Skip to main content

tv   Hearing on U.S. Cyber Command Operations  CSPAN  April 9, 2016 4:15pm-6:21pm EDT

4:15 pm
of people in central and western ukraine. it is terribly significant. it demonstrates a sophisticated use of cyber --pons as a bestie bellies i as a destabilizing capability. we must develop not only an effective deterrence policy but also the capabilities necessary to deter any nation seeking to exploit or colors the united states through cyberspace. after significant urging by this committee, i believe the defense department recognize this need and important progress has been made in cyber command. for the most part, the services appear to be on track to meet the goal for the development of a 6200 --
4:16 pm
unless we see dramatic changes in future budgets, i'm concerned these forces will lack the tools . in short, unless the services they can to prioritize and deliver the cyber weapon systems necessary to fight in cyberspace, we are headed down the path of a hollow cyber force just as it would be unexpected -- an extractable to deprive our cyber forces the basic tools they need. some service budgets are omitted funding for even the most basic tools like those necessary for cyber protection teams to assess and triage a compromise network. i look forward to hearing your assessment of the military services commitment to equipping a cyber force. i also look forward to hearing whether the new acquisition
4:17 pm
authorities we provided cyber command in 2016 will help address some of the service-induced shortfalls. while i'm encouraged by the progress at the department of defense in cyber command, i'm concerned the cyber policy as a detached.ins for years, our enemies have been setting the norms of behavior in cyberspace while the white house sat idly by, hoping to problem will fix itself. administratione provided its response to lead a year and a half later this committee's requirement for a policy.terrence the response reflected a lack of seriousness and focus as it reiterated many of the same pronouncements from years past that failed to provide any returned value or increase the vulnerability of our nation. i applaud the recent efforts of
4:18 pm
for itsice department cyber attacks against our critical infrastructure and financial sector. i remain puzzled as to why it took newly five years after randy and attacking u.s. thanks for the administration to begin doing so. that kind of indecisiveness is antithetical to the terrance and our nation simply cannot afford it. let me close by thanking you for your leadership at cyber command. you have always been very candid and forthcoming before this committee and we appreciate that. we are finally beginning to feel the cyber capabilities we need for the future. committedttee remains to doing everything we can to provide you and the men and women you lead with the tools necessary to defend our nation in cyberspace. i look forward to your testimony.
4:19 pm
>> and i would like to welcome admiral rogers back to the committee and to express my gratitude to you and to the men and women you lead. cyber command is at another set of crossroads. the committee received testimony last fall from multiple witnesses recommending elevation of cyber command. i understand elevation has been discussed and the secretary is considering this recommendation as part of a reform effort. your viewse to hear on the readiness of the command for elevation and on the related issue of sustaining the arrangement under which the commander of cyber command also serves as the director of the national security agency. commands after cyber with established, the military
4:20 pm
services are presenting trained military units to command. more than half the units that reach an operational capability. this is a major milestone but trained individuals are only one part of military residents -- military readiness. the defense department is only at the beginning phase of building a unit level training environment. there are shortages and for thety shortfalls cyber protection teams in the department has not yet developed a plan for or selected a service executive to require foundational situational awareness and command and control systems. i look forward to a status report about the pace of progress in these areas. there are other foundational challenges. the department is the process of acquiring additional centers at all layers of its networks.
4:21 pm
cyber command has dozens of cyber protection teams designed to defend key areas of our network so while the agency has our own computer network defense organizations. integratesk now is to these organizations under joint operational concepts to enable real teamwork. i will be interested in your thoughts on this very difficult issue. i am pleased to cyber commander cyber security and its other missions to keep pace with a rapidly changing threat. it makes sense to partner with an industry that innovate at the same pace. i'm interested in hearing how you plan to apply to acquisition authorities.
4:22 pm
finally, i would note that admiral rogers and his prepared statement today quoted the director of national intelligence to the effect that china is still engaged at economic theft in cyberspace and whether china's commitment moderates attest the knowledge be it's obviously a very serious matter. again, i would be interested in your comments on this issue. thank you for your service and i look forward to your testimony. >> thank you, sir. i can member read and distinguished members, i'm pleased to appear before you to discuss the opportunities and challenges facing u.s. cyber command and i will like to thank you for convening this forum. humbled byul for and the opportunity to lead this impressive team i'm confident you would be extremely proud of the men and women of the u.s. command if you saw their commitment to hard-earned
4:23 pm
basis.while daily my written statement goes into greater detail, i would but to highlight a challenge we face today and the initiatives the command is pursuing. over the last year, we've seen an increase of cyberspace operations by state and nonstate actors. we've seen a wide range of malicious cyber activities aimed against private sectors. we focus on actors that pose a threat to our national interest through cyberspace. theons still represent greatest threat to our nation cyber security but we continue to watch closely for signs of nonstate actors. cyberspacectors used to steal intellectual property and personal information and criminals increasing use of rent somewhere to extort companies is worrisome. malicious actors have also intruded in the networks ranging from the joint staff's unclassified network to networks containing our nation's critical
4:24 pm
infrastructure. they're using cyberspace to shape potential future operations with the view of limiting our operations in the event of a crisis. u.s. cyber command continues to make progress as it emphasizes shift to operationalizing the command and sustaining its capabilities. over the past year, with continued building the capability incapacity of cyber command operating on it -- at an increased tempo. today, we have 27 teams that are fully operational and 68 that have initial operational capability. it's important to note even teams that are not fully operational are contributing to our cyberspace efforts with nearly 100 teams conducting operations today. they can make into new you to support u.s. central command's ongoing efforts to dismantle and defeat isil. last year, we established the
4:25 pm
joint force headquarters dod information networks. i can probably report it has made great strides toward the goal of leading day-to-day security of the department's data and networks. as the dod expands the joint information environment, we will have significantly more confidence in the overall security and resilience of our system. our operations to defend dod networks and the nation's critical infrastructure proceed in conjunction with a host of federal, industry, international partners. recognizing dod is one component of a nation cyber teen, u.s. cyber command zone exercises cyber flagons cyberguard offer unmatched realism. teams and joint cyber headquarters are regular participants in the annual exercises of the combatant commands. while our training is improving, we need a persistent training environment, which the
4:26 pm
department continues to develop to sustain readiness across our force. i'm excited by the innovation, cultural shift, focus on long-term strategy. we've established a point of partnership program in silicon valley to link command personnel to some of the most innovative minds working in cyberspace. our program is aligned with the department of defense of innovation unit. we are building on the synergy among all dod elements. last september, department identified the need to transform the dod cyber security culture by improving individual performance and accountability. the secretary approved the cyber security cultural and compliance initiative to address those concerns. cyber command was identified as a mission lead for this and is working close with the joint staff to build a requisite capacity. fabric command is also actively contributing to the implementation of the new dod
4:27 pm
cyber strategy. a detailedy provides plan to guide the development of dod cyber forces and strengthen dod cyber defense. the pervasive nature of cyberspace throughout all facets of life coupled with a growing cyber threat makes deterrence in cyberspace a problem -- challenge but ever more important. a proactive strategy is required that offers options to include integrated cyberspace operations to deter adversaries from action. this, weith all of requested and received enhanced acquisition and manpower authorities. i think congress and the president for the authorizations granted in the fiscal year 16. this represents a significant augmentation of our ability to provide capabilities to our cyber mission team and our ability to attract and retain a
4:28 pm
skilled workforce. we are studying how to best implement those provisions while evolving a formalized synchronization framework to optimize the employment of our cyber mission force. thank you again, mr. chairman and members of the committee for holding this forum and inviting me to speak. >> general dempsey was asked about our ability to address challenges to this country and he stated that we has significant advantages in every major challenge except one and that was cyber. do you agree with general dempsey's comment about a year ago? >> i do. the phrase i use with him is a cyber area is one we have to have knowledge. -- to acknowledge. >> that i would say emphasizes our need to address this issue in a comprehensive fashion.
4:29 pm
bill we finish the defense , i will spend a great deal this committee will spend a great deal of its time on this issue since the threat is, as admiral rogers just stated -- you stated last year there is still uncertainty about how we would characterize what is offensive and what is authorized. that boils down ultimately to a policy decision and we have tended to do that on a case-by-case basis. we preempt? if we respond, how do we respond? it seems to me those are policy admiral rogers: i guess, chairman, the way i would describe it is we clearly still are focused more on an event by event particular circumstance, and i think in the long run, we clearly -- i think we all want to try to get to is something
4:30 pm
much more broadly defined and well understood. senator mccain: so that you understand, when you detect an attack or -- as the exact word, detect a probable attack, so right now, you are acting on a case-by-case basis? admiral rogers: sure. senator mccain: does russia have the capability to inflict serious harm to our critical infrastructure? admiral rogers: yes. senator mccain: does china have the same capability? admiral rogers: some measure of the same capability, yes. senator mccain: how is china's behavior evolved since the opm breach? admiral rogers: we continue to see them engage in activity directed against u.s. companies. the question is, i think, that we still need to ask is, is that activity then in turn shared with the chinese private industry who we certainly acknowledge that states engage in the use of cyber as a tool to gain access and knowledge. the question or issue we've always had with the chinese is, while we understand we do that for nations to generate insight,
4:31 pm
using that then to generate economic advantage is not something that's acceptable to the u.s. senator mccain: do you agree that the lack of deterrence or repercussions for malicious cyber behavior emboldens those seeking to exploit the u.s. through cyber? admiral rogers: yes. senator mccain: admiral, we are looking carefully at a consolidation of command here, as far as your responsibilities are concerned. i believe that the secretary of defense will also support such a move, so i will be recommending to the committee that we include that consolidation in the defense authorization bill, as we mark up -- i think my friend senator reed also agrees with that. would you agree that probably the issue of cyber warfare is the least understood by all of
4:32 pm
our leadership, including in government, executive and legislative branch? admiral rogers: it's certainly among the least understood. i think that is a fair -- senator mccain: and is part of this problem is that this challenge is rapidly evolving? admiral rogers: i think that's clearly an aspect of it, the speed and the rate of change, as well as the complexity. it can be intimidating. i'd be the first to acknowledge that many find this a very intimidating mission area. senator mccain: if you had a recommend for this committee and congress as to your significant two or three priorities, what would you recommend? admiral rogers: in terms of cyber overall? senator mccain: action that you'd like to see the congress and the executive branch take. admiral rogers: i think we clearly need a focus on ensuring, number one, that we've got our defensive house in order, and that we're able to defend our systems as well as our networks, and we need to think beyond just networks into our individual combat weapons.
