tv House Hearing on Creating a National Cyber Director CSPAN July 15, 2020 12:17pm-3:14pm EDT
>> And now a hearing on creating a national cyber director in the Executive Office of the President to streamline the federal government's response to cyber attacks across agencies. The House Oversight and Reform Committee is hosting this hearing. This is live coverage on C-SPAN3. >> -- the warnings we had and decisions made about the most recent worldwide intelligence
committee in January of 2019, and I quote, the United States and the world will remain vulnerable to the next pandemic or large-scale outbreak of contagious disease that could lead to massive rates of death and disability, severely affect the world economy, strain international resources, and increase calls from the United States for support. We must ask ourselves what are the warnings and what can we do right now to protect the American people from other threats. Before the unthinkable happens in the future, how can we exercise strategic and precise foresight to the best of our ability today to ensure our nation is prepared for tomorrow. That same worldwide threat assessment cites cyber attacks as a
top global threat, with China, Russia, Iran, and North Korea waging a silent war capable of shutting down information systems and critical sectors in America. The report states, and I quote, our adversaries and strategic competitors increasingly use cyber capabilities, including espionage, to attack and seek military advantage over the United States and its allies and partners. Cyber attacks are a critical, complex, prevalent and growing threat to the nation's safety and economic security, touching nearly every aspect of our lives. This assessment was upheld by recent findings from the
recent -- National Defense Authorization Act to review the state of our cybersecurity and develop [ inaudible ] against cyber attacks. This commission of congressional, executive branch and private sector cybersecurity experts sounded the alarm, and in addition to -- that disrupt operations in America on a daily basis, we will remain vulnerable if we don't stop attacks on critical infrastructure and economic systems that could cause widespread damage and death. A number of the commission's recommendations call for legislative -- this includes what has sparked a high level of interest on both sides of the aisle: recommendations for a cybersecurity position in the White House to develop and
streamline the federal government's strategy for a nation that is prone to cyber attacks. This role was first formalized under the George W. Bush administration and then elevated and expanded during the Obama administration. But in 2018, then National Security Adviser John Bolton eliminated it to reportedly cut another layer of [ inaudible ]. In 2019 -- was rated as the fifth most cyber secure nation in the world. In 2020 it dropped to 17. Today we will review H.R. 7331, which would implement the commission's recommendation to establish a national cyber director in the Executive Office of the President. This new position would restore that cyber coordination and
planning function to the White House. In addition, for the first time it would be backed by resources and statutory authority to lead strategic planning efforts, cybersecurity budgets, and coordinate national [ inaudible ]. A challenge that is the basis of cybersecurity requires that our government be strategic, organized and -- Democrats and Republicans agree we need a national cybersecurity leader to make sure we are both prepared for and coordinated in our response to cyber attacks as our nation fights a silent war. Our mission today is to gain a detailed understanding of the threats we face and to thoroughly examine H.R. 7331 as the vehicle for [ inaudible ]. I now recognize the
distinguished ranking member, Representative [ inaudible ]. >> Thank you, Chairwoman Maloney, for holding this hearing to address our national security posture and explore the Cyberspace Solarium Commission's recommendation to establish a director within the Executive Office of the President. The federal cyber domain, we could all agree, is dynamic and dispersed, with varying jurisdictions and expertise across the federal government. These agencies are organized to combat cyber crime, defend against national security intrusions and support the security needs of the private sector, critical industries and commercial interests. Our nation has become more and more reliant on technology over the last three decades. Our reliance on technology and interconnected information systems is more important than ever, with the pandemic forcing remote operations in our nation's
workforce, pivoting to a work-from-home posture. Increasingly, foreign state actors, extremist groups, domestic agitators and criminal enterprises all have a vested interest in exploiting U.S. networks. The remote operations of the pandemic have created new cyber vulnerabilities for these malicious actors to take advantage of. These are the same actors who also target our private sector partners and state and local institutions. Breaches in federal and commercial networks by foreign governments have exposed sensitive intelligence data, proprietary military designs and government personnel data. Because of cybersecurity risks, we must all do our part to maintain a safe and secure national cyber infrastructure, and by continuing to foster relationships across the private sector and our state and local partners, we can share vital cyber threat information that helps secure our critical infrastructure.
We'll hear today from notable subject matter experts who have deep experience navigating the nation's cybersecurity environment. They also have experience with efforts to combat damaging cyber attacks from foreign adversaries like China. Historically, China has hacked into the fdse, stolen valuable U.S. R&D and paid our university professors to improperly share valuable intellectual property. I welcome the opportunity to work with the majority to hold China accountable for the bad acts as well as the deceptive attacks over the course of the pandemic. That would be a great hearing, Madam Chairwoman. We will oversee the cybersecurity planning and operations of the federal government. In evaluating this legislative proposal, we have a duty to the American people to be good stewards of taxpayer dollars and not create more bureaucracy.
Establishing a clear and convincing rationale requires the due diligence and thoughtful consideration that our processes afford. The current and projected cybersecurity landscape is complicated, with many actors in operation that must work in harmony. While there have been more than several high-profile cybersecurity incidents over the past decade, recent attempts at targeting the coronavirus biomedical research activities and the use of remote work platforms have been taken very seriously by homeland security and law enforcement within the Trump administration. The administration has done what is expected of cybersecurity professionals, acting against harmful cyber incidents whenever threats are found. I think we all want the cybersecurity to be effective. To this end it is imperative that Congress and this committee fully evaluate the reasons why
the commission recommended the statutory creation of the cyber director. The main questions I have toward this goal are: is it necessary to create another federal office to have someone truly in charge and, if so, will that official, in fact, have enough authority to make the decisions that need to be made? Will everyone else fall in line and work in harmony? We know that multiple federal agencies have a piece of the cybersecurity pie, so by authorizing a new oversight and coordinating official, are we legitimately creating a system prepared to face growing cyber threats? Will the national cyber director utilize the existing leadership and expertise in our government, or do we risk making that pie bigger and creating duplicative functions? Will a national cyber director add value to the nation's cybersecurity infrastructure, or should we align and support systems already in place?
I look forward to hearing about tangible examples of how they would respond and how this might be better than the system already in place. In a fluid environment, where response time and expertise are paramount, we could not afford to introduce inefficiencies or bureaucratic hurdles to responding in real time. Madam Chairwoman, I think we agree our cybersecurity enterprise deserves a supportive public policy that will not hinder dynamic, focused and strategic planning and operation. I'm pleased to work with you on this issue, but again I want to ensure we're not fostering redundant efforts across the federal cyber sector. In establishing a Senate-confirmed cybersecurity leader, we need to be comfortable in limiting presidential prerogative to implement preferred policies on behalf of the American people. Again, I appreciate this opportunity to review this recommendation and hear from these expert witnesses. I yield back.
>> Thank you. I now recognize the distinguished chairman of the Subcommittee on -- Mr. Lynch, for an opening statement. >> Thank you, Madam Chair, and thank you for today's important hearing on H.R. 7331, which would allow for the creation of a national cyber director, which is an idea that is not only reasonable but necessary and long overdue given the world in which we live. I'm well aware of the lengthy review and study that Mr. Langevin has engaged in over the years on this issue. He has been nothing short of relentless in his mission, and I thank him and our friend and colleague Mr. Gallagher for their bipartisan commitment to defending our nation's cybersecurity and for their testimony before our committee. I also want to take a minute just to thank Mr. Katko, Mr.
Ruppersberger and Mr. Hurd, who are co-sponsors of H.R. 7331. For years national experts have considered cyber to be the battlefield of the future, and for anyone paying attention that future is already here. Back in 2014, hackers likely affiliated with the Chinese government breached the information system of the Office of Personnel Management, compromising the data of at least 22 million people, including most notably federal employees who had either applied for or received security clearances for access to classified information. We're also well aware of Russia's sweeping and systemic efforts in 2016, hacking the computer network of the Democratic National Committee and penetrating the election infrastructure in all 50 states. To speak to some of Mr.
Comer's concerns, most recently our National Security Subcommittee, which I chair, held a briefing with the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency to discuss the latest uptick in cyber attacks during the coronavirus pandemic against federal government agencies, research and academic institutions and even private citizens. During the briefing our committee was told that every institution or agency conducting coronavirus vaccine research is a target for -- is a current target for foreign cyber attackers. As our intelligence agencies warned before 9/11, the system is blinking red. Only two years ago, then National Security Adviser John Bolton dismantled the position at the National Security Council, leaving U.S. cybersecurity policy rudderless and disjointed.
The need for greater leadership and strategic planning and policy coordination to ensure the security of our nation in the cyber domain could not be more urgent or important, so I'm pleased to support H.R. 7331, which would allow for the creation of a national cyber director, and I would encourage all of my colleagues to do the same. Again, I want to thank the chairwoman for her willingness to hold this hearing today, and I want to thank all of our witnesses for testifying. I look forward to the discussion and to building greater bipartisanship and consensus around the importance of H.R. 7331. Lastly, I'm also in a markup over in TNI; I'm at the Capitol today where I have an amendment pending, so I'll have to jump out and jump back in. I apologize for that, but that is our schedule. I yield back. Thank you, Madam Chair. >> Thank you, Mr. Lynch. I now recognize Mr. Grothman for an opening statement.
>> Okay. Can you hear me? >> Yes, we can hear you. >> Good. Good. I appreciate this opportunity in my role -- first of all, it is good to see we have a witness here from Wisconsin, so I thank you for bringing him in. I appreciate this opportunity in my role as ranking member of the National Security Subcommittee of Oversight to address an issue with major national security ramifications. As Ranking Member Comer addressed in his opening comments, our nation's adversaries will stop at nothing to steal our secrets, commercial expertise and sensitive information held on a sprawling computer network connecting public and private sector organizations. Chief among the cyber offenders is the Chinese government. As President Trump said, we have been treated unfairly by the Chinese. Oftentimes this well-intentioned global posture costs the United States our valuable intellectual property, which flows out of our nation's research institutions
into Chinese hands. The hearing today will help us determine whether our federal government needs support in defending against the high-stakes malicious cyber attacks and continuing intrusions. One of the proposals by the Cyberspace Solarium Commission was the formation of a new national cyber director, a Senate-confirmed official inside of the White House. While I appreciate the commission's desire to ensure that the federal government's cybersecurity infrastructure includes a one-stop shop for cyber guidelines, I wonder whether we might be too quick to create yet another new bureaucracy without considering potential downsides to this reform. We must keep in mind the Trump administration's success in protecting our last midterm elections from disruptive cyber incidents and the administration's strong stance against those who wish to take advantage of international attempts to exploit the technology challenges presented by the pandemic.
Would we be doing a disservice to agencies that have responsibilities for our nation? I want to keep an open mind on the merits of any proposal to improve our national security, and I appreciate today's witnesses and the time and attention that they have each dedicated to protecting our nation's information and critical infrastructures. I look forward to the witnesses' comments and their perspective on whether a national cyber director will add value to the framework to properly deconflict and coordinate responses to cyber attacks against our government and private sector. Thank you, Chairman Maloney, and my counterpart on the National Security Subcommittee, Ranking Member Lynch, and Comer on these pressing issues. I look forward to working with you to make sure we strengthen cybersecurity against any types of threats or any foes that wish
to do Americans harm. I yield back. >> Thank you. I will now introduce our first panel, consisting of our colleagues here in the House of Representatives who served on the U.S. Cyberspace Solarium Commission: Congressman Jim -- of Rhode Island, commissioner and chairman of the Emerging Threats and Capabilities Subcommittee of the House Armed Services Committee, who has been championing this effort for many, many years, and Congressman Mike Gallagher of Wisconsin, co-chair of the commission and a proud new father of Grace Ellen Gallagher. Congratulations on truly life's greatest experience, becoming a father; it is the best job in the world. So we're very pleased to have you both here today. With that, you are now recognized to provide your
testimony. >> Great. Well, thank you. And good afternoon, Chairwoman Maloney, Ranking Member Comer and distinguished members of the committee. It is always humbling to sit on this side of the table, the witness table, even when it is virtual. And I want to begin my remarks by thanking all of you for the important work that you do. I particularly want to thank Chairwoman Maloney for convening this hearing and for her partnership in raising the issue of creating a national cyber director. I join you today as a representative of the Cyberspace Solarium Commission, and I'm proud to be joined by Mike Gallagher, one of the co-chairs of the commission, and I congratulate him on being the newest father in the House. Congratulations, Mike. And I know you're coming off maternity leave to be here for this hearing, so thanks, and I commend you for your work.
