[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
    CYBER ATTACKS: AN UNPRECEDENTED THREAT TO U.S. NATIONAL SECURITY

=======================================================================

                                HEARING

                               BEFORE THE

         SUBCOMMITTEE ON EUROPE, EURASIA, AND EMERGING THREATS

                                 OF THE

                      COMMITTEE ON FOREIGN AFFAIRS
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 21, 2013

                               __________

                            Serial No. 113-8

                               __________

        Printed for the use of the Committee on Foreign Affairs


Available via the World Wide Web: http://www.foreignaffairs.house.gov/ 
                                  or 
                       http://www.gpo.gov/fdsys/




                  U.S. GOVERNMENT PRINTING OFFICE
80-123                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected].  

                                 ______

                      COMMITTEE ON FOREIGN AFFAIRS

                 EDWARD R. ROYCE, California, Chairman
CHRISTOPHER H. SMITH, New Jersey     ELIOT L. ENGEL, New York
ILEANA ROS-LEHTINEN, Florida         ENI F.H. FALEOMAVAEGA, American 
DANA ROHRABACHER, California             Samoa
STEVE CHABOT, Ohio                   BRAD SHERMAN, California
JOE WILSON, South Carolina           GREGORY W. MEEKS, New York
MICHAEL T. McCAUL, Texas             ALBIO SIRES, New Jersey
TED POE, Texas                       GERALD E. CONNOLLY, Virginia
MATT SALMON, Arizona                 THEODORE E. DEUTCH, Florida
TOM MARINO, Pennsylvania             BRIAN HIGGINS, New York
JEFF DUNCAN, South Carolina          KAREN BASS, California
ADAM KINZINGER, Illinois             WILLIAM KEATING, Massachusetts
MO BROOKS, Alabama                   DAVID CICILLINE, Rhode Island
TOM COTTON, Arkansas                 ALAN GRAYSON, Florida
PAUL COOK, California                JUAN VARGAS, California
GEORGE HOLDING, North Carolina       BRADLEY S. SCHNEIDER, Illinois
RANDY K. WEBER SR., Texas            JOSEPH P. KENNEDY III, 
SCOTT PERRY, Pennsylvania                Massachusetts
STEVE STOCKMAN, Texas                AMI BERA, California
RON DeSANTIS, Florida                ALAN S. LOWENTHAL, California
TREY RADEL, Florida                  GRACE MENG, New York
DOUG COLLINS, Georgia                LOIS FRANKEL, Florida
MARK MEADOWS, North Carolina         TULSI GABBARD, Hawaii
TED S. YOHO, Florida                 JOAQUIN CASTRO, Texas
LUKE MESSER, Indiana

     Amy Porter, Chief of Staff      Thomas Sheehy, Staff Director

               Jason Steinbaum, Democratic Staff Director
                                 ------                                

         Subcommittee on Europe, Eurasia, and Emerging Threats

                 DANA ROHRABACHER, California, Chairman
TED POE, Texas                       WILLIAM KEATING, Massachusetts
TOM MARINO, Pennsylvania             GREGORY W. MEEKS, New York
JEFF DUNCAN, South Carolina          ALBIO SIRES, New Jersey
PAUL COOK, California                BRIAN HIGGINS, New York
GEORGE HOLDING, North Carolina       ALAN S. LOWENTHAL, California
STEVE STOCKMAN, Texas


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               WITNESSES

Mr. Christopher Painter, Coordinator, Office of the Coordinator 
  for Cyber Issues, U.S. Department of State.....................     7
Mr. Richard Bejtlich, chief security officer and security 
  services architect, Mandiant Corporation.......................    26
Mr. Greg Autry, senior economist, Coalition for a Prosperous 
  America........................................................    36
Mr. Michael Mazza, research fellow, American Enterprise Institute    46
Martin C. Libicki, Ph.D., senior management scientist, RAND 
  Corporation....................................................    55

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

The Honorable Dana Rohrabacher, a Representative in Congress from 
  the State of California, and chairman, Subcommittee on Europe, 
  Eurasia, and Emerging Threats: Prepared statement..............     3
Mr. Christopher Painter: Prepared statement......................     9
Mr. Richard Bejtlich: Prepared statement.........................    29
Mr. Greg Autry: Prepared statement...............................    38
Mr. Michael Mazza: Prepared statement............................    48
Martin C. Libicki, Ph.D.: Prepared statement.....................    57

                                APPENDIX

Hearing notice...................................................    70
Hearing minutes..................................................    71


    CYBER ATTACKS: AN UNPRECEDENTED THREAT TO U.S. NATIONAL SECURITY

                              ----------                              


                        THURSDAY, MARCH 21, 2013

                       House of Representatives,

         Subcommittee on Europe, Eurasia, and Emerging Threats,

                     Committee on Foreign Affairs,

                            Washington, DC.

    The subcommittee met, pursuant to notice, at 9 o'clock 
a.m., in room 2172 Rayburn House Office Building, Hon. Dana 
Rohrabacher (chairman of the subcommittee) presiding.
    Mr. Rohrabacher. There it is. It is called to order and the 
mic is on. And let me just note that when you are speaking 
through a microphone, you are utilizing the energy that is 
produced some way by someone at some cost. So I call this 
meeting to order. And today's topic is Cyber Attacks: An 
Unprecedented Threat to National Security.
    After the ranking member and I each take 5 minutes to make 
opening remarks, each member present will have 1 minute to make 
their opening remarks, alternating between the majority and 
minority. And without objection, all members may have 5 days to 
submit statements, questions, and extraneous material for the 
record, and hearing no objections, so ordered.
    There have been several congressional hearings on cyber 
warfare, but most have concentrated on the technology involved 
and how we can devise defenses to block hackers from breaking 
into our Government and business computers. The greatest danger 
to our nation, the greatest dangers, however, are not really 
about technology. It is about international relations, foreign 
governments that employ cyber warriors to attack other 
countries, or which allow hackers to attack other countries in 
their behalf.
    And what is it we are we talking about? We are talking 
about something that should be considered as a hostile 
government action against another act. It is as if the 
government was supporting terrorism if they support the same 
type of aggression, cyber aggression. These acts, which put our 
country in severe jeopardy, must be met with the same national 
security and diplomatic measures that we use to meet other 
external threats.
    The type of targets hackers assault are often placed in two 
categories. Strategic targets are those which would be attacked 
by military means in a war. For example, transportation 
systems, power grids, defense industries, communications, and 
government centers. And China, Iran, North Korea, and Russia 
have all used cyber attacks aimed at strategic infrastructure 
targets. Targets that would be attacked in another way if there 
was a war.
    In January, Iran conducted probing attacks on U.S. banks. 
Such potential damaging and brazen attacks on the United States 
should provoke a much more aggressive and powerful response 
than we are currently exercising. We should deter, not just to 
try to block, but we should deter cyber attacks and perhaps 
counterattack. More insidious, however, is the ongoing attacks 
on our economy by the Chinese, among others. This second form 
of attack is in the form of commercial warfare. The scale upon 
which it is being conducted is beyond anything we have 
experienced and far exceeds traditional espionage.
    The Mandiant report which came out last month identified a 
unit of the Chinese People's Liberation Army that has been 
conducting commercial warfare since 2006. A military unit 
hacking business and industry targets, and then we have a 
situation where these targets play a central role in the 
economy of one nation and has a lot to do with the balance of 
power between the nations. So you have a Chinese People's 
Liberation Army involved in an attack that has a lot to do with 
the power between our countries, and is a cyber attack.
    The commander of U.S. Cyber Command, Keith Alexander, 
estimated last year that computer hacking from overseas costs 
the American economy $250 billion a year. He called it the 
greatest transfer of wealth in history. The Mandiant study 
found that the targets ``match industries that China has 
identified as strategic for their growth, including four of the 
seven strategic emerging industries that China has identified 
as part of its 12th 5-year plan.''
    The Chinese firms that compete in these industries are 
dominated by state-owned enterprise which ties Communist Party 
officials and their families to this crime against the United 
States and others throughout the world. It is a matrix that not 
only serves to grow the wealth and power of China but also the 
personal fortunes of its leaders. Yet, even this is only the 
tip of the iceberg. The transfer of wealth by the theft of 
technology and other information vital to the development of 
industry is then used to gain a competitive advantage in world 
trade, which brings even more wealth to China.
    Over the last 10 years, that is 2003 to 2012, the United 
States trade deficit in goods with China totaled over $2.4 
trillion. Entire industries have been moved across the Pacific 
to create what we see as the rise of China. Well, we cannot 
just rely on technology to defend against these type of 
attacks. We must use diplomacy to deter them by telling Beijing 
and others in clear terms that we will not allow their hacking 
to continue without retaliation. We should sanction states that 
support hacking just as we sanction states that support 
terrorism or engage in other hostile actions. This war will not 
just be waged in cyberspace, but across every front and using 
every lever of American power to defeat an aggressor and to 
take the profit out of attacking our businesses, our defenses, 
and yes, our country.
    [The prepared statement of Mr. Rohrabacher follows:]

    
    
    
    
