[Senate Hearing 114-398]
[From the U.S. Government Publishing Office]
S. Hrg. 114-398
UNITED STATES CYBERSECURITY POLICY AND THREATS
=======================================================================
HEARING
before the
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 29, 2015
__________
Printed for the use of the Committee on Armed Services
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.fdsys.gov/
______
U.S. GOVERNMENT PUBLISHING OFFICE
22-270 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON ARMED SERVICES
JOHN McCAIN, Arizona, Chairman
JAMES M. INHOFE, Oklahoma JACK REED, Rhode Island
JEFF SESSIONS, Alabama BILL NELSON, Florida
ROGER F. WICKER, Mississippi CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire JOE MANCHIN III, West Virginia
DEB FISCHER, Nebraska JEANNE SHAHEEN, New Hampshire
TOM COTTON, Arkansas KIRSTEN E. GILLIBRAND, New York
MIKE ROUNDS, South Dakota RICHARD BLUMENTHAL, Connecticut
JONI ERNST, Iowa JOE DONNELLY, Indiana
THOM TILLIS, North Carolina MAZIE K. HIRONO, Hawaii
DAN SULLIVAN, Alaska TIM KAINE, Virginia
MIKE LEE, Utah ANGUS S. KING, JR., Maine
LINDSEY GRAHAM, South Carolina MARTIN HEINRICH, New Mexico
TED CRUZ, Texas
Christian D. Brose, Staff Director
Elizabeth L. King, Minority Staff Director
(ii)
C O N T E N T S
__________
september 29, 2015
Page
United States Cybersecurity Policy and Threats................... 1
Clapper, Hon. James R., Director of National Intelligence........ 5
Work, Hon. Robert O., Deputy Secretary of Defense................ 16
Rogers, Admiral Michael S., USN, Commander, U.S. Cyber Command;
Director, National Security Agency; Chief, Central Security
Services....................................................... 23
Questions for the Record......................................... 61
(iii)
UNITED STATES CYBERSECURITY POLICY AND THREATS
----------
TUESDAY, SEPTEMBER 29, 2015
U.S. Senate,
Committee on Armed Services,
Washington, DC.
The committee met, pursuant to notice, at 9:30 a.m. in Room
SD-G50, Dirksen Senate Office Building, Senator John McCain
(chairman) presiding.
Committee Members Present: Senators McCain, Inhofe,
Sessions, Wicker, Ayotte, Fischer, Cotton, Rounds, Ernst,
Tillis, Sullivan, Lee, Reed, Nelson, McCaskill, Manchin,
Gillibrand, Donnelly, Hirono, Kaine, King, and Heinrich.
OPENING STATEMENT OF SENATOR JOHN McCAIN, CHAIRMAN
Chairman McCain. Good morning. The committee meets today to
receive testimony from Deputy Security of Defense Robert Work,
Director of National Intelligence James Clapper, and Admiral
Mike Rogers, the Commander of U.S. Cyber Command, Director of
the National Security Agency, and Chief of the Central Security
Service. We thank each of the witnesses for their service and
for appearing before the committee.
We meet at a critical time for the defense of our Nation
from cyberattacks. In just the past year, we all know the
United States has been attacked by cyberspace--in cyberspace by
Iran, North Korea, China, and Russia. Indeed, since our last
cyber hearing in March, the attacks have only increased,
crippling or severely disrupting networks across the government
and private sector, and compromising sensitive national
security information.
Recent attacks against the Joint Chiefs of Staff, the
Pentagon, and the Office of Personnel Management are just the
latest examples of the growing boldness of our adversaries in
their desire to push the limits of acceptable behavior in
cyberspace. New intrusions, breaches, and hacks are occurring
daily. The trends are getting worse. But, it seems the
administration has still not mounted an adequate response. They
say they will, quote, ``respond at the time and manner of our
choosing,'' unquote, but then either take no action or pursue
largely symbolic responses that have zero impact on our
adversaries' behavior.
Not surprisingly, the attacks continue, our adversaries
steal, delete, and manipulate our data at will, gaining a
competitive economic edge and improving their military
capability. They demonstrate their own means to attack our
critical infrastructure. And they do all of this at a time and
manner of their choosing. More and more, they are even leaving
behind what Admiral Rogers recently referred to as, quote,
``cyber fingerprints,'' showing that they feel confident that
they can attack us with impunity and without significant
consequences.
Just consider the recent case with China. After much hand-
wringing, it appears the President will not impose sanctions in
response to China's efforts to steal intellectual property,
pillage the designs of our critical weapon systems, and wage
economic espionage against U.S. companies. Instead, last week's
state visit for the President of China simply amounted to more
vague commitments not to conduct or knowingly support cyber-
enabled theft of intellectual property.
What's worse, the White House has chosen to reward China
with diplomatic discussions about establishing norms of
behavior that are favorable to both China and Russia. Any
internationally agreed-upon rules of the road in cyberspace
must explicitly recognize the right of self- defense, as
contained in Article 51 of the U.N. Charter, along with
meaningful human rights and intellectual property rights
protections. The administration should not concede this point
to autocratic regimes that seek to distort core principles of
the international order, to our detriment.
Make no mistake, we are not winning the fight in
cyberspace. Our adversaries view our response to malicious
cyberactivity as timid and ineffectual. Put simply, the problem
is a lack of deterrence. As Admiral Rogers has previously
testified, the administration has not demonstrated to our
adversaries that the consequences of continued cyberattacks
against us outweigh the benefit. Until this happens, the
attacks will continue, and our national security interests will
suffer.
Establishing cyberdeterrence requires a strategy to defend,
deter, and aggressively respond to the challenges to our
national security in cyberspace. That is exactly what the
Congress required in the Fiscal Year 2014 National Defense
Authorization Act. That strategy is now over a year late, and
counting. And, while the Department of Defense's 2015
cyberstrategy is a big improvement over previous such efforts,
it still does not integrate the ends, ways, and means to deter
attacks in cyberspace.
Establishing of cyberdeterrence also requires robust
capabilities, both offensive and defensive, that can pose a
credible threat to our adversaries, a goal on which the
Congress, and specifically this committee, remains actively
engaged.
The good news here is that significant progress has been
made over the past few years in developing our cyberforce. That
force will conclude--will include a mix of professionals
trained to defend the Nation against cyberattacks, to support
the geographic combatant commands in meeting their objectives,
and to defend DOD networks. This is good. But, the vast
majority of our DOD resources have gone toward shoring up our
cyberdefenses. Far more needs to be done to develop the
necessary capabilities to deter attacks, fight, and win in
cyberspace. Policy indecision should not become an impediment
to capability development.
We do not develop weapons because we want to use them. We
develop them so as we do not have to. And yet, in the
cyberdomain, as Admiral Rogers testified in March, quote,
``We're at a tipping point.'' He said, quote, ``We've got to
broaden our capabilities to provide policymakers and
operational commanders with a broader range of options.'' We
must invest more in the offensive capabilities that our
cybermission teams need to win on the cyber battlefield. The
fiscal year 2016 NDAA [National Defense Authorization Act]
seeks to address this challenge in a number of ways, including
a pilot program to provide the Commander of Cyber Command with
limited rapid acquisition authorities.
Finally, we know the Defense Department is in the process
of assessing whether the existing combatant command structure
adequately addresses the mission of cyberwarfare, and whether
to elevate Cyber Command to a unified command. There are
worthwhile arguments on both sides of this debate. I look
forward to hearing Admiral Rogers' views on this question and
his assessment of how an elevation of Cyber Command might
enhance our overall cyberdefense posture.
I also look forward to hearing from our witnesses what, if
any, progress has been made on addressing disagreements within
the interagency on the delegation and exercise of authority to
use cyber capabilities.
I thank the witnesses again for appearing before the
committee. I look forward to their testimony.
Senator Reed.
STATEMENT OF SENATOR JACK REED
Senator Reed. Thank you very much, Mr. Chairman. And let me
commend you for scheduling this very important hearing. It's an
appropriate to discuss a number of important cyber issues with
our witnesses, especially in light of the cyber agreements
announced last Friday between President Obama and the President
of China.
I want to thank Director Clapper, Deputy Security Work, and
Cyber Command Commander Admiral Rogers for their testimony
today and for their service to the Nation. Thank you,
gentlemen, very much.
Let me start with a series of cyber agreements with China.
The apparent commitment by China to cease stealing United
States intellectual property for their economic gain is
notable. And I expect we will have a robust discussion about
China's compliance and our course of action if it does not.
China's leaders must be aware that its reputation and standing
in the eyes of the American people will continue to decline if
this piracy does not stop, which ultimately will have a
tremendously negative impact on our relations with China.
I would also emphasize potential importance of China
embracing a set of international norms in cyberspace developed
by the United Nations which includes a commitment to refrain
from attacks on other nations' critical infrastructure.
Next, I would highlight that we are facing the recurring
issue of whether or when to elevate Cyber Command from a sub-
unified command to a full unified command, and whether to
sustain the current dual-hat arrangement under which the
Commander of Cyber Command also serves as the Director of the
NSA [National Security Agency]. I understand that the
Department may be nearing a recommendation to the President
that the next unified command plan elevate Cyber Command to a
unified command.
The committee, in the past, has questioned whether Cyber
Command is mature enough to warrant elevation to a unified
command, and whether the dual-hat arrangement should continue
when a decision is made to elevate the Command. Put simply, if
Cyber Command is so reliant on NSA that common leadership is
still necessary, is the Command ready to stand on its own as a
unified combatant command? This is an issue that Senator McCain
has drawn attention to, and it's something that I think is very
critical, going forward, for this committee.
Directly related to that question of the maturity of Cyber
Command is the status of the military cyber mission units that
the Department only began fielding over the last 2 years.
Commendably, the Department is meeting its schedule for
standing up these units with trained personnel; but, by its own
admission, the equipment, tools, and capabilities of these
forces will remain limited. Indeed, the committee's proposed
FY16 National Defense Authorization Act includes a mandate that
the Secretary of Defense designate executive agents from among
the services to build a so-called ``unified platform,''
persistent training environment, and command-and-control
systems that are necessary for these forces to operate
effectively. It will take a number of years to build these--
capability.
We are behind in developing these military capabilities for
our cyber forces because the Defense Department was persuaded
that the systems and capabilities that NSA already has would be
adequate and appropriate for use by Cyber Command. This is an
important example of an assumed critical dependency on NSA and
an assumed commonality between intelligence operations and
military operations in cyberspace that, in some cases, has
turned out to be inaccurate.
For a number of years, this committee has been urging the
executive branch to work diligently to identify all practical
methods to deter malicious actions in cyberspace and to
articulate a strategy for implementing them. Some believe that
retaliation in kind in cyberspace is a necessary and effective
component of such a strategy. I look forward to hearing the
views of our witnesses on this matter.
As my colleagues and our witnesses are well aware, the
Senate went into recess for the August break having reached an
agreement for bringing the cyber information-sharing bill to
the floor for debate. I know the Chairman is in full agreement
on the need to debate, amend, and pass that legislation this
year in the interest of national security, and so am I.
We must also recognize the Defense Department and
intelligence community are not operating alone to protect
America's cyber infrastructure, most notably rely on the
Department of Homeland Security for protection of America's
critical infrastructure. The use of overseas contingency
operations funding to avoid the Budget Control Act caps in
defense does nothing to help the DHS [Department of Homeland
Security] or other nondefense partners avoid the effects of
sequestration. This is yet another argument for why we need a
comprehensive solution to the problem of sequestration.
Finally, I think it is important that we hear from our
witnesses on the subject of encryption. Post-Snowden, U.S.
technology companies fearful of losing business at home and
abroad are encrypting communications and offering encryption
services for which even the companies themselves have no
technical capability to unlock. FBI Director Comey has given
multiple speeches warning the law enforcement agencies and
intelligence agencies that they will be going dark, with
serious consequences for public safety and national security.
These and other questions, gentlemen, are vitally
important. And I look forward to your testimony.
Chairman McCain. I thank the witnesses.
Director Clapper, I've tried to impress on members of this
committee to show deference to old age, and so we'd like to
begin with you.
STATEMENT OF HON. JAMES R. CLAPPER, DIRECTOR OF NATIONAL
INTELLIGENCE
Director Clapper. Chairman McCain, Ranking Member Reed,
members of the committee, when I testified on the intelligence
community's worldwide threat assessment at the end of February,
cyberthreats again led our annual threat report for the third
year in a row. We're here today to respond to the several
requests in your invitation letter, and I will focus on an
overview of cyberthreats, briefly, that face our Nation, and
their attendant national security implications. And then
Secretary Work, Admiral Rogers will follow, as well.
We will, as you understand, perhaps run into some
classified aspects that we won't be able to discuss as fully in
this open televised hearing.
I do want to take note of and thank the members of the
committee who are engaged on this issue and have spoken to it
publicly, as the two of you just have.
So, by way of overview, cyberthreats to the U.S. national
and economic security are increasing in frequency, scale,
sophistication, and severity of impact. Although we must be
prepared for a large, Armageddon-scale strike that would
debilitate the entire U.S. infrastructure, that is not, we
believe, the most likely scenario. Our primary concern now is
low- to moderate-level cyberattacks from a variety of sources
which will continue and probably expand. This imposes
increasing costs to our business, to U.S. economic
competitiveness, and to national security.
Because of our heavy dependence on the Internet, nearly all
information, communication technologies, and IT networks and
systems will be perpetually at risk. These weaknesses provide
an array of possibilities for nefarious activity by cyberthreat
actors, including remote hacking instructions, supply-chain
operations to insert compromised hardware or software,
malicious actions by insiders, and simple human mistakes by
system users.
These cyberthreats come from a range of actors, including
nation-states, which fall into two broad categories, those with
highly sophisticated cyberprograms, most notably Russia and
China, are our peer competitors, and those with lesser
technical capabilities, but more nefarious intent, such as Iran
and North Korea, who are also more--but who are also much more
aggressive and unpredictable. Then there are non-nation-state
entities--criminals motivated by profit, hackers or extremists
motivated by ideology.
Profit-motivated cybercriminals rely on loosely networked
online marketplaces, often referred to as the ``cyber
underground'' or ``dark web,'' that provide a forum for the
merchandising of illicit tools, services, and infrastructure
and stolen personal information and financial data. The most
significant financial cybercriminal threats to U.S. entities
and our international partners come from a relatively small
subset of actors, facilitators, and criminal forums.
And terrorist groups will continue to experiment with
hacking, which could serve as the foundation for developing
more advanced capabilities.
Cyber espionage criminal and terrorist entities all
undermine data confidentiality. Denial-of-service operations
and data-deletion attacks undermine availability. And, in the
future, I think we'll see more cyberoperations that will change
or manipulate electronic information to compromise its
integrity. In other words, compromise its accuracy and
reliability instead of deleting it or disrupting access to it.
As illustrated so dramatically with the OPM [Office of
Personnel Management] breaches, counterintelligence risks are
inherent when foreign intelligence agencies obtain access to an
individual's identity information--of course, a problem that
the Department of Defense has encountered. Foreign intelligence
agencies or nonstate entities could target the individual,
family members, coworkers, and neighbors, using a variety of
physical and electronic methods, for extortion or recruiting
purposes.
And speaking of the OPM breaches, let me say a couple of
words about attribution. It is not a simple process, involves
at least three related but distinct determinations: the
geographic point of origin, the identity of the actual
perpetrator doing the keystrokes, and the responsibility for
directing the act. In the case of OPM, we have differing
degrees of confidence in our assessment of the actual
responsibility for each of these three elements.
Such malicious cyberactivity will continue and probably
accelerate until we establish and demonstrate the capability to
deter malicious state-sponsored cyberactivity. And establishing
a credible deterrent depends on reaching agreement on norms of
cyberbehavior by the international community.
So, in summary, the cyberthreats to U.S. national and
economic security have become increasingly diverse,
sophisticated, and harmful. There are a variety of Federal
entities that work the cyber problem in DHS, FBI, NSA, and
other law enforcement, intelligence, and sector-specific
agencies, like Treasury and Energy. Every day, each of these
centers and entities get better at what they do individually. I
believe now we've reached the point where we think it's time to
knit together all the intelligence these separate activities
need to defend our networks, because, while these entities may
be defending different networks, they are often defending
against the same threats. So, that's one reason the President
directed me to form a small center to integrate cyberthreat
intelligence. And I strongly believe the time's come for the
creation of such a center to parallel the centers that we
operate for counterterrorism, counterproliferation, and
counterintelligence and security.
With that, let me turn to Deputy Security Work.
[The prepared statement of Director Clapper follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
STATEMENT OF HON. ROBERT O. WORK, DEPUTY SECRETARY OF DEFENSE
Mr. Work. Chairman McCain, Ranking Member Reed,
distinguished members of the committee, thank you very much for
inviting us here this morning to talk about the threats of
cyber. This committee has led the way in discussing the threats
and the response to these threats, and the Department looks
forward to working with the committee to get better in this
regard.
As the DNI [Director of National Intelligence] Clapper has
said, cyberintrusions and attacks by both state and nonstate
actors have increased dramatically in recent years, and
particularly troubling are the increased frequency and scale of
state-sponsored cyberactors breaching U.S. Government and
business networks. These adversaries continually adapt and
evolve in response to our cyber countermeasures, threatening
our networks and systems of the Department of Defense, our
Nations' critical infrastructure, and U.S. companies and
interests globally.
The recent spate of cyberevents, to include the intrusions
into OPM, the attacks on Sony, and the Joint Staff networks by
three separate state actors, is not just espionage of
convenience, but a threat to our national security. As one of
our responses to this growing threat, we released, in 2015, the
DOD [Department of Defense] Cyber Strategy, which will guide
the development of our cyberforces and strengthen our
cybersecurity and cyberdeterrence posture. That is its aim.
The Department is pushing hard to achieve the Department's
three core missions as defined in the strategy. The first and
absolutely most important mission is to defend DOD network
systems and information. Secretary Carter has made this the
number-one priority in the Department, and we are really
getting after it now. Second, to defend the Nation against
cyberevents of significant consequence. And third, to provide
cybersupport to operational and contingency plans. And, in this
regard, the U.S. Cyber Command may be directed to conduct
cyberoperations, in coordination with other government
agencies, as appropriate, to deter or defeat strategic threats
in other domains.
Now, my submitted statement, Mr. Chairman, contains
additional detail on how we're moving out to achieve these
three strategic goals, but I'd like to highlight the particular
focus on deterrence, especially since I know this is key in the
minds of most of the members here.
I want to up--acknowledge, up front, that the Secretary and
I recognize that we are not where we need to be in our
deterrent posture. We do believe that there are some things the
Department is doing that are working, but we need to improve in
this area, without question. And that's why we've revised our
cyberstrategy.
Deterrence is a function of perception. It works by
convincing any potential adversary that the costs of conducting
the attack far outweigh any potential benefits. And therefore,
our three main pillars of our cyberdeterrence strategy, in
terms of deterrence, are denial, resilience, and cost
imposition. Denial means preventing the cyberadversary from
achieving the--his objectives. Resilience is ensuring that our
systems will continue to perform their essential military
tasks, even when they are contested in the cyber environment.
And cost imposition is our ability to make our adversaries pay
a much higher price for their malicious activities than they
hoped for.
I'd like to briefly discuss these three elements:
To deny the attacker the ability to adversely impact our
military missions, we have to better defend our own information
networks and data. And we think the investments we have made in
these capabilities are starting to bear fruit. But, we
recognize that technical upgrades are only part of the
solution. Nearly every single one of the successful network
exploitations that we have had to deal with can be traced to
one or more human errors which allowed entry into our network.
So, raising the level of individual cybersecurity awareness and
performance is absolutely paramount. Accordingly, we're working
to transform our cybersecurity culture, something that we
ignored for a long time, by--the long term, by improving human
performance and accountability in this regard.
As part of this effort, we have just recently published a
cybersecurity discipline implementation plan and a scorecard
that is brought before the Secretary and me every month. And
they are critical to achieving this goal of securing our data
and our networks and mitigating risk to DOD missions. This
scorecard holds commanders accountable for hardening and
protecting their end points and critical systems, and also have
them hold accountable their personnel, and directs, as I said,
the compliance reporting to the Secretary and me on a monthly
basis. The first scorecard was published in August of this
year, and it is being added to and improved as we go.
Denial also means defending the Nation against cyberthreats
of significant consequence. The President has directed DOD,
working in partnership with our other agencies, to be prepared
to blunt and stop the most dangerous cyberevents. There may be
times where the President and the Secretary of Defense directs
DOD and others to conduct a defensive cyberoperation to stop a
cyberattack from impacting our national interests, and that
means building and maintaining the capabilities to do that--
just that.
This is a challenging mission requiring high-end
capabilities and extremely high-trained teams. We're building
our cyber mission force and deepening our partnership with law
enforcement and the intelligence community to do that.
The second principle is improving resiliency by reducing
the ability of our adversaries to attack us through cyberspace
and protecting our ability to execute missions in a degraded
cyber environment. Our adversaries' view DOD cyber dependency
as a potential wartime vulnerability. Therefore, we view our
ability to fight through cyberattacks as a critical mission
function. That means normalizing cybersecurity as part of our
mission assurance efforts, building redundancy whenever our
systems are vulnerable, training constantly to operate in a
contested cyber environment. Our adversaries have to see that
these cyberattacks will not provide them a significant
operational advantage.
And the third aspect of deterrence is having the
demonstrated capability to respond, through cyber or noncyber
means, to impose costs on a potential adversary. The
administration has made clear that we will respond to
cyberattacks in a time, manner, and place of our choosing. And
the Department has developed cyber options to hold aggressor at
risk in cyberspace, if required.
Successfully executing our missions requires a whole- of-
government and whole-of-nation approach. And, for that reason,
DOD continues to work with our partners and the other Federal
departments and agencies and the private sector and our
partners around the world to address the shared challenges we
face.
Secretary Carter has placed particular emphasis on
partnering with the private sector. The Department doesn't have
all of the answers and is working with industry. We think it
will be very, very critical.
Finally, our relationship with Congress is absolutely
critical. The Secretary and I very much appreciate the support
provided to DOD cyberactivities throughout, from the very
beginning, and we understand, and we are looking forward to the
National Defense Authorization Act to see if there are other
improvements that we have--we can do.
I encourage continued efforts to pass legislation on
cybersecurity information-sharing--we think that is absolutely
critical--data breach notification, and law enforcement
provisions related to cybersecurity, which were included in the
President's legislative proposal submitted earlier this year.
I know you agree that the American people expects us to
defend the country against cyberthreats of significant
consequence. The Secretary and I look forward to working with
this committee and Congress to ensure we take every step
possible to confront the substantial risks we face in the cyber
realm.
Thank you again for inviting us here today and giving the
attention that you have always given to this urgent matter.
I'd like to pass it off now to Admiral Rogers, if that's
okay, Mr. Chairman.
