Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  October 2, 2015 4:00pm-6:01pm EDT

4:00 pm
america. meth, otheroin, prescription drugs, and people are dying. tolose 18-22 veterans a day suicide. a lot of them came back and they didn't get the care they needed but they got handed a bunch of pills and they got hooked. so our job has to be to figure out how to get more prevention, more treatment, more support, so that people can get into recovery. now, 23 million people who are addicted, only one in 10 can get any coverage. so i also think that we've got to do more to have purity with mental health. untreated mental health is an expensive problem and a lot of people and up in prison because they have mental help -- mental health problems that are not treated. so these are expensive and heartbreaking problems. but i am convinced that we can
4:01 pm
tackle them together. i am also convinced that we are going to have to stand up for our fundamental rights, our civil rights, our human rights, women's rights, gay rights, because the other side wants to pull them back. [applause] hillary: so i will defend a women's right -- a woman's right to choose and i will fight against defend in planned parenthood. [applause] hillary: and i will defend and fight for marriage equality and against discrimination. [applause] hillary: and i will fight for voting rights for everybody and against states that are trying to restrict them. [applause] hillary: and i will fight to overturn citizens united which dark,ened the doors to unaccountable money. i will fight to get comprehensive immigration reform
4:02 pm
because i believe it's in the best interest of our country. [applause] hillary: i will fight for criminal justice reform and to move away from mass incarceration because black lives matter! [applause] crowd: hillary! hillary: and i will tell you that i am going to fight for new, effective gun control measures. [applause] hillary: i forgot to tell you -- you, it is just heartbreaking, it is just sickening to me, to see another massacre. people should not be afraid to go to college like this one or go to the movie theater or go to bible study. what is wrong with us that we can't stand up to the nra and the gun lobby and the gun
4:03 pm
manufacturers that they represent? [applause] hillary: you know, this is not just tragic. we don't just need to pray for people, we need to act in we need to build a movement. it is infuriating every time ,here is another massacre republicans and the nra say, now is not the time to talk about guns. yes it is. but more than talk it is time to act. but republicans keep refusing to do anything to protect our communities. ahead ofthe nra american families. make wrong and we need to every politician who sides with them to look into the eyes of parents whose children have been and explain why they
4:04 pm
listen to the gun lobbyists instead. , iowa wellll aware aware that this is a political mountain to climb. but you don't get anything done in this country if you don't start by calling it out. manye have had too much -- murderers, too many people who have gotten guns that should not have in the first place, taking out whatever their rage, their fury, their mental problems are by killing other people. president, as your never relent on trying to work on this. but we need a national movement. here's what the other side counts on. represent thethey majority of americans or even a majority of gun owners.
4:05 pm
havingy count on really thattense, dedicated group scare politicians and say, we will vote against you. the other side who are heartsick, heartbroken, disgusted, they care about a lot of other issues. we care about government carentability and health costs, and we are not single-minded voters, but each of us has to care about this issue. there are a lot of ways for us to have constitutional, legal gun restriction. my husband did it. he passed the brady bill and he eliminated assault weapons for 10 years. [applause] so we are going to take them on. we took them on in the 90's and we are going to take them on again and i will need your help to do that.
4:06 pm
so we have a lot of work to do. that's why we are getting started here in florida. here in broward college. i want each and every one of you to be involved in this campaign because i do think we have to have an agenda for change and then we have to reach as many people as we can to make the case for the kind of change we want to see. to build on what has worked and to take it further and not let the republicans rip away the of date,with their out out of touch ideas, and turn his back -- turn us back. [applause] now i am also well aware we have challenges around the world. my experiencehink as secretary of state and as a senator from new york is especially pertinent to what we
4:07 pm
are going to have to do to make sure that we remain safe and secure and to lead with our values and in pursuit of our interests. but at the end of the day i have to tell you for me, what gets me up and keeps me going is the thought about my granddaughter and not just what kind of life she will have, because we are going to do everything we can to make her life as positive as it can be. but that is not enough. what can of country will she become an adult in? what kind of world will be waiting for her? you know, i am the granddaughter of a factory worker. my grandfather went to work in the scranton lace mills in scranton, pennsylvania. he worked hard. he worked hard to support his family but also because he wanted his son to have a better life. and in fact they did. they all went to college. was a small business
4:08 pm
owner and he worked hard and gave us a good lifestyle. i am asking for you to vote for me for president. that is what is supposed to happen in america whatever your dream might be. don't think it is enough that my granddaughter will have opportunities. the not enough that granddaughter of a former president or a former secretary of state has a chance to live up to her potential. the should also apply to granddaughters of factory workers and the grandsons of truck drivers and every other young person in america and if i am your president i will get up every single day, working to make sure that every child and every young person has that chance to live up to his or her god-given potential. if you help me, that is what we will do together. !hank you all, very much [applause]
4:09 pm
♪ announcer: we lost the signal therefrom florida, but if you want to watch the event, it will soon be our library at c-span.org.
4:10 pm
and then october surprise representative jason chaffetz prepares to run for speaker. sources are saying that in a report that originally came out on politico. this is reported by the blaze and by politico. announcer: the c-span network features a weekend of politics, nonfiction books, and american history. this weekend begins on saturday with the search for extraterrestrial life on mars and the possibility of life in space. sunday evening at 6:30, policy leaders, andhis media personalities discuss the issues driving the national conversation at the washington ideas forum. speakers include mitt romney and valerie jarrett. on don't miss book tv
4:11 pm
words."rds -- "after ande joined by martha kumar afterwards in depth, we're joined by thom hartmann. join our three-hour conversation as we take your phone calls, texts, facebook comments, and tweets with thom hartmann. saturday afternoon at 2:00. afternoon at 2:00, leo frank discusses his book "trial and murder" on a young factory working girl. reel areal america -- merica, the decline and demand of -- the decline of the demand
4:12 pm
of fossil fuels in america. get our complete we can special -- we can schedule on c-span.org. the armed services committee held a hearing. : we will have a full committee level discussion on cyber security. we have a distinguished panel of witnesses to help us with this challenging area. who were ableers to participate in our hearing yesterday, we heard from the academiaector and from think tanks about some of the challenges that we face in cyber. such as, what is the role of the military in defending private infrastructure?
4:13 pm
should private industry be able to hack back against those who may try to steal their intellectual property? what are the deterrence when it comes to cyber? questionsf difficult that we talked about some but we will continue to pursue that in a line today. say, is amany people new domain of warfare, and so what that means for the department of defense and what that means for our country's national security is very much at or near the top of the agenda for all of us who are involved in national security. to ouri turned distinguished panel of witnesses, i yield to artist ingush ranking member for any comics you like to make about today's hearing. >> are outside experts are sort of basically saying that the strategy is sound and the
4:14 pm
limitation is if key, and this is obviously a very difficult area, it is constantly evolving. the threat changes every single day and we are having to be prepared to meet that threat. that means having the right personnel, very smart people who know the right technology, and obviously we have to compete against private industry as we bring those folks in. that is definitely a challenge. coordination is definitely a challenge. there are so many different pieces in the department of defense. who is in charge of cyber strategy and how is it being implemented? as we all know, the big problem with cyber is the classic single point of failure. get absolutely everything right in every one thing, but you can still have disaster. we are to make sure taking into account every single points of failure. that is not easy to do.
4:15 pm
one of the questions from the defensives when our defensive cyberattacks ok? withhappens when we deal china and iran and what happens when we cross those lines? wasow the agreement that reached with china on this is unsatisfactory to many and it is uncertain -- it is unsatisfactory to me. but we need to have those kind of conversations with russia and china and we need to understand what the rules of the road are so that we can get to the point where we don't, you know, stumble into something greater than we had expected.
4:16 pm
chair: i want to thank artist ingush guests for being we have the chief information officer for the department of defense among others. without objection, your full written statements will be made part of the record. thank you for submitting those. mr. secretary, we will turn the floor over to you for any comments you would like to make. thank you for inviting us here this morning to defense in cyberspace. this is an extremely important issue that we grapple with every day. we welcome these kinds of meetings. as you know, cyber meeting -- increaseding has
4:17 pm
grammatically in recent years, and particularly troubling to us as the department of defense and as a nation, is the increasing number of states scaled actors reaching government networks. these adversaries continue to adapt and evolve and they threaten our networks and systems within the department of defense and also companies and other companies globally. these intrusions into opm, the sony hack, and the joint networks by three separate state actors is not just espionage or convenience but a threat to our national security. of our responses to this growing threat, the department released its 2015 dod cyber strategy to strengthen our cyber security and cyber discern -- cyber posture. we have three core missions as defined in our strategy.
