seeing risk for readiness? >> so, ma'am, we're not going to address that. we'll get into it when we're in the closed session, but broadly you stated it correctly. the threat today is diverse.
8:52 pm
it certainly is representative not only by large nation states that are very, very capable to organizations like isil or criminal or hacker organizations. ta barrier to entry is not that high and the ability to innovate and use technology to continue to evolve is actually there. we on the cyber command side, i this i the key thing we think is important is focused people and technology. i'll do technology first. the ability to have the tools and the capability and sort of an integrated suite. an in-depth approach across cross our whole enter prove has proven to be very effective, and the ability to bring new technology, that's one of the richardsons for the connection to silicon valley. that's why we feel it's so important. we don't feel the secyber cap
8:53 pm
capability will be just for now. it's critical. the most important part, though, are our people. the reason we've talked about the persistent training environment. we haven't even talked about the foundational training that goes into the cyber mission force and some ask why does it take a if you'res to take an initial session and get them to that level is that we're training all of our people to a very, very high standard, a joint standard across the force. in our view it's in the minds of our people that are going to allow them to keep up technologically with what the threats are doing. we're not just training our folks to operate equipment. we're train them to underthe domain, the foundational technologies, the advanced technologies, and in some cases they're advantaging the technology they're having at their fingertips to counter their adversary or develop tools to do that. so i think that's the most
8:54 pm
important part for us to stay ahead is making sure we invest in the people and have those types of skills. >> on the multiple fronts portion of the question, given the fact that there are multiple cyber threats whether there are those in the middle east, where do you feel it is assuming risk to readiness? >> i think the way i'm going to answer your first question if i'm broadly assuming, risk to military force broadly. cyber is a thread through everything we do, our platform, networks, our own critical infrastructure within dod we can't defend everything all the time at the same level. the way we approach this broadly with the department, this is not cyber command decision of our own makes. give it the most important combat capabilities that need to be hardened and defended. where the mission assurance is
8:55 pm
most critical. we don't think about doing that against oneone threat. we defend it at the highest level and we would accept risk if it were not as important or something we felt was lower on the priority because you can't defend all of it to 100% all the time. >> thank you. do other witnesses have -- would you like to add anything? >> on the risk measurement i would say we evaluate the critical infrastructure that's required for the department using our mission assurance strategy and our cyber strategy combined to identified those most critical elements of the inf infrastructure that we need to protect and then we evaluate and prioritize those pieces wchl're not only protecting them from physical damage, but now we're also mapping out the key siper terrain to understand where the
8:56 pm
most critical vulnerabilities are. >> thank you. my time has expired. >> mr. ashford? >> thank you. i'd like to second the comments regarding it on the emerging threats. it's been a very interesting year and a half. i have two topics i'd like to cover. one is deterrence in the cyber world and then secondarily the information technology exchange program and how you see that evolving. if i could start with general mclaughlin on deterrence. when we're dealing with what the public generally thinks about in the deterrence area, we're talking about nuclear weapons. in this case, we're dealing with cyber. we know to a certain extent how many nuclear weapons are out there. we can identify the specific threat and we have decades of experience in dealing with
8:57 pm
deterrents as it relats to nuclear weapons and other matters regarding deterrents. in cyber where we have 80,000 or so attack as year and we have -- it's hard to identify where they're coming from and who has the capabilities at any given time, it's very dynamic, and you've talked about that, can you just kind of define for me what deterrence means in the cyber world and how that's evolving? >> i can jump on that a little bit. from a cyber perspective as we mentioned before -- a cyber attack doesn't always mean a cyber response. attribution is key. and that's probably the greatest challenge in any cyber attack is attributing it to either a state actor or nonstate actor. we look at it as we want to make sure from the assurance policy it's declare torrey, that
8:58 pm