                              ----------                              

    Mr. Rohrabacher. With that I would turn to Mr. Keating for 
his opening remarks.
    Mr. Keating. Well, thank you, Mr. Chairman, and thank you 
for holding today's hearing.
    During the highly publicized Benghazi hearing earlier this 
year, Secretary Clinton warned this committee that cyber 
threats would be at the top of our agenda in the coming months 
and she certainly was correct in that prediction. With the 
number of cyber threats escalating worldwide, the need for 
comprehensive security analysis, assessment, and actions has 
never been greater.
    Although cyber attacks and instances of cyber espionage are 
receiving a great degree of media attention and are undoubtedly 
increasing and really evolving at a highly rapid rate, cyber 
threats are not a new phenomenon. The GAO designated Federal 
information security as a high-risk area in 1997, and in 2003 
expanded this area to include protecting our nation's critical 
infrastructure.
    Ten years later, just this February, it was President Obama 
that signed an executive order to facilitate information 
sharing about emerging threats and solicit new, voluntary 
cybersecurity standards for the nation's power grid, financial 
sector, and other key institutions, yet the price of 
cybersecurity is certainly not cheap. Government agencies would 
need to boost cybersecurity spending more than seven times to 
block 95 percent of hacker attacks according to Bloomberg 
Government study.
    This translates into an annual average spending of $190.3 
million per agency, up from the current $26 million, according 
to the study, based on interviews with officials of 48 Federal, 
State, and municipal agencies. The current combined financial 
impact on public and private sector cyber attacks is unknown 
but estimates are in the billions.
    As we add up the dollars and weigh the risks, we must not 
forget that the greatest attack of all will be on the 
confidence of the American people if even one large-scale cyber 
attack scenario were to materialize. As a former district 
attorney, I believe that our country's efforts toward deterence 
and response to a known cyber attack do matter, even if we are 
not always sure who the aggressor is, their motive is, or where 
they might be. While the issuance of the executive order is a 
welcome development, it will take responsible, legislative 
action to fully address cyber threats and vulnerabilities to 
critical infrastructure, and time is of the essence.
    Further, the Internet is an open, international domain, and 
cyber crimes clearly go beyond traditional law enforcement 
models. For this reason, national policies are incomplete 
without firm international cybersecurity standards and norms 
between like-minded allies.
    The U.S. recently played an incredibly constructive role 
during the World Conference on International 
Telecommunications, and beat back proposals by Russia, China, 
Saudi Arabia, and others that sought to explicitly extend 
International Telecommunications Regulations jurisdiction over 
the Internet. Unfortunately, the U.S. also does not participate 
in many of the concrete initiatives put forth by the 
International Telecommunications Union, the ITU, and other 
international organizations. However, these efforts further the 
connectivity and the interoperability of the world's 
telecommunication networks which, in turn, enhance America's 
defense and intelligence communication capabilities.
    Also just this week, NATO Secretary General Rasmussen was 
in Estonia. As most of us here know, Estonia has experienced 
devastating cyber attacks directed from Russia at its 
Parliament, ministries, banking systems, newspapers, and 
broadcasters, in 2007. This week's NATO meeting alluded to 
these attacks. It highlighted the importance of moving on to an 
interoperability paradigm between like-minded allies. It is 
interesting with Estonia as well, I was informed this week that 
they are going to have the model that the EU is adopting. And 
even in Estonia it is interesting to note as well, they are 
teaching cybersecurity in the first grade.
    I am thankful for the participation of our witnesses here 
today, and look forward to hearing their thoughts on our 
current cyber state of affairs as well as ongoing cyber 
espionage efforts and attacks stemming from China, Russia, 
Iran, and others. And before I close, I would like to note that 
this hearing is taking place at a time when the effects of 
across-the-board spending cuts are just beginning to be 
realized. And I look forward to hearing from you, Mr. Painter, 
about how the sequester and the perpetual uncertainty around 
budgeting impacts might affect our nation's cybersecurity 
efforts. With that I go back to my chairman and yield back 
time, all 5 seconds.
    Mr. Rohrabacher. Thank you very much. You were noting what 
was going on in Estonia, and yesterday, several banks and 
broadcast outlets in South Korea were attacked, and apparently 
the assumption was that the cyber attacks were from North 
Korea. However, the news this morning is that South Korea is 
claiming that these attacks were located, the attacker was 
located in China. And the story is still developing, but it 
raises questions as to whether China and North Korea are 
cooperating in cyber warfare against people that they think are 
their enemies.
    But with that Mr. Duncan has an opening statement, I 
understand.
    Mr. Duncan of South Carolina. Thank you, Mr. Chairman. I 
think that the hearing today is very, very timely, especially 
in light of the director of National Intelligence on 12 March, 
James Clapper, said this, ``We judge that there is a remote 
chance of a major cyber attack against U.S. critical 
infrastructure systems during the next 2 years that will result 
in a long-term, wide-scale disruption of services such as 
regional power outage.''
    So I appreciate you having this hearing. As a member of the 
House Committee on Homeland Security, we are taking cyber 
threats very, very seriously. I know Chairman McCaul is very 
interested in the cyber threats of this country in his role as 
chairman of the House Homeland Security Committee. So I 
appreciate the committee hearing, and I look forward to the 
testimony of the witnesses. Thank you, I yield back.
    Mr. Rohrabacher. Thank you very much. And if the 
microphones go off and the lights go off, we will know someone 
is watching. We are under attack. All right, Mr. Stockman, I 
understand, has an opening statement as well.
    Mr. Stockman. Yes, I was just going to comment that this 
morning--you stole my thunder a little bit. I was going to 
discuss the South Koreans. In fact, the IP address was that of 
China, and now there is some discussion over that. But I think 
it is a critical time that you do this hearing and I appreciate 
it. But also I know our Chinese friends are probably watching. 
I don't think that we should engage in this warfare, but if it 
is started I am sure that the chairman would lead us through a 
victorious end, because this is really alarming to many of us 
in this country. Thank you.
    Mr. Rohrabacher. Thank you very much. Our first panel is a 
single witness. Christopher Painter is Coordinator for Cyber 
Issues at the U.S. Department of State. Mr. Painter has served 
in the White House as senior director for Cybersecurity Policy 
in National Security Staff, and this is on the National 
Security Council, is that correct? Okay. During his 2 years in 
the White House, Mr. Painter conducted the President's Cyber 
Policy Review, and subsequently served as acting cybersecurity 
coordinator.
    Mr. Painter began his Federal career as Assistant U.S. 
Attorney in Los Angeles where he led some of the most high 
profile and significant cyber crime prosecutions that took 
place in our country, then moved onto Computer Crime and 
Intellectual Property Section of the U.S. Department of Justice 
and served there for a short time as deputy assistant director 
of the FBI Cyber Division. He has worked with dozens of foreign 
governments on these issues, and he is a graduate of Stanford 
Law School and Cornell University.
    Mr. Painter, you may proceed.

 STATEMENT OF MR. CHRISTOPHER PAINTER, COORDINATOR, OFFICE OF 
   THE COORDINATOR FOR CYBER ISSUES, U.S. DEPARTMENT OF STATE

    Mr. Painter. Chairman Rohrabacher and Ranking Member 
Keating and members of the subcommittee, thank you for the 
opportunity to testify on the State Department's role in 
countering cyber threats. I commend the subcommittee for 
focusing on this foreign policy imperative, and for your 
support promoting diplomacy as a tool for improving our 
nation's cybersecurity, and by extension, our national security 
and economic interests.
    The State Department plays a leading role in diplomatic 
efforts to stabilize cyberspace and to advance the vision of an 
open, interoperable, secure and reliable Internet articulated 
in the President's 2011 International Strategy for Cyberspace. 
We currently face several kinds of threats in cyberspace. 
First, there are the operational threats, which you just 
described, to our cyber networks that can potentially harm both 
our security and our economic interests, like the recent 
Distributed Denial of Service attacks against our financial 
sector.
    The State Department has worked closely in that instance 
with our Department of Homeland Security and other agencies to 
help share technical data that can then help mitigate the 
threat, and the sharing has been with both our international 
partners in countries and with industry. This kind of 
information sharing not only helps counter the immediate 
threat, but promotes a practice of international cooperation 
that will help prevent future attacks. It creates a norm of 
cooperation, if you will.
    Another kind of threat that has been making the news lately 
is obviously the large-scale wholesale theft, cyber theft of 
intellectual property and trade secrets from the private 
sector. The State Department has consistently raised our 
concerns about these cyber intrusions with senior Chinese 
officials, and we will continue to do so. I welcome recent 
Chinese official statements that suggest a willingness to 
engage in a more sustained dialogue and discussion on this 
important issue.
    It is critical that we continue to emphasize cyber issues 
in all of our international engagements to promote global 
cooperation, to ensure that states take threats seriously, to 
build consensus on norms of responsible conduct in cyberspace 
that enhance international cybersecurity, and to address the 
kinds of malicious activity that have recently received such 
extensive media coverage. Cyber policy issues are on the agenda 
in every major international forum, and in those forums some 
states seem to view the dynamism and innovation of the Internet 
as a threat to the stability of their regimes. They reject the 
successful multi-stakeholder model of Internet governance that 
includes a role for states, for civil society, and for industry 
in favor of top-down intergovernmental control that enables 
both state control and regulation of content.
    The U.S. strongly promotes an alternative vision. We 
believe that a cyberspace that rewards innovation, empowers 
individuals, develops communities, safeguards human rights, and 
enhances personal privacy will build better governments and 
strengthen national and international security. We promote this 
vision by working not only with our closest partners and 
allies, but also with states that are emerging as global 
leaders in this area, and with developing nations looking for 
ways to play a role in the cyber world and even with states 
with whom we do not always see eye-to-eye. The U.S. engages on 
cyber issues with a multitude of states bilaterally, regional 
groups such as the European Union, and NATO.
    In the last year alone we, my office, has launched 
dedicated cyber, whole of government, meaning not just my 
office but all the different agencies in our Government and the 
counterpart governments, senior policy dialogues with India, 
Brazil, South Africa, South Korea, Japan, and Germany in order 
to share perspectives and build a consensus view of the future 
of cyberspace. We continue to seek deeper engagement with 
countries like Russia and China who clearly have a different 
world view and with whom we have challenges but we need to find 
ways to develop a stronger relationship.
    The State Department will continue to focus on both the 
kinds of operational threats that you have identified here 
today, and on the long-term policy efforts that will help 
mitigate them in the long run. In his confirmation hearing, 
Secretary Kerry, then Senator Kerry, cited the importance of 
``cyber diplomacy and cyber negotiations,'' stressing the need 
to affirm `` `rules of the road' that help us be able to cope 
with challenges in cyberspace.'' State is doing just that. We 
are working with other nations on efforts that will not only 
contribute to greater security and stability in cyberspace, but 
will protect freedom of expression, ensure opportunities to 
innovate, and promote economic growth around the world.
    Thank you, Mr. Chairman and Ranking Member Keating, and I 
look forward to your questions.
    [The prepared statement of Mr. Painter follows:]

    
    
    
    
    
    
    
    
    
    
    
    
                              ----------                              

    Mr. Rohrabacher. Well, thank you very much. We also have 
Congressman Lowenthal who has joined us. Thank you very much 
for joining us this morning. Let us just figure out how serious 
people are taking this. Have we gotten beyond the let-us-sit-
down-and-discuss-it phase with other countries, or do we have 
an action plan that if we discover cyber attacks going on that 
there will be some type of retaliation against the criminal 
element or the government itself that is engaged in this cyber 
crime?
    Mr. Painter. So we face a wide range of threats in 
cyberspace from nation states to transnationally organized 
criminal groups. And how we respond to those different threats 
depends on what the threat is. And one of the problems, of 
course, is that attribution is difficult in this area and you 
don't know, often, exactly which group is doing what activity. 
However, speaking first from the cyber crime side, we are 
promoting around the world what is called the Budapest 
Convention on Cyber Crime so that every country will have 
strong laws in this area. They will have the capability to 
actually prosecute those laws, there will be better 
international cooperation. We have something----
    Mr. Rohrabacher. How many people have been prosecuted in 
China for cyber crimes?
    Mr. Painter. I would have to get back to you about it, sir. 
I don't know.
    [The information referred to follows:]

  Written Response Received from Mr. Christopher Painter to Question 
       Asked During the Hearing by the Honorable Dana Rohrabacher

    The lack of reliable or transparent statistical information on 
prosecutions renders it impossible to say exactly how many persons in 
China have been prosecuted for activities that we would consider to be 
cybercrimes. When the U.S. discusses cybercrime, we speak in terms of 
specific conduct criminalized in U.S. criminal laws, such as Title 18 
U.S.C. Section 1030, the Computer Fraud and Abuse Act. China, however, 
takes a very different approach and speaks in terms of ``criminal and 
terrorist activities that use information and communications 
technologies,'' as reflected in the Code of Conduct for Information 
Security that they jointly authored with Russia. The Chinese government 
considers cybercrime to include online speech that it views as 
undermining ``political, economic and social stability,'' categories of 
expression that would in almost all instances be protected in the 
United States by our Constitution's First Amendment, and that is 
protected by the right to freedom of expression in international human 
rights instruments.
    Addressing challenges in cyberspace, including combating 
cybercrime, is a priority for the United States, and we engage 
routinely with other nations to enhance international cooperation in 
these areas. Of note, the U.S.-China Cybercrime Working Group, led by 
the Department of Justice, is working to improve cooperation with China 
on cybercrime cases.