In the 2019 National Defense Authorization Act, Congress charged the commission with developing a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequence. In our first meeting, however, outside experts on congressional commissions told us that we were attempting the impossible. We were trying to have a 9/11 Commission level of impact without the precipitating event of a September 11th. Well, Madam Chair, I reject that cynical view. I believe that if we come together in a nonpartisan fashion to implement the commission's recommendations, we can alter the trend that sees our cyber risk grow year after year. We can push back on our adversaries who see the cyber domain as the ultimate terrain for operations in the gray zone short of war. We can seize the initiative and ensure that we are not left to wonder the day after an
attack what more we could have done. So that is how I view the work of the Cyberspace Solarium Commission, and that is the urgency I bring to the table, and more so than any of the other 82 recommendations the commission proposed, the national cyber director is essential to seizing the initiative from our adversaries. It is essential because cyber permeates every aspect of our society and every aspect of our government. Every department and agency, from the Department of Agriculture to the Department of Veterans Affairs, relies on secure information technology to conduct business. Yet very few of them have cybersecurity as part of their mission, nor is it their primary focus. Because cybersecurity is difficult to measure, we end up with misaligned incentives; people skimp on cybersecurity because they would rather invest in operational programs in their
department. We need a strong leader in the White House to defeat the inertia that pushes down the role until a devastating breach occurs. We need a strong cyber leader in the White House to coordinate strategy. Beyond government systems, our national and economic security rely on critical infrastructure, most of which is owned and operated by the private sector. Where once we could rely on two oceans and friendly neighbors to insulate us, today our banks and hospitals and power plants are on the front lines of shadow campaigns to undermine our way of life. Only within the White House can we break down agency silos to ensure that we have a whole-of-nation effort to protect our networks. Finally, we need a national cyber director in the White House to coordinate incident response. We're living through a public health crisis the likes of which we have not seen in over a century. When our adversaries strike us in cyberspace, we must be prepared to defend early, to stamp out the infections from
computer viruses, to quarantine affected networks and to inoculate uninfected machines by patching them. This is the only -- this is only possible with the national cyber director. This idea is not new. I worked on it with the CSIS Commission for the 44th Presidency in 2008. But as my friend Mr. Gallagher has taken great pains to describe at length, the Solarium process has a way of refining one's thinking. We debated the proposal extensively, and we were very deliberate in our decision making. We chose an office in the White House because only the White House can truly reach across departments and agencies to manage a risk so pervasive as cyber. We chose a Senate-confirmed position because congressional oversight and buy-in is critical to the success of the office. We chose to preserve a coordinating rather than
operational -- to the role because our cyber defenders need advice. Just to conclude, there are some that argue that the national cyber director is congressional overreach. There are those who say that the president is the ultimate arbiter of the Executive Office of the President and that Congress has no business interfering in these Article II affairs. Those people, respectfully, disregard history, as Congress has helped to guide White House structure in the past when the moment demanded it, such as when Congress created the Office of Science and Technology Policy or the U.S. Trade Representative. But more concerning to me is that these people implicitly endorse the status quo, and that scares me, because every day I wake up and see our adversaries making gains in cyberspace. I saw it under President Bush, I saw it under President Obama and I see it today under President
Trump. They are shaping norms that suit their interests on the international stage, striking out at our partners and allies and attempting to undermine our elections. Madam Chair, it is time we seize the initiative. It is time we set the agenda, pushing back on our competitors and shaping their behavior by improving our resilience and strengthening the cyber ecosystem. It is time we empower the national cyber director in the White House. Madam Chair, serving on the commission with Mr. Gallagher has been one of the most rewarding experiences of my life. His leadership and that of Senator King, and the contributions of our fellow commissioners and the enormous dedication of our immensely talented staff, are all reflected in the bill that we are discussing today. It is an honor to have the opportunity to present it before you, and I look forward to answering any questions you may have. >> Thank you so much, Congressman. Thank you for your leadership and passion for the security of
our nation, and I now recognize Mr. Gallagher. >> Thank you, Chairwoman Maloney and the rest of the committee, and thank you for the kind words about my newborn daughter. If I pass out during the hearing, it is not only nerves from being on the wrong side of the hearing but because I haven't had much sleep in the last two weeks, but we're truly blessed and I appreciate the kind words. We do not keep security forces merely to defend property or territory or rights abroad or at sea. We keep security forces to defend a way of life, and now emerging technology empowered by digital networks is being infused into our government, economy and our way of life. How we navigate the resulting opportunities and challenges will determine the effectiveness of our nation to deal with future cyber-driven or cyber-enabled contingencies, and for the past 20 years, commissions,
initiatives, studies and four presidential administrations have been challenged to define and establish an effective national-level model for coordinating cyber strategy, policy and operations. And I believe it is imperative that we have a cyber office and leader within the White House. Whether to create the position, however, and what that position would entail was one of the most spirited and important debates we had over the course of the commission. And my colleague Jim Langevin was incredible in his thought leadership and dedication to the integrity, and I learned a ton from him throughout. And due to the leadership, we considered, one, how to address national leadership in coordination and consistent prioritization, and three, the size and structure and scope of authority for the coordinator and leadership office. We decided that the federal government would be better equipped by strengthening existing department and agency
efforts in cybersecurity rather than the creation of a new department, as many advocated for. Therefore, without a new agency, the commission deemed the institutionalization of a cyber coordinator position in the White House, within the Executive Office of the President, to be essential to give the position a high enough level of prominence to coordinate national strategy and provide much-needed leadership internationally, with state, local, tribal and territorial governments and with the private sector, and in recognition of the need for better collaboration, the Chamber of Commerce endorsed the act, our bipartisan legislation that has been led. The commission spent time weighing the pros and cons of this position, and in contemplating the stature of the position, we determined that requiring it to be Senate confirmed, similar to how the Trade Representative is Senate confirmed, would signal that Congress is committed to cyber issues and afford us as
legislators a level of access to that conversation, but also the person that occupies that position a level of political support that bipartisan endorsement would bring, while maintaining the discretion of the president in selecting that candidate. Making the role Senate confirmed, in other words, would provide greater permanence by institutionalizing the position's existence and ensuring the role will endure throughout presidential transitions and not just be dependent on the whim of a particular president or a particular national security adviser. I understand there are those, particularly my Republican colleagues, who may be skeptical that this is an added layer of bureaucracy, and I came in with that as my ideological prior, but unless you believe that the status quo is indeed getting the job done, and unless you believe that we are at present well structured to avoid a cyber 9/11, as my colleague referred to, then you have to consider how we could make a meaningful reform of the status quo. And indeed, rather than creating
an entirely new agency, which would take years to create, which would be much more complex and would further muddy the bureaucratic waters, I view a single focal point in the White House, a single person, or to quote my co-chair Angus King, a single throat to choke, someone who is responsible for the effort, to be the least bureaucratic, the least onerous and most efficient of all possible options to give Congress a greater window into the discussion, as alluded to. And I believe, in closing, that we in Congress must sufficiently enable the federal government to create a cohesive national strategy and defense in the cyber domain as we do in all other domains of battle, and we must do so today. So I urge you to support the recommendation on the creation of a national cyber director so that, in Ike's words, when we fight, we will fight in all elements as one single concentrated effort. With that, I will close my comments. I thank you for your time and
consideration. >> Thank you, Mr. Gallagher. This is truly a bipartisan goal to protect our country. We will be limiting questions for the first panel. I now recognize myself for five minutes for questions, and Mr. Gallagher, I want to start with you. The current coronavirus crisis has created a systemic shock that has exposed a number of ways in which our country failed to prepare for what many would call the inevitable. In an increasingly connected and technology-driven world, many experts warn that a large-scale cyber attack is also inevitable. The commission recently released a white paper examining cybersecurity in the context of the pandemic, and your white paper lays out interesting parallels between lessons learned during the coronavirus pandemic and how these could inform our preparation for
significant cyber attacks. Could you share some of these parallels and your recommendations with us? Thank you. >> Absolutely. Obviously they are not perfectly analogous events, but I would -- really three stand out in my mind that we analyzed in our white paper, our pandemic annex. First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis as well as work across borders to contain its spread; both are difficult to contain across borders as well. Second, I would argue that both the coronavirus pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordinating mechanisms, as we're discovering right now with every state, every county, every city, government, and a bunch of nonprofits having to figure out how they can all work together in order to slow the spread of
the disease. And finally, and perhaps most importantly, I would argue the similarity is that prevention is far cheaper and pre-established relationships far more effective than a strategy based solely on detection and response. And that's why if you read not only our pandemic annex but our broader Cyberspace Solarium report, which we had the unfortunate timing of releasing on March 12th, 2020, the last week we were in session in the House before shutting down, you'll see that a lot of what we're trying to do is to get left of boom, for lack of a better term, figuring out how we can force the federal government, in partnership with Congress, in partnership with state governments, tribal governments, to think through the unthinkable. Think through how we can rapidly restore our economy in the event of a cyberattack, to be able to come back stronger and strike back against our enemies and therefore restore deterrence. So, you know, I'll be cautious about extending the similarities between a pandemic and a cyberattack too far, but those
three stand out in my mind. >> Well, thank you. Thank you very much. Mr. Langevin, the commission recommends establishing a national cyber director to coordinate the federal government's incident response activities. Can you share examples of how the coronavirus pandemic -- have led to additional cybersecurity challenges? >> Sure. Thank you for the question, Madam Chair. Certainly the pandemic influenza has shown the challenges of needing a coordinated response. And when you have a diffuse response and many people in charge, for example, just leaving it to the states as we have, it makes it more challenging to have a cohesive direction in which to go. So we want to make sure that in -- with respect to a
cyber incident, we are both having someone think about this in terms of pre-planning, so looking at the most vulnerable areas, say, of potential cyberattacks on critical infrastructure and in the private sector and figuring out how we can make our cyber networks more resilient and how we would get them back up and running more quickly. But in the actual incident, if it were to occur, that you have a single point of contact that is both the principal adviser to the president and, he or she is the coordinator, to bring the entities together to lay out options for a response and have a more coordinated, cohesive and effective response. >> Thank you. How would establishing this role have made a difference in our response to the COVID-19
pandemic? >> Well, I think it is probably more analogous to how we would, say, respond to a cyberattack, intrusions on our elections, but certainly there are elements of cyber response to COVID. For example, the -- what we know of the Chinese and other entities trying to steal intellectual property for the development of the coronavirus vaccine or therapeutics. We would have a much more focal point in which the cyber director would be able to coordinate the relevant departments and agencies or private sector entities to effectively coordinate the response that needs to be taken to protect those networks and prevent intellectual property hopefully from occurring in the first place. >> Thank you. And now for both of you, is it
your opinion that establishing a national cyber director is an essential step in ensuring the u.s. is in the best position to prevent and if necessary respond to a crisis induced by a significant cyber attack? >> i certainly feel that that is the most effective way to prevent and also respond to a cyber incident of significant consequence. we thought this through very clearly. and as my colleague pointed out, of the various ways we could have gone, having this at an existing department and agency or having the authority in a new cybersecurity agency or having in the -- in the senate confirmed executive office of the president position, we thought this was the best way to go of the various options we would have recommended. and, again, doesn't create a --
an excessive new bureaucracy. i believe it is very streamlined, very focused, it gives strategic guidance and both advice to the president, but it is going to -- the coordinating authority to make sure that all the oars are pulling in the same direction in the event of a cyber incident. >> i would second -- >> mr. gallagher, do you want to add to that? >> well, i would second jim's remarks and say i think of it as a necessary but insufficient recommendation, it is part of a broader suite of recommendations and i think if you read our final report, what you see is a genuine attempt by -- from commissioners on both sides of the aisle to elevate and empower existing agencies rather than create a bunch of overlapping new bureaucratic structures and i do want to commend the work of a lot of great leaders we have at the nsa, who have learned a lot of lessons in the last four years and come a long way. we're not saying they haven't
done good work. we view this as a way to better empower them and build upon the lesson of the last few years. >> i agree with the commissioner and my bipartisan colleagues in congress, but we need a centralized cybersecurity position at the white house to develop and streamline the federal government strategy, coordination and response to cyberthreats and activities taking place now. i thank you all for your hard work and your testimony today. i now recognize the distinguished ranking member for five minutes, for questions, representative pamela. >> thank you, chairwoman. i had a very good conversation with jim yesterday about this legislation. i'm going to direct my questions to my good friend mike gallagher. will the national cyber director legislation create budgetary hurdles and how it works with the office of management and budget, omb, that might
artificially constrain a president's cyberpolicy decisions? >> we examine that in depth. i don't think so. we are giving -- in our construct, giving the national cyberdirector budget certification authority, which effectively means he has the ability to look at various executive branch agencies when it comes to cyber elements within the budget and flag effectively for the president something of concern. but the president still retains the ultimate authority to adjudicate that dispute. if, for example, there was a disagreement between omb and the national cyber director as there is often agreements in different branch agencies, he can choose whether or not to follow the advice of the national cyber director. so while the national cyber director would have the budget certification authority, he can't go in and mess the entire
process up for lack of a better way to describe it. >> okay. i've heard different people describe what they view this might entail, but would the new office comprise a large new staff? i heard between 75 and 100 new staffers, obviously that would create a new bureaucracy and we're always careful about creating new bureaucracies. so what's the -- what's the prediction of a budget, how much will this cost, how many staffers are we talking about here? >> i would say as we estimate 75 is about right. and i understand your concern, that's not nothing. that would replace about the 15 that are there right now. i just would say if you look right now at the let's say the comparison of people and
resources we devote towards offensive operations, nsa and cybercommand versus what cisa has, you'll see an imbalance of the personnel we have, so even though we would be adding anywhere between 75 to 100, that would be a small step towards perhaps correcting that imbalance, giving the white house better purview into defensive operation, what the budgetary impact of that would be we think it would be in the low, you know, about $10 to $15 million, but some of that depends on whether these people are detailees from other agencies, but i'm not suggesting it is not -- it is nothing, it is a growing of an office within the organization. but that's also consistent with precedent for other senate confirmed offices within the executive office of the president. >> and i certainly understand the concern and appreciate the effort here to alleviate that.
