Skip to main content

tv   Adm. Rogers Testifies on Cyber Command Operations  CSPAN  March 1, 2018 12:14pm-2:06pm EST

12:14 pm
holley-walker, dean of howard university's law school. and peter kirsanow. watch "landmark cases" live monday at 9:00 eastern on c-span, c-span.org, or listen with the free c-span radio app. for background on each case while you watch, order your copy of the landmark cases companion book. it's available for 8.95 plus shipping and handling at c-span.org/landmarkcases. and for an additional resource, there's a link on our website to the national constitution center's interactive constitution. u.s. cyber command commander admiral michael rogers testified earlier this week to discuss the military's cybersecurity readiness. he told lawmakers he's not been directed by the white house to take additional steps to respond to russian interference in u.s. elections. admiral rogers is also head of the nsa. this hearing is about an hour, 45 minutes.
12:15 pm
12:16 pm
the committee meets today to hear admiral mike rogers. you know, you have more titles than anybody else. you really do. commander of the u.s. cyber command, director of the national security agency, and chief of the central security service. given your upcoming retirement, it might be the last time you'll be dropping in. do you think that will happen? we'll miss you. well, as the recent national defense strategy identified renewed great power, competition with russia and china. it kind of goes along with what general dunford said when he said we are losing our qualitative and quantitative edge as we move into this
12:17 pm
two-three national defense strategy. as we approach the eighth anniversary of cyber command, we should recognize the remarkable progress you've made in taking what was a very niche war-fighting concept and establishing around it a full-fledged war fighting command. later this year, we anticipate that you will achieve full operational capability for the 6,200-person cyber mission force. despite the many successes, there are still significant challenges. the committee remains concerned about a hollow cyber force due to the lack of priority across the services to deliver the required tools and capabilities and personnel. efforts have improved, but the fact remains that we have not -- are not where we need to be. we lack the bench strength necessary. and the other area -- and i'll have some questions about this during our question time -- is the fact that we're i think at somewhat of a disadvantage with
12:18 pm
responsibilities that are spread across dod, dhs, and the fbi with little semblance of coordination. we can't just wait for major cyber attack and then try to get this thing right. we look at some of the other countries that they have got this more centralized and coordinated. we need to address that to see if maybe we got some improvements that make structurally. senator reid. . >> thank you very much, mr. chairman, and admiral rogers. since we're holding the confirmation for your successor later this week, this is likely your last appearance before the committee. let me thank you for decades of commitment to the country. one of the great threats facing our democracy is influence operations, a type of information warfare which are mostly conducted through theater
12:19 pm
operations of cyber command. russia engaged in a sophisticated influence campaign during the 2016 election cycle. china has been engaged in information operations against their own citizens in order to control their access to information and their behavior. it's becoming more active abroad. they're also engaged in mass i have theft of intellectual property conducted against u.s. companies for their own economic gain. north korea's attack on sony america was an attempt to silence an entertainment company from exercising its right to free speech and sending a message across the world. these efforts highlight some of our vulnerabilities in this area, which i hope you will address today. while our adversaries are freely conducting information operations, cyber command is still predominantly designed to conduct technical operations to defend ore attack computer systems, to sustain or impede the function of computers and networks. it is not built to deal with the content of the information flowing through cyberspace. with the cognitive dimension of information warfare. cyber command has made important
12:20 pm
strides in the last year in the cognitive dimension against isis but still has a long way to go and most focus on the strategic level of engagement, not merely a tactical strategy. other organizations and officials are responsible for what the department calls psychological and deception operations. but those officials and components in turn have no expertise or capabilities in technical aspects of cyberspace operations. this is a serious handicap when we are confronted with adversaries like russia who combine technical and cognitive dimensions. because we have separated these things organizationally and in terms of policy and strategy, we are greatly disadvantaged when it comes to countering an adversary's integrated operations. the fy-'18 ndaa included a provision cosponsored by senator mccain and myself which directs the secretary of defense to designate a senior official to lead the integration of all
12:21 pm
defense department components and capabilities that contribute the information warfare and to develop specific strategies, plans, and capabilities to operate effectively in this arena. i'm eager to learn how cyber command is responding to this legislation. i stressed the national defense strategy, russia, and others have conducted systematic aggression against the united states and its allies while staying just below the level that would be considered armed aggression or an act of war. as the dni testified recently to the senate intelligence committee, adversaries are using cyber operations to achieve strategic objectives and will continue to do so unless they face clear repercussions. adversaries are achieving strategic effects incrementally by applying constant pressure through cyberspace against our national power. in addition to tools such as sanctions, diplomacy, indictments, and public shaming, we must meet not only russia but all adversaries in the information sphere. as part of this, we need to
12:22 pm
engage in blunt information operations against us at their source by disrupting them in cyberspace as they unfold. the national mission team to the cyber mission force were created to conduct exactly these missions. according to the defense department's official cyber strategy, the national mission teams were created to defend the country by disrupting ongoing si cyber attacks of, quote, significant consequence. some of these operations in cyberspace are directed against the foundations of american democracy, the free expression of americans' political views, the voting booth, and through our political parties and campaign organizations. surely such acts meet the threshold of significant consequences, justifying the use of the teams under the defense department's cyber strategy. the members of the cyber subcommittee have made this point numerous times. i want to thank them for their leadership on this issue. admiral rogers, i'm also interested in your views on this issue. finally, understand the presidential leadership is critical on these issues.
12:23 pm
i raise this matter with the director of national intelligence and each of the intelligence agency director, including you, at a recent public hearing. the very disappointing answer i received is the president has not directed any action on countering these threats. in addition to countering these threats requires not only the defense department integrate all the components of information warfare, it is essential to integrate capabilities and authorities of all the national security and law enforcement organizations across the government as a hole. this requires leadership that so far has been lacking. admiral rogers, thank you again for your service and the service of your family, and i look forward to your testimony. >> thank you, senator reed. i regretfully say that senator rounds, who does chair the subcommittee, will not be here today. or actually this week, with the loss of his father. we bregret that. admiral rogers. >> thank you, sir. distinguished membered of the
12:24 pm
committee, thank you for your enduring support and the opportunity to talk with you today about the hard-working men and women of the united states cyber command. first, i'd like to take a moment to extend our thoughts and prayers to chairman mccain and his family and to voice our support for him as he undertakes this tough health fight. senator mccain, keep fighting. look forward to you getting back, sir. on behalf of the men and women of the united states cyber command, i'm here to discuss the posture and how we prepare for the cyberspace domain. the cyberspace domain that existed when we first established cyber command nearly -- over eight years ago has evolved dramatically. today we face threats that have increased in sophistication, magnitude, intensity, volume, and velocity. threatening our vital national security interests and economic well being. china and russia, whom we see as peer and near-peer competitors in cyberspace, remain our
12:25 pm
greatest concern. rogue regimes like iran and north korea have growing capabilities and are using aggressive methods to conduct malicious cyberspace activities. further, several states have mounted sustained campaigns against our cleared defense contractors to scout and steal key enabling technologies, capabilities, and systems. our adversaries have grown more emboldened, conducting increasingly aggressive activities to extend their influence without fear of significant consequence. we must change our approaches and responses here if we are to change this dynamic. while the domain has evolved, cyber command's three mission areas endure. our first priority is the defense of the department of defense information network, or the dodin. second, we enable others by delivers effects in and through cyberspace. finally, we defend the nation against cyber threats through support to dhs and others when directed to do so by the
12:26 pm
president under the secretary of defense. in concert with the national defense strategy, we are charting a path to achieve and sustain cyberspace superiority to deliver strategic and operational advantage, and increased options for combatant commanders and policymakers. without cyberspace superiority in today's battlefield, risk to mission increases across all domains and endangers our security. since my last update almost a year ago, cyber command has achieved a number of significant milestones. first, joint force headquarters dodin, our subordinate headquarters responsible for securing, operating, and defending the department's complex i.t. infrastructure, has achieved full operational capability. second, joint task force, the organization we created to lead the fight in cyber against isis, has successfully integrated cyberspace operations into that broader military campaign and achieved some excellent results. we will continue to pursue isis in support of the nation's objectives.
