tv Former NSA Director Testifies on Russian Interference Capabilities CSPAN March 30, 2017 2:05pm-4:07pm EDT
and allow companies that are doing business in competitive marketplaces where they have real competition to pay their tax there and then have the flexibility to bring their money back and forth. if companies are choosing to locate in a tax haven, getting all the benefits of being a u.s. corporation, choosing to domicile a lot of their operations in a place that pays no tax, those companies should be subject to a minimum level of tax. i want to fix the system, which i think is consistent with what you're saying. host: john on the democrats line in maryland. caller: i guess two questions, the first was, i thought i heard the speaker say he didn't really want to just dp the -- >> call this hearing to order. this morning the committee examined the history and characteristics of russian active measures campaign as it led to this, our second panel. which will examine the role cyberoperations play in support
of these activities. i'd like to welcome our from the cybersecurity company mandia. mr. mandia served in the united states air force as a computer security officer and later as special agent in the air force office of -- office of special investigations where he worked as a cybercrime investigator. thank you for being here today. and general alexander served for 40 years in our armed forces, culminating with his tenure as the director of the national security agency from 2005 to
20 and concurrently served as director of u.s. cybercommand from 2010 to 2014. thank you for being here today. it is an expert on studies, he worked as the university in jerusalem, johns hopkins school. dr. rid, thank you as well for your expertise and we look forward to your testimony. sen. burr: the level of cybersecurity in front of us is truly remarkable. they'll be able to provide at an unclassified level some extremely useful texture and
detail to the discussion we began this morning. i feel certain, and i say this to all three of you, that the committee in a closed setting might want to reach out to you as we begin to dig a little deeper so that we can get your thoughts and tap into your expertise. that we might be able to explore more than in this open setting. for this hearing, we will be recognized by order of senior fi for -- seniority for five minute rounds. we are targeted to have a vote somewhere between 4:00 and 4:30. it would be my hope we could wrap up prior to that vote and not hold our witnesses open, that way we would conclude senate business for the week with that vote. vice chairman. >> thank you, mr. chairman. i don't have a statement other than one to welcome all the witnesses and to point out that before mr. mandia's company was
acquired by a california company he was based in alexandria, virginia where he did great work. we'd be happy to have you bng with all due deference to senator harris. sen. harris: stay in the sunshine. sen. burr: i'm going to recognize you to start. mr. mandia: thank you for allowing me to speak. what i'm going to speak about today is the cybercapabilities and techniques attributed to russian hackers, specifically a group we refer to as a.p.t. 28. i want to talk also about recommendations to prevent or mitigate the -- or mitigate the compromise. i want to give you a little of my background and the background of my company.
as i sit here right now we have hundreds of employees responding to computer security breaches. we think it is critical to own that moment of responding to a breach, collecting the trace evidence, stabilizing that evidence. so as i give you my narrative today it's based on three things. on what we are learning as we respond to hundreds of breaches a year. we're cataloging that trace evidence and putting it into a linked database, and we have over 150 threat analysts who speak 32 languages, 19 countries, and they're trying to marry up what we're seeing in cyberspace to what we're seeing in a geopolitical world out there today. then the third source of my dialogue, third source of evidence, is in fact we have 5,000 plus customers relying on our technology to protect them on a daily basis. let me first speak to the methodologies being used by a.p.t. group 28. we attribute many intrusions to these folks. you might have heard about the worldwide anti-doping agency, the d.n.c. breach, the d.c.c.
breach, the ukrainian central election commission, and i can keep going on. i believe the doctor will mention some more of these victims. but all the breaches that we attribute to apt 28 in the last two years involve the theft of internal data as well as the leaking of this data by some other party, potentially a.p.t. 28, potentially some other arm of the organization, into the public. during the course of our apt-28 investigations we've had a significant amount of evidence. we've looked at custom malware. we don't see this malware publicly available. it's not available to you to download and use tomorrow. it's being crafted in a building, shared by people in a closed loop, it's not widespread or available to anybody. we have identified over 500 domains or i.p. addresses used by this group when they attack. almost every modern nation that
develops an operational capability in cyberspace, the first thing they need to do is get an infrastructure they use to then attack their -- the real site of their attacks. the real intent. the real target. so there's a huge infrastructure of compromised machines or false fronts or organizations that are used for these attacks. we found over 500 of those. we have analyzed over 70 documents written in many languages, these are the documents you receive during a spearphishing. they're armed documents if you open and peruse them. when you assess the documents, they're related to the subject and interest of the people receiving these documents. a lot of work is going into the backdrop or background of the people being spearphished. i can go on and on. i've got 40, 50 more pages of what they do but i'll focus on a couple of things that also help us attribute apt-28's activities to the russian government. in 2015 alone, we saw apt-28
leverage five zero days, and a zero day is an attack that does not have a patch available for it, it will work if received and you execute the file. and the best way to liken the value of a zero day, the minute it's used and it's been weaponized its value goes down incredibly fast. and so when you see these things, mostly in the -- they're mostly in the toolbox of a nation's data at this point. over the last 10 years, the security industry has done a great job making the cost of zero days go up, and we're seeing apt-28 deploy them as needed. they're hard to detect once they're in your network because they rely on the tools your system administrators derely . say they turn into ghosts almost the minute they're in, your likelihood of detecting them if you don't detect the initial breach goes down exponentially. they operate using your tools
and operate very hard to detect. i want to share with you three observations i saw emerge in 2014 that i did not see prior to responding to these state actors. i had the privilege of responding to them when i was in the air force. probably a different group but a group we attribute to the russian government. and every time i responded to them on the front lines, if they knew we were watching them, they would evaporate. we never got to observe the tools, tactics and procedures of russian state sponsored intrusions in the late 1990's and early 20's. they didn't let us do it. for some reason in august of 2014, we were responding to a breach at a government organization and during our response, our frontline responder said, they know we're there. they know we're observing them. and they're still doing their activities. actually flew in, sat on the front lines, first i've seen it. to me that was big news because i had a 20-year run from 1993 to about 2014 where they never change the rules of engagement. they changed in august or
september of 2014. second thing they did is started operating at a scale and scope where you could easily detect them. we were observing and orienting on them. they were letting us do it. but their scale and scope became widely known to many security organizations and we started work together to get better visibility and fidelity. lastly, something i wouldn't have predicted but we also witnessed for the first time in 2014, a group we attribute to the russian government compromising organizations and then suddenly the documents are being leaked out in a public forum through hacktivist personas we have not seen. for today and the foreseeable future, it's our view that united states will continue to see these happen. while many organizations are actively trying to counter these attacks, there's such an asymmetry that is hard for any organization to modernize and prevent these intrusions from occurring when you have a state sponsored attacker.
therefore we're going to need to explore ways both within and outside of the cyberdomain to help deter these attacks. lastly i say if i had five minutes to talk to the senate, what would i say? here it is. i think we have to first start with, got to get attribution right. we got to know who is hacking us so we can establish a deterrent. this gives us a great opportunity to make sure we have the tools necessary and the international cooperation necessary to have attribution. when you have attribution right, then you can consider the proportional response and the other tools at your disposal as diplomats to make sure we have the deterrents we need. thank you very much for this opportunity. sen. burr: thank you. general. general alexander: i want to pick up from where kevin left off. i had the opportunity to see on news, you and the ranking member talk about approaching this in a bipartisan way.
approaching the solution in a bipartisan way. and when you look at the problem and what we're facing, it's not a republican problem. it's not a democratic problem. this is an american problem. and we all have to come together to solve it. i think that's very important. if we step back and look at this, i want to cover several key areas to give my perspective on what's going on. first with respect to technology. the communications is doubling every year. we're get manager devices attached to the network. this network is growing like crazy. and so are the vulnerabilities. our wealth, our future, our country is stored in these devices. we've got to figure out how to secure them. with those vulnerabilities, we've seen since 2007 attacks on countries like estonia. georgia. ukraine. saudi arabia. a whole series of attacks and thenria and others. and then attacks on the power grid in the ukraine. and what's career -- what's
clear is these networks and these tools have gone from exploitation for governments and crime to elements of national power. and i think from my perspective when we consider that this is now an element of national power, we have to step back and say, what's their objective? it's been said, know yourself, know your enemy, and you'll be successful in a thousand campaigns. what's russia trying to do and why are they trying to do it? from my perspective as i look at it with my background, is clear it's not just trying to go after the democratic national convention or others. this is widespread, a campaign they're looking at doing that will drive wedges between our own political parties and between our country and nato and within nato and within the european union. why? i believe when you look at russia, and if you were to play out on a map what's happened over the last 25 or 30 years, they
see the fall of the soviet union and the impacts on their nr bord a all these as impacts on them. i bring all this up because one of the questions that's out in the press is, do we engage the russians? or do we not? every administration that i'm familiar with, including the obama administration, started out with, we're going to engage them. it was tchailed reset button. that didn't go far, i believe this administration should do the same. when i look at what's going on here, there's another opportunity that we have. when you look at the characteristics of leaders in this administration, we have people with great business experience, the president and secretary of state and great national security experience. in addressing the problem that we're now dealing with, this is a new area. we're seeing cyber, it's an element of national power, how do we now engage russia and other countries and set the right framework?