everybody understanding exactly where we stand and we're able to impose costs. so the first part of any deterrence policy and our deterrence policy is denial. we want to make sure we deny the adversary to achieve the effects they're trying to achieve by developing and having good cyber security. the next thing we want to bible to do is have a very resilient system. we want to build a resilient system and if they are attacked as general mclaughlin has already said, we can't protect everything all the time, but if they are attacked, that they'll be able to recover and be resilient and back online, denying the adversary the goals they're trying to achieve. and then the third step of our deterrence policy is to impose costs. whether it's diplomatic, law enforcement, economic sanctions or military actions to include cyber response. those are part of the deterrence policy we would use to respond or to signal to a state or
8:59 pm
nonstate actor. >> general. >> sir, just in accordance with the direction we received from osd. mr. at kin mentioned the secretary signed there are new dod strategy. within that there was direction for us to actually take steps to meet those three goals, and our primary effort has been all the defensive activity and the work we do to make our work more resilient and to make it where an adversary couldn't achieve their goals against our -- that they might try to achieve by attacking our cyber infrastruck tu. many people don't think deterrence involves thaw, but it's really been the anchor of what we're doing, we've been ordered to do and we're accomplishing within the cyber command. it's aimed at bringing options to bear that would be there for the secretary and the president if that was directed. >> thank you. let me -- could i just ask a
9:00 pm
question about the information technology exchange program? i believe in the ndaa we expanded that program a bit and added more slots. is that program -- so take, for example, the sony case where there were issues in the sony technology that made it easier or less difficult to attack the sony technology, whether it's the silos of the various businesses within sony or whatever it is. there are issues in the private sector that are different from dod sector and federal sector, and they're diverse. it depends on the industry and what they do. so is the purpose of the information of the technology exchange program to help to put in place people into the private sector directly torque help them with that, and then vice versa,
9:01 pm
to deal with those threats, and then vice versa, to -- if there's somebody in the private -- if i understand this, in the private sector, we have someone who's really exemplary or efficient in the cyber security that we can bring those people in on a temporary basis to address those issues that we see. is that -- is that essentially what we're doing here? >> sir, i'll have to take that question. i'm not familiar with that program. >> aside from that program are there others in place to allow us to bring private experts in the private sector into the military on a temporary basis and vice versa? is that par of what we're doing? maybe misunderstood the program.
9:02 pm
>> i'm not familiar with that. i know the secretary has talked about that as part of the force of the future, some of the changes, so i know that's something he's beginning to talk about and as we move forward. what i would say is we try to leverage the skills from the private sector through our national guard and reserve forces as we mentioned earlier and the skills that they gain in the private sector and we also do things like the bug bounty where we actually have hackers come in and take look at our dod systems and see if they can hack those systems some of there are different ways we're trying to leverage the private sector to improve our own cyber security. >> thank you. general? >> sir f you're referring to the cyber security information sharing act, i think that's what you're referring to -- >> right. >> -- that the government has passed. that has gone a long way. the two main benefit os that act
9:03 pm
are that it first off reduces the risk of any legal liability to any of those industry partners we have when they share that information and also decreases any economic or business advantage that might be gained through the act of sharing that type of information. so it's really knocking down a lot of those barriers. >> thank you, mr. chairman. >> mister rogers. >> thank you, mr. chairman. this would be a question for all of you. do any of you believe that the department of defense should use equipment provided by wowway or zte, each who have links to kmie sneeze military apparatus and illegal sales to iran and in violation of u.s. sanctions? >> sir, i'm not familiar with those technologies. certainly we would want to take those factors that you just high lighted into consideration if we were us go to use anything like that, and thought would probably
9:04 pm
be -- the risk would have to be evaluated based on those threats and whether we would use those. >> you're not floor with them. >> i've about heard of them, but i'm not a technical expert to make good decision. >> so, sir, i would just say -- so i have heard of the first company that you've mentioned, but what i would say broadly is all of the ee kwimtd that we use or field as par of our dod mission, you know, it's heritage and the supply chain, it's important that we assess based on the equipment, we assess what vendors are appropriate and which ones should be. siem not prepared to tell you because i just doan know what exclusions might be there for both of those companies broadly across the dod, but i know for our core capabilities before we buy it, we buy that capability, it's security and it's our knowledge of the supply chain go into the factors before we make up a broader procurement.