12:27 pm
third, we've significantly enhanced our training and cyber operation platforms to prepare the battle space against our key adversaries. and this year we'll bring several additional accomplishments. cyber command will be elevated to a unified combatant commander when i step down later this spring. as a combatant command, we'll have the unique responsibilities of being a joint force provider and a joint force trainer responsible for providing mission ready cyberspace operations forces to other combatant commanders and ensuring that joint cyber forces are trained to a high standard and remain interoperable. in addition, in april we'll start moving into a state of the art integrated cyber center in joint operations facility at ft. immediat meade. this will enhance the whole of government coordination and improve planning and operations against a range of growing cyber threats. within this dynamic domain, it's imperative to continually evolve the training and tools of our operators.
12:28 pm
we've recently delivered the first of several foundational tool kits designed to enable them cyber mission force to work against adversary networks while reducing the risks of exposure as well as equipping jtf in its fight against isis with capabilities designed to disrupt adversary use of the internet. innovation and rapid tech development demand competition and the ability to leverage all partners, including small businesses. we intend in the coming year to create an unclassified collaboration venue where businesses and academia can help us tackle tough problems without needing to jump over clearance hurdles, for example, which for many are very difficult barriers. of course, all these tools require a talented and sophisticated work force to operate and employ them. the cyber accepted service will help us recruit, manage, and retain cyber expertise in a highly competitive talent market. our success also remains entwined with continued integration of the reserve and national guard. our headquarters alone, we
12:29 pm
currently employ more than 300 full-time and part-time reservists, and in addition more than 150 reserve and national guard members are mobilized to lead and execute cyberspace operations. perhaps most significantly, we are nearing completion of the buildout of our cyber mission force with all teams on a glide path to reach full operational capability before the end of this fiscal year. as the teams reach foc, our focus is shifting beyond the build to ensuring those teams are ready to perform their mission and to execute sustained and optimized mission outcomes for the nation year after year for a sustained effort over time. i fully realize that cybersecurity is a national security issue that requires a whole of government approach that brings together not only government departments and agencies but also the private sector and our international partners. over the last year, we've also increased our interaction with critical infrastructure elements within the private sector and the broader set of u.s. government partners supporting them. and as you know, i serve as both
12:30 pm
commander of the united states cyber command and director of the national security agency. this dual hat appointment underpins the close relationship between these two organizations. the if its cafiscal year '17 authorization act includes a provision that describes ending that arrangement. the department is workings way through this question and ultimately the secretary in conjunction with the dni will provide a final recommendation to the president. all of us at cyber command are proud of the roles we play in our nation's cyber efforts and are motivated to accomplish our assigned missions overseen by the congress, particularly this committee. finally, after serving over four years as the commander of cyber commands and after nearly 37 years of service as a naval officer, i'm set to retire later this spring. i will do all i can during the intervening period to ensure the mission continues, that our men and women remain ever motivated, and that we have a smooth transition. i'm grateful for the committee's continued support and confidence of myself and the cyber command
12:31 pm
team, and i look forward to answering your questions today. >> good. thank you, admiral rogers. well, in my opening statement, i addressed this -- the three agency approach we have responsible for defending against the attacks that we have. the fbi as the lead for law enforcement, the department of homeland security as the lead for critical infrastructure and defending government computer networks, and thirdly, the department of defense as the lead for defending the homeland, defending military computer networks, and developing and employing military cyber capabilities. so you've got the dod, the dhs, and the fbi. no one agency has all the authorities required to defend and protect the homeland. so did we set it up wrong to
12:32 pm
start with? what does need to be done to encourage more whole of government? you mentioned that in your opening statement, combatting the cyber threats that are out there. >> so i think the challenge, as i look at the problem, and i'm looking at it from the p perspective of operational commander. i think it's less an issue of people not understanding what their respective roles are within the structure you outline, and instead i think the challenge is how do we integrate those capabilities into a tighter whole, if you will, that's really optimized to execute at the day to day level. that's the area where i look at the future, and with my responsibilities as commander of cyber command, that's where i'd like to see us focus our efforts. how do we get down to integrated structures and organizations at the execution level. because that's where you get speed. one of the challenges with the current structure, as i said, i think people understand their respective roles, it is not
12:33 pm
optimized for speed and agility. one of the things that i see in the world we're living in right now, we have got to get faster, and we have got to be more agile. >> yeah. there's a lot of discussion about the gaps and seams that exist between each leg of the whole of government approach. our adversaries will seek to exploit those gaps and seams, and the confusion that follows an attack as various agencies and departments grapple with the scatter of authorities needed to respond, what are the most dangerous gaps and seams as you look at them? >> so for right now, the time it takes to deploy capability, the time that it takes to coordinate a response across multiple organizations when those well-meaning and hard-working organizations are existing in separate structures, that's not optimized for speed.
12:34 pm
to me, what i think the biggest challenge for us is how do we integrate this more at an execution level. i understand there's a broader policy issue here and a broader legal framework. that's not my role as an operational commander, but where i see the need for speed and agility is really when it gets down to -- >> is someone working on that now? >> oh, there's an ongoing dialogue about -- so what's the right way ahead? i'm the operational guy. i have a voice in that process. there's no lack of opinions on this topic. >> lastly, you said previously, and i'm quoting now, offensive cyber in some ways is treated almost like nuclear weapons in the sense that their application outside of defined area of responsibilities is controlled at the chief executive level, it is not delegated down. has anything changed under this new administration? >> we're currently -- again, i don't want to speak for the policy side, but i will acknowledge we are currently in
12:35 pm
a policy discussion on this very issue. secretary of defense has been very aggressive in articulating this concerns him, that there's an ongoing discussion at the moment that i hope is going to come to a way ahead in the near term. i'll get an input into that as the operational commander. i'm not the primary decision maker here. i understand what my locrole is. >> all right. senator reed. >> thank you very much, mr. chairman. again, thank you, admiral rogers, for not only your testimony but your service. i have a series of questions that i think require yes or no answers. the mission on national mission teams under dod cyber strategy is to blunt cyber attacks against the united states of, quote, significant consequences. is that accurate? >> yes. >> the -- >> although, if i could, i'd phrase it as that's an accurate mission for cyber command. we haven't actually defined it specifically down at a team level, but i understand the point you're trying to make. >> as russia's ongoing campaign to steal and leak confidential
12:36 pm
information from our candidates and political parties, to plant and amplify misinformation on social media, are those of significant consequence? >> certainly, if successful. >> yes. do you agree with the dni coats testimony that they will continue to conduct cyber operations to achieve strategic objectives unless they face clear repercussions? >> yes, sir, that was my testimony as well in that hearing. >> is russia attempting to achieve a strategic objective by influencing u.s. public opinion on elections? >> yes, sir, i believe they're attempting to undermine our institutions. >> aside from our intelligence agencies operating under presidential findings, are there any other organizations other cyber command cyber mission forces that have the authority and capability to disrupt russian election hacking operations where they originate? does the fbi, dhs, or the states, private sector have such authorities or capabilities? >> you could argue probably only the -- again, there's a legal
12:37 pm
aspect to this that i'm not the most qualified. probably you'd argue some combination of dod/doj have the standing authority in that regard. >> but the mission teams, particularly at the origin of these attacks, have the authority to do so. >> if granted the authority. i don't have the day-to-day authority to do that. if granted the authority. >> so you would need basically to be directed by the president through the secretary of defense. >> yes, sir. in fact, i mentioned that in my statement. >> have you been directed to do so given the strategic threat that faced the united states and the significant consequences you recognize already? >> no, i have not. if i could flesh this out, i'll say something. i'd be glad to go into more detail in the classified. based on the authority i have, i have directed the national mission force to begin some specific work i'd rather not publicly go into that using the authorities that i retain as a commander in this mission space. >> the inherent ability of a commander to prepare, plan, and
12:38 pm
structure, but you need the direct authority of the president through the secretary of defense -- >> to do some specific things. >> some specific authority. >> there are some things i have the authority, and i am acting within that authority now. >> essentially, we have not taken on the russians yet. we're watching them intrude in our elections, spread misinformation, become more sophisticated, try to achieve strategic objectives that you recognize, and we're just essentially sitting back and waiting. >> i don't know if i would charact characterize it as we're sitting back and waiting. i will say it's probably -- and again, i don't want to get into the classified here. it's probably fair to say that we have not opted to engage in some of the same behaviors that we are seeing, if i could just keep it at that. >> one searches for historical analogies, but we have in the past seen threats building.