i believe we have to engage and confront. engage them in those areas that we can, set up the right path, reach out, and cool this down. i really do. we've got to fix that. at the same time, we've got to let them know what things they can't do and why they cannot do those. set those standards. and i think what this group can do and what you are doing, chairman and vice chairman, is make this a bipartisan approach. solve this for the good of the nation. when we look at cybersecurity and what kevin gave you in terms of what industry sees, and what government sees, over the last decade we have jointly worked on coming up with cyberlegislation, how industry and government works together. if we're going to address africks and other issues we also have to set up the way for our industry and sectors to work with the government so that that attribution and things that the government knows and those
things that industry knows can be used for the common good. it's interesting that sitting on the presidential commission, one of the things that came out when we looked at what's going on was what's our strategy? and at times people looked at this as a government issue and it's an industry issue. it's not. this is something that we need to look at as a common issue. for the common defense. it's in the preamble of the constitution. it's something we should all look at. then we should see how do we extend that to our allies? i would step back and encourage, encourage you to step back and look at the strategy. what's russia trying to do? why are they trying to do it? and how do we engage them? at the same time, we need to address our cybersecurity issues and go fix those. and get on with that. thank you very much, mr. chairman. sen. burr: thank you, general. mr. rid.
ha -- for giving me the opportunity to speak today about active measures. understanding cyber operations in the 21st century is impossible without first understanding intelligence operations in the 20th century. attributing and countering this information today is therefore also impossible without first understanding how the united states and its allies attributed and countered hundreds of active measures throughout the cold war. nobody summarized this dark art of disinformation better than olol -- than the colonel who headed department x. he said, quote, a powerful adversary can only be defeated through a sophisticated, methodical, careful, shrewd effort to exploit even the smallest cracks within our enemies and within
their groups. the tried and tested measure is to use an adversary's measures against himself, to drive wedges into pre-existing cracks. the more polarized a society, the more vulnerable it is, and america in 2016, of course, was highly polarized. with lots of cracks to drive wedges into. but not old wedges. improved, high tech wedges that allowed the kremlin's operatives to attack their targets faster, more reactively and on a far larger scale than ever before. but the russian operatives also left behind more clues and more traces than ever before. and assessing these traces and operations requires context. first, in the past six years, we have talked about this already this morning, active measures became the norm.
the cold war saw more than 10,0 ti measures across the world and this is a remarkable figure. the lull in the 1990's and 2000's i think was an exception. second, in the past 20 years, aggressive russian digital espionage became the norm. the first was called amber light ma and it started in 1996. in 2000 the shift in tactics became apparent, especially in moscow's military intelligence agency. a once-careful, risk-averse and shrewd and stealthy activity became more careless, risk-taking and error prone. one particularly revealing slipup resulted in a highly granular view of just one slice of g.r.u. targeting between march 2015 and may 26 in the
leadup to the election that contained more than 19,000 malicious links, targeting nearly 7,000 individuals across the world. third, in the past two years now, coming closer to the present, russian intelligence operations began to combine those two things, hacking and leaking. by early 2015, military intelligence was targeting defense and diplomatic entities at high tempo. among the targets were the private accounts, for example, of the current chairman of the joint chiefs of staff, general dunford, or current assistant secretary of the air force daniel gsbg. or the current u.s. ambassador to russia, john test, and his predecessor, michael mcfaul. a large number of diplomatic and military officials in ukraine, georgia, turkey, saudi arabia, afghanistan, and many countries bordering russia, especially the defense attache
all, i add, are legitimate and predictable targets for a military intelligence agency. russian intelligence curiously also targeted inside russia -- critics inside russia, for example, the hacker group. in early 2015, g.r.u. breached successfully not just the german polics -- parliament but also the italian military and saudi foreign ministry. between june 2015 and november 20 at least is six different front organizations appeared. very much cold war style, to spread some of the stolen information to the public in a targeted way. finally, in the past year, the timeline here in the u.s. election campaign began to align. between march 10 and april 7, g.r.u. targeted at least 109 full-time clinton campaign staffers.
only full-time staffers, not volunteers. these are not counted here. russian intelligence targeted clinton's senior advisor jay sullivan in at least 14 different attempts beginning on 19 march. they targeted even secretary clinton's personal email account but the data showed she did not fall for the trick and didn't actually reveal her password. military intelligence agency g.r.u. also targeted d.n.c. staffers between march 15 and april 11, the timing lines up nearly perfectly. about one week later, after the events i just mentioned, the d.n.c. website was registered getting ready to spread data publicly. the timing is nearly perfect. out of 13 named leak victims,
forensic evidence identified 12 targeted by g.r.u., with the exception of george soros. but a narrow technical analysis would miss the main political and ethical challenge. soviet bloc disinformation specialists preferred the art of exploiting what was then called unwitting agents. there is no contradiction in their reading between being an honest american patriot and at the same time furthering the cause of russia. in the peace movement in the 1980's, we saw that people would be genuinely protesting, say, the nato double track decision, but at the same time advancing russian goals. there is no contradiction. three types of unwitting agents, wikileaks, twitter, the company itself, and i'm happy to expand later, and overeager journalists aggressively covering the
political leaks while neglecting or ignoring their provenance. in 1965, the k.g.b.'s grand master of disinformation, general ivan agayons inspected an active measures outpost in prague, a particularly effective and aggressive one, and he said, quote, sometimes i am amazed how easy it is to play these games. if they did not have -- if they did not press freedom we would have to invent it for them. later, the czech operative he was speaking with at that very moment defected to the united states and testified in congress. and i quote him to close. he said, the press should be more cautious with anonymous leaks. anonymity is a signal indicating that the big russian bear might be involved. thank you.
sen. burr: i want to thank all three of you for your testimony and i think it's safe to say that this is probably a foundational hearing for our investigation to have three people with the knowledge that you do, and i hope when you do get that second call or third call that you -- you'll sit down with us as we have peeled back the onion a little bit and we have technical questions. we've got some expertise on the committee, you can look at a lot of gray hair and realize that my technology capabilities are very shallow and that many of us struggle to understand not just what they can do but even the lingo that's used and the dark side of the web and the open side of the web, these things are amazing and would be shocking to most people. i'll turn to the vice chairman for his questions. >> thank you, mr. chairman.
let me echo what you said. i think we've got an incredible panel of experts here. i've got three questions i'd like to try to get through. the first one hopefully fairly quickly. sen. warner: based on your expertise and knowledge, do any of you have any doubt that it was russia and russian agents that perpetrated during the 2016 presidential campaign the hacks of the d.n.c. and the emails and the misinformation and disinformation campaign that took place during the election. a short answer will do. do any of you have any doubt that it was russia? mr. mandia: we can't show you a picture of a building or give you a list of names of people
who did it, we have to look at a lot of other factors, some of which is incredible amounts of detail. but we've got 0 years of observation, we've seen similar behaviors in the past, my best answer is it absolutely stretches credulity to think they were not involved. general alexander: i believe they were involved. dr. rid: i believe they were involved as well. sen. warner: it's been reported that some of the techniques, i say with my good friend richard burr, i used to be technologically savvy up until 2000, 2001, which still puts me a decade ahead of some of my colleagues, but it's been reported in the press and elsewhere that by using the botnets and that exponential ability to flood the zone that in the misinformation and disinformation campaign, they were, the russians were able to
flood the zone, actually not in a broad-base -- in a broad base across the whole country but targeted down to precinct levels in certain states. is that capable to do? if you could have a botnet network that would in effect put out misinformation or disinformation and all the other sites that would then gang up on that and target that down to geographic locations? mr. mandia: i think it's technically possible. i don't think i have enough information to say that was done at each location. i think it's technically possible, if you put enough people on it, yes you could do it. dr. rid: it's technically possible. let me make a distinction between a botnet, which is usually controlling somebody's machines, and bots, which is a twitter account that's automated.