but if this is staffed by career officials or detailees from other agencies, why won't it become another bastion for employees who refuse to honor the policy prerogatives of an incumbent president, something that this president has been battling, as you know, for the last three and a half years. >> well, i don't doubt that that is a problem within the executive branch and having worked in the executive branch, i think there is always a tendency for, you know, if you're a bureaucrat, you sort of believe in the status quo, the old saying goes where you stand depends where you sit. at the end of the day, that's a broader cultural issue, where everybody that works in the executive branch, whether they're wearing uniform or civilian needs to understand that they work for the president, regardless of that president's party and so i don't think this would -- i don't think this would solve that problem necessarily, i don't think it would make it dramatically worse. >> just out of curiosity, have
you had any conversations with anyone in the white house to gauge their level of support or opposition for this proposal? >> i have had conversations with the white house. >> okay. >> well, good deal. my time is about to expire. and i have the utmost respect for you, representative gallagher, you and will hurd, on our side, certainly the foremost experts on cybersecurity. appreciate what you're doing here. and look forward to further conversations. with that, madam chairwoman, i yield back. >> thank you, mr. comer. i now recognize the distinguished ranking member from the subcommittee on national security mr. grothman for his -- >> -- can you hear me?
can you hear me now? can you hear me? >> yes, loud and clear. >> okay. okay. does the commission take a position on whether the nation's cybersecurity posture has improved over the years? are things getting better or worse? >> i'll offer my view. i think after a year of extensive conversations with general nakasone and chris krebs, i think we have gotten a lot better and a lot of that is due to legislation that we have passed in congress on the armed services committee, we effectively devolved greater authority down to other levels so people can operate in cyber with the speed and agility that is necessary to have an effect. so -- and i think if you look at lessons learned from 2016, there
was a concerted effort in 2018 to protect our democracy. i've been impressed with general nakasone and other cyber warriors in this space. >> if i could add -- i would agree with mike, again, as the chairman of the intelligence emerging threats and capabilities subcommittee, i oversee, both nsa and u.s. cyber command, i see the extraordinary work that general nakasone and his team are doing, also sitting on the homeland security committee and on the subcommittee that helps to oversee cisa, we're getting better and better and more effectively organized to combat this growing threat. so we have been better and i support, for example, the administration's new guidance on cyber and nspm 13. we're more forward leaning. so defending forward, if you
will, i think we're probably too reserved in past years, and now under the current construct we are more forward leaning, so as chris inglis likes to say, it is defending early, or you could say as often said defending forward. i think it is the right strategy. our enemies and adversaries are getting more effective and more successful and sophisticated in their ability to carry out cyberattacks with significant consequence and so we need to continue to evolve, and that's why this new added position is helping us to get even better. going from the category of, say, good, better, best -- >> we're getting faster, is that what you're saying? do we have a data bank of breaches or incidents that we feel we're going to try to prevent in the future? can you rattle off the top five problems in the last three years, say? >> just by way of example, this
is an example i use pretty frequently. we're trying to prevent the next opm breach, for example. the breach that occurred at the office of personnel management happens because there was a department -- >> that's one. rattle off three or four worst breaches in the last four years that you feel -- >> there was the wannacry incident that occurred, the sony breach that occurred in north korea carried out, of course, the wannacry was probably one of the most costly cyber incidents that occurred in world history and it cost fedex and merck and maersk billions of dollars in lost revenue when their computers were wiped out or damaged. so the amount of intellectual property theft that has occurred over the years, it has cost u.s.
jobs and economic competitiveness to the tune of hundreds of billions if not trillions of dollars. so the list goes on and on, not to mention, of course, the amount of personal pride and information stolen. we're getting better at responding to and protecting against these things, but we're not -- >> -- forwarded to me six or seven ones that we're trying to prevent in the future. i missed something, one you've guys talked about john bolton dismantling some agency or commission or whatever. could you go over that a little bit? >> yeah, if i could -- if i could jump in on that, i know mike is going to want to comment. but under every administration we were making forward progress on cybersecurity. john bolton was the first person really in an administration to take us backward when the cybersecurity coordinator
position, that wasn't senate confirmed, didn't have policy or budgetary authority, but at least it was there. one of the people on the second panel, michael daniel, was the cybersecurity coordinator under president obama, rob joyce under the -- >> it just hits me as odd. i wonder what his logic was, why did he do that? >> i think he sold the president a bill of goods by eliminating the position. i think he did a disservice to the president. >> i think keith might argue he's streamlining the overall nsc process and his predecessor or his successor tried to continue that process. i think what we're arguing is that even that status quo ante with the cybercoordinator was not sufficient really to get the overall interagency, interdisciplinary oversight you need of cyber, as well as develop long-term expertise. and, again, to go back to the senate confirm bit, we want this person to not only have the ear of the president, but be, you know, a single belly button that we as legislators can push to get answers when it comes to
congress. as for your earlier question, glenn, we -- i'll send you -- throughout our report we go through all of the major infiltrations attributed to china, russia, north korea, iran and nonstate actors and lay it out. one that comes to mind for me as a defense guy from 2006 to 2018, advanced persistent threat 10, china was conducting systematic cyberespionage campaigns, compromising computer systems containing personal information from over 100,000 u.s. navy personnel. in addition to opm and i have the letter i received from opm framed somewhere here in my basement, saying my records have been hacked, there has been a lot of these little attempts to exfiltrate data directly from our military and compromise the data of military personnel. >> i don't even know, mike, if someone tries to do that, do we find out right away or may all sorts of things be going on and we have no idea it happened? >> it just depends.
certainly there has been lag time in detection for some of the major breaches we had. again, i would say we have gotten better in detecting how this happens. we're going to have testimony from a variety of true experts in this space, like our former colleague mike rogers who can speak to that. we're getting better at rapid detection, rapid attribution and better process for response. as jim pointed out, the threats are getting better as well and better at anonymizing the origin of the threat. >> thank you. >> thank you very much to my esteemed colleagues for their tireless work on the commission and for sharing their work with us today. would either mr. langevin or mr. gallagher like to stay for panel two, you have been generous with your time. but we would be very happy to waive you in. would you like to stay? >> i would like to stay for a bit, madam chair. if i could ask unanimous consent that a letter of endorsement of
a national cyber director by the u.s. chamber of commerce be added into the record? could i ask for unanimous consent? >> absolutely. so ruled. >> and i too have the tni markup going on now, so i may have to go in and out as well as many diapers i have to change upstairs. so if you'll indulge me with that, i may not be able to attend the whole second session. >> thank you. without objection, the gentleman from rhode island will be permitted to join the committee for this hearing on the virtual dais and question the second panel. and now i would like to introduce our second panel. the honorable -- and the gentleman from wisconsin, okay. i will now introduce our second panel, the honorable mike rogers, former member of congress, chairman of the house permanent select committee on
intelligence from 2011 to 2015. michael daniel, president and ceo of the cyber threat alliance. and former cybersecurity coordinator for president obama from 2012 to 2017. amit yoran, chairman and ceo of tenable, founding director, u.s. computer emergency readiness team. suzanne spaulding, senior adviser for homeland security at the international security program at the center for strategic and international studies. commissioner, u.s. cyberspace solarium commission. jamil jaffer of george mason university national security institute. the witnesses will be unmuted, so we can swear them in now. so please raise your right hand. do you swear or affirm that the
testimony you are about to give is the truth, the whole truth, and nothing but the truth, so help you god? >> i do. >> i do. >> i do. >> let the record show that the witnesses answered in the affirmative. thank you. and without objection, your written statements will be made part of the record. with that, chairman rogers, nice to see you again, you are recognized to provide your testimony. >> thank you, madam chair, good to see so many colleagues i had a privilege to work with and some new ones as well. and to be on a panel of very distinguished experts in the field of cybersecurity and actually how we approach it. this has been a very long journey for me, madam chair, to get to where i would sit in front of the committee and say i support a cyber director. as congressman langevin and my good friend congressman ruppersburger both have reminded me over the years how i was just wrong about this.
they have invited me to dinner under the understanding that they want to watch me eat crow, as i testify today, in my support, my wholehearted support of -- for the national director -- cyber director bill you propose today. i'll tell you why. i looked at it certainly when i was chairman, prior to being chairman on the intelligence committee, and now subsequently in my private sector life, doing both policy work with the center of the presidency looking at the machinations of how we can combat this threat and in the private sector, i have been part of several small cybersecurity startup companies that have had the opportunity to view how the government is doing some of these things and offer products out into the commercial market to help defend our private sector from aggressive cybersecurity threats. all of those things have led me to really change my mind. i looked back and have a lot of the same arguments, if it was --
congressman langevin and ruppersburger and myself and representative comer sitting in a meeting in 2008, i think it would have been two people on one side of the table and two people on the other. i was worried about this expansion. so there was a lot of talk about an agency or czar and i didn't think we should go there and we had lots and lots of discussions. what i find this bill does that i think was different than previous discussions is that it doesn't expand government, which i am really concerned about, it focuses government. and if we need anything now in the cyberspace, we need focus on what our government is doing and does it have the right resources. we have taken some important steps in the past and congress, the federal information security management act of 2002 got it started. there was a modernization in 2014, but here is the problem. imagine if you take the quarterback and not let that quarterback train with the football team all year until the first game.
you put him out on the field. we're going to have problems. this is exactly how we set up our ability to monitor, to oversee the largest enterprise which is the federal government. and if you think about it, i know there has been a lot of talk about incidents and we need to be prepared there and the nsa has that ticket. but think the -- i'll read off three of them, i went online to the inspector general reports and there are hundreds and hundreds and hundreds of these agencies, by the way who are getting paid auditors to come in and do their basically review of their cybersecurity programs that they're meeting federal guidelines. and we think of the big ones, but we don't think of the farm credit administration or we don't think of the committee for purchase from people who are blind or severely disabled and think of the information that those organizations have that are sensitive information. the pension benefit guaranty corporation, when you look at this whole -- i have dozens of these i could go through for an hour on all of the agencies who
are absolutely under siege today, billions of times a day, somebody is getting up in the morning with a sole purpose and job to try to penetrate the u.s. government at any level. that happens every single day. every agency i mentioned plus the hundreds others are under siege from cyber espionage or destruction of data. that's happening. it is happening in a pretty big and significant way. and we're going to need to do something. so we're looking at it from the wrong end. i want to tell you two reasons why here, my testimony highlights some of the threats that we have been dealing with. but i want to give you an example why i thought, all right, we have to change the way we're thinking. we can't continue to do it the same way and expect a different outcome here. there was an oig inspection of a particular agency of which we would all be concerned about if that data were exposed. and what they found is they found about 25 serious changes that needed to be made.
this was in 2019. and here is the conclusion. so, remember, outside firm, hired to come in and say these are the things you're doing wrong, we'll be back next year to see if you've corrected them. next year. right? a year in cyberspace is a lifetime. a quarterly report is a lifetime. that means we got lots of exposure there. this is the one that got me. here's one other recommendation, if this agency continues a delay in corrective actions, a material weakness in information technology security control may be reported in 2020. that tells me we are not prepared for the threat that is knocking on our door today. and part of the reason is they have to coordinate through a whole series of bodies. let me just give you a little bit, it is omb, they had to do with dhs, coordinate with all the different agencies to come up with what the guidelines are to move out.