[The prepared statement of Mr. Work follows:]
Prepared Statement by Robert O. Work
Chairman McCain, Ranking Member Reed, and members of the Committee,
thank you for inviting me to discuss Department of Defense (DOD)
efforts in cyberspace. The Department of Defense is currently
implementing the DOD Cyber Strategy, published in April 2015, to
improve our Nation's capabilities to conduct cyberspace operations and
deter potential adversaries from engaging in malicious cyber activity
against the United States.
cybersecurity risks to dod networks and infrastructure
Cyber intrusions and attacks have increased dramatically over the
last decade, exposing sensitive personal and business information,
disrupting government and business activities, and imposing significant
costs to the U.S. economy. State and non-state actors are conducting
cyber operations, expanding their capabilities and targeting the public
and private networks of the United States, our allies, and partners.
These cyber threats continue to increase and evolve, posing greater
risks to the networks and systems of the Department of Defense, our
Nation's critical infrastructure, and U.S. companies and interests
globally.
External actors probe and scan DOD networks for vulnerabilities
millions of times each day and foreign intelligence agencies
continually attempt to infiltrate DOD networks. Unfortunately, some
incursions--by both state and non-state entities--have succeeded. The
intrusion into the Office of Personnel Management security clearance
systems compromised the personal information of millions of U.S.
Government employees, their families, and their associates. In recent
years, there have been several notable cyber intrusions on DOD
networks, to include the Joint Staff intrusion, and interception of DOD
data not residing on DOD networks, e.g. the TRANSCOM and OPM
intrusions.
Cyberattacks also pose a serious risk to networks and systems of
critical infrastructure. The Department of Defense relies on U.S.
critical infrastructure, as well as the critical infrastructure of our
international partners, to perform its current and future missions.
Intrusions into that infrastructure may provide access for malicious
cyber actors who wish to disrupt critical systems in a time of crisis.
Because of the potentially severe consequences, DOD is working with our
partners in the interagency, private sector, and international
community to ensure these systems are better protected and more
resilient.
At DOD we are also increasingly concerned about the cyber threat to
companies in our Defense Industrial Base. We have seen an unacceptable
loss of intellectual property and sensitive DOD information that
resides on or transits Defense Industrial Base unclassified systems.
This loss of key intellectual property has the potential to damage our
national security as well as impede economic growth by eroding U.S.
technical superiority.
cyber threats
Malicious actors are also targeting U.S. companies. At the end of
last year, North Korean actors attacked Sony Pictures Entertainment in
the most destructive cyberattack against a U.S. company to date. North
Korea destroyed many of Sony's computer systems, released personal and
proprietary information on the Internet, and subsequently threatened
physical violence in retaliation for releasing a film of which the
regime disapproves. The President stated that the United States will
pursue an appropriate response to the incident--which he said would be
reserved for a time, place, and manner of his choosing. To date the
United States has publicly attributed the attack to the North Korean
government, and in January 2015 the President signed new sanctions
Executive Order in response to North Korea's provocative,
destabilizing, and repressive actions and policies.
North Korea isn't our only adversary that has engaged in
cyberattacks. Iran has also conducted cyberattacks against private
sector targets to support its economic and foreign policy objectives,
at times concurrent with political crises. Iranian actors have been
implicated in the 2012-13 DDOS attacks against US financial
institutions and in the February 2014 cyberattack on the Las Vegas
Sands casino company. Iran very likely views its cyber program as one
of many tools for carrying out asymmetric but proportional retaliation
against political foes, as well as a sophisticated means of collecting
intelligence.
Chinese cyber espionage continues to target a broad spectrum of US
interests, ranging from national security information to sensitive
economic data and US intellectual property. Although China is an
advanced cyber actor in terms of capabilities, Chinese hackers are
often able to gain access to their targets without having to resort to
using advanced capabilities. Improved US cybersecurity would complicate
Chinese cyber espionage activities by addressing the less sophisticated
threats, and raising the cost and risk if China persists.
Russia's Ministry of Defense is establishing its own cyber command,
which--according to senior Russian military officials--will be
responsible for conducting offensive cyber activities, including
propaganda operations and inserting malware into enemy command and
control systems. Russia's armed forces are also establishing a
specialized branch for computer network operations. Computer security
studies assert that Russian cyber actors are developing means to
remotely access industrial control systems (ICS) used to manage
critical infrastructures. Unknown Russian actors successfully
compromised the product supply chains of at least three ICS vendors so
that customers downloaded malicious software (malware) designed to
facilitate exploitation directly from the vendors' websites along with
legitimate software updates, according to private sector cyber security
experts.
Non-state actors also continue to be very active in conducting
malicious cyber activities. Terrorist groups, including ISIL,
experiment with hacking which could serve as the foundation for
developing more advanced capabilities. Terrorist sympathizers conduct
low level cyberattacks on behalf of terrorist groups and attract
attention of the media, which might exaggerate the capabilities and
threat posed by these actors. With respect to ISIL, since last summer,
the group began executing a highly strategic social media campaign
using a diverse array of platforms and thousands of online supporters
around the globe.
Profit motivated cyber criminals continue to successfully
compromise the networks of retail businesses and financial institutions
in order to collect financial information, biographical data, home
addresses, email addresses, and medical records that serve as the
building blocks to criminal operations that facilitate identity theft
and fraud. These criminals rely on loosely networked online
marketplaces, often referred to as the cyber underground, that provide
a forum for the merchandising of illicit tools, vulnerabilities,
services, infrastructure, stolen personal identifying information, and
financial data.
The combination of these diverse cyber threats results in a complex
and challenging threat environment. To conduct a disruptive or
destructive cyber operation against a military or industrial control
system requires expertise, but a potential adversary need not spend
millions of dollars to develop an offensive capability. A nation-state,
non-state group, or individual actor can purchase destructive malware
and other capabilities through the online marketplaces created by cyber
criminals, or through other black markets. As cyber capabilities become
more readily available over time, the Department of Defense assesses
that state and non-state actors will continue to seek and develop
malicious cyber capabilities to use against U.S. interests.
dod's cyber strategy
In response to the growing cybersecurity threats and to guide the
Department's efforts to defend our Nation against cyberattacks of
significant consequence, we developed the 2015 DOD Cyber Strategy. Our
new cyber strategy, the Department's second, guides the development of
DOD's cyber forces and strengthens our cybersecurity and cyber
deterrence posture.
The strategy focuses on building cyber capabilities and
organizations for DOD's three primary cyber missions: to defend DOD
networks, systems, and information; defend the Nation against
cyberattacks of significant consequence; and provide cyber support to
operational and contingency plans. To accomplish these missions, the
strategy sets five strategic goals:
1. Build and maintain ready forces and capabilities to conduct
cyberspace operations;
2. Defend the DOD information network, secure DOD data, and
mitigate risks to DOD missions;
3. Be prepared to defend the U.S. homeland and U.S. vital
interests from disruptive or destructive cyberattacks of significant
consequence;
4. Build and maintain viable cyber options and plan to use those
options to control conflict escalation and to shape the conflict
environment at all stages; and,
5. Build and maintain robust international alliances and
partnerships to deter shared threats and increase international
security and stability.
In support of these goals, we are building the Cyber Mission Force,
training it to conduct full-spectrum cyberspace operations, and
equipping it with the tools and infrastructure it needs to succeed.
This force is composed of four types of teams: 68 Cyber Protection
Teams to defend priority DOD networks and systems against significant
threats; 13 National Mission Teams to defend the United States and its
interests against cyberattacks of significant consequence; 27 Combat
Mission Teams to provide support to Combatant Commands by generating
integrated cyberspace effects in support of operational plans and
contingency operations; and 25 Support Teams to provide analytic and
planning support to the National Mission and Combat Mission Teams. Once
fully manned, trained, and equipped in Fiscal Year 2018, these 133
teams will execute DOD's three primary missions with nearly 6,200
military and civilian personnel. However, many of these developing
teams are already adding significant cyberspace capabilities to DOD
now, as they actively conduct critical ongoing missions while building
their operational capacity.
As we continue to strengthen the Cyber Mission Force, we recognize
the need to incorporate the strengths and skills inherent within our
Reserve and National Guard forces. Each Service, therefore, has
developed Reserve Component integration strategies that provide a total
force cyber capability and leverage the Reserve and National Guard
strengths from their experience in the private sector. Up to 2,000
Reserve and National Guard personnel will also support the Cyber
Mission Force by allowing DOD to surge cyber forces in a crisis.
As Secretary Carter has stated, the development of a cadre of cyber
experts--both in and out of uniform--is essential to the future
effectiveness of U.S. cyber capabilities, and we are committed to
ensuring that the workforce for the cyber domain is world class. To
that end, we must develop and retain a workforce of highly skilled
cybersecurity specialists with a range of operational and intelligence
skill sets. This cyber workforce must include the most talented experts
in both the uniformed and civilian workforce, as well as a close
partnership with the private sector.
The Department is taking a hard look at barriers and challenges to
recruitment, retention, employment, compensation, promotion, and career
progression for DOD's cyberspace workforce. We are developing
recommendations that could provide the Department, USCYBERCOM, and the
Service Cyber Components with the workforce management authorities and
flexibilities that would strongly enable the successful execution of
their cyberspace missions and responsibilities. Section 1104 of the
National Defense Authorization Act currently under conference is a
vitally important step to help DOD attract, hire, and retain a world
class cyber workforce.
The Department is aggressively implementing our Cyber Strategy
across all three missions and five goals. We have developed detailed
outcomes, milestones, timelines, and metrics for each objective in the
DOD Cyber Strategy. Additionally, in accordance with Section 932 of the
Fiscal Year 2014 National Defense Authorization Act, we have
established a cross-functional, interdepartmental team to support the
Principal Cyber Advisor to oversee its execution, coordinating with all
DOD stakeholders, and proactively addressing potential obstacles. As we
implement the strategy, we are also taking a number of steps to improve
budgeting and accounting for the Cyber Mission Force across the
Department and appreciate your continued support on these issues.
deterrence
Deterrence is a key mission for the Cyber Mission Force in the new
DOD Cyber Strategy. Deterrence is a function of perception; it works by
convincing a potential adversary that the costs of conducting an attack
outweigh any potential benefits. DOD needs the ability to deter or
prevent disruptive and destructive cyberattacks, preempt an imminent
cyberattack, halt an ongoing cyberattack, and respond to cyberattacks.
To do that, DOD must develop on-the-shelf capabilities that could have
the ability to affect an adversary's behavior by shaping the
environment, controlling escalation, and imposing costs. Additionally,
we must strengthen our overall resilience posture so that DOD networks
and systems can continue to operate even while under attack. Denial,
resilience, and response are key components to a holistic deterrence
strategy, expanding well past just the cyber domain.
denial
First, as a part of our strategy we must increase our denial
capabilities to tilt any adversaries' cost-benefit analysis in our
favor. To deny an attack from adversely affecting our military
missions, we must first defend our own information, networks, data, and
systems. We are focused on two aspects of denial: strengthening DOD's
cybersecurity; and defending the nation against cyberattacks of
significant consequence.
As Secretary Carter has said, the first of our three missions is to
defend our own information networks, data, and systems. Without secure
systems, we cannot do any of our missions. So, the DOD is working to
implement best in class technical solutions. We are standardizing our
boundary defenses under the Joint Information Environment, providing
linkages from our intelligence capabilities for early warning, while
including state of the art commercial technologies to create
comprehensive capabilities across the cyber kill chain and enable
dependable mission execution in the face of highly capable cyber
adversaries. As a foundational element to achieve this, we are globally
deploying the Joint Regional Security Stacks (JRSS) to significantly
reduce the avenues of attack into our unclassified and classified
networks, support advanced threat analytics and improve responsiveness
to attack. This will allow increased security and visibility, ensuring
that commanders can see and respond to threats in order to determine
risk to mission. The Department has also embarked on a new scorecard
system that will hold commanders accountable for hardening and
protecting their endpoints and critical systems. However, we also
recognize that technical upgrades and organizational changes are only
part of the solution when it comes to effective cybersecurity. Nearly
all successful network exploitations can be traced to one or more human
errors, so raising the level of individual human performance in
cybersecurity will provide us with tremendous leverage in defending DOD
networks. Accordingly, we are closely considering how we can transform
DOD cybersecurity culture for the long term by improving human
performance and accountability.
The President has directed DOD to work in partnership with other
agencies to be prepared to blunt and stop the most dangerous attacks
from succeeding. There may be times when the President or the Secretary
of Defense may direct DOD and others to conduct a defensive cyber
operation to stop a cyberattack from impacting our national interests.
This is DOD's mission: to defend the nation against cyberattacks of
significant consequence--which may include loss of life, destruction of
property, or significant foreign and economic policy consequences. It
means building and maintaining capabilities to prevent or stop a
potential cyberattack from achieving its effect.
This is a challenging mission. It requires high-end capabilities
and highly trained teams. We are building our Cyber National Mission
Force and deepening our partnerships with law enforcement and the
intelligence community to do it.
resilience
Improving DOD's resilience will reduce the incentive for
adversaries to attack us through cyberspace and protect our ability to
execute missions in a degraded cyber environment. This means
normalizing cybersecurity as part of our mission assurance efforts,
building redundancy wherever our systems are vulnerable, and training
constantly to operate in a contested cyber environment. To deter our
adversaries, they must see that cyber-attacks will not provide them
with significant operational advantage.
DOD also relies on civilian and international infrastructure to
execute its missions. We partner with the interagency, the private
sector, and other countries to ensure the cybersecurity and resilience
of the critical infrastructure on which we all rely. Organizations
across the country are beginning to recognize the importance of
resilient systems. IT companies and critical infrastructure owners and
operators are driving market supply and demand towards more secure IT
products and services, and that is great news.
response
Finally, in the event of a potential cyberattack on U.S. interests,
the United States must be able to respond through cyber or non-cyber
means to impose costs on a potential adversary. Throughout this
Administration, we have made clear that the United States will respond
to cyberattacks in a time, manner, and place of our choosing.
Therefore a key objective of the DOD Cyber Strategy is to develop
cyber options to hold an aggressor at risk in cyberspace if required.
To support our deterrence posture, DOD is investing significantly in
our Cyber Mission Force, including robust intelligence and warning
capabilities to better identify malicious actors' tactics, techniques,
and procedures in order to improve attribution in cyberspace. These
attribution capabilities have increased significantly in recent years,
and we continue to work closely with the intelligence and law
enforcement communities to maintain and continue to improve them
through intelligence collection and forensics.
But in many instances, non-cyber capabilities may provide a more
appropriate or effective response. The Administration reviews the whole
range of options, such as diplomatic engagement, network defense and
law enforcement measures, economic or financial sanctions, or even the
use of kinetic capabilities. Responses will be selected on a case by
case basis, and be conducted consistent with law.
building strong partnerships
Successfully executing our missions in cyberspace requires a whole-
of-government and whole-of-nation approach. DOD continues to work with
our partners in other federal Departments and agencies, the private
sector, and countries around the world to address the shared challenges
we face. We work particularly closely with our partners in the
Department of Homeland Security and Department of Justice to ensure
collaboration in cyber operations and information sharing across the
federal government, and we have seen tremendous advancement in our
ability to work as a single, unified team.
We also work closely with our partners and allies to ensure that we
maintain a strong collective defense against cyber threats. Through
cooperation, shared warning, capacity building, and joint training
activities, international engagement provides opportunities for an
exchange of information and ideas to strengthen our cybersecurity as
well as that of our allies and partners. Our partners are increasingly
prioritizing cybersecurity as a key national security issue, creating
opportunities and new areas for cooperation. We cooperate with, and
assist, a wide range of partners.
Additionally, Secretary Carter has placed a particular emphasis on
partnering with the private sector. We need to be more creative in
finding ways to leverage the private sector's unique capabilities and
innovative technologies. The Department does not have all the answers,
and working with industry will be critical to we remain at the cutting
edge of technology to protect our nation. We are examining ways to
expand our collaboration with industry and are developing incentives
and pathways to bring more cyber expertise into the Department.
Finally, our relationship with Congress is absolutely critical. As
the President has said many times, Congressional action is vital to
addressing cyber threats. I appreciate the support provided for DOD
cyber activities throughout the 2016 National Defense Authorization
Act. And, I encourage continued efforts to pass legislation on
cybersecurity information sharing, data breach notification, and law
enforcement provisions related to cybersecurity, which were included in
the President's legislative proposal submitted earlier this year.
conclusion
It is my job is to make sure that our strategy is effectively
implemented across the Department, and ensure that DOD is moving
forward coherently and comprehensively in performing its assigned
cybersecurity roles. The American people expect us to defend the
country against cyber threats of significant consequence, and I look
forward to working with this Committee and the Congress to ensure we
continue to take every step necessary to confront the substantial
cybersecurity risks we face. Thank you, again, for the attention you
are giving to this urgent matter. I look forward to your questions.
STATEMENT OF ADMIRAL MICHAEL S. ROGERS, USN, COMMANDER, U.S.
CYBER COMMAND; DIRECTOR, NATIONAL SECURITY AGENCY; CHIEF,
CENTRAL SECURITY SERVICES
Admiral Rogers. Chairman McCain, Ranking Member Reed, and
distinguished members of the committee, I am honored to appear
before you today to discuss U.S. cyber policy and the state of
cyberthreats worldwide. I'd like to thank you for convening
this forum and for your efforts in this important area.
I'm also honored to be sitting alongside Director Clapper
and Deputy Secretary of Defense Work.
It gives me great pride to appear before you data--today to
highlight and commend the accomplishments of the uniformed and
civilian personnel of U.S. Cyber Command. I'm both grateful for
and humbled by the opportunity I have been given to lead our
cyber team in the important work they do in the defense of our
Nation and our Department.
We are being challenged as never before to defend our
Nation's interests and values in cyberspace against states,
groups, and individuals that are using sophisticated
capabilities to conduct cybercoercion, cyberaggression, and
cyberexploitation. The targets of their efforts extend well
beyond government and into privately-owned businesses and
personally identifiable information. Our military is in
constant contact with agile, learning adversaries in
cyberspace, adversaries that have shown the capacity and the
willingness to take action against soft targets in the United
States.
There are countries that are integrating cyberoperations
into a total strategic concept for advancing their regional
ambitions. They use cyberoperations both to influence the
perceptions and actions of states around them and to shape what
we see as our options for supporting allies and friends in a
crisis. We need to deter these activities by showing that they
are unacceptable, unprofitable, and risky for the instigators.
U.S. Cyber Command is building capabilities that can
contribute to cross-domain deterrence, and thus, make our
commitments even more credible. We are hardening our networks
and showing an opponent cyberaggression won't be easy. We are
creating the mission force, trained and ready like any other
maneuver element that is defending DOD networks, supporting
joint force commanders, and helping to defend critical
infrastructure within our Nation. We are partnering with
Federal, foreign, and industry partners, and exercising
together regularly to rehearse concepts and responses to
destructive cyberattacks against critical infrastructures. We
are generating options for commanders and policymakers across
all phases of the conflict, and particularly in phase zero, to
hold at risk what our adversaries truly value.
The demand for our cyberforces far outstrip supply, but we
continue to rapidly mature, based on real-world experiences and
the hard work of the men and women of U.S. Cyber Command and
our service cybercomponents, as well as our broader partners.
I'd like to assure the committee that U.S. Cyber Command
has made measurable progress. We are achieving significant
operational outcomes, and we have a clear path ahead.
With that, thank you again, Mr. Chairman and members of the
committee, for convening this forum, inviting all of us to
speak. Our progress has been made possible in no small part
because of the support from this committee and other
stakeholders. Unity of effort within our Department and across
the U.S. Government in this mission set is essential. And I
appreciate our continued partnership as we build our Nation's
cyberdefenses. And I welcome your questions.
[The prepared statement of Admiral Rogers follows:]
prepared statement by admiral michael s. rogers
Chairman McCain, Ranking Member Reed, and distinguished members of
the Committee, thank you for the opportunity to speak to you today
about the implementation of our military strategy in cyberspace. It is
an honor to appear today beside Director James Clapper and Deputy
Secretary of Defense Robert Work as well. Let me also mention the great
and justified pride I take in the privilege of speaking on behalf of
the men and women of United States Cyber Command (USCYBERCOM) and the
vital work they undertake to defend our nation. Their efforts, guided
by the new DOD Cyber Strategy and supported by the indispensable
contributions of the National Security Agency (which I also head), are
improving our cyber security with the Department of Defense (DOD) and
our ability to generate a greater range of options with cyber to
support policy makers and operational commands. All of this helps keep
our fellow citizens safe and advance our national interest overseas.
In line with the DOD Cyber Strategy, USCYBERCOM and its components
perform three primary missions. First, we are responsible for securing,
operating, and defending Department of Defense systems and networks,
which are fundamental to the execution of all Department of Defense
missions. Second, the Department of Defense and the nation rely on us
to build ready cyber forces and to prepare to conduct cyber operations
to deter or defeat strategic threats to the nation. Third, we work with
the Combatant Commands to integrate cyber operations into broader
military missions. Our military is already engaged in cyberspace.
Potential adversaries scan DOD networks for vulnerabilities millions of
times daily. As we have repeatedly seen, vulnerability in one place can
be a weakness across an entire network and systems built as
``administrative'' networks are now on the front lines of our
operations. This reality has serious implications for our nation's
security, as well as for our military.
We are at a strategic inflection point where the great promise and
opportunity offered by cyberspace innovation has also made it easier
for potential adversaries to find vulnerabilities that they can use to
threaten us. The DOD Cyber Strategy seeks to generate and align a
multi-faceted effort within the Department against an unprecedented and
growing challenge. In announcing the Strategy last April, Secretary
Carter noted that threats are proliferating and diversifying. Digital
tools in cyberspace give adversaries cheap and ready means of doing
something that until recently only one or two states could afford to
do: that is, to reach beyond the battlefield capabilities of the U.S.
military. They have demonstrated the capacity to hold ``at risk'' our
military and even civilian infrastructure. In lay terms, that means
that decades of military investment is now imperiled, because as
Secretary Carter says, our forces depend on the functioning of our
military networks and combat systems, without which they, and we, are
far less effective in all domains.
How do we know this, and what does it mean? Recent events have made
this trend clear, and we know it because of our intelligence analysis.
We have recently seen Russian and Chinese-sponsored intrusions in
United States information systems--penetrations that were designed to
(and in some cases did) gain persistent presence in the targeted
networks. And of course, no one missed the North Korean attack on Sony
Pictures Entertainment last year, when a state turned its cyber
capabilities against a private U.S. corporation, stealing its
intellectual property, damaging its property, disrupting its
operations, invading the privacy of its employees and affiliates, and
threatening its customers and suppliers. We have also observed that
energy firms and public utilities in many nations (including the United
States) have had their networks compromised by state cyber actors.