    Mr. Rohrabacher. Can you tell me any country in the world 
where we have had the prosecutions and what they have composed 
of?
    Mr. Painter. We have had many prosecutions in the United 
States.
    Mr. Rohrabacher. No, no, not the United States, the other 
countries of the world.
    Mr. Painter. There have been prosecutions, and many of our 
close allies in Australia and England, in Germany and France, 
there have been prosecutions.
    Mr. Rohrabacher. And what happens to someone in Australia 
or----
    Mr. Painter. It depends on their particular legal system. 
Of course, in the United States we have pretty substantial 
penalties based on financial harm for cyber crime. Other 
countries have similar regimes. And what is important about 
this Budapest Convention, this convention that is really the 
only existing instrument and the best instrument for cyber 
crime, is that it creates certain kinds of offenses that didn't 
exist before.
    So you may remember years ago when there was the ``I love 
you'' virus, and they thought they found the perpetrator, and 
the country where they found him didn't have any law that 
criminalized that issue. So the Budapest Convention allows 
countries to modernize their laws so there won't be safe havens 
for this conduct and you can prosecute.
    Mr. Rohrabacher. What would you suggest that we do, for 
example, if we come to the conclusion that a cyber attack both 
in terms of a criminal cyber attack and also strategic cyber 
attacks are actually being blessed, if not perpetuated and 
actually involved in the government of that country?
    Mr. Painter. I think we have to look at all the tools that 
we have at our disposal as a national government. But from my 
perspective, obviously the tools that we employ are the 
diplomatic tools. And those tools, I think, are important to 
make clear to a government that conduct this is a concern.
    Mr. Rohrabacher. And what are those tools, I mean 
diplomatic tools?
    Mr. Painter. Those diplomatic tools, I think, are two-fold. 
One is engaging directly with that government and saying to 
them that this conduct is something that we find unacceptable.
    Mr. Rohrabacher. Well, I am sure that will upset them a 
lot.
    Mr. Painter. Well, but I think you have to look at their 
overall relationship. With a lot of these countries we have 
many different types of relationships--economic relationships, 
other relationships.
    Mr. Rohrabacher. Have we done any of that?
    Mr. Painter. Yes. In fact, just recently the President has 
made clear in his call with the new----
    Mr. Rohrabacher. No, what actual sanctions have we put on 
any country? For example, it is clear that China has been 
deeply involved in this. Everybody knows it, supposedly. What 
have we done to say, okay, here is your deadline and this is 
exactly what is going to happen. You are no longer going to be 
able to purchase certain things from the United States, or be 
able to export to the United States, or whatever retaliation we 
would have.
    Mr. Painter. Sir, I would speak from my perspective and 
what we are doing diplomatically. I would say one thing though. 
I think with any of these threats we would have to be careful 
of looking at this in terms of retaliation, if it is a 
retaliation in terms of in-kind retaliation. We want to make 
sure that we are addressing the problem and addressing it in 
the larger context of any country we are dealing with. But what 
I would say is if----
    Mr. Rohrabacher. We have to accuse the right people, right?
    Mr. Painter. Right. And I do think that if you look at the 
statements just in the last couple of weeks, and let me go back 
a ways. We have engaged the Chinese in a strategic security 
dialogue on sensitive issues. We have only had two meetings of 
that group, last year and the year before. We raised cyber at 
both of those meetings. Secretary Clinton, last year, said that 
the theft of intellectual property and trade secrets was one of 
the greatest concerns of the United States, and we have had 
very frank discussions. And I can't really get into our 
bilateral private discussions in this setting, but I would be 
happy to follow up later on.
    And then recently, of course, you have heard Tom Donilon, 
the National Security Advisor, talk about the great concern 
that this poses for us and say three things. One, we want China 
to understand the scope and seriousness of this problem of this 
activity emanating from China. Two, that we want to make sure 
that it stops. That they actually take some action to 
investigate and stop this activity. And three, that we need a 
sustained dialogue with the Chinese. And we have some dialogue, 
but we don't have a sustained dialogue. And the President said 
that----
    Mr. Rohrabacher. Well, I am sure threatening to have a 
sustained dialogue is really going to deter these fellows along 
with proclamations of great concern. All I know is that I just 
asked you a specific question about specific actions and all I 
got was a list of words that had been spoken. And I am sure 
that words coming out of the mouth of officials of the United 
States is terribly frightening to the Chinese.
    Let me turn to Mr. Keating now.
    Mr. Keating. Thank you, Mr. Chairman. I mentioned in my 
opening remarks, in 2007 our NATO ally Estonia was subject to a 
series of cyber attacks directed at their Parliament, their 
ministries, their banking systems, newspapers, and 
broadcasters. NATO subsequently established the NATO 
Cooperative Cyber Defence Centre of Excellence in Estonia to 
enhance the capability, cooperation, and information sharing 
among NATO and its partners in cyber defense.
    Now does the State Department have any evaluation of the 
effectiveness of that initiative? And furthermore, some of our 
NATO allies have looked to the U.S. to lead on cyber 
initiatives in NATO-member countries. What sort of role has the 
U.S. had in this initiative going forward, and what kind of 
role is it willing to play? What implications does this 
initiative have on information sharing between all of the NATO 
countries?
    Mr. Painter. So a couple of things. The NATO Centre of 
Excellence in Estonia, the U.S. is supporting that effort and 
actually has personnel stationed there, and I think it is an 
important effort to look at some of the larger issues involving 
cyberspace. With respect to NATO, generally, as you know back 
in the Lisbon Summit, for the first time, and this was a 
proposal of the U.S., we made cyber a key part of NATO 
strategic concept. And first and foremost in that concept was 
making sure that NATO's own networks were secure, and that is 
something they have been working on in the last couple of 
years. They have also been promoting information sharing 
between members of NATO.
    Now NATO is not the only way we approach this. We deal 
obviously with the EU who just released an international--well, 
they released a strategy document for cyberspace. And it was 
remarkable because three parts of the EU, the External Action 
Service, the DG Connect as it is called, and their home 
ministry got together and collaborated on this strategy. And 
the strategy, the international part, is very similar to the 
U.S. strategy. It is very consistent with our strategy around 
the world, particularly in terms of promoting norms, and the 
existence and applicability of international law, existing 
international law, including the law of armed conflict to 
cyberspace. Those are critical things.
    So we are working with the EU. We are also working with key 
member states. We are working with the U.K. We are working with 
Germany. We are working closely with France. We are working 
closely with the Netherlands, and many others in that context. 
And we work through other forms, like the G8, for instance, and 
the OECD, and other forms like that. So there has been a lot of 
activity that we have been doing. There has also been our 
Defense Department who works with our allies in making sure 
that they have better defenses and building those defenses.
    And finally, our Homeland Security Department has been 
working with a number of countries and exchanging information 
with their computer emergency response teams. One thing, I 
think, that is a great development not just in Europe but 
around the world is that countries are developing national 
strategies for dealing with cyber. We have one here, and many 
other countries now have them, but in Latin America and other 
places those are being developed.
    The one other thing I would say just to reflect on the last 
question before yours, I do think it is important that we are 
raising this issue at a very high level. I think it makes a 
difference when the President raises this level, when Tom 
Donilon raises this level. And we are also doing things to 
protect us at home, like what DHS is doing to share information 
with the private sector and help harden the targets, make sure 
our defenses are better.
    Mr. Keating. Yes, I am on the Cybersecurity Subcommittee in 
Homeland Security as well. But how well are these other 
countries doing, working with the private sector side? Because 
governments can work all they want, but if we are not having a 
dynamic approach dealing with the private side as well we are 
not going to be successful in this. Are any of the other 
countries you are familiar with, are they doing a better job 
getting that kind of cooperation?
    Mr. Painter. I think we are all trying to make sure that is 
an effective partnership. I think it is extraordinarily 
important because the private sector not only owns most of the 
infrastructure but, frankly, government doesn't have all the 
answers. We have to engage with the private sector and others 
to make sure we go forward.
    When I started this office, a little less than about 2 
years ago now, one of the first things I did was start meeting 
with various private sector groups. Because they may see 
opportunities or dangers that perhaps we don't see in 
government, and it is important to make sure that they 
communicate with us on that, and they often go to some of these 
international meetings.
    Mr. Keating. Well, we are trying to balance here whether or 
not we go through regulations, and government is telling the 
private sector what they have to do. We are trying to balance 
off that to a more cooperative way to see if we could do--what 
are the approaches in some of these countries? Do we have 
countries that you are aware of where they are just having 
their own regulations on the private side and----
    Mr. Painter. I think there are countries that are more 
regulatory in nature, just by their nature. What we try to 
argue when we have our dialogues with other countries is that 
it is important for them to talk to the private sector. Some 
countries, frankly, don't have a history or a culture of 
talking to the private sector the way we do here. I think we 
made great strides in that here. For instance, even building 
our National Incident Response plan with the private sector 
from the ground up, something I don't think we have ever done 
before, and that was just in the last couple of years.
    But one of the things we do is when we do, for instance, 
capacity building, one of the great efforts of our office not 
only to help build capacity, but to try to convince the 
developing world that our way of looking at cyberspace is the 
correct one and will help them, we bring private sector along 
with us. We try to tell those governments, dealing with the 
private sector is critical in actually securing your networks 
in securing cyberspace.
    And I think obviously the executive order is very 
important, it is just the down payment on what we need. We 
still need legislation, as you know, and we still need 
legislation that we have talked about last year and talking 
about this year, and we hope we get it, that allows that both 
voluntary but very important connection between the private 
sector and government.
    Mr. Keating. I yield back, Mr. Chairman.
    Mr. Rohrabacher. Mr. Marino?
    Mr. Marino. Thank you, Chairman. Good morning, Mr. Painter. 