4:33 pm
senator mccain: which to me, means a policy. but please, go ahead. admiral rogers: secondly, we need to continue to generate the complete spectrum of capabilities to provide options for our policymakers as well as our operational commanders. so when we have these issues, we've got a series of capabilities that we can say here's some capabilities that we can choose from. and then lastly, i think we've just got -- the other point i try to make is we've got to figure out how to bridge across not just the dod, but the entire u.s. government with the private sector about how we're going to look at this problem set in an integrated national way. senator mccain: would you also agree that sequestration could threaten you with a hollow force after you've recruited in some of the brightest minds in america to help you? admiral rogers: very much so. i would highlight, in fy 13, when we shut down the government, i can remember going -- i was in a different job at the time, but still, i was doing -- leading the navy
4:34 pm
cyber effort. and much of my workforce said, "so explain to me, admiral, why we should stay with you if this is what we're going to have to deal with on a periodic basis being told we're doing to be , furloughed and we're not going to get paid." i can remember telling them in please stay with us, i hope this 2013, is a one time thing. senator mccain: but sequestration means further hampering. admiral rogers: it means further -- because everything is -- our ability to meet the time lines that we've been given have been predicated on the sustaining of the budgets. if we go to sequestration levels, i will not be capable of generating that capability in the timely way that right now, we're -- we're on the hook to do. senator mccain: senator reed? senator reed: thank you, mr. chairman. and one of the issues that has been discussed and i mentioned in my opening statement is raising cyber command to a full unified command and yet, i also , noted and you acknowledged that only half of cyber command's new formed cyber mission forces are initially
4:35 pm
capable of iop -- ioc, i should say. and then some critical elements, such as position training, environment to uniform platform doesn't exist. are you, in your mind, mature enough to be a full uniformed commands now, or? admiral rogers: yes. senator reed: and what would that advantage give you? what would that decision give you? admiral rogers: so generally, when we think about what -- what tends to drive, should something be elevated to a combatant command, broadly across the department, we tend to focus on the imperatives of unity of command, unity of effort and is it either -- in this case, it would be functional, not geographic. and in this case, does the function rise to a global level? and is it of sufficient priority to merit coordination across the entire department? the other issue, i would argue, is one of speed. all of those argue -- again, i just am one input. i realize this is a much broader decision than just admiral rogers, and there's many opinions that will be factored
4:36 pm
in. my input to the process has been a combatant commander designation would allow us to be faster, which would generate better mission outcomes. i would also argue that the department's processes of budget prioritization strategy policy are all generally structured to enable direct combatant commander input into those processes. that's what they're optimized for. i believe cyber needs to be a part of that direct process. senator reed: the other aspect, obviously, is the relationship with nsa, and there are several options. one is to have separate commanders, one is to have one commander with a dual hat or one option -- additional option is to, at least at a future time, have the option to divide the dual hat arrangement. can you comment on that? admiral rogers: so, my recommendation has been, for right now, you need to leave them dual-hatted. part of that is the very premise
4:37 pm
when we built cyber command and , when we created it six years ago, where we said to ourselves, we were going to maximize the investments that the nation's already made in nsa in terms infrastructure and capability. so because of that, we didn't have a huge military construction program. for example, for cyber command, it put these cyber mission forces, the 6,200 and different structures. we said we were going to take nsa's existing spaces to be able to do that. so, my input has been, for right now, based on the very model we created, cyber command. where we really, in many ways, very tightly aligned these two organizations. now, at the current time, it would be difficult, not impossible, first to acknowledge that. senator reed: mm-hmm. admiral rogers: it would be difficult or less than optimal in my opinion, to try and separate them now. but what i have also argued is, but we need to continue to assess that decision over time. and you need to make it a conditions-based assessment as to what some point in the future does it make more sense to do that.
4:38 pm
senator reed: and part of that is the fact that if you are unified command, you will be developing alternatives to nsa capabilities. admiral rogers: yes. senator reed: exclusive to cyber command. so that at some point, you could have an infrastructure that looks remarkably like nsa and the synergies you're talking about now are operational. admiral rogers: as important right? , yes, sir. one of the issues is that as you depend upon the services to provide you a great deal of resources. in fact, it is really i think, interesting to note that only half of these identified units are at least initially capable. and that doesn't seem to be an intense training effort that's standardized and in place right now. senator reed what can you do? : what can we do to accelerate these units in terms of their maturity and their training environment? admiral rogers: so if i could, senator, i'm going to respectfully disagree. reed: read: -- senator that is quite all right. well, you have to be respectful.
4:39 pm
admiral rogers: remember, we started this build process in fiscal year and we said we would 2013, finish it by the end of fiscal year 2018. full capability and ready to fight in a high front -- demand environment. we're pretty much on track, as i've said publicly, if you look right now. in fact, in the last two months, i've actually managed to increase timeliness since the last assessment i did in february, where i publicly had said, based on the data as of the first of february, i believe that we'll meet ioc for 91 % of the teams on time. and that we will meet foc for 93 percent of the teams on time. and in the two months since then, we're up -- i managed to work with the services and for ioc, we're up to 90% of the force and for foc, we're at about 93 -- we're still at 93% of the force. so, my only point is, i'm not critical of the services in terms of they're generating the force. i think they're making a very
4:40 pm
good effort and it's on track. they have also been very willing when i said what we need to do , is ensure we have one, integrated joint capability to how we work cyber. so there's got to be one structure, one training standard. every services agreed to adhere to that. so, in that regard, i'm also very comfortable with what the services are doing. what i think the challenge is for us, as i look over the next few years, is we initially focused on those mission teams, and the men and women in their training. what experience is teaching us, not unlike other domains, is -- and as you both chair and ranking member said in opening statements, that's not enough. so what we're fighting now is, it's the other things that really help enable us and we've got to focus more on. senator reed: thank you, thank you, mr. chairman. senator mccain: senator inhofe. senator inhofe: thank you, mr. chairman. admiral rogers, in december last year, you published an article, saying a challenge for the military cyber workforce, and you discussed, as you did in your written statement today, that the importance of growing, and developing and maintaining
4:41 pm
this force. when you talked about it, well, i guess it was the chairman in his statement. the 120 teams where we are right now, and aiming to 133, what comprises a cyber team? admiral rogers: they come in several, several different types. there's what we call combatant command mission teams. those are aligned with combatant commanders. they are generally designed to create offensive capability, if you will. senator inhofe: yeah. admiral rogers: there are cyber protection. those are about, in that team, ccmts, combatant commander mission teams. there are about 65 individuals on a team. if you look at cyber protection teams, slightly different missions, so, different structure, different focus, there are about 39 individuals per team. each of those two teams, the combatant commander mission
4:42 pm
team, the cyber protection team has a small subset of about 23 , individuals. what we call support teams. so it gives you a sense for the main. senator inhofe: sure, sure. and that -- when you add all that together, that's when you come up with the 6187. as was brought out in the chairman's statement you'd , really have to know. well, first all, you're drawing from institutions that are training these people. this is new. this is brand-new to a lot of people, including a lot of people at this -- this table. i know that in my state of oklahoma, university of tulsa has really made great progress. in fact, your predecessor was out there and working with them. and i understand from senator rounds that there are similar things are happening in south dakota. so, you've got these kids out there. they're learning this, they're determining what they're going to do for a career. now, i think it's a good question when you say -- when we ask the question, can we really
4:43 pm
depend on sustaining in this environment that we're in right now, this -- these teams, this number, or this workforce, so that individuals out there would be aiming their talents toward helping us. in your because there's going to , be a lot of competition for these kids. how confident are you that we're going to be able to maintain the level necessary to attract good people? admiral rogers: so, experience to date says we're doing a good job in that regard, both for our ability to recruit and retain. what tends to drive that, to date, our experience suggests, is the desire of men and women, whether they're civilian or in uniform, to be part of something bigger than themselves, to do something that matters, and to do something on a cutting edge. that, if you will, is really what powers the men and women of the teams. senator inhofe: yeah. admiral rogers: i'm always talking to my fellow leaders about, so what are the advanced indicators that we should be looking at that would tell us that that trend is changing? there are a couple skill sets
4:44 pm
within the mission force that i've mentioned separately, previously that i may, in fact, come back to the committee with to say, look there may be some additional measures here. its like -- senator inhofe: that would be a good thing to do for the record, to come back -- as i'm running out of time here. there are a couple of other things i wanted to get to. i agree with you when you say that the states that we watched most closely in cyberspace remain russia, china, iran and north korea. at the same time i notice there's an effort, , and this came when our fbi director james comey was in contact with these people, that they were -- china is trying to develop a closer relationship with us when, in fact, they're the ones that we're going to be watching. you're not entertaining any -- any kind of a close relationship with them that might impair that, are you? admiral rogers: no, sir.
4:45 pm
senator inhofe: ok. good. yesterday, in the -- an article came out on the gao report that says the pentagon doesn't know who's in charge for responding to a massive cyber attack. they go on to talk about the northern command. they talk about what we are doing. they're talking about homeland security. and you're familiar with this report that came out yesterday? admiral rogers: no, i'm not, but i'm familiar with the broad premise. senator inhofe: ok, well, the conclusion of the report, and i'll just read this, says, "we believe that by issuing or upgrading guidance that clarifies roles and responsibilities of relevant dod officials, dod will be in a better position to plan for and support civil authorities in a cyber incident." this is a gao report, so i suggest that -- that you, you look at that and see if we have reached that -- their conclusion so far. thank you, mr. chairman. senator mccain: senator manchin? senator manchin: thank you, mr. chairman.