Secretary Carter has also noted the risk of miscalculation and
escalation resulting from malicious cyber actions, and Deputy Secretary
of Defense Work recently told an audience in London that conventional
deterrence is eroding to a worrisome degree. Addressing that risk in
the cyberspace domain is the point of the DOD Cyber Strategy--to
defend, and show we can defend, and thus to preserve the effectiveness
of our ``traditional'' instruments of national power. Let me illustrate
one important way in which we are implementing this strategy, with a
quick historical detour for context.
preparing to respond
Our military has found ways to adapt to new technologies,
strategies, and tactics in the past. For instance, we exercised the U.S
Army in Louisiana in April 1940 and learned that the sort of trench
warfare that had dominated battlefields in the last World War had
subsequently been overtaken by events--or more precisely, by tanks,
dive bombers, and mobile infantry, all coordinated by radio. The Fall
of France to the German blitzkrieg barely two months later showed what
happened to nations that failed to heed recent advances in military
art--a German force with fewer tanks and guns routed the French and
British armies in just six weeks. Our War Department incorporated this
lesson and returned to Louisiana in the summer of 1941 to test its new
concepts. This time the U.S. Army, augmented by National Guard
formations, ran two maneuvers, ultimately involving half a million
troops. The first phase showed that the blitzkrieg could indeed be
stopped, and the second showed that our Army could mount a blitzkrieg
of its own. Those extended exercises gave us invaluable experience,
prompting changes to doctrine, weapons, and concepts.
The Louisiana Maneuvers could not foreordain victory in World War
II, of course, but they helped prepare our military for a new and
global conflict by giving officers and soldiers the opportunity and
latitude to experiment and even fail at employing new weapons, tactics,
and modes of operation. Those maneuvers also drove home the point of
the experimentation: to practice being agile, not just defending but
being ready and able to go on the offensive and hit back, taking the
fight to the opponent. That is just the sort of experimentation we must
continue doing today. Then-Army Chief of Staff George C. Marshall was
questioned about the expense of such large maneuvers by a Senator who
also pointed out that the exercises had witnessed a lot of mistakes by
the forces involved. Marshall characteristically responded respectfully
but firmly: ``I want the mistake [made] down in Louisiana, not in
Europe.'' Discovery learning in the midst of real-world operations, as
the British and French experienced in 1940, can be disastrous. The DOD
Cyber Strategy is intended to enable us to learn in peacetime how to
succeed in cyberspace operations under all conditions. Today we have
``lessons learned'' instead of mistakes, of course, and we are doing so
in Virginia, where last summer we staged for the fourth time our large,
annual exercise that we call CYBER GUARD.
We inaugurated the CYBER GUARD exercise series to test the ``whole
of nation'' response to a major cyber incident affecting the DODIN and
U.S. critical infrastructure. USCYBERCOM offices work with experts from
the Joint Staff and the joint cyber headquarters elements, Cyber
Mission Force teams, U.S. Northern Command, National Guard, the
Department of Homeland Security (DHS), the Federal Bureau of
Investigation (FBI), state governments, allies, and the private sector.
Our defenders battle in the exercise networks against a world class
``opposing force'' to make this nearly three-week event as realistic as
possible. The idea is to train our forces to operate as they would in
an actual cyber crisis--i.e., against live opposition and alongside the
federal, state, allied, and industry partners who would also have
authorities and equities in such an event. Over a thousand
participants, including representatives from critical infrastructure
partners and National Guard teams from 16 states, practice how to
collectively protect the nation along with DOD networks. Participants
from the Department of Defense practice lending appropriate support to
civil authorities, and doing so on a complex exercise network that
takes months to fine tune in advance of CYBER GUARD.
This latest iteration of CYBER GUARD was the largest and most
realistic yet. Participants got to ``maneuver'' in cyberspace--seeking
to see, block, and ultimately expel from the network adept opponents
who had the advantages of knowing what they wanted to take (or break)
and who swiftly learned their way around ``our'' systems. Our defenders
thus experienced some of the fast-paced uncertainty of a real cyber
campaign, when major decisions have to be made on the fly without the
benefit of full insight into the adversary's intentions and
capabilities. Players at CYBER GUARD fought through a relentless pace
of events and learned that they have to trust each other for their
efforts to mesh together and prove effective. To build that trust,
moreover, there is no substitute for the sharing of both their
information and experiences. Exercises like CYBER GUARD not only teach
commanders and units how to see, block, and maneuver in cyberspace,
they teach our Soldiers, Sailors, Airmen, and Marines to be teammates,
both with one another and with colleagues in other parts of the federal
government and private sector who we work beside to make cybersecurity
effective.
CYBER GUARD showed us ways to improve our exercising of the total
force and also highlighted areas where our attention is needed. This
will sound familiar to many Members here assembled. I raise them to
provide you with an accurate picture of the challenges in building
capability and operating in the dynamic cyberspace domain.
A good analogy here is to the way our military has developed
special operations forces. Our special operations forces are as good as
any in the world, as we have seen over the last decade and more. Few
people realize, however, what it takes for a special operations team in
the field to execute a mission. They have an intensive need for
critical enablers. This is the case for any maneuver element, and cyber
teams are no exception. We have through CYBER GUARD and other exercises
and operations a host of mission critical requirements that we are
actively acquiring, building, or seeking. The Department and the
government are reviewing the scope of authority for our cyber forces,
including command and control relationships, manpower guidance, and
development authorities to acquire the specialized tools and service we
require. We are training cyber warriors and educating cyber
professionals, both in the Service schoolhouses and in tailored
settings. We are building out the Cyber Mission Force teams, aligning
them to missions, customizing their intelligence support, assigning
them to commanders, and assessing their readiness (indeed, CYBER GUARD
served as a certification event for several teams; among them were
teams deployed on real-world missions just weeks later). Across the
cyber workforce we are setting the right mix of military and civilian
personnel, and working to harmonize the several civilian hiring and
career systems that take care of our people who work under parallel but
not always equivalent institutional templates.
In particular, we are building a dedicated, persistent training
environment, like DOD utilizes in each of the other domains. Let me
explain what it is that we are doing. CYBER GUARD took place in Joint
Staff facilities in Suffolk, Virginia, giving us the opportunity to
practice in a controlled but more or less realistic cyber environment
that we did not have to set up ourselves and then tear down after the
exercise finished. Nonetheless, this was not the same as exercising in
an environment specifically designed to mimic conditions on the
Internet and the real world of cyberspace, where industry partners, for
instance, are independently taking steps (such as updating malware
signatures and even outing cyber actors) to defend their own systems.
While we defend DOD networks, of course, we are helping our federal
partners to guard US Government systems as well. We need greater
realism to reflect this reality in our training. With the help of the
DOD Central Information Officer and others, we are now building out and
testing a new exercise environment and working on interagency exercises
and testing environments with partners including DHS.
Last but not least is our requirement for vital cyber
infrastructure improvements to operate DOD systems safely even under
attack. I have explained our need for the Unified Platform and the
Joint Information Environment in previous hearings, but I will
reiterate how important they are to the defense of DOD's systems and
our ability to operate and deliver effects outside the United States.
These improvements are the future, for they represent a revolutionary
and much-needed change to the Department of Defense Information
Networks (DODIN). In addition, though information sharing alone is not
a silver bullet, it is critical that the government and private sector
be able to share information that will enhance the situational
awareness we need to protect our nation and its interests. I am
encouraged by the work that has gone into cybersecurity information
sharing legislation in both the House and the Senate. But it is
imperative that we finish that work and pass a cybersecurity
information sharing bill as soon as possible. Cyber criminals are not
waiting to steal intellectual property or financial data, so neither
should Congress wait to pass this important legislation. These steps
are needed to ensure that cyber remains a strategic asset, not a
liability, at this strategic inflection point.
implementing the dod cyber strategy
Recall Secretary Carter's earlier point: if we cannot defend the
infrastructure that undergirds our DOD bases and forces from foreign-
based cyber threats, then our nation's military capabilities are
weakened and all our instruments of national power diminished. That
leaves our leaders with a need for additional options to pursue short
of open hostilities, and with fewer capabilities in an actual clash of
arms. This raises risk for all by inviting instability and
miscalculation, as the Secretary noted.
Our nation has peer competitors in cyberspace, with other nations
and groups also striving to deploy advanced cyber capabilities. They do
not match our entrepreneurial elan, our manufacturing skill, or our
deep investment in the theory and machinery of cyberspace. Yet they
have already hinted that they hold the power to cripple our
infrastructure and set back our standard of living if they choose. They
know, of course, that we can hit back, and that potentially devastating
cyberattacks against U.S. interests would ripple across the global
economy. But they could well count on deterring us in a regional
crisis, making our leaders hesitate and muffle American responses to
aggression overseas. Such delays could give them time to continue their
encroachments, attain their objectives, and consolidate their gains.
We need to understand the systemic-level implications of what is
happening. We are, in effect, being strategically shaped by potential
adversaries. They also feel entitled to turn the resources of their
states against private business, research labs, academic institutions,
and even individual citizens in the West to steal the fruits of our
creativity, or negatively impact the enjoyment of human rights and
fundamental freedoms, including the freedom of expression.
This context adds the sense of urgency we feel at USCYBERCOM and
across the Department of Defense. How do we prevent potential
adversaries from shaping us and deterring our defense of America's
interests and allies? We know that the DOD Cyber Strategy gained the
attention of countries overseas--this enhances deterrence right here.
But that is only one step of many. We need to take several more steps
as we implement that Strategy.
First, we have to continue the whole-of-government coordination
that makes our words and actions far more meaningful to potential
adversaries. As Secretary Carter stated in announcing the DOD Cyber
Strategy, we need synchronized inter-agency measures to bring all the
powers and authorities of the U.S. Government to bear on malicious
cyber actors. Individual sanctions, indictments and other steps are
effective tools, but they might not be sufficient by themselves because
potential adversaries believe they have too much to gain from continued
cyber-enabled theft of our intellectual property and continued
intimidation of their neighbors through cyberspace (among other
mechanisms, of course).
Second, we must deepen our partnerships. Organizations across the
U.S. Government must create consistent, complementary approaches for
operating with private sector and international partners--leveraging
the comparative advantages of civilian, homeland security, law
enforcement, intelligence community, and military entities. Many
departments and agencies share the authorities and responsibilities to
guard critical infrastructure in the United States, and we look to DHS'
Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT)
for information-sharing, incident response and mitigation. We as a
nation need to enhance governing policies and legal frameworks to
enable a robust defense of the defense industrial base and other
sectors of our critical infrastructure. This could include efforts
across the Government to identify and manage risks to our critical
infrastructure and key resources in the near term, while transitioning
from a reactive to a deterrent posture over the long term.
Finally, we must forge a consensus on when we can and should
respond to cyber activity directed against the United States. Such a
consensus should clarify the proper role of the military in a whole-of-
nation approach to improving our security in the cyberspace domain. The
President has stated that we reserve the right to respond with all
instruments of national power to cyberattacks against our critical
infrastructure. Here is where we particularly need to build trust in
the ability of the U.S. Government--on the civilian and military
sides--to exercise its powers and capabilities responsibly to defend
the nation, consistent with international law and norms. I see my job
in this entailing an effort to better explain certain concepts like
``offensive cyber operations'' and the Cyber Mission Force. I welcome
your ideas on this.
conclusion
Thank you again, Mr. Chairman and Members of the Committee, for
inviting me to speak on behalf of USCYBERCOM about the vital topic of
cyberspace strategy. Our Command is helping the Department and the
federal government mitigate risk while unleashing the promise and
opportunity inherent in cyberspace in ways consistent with our values
as a nation. As you can tell from the foregoing, I take pride in the
accomplishments of our men and women. I know they will give their all
in executing our Command's missions and in forging cyber forces that
offer our nation's leaders a full suite of options in cyberspace and
beyond. With their great efforts and your continued support, I know we
can be positioned for success, despite the seriousness of the current
situation. There is no single technical or engineering fix alone that
is going to solve these challenges, but instead we will require a great
deal of the fortitude, creativity, and determination that we Americans
have repeatedly shown we can muster. I look forward to your questions
and to advancing this important dialogue.
Chairman McCain. Well, thank you, Admiral. And thank the
witnesses.
Director Clapper, recently former Chairman of the Joint
Chiefs Dempsey was asked about various threats to the United
States security, and he said that, in a whole range of threats,
we have a significant advantage, except in cyber. Do you agree
with that assessment?
Director Clapper. It's probably true. We haven't, I guess,
exhibited what our potential capability there is, so I think
that's one of the implicit reasons why I have highlighted
cyberthreats in the last three years of my worldwide threat
assessments.
Chairman McCain. I thank you. And you have done that, I
think, at least great effect before this committee. As a result
of the leader--the Chinese leader in Washington, there was some
agreement announced between the United States and China. Do you
believe that that will result in a elimination of Chinese
cyberattacks?
Director Clapper. Well, hope springs eternal.
Chairman McCain. Yeah.
[Laughter.]
Director Clapper. I think we will have to watch what their
behavior is, and it will be incumbent on the intelligence
community, I think, to depict--portray to our policymakers what
behavioral changes, if any, result from this agreement.
Chairman McCain. Are you optimistic?
Director Clapper. No.
Chairman McCain. Thank you.
Admiral Rogers, you recently stated, quote, ``There's a
perception,'' there is, quote, ``little price to pay for
engaging in some pretty aggressive behaviors, and, because of a
lack of repercussions, you see actors, nation-states, indeed,
willing to do more.'' And that was what you stated. What is
required? What action is required to deter these attacks, since
there's little price to pay? What do we have to do to make it a
heavy price to pay?
Admiral Rogers. So, I think we have to clearly articular,
in broad terms, what is acceptable and unacceptable, norms, if
you will, of behavior. I think we have to clearly articulate
that, as a nation, we are developing a set of capabilities, we
are prepared to use those capabilities if they're required.
They're not necessarily our preference. We clearly want to
engage in a dialogue with those around us. But, on the other
hand, we do have to acknowledge the current situation we find
ourselves in. I don't think there's anyone who would agree that
it is acceptable and that it is in our best long-term interest
as a Nation.
Chairman McCain. Well, I say with respect, I understand
it's not acceptable, but, in other words, what would enact a
price? Would it be relations in other areas? Would it be
counterattacks? What--in other words, what actions would be in
our range of arsenals to respond?
Admiral Rogers. So, I think it's potentially all of those
things. The first comment I would make, I think Sony is a very
instructive example. One of the things I always remind people
of, we need to think about deterrence much more broadly, not
just focus within the cyber arena. I thought the response to
Sony, where we, for example, talked about the economic options
as a Nation we would exercise, was a good way to remind the
world around us that there's a broad set of capabilities and
levers that are available to us as a Nation, and that we're
prepared to do more than just respond in kind, if you will.
Chairman McCain. One of the--Director Clapper, one of the
things that's been disappointing to the committee is that, in
the fiscal year defense authorization bill, as you know, it
required the President to develop an integrated policy. The
strategy is now a year late. Can you tell us where we are in
that process and what you feel is--what might bring the
administration in compliance?
Director Clapper. You're asking me about policy
development?
Senator Reed. Yes.
Director Clapper. I think I would defer to Secretary Work
on that.
Mr. Work. Well, Mr. Chairman, as we have said over an over,
we believe our cyberdeterrence strategy is constantly evolving
and getting stronger.
Chairman McCain. I'm talking about a policy, not a
strategy, Mr. Secretary. It required a policy, the Fiscal Year
'14 National Defense Authorization Act.
Mr. Work. The policy is still in development. We believe we
have a good cyberstrategy. The policy has been outlined in
broad strokes by the----
Chairman McCain. Not broad enough, I would think. Does it
describe what our--whether we deter or whether we respond or
whether we--in other words, as far as I know and the committee
knows, that there has been no specific policy articulated in
compliance with the requirement to--in the Defense
Authorization Act. If you believe that it has, I would be very
interested in hearing how it has.
Mr. Work. I believe the broad strokes are, we will respond
to----
Chairman McCain. I'm not asking broad strokes. Suppose
there is an attack--a cyberattack like the one on OPM. Do we
have a policy as to what we do?
Mr. Work. Yes, we do.
Chairman McCain. And what is that?
Mr. Work. The first is to try--first, we deny and then we
would--we first find out--we do the forensics----
Chairman McCain. I'm not asking the methodology. I'm asking
the policy. Do you respond by counterattacking? Do you respond
by trying to enact other measures? What do we do in case of a
cyberattack?
Mr. Work. We respond in a time, manner, and place of our
choosing.
Chairman McCain. Does that mean that we counterattack?
Mr. Work. That may be one of the options. It's as----
Chairman McCain. That's not a policy, Secretary Work. That
is a--that is an exercise in options. We have not got a policy.
And for you to sit there and tell me that you do, ``a broad-
stroke strategy,'' frankly, is not in compliance with the law.
Senator Reed.
Senator Reed. Well, thank you very much, Mr. Chairman.
Director Clapper, we are constantly engaged in,
euphemistically, information operations with many other
nations, and they're involved with information operations,
trying to, as you indicated in your testimony, influence the
opinion, disguise activities, disrupt, et cetera. What agencies
are--under your purview or outside your purview, are actively
engaged in information operations to the United States in the
cyberworld?
Director Clapper. Actually, sir, in--from an intelligence
perspective, we would feed that, in that we don't, at last in
what I can speak to publicly, engage in that as a part of our
normal intelligence activity. So, we feed other arms, support
other arms of the government, not only the State Department and
those responsible for messaging.
Senator Reed. Right.
Director Clapper. The National Counterterrorism Center has
an office that is devoted to, in a countering-violent-
extremism context, helping to develop themes or recommending
themes based on what we glean from intelligence as--for
potential vulnerabilities and messages that would appear to
various groups, to obfuscate the message, disrupt it, or
compete with it. But, generally speaking, intelligence, writ
large, doesn't actively engage in information operations.
Senator Reed. From your perspective, are these other
agencies that you provide information to adequately resourced
and staffed so they can use it effectively, or are they getting
a lot of good insights and sitting around wondering what they
can do----
Director Clapper. If I were king, which I am not, I think I
would have a much more robust capability from the standpoint of
the resource commitment to countermessaging.
Senator Reed. And that would fall with--outside the purview
of intelligence, more the State Department and some other
agencies.
Director Clapper. Correct.
Senator Reed. And I think we're all going to remember the
Voice of America, when it was a--you know, a pretty dominant
sort of--source of information.
Director Clapper. Well, personal opinion only, not company
policy, I would, I think perhaps, you know, a USIA on steroids
that would address these messages more broadly and more
robustly. But, that's strictly personal opinion.
Senator Reed. But, I think, in terms of what you're
observing, particularly some of our competitors have a--
extraordinarily robust operation. They don't lack for resources
or personnel, and they're constantly engaged in these types of
information operations--enhancing their image, discrediting
their opponents, actively engaging local groups in other
countries of interest, et cetera--and we're sort of on the
sidelines more.
Director Clapper. I think that's quite right. And our--in
contrast to us, the Russian intelligence services are very
active and very aggressively engaged in messaging.
Senator Reed. Thank you.
Admiral Rogers, to this issue of encryption that Director
Comey pointed to, I think your thoughts would be very helpful.
Admiral Rogers. So, the issue that we find ourselves--this
is less for me, on the U.S. Cyber Command side and much more on
the NSA side--is--communications in the world around us
increasingly going to end-to-end encryption, where every aspect
of the path is encrypted, and the data and the communication is
protected at a level that, with the current state of
technology, is difficult to overcome. Clearly, that's in the
best interests of the Nation, in broad terms. And strong
encryption is important to a strong Internet defense, and a
well-defended Internet is in our best interests as a Nation and
the world's best interests.
Within that broad framework, though, the challenge we're
trying to figure out is--realizing that that communication path
is used by very law-abiding citizens, nation-states, and
companies engaged in lawful activity, it is also being used by
criminals, terrorists, nation-states who would attempt to
generate advantage against the United States and against our
allies and partners. And so, we're trying to figure out, How do
we balance these two important imperatives of privacy and
security? And realizing that it's a technical world around us,
and it's changing in a foundational way. And so, we're trying
to come to grips, broadly, with, How do we deal with the
reality of the technical world around us, and yet the broader
legal and social imperatives we have?
I'm the first to acknowledge we do not have a defined way
ahead here. In the end, I think this is about, How do we get
the best minds together as a nation to address this? Because,
when I look at our capabilities as a nation, there is no
problem we can't overcome when we work together in an
integrated way to--in the private sector, industry, business,
the academic world. I think that's the way ahead here, in broad
terms.
Senator Reed. Thank you very much.
Thank you, Mr. Chairman.
Chairman McCain. Senator Sessions.
Senator Sessions. Thank you, Mr. Chairman.
Senator Inhofe is chairing an EPW Committee. That's why he
couldn't be here today.
You've given us a good summary on the threats that we face
and the threats that are actually occurring today. And I
appreciate that.
Senator McCain asked you about reporting on other policy
that Congress has asked you to report on, and that not having
been done. Mr.--Secretary Work, in the 2014 NDAA, the Senate
and House agreed on a provision that required the services to
report on the cyber vulnerabilities of weapons and
communication systems connected by networks. That's something
that came out of our Strategic Subcommittee on a bipartisan
basis, and was eventually expanded to include all weapon
systems, not just satellites and missiles and national missile
defense. We don't have that final report. I believe it's
overdue. This budget, I believe, has 200 million in it to help
fund this effort. What can you tell us about that?
First, let me say, it may take some time. If it does,
that's--I understand. But, I don't think we've had any report
from the DOD to state that--what progress you've made and how
much longer it will take.
Mr. Work. Well, again, on both of the points--on the
policy, we expect that is in the final deliberations. It's an
interagency effort. You know, generally, trying to establish
norms and deterrence is central to the policy. Again, it's the
denial, resilience, and cost-imposition. I'm the first to admit
that we are the farthest ahead on the denial and the resilience
part. Those are the areas where we are moving faster. The cost-
imposition part, because we have elected to retain the
retaliatory mechanism of cyberattacks at the national level,
just like nuclear weapons, because of the risk of escalation--
--
Senator Sessions. What about the----
Mr. Work. As far as the--oh, I'm sorry, sir.
Senator Sessions.--the other----
Mr. Work. Yes, sir. As far as----
Senator Sessions.--the vulnerabilities of our weapon
systems?
Mr. Work. It is a big, big problem. Most of the--many of
the weapon systems that we have now were not built to withstand
a concerted cyberthreat. So, going through every single one of
the weapon systems, what Frank Kendall has done is, he's
prioritized the weapon systems, and he is working through very
carefully. And I expect this work to be done very soon. We now
have new requirements in our KPPs, our key performance
parameters----
Senator Sessions. So, you have assigned a--an individual--
--
Mr. Work. Absolutely.
Senator Sessions.--to be responsible for this?