4:18 pm
foremost, and this is what secretary carter has made a clear number one priority first, and that is to defend dod networks and information. that is job number one. secondly, we would defend the event's ofinst cyber significant consequence, and third, we provide cyber support for our combatants. people may bet allowed to conduct cyber operations in order to deter and defeat strategic events in that domain. statement includes additional details on how where looking to achieve these goals, but i would like to highlight the particular focus, which is bolstering our cyber deterrence. this was discussed yesterday in the senate armed services committee. i want to acknowledge you up front that in the terms of deterrence, we are not where we need to be as a nation or as a
4:19 pm
department. we do believe that there are some things that the department is doing that are working, but we have to improve in this area, and that is why we have improvised -- improved our cyber strategy. this works by convincing a potential adversary that the cost of conducting the attack far outweighs any potential benefits that they may gain from it. the three main pillars of our strategy our denial, resilience, and cost imposition. when we talk about denial, denial means denying a cyber adversary from achieving their objectives. resilience is ensuring that our to performl continue even in a cyber-contested environment or while under attack. cost imposition is our ability to make sure that are at the series pay a much higher price for the malicious activities that they had hoped for. i would like to dive down deep into these three kind of pillars very, very quickly.
4:20 pm
to deny an attacker to adversely impact our military missions first and foremost, we have to defend our own information networks and systems. we have made a lot of movement forward in this regard, and we believe they are starting to bear fruit. but this is not just about technical upgrades. the has nearly all successful network exploitation up to this point can be traced to a single or multiple human error, raising the overall level of individual cyber security awareness and performance throughout the department is absolutely paramount. we are working on trying to transform our cyber security culture for the long-term by improving human performance accountability within our systems. effort, wethis recently published a cyber security discipline and limitation plan and a scorecard, the first of its kind. the first time it was and lamented was in august of this year. we believe these are going to be
4:21 pm
critical towards our strategic goal of securing our data and maintaining risk to our missions. the scorecard is admitted to the secretary and me on a monthly basis and it will hold commanders accountable for -- andng their compliance with overall policy. denial also means defending the nation against cyber events of significant consequences. the president has the dod working in partnership with other agencies to be prepared to stop any kind of attack against our nation and our infrastructure. there may be times when the secretary of defense directs the cyberd others to stop the attack from impacting our national interests. so that means to us we have to build the capabilities to from better stop a cyber attack from achieving its effect. this is an extremely challenging mission that requires high end
4:22 pm
teams, capabilities, and we are building our cyber mission and deepening our partnerships with law enforcement and the --intelligence community. then we must reduce the ability of our avatar it -- of our adversaries ability of attacking us. adversaries unquestionably view dod cyber dependency as a potential wartime vulnerability. to have thee have ability to fight through cyberattacks. that means normal cyber security as part of our mission assurance efforts, old and redundancy into our systems wherever they are vulnerable, and training constantly in a cyber environment. overdversaries have to see time that cyberattacks will not provide them a significant operational advantage and that will be one of the key aspects of deterrence. is third and final aspect
4:23 pm
having demonstrated capability of having to respond to cyber or to impose costs on a potential adversary. the administration has made clear that the united states will respond in a timely manner and place of our choosing, developed cyber options to hold , if required.risk successfully executing our missions in cyberspace requires the whole of the government and the whole of the nation in this approach, and this is a much, much more difficult problem that the debates over nuclear weapons that we had in the 1950's. for that reason, dod continues to work with our partners and other partnerships with agencies and share challenges that we face. think youcarter, i know, has placed particular emphasis on partnering with the private sector. we know that we do not have all the right answers and are working with the industry in order to make sure we have the
4:24 pm
cutting edge of technology as well as best practices and procedures. finally, our relationship with congress is absolutely critical. very much appreciate the support for dod activities, both last year and this year, as we understand, and the 2016 defense authorization act. i encourage you to pass bills on cyber sharing and data breach notification and law enforcement provisions related to cyber security. those are included in the president's legislative proposal submitted earlier this year. the american people expect us to defend against cyber threats of significant consequence, and the department looks forward to working with this committee and congress to ensure that we take every step possible to confront this substantial cyber security risk that we face. thank you for inviting us here today, mr. chairman, and the attention you're giving this urgent matter. c i look forward to all of your
4:25 pm
questions. -- i look forward to all of your questions. all right, mr. smith, you may go forward. i thank you for convening this forum and i am equally pleased to be sitting -- mr. rogers: i thank you for giving in this forum and i'm equally pleased to be sitting in this forum. we can highlight the accomplishments of the uniformed am civilian personnel and i grateful and humbled by the opportunity to lead this cyber team. been given the responsibility to direct, operate, and secure department systems and that ensures the safety of dod missions. prepared to employ these
4:26 pm
missions when significant cyber in events against the nation requires dod support. we are expected to work closely with other combatant commanders on broader military missions. policy makers and military leaders alike look to us for other cyber options in all faces of operation. our military is in constant contact and adversaries have shown the capacity and the to hitness to show -- soft targets in the u.s.. capability online, but we continue to rapidly mature based on real-world experiences and the hard work of the men and women in cyber command and our service cyber component. the secretary of defense of the department of defense cyber strategy defends the united states in this digital age. it is my intent that we move forward quickly with our partners to build our military capabilities, and i have
4:27 pm
provided this guidance in a recently released commander's vision in guidance for cyber command. in light of this guidance, we are deploying cyber forces and conducting exercises with our inter-agency and inter-sector partners in order to respond to crises in-- cyberspace in order to defend the nation's critical if the nation's critical infrastructure from cyber incidents. we support operational commanders around the world every day. beingttom line is we are challenged as never before to defend our nation's interest and values in cyberspace against states, groups, and individuals that are using increasingly significant capabilities to conduct cyber coercion, psych or -- cyber aggression, and the targets of their efforts extend well beyond government and into privately owned businesses and personally identifiable information. i welcome this opportunity to elaborate on the progress we have made today and where we
4:28 pm
should be focusing going forward to ensure that we will continue to stay ahead and deter threats to secure our digital networks and our combat systems and to ensure the ability to operate with the department's systems. that, i thank you for taking the time today to spend on this important topic. and i thank you, sir, understand you do not have a prepared statement but you are available to answer questions? >> that is correct, sir. chair: thank you for being here, sir. admiral rodgers, one of our witnesses made the point that in any challenge of warfare, what counts is the net assessment. in other words, we can talk about what we are doing, but what really count is what the results of that verse is what the adversaries are doing, and so just at the very highest level as you look at cyber as a domain of warfare, how would you describe the net assessment?
4:29 pm
where we are today and where those trends are taking us? are we in a good direction to reduce the vulnerabilities and have the capabilities we need? are the adversaries moving faster than we are? how would you describe that net net in cyber today? rogers: when i look at their level of capability, the russians, and i look at their activity, then we have a set of other nationstates that we pay attention to or who i am watching increase their level of investment, increase their capacity and their capability, and the chinese are probably the ones who get the most attention, if you will, but they are not alone by any stretch of the imagination. the challenge for us in many ways is it we are attempting to overcome literally decades of investment with a very different redundancy,re
4:30 pm
resiliency, and defensibility in terms of our systems, whether they be our networks, whether they be the combat systems and the platforms that they count defensibility, redundancy, and resiliency were never core characteristics. they tended to be things we focused on after we focused on efficiency, cost, speed. i think we have got a good strategy, a good vision for where we need to go. the challenge always is you are never as fast as you want to be. as a commander, the argument i've made it to my team is this is all about prioritization. we have got to step back and assess where the greatest lie.rabilities -- and how do we forestall their ability in broad terms? to summarize,y:
4:31 pm
we are getting better, but not getting better fast enough? mr. work: if i could add something on the net assessment side, we're the most open nation on earth. it is a tremendous competitive advantage but we are much more open on our internet than our adversaries are in their own countries. that makes us inherently more vulnerable. the number of attack services we have to defend against are very much larger. in terms of net assessment, that is one of the things challenging us we are trying to sort through. mr. secretary,: i want to ask you, on the 3 core missions you laid out, one is to defend the nation against cyber attacks. there is been considerable conversation about what that means. if i am a company under cyber attack, when is the government me?g to come help defend
4:32 pm
i realize you cannot put a dollar threshold or something very specific on what that means , a significant cyber event. but can you help clarify for us when the department of defense becomes engaged in defending the country, and what that means, significant cyber event? i'm sorry, mr. secretary, is your microphone on? mr. work: sorry, sir. .ou are exactly right we are obligated to defend the nation against cyber attacks or cyber activities of significant consequence. and that is not a purely defined term. each attack would be looked at. so for example, the attack resulted in death, injury, significant destruction associated with it, was it an
4:33 pm
active espionage, was it an act of cybercrime -- in other words, a nonstate actor who is trying to get pii. a significant consequence would be things which would go against our national critical infrastructure, and this would be decided primarily with the department of homeland security, which would have the lead on attacks within the united states on critical infrastructure. withe would work through the policies to make an appropriate response. admiral rogers works this constantly. i think he would be very well-placed to answer this question, too. mr. rogers: i would agree completely with the secretary. explain why the response to sony is difference from the response to opm. we work on a case-by-case basis and we are working our way
4:34 pm
through some of these broader definitions. i don't think there is any doubt about that. rep. thornberry: i appreciate it. other members may want to follow up. you look at opm, huge consequences for our national security. if you had seen it occurring, there had been action taken to is larget, but it consequences even for the theft of information that did not result in death, we trust. mr. smith. you, and i thank know you cannot talk about this in an open setting on what the response has been to some of these cyberattacks, but can i ask if you feel that response has been effective? attacks?terred more how comfortable are you that our responses to -- and again, there are, as you laid out, levels of
4:35 pm
cyber attacks. when you pass a certain level, we feel like the response is appropriate. have those responses been at all effective at this point? how would you define effectiveness? mr. work: at this point we don't believe our deterrence policy has been effective up to this point, or as effective as it should be. one of the problems is attribution. the first thing is where did the attack comes from? who was the actor that the attack came from? state control the actor or is the actor operating independently? that would tell you whether it is a law enforcement response, whether it should be offense or defense of cyber operations. and i believe what we have to do is have a very strong policy on cost of position, which we are working towards and we have announced, and we have to prove that through our actions. i would say we are not where we
4:36 pm
would want to be in terms of deterrence right now. rep. smith: following up on that come how effective are you at figuring out where the attack came from? i understand the final piece of that is the one that is really most difficult. even if you were to determine who the actor was, would that was the person acting on their own or at the behest of a government -- how effective are you a tracing it back and saying that is the person who did it? admiral rogers: we continue to gain insight and knowledge in that area. if you look at sony, for example, we were able to determine the nationstate and a specific actor within the nationstate. that is one reason, again, why you saw a policy response that was relatively quick. we were able to provide a high level of confidence as to who did it.