all of those agencies are under their own attacks, they all have their own cyber operations, by the way, there is no person, no organization set over top of it to say i'm going to be either the cavalry to help you in your deficiencies or help you find out what is wrong and how we fix it in short order. nothing is steering that. so, yes, we're going to need help on the fact that we -- we are going to have incidents. we are one keystroke away from an incident that has major consequences in the united states. why? because we are just under siege, the chinese have been highlighted in intellectual property theft and now disruption, they're changing their policy, they like to disrupt things. remember, if american people stop trusting their institutions to the point where it is not governable, guess what, bad guys win. china wins, russia wins, iran wins, north korea wins. and they all know it. matter of fact, i want to read you this quick quote, if i may,
madam chair, this was done by a general gerasimov of russia. a perfectly thriving state can in a matter of months or days be transformed into an arena of fierce armed conflict, become a victim of foreign intervention, and sink into a web of chaos. humanitarian catastrophe and civil war. the role of nonmilitary means of achieving political and strategic goals has grown. he's talking about cybersecurity and cyber influence operations, and disruption cyber activities for the public to lose trust, and they have -- and in many cases these tools have exceeded the power and force of weapons in their effectiveness. that was 2013. fast-forward what happened since 2013, we watched the russians engage in aggressive information operations, including the attempts to penetrate networks of which are concerned to disrupt things. and public reports show that the electric grid was attempted to
be penetrated. there are reports that they tried to penetrate our stock market, why? disruption leads to chaos, leads to distrust in american institutions. this is as serious a problem as we can get. and that conclusion that i came to, and i'll have to eat crow with my good friends mr. langevin and mr. ruppersburger is that if we don't have something, and i don't agree with the big agency, if we don't have something that doesn't expand government but focuses our cybersecurity efforts, we're going to be in for a long run. we had these conversations. we admired the problem. we worshipped the problem. now we have to do something about it. i think that this agency will help all of the agencies get to where they need to go and that's why i'm before the committee today, offering my support for this legislation. >> thank you so much, chairman rogers. that was a very, very powerful and moving presentation. and mr. daniels, you are now
recognized. >> thank you, good afternoon. thank you chairwoman maloney, ranking member comer and other distinguished members of the committee for the opportunity to testify before you today on the topic of this legislation and the national cyber director. i'm happy to be on the panel with people that i consider friends and colleagues, all of whom we worked together and have known each other for many years. as you might imagine, i think about this issue a lot. i served for 4 1/2 years as the special assistant to the president and cyber security coordinator on president obama's national security council staff and i served as the president and ceo of the cyberthreat alliance, a nonprofit threat and talent sharing organization. and cybersecurity is a tough issue for almost any organization to manage. and that is certainly true for the federal government. yet as our digital dependence continues to increase, something we talked about this morning,
this afternoon already, the imperative for the federal government to get better at managing cybersecurity also increases. the rapid shift of certain economic activities online as a result of the pandemic has only heightened this need. one aspect that makes cybersecurity particularly tough for the federal government is that it doesn't fit neatly into one bureaucratic bucket. cybersecurity is a national security, economic security, commercial intelligence, law enforcement, public safety, military, foreign policy issue, all rolled into one. yet at the same time, cybersecurity is highly interdependent. just like the -- just like the internet. all of those aspects i just mentioned are all connected and they all affect each other. and they also affect each other in some unanticipated ways many times. and that means all of the disparate pieces have to coordinate and work together in order for the whole to be effective and not undermine each
other. some of the questions and commentary from the first panel -- we have made excellent progress for laying the foundation for better cybersecurity. we put in place better policies, we enacted laws that have been mentioned including my -- the cybersecurity information sharing act from 2015. we put in place organizational structures like cisa at the department of homeland security and u.s. cybercommand. but we still face certain structural impediments to improving our cybersecurity. and these include cybersecurity's cross-cutting nature, the lack of incentives for coordination across agencies and the need for incident response coordination, as well as the issue's complexity and the effect on major policy decisions. so after wrestling with these issues for several years, i have come to the conclusion that we need a strong position along the lines of a national cyber director like the solarium commission recommends and like the bill that representative langevin is sponsoring. i don't come to this conclusion
lightly. prior to serving as the cybersecurity coordinator i spent 17 1/2 years at the office of management and budget and i have a career omb natural skepticism for creating new entities in the federal government. but in this case, i think it is the only viable approach that we have, in particular, an eop level organization is really the only one that will be able to overcome a very significant factor in the federal bureaucracy and that's the you're not the boss of me problem. and that is just rampant among the federal agencies and only something centered at the white house can overcome that. that said, i would urge congress to think through the scope and authorities for this position very carefully. it would be very easy to get something -- to get it wrong and to end up with something that does take up bureaucratic bandwidth and does not focus things like congressman rogers recommended. most importantly, this position has to cover all of the aspects of cybersecurity and not just some of them.
it has to have oversight of law enforcement, military and intelligence related offensive and defensive cyberactivities in addition to network defense. we cannot exclude the position and expect the position to be a success. it has to tightly integrate with the omb budget process and the nsc policy process or even eop it won't be effective. it has to have a big enough office to get the job done, but not so big that it is tempted to become operational. and it needs to have a clear relationship with a federal cio and federal ciso. at the end of the day, we need a position like the national cybersecurity director. cybersecurity is not just a technical problem. it is also an organizational problem. and so as a result we need to take some additional organizational steps to address it. we have taken the first few steps along that path and now it is time to create a position that can bring it all together. thank you for giving me the opportunity to testify before you today. and i'm looking forward to your questions.
thank you very much. >> thank you. and now mr. yoran, you are now recognized. >> chairwoman, ranking member comer and members of the committee, thank you for the opportunity to testify today. i would like to thank representatives langevin and gallagher for their leadership on the solarium commission and the report and for introducing hr 7331. i also would like to thank chairman maloney for serving as co-sponsor on the bill. tenable helps organizations of all sizes to understand and reduce cyberrisks. our solutions serve just about every department and agency of the federal government, and many state and local governments. our customers include over 50% of the fortune 500 and over 25% of the global 2000 and tens of thousands of midsized companies
in every major industry. simply put, we're instrumental to helping the nation and organizations around the world quantify and understand and reduce the cyberrisk. in hr 7331, the committee has the opportunity to significantly improve the nation's cyber preparedness. the creation of the office within the executive office of the president is a critical step forward. my support for this office centers on the need for stronger enterprise risk management practices across the federal government and across the nation. a whole of nation risk requires a whole of nation response and indeed a new expanded attack surface stretches across the entire nation. this includes every aspect of government, as well as private industry. none are immune from the threat of cyberattacks that imperil our national security. government services and the critical functions that citizens
rely on. and efforts to proactively reduce cyberrisk and coordinate responses when needed. the national cyber director is needed to make sure the government holds itself and industry accountable for standards of care with regard to cyber security. today, there remains a lackadaisical approach to understanding cyberrisks and proactively maintaining good cyber hygiene, resulting in a vast super majority of today's breaches and associated losses. this is negligent behavior through learned helplessness on the part of individuals, federal government agencies, and private industry. many of the needed authorities have been outlined in the proposed legislation, in my written testimony, i recommend augmenting the national cyber director's authorities under 7331 to include establishing a national encryption policy that balances the needs of law enforcement, with those of cyber security and public safety, overseeing the vulnerabilities
equities process, coordinating with regulatory agencies to set policies and practices which can improve understanding of cyber risks, increase transparency, and implement plans to adequately manage risk. focus efforts on cyber workforce development initiatives with emphasis on greater inclusiveness, and develop and maintain international cyber strategy for the nation and lead international cyberengagement efforts. it would be difficult to overstate the cyber risk we face today. governments and businesses use cloud computing, internet of things and operational technologies. all these technologies optimize production, drive innovation, and increase the sustainability, they also expand the overall cyber security attack surface and need to be an integral part. these practices must include services and industries essential to our public safety and well-being, such as power,
water, transportation, and healthcare as well as our industrial production. the risk is more than a technical one. it is political, it is social, it is physical, and it is economic. cyber security can threaten our way of life. there are important steps we can take to improve our cybersecurity posture in advance of the national crisis. those steps include creation of an office of the national cyber director at the white house. i'd like to thank chairman maloney, ranking members comer and members of the committee for their attention to this important topic and i'll be happy to respond to your questions. >> thank you. miss spaulding, you are now recognized. >> thank you chairwoman maloney, ranking member comer and members of the committee. thank you for the opportunity to be here today to testify in
support of the cyberspace solarium commission's recommendation to establish a national cyber director. it is really an honor to be here with my fellow distinguished witnesses and former colleagues and it was a particular honor to serve on the commission, alongside representative gallagher, representative langevin and the other commissioners. and inspiring to see the bipartisan and really nonpartisan approach that all of the commissioners brought to the work of the commission. and this recommendation is no exception. as has been noted, the commission considered alternative approaches to address what we all agreed was an urgent need for stronger coordination across the many entities engaged in cybersecurity for better integration of effort and more robust strategic planning and prioritization to guide those efforts. the first panel addressed the alternatives that we considered,
so i won't go through all of them again, but i did want to emphasize the arguments against the alternative of pulling the various cyber entities out of the departments and agencies where they currently reside, and putting them together in a new department of cyber security. i am strongly opposed to the creation of such a department because it would not solve our key coordination challenges and would cause huge disruption with little to no gain. the most important and challenging coordination issues in the interagency in my experience arise between dod elements including nsa, law enforcement, especially the fbi, and dhs. dod and the ic are not going to relinquish their cyber activities to a new department, nor is fbi going to turn over its law enforcement activity. thus, the new department would still face those key
coordination challenges. a national cyber director on the other hand could and must be empowered to address these key coordination challenges with the backing of the president. to do this, the ncd must have the authority to convene and get information from law enforcement, the military, and the intelligence community as well as dhs and the sector specific agencies about their operational plans and strategies. another important reason i have opposed a new cybersecurity department is the risk it would become singularly focused on new technology. i watched this happen with our wmd efforts in the '90s when i was at the central intelligence agency where folks working nuclear nonproliferation focused on the technical aspects and failed to adequately integrate regional experts and those
studying the leadership in the various countries. i see the same tendencies in cyber. we turn to technical experts and they not surprisingly focus on the technical aspects, even though we know that understanding and mitigating cyber risks requires a much broader approach that fully recognizes the human element, integrates cyber and physical risks, including knowledge of the operational environment, whether it is financial services, electricity or election infrastructure, and that incorporates knowledge of each of our adversaries and what drives them. i've always warned a new cyber department would be staffed by technical experts. this could happen to the office of the national cyber director as well, and it is something we must guard against. but sitting within the white house structure having responsibility for interagency coordination and working closely with the other elements like the
nsc and council of economic advisers should help guard against that tendency. another of the key recommendations from the commission is strengthening and reinforcing the great work that is being done by the group i used to lead at dhs, now called the cybersecurity and infrastructure security agency, or cisa. but at present, one of the greatest barriers to effective operations is that numerous federal departments and agencies often compete for resources and authorities. the ncd can support and enable cisa by pushing to decision the ongoing battles that cloud the federal government in cybersecurity. the ncd is not intended to direct or manage day to day implementation of strategy by any federal agency, but is responsible for overall integration and execution of defensive strategy across the executive branch through strategic policy operations and budget.
the national security director should only do what others cannot do themselves. deconflict and align cyber missions with national priorities, ensure visibility across the agency and help push the process to active -- into actual decisions. the ncd will fail if it adds further stovepiping and bureaucracy to our nation's efforts to reduce cyber risks. instead, the ncd needs to help empower, prioritize and provide much needed support for existing cyber entities within the u.s. government. thank you very much, and i look forward to your questions. >> thank you. mr. jaffer, you are now recognized. >> go to questions? >> yes.