Mr. Work. Yes. Frank Kendall is the one who is going
through all of the different--working with, obviously, our CIO
[Chief Information Officer], also the Cyber Command, and the--
all of our cyber experts. But, he's responsible for taking a
look at the weapon systems and also requiring KPPs [Key
Performance Parameter], key performance parameters, for new
weapon systems so that, when we build them, they will have
cyberdefenses built in from the beginning.
Senator Sessions. What about our defense contractors,
Admiral Rogers? They maintain and build these systems and have
highly sensitive information. Are we satisfied they're
sufficiently protected?
Admiral Rogers. So, we certainly acknowledge there's a
vulnerability there. We've been very public about our concerns
about foreign nation-states trying to access some of our key
operational technology through penetrations in the clear
defense contract arena for us. We've made changes to the
contractual relationships between us and those companies, where
they have to meet minimum cybersecurity requirements, they have
to inform us, now, of penetrations. We're clearly not where we
need to be, but we continue to make progress.
Senator Sessions. Well, I think it's a bipartisan
commitment on Congress to help you with that.
Secretary Work, if it takes more money, let us know. We'll
have to evaluate it. And I also understand that some of the
protections can be done without much cost; some may require
considerable cost. So, we hope that you will complete that.
Admiral Rogers, you, I believe, last week, reported, in the
Los Angeles Times, about the threat from China. You note one
thing, that they are involved in obtaining U.S. commercial and
trade data in a foreign nation, advanced nation, ally of ours.
I was told that they--one of their companies bid on a contract,
and that the Chinese had got all the bid data from the Web. And
his comment was, ``It's hard to win a bid when your competitor
knows what you're bidding.''
Admiral Rogers. Yes, it is.
Senator Sessions. Is that kind of thing happening?
Admiral Rogers. It has been. We've very--been very public
of it. I think that's reflected in the agreement that you saw
raised during the President of China's visit last week, where
we were very explicit about that concern.
Senator Sessions. Well, my time is up, but I would just
ask----
You're not allowed--if you saw an American business being
damaged through improper action, you're not allowed to advise
them or share any information with them, while our adversaries
do assist their businesses. Is that basically correct?
Admiral Rogers. The way this works right now is, I would
provide information and insight both in my intelligence hat as
the Director of NSA, as well as the Commander of U.S. Cyber
Command. If, under that authority, I became aware of activity,
I would share the insights with DHS and the FBI, who have a
mission associated with interfacing with the private sector in
a much more direct way than I do.
Chairman McCain. Senator Manchin.
Senator Manchin. Thank you, Mr. Chairman.
And thank all three of you for your service and for being
here today.
Admiral Rogers, if--I'll start with you. Which country is
the most committed, determined, and successful hacker of the
U.S.?
Admiral Rogers. Could you say that one more time, Senator?
Senator Manchin. Which country do you believe is the most
committed, successful hacker of the U.S.?
Admiral Rogers. If you look at volume, nation- statewide--
nation-state-wides, I would--China, the PRC, has been the one
that we've been the most vocal about. They're not the only one,
by any stretch of the imagination.
Senator Manchin. I thought the last time you were here you
said that--I recall you saying that you had more concerns over
Russia having more of the ability or the expertise to do us
damage.
Admiral Rogers. I thought your question was really focused
more on volume. If your--if the perspective is capability, if
you will, then we have been very public about saying I would
probably put the Russians----
Senator Manchin. Russians.
Admiral Rogers.--in a higher capability.
Senator Manchin. But, it seems like that China is more
committed and determined to do it.
Admiral Rogers. They certainly do it at a volume level----
Senator Manchin. Gotcha. I understand.
And, Director Clapper, if I may, I know that you just said
no--emphatically no, you don't believe that this agreement that
the President of China and our President has made last week
will work. With that saying--what are the--is there any
penalties in this agreement if one or the other violates it? Or
is it just basically, well, we have agreed, and let it go at
that?
Director Clapper. The terms that I----
Senator Manchin. As you understand it.
Director Clapper. The terms that I have seen, I don't think
it treats, specifically, penalties. There certainly are implied
penalties. I think the threat of economic sanctions that--which
brought Minister Mung to this country, I think is illustrative
of what would mean something to the Chinese if they transgress
or violate this agreement.
And I think, as Admiral Rogers was discussing earlier,
there--with respect to sanctions, there certainly whole- of-
government possibilities here. Don't have to do, necessarily, a
cyber eye for an eye. It can be some other form of retaliation.
But, I don't think--to answer your question, at least what
I'm aware of--that there are specific penalties if the
agreement is violated.
Senator Manchin. And that's why I think you were pretty
quick in saying you don't think it'll work. You said no to
that, I think, when the Chairman asked you.
Director Clapper. Well, the reason I said no, of course,
is--the extent to which Chinese purloining of our data, our
intellectual property, is pretty pervasive. I think there's a
question about the extent to which the government actually
orchestrates all of it, or not. So, I think we're in the--to
model--to borrow a President Reagan term, ``trust but verify''
mode, at least as far as intelligence is concerned. And we are
inherently skeptics.
Mr. Work. Sir, could I add something?
Senator Manchin. If I could--I have a question for you,
Secretary, and then you can go ahead and add to that.
There's a news--the recent news article that examined
similarities between China's J-31 fighter and our F-35 strike
finder and what they're been able to do in such a rapid period
of time, without any R&D. Do you believe that that gives them a
competitive advantage? I mean, you can--I understand there
might be some differences as far as in the software or in the
weaponry and this and that, but they're making leaps, which are
uncommon, at the behest of us. And we know this, I understand,
but we're not taking any actions against them.
Mr. Work. Well, I'd like to work this in to your----
Senator Manchin. Yes.
Mr. Work.--and follow up with your----
Senator Manchin. You go ahead.
Mr. Work.--first question.
At the highest levels, we have made it clear that we
believe that Chinese actions in the cybersphere are totally
unacceptable as a nation-state. And we made that clear in a
wide variety of different ways. And I would characterize the
agreement that we have as a confidence-building measure with
the Chinese, where we are asking them to prove to us that they
are serious about what they say about what they will do to
control these efforts.
So, we--there were really four things that we agreed to do.
First, we would give timely responses to information when we
say, ``Hey, we believe that there is a problem here"--and we
have agreed to exchange information on cybercrimes, we have
agreed to possibly collect electronic evidence and to mitigate
malicious cyberactivity if it's occurring on our soil. We both
agree that we would not knowingly conduct cyber-enabled theft
of intellectual property, which, as you say, Senator, has been
a problem. We have told them it's a problem, that it's
unacceptable. They have said that they will work to curb that.
Then we've agreed to have common effort to promote
international norms. And the final thing is, we'll have a high-
level joint mechanism, where we can meet at least twice a year
and say, ``Look, this is just not working. You are not coming
through with what you've said.''
So, this isn't a treaty or anything like that. It's a
confidence-building measure for us to find out if China is
going to act responsibly. I agree totally with Director
Clapper. They've got to prove to us. And we know that they have
stolen information from our defense contractors.
Senator Manchin. Right.
Mr. Work. And it has helped them develop systems. And we
have hardened our systems through the Defense Industrial Base
Initiative. And we're trying to make----
Senator Manchin. But, I'm saying we know the J-20 is pretty
much mirroring our F-22. We know that their J-31 is pretty much
mirroring our F-35. When we know this and the cost to the
American taxpayers, and let them get--I mean, why wouldn't we
tale hard actions against them? Or why wouldn't we come down--I
just don't understand why we wouldn't retaliate----
Mr. Work. Well----
Senator Manchin.--from a financial standpoint.
Mr. Work. There are a wide variety of cost-imposition
options that we have. They are developed through the
interagency. And again, it's not necessarily kind--I mean, tit-
for-tat. It is proportional response. And we're working through
all of those right now.
Senator Manchin. My time is up, sir.
And if I could just follow up on that later, if we can meet
with you later, I'd----
Mr. Work. Absolutely, sir.
Senator Manchin.--very much appreciate it.
Director Clapper. Senator, if I may just add a word here
about--this is a point Admiral Rogers has made in the past
about, you know, terminology, lexicon, nomenclature definitions
are important. And so, what this represents, of course, is
espionage--economic----
Senator Manchin. Absolutely.
Director Clapper.--cyber espionage. And, of course, we,
too, practice, cyber espionage. You know, in a public forum to,
you know, say how successful we are, but we're not bad at it.
So, when we talk about, ``What are we going to do for--to
counter espionage or punish somebody or retaliate for
espionage,'' well, we--I think it's a good idea to at least
think about the old saw about people who live in glass houses--
--
Senator Manchin. Gotcha.
Director Clapper.--shouldn't throw rocks.
Chairman McCain. So, it's okay for them to steal our
secrets that are most important----
[Laughter.]
Director Clapper. I didn't say that----
Chairman McCain.--including our fighter, because----
Director Clapper. I didn't say that, Senator.
Chairman McCain.--because we live in a glass house. That is
astounding.
Senator Ayotte.
Director Clapper. I did not say it's a good thing. I'm just
saying that both nations engage in this.
Senator Ayotte. I want to thank all of you for being here.
With regard to the Chinese, I want to follow up on--we've
talked about the stealing of the highest secrets, in terms of
our weapon system, but what about the 21 million people whose
background check and personal information has been, of course,
associated publicly with the Chinese, and the fact that we know
that 5 million sets of fingerprints, as well, leading to
potential vulnerability for our citizens? And if you put that
in the context of these other issues that we've raised, it
seems to me--I looked very carefully, for example, Secretary
Work, at some of the language you've been using. You gave a
speech at the Royal United Services Institute in London. You
said, ``Deterrence must be demonstrated to be effective.''
Secretary Clapper, in your prepared statement, you said,
``The muted response by most victims to cyberattacks has
created a permissive environment.''
So, I'm trying to figure out, based on what you've said,
how we're not in a permissive environment, in light of what
they've stolen on our weapon systems, but also this huge
infringement on 21 million people in this country.
And also, could you comment on the vulnerability of that
data and where we are, in terms of how it could be used against
us?
Director Clapper. Well, first, that is an assessment of
what was taken. We actually don't know, in terms of specific--
specifics. But, that's--I think frames the magnitude of this
theft. And it is potentially very serious--has very serious
implications, first, close to home, from the standpoint of the
intelligence community and the potential for identifying people
who may be under covered status, just one small example. And,
of course, it poses all kinds of potential--and, unfortunately,
this is a gift that's going to keep on giving for years.
So, it's a very serious situation. What we've tried to do
is educate people what to look for and how to protect
themselves. But, again, this is a huge threat--theft, and it
has, potentially, damaging implications for lots of people in
the intelligence community and lots of people in the Department
of Defense and other employees of the government.
Senator Ayotte. So, I think what you're hearing from some
of us up here is just a--"Now what are we going to do about
it?'' is the issue, as opposed to a shared agreement on generic
principles with the Chinese. This is a pretty significant issue
that is going to impact millions of Americans. I'm not hearing
what we're going to do about it, but that may be a higher-level
decision, going up to the President. But, seems to me if we're
going to talk about deterrence, if we don't follow up with
action, and if you look at that, combined with the testimony we
heard last week about the artificial islands being built by the
Chinese, and the fact that we won't even go within, I believe
it's 12 nautical miles of those islands--if you put that all
from the Chinese perspective, I think you think, ``Hmmm, we can
pretty much do what we want to do, because we haven't seen a
response.''
Now, I'm not asking for--from all of you--to answer that,
because it probably needs to be answered by the President and
his national security team, but it seems to me that they aren't
seeing a response right now from us, and therefore, we're going
to see--continue to see bad behavior from the Chinese.
Before I go, I have an important question on another topic,
Secretary Work, and that is: Yesterday, we heard public reports
about a potential violation of the INF Treaty by the Russians,
and that, essentially, Russia tested--flight tested a new
ground-launched cruise missile this month that United States
intelligence agencies say further violates the 1987 INF Treaty.
And, of course, this is going back, also, to the reports, as
early as 2008, of the--Russia conducting tests of another
ground-launched cruise missile, in potential violation of the
INF Treaty that we've raised with them. And, when Secretary
Carter came before our committee, on his confirmation, he
listed three potential responses to these INF violations. So,
now we have the Russians violating the INF Treaty yet again.
And I guess my question is: Secretary Carter rightly identified
that we should respond, either through missile defense,
counterforce, or countervailing measures. What are we doing
about it?
Mr. Work. Senator, this is a longstanding issue that we
have been discussing with the Russians. The system that you're
talking about is in development, it has not been fielded yet.
We are--we have had different discussions with them on our
perception of the violation of the INF, and they have come
back. This is still in discussions, and we have not decided on
any particular action at this point.
Senator Ayotte. So, are you saying that you don't think
they violated the INF Treaty?
Mr. Work. We believe very strongly that they did.
Senator Ayotte. That's what I thought. So, what are we
going to do about it? Because they're claiming that they
haven't, going back to the 2008 violations, and now here we
have another situation.
Mr. Work. It's still under--because they have not fielded
the system, we are still in the midst of negotiating this
position. We are giving ours. But, if they do field a system
that violates the INF, I would expect us to take one of the
three options that Secretary Carter outlined before the
committee.
Senator Ayotte. So, my time is up, but I see two consistent
themes here, both with the Chinese and the Russian: a lot of
talk, no action, unfortunately. And people take their cues from
that. And that worries me.
Thank you all.
Chairman McCain. Senator Hirono.
Senator Hirono. Thank you, Mr. Chairman.
Director Clapper, you testified before the House
Intelligence Committee recently that the--while the United
States makes distinctions between cyberattacks conducted for
economic purposes or to gain foreign intelligence, I would--
that's the espionage arena, I think, that you're referring to--
or to cause damage, our adversaries do not. Would you consider
the OPM breach, to the extent that we believe it is a state
actor who did that, that that would be in the category of
espionage?
Director Clapper. Yes.
Senator Hirono. The----
Director Clapper. That was the tenor of the discussion at
the HTSC hearing that Admiral Rogers and I engaged in. And, of
course, that has to do with the--as I mentioned earlier to
Senator Manchin, the importance of definition, nomenclature,
and terms. So--and the definition of these terms--and so,
what--the theft of the OPM data, as egregious as it was, we
wouldn't necessarily consider it as an attack. Rather, it
would----
Senator Hirono. Yes.
Director Clapper.--be a form of----
Senator Hirono. Well, and----
Director Clapper.--theft or espionage.
Senator Hirono. And, as you say, other countries, including
our own, engages in such activities.
My understanding of the recent agreement between the United
States and China, though, has to do with commercial cybertheft.
And I think that's a very different category that has to do
with obtaining information about corporations, et cetera. And
therefore, that that is in the category of economic attacks.
So, Director Clapper, would you consider that kind of an
agreement to be helpful? I realize that you are skeptical, but,
to the extent that we are defining a particular kind of
cyberattack, and that we're contemplating, through this
agreement, an ability of our two countries to engage in high-
level dialogue regarding these kinds of attacks, is that a
helpful situation?
Director Clapper. Well, it would be very helpful if, of
course, the Chinese actually live up to what they agreed to.
So, if--and what the agreement pertained to was theft of data
for economic purposes to give Chinese commercial concerns an
advantage, or their defense industries an advantage, as opposed
to--I don't believe they--that we've agreed with the Chinese to
stop spying on each other.
Senator Hirono. Yes.
Director Clapper. And so, there is a----
Senator Hirono. The----
Director Clapper.--for purely espionage purposes--and there
is a distinction.
Senator Hirono. Mr. Secretary, you can weigh on this also.
To the extent that we've created an--a potential for a dialogue
or an environment where there's a process to be followed, and
the cases where we suspect commercial cyberattacks, that at
least we have a way that we can talk to the Chinese. Because
you also mentioned, Director Clapper, that attribution is not
the easiest thing, although we are getting better at figuring
out who actually were the actors who that did these
cyberattacks. So, one hopes that, even with a great deal of
skepticism, going forward, that this agreement may create the
space for us to have a--more than a conversation, but one that
would lead to some kind of a change in behavior on the part of
these state actors.
Mr. Secretary, feel free to give us your opinion.
Mr. Work. Senator, I think that's exactly right. I mean, as
Director Clapper said, first you have to find out the
geographical location from the--where the attack came from.
Then you have to identify the actor, and then you have to
identify whether the government of that geographic space was
either controlling----
Senator Hirono. Recognize that's not the easiest to do,
yes.
Mr. Work. And what we have done is, we have confronted
China, and China, in some cases, has said, ``Look, this was a
hacker that was inside our country, but we had no control over
him.'' What this allows us to do is say, ``Okay, well, what are
you going to do about that? That's a cybercrime. Are you going
to provide us the information we need to prosecute this person?
Are you going to take care of it on your own?'' So, I believe
this type of confidence-building measure and this way to
discuss these things will--the proof will be in the pudding,
how the Chinese react to this----
Senator Hirono. Mr. Secretary, I think you mentioned that
this particular agreement allows--contemplates meeting at least
twice a year.
Mr. Work. Yes.
Senator Hirono. Is there anything that prevents more
frequent dialogue between our two countries in suspected cases
of commercial cyberattacks?
Mr. Work. Senator, I believe, if there was a significant
cyber event that we suspected the Chinese of doing or they
suspected us, that we would be able to meet this. This is going
to be a high-level joint dialogue. They'll--the Chinese will
have it at the ministerial level. Our U.S. Secretary of
Homeland Security and the U.S. Attorney General will co-lead on
our part. We're going to have the first meeting of this group
by the end of this calendar year, and then at least twice a
year. So, I believe that, as Director Clapper is, I think all
of us have some healthy skepticism about this, but I believe
it's a good confidence-building measure and a good first step,
and we will see if it leads to better behavior on the part of
the Chinese.
Senator Hirono. Thank you.
Chairman McCain. Mr. Secretary, I can't help but comment.
We have identified the PLA [People's Liberation Army], the
building in which they operate. Now, please don't deceive this
committee as if we don't know who's responsible for it. That's
just very disingenuous. There have been public reports that
we've identified the PLA building in which these cyberattacks
come from.
Senator Ernst.
Senator Ernst. Thank you, Mr. Chair.
Thank you, gentlemen, for joining us today.
Admiral Rogers, I'll start with you, sir.
Admiral Rogers. Okay.
Senator Ernst. Two of the President's nine lines of effort
in defeating ISIL [Islamic State of Iraq and the Levant] are,
first, exposing ISIS's [Islamic State of Iraq and Syria] true
nature and, second, disrupting the foreign fighter flow. And,
over the weekend, the New York Times reported that 30,000
recruits joined ISIS over the past year, and that's double the
previous recruitment year.
Earlier this month in reference to ISIS recruiting, the
State Department's Ambassador-at-Large and Coordinator for
Counterterrorism said that ISIS's recruiting trend is still
upward, and this information came of no surprise to her. The
Ambassador also said the upward trend was primarily due to
Internet and social media.
So, sir, do you believe the administration's efforts have
so far succeeded on these two lines of effort in cyberspace and
social media? Just, please, simple yes or no.
Admiral Rogers. No.
Senator Ernst. Okay. In light of that, with the record
recruiting numbers for ISIS, how would you then assess the
effectiveness of the U.S. Government's counter-ISIS effort in
cyberspace? So, what specifically is your assessment of the
State Department's ``think again, turn away'' program in
support of efforts to disrupt ISIS's online recruiting effort?
Admiral Rogers. Senator, I'm not in a position to comment
on State Department--the specifics of their program. I honestly
am just not knowledgeable about it. I will say this, broadly,
to get to, I think, your broader point. I have always believed
that we must contest ISIL in the information domain every bit
as aggressively as we are contesting them on the battlefield,
that the information dynamic is an essential component of their
vision, their strategy, and ultimately their success. And we
have got to be willing to attempt to fight them in that domain,
just like we are on the battlefield. And we clearly are not
there yet.
Senator Ernst. I agree. I think we are failing in this
effort. And some of the programs that we have seen obviously
are not working. So, are there areas in--where you could
recommend how the U.S. Government better partner with various
NGOs [non-governmental organizations] or private entities to
more effectively counter the ISIS propaganda?
Admiral Rogers. Again, the contesting-the-propaganda piece,
much broader than Cyber Command's mission. I will say, from a
technical and operational perspective, we, broadly within the
DOD, Cyber Command, Strategic Command, and CENTCOM, are looking
at, within our authorities, within our capabilities, what's
with--in the realm of the possible, in terms of, What can we do
to help contest them in this domain?
Senator Ernst. Okay.
We have a larger problem coming forward, too, in regards to
ISIS and ISIL in the Middle East. We seem to see the emergence
of a trifecta between Syria, Iran, and Russia. And now it seems
that Iraq has begun information-sharing with Russia, with Iran,
with Syria. Director Clapper, can you speak to that and the
broader implications of Russia emerging as a leader in the
Middle East while we seem to be frittering away our opportunity
with ISIL?
Director Clapper. Well, that's certainly their objective. I
think they have several objectives, here, one of which is
that--I think, protect their base, the--their presence in
Syria, ergo their buildup in the northwest part of Syria;
clearly want to prop up Assad; and, I think, a belated
motivation for them is fighting ISIL.
As far as the joint intelligence arrangement is concerned,
I can't go into detail here in this forum, but I will say there
are--each of the parties entering into this are a little bit
suspicious of just what is entailed here, so we'll have to see
just how robust a capability that actually provides.
Senator Ernst. Okay, I appreciate that.
And, Secretary Work, do you have any thoughts on the
emergence of Russia with the intelligence-sharing, how that
might impact the operations that we have ongoing in Iraq
against ISIS?
Mr. Work. Well, I think we were caught by surprise that
Iraq entered into this agreement with Syria and Iran and
Russia. Obviously, we are not going to share intelligence with
either Syria or Russia or Iran. So, we are in the process--
our--we are in the process of working to try to find out
exactly what Iraq has said. Certainly, we're not going to
provide any classified information or information that would
help those actors on the battlefield. Really what we're trying
to do is deconflict, and that is the primary purpose of the
discussion between President Obama and President Putin
yesterday--is, ``If you are going to act on this battlefield,
we have to deconflict.''
The other thing we have made clear is--they would like to
do a military first, followed by a political transition. We
need--we believe those two things have to go in parallel, and
that has been our consistent message. This is early days. We're
still in the midst of discussing what exactly this means, so I
don't have any definitive answers for you at this point,
Senator.
Senator Ernst. Well, I am very concerned that we have
abdicated our role in the Middle East as--and in so many other
areas, as has been pointed out earlier. Grave concern to all of
us. And I think we need to be working much more diligently on
this.
Thank you, Mr. Chair.
Chairman McCain. Senator Nelson.
Senator Nelson. Thank you, Mr. Chairman.
Gentlemen, thank you for your public service.
Admiral, I'm concerned about all of these private telecoms
that are going to encrypt. If you have encryption of
everything, how, in your opinion, does that affect Section 702
and 215 collection programs?