I am sure that you participate in classified meetings 
concerning intelligence that we accumulate and share with our 
allies, and you are between the devil and the deep blue sea 
here with what you can tell us and what you can't tell us. So I 
am just going to assume that that is the case. But I am a 
member of the NATO Parliamentary Assembly, and on a recent trip 
from a NATO meeting in Belgium it did not appear to me that 
this subject of cyber warfare was a top priority.
    Can you give me a suggestion as to what the administration 
is doing to make this a top priority, and are our allies behind 
us or beside in this and will it have an impact on Russia and 
China?
    Mr. Painter. Okay. So first, just in terminology, rather 
than use cyber warfare I just say the cyber threat and how we 
deal with the cyber threat. And I would say that as I mentioned 
before the fact that cyber is now part of NATO's operating 
concept when it never was before is a key consideration. And it 
is no small task for NATO to actually get its networks to the 
shape that--this is a foundational thing. If you have your 
networks, your own networks, NATO networks, and the member 
states' networks secured, you can build on top of that.
    I just met with Ambassador Iklody, yesterday, from NATO, 
who is their cyber person, and they are doing a lot of activity 
in this area making sure that they are having better security 
of their networks, and they are sharing information between 
member states, and I think that is the most important part.
    Mr. Marino. I understand that. But do you really think we 
are going to--let us get down in the weeds here. If the NATO 
members get together and implement severe sanctions, do you 
really think China and Russia are going to listen to us? I was 
in China and Russia not too long ago and I brought up the issue 
with them. They didn't like it. Actually, China acted like it 
wasn't happening, and Russia simply said so what.
    So let me give you a scenario here. Assume we have an 
attack on Wall Street, the stock exchange, it crashes, and we 
know from where it came. Have you worked out any scenarios as 
to what will happen from that point forward on behalf of the 
United States and some of its allies?
    Mr. Painter. Yes, to the extent that we have actually, just 
recently in the National Level Exercise that was conducted last 
year, for the first time that focused on cyber. So we were 
looking at very catastrophic events in the context of cyber in 
that exercise. And that both exercised how we were going to 
work together, but also we had some of our close allies 
participating in that exercise.
    And as with any other threat, and we lay this out in the 
international strategy, we use every tool at our disposal 
whether it be economic, diplomatic, I think we say 
informational, or even military. Military is a last resort and 
only after we have exhausted other options in law enforcement 
of course too. But we have the full suite of tools and we have 
close allies with whom we are discussing this with all the 
time, and----
    Mr. Marino. I do not mean to be facetious about this, but 
do you think that this has been working to any extent at all? I 
do not see any actual repercussions being implemented or any 
scenarios that would cause the Chinese or the Russians to stop 
it or curtail it at least.
    Mr. Painter. Well, first of all, I would say that we have 
certainly raised the pressure about how serious this issue is 
for us recently, as you have seen from the President's 
statement, from Tom Donilon's statement, et cetera. Other 
countries, I think, are also looking at this issue and how they 
are going to deal with this issue. We have made tremendous 
progress even in the last 2 years in treating this issue as 
much more, not just a technical issue but an economic issue, a 
national security issue, and a foreign policy issue. Other 
governments are doing that too but they are at different 
stages, and we are dealing with them and talking with them. 
Again, I really can't talk about our private conversations as 
you know.
    Mr. Marino. I understand. I have less than 20 seconds now. 
And I am also involved on the Intellectual Property 
Subcommittee, and it is a big issue with me, and we are losing 
billions of dollars and tens of thousands, maybe hundreds of 
thousands of jobs. But I have, maybe a little tongue-in-cheek 
sarcasm remedy is since we owe China so much money for our 
debt, why don't we deduct what they are stealing from us and 
take it away from the debt? I yield back. Thank you.
    Mr. Rohrabacher. Well, then they might have grave concerns 
as well if we did something like that.
    Mr. Duncan, you may proceed.
    Mr. Duncan of South Carolina. Thank you, Mr. Chairman. 
First off, I will just say America needs to realize that this 
is a real threat. And we talk about cybersecurity a lot, and it 
is not just some hacker stealing iTunes downloads or small-
scale intellectual property theft. This is on a grand scale. It 
is not only on grand scale with intellectual property with 
private corporations, but it is also the theft of military 
hardware plans such as some of our fighter aircraft.
    And so it is not just China. It is Iran. It is the 
Russians. It is a lot of different groups, organized crime and 
others that are pinging away at the United States trying to 
find a chink in our cyber armor. And I think it is important 
that we also realize that the electrical grid and a lot of the 
components that keep America operating are also in the sights 
of the cyber criminals and other entities. So I am concerned 
about that. And the reason I brought Mr. Clapper's comments up 
this morning is he also recognizes that this is an imminent 
threat and concern to the United States.
    And so I was reading about a Chinese operative, a scientist 
who was allowed to work with NASA and Langley through a 
contract, and was arrested by the FBI as he boarded an airplane 
carrying hard drives, flashdrives, and computers that most 
likely contained sensitive data that he downloaded. You can 
carry a tremendous amount of information on a thumb drive or a 
computer hard drive. But I think that pales in comparison to 
what can be downloaded through hacking. And something that is 
operating behind the scenes 24/7 without an actual person 
sitting there downloading into a thumb drive, it is going on by 
behind-the-scenes computers.
    And so at what point, in my opinion, does the 
administration consider that type theft, espionage, and damage 
to the U.S. computer systems an act of war?
    Mr. Painter. So again, what an act of war means and what an 
act of war would trigger, I think, is, as I look at the 
threats, as DNI Clapper articulated the threats, we have two 
kinds of conduct. We have the fear of the threat of cyber 
warfare, which is attacks on infrastructure that could be 
crippling, which he said as of this point, is remote, but we 
have to be worried about it, and then we have what we see every 
day which is the large-scale, unacceptable theft of 
intellectual property, and that is a real concern. It is a real 
concern, for me it is a real concern. Throughout our Government 
we are taking actions to try to both prevent that theft by 
making sure we have better security. That is why the executive 
order is there. That is why we are asking for legislation.
    We are talking to countries that we believe are involved in 
this activity. We are talking to our allies about this. We are 
also considering other actions more generally. But I think it 
is not that that is cyber warfare, but that is, I think, 
something that is clearly damaging to the American economy. It 
is the life's blood of these companies. It is taking away our 
future innovation. So we are taking it incredibly seriously, 
and I, certainly, even if I didn't have this job, as a former 
prosecutor who prosecuted intellectual property cases, I think 
this is a really important issue and it has gotten a lot of 
attention, as it should, recently.
    And so our part of this is trying to do a couple of things. 
In the short term, we are working to help mitigate these 
issues, working with DHS, working with other interagency 
partners, and in our diplomatic efforts both bilaterally and 
multi-laterally with other governments. In the long term, we 
are trying to make clear that the norm in cyberspace, the norm 
we are trying to promote is that this kind of theft of 
intellectual property and trade secrets is simply unacceptable, 
and countries that are outside of that core will get 
marginalized much as we did with money laundering back in the 
'70s. So this is something I think is both a short-term and 
long-term effort and we are taking actions on both of those----
    Mr. Duncan of South Carolina. And I appreciate your 
willingness to say that because it is not only damaging our 
economy and our abilities, it is taking our edge away 
militarily, our advantage. If they are stealing the plans of an 
F-35 and so we have to send F-35s against a comparable 
aircraft, that is taking some of that competitive advantage 
away that we have militarily to protect this country. And it is 
taking our economic advantage away with cyber crime that is 
taking intellectual property.
    And so at some point in time I would love for this 
administration to say no more. We are going to hold someone 
accountable. We are going to hold someone accountable for the 
theft. We are going to hold the host countries where the 
operatives are using the cyber attacks, whether it is China or 
Russia, we need to hold those host countries responsible to 
some degree for what is going on within their borders. I think 
we would do that to ourselves. I think the United States ought 
to be responsible for what is going on within our borders with 
regard to cyber crime, and I think we are.
    And so I think at some point in time we need to make sure 
that just a very clear line is drawn and a very clear 
understanding within the international community of what is 
acceptable and what is not acceptable with regard to cyber 
crimes, prosecution, and going forward. So Mr. Chairman, I am 
out of time, so with what I will yield back.
    Mr. Rohrabacher. Yes. What is acceptable and not acceptable 
and what the consequences are, because they don't care what is 
acceptable or not acceptable. They have to know what the 
consequences are, and so far we----
    Mr. Duncan of South Carolina. You are saying it a little 
more eloquently than I did, and I appreciate it.
    Mr. Rohrabacher. No, it has been clear the consequences are 
statements of great concern and statements of something that 
will be sustained. And we will give you a chance to answer that 
one after Mr. Stockman, who is one of our more timid members of 
the committee, also known as being a ferocious patriot, Mr. 
Stockman, you have 5 minutes.
    Mr. Stockman. I just have a concern. My district 
encompasses everything from NASA to petrochemical plants. And 
we were touring some of the plants, and they were stating that 
they were getting very little cooperation from the government 
on helping deter some of the cyber attacks. And they were 
mentioning that it could cripple our nation. Just by turning 
off a few valves it could blow up a plant. And this is 
something that is very serious.
    This reminds me of 9/11 when we knew about the Philippines. 
We picked up documents which showed that they wanted to use 
planes as weapons, yet we ignored all the signs. I feel like we 
are ignoring all the signs. And I have on the ground, plant 
managers telling me their concerns and yet they don't feel we 
are getting any help from the government. And I am asking you, 
is there any kind of game plan to help critical infrastructure? 
Have you identified it and said hey, we are going to talk to 
you guys? Because one plant alone in my district produces about 
600,000 barrels a day. If that were to be taken off the market 
you would see a quick crisis occur. And if you took off several 
plants it would shut down the United States.
    Mr. Painter. So my DHS colleagues deal with this all the 