sen. warner: but they have the effect, whether it's botnets or bots, they have the ability to push something high on the news feed. dr. rid spast mostly -- dr. rid: that's mostly done by bots. botnets are a different purpose. mr. mandia: i think you can get perceptions to go different ways based on google searches and automate ways to uplevel people's attention to things with all the social media. the good news is during the election a lot of states had the foresight, let's do shields up, watch all the cybertraffic we can, and we didn't see any evidence, at least in the ddos site or distributed denial of sites, we didn't see anything that harmed the actual election. sen. warner: but the question of targeting -- here's the last
question, and it just -- i've heard and it's been reported that part of the misinformation, disinformation campaign that was launched was launched in three key states, wisconsin, michigan, and pennsylvania, and it was launched interestingly enough ot -- not to reinforce trump voters to go out but actually targeted at potential clinton voters, with misinformation in the last week where they were not suddenly reading, if they got their news from facebook and twitter, but stories about clinton being sick and other things. my final point here, this may be beyond anybody's expertise, my understanding is the russians, they're very good at some of this technology, they might not have been so good at being able to target to a precinct level american political turnout. that would mean they might be
actually receiving some, you know, information or alliance from some american political expertise to be able to figure out where to focus these efforts. dr. rid: i haven't seen a detailed analysis of precinct level targeting that would be good enough to substantiate this assumption but this relates to a more fundamental problem. one -- separate, an entire group of actors in some -- and some completely legitimate within the campaign were taking advantage of social media. it's difficult to distinguish for researchers after the fact what actually is a fake account and what is a real account. ultimately we need the cooperation of some of the media, social media companies to give us heuristics and visibility into the data that only they have.
general alexander: i would take it a step higher, senator. i think what they were trying to do is drive a wedge within the democratic party between the clinton group and the sanders group and then within our nation between republicans and democrats. and i think what that does is it drives us further apart. it's in their best interest. we see that elsewhere. i'm not sure i can zone it down to a specific precinct but we expect them to create divisions within a framework and destroy our unity. you can see we're actually if you look back over the last year, we didn't need a lot of help in some of those areas. so now the question is, and where i think you have the opportunity, is how do we build that back? sen. burr: i want to clarify what i said about sen. warner's business, my reference -- about senator warner's business, my reference
meant it was about 14 years ago, 15 years ago. someone said, in the future people won't file technological patents because technology will change so quickly that you won't have a year and a half to go through the patent approval process before your patent is obsolete. i think we have reached that point of technological explosion that what we're talking about today, we could have a hearing six months from now and probably talk about something different. sen. warner: the cell phones i was involved with in the early 1980's have now become ubiquitous. sen. burr: senator rubio? sen. rubio: one of the people who appeared before us earlier mentioned the 2016 presidential primary, i'm not prepared to comment on that, hopefully
information on that will be reflected in our report, if any. i do think it's important to divulge to the committee because this has taken a partisan tone, not in the committee. but in july of 2016, shortly after i announced i would seek re-election to the united states senate, former members of think presidential campaign team who had access to the internal information of my presidential campaign were targeted by i.p. addresses with an unknown location within russia. that effort was unsuccessful. i'd also inform the committee that within the last 24 hours, at 10:45 a.m. yesterday, a second attempt was made again against former members of my presidential campaign team who had access to our internal information, again targeted from an i.p. address from an unknown location in russia. and that effort was also unsuccessful. my question to all the panelists, i have heard a lot on the
radio and on television and advertisement for a firm in the united states actively marketed in best buy and other places, kaspersky labs. there have been open source reports that say that it has a long history connecting them to the k.g.b.'s successor. i have a bloomberg article here and others. i would ask the panelists in your capacity as experts in information technology, would any of you ever put kaspersky labs on any device you use and do you think any of us here in this room should ever put kaspersky labs products on any of our devices or computers or i.t. material? mr. mandia: the way i'd address that is generally people's products are better based on where they're most located and what attacks they defend
against. mcafee and my company or other companies, we are prominently used in the u.s. we get to see the best attacks from china, cyberespionage campaigns in russia. i think what we're starting to see, there's an alignment where japan won't let a u.s. -- will let a u.s. company secure japan. the middle east will let a u.s. company defend it but you almost see lines being drawn. there's no doubt the efficacy of kaspersky's product that i probably see different things than we see being this relevant. sen. rubio: my question isn't whether it's effective, but whether you'd put it in on your computer. mr. mandia: plst better software to -- there's better software for you here. general alexander: i wouldn't, you shouldn't either, there are
other u.s. firms that answer and solve problems that will face you for the issues you described earlier, that i think would be better at blocking them. dr. rid: i would, i would also use a competing program at the same time. a bit of redundancy never harms. kaspersky is not an arm of the russian government. kaspersky has published information about russian cyberattack campaigns, digital espionage, about several different russian campaigns. name any american company that publishes information about american digital espionage? sen. rubio: my second question to the panel is, my concern in our debate here is we're so focused on the hacking and the emails that we've lost, and i think others have used the
terminology, we're focused on the trees and lost sight of the forest. this -- the hacking is a tactic to gather information for the broader goal of introducing information into the political environment, into the public discourse, to achieve an aim and a goal. and it is the combination of information leaked to the media which of course is always very interested in salacious things, as is their right in a free society. the public wants to read about that too sometimes. but it's also part of the effort of misinformation, fake news and the like. would you not advise the panel to look beyond the emails to the broader effort of which the emails and the strategic placement of information into the press is one aspect of a much broader campaign? >> that was part of my point about bringing this up to a broader level. general alexander: to say what's
russia trying to accomplish and driving a wedge between those and creating tensions between those countries and ours. if you were to go back and look at what's happened to russia over the last 30 years and play that forward and see what they're now doing, you can see a logic to their strategy. i think that's something that we now need to address. i do think we ought to address this with the russians and get the administration to do that. it's not something that we want to go to war on. it's something that we want to address by engagement and confrontation. dr. rid: how active measures today differ from the cold war, this is an answer to your question. in cold war, active measures were artisanal. -- artisanal. required a lot of work. they add value to these active
measures and this is important because if we look at the operations in hindsight they appear a lot more sophisticated than they actually were. we run the risk of overestimating russian capabilities here. sen. burr: sen. feinstein. sen. feinstein: i want you to know how much your china report was appreciated. i think everybody very much appreciated it. i think it had some good results. so thank you very much. general alexander, this is the first time i've seen you out of uniform. civilian clothing is becoming. and i'd like to personally welcome you, i don't know, our -- i don't know our third gentleman but -- i want to address this to general alexander. you were cyber command for a number of years. you spoke about the fact that
the time has come for us to get tough. and we had talked about that before. we have wikileaks and stream after stream after stream of release of classified information. which has done substantial harm to this nation. and yet we do nothing. and everybody says, well, we'd like to do something but we don't quite know what it is. i never thought we would be in a situation where a country like russia would use this kind of active measure in a presidential campaign the side of this, the enormity of it, is just eclipsing everything else in my mind. and yet there is no response. as you have left now and you've put the cyber command on your desk, what would you do? what would you recommend to this
government? general alexander: i think there are two broad on thives we ought to do. we ought to fix the defense. between the public and private sector. between government and industry. sen. feinstein: you said that. general alexander: we have to fix that because much of what we're seeing is impacting the commercial or private sector. yet the government can't really see that. so the government is not going to be able to help out and the ability to take action is to actively mitigate it, therefore -- the ability to take actions to mitigate it are therefore nonexistent or after the fact. if you think about sony as an example, imagine that as the attack coming in, the government couldn't see that network's feed and so the government came in and did incident response. everything happened to sony. what you want the government to do is stop a nation state like north korea or russia from attacking us. but the government can't do that
if it can't see it. we have to put this together. we have to come up with a way of share, threaten network intelligence at speed and practice what our government and industry do together and work that with our allies. i believe we can do this and protect civil liberties and privacy. i think we often combine those two but we can separate and show you can do both. sen. feinstein: how? general alexander: first, the information we're talking about doesn't involve personally identify -- identifying information. think about it like radars looking at airplanes. they're not reading eastbound in the airplane. they're seeing an airplane and passing it on to another controller who sees a comprehensive picture. what we see is what a radar sees today. and so we don't actually -- we're not talking about reading threat information. we want to know what's that packet of information doing? why is it coming here?