9:05 pm
>> general? >> just piggy backing on what the two gentlemen said, they're real and they should be considered any time we look at a purchase marked dod or the federal government. >> that -- with relation to dod, what about a u.s. cleared contractor? do you apply a different standard to them? what would you advise them if they were thinking about using equipment for one of those two chinese firms? >> sir, i'm not -- again, i'm not on the acquisition side, and i know that we work very closely on the acquisition side with the contractors through the industrial base to ensure that their systems are secure, so we're always looking at the supply chain vulnerabilities and the risk, and so our advice to any of the contractors that support the department of defense or any of the inner
9:06 pm
agency, i think we recommend to take a hard look at their supply chain vulnerabilities and make sure their information is secure and their operations are secure. >> so i guess i'm hearing from you all that you don't have a list of chinese firms that you're concerned about right now or you have a list, you're not familiar with it. >> sir, i'm not familiar with the list. >> do you know if you have a list? >> i do not, no, sir. and we can state that for the record. >> general mclaughlin door you know if yowl all have a list of chinese firms you're concerned about having access to your supply chain? >> sir, i don't, because it's all handled within our acquisition chain of command, the folks that actually procure our equipment which is outside what we do at cyber command. >> if you could do it for the record i would appreciate it. thank you, mr. chairman. i yield back. >> ms. mcsally. >> thank you. i'm not sure if you answered
9:07 pm
this. i was at a homeland security briefing. i do want to talk about the cyber operations against i says starting a few months ago. the caliphate was declared two years ago. i know probably the details would be more in a classified realm, but this is a very important domain and this terrorist organization is using sign never a way we've never seen terrorist organizations use it before and what took so long. how come it was two years before we even would think about fighting in this domain? >> ma'am, that's a great question. i this i the bottom line is that we probably started more than two months ago. i don't have the exact date and time that we began to conduct cyber operations against isis. we continued to respond to isis and their -- both the social
9:08 pm
media, the information about military and their families ochl so it wasn't always a cyber response to isis but certainly a response to their cyber activities. >> i know there's this tension. i was in the military keeping calms running so we can collect versus taking them out so they can't communicate. we know cells in raqqah directing training and operations very specifically charging against americans in real life. why doesn't the internet shut down a rocket. why did we not have operations two years ago going against their commanding control as part of our centers of gravity and using all elements of military power to take them down? >> i know they'll get more into this in the closed hearing later today. the fact is we may have been
9:09 pm
going after them but we didn't necessarily use cyber activities to do thachlt there's also balance between collecting information and shutting it down. and certainly going after specific nodes to hamper and stop the use of the internet by isis is important, but we also have to respect the privileges and rights of citizens to have access to the internet as a whole and as a country. so it's a careful balance even in raqqah or mosul or anywhere on how we balance the need or the rights to have access to the internet versus the use of the internet illegally by folks like isil. >> i'd like to follow up for sure in the classified setting with a little more details. the second question is we were dealing with -- my last assignment was at after ka command, trying to deal with the functional commands and gee graph contact commands. can somebody speak to how the relationship is working and is their duplication of cyber
9:10 pm
capabilities at the geographic command as hound does that work if you're working with operations? >> yes, ma'am. i think it's working pretty well and i don't see any duplication right now. when we -- later we'll give you some great details with regard to u.s. central command. but generally each of those commands have a cyber element that's at the cyber level and their job is to understand it. with very the forces that are actually both defensive and offensive forces that they're using, so the practical way that it's working today for example in real world operations is we have daily, you know, whether it's targeting meetings or planning sessions where the supportive commanders are acting routinely. our job is to support them. and, you know, we deliver the effects on the targets that i need at the time they need. we bring it with the capability.