12:39 pm
at some point, particularly when they manifest themselves, when they already have in 2016, we've taken action, not just continued to watch >> we are doing some things. >> let's go back to the brief time i have remaining to an issue that i think is consistent throughout your testimony and the chairman's comments. that is the technological aspects which you do pretty well, and the cognitive issues, the message versus the medium, we are all over the place in terms of fragmentation. is there any effort to pull that together? and let me maybe focus on a specific point. you're trying within dod to get everybody lined up. then the administration are trying to line up all the other parts. there's one -- from my experience in banking, the treasury department has a -- which is designed to be disruptive of financial transactions, designed to --
12:40 pm
it's not just ideas, it's money that motivated. >> yes, sir. >> so in your view, are you coordinating with them adequately? do they have adequate resources on their own to be an effective force to disrupt illegal financing and to monitor sanctions? >> i'm not knowledgeable enough about the specific level of capability and resources, but i will say we, both cyber command and nsa as well, spent a lot of time working with our treasury counterparts about developing insights and knowledge through cyber and other means that give them insight that enable them to take action. >> do you think they're effective? >> oh, i think the economic broader efforts that i've seen undertake reason positive. you've seen them against a host of actors out there. >> thank you. >> i ask the committee to consider a list of 1288 pending military nominations, all of these nominations have been before the committee the
12:41 pm
required length of time. is there a motion to favorably report this list ? >> so move. >> second. >> all in favor, say, a ye. opposed no. motion carries. senator ernst. >> thank you, mr. chair. admiral rogers, in your opening statement, you rightly noted the importance of national guard and reserve cyber warriors. many of those young men and women bring critical cyber skills from the private sector. very, very important. however, you don't mention how or if the dod plans to track cyber capabilities found in the national guard and reserve force, and we've had this discussion before, but in 2016 the government accountability office report found that, quote, national guard units have developed capabilities that could be used if requested and approved to support civil authorities in a cyber incident. however, the department of defense does not have visibility
12:42 pm
of all national guard units' capabilities for this support, end quote. last year i introduced legislation along with my committee colleague, senators gillebrand and senator fisher, to correct this oversight. unfortunately, it wasn't included in the final version of the 2018 ndaa. and as of july of 2017, dod has not complied with the gao's recommendation. so sir, how do you ensure cyber command is fully tapping into the expertise of our national guard and reserve units when the dod doesn't have visibility of all of the capabilities within the national guard? and what more can we do to correct this at cyber command? >> so i try to work closely with general and the national guard bureau, the national guard team. i compliment them. they just established and released cyber strategy just last month, as a matter of fact. we were part of that dialogue. how do we make sure we're doing,
12:43 pm
you know, an integrated approach within the dod. this can't be an active-only component or civilian-only component. as you and i have previously discussed, the aspects of your question in some ways you nokno are beyond my immediate responsibilities. what identi've tried to work wie national guard bureau is how do we create a structure that enables us access the full range of capability, not just units. it's similar in many ways, putting on my other hat, director of nsa. we've tried to do the same thing over time for language. many people in the department have language skills that have no connection with whatever their job is we've trained them to do. i'm trying to see, can we do the same thing over time with the guard and the reserve. >> certainly. an additional identifier or something that can be tracked. i think we really need to focus on that much more so than we have done in the past just because of the continuing threat that we see in cyber out there.
12:44 pm
as along the same theme, though, it is such an important part of our national defense, and we're going to have to continue to improve our capabilities and readiness in this area. so if you could, in just the couple minutes i have left, what more can we do to make sure we have an adequate pool of really talented individuals that can step up into these fields? we've seen at large military recruiting has been very difficult, even for our regular branches of service. so what can we do to make sure that we're filling the gap with qualified individuals that meet the requirements of today's military? >> so first, to me, you got to look at it as an ecosystem and realize there's different components to this cyber population from civilians to active military, to guard and reserve. each one of those components has different attributes. one of the things we need to do
12:45 pm
is come up with solutions that optimize for each of these subpopulations. the congress, for example, with civilian exemption service, the ces effort. that's a big positive for us on the civilian side. on the dod side, the services for active are working through. so are there other compensation tools, for example, we can use. are there other things we need to do in terms of the commitment we make to individuals when they first enlist or get commission in terms of can we align them early on and offer them extended service in the cyber arena. on the guard and reserve, it's a similar kind of thing. the one that goes to your point, the one thing i've -- it's been a little while since i had this conversation, but outside the army, guard, and the army reserve and the national guard, the other services tend to use reserves on a status as opposed to units. one of the things i'm trying to work on, is there a way to use
12:46 pm
the unit structure that's traditional within the guard but also a cadre kind of thing about how do we access individual skills. we are clearly not there yet. but i'm wondering is that a part of the future structure we need to be looking at that we haven't to date. >> right. and thank you. my time is expired. certainly this is an issue we need to wrangle with and make sure we're coming up with an appropriate answer. so thank you, admiral, very much. >> senator nelson. >> admiral, thank you for your public service, your long service, and we wish you well in retirement. since senator rounds is not here, i will speak for him in that we have the privilege of leading the cyber subcommittee, and i want you to know that we think the public sectors in the
12:47 pm
department of defense are woefully unprepared and split and segmented and not coordinated to be able to handle now what is one of the greatest threats to our national security. the cyber attacks that constantly come. and we feel that about the private sector community as well. now, having said that, mr. chairman, i want to enter into the record a letter that senator blumenthal, senator shaheen, and i sent to the secretary of defense february the 6th. one of the things that we ask is that the national mission teams, which are part of u.s. cyber command's cyber mission force, should be ordered to prepare to engage russian cyber operators
12:48 pm
and disrupt their activities as they conduct clan december tine influence operations against our forthcoming elections. would you into that into the record? >> yes, sir. >> now, admiral, let me ask you, is there any question in your mind that they have -- they, the russians -- have conducted these kind of activities against our past election? >> no, sir. >> okay. and in an answer to senator reed, you had said yes, if the russians were successful, as if there was some doubt in your mind that they had been successful. that's not the case, is it? >> no, sir. i apologize. the quote that senator reed used was from the strategy that talked about acts of significant
12:49 pm
consequence. i was trying to get to the consequence piece of the plan. >> so we have been attacked, and there are a lot of us that feel like we are still being attacked and that we're going to be attacked, particularly with regard to our elections, which we consider as critical infrastructure. and let the record note that you nodded affirmatively. so what's the holdup? >> i'd say there's a series of -- again, this is much broader than the dod, much broader than cyber command. department of homeland security is overall responsible for this particular -- the election infrastructure within the segments that have been identified as critical infrastructure. they're the sector lead. in fact, i've had this conversation with the secretary of homeland security within the last couple weeks, about what we're doing to try to generate insights and knowledge to try to help their effort in their leadership role.
12:50 pm
>> let me be appropriate and respectful, but let me interject, please. because time is fleeting. let's get -- so for someone who is looking out for the common defense of this country, to say well, they've got the lead and this is that and i'm the cyber commander and it's going to be a c combat and command, that doesn't cut it over here. >> yes, sir. the challenge for us is the law and the legal framework, shaping what dod can and cannot do -- >> what you need admiral -- what do you need as the commander to say, go after and punish these guys that are trying to tear apart our critical infrastructure, what do you need? >> i need a policy decision that
12:51 pm
indicates there's specific direct to do that. i would have to then tee up specific options and i would rather not go into the specifics. and they would be reviewed by the chain of command and they would make a recommendation and then based on that, we'd be given specific direction and specific authority. >> so you need a direction and a specific authority from the white house? >> right, the president would make this decision in accordance with a recommendation from my experience and the secretary defense and others. homeland security and others. >> the chain of command is what you need? >> yes. >> let the record reflect that we have written to the secretary of defense, february 6th and would appreciate an answer. thank you, mr. chairman. >> thank you. >> thank you, mr. chairman and admiral thank you for your decades of service.