4:46 pm
thank you, admiral, for being here and for the work that you do. i appreciate it very much. we face a wide range of cyber threats from terrorists groups like isis, criminal hackers and spies and all that -- all the underlying. in nearly every briefing about our national security, i've asked about the issues of cybersecurity and protecting our power grids. and it's a very important issue to me and the amount of power that our little state produces for this country. in the short-term, which cyber threat is most dangerous to the united states? i guess our grid, our food supply our water supply, , what -- what is most vulnerable that we should be working on? admiral rogers: power and basic infrastructure is something that always concerns me because the potential impact on the nation is very significant, should we have significant issues there. i'd also argue one sector that i , i worry about a little bit is you look at the amount of
4:47 pm
personally identifiable information that is resonating out there and the lot of various -- healthcare is a good example where the amount of data that we have all provided to the medical world that is available out there on all of us and our families, that worries me about, you know that's reflected and , you look at pom, you look at the anthem health insurance, large data concentrations are now increasingly becoming a target. because of the power of big data and analytics, massive amounts of data that 10 years ago, we would have said to ourselves, no one could ever really comb through that to generate insights or find anything, it's just too large. you sure don't have those conversations anymore. senator manchin: i mean, we talk about cyber, we keep talking about basically our corporate -- you know, corporate hacking, if you will, for proprietary reasons. then you look at the military hacking that goes on for our defense reasons. but then you look at just
4:48 pm
everyday life. we've come to expect that could be probably disrupted with quite alarming concerns. admiral rogers: yes, sir. senator manchin: the other thing -- in your testimony, you mentioned that the guard and reserve forces are being assigned to all levels of u.s. cyber command and the cyber mission forces. can you elaborate on what the reserve component, specifically the national guard, bring to the table for the cyber mission? admiral rogers: well, you're able, through our guard and reserve teammates, you're able to access a set of manpower that potentially is using these same guilt sets in their day-to-day work in the private sector. you're able to also access at times a very different perspective, which works out very well, which is one reason why, as we were creating this cyber construct for the department, we were adamant from the beginning it needed to be viewed as a total force. that if we were just going to make this an active only component, i was not going to optimize the full range of capabilities that are out there.
4:49 pm
and so you've seen in the last , six months in particular, the guard and reserve capability starting to come online and flesh out as well. senator manchin: the thing i'm saying -- is i'm saying is, i -- the national guard in west virginia, we don't have a base and our guard is everything to us. admiral rogers: right. senator manchin: and being a former governor, i understand the importance of our guard. but we've been so active is basically, the aggressive recruiting. and some of our best and brightest and youngest people are coming into the guard for all the opportunities, especially educational. admiral rogers: right. senator manchin: it's an area they could designate and pinpoint for you to bring in some of these really sharp young talents that can help us defending ourselves, cyber. i didn't know if you all looked at -- admiral rogers: which is the guard -- the guard is doing now. senator manchin: i know -- and you all are in -- ok. admiral rogers: well. general (inaudible) and i spend a lot of time talking about how do we do this in an integrative way?
4:50 pm
senator manchin: again -- well, the other thing. in your testimony, you say that isis' main cyber effort is focused is propaganda, recruiting and radicalization of others. can you elaborate further on this disturbing statement and how they've been successful? admiral rogers: they've harnessed the power of the internet -- of information arena to promulgate their ideology on a global basis, to recruit on a global basis, to generate revenue, and to move money, as well as coordinate some level of activity on a large dispersed basis. the challenge i look for, or what concerns me is when i look at the future, what happens if a non-state actor, isil being one example, starts to view cyber as a weapons system? that would really be a troubling development. senator manchin: in a very simplistic way, people ask why can't we shut down that part of the internet, why can't we interrupt isis' ability to go on
4:51 pm
social media and attract? why are we not able to infiltrate that more? admiral rogers: i mean, i would -- the idea you're just going to shut down the internet given its structure and complexity is just not -- senator manchin: i've had senator manchin: i've had people rogers: right. senator manchin: just stop in that area of the world where all of the problems are coming from, whether it be in syria or parts of iraq or iran. things that we might have some input and control over. it's not possible? admiral rogers: right, it's just not that simple. i wish i could say that there's a part of the internet that is only used by a specific set of but there are all sorts of... senator manchin: i'm just trying to get an answer. admiral rogers: yes, sir. senator manchin: that question is asked quite a bit. admiral rogers: all right, senator. senator manchin: shut it down, like turn off your telephone. but it doesn't work that way.
4:52 pm
thank you for your service. if anyone on this committee can help, i'm sure we'll be there for you. admiral rogers: thanks, senator. senator mccain: senator sessions. senator sessions: thank you, mr. chairman. and admiral rogers thank you for , your service. you're, i believe, the right person at a very challenging time. you're the middle of some decisions that have to be made by the united states sooner rather than later. our -- congress passed -- well, carl levin was chairman then. we passed a requirement that the defense department evaluate vulnerability of our systems and to issue a report to how to defend those. that time passed. but we've issued another legislation last year that said the secretary of defense shall, in accordance with the plan, complete an evaluation of the cyber vulnerabilities of each major weapons system of the department of defense no later than december 31st, 2019. so we've given an additional date, there. but not later than 180 days after the day of this enactment, which i believe is may this year, the department of -- the secretary of defense shall submit to the congressional defense committee. the plan of the secretary for the evaluation of major weapons
4:53 pm
systems, including an identification of each system to be evaluated, an estimate of the funding required and priority among the evaluations. are you familiar with that? and are we on track to -- is the defense department on track to complete that initial report? admiral rogers: i am familiar with it. i'm sorry, i'm not in the weapon acquisition business. so, i'm not the best informed as to the current status. i know the effort is ongoing because we, u.s. cyber command, are part of that broader effort, partnering with at&l. if i could just take that one for the record sir, i apologize. senator sessions: well, if you would because this has been going on some time. so, on a bipartisan basis, congress recognized several years ago, that our weapons systems -- it started out for space, missiles and anti-missile systems being evaluated. and then we realized large segments of our defense capability are vulnerable. and we've had a broader report.
4:54 pm
i believe it is important for the secretary to complete this on time, if not sooner and i would hope that you would look at that. admiral rogers: sure. senator sessions: in light of chairman mccain's and senator inhofe's questions, i would refer to this gao report that just came out. the first line of this article is, quote, "the pentagon does not have a clear chain of command for responding to massive cyber attack on domestic attacks on domestic targets in the united states, according to the federal government's principal watchdog, gao. does that concern you? admiral rogers: first of all, i haven't read the report sir, so i'm not informed as to its specifics. i mean, i would argue hey, i'm always concerned about a clear chain of command and a clear articulation of responsibilities. senator sessions: well, i think the -- let's list of number of things that do appear to be unclear and how we respond. and the chairman asked you when do we -- aren't we going to need to develop a policy for how to respond to attacks and what we
4:55 pm
might do in response and how to , ratchet up responses relevant to the threats that we face. so i hope you would look at that. with regard to world-wide situations, does commercial and economic and private companies that are a big part of the entire network of cyber worldwide, many of those impact our allies, our friends and many of those could impose -- many companies could be based in countries that are not friendly to us and would like to penetrate our systems. are you concerned that all of our allies, asia, europe, need to be aware of this danger and are we working to make sure that segments of those systems aren't adopted -- purchased or impacted by entities that could be hostile to our joint interest?
4:56 pm
admiral rogers: so, i share your concern about supply chain vulnerabilities. that's a phrase we use to describe it. senator sessions: that's a good word. supply chain vulnerability, ok. admiral rogers: and it is growing in probability, if you will, given the nature of the economic world we're living in now. we have a process within the u.s. government to address these issues from major purchases, companies, national security priorities. we have a specific process in place for some components of dod infrastructure like the nuclear , world for example. but if you look at its proliferation of the issue generally, across both allies and ourselves, this is an issue that's only going to get tougher, not easier. senator sessions: could be going on for decades, it seems to me. and do we need to meet with our allies to develop a unified policy to protect our joint systems? admiral rogers it is a : discussion we have with our allies and it's much -- as you said, and this goes across the
4:57 pm
commercial sector, dod, government at large, it is out there for all of us. sessions: i thank you for your leadership. is the critical issue, and i hope you will not hesitate to lead and tell us what you need to do. >> admiral rogers, i need clarification of what your response abilities are in cyber command. are you responsible for protecting this country from cyberattacks on private networks and corporations, or is it simple e-government networks? admiral rogers: so dod has a responsibility to defend critical infrastructure against events of significant cyber consequence. senator king: so critical infrastructure, that -- for example, in maine, in may, we had three urgent care centers that were hacked. we had maine general health,
4:58 pm
which is one of our major healthcare -- they were hacked. is that -- is that part of your -- what's the definition of critical infrastructure? admiral rogers: there are 16 segments that the federal government has identified as having significant implications for the nation's security, but the second component i would , argue, of the definition i gave you of the mission is not just the sector that was attacked, so to speak, but also the magnitude of the event. in dod, we use the phrase significant cyber consequence, the concern being the department of defense is not resourced nor is it currently tasked with defending every single computer structure within the united states. so we try to identify where can our finite resources be best applied, and so they're focused on those 16 segments that have been designated as critical to the nation's infrastructure and then tripped in those circumstances in which the actions against one of those 16 segments reaches significant cyber consequence. senator king: but -- but in terms of national defense, we're being -- it's death by a
4:59 pm
thousand cuts. i mean, we're being hacked every day. insurance companies, businesses. some of it is cyber espionage, as you point out, but some of is just -- some of it is criminal. but it seems to me, we need to be thinking about who is responsible. i mean, i understand you don't -- you don't call out the army if there's a criminal if one town. you have local police. but there is a gap here. do -- do you see what i'm saying? admiral rogers: yes, sir. senator king: there's a gap in our defenses because we really don't have the infrastructure of the state police or local police that would protect local interests when they're being attacked and you have the expertise. we have to work out something between cyber command and local law enforcement, if you will, to protect us from these repeated and continuous and escalating attacks. admiral rogers: although, if i could, i'd urge us to think more broadly than just cyber command. i think the challenge is how do we harness the capacity and capability that is resident within our government structure, teamed with the capabilities
5:00 pm
that are resonant in the private sector? it's much bigger than -- don't get me wrong, we're definitely a part of this. but i always urge people, we have got to think much more broadly than -- senator king: i think that's a good way to articulate it. we keep talking in these hearings. when are we going to have a well-developed and articulated cyber deterrent strategy? and i emphasized in my notes -- i underlined the word articulate. it's not deterrence if it's not articulated. but we need definition of what is an act of war, what is a proportional response, what is a mutually assured destruction situation. this seems to me -- is this in works? and if so, when? admiral rogers: i mean -- sir, i don't have a date for you. that's well beyond the mission set of u.s. cyber command. i am part of those discussions. i'm the first to acknowledge that. i try to provide an input and
5:01 pm
just be one voice as to what i think is the direction, broadly, that we need to go. i apologize, senator, i don't have a specific date or time line for you. senator king: it just seems to me that, as a matter of policy, we -- we really need -- this needs to happen. we've been talking about this as long as i've been on this committee and we aren't there yet, and yet, something terrible is going to happen. a lot of people are going to say, well, why didn't we have a policy why don't we have a , deterrent policy? admiral rogers: yes, sir. senator king: so, i would urge you and counsels of the administration to push for a sense of urgency on this question. because if all we do is defense and there's no , deterrence, ultimately we're going to lose that battle. admiral rogers: yes, sir, it's a losing strategy. senator king: final point, and i know that you talked about this earlier. to justify your holding two -- i'm finding it harder and harder to justify your holding two jobs, given the complexity. i mean this arrangement was , created in 2009, which in technological terms, is a century ago.