>> okay. i now recognize myself for five minutes for questions. thank you very much to all of the panelists for your testimony and i want to dig a little deeper into the 2017 malware attack executed by north korea. this attack enabled hundreds of thousands of computers, businesses and homes in more than 150 countries. it even shut down a portion of britain's national health service for a week. so chairman rogers, can you describe the potential effects a cyberattack on critical infrastructure like this can have in the united states? >> it was north korea, a ransomware based attack that in some ways didn't even have a way to pay back the -- pay the ransom. so it was probably the least
capable actor, even at a high end, that was able to infect the systems. and it was -- it had a global wide impact and sometimes surgeries were turned off because they -- they couldn't actually access the right and appropriate records for the surgeons to do a surgery. you can imagine it had both health impacts of that sort, financial -- schools -- very widespread and part of it was they couldn't control it. it kind of fed on itself and spread without them directing it. which is a whole problem of probably not top tier nation state actor. they have gotten better since then, that's the scary part. so i would say that when you look at what the threats are, we know where our biggest adversaries are coming from. they use diplomacy and if you look at the fact that they
confiscated masks from rightful contract owners that they were going to be delivered to, gave them to entities in china so they could deliver them in a way to try to get credit for their influence operations. they used military defense and intelligence cyber operations, they used cyber operations for espionage. i would look at all the ways they're coming at us. what we know is they love to get access to people's data from a nation state perspective, but also cyber criminals, cyber criminals and others who would love to get the data that the u.s. government collects from u.s. citizens, everything from food stamp participation, think of all of the information you have to give in order to get that program to qualify for that program. it is sitting in a repository at the federal government, that's valuable to a cyber thief. i would look at this, that was a massive attack by a nation state, but we have all of these other attacks underneath it. and, again, that's my argument for the cyber director is you want somebody not just to
incident respond, you want somebody for precrisis, how do you help the agencies, help them through what they need to look like in their cyber shops and the kind of tools that we do and by the way, can we do this with a collective defense mentality so that when one gets attacked, everybody knows what the threat is moving forward. that's the way i would look at this, let's try to be precrisis and having that director whose sole job every day is to get up and think through all of those problems, my argument would be we're going to be better off because there is lots of talent, i think mr. gallagher and mr. langevin highlighted it, lots of great talent out there. we need to coordinate it, not expand government, but focus it on the problem that helps us the most. >> mr. yoran, i was shocked by the statistics from tenable's 2019
report that 90% of critical infrastructure operators missed at least one damaging cyberattack in the last two years. i understand that much of the nation's critical infrastructure is managed by an array of different companies that are responsible for different parts of the process. what would happen if one of these companies was compromised, can you talk about these attacks? >> yes, i think the effects of the attack -- of these attacks vary greatly. in many cases outage can certainly ensue. in other cases, it is more of a preparation where systems are being compromised, information is being stolen, but the adversary has no desire to create an outage, unless perhaps it is during time of crisis. so i think the impacts here could vary greatly and it is one of the reasons why we need a
systemic understanding of risk, and why a national cyber director needs to work closely with the regulatory agencies that do exist, to make sure that we're implementing a standard of care that makes sense. that we don't see the continued negligent behavior where enterprises are not maintaining good hygiene of their systems. they're not providing patches and updates and doing the maintenance that is required to keep them in a secure state and this -- this results in a vast super majority of breaches including the ones that were cited earlier, perpetrated by north korea, and a lot of the damaging ones that we read about in many of these high profile cases. >> do you believe that this hr 7331 would help the federal government address these
concerns more effectively? >> no question in my mind having done cybersecurity for over 25 years and spent time in multiple departments of the federal government as well as serving with cybersecurity products to private sector and now also helping the federal government with technologies to protect itself that a role like this would help provide a coordinating capability and bring the maximum understanding and appropriate resources to bear in a coordinated fashion as a federal government. so i think it was representative langevin or gallagher who said, you know, that the preparation work that we do now can have significant impact on the crisis that we face or how we deal with a crisis we might face down the road. i think the creation of the office in this role is a critical step forward.
>> thank you. i now want to call on jamil jaffer who disappeared for a while, but he's back with us for his testimony. mr. jaffer. >> miss chairwoman, thank you for the opportunity and i apologize for the technical difficulties. chairman maloney, ranking member comer, members of the committee, thank you for inviting me here today to discuss the proposed legislation to create a position of cyber director. it is no overstatement to say for all practical intents and purposes we are at war in cyberspace. as a nation, we remain woefully underprepared to deal with the serious ongoing conflict. now, lawyers will quibble with if we're at war and point out the united states declare we're at war, but the fact is that for better part of a decade our nation has been involved in the consistent ongoing series of
conflicts in cyberspace, fairly low level. a war or not, there can be no question it had a huge impact on our nation and its allies. china, primarily focused on u.s. private sector, private companies of billions of dollars a year with damages in the trillions. keith alexander says this activity represents the greatest transfer of wealth in human history. chairman rogers on this panel nearly a decade ago called attention to this and said we were in an economic cyberwar ten years ago. there are two types of companies in this country, those that have been hacked and know it and those hacked and don't know it yet. we also have seen countries like north korea and iran engage in data and -- here in the united states. in last half decade. we know that the united states -- iran is preparing for cyberattacks and allies we have seen corrosive effects on our american body of politics,
undermining our elected officials, our rule of law institutions including the justice department, fbi and intelligence community. to be sure, while we played a role in some of this, the russians paid little price for this. we have seen them mucking around with more covert operations on the covid virus and the killing of george floyd. we may see the same players in the election cycle. as chairman maloney noted, over three years ago, cybersecurity poses a greater risk to the safety of our financial system. we know what a serious threat cyber poses to our economy and our people. and with the current coronavirus situation, and the new work from home environment, with over 300 million workers around the globe working from home, including 90% of banking and insurance employees, these efforts represent a uniquely challenging threat to our economy and to our way of life, so the question becomes what should we do about it? and how much of a role can creating a new cyber director of the white house play in this process? while i completely agree with
all the members of my panel as well as congressman gallagher and congressman langevin who i had the pleasure to work with in the past, that having a key strategic leader at the white house is important, i'm skeptical of the need for a large office of 75 people, one third the size of the existing entire national security council, and the need to have that individual senate confirmed. we know that almost any white house whether republican or democrat, this administration or another, would be opposed to the creation of a new yet one more senate confirmed individual and the white house office. indeed, there are other alternatives for the committee to consider. the committee may consider creating a position in the white house office, but not making it senate confirmed. they may consider creating an office that is smaller and more leadership oriented. 5, 10, 15 person office. the committee can work with the president to ensure that person has a rank and stature of a deputy assistant to the president and is able to effectively work through the national security adviser who
has full responsibility for the full range of issues in this space to ensure that we have unity and effort. there is no doubt with all the cooks in the kitchen from dhs, cisa, nsa, u.s. cybercommand to the fbi, better coordination, more aggressive coordination of the white house is necessary. the only question to consider is whether that requires senate confirmation and 75 person office and on that note, i'm somewhat skeptical but i recognize there is a lot of my friends and colleagues, my former boss, chairman rogers, who support this. and i have a lot of respect for that position. and with that, thank you, miss chairwoman, apologies for the technical difficulties earlier. i yield back the balance. >> thank you, for your testimony. i would like to ask you about the 2017 russian cyber attack known as notpetya, it froze computer systems around the world. and in exchange for ransom. in ukraine, the attacks at hospitals, power companies,
airports, banks and practically every federal agency. u.s. was not immune. this attack hit fedex and the drug company merck, costing each more than $300 million. how great is the risk of a large-scale ransom attack in the united states today? >> i think it's a huge issue. what you see there in that case was a very carefully crafted attack by russia against ukraine. we had collateral damage. these companies, $10 billion worldwide and as you mentioned, over five international companies, mostly in the west, who suffered between $250 and $350 million in damage. even if you think as a company you're not likely to be affected by a nation state attack, the reality is you may be, because you may be collateral damage as
was the case in russia against ukraine. >> thank you. okay. thank you. a centralized cybersecurity coordinator at the white house seems essential to respond to cyberattacks. i now recognize the ranking member for his questions. >> thank you, chairwoman. my first question will be for mr. daniel. could you walk me through how a major cyber incident currently proceeds through the federal government and how it might change with the advent of a national cyber director? >> sure. i think that right now it really depends on who first becomes aware of that incident. it depends on if that incident is actually disclosed by a
private sector entity and how it comes in, whether they disclose it to cisa or the fbi or the nsa. at some point, if it gets big enough, those entities would eventually share that information with some of the other elements of the u.s. government. and then the government would need to do an assessment on how -- whether that incident actually represents something that is more systemic. in other words, is it going to turn into something else. and the government would need to do an assessment on whether or not a response is warranted based on that incident. i think in that case, that's where you would want -- when you start to look at how the u.s. government responds, that's where you want that coordination
to actually come together. just because an attack comes through cyberspace, does not mean that the only response needs to be back at the adversary through cyberspace. you might want to use other policy tools and means to respond. that's why that coordination factor across all the different elements of national power is so important. >> my next question will be for mr. jaffer. earlier this month in a joint public service announcement by the fbi and dhs's cybersecurity agency, the fbi reported it is investigating, and i quote, targeting and compromise of u.s. organizations conducting covid-19-related research, prc affiliated cyber actors and nontraditional collectors. there's reason to believe china is attempting to exploit the recent pandemic to hack into u.s. businesses conducting
research on the very virus originating in its own country. mr. jaffer, could you please explain some of the methods china is using to steal our critical research into this virus or if you have no insight, ways china accomplishes its many cyber intrusions. >> thank you. the chinese have been engaged in this effort to steal american intellectual property for the better part of a decade and a half. it was only until chairman rogers and general alexander came out and started talking about what was happening with china that the public became aware of it. it's only in recent weeks and months that we've become aware of our supply chain dependence on china. and so what china is doing, they have literally built their economy on the backs of american
innovation, you wonder why a huawei looks like a cisco router, because it essentially is a cisco router. they repurposed it in china and sold it as a good. they're trying to do the same thing in the covid arena. they're trying to get out ahead of this, trying to have the vaccine first and essentially grow their economy on the backs of your challenges and steal our intellectual property. we cannot allow this to happen. the president has been aggressive in pursuing china on this front. we need to ensure we hold the line and stop them from allowing them to build their country on the back of r&d. >> it's always been clear that cybersecurity is a huge threat to the united states. we talk about china being one of the worst actors with respect to
cybersecurity threats, violations. you look more at china and you see they've been stealing our patents for years, our intellectual property. who knows what all they've done with respect to covid-19. i think we would like to get to know that. i know the select committee is delving into that. we spent a lot of time in this committee investigating russia. i believe that the american people, the american taxpayers would be better served if we spent a little bit of time investigating china. in closing, i would really encourage you to consider devoting a little bit of time in this committee to investigating china whether it be covid-19, whether it be our intellectual property, our patents, whether it be cybersecurity hacks, threats, things of that nature. that's my encouragement to you
as we proceed and hopefully work together in a bipartisan way. but i want to thank all the witnesses for being here today and look forward to further discussion on this proposal. with that, i yield back. >> thank you. next we will go to ms. norton. >> can you hear me and see me? i want to thank the chair for this really important and timely hearing. because i represent the nation's capital, i have a special interest in this hearing. we are, of course, like most big cities. but we're not just any big cities. and my question goes to what has already happened to some big cities. i don't know who should answer this. perhaps starting with
mr. rogers. i'm not certain. but we've already seen that another big city, new orleans, has actually had its -- ransomware shut down all together, grounding all of their operations to a halt. imagine if that happened to the capital of the united states. so i must ask if we are fortified here in the nation's capital and other cities against similar shutdowns of all operations, blacking out the city all together. any number of you are likely to be qualified to answer this question. but i would begin with mr. rogers. >> we've seen this ransomware activity for multiple years now. and it became more aggressive
and more aggressive. meaning there was spreading amongst international organized crime groups and others seeking to gain revenue. and the north koreans who used ransomware attacks to gain revenue from the government. and i hate to say about my brethren and the fbi, some of these companies you should probably just pay it because we don't have any way to intercede to do anything about it. and so you had major hospital organizations, you know -- the los angeles hospital system comes to mind. one of the early, early cases where they ended up distastefully to pay for this. and this is one of the problems with cyber protection at large. we have to remember that the nsa doesn't protect the private sector in the country. they're protecting the