9:11 pm
>> thanks. the last question is about the laws of iran conflict and the challenges we've had in this domain and identifyinging what's an armed attack and what constitutes the ability to respond and all that kind of stuff. can we have some comment on where we are on that and whether there's still some further definition that needs to happen versus the clear authorities that are needed to operate in this domain? >> i'd say specifically to your question what defines an act of war i think is what your question is regarding the cyber act thachlt has not been defined. we're still working toward that definition across the interagency. as far as an attack of significance consequence which do would respond to in the home land, we don't necessarily have a clear definition that states it but we have loss of life, economical impact and foreign
9:12 pm
policy some of there are some clear lines in the road where we would ee vanilla yat any specific cyber act or incident and how we would respond to that. >> great. time's expired. thank you. >> let me follow up on a few things. if row arguing that is state extends of rocca have some sort of inherent right to access the internet that you all have to try to weigh? >> what i'm trying to explain is when we talk about taking out the internet, there are always challenging to how you do that and where you do that in space some of the internet service providers who provide that enter net service to a a region are
9:13 pm
much broader oop. so how that occurs has greater impact against the adversary and we have to weigh that in when we make our decision. whether that's a kinetic or cyber operations those factors are always weighed in and the impact is very populous. sfloo i think i understand. i got concerned for a second that there was some sort of inherent right to be on the internet that was a factor in your all's decision-making. i want to go back to the general's support in
9:14 pm
decision-making and when you've got to keep them informed and when you've got to get permission. there's been a fair amount written about the air campaign. and i quoted secretary worker ler who said just like we have an air campaign, i want to have a cyber cam bane. some of the things that have been written about the air campaign are that for some sorts of -- so we've got airplanes circling above iraq or syria for some sort of attacks, a certain level of command can make a decision, say it's okay to drop your bomb. others have to go up to sit come, some have to go to the secretary, the president, meanwhile the plane's there circling. and one of the challenges to being more effective against isis is this multi-layered decision-making process which
9:15 pm
has slowed down or hindered the ability of our military to be as effective as they could be. now, that's with bombs and air campaign. i'm concerned, i guess, that we are developing the same sort of multi-layered bureaucracy decision-make progress says when it comes to cyber, which -- and part of the challenge with the air campaign is by the time you get permission to do it, the target is gone. and i have personally talked to pilots that have had that happen. now, when things are moving at the speed of light, if we go through this multi-layered decision process for -- to push the button on a cyber response, then we're going to be hopelessly behind. so i guess if anybody can address where we are with this speed of bureaucracy matching
9:16 pm
the speed of the world that would reassure me, i would like to hear it. >> yes, sir. what i would say is in the area of hostilities, cyber come has the authority in which to conduct cyber effects and make that decision at the cyber come level. so they certainly have those authorities to do that, and i think they can talk more -- in greater detail in a closed session tonight -- or this afternoon on the specific authorities that they do have. >> okay. we'll talk more about it, but, again, just drawing the analogy to the air campaign, i'm not yet reassured. mr. at kin, i want to follow up mr. lamborn's question about the
9:17 pm
nato announcement last week. does that nato announcement indicate nato has agreed that a cyber attack can trigger article 5? >> that is my understanding. >> and so then the question for the nato nations is going to be at what level of cyber attack would trigger article 5 because there are at least media reports of a fair amount of constant cyber activity in some of the baltic and eastern european countries coming from the east. >> right. as far as i know, there has not been a determination made oar a decision made on what would constitute a cyber attack that would trigger article 5. so i would have to take that one for the record. >> okay. and, finally, the questions that
9:18 pm
mrs. gabbard was asking about authorities and a gap of physical consequence, is one of the factors that would be considering in determining whether it's an attack of significant consequence, who the actor is, whether it's a state actor or not. >> that could be a factor, but i wouldn't say it's one of the primary factors. the primary factors are loss of life, economic imparkts how it may impact our foreign policy, and then physical property. so those are the four primary factors that we would evaluate from an attack of significant consequence wlrks that's a state or nonstate actor. >> i guess the question that would come to my mind would be as it relats to terrorism information we may get information that a terrorist attack is in the works. we don't know exactly what the target will be. we don't know exactly what the consequence will be. and if you have to wait to see
9:19 pm
what the consequence is, then it's going be too late, right? >> that's right. i'd also say it's similar to a cyber threat. if you have an unknown -- if you have a known -- i guess i'll back up. if you have the potential for a cyber attack, but you don't know where it's coming from, you don't know who's going to do it. you certainly would alert people to prostliemd an opportunity to maybe heighten their security just like we do in the physical world with a terror threat when we're not exactly sure of the where or when it will happen. it is similar, but we can't necessarily -- if we don't know where it's coming from and who's going to do it and how it's going to happen, it's very hard go in and then stop that from happening. >> no, i understand.