can i or should i share the fact that a threat is coming to us. sen. feinstein: i understand what you're saying but what i'm asking you for is different. it is your expertise based on this, based on the fact that the russian government, including two intelligence services, made a major cyberattack on a presidential election in this country. with a view of influencing the tce. would you recommend? general alexander: the first step is picture defense. if you take offense and don't have a defense then the second step of going after the power or other sectors puts us at greater risk. so from a national security council perspective, what i would expect any administration to do is look at the consequences of the action this is they take. so when i said engage and confront, in this regard what i would do, what i would recommend is first and foremost a quiet
engagement with the russian government about what we know and why we know it, without giving away our secrets. and say that's got to stop. we need an engagement here. if we're going to confront them, it would be we know you're doing this right now. stop that. and we had a channel in the cold war for doing it. we need a channel to do that and build up the ability to put a stop to things, from my perspective. i would be against using cyber only as a tool against russia when we have these vulnerabilities we haven't addressed in our own country. i think it would be a mistake until we fix that. so that's why i say we have to do both. and i actually -- it's interesting. we were talking beforehand and thomas can add to this. one of the things that as you look at this, i don't believe russia understood the impact their decisions would have in this area. it's far -- with all the discussions going on in our
country today, i'm sure people in russia are saying, oops, we overdid this. now is the time for us to say, not only did you overdo it, we need to set a framework for how we're going to work in the future and we need to set that now. that can only be done by engaging them. face-to-face. and i think that's what has to be done. sen. feinstein: thank you, very helpful. sen. burr: senator blunt. sen. blunt: let's start with general alexander, i asked a question this morning which was after all the discussion of the long history of russian involvement in european elections of things that have happened for a long time andly the last 15 years, why do you think that we were not better prepared for this? general alexander, you just said we need to have a defense. why wouldn't we have had a defense?
what was this about this particular thing that should have been so anticipated that the intelligence community, the u.s. government, even the media appears not to have had the defense you just mentioned we should have now? general alexander: senator, this has been a great discussion that you and the other house of congress have talked about and that's how do we put together our country's cyber legislation. right now, we do not have a way for industry and government to work together. so if you think about the d.n.c. or the r.n.c. or the electricity sector and others. when they're being attacked, the ability for the government to see and do something on that doesn't exist. everybody recognizes that we need to do it. we talk about it. in fact, we had the -- at the armed services committee a discussion on it. but we haven't taken the steps to bind that together. we allow it but haven't created it. i believe that's the most important thing that we can do
on that one vector that senator feinstein brought up. fix the defense. the reason is the government's not tracking the r.n.c. and the d.n.c. now, industry sees it and kevin brought out some key points of what was going on, what they were seeing from an industry perspective. but the reality is, we hadn't brought these two great capabilities together. and the other part, it's my personal experience the government can help an attribution several times greater than what we see in industry. if you put those two together we could act a lot better. sen. blunt: so mr. rid, was there nothing we could have done here? were we not paying the level of attention we should have paid? or we just aren't ready because our structure doesn't allow us to anticipate what we know was happening in elections all over the world before 2015 and 2016 here? particularly in europe. maybe all over the world might
be a stretch, but all over europe, not a stretch. dr. rid: there's a lot we can do in order to increase defenses here as well as minimize measures taking place. let me name an example. let's make this concrete. you as members of the legislature are, and the same is true in europe, the belly of the government of the wider administration and government. because the -- this is true for all parliaments. the i.t. security is notoriously bad. i mean the chip card that many of your staff members carry cox card,ir neck, the here in congress, doesn't actually have a proper chip. it has a picture of a chip. try to feel the chip with your fingernail, it's not a real
chip. it's only to prevent chip envy. that tells you there's a serious i.t. security problem. it should be mandatory and potentially this is something to think about as we move forward. it should be mandatory for all campaigns, just like you have to disclose financial records, should be mandatory by default to have two factor authentication. not just a password but actually a second thing. a number that is generated by an app or a specific -- sen. blunt: we had somebody to say it should be mandatory to have a state department say what's true and what wasn't true. there's certain levels beyond what you can require people to do that really don't make that kind of sense. mr. mandia, and i don't mean -- your comment didn't but there are levels now. i also say that soft underbelly is one of the nicer things the legislative branch would be
called these days. but your thoughts on what we -- why we didn't see this coming? the earlier panel had a more robust sense of where we should have been understanding what was going on than this one. mr. mandia: when we say fix the problem, we've known about cancer for 4,000 years and haven't cured it yet. when we fix the problem here, we'll still have incidents. people get serious about cybersecurity when they have two things, either a, a compliance driver and take it seriously or b they have the oh, crap, moment, and they've been breached. we published reports in -- my company did in 2014 that had a lot of allusions to what just happened. but sometimes you have to have it happen before you recognize, wow, that was really on the table. i doubt it will happen again. but now we're having the dialogue to make sure that it
doesn't. sen. blunt: thank you, chairman. >> i think you've been a good panel. i want to talk about one of our most significant vulnerabilities as it relates to cybersecurity. i have been working with congressman ted lieu of california, a real expert in this field and one of the things that i'm particularly troubled by is our vulnerabilities in what's called sf-7. signaling -- ss-7. signaling system seven. this allows networks to be able to talk to one another. sen. wyden: we seem to have things that would allow those who are hostile to our country to hack, tap, or track an american's mobile phone. and the hackers could be just
about anybody but certainly a foreign government and the victim could be just about any american. i think dr. rid, i'd welcome anyone who would like to talk about it, but i think, dr. rid, you've done serious analysis of these vulnerabilities in ss-7 and i would be interested in hearing, a, how serious you think this is, and b, what do you think our government ought to do about it, particularly in connection to the topic at hand, which is dealing with these russian hacks? dr. rid: thank you for this very specific question although i have to say i'm not an ss-7 expert and don't want to pretend to be one here. but the technology you're referring to is a weak point and can be exploited, ultimately because it is a trust-based system, a trust-based protocol. if you have a landscape with a lot of mobile phone providers, it's relatively easy to
undermine, one entity undermined, can exploit the trust here. there are ways to remedy the problem but i will just add, one observation that if, and i think many people in congress would be doing this, if you use an encrypted app for your communications you will most likely defeat some of that vulnerabilities there. sen. wyden: i hope that's the case, we have been concerned that may not be enough. largely what has happened thus far is there have been self-regulatory approaches and that and other approaches weren't pursued. we're going to continue this discussion in depth. as i understood it you had talked to some of our folks. you may not think yourself -- consider yourself an expert but our folks thought you were knowledgeable. dr. rid: if i may respond? we're looking at market failures here.
two-factor authentication, we're looking at a market failure there. it's still an opt-in. if you have an opt-in situation, most people will not opt-in and hence remain vulnerable. there are other -- the market, when we this is the most ethical. the market favors disinformation today and i have to go into specifics and how we can remedy this if you like. senator wyden: well, the congressman and i feel like we need to get the f.c.c., the federal communications commission, off the dime too because it's clear that they have been slow-walking the various kinds of approaches to provide an added measure of security. let me ask this question and any of you three can get into this. the intelligence community assessment said russian intelligence accessed elements of multiple state or local electoral boards. i asked the f.b.i. director then what exactly had been
compromised and what was the nature and the extent of the compromise. director comey responded that the russians had attacked state voter registration databases and taken data from those databases. can you all add anything else to that, any of you three are welcomed to do it, because it sounds to me like pretty alarming stuff? the f.b.i. director in january -- and i wish i had more time to get into it with him, essentially said this is the problem and i would be curious whether you knew anything more about this topic. we can just go right down. dr. mandia: you brought up the polling data. the data -- registration data is something that's at risk and something the states are looking at so i do think that's important. senator wyden: great.