5:02 pm
and i just can't -- i mean, i understand the relationship between nsa and cyber command. but particularly if we move in the direction, which i think we are, of setting up cyber command as its own independent combatant command. to have the same person trying to run those two agencies i just think is impractical and almost impossible. admiral rogers: i've been doing it for two years to date. senator king: and you've been doing it very well. admiral rogers: so, what i -- as i said in my initial comment, i agree that it's something we need to continue to assess. i agree that in the long run, the probably best course of action is to ultimately put both organizations in a position where they're capable of executing their mission in a complementary and aligned way, than in a more separate way. but the reality is, we're just not ready to do that today, i believe. now, don't get me wrong, if i am ordered a directive, i get paid to make things happen and i will , execute it to the best of my ability. senator king: but i take it you
5:03 pm
agree that we should move the -- cyber command should be its own combatant command? admiral rogers: i do, sir. senator king: yes, sir. thank you. thank you, mr. chairman. senator mccain: subject to the will of the entire committee, that would be my intention, and i -- senator reed and i would propose that on the defense authorization bill. right, jack? senator reed: well, i think so, sir. i think that's something we're going to consider. but i think it's valuable to have admiral rogers' comments today and consider them as we go forward. senator mccain: thank you. senator fischer. senator fischer: thank you, mr. chairman. i look forward to the discussion on raising cyber to its own combatant command. and i look forward to our discussions as a committee on the importance of cybersecurity for this country. admiral rogers, in your prepared statement, you mentioned the cyber attack on ukraine's power
5:04 pm
grid, and you also note that you have seen cyber actors for more than one nation exploring the networks of our nation's critical infrastructure. do you believe that our national teams possess the necessary skills relating to industrial data systems to be able to stop or to recover from an attack on our power grid? admiral rogers: we have the skills. the challenge for us at the moment is one of capacity. what i mean by that is, in the two years i've been in command, i have yet to run into a situation where we didn't have the skill set to apply against the problem, but the challenge at the moment -- because we're still in the midst of that build -- is sometimes that skill set is embodied in an incredibly small number of people. and if we had multiple events simultaneously, for example, that gets to be -- under the current -- where we are right now, it's snap the chalk today, so to speak, capacity really is the greater concern to me than capability, if you will, if that makes sense. senator fischer: well, i understand your demands on the force to exceed that capacity.
5:05 pm
but as you add those capabilities, how are you going to prioritize the duties and the responsibilities that you're going to have? how do you plan to prioritize placing that building competency with our industrial control system? is that going to be something you're going to focus on in the near term, or is it going to take a back seat to maybe some of the other areas that you're looking at for the cyber mission forces? admiral rogers: so it's something we're doing right now. i would also highlight that the very construct of the force, by creating a separate section of the force that is focused purely on defending critical infrastructure was designed to account for that. how do you make sure you prioritize this capability and ensure that at least an element of the force that we are building is focused like a laser on the defend the critical
5:06 pm
infrastructure mission set? it's a carved out, separate entity. it's the national mission force we call it. general nakasone is my component commander doing that. senator fischer: you have a plan to work with the services then on building that program? admiral rogers: oh, yes, ma'am. senator fischer: is it near completion? you heard senator king ask about policy. we've been asking about policy for a long time. we don't have a policy. so if we don't have a policy, how are we going to develop plans? admiral rogers: well, what i remind people is look. even as we're trying to get to the broader issues that you have all raised, much of which is outside the immediate mission set of cyber command, hey look. our mission is generate capacity and capability and ensure that we're ready to go as those broader issues are being discussed. so we're trying to deal with the deterrence piece by generating the capabilities that we think will be part of that deterrence discussion. i don't want to wait for everything to fall in place that
5:07 pm
we can just afford to do it. as perfect as it would be in some ways. senator fischer: i agree with you there. we don't have time to wait. admiral rogers: yes, ma'am. fischer: when we look at the department, what level of communication do you have with the different communities within the departments? say the -- with regards to acquisition or installations to ensure that the items we purchase or the facilities that we're building are able to take those threats that we're looking at from cyber into account? admiral rogers: i would tell you the acquisition piece is one of the areas that we still need a lot of work. it's not because people aren't working hard. but i've always been struck by the analogy, we would never by a ship, a tank, an aircraft, without the operational vision driving exactly how we designed it, built it, structured it. and yet, for much of our networks and infrastructure, that has not historically been our model.
5:08 pm
we just built those, we bought those. we focused on efficiency and price. didn't really focus on operational impact. and we really didn't think at the time that we'd be dealing with a world in which intruders, foreign actors and non-state actors, would be using those systems as access points to materially degrade our ability to execute our missions as a department. we just didn't anticipate that decades ago. and that's the world we're in now. we're trying to overcome literally. senator fischer: well, it's happened in private industry. admiral rogers: right, decades of investment we're trying to overcome. senator fischer: and do you -- last question. do you have any knowledge if our adversaries have targeted any infrastructure on our military bases? admiral rogers: yes. senator fischer: thank you very much. admiral rogers: yes, ma'am. senator mccain: senator blumenthal. senator blumenthal: thank you, mr. chairman.
5:09 pm
and thank you admiral rogers for your extraordinary and distinguished service in so many roles over so many years. i want to focus on the challenges of recruiting young people in an age where the best and the brightest who have knowledge in this area have so many opportunities, many of them highly paid and challenging in their professional issues. young americans are entering the workforce with computer technology that has been part of their entire lives. not so much for us of a certain age, but for them, yes. and i wonder if you could tell us how successful you and the obviously incomparably important forces under your command have been in recruiting and maintaining talent in this time and what we can do to help?
5:10 pm
admiral rogers: i'm very comfortable with where we are on the uniformed side. the same things that lead a young man or woman in our nation to decide they want to pick up a rifle and take on that challenge leads men and women to decide they want to put on a uniform and pick up a keyboard. that has not been the biggest challenge. the area that i've -- i've told the team we probably need to take a greater look at is on the civilian side of this because we have got -- our vision is you've got to create a workforce , that is both active and reserve military as well as civilian component to it, so we get that breadth of expertise that that you've referenced. , while we're meeting our targets right now on the civilian side, as i've said, there's a couple skill sets already where i think i'm going to have to come back to the committee to say look, i'm could probably need some help here with -- can i come up with some different processes or options that would
5:11 pm
make things more attractive to particularly some very high-end, very small number of skill sets that i don't have huge numbers of, but they're incredibly valuable for us? that's one area where i'm thinking i'm probably going to have to come back. i have to work this with the department first, but my experiences telling me you know, , mike, we need to step back and take a look at this piece of it. senator blumenthal: is there sufficient -- are there sufficient resources devoted to research, the personnel available to supervise that research, and in effect, planning for the future? admiral rogers: right. i mean, there's -- i'm not going to pretend for one minute that you have all the people and all the money that you would like. it's -- i would argue -- characterize it as reasonable right now. it's not a major issue in the sense that as a commander, i've said to myself, wow, we've got a
5:12 pm
significant deficiency here that will impact our ability to execute the missions. i haven't seen that. senator blumenthal: i -- i know you indicated earlier you haven't read the gao report. admiral rogers: right, right. senator blumenthal: but i wonder, focusing on the local capability, and particularly on the private sector, the infrastructure segment that you mentioned earlier in some of your conversations with my colleague, transportation, financial, electric. how well are they doing in protecting themselves? admiral rogers: i would -- if you look across the 16 segments and the private sector that have been designated as critical infrastructure in terms of impact on the nation's security, i would argue some are a little , some are ahead of others. i'd probably put -- financial, for example, not surprising in the sense that it has access to more resources than some, has come to the conclusion that cyber potentially calls into question their very business model since it is built on the idea of trust and the ability to move funds globally, simultaneously through these
5:13 pm
transactions if you will, that we all believe in and trust. and, on the other hand, there are some industries and in their defense, i look at them and they're quick to remind me. hey, remember, our business model is different. we're a regulated industry for example. in order to generate resources to apply to increase our cyber defense, our cyber capability, the only way for us to do that is raise rates for example. most consumers not really enthusiastic about that, most regulator bodies not necessarily overly enthusiastic about that at the moment. senator blumenthal: and those regulated industries would be, electricity -- admiral rogers: like power is an there's a couple of others that example. fall into that. senator blumenthal: and are there unregulated industries that are also in need of improvement that you would put at the bottom of that list of readiness? admiral rogers: there are some that i think i've publicly, previously talked about. health care, for example, is one of the 16 segments i look at and
5:14 pm
i go, that's an area probably that needs a broader top to bottom. look, i'm the first to acknowledge, its really outside of my immediate mission area. i don't bore into it everyday. but as i look at where -- potentially where we're going to be tasked to provide our capabilities to partner with, it's an area that i pay attention. senator blumenthal: thank you there he much. thank you, mr. chairman. >> thank you mr. chairman. admiral rogers, first of all, thank you for your service. i i find it interesting, that as as you work your way through this, you're in a brand new area and you're trying to determine how to respond and how to protect. it seems that when you lay this out, and you say you have 16 different segments within the realm that you're responding to.