9:20 pm
i guess -- and i realize you don't want to get into hypotheticals. my concern is we know where it's coming from. country x, y, z, who has tremendous cyber capability is preparing to do something, and the question is whether we wait and let them do it or try to at least take defensive action to manage the consequence of it. and to me that's where this gets very difficult. i understand, you know, if we know it's going have significant loss of life, yeah, that's pretty easy. but if we see -- and i guess i would say the difference is we knee isis is going to do whatever they can get away with. so they're going to use their full capability to kill as many people as they possibly can. we don't know that about some state actors who have tre membership does cyber capability. and so waiting to see how much of their capability they will
9:21 pm
use and how that fits into the standard of attacks of significant consequence seems to me to be somewhat problematic. >> i think we've surpassed one another a little bit. the first is how we respond to an attack and when we respond, how we respond versus making sure we have a good cyber security posture to make sure we're defended prior to an attack, so certainly there's -- we would not necessarily evaluate the potential before it happens. we would go ahead and provide defensive measures through dhs with dhs to help prevented an attack. and then we evaluate after an attack happens. >> i realize these terms -- okay. so we're going to wait back and defend but not take action to defend the attack to begin with,
9:22 pm
so the definition of offense and defense in this situation gets a little tricky. and i'm not trying to pin you down. for some of the complexities of this -- these challenges. >> certainly a known threat coming from a known actor that we know will -- is coming after the united states, i would say that we would certainly evaluate that and those decisions would be made by the secretary and the president and what kind of actions we would take to stop that from happening. that would be on a case-by-case basis. >> okay. thank you. mr. langeman. >> thank you. i would go back to the training environment again. general mclaughlin, the house and services committee and you know fully funded the persistent training environmental
9:23 pm
initiative and i understand other committees did not provide full funding. my question is can dow provide the proposed cuts and what state has it been in? has it been fully approved by the joint staff? >> sir, if it's okay, aisle attempt to answer that question for you. >> sure. >> so as was indicated earlier, it gives us things we don't currently have like on the joint operations ranges. we don't have the scale to truly represent truly and realistic event. so that's the big advantage that it gets us. as the name indicates, it ee pertinent. right now the official capability document is under review. it should be signed in the next one to two weeks. if that happens, we should expect to have an ioc by fiscal year '19.
9:24 pm
>> thank you. i know we've talked about this on some point, but general mclaughlin and general moore, what role does the cyber threat intelligence integration center established in 2015 play in support of cyber operational planning? >> sir, in terms of cyber operational planning, in our day-to-day operations at cyber command, it's not playing a role in the planning side. it's mostly playing the role of collecting -- integrating intelligence and integration on what the threat is doing and then at times providing -- you know, providing information back out to the rest of the government operation centers, but they're not playing any operational planning role in support of u.s. cyber command missions today. >> very good. thank you. and general mclaughlin, let me ask you, what lessons have been learned about the construct of the cyber mission force over the
9:25 pm
last year? is the force man-trained and equipped and postured correctly to address threats in their respective mission areas? >> sir, i believe we've learned that it's manned and equipped properly and postured to respond. some areas, we have learned, we think in the spausz, agility is really important and we found in many cases we have task organized sub elements of teams. we will -- each of those teams is comprised of specific sets of skills, and we've learned that it's very effective to take sub elements of certain teams and task organized them against a problem set and leveraged smaller more average el moneyments of those teams, whether they be defensive or offensive teams to provide you more tailored mission capability. we had very innovative
9:26 pm