thank you, mr. chairman. senator burr: senator cornyn. senator cornyn: thank you for coming here testifying. i think people know more what we are talking about than they actually do so i'd like to get basic maybe for my benefit and maybe some other things will learn as well but i think we referred to something that's called spearphishing and so i'd like to have one of you explain what that is. let me just tell you, by the way, occasionally my junk email box on my personal email, i'll get emails that purport to be from the f.b.i. director or the army chief of staff, mt now the army chief of staff, or maybe from apple telling me i need to reset my password or from google saying i need to execute some sort of maneuver. and then there's a link for me
to click on. is that what is commonly known as spearphishing and once you click on that link then they basically can take over your machine? >> yeah, you basically got that right. we did nearly 1,000 investigations into computer intrusions and we have a skewed viewpoint because no one hires us to respond to intrusion when they are five minutes behind the hack. mr. mandia: 91% of those breaches victim zero was in fact spearphishing meaning that's how the russian groups, the chinese espionage campaigns and threat actors are breaking in. it's in fact a link -- it's a link or an attached document that comes to you. it looks like it's coming from someone that knows you and has something relevant attached or the link is something you consider relevant to what you do for a living and that's what we were talking about earlier, that's how we kind of know what the russians were targeting is they're doing very specific spearphishes to very specific
people but that's a number one way. human trust is being exploited and that's how folks are breaking in. senator cornyn: would you be surprised if a senator is -- general alexander: i was going to add what kevin said. they'll do research on you, know who your friends are. you know mark milley from texas, key things about you. perhaps you golf and you have a friend that golfs and they'll send something, how about this golfing thing, click here and do this and that's how they do. spearphishing is done on an individual and do more things to go after you as a person. senator cornyn: dr. rid, you talked about poor i.t. and hygiene in the government space. think some of this can be as simple as updating your anti-virus software, scanning
your machine periodically and the like. let me mention the specific act of o.p.m., office of personnel management. 21 million americans had their personal information stolen in government custody. so even though they may have considered it private information they were forced to give it to the government for security clearance or some other purpose. and now some foreign state actor through a cyberhack has access to 21 million private records, including more than five million sets of fingerprints. is that the kind of information that cyberactors, either criminals or espionage agents, foreign governments would use to further collect espionage or put it in a machine or business and shake them down for money? dr. rid: yes, absolutely. the more information -- the
more confidential information you have the easier it is to have a spearphishing targeted email, forged email, so to speak. in my written testimony i included a number of samples, a number of exhibits, including john podesta. senator cornyn: thank you for doing that. we don't have control over everybody's private computer or what kind of software they use but we do have something to say, i think, about what the united states government does and i think one of the things we need to be attentive to is to make sure the united states government networks are adequately protected. i know general alexander, you had something to do about that at the n.s.a. but you didn't have the ability to protect all of this other information. let me just ask, i just have a couple of seconds, and since you're here, general alexander, we have to take up the re-authorization of the foreign
intelligence surveillance act, particularly section 702. and i just would like to ask you since we have you here, a little bit about its importance to detecting and encountering foreign cyberactivity and if you could also include in your answer the privacy protections that are very, very important part of that and oversight that you got to see firsthand in your capacity as head of n.s.a. and cybercommand. general alexander: i think that's the most important program out there, especially in counterterrorism. and i can give you a real quick example. one in denver was detected by that specific authorization. n.s.a. saw that, provided it to the f.b.i. and naja was the individual in 2009 who was driving across the country to new york city when they arrested the individual in new york city based off of the other program. and they found several backpacks and various states of
readiness -- in various states of readiness to attack the new york city subway done by that program. i think that's the most effective counterterrorism program we have and i think it will be also effective in some areas for cybersecurity although i don't have any examples off the top of my head here. senator cornyn: and could you talk about minimization and other privacy protections, because i think that's important to the american people to know we're very vigilant and diligent in that area as well? general alexander: we did a series of presidential review group on n.s.a. after the snowden leaks about these programs. and at the time one of the board members of the aclu, geoffrey stone, was on that panel. i was kind of skeptical about this individual being on there, and i'm sure he looked at me somewhat askance. after five weeks of sitting down with our people and going through every one of those he came up to me and said your people had the greatest integrity of any agencies i've
ever seen. i said, don't tell me, tell the american people, tell congress, tell the people of n.s.a. and tell the white house and he did. and so there are some key statements by geoffrey stone that shows that we can protect civil liberties and privacy and i think it's important to see some of his statements there because what it did, he also asked me to write an op-ed. so imagine an army officer and a board member of the aclu writing an op-ed on re-authorizing the metadata program with some changes and we did. and the reason -- i asked him, why are you doing that? and he said the reason i'm doing this is if we don't have programs like this and we're attacked, we won't have civil liberties and privacy. and the mechanisms and the capabilities you have here to protect it are overseen by congress, overseen by the courts and overseen by the administration. everything has 100% review on it, and i think that's the best way to do it.
and, you know, he is right. if we do get another attack, they are going to ask congress, they are going to ask the administration why we didn't stop those. i think this is exactly why we have to move down. i do think we have to be more transparent. i think as we bring cybersecurity in here, having a discussion like this, open hearing about how we can protect these is absolutely critical for our country. and i have some statements but i think your folks can pull those off the web from geoffrey stone with a g. >> let me start by saying that i guess i can take some comfort now knowing senator rubio and senator cornyn and quite a few of us had these sort of sophisticated targeting examples where you end up having to make sure that everything's in place, that your devices were not
penetrated. senator heinrich: i had family members had these sophisticated spearphishing and other kinds of approaches. sometimes you know where the i.p. address is coming from because your provider tells you, oh, by the way, if you didn't try to reset your account from russia yesterday at 3:22 p.m., let us know. so, you know, in having been through that a few times, one of the things i certainly shared with my colleagues -- and you mentioned this, dr. rid, is the importance of two-step authentication and i don't think it can be oversold to the public. do you want to just a couple more words about that and why that's so important? dr. rid: had john podesta had two-factor authentication, the last month of the campaign -- the last month of the campaign would have looked very different. i think that says it all. senator heinrich: that says it
all. i could not agree more. if given what we saw in 2016 and how easy it is to sometimes drive these wedges within our own society, what should we be expecting in 2018 and how should we be preparing for that? and that's open for any of the three of you if you want to share your thoughts. >> it took about 18 years for me to figure out as i responded to breaches that reflected geopolitical conditions but they actually do. what i think we're going to serve in 2017, 2018, the exploits will -- mr. mandia: we've seen russia use and the chinese government use. i think it's what's fair game to espionage and i think governments will define what industries are fair game, what activities are fair game and what aren't because every
nation can get sucker punched in cyberspace. senator heinrich: and how do you send the signals what is over the line and the consequences of what crossing that line is? mr. mandia: we have to have doctrine. we have to let people think what are the right activities and wrong activities. the private sector will participate. we will get alignment with some nations and misalignment and we'll add to that. general alexander: can i add to that? i think what you can do and encourage is with the states setting up an exercise program between the state governments and the federal government about how you're actually going to improve the security of that and what they need to do, set the standards. so i'd go beyond the national institute of standards and technology, how do we know we're protecting voter registration databases and what are the standards that we're holding them to and who is watching that and setting the controls in place? i think the states would greatly appreciate, so what are you going to do while we're
being pummeled by a persistent threat? now the government, the federal government needs to step in. and that's part of senator feinstein's question. so how do you -- well, we haven't practiced that. we should practice that. dr. rid: with a very concrete suggestion i think would actually make a difference. how many of the social media interactions, specially twitter interactions, during the campaign of the most important twitter accounts were created by bots, were created by automated scripts and not humans? the answer to that question, we don't know the answer to that question, because twitter and other social media networks have not provided the data. you could write a letter to these companies and ask them to provide the data. how much of a problem is bots and -- senator heinrich: that's very much in line to the next question which i was going to direct to you. in addition to looking at the
data, are there things that we should be doing, working in concert with those social media companies to dampen the effectiveness of this feedback loop in the media cycle that's being exploited? dr. rid: absolutely. so you could, for instance, ask social media companies to provide detailed data, including a methodology how they arrived at those data. it's very difficult for us to get to the answer to these questions. how much of a problem are bots? and i think it's a very significant problem. when you sign up for a new twitter account today, you can say, you know the new accounts all have an egg, you can say, i don't want any eggs, people won't change their account picture. no egg is a good thing. you can say -- bots are more of a problem than eggs, i believe. we should be in position by default move into an environment where we switch out abuse and bots out of our
vision, if you like. senator heinrich: very helpful. thank you all very much. senator collins: thank you, mr. chairman. general alexander, first of all, it's nice to see you once again. section 501 of the fiscal year 2017 intelligence authorization bills which regrettably has not yet become law, requires the president to establish an interagency committee to counter active measures by russia, including efforts to influence people in government through covert and overt broadcasting. the purpose of this committee would be to expose falsehoods, agents of influence, corruption, human rights abuses carried out by the russian federation or its proxy.