4:37 pm
we watch actors throughout the world. as they realize we are gaining increased capability through our ability to attribute cyber activity to specific nationstates and specific groups from it is interesting watching the temps to obscure that, create different relationships, use different processes. this is what was indicated in the opening. the dynamics changed so quickly and i don't see that fundamental changing anytime soon. mr. work: and one of the problems as we respond in a time and a place in a manner of our choosing. first we have to go through the attribution phase, and then we have to determine was it cybercrime, was it an independent actor, was the actor responding in charge of the state, and what are the appropriate responses? it might be a law enforcement measure. it might be economic sanctions.
4:38 pm
the nike offensive or defensive cyber operations. it could be military operations, depending on the damage or threat to the nation. this is much, much different from nuclear deterrence, where you can attribute the attack generally, and have specific response options already ready. in this case, it is a much more whole of government approach that takes more time. rep. smith: thank you, mr. chairman. rep. thornberry: thank you. mr. jones. rep. jones: thank you very much. can you give -- you know, this is the new world we all live in, we all know that. it is kind of interesting, i will get to a question in just a moment, but i bank with a credit union here in washington. last saturday i started going calling thebank -- toy four-hour back to find out what was in our account.
4:39 pm
as of today, they are not online. i'm not saying that is a cyberspace division of anything. but it is just the complexities of the world real living in now -- world we are living in now. ien i hear your testimony, want to first say thank you for who you are and what you are doing. my question would be, at this point, knowing that we are constantly here in washington worried about a shutdown, worried about the debt growing , i hadll never forget recent to call admiral mullen recently, because he is retired. on a totally different subject. in my third district, the home of cap lejeune, cherry point, i used many times when he said when he was chairman. the biggest threat to our military is the debt of our nation. what i would like to know, as you move forward to give us the
4:40 pm
very best protection that you can, what type of financial commitment should the taxpayers and the congress understand that we need to make to ensure that we have got the best protection? mr. work: i believe we have been very clear, sir, that the president's request is the absolute minimum needed to provide the security for the united states. i would just like to say, i was talking to the chairman just before this, and we are very, very thankful, or we hope we will avoid a shutdown. this would be externally disruptive. admiral rodgers can tell you the last time we went through a shutdown, it sestak six months in terms of -- set us back six months in terms of preparing our cyber mission force. 6 level is the pb1
4:41 pm
absolute minimum. i would like to say that in the last six years we have been for two of the six years. in essence, we are operating on a nine-month fiscal year. in the unitedo states who could operate under this type of uncertainty. will bethat the cr resolved as quickly as possible. so i fed -- i very much thank the question, sir. thatis an important thing i hope we will be able to resolve our differences on the budget level and provide for national security. could, theers: if i only other comment i would make and it goes to the comment you are trying to make, there shouldn't be doubt in anyone's mind that there is a cost component to this. as a department, we try to prioritize that because we realize there are many competing requirements and resources for
4:42 pm
the nation and we understand that. but there shouldn't be any doubt that there is a cost component to that, and that cost may change over time. i don't think it is going to get cheaper for us, at least in the near term, not with the level of activity that you see out there every day. congressman jones, regardless of the level of our budget, secretary carter has made it clear that cyber defense and cybersecurity is going to be at the very, very top of their priority list. whatever budget we receive, cy ber will receive the attention we believe it deserves. rep. jones: well, i believe the shutdown will probably be avoided. not getting into the politics of that, but i think it probably will be. i think you all have done a great job. i think the american people, like me -- i'm not talking about my colleagues -- have really understood that this threat of cyberspace warfare in any form is probably at the four masked
4:43 pm
foremost, as you said, emerald, will grow more and more. i thank you, generally, and i will yield back the balance of my time. rep. thornberry: thank you. ms. davis. vis: thank you, mr. chairman, and thank you all for being here. we heard from outside groups, private sector yesterday, and you spoke, mr. secretary, to the importance of the partnership. one of the questions i asked them is what hampers the relationship, what hampers that moving forward. they spoke of the regulatory burden that is placed on countries wishing to partner with dod. and particularly for newer companies who don't have a history of working with the government, i am wondering, how can we make the process easier? do you think that is appropriate analysis or response? you may feel he left on --rything you can to assist
4:44 pm
you have done anything you can to assist in that way, but obviously, there is a different response. the other issue is really whether or not we are losing out on working with some of the best minds in the business because we make it so difficult for them to work with the department of defense. congresswoman, i would ask terry halverson, our cio, to answer your question. i think he is the best to do that. mr. halvorsen: i think there is truth that we need to get better at dealing with particularly newer companies. we have to understand, if dod was a fortune 500 committee, we are fortune 1, we are very big. that causes us difficulty with companies who do not have experience with us. in the last year, some of the things we have done to make that better, we have reached out, and as many of you have seen, to silicon valley. we are holding different events
4:45 pm
to make industry -- one of the things we did last year, which i thought was one of the bigger breakthroughs -- you will ask me a little bit later about cloud pit one of the things we did it to make cloud easier for ourstry to get in, we wrote new cloud policy completely with industry, first time we have done that. we convened them, brought them in from the beginning, got very good reviews. we have got to continue to do that. this year we are going to bring some industry players into the dod-cio staff and some of the other service cio staff. we will do exchange with industry. some of that will be focused on the new industries. so we learn how they need to respond and how we need to respond. we have to do better. i think we are doing better in that area. i think you will see more results in the next seven months that will come down that will concretely say what we have done to improve that relationship.
4:46 pm
rep. davis: that is good to hear. we would agree that in the procurement area, there are better ways of doing it, and everybody talks about it, but sometimes it feels like nothing is getting done. i wanted to ask you as well in terms of the hiring as well, because in the personnel areas, we know that we are not as adaptive in hiring, obviously, as the private sector is. what are we doing to make sure that in the field of cybersecurity that we are able to push through nominations to positions so that they don't have to wait so long and go ahead and take those jobs with the private sector? mr. halvorsen: 2 things, and let me thank all of you. the past good legislation that gave mike rogers and i authority to hire people without the normal rules and relations we had to follow so we could compete.
4:47 pm
there is work on additional and we would appreciate that. one fact you have to understand, we are not going to pay exactly as much as industry, in the cybersecurity area and some other areas. one of the things we have going for us is we have an exciting mission. i spent a lot of time talking to those who want to come to work to dod. we are trying to attract them, and we have been able to pull some people in even in the last year to my staff. as long as we can get them in fast and offer them the right wage from which the new authority gives us, i think we will be able to continue -- they want to work this mission. in the legislation recently passed has helped us with that. this is one area where i suspect over time we will come back to you as our experience tells us the things we could be doing differently and the challenges we need your help in overcoming. i always remind people, look, we spent a lot of time focusing on technology. don't ever underestimate the power by men and women.