Admiral Rogers. It certainly makes it more difficult.
Senator Nelson. Does the administration have a policy
position on this?
Admiral Rogers. No, I think we're still--I mean, we're the
first to acknowledge this is an incredibly complicated issue
with a lot of very valid perspectives. And we're still, I
think, collectively, trying to work our way through, ``So,
what's the right way ahead, here?"--recognizing that there's a
lot of very valid perspectives.
But, from the perspective, as Cyber Command and NSA, that I
look at the issue, there's a huge challenge us--for us, here,
that we have got to deal with.
Senator Nelson. A huge challenge. And I have a policy
position, and that is that the telecoms better cooperate with
the United States Government, or else it just magnifies the
ability for the bad guys to utilize the Internet to achieve
their purposes.
Speaking of that, we have a fantastic U.S. military. We are
able to protect ourselves. It's a--it's the best military in
the world. But, we have a vulnerability now, and it's a
cyberattack. Do you want to see if you can make me feel any
better about our ability to protect ourselves, going forward?
Admiral Rogers. So, I would tell you the current stated
capability in the Department, if I just look at where we were
eighteen months ago, two years ago, is significantly improved.
We currently defeat probably 99-point-some-odd percent attempts
to penetrate DOD systems on a daily basis. The capability, in
terms of both the amount of teams, their capability, just
continues to improve. Our speed, our agility. The challenge for
us, fundamentally, to me, is, we are trying to overcome decades
of a thought process in which redundancy, defensibility, and
reliability were never core design characteristics for our
networks, where we assumed, in the development of our weapon
systems, that external interfaces, if you will, with the
outside world were not something to be overly concerned with.
They represented opportunity for us to remotely monitor
activity, to generate data as to how aircraft, for example, or
ships' hulls were doing in different sea states around the
world. All positives if you're trying to develop the next
generation, for example, of cruiser/destroyer for the Navy.
But, in a world in which those public interfaces, if you were,
increasingly represent also potential points of vulnerability,
you get this class of strategies, if you will. And that's where
we find ourselves now.
So, one of the things I try to remind people is, it took us
decades to get here. We are not going to fix this set of
problems in a few years. This takes dedicated prioritization,
dedicated commitment, resources, and we've got to do this in a
smart way. We've got to prioritize, and we've got to figure out
what's the greatest vulnerability and where's the greatest
concern for us?
Mr. Work. Senator, is it okay if I jump in here for a
second?
Senator Nelson. Yes. I just want to add to that. And for us
to let our potential enemies understand that we have the
capability of doing to them what they do to us. However, that
gets more complicated when you're dealing with a rogue group of
a dozen people stuck in a room somewhere that are not part of a
nation-state.
Yes, sir. Mr. Secretary.
Mr. Work. Well, I was just going to echo what Admiral
Rogers said. When Secretary Carter came in, he said, ``Look, we
are absolutely not where we need to be,'' and he made job
number one defense of the networks. So, we're going from 15,000
enclaves to less than 500. We're going to have--we're going
from 1,000 defendable firewalls to less than 200, somewhere
between 50 and 200. So, you are absolutely right, we have
recognized this is a terrible vulnerability. We are working,
first, to defend our networks, as we talked about earlier.
We're looking at our systems. And we're also trying to change
the culture. Right now, if you discharge a weapon, you are held
accountable for that. That's a--you know, negligent discharge
is one of the worst things you can do. What we need to do is
inculcate a culture where a cyber discharge is considered just
as bad, and make sure that that culture is inculcated
throughout the force.
Senator Nelson. I agree. But, now the Admiral is assaulted
by the telecoms, who want to tie his hands behind his back by
doing all of the encryption.
Thank you, Mr. Chairman.
Chairman McCain. Senator Donnelly.
Senator Donnelly. Thank you, Mr. Chairman.
In our State, Naval Surface Warfare Center Crane has taken
the lead on much of our efforts to protect against the threat
of counterfeit electronics. And so, Secretary Work and Director
Clapper, the global supply chain for microelectronics presents
a growing challenge for cybersecurity. One of the things we saw
recently, IBM [International Business Machines] sold its
chipmaking facilities with DOD ``trusted foundry'' status to a
foreign-owned competitor. So, I was wondering your top
priorities in managing the risk posed by the globalization of
our microelectronics manufacturing capabilities and our
abilities to protect our systems in that area.
Mr. Work. That's a big question, Senator. In fact, it's
going to be one of the key things we look at in this fall
review, because of the recent--as you said, the recent sale of
the IBM chips.
Now, there are two schools of thoughts on this. Secretary
Carter personally has jumped into this. And some say you do not
need a trusted foundry. Another group says you absolutely have
to have it. Having confidence in the chips that we put in our
weapon systems is important. And I would expect that, come
February, we'll be able to report out the final decisions
through the fall review on how we're going to tackle this
problem.
Senator Donnelly. Who within DOD's leadership has primary
responsibility for overseeing the supply chain risk management?
Mr. Work. That would be Frank Kendall and also DLA. DLA has
the supply chain, and Frank Kendall is really focused on the
trusted chip, the fabrication of trusted chips.
Senator Donnelly. One of the areas that we look at in
regards to cyber--and, in some ways, you know, technology in
particular parts of it not advancing has been a good thing in
this respect--is in the nuclear area. And so, are there any
specific groups that are focused just on protecting our nuclear
efforts against cyber?
Mr. Work. There's the National--the NNSA [National Nuclear
Security Administration]. And also, we have a Nuclear Weapons
Council, which is cochaired by, again, Frank Kendall, our Under
Secretary of Defense for AT&L, and the Vice Chairman of the
Joint Chiefs. They are the ones that work with DOE [Department
of Energy] to make sure that our weapon system components are
reliable and trusted, and to make sure that we have a safe,
reliable, and effective nuclear deterrent.
Senator Donnelly. Admiral, when we look at building a force
of cyber warriors, a cyber team, how can we use the National
Guard and Reserves to help do that? Because it strikes me that
that can help us in retaining highly qualified individuals who
want to devote part of their life to helping their country. And
it would seem to almost be a perfect fit for us.
Admiral Rogers. So, we have taken a total-force approach to
the force that we're building out. That includes both Guard and
Reserve. Every service slightly different, not the least of
which because different services have different Reserve and
Guard structures. So, that is a part of it.
I'd say one of the challenges that we're still trying to
work our way through is under the Title 32 piece, how we
coordinate what Guard and Reserve are doing, how we generate
capacity and bring it to bear with maximum efficiency. The one
thing--the two things, in partnering with my Guard teammates
and my Reserve teammates--because we're taking a total-force
approach to this, we need one standard for this. We don't want
a place where the Guard and Reserve are trained in one standard
and the Active side is trained to a different. That gives us
maximum flexibility in how we apply the capability across the
force. And the Guard and Reserve has done great in that regard.
And then, secondly, we need one common unit structure. We don't
want to build unique, one-of-a-kind structures in the Guard or
Reserves that don't match the Title 10 side. Again, we want to
treat this as one integrated force. And again, I would give the
Guard and the Reserves great kudos in that regard. We've got a
common vision about the way we need to go, and we've got a
great exercise series, CYBERGUARD, that we're using every year,
where we bring together the Guard, the private sector, the
Active component, and government, and work our way through the
specifics about how we're going to make this work.
Senator Donnelly. Thank you.
Director Clapper--and I apologize if you already answered
this--what is the one cyber challenge you are most concerned
about?
Director Clapper. Well, obviously, the one that I think
about is--would be a massive Armageddon-like-scale attack
against our infrastructure. That is not--we don't consider that
the most likely probably right now, that the greater threat--or
the low-to-moderate sort of threats that we're seeing. And what
I have seen in the 5 years I've been in this job is a sort of
progression, where these get more aggressive and more damaging.
And, as I indicated in my oral statement at the outset, what I
will see--I think what we can expect next are data
manipulation, which then calls to question the integrity of the
data, which, in many ways, is more insidious than the kinds of
attacks that we've suffered thus far.
So, you know, the greater--the specter is this massive
attack, although it's not likely.
Senator Donnelly. Thank you.
Thank you, Mr. Chairman.
Chairman McCain. Senator Lee.
Senator Lee. Thank you, Mr. Chairman.
Annex 3 of the recently signed Iran Nuclear Agreement calls
for the participating countries to work with Iran to, quote,
``strengthen Iran's ability to protect against and respond to
nuclear security threats, including sabotage, as well as to
enable effective and sustainable nuclear security and physical
protection systems,'' close quote.
Secretary Clapper, do you read this portion of the Iran
Nuclear Agreement, the Annex, to include cyberthreats, meaning
that the P5+1 countries, who are part of this agreement, will
be expected--will be deemed to have an obligation under the
agreement to assist Iran in developing systems to prevent other
countries from using cyber capabilities to acquire information
about, or to disrupt the operations of, Iran's nuclear
capabilities--Iran's nuclear programs?
Director Clapper. Well, in this environs, I will say that I
trust that this is not going to prevent us from gleaning
intelligence from our traditional sources, in the interests of
verifying the agreement, which will be principally monitored by
international organization, IAEA. So, I'm not aware of any
strictures on our ability to collect on their behavior and
their components.
Senator Lee. But, why would we want to give Iran the
ability to defend against cyberweapons that we, or perhaps some
of our allies, might one day want to use against Iran?
Director Clapper. Well, sir, in this open environment,
there are some aspects here that I can't discuss. I'm happy to
talk with you privately or in a classified environment about
that.
Senator Lee. Okay. Okay. But, you're not disputing the fact
that the agreement says that, that we would have to----
Director Clapper. No.
Senator Lee. Okay.
Now, can you tell me, in this environment, what specific
technical assistance we'll be offering Iran in this portion of
the agreement?
Director Clapper. I honestly don't know the answer to that
question. I've--have to have that researched. I don't know
exactly what would--what's in mind there.
Senator Lee. Now, would any of these capabilities, once
acquired by Iran, prevent or inhibit the United States or any
of our allies, any other enemy of Iran, from using any
cybermeasure against Iranian nuclear facilities?
Director Clapper. Again, I--I'm reluctant to discuss that
in this setting.
Senator Lee. Were you consulted by U.S. negotiators during
the nuclear negotiations in connection with this portion of the
agreement, the agreement----
Director Clapper. Well, the intelligence community was
deeply involved in--throughout the negotiations.
Senator Lee. Can you describe the nature of any
consultation you had with them as to this portion of Annex 3?
Director Clapper. With the Iranians?
Senator Lee. Yes.
Director Clapper. I--no, I did not engage with the Iranians
on----
Senator Lee. No, no, that's not what I'm asking. I'm asking
if you can describe your discussions with U.S. negotiators as
they came to you and consulted with you on the implications of
this portion of Annex 3.
Director Clapper. I didn't actually--my lead for this was
Norm Roule, who was the--known to many of you on this
committee, the National Intelligence Manager for Iran. And he
was the direct participant. And I--I don't want to speak for
him as--to the extent to which he was involved or consulted on
that provision. I'd have to ask him.
Senator Lee. Okay. But, you would have been aware of
consultation going on. I mean, I'm sure he came to you and
said, ``Look, this is going to impact our ability, the ability
of the United States, to do what we need to do with respect to
Iran.'' That--would that not have been something----
Director Clapper. Well, again, sir, I would rather discuss
what the potential response of ours could be in a closed
setting.
Senator Lee. Okay.
Secretary Work, how is the Department working to ensure
that the hardware and software on some of these major programs
that we're developing to future contingencies and technological
advances so they can continue to address emerging cyberthreats
well into the future without major overhauls of the entire
system?
Mr. Work. Senator, as I said, we are now putting into our
KPPs, our key performance parameters, on any new systems,
specific cyber-hardening requirements, much like during the
Cold War, when we had EMP [Electromagnetic Pulse] requirements
for many of our systems. The problem that we face is that many
of the old systems that are still in service were not built to
the--to respond to the cyberthreats that we see today. So,
we're having to go back through all of those older systems,
determine which ones are most vulnerable, prioritize them, and
make fixes. So--and it also goes back to Senator Donnelly's
question on the trusted foundry. We're trying to determine what
is the best way to assure that we have reliable and trust
microelectronics.
Senator Lee. Okay. Thank you.
I see my time's expired.
Thank you, Mr. Chairman.
Chairman McCain. Senator King.
Senator King. Thank you, Mr. Chairman.
Secretary Work, if there's a catastrophic attack tonight on
the fiscal infrastructure or the financial infrastructure of
this country, I do not want to go on cable news in the morning,
if there is cable news in the morning, and say, ``The
administration told us that the policy is still in
development.'' We've got to get on this. We've been talking
about it for years. And, as the Chairman pointed out, this was
an essential part of our National Defense Authorization Act, a
year ago, And the idea that we can continue to simply defend
and never have an offensive capability, I just think is
ignoring this enormous threat, which we all agree----
So, let me ask a one-word-answer question to each of you.
Do we need an offensive capability in the cyber realm in order
to act as a deterrent?
Secretary Work.
Mr. Work. We need a broad range of response options, to
include----
Senator King. Do we need a offensive cybercapability to act
as a deterrent?
Mr. Work. I would say yes, sir.
Senator King. Secretary--Director, go ahead.
Director Clapper. Absolutely.
Senator King. Admiral Rogers.
Admiral Rogers. Yes.
Senator King. Thank you.
The second part of that is that it can't be secret. Our
instinct is to make everything secret. And the whole point of a
deterrent capability is that it not be secret. So, I think we
need to establish what we have--I suspect we do have some
significant offensive capability, but part of a--making it a
deterrent is that it has to be made--it has to be made public.
I think another question that needs to be addressed--and I
don't necessarily think it--in this hearing this morning, but
in this--terms of the policy--we need to define what an act of
war is in the cyber area, whether hitting Sony pictures is an
act of war, or the OPM. And how do you draw those lines? And I
would suggest that that's got to be part of this policy
definition.
And I don't mean to imply, Secretary Work, that this is
easy. But, it's urgent. That's the--and we just simply can't
defend ourselves by saying, ``Well, it was complicated and we
didn't get to it.''
Changing the subject slightly. Admiral Rogers, do you
believe that the dispersion of responsibility in the Federal
Government for cyber is a potential problem? It strikes me
we've got agencies and departments and bureaus--I suspect you
could name 15 of them if you tried--that all have some
responsibility here. Do we need to strengthen Cyber Command and
make that the central repository of this policy?
Admiral Rogers. I would not make Cyber Command or the
Department of Defense the central repository. This is much
broader than just the DOD perspective. But, I will say this. I
have been very public in saying we have got to simplify this
structure for the outside world, because if you're on the
outside looking in--and I hear this from the private sector
fairly regularly--"Who do you want me to go to? Is it--I should
talk to the FBI [Federal Bureau of Investigation]. Should I
talk to DHS? Why can't I deal with you? Do I need to talk to
the"--if I'm a financial company, ``Should I be talking to the
sector construct that we've created?'' We have got to try to
simplify this for the private sector.
Director Clapper. If I might add to that, Senator King,
it's one of the reasons why I had a very brief commercial for--
just within the intelligence community--of integrating the
cyber picture, the common operating picture simply from within
intelligence, let alone, you know, what we do to react or
protect. And that, to me, is one important thing that I have
come to believe. We need along the lines of a mini-NCTC
[National Counterterrorism Center] or NCPC [National
Counterproliferation Center].
Senator King. I would hope that that would also--and that--
the leadership and decisionmaking on that has to start with the
White House, it has to start with the administration, for an
all-of-government approach to dealing with this dispersion-of-
responsibility problem.
I would point out, parenthetically, that--you know, we're--
there's been a lot of talk about China and our ability to
interact with China and to respond and hold China responsible.
And it's not the subject of this hearing, but the fact that we
owe China trillions of dollars compromises our ability to
interact with China in a firm way. It's a complicated
relationship, and that's one of the things that makes it
difficult.
Director Clapper, do you have any idea what brought the
Chinese to the table for this recent agreement with the
President?
Director Clapper. Well, it appears that the threat of
potential economic sanctions, particularly imposing them right
before the visit of President Xi, I think, got their attention.
And that's why they dispatched Minister Maung to try to come to
some sort of agreement, which is what ensued subsequently.
Senator King. And I agree that it's not a definitive
agreement or a treaty, but I do agree, Secretary Work, that
it's a step in the right direction. At least these issues are
being discussed. But, countries, ultimately, only act in their
own self-interest, and we have to convince the Chinese that
it's in their interest to cut out this activity that's so
detrimental to our country.
Thank you, gentlemen, for your----
Mr. Work. Senator, could I just make----
Senator King. Yes, sir.
Mr. Work.--one real quick comment?
Just because we have not published our policy--it is so
broad and encompassing, going over things like encryption--What
are the types of authorities we need?--does not mean that, if
we did have an attack tonight, we would not--we do not have the
structure in place right now with the national security team to
get together to try to understand who caused the attack, to
understand what the implications of the attack were and what
response we should take. Those are in place right now.
Senator King. But, the whole point of being able to respond
is deterrence so that the attack won't occur. Dr. Strangelove
taught us that if you have a doomsday machine and no one knows
about it, it's useless. So, having a secret plan as to how
we'll respond isn't the point I'm trying to get at. The deal
is, we have--they have to know how we will respond, and
therefore, not attack in the first place.
Thank you.
Thank you all, gentlemen, for your testimony.
Senator Reed [presiding]. On behalf of the Chairman, let me
recognize Senator Fischer.
Senator Fischer. Thank you, Senator Reed.
Following up a little bit where Senator King was going on
this, many of you talked about establishing norms in
cyberspace. Do you think it's possible to establish or maintain
that norm without enforcement behaviors? When we look at
publicly identifying those who are responsible for an activity
or imposing costs on them, can we do that? I'll begin with you,
Mr. Secretary.
Mr. Work. Well, I believe that trying to establish these
norms are very, very helpful. In the Cold War, for example,
there was a tacit agreement that we would not attack each of
our early-warning missile--I mean, warning satellites. And so,
establishing these norms are very important. But, they will be
extremely difficult, because the enforcement mechanisms in
cyber are far more difficult than--because it's much more easy
to attribute missile attacks, et cetera. So, I believe that
this agreement with China is a good first step, that we should
strive to establish norms, especially between nation-states--
and establish norms which we believe are beyond the bounds, and
to try to establish mechanisms by which we can work these
through. But, this will be very, very difficult, Senator,
because it's--because of the--just the--it's much more
difficult.
Director Clapper. And we have the added problem, of course,
of--the norms are, as Secretary Work said, really applicable to
nation-states. And, of course, you have a whole range of non-
nation-state actors out there who wouldn't necessarily
subscribe to these norms and would be a challenge to deal with
even if we--if there were nation- state mutual agreement.
Senator Fischer. Admiral?
Admiral Rogers. I would echo the comments of my two
teammates. I'm struck by--we're all captives of our own
experience. In my early days as a sailor, well before I got
into this business, at the height of the Cold War out there, we
knew exactly how far we--between the Soviets and us--we knew
exactly how far we could push each other. And we pushed each
other, at times, right up to the edge. I mean, very aggressive
behaviors. But, at the--we developed a set of norms. We had a
series of deconfliction mechanisms in the maritime environment.
We actually developed a set of signals over time so we could
communicate with each other. But, the--so, I'm comfortable that
we're going to be able to achieve this over time in the nation-
state arena, but, as my teammates have said, it's the nonstate
actor that really complicates this, to me. It's going to make
this difficult.
Senator Fischer. So, when we're attacked in cyberspace, how
do we impose costs on those who are attacking us? Do we respond
in cyberspace, or can we look at other ways to, I think,
respond in an appropriate manner, say with sanctions? What
would you look at, Admiral?
Admiral Rogers. So, what we have talked about previously
is, we want to make sure we don't look at this just from one
narrow perspective, that we think more broadly, we look across
the breadth of capabilities and advantages that we enjoy as a
nation, and we bring all of that to bear as we're looking at
options as to what we do, and that it's a case-by-case basis.
There's no one single one-size-fits-all answers to this. But,
fundamentally, think more broadly than just cyber. Not that
cyber isn't potentially a part of this. I don't mean to imply
that.
Senator Fischer. Correct.
Mr. Secretary, would you agree with the Admiral on that? Do
you see a variety of options out there? And wouldn't it be more
beneficial to us as a country to be able to have a policy that
is a public policy on what those options could be, and the
consequences that would be felt when we are attacked?
Mr. Work. Absolutely. And that is what I say about a broad
policy, where we will respond in a time manner--time, place,
and manner of our own choosing. In this case, there's an
asymmetry with our nation-state potential adversaries. They are
all authoritarian states. The attack surfaces that they have
are far smaller than what we have as a free nation. And we
value that. We do not want to close down the Internet. But, we
are more vulnerable to a wide variety of attack surfaces than
our adversaries. So, we may sometimes have to respond
proportionally, but in a different way than a simple cyber
response. It might be sanctions. It might be a criminal
indictment. It might be other reactions. So, we believe very
strongly that this is something where it's an interagency
process. The process is established where they are taken care
of----
Senator Fischer. And----
Mr. Work.--handled on a case-by-case basis.
Senator Fischer. And does the administration have a
definition on what constitutes a cyberattack?
Mr. Work. Well, any type of malicious activity which causes
either damage or theft of information or IP [Internet
Protocol], all of those are under either cyber--malicious
cyberactivities. It might be espionage. In each case, there's
no defined red line for what would constitute----
Senator Fischer. What's----
Mr. Work.--act of war.
Senator Fischer. What would be the difference between a
cyberattack and cybervandalism?
Director Clapper. Well, I would have to make a--again, a
case-by-case determination. And, of course, important
consideration here would--in terms of our reaction, would be
attribution. And that--again, it would be case-by-case.
Mr. Work. And cybervandalism, ma'am, do you--is that
stealing information or IP or----
Senator Fischer. The attack by North Korea on Sony was
described by the President as cybervandalism. I was just
wondering on how you distinguish that definition from a
cyberattack.
Director Clapper. Well, it didn't affect a national
security entity, but it certainly did cause damage to the
company. And, in that case--and this is an important
illustration of when we could attribute very clearly and there
was uniform agreement across the intelligence community to
attribute that attack to the North Koreans, and we did sanction
them.
Senator Fischer. Okay, thank you.
Thank you, Mr. Chairman.
Chairman McCain [presiding]. Senator Heinrich.
Senator Heinrich. Thank you, Mr. Chair.
Gentlemen, thank you for your service and for joining us
here today.
And, Director Clapper, before I start on--begin to focus on
cyberpolicy, I think we're all very concerned about the
allegations that leadership at Central Command deliberately
distorted the assessments of intelligent officers related to
the fight against ISIL. And I understand that there is an
ongoing investigation, and I'm going to wait for the results of
that investigation. But, I want to say that, as a member of
both this committee and the Intelligence Committee, I want to,
in the strongest terms possible, impress upon you the
importance for all of us to receive absolutely objective and
unbiased assessments. And I look forward to the results of the
IG investigation, and I expect that you will hold accountable
anyone who has failed in their duty in the intelligence
community, no matter how high up the chain that may go.