commanders that use thad approach. we have used it in other dough may f -- domains. the basic building blocks we think are sound but at times we might source it if a specific problem. >> very good. and going back to the -- in the concept area of the cyber guard exercise that we just had, if we have odd-scale cyber attack that leads to infrastructure damage and dod is called in to assist, what organization within d will take the lead, and in this scenario, what will north come's role beand how is dod getting ready to assist after such an attack? >> so, north come would obviously in the case of a defense authority, they would
9:27 pm
have command and control response. cyber come would be in support of that. it would could be road clearing. it could be helping to transport something from one to another. that could be a north com responsibility and if it's a cyber response, it would be cyber com. >> thank you bchlt ever my time's about to expire, in terms of the -- for the record, building out the training environmental, what is still needed, and how can we be of assistance further? >> so, sir, right now the main thing needed is the broad four elements of the training environmental. we have some parts of it. we have one part of it which is
9:28 pm
the event side of it where we plan all the training events that would need to occur globally, assess the performance of each of the players that are being evaluated. where our dresser force would reside. it's really all the things that might training. that is one of the key things that the fiscal year '17 budget request is the first real year of commitment to that funding is building the technical capability. what we were trying to build is the foundational technical capability to do that routinely at scale and to have the people there that actually provide that training. that's what we want to get started on really seriously in fiscal year '17. >> we look forward to continuing support you in that effort, general, as you build that out. for your me it was time well spent going to see that exercise, and i'd encourage
9:29 pm
others to see the same. and with that, thank you, and i yield back. >> ms. waroski. >> thank you. i understand that ta you're not involved with the acquisition side of the business, from a signer perspective, how concerned are you and what can we best key dend for how can we best defend those threats? >> as mentioned, we second tanltly and consistently look at our siper chain vulnerabilities and ee vat yat working with our zril based partners that provide resources for the department on different vulnerabilities and how we would stop those vulnerabilities to make sure that the only equipment that comes into the supply chain is free of counterfeit or high-risk material. >> thank you. general mclaughlin, i want to direct this question to you but
9:30 pm
i want to give you this quick background. i represent the stagreat state indiana. at the training center, rotational units are able to participate in a real scenario but the most compelling is where the power grid is hack order taken offline. as i consider the devastating consequences with an attack to our grid, e oom wondering if the state department has the ability to prepare. for you, sir, you described the cyber guard and practices earlier. ryu r yo are you fully prepare and what are the gaps, significant gaps in training if there are any? >> ma'am, i would be able to say today i'm not department -- you listed a broad range of
9:31 pm
contingenci contingencies. in fact, i'd love to hear more about the capability you describe in indiana. part of it is being able to replicate each of those unique classes of terrain, industrial control systems are different than platforms. part of what we will build are the hi-fi dealt rep employ kalgss of each of the unique targets we would need to defend against. we're building for them to bring their own connected into that department and then the people that actually do it have the place to sit down, plug into what looks to them to be their realistic replication of what they're trying to defend and then do their job in a realistic scenario against hackers that are trying to do it. so today i wouldn't say we have the scale to do that range. we have a concept. that's why we're prosiding with the program to do that. it has the flexibility to sep
9:32 pm
the ability for other partners. to plug into that environment and do training. 're doing it manually today at cyber guard an i think you'll see us do it at scale with more than u. schs. dod participants. >> i'd love for you to come and see the capability and having the resources, what they've been able to learn, the kind of activities they're running, and what it does for training for all of our forces. so i'd love to extend and invitation for you to see it for yourself. >> thank you. absolutely. >> i yield back, mr. chairman. >> mr. johnson. >> thank you, mr. chairman. and, gentlemen, thank you for being here today to discuss what is really a turning point in what is an approach to our defensive military policy. being a member of the judiciary committee, particularly the i.d.