government and then they're doing collection activities targeted at our overseas adversaries to do something bad to the united states. and so we have this really uneven ability to stop this in cities across america. and candidly, i think most cities in america are not prepared for this. they have old systems, legacy systems, they haven't spent the money to upgrade their systems and provide a level of protection that would keep that data safe. that's why people are going to cities because they believe that they're the most vulnerable. and, remember, it's not the nsa's job to protect new orleans or detroit, michigan. that's not what they do. it's up to the private sector and those cities trying to develop systems they can put in place much like the companies i'm involved with who are looking at collective defense and other things to try to protect it. this is why in my mind a coordinated effort out of the
white house all of our agencies in the right direction. maybe it helps the department of homeland security get the word out to these cities, the problems that they really have. and so we are a long way, i guess is the short answer to that, we're a long way from those cities being protected. take on -- we're seeing that. we're seeing that leeching of nation-state quality in cyberspace leech into the organizations. we're up for a really bumpy road coming up in cyber in the next few years outside of the u.s. government across both private sector and local and state governments. >> i guess new orleans did pay up. it's really unnerving to hear you say at the moment, it's so great that you pay up --
>> we all know what happens when you pay it. guess what, more people are deciding they want to try to extract you from the money and that's the problem we're running into. >> that makes us vulnerable to paying up. i can't help ask about the election. we have already had perhaps most of our primaries and i'm wondering if any of you perhaps beginning with you, mr. rogers, have seen any interference with our elections? we've seen it with financial institutions worldwide. how about interference with our elections such as, for example, any alteration in election results could occur? >> i can tell you in my work in some of the private work that i do, including being vice
chairman, we haven't seen any flip one vote to another vote. we have not seen that. we have, in fact, going into 2018 that our adversaries tried to influence elections by creating chaos and i think we need to be careful about saying republican versus democrat. they're trying to create chaos. they don't care. they don't like democrat americans any more than they like republican americans. they're trying to create chaos in the elections. the general and his team did a phenomenal job in 2018 playing that whack-a-mole game to push them back. the russians, the chinese have said this is very effective, very low consequences, so we're going to kind of ramp up our engagement and try and create this chaos going forward. it is something that i think we absolutely have to pay attention to. it's very cheap for them. they don't have to go buy a
carrier, develop a naval fleet and stock it -- >> are states and cities aware enough so that when they see this right now, it's just interference, it's not had consequences. are states equipped to fight back? >> i think it's difficult for states and local governments to do this. i do think we need to look -- we need to ask ourselves, what do we want our high-tier performing agencies to do for us. i think this is where they can be helpful in trying to stop this across the united states. mainly because it is a very sophisticated nation state actor, activity. there are some other groups out there that are trying to get into this game that are worrisome. but i think we should employ all the tools that we have and this
is where i think congressional oversight is important. know what it is, talk to them about what they're doing, and encourage them. it's not always going to go the way we want. you have to encourage them to get out there and help them back with those activities. >> we've got a lot -- >> i now call on -- >> i just wanted to follow up on that. we have a lot of tools at our disposal. i would be careful to try and solve all problems with the nsa. i know the department of homeland security and cisa in particular working with non-profits have done a tremendous job laying the groundwork for improving election security and election security response capabilities for the -- each of those jurisdictions. but there are other things. the state and local governments have very significantly limited expertise and limited resources
and those -- and the resource restrictions have been exacerbated by their response to corona and with a heightened threat environment. this is an area where even a modest amount of funding, coordination, and policy directed from the federal government can have a disproportionate impact on better protecting the nation. >> thank you very much. madam chair, i yield back. >> i'm here. >> okay. good. you're recognized. >> thank you, chairwoman. i'm going to go back to you, mr. jaffer. i want to have you walk
through -- you made some -- gave us some ideas of maybe this wouldn't be appropriate at the presidential level. can you walk us through that a little bit more. >> sure. as you may know, there are four senate confirmed individuals today in the white house office. the director of omb, the u.s. trade rep, the head of drug control policy and the head of science and technology policy. of those two things, trade and the power of the purse, omb, that's why those two have been successful. on this one, you have the challenge you have is that this is an area where the president feels strongly. this is a national security responsibility. this is war making in a lot of ways. the idea that any president, democrat, republican, trump or otherwise would be willing to give up a significant portion of authority is going to be a
challenge. i think you're going to face challenges with the white house. i think the better approach is to find a path forward to work with the president, emphasize the importance. the congress did this here in the last few years with the issue of interference in elections and the like and they prioritize it, made a national security council. that's a good example the way that congress is able to work with the white house on solving these problems rather than a senate-confirmed individual. >> so mike rogers, looking from the outside, you've been part of the matrix of congress. do you agree with anything that mr. jaffer has brought forward in that aspect? >> i do. i had the same sensitivities about do we really want to impose on a president some structure on a national security
within the national security council at the white house? and i wrestled with this a lot. and the reason i think i have come full circle on this is because i have seen it from the private sector side as well as being chairman of intel when candidly, i thought, no, we can do this. this really isn't a republican or democrat thing. the bush administration had an effort at this, the obama administration had an effort at this. the trump administration took a very different take on how they wanted to do it. none of it really worked to our advantage. and so when you look at the series of challenges, this is why, this is not to me some kind of semantic argument, every major adversary, china, russia, north korea, iran, there are others, are ramping up the use of cyber because they know it has low consequence and high impact. if you look at kim jong-un who said the thing that's going to keep me in charge are nuclear
weapons and cybersecurity, offensive cybersecurity. he's investing in it. the chinese are spending billions of dollars. they've announced they're going to spend a trillion dollars to try to have a technological edge in quantum computing, 5g buildout, ai and ai research, including cyber capability and data control. so they're looking -- they're moving away from building large defensive military posture, don't get me wrong, i'm for that, but what they're doing is trying to spend it targeting us and my concern is, if we keep doing it the same way, we are going to keep having the same response and the ig response that we have now is basically, i caught you for the last 12 months doing something wrong. i'll come see you in the next 12 months to see if you get it right. that's not working. it will not work. let's have some office that has
that authority. you have some big personality, dod, nsa organization. i'm not talking about the individual leaders. it's their big personalities to deal in this. nobody wants to listen to anybody. you have to have a committee to settle on the way forward. i think you need somebody to say, i'm here to help you. we're going to get that piece right. we're going to fix this piece. i'm going to reach over to nsa talent and who knows, the department of agriculture figured this out last week. we don't have that today in that regard. and that to me has to change. if we could figure out another way, great, but i like this idea because it's a radical change and puts it at the feet of an individual to fix this problem. >> looking at the legislation as is, do you see any additions or subtractions to it that would keep it on the desired pathway,
mike? >> here's where i agree with jamil and he and i had these conversations often when we were working together in the intelligence committee. you want to make sure we're not plopping a bureaucracy here. if everybody gets to say no and sign off, we lose. it has to be smaller and more agile. i would worry about the body count. maybe it's 50. i don't know. but we need to make sure that it is agile enough in its strategic advice that it can do something. it needs to say department "x," you haven't performed. not that i'm going to beat you with a stick, i'm going to help you get where you want to go. that's what this needs to be. and how it looks in text and legislation as we all know, the devil is in those details. but if we don't do something pretty radical, we are already behind the eight ball.
and i'm talking even offensive policy, defensive policy, and then all of these agencies that nobody knows are out there working that have all of the sensitive data that nobody thinks that loves them are great targets for cybersecurity. all of that -- that's why you need somebody to pay attention to it every single day. >> thank you, chairwoman. i yield back. >> chairman connolly is recognized. >> thank you, madam chairwoman. thank you to our panel. fascinating conversation. and i don't know if jim langevin is still with us, but congratulations on the work on the cyberspace solarium.
i spent all 12 years of my life in congress focused on federal i.t., modernizing federal i.t. and we spent $96 billion a year on i.t., at least. 80% of which is spent simply maintaining legacy systems. many of which cannot be encrypted. they can't be updated for the 21st century cyber protection. and i want to raise some concerns and, mr. daniel and ms. spaulding, you both kind of touched on it. mr. daniel, you were in the white house. we have a cio in the white house, a cto in the white house, we have a chief information security officer in the white house, and we have the office of science, technology adviser. all four of those offices right
now, their responsibility in some measure for i.t. investments in the federal government, trying to modernize and to protect in terms of cyber. how will the creation of a cyber czar work with those other offices? and what authority will he or she have to help upgrade? to upgrade a legacy system, it's going to cost at least billions of dollars, multiple years. we've been trying for five years through the legislation that came out of our committee to exhort federal agencies to make those investments. will the cyber czar have superseding authority with respect to the kinds of investments that get made? will he or she be required to coordinate with the cto and the cio who are charged with setting
certain types of goals for the federal government that includes cyber but not limited to cyber? and i say all of this supportive of the intent of the legislation but worried about its execution, worried about overlap and the -- what could go wrong with this in terms of coordination. and maybe i can start with you, mr. daniel. given your experience, do you share the concerns and what protections can we take in creating this position to avoid the inevitable conflict -- bureaucratic conflict that could ensue? >> well, thank you, congressman. i certainly agree that this position would need to work very closely with the federal cio and the federal cisa. the way i look at it is, you would want to have this position work with -- those offices are designed to focus exclusively on
the security of federal networks. and that would be one element of a national cyber director's portfolio. and so what you would want is, you would want that position working very closely with those individuals to be able to highlight the threats to federal networks across the broader policy space, to advocate on behalf of investments. certainly one of all the challenges that agencies have is that it is relatively easier to get operational money, to keep the old stuff going and it's much, much harder to get procurement money to actually upgrade things. there's a structural problem in the budget process for how we go about funding, you know, upgrades in i.t. that creates an incentive for agencies to keep old stuff around for forever which is inherently harder to secure. what you would hope is that a national cyber director would also be able to help bring in expertise from the private
sector to help the federal government do better. and then lastly to look at, what are the structural changes we can make across the federal government. at some level, it's ridiculous to expect the deally commission to really focus is and be good at cybersecurity. we need to work on cross agency support for cybersecurity so we're not expecting every agency to be really, really good at their cybersecurity and instead think about the -- you know, the economic principle of comparative advantage. >> well, i certainly agree with you that we would hope and expect that they would work closely together. but we're addressing a bill here. we're codifying a position. and i want to do more than hope that they coordinate. i want to make sure we get it right so that this person, this position can hit the ground running with defined responsibilities. because if we don't get this
right, you're going to build up bureaucratic resistance. we certainly have seen that in cios. you mentioned bringing people in from the outside. we've done that with cios and their lunch gets eaten. the bureaucracy gangs up on them because they're outsiders, they're alien, they're presuming to tell you what to do. as a result they fail. not all of them. but it -- i just want to share that concern. thank you. >> the witness can respond to your question. >> thank you. yes, i certainly agree that -- you know, requiring some coordination with the federal cio and the federal cisa could
be useful. and that, again, this would just be one aspect of something that a national cyber director would have to be concerned about. >> thank you. >> thank you, madam chairwoman. my first question, which i think should be everybody's first question is, what is the budget for this proposed office of the national cyber director and the second part of that question is, in addition to the 75 employees that are anticipated, how many -- what percent of the money is going to go to contractors? anybody can answer that question, if there's an answer to it. >> we don't know what the budget is. there's no authorization for appropriations in the bill as far as i can tell. and we don't know what the committees will give it. that being said, the 75 fte that are in there are a significant number.
there's authority to bring other parts of the government in and hire outside experts and the like. this number could grow beyond that now. to be fair, the legislation says up to 75 for the full time equivalent. there's a lot of other room in there. depending on what the various committees have appropriated, that's a good question. >> let me go onto my next question for ms. spaulding. you were on the commission that recommended this position, is that correct, ms. spaulding? >> that's correct. was there an advocate for civil liberties and privacy on that commission? if so, why is there not in this proposed legislation -- i know you probably didn't write the legislation. there's two deputy directors but i don't see a deputy director for civil liberties or an advocate for privacy in here. should there be one and was that discussed in the commission?