4:48 pm
they are our advantage and that is where we need to make sure we're getting really good talent. today, i would argue that the mission force level, the execution peace for us, we have been able to exceed our expectations in terms of bringing quality people as well as retaining them. rep. davis: perhaps some chart showing the differences as a result of some of these changes would be really helpful in understanding what the impact has really been. thank you. thank you.erry: as i mentioned earlier, we stand ready to work with y'all on those authorities. that is important. mr. forbes. orbes: can i read read what mr. johnson said in thanking each of you -- reiterate what mr. jones said in thanking each of you for what you do for our country? we appreciate and respect your opinions as you come before this committee. i would like to follow up on some questions that the chairman
4:49 pm
offered, specifically related to net assessment. one of the things i just want to ask, as you are aware, some of the best strategy we have developed over the years has been thwarted by the practice of net assessment. has dod done any net assessments of the cyber domain at this particular point? mr. work: as you know, sir, we just had a leadership change in the office of net assessment. it reflects secretary carter's very strong support of that office, providing independent assessments to him and i. jim baker, who is the new director, has just gotten in and is going to come back in cybersecurity and ciber is at the very top of our list. but there are many other strategic challenges, as you know. this one is going to be one that ona is going to help
4:50 pm
us on but i know of nothing at this point as far as an ongoing assessment, but we expect to be able to start asking -- rep. forbes: that is not a criticism, it is an encouragement. nethe chairman talks about assessment, if we haven't.net assessment, it is kind of difficult to know where we are. i think we would encourage the department to do what it can to have that net assessment done, because i do think it helps us in determining what our strategies are going to be. the second part of that is i know you have worked very, very hard and very, very well on the third offset strategy. will bexpect that cyber a part of the third offset strategy? mr. work: absolutely. we assume that the future will be an extremely hotly contested cyber and electronic warfare environment. no matter what strategy we have, that kind of underlying baseline we assume we must be able to contend with. there are a lot of questions on whether or not -- many people
4:51 pm
say if you go to a more network force, are you going to be able to have the certainty that you will have the networks when you need them? for you have the confidence? -- will you have the confidence? it will be critical to the third offset. rep. forbes: the net assessment really helps us inform what we are doing. having that assessment done would be very helpful. admiral rodgers, do you think we need to leverage a wider range of tools, like sanctions or diplomacy, criminal proceedings, to deter cyberattacks with the threat of punishment? can you tell us a little bit more about what options you think would be most effective at imposing costs upon perpetrators? chairman wilson and i have called for legislation calling for targeted economic sanctions. i'm not asking you to address that bill. what do we have, what else do we need to come in your opinion? admiral rogers: that has been part of our strategy today. just because something comes out
4:52 pm
of the cyber domain does not mean that the response has to be primarily or purely in that same arena. you see that reflected in the response to the attack on sony, for example, where we publicly acknowledged the event and publicly attributed the event and talked about the initial set of actions we were going to take in response. in this case, economic sanctions. the president also talked about we will take additional action if that is required at a time and place of our choosing. we have used the legal framework within the last year where we have guided individuals and foreign states, individual actors. we have done the economic peace. -- piece. there is a broad range of options that are ongoing could law enforcement with the fbi definitely rep. forbes: i hate to interrupt you, only have 50 seconds, but secretary work says we have not been effective to date as we would like to be. no criticism, just an observation. what do you attribute that to?
4:53 pm
is it the lack of willingness to use the tools we have or does this committee need to help you et more tools? what would you say is your assessment of how we make that more effective? admiral rogers: there is a broad range of tools effective for several options. one of the responses is to generate several options so that the secretary has options to tee up. we are in the relatively early stages of that journey but we have developed some levels of capabilities already. not going to get into specifics. i think the biggest challenge in some ways is just time. we are in the very early stages of this. if you look at, for example -- rep. forbes: my time is up. if you don't mind, we would summit some questions on the record and maybe you can respond. mr. chairman, thank you. i will yield back. rep. thornberry: gentle men from rhode island has been a leader in this area for some time and
4:54 pm
is recognized for five minutes. ngevin: i thank you for the attention you have put into the area of cyber and i thank you for your testimony today. i think the discussion with having on imposing costs on our enemies and adversaries is critically important. i am not going to ask a question on this today, but i will say that i know the committee will pay a lot of attention on this. we're looking for specifics on what the costs being imposed on our enemies and adversaries will be and what the american people are looking for answers on. up to now, our enemies and & have been eating our -- enemies and adversaries have been eating our lunch, especially when it comes to cyber espionage and defense contracts over the years. we have gotten better and we have a follow-on program that has done a better job defending our defense contracts and the like.
4:55 pm
imposing costs on air enemies an adversaries has to be important part of the equation and they have to know what it is . some of our responses may be classified, but others we need to make public so that our enemies were adversaries know they cannot operate with impunity, which is what is happening right now. it is the wild west out there and they are on the better side of the equation. we've got to flip that so that we have better outcomes on our side. let me just turned to another topic. -- secretary, we'll start with you -- that there is in effect a mechanism in place for recorded cyber security breaches for defense contractors, and could you describe to us the process by which contractors are held accountable? mr. work: congressman, i do believe we have an effective means. we are getting better. we have established our own cyber scorecard. this is one of cio hal
4:56 pm
vorsen's top job so i would ask you to answer the question with more specifics. mr. halvorsen: thank you, sir. we have improved the process which gives and brings the company better ability to share data with us, protects them, gives them some protection when they shared that data with us. that has been very successful. we also improved our ability working with industry to work with the supply chain risk management. i will go into everything we have done there, but we are sharing it -- i won't go into everything we have done our, but we are sharing it and putting it in place with industry to see that data better. we have included working very much with industry to include language that is in all i.t. and cyber contracts that require certain levels of security and reporting. all of those things are beginning to show results.
4:57 pm
one way we impose costs is to raise our basic level of cyber defense and make them pay much higher to play the game. the things we're doing, i believe we are beginning to see some effects in that area about who isn't playing as much anymore and what they are having to pay to play. rep. langevin: thank you. i've been examining the practices and techniques in the financial sectors to determine an address the cyber risks for contractors and vendors, and in many ways they are way out ahead of what the government is doing. to what degree have you cribbed from the civilian sector best practices? mr. halvorsen: sir, very much so. we share a lot. the financial sector in particular, they have published new standards about what they expect from their vendors. if you look at what they wrote and what we wrote, they are very similar.