9:33 pm
subcommittee, cryber is at the forefront of our midnight and i'm encouraged to see we're taking necessary steps to make sure the u.s. is taking a compareton and competitive advantage with this arena. mr.ed mr. atkin, i would ask this question. it's in relation to my colleague miss jaworski asked. with rocky mountains to civil authorities specifically at the state and municipal level and in consideration of the fact that u.s. army cyber command is moving to ft. gordon, i even heard concerns about how this may put neighboring communities at risk. for example, if ft. gordon is hit with a cyber attack, is it independent enough from the
9:34 pm
local energy grid that it does not down the entire region, cetera, and what do we do to help request local authorities in the event such an attack happens? >> i'm sorry. i meant to ask that question of general mclaughlin. >> sir, i'm not aware of any element of the move that you just -- you mentioned a concern potentially with u.s. army cyber command moving to ft. gordon. it's not one that's been brought to my attention, so namet aware of any direct atekz of that move. we do step back and look broadly at the risk toll of our military installations. many of them where using them
9:35 pm
for electricity, water, and power, but we haven't seen any analysis that shows the location of military installations is driving a higher likelihood that an attack against them would have some unique impact on the local community. so i'm not saying that it wouldn't. i'm just not aware of any analysis. >> i heard concerns about it from state and local officials, and i think it's an area that reassurance is due at the very least. so in terms of coordinating with state and local leaders, i think that that would be something important for you to consider, and thank you for that answer. mr. atkin, with respect to the development of cyber-related
9:36 pm
technology, much has been said of the need for dod to attract brilliant hacker mienl eer mind private sector. how can we in congress help improve the dod's ability to attract tech startups who are leading the way in cutting-edge technology. >> thank you, sir, nar question. i would say the first thought would be something that you already provided, which is the accepted service opportunities for the civilian sector or the civilian personnel involved in the cyber activities. the broader we can make this across the entire cyber enterprise, that wouldbe very helpful. it would be able to bring in the very smart hackers and those with a cyber background.
9:37 pm
>> i've even heard the suggestion of startup incubators within government agencies. do you see that as something that can be coordinated within dodsome. >> sir, ienl not familiar with the incubator model. i know we reach out through our defense incubation unit and how we work with silicon valley and others. i know we level the skill sets to make sure that we -- those are the young smart minds that are working in the private sector and bringing expertise back into the didn't through their reserve and national guard status. so i know we're going that route, but i em not at as familiar with the incubator model that you describe. >> do either yof you, general
9:38 pm
mclaughlin or general moore care to comment about that. >> one of the programs is the incue tell model which is actually -- starting a cia organization, overt. they go through the incue tell model specifically out in silicon valley and you think of it more of a venture capital ieft organization where we bring problems that we want quick hopeful solutions to. that money is invested many m times in organizations that have that. we use it to solve another specific problem and i see that program continuing grow. it's shown a lot of promise. >> thank you, everyone. our defense digital service ran a bug bounty, using a hacker
9:39 pm
program. that was another model by which we did reach out to the private sector and increase the skill set to improoch our own cyber security. >> thank you. thank you for your service to the nation and with that i yield back. >> chairman wilson. >> thank you. as we conclude i think it's important that kevin gates is sate seated with the chairman. i appreciate it. kevin has an almost 20-year history. well're just fortunate to have such great people who are assisting our country, protecting american families. general moore, what legal or policy framework of the sort evolving from tl use of social media for propaganda or recruitment. as a tactical measure, how that
9:40 pm
r they used to counter alkt social attacks? >> i think you're familiar with what wi oar doing. it revolves under operations to specifically get after those types of problems. we have the thormt to connect those types of operation. i don't see any limitations at this time. >> indeed sadly we saw with the san bernardino mass murder w the orlando mass murderer. there was a direct social media contact and availability that has resulted in mass murder across our country. i was grateful. you mentioned multiple responses that are possible. that can't be more important than right now because we've had so many incidents of sipecyber
9:41 pm
attacks just in the last months. the democratic national committee came under attack. there were north korean attackers of smartphones of south korean officials. there were power outages affecting tens of thousand of people in the western you crane. over and over, incidents that are just incredible and one that got my attention at the very time that the dangerous iranache nuclear deal was being put together in november 2015, iran's iran revolutionary guard hacked the i'm and social media accounts of a number of obama administration officials if an attack. was there any response to that attack? >> i'm not familiar exactly with that event and what our exact response was. all of those situations that you
9:42 pm
desi design. what i would say is when we're able to have attribution, we would respond at a time and manner and place of our choosing. >> it's so obvious. it was in such bad faith, the iranian revolutionary guard. to show bad fact to attack the obama administration that was placing such faith in them. but we certainly want to be working with you. there just has to be a response that makes sense and i want to thank you all and yield the remainder of my time. >> i'm prompted to ask one more question. okay, primary job of cyber come is to defend dod ned works.