>> so excellent question, congressman. and i have a long record of being an advocate for civil liberties and for privacy throughout my career. i think a number of us on the commission came to the table with those sensitivities and equities very much in mind. there was no specific person designated for that. but a number of us, as i say, brought those sensitivities to the discussion. certainly privacy is one of the values and interests that cybersecurity is very much intended to protect. so i think in many respects, privacy is very much built into the efforts to strengthen our cybersecurity. but there are times in which the way in which you approach security issues may have implications for privacy and
civil liberties. i think your point is very well taken. there ought to be an emphasis. i'm not sure a director specifically for that. certainly when i was at the department of homeland security as the undersecretary for what is now cisa, i valued very highly having a specific individual and staff focused on privacy and civil liberties issues as did the department as a whole and found their input and insights extremely important and valuable. >> i would like to see that, if we create this office, define legislatively because there's always seems to be a bias in the other direction. i think we need an advocate there. thank you for being one. mr. jaffer, what does it mean to have a list of trusted vendors when those vendors are putting back doors intentionally into their hardware and software? how can you have a secure cyber
system when we're sometimes encouraging those vendors to put back doors in? >> i think it's an important point that you raise, congressman. at the end of the day, we have legislation that permits the government to obtain certain access to telecommunication systems, the communications systems, that's the way in which law enforcement gets access to telecom systems. other systems, that's a harder question. more often than not, what typically happens in the government, the government will come to a provider with a court order, for the foreign intelligence court or for a federal court or a subpoena authorized by congress to get access. it's not typically happening in a cooperative manner. because the companies have learned that it's important to have that kind of process if they ever get -- if it comes out or they're sued, they have the protection of the law to help protect them. that's how we see it happening. there's a judge involved. if not, some sort of administer that congress oversees, sir. >> i think there's a little bit
of an oxymoron creating a list of trusted vendors and asking them to put back doors in their products. i'm concerned about that. my final question is, what's the real responsibility of the government to provide security for a company like sony who has over 8 trillion yen in revenue every year? >> time is expired. the gentleman may answer the question. >> it's a great question, congressman. one of the challenges we have is that today in our country, we expect every company, large, sony, morgan chase, or the small mom and pop, we expect all of those companies that run our economy and are the engines of innovation, we expect all of them to defend themselves against russia, china, iran, that have unlimited human and monetary resources to throw at
this problem. we need to create a structure with multiple industries working with one another and the government provides all of the intelligence to help industry to protect themselves. we owe them better and we're not doing that right now. >> i think that there's maybe a misperception here. i don't think we're dealing with sophisticated adversaries. many of these companies are falling victim through simple negligence, not applying a standard of care with their system. and the line of questioning is important. why it's important to have this cyber director position is to balance the equities of law enforcement where there's proposals to create back doors and weakness and weaken the encryption in commercial progress. there's loss decisions that are made on a daily basis. there's law enforcement
considerations in creating norms of behavior here. and all of these things are being done without having a national policy thought through at the white house level that can balance and consider all of these different equities. each department and agency often running on their own in a fairly uncoordinated fashion. >> thank you, madam chairwoman, i yield back. >> representative raskin is recognized. >> thank you, madam chair, and i want to salute our colleagues for an extremely compelling presentation and for their hard bipartisan work on this legislation. i'm kind of puzzled by the history of this and i was hoping that mr. rogers might start off by clarifying some things for me. we got hit in 2014 with the massive cyber breach at opm by china and that caused massive
damage to our country. in 2016 we experienced a sweeping and systematic cyberattack on our election by vladimir putin that caused incalculable damage. now, of course, in 2020, we have been caught totally unaware, seemingly unprepared for the coronavirus epidemic which was denied and dismissed and trivialized and wrapped in magical thinking and now we lead the world in case count and death count while our european allies totally have the virus on the run. we're spiraling out of control. so if everybody is responsible for something, nobody is responsible. and it seems overwhelmingly compelling and clear to me that
the purpose of this legislation is absolutely right which is we need someone who is coordinating our cyber defenses at a time when all of these weaknesses and vulnerabilities have been repeatedly demonstrated by different attacks. so i guess my first question for you, mr. rogers, why has it taken us so long to get to this point? what has slowed us down? >> that may be the million-dollar question, congressman. when we went back and looked -- think about this. the first time that china was publicly named as this increased actor in cyber intellectual property theft, even though we had known it was going on for years was 2010. why? because the bush administration said, no way, we're not disclosing that yet. even the early days of the obama administration, they said it's too early. we gave a pretty forceful
argument about making this public. we've only been talking about it publicly for ten years. and i think the public has slowly been coming around. now there was a recent gallup poll that said 81% of americans believe that there will be a cyberattack of significance on the united states. we didn't have anything like that in 2010. people thought we were crazy. they didn't understand what we were talking about. and so public opinion has been slow to catch up. i think we're in a very different place. public opinion is probably more with us now than it's ever been to try to defeat this thing. remember, there is no system out there that is completely impenetrable. if it's connected to the internet, you're vulnerable. any time we break up our efforts to try to do this, meaning if the nsa has one mission set and the fbi has another and they're not talking to each other, guess what, that seam means somebody is going to win. and that happens in private sector, local and state government and happens in the federal government.
if you look at what the chinese were able to do, this was a very typical -- in the opm breach. i forget what the number is, the very sensitive information to get a clearance, i got a letter saying mine was breached. all of that information was taken back and think about what they're doing now with their ability through algorithms to collate that data and find people they're interested in spying on. either you're with the government and have a classification or in the defense realm. that was unfortunately a brilliant government espionage activity. and so we have to understand -- we really have to change the way we think about these threats. they're looking -- >> can i follow up with you just for one second. i have time for one more question. what's terrifying to me is that our failed response to the
coronavirus pandemic has exposed a lot of vulnerabilities to foreign governments that may mean to do us harm and figure we don't have the governmental preparedness, the social cohesion to respond to a massive threat. if you would just put this in a geopolitical competitive context, what is the imperative here to act now? >> well, there's two -- i think that's two conversations. one is on the supply chain. >> the witness may answer the question. answer the question. >> security and supply -- security is a very important discussion congress is going to have to weigh in on. i couldn't kill international trade, but i would protect our ability to surge on protected items. these nation states are big adversaries, have refocused their efforts. remember the quote that i used from russia, they realized, i
don't need to build an aircraft carrier, i'm going to invest in cyberoperations. if i can shut down their electricity or cause distrust of the american people with their government, we win. it has an outsized impact on what they're trying to do and all of them have stepped up their game. russia, china, iran, north korea, others, that's why to me this is so important. and candidly, we're in a cyber war today. folks who say it's not really, i disagree. they are causing destruction, disruption and adding chaos. i don't know what else you call it. and we need to act that way and i think we ought to have one focus on this so that we coordinate all of the good activities around the government and focus, don't expand government, focus it in this solution. >> thank you, madam chair. >> the other lesson from the pandemic, of course, is the -- is what happens if we don't have strong coordination and a coherent response in a crisis.
confront china or russia about this, what do they say? what is their response when we bring this up to them? >> well, congressman, i can -- having engaged them on this topic directly, i can tell you that most of the time, of course, they deny it. and they say that -- >> have we ever caught them red handed, them or china? >> of course. and naturally they deny it and they will -- at most they would say it must be -- we must be mistaken and could we please provide them all of the detailed evidence for how we found that out so we can expose our intelligence methods to them so they can prevent them from doing it to us in the future and, you know, at most they might say it's a rogue element that they weren't really in control of and it wasn't really them. they never will accept responsibility for doing that. that said, you know, we have
engaged with them in other ways to try to push forward and push back on their activity. >> that's fine. i have a question for ms. spaulding. we asked this earlier. how a major cyber incident proceeds through the government. i want to kind of expand a little bit on that. step by step, based on your experience, what happens when an incident is reported by either the private sector or a government agency? what happens from discovery to response, kind of walk me through the u.s. cyber command authorities that are triggered and how would this change if we got a national cyber director? >> thank you, congressman. as michael daniel explained, some of it depends on how this information first comes into the government. so it might come in first to national cybersecurity communications integration center or the ops center at the
department of homeland security. we would often get reports usually from private sector companies that they are seeing malicious activity. it's equally likely to come into the fbi, for example. and then the players, dhs, cisa, the bureau, fbi, and usually the nsa would get on the phone together, though there are often reps sitting at the op center at dhs and the information would be shared. and a decision has to be made very quickly depending on the nature of the event on what is most important. do we go first and sometimes you will try as you can to do these at the same time. but you often have to prioritize. are we going to try to go in and mitigate the problem, address the malicious cyber activity and the damage that's being done to
that private sector business, for example, or are we going to put our priority on getting law enforcement in there to figure out who's behind this. both of those are legitimate equities. sometimes they can't both happen at once. conversations ensue to determine how to prioritize that. the advantage that a national cyber director can bring to bear on this, obviously, is to deconflict those competing equities quickly. time is of the essence to make sure we can get in there and do what is most important first, even as we're trying to accomplish all of the other equities. >> thank you. next question, one of you mentioned, we talked about russia and china, north korea and iran, and you said other countries, one of you. can you expand what other countries we have to worry about other than those four? does anybody want to -- >> yeah, i can take a shot at
that. >> one of you said there was more than the four. >> there are countries who are engaged in ramping up their cyber capabilities that might not be friendly to the united states. leaked nation state capability from russia into former eastern bloc criminal organizations perform like a state, they may not look like a state. there are other countries that are probably best not discussed in an open forum that some would argue, aren't they friendly countries. >> next question, one of you said they were involved in this george floyd incident. some of our enemies were involved in that. could you expand on that? >> it was me, congressman. what we've seen, we've seen reporting that the chinese -- you saw the chinese foreign ministry from the platform in an open setting refer to the plight
of black americans -- we know the chinese don't care about black americans. they're interning a million muslims. it's an effort to influence our own discussions here in the united states. we know what they're doing overtly. we've seen them operate covertly in similarly related spaces. having watched what the russians did successfully in our 2016 elections, are involved in this effort. they're gaslighting these debates -- >> could you give us a specific example. >> i don't know that we've seen sort of, you know, point on point examples. but i would bet in the next six months, we will see very specific examples coming out of facebook, twitter and the like. i can't prove it to you right now today, sir, but i put my life on it. >> the gentleman's time is expired. >> thank you much.
>> do you recognize me? >> yes, i did. >> i apologize, i did not hear you. thank you, madam chairwoman, for convening this hearing. i would also like to thank the commission for their detailed report. and i want to focus on one key area that has been previously discussed but i would like to dig a little bit deeper and it's about the loss of hundreds of billions of dollars in intellectual property theft to nation state sponsored cyberespionage. obviously the chief country responsible for that cyber ip theft has been china. we know china actively works with state-owned and civilian corporations and universities to steal ip from foreign sources including the united states. and according to a report released by the united states trade representative. theft of intellectual property
by china cost our country up to $600 billion a year. let me repeat that. $600 billion a year. the long-term damage of these losses cannot be quantified. ms. spaulding, let me turn to you first. in developing your recommendations for the national cyber director, did the commission structure the role and its office with this persistent problem in mind and can you provide any specifics as to how the director would address this issue? >> yes, absolutely, we did. and the situation that you've described really is addressed by a number of recommendations in the report. the private sector and the government both have a critical role to play in stopping this theft of intellectual property. and it requires a true collaboration. we need to -- we're the ones in government that have the
national technical means and intelligence capabilities to collect information about what nation states like china are engaged in and the kinds of techniques that they're using, as does the private sector. the private sector businesses that are developing this intellectual property are in the best position to defend their networks armed with information from the government. so we have a number of recommendations to make sure that we are -- that the government is obligated to get that information to those private sector companies and the national cyber director will have a key role in making sure that that's happening. that has to be part of the metrics, right, that is evaluated by this national cyber director. we need to have proactive plans, strategies, for addressing this and that planning capability across the interagency has been lacking. that is another key role for this national cyber director
largely using the joint planning organization at cisa. >> thank you. chairman rogers, you've talked about how long americans have been struggling to protect its ip, virtually every administration has dealt with this issue and we have not been successful. do you envision this bill would finally allow us to successfully defend and protect our ip. >> it would put us in a better position. i think this is something we're going to have to continue to invent a better way to defend ourselves as we get into 5g and what that means for pushing what we used to defend the core out to the edge of a 5g network, quantum, ai, all of that is going to change the way we look at security. i think it gives us the best possibility to take all of these new challenges and bring everyone in the federal enterprise up to snuff. everybody keeps talking about
that one incident. we want to prevent that incident. here's the other piece, i would argue, if you look at the recent level of arrests by the fbi for chinese espionage in the united states, the number -- the interesting high level of taskings for those assets, those spies is to steal credentials to get around firewalls. the nature of espionage is changing dramatically. they don't want you to just steal the secrets. they want you to steal the guy next to you's credentials for a more sophisticated penetration of your network. it makes it hard to put your arms around. >> one last question for mr. jaffer. is there a concern that if we as a country are unsuccessful in providing appropriate protection, that we could see
companies move their ip and businesses to foreign countries that do provide protection? >> thank you, congressman. look, i think there's so many benefits to being an american company, whether it's our labor laws or tax policy, that it's unlikely to see a tremendous flood of intellectual property out of the united states. that being said, we have to recognize, this is the core of your innovation base in this country. we have moved to an innovation economy. if we allow it to walk out the back door, china or anywhere else, we are undermining the capability of your economy to survive and make it to the next stage. even as we think about rehoming american technology and bringing some of the jobs back here, we got to protect the core things that makes america so protective as a country which is the innovation, the ability to invent, reinvent. that walks out the back door, we've got nothing. >> thank you, i yield back. >> the gentleman's time is expired. representative ro khanna is now
recognized. ro khanna, are you with us? >> yes, i am. thank you, madam chair. i appreciate and want to just thank representative langevin and representative gallagher for their extraordinary work in helping come up with such a detailed proposal and their work with the commission on a bipartisan basis. i know in particular representative langevin has been working on this for many, many years and this is a passion of his. i'm glad to see it come to fruition. let me ask the panel, are there additional authorities that you think the national cyber director should have? >> well, certainly, representative, i think that it is important that as we
structure this position that we make sure that it not be just restricted to network defense. it's got to be able to have the full suite of capabilities that the federal government can bring to bear. including military operations and intelligence and law enforcement and all the way across the board. if we cannot just restrict this position to looking at the kinds of things that cisa already does. chris does not need another boss. he's got one in the secretary of homeland security. this really has to be able to look across the entire federal government and all of the tools of national power that we have. >> if i might, congressman, i totally agree with michael on this point and i think the distinction here is between having visibility, the national cyber director has to have
visibility across the entire government, cybersecurity activities, in order to make sure and deconflict, even between offensive and defensive operations. that's different from giving the national cyber director directive authority. you don't want law enforcement activities being directed out of the white house, for example. >> no. >> and you don't want this director getting in the way of war-fighting plans or daily intelligence collection, those kinds of activities. but it's critical that they not be excluded from the meetings in the white house where these offensive, for example, activities are being discussed and that they have visibility. they need to be able to deconflict. they cannot deconflict in this way. i'll give you an example. let's say our banks are fending off -- they're in the middle of fending off lots of malicious activity from north korea trying to steal money from their system. that might not be in the midst of that crisis, might not be the
best time to have -- ask the banks to impose sanctions to implement sanctions that -- new sanctions against iran because we know they retaliated in the past against our banks. that kind of deconfliction is something that the national cyber director needs to deal with. >> are there additional things we should be considering, including those that the report came up with? >> i think there are a couple of really important ones, revolving around a joint collaborative environment, sharing the information in real time with industry.