12:52 pm
you have been nothing but consistent talking about speed and agility. i hope you find a way to continue to nudge us toward that is goal. i have a question to follow up on a couple of questions we had today. recently, the defense science board last year actually, in conclude and there's a quote, at least the next decade the capabilities are likely to far exceed the united states ability to defend key critical infrastructure, do you agree with ta conclusion? >> we were apart of that effort with the dsb. there's no doubt for right now arguing technology favors the offense verse the defense. just the scope of what you're trying to defend, potential vulnerabilities keeps you awake at night. >> so the ability to proinclude it is minimal. and you -- >> from a technical standpoint but it gets into the broader question about are there other
12:53 pm
opportunities thakt be brought to be -- >> our ability to deter these types of activities. we deter by having the threat of mutual e additionallation. in the cyber space, is it adequate to defend against intrusion and i want to add specifically, whether we had questions about election. in your mind, are we capable, the united states of defending our election this coming year? >> now, i'm not an expert on the electoral system as a whole. i haven't looked at it as a target -- >> doesn't that speak to the issue? homeland security is charged wd that. is that capability up to yours in defense. and you have each service has their own growing capability, so the question i have, is who is in charge of getting the highest and best, deterrence, protection and preclusion capability for an
12:54 pm
election? >> in our constitutional structure, states are responsible for the execution of the election process, and the homeland security is responsible for providing government resources to assist the states and the execution and defense of that structure. again, that is a dhs lead role. i'm not talking to individual state officials about walk me through structure and give me your assessment, i'm trying to generate insights and knowledge now that help inform this with a readiness if directed to potentially -- >> do you interact with dhs. >> yes, sir. >> second thing. what are the many of options that you and the department of defense can give the president -- should he choose to respond to the cyber attacks. if we have a deterrent and then the question is is there a like response, similar response and what are the menus, what is
12:55 pm
included in the menu for the president? >> the so first point i would make, someone comes to us and cyber -- i have always urged, we need to think broadly and look at the full range and levers of capabilities as a nation. >> have we ever responded in kind? >> there are specific steps that i cannen -- taken over the last couple of years. i would rather not get into that. >> it's obvious to me that the diplomatic efforts here are failing and. the activity is one sided. >> we are not where we want to be or need to be. >> what can we do about it. we're going to be about 1.8 cyber warriors short -- >> as a nation rjs . >> as a country. we're not going to win that war against china for example, in terms of the ability to put
12:56 pm
cyber war yoriors in the field. in terms of if this were a trigger puller, we'd stand up a number of soldiers against theirs and that's historical. that's the last war. the future war, maybe, who's got the best minds focused on artificial intelligence and robotics. just on this specific case where are we in terms of artificial intelligence and how will it help us face the short fall in the next 5 years? >> we are looking at the technical applications and capabilities out there that enable us to optimize the human capital piece. and to your point, we're not going to industrial age our way out, let's higher 10,000 more people. that's not a sustainable strategy. therefore, among the things we're looking at and we're not the only ones. how can you apply technology to over come the human capital
12:57 pm
piece? the other point i would make is again, don't just focus on cyber versus cyber. how do we put it in place to convince actors out there. nonstate actors. you don't want to engage in this behavior. because you are not going to succeed and if you do, the price you will pay will exceed any benefit you might gain. that's what we got to get to. >> agreed. thank you. >> thank you, mr. chairman and admiral rogers. thank you for your service. we will miss you when you retire. i want to follow up on both senator reed and senator nelson's question about the 2016 election and the administration. i want to be clear. as i understand, you said that is president trump never ordered cyber come to take action or -- russian attempts to medal in the elections this fall. >> i never given specific
12:58 pm
direction to take additional steps outside of my authority. i have taken the steps within my authority trying to be a good proactive commander. >> no one from the administration asked you to take additional steps? >> i haven't been granted additional authorities, capacity or capability. >> is that a confirmation of what i said? >> i thought -- i apologize. >> it comes to my attention that the contracts, that share sensitive source code data, while they do business overseas and at this practice risk exposing sensitive codes to host still governments and as i understand, there aren't any safeguards like discloe showers to protect against these risks. can you confirm if that's the case and the role of cyber com
12:59 pm
and ensuring dod platform? >> first, i have no -- cyber command has no direct role with non-- with civilian users. having said that, i'm aware of this issue and we have worked with others in the apartment to address, the key vendors what are they doing. there are several incidents i dug into execution level and walk me through what you have done with your code and access to it. i want to compare this version that you told me you shared with them to what we are using in the dod. i've done that. your point goes to and several of you raised it already. gone to a broader dialogue about what should the nature of the relationship be between the department and its key infrastructure in the digital world we're living in? and it forces us to step back and look at things differently. we never used to think about
1:00 pm
things 10 years ago. who are you sharing source code with or testing with? in the world we live in now, those are the questions we have to have? >> so who has the responsibility to decide that? if it is not cyber com is it the secretary of defense. >> for the interaction with our contractors, and i will partner with dss and the fbi is involved here. one of the discussions that currently i'm raising within the department is experienced teaches us we need to step back and ask ourselves, do we have this model optimized. i won't go into the specifics. there's a scenario i'm working on now, this is why we need to make fundamental change. and i'm glad to talk about that in a closed -- >> so should cyber com have that responsibility? or should someone else have it?
1:01 pm
>> quite frankly, look at the things we talked about in the last 40 minutes, why doesn't cyber command do this or that, the challenge is about pry orization, aligning mission with resources and what is our role with the broader sense of partner it is. be leavy about viewing cyber command as the end all, be all for everything. if we try to do everything we are going to sub optimize ourself. we need to focus on the priority areas. >> the concern i have is who is in charge? unless there's somebody who is responsible for coordinating activities for dealing with what homeland is doing and what cyber command is doing and what dod is doing and the white house is doing, nobody is going to be in charge. and so it seems that's the challenge we have right now. and as you look at what are both
1:02 pm
defensive and offensive strategy around cyber for the united states. double we have that strategy in place and can you articulate that so we can understand? >> i believe we have a structure in place with well defined responsibilities. my argd would be experience is showing us that we need to be mindful while we understand that structure isn't generating the outcomes that we want and my answer would be, we're not where we need to be. that would argue doing more of the same will not generate different outcomes. i have a defined role, i try to along with others act and we need to focus on this area. >> i would certainly, agree. i don't think a structure and a strategy are the same thing and while we may have a structure in place it doesn't seem to produce a strategy that's easily
1:03 pm
understandable. >> yeah. >> thank you. that's a statement i'm not asking for a response. >> thank you, mr. chairman. good morning, admiral. it is nice to see you. admiral, the nbs highlights cyber importance quite a bit and how does that national defense strategies priorityization of long-term strategic competition with russia and china impact cyber com's mission. >> i like the fact that the strategy calls out cyber as a domain and calls out the fact that we've got pure competitor in here that -- within the cyber arena that we have to be capable of dealing with. i like the fact that the strategy calls out, competition at a level below conflict. the gray area which i think is
1:04 pm
powerful t. goes to much of the discussion we had so far this morning. activity short of conflict generating strategic advantage for others and not in our best interest. the strategy acknowledge that is we are living in the world where it is becoming the norm and we have to figure out how to deal with that. >> with the peer competitors and russia and china, i think that means we're going to have to do more with less and we may see less of the focus on other areas where in the past cyber com has been focused. whether it's with the global terrorist or with iran and their proxies. so with those tradeoffs, i think that brings a lot of risk. how do you propose that cyber com and the department are able to handle that type of risk?
1:05 pm
>> so within the last year, i and others made an argument and the secretary brought off on it we need to treat cyber command as a high command low density resource. we need a priorityization of a risk-based model and we have to assess this. just like with ballistic missile defense and isr and forces. we shouldn't be viewed differently. we put a new process in place. i made an argument and granted authority to reallocate some of our capability against some of the challenges we talked about in the last 40 minutes or so. that didn't exist a year ago. that process didn't exist, it wasn't envisioned. the thought was the cyber forces we created would be permanently aligned. i argue there is just not enough. not going to get us where we need to be. >> do you see an increased focus on a high-end fight?
1:06 pm
is that primarily going to impact the training or is it going to impact operations? >> it's probably a combination of both. i don't view it as a -- >> either/or. >> one or the other. the positive side as i said. i've been in command for your years and i haven't run in a situation where we didn't have some level of capacity and expertise. or some level of capability or expertise. the challenge is capacity. okay, i can deal with this in a reasonable level of places if i get into something larger, that becomes a challenge. no one should think that i'm proud of the capability that cyber command has and confident and ready to execute the mission. there are challenges. >> when you're talking about capacity, you're building a 6,200 strong cyber mission for us. how adequate do you believe that force is going to be compared to
1:07 pm
the threat from today? >> it is almost 10 years ago that we did the ground work -- >> that hasn't really changed. >> no. so we said let's build the force out. at the end of the fiscal year. the argument i'm trying to make is based on the eight years of run time, that suggests to me that the way that we've structured some of the teams, i would like to change. and i told the services i will leave it alone until you complete the mission generation. once that is done, i would like to roadway tool it a little bit. we can take lesson in the investment of the last years. we are going to need some level of additional capacity over time and that's something i will talk to my successor about. that's a key thing in his time of command. >> it seems like we hear this over and over again. a lot of the same challenges and i realize the nds is out and presenting us with a strategy. but, it's frustrating.