9:43 pm
but in thinking about defense support to civil authorities, if there is a foreign country that launches some sort of cyber espionage or cyber attack against a server -- a private server by the secretary of state or a -- looking for information about a leading candidate for president s that an attack of significant consequence? it's not against dod networks, but it goes to government officials or someone who's wanting to be a government official. >> yes, sir. so we would evaluate each attack, if we were evaluating them base wlond it was a significant attack on loss of life, property damage. for policy. so i would say we would evaluate
9:44 pm
each of those attacks based on that factor, whether and how we would respond. >> seems to me it's pretty tricky when you start into political campaigns. say someone is the nominee for president. i was justen to adjourn and mr. franks walks in do you have a question? >> mr. chairman, i do. but i'll be brief, circumstance and i appreciate your forbearance to say the least. i didn't mean to come in -- usually when they walk in, they end the parties. that's usually the situation for me. general mclaughlin, i'll be brief here. in an open setting the best you can, how is cyber command being employed to fight against the islamic state? >> so, sir, you know, in this setting and again we'll get into more detail with you in the closed session, our organization
9:45 pm
and the teams, the tactical forces that are within u.s. cyber command, a subset of those have been allocated and directed to support operations against this islamic state. we're operating in support of u.s. central command. it is, you know, a focused activity that's occurring and that it's a major element of what the command is focused on day to day. we have leaders within our organization, that it's their only job. and we're bringing every capen't that we have in this area that are available to us or make it available to that fight. >> are there any restrictions or -- that might be called rules of engagement or anything like that on how the command might be employed against the islamic state in any restrictions? >> well, sir, mr. atkin
9:46 pm
described the operations. we have the adequate authority to operate. they're subject to the same rules of every operation. so we're only constrained by the law of our own conflict and other lematiimitation. so within the operation, we feel like we have the authority and flexibility we need to support that particular operation. >> my last question, mr. chairman. we know a little about the cyber doctrine and military structure of adversaries like russia, china, and others. what is our limitation with respect to iran, italy, or germany. >> i would say in this setting, what we know about the cyber operations of our adversaries, most of them know realize it's l
9:47 pm
they can use. it's a power. they can have a relatively small number of people or buy expertise. our coalition partner, many of them are on their own looking at building military cyber capability and we partner with them closely. they visit. they're looking for advice from dod and the united states and to the degree they want to come see us, we routinely meet with them and talk with them and tell them how they can be pa rt of a broader group that defends themselves and operate in a cyber space. >> thank you, mr. chairman. i yield back my 1:54. >> thank you all for being here and for answering our questions. we'll look forward to seeing you later today. the hearing stands adjourned.
9:48 pm
9:49 pm
9:50 pm
[ indistinct conversation ] [ indistinct conversation ]
9:51 pm
[ indistinct conversation ] [ indistinct conversation ] [ indistinct conversation ]
9:52 pm
c-span's "washington journal" live everyday with policy issues that impact you. coming up thursday morning, virginia republican congressman dave brat will be on to discuss the fiscal challenges facing congress, he's also his thoughts on the political climate and campaign 2016. also michigan democratic congresswoman brenda lawrence will talk about the latest on the flint michigan water crisis. she'll discuss a letter from the epa to michigan governor rick snyder and flint mayor karen weaver calling on flint administration officials to provide stable, reliable, and quick support essential to a well functioning drinking system. and michael geary, global center -- fellow at the wilson center about the brexit. be sure to watch "washington journal" beginning at 7:00 a.m. eastern thursday morning. join the discussion. on thursday, voters in the united kingdom will decide if their country should stay or leave the

39 Views

info Stream Only

Uploaded by TV Archive on