like the u.s. information agency, there once was an active measures working group that worked to counter covert disinformation from the soviet union, and that was disbanded. is this a recommendation as we search for ways to counter the russian attempts to spread propaganda, outright lies, influence our people? is this the recommendation that you believe should be implemented? general alexander: i do. i think i would look at giving the administration a sweep of capabilities from diplomatic through cyber what you said through active measures, what we can do to expose that. i think we need to give them the freedom to determine what's shared and what's not shared in terms of protecting the nation in that regard. sharing it all with congress,
of course, but how you publicize that if you know something is going on and you got two other means. i think those things you would want the administration at least be reasonable about. i do think those are the things that should be put on the table. you know, i would have to go back and look at all the tools that you're give them and say, does that meet the objectives of engaging russia and confronting them when they cross the line on something? and i think in this case, this is something that would give them a tool if they crossed that line to say, stop, here's what we know, and here's the consequences. senator collins: because one of the aspects of this investigation that i found troubling that we already learned is how weak our response is when we have a disinformation campaign and it seems to me that this working group could be useful. i realize it's a delicate issue
in some ways because you don't want to sweep up legitimate -- you don't want to be trying to set the rules for journalists, for example. but that brings me to another issue for professor rid and that is, in your testimony you talked about how russian disinformation specialized the act -- specialists -- sorry -- perfected the act of exploiting the unwitting agent. and i assume by that you mean that individuals or entities who don't know or realize that they are being used by the russians but nevertheless are. and in your testimony you use examples of twitter and journalists who cover political leaks without describing the
origins of those leaks as examples of unwitting agents that were involved in the russian influence campaign in 2016. you also list wikileaks. i would put wikileaks in a different category, personally. but what can we do about the unwitting agent? and i mean the truly unwitting agent. dr. rid: yes, i agree in the case of wikileaks it's unclear if they are unwitting indeed or just witting, so to speak. senator collins: right. dr. rid: i think our western mind is trained in contradictions. it's either this or there. but here i think we are looking at a situation and this has been a pattern throughout the cold war where active agents, this could be journalists and politicians even, members of parliament in the past that has been the case, just because
they are genuinely so passionate and engaged and activist in their outlook further the russian cause. i think we have to recognize this will continue to be a problem. we cannot simply get rid of that problem. it is something -- so, for instance, we have documents from the cold war time where disinformation active measures operated say they actually want conflict between the unwitting agent and the actual adversary. say, wikileaks and the u.s. government. conflict is good so that's how far you can take. if the goal is driving wedges, then the unwitting agent is the trump card in your sleeve. senator collins: thank you, mr. chairman. senator kaine: following up on that, it seems the unwitting agent is a key part of this entire process, particularly where you're talking about disinformation and i think you make the point in your prepared
statement that anonymity, anonymous leaks, there should be more on where that comes from, is that correct? dr. rid: yes, absolutely. so the anonymity, wikileaks was purposely built to hide the source. that was the goal of the platform. and i do take it seriously when initially at least historically it was just an activist. he was -- >> he was a clearing-house but now he's a selective leaker. dr. rid: that seems to be the case, yeah. >> senator alexander, we have been talking about this for at least four years -- one of the problems and you talked about this with senator collins, this country has no strategy or doctrine around cyberattacks. senator king: isn't that correct and isn't that part of the problem? we need to have a doctrine and
our adversaries need to know what it is. general alexander: we would add rules of engagement. the consequence is, if there were a massive attack, we'd have to go back and get authority to act where if it were missiles coming in, we already have rules of engagement. i think we need to step that up as well. senator king: and ironically it's transparency because if we have a capability that acts as a deterrent and if our adversaries don't know it is not a deterrent? general alexander: that's correct. if i could add something because thomas brought up another issue and i think it would be good, also, for the american people to know the vulnerabilities our government has pushed out to industry that's been identified by government because often that's opaque. so what you wouldn't see is how much of that is actually being pushed to industry and how
that's cleared. but you could get a collective summary from the departments and agents that have pushed those out and see what's being shared. i think that's a good thing and it's a good way to start that dialogue. senator king: that's a positive development but i still believe we need to develop a deterrence 2.0 to deal with the nature of the threat. it doesn't have to be cyber for cyber. it can be sanctions. but there needs to be a certain response, a defined response and a timely response. otherwise it's not going to have the effect. general alexander: that's right. we have to get the rules and responsibilities of the different agencies. who's actually going to conduct that response? and i think that has to be set straight and cleared. we discussed that in the other hearing. that's something that also means if we had to react we wouldn't have the right people set up to react. senator king: mr. mandia, one of the things that's been touched on in the hearing is the state election systems and
we know that the russians were poking around, if you will, in our state election systems. i learned recently that more than 30 states now allow internet voting and five have gone completely paperless. doesn't this create a significant vulnerability? mr. mandia: it also creates an opportunity to do things even better. at the end of the day, when we look at -- i go right to estonia and what they do in their election process, i am not totally imminent with it but they have an identity management that's far better than our nation. when you have anonymity it's hard to secure the internet and obviously we will have attacks on these areas but what we are seeing is every election year -- and i responded to breaches every election year since 2004. both sides get targeted. things happened. we are still going up and to the right and i am confident in modernization and probably others could speak better to that, would reserve the tool of tweaking electoral votes or ballots to the last resort. and i've never seen evidence of
that and i think we will always have a natural risk profile to show great diligence in how we secure the election process and to go forward. senator king: my understanding of the intelligence is, it doesn't appear they changed votes or vote tallies in this election but they weren't going in those state election systems just for recreation. there was some purpose. mr. mandia: right. senator king: i think one question which i think any of you could answer but you can answer, 2016 wasn't a one-off. this is a continuing, ongoing and certainly future threat, is it not? mr. mandia: i think so. i think right now when you think of intelligence, it's been totally redefined by the internet. people are searching youtube every day to see what operations are going on by isis. the intelligence we have today has not existed in the past. we saw russia break rules of engagement they have traditionally followed in that they added collections with computer intrusions, stealing documents and leaking them.
yeah, i think this is a tool that everybody will use. senator king: dr. rid, do you want to respond? dr. rid: it will be studied in intelligence schools for decades to come. not just in russia, of course, but in other countries as well. senator king: not only will it be studied, it will be attempts made to replicate it? dr. rid: that we can only assume but it will certainly be studied. senator king: thank you. thank you, mr. chairman. burr burr -- senator lankford: you have gone through background and looked at the d.n.c. hack and the exfiltration of their data. i want to repeat what you said orally and in your statement and any details you can give us. you felt this was russian intelligence. you have answered that yes but much what you have put in your written statements seems to be a circumstantial look at it, that you are basically eliminating other things. let me ask you a question. is this a process of elimination much like a doctor
doing a diagnosis, saying it's not this, this, this and it must be this or do you think something that zeros in and says, no, this is really it and this is what links it? general alexander: i think it's different for attribution than it is in the government. we will not -- mr. mandia: we have to do it by process of elimination. we have to do it by deduction but at the same time frame we hope this level of he want tude needed will come from the intelligence communities. we have done this with china. china with just got lucky. their security broke down so we could get an exact building and people. russia's operational security on the internet is better than that. senator lankford: there has guccifer 2 that was linked? mr. mandia: here's what we do know. i would attribute the russian government to the breaches. we cannot all the dots from the breach.
at least with the observables available to our company and our investigators. we can't go from breach and leaked data to suddenly guccifer 2.0. senator lankford: do you think it's consistent? mr. mandia: yeah. it's a.p.t. 28 being stolen by anonymous poll and a bunch of other what we call fake personas or false personas. senator lankford: how confident are you there are no false flag operations involved in this? mr. mandia: we observed this since 2007. i'm confident that a.p.t. 28, the hacking group, is in fact sponsored by the government or the russian government. senator lankford: ok. fair enough. the ongoing dialogue we have here all the time. how do you find any difference what's thrown around commonly is we had a cyberattack or has been used in this conversation, they crossed the line? we continue to talk about cyberdoctrines, giving clear boundaries.
we don't have any of those things, and this has been an ongoing conversation who would set them, how they would be set but at some point we have to have a clear statement of what is crossing the line. so earlier you made a statement it would depend on the state. it would depend on the situation and such. can you give me an example -- obviously, this is an example, so other than this one but give me an example of what it means to have a cyberattack that we can communicate to the american people, this is not just a nuisance hacker stealing information, this is an attack from a foreign government on our sovereignty. mr. mandia: somebody made a comment, pornography, we know it when we see it. it's hard to delineate the cyberattack. i'll give you an example though. i received a phone call once from one of our intrusion responder, we think china hacked sony pictures. we did the work. we were shocked as anyone we even attributed via our means to most likely north korea. and then you start wondering
what levers do we have on north korea to change their behaviors? and that's why i think, a, attribution is critical. got to know who did it but i think the response will probably depend on the relations with those nations. senator lankford: talk about the difficulty identifying who did it and be able to hide it in different ways, is it more difficult or easier based on the tools we have or the tools they have to be able to hide their location? mr. mandia: it's the private sector, we respond to hundreds of intrusions a year but 2010, six years of doing this, we only had 40 buckets of evidence. every time we responded to a breach to figure out what happened and what to do about it, the trace evidence of what happened, claim in the 40 buckets. now we are in the thousands. the malware is changing. the infrastructure is changing. i would say actors are getting smarter about remaining anonymous in their attack. senator lankford: mr. rid, a
matter of an attack is not going into deleting files and chaos. it's manipulating an existing file where you lose trust for it or adding a file that was never there. and to suddenly there's something that appears your computer somebody added. so the threat of the attack out there, what could it look like? dr. rid: we have concrete examples. re recent one is a critic of president putin in london was hacked allegedly and i think the evidence is quite good. illegal child abuse imagery was uploaded to his computer as an active measure to undermine his -- to make him into a criminal in the u.k. senator lankford: so they added child pornography? dr. rid: they didn't download it in case of the d.n.c. hack but they uploaded something. senator lankford: thank you. senator burr: senator manchin. senator manchin: thank you for your testimony today and helping us as much as you can.