1:08 pm
sometimes on our side that i don't know if we're seeing much progress. last question for you. i was a little confused by an earlier statement. i want to clarify. you have testified in the past that you don't support creating a special core or service focused -- >> yes, ma'am. that's true. >> okay. thank you very much. >> senator blumenthal. >> thank you, mr. chairman. admiral, thank you for your service. we will miss you as others have said. have you read the special council's indictment against the russians and several russian entities. >> i haven't, but i have not seen the actual indictment -- >> i recommend that you do so, sir with all due respect. for us as americans. it is an incredibly chilling
1:09 pm
absolutely terrifying account of an attack on our democracy. you refer to it as a series of actions that quote, threaten a foundation of our democracy. i think that's a polite way of putting this act of warfare, in fact, the russians themselves refer to it as informational warfare. that's from them, not from us. and -- so, i feel a sense of urgency about this on going warfare against our democracy that i feel so far is not reflected in the response from our department of defense. that's one of the reasons why senators nielsen and senator sha
1:10 pm
heen wrote and asked for engagement of russian cyber operators and disruption of their activities. and i understand from you that you're feeling that you have not been given authority to take additional action, that's correct? >> sir -- >> have you asked for that authority? >> no i have not. i act within the authority granted to be aggressive. >> why have you not asked for additional authority? >> because i guess my sense right now is i'm not sure that the capabilities that i have would be the optimal or only response to this. i think -- >> wouldn't you agree that it is a necessary response? >> it could be a part of a response. i would certainly dow into that. i think we need to step back and look at this very broadly. because one of the arguments is not just -- this current piece but others is be mindful of
1:11 pm
falling in the trap that just because someone comes at us in cyber, we have to default and doing the same thing. i've always believed, we need to step back and think more broadly about it and don't default. it's because of that that i have not done that to date. >> well, for how long with all due respect are we going to step back and look broadly at this on going attack, i mean, literally last week in the wake of the parkland shooting, the bottoms and fake accounts, again and again disrupting. sewing discord, continuing to attack our democracy in ways that most americans should find absolutely intolerable, may i suggest that seeking that additional authority is appropriate at this point? >> sir, much of what you're asking me. i'm a operational commander, not a policymaker.
1:12 pm
that's the challenge for me as a military commander. >> wouldn't you agree that the president himself is aware of these attacks and should give you that additional authority? >> i think -- imnot going to tell the president what i should and should not do. i will use my chain of commands -- within the dod and the responsibilities that you have allocated as cyber command here is what i think we can and should do. >> without belaboring, would you agree that the russians have been in no way deterred -- >> yes, sir. i think that is true. >> they are doing it in impunity and don't care what we think and continue to attack? >> yes, sir. >> so this on going attack has been inadequate -- >> it hasn't changed the calculus in my sensor the behavior on the part of the russians. >> and it hasn't changed the behavior and paid no price
1:13 pm
foremeddling. >> they haven't paid a price that's sufficient to get them to change their behavior. >> well, they haven't paid any price as far as i can see, have they? >> you can argue that some of the sanctions imposed. and the indictments, again, i don't think it is fair to say nothing has been done. you are getting outside of my lane as an operational commander -- >> it has been inadequate so far? >> it hasn't generated a change in behavior that we know we need. >> thank you, commander. >> so the question is does he think -- declared -- >> thank you. i join my colleagues and thanking you for your service not only in cyber be command and your 37 years of your service in the military. you have been asked a number of questions about the russian interference with our elections and questions about who is in
1:14 pm
charge. and you testified that department of homeland security is the sector lead on combatting russia -- counter russian's to tamper with elections. it seems to me that perhaps cyber command has the best resources and best equipped to do something in this area. you are the operational person. you don't have specific authority from the president or the -- or anyone else for that matter to go forward. you did also indicate that you are -- constant contact with the department -- >> i said regular. >> with the department of homeland security and the sense i have is that i wonder what the department of homeland security which is charged with countering the russian interference, what they are doing. so since you are in regular contact with homeland security, what have you advised dhs to do in this area to counter russia's
1:15 pm
interference? >> what have i did? >> have you given them add viesz? >> that's not my role, ma'am. >> tell me what you're doing and what are the capabilities of cyber command can support you with. those are the kinds of discussions. i make sure the information flow, with are you getting the benefit of the insights based on the action we have taken. >> in regards with those kinds of conversations, then is homeland security doing what they need to be doing to counter russian interference with our elections? >> you need to talk to them, ma'am. i don't have full knowledge of everything the department of the homeland security is doing. >> i understand that. >> it would be an ill-formed opinion -- >> i'm trying to -- we don't get
1:16 pm
the impression that they are doing what is adequate toen counter anything that the russians are doing. certainly not to the point where they will stop doing it. so i hope that at some point and some other committee or in this committee, we can ask those questions of the homeland security secretary. because what they are doing to the elections has an impact on national security and as you say, they are seeking to undermine our institutions. i would like to join senator ernst in the focus of the defense, utilizing the capability of the national guard. that's just a statement. as you leave your command, i am -- wondering, what would be your suggestion that your successor focus on as he or she, it will
1:17 pm
probably be a he, take over cyber command. what are the things that you would want the new person to focus on? >> so, this is what i would say to the individual assuming the nominee is confirmed. you're inheriting a structure that reflects choices we made eight to 10 years ago and we need to step back x ask ourselves are the structures optimized for today and tomorrow. and how do we take the last eight to 10 years working with a private sector, there are insights there that i think we can harness to look at how do we evolve the structure? i would argue that we need to step back and you raised this with me already this morning, how do we better work the dod role and the defense industrial base and the contractors? we've got to get a different dynamic here and got to look at that different.
1:18 pm
and more broadly, cyber command it goes to some of the the points you raised. the role and partnering with others, how do we do it in a integrated way? i hope i can continue to provide opinions on in my next life. >> how to get an integrated structure for speed and agility. different departments, dhs, fbi and treasury. who should take the lead in creating this integrative structure? >> that's the role of the administration in the executive branch. that's their task. they are, working their way. dos d, we're going to support this. there's an on going review on the same question so we'll see. >> is there something that congress can do to enable an agency to take the lead and integrating the structure? >> i -- prefer to give the executive branch time to say something. tell me what you think the plan is.
1:19 pm
imnot trying to minimize the role of the congress, that's not what i'm trying to say. >> thank you, mr. chairman. >> thank you, mr. chairman. admiral rogers this committee has expressed the lack of an effective doctrine to help deter cyber attacks before they happen. the fy '18 daa -- why don't we have one yet? we have been talking this for years. >> right. i don't want to speak for others. i can't tell you why. the point i'm trying to make as a commander, that we need this. not just for the cyber commander or just the department of defense. but for the nation as a whole. i hope it's going to generate the points that you make. i think it's frustrating to all of us. it's not because of willful
1:20 pm
ignorance or neglect or -- >> is it possible to achieve cyber deteerns when we don't have a public facing articulated cyber doctrine that gives our enemies pause? >> well, i think that deterrence has multiple components from capabilities to a sense of what we can and can't do and what we will and won't do. i would argue -- >> we have some inherent deterrence -- we had an articulated document -- >> that would help -- >> and that pointed out that there would be consequences. would that increase our deterrent abilities? >> i think it would increase it. the other point i wanted to make don't think a strategy in and of itself -- i think it's an important component. >> we need tool this, absolutely. >> it's the tools and underpinning. once you get the framework, now
1:21 pm
what do you do to get to actionable outcomes? >> so right now, the russians continues to use bottoms and trolls, and other basically information warfare tools to sew division in this country, no doubt. >> yes, sir. >> has our response been adequate to create any sort of visible deterrence to the activities? >> it has not changed their calculus or behavior. >> it draws a fine point that we need to do everything we can right now to increase the deterrent value because it is not effective. let's take a hypothetical for a moment. tomorrow, there's a nation state cyber attack against our power and energy sector. resulting in power outages and oil and gas pipeline shutting down. take a moment to assume that the other decision makers folks at dhs and the administration that
1:22 pm
this is an agreement and it is an attack and who it is coming from. the white house wants to respond in the cyber domain immediately without talking about what that looks like, are you ready? >> there's so many variables. who is the actor? what kind of capability was used? are we looking to defeat or over come? >> are you confident in your tools and team to be able to respond immediately? >> the tools are optimized for specific actors -- i don't want to -- >> i don't want to give you specific ak tors, but you know what i'm talking bnchts it is optimized for specific actors and configurations. so there's so many variables. and the other thing is time. one of the reasons why, i think we've got to get a more integrated day-to-day approach to this. one of my challenges is look, my
1:23 pm
experience as a military commander teaches me to doing discovery learning i'm being told to foresaw the adversary. -- >> let's make the assumption that it's something we have been planning for for a long time. >> that's a different scenario. >> you mentioned a few in your initial testimony. >> there are capabilities for us. >> okay. you have talked for years about your top three cyber concerns. critical infrastructure, data manipulation and attacks from nonstate actors. quickly compare how you think we are doing on the three versus how you viewed them from a risk point of view when you first took this job. how has it changed? >> so the first critical infrastructure, greater recognition of the problems.