5:15 pm
it's fair to say that they break out into either information or data systems and operating systems, in terms of the way that we look at what the data is or the different systems that we're looking at as being vulnerable -- a data system being the collection of information on individuals and operating systems being those systems perhaps necessary for the infrastructure within our country, a fair way to break out? admiral rogers: i guess that's fair. to be honest senator, i've never really thought of it that way. not that that's a bad way, i just haven't. >> well, the reason i ask, it would seem that while information systems would contain material, or information that would be of a private nature perhaps, that trade secrets that may very well be information on an individual, such as the information we lost at the federal level when our federal systems were hacked. at the same time, we have an operating system out there for the utilities. we have operating systems out there for dams. we have operating systems for nuclear power plants. clearly, in those areas, if someone with intent could get into an operating system, they could do a significant amount of damage.
5:16 pm
perhaps bodily injury as well. based upon that, when you look at your role and the role of cyber command, do you see this as protecting -- do you see them different in terms of how you protect, or do you see your role different with operating systems versus data and information collection systems? admiral rogers: so our protection scheme, if you will, is based on who different pieces of strategy. the first component of our strategy is our intent is to go into foreign space to stop the attack before it ever reaches those systems. the second component of our strategy is to apply defensive capability, working directly with each of the individual elements, if you will. to say, if that fails we'd also , like to work with you on how you might shore up your systems and your vulnerability. the other point i want to make sure i articulate and i probably
5:17 pm
, should have done a better job this morning, as a reminder. u.s. cyber command and dod at large provide our cyber capabilities and defense of critical infrastructure in the private sector in partnership and in support of dhs. dhs has overall responsibility in the federal government for the provision of government support to the private sector when it comes to cyber. so, i don't want people thinking, well, it's just cyber command and just the private sector. there's a broader set of players out there that we integrate with and we support as we execute the mission. senator rounds: an attack in either case would be done in milliseconds, fair to say? so, unless we have the system in place and when we know whether or not we're there to respond or to correct -- to protect, in advance, we don't know whether or not we're going to be able to do it in time. at that point, then we simply respond afterwards. would you say that today, we have systems in place to appropriately protect -- for lack of a better term, i'm going
5:18 pm
to call the operating systems and the information systems that we have -- do you feel that the protocols are there? and i'm going back to what senator king was alluding to earlier. i'm not sure we have the definitions prepared yet to allow you to respond immediately within milliseconds, unless we talk about it and we lay it out. is it there today? admiral rogers: so across the board with every single component of the private sector, no, it is not. the other point i would make is cyber's no different than other domains in the sense that, the importance of intelligence to provide us insight as to what is likely to be coming at us, gives us the knowledge and insight, the warning, if you will, to anticipate and act in advance. it's every bit as true for the centcom commander as it is for me as cyber command. the warning continues to be critical for both of us. senator rounds: today, if our forces were aware of it attack on them, they have the ability to respond. but if it was property or entities that are within the
5:19 pm
united states do you have the , capability to respond today, if it is not a military but a civilian or a civil target? admiral rogers: so, is there a process? yes. is it something i can do automatically, instantaneously? no. senator rounds: if that's the case, then it has to happen first then, because for all practical purposes, the attack will be instantaneous. admiral rogers: well, we have to get the warning in advance. that importance of intelligence. senator rounds: but even if you get the warning in advance, in terms of it, would have to be enough time for you to get out and to have a political discussion for all practical purposes, about whether or not you can -- admiral rogers: again, it would depend by the scenario. because there's some mechanisms where we've got mechanisms in place for the application of capability. it's just a process, if you will, as opposed to a broad... senator rounds: but not one that can be done in milliseconds? admiral rogers: right, no, i'm not going to pretend for one minute that it's something you're going to do in milliseconds. senator rounds: thank you, thank
5:20 pm
you, sir. thank you, mr. chairman. senator mccaskill: thank you, mr. chairman. thank you admiral, for being here. admiral rogers: senator. with your acquisition personnel. -- senator mccaskill: let me start with your acquisition personnel. some of the saddest stories of waste have been in the acquisition of it within the military, frankly within government. a lot of that has had to do with knowing what you need to buy, when you need to buy it, and when legacy systems need to be scrapped and how nimble can you be with off the shelf. i'm not sure the military has been a great example of that flexibility and the ability to move with the technology. so i think these acquisition personnel are pretty important. so do you have the ten in place that are supposed -- that we authorized in order for you to make the wisest acquisition decisions possible in light of a history littered with serious mistakes and lots of -- billions and billions of dollars wasted? admiral rogers: well, first, just as a reminder, i'm member of cyber command. i operate and defend. i don't
5:21 pm
buy. you have been kind enough, the the committee and the congress has been kind enough, to provide, if you will, an initial capability to do this. we're in the process of hiring those 10 individuals that you have authorized. i am very mindful of -- as i remind the team, it is about generating outcomes, guys. that's why we're granted this authority. that's what we need to be mindful of. i'm not interested in spending money for the sake of spending money. it's about generating capabilities that directly impact our mission in a material way. senator mccaskill: well, i would be interested in -- in -- in how you are acquiring, with more detail, if you would. admiral rogers: yes, ma'am. senator mccaskill: provide it, how you're finding the right acquisition personnel. and how competitive are we in finding the right acquisition personnel? because in many ways, i think that's the key to the kingdom. if we're going to have the capabilities in this space, a lot of it is, you know, people being trained, but a lot of it is also underlying -- admiral rogers: yes, ma'am, you have to buy the right
5:22 pm
capabilities. senator mccaskill: capabilities. and -- so i just -- i'm really worried about getting the right people making those decisions, so i would like to stay updated in that progress. what kind of coordination does your command have at this point with our nato allies, with israel, with our arab allies? i'm particularly interested in any coordination you have in cooperation with nga. admiral rogers: so i'm not going to probably say -- senator mccaskill: obviously. admiral rogers: unclassified . i would only tell you we partner with -- we have a handful of nations right now. we have a very direct, very real relationship with with respect to capabilities, real-world operations. i won't go into the specifics of the who. one of the challenges i find is, cyber, like any other mission area, we have got to prioritize. so when i look at foreign partnerships, i ask where is the greatest return for us as a department, as the dod? and where's the greater return for us, u.s. cyber command, in terms of the ability to execute our mission? i spend almost as much time with the discussion with the team
5:23 pm
about what we're not going to do as what i discuss what we are going to do. i always remind them, especially since we're still in the midst of building this capability out, prioritization, prioritization, prioritization, guys. we can't do everything. and so we've identified an initial set of foreign partners, if you will. those partnerships today are generating capability that we're actually using today. senator mccaskill: great. and maybe in a classified setting, i could get more information. admiral rogers: yes, ma'am. senator mccaskill: what is the ratio of civilian versus military within the command at this point? admiral rogers: it's about -- we are trying to build about 80% military, 20% civilian. if you looked at it today as a snapshot, it's probably -- off 70%-30%,op of my head, 70% military, 30% civilian. senator mccaskill: and what about contractors? what is the ratio on contractors?
5:24 pm
and what is your goal on contractors? because this is it -- admiral rogers: right. senator mccaskill: and of course, you know, underlying that is a concern about the actual screening of contractors. what -- what is your -- what is your ratio now of contractors to dod? and what do you want it to be going forward? admiral rogers: we probably, right now -- apologize, i'm trying to do the math in my head. it's probably about 25 percent. we have an -- over and above the government civilian and , military, we have an additional 25% -- off the top of my head, we have about an additional party 5% on the contractor base. senator mccaskill: and is that where you would like to be going forward or do you see more reliance on contractors going forward? admiral rogers: i'm a little bit leery of over becoming reliant on contractors. why? because i try to remind people cyber is a domain in which we conduct a wide range of military operations and in , accordance with the law of
5:25 pm
armed conflict, those operations need to be conducted by military personnel. so i'm not trying to minimize the role of contractors, i'd just try to remind the team it's not one size fits all, so we've got to step back and ask ourselves what is the right allocation. i'm pretty comfortable right now. i wouldn't argue it's among my highest priorities in terms of increasing the ratio of contractors. i would argue right now, probably priority number manpower wise, as i've said, is one the civilian peace. i'm very comfortable with -- we're tracking, and we're going the right way in the uniform piece. the civilian areas, where know i'll be paying more attention to in the coming year. senator mccaskill: thank you, admiral. admiral rogers: yeah. senator mccain: senator graham. senator graham: thank you for your fine work, admiral. can you hear me? admiral rogers: yes, sir. senator graham: ok, what are the threats, nation state wise, in terms of who we're most threatened by? admiral rogers: i would argue russia and, again, probably in terms if you look at capability, the other four that we have publicly acknowledged we pay great attention to china, iran,
5:26 pm
, north korea. and then the non-state actors is the other category where i looked, that could be a game changer, were some of the dynamics to change. senator graham: on the terrorism side, could you give us the top couple of terrorists organizations you're worried about? admiral rogers: it's not that i don't know -- an unclassified forum -- senator graham: ok, well, we won't go down that road. admiral rogers: thank you, sir. senator graham: on the criminal side, what areas of criminality do you worry about the most, what countries? admiral rogers: i would argue right now russia probably has the most active criminal element with the most -- with the greatest capability. graham: do you think the russian government's doing anything constructive in terms of regulating their criminal activity in cyber? admiral rogers: i would only say it doesn't appear to be getting much better. senator graham: what about iran? has iran gotten better in the last year in terms of their cyber activity? admiral rogers: yes. senator graham: are they less threatening? admiral rogers: i apologize, i'm not sure -- senator graham: are they less threatening or just more capable? admiral rogers: i'd argue they're increasing their
5:27 pm
investment, they're increasing their level of capability. we've not seen the same level of activity from them that we've seen historically in the past. i have seen some of that same activity directed at other nations and other groups around the world. senator graham: they're improving their capability? admiral rogers: yes, sir. senator graham: do you know if any of the money they're getting from the iranian nuclear deal has gone into their cyber upgrades? admiral rogers: i don't know for a fact. senator graham: ok. is it fair for the country to establish as a policy cyber dominance over enemies that we want to be -- have a dominance in this area of warfare? admiral rogers: i mean, i want to think -- i would argue we want to have the same level of capability and supremacy in cyber as we have articulated that we want in every other. senator graham: well, i think that is a good goal. so, let's march down that path. and i associate myself with senator king about what we need to do as a nation. the navy. the difference between the chinese navy, the russian navy and the american navy is pretty wide? admiral rogers: yes, sir. senator graham: in the cyber arena, how close is it? admiral rogers: i have publicly stated before, the russians i
5:28 pm
would consider in cyber a pure competitor. china not in the same place, but rapidly attempting to get there. senator graham: so, the gap between the dominance we have on the seas, and cyber is not nearly -- rogers:not nearly the admiral rogers: not nearly the same. senator graham: ok, when it comes to iran, when you compare their air force to our air force, what's the gap? admiral rogers: significant. senator graham: ok. and the cyber arena, less significant? admiral rogers: less significant, but it's still an area of advanced -- significant advantage for us right now. senator graham: are the iranians trying to close it? admiral rogers: oh, they are. senator graham: so from a nato point of view, you're familiar with article five, an attack against one is an attack against all? is there any concept in the cyber arena? admiral rogers: i mean, you've heard nato publicly talk about the fact they believe article five applies to all domains of warfare. senator graham: do they have any rules engagement that would
5:29 pm
identify what a cyberattack is? admiral rogers: they're probably in the same arena we are, still trying to work our way through that. senator graham: when do you think we'll arrive at that conclusion to senator king's question? admiral rogers: boy, i don't graham: whatenator is the biggest impediment to us getting us there? is it congress? is it the dod? admiral rogers: no. it's as much in some ways as -- again, this is just mike rogers opinion. it as is much in some ways, from my perspective, as -- well, this just an intellectual exercise. this is something we can afford to push down... senator graham: the department of homeland security is responsibly basically for protecting us in the financial service power arena, our civilian targets. admiral rogers: sir. senator graham: you're responsible for protect the military infrastructure -- admiral rogers: and we provide support to that commercial infrastructure -- senator graham: that's right. admiral rogers: if requested.