4:58 pm
that was a fairly collaborative effort with the financial industry. we are also doing that with other segments of industry, the logistics companies and other things. we are cribbing a lot from industry. spent a lot of time on mobility policy. that will be completely, again, written with industry might from the beginning to help us get those pieces right so we get the advantage of effectiveness and efficiency while we're using industry practices to raise the level of security. rep. langevin: can you describe the department's progress on the creation on training environments of the type and scale necessary to conduct group and collective training and rehearsed missions at the unit level as well as integrate and exercise the full spectrum of national, state, local, and private sector capabilities? admiral rogers: we identified that as core for us to create the capability we need. work -- said,ry
4:59 pm
hey, boss, i need help in 2015. he was kind enough to generate additional funds for us. we have been using it every year with the guard and interagency to see how we can model different scenarios where dod would be applying capabilities to support critical infrastructure. in addition, we generated capability in the fort meade area that we can increasingly poor out across the framework. this has been a big investment area. we see that in the 2016 budget as well and we thank you for your support on that. pb17 bill,n our secretary carter again, improving training is right up there. this is going to have a very, very high level of attention from the top down. rep. langevin: thank you all. thank you, mr. chairman. rep. thornberry: thank you. as i mentioned to our witnesses earlier, mr. smith and i have to testify ourselves in front of the rules for me so i'm
5:00 pm
pleased to yield the chair on the questions she may cement to the chairman of the emerging threats and keep abilities subcommittee, mr. wilson. rep. wilson: ladies and gentlemen, it is the unique situation where i have been recognize and get to preside simultaneously. the disney an opportunity to thank chairman thornberry, ranking member smith, for their planning this week, cyber week. it is a recognition for the three witnesses, how important when you are doing, protecting american families. i am grateful we had a hearing yesterday on cyber threats to american families, national defense, we have this hearing and later this afternoon we have a briefing. i want the american people to know that we have really good people, like congressman jim langevin, all the way from rhode
5:01 pm
island, the ranking member of the emerging threats subcommittee. this really is a bipartisan issue that we face, of great on our, attacks government, private businesses, on american citizens, and what you are doing is so important. we have got extraordinary staff, people who are here working on these issues. and each one of you in your capacity are making such a difference and we look forward to working with you in the future. work,ticular, secretary during the cyber hearing yesterday, the chairman mentioned in his opening statement the concept and proposal of hack back. when a private company takes retaliation into their own hands and hacks someone who is attacked the network systems. can you outline the concerns you have? back inherently a government function or is there a private role? mr. work: this is a very, very
5:02 pm
important issue for us because cyberattacks on a second and third and fourth quarter consequences that we really have to understand that may cause escalation that were unintended. this is an extremely important policy question for us as a nation to grapple with. deals with this on a daily basis and i would ask him to provide specifics. admiral rogers: i not only acknowledge the policy complications but i also try to point out at the operational level that we have so many actors in this domain already, adding more only, locate things. the second and third order fax, as the secretary has outlined, are significant concern. i would for my perspective be very careful about going down this road. i don't think it is one we truly understand from my perspective. the tendency to complicate and already complicated situation here. as itrk: as complicated
5:03 pm
is, i'm so hopeful that with the expertise you have, to me it would be deterrence with some level of hack back. and thehis is pursued capable people that you are and that you have working with you, i cannot wait to hear of their capabilities as to deterrence, stopping hacking on american families. mr. halvorsen, the department issued a new manual for defense support of civil authorities, the first time addressing cybersecurity-related incidents. could you discuss how dod its requests for such support, especially if it might be coming from a state or local agency? mr. halvorsen: the manual leaves out there are some formal processes we would go through with that. one thing to stress is the informal processes we have put in place. we have scheduled
5:04 pm
routine meetings with industry. hale, who you will hear from later today in a closed meeting, has scheduled meetings with their security officers. to be ableng forward to give them some of our data quicker. mike's work has been superb in being able to lower the classification levels of data so that we can share that much quicker with industry and accept theirs in a similar fashion. i think all of those things plus what is in the manual, or adding -- are to all of us, the industry and government, collection of data and the operational intelligence we can use. admiral rogers: i would also where we is an issue collaborate very closely between the northern command and u.s. cyber command and the department of homeland security, the fbi, about how can we make sure we are most effective and most division on how we are going to
5:05 pm
apply dod capacity within the cyber arena, within the broader defense and civil authority construct, trying to make sure, can we use the existing framework to the maximum extent possible as opposed to trying to create something new and totally complex in the cyber arena. rep. wilson: admiral, thank you for pitching in. withgrateful navy dad, three sons in the army guard, i am very grateful for your service and naval service in general. secretary work, in your testimony, you stated, "the iranian actors have been , 2013ated in the 2012 attacks against u.s. financial institutions, and in february 2014, the cyber attack on the las vegas sands casino." what economic sanctions or legal actions resulted from this activity? are they being maintained? mr. work: sir, i am going to have to take that for the
5:06 pm
record. i don't know exactly what sanctions the attacked you refer to against the financial services was attributed to iran, as well as the sands casino, as you said. i am going to have to get back to you and say exactly what we did as a result of those attacks. no specificrs: sanctions tied to those individual, discrete events. a broader discussion about what is acceptable and not acceptable -- we have seen a change in behavior, the activity we have seen crews the against websites, for example, has decreased, partly because of the broad and public discussion in which we are acknowledging the activity, and partnering between the government and financial sector to see what we can do to work with resiliency to preclude the iranians' ability to penetrate which, knock on wood, we were successful in. rep. wilson: thanks to each of you.
5:07 pm
we proceeded to mr. larsen washington state. larsen: i'm curious, are we still exploring what the outer limits of what constitutes the equivalent of a physical attack against the u.s., when we are looking at cyberattacks -- do we still know what is the equivalent kind of cyber attack that would warrant and size of response that we might do if it was a physical, kinetic attack against the u.s.? re: exploring the outer limits still? mr. work: we have defined an event of significant consequence that has to include loss of life, significant damage to property, serious adverse foreign policy implications or consequences, or serious economic impact. that is a broad statement, and each of them have to be addressed as an individual act, and that is why there is no established redline on what we would say this constitutes a
5:08 pm
physical attack. the question we are often asked is when does a cyber attack trigger an act of war? each of those would be discussed dependent on the type of attack and what its consequences were. as of this point we have not assessed that any particular attack on us constitutes an act of war. admiral,en: can you -- address a little bit, be more specific, about title x versus title 32 responsibilities, working with national guard, or going beyond that, working with national, state, or local law enforcement? what specific criteria do you use to make that distinction? admiral rogers: for me, among the things i look at our the scope of the activity we are dealing with, the nature of the event we are trying to deal with , the capacity that exist within title 32.x arena vs.
5:09 pm
are there specific knowledge or unique insights, for example, a particular guard structure might have that will tell her to deal with this specific issue? again, it is a case-by-case basis. i try to maintain it with my , we need onees integrated workforce between the active and reserve component, train at the same standard using the same basic schema maneuver, so that we can use these capabilities interchangeably. that maximizes affects ability of the department and gives us a broad range of options in terms of how we employ the capability. are you making that largely permanent? at some point in the future you move on to something else and someone is behind you. is it still evolving, how you are trying to establish these relationships as they apply to cyber, or are these going to be largely permanent, changing the
5:10 pm
story? admiral rogers: i think they will be largely permanent. i think we have done the foundational work broadly. remember, nole, plan ever survives contact, and the broad framework we acknowledge as we get into this, we are likely to see things we never anticipated and we have to be flexible and be willing to change as we need to given the specifics of whatever it is we are dealing with. i called them at the guard and the reserved for the way we have partnered on developing cyber capability within the department. it has not been adversarial at all. it has been a great team. mr. work: i would like to jump in on that, sir. we work closely with the council of governors could i would like to give them a shout-out. building cyber capacity in the guard and reserve. we are building 2000 guard and reserves that are associated with this. what we are right now is trying to work out the policy on what our folks can do in terms of
5:11 pm
coordination, training, advising, and assist under title 32 and title x authorities. that policy is working well. we are working well with the governors. we believe this is going to be a great new story for the nation. rep. larsen: and my last few moments here, i have a question. you talked about defensive networks, defense of networks, talked about resilience, denial, the whole deterrence issue. but this issue of hybrid warfare , of course, has come up, and i'm curious about what steps you in aaking to incorporate u.s. response, or even in nato's combate, the role cyber plays in this, and incorporating the response of capability within this hybrid warfare concept that you hear a lot out of general breedlove. admiral rogers: so it is a concept we are partnering with general breedlove as well as the
5:12 pm
nato supreme allied commander and it highlights the work that special operations command team is doing in this regard. i was just down in tampa about 10 days ago. this was part of our broader discussion of how we integrate the full range of capabilities within the department, as we are trying to respond to any evolving world around us. -- an evolving world around us. i think we are starting to have good conversations and a good broad way ahead in the department. the international framework is difficult, fair to say not as far as advanced, and in nato is an area we have talked about we have got to work on. rep. larsen: my time is up. thank you very much. rep. wilson: thank you, mr. larsen. doug lamborn of colorado. : i appreciate your comments to congresswoman susan davis that i would like to follow-up on that on retaining
5:13 pm
top talent. this is your efforts -- for you, and rogers in rogers, in-- admiral particular -- what are your efforts to develop a unique cyber career track for those in the military? services have: the responsibility in terms of they generate the capacity. in the cyber arena, one of the things that has been a real strength is the services have been totally integrated as to how we will develop this, what are the standards, what are the skills, how we create the workforce. that is what i did in my last job. i'm very comfortable with how each service has tried to create a career path that enables us to extend over an entire career both the capabilities as well as generate the insights we need in the workforce. i think that is a big change for us over the last 5, 10 years. that is a real strength for the future. it is not an area i look at now and go, well, i have heavy concerns there.