time and, in fact, there have been designations of critical 
infrastructures and ways set up to deal with those industries 
and talk to those industries about cyber, not just about all 
the other issues they face and all the other challenges, but 
about cyber in particular. And certainly it is our goal to make 
sure that those companies understand both the scope of the 
problem, which is often a problem. Many companies don't 
understand, really, what the threat they are facing is, and 
that has been a problem we have had for the last 10 years, but 
they understand that the government does care about this and 
wants to work with them.
    And there have been a lot of activities recently in terms 
of sharing signature information, et cetera, with companies and 
with ISPs and with other providers to better protect that 
critical infrastructure. If you look at the executive order and 
the proposed legislation, that is targeted, again, at critical 
infrastructure. Narrowly defined but critical, because if 
something happens to it, as you say, it could really bring us 
to our knees. And that is extraordinarily important.
    And I would say this also, other countries around the world 
are focusing on critical infrastructure too. Certainly the U.K. 
and Germany or others are looking at this and say, what is it 
that we really need? What are the threats we are facing from 
cyberspace, what can they do to us, and how can we build better 
defenses? Part of it is building better defenses. Part of any 
strategy, any deterrence has to be building better defenses, 
and part of it, and my part of it has to be what we are going 
to do diplomatically.
    But that is only one part. This is a whole-of-government 
effort that includes DHS, it includes DoD, it includes the 
Commerce Department and Justice and the FBI in the full range 
of our activities, but they have to work together. And it is 
important that we have the foreign policy element, but that is 
one of the many elements in our tool kit that has to be 
integrated.
    Mr. Stockman. Can I just do a follow-up question there? Can 
you see from the plant manager's concern if you step in his 
shoes, and this is recent, the frustration he has that he feels 
like he is in a vulnerable situation and he is going to be held 
accountable, but he is not getting any kind of feedback from 
the administration or, quite frankly, anybody in the 
governmental body? He is sounding the alarms and then it is 
falling on deaf ears, so there is a great deal of frustration 
from his viewpoint.
    And I feel like maybe all of us in this committee and maybe 
in Congress are ignoring his concerns. It is a legitimate 
concern. As you know there is clips of things that were done 
remotely that were very devastating, and I will just ask that 
you somehow follow through on your plan to work with the 
critical infrastructure of this nation.
    Mr. Painter. I would just say that that is something that 
has been a priority now for a few years in our Department of 
Homeland Security, and other parts of our Government have been 
working strongly to do that. Before I came to the State 
Department in 2009, the cyberspace policy review we wrote talks 
about this issue exactly, raising awareness and addressing some 
of these concerns with the critical infrastructure.
    And if that plant manager is feeling that way that is 
certainly unfortunate, but we have to make sure that we are 
working with him, and I think we are. And the other thing I 
would say is that compared to even a few years ago the 
awareness level and the coordination among government agencies 
and the priority of this issue is higher than it has ever been.
    Mr. Stockman. Thank you. And I yield back the balance of my 
time, Mr. Chairman.
    Mr. Rohrabacher. Thank you very much. I want to thank the 
witness. And let us just note that we have a huge number of 
targets in our country that can be attacked via this mechanism, 
the cyber attack. And we cannot defend. It would be impossible 
for us to defend all these targets. Thus, the only way that we 
can defend ourselves is if those who are committing crimes 
against us face serious consequences and thus will refrain from 
those attacks.
    At this point, from your testimony--and let me just say you 
are a wonderful person and you take your job seriously. You are 
a former prosecutor, and I am sure that you put people in jail 
for committing crimes against other people and crimes against 
our society, but we can't put in jail the people who threaten 
us today and could do us great harm.
    And people have got to know overseas whether or not there 
is going to be a serious consequence, not just raising the 
words at a discussion between heads of state, but a serious 
consequence if they are found guilty here of being an 
accomplice to a major crime. A crime of shutting down maybe 
that oil refinery in order to give them leverage on some oil 
deals someplace else in the world that they are trying to make, 
or maybe even putting our air traffic control system out of 
whack for a day. There is too many targets to defend, and right 
now those people who could possibly commit these acts don't 
know what those serious consequences are. And that lack of 
definition that we have of what you are going to face if you do 
this, I believe, could cause serious consequences to our 
people. To our people, rather than the people committing the 
crime.
    So as you move forward in your job we wish you well this 
year. This committee is here to work with you in trying to--
because we are supposed to handle emerging threats, and if 
there ever was an emerging threat that is what we are talking 
about. But as a prosecutor, as a tough guy that deals with 
criminals, let us make sure that we are just as tough dealing 
with these cyber threats to our well being.
    And Mr. Keating, do you have a 1-minute summary would you 
like to make?
    Mr. Keating. Well, I think there is a lot of activity 
going. One of the things that we didn't get into that is worth 
mentioning is, as some countries move forward on these areas to 
try and do it under the guise of getting control over cyber 
threats, we have countries that are going to try and inhibit 
communication, social media, the kind of communication that is 
healthy in a democratic country. And so there is a balancing 
act to be made in that respect, and I think it is worth 
mentioning that that makes it difficult.
    But I would just say this. That I hope that this Congress 
can come forward with legislation this year. We will be 
reacting quickly if, indeed, one of our five top financial 
groups is hacked into for any extended period of time. It is 
conceivable they could go bankrupt. And if you compare that 
with what happened with the mortgage crisis, this would have 
far more devastating impact.
    And I do agree, just following up on what the chairman 
said, internationally with our allies, I think we should have 
more concrete sanctions and a ratcheting up once we have 
accountability. Because I think that will indeed help as a 
deterrence as well so people and countries will know what they 
are facing as a result. But I thank you for your testimony and 
your hard work in this area.
    Mr. Rohrabacher. Let us give the witness the courtesy of 
giving him the last comment, but not more than 1 minute.
    Mr. Painter. Not long.
    Mr. Rohrabacher. Not more than 1 minute.
    Mr. Painter. I appreciate that very, very much, Mr. 
Chairman. I would say that look, I am heartened that this has 
gotten so much priority and so much interest. Having spent time 
in this area now for over 20 years, the fact that over the last 
few years it has now become not just a technical issue but a 
real foreign policy priority, a real national priority, and a 
real international priority. It is a huge step, and that is 
something that we need to build on.
    I would also say that taking out of the context of any 
particular actor, even our international strategy, which by 
itself--we were the first country to put together an 
international strategy. We are the first country to create an 
office like mine, and many other countries have now have 
followed suit and that is important too. In international 
strategy we have a deterrent policy there. We say we will use 
all tools that we have. Diplomatic is one of them. It is just 
one of them. Diplomatic, economic, law enforcement, military, 
the full suite of tools in appropriate circumstances given the 
circumstances that are there.
    I think we are making a huge, it is a hugely complex issue. 
We are dealing with the Internet freedom issues. We are dealing 
with governance issues and keeping this a multi-stakeholder 
governments' process. We are dealing with the international 
security issue, the applicability of international law, 
building confidence between countries so things don't escalate 
out of control, so we can actually get some transparency to 
other governments, and we are working on cyber crime. So all 
these are important. It is a big lift over the next few years 
but something, I think, we are really prepared to do. So thank 
you.
    Mr. Rohrabacher. Well, thank you. Life wasn't so 
complicated before, was it? Thank you very much.
    We have a second panel who will be joining us now. So we 
have a very distinguished panel for our second panel. And 
first, what we will do is I will introduce all of you and then 
we will proceed with your statements and then we will go into 
questions after that. And if you gentlemen could make your 
statements around 5 minutes so that we have a little time for 
questions. There are votes coming up in the next hour at least, 
so we will have to adjourn at that point. So we will move 
forward as soon as we can.
    We will start with Mr. Richard Bejtlich is chief security 
officer at--pronounce that for me.
    Mr. Libicki. Mandiant.
    Mr. Rohrabacher. Okay, I am blacking out on that 
pronunciation. He was previously director of Incident Response 
for General Electric. Prior to GE he operated the TaoSecurity 
LLC as an independent consultant, where among other things he 
protected national security interests for Mantech Corporation's 
Computer Forensic and Intrusive Analysis Division. He began his 
digital security career as a military intelligence officer 
working for the Air Force Information Warfare Center and Air 
Intelligence Agency. He graduated from Harvard University, and 
the United States Air Force Academy.
    We have Michael Mazza, a research fellow at the American 
Enterprise Institute, and program manager for AEI's annual 
Executive Program on National Security Policy and Strategy. 
Michael Mazza has studied and lived in China and writes 
regularly on U.S. strategy in Asia and on Taiwanese defense 
strategies. He has a Masters degree in International Relations, 
Strategic Studies and International Economics from the Paul H. 
Nitze School of Advanced International Studies at Johns Hopkins 
University, and a B.A. from Cornell. The second Cornell man we 
have had today with us.
    Greg Autry is a senior economist for the Coalition for a 
Prosperous America. He is the co-author with Peter Navarro of 
the book, ``Death by China,'' and I might add it is a great 
book and a great movie. Considering how many times I was quoted 
in it that is what makes it even better. And Greg holds a B.A. 
in History from Cal Poly Pomona, and an M.B.A. from Merage 
School of Management at UC Irvine.
    And finally, Libicki. I am really bad at making these 
pronunciations. With a name like Rohrabacher you are going to 
have to--anybody can mispronounce my name, and we will make a 
deal. A senior management scientist at Rand Corporation, he is 
the author of Rand's study, ``Cyber Deterrence and Cyber War.'' 
Prior to joining Rand he spent 12 years at the National Defense 
University, 3 years on the Navy staff as program sponsor for 
industrial preparedness, and 3 years as a policy analyst for 
the General Accounting Office's Energy and Mineral Division. He 
has received a Ph.D. in Economics from the University of 
California at Berkeley.
    We will start with you.