5:30 pm
senator graham: but you're also responsible for going on offense. admiral rogers: yes, sir. senator graham: dhs is not going to attack a foreign nation you would. admiral rogers: yes, sir. senator graham: so how could we, as a nation, given the threats that we face in the cyber arena, mr. graham: who do you talk to, about, hey, guys, let's see if we can get there? mr. rogers: the secretary of defense or the office of secretary of defense. mr. graham: how do they respond? mr. rogers: we understand that's what we need to do. it's generating that consensus -- mr. graham: is there anything congress is doing -- not doing that you'd like us to do to help us resolve this issue? mr. rogers: i can't argue that it's sl something that congress has filed -- that it's something that congress has failed to do. i don't see that. mr. graham: thank you. >> thank you, mr. chairman. admiral, i know that you talked a little about cyberteams app in response to -- cyberteams in
5:31 pm
response to our earlier questions. i think leveraging our national guard in establishing many of these cyberteams is a good idea. as you and your colleagues look to establish additional cyberunits in the future, and while i'm sure you're looking region, meaning the pacific region, i ask that you look closely at the needs of the asia-pacific region. in hawaii, for example, as you well know, we have paycom, n.s.a. hawaii. various component commands and other regional officers that are -- offices that are likely targets for cybercriminals. ms. hirono: as we focus on the rebalance of asia-pacific, obvious. i wanted to get to a question. last september the u.s. and china did agree that neither government would support or conduct cyber and enable intellectual property. now that we are six months down the road, would you say that china is living up to this
5:32 pm
agreement? and i don't know how specific that agreement was, frankly, but it seemed like a good idea for the two countries to enter into that kind of a dialogue and discussion. but really, what is happening with regard to that agreement? mr. rogers: if i could. what the agreement said was neither nation would engage in that activity for the purpose of gaining economic advantage for their private sector. we continue to see chinese activity in this regard. the million-dollar question is, is that activity for governmental purposes or is it being then passed from the government to the private sector? from my mind, the jury is still out in that regard. its activity level is somewhat lower than prior to september of 2015. ms. hirono: is there any way that we can determine whether china is engaging in such activity? are there any parameters, is there anything that we measure
5:33 pm
to determine whether this agreement is being adhered to? mr. rogers: yes, ma'am. i'm not going to go into specifics but, yes ma'am. ms. hirono: one of the areas -- thank you. maybe in another context we can get to some of those questions. with regard to our ability to cyber capabilities, training and retention really important. in that regard, stem education is critical. can you just talk a little bit more about what you are doing to -- any collaborate rapingses, partnerships you're doing with universities or community colleges to train a work force for us? mr. rogers: let's take hawaii as an example. today in fact, the general for the guard in hawaii is meeting in a complex with u.s. cybercommand, n.s.a., and elements from across the aisle
5:34 pm
and on owe a hue to include the academic -- oahu to include the academic sector. how do we include a capable work force to meet elements, how can we partner more effectively in aligning that capability to deal with issues of common interest to us in this case, on oahu specifically, in the state of hawaii, and more broadly, you see that same -- hawaii is an area where we probably are -- have gone further than others, but you can see that same type of activity for u.s. cybercommand right now with what we are doing with a handful of universities across the united states, from the west coast, carnegie melon, some west coast universities, tulsa, you heard there's one -- i want to say something on the order of 60 to 100 right now between n.s.a. and cybercommand. there's one area where n.s.a. and cybercommand tend to partner together a lot.
5:35 pm
ms. hirono: obviously that needs to continue. because our cybercapabilities is something that is going to be an ongoing effort. you mentioned the importance of the private sector and the whole of government plus, you know, outside of government approach to cybersecurity needs. so, how do you envision the private sector's role? mr. rogers: what we've tried to do at cybercommand is, what i think the private sector brings is technical innovation, intellectual innovation, if you will, broad knowledge of alternative and ways to look at problems. those are at a macrolevel the three things. when i look at the private sector i say, wow, you really could add value for us in that regard. what we've done to date is we've create what had we call a point of partnership in silicon valley where i placed a very small element on the ground.
5:36 pm
the part that's interesting to me is, i did not want u.s. cybercommand people out there. instead what i wanted was one individual who is a u.s. cybercommand individual and then i wanted to harness the power of reserve individuals who are currently in the ecosystem in the valley, working in their day to day jobs. we've just started that since last summer. that's starting to work out very well for us. it gives us a chance to get a sense for what technical innovation is going on out there. we approach them with different problem sets and say, hey, here's an issue we're still trying to work our way through. how are you handling this? or would you give us some suggestions on how we might deal with it? i'm trying to see if we can replicate that model that we currently have in place in silicon valley, in other areas. i'm looking at the east coast next, kind of as an example of that. somewhere in the greater boston area metro next. ms. hirono: it sounds like an informal kind of arrangement now. maybe going forward would you want to maybe institutionalize kind of collaboration with
5:37 pm
the private sector. mr. rogers: yes, ma'am. ms. hirono: thank you, mr. chairman. >> i don't envy you with the job you have. the complexity. and then the additional challenges that we have as the chairman has said, about sequestration, thanges are on the horizon, that you have to worry about. in listening to the discussion, i think one thing that's very is we're never going to have the perfect weapon. absence the united states coming up with a game changing offensive or defensive capability of the scale of the manhattan project, you can't possibly get inside the decision cycles of the state actors, the organized crime, terrorists and other people. till till when you think about decision -- mr. tillis: when you think about decision cycles in this realm, you think about every single day you get new malwear, viruses, other technology added to your p.c. to deal with new threats that didn't exist a day or two or a week before.
5:38 pm
so, i'm trying to get my head around how you really even segregate your scope of responsibility, which is largely, you know, the vulnerabilities of say the d.o.d., or however you would like to define that, and how you differentiate that from the broader private sector threat. i mean, you've got 28 million small businesses, you have close to 19,000 businesses with 500 employees or more. you have distributed public sector infrastructure, whether it's electric, water, gas. and the concern that i have is, what we have right now are the equivalent of gorilla sniper fire or mortar attacks. we haven't seen, and i think that we will see, some day, a nation state or organized crime or terrorist organization literally being in a position to execute a multipillar attack that if they're smart, and they are, what they will do is something to disrupt you.
5:39 pm
and then disrupt your ability to react to it by attacking the private sector, which is also integral to your supply chain. so, you know, how are we looking at this on a global basis and understanding that as they continue to increase their abilities, they're going to figure out a way on a multipillar basis to go after communications infrastructure, a supply chain infrastructure, health care, electric, whatever public infrastructure may be vulnerable, how do we actually get these things to could he aless versus finding out -- coalesce, versus finding out, we do a good job in d.o.d., we create a line and they go around it and disrupt you from a different direction. mr. rogers: so you have very succinctly articulated many of the problems and challenges of how you operate in this environment. these arbitrary boundaries that we traditionally consider, this is a d.o.d. function, this is a private function, this is an inherently government -- cyber just blurs these lines. so, even as i focus on the d.o.d. mission, it's one reason
5:40 pm
why i've argued, we have got to think so much more broadly about this problem. within the d.o.d. arena, it's one of the reasons why, for example, if you look at our exercise in training regime that we put in place, we try to do that not just within the d.o.d., but across a breadth of the private sector. cyberguard is our answer exercise, it will be in june of this year. we pick a different segment, if you will, every year, we're going to do the power segment in this year's exersiles. i think it's something like 20 different corporations will be exercising with us. the guard, state, local. mr. tillis: that's what i'm getting to. it's almost as if your military exercises have to involve all of these players, so that they have a better understanding of their vulnerabilities in the nature of the attack that would occur and the other question i had is, to what extent are we looking at state and local governments as a way to at
5:41 pm
least, in north carolina i served in the legislature, we were talking about what we can do to work on cyberthreats. i saw it also an economic advantage. if states became particularly good at grid hartening -- hardening or at securing the physical presences and cyberthreats within their state borders, they create an economic advantage for people to set up business in the state. to what extent are we trying to lead and help make this problem a little less difficult at the federal level by making sure that the states and local governments are stepping up their game as a part of the effort? mr. rogers: it's one of the reasons why there's a big guard component to this effort. to ensure we can also try to address this state and local aspect of this. mr. tillis: thank you. i have a million different questions. i think what i'll probably do is see if i can schedule some time in my office to go over a number of other ones. we may have to do some in a secured setting. thank you very much.