5:14 pm
i think we have a good, broadvision, and the capacity and capability -- i have yet to, knock on wood -- i've not yet run into a scenario where we did not have the level of knowledge i mighte challenges have had a handful of people with the right level of knowledge, but we have people with the knowledge. i have to build the capacity out more so we have more of it. rep. lamborn: i appreciate that could that is really encouraging. thank you. secretary work, the department has flowed a number of civilian and military personnel reforms -- compensation, retirement, etc. how would some of these reforms affect the cyber workforce? mr. work: i was going to try to jump in here because this is a huge priority for secretary carter. he came into the department believing that over time we have created these barriers to service in our government, and he wants to really -- as he
5:15 pm
talks, burrow tunnels the chinese berries, or widen -- between these barriers, or widen the aperture. he uses cyber as example where we bring people in the government and then go into this of lean workforce and come back anin. he has challenge us, and the undersecretary for readiness, to see how we can make sure that in areas like a cyber, space, electronic warfare, we have more permeability in the department to make sure we are getting the best ideas from outside the department. i don't have any specifics to give you right now because they are in the process of going through a deliberative -- which ideas are good. but we are right with the intent of your question to improve the ways in which people can come in and out of our government service. halverson said, this is
5:16 pm
an exciting mission for many people, and maybe they don't want to make a 30 having your government career, but if they had a chance to help admiral three-yeara two- or period, they are all in. rep. lamborn: mr. halverson, do you have anything to add? heard that we you are moving forward on pilot programs to bring industry in to the government, for us to put for the first time civilians in the industry. those pilots are moving very well. as we use those, you will see great things coming out of this. rep. lamborn: i thank you for your answers and most of all, thank you for the great work you are doing good mr. chairman, i yelled back at rep. wilson -- id back. rep. wilson: we proceed to tsongas ofan massachusetts.
5:17 pm
tsongas: so much of this is about keeping the people with the skill set and commitment to seeing this through because it is not easy stuff at all. i gather from the testimony that there is a fair amount of comfort level with what dod and the military services have been able to do to put in place appropriate means of training, hiring, and compensating, even though you have -- you may have to come back to us in the future. you commented that this is sort of an interagency effort and you are working with the department of homeland security, law enforcement, the fbi, the intelligence community. sharing across those borders is taking place in terms of the skill set that you need a niche of those aspects of this effort -- in each of those aspects of this effort, and how comfortable are you with the ways in which you are working together and how they are responding to the challenges they face with personnel? admiral rogers: i would argue
5:18 pm
very well. i sat down with the director of .he fbi it is a conversation i had with the private sector, where i argued we are competing with the same pool. what works for you, what might we be able to do differently -- i would make one slight twist . this is a point i wanted to make today. i would tell you on the opposite side, the single greatest perturbation with my workforce in 18 months is even a hint of a shutdown could in the last week i have had more education out of the workforce are doing this would be the second time in two years that we are even having this discussion. even if we don't shut down the government, just the fact that we are even getting this close, the workforce is very open with us about i am not so sure i want to be part of an organization where there is this lack of control and i can't count on stability.
5:19 pm
that really concerns me, because i can't overcome that. rep. tsongas: secretary work, do you have any -- mr. work: this is a very competitive field, as the admiral said. ofare building of a total 133 cyber teams in the cyber mission force. some are focused on protection of the networks. they are called cyber protection teams. some are focused on national infrastructure protection. then we have teams that are supporting our combatant commanders. we want to build to a total of 133 of these teams, it is going to be about 6200 active-duty military, civilians, and some special instances, contractors. we won't get there until 2018. we are in the process of building these. this is a very competitive space. we are on track. we are doing well in our recruitment. , you anyl rogers says hint of shutdown, sequestration, that will set us back. we think we have got a good
5:20 pm
mission that people want to participate in. but we are not where we need to be yet. congresswoman, we still have until 2018 to build up the force to where we just think is the minimum necessary to do our missions. rep. tsongas: you serve on the board of one of the service academies, the board of visitors in one of the service academies. in our discussions we have heard it has been difficult to attract n, in thise instance, to the cyber field, because they come to the economy with a particular idea in mind of where they want to spend their time. it is not always as simple as we would like to thank, given the extraordinary challenge. . have another question as well the department has shown its commitment to leveraging private sector cyber innovation, and we have heard about that here today . i commend secretary carter with making his way out to silicon valley to create some presence
5:21 pm
there, a way in which to interact more easily with that community. i just wonder, how will you expand the program and look to other parts of the country where you have a deep bench of cyber activists, cyber innovators, cyber experts? mr. work: you are referring, congresswoman, to the defense innovation experimental, and it is an experiment or unit. we want to see how we can interact with the private sector in the best way. for example, one of our ideas is to bring people back to the pentagon and show them what we are doing. no, what we really want to do is go to the field and see what your air men, soldiers, marines, sailors, what do they do. we want to help them. once we do the lessons learned there, we expect that to be successful, and it will become a permanent unit, and where do we expand, we go to other innovation centers around the country -- perhaps boston, different places.
5:22 pm
mr. hammerson has been helping us through this also. mr. halvorsen: as the secretary went out to silicon valley, we have also taken a cio team to silicon valley. in december we are doing a similar thing in boston, new york. we hosted just recently a group down in boston and new york, some of the more mature cyber companies and also a group of some of the innovative companies . i think what we are trying to do is take what silicon valley stands for, not the geographic location, and make sure -- the secretary has been clear in his guidance he gives to us it is more about the concept of veneration, reach to wherever that is. it is not just silicon valley. you will see us spend more attention in the northeast, and frankly, in the southwest. rep. tsongas: there is really no substitute for physical presence, and the kind of day today interaction that can take place. thank you, my times a. rep. wilson: thank you,, ms. tsongas.
5:23 pm
we proceeded to congressman brooks of alabama. brooks: the army is establishing research and development with the center that consists of qualified personnel and facilities to provide world-class cybersecurity support to aviation missile systems by using cutting edge research and develop men of cyber security solutions to challenges associated with emerging and legacy technologies. coordinatesmpus cyber activities with industry, academia, and government partners. although an army asset, it is uniquely positioned to integrate the department of homeland security, the department of justice, the space and missile defense command, and the industrial base. additionally, it can provide expertise and reduce the risk of cyber threats posed as it relates to hardware, software, firmware, networks, tests, and
5:24 pm
evaluations, modeling simulations forensics, industrial control systems, supervisory control, and data acquisition systems. with that as the backdrop, and these questions are for each of visionw does the army's integrate with the department of defense's overall cyber strategy? saidork: as admiral rogers from each of the services are developing cyber skills within each -- under their title x isponsibilities, and this one refection of many, many, many such organizations that are being set up. has units down in san antonio. so i would ask admiral rogers to give you more specifics, but each of these are going to have specific skills. in this case, the one u.s. talked about, congressman, really focuses on the aviation systems of the army and how we can make sure they are not
5:25 pm
vulnerable to cyber attacks, that they develop other skills, too. admiral rogers: so every service that the secretary indicated is developing similar kinds of capabilities and relationships. army has chosen to really harness the capabilities in the northern alabama area. is positive thing for me they have got a good, strong collaboration across the services as to who is doing what and where. the question, i think come increasingly for us over time is as we get more experience, do we need to increase investments in certain areas where we are seeing strong results versus other areas where it has not played out as well as we would like? we will generate more insights over time. rep. brooks: thank you. mr. halvorsen, would you like to add anything? mr. halvorsen: policy talks about how we do better with industry and part of that is bringing industry into the area to be part of the solution to the problem. i think they are perfectly
5:26 pm
aligned with what they say with the policy. rep. brooks: follow-up question, is there a consolidated effort centerse that cyber such as the one at redstone are interconnected with other services with the department of defense capably to leverage knowledge sets and not create stovepipes of information or efforts? admiral rogers: i don't know that we have a formal -- i know there is a regular analytic and collaborative venues where they all get together. i participate in my team participates in some of those. i don't know if there is a .ormal process, if you will i try to secure nice that at my level with each of the service components about how we need to look at ourselves as one integrated enterprise, guys did we have to maximize effectiveness and efficiency because there is more requirements and there is money and time. it is about how to maximize outputs. rep. brooks: mr. work? mr. work: sir, i don't believe
5:27 pm
there is a formal program right now. we look at it more in terms of function. right now i can tell you in terms of defense of networks, everything is on the same playing field. , weave the same scorecards grade ourselves exactly the same. to your specific question on whether or not we have a formal program, that is something i will need to go back and research and -- it sounds like a good idea. i just don't know the exactly how we would implement it yet. rep. brooks: mr. halverson. mr. halvorsen: i will check in secret sounds intriguing. rep. brooks: mr. chairman, i yield back . congressman o'rourke of texas. o'rourke: you were talking about the tenets of deterrence. the first two, denial and resilience, i understand pretty well.