information sharing, that's something the commission was really focused on. that part of the report was really critical, and they got some great recommendations in that space. and continuity of economy, and other areas. there are some great recommendations from the commission. >> i 100% agree. but the brush cleaning would be huge, congress needs to pay attention, chairman pai has done this, rip and replace, we have lots of gear around the country. i know people want to beat on him for it, it was legal at one point, but how do we get rid of that? it helps our own infrastructure, ecosystem. and number two, it gets out gear
much more quickly. those are things we can do almost immediately that would have a huge advantage for us, putting us in a competitive position. >> and as suzanne spaulding said, each corporation is in the best position to defend themselves. there are opportunities and i think some of the recommendations of the commission, things like increasing transparency, having the interpretation by the s.e.c. requiring an attestation by public company ceos, just the fact that they've looked at their cyber risk, and they're managing the risks associated with their business. when you get things like that in place, you will increase the level of hygiene and attention,
it will increase each enterprise's ability to defend themselves. and the amount of noise and economic loss will go way down. that's probably the single greatest move we can do as a nation to improve our cyber resilience and preparedness. >> i just want to thank again the representatives, they come out to stanford, and talking about the cyber pearl harbor, the big fear. and so many of the companies have talked about how we shouldn't have every company in the country to basically have private armies, we need a national response. i will be supporting this legislation, and i appreciate everyone who helped put it together. >> thank you. and representative, you are
recognized. >> thanks very much, madam chair. can you hear me? excellent. i appreciate the panel, and i certainly want to thank my colleagues, not just for their testimony this morning, but for their efforts on this proposal, which i support very strongly. i want to welcome back chairman rogers, and thank the rest of the panelists for their testimony. obviously, one key responsibility of the national cyber director is establishing and implementing a national cyber strategy. in 2018, the trump administration released a national cyber strategy that aims to integrate cyber into all elements of national power. chairman rogers, could you speak to how the 2018 national cyber strategy has been successful or
not successful in that goal, and how would the national cyber strategy that is required by this bill that we're talking about today be different from that? could you maybe compare and contrast those for us? >> i think what that strategy was meant to do in 2018 for sure was bring us to a better place about coordination, and understanding that our adversaries are using all the nation-state power they can bring to bear. diplomacy, intelligence, cyber, and economic, which is arguably the most important. i know china steals economic data to try to influence its trade negotiations, as an example. they're using cyber and intelligence to influence all of those pressure points that a
government has to bring to bear on a country. it's my understanding that the 2018 rule was to say, okay, we're finally getting to understand, it's multidomain. how do we have everybody rowing the boat in the same direction, understanding our adversaries are using that against us? that's what they were trying to do, and we can talk about what is offensive cyber? are we allowed to protect ourselves if they know they'll shoot at us in cyber space? folks will say we've solved that question over the last 15 years, i don't believe we have yet today solved that question.
i think the 2018 policy was trying to say, we're going to, again, use all the nation-state power we have, and trying to understand all the tools that we have. we really didn't and i don't think still to this day have a good explanation of what we can do today to defend. we need to understand what that is. >> i'm interpreting you saying that the 2018 legislation is leading in the direction of a director, with a more coordinated and structural place. one key to the bill is the
position would be empowered with new authority to monitor implementation across the government. resource allocation, and certifying the annual budget proposal for each department or agency is consistent with the strategy. mr. daniel, i understand you spent 17 years at omb before assuming a cyber security coordinator role. do you think it's important for the national cyber director to have this authority, and how do you think the relationship with omb would work in practice? >> yes, sir, thank you. i think that it's critically important that the office have a very good understanding of the budget and be empowered to work in that budget process.
a former director once said policy without resources is a hallucination. as a practical matter, i think what you would want to see is very close collaboration between any staff associated with this office, and the line program examiners at omb. it's better when it works across the entire white house complex to make sure the budgets support the president's policies. so you might even imagine a situation where you have program examiners from omb detailed over to this office to provide that connectivity, and you want them working hand in glove to shape
that president's budget. so i think having a lever like that authority in 7331 would be very helpful to the position. >> thanks very much. i yield back. >> i now yield to katie porter. representative porter? >> hi, thank you. under hr 7331, the first duty for the national cyber director is serving as the principal adviser to the president. mr. daniel, can you give me any concrete examples of how having a principal cyber security adviser was essential to the president's work, and why it's important to formalize the role as in the bill? >> thank you, representative porter. when you look at an issue like cyber security that affects so
many different policy areas, from national security policy to our economic policy, you want the president to have an adviser who focuses on this issue as part of her time. the main thing that they focus on every day. because it pervades so many of our policy issues now. if you're trying to decide what the u.s. policy should be on everything from 5g to relations with china to how we're dealing with the middle east, cyber shoots through all of those things. you want to have the president be able to draw upon somebody with expertise in those areas that can bring the cyber perspective to that area. knowing what the effect may be, for good or for ill. sometimes you'll make decisions for a greater positive gain
somewhere else, but you do it with full knowledge and not by accident. that's why it's so critically important that a senior adviser in the white house focus on this. >> i appreciate your flagging the importance of expertise in the cyber security role. i want to ask some more questions about how senate confirmation would help us assure that. do you remember anyone who the president appointed as one of his cyber security advisers in 2017? >> sure. rob joyce, and tom bossert, very good on cyber. >> i would agree with you on the importance of expertise. he also appointed mr. giuliani. i think like so many of us, and we're seeing this during work from home, technology is frustrating and hard and we're
all struggling to get our level of expertise up to where it needs to be, to be cyber secure. i completely relate to the fact that mr. giuliani, after being appointed, got frustrated with his iphone and went into a public apple store in san francisco within a month of being appointed a principal cyber security adviser, because he was locked out of his iphone for entering his password wrong ten times. that points out the need for a true expert at the top of that. would you agree? >> i totally agree. we're bringing technologists to
george washington university, you're exactly right, there's no substitute for expertise. >> and i know hr 7331 would require the position to be senate confirmed. can you explain why the commission made that recommendation? and how would you respond to concerns that has the potential to create distrust between the president and the national cyber director, or is that concern misplaced? >> thank you, congresswoman. yes, with respect to that latter question about the potential impact on trust in the national cyber director within the white house, i would point out that there are lots of -- a number of senate confirmed positions within the white house,
including the omb director. i don't think, i do think that concern is misplaced. we talked a lot about the pros and cons of having this person senate confirmed, and the consensus was, yes, we should recommend confirmation. if congress doesn't have the ability to hold someone accountable and really have somebody that they can turn to, to get a coordinated and coherent picture of what is happening, it's going to be very hard for congress to have effective oversight. so that is important. that senate confirmation gives congress a greater ability to conduct oversight of those activities. >> i really appreciate it. and i think it's important to note it's bipartisan oversight.
i yield back. but thank you so much. >> thank you. the gentlelady yields back. representative, would you like to ask an additional question or make a closing comment? representative comer? >> i think that, just to wrap it up, i want to thank the witnesses again for their testimony. this is certainly an issue that is bipartisan that we all care about, when we're talking about cyber security. the question that many of my colleagues have is whether we want to create another government bureaucracy, and what is the total cost going to be? and how is this bureaucracy going to be able to work with the administration, whichever administration that would be moving forward. so i do think this was very helpful. i appreciate the conversation
and the questions. madam chair, with all due respect, i hope that we can focus on china, there's a huge demand across america to hold china accountable for not just covid-19, but also the cyber security breaches that are at the hands of china. so, again, i would encourage future hearings with a sole focus on investigating china and holding them accountable for their violations. again, thank you for the hearing today, and with that, i yield back. >> thank you. because this august marks 100 years of women's suffrage, i want to close with one final question. your written testimony addresses the lack of diversity in the cyber security sector, and how it contributes to the overall shortage of talent in the cyber
security work force. you point out that women make up just 14% of the cyber security work force in north america. you say the nation needs a bold new cyber work force strategy that develops and advances the ranks of people from all walks of life. how would the federal government, my question is, how would the federal government effort to promote diversity in the cyber work force benefit the private sector? and i mean more minorities, gender diversity. how would it benefit the private sector, more diversity? >> well, the most important thing when it comes to cyber security is recognizing the fact that what we're doing isn't getting the job done. we can't just have a continuation of the same mode of
thinking, the same solutions from years past to deal with the threats that continue to evolve. as we deploy new technologies, there are new vulnerabilities. we need experts from diverse backgrounds, from training, with diverse backgrounds, and minorities which are underrepresented in the cyber field and the cyber domain. and i think the government has the responsibility to promote diversity of thinking and diversity of talent. it will help us move faster and think outside the box, and there are a series of programs, and i'd love to have a conversation with you about it and perhaps a follow-up. >> do you believe such an effort
would advance innovation and give us a competitive edge globally? >> absolutely, chairman. i couldn't agree more with the comments. and the commission has a series of recommendations that include diversity. and just from a very basic perspective, from my time at dhs, we have an urgent need to build the number of cyber talent and people that we have available to come into the work force. we can't afford to leave any part of our population on the sidelines of this effort. >> well, i agree with you. and we can and must do more in this regard. i want to thank my colleagues for their participation and leadership, and our witnesses for your passion, knowledge, and all the information you gave us
today. the creation of a national cyber director is not something any of us take lightly, after what we've heard here today, i think it's clear, this is something we can't afford to delay. i also want to thank all of my colleagues across the aisle, particularly, for their questions and engagement. it's not every day that we can find areas of bipartisan consensus, and we have it here. we have to agree on our national security, protecting our innovation and protecting our people. i look forward to working together to get this bill passed, and on other items brought up today. without objections, members have five additional days to submit written questions to the witnesses and the chair, which will be forwarded to witnesses for their response. i ask witnesses to respond as
promptly as you are able to. this hearing is adjourned. thank you all. the u.s. house and senate return on monday to resume legislative business following their state work period. the u.s. house considers the 2021 national defense authorization act with votes expected as early as 11:30 a.m. eastern. the senate resumes debate over the nomination of russell vought. the senate limited debate and advanced his nomination july 2nd. at 5:30 p.m., the senate votes on confirmation of the vote nomination. tonight on american history tv, our series landmark cases,
produced in cooperation with the national constitution center. we explore the issues, people, and places involved in some of the most significant supreme court cases in our nation's history. at 8:00 p.m. eastern, we begin with schenck versus the united states. and at 9:30 p.m., from the 1944 case, korematsu versus the united states. watch landmark cases, tonight on c-span3 and anytime on cspan.org. steven mnuchin appears, live
coverage begins friday at 10:30 a.m. eastern on c-span. and later this month, william barr appears, on tuesday, july 28th. watch live coverage of the mnuchin hearing friday at 10:30 a.m. eastern. and now, a house energy and commerce committee hearing on federal resources for tribal communities. focusing on disparities such as broadband access, health care, and clean water. this is just under 2 1/2 hours. the committee on energy and commerce will now come to order. today we're holding a hearing entight