5:42 pm
>> thank you, mr. chairman. one of the issues is in fact sort of the services being able , within your resources, to fully develop the units that they will detach to you or provide through operational control. mr. reid: can you give an assessment of sort of where we are -- where they are in terms of doing that? across the services? mr. reed: so, that really goes to the heart of readiness, if you will. and one of the -- so in september, when i was with you, one of the things i said then during that session was, that i thought one of the reasons why 16 was going to be such a big game changer was, i thought we'd get more involved in the total breadth we needed to shift from a focus
5:43 pm
to actual readiness. are we ready to employ this? we have spent the last six through, how do you define readiness in the cyber arena down to the team have an that i awareness of the true capability of forces. provide policymakers a true picture of this. mr. reed: a nightmare scenario, one of these nations acquires the capability to shut down satellites? mr. rogers: there's two
5:44 pm
scenarios that really concern me. one is the physical shutdown and interdiction of capability. the other scenario -- mr. reed: explain the first one. mr. rogers: if you were to shut down -- look at it from a d.o.d. perspective, much of what we rely on for our enablers as a department are commercial infrastructure, power, our ability to move force, for example. if you were able to try to take that away or materially impact the ability to manage an air traffic control system, to manage the overhead structure and the flow of communications or data, for example, that would materially impact d.o.d.'s ability to execute its mission. let alone the broader economic impact for us as a nation. the other concern i have is to date most penetration of systems by actors has either been to steal data or reconnaissance. what if the purpose of the
5:45 pm
intrusion becomes to manipulate data so you can no longer believe what you are seeing? think about the implications of that, if you couldn't trust the military picture that you were looking at, that you're using to base decisions on. let alone the broader economic mpacts for us as a nation. >> i wanted to first start with a statement you made earlier, i think, to a question from senator mccain about does russia have the capacity to inflick series harm on infrastructure and you said -- inflict serious harm on infrastructure and you said yes. do we have that capacity to do to russia's infrastructure? mr. rogers: in an unclassified hearing i'd rather not get into that, if i could, ma'am. ms. shea-porter: let me put it in the context -- ms. shaheen: let me put it in the context, i assume there's mutual deterrence that goes on when
5:46 pm
we're talking about some state actors. mr. rogers: it's a lot more complicated than a yes or no. ms. shaheen: i hope we will be able to ask that question in a classified setting. i had the opportunity over the last two weeks to visit he is to enyarks which is -- estonia, which is one of the most wired countries in the world and also the -- probably the first victim of a cyberattack by a nation state. by russia. i had the opportunity to visit the cybercenter that's been accredited by nato and to hear them talk about how they think about cyber issues. could you talk about how cybercom works with our nato allies? mr. rogers: i've been there myself. i've been to the center. i was just in brussels, for example, in december and as u.s. cybercommand, i addressed the north atlantic council as one of the member nations was
5:47 pm
asked to talk to leadership of the alliance about implications f cyber and how lengthy and -- [inaudible] -- how lengthy alliance will work its way forward as we try to deal with the cyberarena. cybercommand, i try to partner both with the alliance as a whole, as well as specific member nations on specific issues within the alliance. what i suggested to nato is, i think the real key is, you have to get the defensive house together, number one. and then secondly -- ms. shaheen: explain a little more what you mean when you say that. mr. rogers: much like we've seen on the u.s. side, i said, look, i see nato as spending a lot of time and it's a good thing, focused on defense of nato's fixed infrastructure. but i also remind them that i think there's value in spending time thinking about, for example, as nato is creating additional capability, additional force constructs to be able to apply traditional
5:48 pm
capability in a much faster way . i've also been part of discussions where i remind them, even as you're generating that additional force, that additional capability, you need to be thinking about what are the cybervulnerabilities and cyberdefense implications of that. because we can spend a lot of money ognjen rating new capability. but if it has vulnerabilities that quickly negate its ability to be used, that's not a good situation for the alliance or for us. we're dealing with the same challenges. i've had those discussions with the alliance writ large. ms. shaheen: how do we increase their participation in training exercises like sigh -- like cyberflag? mr. rogers: cyberflag, for example, we have some nato nations that participate in cyberflag which is u.s. cybercommand's largest exercise. i won't say we have all 28 member nations at cyberflag. we -- over time you'll see more and more nations participating.
5:49 pm
one of the things i've talked to nato about, although we haven't yet fleshed out the how, is how might we go about taking a look at a cyber exercise or training regime. this is just a preliminary discussion. when i was there in december, i said, hey, look, i think this is something we need to be thinking about. ms. shaheen: one of the things i was really interested in was hearing about the estonian defense league. you were talking about earlier in your testimony, about the effort to take advantage of the expertise in the private sector. to help us as we're looking at cyberissues. i was very interested, one of the things i heard was that distribute reality is, we can't -- the reality is, we can't completely prevent a cyberattack. what we've really got to do is be prepared to respond to that attack. in the way that is most effective and most -- and fastest. and they were talking about
5:50 pm
their defense league as one way that they are able to do that. is that something that -- recognizing that we're probably not talking about -- but is that what you're looking at what you're talking about the teams that are being set up to help respond? mr. rogers: it's a little different in the sense that -- the idea behind the cyberleague for estonia is you have private citizens who volunteer -- on a voluntary basis will apply themselves at specific problem sets. as they emerge. kind of after hours, after work, on their own time. that's kind of the model for the cyberleague in estonia. they use that to augment their government and private sector capabilities. on the u.s. side, for us and the d.o.d., that cyberleague, i would argue, is a cross for us and our structures between the digital service arena that d.o.d. is creating, as well as the kind of guard construct. although the difference is, when the estonians do it,
5:51 pm
you're doing it purely on your own time, purely as a citizen, not as a uniformed member of the guard or reserve so to speak. so it's not exactly the same. but the thought process -- the idea of trying to tap that is similar. ms. shaheen: thank you. thank you, mr. chairman. >> thank you, chairman. i want to thank you, admiral rogers, for your service to the country. i wanted to just ask you abouta basic question. you have a substantial responsibility in your position. what keeps you up at night? what is your most worry -- what is it you're most worried about that we need to understand? mr. rogers: based on the work load, i have no problem sleeping. but secondly, there's three things generally i highlight. number one, actions taken against critical infrastructure in the united states, damage or manipulation. number two, what happens when actors start to no longer just enter systems to do
5:52 pm
reconnaissance or to steal, but actually to manipulate or change data so that we no longer can believe what we're seeing. and the third and final thing in the cyberarena is, what happens when nonstate actors start to view cyber as a weapon system. and they want to use it as a vehicle to inflict pain and -- against the united states and others. >> to the third point you made about nonstate actors using cyber as a weapon system, how grave a threat is that to us currently? mr. rogers: i would argue that it is not -- you know, it's one of these you say it and tomorrow something will change. today what i will tell you is, i have not seen groups yet make huge investments in this. but i worry that it's a matter of time. because it wouldn't take long. one of the challenges of cyber, in addition to what we previously talked about today about how it doesn't recognize boundaries, it doesn't take billions of dollars of
5:53 pm
investment, it doesn't take decades of time and it doesn't take a dedicated work force of tens of thousands of people, like you see most nation states deal with. cyber is the great equalizer in some ways. yotyot what will the greatest -- ms. ayotte: what are the greatest risks as you can describe them? mr. rogers: in that regard, what i worry is, based on the accesses and the activity that i've seen of some nation state actors out there, what happens if they decide that they want to -- for some period of time -- disrupt the things we take for granted. the ability to always have power. pumps. ms. ayotte: power systems. financial systems. mr. rogers: to move money. if you take a look at the scenario of the ukraine on the 22nd of december, imagine had a scenario like that unfolded in the united states. i'm not going to argue that someone's capable of making the united states totally go dark.
5:54 pm
but i would argue there's capability there to cause significant impact and damage. ms. ayotte: that's why you discussed the need for the coordination between government, private sector and across the whole of government. mr. rogers: right. ms. ayotte: i wanted to ask you , the law that was changed by congress, in terms of the n.s.a., holding of information, u.s.a. freedom act. can you give us an update on what is happening with that and whether that's working and any concerns you have? i think it's an important question for us to check back in with you on. mr. rogers: yes, ma'am. if i could in an unclassified hearing, i'm not going to go into great detail. what i say is, we have been able to comply with the act and to do it on time. there has been some level of slowness, but that -- in terms of difference from the old
5:55 pm
system and the new system, but that -- ms. ayotte: of how quickly you can get information -- mr. rogers: that time duration is minutes or hours. it's not days or weeks. so it hasn't yet gotten to the point where i felt i've needed to come back to the congress or the administration and say, look, i'm seeing a significant material impact on our ability to generate timely insights because i made that commitment. i said, if i saw that, and i believe i owe it to the nation to make that point, i have not seen that yet. ms. ayotte: there's no doubt that the taking longer? in some ways? mr. rogers: in some ways. it takes longer. ms. ayotte: i think it is important for us to come to us with that. give than minutes and hours can make a difference when it comes to terrorist attacks and preventing them and taking action, i think this is really important for all of us to understand, given the world that we are living in. i wanted to ask you a final question about the jcpoa or the iran deal. in there there's a provision that said that the u.s. must
5:56 pm
cooperate with tehran through train and workshops to strengthen iran's ability to protect against sabotage of its nuclear program. from a cyber perspective, has the u.s. helped tehran strengthen its ability to protect against sabotage of its nuclear program? mr. rogers: i cannot speak for the u.s. government as a wlole. i can tell you u.s. cybercommand has not participated in any such efforts. ms. ayotte: thank you. >> thank you, mr. chair. thank you, admiral rogers. i have missed some of the discussion. i don't want to be needlessly repetive. but i've met -- i want to go back to an interchange that you had with the chair in the opening questions. i met recently with a senior military leader who kind of tried to basically summarize his sense of things and he said, we have no plans but no strategy. and i have been thinking about that. i think in your back and forth with the chair, you talked about, and i think others may have asked you about this a little bit, this notion that we are kind of reacting case by case to cyberattacks and kind
5:57 pm
of deciding in each instance what we want to do. cabecabe -- mr. kaine: the development of a broader doctrine, whether it's, you know, what will a terrence policy be that we might communicate, how do we view a cyberattack under article five of nato in terms of triggering a collective self-defense, collective defense obligation, that we're assessing those things but we're kind of not at the end point of answering those questions. could you talk to us about the kind of development process and working on these questions, they're so important, what might we expect from the pentagon, from cybercommand in our interaction, in our oversight, in terms of the development of doctrines that have greater clarity and that aren't just kind of pragmatically reacting? rodgerooge you'll knee in the d.o.d. cyber-- mr. rogers: you'll see in the d.o.d. cyberstrategy about how we're going to both develop capability and then employ it. we're part -- cybercommand is part of the broader dialogue
5:58 pm
within the department about how do we align the capabilities of force with the world that we're seeing today, one of the arguments that we've made over the course of the last six months is, we need to take an element of the cybercapability we're generating and focus it very much on the deterrence piece. how do we shape potentially -- shape, potentially drive opponent choices and behavior before we get to the crisis scenario. we're in the early stages of that. but i'm very heartened by the fact that we now have broad agreement, that that's an important part of our strategy and we need to be doing that. so we're just starting the early stages of that journey. the department participates in the broader dialogue within the u.s. government about how from a national policy perspective, how we're going to move forward in addressing some of the issues that you have all raised today. what i remind our team is, we know that capability is going to be part of that deterrent strategy.