5:28 pm
there are questions about the third one, cost imposition. i'm interested in knowing how we communicate or advertise the consequences of cyberattacks to toential adversaries, and the degree you can talk about it, how does that change their have some of how the consequences we have imposed best far changed their behavior? in other words, however we don't done on that third tenet, cost imposition? mr. work: the first is to have a strong policy statement that we will respond in a time and place and manner of our choosing, and then we have to communicate, primarily with state actors. i think admiral rodgers said yesterday that we are good at stopping 99.5 percent of these attacks, getting rid of the basic hacker. but it is the state adversaries that pose the biggest challenge. i would like to weave in -- i think the chairman mentioned
5:29 pm
president obama and president xi, the cyber agreement, and that came about from intensive discussions with the government of china saying this behavior is acceptable and we have got to come to grips with it. specific aspects of what i would consider a confidence building measure. the first one is that we have to have timely response for information and assistance if we go to china and say, hey, there is an actor inside china that is conducting these activities. we have agreed to share that information. both the united states and china have agreed that they will not knowingly conduct cyber related theft of intellectual property for commercial gain. effort toing common develop these state norms of behavior, which we have never done before. and then we agreed to a high level joint dialogue. now, people say there is no enforcement mechanism, but it is a confidence building measure,
5:30 pm
and it is the first time that the president of china has said i will commit my government to these things. we believe it is very, very significant, and it came about from high-level dialogue where we were saying we find your behavior on a separable, and we do have option -- on acceptable, and we do have options, but how can we work this out? i believe in the sony case we activated, we did sanctions -- attributed, we did sanctions. i believe those types of activities will prove the united and may lead to better norms of behavior between nationstates. >> what are you seeing in changed behaviors? i understand the agreement, the statements of intent. what are you seeing in terms of number and severity of intrusions and cyberattacks following, letting our adversaries know we will choose the place and time of a response, and having responded
5:31 pm
in some cases, what has that done? to the degree that you can. >> you have not seen the north koreans attempt another offensive act against u.s. infrastructure since november in the aftermath of our economic sanctions and public attribution discussion. that the denial of service activity we saw the iranians doing in 2012, 2013, we have not observed that of late. i would argue, for other nationstates the impact today has not seen significant changes. it is early with respect to the prc. we will have to see how this plays out, and trust people will be paying great attention. >> that's something that i and other members of the committee would be interested in receiving a briefing on going forward, just to look at how behaviors
5:32 pm
are changing and whether that third tenet of making sure adversaries understands costs and consequences is working. i appreciate your answers. i yield back. >> we now proceed to congresswoman jackie walorski. rep. will risky: you said russia -- rep. walorski: you said russia is a competitor in the cyber threats that is out there. i'm sitting here, and i have been watching through the course of this hearing the russian bombers let loose today in syria with one hour of notice to our generals in baghdad, and striking non-isis targets. i think this is a reprehensible activity happening today, and i have many questions as to how we to here. but i'm curious from you. with this development of an
5:33 pm
overaggressive russia, how in the world do we go forward talking about sharing intel information and trusting anything that comes from putin and russia? isiral rogers: your point much broader. orski: i think it is related. admiral rogers: it is related. rep. walorski: is there not an element of trust that has to prevail here when we saw what happened this morning? for many of us who sat on this committee for a long time, we saw a red line not upheld in syria, all these gaps with all these countries around the world with an administration that seems to not have any strategy or contiguous plan. how would we take a step forward today? i know you are talking about the broad context, but i don't understand. the gap is going to continue to emerge.
5:34 pm
how in the world do we breach that, and how do we say to the american people, with all seriousness, looking our constituents in the eyes, that we have their back and we are looking at for the security of the united states and our allies, watching vladimir putin come right into the middle east next to our cohort and friend we want to protect, israel. does that not change the equation of having any semblance of trust? admiral rogers: i would only argue the latest issue fits in a broader context with the ukraine and others. this is not a new phenomenon with this actor. that's why we have been very direct with them. i know the secretary had conversations with his counterpart. i have not had specific cyber discussions with him. 1.i tried to make in internal discussions is, watching the russians used cyber, it is increasingly aggressive. lorski: this is alarming
5:35 pm
to me. ouraid, stay out of airspace, we have a one-hour warning. they are a mainstay player and we are screwing around, fighting back and forth over all kinds of things. we just had the pope here, and seemingly using a phenomenal window of opportunity for another major push in syria. the alarm, not only for lawmakers today, but the citizens of our country we are vowing to protect, is we have watched him establish himself in syria, in the middle east. he believes he is following his national interest. we are alarmed by what happened this morning. what was agreed by the presidents was that our militaries would talk so we would de-conflict operations. rep. walorski: have we seen a failure? hourhe is here, one
5:36 pm
of notice, with all our forces there? would we not see this as a failure? mr. work: i don't believe it is a failure. it is aggressive action by russia in advance of our discussions between our militaries. rep. walorski: are you leaders have those a strategy and we are holding up our end of the bargain? are you confident the administration is looking at this as, we expected this to happen? i represent three quarters of a million people, looking at their tv's like i am, and the official response from the pentagon, taken aback by strikes? we are all taken aback. is there a strategy that is supposed to prevent this, or is our attitude that we know they are going to do their thing, and we will see what form we can contain them. mr. work: they want to be able
5:37 pm
to do military action first, followed by a political agreement. rep. walorski: they are doing military action. in ukraine, they have been doing military action, and today we are watching live bombing. from the perspective of the administration, we expected that? mr. work: the russians made clear they would support the assad regime with airstrikes, and we made an agreement to have lk so thereies ta; would be no problem between our interactions between our forces -- you walorki: you think one hour is legitimate? what is our response? mr. work: i don't know exactly what has happened over the last hour. we heard about the attacks this morning, and they asked us to avoid the area where they would be operating. we continue to fly throughout
5:38 pm
syria. rep. walorski: are we continuing to talk to our russian counterparts? mr. work: we agreed for a meeting, and the meeting has not occurred. so we are trying to find out where we will meet, where it will be. rep. walorski: would you not agree this is a crisis? for the first time, they have entered the middle east, and for the first time we have watched the broadening of putin's powers who was just here on american soil, next to a hotbed of war and our dear ally israel. have we watched this elevate to a point where it is a crisis? russia has just gone from their position, throug the ukraineh, looking at eastern europe, and has now landed inside of syria. mr. work: i don't believe it is a crisis. it is a disagreement in
5:39 pm
strategy, and that is what we are trying to work out. i: i believe it is a crisis. we have had a president with no foreign policy. red lines crossed, this has played at all by itself, and sis, we are, back in a cri wondering who the world is defending our country. with that, i yield back. >> thank you very much. we now proceed to mr. takai. rep. takai: i would like to rebalance and refocus to cyber strategy, if i may.a lot of people have talked about deterrence today. this is something i'm concerned about after recent events. with the current threat to our cyber network, we need to d iscuss creating and maintaining a persistent training environment, the development of a unified platform, and bui lding the joint information
5:40 pm
environment to secure the dod enterprise. the development of these priorities can not only serve as a deterrent in their own right, but they will enable our cyber mission force readiness to be the best in the world. so, admiral rodgers, where is dod in allocating resources for these priorities, if you can address each one? persistent training environment, unified platform, and joint information environment. persistenters: training will take us several years to finish. fiscal 17 represents the third year of funding for it, we are working through 17 internally within the department. i have strong support for this. i have not come to an issue yet where i have problems with the way ahead. terry comment. unified platform is a new idea
5:41 pm
for us, based on five years of practical experience as an organization. department needs a capability separate from nsa to execute operations. unified platform is the program in terms of our ability to do that. we are starting with the 17 built. as we gain more experience and do this over time, we have to continually reassess and ask assumptions,e are they proving to be what we thought they were, or do we need to make changes? the first action is the assessment of the joint regional security stacks, funded in 17 and fully operational by the end of 17. rep. takai: i want to go back to the integration of personnel. the secretary mentioned it. i want to focus on defining where the role of the national
5:42 pm
guard fits into the cyber strategy. i'm a member of the guard in hawaii, and all of us here on this committee have constituents in the guard. of the touch upon some points where the guard can increase their role in the larger cyber mission? work: this cyber force we are building two is about 6200 active and civilians, and in some special cases, contractors. you did not mention national guard when you said that. mr. work: 2000 national guard and reserves on top of that. some are part of the cyber teams, and others are extra capacity that might help the states. the council of governors and we have been working closely together. our policy shop is working through the aspects of what we can do under title 32
5:43 pm
and title x in support of states, but the guard will be essential to the cyber mission force. about a quarter of the entire n reserveve and 2000 o in national guard, they are essential. rep. takai: i am the son of a guardsman. my father was a member of the national guard for 27 years. i watched him every month, every summer participate in guard activity, and spent a lot of time playing in armories as a little boy. every service has used a slightly different construct. in the case of air force, they use the guard answer to fill out a part of the -- and reserve to fill out a part of the 6200. the army has decided that the guard and reserve are an additional to have capacity above the 6200. the navy and marine corps do not have a guard.it is a little
5:44 pm
different for them. discussions today have been very good as the secretary said. we, have to work our way through he additional capacity, how to view this as one integrated enterprise so we are maximizing capabilities the department and states are investing in. takai: i understand that there may be, in fact, opportunities for these teams to the wholly guard. rogers: in the case of the air force, they are creating a small number of teams that are wholly guard. rep.takai: one more question. how resilient are our military networks to cyberattacks, and how do you measure and qualify resilience?