Director Clapper. Well, Senator, I--you brought up a very
important consideration here, which is a great concern to me.
I'm a son of an Army intelligence officer who served in World
War II, Korea, and Vietnam. And I have served in various
intelligence capacities for over 52 years, ranging from my
first tour in Southeast Asia in the early '60s to my service
now as the longest tenured DNI. And it is a almost sacred writ
in intelligence--in the intelligence profession never to
politicize intelligence. I don't engage in it. I never have.
And I don't condone it when it--it's identified.
Having said that, I--and I completely agree with you--in
spite of all the media hyperbole, I think it's best that we all
await the outcome of the DOD IG investigation to determine
whether and to what extent there was any politicization of
intelligence at CENTCOM.
I will also say that the intelligence assessments from
CENTCOM or any other combatant command come to the national
level only through the Defense Intelligence Agency. That is the
main conduit and, I will say, to the extent evaluater and
filter for what flows into the national intelligence arena.
Senator Heinrich. Thank you, Director.
Turning to you, Admiral Rogers. As the director of U.S.
Cyber Command, your responsibilities include strengthening our
cyberdefense and our cyberdeterrence posture. And I want to
return to a line of questioning several of my colleagues have
begun this morning.
As you know, the breach of OPM computers resulted in an
enormous loss of sensitive personal information. Thus far, to
my knowledge, the U.S. has not responded. And to put it in the
words of Deputy Secretary Work's language this morning, we
haven't imposed a cost, which raises questions about whether we
truly have developed the mechanisms for proportionate response
to cyberattacks against the U.S. Government, even after the
April 2015 publication of the DOD cyber strategy. We know that
if a foreign agent had been caught trying to steal U.S.
personnel files in a less digital age, we would either kick
them out of the country, if they were a diplomat, or we'd throw
them in jail, if they weren't a diplomat. That would be
considered a proportionate response. But, in the case of the
OPM breach, the U.S. Government seems uncertain about what a
proportionate response would look like.
So, I want to ask you three questions, and I'll let you
take them as you may: What constitutes an act of war in
cyberspace? Has the United States decided on a proportionate
response in the case of the OPM cyber espionage case? And what
types of information-gathering by nation-states, by
governments, are legitimate, and what types are not?
Admiral Rogers. Well, first, let me start out by saying,
look, so I'm the operational commander here, and all three of
the questions you've just asked me are much broader than that.
I'm glad to give you an opinion, but I'm mindful of what my
role is.
In terms of the three things--Have we defined what an
active of war is? The bottom line is: clearly, we're still
working our way through that. What are the parameters that we
want to use to define what is an act of war? My going-in
position is, we ought to build on a framework that we have
developed over time in the more conventional domains. That's a
good point of departure for it. It's got a broad legal
framework. It's something that people recognize. And it's where
we ought to start as a point of departure.
The second question was about--just let me read my note to
myself----
Senator Heinrich. Proportional response to the OPM case.
Admiral Rogers. Again, I think that what OPM represents is
a good question about--so, what are the parameters we want to
use? Is it--as the DNI has said, is it--the intent is within
the acceptable realm? Is it scale? Is it--you can do espionage
at some level, for example, but if you trip some magic
threshold, hey, is 20 million records, is 10 million records--
is there some scale component to this? I think we're clearly
still trying to work our way through that issue. And there is
no one- size-fits-all answer. I think there's recognition. I
think that's clearly--is what has driven this broad discussion
between the United States and China, for example. That's been a
positive, I would argue.
And the third, type--what--could you repeat again--the
types of information?
Senator Heinrich. Just--you know, I'll--my time is expired,
so I'll cut to the chase. I think what you're hearing from all
of us----
Chairman McCain. No, go ahead, Senator. This is an
important----
Senator Heinrich.--is----
Chairman McCain.--line of questioning.
Senator Heinrich. We would like to see more transparency in
being able to telegraph our deterrent, because we all know
that--looking back into the Cold War, that our deterrent was
very important. But, the other side knowing what that deterrent
was, was absolutely critical for it to be effective. And so, we
need to be clear about what types of information-gathering by
governments are considered legitimate and acceptable, and where
those red lines are going to be.
Admiral Rogers. I agree. I think that's the important part
of the whole deterrence idea. It has to be something that's
communicated, that generates understanding and expectation, and
then a sense of consequence.
Director Clapper. I think the contrast with the Cold War is
a good one to think about, in that--well, I think what you're--
what--the concern that people are raising is, Should there be
red lines on spying? That's really what this gets down to. We
didn't have red lines during the Cold War. It was freewheeling
as far as us collecting intelligence against the Soviet Union,
and vice versa. There were no limits on that. It was very
difficult, for both--well, more so for us.
And, of course, underlying--the backdrop to all that was
the deterrent, the nuclear deterrent, which, of course,
restrained behavior even though it got rough at times, as the
example that Admiral Rogers cited, in a--just in a maritime
context. But, there were ground rules that governed that.
We're sort of in the Wild West here with cyber, where there
are no limits that we've agreed on, no red lines, certainly on
collecting information, and--which is what the OPM breach
represented.
Chairman McCain. Director and Admiral, I would like to
thank you for your forthright and candid assessment. And also,
I think, the lesson that all of us are getting is that we
really have to have some policy decisions. And you've been very
helpful in fleshing that out for us.
Senator Cotton.
Senator Cotton. Secretary Work, I'd like to return to an
exchange you had with Senator Ayotte about the Intermediate-
Range Nuclear Forces Treaty, also known as the INF Treaty. Is
Russia in violation of their obligations under the INF Treaty?
Mr. Work. We believe that a system that they have in
development would violate the treaty.
Senator Cotton. And you said, just now, ``in development.''
I thought I heard you say, with Senator Ayotte, that it's not
deployed, or it's not yet operationally capable. Is that
correct?
Mr. Work. That's my understanding. I can have--I can get
back to you with a question for the record. But, it is in
development, and we have indicated our concern with the
Russians that, if they did deploy it, we believe it would
violate the INF.
Senator Cotton. Thank you. Could you please do that in
writing. And, if it's appropriate, in a classified writing,
that's fine, as well.
[The information referred to follows:]
The Department finds that Russia is in violation of its obligations
under the Intermediate-range Nuclear Forces (INF) Treaty not to
possess, produce, or flight-test a ground-launched cruise missile with
a range capability of 500 to 5,500 kilometers, or to possess or produce
launchers of such missiles. Russia has built and tested a ground-
launched cruise missile system that violates the Treaty.
Senator Cotton. I'd now like to move to the Cyber Mission
Force. At the Air Force Association Conference a couple of
weeks ago, Major General Ed Wilson, the commander of the 24th
Air Force, stated that DOD's Cyber Mission Force was halfway
through its buildup. How difficult is it to establish the
needed infrastructure and manning across the services to create
the capability that we need to defend and deter cyberthreats?
Mr. Work. Well, I'd like to start, and then I'll turn it
over to Admiral Rogers.
We're building to 133 total teams--68 are cyber protection
teams that are focused on our number-one mission: defense of
our networks. We have 13 national mission teams that we are
building to help defend our Nations' critical infrastructure.
And we have 27 combat mission teams that are aligned with the
combatant commanders and assist them in their planning. To
support those, we have 25 support teams which they can call
upon, for a total of 133. We're building to 6200 military
personnel, civilians, and some specialized contractors, and
another 2,000 in the Reserves, so about 8400.
We expect to reach that in 2018, provided there is not
another government shutdown. The last time, we had a government
shutdown and sequestration, it put us behind by 6 months in
building this. So, as of right now, we are--I think we're on
track.
And I'd turn it over to Admiral Rogers to explain the--how
well we're doing in attracting talent.
Admiral Rogers. And, if I could, first let me accent, if
you will, one particular portion of DEPSECDEF [Deputy Secretary
of Defense] Work's comments, in terms of impact of a government
shutdown or sequestration for us. The last time we went through
this and we shut it down, we assessed that we probably lost 6
months' worth of progress, because we had to shut down the
school system, we went to all stop, in terms of generation of
capability in the--like a domino, the layover effect of all of
that, we think, cost us about 6 months of time. If we go to a
BCA or sequestration level, that puts us even further behind in
an environment in which we have all uniformly come to the
conclusion we're not where we need to be and we've got to be
more aggressive in getting there. And you can't do that if--
when you're shutting down your efforts, when you're cutting
money.
To go specifically, Senator, to the question you asked, I
would tell you the generation of the teams, in terms of the
manpower and their capability--knock on wood--is exceeding my
expectations. The bigger challenge, to me, has been less--not
that it's not an insignificant challenge, but the bigger
challenge has been less the teams and more some of the enabling
capabilities that really power them, the tools, if you will,
the platform that we operate from, the training environment
that we take for granted in every other mission set. The idea
that we would take a brigade combat team--before it went to
Iraq, before it went to Afghanistan, we'd put it out in the
National Training Center, and we'd put it through the spectrum
of scenarios we think they're likely to encounter in their
deployment. We don't have that capability right now in cyber.
We have got to create that capability. It's those enablers, to
me, and the intelligence piece, let--just like any other
mission set, everything we do is predicated on knowledge and
insights. No different for the CENTCOM Commander than it is for
me. Those are the areas, to me, where the challenges are
greater, if you will, than just the manpower. I'm not trying to
minimize the----
Senator Cotton. Yeah.
Admiral Rogers.--manpower----
Senator Cotton. And how important is it that we take
advantage of the existing infrastructure and capabilities that
we have as you're building out the entire mission force?
Admiral Rogers. I mean, that's what we're doing right now.
But, I will say, one of our experiences--Cyber Command has now
been in place for approximately 5 years--one of our insights
that we've gained with practical experience and as we're
looking at both defensive response as well as potential
offensive options, we need to create infrastructure that is
slightly separate from the infrastructure we use at NSA. It's--
so, a unified platform, you've heard us talk about. It's
supported in the funding. That's an important part of this.
Experience has taught us this in a way that 5-6 years ago, we
didn't fully understand.
Senator Cotton. Well, I'd like--my time is up for
questioning, but I'd just like to bring to your attention that
Arkansas Attorney General Mark Barry has requested a cyber
protection team at Little Rock Air Force Base. There is an
11,000-square-foot facility there. It has a SCIF of 8500 square
feet. It's already had $3.5 million invested in it. One of
these facilities, I understand, would cost about $4 million.
It's a request that I support. I think it's harnessed resources
that we've already invested, and it also--it's a capability
that they are ready to support, in addition to the professional
educational center that does a lot of cybertraining for the
National Guard, which is less than 30 minutes away.
Thank you.
Director Clapper. Mr. Chairman, I have to comment. I'm
rather struck by the irony, here, of--before I left my office
to come for this hearing, I was reviewing the directions that
we're putting out to our people for shutting down and
furloughing people. What better time for a cyberattack by an
adversary when much of our expertise might be furloughed.
Chairman McCain. I think that's a very important comment,
Director, and thank you for saying it. There are some of us who
feel it's urgent that we inform the American people of the
threats to our national security of another government
shutdown. I believe that it was an Arkansas philosopher that
said there is no education in the second kick of a mule. So, I
thank you for your comment.
Senator McCaskill.
Senator McCaskill. It was probably a Missouri mule.
Director Clapper, earlier this year I introduced a bill
that would give intelligence community contractors
whistleblower protections as long as those complaints were made
within the chain or to the Inspector General or the GAO. So,
disclosures made to the press would not be protected. I--as you
probably know, Defense Department--I know that Secretary Work
knows this--that we've already put into the law, in recent
years, whistleblower protections for the contractors at the
Department of Defense. And, to my knowledge--and certainly
correct me if I'm wrong, any of you--I'm not aware of any
classified or sensitive information that has made its way to a
damaging place as a result of these protections.
The 2014 intel authorization gave these protections to the
government employees within intelligence. And one of the
challenges we have in government is this divide between the
contractors and government employees. And, frankly,
whistleblower protections--I can't think of a good policy
reason that we would give whistleblower protections to
employees and not give them to contractors. And so, I am
hopeful today that you would indicate that you believe this is
an important principle and that we should move forward with
this legislation.
Director Clapper. Absolutely, Senator. And we have
published, internal to the intelligence community, an
intelligence community directive that includes whistleblowing
protections for contractors. After all, that was the source of
our big problem, here, with Mr. Snowden, who was a contractor.
And so, our challenge--you know, the additional burden we have,
of course, is trying to prevent the exposure of classified
information outside channels. So, that's why whistleblowers
absolutely must be protected, so that they are induced or
motivated to go within the channels, knowing that they will be
protected. This is a program that is managed by the
intelligence community Inspector General, who is, of course,
independent as a Senate-confirmed official.
Senator McCaskill. Thank you. And I'm pleased to see that
you would be supportive of that.
And, Secretary Work and Admiral Rogers, I assume that you
would be supportive of giving whistleblower protections to
intelligence community contractors?
Mr. Work. Absolutely. I agree totally with what Director
Clapper said.
Admiral Rogers. Yes, ma'am, and I say this as the head of
an intelligence agency.
Senator McCaskill. Thank you.
I want to follow up a little bit, Director Clapper, with
your comment about a shutdown. Could you tell us what impact
another government shutdown would have on your progress of
getting the cyber mission force fully operational? Excuse me--
Admiral Rogers. I think that, in political isolation, shutdown
appeals to a certain swath of Americans, and I understand why.
Because sometimes it just feels good to say, ``Well, let's just
shut it down,'' because, obviously, government is never going
to win popularity contests, certainly not in my State. On the
other hand, there's a difference between responsible, in terms
of public policy, and being irresponsible, in terms of
recognizing--I love it when some of my friends wave the
Constitution in my face and then fail to read the part that we
have a divided checks and balances in this country, unlike
other countries. The American people sent a party--a President
of one party to the White House and elected a Congress of a
different party. And that means we have to figure out how to
get along. So, could you talk a moment about what the impact
would be to this important mission if once again we went down
the rabbit hole of deciding the best thing to do is just to
shut down government?
Admiral Rogers. So, if we use our experience the last time,
first thing I had to do was shut down the school system. And
training and education is a core component of our ability to
create this workforce. Just shut it all down, because it was
only mission essential.
The second thing I was struck for, all travel that was
associated with training, all--we had to shut all that down, so
I couldn't send people to generate more insights, to gain more
knowledge.
We had to shut down some of our technical development
efforts because of the closure--again, put that all on hold. At
a time where we have talked about the need to develop more
capability, the need to develop more tools, I had to shut that
all down during the period of the last shutdown. We were forced
to focus our efforts on the continued day-to-day defense, which
is critical--don't get me wrong. As Secretary Work has
indicated, it is priority number one for us.
The other concern I have is--and I have watched this play
out now just in the last 10 days--I've been in command 18
months, and I will tell you, the biggest thing I get from my
workforce, prior to the last 10 days, ``Sir, this happened to
us once in 2013. Is this going to happen again? If it is, why
should I stay here, working for the government? I can make a
whole lot more money in the cyber arena on the outside.'' So,
in addition to the threat piece that the DNI has highlighted,
my other concern is--if we do this again, is the amount of our
workforce that says, ``You know, twice in the course of 2
years? I've got a family, I've got mortgages, I've got to take
care of myself. As much as I love the mission, as much as I
believe in defending the Nation, I can't put myself or my
family through this. I've got to go work in the commercial
sector.'' That would be terrible for us. Because people--
despite all our technology, never forget, it is men and women
who power this enterprise. That's our advantage.
Senator McCaskill. At the risk of sounding like a smart
aleck, which I do from time to time, I would say maybe we need
to open some of those schools so some of my colleagues could do
some math and realize the votes are not there to overcome a
presidential veto. And this is a recipe for dysfunction that
does not help anyone in this country, and particularly our
national security.
Thank you, Mr. Chairman.
Chairman McCain. Senator Tillis.
Senator Tillis. Thank you, Mr. Chairman.
I want to just echo the comments of my colleague Senator
McCaskill. I think it's irresponsible. We've had this--the
Secretary come before this committee and say that the number
and severity of threats have not been greater since 9/11. That
should be enough said, in terms of what we need to do to keep
continuity in funding the government. All the other things that
I may have a problem with have to be second to that priority. I
thank you all for your work. And, Director Clapper, I thank you
for your comment.
Admiral Rogers, we've had briefings from you since you've
taken the command. And one of the briefings I'm reminded of is
the trend that you see, in terms of the gap between what tends
to be still an American advantage, overall, narrowing,
particularly with nations like China and Russia, and I think
you may have even mentioned Iran being an emerging threat. Can
you tell me, really in the context of maybe another 6 months
reset on your training, but, more importantly, based on your
current funding streams and your current plan, Are we going to
be able to widen that gap again, or is this just a matter of
staying slightly ahead of our adversaries?
Admiral Rogers. For right now, I think the most likely
scenario is, we're staying slightly ahead of our adversaries,
because we're trying to do so much foundational work, if you
will, as I said previously, trying to overcome a very different
approach over the previous decades. It's not a criticism of
that approach. It was a totally different world. It led to a
different prioritization. It led to a different level of effort
and a different investment strategy. Clearly, we're going to
have to change that. And we're changing that at a time when
budgets are going down and threats--not just in cyber, but more
broadly--are proliferating. I don't envy the choices that
Secretary Carter and the leadership has to make. There's
nothing easy here.
So, I think, in the near term, the most likely scenario for
us is, How can we focus on the best investments that maximize
your defensive capability while continuing to help us retain
the advantage we do right now against most?
Senator Tillis. Thank you.
And this question may be for Secretary Work. The
announcement about the agreement with China, that we're not
going to, basically, attack each other, in the face of the
compelling evidence that we have that China's done it in the
past and they've denied it, why is this agreement a positive
thing if, with the smoking-gun information we have right now on
prior attacks, theft of intellectual property, commercial data,
that we have a pretty strong base of evidence to say that
they're guilty of it, if they deny it, why does this agreement
mean anything?
Mr. Work. On the buildup to this visit, we made it very
clear, through a wide variety of efforts, that this was going
to be something that was foremost in the discussions when
President Xi came. We have made it as clear as we possibly can
in every single level, from the President on down, that the
Chinese cyberactivities are unacceptable. And we believe that
this is a good first step as a confidence-building measure,
where China can either demonstrate that they are serious about
establishing some norms, and going after crimes, et cetera.
But, the proof will be in the pudding. I agree with Director
Clapper and Admiral Rogers, it's going to be up to the Chinese
to demonstrate that they're serious about this.
Senator Tillis. Would the manipulation of commercial data
fall within the definition of theft under this agreement?
Mr. Work. Well, specifically, one part of it is the theft
of IP--intellectual property--for commercial advantage in, say,
for example, a Chinese state enterprise. And we have agreed, at
least at--we have made a tentative agreement that we will not
do those type of activities. China has done those activities in
the past. It will be up to them to prove that they won't do it
in the future.
Senator Tillis. And then, the--for anyone, and then I'll
yield. I know the committee's gone on a while. But, at what
point--I think Senator Heinrich made some very important points
about drawing red lines. But, at what point are we going to
have clear definitions about malign activities in cyberspace
being acts of war or acts of terrorism, and then have
appropriate responses, whether they be through cyber, through
sanctions, or other? When are we going to get that clarity?
Because we don't have it today.
Mr. Work. Senator, I don't believe that we will ever have a
definitive one-size-fits-all definition for these type things.
Every single attack will be--have to--handled on a case-by-case
basis, and you will have to judge the damage that was caused,
who made the attack, was it just a nonstate actor or just a
malicious hacker--we'd have to go after that person, in terms
of criminal activity. So, I don't believe we're ever going to
have a specific definition that says, ``If this happens, we
will trigger this response.'' Each one will be handled in a
case-by-case basis and be proportional.
Senator Tillis. Well, thank you. Mr. Chair, the----
I think the lack of clarity, though, the only concern that
I have is, you're not establishing some level of known
deterrent. And that's why--I understand the complexities of it.
I've worked in the field. But, I think that, without that
clarity, you're more likely to have more things that you're
going to have to look at and figure out how to do a situational
response.
Thank you, Mr. Chair.
Chairman McCain. Senator Sullivan.
Senator Sullivan. Thank you, Mr. Chairman.
And thank you, gentlemen, for your testimony today on a
really important topic.
You know, I believe and I'm--I was looking for the
transcript, but--at the joint press conference between
President Xi and President Obama that--President of China, I
think, publicly stated that they don't engage in these kind of
cyberactivities. Was that an accurate statement, if that was,
indeed, what he said, in terms of cyberwarfare? It's pretty
remarkable, if you're in a press conference with another head
of state, and you just say something that seems to be pretty
blatantly false.
Director Clapper. Well, it is. And I think, apart from the
statements, at least for our part, it will be: What happens
now, what is--will there be a change in their behavior? And as
I said earlier, well, hope springs eternal, but--I personally
am somewhat of a skeptic, but it will be our responsibility to
look for the presence or absence of the--of their purloining of
intellectual property and other information.
Senator Sullivan. And were any of you gentlemen, or all of
you gentlemen, consulted on the terms of the agreement?
Director Clapper. We were aware of the negotiations, but,
at least from--normally, intelligence wouldn't be a voice or
shaper of a policy agreement like this between two heads of
state. It will--I think our responsibility is to report what
they do.
Mr. Work. We participated in the buildup of the visit, in
terms of policy development, et cetera. But, in terms of what
went on between the two leaders of the nations, we were not
directly consulted.
Senator Sullivan. Admiral?
Admiral Rogers. And I was aware of the ongoing process,
and, like Secretary Work, same thing, part of the broad effort
in preparation for the visit.
Senator Sullivan. But, you weren't--you didn't see the
terms of this agreement before the----
Admiral Rogers. No.
Senator Sullivan. Did you, Mr. Secretary?
Mr. Work. No.
Senator Sullivan. Let's assume that, you know, kind of pass
this prologue, here, and, you know, we were talking about
intellectual property. As you know, our country has been trying
to get the Chinese from--to stop stealing United States
intellectual property for decades, really. And it hasn't really
worked out very well. If--let's assume that this agreement--
that there is some additional cybertheft that we can attribute
to China. What would you recommend the actions of the United
States should be, particularly in light of this agreement?
Mr. Work. I wouldn't be able to answer that, as I would
have to know what the degree of the activity would be.
Senator Sullivan. Let's say another OPM kind of activity.
Mr. Work. I think we--the Department of Defense would
recommend a very vigorous response.