let me ask this question. can russia made a difference in the outcome if they wanted to? could they -- did they got to the level where they stopped and we fell in the trap? mr. mandia? mr. mandia: in regards to -- senator manchin: i understand they got more aggressive than they ever have been. could they have done more than they stopped and we fell in the trap? mr. mandia: i don't know if we fell in the trap. senator manchin: the trap is what we are doing right now. mr. mandia: i think 90% of the cybercapability, maybe 80% they reserved their upper echelon to -- senator manchin: could they changed the outcome of the election? do you think they're capable of doing that? mr. mandia: i'm an engineer. i think in ones and zeros. could they have altered the votes, i think we would have seen that. i think we will see the shot across the bow on so much of the most severe attacks.
things where we have lots of observation. see the shot across the bow. senator manchin: what about countries in the past, is it to the level they gotten to with the united states this past 2016 election? are they that involved in france, belgium, germany? dr. rid? dr. rid: depends on how far you want to go back in history. we know it affected the outcome in ne vote of no confidence bundestag which kept chancellor in power. senator manchin: what about in france? dr. rid: we don't have a single example in europe to my knowledge where hack and leak were combined in the way it happened in the united states. senator manchin: but their involvement in the election has shown they desired to get people that are more friendly towards the russians? dr. rid: i am not saying nothing is going on.
there are active measures but different kinds at this stage than what we saw in 2016 here. more old school. more forgeries like the case that senator rubio mentioned earlier. senator manchin: from the technology end of it, cyber end of it, do we have the ability to stop and you're saying what can we use and will it be cyber warfare back to them is something we can do to russia that would stop this behavior they would be concerned about how we could intervene or interfere with their system? mr. mandia: i think general alexander should comment on that. i think in the private sector, a hockey analogy. it's like going up against gretzky on the penalty shot when the russian organization -- government gets in your organization, they have a better chance of putting the puck in the net. general alexander: there are a couple things, senator, we need to do. we talked about fix the defense. i think what we're doing right now with this committee and
others, we have highlighted that we know they did this. they know that we know, and now the issue is they've been put on notice and now it's the path forward and we have an opportunity to engage and confront them on different issues. i think that in and of itself was something that perhaps they miscalculated. now what we need to do is fix the defense and see what other actions we should take to defend our infrastructure, including the electoral infrastructure. senator manchin: general, putin, the statement he put out today claiming no responsibility, no knowledge whatsoever, and we know and the whole world should know. we made it -- we made it official. how do you -- i mean, he seems to have a very high rating in russia so i don't think they're going to believe us. do we have the ability to show from a technical aspect what was done? general alexander: so i think one of the benefits of his
actual active campaign is it's had a great impact on his popularity in russia. he's taken us on in these areas. i think saying it wasn't us is something he would say ad infinitum. e saw -- oney light, russia was involved. senator manchin: do you know what the greatest retaliation for -- what would you recommend? how would we retaliate and make sure we harm them or hurt them to the point they won't continue this type of behavior? dr. rid: that's a tough question. senator manchin: militarily? dr. rid: i don't think militarily. i think it's entirely inappropriate. senator manchin: economically.
dr. rid: i believe it was the d.h.s. publication at the end of 2009, then obama government pointed out the -- the administration pointed out r.t. -- major outlet of russian at this stage r.t. has a license in the united states. general alexander: so i think we need to step back, senator, and say, what is our objective with russia? this was a single event. this is where the administration, secretary of state, secretary of defense and others should get together and we should give them the opportunity and time to do this. and say, what's our strategy going to be with russia? which includes what you're asking. because i don't think we want to do it tit for tat on these things. what we want to is, how do we get an engagement with russia that puts us and the world in a better place? and i think it's part engagement saying, here's what we want to do. we know this and we have to
figure out how to stop and here's what will happen if we don't and put those on the table. but i think that needs to be done more in private than in public if we're going to have a chance of success. you know, it's in our interest to address these problems. now, when you look what's going on in the middle east, what's going on in eastern europe and all the other problems we have, we got to solve some of these by allowing the administration to engage in that area. i would push it over to the administration. they have good people in this area. mr. mandia: a lot of comments here. i got a very simple -- there's money or the 82nd airborne. not time for that. i would caution the response if it's just in cyberspace. the asymmetry, if our tools win against them and their tools win against us, russia wins. based on our economy, relying on it, our communications relying on it, our free press, they can do an invasion on the
privacy of everybody in this room. we can't really reciprocate that. hack putin's emails and post it and get the same results. i would advise cyber on cyber, it feels like we are in a glass house throwing rocks at a mud hut. we will not pan out there. senator harris: mr. mandia, so one main reason that we're doing this public hearing is so the american public can actually understand what happened. and so if we could just take a step back, because this is a fairly complex issue and particularly when we talk about bots and some of these other things, some people want to know if it's a short form for a robot. i want to think -- americans may have field they have been played if they made their decision in this election based on fake news. how can they know that they are receiving fake news? how can they detect it so they
can ultimately make decisions like who will be their president based on accurate information? mr. mandia: that goes beyond my expertise as a cybersecurity individual. they have to vet it against multiple sources. but i simply don't have the right tools to be an expert on how do you determine fake from nonfake news. senator harris: do any of you feel experienced enough to answer that question? dr. rid: it's a simple answer. if it's in "the new york times" or "the washington post" it's not fake news. i mean, we have to believe in the center, so to speak. if we contrast the mainstream media any more we lost. general alexander: i think part of it we sensationalize inflamed and not informed. how do we get a more informed set of reports out to the american people on some of these issues? and that's something i don't have an answer to but that's part of the problem. and we've got to figure out how
to address that as we go into this next age of having all the information available at an instant. you saw the attack on the white house, the theoretical attack about a year ago. it turned out to be fake news. i think we got to take another few steps on that and that's where the news agencies, social media and governments have to work together to help get the facts out there. just the facts, ma'am. senator harris: tell me -- i'll start with mr. mandia, but whoever can answer this question if you feel you have an answer. how can we tell if bots manipulated a google search to elevate the placement of fake news in the 2016 elections, and what partnerships might we take with google or any other search engine to avoid that happening in the future? mr. mandia: i think that's a great question. i think google probably has the answer. here's the reality, even it's going to be difficult for them. there's a lot of ways. what you're describing is astroturfing. it's a way to manipulate public
opinion. it depends on the platform. it's a complex challenge for us to pierce anonymity behind. is that a bot or a human, because bots keeps getting smarter replicating that. general alexander: i think google has great folks in this area and i think that's something you get folks at google, facebook, twitter together, along with the other social media and ask that question -- how can we jointly solve some of these issues? i think it's a great question and one that they would take on. dr. rid: social media companies are the market basis on the active user base. now, if a certain amount of your active users are simply bots, that -- there's a commercial interest in not revealing the fact that, you know, a 10th, a third of your user base is actually machines. senator harris: thank you.