1:24 pm
i'm not spending a lot of time saying this is what we need to be focused on. it is uneven. some segments doing great work, others not so much. the second area was i apologize -- data manipulation. you are watching it unfold in the world around us. it goes to the influence piece. i would argue that has gotten worse. now you've got a major actor and they're not the only ones in the form of the russians. it is a conscious part of their strategy and doing it on a regular basis, so we've gotten worse and the third was -- >> nonstate actors. >> that surprised me a little bit in a sense -- i'm not talking about criminal, it's still the greatest -- cyber space arena. that has not taken off quite as much as i thought it would be to
1:25 pm
be honest. >> i'm over my time. i apologize, mr. chair. >> thank you, mr. chair and admiral rogers thank you for your service and multiple appearances here. i was interested that in the aftermath of the announcements by director mueller of indictments 13, two fridays ago that the president tweeted out and i'm going to use his words, i normally wouldn't, i'm going to quote, russia is laughing their -- off and he said quote, that russia succeeded beyond their wildest dreams. i think this is going to be a chapter in our life where we're going to have to acknowledge, we have been humiliated as a country. our democracy has been humiliated. wed our pocket picked. we lost the real cyber war that
1:26 pm
the nation has been in. it's going to be characterized as a chapter of failure. the u.s. government failed to protect the u.s. democracy and i want to ask you based on your lengthy experience in this position, but your lengthy experience and service to the country, where is the source of that failure? was it a failure of imagination? was it a failure of will? was it a failure of policy? was it a failure of structure? was it a failure of personnel? was it a failure of leadership? was it a failure of investment? was it more than one of those things? we can learn from failure and we should so we can improve. >> right. >> but i think the history of this, especially the 2016 election which is lead to 19 indictments or guilty pleas by individuals and another three indictments or pleas by entities.
1:27 pm
it's going to be viewed as a chapter where the u.s. government failed the u.s. democracy and i want your best professional judgment and what might be your last appearance in front of the committee is where the source of the failure is so we can fix it? >> i don't think there is one single source of failure. one thing that struck me is if you go back several years we define critical infrastructure from an industrial age approach. does it produce a product of service or outcome? using that methodology -- we're thinking that there's no product or service so to speak that it generates. there's votes and outcomes. so the first thing i was struck by is we need to rethink what does critical infrastructure mean to us in this digital age that we live. and again, i've been in the job for a while and part of multiple
1:28 pm
administrations, i think that the thought initially was we'll go to them and tell them we have awareness of what we're going and this will convince them and we'll take initial steps and convince them that they should stop -- >> under estimating an adversary. >> that hasn't happened. i don't think we anticipated how -- what level of sustained aggressive behavior we were going to see over time. that this wasn't viewed as a one-off. one particular outcome or election. we are looking a the a nation who views this as a strategic imperative over time and value to be achieved and continuing to do this. i don't think we necessarily looked at this that way. and the final thing that comes to my mind and it is symptomatic of cyber as a whole, who do you do when dealing with a challenge
1:29 pm
that crosses so many different lines. in our structure, elections is a state process. cyber capability, dod, doj. that's the executive. that's not state. that's a federal and executive brarch branch. in the private sector, one of my take aways is that cyber is going to force us to think outside of the traditional lines in defining problems and aligning resources. >> let me ask you a question. i was a mayor and governor. why should local and state officials today believe that the united states government will protect the united states democracy in future elections? as i talk to governors and local officials, they have very grave doubt whether the federal government will act in anyway to protect the electoral system from attacks such as those that russia conducted in 2015.
1:30 pm
tell them why they should have confidence? >> i don't interact with them, as a citizen is i hope one of the take aways, they have not achieved the outcomes we want, it is not because there are not motivated hard working individuals trying to do things and hopefully as you said, we want to be a learning adaptive nation here. where we learn and changeover time. i'm hoping that what we are going to see in the coming months and years ahead of us. this is not -- we're not going to deal with this in six months or a year. that's not the way it's going to work. i don't think. >> thank you, mr. chair. >> i'm going to try -- i know this has been gone over. first of all, thank you. i'm a big fan of the work you have done. but, i'm going to try to channel a woman who came up to me in a grassry store no too long ago. she asked me a simple question, is russia at war against our
1:31 pm
democracy? what would you have said to her in the grocery store? >> well, war is by definition as a specific legal document aspect to it. i'm not a lawyer. what i would say to her is, there shouldn't be doubt we are in competition with these guys and they are trying to use every tool to gain advantage and some of that they want to gain is undermining our very institutions. >> that's -- i said yes -- >> i like to talk to people, i apologize. >> they came after our democracy. >> yes, ma'am. >> i can't imagine anything more essential than our democracy. so the next question she asked, are we strong enough and smart enough that we can keep them from doing this again? >> yes. >> okay. so, then the next question she asked me, i said the same thing.
1:32 pm
are we doing that right now? >> we're taking steps, but we're probably not doing enough. >> okay, so she wants to know and i want to know, why not, what is it going to take? >> i'm an operational commander. you're asking a question bigger than me. here is what my role is -- >> it's a problem admiral. >> i don't deny that for one minute. >> the notion that this country came after the essence of what we are, the character and value of our country is about the democracy. the notion that came after us, brai brazenly and nobody can sit in the chair and say we got this. you can do this. you give our americas military a mission and nobody is better. the notion that you have not been given this mission from stopping this from happening this year is outrageous. it is outrageous. and there's no question that
1:33 pm
they know we are not coming after them. and frankly, your response to senator reed's question about cyber command did you wanting the interference. you said we have chosen not to engage in the same behavior as russia. defending is not the same behavior as russia. preventing and deterring is not the same behavior. they came after us, we're not asking you if you are going after them. we're asking you, have you the authority, have you the command, to stop them from doing this again to us in 2018? >> i can not operate out of the dod information network, ma'am. on a dill yaily basis. i don't have the legal authority to defend the stateess -- >> if you don't have the authority to defend our voting structures, then we've got the ability to fix that. correct? i believe mr. chairman and ranking member, we have the
1:34 pm
ability to fix the law to give you the authority to protect the voting system. i guarantee the secretary of state of missouri don't have the ability to go after russia, they can harden but they can't go after them. the only entity that can go after russia is the united states military. that's the only one. and in fact, i mean, effectively, maybe department of homeland security can help around the edges, but their primary mission is not to go after a foreign nation but to protect the homeland. >> i would argue, think respectfully, think beyond sieber and responding and there's a whole economic -- there's tools that we can apply to shape russia's behavior and choices. i'm not arguing that cyber is not a potential part of a broader strategy -- >> i never thought i would see
1:35 pm
the day that russia would go after the heart of our country ever, and that we would be sitting here parsing words on whether or not we've got this. i want somebody with your experience and your courage and your tenacity, i want somebody to sit in that chair and say to the united states of america, we've got this. and until we have that moment, russia is winning. and have that is disgusting, thank you mr. chairman. >> thank you, mr. chairman. guess what question i'm going to ask, sir? will this be a russia associated question? and a deterrence related question. on december 23rd, 2016, the