5:45 pm
better,: we are getting but we are not where we need to be. that's why secretary carter said defense of our networks is absolutely job number one. now, that will come through a lot of different things. as i said in my opening statement. first, get the network as defendable as possible. the jie, the joint regional security stacks, will take 1000 firewalls down to less than 200. the number of enclaves will be dropped. with, make your network the fewest services possible and as defendable as possible. second, build up these teams, another big part. the third, a cyber scorecard telling us exactly how well we are doing. mr. halvorsen was the creator of
5:46 pm
the scorecard, and i would ask him to be able to tell you how we are going to track this. : cyber resiliency is a measure on the scorecard that we are actively developing. >> a gentleman's time has expired. secretary work and admiral mike rogers, good to meet you. telecommunications, either one of you, telik communications equipment manufactured by huawei in your office? work: in the office of the secretary of defense, absently not. i don't believe we operate any systems in the pentagon. admiral rodgers: no. >> why do you not using? admiral rogers: it is a broader
5:47 pm
decision as we look at supply chain and vulnerabilities in the system. >> secretary work? what about cleared defense contractors could should they wei according? mr. work: i will have to take that for the record. i don't know of any defense contractors using huawei acquit but i justnt, don't know. admiral rogers: the contracts we have, we specify security standards you have to meet, specify requirements to notify us. we have to take the question. i don't know if current language specifies specific vendors, if you will. i know in the national security systems we are very specific about making that standard, in nuclear and other areas we are very explicit that is not allowable. >> i would appreciate if you
5:48 pm
could get back to me on if you have any cleared defense contractors compelled to use huawei telecommunications equivalent. my next question has to do with recognizesthat vietnam-era helicopters that provide security are woefully antiquated and inadequate. they said we need to get modern helicopters to get to airfields. we are talking about nuclear weapons. based on a meeting i had with the air force, i am very concerned the aforesaid acquisitions approach will take four or more years to get these helicopters. these are icbm fields. i had a hearing on this issue. it's alarming, the concern we are told by commanders about security of these fields. what can you tell me about why we are looking at such a long period of time? mr. work: this is a
5:49 pm
high-priority, and we are dealing with it right now. last year, the air force's plan to replace the helicopters 60a's andke thier uh- upgrade them to uh-60l's. the a's available in the force were too old and tired, and it became cost primitive. that's why -- cost prohibitive. that's why -- now we have to find new build, whatever helicopter we decide, whether we decide if we can do sole source or a competition. u.s. strategicf command has said that we cannot years, andait four we are looking at a wide variety of measures to mitigate the problem until we can get new
5:50 pm
helicopters built. it's a high priority issue for us, and i will be able to give you a little m information was we work through all the different options. rep. rogers: i want you to understand, i really believe that we should see an immediate reprogramming for the fy 17 budget. with that, i will close by i would like to talk with you off-line about our new ,ngine to replace therd 180 privately. with that, i yield back my time and go to ms. speier. rep. speier: thank you. we are dealing with very, very varioustors in these foreign countries that have been hacking into us.
5:51 pm
on the agreement with china, you seemed somewhat elated by the agreement, yet i have reason to be very skeptical about them complying with what they agreed to comply with. more importantly, i would like to ask you, what is it in the agreement that you would have wished was in the agreement? not. work i would characterize my reaction as elation. so much as i believe it was a very good first step. it's the first time the president of china committed himself and his country to address the issues that have been of such high concern to our government, so i consider that -- er: i have very limited time, so please answer the question. mr. work: there were no enforcement mechanisms. that is the key thing people
5:52 pm
pointed out. china is going to prove if they were serious or not, and they can take action. hack was devastating. it is clear that china did it. they denied it. they have information about people with top-secret status. went onhing they just recently of the joint chief of staff unclassified e-mail worries me greatly. access to that personal information is such that if they know who your family members are, who your next or neighbor is, and they can pretend like they are your family member or next or neighbor, you are more ick on thelect -- cl
5:53 pm
e-mail, and then they can get in. what steps are being got to deal with -- are being done to deal with phishing, in terms of greater cap ability to those who hold those physicians who end up clicking by punishing them, or coming up with a system so that we can anticipate that fishing going on and prevent it? of these have occurred because of simple operator error, bad cyber hygiene. they clicked on a attempt. we're going after that.
5:54 pm
rep. speier: is there any penalty on the people who clicked on them? mr. halvorsen the simple answer is yes. we have a cap ability on that, and action has been taken for people who have misbehaved in a cyber way. secondly, we increased training frequency of phishing training, and have taken certain actions to eliminate the ability to clicked on links, and at least have a warning that says that you must think about this link. in some cases, you can no longer physically clicked on links on any of our networks. admiral rodgers: i implemented nine specific changes were i said, i will make your life harder, if this is what it takes to drive a change in behavior. to preclude this from happening. rep. speier: briefly, what is keeping you up at night? admiral rogers: three things in
5:55 pm
cyber concern me. are we going to see offensive activity against u.s. critical infrastructure? are we going to see the focus shift from theft of intellectual property to theft of information, to manipulation of the data in our systems, so we no longer can trust what we see? third thing that worries me, are we going to see nonstate actors, terrorist groups are at the forefront of my mind, start to use the web as an offensive weapon. mr. work: i would add two things. we have a large number of systems built in an era, like admiral rodgers said, the systems were not built to withstand the cyber environment we are in now, so what keeps me up at night is, can we get through all of our systems and make sure they have cyber heartening -- hardening? we have to go through this risk mitigation on every one of our systems and say, what is the
5:56 pm
critical cyber folder ability? i would like to echo, the manipulation of data, since we rely upon our networks, really keeps me up at night. >> the chair recognizes chairman whitman. wittman: i want to begin with getting your perspective on how we address the cyber threat. we have constructed a military that is adept and capable of addressing kinetic threat. we have generalists, specialist. when in listees -- enlistees come in, they learn what to do. officers learn tactics and strategy in that environment. yet we have a very myopic or piecemeal element with the cyber threat. give me your perspective. shouldn't we have the same top cyber?om capacity for
5:57 pm
shouldn't enlisted men and women come in and also get training in the cyber realm? shouldn't our curriculums at service academies include robust and extensive instruction and education within the cyber realm? how do we constructive force that is as capable genetically as it should be -- kinetic ally as it should be in the cyber realm? how should we do that, is that valuable to do, and what are you doing to get to that point? mr. work: the first thing is to include what we call improving the cyber hygiene of the entire every single member, active-duty, civilian, contractor, and reserves, to understand the cyber threat we face each day and to understand the simple actions they can take to improve our security. , in of the things you say all our education and schools, ciber is now an important part of our curriculum. red teamsad teams --
5:58 pm
going out and helping commanders understand where vulnerabilities are and where they can improve. we have means by which we hold people accountable. negligente a discharge with a weapon, that is a bad thing. we want everyone to know that a negligent discharge in cyber could be as dangerous. so i totally agree with what you are saying. this is a big, big cultural shift that apple rogers spoke to earlier. admiral rogers: that is the approach we are taking. this is so foundational for the future for us in being able to execute missions the nation is counting on. we have to do this foundational he. mr. halvorsen we don't you the same amount of training the dedicated mission has, but there has to be basic training on the force, regardless of rank. this is one environment where if you have access to a keyboard, you represent vulnerability.
5:59 pm
everyone in our department, contractors, civilians, reservists, guards, everyone is an operator in that environment. rep. wittman: where are we allocating resources? it is reflecting not only what you are doing from a doctrine standpoint, philosophy standpoint, training standpoint, but where are you dedicating resources to make sure you are successfully meeting that objective? mr. work: when secretary carter was deputy secretary, the job i have now, starting around fy 13, there was a concerted effort to try to increase the investment in cyber forces. i believe we are doing very well
6:00 pm
in this regard. we could always do more. it is budget dependent. as i said earlier in testimony, secretary carter says that were ever our budget ends up, cyber will be a top priority. the one area where we could do better is in tools. i think -- we had to build the human capital first, which we have been doing very well. if there's one area where we could do better for admiral rodgers and the team, it's to invest more money in tools that would create better options for the force. admiral rogers: we are doing a very good job in the dedicated cyber mission force in the commitment to bringing it online. what we need to look at is, the things i raise our tools, situational awareness, the unified platform, and asking yourselves over time, is the command and control structure we put in right? this is part of an ongoing process.

20 Views

info Stream Only

Uploaded by TV Archive on