 STATEMENT OF MR. RICHARD BEJTLICH, CHIEF SECURITY OFFICER AND 
       SECURITY SERVICES ARCHITECT, MANDIANT CORPORATION

    Mr. Bejtlich. Thank you, Mr. Chairman. Thank you, Ranking 
Member Keating, distinguished members of the committee.
    My name is Richard Bejtlich and I am the chief security 
officer at Mandiant. Mandiant is a computer security company 
that has one mission and that is to detect and respond to 
advanced intruders. We have been doing that for 9 years. We are 
unique in that respect that we were founded on the idea that 
you can't stop determined attackers, and there needs to be 
someplace for the private sector, or even in some cases, 
government agencies to call for help. And that is what we do. 
As I am sitting here today, we have teams out at somewhere 
between 12 and 15 customers, helping them recover from 
intrusions. Our software is helping dozens of other companies, 
hundreds of others, actually, at this point. And that is what 
we do as a company.
    So who is APT 1? Who is this group that we outed in our 
report? It is important to realize that APT 1--and APT stands 
for Advanced Persistent Threat. It is a term that was invented 
by an Air Force colonel in 2006 to tie back to Chinese threat 
actors. APT 1 is one of two dozen groups that our company 
tracks. APT 1 is the most prolific of these groups in terms of 
the number of industries that are affected. We estimate there 
is about 20 that we have personally witnessed including 141 
companies, 115 of which are in the United States.
    But there are other groups that we just did not decide to 
document in our report. APT 1 is actually Unit 61398. This is a 
unit of the People's Liberation Army. It is the second bureau 
of the third department. And the third department in the PLA 
General Staff does signals intelligence. So it makes sense. You 
take a signals intelligence unit and you turn them into a 
computer network operations unit. They operate primarily out of 
a headquarters outside of Shanghai that was built in 2007, 
130,000 square feet. And there has been TV coverage recently 
where reporters from CNN tried to take some footage. They were 
chased by soldiers and the footage was temporarily confiscated.
    Why did we release this report? We released the report 
because we wanted to move the discussion about this topic 
forward. As you probably heard, there has been talk of Chinese 
hackers. You couldn't tell if it was someone in his mother's 
basement. You couldn't tell if it was an organized crime group 
or such. We felt that we had been tracking this group for so 
long, for 7 years, and using a combination of technical 
indicators and non-technical indicators we were able to trace 
it back, right to the doorstep of this building, and figure out 
that this was this military unit.
    We wanted to speak for victims. We help hundreds of 
companies and they are all frustrated. They want something to 
be done but they don't want to come forward and say something 
about it. Very infrequently that happens. We have seen that now 
with the New York Times, Google, RSA, U.S. Chamber of Commerce. 
Outside of that no one talks about this. We also felt that the 
time was right. We felt that the time for watching the 
fireworks had passed, and our sense was that the government 
wanted to talk about this and we had the evidence to talk about 
it.
    And the report is completely based on our work, completely 
unclassified, not corroborated with government information. It 
just shows you what a dedicated group of, in this case our 
company is former military, former law enforcement, former 
Intelligence Community, and then just very motivated, highly 
skilled computer security people. This is what you can do if 
you devote yourself to this project. We also felt that if we 
provided the indicators of compromise, that data that talks 
about who these guys are, what they do to Western companies, 
and how they operate that people could defend themselves. And 
that has been fairly gratifying over the last several weeks 
since we released the report.
    People are finding these groups inside their companies and 
they are doing something about it. And it gives you an example 
of what could be done, I think, if the government were more 
forthcoming in sharing what the government knows about these 
actors. It is also important to realize, what are you supposed 
to do with this information? What I would say is, every company 
in the United States that cares about security needs to be able 
to take a report like ours, digest the information in it and 
look for intruders in your company.
    If you look at our report--and it is free. We are not 
charging for it. You download it from the Internet. If you look 
at this report and you can't do that, you can't figure out how 
to find intruders in your company, that is probably job one. 
You need to be able to do that. And secondly, you need to be 
able to see over time how this affects you. We find too many 
companies don't treat this as a business process. They treat it 
as something that engineers and technicians need to deal with. 
You need to realize that dealing with intruders is a fact of 
life in the business world and it needs to be a continuous 
business process that you deal with. I thank you for the 
opportunity to testify today, and I look forward to your 
questions.
    [The prepared statement of Mr. Bejtlich follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
                              ----------                              

    Mr. Rohrabacher. Thank you very much. And let us just note 
that we do rely on the police to protect us, but also 
throughout our country we know that there are companies and 
individuals that seek private protection with security 
services, and they have guards at their gate and such as that. 
And so in this case with this particular threat, we of course 
need to all work together and it will encompass private sector 
investment as well as government action.
    Mr. Autry, you may proceed.

STATEMENT OF MR. GREG AUTRY, SENIOR ECONOMIST, COALITION FOR A 
                       PROSPEROUS AMERICA

    Mr. Autry. Thank you, Chairman Rohrabacher, Mr. Keating, 
and members. I wanted to particularly thank Mr. Marino for your 
strong comments with the earlier panelist.
    Mandiant Corporation's brilliant report has made obvious to 
everyone what we have known all along in that there is a giant 
sucking sound in our economy and it is coming from China. The 
military origin, the billions of dollars in damages, the 
infrastructure, and the focus on technology make it clear that 
this is a 21st century act of war. This is not some petty crime 
happening by a bunch of Internet trolls in China. China 
controls the Internet better than any country on earth. I know 
that from strong personal experience. I guarantee you that if 
they can find my emails to dissidents they can certainly track 
down a giant organized cyber attack happening in their own 
territory.
    China does not view the U.S. as a valued trading partner 
and a model for progress. We have got to give up on this naive 
perception that China is doing everything they can to move 
forward to become the United States. They are not. They view us 
as a ideological adversary who they see as weak and foolish and 
something that needs to be controlled.
    The Internet was developed by the United States Government 
at United States taxpayer expense. We in the United States and 
in the U.S. military have every right to expect special 
privileges in the Internet, and we need to make sure that it is 
not debased by either hoodlums or nations who do not appreciate 
the rule of law. It shouldn't be used by tyrants to repress 
their citizens, and we shouldn't allow those same tyrants to 
attack our corporations and our infrastructure. The Chinese 
Government can't think of enough things to do with the money 
that they have been earning from the economic warfare that they 
have been executing against the United States.
    While we are frustrated over a 2-percent cut, the Chinese 
are launching moon missions, building maglev trains, launching 
the biggest military buildup that we have seen since the 1930s. 
Meanwhile, these cyber attacks against the United States are in 
the same financial class as the 9/11 attacks. They are costing 
clearly, billions, and I believe, hundreds of billions of 
dollars, and this translates to real effect on American 
individual workers, and this results in loss of life to 
Americans as well.
    And so I ask, why does China get a pass on this scurrilous 
behavior and every other form of scurrilous behavior that they 
engage in from economic abuse to human rights? I believe that 
if Unit 61398 were a segment of the Iranian Republican Guard 
located in Tehran that that building would be a smoldering pile 
of rubble before I got a chance to testify, yet there seems to 
be something going on with China.
    And I think that the problem is, frankly, that a lot of 
American corporations are co-opted by the Chinese regime. They 
have such a huge interest in the production capabilities and 
the ability to exploit Chinese labor and the Chinese 
environment to lower their costs, and they are chasing the 
delusional promise of this giant market that they are someday 
actually going to be given access to that they don't dare 
offend their Chinese host.
    They are like the abused partner in an abusive spousal 
relationship. They are not going to call the cops on the 
Chinese, and they are really not going to do it when they know 
that the cops don't show up and that the cops don't have any 
guns, which is the situation that we are in now.
    This is not a technical challenge, it is a military one. No 
amount of locks or alarms could protect your home if there was 
no belief that the police would show up or that the prosecutors 
would do anything if you had burglars working in broad daylight 
against whatever security you had put in place.
    We need to do some serious actions. And I strongly 
recommend, first of all, that we have a tariff on Chinese 
technology that accounts for our governmental cost in 
cybersecurity to defend against the Chinese, and for the 
damages that we estimate against our corporations, until there 
are no further signs of this sort of activity. We should have a 
ban on the import of any Chinese networking hardware, and 
specifically I mean Huawei. We need to stop the revolving door 
at the State, Treasury, and Commerce Departments where 
officials from those Departments come directly from doing 
business with China or look forward to doing business with the 
Chinese as soon as they get out of government service.
    Finally, we need to stop educating our adversary. Our 
computer science departments and engineering departments are 
full of mainland Chinese students, the majority of whom return 
to mainland China. Why are we educating these students of a 
country who are using that technology that we are handing them 
to oppose our interests? Thank you.
    [The prepared statement of Mr. Autry follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
                              ----------                              

    Mr. Rohrabacher. Thank you very much.
    Now we have 10 minutes before the vote is actually taking 
place. What we could do is we will have the testimony from Mr. 
Mazza. We will then recess. As soon as the votes are over we 
will come back and have a few questions for the panel, if that 
is all right. We apologize, but we don't have the control over 
when the votes come.
    Mr. Mazza, you have 5 minutes, and then we will have 5 more 
minutes to get to the floor.
    Go right ahead.

   STATEMENT OF MR. MICHAEL MAZZA, RESEARCH FELLOW, AMERICAN 
                      ENTERPRISE INSTITUTE

    Mr. Mazza. Chairman Rohrabacher, Ranking Member Keating, 
members of the subcommittee, thank you for the opportunity to 
testify before you today on China's use of cyber capabilities.
    China, I argue, sees cyber capabilities as a tool of 
statecraft, and like any such tool, it can and should be put to 
use in the pursuit of national interests. What are those 
interests? In brief, the primary goal of the Chinese Communist 
Party, or CCP, is to stay in power. No longer securing its 
legitimacy on a foundation of Marxist ideology, the Party now 
relies on delivering economic prosperity and on its claim to a 
nationalist mantle to ensure its continued rule.
    And in my remarks here I am going to focus on the more 
traditional aspects of security implications rather than 
economics. China's continued rise is crucial if the CCP is to 
validate its claim that it and it alone can lead the country 
back to what it sees as its traditional and rightful place atop 
the Asian hierarchy. And to do so, Beijing must restore 
sovereignty over territory supposedly wrongly taken from it. 
Doing so would not only allow Beijing to complete what it sees 
as an historic mission, but to enhance its own security. 
Controlling islands in the East and South China Seas would 
grant China greater strategic depth, allow it to more easily 
safeguard or control sea lanes, and permit it to more easily 
access the Pacific and Indian Oceans.
    But of course, these waters are also home to U.S. treaty 
allies, long-standing security partners, and new friends. And 
it is in these littoral regions where tensions have been 
running high, where conflict is most likely to break out, and 
where U.S. and Chinese interests clash. Differing visions of 
what Asian and perhaps global order should like have led China 
and the United States into what is shaping up to be a long-term 
strategic competition. For China, cyber capabilities are tools 
to be used in waging this competition and in securing its 
interest in the Asia Pacific. And in particular, I hear that 
China uses cyber capabilities for three related but different 
purposes.
    First, Chinese hackers will engage in espionage activities 
in the pursuit of both strategic and tactical intelligence. 
Such activity is unwelcome but shouldn't be unexpected. The 
United States and China are going to spy on each other. Second, 
the People's Liberation Army, or PLA, will use cyber warfare as 
part of its suite of anti-access/area denial capabilities, or 
A2/AD. The PLA has been developing systems aimed at keeping 
U.S. forces distant from Chinese shores, complicating in 
particular the U.S. Navy's ability to operate freely in the 
Asia-Pacific Theater and thus making U.S. intervention in the 
Taiwan Strait or other conflict more difficult. In the event of 
a conflict, PLA cyber forces would likely aim to disrupt U.S. 
military command and communications networks, essentially 
trying to blind, deafen, and silence U.S. forces.
    Third, and in my opinion, most worrisome is China's 
development of what might be called strategic cyber weapons. 
Recent revelations of Chinese cyber intrusions into U.S. 
critical infrastructure are especially troubling. That an 
attacker a half a world away could threaten our electrical grid 
or transportation security is of course a frightening thought, 
but in my opinion, even more concerning is that China's 
development of these capabilities is potentially destabilizing. 
Because the weapons lack the ugliness of nuclear arms, Beijing 
may come to see them as more usable than nuclear weapons. And 
with such weapons likely to be seen as adding an intermediate 
step on the escalation ladder, Beijing may come to see armed 
conflict as less dangerous than it otherwise would have.
    Fortunately there are steps the United States can take to 
arrest China's use of cyber capabilities and ensure American 
national security going forward. These steps fall into three 
broad categories--legal, diplomatic, and military and that they 
all be suggestions that require further thought, certainly. In 
the legal realm there may be need for new legislation. My 
colleague Dan Blumenthal has recently argued that Congress 
should adopt a cyber attack exception to the Foreign Sovereign 
Immunities Act to allow for civil suits against foreign 
governments acting illegally in the cyber realm. This is 
something that we have done in the realm of terrorism.
    Diplomatically, there are several paths to take. Ideally, 
of course, China will be willing to join in some broad based 
international effort to establish norms and rules of the road 
in the cyber realm, but as you have pointed out, China will 
need incentive to do so. The Obama administration has suggested 
that cyber threats will threaten the overall U.S.-China 
relationship, but it needs to start elucidating just what that 
means. What are the risks? Potential options include limiting 
access to the U.S. market for Chinese state-owned enterprises 
or pursuing action at the WTO.
    In the military sphere the United States should be clear 
about how we will respond to the use of strategic weapons on 
American soil. The Department of Defense should explore whether 
it is possible to conduct cyber exercises that will effectively 
demonstrate U.S. capabilities, much as conventional exercises 
are used, for example, to deter North Korea. If the United 
States limits itself to just playing defense in cyberspace, it 
is likely to find itself on the losing end in a competition 
with China. Playing offense, not just militarily but in the 
legal and diplomatic fields as well, will allow Washington to 
impose costs on Beijing when necessary and enhance national 
security. Thank you.
    [The prepared statement of Mr. Mazza follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
                              ----------                              