1:36 pm
congress passed, the national defense authorization act. in it was a section that required the secretary of defense to file a report on just the questions we've been talking about. within 180 days which was june of 2017 about the definition of a cyber attack, what would be the response. it talks about operational authorities and what authorities delegated to the united states cyber command for military cyber operations and how the law of war applies. a whole list of the purpose of the amendment which was in the law, which is in the law, was to establish a clearly articulated doctrine or response in this kind of situation. i'm asking you as an operator, have you been asked -- have you been tasked with drafting any part of the response to this requirement? >> i've been part of the dialogue about responding,
1:37 pm
particularly on the operational piece of this in terms of overall responsibility and this is the office of the secretary defense is a responsibility -- >> i'm asking is anybody working on this? we're eight months late now. >> i apologize, i don't know the specifics of the time line -- >> were you given a deadline we need this by june -- >> i was apart of this. i honestly don't remember if we were given a time line, can i take this as an action? >> this is frustrating, we are still talking about the issue when the congress made a specific instruction to the defense and the preponderate was required to respond to the congress from 180 days that should have been coming from june of 2017, hasn't come. so we're way late and we keep talking about this. you and i have been in probably a dozen or 15 hearings on this and we don't seem to be further ahead than we were before and the problem is you've testified
1:38 pm
today and i think quite accurately and repeatedly, until we have some clearly articulated doctrine of response to these kinds of attacks. they're going to continue. if we try to patch the software, their going to continue. and you know that and i know that. what's it going to take? is it going to take the destruction of the electric grid? or the financial system for us to finally get to the point of taking this seriously? >> like i said, sir. there's an on going -- i'm participating in this, i apologize, i don't know the specific time lines. >> and i understand you're an operational guy, but you have to understand -- you're the nearest thing that -- >> i know my role. >> you're lucky enough to be here today. this is serious business and -- let me turn to more specific question that i think underlines what we're talking about here. what would happen today if you
1:39 pm
on your way back to the office got a call and said the u.s. financial system has been taken down. all of the computers on wall street are off and the markets are in chaos. i don't mean from a policy point of view, what would be the execution? who is in charge? what would -- what would the results be? >> so dhs would have overall responsibility for the provision of federal support in response to this. my role would be help to make sure i understand number one, who is the actor? can i identify who did this, i need to know who and what i'm responding to. so let's make sure we understand the characterization of activity. who is the actor? what did they do. >> who would take the lead? >> dhs. >> have you wore gamed this? >> yes, sir. in fact, i made it a broad reference that the finance
1:40 pm
sector for example, the scenario you posture here, we've under taken good table tops as i reached out to dhs and the financial sector. we've got to get down to execution level work with your team -- >> and you have repeatedly talked about integration. a follow up is do we have a serious red team war game process to be sure we're not surprised about how to react when one of these things happen? >> i don't know if i would use the phrase if we have a serious read team. is this part of the mission responsibility, yes. is this something we train and exercise against? yes. is this something we assess looking for indicators for this type of activity before it occurs? yes. >> i want to thank you. this may be our last time to talk about this and thank you for your service and your straightforward response, always. and just leave you and you know,
1:41 pm
i hope as you leave this job, you will leave a memo behind that says, we are not adequately prepared. we need a doctrine and need it to be publicly available. we need the adversaryryes to know if they strike us, they will be struck back. it may be a whole range of things. we have not done that right now and i deeply hope this is something you can take on as a kind of exit interview. thank you, mr. chairman. >> thank you, mr. chairman. admiral, rogers thank you for being back before the committee. can you just give me a brief description in your tenure and your current role, where you think things have got -- tell me the positive things that occurred and the things that you wished you made more progress on and your time in the command? >> so the positive thing among
1:42 pm
of things that jump out at me is cyber integration with other operational commands, particularly set come, socom. pacific command. that's a real strength. that's something that i really -- i knew it was a good day when you have those commanders talking about what cyber command is doing. shouldn't you like what we're doing -- that's been a real process, some of the command and control structures, that we put in place, how do you build a structure to intergrade capability and generate affects against isis. it was a slow start. starting from ground zero, but it has taken off. that has worked out very very well. the campaign planning and the structure from a planning perspective that we put in place particularly has been a focus for us over the last calendar year. that's great work. that sets the foundation for the future and we are no different
1:43 pm
in our mission set than set com in terms of the mechanisms and the framework they are using to plan and the european command is doing. that's a real positive. if i ask myself, what are the areas where i would and the force generation, we're going to beat the time line for foc. it took a lot of work by a lot of people. the areas where we're not afar along as i wished we were, tool and capability development and who is going to do what. we have to work it out the role between the services and the command. you have given us -- the congress given us acquisition authority. we've started down that road and i think that's a positive. we have to ask yourself, what the future here? >> do we have the time line with acquisition right with the nature of the developing technology? are we compressing the time to new capabilities to a point that you feel comfortable? >> we're never where we want to
1:44 pm
be. i like the fact that there's recognition and we need to do it outside of the traditional acquisition framework built to generate the capital intensive capabilities that take a decade to develop. that's not our motto. nots what we need. i like the recognition of this. this will be something i will comment on before i leave. i've got some thoughts i want to share on this. >> how well have you done on personnel recruiting and retention -- particularly interested in other things we should be doing as we look at the nda specifically around personnel issues? >> if you look around the uniform side, we're exceeding our expectations. doesn't mean it is perfect. the biggest challenge in the four years has been less the military uniform component and the civilian pieces proven to the harder. retention, recruitment, and part of it now is the process.
1:45 pm
when it comes to the military, we've got a lot of people coming to us. many of who who have skills that i can apply to cyber. in the cyber world it is about going out and finding people with the right skills. it is a different dynamic. so the civilian piece is proven to the harder. >> that's something we are interested in things we can do to make that easier. i can't imagine how you compete with the likes of the forum i worked with recruiting, some of the top tall enthe, i can fill the new talent in threen months that you can take three years to do. thee highly talented people want an environment moving at the pace of the threat. since the time you start third-degree role, how would you describe the number and nature of threats you are dealing with today versus when you began? >> state actors have gotten more
1:46 pm
aggressive not less aggressive. the capability in many states that have concerned us is growing. you can look at the level, we talk about russia, china, iran and north korea. you look at the level of investment they are makes, it is significant. >> how well -- last question, how good have you gotten at knowing what we don't know. i have talked about this before. there's a lot of people who express frustration because when we see milan behavior on the part of a state actor or another organization, the idea is to go out with some sort of a proportionate response in the cyber world. the thing that concerns me is we don't know what we don't know about latent capabilities and can be brought back to us. are we at a point where we have better or holistic idea of the latent threats are out there?