5:59 pm
both offense and defense. that's what we get paid to do. we have got to focus ognjen rating that capability today -- ognjen rating that capability today. so -- on generating that capability today. we can't wait for the broader discussion to complete itself. it's just a losing strategy for us. that's been the focus for u.s. cybercommand, at the operational level that i and the team really focus at. mr. kaine: let me ask you another question. i think senator shaheen may have asked this with respect to nato. another item that's very common in this committee is we look at the postures of other commands, joint training exercises. india does more joint training with the united states than any other nation. we have marines deployed throughout africa and these special purpose magazine tags doing train. what's our posture vis-a-vis sort of partners in the cyberarea, in the training that we do together in the development of giant resiliency strategies. mr. rogers: we do some level of training with key allies. one of the challenges for us is
6:00 pm
how do you maximize capacity, so it's all about prioritization. you cannot do everything you would like to do with every nation that would you like to do it. so part of our strategy is, how do you focus the greatest return and we have done that. find itr challenge i is, and this is part of an ongoing internal discussion for us. based on where we are in the journey right now, i cannot do so much with the external world that it negatively impacts our mission. in some cases, there are literally decades of experience. we don't have that. the same forcing capability i am using -- i am still building every day. that part of the challenge for us right now. will be as much of an issue in the future as a capacity fleet comes online but we are not there yet. aviators out of
6:01 pm
other service ranches and then we created an air force academy in 1954 and we decided to train aviators -- not that we don't train aviators in the other service branches but we created an air force after world war ii. i have wondered about whether this cyber domain would eventually become those significant that there may be the need to consider creating a dedicated cyber academy, much like the air force was created in the 1950's. you can train cyber folks everywhere and have them percolate through the service branches or you can focus on a particular cyber expertise and those folks could go into the different service branches. has there been any discussion about that? mythere has, but contribution has been -- not right now. to maximizes,
6:02 pm
effectiveness in cyber you have to understand how it hits in a broader context. at times when i deal with elements in our own workforce are incredibly technically savvy and smart of the -- regarding the mission that i try to remind them that we are applying this as a broader strategy and context. and you don't understand the broader context you are not as effective. that is my concern about that approach. it will start to make us very narrow and siloed. >> thank you. you foral rogers, thank appearing again. if i heard you correctly, you your fears were threats to our infrastructure, the ability to manipulate systems such that we may not have faith in their operations, and third, non-state using cyber as a weapon against the united states. is that accurate?
6:03 pm
or either the islamic state al qaeda able to do either of those -- any of those three things at this point? the islamic state has a reputation for being very effective online. that online recruiting and propaganda is a distinct skills get from the use of -- l set from the use how hard would it be for a nonstate actors like the islamic state to develop that skill set? is it nothing more than recruiting the right person? >> it would not be hard. it certainly is not beyond their ability. when we think about other potential nonstate actors, are those -- do those groups who have that capability or are approaching the capability tend to be associated with state
6:04 pm
actors? >> in some cases, yes but not in all. not in all. >> i want to turn now to the ongoing debate about encryption. and cyber security are critical in the modern world. most people in this world -- in this room have a smart phone. has one.ather head of senator graham. [laughter] come cyber data and cyber security are essential. physical security is also essential. americanste to see blown to pieces because we have --n in balance of security cyber over physical. had we strike that balance --how do we strike that balance? be that weent would
6:05 pm
don't serve either viewpoint particularly well. we casted as all or nothing when it is either or. over time we have been able to integrate ground changing technology in the course of our nation and to do it in a way that enables the nation under the right or comes ansys with the right level of control to be able to access that. for me, my starting position is -- what is it that is different about this that would preclude that from applying here? i don't personally see that even as i acknowledge that there is no one simple answer or one silver bullet. it is not a all. i look at the innovation and the can-do approach that we have as a nation. i think we can solve this. >> like for instance, communications systems for law enforcement. telecom companies of any size
6:06 pm
with they want to construct a telephone system in this country it has to be susceptible to a wiretap pursuant to a court order. similarly, we all expect privacy in our bank accounts. we have to maintain systems in where we turn over information. is there any reason our society should treat data or tech companies differently than how we treat telephone companies? >> that is a much broader issue than cyber command. like you, i would say that we have frameworks in other areas -- why can we not apply that here? >> these questions have been about the larger issue of encryption going forward. there was a case recently involving apple and the fbi and the san bernardino shooter in which the fbi were tested apple's assistance to override a
6:07 pm
feature of an iphone. apple refused. a third party capable and the case has been withdrawn. should america be alarmed at this vulnerability? isthe way i would freeze it - -- the way i would that boehner ability is part of the world we live in. >> do you know if we have shared that vulnerability with apple? >> i don't know. that know for a fact baghdad he is sending young man -- young men into the refugee flow to commit acts of terror wherever they can locate. is it true, or likely, that they also know of a website to come
6:08 pm
up on secure so they can baghdadite back with and his tech? >> yes. >> there was a media report that 400 young men had been sent into the refugee flow. i would assume then that at or areome of them have armed with a website to come up on one's they get to a preferred destination so that they can coordinate acts of terrorism? >> it is probably likely. >>. is a bit concerning, isn't it? >> yes, sir. towhat should we be doing counter that besides taking out isis? nationald a broader
6:09 pm
dialogue with what we are comfortable with terry it is not either or. we have to have security and privacy. we are in a dialogue that seems to paint it as it is one or the other. i don't see it that way. and yet, we know of a direct threat of an attack in europe or ae united states and technical capability to enhance their ability to commit this act of terrorism. -- wethat a pretty tough need a national conversation? do we need more hearings? do we need to urge the administration to come up with a policy? what are our options here? >> the worst-case scenario to me
6:10 pm
is we don't have the dialogue and then we have a major event and in the aftermath of that, we decide to do something and in the breadth of time, we step back and wonder how we got there. >> i don't have any doubt that is a likely scenario. >> to date, we have been unable to achieve that kind of consensus. we have got to figure out how we are going to do this. you don't want law enforcement individuals or intelligence individuals dictating this just as i don't think you want the private sector dictating this. it is to in. -- it is too important. -- is awareness of this threat important for the american people to know how serious this threat is? >> yes.
6:11 pm
>> senator king -- king: hearing this dialogue, it strikes me that it underlines the foolishness of continuing to be governed by budget decisions made six years ago when this threat was nothing like the magnitude it is today. we are dealing with a major new threat and trying to shoehorn it within a budget structure that was clearly -- that clearly did not take account of this new threat and a serious one that we are facing. and will take resources to confront. i can't help but make that point. it underlines the fact that we are being governed by decisions made at a time when circumstances were different than they are today. senator king but admiral rodgers has made it clear in his testimony that sequestration will prevent him
6:12 pm
out completely the missions he has been tasked with. is that correct, admiral? >> yes, sir. is this what i want to be aligned with? i can replace equipment. it takes us years to replace people. >> and there is a real likelihood if we continue the sequestration that you will have able tou will not be continue to employ these outstanding and highly select it individuals. >> yes. admiral,ow, sometimes, i do not want the american people to see what goes on at these hearings. the old line about laws and sausages -- i certainly wish the american people could hear and see your statements that you are
6:13 pm
making today rather than as you just indicated, and attack and then we always overreact. that is what democracies are all about. and so, i thank you for your good work that i also want to thank you for your straightforward answers to questions that were posed by the members of this committee. we thank you. the meeting is adjourned.
6:14 pm
6:15 pm
6:16 pm
6:17 pm
6:18 pm
theonight on c-span, supreme court cases that shape our history come to life with the c-span series "landmark cases: distort supreme court cases." our 12 part series explores real life stories and the dramas be trying -- behind some of the most significant decisions in our history. >> during times of war. it puts before the court central themes in the conditions that the president can do things that may not be expressed in the constitution and the limits of congress -- that congress can place on it. >> the case has come to be accepted by the culture. >> it was a sweeping decision. as one ofd the u.s. only four nations across the globe that allows abortion for any reason. and yet come it has not settled
6:19 pm
the issue at all. >> tonight, it is roe versus wade. however, it allows states to restrict that right aced on the viability of the fetus. watch landmark cases tonight at 10:00 p.m. eastern on c-span and in his weekly address, the president discusses the economy, corporate tax in versions, and retirement savings. doldsentative bob delivers the republican response. president obama: hi everybody. over the past seven years, we haven't just been recovering from crisis, we've been rebuilding our economy on a new foundation for growth growth that benefits everybody, not just folks at the top. our businesses have created jobs for 73 straight months 14.4 million
6:20 pm
new jobs in all. we've covered another 20 million americans with health insurance. we've helped more americans afford college, and invested in industries that create good jobs that pay well, like clean energy. and wages are finally rising again. but there will always be more work to do. and this week, my administration took two big steps that will help make sure your hard work is rewarded, and that everybody plays by the same rules. first, we're helping more americans retire with security and dignity. right now, if you go to a retirement advisor for investment advice, some of them don't have to act in your best interest. instead of telling you the best way to save your hard-earned money, these advisors can get backdoor payments from big companies for steering you toward investments that cost more and earn you less. as a result, when you retire, you might be missing out on tens of thousands of dollars because your advisor got paid more to give you bad advice.


info Stream Only

Uploaded by TV Archive on