Senator Sullivan. And, Mr. Secretary, what would you--I
mean, just give me a sense of what that would be. Sanctions,
retaliation----
Mr. Work. Could be any of those, Senator. Maybe all of the
above. It will depend upon the severity of the activity. But,
again, I know this is--I know this is a big point of contention
with the committee. It is--we are serious about cost
imposition, and our statement is, ``If you participate in
that--this activity, we will seek some type of measure which
imposes costs upon you.'' And we just do not think it's a
proportional cyberattack for a cyberattack. It might be
something entirely different, like a criminal indictment or
sanctions or some other thing.
Senator Sullivan. Let me ask kind of a related question for
all three of you. How--and I know you've been discussing this,
and I'm sorry if I'm kind of going over areas that we've
already discussed, but--help us think through the issue of
rules of engagement here. I mean, we have rules of engagement
in so many other spheres of the military that are well
established. How do we think through these issues, which I
think in some ways are the fundamental aspects of what we do in
response to cyberattacks?
Admiral, do you want to take a stab at that?
Admiral Rogers. So, if you look at the defensive side, I'm
pretty comfortable that we've got a good, broad recognition of
what is permissible within a rules-of- engagement framework.
Senator Sullivan. Do we? I mean, between us and other
nations?
Admiral Rogers. I'm--I wouldn't--if you define it between
us and other nations, I would--no, I apologize. I thought your
question was in a DOD kind of responsive framework.
If you want to expand it to a broader set of nations, then
it's probably fair to say no.
Director Clapper. I would agree. I think, when it comes to
offensive--if you're thinking about offensive cyberwarfare, we
probably don't--do not have rules--defined rules of engagement.
Mr. Work. I agree with what Director Clapper said earlier,
Senator, that this really is the Wild West right now. There's a
lot of activity going on, both from nation- state actors all
the way down to criminals. And so, sorting through each of the
different attacks and trying to attribute what happened and who
it came from and who was responsible for it all demand specific
responses on these attacks.
But, I agree totally with the committee that we need to
strengthen our deterrence posture, and the best way to do that
is continue to work through these things and make sure that
everyone knows that there will be some type of cost.
Senator Sullivan. Thank you.
Thank you, Mr. Chairman.
Chairman McCain. The committee would also like to know when
there's going to be a policy that would fit into these attacks
and would then be much more easily responded to if we had a
policy, as mandated by the 2014 defense authorization bill.
I thank the witnesses for a very helpful hearing. I know
that they're very busy, and we--the committee appreciates your
appearance here today.
Thank you.
[Whereupon, at 11:38 a.m., the hearing was adjourned.]
[Questions for the record with answers supplied follow:]
Questions Submitted by Senator James Inhofe
1. Senator Inhofe. Has the DOD established a pipeline for the
development of a future cyber force?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. Each of the Military Departments has established
recruiting and retention goals to establish the pipeline for all cyber
officer, enlisted, and civilian specialties. This pipeline supports
both fielding the Cyber Mission Force and the Military Departments core
missions. The Military Departments are projecting an overall increase
in their officer and enlisted cyber specialists over the next few
years. In order to meet a new cyber force sustainment rate, the
increase will be required in order to meet anticipated separations and
retirements from the Services.
On April 17, 2015, the Secretary of Defense signed ``The Department
of Defense Cyber Strategy.'' The first strategic goal in the strategy
is ``Build and Maintain Ready Forces and Capabilities to Conduct
Cyberspace Operations.'' An entire line of effort is dedicated to
fostering a viable career path for military personnel and improving
recruitment and retention processes for the most highly skilled
military cyber personnel. This effort will focus on validating current
career paths, determining future military cyber billet structure and,
within military manpower plans, evaluation of areas where specialized
skills and assignments fit within the overall career progression
structure.
Similar to the military workforce, the ``Cyber Strategy'' requires
the Department to improve civilian recruitment and retention for cyber-
related personnel by the end of 2016. This effort is on track to
deliver the needed governance structure, policies and implementation
plan to meet the 2016 target.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
2. Senator Inhofe. Are universities and technology institutions
graduating both the numbers needed to fill force requirements and
personnel with the right skill sets to ensure we maintain a dominant
offensive and defensive capable cyber force?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. I have noted that academic universities and
technology institutions are focusing on digital communications,
forensics, and cybersecurity. Many university programs are nascent and
remain focused on computer science. There is also an important element
of cyber operations which involves sociology and ethnography. These
degrees have direct relationship to the Military Department Cyber
workforce and contribute to building a professional and well-trained
team. I have noted many institutions are reluctant to include curricula
on offensive capabilities. In order to understand the cyber domain,
graduates from universities and institutions must be exposed to
offensive, defensive, and sociocultural capabilities during their
course of instruction.
Additionally, the Department supports the National Initiative for
Cyberspace Education (NICE). In the Department of Defense Cyber
Strategy, the Department is tasked to develop policies to support NICE,
and working with interagency partners and educational institutions, the
Department will provide input to NICE, thereby announcing the
Department's requirements to universities and technology institutions.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
3. Senator Inhofe. How are we addressing the recruiting and
sustainment of personnel to eliminate critical cyber expert shortages?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. The DOD Cyber Strategy, published in April 2015,
challenged the Department to improve recruiting and sustainment under
the heading of Cyber Workforce Development. The subsequent
implementation plan included well-defined objectives and timelines. The
Department's first priority is to develop a ready Cyber Mission Force
and associated cyber workforce to make good on the significant
investment in cyber personnel, and to help achieve many of the
objectives in the DOD Cyber Strategy. This workforce will be built on
three foundational pillars: enhanced training; improved military and
civilian recruitment and retention; and stronger private sector
support.
The Department requires an individual and collective training
capability to achieve the goals outlined in the DOD Cyber Strategy and
to meet future operational requirements. This training capability,
identified as the Persistent Training Environment, is a cornerstone
objective highlighted in the strategy and will contribute to both
recruiting and sustainment of cyber experts. US Cyber Command will work
with other components, agencies, and military departments to define the
requirements and create a training environment that will enable the
total cyber force to conduct joint training (including exercises and
mission rehearsals), experimentation, certification, as well as the
assessment and development of cyber capabilities and tactics,
techniques, and procedures for missions that cross boundaries and
networks.
The second objective addresses military personnel recruitment and
retention. In terms of recruiting, DOD has an operational mission in
cyber that is unavailable in the private sector, a unique mission focus
should be used to motivate people to serve in the DOD. Solving the
Department's shortages for cyber experts is a supply and demand
problem; as such, we must right size our training pipelines to
accommodate those we retain as well as those that will leave for the
private sector.
We have completed recruitment research determining personality and
technical attributes needed for successful cyber operators. Based on
that research, the Department is exploring instruments to identify
those individuals. These instruments are being evaluated in a second
pilot of the Cyber Operators Course which demonstrates a new learning
practice approach for cyber.
To aid retention, DOD must demonstrate commitment via additional
training and development for our cyber workforce. Throughout the course
of this strategy, and following the Cyber Mission Force decisions of
2013, the Department will continue to foster viable career paths for
all military personnel performing and supporting cyber operations.
Another objective of Cyber Workforce Development is to improve
civilian recruitment and retention. In addition to developing highly-
skilled military personnel, the Department must recruit and retain
highly-skilled civilian personnel, including technical personnel for
its total cyber workforce. Civilians must follow a well-developed
career path. The cyber career path will include an advancement track
and best-in-class opportunities to develop and succeed within the
workforce. A related effort is support of exchanges between DOD and
industry.
In January 2016, Congress provided the Department the ability to
adopt Title V Exempted Service hiring authorities for US Cyber Command
and the Service Cyber Headquarters civilian employees. Exempted Service
hiring authorities will help motivate key civilians to serve in the
Department of Defense, and will assist in retaining them for career
service.
The DOD should also leverage public and private partnership to
identify promising candidates within the academic pipeline. To
supplement the civilian cyber workforce, for example, the Department
must employ technical subject matter experts from the best
cybersecurity and information technology companies in the country to
perform unique engineering and analytic roles.
Many of the best practices, both in recruiting and retention, have
already been identified by the National Security Agency (NSA)--who we
are actively working with, to scale those initiatives to support DOD.
We are also looking at more diverse training pathways, including
leveraging universities and their Reserve Officer Training Corps
programs. The Department is working with all appropriate organizations
in pursuit of innovative and effective solutions to recruitment and
sustainment needs of the cyber workforce.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
weapons security
4. Senator Inhofe. How concerned are each of you with cyber
vulnerabilities in our existing weapons systems?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. I am very concerned about cyber vulnerabilities in
Department of Defense weapons systems. My concern stems from the lack
of efficient opportunities to modernize and update the underlying
electronic infrastructure and operating systems of those weapon
systems. New vulnerabilities are routinely discovered, but the existing
list of known vulnerabilities is both lengthy and costly to mitigate.
Admiral Rogers. Mr. Work will address cyber resilience in weapons
systems development and expanding mission assurance activities at the
Department level.
5. Senator Inhofe. Are we incorporating cyber security into the
development of all our new weapons systems during the acquisition
process?
Secretary Work. Yes. The Department is incorporating cybersecurity
into the development of all new weapons systems during the acquisition
process. DOD Instruction (DODI) 5000.02, ``Operation of the Defense
Acquisition System,'' dated January 7, 2015, contains requirements for
acquisition programs to address cybersecurity countermeasures. Program
Managers, as an element of the Systems Engineering process, have the
responsibility in their Program Protection Plan (PPP) to describe the
program's critical program information and mission-critical functions
and components; the threats to and vulnerabilities of these items; and
the plan to apply countermeasures to mitigate associated risks.
Countermeasures include cybersecurity, secure system design, supply
chain risk management, software assurance, anti-counterfeit practices,
and other mitigations. Program Managers will submit the program's
Cybersecurity Strategy as part of every PPP. In addition, during the
Test and Evaluation phase, Program Managers are responsible for
developing a strategy and budget resources for cybersecurity testing to
support design, development, and deployment decisions.
In addition, the Department is developing a cybersecurity in
acquisition enclosure to DODI 5000.02 in order to more strategically
align cybersecurity activities across the acquisition and operational
communities. This update is intended to synchronize efforts that are
underway to strengthen our cybersecurity posture and enable systems to
maintain critical mission capabilities in a cyber-contested operational
environment. The enclosure, along with the existing PPP for acquisition
programs, further defines DODI 8500.01, ``Cybersecurity,'' and DODI
8510.01, ``Risk Management Framework for DOD Information Technology,''
for defense weapon systems and acquisition programs.
dod roles & responsibilities
6. Senator Inhofe. How does the U.S. deter cyber-attacks?
Secretary Work. The Department of Defense (DOD) seeks to deter
adversaries from conducting malicious cyber activities of significant
consequence; this effort focuses on denying the adversary the ability
to achieve the objectives of a cyber-attack, being able to impose costs
on the adversary, and ensuring that our computer systems and networks
are resilient.
Key elements of a deterrence approach include declaratory policy,
indications and warning, defensive posture, response procedures, and
network resilience. DOD has a number of specific roles to play in this
approach, which are nested within DOD's core cyberspace missions and
the new DOD Cyber Strategy.
Deterrence is a function of perception and convincing a potential
adversary that the costs of conducting an attack outweigh any potential
benefits. The Department must also demonstrate the futility of such
attacks through network defense and resilience and by showing that DOD
will be able to continue its mission even while under attack. DOD must
maintain capabilities to affect an adversary's behavior by shaping the
environment, controlling escalation, and, when necessary, imposing
costs.
7. Senator Inhofe. Do you consider all cyber-attacks against the
U.S. a national security threat? If no, how do you determine what
constitutes a national security threat?
Secretary Work. Not all malicious cyber activities directed towards
the United States constitute a national security threat, but some may
rise to that level. The determination of what constitutes a national
security threat, in or out of cyberspace, would be made on a case-by-
case and fact-specific basis by the President. There would likely be an
accompanying assessment of the seriousness of a particular act. Cyber
activities that cause death, injury, or significant destruction would
be carefully assessed to determine if they should be considered
unlawful attacks or ``acts of war.'' The context for these events would
also be important to consider, and cyber activities should not be
viewed in isolation.
8. Senator Inhofe. What triggers DOD involvement in a cyber-attack
against the U.S.?
Secretary Work. The Department of Defense (DOD) is involved on a
daily basis in countering cyber-attacks against the United States
through the defense of its own networks, which are constantly under
attack.
In addition to defending its own networks, one of DOD's three
missions in cyberspace is to be prepared to defend the United States
and its interests against cyber-attacks of significant consequence. If
directed by the President or the Secretary of Defense, the U.S.
military may conduct cyber operations to counter an imminent or on-
going attack against the U.S. homeland or U.S. interests in cyberspace.
The purpose of such a defensive measure is to blunt an attack and
prevent the destruction of property or the loss of life.
In the event of an attack on domestic interests that are not of
national security consequence, DOD may respond in a supporting capacity
to requests for assistance from the Department of Homeland Security,
the Federal Bureau of Investigation, as well as other departments and
agencies.
9. Senator Inhofe. Do you have the rules of engagement you need or
do they need to be modified?
Secretary Work. Rules of engagement are one of the many factors we
consider when planning cyber operations. The current rules of
engagement do not unduly restrict our ability to carry out current
operations. The Department continually reassesses the rules of
engagement required to complete its assigned missions.
__________
Questions Submitted by Senator Kelly Ayotte
detention facility at gtmo
10. Senator Ayotte. Secretary Work, why does it make sense to this
administration to provide weapons to moderate Syrian fighters but not
to Ukraine--a legitimately elected democracy simply seeking to maintain
their territorial integrity, protect their sovereignty, and choose
their own future?
Secretary Work. Our different approaches towards resolving the
conflicts in Syria and Ukraine reflect our assessment of the most
effective ways for countering threats emanating from each country. In
Syria, countering the Islamic State of Iraq and the Levant (ISIL)
threat requires sustained kinetic strikes against the group and
enabling local forces that defend against and eventually go on the
offense against the group. For this reason, the Department is committed
to its objective of providing support--including weapons and
ammunition--to moderate Syrians fighting ISIL and will focus on finding
ways to enable already successful counter-ISIL operations by groups on
the ground.
As the President has said, the provision of defensive lethal
assistance to Ukraine remains an option; however, assistance to date
has been calibrated towards supporting a diplomatic solution to the
crisis. Since the first of September, a ceasefire has held and the
parties are now moving toward elections and greater implementation of
the Minsk Agreements. While not providing lethal assistance, we have
committed substantial resources to help Ukraine, with more than $266
million in equipment and training committed since the beginning of the
crisis.
vulnerability of dod's weapons to cyber attack
11. Senator Ayotte. As you noted in your prepared statement,
Secretary Work, ``Without secure systems, we cannot do any of our
missions.'' Admiral Rogers and Secretary Work, can we be confident that
America's military systems (IT systems, as well as strategic and
conventional weapons) will function properly if we are forced to engage
in a full spectrum conflict against a near pear competitor employing
sophisticated cyber attacks?
Secretary Work. I cannot say that I am one hundred percent
confident that our military systems will be able to withstand a
sophisticated cyber-attack. That said, we are doing what we can,
through three mission areas, to mitigate this risk and to raise our
level of confidence.
The first mission area is focused on defending our own networks and
weapons because they are critical to what we do every day. We consider
this form of mission assurance to be our top priority, and we have put
in place mechanisms to reduce risk, enhance resilience, and increase
accountability for mitigation of vulnerabilities. Second, we help
defend the nation against cyber threats--especially if they would cause
loss of life, property destruction, or significant foreign policy and
economic consequences. Our third mission is to provide integrated cyber
capabilities to support military operations and contingency plans, if
directed by the President or the Secretary of Defense.
Admiral Rogers. [Deleted.]
12. Senator Ayotte. DOD's Defense Science Board produced a January
2013 Task Force Report entitled ``Resilient Military Systems and the
Advanced Cyber Threat''. Secretary Work, what steps to improve this
situation has DOD undertaken since this January 2013 report?
Secretary Work. Since the study, there have been significant
leadership initiatives to address cyber, as evidenced by Department
policy, investment, and boards. With the participation of the United
States Strategic Command and the Department of Defense (DOD) Chief
Information Officer, the Department has conducted a series of cyber
risk assessments, and we are now proceeding to identify and prioritize
elements of conventional force structure, platforms, and weapon systems
for cyber resilience. In accordance with the DOD Cyber Strategy, the
Department has refocused intelligence to be able to understand,
predict, and attribute cyber capabilities, plans, and intentions of
adversaries. The Department has also established and are manning,
training, and equipping the Cyber Mission Forces (CMF). The Department
is also building both offensive capabilities and capabilities to
respond to cyber-attacks.
To combat mid-tier threats, the Department maintains defense of
information environments as a top priority, and evaluating key cyber
terrain using CMF Cyber protection teams. To change the DOD culture
regarding cyber and cyberspace security, the Department has initiated
accountability scorecards and expanded workforce training. The
Department is equipping program managers, updating policy, and
expanding the capability and use of red teams to evaluate and adjust
designs, acquisition, and operations. In addition, the Department is
continuing to leverage the Defense Science Board's wise counsel through
a number of studies currently underway on the subjects of cyber
defense, supply chain, and deterrence.
13. Senator Ayotte. Secretary Work, how are we incorporating
lessons learned regarding cyber resilience into programs for new DOD IT
systems and weapons systems?
Secretary Work. The Department of Defense (DOD) is implementing
risk-based approaches to manage evolving cybersecurity threats, achieve
mission objectives, and develop resilient weapon systems and
information systems by better integrating cybersecurity activities
during system development. DOD cybersecurity policy \1\ requires that
robust cybersecurity processes be applicable to all systems containing
information technology, including weapons systems. DOD is developing
guidance for a new cyber survivability element of the System
Survivability key performance parameter.
---------------------------------------------------------------------------
\1\ Including DODI 8500.01, ``Cybersecurity,'' dated March 14,
2014, and DODI 8510.01, ``Risk Management Framework for DOD Information
Technology,'' dated March 12, 2014.
---------------------------------------------------------------------------
To achieve stringent DOD mission assurance goals, we are enhancing
system security engineering, expanding early testing to include cyber
resiliency, updating requirements for survivability, and updating how
program protection planning is executed in the defense acquisition
system. In addition, DOD continues to mitigate cyber vulnerabilities in
systems and conducts operational tests assuming a cyber-contested
environment.
14. Senator Ayotte. Secretary Work, is there a systematic process
that requires program managers to incorporate cyber resilience into DOD
programs from the beginning rather than as an afterthought?
Secretary Work. Resiliency is an essential element of an overall
Department cyber defensive strategy. While traditional strategies have
focused on keeping cyber adversaries ``out,'' more effective new
strategies, combined with a resiliency focus, ensure that critical
capabilities continue despite successful attacks. Program managers
address cyber resilience requirements in their system technical
requirements, which are included in technology and product development
solicitations and inform system definition and design. The
cybersecurity risk management guidebook for program managers and the
new cybersecurity enclosure to the Department's acquisition system
policy reinforce incorporation of cyber resilience and cybersecurity
requirements starting from the beginning of the system life cycle.
Program protection plans, supply chain risk management analysis, test
planning, and life cycle management processes are being adjusted and
improved to enhance our systems' ability to operate in a cyber-
contested environment and maintain robustness.
These efforts to place requirements, develop cyber resilient
systems, expand the Department's testing regime, and equip program
managers to work effectively with industry will enhance the
Department's ability to deliver cyber resilient systems through
acquisition by considering integrated cyber risk management and early
development of plans to proactively ensure that cyber resilience is
maintained throughout the life cycle.
russian inf violations and dod response
15. Senator Ayotte. Secretary Work, you agreed in the hearing that
Russia has violated the INF. Why is DOD waiting for Russia to field the
system in question to respond if Russia has already violated the INF by
flight testing the respective system? Is violation of the treaty not
enough to respond?
Secretary Work. The Administration is not waiting on Russia to
field this system and is examining options to respond to the Russian
violation. The Intermediate-range Nuclear Forces (INF) Treaty has
served the strategic interests of the United States, North Atlantic
Treaty Organization Allies, and Russia since it entered into force. The
Administration is seeking to convince Russia that it is in its interest
to return to compliance. However, American patience is not without
limits; accordingly, the Department is considering an array of
responses to the Russian violation that will ensure Russia gains no
significant military advantage from its violation.
better use of guard and reserve to improve our cyber readiness
16. Senator Ayotte. Secretary Work, in your prepared statement you
note that ``Successfully executing our missions in cyberspace requires
a whole-of-government and whole-of-nation approach.'' Admiral Rogers
and Secretary Work, in light of this growing cyber threat and the need
to respond with a ``whole-of-government and whole-of-nation approach'',
how can we better utilize our nation's Reserve and National Guard
forces to 1) defend DOD systems; 2) defend the nation against major
cyber-attacks; and 3) provide cyber support to operational commanders?
Secretary Work. The Army will implement one full-time Army National
Guard Cyber Protection Team (CPT), and ten part-time Army National
Guard CPTs. The Air Force will leverage 12 Air National Guard Cyber
Operations Squadrons to develop two full-time CPTs, three Air National
Guard squadrons to develop the cyber operations component of one
National Mission Team, and will create one Air Force Reserve unit in a
classic associate unit construct to comprise three cyber mission force
required CPTs. The Navy and Marine Corps will continue to augment
vacancies in their Cyber Mission Force (CMF) teams by leveraging their
Reserve Forces as individual mobilization augmentees.
Continuing to rotate National Guard forces through the CMF and
improving synchronization of federal interagency and the state response
(including State use of National Guard cyber capabilities) provides the
Department a method to better utilize National Guard capabilities.
Integration of the National Guard into the CMF provides surge
capability to the Department. This capability also makes experienced
units available to the Governors for State use when not in federal
service. Continuing to improve synchronization of Federal and State
responses will allow for more effective use of the National Guard as a
state response resource and foster better information sharing across
whole-of-government and whole-of-nation in defense of the nation.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
nsa-like authorities for dhs
17. Senator Ayotte. Director Clapper and Admiral Rogers, the
Federal Information Security Management Reform Act of 2015 (FISMA
Reform) was introduced in July and it would benefit immensely our
federal civilian network security from streamlined and clear
authorities for DHS, which has the lead for safeguarding the cyber
domain for federal civilian agencies (.gov), yet has limited authority
to do so. How important is it to be able to move quickly, decisively,
and with legal authority when an intrusion is detected?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
18. Senator Ayotte. Admiral Rogers, how important is it to have a
clear delineation of responsibilities to act?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
19. Senator Ayotte. Director Clapper and Admiral Rogers, based on
your experience, what are the most important aspects of robust
detection and mitigation of cyber intrusions?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Admiral Rogers. Ideally, cyber intrusions are detected and
mitigated at machine speed using automation. End point protection
capabilities, such as Host Based Security System (HBSS), along with
additional layers of defense at various tiers throughout the Department
of Defense Information Network (DODIN) provide a wide breadth of
protection. These multiple layers of protection (i.e. HBSS, Web Content
Filtering (WCF), Demilitarized Zone (DMZ), etc.) provide sensing and
blocking of threats at all tiers within the DODIN architecture along
with the associated command and control (C2) to drive response actions
should automated mitigation fail. In addition to these efforts, the
commercial sector, mission partners, DOD Components, and the
Intelligence Community (IC) all play a crucial role regarding
information sharing and strengthening the security posture of the
DODIN. The other most important aspect of robust detection and
mitigation of cyber intrusions is trained personnel at the network
operations centers, at the Computer Network Defense Service Providers,
and throughout the Cyber Mission Force. If the end point protection
system does not catch the initial download of malicious software, it
takes the operators' keen observation of network activity or the
analysts' scrutiny of security logs to detect adversary activity and
take action to eradicate adversary presence on the network. In
addition, current and effective policy and processes improve our
ability to block potential threats to the DODIN.
genocide in iraq and syria?