general alexander, as a former general, i asked the question of the earlier panel, the investment in our military and soldiers as part of our defense system and rightly but russia seems to be investing a great amount in its cybersecurity as a tool of warfare. what would you recommend we do in terms of the united states government to meet those challenges in terms of how we're investing in infrastructure to be able to combat both on the point of deterrence but also resilience after we do detect -- when and if we do detect we've been hacked, how we can step back up and pick back up as quickly as possible and what we need to do in terms of any sort of retaliation? general alexander: so i think there are several key points we have to do. one, we have to fix the relationship between industry and the government for sharing information so they can be protected. we have to set up the rules of engagement and the rules of each of the departments are going to do and they have to
understand and agree to those. we have to rehearse that between the government and between government and industry. senator harris: i only have a few seconds left. i'd like you to direct your response -- and i appreciate your points earlier on this point. we have a budget coming up. what would you advocate in terms of the budget that is going to be before us to vote on. it's called the skinny budget. there's a whole lot of discussion where the limited resources and dollars are going to go on this point. what would you advise us in terms of how we distribute those limited resources to meet these challenges, the challenges in terms of the russian government and the finding by the f.b.i. and n.s.a. and c.i.a. that they hacked our systems? general alexander: well, i think we definitely need to continue and increase the investment of what we have in our cyber capabilities. the forces and the infrastructure and the tools that we create. that's needed. i think we also have to look at -- and one of the members over here brought up government. our i.t. in government's broke. we need to fix it. we need to look at how we
secure it. o.p.m. was a great example that they used. i think that's something this administration is already looking at but we need to help them get there and figure out the best way to do that. and when you think about it, they don't have the i.t. resources or the cybersecurity professionals actually to defend them. the solution has got to look at what we do at the commercial sector and how we add that to government. i think those are the key things. senator harris: i appreciate that. thank you. senator burr: do any other members seek additional questions? >> i would just like to add one quick one. i think this line of questioning we heard about how we can interact. very briefly because the chairman hasn't asked his questions yet. i do wonder, we saw the example that somebody did hack into former prime minister medved's files, was showed luxury
properties around the world. that resulted in a series of protests across russia over unfortunately protesters were arrested. senator warner: but comment on that very briefly since the chairman hasn't had his questions. dr. rid: i am not sure i understand the question properly. are you implying that -- senator warner: the challenge -- and i agree with kevin that the notion that a simply tit for tat, real actions in cyber because we're so more technologically dependent but there are activities kind of around active measures where prime minister -- former president and now president medved in russia -- i may be mispronouncing his name. but suddenly his extensive
property holdings became public which caused a series of protests. dr. rid: now, we know from publicly available information that the president -- vladimir putin believes the panama papers leaked which broke on the third of april in 2016 so right in the middle of the ramped up targeting. targeting on their side ramped up before panama papers broke as a story but we have to assume they knew about panama papers, that it was coming. putin seems to believe panama papers was an american active measure against him. i mean, i don't think that was the case but that puts the entire investigation into a slightly different light and it's important to consider that. senator burr: thank you, vice chairman. listen, we really are grateful for the three of you for making yourself available. and keep your guy that the
committee has looked up to, not just because of the stars on your shoulder but it's the knowledge in your head and how you have had a way for years to convey to the committee in a way that we can understand what the threat was, what our capabilities needed to, the actions we needed to take, why we needed to take them and the objective of the effort. i think what concerns me is that this thing's speeding so fast. now it's like you pulled the string on the top when we were kids and over time it's the top slowed down and it looks like now the top starts spinning faster and faster and faster once you pulled the string. so i want you to understand that we're probably going to invite you back in an informal setting. probably not a public setting
where some of the things we got into today we couldn't dig much deeper. and thank you for showing the constraint of doing that. and for that reason i am not going to include you in my other two questions because it might put you on the spot. i'm going to turn first to dr. rid. we have any idea how russia transmitted emails to wikileaks, and if that's the process that everybody assumes happened, then how could wikileaks be, as you referred to, unwitting? dr. rid: guccifer 2, the front that was created, tweeted that they gave it to wikileaks. wikileaks tweeted they received from guccifer 2 before it was
attributed to russia. that's the only evidence we have publicly and i think it's quite strong. it was notable. is wikileaks an unwitting agent? in truth we can't answer the question because they haven't spoken on it. we can't assume they are an unwitting agent. it doesn't matter because they are very effective unwitting agent. senator burr: kevin, do the forensics that you are able to have done suggests that wikileaks continues to have information that they have not released? mr. mandia: what we have seen publicly released is % what we attribute to the russian government's dealings. senator burr: we're trying as a committee come up to speed on
not just terminology but what that terminology means. so i'd like to give you an opportunity to walk us through how you identify an actor like a.p.t. 28. mr. mandia: yeah. we started getting better software in place before-hand so it's you can see key stroke by key stroke what they're doing. most senators don't do command line execution but there are different commands you can type. there's different letters you type in different orders. you start getting to know the attackers when you get that command level access to them. and it's the malware they created, the i.p. addresses they used, the infrastructure they used, the people they actually target, the encryption algorithms, the password uses and the list goes on and on. we created a scheme in about 2006 on how you categorize the
intelligence or the evidence or the forensics from an intrusion investigation and we had over 650 different categories. i can't go into all of them today. but trust me, you observe a group for 10 years or more, after a while we got the bucket right. a.p.t. 28 to us is a bucket. every time we respond to them there's enough, you know, criteria to gather that a.p.t. 28 is a.p.t. 29 is a.p.t. 29. a.p.t. 1 was p.l. 698. we couldn't see g.r.u. or f.s.b. it isn't available to us in trace evidence. i will give you one last example because it's understandable. when you look at the malware that's been used in these attacks and their compile times, 98% or higher is compiled during business hours in moscow or st. petersburg. that's a pretty good clue. and whoever's doing it speaks russian. senator burr: if you'd rather
not answer this or don't know the answer, punt it and i'll forget it. had the d.n.c. decided to provide their system for f.b.i. to do forensics on, would we have gotten more information? mr. mandia: i don't know. i can't speak specifically to this one but over the first to six years we respond to breaches where the f.b.i. is there. and they are not the ones traditionally doing the forensics. they are relying on the private sector forensicators, that's a made up word. our clients are using to share that with the f.b.i. i think the group that responded to the d.n.c. is highly technical, highly capable, they got it right. senator burr: it was a diplomatic way of asking, do we have different capabilities than the private sector and you said -- mr. mandia: we have tremendous
help. maybe they're cleansing intel from another agency or not, but there's been numerous cases where we're showing up and we know maybe three things to look for. and the f.b.i. says, here's another 80. go look for those as well. so we are -- and i have been doing this 20 years. it's more likely than not when the intrusion is there that f.b.i. is there responding with us. senator burr: so i leave this hearing not having heard a word that i think we will heard going on and that's dox. it's the 21st century term for steal and leak. am i going to hear dox in the future? mr. mandia: it's an irritating word. that's the technique -- it looks like a state actor is using it. i can tell you the first time we saw north korea delete things in the united states, that felt like it crossed the red line. doxing is the thing that
crosses the line with the russian activities. dr. rid: one thing on what kevin just said about the f.b.i. there. usually in an investigation of the kind he was describing, you would make a so-called image of the computer. hard disk. and if the f.b.i. has these images, which i understand they may have, then you don't have to physically be there. it's as good as being there physically. but under doxing observation, yes, just to make another observation that may be personal for many of you here in this room. but the ethics rules in congress may actually and members of congress the senate more vulnerable because it forces you to use different devices. sometimes as many as three devices, i understand, to make different calls and different communications. so even if the main work device is actually secured properly,
then it would push you down into a more vulnerable area. that's a problem that possibly cannot be fixed. senator burr: one last general statement and i heed the advice you gave, general, you backed up thomas and i think, kevin, you supported as well. our response has to be well-thought through and it's not just what we do in reaction to. it's what we do as we set the course for some better defensive mechanism in the future. but you can't neglect the fact that russia over a period of time has done things outside of ukraine, invasion of moldova, presence in syria, presence in egypt. it continues on. that we might look at this today in the rear-view mirror
and say, boy, they miscalculated. the only way they miscalculated neglect of aken our reaction to what they did as an opportunity to push a little harder on the accelerator. so not being critical but we've done nothing to russia when they've made aggressive moves. and now all of a sudden this happened at home. it happened with elections. when you look at it from a standpoint of impact, i think the ukrainian people would tell me what happened to them is much worse. and if it happened in the united states, we would think that's much worse. but the fact is that this is going to require a global response because the globe is just as exposed as the united states. it was our election system in 2016. it is the french, the germans.
i won't get into the long list of them, but we're within 30 days -- we're within 30 days of what is a primary election in france. it could be the russians have now done enough to make sure that a candidate that went to russia recently and a socialist make the runoff and they end up with a pro-government -- a pro-russian government in france. they've won. that was their intent, i feel certain. we're not sure what the effects are going to be in germany, but we've actually seen them build a party in germany. not tear down but build up a party and exploit things when you look back on them, fake news. not that we didn't create but germany that thin never was news but they used
it, they exploited it and look at what it's turned into. we may have been the first victim but we may not be -- have been victimized as much as others are going to be in the short term and we certainly should heed the warning and not be an additional victim in 2018 or 2020. let me move to senator king real quick. tell me more about guccifer 2, is it a human being, is it an officer and is there any question that guccifer is an agent or somehow working for the russian government? dr. rid: we know from the evidence that's available, not all of it public but in private sector sources and academic sources, guccifer is not just one individual, because in private interactions with journalists, we can see
different types of human play that some use specifically at a specific time, lots of smileys and all communicating through the same channel. , the links guccifer -- ap 28 what evidence in the written testimony hacked 12 of the targets that were on leaks. they provided a password that was not publicly known, provided password to the smoking gun to the outlet. that is a strong forensic link there that the dots can be connected. senator king: is guccifer 2 an agent of russia? dr. rid: an organization, could be a subcontractor or a team --
senator king: affiliated with the russian government? dr. rid: yes. senator burr: i thank all the members and i thank our panel today. you have provided us some incredible insight and knowledge. we are grateful to you. this hearing's adjourned. [captions copyright national cable satellite corp. 2017] captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org