    Mr. Rohrabacher. Thank you very much.
    Now we have 4 minutes to go down and vote. And Dr. Libicki, 
I am sorry that we are going to--or are you going to be able to 
hold off? It will be about a half an hour by the time we get 
back here.
    Mr. Libicki. Certainly.
    Mr. Rohrabacher. Thank you very much. So what we will do is 
I will recess the hearing for 30 minutes, and so we should be 
back in a half an hour. And let us just note for the record as 
we recess that we are talking about here a--Mr. Keating, we 
have heard testimony indicating that the cyber attack has been 
traced directly back to a unit of the Chinese army, and this is 
phenomenal that we can actually have evidence of an army of 
another country involved in this type of criminal activity 
aimed at Americans and others.
    We have also heard testimony about the United States, 
through our Chinese student graduate program have perhaps 
educated some of the people in that Chinese army unit, who then 
took the knowledge back that they gained in the United States, 
to attack us. And so we will have some questions for our panel 
along these lines when we come back, and Dr. Libicki will have 
his testimony. So this hearing is now in recess for 30 minutes.
    [Recess.]
    Mr. Rohrabacher. Okay, this hearing is now called to order, 
and we had a 30-minute break. We will now proceed with the rest 
with the final witness, and then we will proceed to have some 
questions, and hopefully we will be adjourned in about a half 
an hour from now.
    Dr. Libicki?

   STATEMENT OF MARTIN C. LIBICKI, PH.D., SENIOR MANAGEMENT 
                  SCIENTIST, RAND CORPORATION

    Mr. Libicki. Good morning, Chairman Rohrabacher, Ranking 
Chairman Keating, and other----
    Mr. Rohrabacher. Someone has tampered with the electronics 
and you are not coming through on that phone, or maybe you just 
need to put it over here.
    Mr. Libicki. Good morning, Chairman Rohrabacher----
    Mr. Rohrabacher. There is a lesson to be learned in that.
    Mr. Libicki [continuing]. Ranking Member Keating, and other 
distinguished members of the subcommittee. Thank you for the 
opportunity to testify today on cyber attacks, an unprecedented 
threat to U.S. national security.
    On September 11th, 2001, terrorists attacked the United 
States. Three thousand people died and the physical damage was 
upwards of $200 billion. On September 12th, the country 
responded. The United States strengthened its homeland 
security. We went to war twice. Over the next dozen years the 
United States lost 6,000 in combat, 10,000 to 20,000 were 
seriously injured. Total additional expenditures exceeded $1 
trillion.
    I point this out not to criticize the policies that 
followed but to indicate that even though an attack on the 
United States may be damaging the cycle of response and 
counterresponse may be far more consequential. Accordingly, 
even though a cyber 9/11 may be costly, it would be short-
sighted to evaluate the threat in terms of immediate damage 
without considering how the United States would manage such a 
crisis in order to yield an outcome that works best for the 
American people.
    We are right to be worried about a 9/11 in cyberspace, but 
we also ought to worry about what a 9/12 in cyberspace would 
look like. Indeed, one of the best reasons for working hard to 
avoid a 9/11 in cyberspace is precisely to avoid having to deal 
with a 9/12 in cyberspace. That noted, because a cyber 9/11 or 
what looks like a cyber 9/11 might happen, it is worthwhile to 
think about what we do the day after.
    The issue of how the United States should manage crisis and 
escalation in cyberspace is addressed in a recently published 
Rand document of the same name. I now want to take the 
opportunity to summarize some of the salient points in the 
document. The first point is to understand that the answer to 
the question, is this cyber attack an act of war?--is not a 
conclusion but a decision. Cyber wars are wars of choice. A 
country struck from cyberspace has the opportunity to ask, what 
would be the most cost effective way of minimizing such future 
suffering? Depending on circumstances it might be to go off to 
war. Alternatively, it might not be.
    The second is to take the time to think things through. 
Computers may work in nanoseconds, but the target of any 
response is not the computer, in large part because even if a 
computer is taken out a substitute may be close at hand. The 
true target of response is those who command cyber warriors, 
that is, people. But people do not work in nanoseconds. 
Persuasion and dissuasion of people are work at roughly the 
same speed whether or not these people command cyber war or 
command another form of war.
    Third is to understand what is at stake before you react, 
which is to say, what you hope to gain by making the attackers 
cease their efforts. This goes for both responding to cyber 
attack and to responding to what may be deemed intolerable 
levels of cyber espionage. Fourth is to not take possession of 
the crisis unnecessarily, or if you do take possession at least 
do so only on your own terms. That is, do not back yourself 
into a corner where you always have to respond whether doing so 
is wise or not.
    Fifth is to craft a narrative that facilitates taking the 
crisis where you want to take it. In some cases, the narrative 
has to allow the attacker to back down gracefully, which is to 
say cease what they are doing. Sixth is to figure out what are 
the norms of conduct in cyberspace, if any, work best for the 
United States. It may be encouraging that last week both the 
United States and China agreed to carry out high level talks on 
cyber norms, but there are a lot of questions to work through. 
Where, for instance, does one draw the many lines among cyber 
war, cyber crime, cyber espionage, and violations of 
international trade law?
    Seventh is to manage the cyber escalation wisely. This not 
only means remembering that the other side will likely react to 
what you do, but understanding what a crude tool tit-for-tat 
counterescalation is when it comes time to influencing the 
behavior of the other side. In sum, while I believe it is 
certainly a worthwhile effort to prevent the future 9/11 in 
cyberspace, similar levels of care and thought need to be given 
to how to manage a potential 9/12 in cyberspace. If not, we may 
find as with the historical 9/11 that the consequences of the 
reaction and counterreaction are far more serious than the 
consequences of the original action itself. Thank you very 
much.
    [The prepared statement of Mr. Libicki follows:]

    
    
    
    
    
    
    
    
    
    
    
    