1:47 pm
and the private sector of all of government? >> we are better. but on the other hand -- >> they are better too. >> as a broad operation gnal approximately, we must be capable of acting on knowledge -- my experience teaches me it doesn't always work that way. >> well, thank you and again i encourage you to get feedback to the committee staff in my office on anything that we can do at least on the recruiting and retention piece for resources going into the nda. thank you for your service. >> yes, sir. >> thank you, senator tillis. let me make a comment before we go to senator peters. i was thinking about this -- these comments that have been made. i just returned last night from 12, 13 days in pay com. everyone from admiral harris,
1:48 pm
and all of the rest i talked to, all the way to and including the dmc between south and north korea. so all them were there. i have to say, pay com they are complimentary on the work and process you have made. senator peters. >> it is wonderful to have you here again and i'll join in saying thank you for your service. we're going to miss you and it's great to have you before this committee and i appreciate your attention to this issue. i'd like to talk more about the future of warfare and the future of technology and there's been questions related to machine learning and artificial intelligence which is going to change everything and not just the military space but the commercial side. i am on the commerce committee and we had a hearing on artificial intelligence and how it's going to change business and commercial activities in
1:49 pm
general and i asked one of the leading executives of one of the leading technology companies in the country, what did he fear most about artificial intelligence, we had a hearing of all of the positive aspects and i was surprised about his answer. the manipulation of elections and the manipulation of public opinion that can undermine democracy. which i thought was an interesting response from a leading tech company. so i wanted to ask you a bit about that and the department of defense and more broadly our posture when it comes to investing in these technologies and how are we working to increase innovation and work with those commercial companies to intergrade it into defense systems and i guess i'll ask you that question as well. what do you fear, if we don't get it right, what is a fear of an adversaryry requiring ai system in advance our own
1:50 pm
capabilities? >> from a military perspective is that you can lose speed and knowledge. that's a combination, they are and one of the concerns is that if we are not careful, a.i. gives opponents speed and knowledge better than ours if we are not careful and not arguing it is going to happen, but i acknowledge that we have to look at it. and aapologize, what is that -- >> well, i want to picket up t it is moving through the commercial side faster than military side. and so usually it is the military that is the leading industry, but that is not the case of all, and soy am concerned about adversaries to buy the technologies from the startup companies. aa frm working right now in trying to fill the gaps on the sifous process which of foreign
1:51 pm
entities to buy companies and perfectly legal to get that information and use it for commercial application, and use it to weaponize that type of technology as well. so my question to you is how can we better integrate the missions of the cyber come as it is going to relate to the sifius sphere, and how we can capitalize on that? s >> i am not concerned about the review process in the cybersecurity, and it is that we are so co-located to each other, but my bigger concern is that i cifius to me is the indication of the environment of the past and not the future, and so it is clear to me that some nation states have spent a lot of time
1:52 pm
studying the cifius state and developing strategies to overcome it. i don't have to buy the corporation overright, but who are the subsidiaries and the provide rears and who else has access to the intellectual property to this, and i will acquire, that and that, but that is not what it was built to do. so i a applaud the efforts that we need a different construct and not that we don't want to get rid of cifius, but we have to think of it more broadly of the national security challenges of the foreign and investment areas for national and strategic areas for us. >> is there a role for scyber conn to be involved in that process, and i mean, you aware of what is happening and the things that you are concerned about, and how do you see a potential role there if any? >> my role on the nsa side, because we are tasked with
1:53 pm
generating knowledge and insight is much greater. cyber command helps to feed the effort, because we generate the knowledge and the insight on the cyber side that we are doing, and putting out the reporting to put it in the broader effort, but it is not a primary mission for cyber command, but it is much more a primary mission on the nsa side. >> thank you for your testimony. we appreciate it. >> thank you, mr. chairman, and your admiral and the 37 years of service. >> when you say that i just feel like -- >> no, no. you should feel proud and strong. and you probably picked up on a theme today that this committee is feeling a sense of urgency about the russian threat to our elections. this is not a personal criticism of you. >> i understand. >> we are frustrating that this administration has not lived up to its responsibility to do something about the russian cyber action. now, you told senator
1:54 pm
blumenthal, and senator mccaskill that not every cyber attack requires a cyber response, so i'd like to follow up on that a little bit here. the pentagon scybersecurity strategy says and i will quote it to you, in response to certain attacks and intrusions the united states may undertake dip llomatic actions, take law enforcement actions and consider economic sanctions, and so i want to focus on just a moment on that last piece, sanction, and congress overwhelmingly passed a law last year that in part required sanctions on the individuals and companies that knowingly are engage in malicious activities on behalf of the russian government. and those sanctions are freezing access and restricting the travel. the trump edadministration has t imposed these required sanctions. and admiral rogers, i know it is not your primary responsibility -- >> yes, ma'am -- >> -- to impose the sanctions, but i want to ask a different question. what message does it send to
1:55 pm
vladimir putin that the united states has not fully implemented sanctions sanctionses to the counter known russian cyber attacks? >> you know, more broadly and not just the sanctions, but more broadly, my concern is, i believe that president putin has clearly come to the conclusion that there is little price to play here. >> bingo. >> and therefore i can continue this activity. >> exactly. >> and the director of nsa and what i am seeing on the cyber command side lead ms. toe believe if we don't change the dynamic r here, we will continue, and 2016 is not going to be isolated, but it is something sustained over time. so i think that the challenge for all of us is so what are the tools available to us, and as the strategy says, diplomatic, economic, and some scyber the things. there are tools available to us. and again, i think that it in fairness, you can't say that nothing has been done, but my point is that it has not been
1:56 pm
enough. >> it has not been enough. >> and clearly what we have dnen is not enough. i am mindful of my role as an operational commander. >> i appreciate that it is not enough, and it is not going to help if you don't have tools in the tool box the pick them up and use them, and russia going to keep trying to interfere in the election, and if the trump administration does not fully implement sanctions, then we are not using every tool we can to effectively deter russia from undermining dem kocracy in the future. let me ask you one other question if i can, and mirl. it is clear that the united states needs to step up its s cyber game. i want to follow up on the question from senator tillis. we previously discussed the question of how to build a skilled cyber force, and you said that the improving d.o.d.'s network defenses and building a cyber control is to attract the most talented people out, there and this committee is now considering reforms to the
1:57 pm
defense officer of the personnel management act r or dopma which is another great act, and i love to talk about that. and how we recruit and frtrain r military officers and with that in mind, and mirl, you could me one change to dopma, what would you change? >> and to be true we use dopma instead of pronouncing dope-ma, because it sounds better. and so this is something that can't be viewed, we give you training and you do it for a few years and do something else, and we bring you bangd you are gone again.
1:58 pm
that not going to get us where we need to b. and the services are going to be doing the man training and equip and doing the capability that i do as joint, commander then harness the mission outcomes as the joint commander, and that is the biggest thing. >> thank you. it is helpful to know. i know that the 2017 defense bill gave the pentagon a lot of flexibility in how the recruit. but i remain concerned that our recruiting system is so focus on recruiting for the military of today that we are not effectively targeting the best talent and best suited talent to execute the missions we will face tomorrow. and so, how we think about that, i think it is really important. >> yes. >> and so thank you again. thank you for ur your servi-- f your service and your help. thank you. >> thank you.
1:59 pm
>> and it is chair's intent to close the remarks of the ranking member. is that all right? >> first, i would like to clarify, there are russian-inspired cyber operations ongoing against our election process, sir? >> yes, sir. i am speaking more as the commander of joint command. >> and with the national mission teams, can they the disrupt the point of attacks at the point of origin. >> we could be tasked to do that but i don't want to overpromise. >> it is legal and can be done? >> yes. >> have you been asked to make a recommendation with respect to deploying these teams? >> no, but i have certainly provided my -- nobody is directly asked me, but i have provided my opinion in ongoing
2:00 pm
discussions. >> what is your opinion? >> my comment has been to be mindful of defaulting to the the cyber piece here. i'd like for us to think about it more broadly and how this potential cyber piece, and cyber command could play how it fits into something broader. >> so to conclude, you not been formally asked for recommendation? >> no, sir. >> you have expressed your opinion to the secretary of defense and to white house about the possible use of this, but not in any for mall way? >> yes, sir, i have not put anything in writing for example. >> and the final point and i guess that this goes, do you feel as a professional officer you have an obligation to make a formal recommendation to this? >> i feel that the system provides me the opportunity to provide my recommendation to provide my insights, to provide my opinions that people listen to what i have to say, and i acknowledge other opinions out there, and i acknowledge other perspectives, but i feel comfortable that there has been
2:01 pm
a dialogue on the topic, and that dialogue continues. >> thank you, mr. chairman, thank you very much. and thank you, admiral. >> thank you, a shg, admiral, f patience in what is perhaps your last event here. thank you. we are adjourned.
2:02 pm
2:03 pm
transportation secretary elaine chow testified before congress on the trump infrastructure plan and how the pay for updating roads and bridges and reducing regulation on the frain frastructure projects. we will show her testimony tonight at 8:00 p.m. on c-span 2. and the coffin of the late reverend billy graham is returning to north carolina after spending a day in the rotunda. we will have live coverage tomorrow on c-span at noon eastern. and tomorrow night, this week's oral argument over the government uniyons and whether they can require the unions to pay union fees. in janus versus the afscme, he does not want to pay the union
2:04 pm
fees, but he benefits from the union ne goegotiations. you can hear these arguments tomorrow on c-span. this week, c-span's cities tour takes you the shawnee, ooklahoma. the growth was spurred by the rail road industry, and settled by native american tribes w. the help of our broadband cable partner partners, we will explore the area. and also, carol sue humphreys with the book "the american revolution and the press" the promise of independence. >> in the years between the french and indian war and the american revolution, the fight, the actual fighting started, and the newspapers again, they played an important part in letting people know what the arguments were and what the issues were and also getting them involved in standing up against britain when they were mad about taxes or other issues.
2:05 pm
>> and then on sunday at 2:00 p.m. on american history tv, a v visit to the citizen pottawatomie nation cultural n center, and hear about the people, and the forced removal of the native land into indian territory. >> this is the particular section of the museum, we highlight one particular removal which is what we refer to as the trail of death. it happened the same years of the cherokee trail of tears and we left our homelands within a few days of each other. this is a particularly heartbreaking and gut-wrenching removal. our ancestors who were moved on this particular removal were ones who had refused to negotiate with the federal government. so, agents, called a treaty council and asked the people to meet at monomonies village in what is today,

25 Views

info Stream Only

Uploaded by TV Archive on