                              ----------                              

    Mr. Rohrabacher. Thank you very much.
    Now we have heard some very thought-provoking testimony 
today, and the complications that you just outlined and the 
different levels that we have to consider and the timing of 
consideration, as I said earlier that when we had our first 
witness from the administration, things are a lot more 
complicated now than they used to be basically in terms of 
providing security for our country, but also providing a 
methodology of dealing with criminal behavior on an 
international and global scale.
    We have heard today about especially when we were talking 
originally about the Chinese military itself is engaged in 
cyber espionage and perhaps cyber attacks. Let us note that 
this is different than just having the Chinese army engaged in 
some act of aggression against an enemy or against an adversary 
of China. In this case the Chinese military is engaged in 
activity that has security implications but also economic 
implications, mainly for the leadership of China which is an 
oppressive dictatorship, a cliquism. They may be utilizing this 
apparatus to enrich themselves as well as their clique.
    We also know that this what we are talking about is cyber 
attacks, we are also talking about cyber oppression. That in 
China you have so many people who are engaged in cyber 
operations at the direction of their government, but those 
directions may not be an attack on the United States or on a 
competitor, but they also may be aimed at their own people in 
oppressing their ability to utilize the Internet for a free 
type of communication.
    So we have all of these factors coming to play. Perhaps 
what ties them all together is the fact that the United States 
has been the enabler of all of this. Whether it is positive or 
negative we have enabled this. The Internet is an invention of 
the United States of America. It has been put in place 
basically by our technologists. And on top of that, we have 
trained and continue to train people to have expertise in this 
new arena of human behavior.
    So we have a relatively new arena, the cyber arena, and we 
have indiscriminately, whether or not the people that we are 
training are representing a positive force in the world or a 
negative force in the world, we have been training them at our 
universities and educating them at the highest level of 
graduate studies into these type of scientific endeavors that 
utilize the Internet. We have been training people to go home 
and use them. For example, when we talk about Chinese military 
unit, now are we suggesting that that Chinese unit is just a 
bunch of corporals and privates, or do they have Ph.D.s in that 
unit that you have tracked down? Are there Ph.D. students that 
perhaps were trained in American universities?
    Mr. Bejtlich. Sir, we don't have any specific information 
about that sort of activity. What I will say is that we have 
seen, and this is all through open source again, documents, 
submissions to conferences by Ph.D.s who say their job is 
working for 61398. And when they submit these papers they 
didn't realize that by saying 61398 someone could later on tie 
them to that Chinese military unit. In other words, that was a 
code name that they never thought would be penetrated. So you 
can find documents on the Internet talking about different ways 
to conduct computer security, different ways to write software 
where the authors will say, I am 61398.
    Now I don't know of any case where you have tied that back 
to say well, where did this person study? Did they study at Cal 
Tech or something like that? I don't know of anyone who has 
done that sort of analysis. But clearly you have very well 
trained people. This unit was very focused on hiring English 
speakers. That was the goal of this unit. You had to speak 
English. You had to know computer security, computer science, 
and as a result they were able to take that expertise and 
target English-speaking companies.
    Mr. Rohrabacher. I would suggest, and Mr. Autry, I would 
like your opinion because you are the one who first brought up 
this issue of actual educated individuals. If you provide a 
person with the education in this arena of high technology type 
understandings of physics, et cetera, we are actually arming 
those people to do good things or bad things. And yet we are 
not paying any attention as to whether or not those students 
who we are educating in these graduate level classes, 
especially the Chinese students, are going to go back to China 
and participate in oppressing their fellow Chinese or 
threatening the well being of other countries that are 
considered adversaries by the Chinese Government. And maybe you 
could expand upon that thought.
    Mr. Autry. Yes, thank you, Chairman Rohrabacher. As a 
lecturer and a Ph.D. student at the University of California 
Irvine, I have noticed the ever-increasing predominance of 
Chinese mainland nationals in our classrooms. In the business 
school it is not unusual for the Ph.D. cohort to be fully 50 
percent mainland Chinese students. In the M.B.A. programs I 
often see a quarter of the classes mainland Chinese students. 
My understanding is that in computer science and engineering, 
classrooms with 40 percent mainland Chinese students is perhaps 
the norm.
    This should be of great concern to a nation who prides 
itself on its technological development to drive its economy 
and to make its defense second to none in the world. It is a 
great thing when we open up our schools to students from around 
the world who wish to embrace American values and learn from us 
and take them home and emulate what we have done, but I have to 
say of the Chinese cohort that I work with on a regular basis 
many of them are at best apolitical. They certainly are not 
here to embrace our ideological values, and many of them are 
openly hostile to American ideological values and see any 
criticism of the Chinese Government to be inappropriate and 
something that they don't want to see happening.
    I believe that limiting visas for students in computer 
science to countries that do not engage in cyber attacks 
against the United States is a very realistic option we should 
consider. Thank you.
    Mr. Rohrabacher. I have been aware of this problem for 
awhile, and when I have spoken to presidents of major 
universities like Stanford University, for example, I just get 
the answer that well, that is for the government to worry about 
but not for us, not in academics. Security issues should be 
handled by the Federal Government not by academics.
    I would suggest that this is, what we are talking about 
today is the equivalent of equipping a hostile power, let us 
say, 50, 60, 70 years ago, but helping to equip a hostile power 
with the ability to build a nuclear weapon. I mean if you have 
students from Germany and you say, well, we can't really make a 
decision about the nature of the regime that controls Germany, 
or Stalinist Russia, and then we equip graduate students with 
the knowledge of how to put together a nuclear weapon, that is 
an insane, suicidal, national suicidal policy, and would have 
been then and our people certainly recognize that.
    I guess it is hard today when China is presenting itself as 
our adversary wherever they can, allying themselves with the 
rotten regimes in the world and trying to make hostile 
territorial claims as well as of course their economic, what I 
consider to be economic aggression. But as we just heard that 
the cost of 9/11 was $200 billion. Is that what----
    Mr. Libicki. Yes, correct, the cost of 9/11, roughly, in 
property damage. Somewhere between----
    Mr. Rohrabacher. So the cost of 9/11 is $200 billion, but 
we also heard earlier that your report suggested that there was 
about $250 billion a year lost to cyber attacks of some kind or 
another. So what we have here is a huge issue of security that 
should consider even our major universities as to what kind of 
knowledge that they are permitting to be provided to people who 
might do us harm. And I would think and I would suggest that we 
are not now paying attention to that.
    And again, every time you hear about we are going to bring 
people in, foreign students, and it is all done in the name of 
taming a potential adversary. But if you are bringing these 
people in and they are only taking science classes or 
mathematics classes at the highest level, you are not taming 
them at all. You are just providing them with technical 
knowledge and technical know-how. Perhaps we should insist that 
we do have exchange students coming in from every country 
including China, but they have to be social science majors, and 
they have to be aimed at understanding freedom of thought and 
intersocial interaction and perhaps even economics instead of 
how to make bombs and how to destroy people through the cyber 
system.
    Let me see, some of the other questions that I had here for 
us today. So let me just say, I would like to make this 
statement for if the Chinese people are listening. I would like 
to say something directly to the Chinese people and the Chinese 
cyber intelligence personnel. Intelligence gathering among 
nations has been going on for thousands of years, and I 
understand that and everybody on this panel understands that.
    But what differs with what governments did in the past and 
what they are doing and what is being done now by the leaders 
of China and other countries, is they are using the nation's 
intelligence apparatus to enrich themselves. You have an elite 
in China using the intelligence system including the cyber 
potential to enrich themselves, yes, to to give their country 
leverage, but for the first time we see the enemy has a 
personal motive in committing this aggression and having the 
ability to do so. The elites' use of China's intelligence 
agency is like having a private corporate detective, and 
basically you can have a private detective working for you if 
you have a company, but if you are using it for a personal 
reason you are cheating your company.
    The people of China are being cheated in that the apparatus 
that has been set up to protect them is being used to enrich 
the elite, and at the same time put China into a hostile 
relationship with the United States and other free countries of 
the world. And on top of that, the elite in China are using 
this not to protect China, not to make it more prosperous, but 
also to repress their own people. And do people that work for 
the Chinese Government, do they want to be a cog in a system 
that is designed to destroy the potential for freedom of all of 
their fellow Chinese?
    The elite in China, their vanity and their desire for more 
wealth and power has led China down a wrong path, and I would 
urge those people in China, which is the vast majority, the 
people of goodwill there, to push this elite that is running 
their country that is raping their country and putting us on a 
path to conflict, to push them out of power and to reach out to 
the United States with a hand of friendship as we would reach 
out and want to reach out to them. In the cyber field this is 
vitally important.
    And what I will do is give the witnesses each 1 minute more 
to comment and then we will probably close the hearing. We will 
start at this end because you had to wait for a long time to 
start, so go right ahead.
    Mr. Libicki. I think we need a better understanding of the 
impact of Chinese economically motivated cyber espionage on the 
United States' economy. We hear a lot of numbers being thrown 
around. We don't really know how they are derived or how 
consistent they are with how we know economics works.
    We are fairly confident that terabytes of data go from the 
United States and end up in China. We have very little 
visibility about what happens when they go to China and 
supposedly go to people who can make use of them. So I would 
suggest, in fact, that it is an important issue, because just 
to throw random numbers around here, if it is a trillion-dollar 
problem we treat it one way, if it is a billion-dollar problem 
we treat it another way. Our relationship with China is 
extremely complicated, has many facets, and it is useful for us 
to get our priorities correct, and that kind of information 
will help do so.
    Mr. Rohrabacher. Mr. Mazza?
    Mr. Mazza. Thank you, Mr. Chairman. In my remarks today and 
others have cited this as well, that what is really needed is 
sort of a, I guess a whole-of-government approach you could 
call it, really using all of the arms of American power to 
achieve our ends. But I think it can't be understated how 
important the U.S. military is in this effort. As we heard, the 
PLA is playing a very direct role both in the commercial 
espionage as well as the more traditional in military 
activities, and a military response is needed. We need to 
consider whether or not that needs to be purely cyber in the 
future or not, and what options we will have in the event of 
conflict to put a stop to cyber activities emanating from 
China.
    Mr. Rohrabacher. Mr. Autry?
    Mr. Autry. I concur that it would be great to know more 
about this, but I think that we know enough already in that 
there is hundreds of billions of dollars in damage, which means 
thousands if not millions of American jobs, and consequently, 
American lives lost in this issue. It is not our burden of 
responsibility to prove exactly what the damages is, but it is 
our responsibility to stop this hostile and overt action by the 
Chinese military against the United States of America.
    Mr. Rohrabacher. Mr. Bejtlich?
    Mr. Bejtlich. One of the key elements of our report was the 
finding that this particular group was, on average, present 
inside Western companies for a year before anyone was able to 
find them. There are some cases that stretch up to 5 years. I 
would encourage, when Congress is considering legislation, to 
go beyond just the idea of continuous monitoring. That is a 
term that means essentially checking baselines, looking for 
configuration flaws, and instead go to a more operational model 
where you are looking for intruders on your network.
    You need to have teams of people equipped with the sort of 
privacy-friendly intelligence that is in the Mandiant report, 
using that information, looking for intruders on the network 
and then dealing with them once you find them. It is not enough 
to just be patching your flaws, to have good software. The 
intruders will find a way in. You have to be out there looking 
for them in order to succeed. Thank you.
    Mr. Rohrabacher. And so let me finish it off with it is not 
enough to know that we are willing to go out and find those 
people who are hacking the system, whether it is an organized 
group out of China that represents a government aggression upon 
the other nations and other people or whether it is just 
individual hackers or criminals around the world who are 
engaged in trying to get into people's bank accounts and take 
money or in some way to mess with the system.
    So it is all of these elements, but identifying them is not 
just, we have to also understand what we are going to do in 
response. And I will have to say that so far especially from 
our first witness who is not here to make a further comment 
although I would give him that opportunity now, but I am sure 
that he is doing his job but I don't believe that the United 
States Government is doing its job in making sure that we are 
prepared to deal with a threat as expansive as this threat, 
which is going to get even worse and worse as we become more 
and more dependent on this cyber world for us to remain an 
effective society and a safe society. But at this point I have 
not heard what we will do once we find out all of that 
information.
    Now we know there is a building and we know there is 
People's Liberation Army people in the building and we know 
that that is the source of cyber attacks or cyber oppression 
coming out of that building, so what are we going to do about 
it? Well, I think it has got to be more than well, we are just 
going to--what was the wording we had earlier about raising, 
basically raising the level of rhetoric. And I would suggest 
that raising the level of rhetoric does not mean anything to 
bullies and gangsters. And if you are dealing with bullies and 
gangsters there has got to be some form of retaliation. And we 
have not had any examples of what we can actually do, except 
Mr. Autry, I think, explained something about we can determine 
what the price tag is and maybe put a tariff on goods coming in 
from China or other countries.
    But remember what happened today. What happened today was 
we thought that South Korea, which has been attacked, their 
banking system and other parts of their economy have been 
attacked, today identified not North Korea but China as the 
aggressor in this situation. So you may have China hiding 
behind North Korea, which it has done in many cases, or various 
groups hiding and portraying themselves actually as these 
attacks are coming from someone else.
    Well, we need to know. It is getting more complicated. It 
is not going to get less complicated. But one thing is for 
sure, our Government is not prepared to deal with this threat. 
We are unprepared. And when something happens, if it is of a 
huge magnitude or someone fiddles with the air traffic control 
system or the grid, as Steve Stockman mentioned, even the oil 
industry now they could hack into that and screw up our entire 
production of energy, of oil and gas. If something big like 
this happens and if it is a well thought out plan, if a small 
group of fanatics can organize an effort that caused $200 
billion of damage on 9/11, one can imagine that a country run 
by a criminal element could do even more damage.
    So we are not prepared to meet this threat. We need to have 
more discussions like this. I want to make sure that all of you 
that we keep in touch, because we will have another hearing 
like this probably in about 6 months to 1 year to see if we 
have made any progress in that 6 months. And I will be asking 
you to tell me what you have seen if, there has been any 
progress made.
    With that said I would like to thank the witnesses and 
thank my staff. I appreciate that Mr. Keating, the ranking 
member, had an Appropriations hearing that he had to go to, but 
his participation earlier was much appreciated. So thank you 
all very much and this hearing is adjourned.
    [Whereupon, at 11:37 a.m, the subcommittee was adjourned.]
                                     

                                     

                            A P P E N D I X

                              ----------                              


     Material Submitted for the Hearing RecordNotice deg.




               \\ts\