20. Senator Ayotte. Director Clapper, according to the United
States Commission on International Religious Freedom's annual report
for 2015, Yazidis and Christians in Iraq and Syria have endured a
``systematic campaign'' of persecution which has included summary
executions, forced conversions, rape, sexual enslavement, child
abduction, and destruction of houses of worship. Do you assess that
ISIS has undertaken a ``systematic campaign'' of persecution against
religious and ethnic minorities?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
21. Senator Ayotte. Director Clapper, article II of the 1948 United
Nations Convention on the Prevention and Punishment of the Crime of
Genocide defines genocide as any act committed with the intent to
destroy all or part of a national, ethnic, racial, or religious group.
Based on your knowledge of the situation in Iraq and Syria, do you
assess that ISIS's actions in Iraq and Syria against religious and
ethnic minorities amounts to genocide?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
u.s. military superiority and chinese cyber theft
22. Senator Ayotte. All witnesses, how would you characterize the
scale and severity of the cyber theft that China is committing against
U.S. defense companies?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. That is a difficult question to answer. The full
extent or pervasiveness of China's infiltration and persistence within
the Defense Industrial Base, or other commercial entities is unknown.
There are several objectives listed within the Department of
Defense (DOD) Cyber Strategy (objectives 2(m), 2(o), 2(p), and 2(q))
that specifically focus on the problem related to the theft of
intellectual property. Accordingly, the Office of the Under Secretary
of Defense for Acquisition, Technology, and Logistics is well on its
way toward establishing a Joint Acquisition Protection and Exploitation
Cell to link intelligence, counterintelligence, law enforcement, and
acquisition communities to enable Controlled Technology Information
protection efforts across the DOD enterprise. Such a cell would allow
DOD, by the end of 2016, to mitigate future losses proactively and to
exploit opportunities to deter, deny, and disrupt adversaries that may
threaten the U.S. military advantage.
Finally, DOD is not addressing this problem alone. For example,
objectives 2(o) and 2(q) of the DOD Cyber Strategy call for further
voluntary and cooperative engagement between the Defense Industrial
Base and DOD. Through these objectives, the Department is promoting
cyber threat awareness, information sharing, and collaboration on
technical innovations geared toward disrupting and denying the theft of
intellectual property.
Admiral Rogers. [Deleted.]
23. Senator Ayotte. All witnesses, how has this theft impacted U.S.
military superiority relative to China?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. China's cyber-enabled theft of intellectual
property from U.S. defense companies has likely eroded, though not
negated, U.S. military superiority relative to China. As Secretary
Carter has emphasized, it would take years for any country to build the
military capability the United States has today. Nevertheless, the
Department will continue to make the investments necessary to maintain
military dominance, while continuing to take all lawful measures to
stop the theft of information.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
policy changes
24. Senator Ayotte. Admiral Rogers, what specific policy/statutory
changes are needed to help CYBERCOM?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
cyber and the reserve component
25. Senator Ayotte. Secretary Work and Admiral Rogers, Secretary
Carter outlined a program to engage with the civilian sector in Silicon
Valley. In terms of cyber, what other efforts are ongoing to capitalize
on the technology center of excellence? How might you use the Reserve
Component to do the same thing?
Secretary Work. The Defense Innovation Unit Experimental (DIUx) has
engaged deeply with the cyber-related companies in Silicon Valley. As
an example, on October 20, 2015, DIUx hosted a Cyber Showcase for ADM
Rogers, where seven newly formed companies presented their technologies
to an audience that included government experts, cyber-related
companies, and Silicon Valley venture capitalists. As a result of this
showcase, the Department is exploring pilot projects with several of
these companies. This is just one aspect of the DIUx mission to engage
with the Silicon Valley innovation ecosystem.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
26. Senator Ayotte. Secretary Work and Admiral Rogers, to protect
our country against cyber theft and attack requires coordination with
many civilian agencies and state governments. How is the Reserve
Component being leveraged to do this?
Secretary Work. The Reserve Component is already engaged in
associate unit roles, training functions, and fully integrated into
Cyber Command and Control and operational units. A key reason these
units are successful is many of the Reserve members are also full time
industry experts in areas such as cybersecurity, digital forensics, and
many other relevant networking essentials. Their commercial experience
and certifications are directly brought to bear when in their Reserve
role supporting States and the interagency. Capitalizing on commercial
best practices is a common thread the Reserve teams bring to the cyber
workforce. Exercises such as US Cyber Command's CYBER GUARD provide an
opportunity for Guard, Reserve, and Active Duty to focus on the cyber
aspect and work with critical infrastructure providers. States and
federal agencies, including the Department of Homeland Security,
determine procedures, requirements, and authorities required for our
national security.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
27. Senator Ayotte. Secretary Work and Admiral Rogers, what has
been done--and what still needs to be done--to assure National Guard
cyber mission forces receive the required number of military school-
house seats, training days and other resources needed to leverage their
civilian-acquired cyber skills for protection of our national security
interests?
Secretary Work. National Guard and Reserve forces are part of the
overall total force's training requirements. Each of the Services
prioritizes its training capacity to ensure cyber mission forces are
brought on-line as quickly as possible. In collaboration with US Cyber
Command, the National Security Agency's Associate Director for
Education and Training (ADET) has increased training capacity,
providing seats for both the Active and Reserve Components.
Additionally, ADET has offered guidance and assistance to the National
Guard's Professional Education Center and to the US Cyber Command
Reserve Force Advisor on how to meet the Reserve Component demand for
general cyber training. This effort continues. Early on in the fielding
of the Cyber Mission Force, the Department recognized the need for a
mechanism to evaluate Services members' skills and experience and
provide credit where appropriate. US Cyber Command's Individual
Training Equivalency Board was created to provide members of the Active
and Reserve Components equivalency based on their civilian acquired
skills. This board minimizes the overall training demand and more
quickly provides the nation with a cyber capability.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
iran
28. Senator Ayotte. Director Clapper, does Iran continue to develop
capabilities useful for an ICBM program? When do you estimate that Iran
will attain an ICBM capability?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
__________
Questions Submitted by Senator Mike Rounds
china
29. Senator Rounds. Director Clapper, Secretary Work and Admiral
Rogers, last week, the President announced that the United States and
China have agreed not to conduct or knowingly support cyber enabled
theft of intellectual property including trace secrets or other
confidential business information for commercial advantage. Isn't this
agreement made meaningless by the fact that China has repeatedly denied
that it engages in the activities this agreement purports to stop?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. The United States has been clear with the Chinese
Government that the United States is watching to ensure that the
Chinese follow through on their commitment. Should China continue to
engage in cyber-enabled economic theft, the United States can now hold
China accountable for adhering to its own promise, rather than arguing
over China's previous claims that economic theft is no different than
traditional intelligence collection. It is important to note that these
commitments do not take off the table any options that we might use to
defend our companies from malicious cyber threats. As President Obama
stated in September 2015, if China's aggressive cyber actions do not
stop, the United States is prepared to take countervailing actions at
the time and place of our choosing.
Admiral Rogers. The United States and China have reached a common
understanding on the way forward, which is what matters. We have agreed
that neither the United States nor the Chinese government will conduct
or knowingly support cyber-enabled theft of intellectual property,
including trade secrets or other confidential business information for
commercial advantage. We are watching carefully to make an assessment
as to whether progress has been made in this area. The Department is
focused on working with Congress, other U.S. departments and agencies,
and the private sector to strengthen our ability to detect, attribute,
and respond to future cyber intrusions.
30. Senator Rounds. Have you assessed whether you would be able to
adequately verify such an agreement?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. Yes, the Department and Intelligence Community will
work to verify the cyber agreement reached during President Xi
Jinping's 24-25 September 2015 state visit. The agreement consisted of
four key commitments focused on the provision of assistance and
information on, and investigation of, malicious cyber activities; that
either state would not conduct or knowingly support theft of
intellectual property with the intent of providing competitive
advantages to companies or commercial sectors; to identify and promote
norms of behavior in cyberspace within the international community; and
establish a high level joint dialogue mechanism on fighting cybercrime
or related issues. The ``trust, but verify'' whole-of-government
approach will be implemented through traditional intelligence methods
and enhanced with engagement via open dialogue to ensure transparency.
The United States will have to watch China's behavior, and it will
be incumbent on the Intelligence Community to depict and help portray
to policymakers what behavioral changes, if any, may result from
confronting the Chinese with evidence of any transgression or violation
of this agreement. In addition, the United States will need to continue
to use all instruments of national power to deter this kind of behavior
and work closely with interagency and international partners to explore
additional whole-of-government approaches to impose costs on China in
order to deter unacceptable behavior.
Admiral Rogers. The DOD, in coordination with other Departments and
Agencies, as well as the private sector, continues to improve our
capacity to detect, attribute, and respond to cyber intrusions.
31. Senator Rounds. Are you aware of any commitments by China to
stop stealing personally identifiable information such as the hack
against Anthem that included the information of nearly 80 million
Americans? What about OPM?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. No. The cyber agreement and associated commitments
reached during President Xi Jinping's 24-25 September 2015 state visit
did not address personally identifiable information (PII). As for the
specific hacking examples given in this question, it should be
acknowledged that these unattributed activities have been characterized
by the Intelligence Community as a form of ``cyber espionage.'' As
illustrated so dramatically by the OPM breaches, counterintelligence
risks are inherent when foreign intelligence agencies obtain access to
an individual's PII and virtual identifiable information. Hence we can
expect foreign intelligence agencies and non-state entities to continue
to target PII using a variety of physical and electronic methods for
espionage purposes.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
response to cyber attacks on u.s. forces
32. Senator Rounds. Admiral Rogers, you have advocated that cyber
could be treated like any other military domain: air, land, sea, and
space. In that context, do you believe the response to a cyber-attack
on the U.S. or our forces overseas should be based upon the same
policies governing response to a kinetic attack?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
33. Senator Rounds. If not, how should our responses differ for a
kinetic attack versus a cyber-attack?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
34. Senator Rounds. How might our response vary depending upon
which nation conducted the cyberattack, specifically Russia, China,
North Korea, or Iran?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
35. Senator Rounds. If yes, why have we taken no action against the
Chinese after the devastating cyber-attacks they have conducted against
us?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
36. Senator Rounds. If yes, how can we attribute the attack? How do
we detect the `fingerprints' of an attacker?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
__________
Questions Submitted by Senator Ted Cruz
cyber attacks combined with conventional or nuclear attacks
37. Senator Cruz. Director Clapper, would you rank and characterize
the threat level of the cyber capabilities demonstrated by Russia,
China, Iran, and North Korea?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
38. Senator Cruz. Is there a particular signature or methodology to
the cyber capabilities we see each of these countries developing?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
39. Senator Cruz. Admiral Rogers, how robust are the efforts of
Russia, China, Iran, and North Korea to integrate cyber operations into
their conventional or nuclear warfare strategies?
Admiral Rogers. [Deleted.]
40. Senator Cruz. How capable are they of sowing confusion or
casting doubt on the reliability or effectiveness of the radars, space
based systems, and other early warning systems that we or our allies
use?
Admiral Rogers. [Deleted.]
cyberespionage, cybercrime, and cyberwarfare
41. Senator Cruz. Director Clapper, Secretary Work, and Admiral
Rogers, how do you distinguish the difference between cybercrime, cyber
espionage, and cyber warfare?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. The Department of Defense approaches cyberspace as
a domain, alongside air, maritime, ground, and space. The distinctions
between crime, espionage, and warfare in cyberspace are made similarly
to how they would be made in any other context; taking into account the
nature and effects of an action and the actor initiating it.
Cybercrime refers to any illegal activity that uses a computer as
its primary means of commission. It can take a variety of forms, from
online fraud, to cyberstalking, to data theft.
Cyberespionage is the use of computer systems and/or networks in
order to obtain, deliver, transmit, communicate, or receive information
about national defense with an intent, or reason to believe that the
injury may be used to injure the United States or the advantage of a
foreign nation. Espionage is a violation of Title 18 of the United
States Code and would also be considered a cybercrime.
Warfare in and through cyberspace is typically conceptualized as
state-on-state or state-on-nonstate action equivalent to an armed
attack or use of force in cyberspace that may trigger a military
response with a proportional use of force.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
42. Senator Cruz. Do you believe that gaining access or
infiltrating critical infrastructure is an act of espionage, or an act
of warfare?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. Critical infrastructure--the physical and virtual
assets, systems, and networks vital to national and economic security,
health, and safety--is vulnerable to cyberattacks by foreign
governments, criminal entities, and lone actors. In cases involving
cyberespionage, the attacker establishes access, periodically revisits
the victim's network, and steals their intellectual property. By
contrast, in cases of cyber warfare, if an adversarial nation launches
a sophisticated, targeted cyber-attack that takes down significant
parts of our critical infrastructure, the consequences could be
significantly disruptive or potentially devastating. Determining
whether such an incident would constitute cyberespionage or an act of
warfare would depend upon the facts of the case.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
43. Senator Cruz. Do you believe that damaging or destroying those
systems constitutes an act of cyber warfare?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. The United States is vulnerable to cyber intrusions
and potential cyberattack against our critical infrastructure.
Cyberattacks can affect our critical infrastructure, the national
economy, and military operations. Determination of whether an incident
is an act of war should follow the same practice as in other domains,
because it is the severity, not the means of an attack, which matters
most. Whether a particular attack is considered an ``act of war,'' in
or out of cyberspace, requires determination on a case-by-case and
fact-specific basis. Malicious cyber activities could result in death,
injury, or significant destruction. Any such activities would be
regarded with the utmost concern. The Department is pursuing several
initiatives to reduce our vulnerabilities and works in close
collaboration with Department of Homeland Security on protecting
critical infrastructure.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
44. Senator Cruz. How would you classify theft or alteration of
personnel information in a database? How would you classify disruption,
degradation, or destruction of sensors and early warning systems?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. The Department takes these kinds of actions very
seriously and classification of specific actions such as these must be
made on a case-by-case basis, according to the facts. In the case of
theft or alteration of personnel information in a database, we would
assess the action, the actor, the effects and the possible intent.
Depending on the assessment, such actions would be considered acts of
espionage or criminal acts. We would make a similar assessment for
disruption, degradation, or destruction of sensors and early warning
systems. Such actions could be considered a use of force depending on
the specific circumstances.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
45. Senator Cruz. In instances where these activities might cross
lines or lie across multiple definitions, how will the scope and scale
of the instance be considered?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. Malicious cyber activity could potentially cross
categories or definitional lines depending on the specific facts of
each case. The scope and scale of a particular act will be an important
consideration for policymakers, for example, the scope/scale of any
impacts on services being provided to citizens or scope/scale of damage
to property.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
46. Senator Cruz. Is there a timeframe or window for that
consideration?
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Secretary Work. There is no specific timeframe for determining how
a cyberattack should be categorized or defined. While the Department
must be prepared to respond very quickly to blunt or respond to a
cyberattack, the United States reserves the right to respond to
malicious cyber activity at a time, place, and manner of its choosing.
These determinations must be made on a case-by-case and fact-specific
basis, with due consideration for the seriousness of a particular act.
Based on the specifics of the situation, departments and agencies work
as quickly as possible to provide their assessments of a particular
situation to the President and his national security team.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
norms in cyberspace and deterrence
47. Senator Cruz. Director Clapper stated that the absence of
universally accepted and enforceable norms has contributed to cyber
threats we face. However, I would argue that it isn't just an absence
of norms. The Ayatollah in Iran cares nothing for international norms;
neither does ISIS. Similarly, Putin cares little about the
international community and will act if he believes he can get away
with it. We talk of norms, but the Chinese have a long track record of
flouting the legal guidelines for intellectual property. Despite
China's membership in the World Trade Organization, they consistently
fail to fulfill WTO obligations. The glaring reality is that we must
have a means to visibly deter our adversaries and holding them
accountable if they choose to conduct offensive operations against our
national security interests. Admiral Rogers, what do you require in the
form of policy or guidance in order to improve our deterrence
capabilities?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
48. Senator Cruz. Admiral Rogers, if tasked to do so, do you
possess the capabilities to effectively retaliate against any adversary
in the cyber domain?
Admiral Rogers. (Deleted.]
49. Senator Cruz. Admiral Rogers, if so ordered, could you destroy
networks and devices, or harm physical infrastructure in the states or
regions that choose not to follow norms of behavior? If not, what would
it take to develop those capabilities?
Admiral Rogers. [Deleted.]
50. Senator Cruz. Admiral Rogers, if the Chinese continue to
violate norms of behavior surrounding intellectual property and defense
information, do you possess the capability to tear down the Great
Firewall and reveal to the citizens of China the extent of censorship
the Communist Party imposes on them?
Admiral Rogers. [Deleted.]
51. Senator Cruz. Secretary Work, how do you plan to engage the
other pillars of influence in response to a cyberattack?
Secretary Work. The Administration is pursuing a comprehensive
strategy to confront malicious cyber actors. That strategy includes
diplomacy, law enforcement, and other measures such as sanctions on
individuals or entities that engage in certain significant, malicious
cyber-enabled activities. The Department is fully integrated in the
Administration's efforts to ensure a cyberattack is met with a whole-
of-government response. The Department coordinates closely with the
Department of Homeland Security, the Federal Bureau of Investigation,
and other departments and agencies across the government, as well as
key stakeholders outside of government. The intent of this approach is
to ensure the United States can respond in any manner appropriate at
the time, manner, and place of our choosing as the President has
previously stated.
52. Senator Cruz. Secretary Work, do you have the necessary tools
to isolate and retaliate against the aggressor, particularly if that
aggressor is a non-state actor?
Secretary Work. The Department of Defense has demonstrated its
ability to isolate and remove malicious actors from our networks
effectively, regardless of whether they are a State or non-State actor.
The Department continues to develop tools and capabilities to improve
the timeliness of responses, to harden defenses, and to mitigate any
malicious activity.
The Department continues to develop our cybersecurity response
capabilities, but any response to malicious cyber activity will be at a
time, manner, and place of the President's choosing. Potential
aggressors must know that we will be able to hold them accountable,
using appropriate instruments of U.S. power and in accordance with
applicable law.
adequate resources for cybersecurity
53. Senator Cruz. Admiral Rogers, you coordinate the efforts of the
National Mission Teams responsible for defending the nation's critical
infrastructure. Toward that end, how many state backed adversaries or
groups are you currently monitoring and countering, how many non-state
actors or groups are you currently monitoring and countering, and how
many National Mission Teams currently work full time to counter these
groups?
Admiral Rogers. [Deleted.]
54. Senator Cruz. Admiral Rogers, do you believe that you have
adequate resources to offset the number and volume of threats, and
defend the critical infrastructure and defense networks of this nation?
Admiral Rogers. [Deleted.]
__________
Questions Submitted by Senator Jack Reed
authority for imposing sanctions on china for industrial espionage
55. Senator Reed. Secretary Work, President Obama in April 2015
signed an executive order establishing a process to impose sanctions
for industrial espionage through cyberspace under the International
Emergency Economic Powers Act (IEEPA) and other authorities and
statutes. Prior to this action, Senator Levin and Senator McCain, with
co-sponsors, included a provision (section 1637) in the Fiscal Year
2015 NDAA granting the President under IEEPA to impose such sanctions.
Yet, to my knowledge, the President and his staff have not referenced
this congressional grant of authority that buttresses the order he
imposed. Since the President's power is at its strongest when he acts
with congressional concurrence, and since doing so would help to
persuade China of our seriousness, the President's omission is more
than curious. Do you have an explanation for why the President has not
cited this explicit congressional support for threatening and imposing
sanctions in response to industrial espionage through cyberspace
Secretary Work. My understanding is that the Administration
supports and welcomes section 1637 of the National Defense
Authorization Act for Fiscal Year 2015 and views it as a valuable tool
for compelling foreign countries, including China, to refrain from
economic or industrial espionage in cyberspace.
encryption
56. Senator Reed. Admiral Rogers, twice in the 1990s NSA rang alarm
bells over encryption, predicting that strong encryption would become
ubiquitous. The first time was in the early-to-mid 90s, when NSA
proposed the adoption of the so-called ``Clipper Chip'' that would
enable the government to access unenciphered content through legal
processes. The second time was in the late 90s when companies overseas
began selling strong commercial encryption and U.S. companies demanded
easing of export controls to enable them to compete globally. In both
cases, the dire predictions of NSA and law enforcement officials did
not materialize. What makes this situation different?
Admiral Rogers. Since the mid-90's, encryption has grown in
complexity and difficulty, and it is now used to protect millions of
daily communications across the global network. It is used by friend
and foe alike. However, the National Security Agency (NSA) would not
describe the situation as ``dire.'' The prevalence of encryption across
the global network is good for the nation. It protects our daily
commerce, and is an important element of cyber defense for individuals,
corporations, and government.
At the same time, the prevalence of encryption has provided
adversaries of the United States the ability to communicate in a way
that impairs the Intelligence Community's ability to gather information
and understand their actions and motives. There is no one-size-fits all
approach to dealing with the challenge of encryption. NSA continues to
explore new techniques and methods to counter adversary use of
encryption. Continued support of NSA's investment in world class
technical talent, as well as the technology and tools needed to counter
encryption is vital to give us the best chance of success.
elevating cyber command to a unified command and sustaining the ``dual
hatting'' of the commander of cyber command as the director of nsa
57. Senator Reed. Secretary Work and Admiral Rogers: The Committee
understands that the Chairman of the Joint Chiefs is considering
recommending to the President that the next Unified Command Plan
elevate Cyber Command from a sub-unified command under U.S. Strategic
Command to a full unified command. It is rumored that the Department is
not considering alteration of the current arrangement under which the
Commander of Cyber Command also serves as the Director of NSA. The
Armed Services Committee has for several years expressed concern about
this dual-hat arrangement in the context of a decision to make Cyber
Command a new unified command. There are reports that the Department
fears that ending the dual-hat arrangement would result in NSA not
sustaining the necessary level of support for the Command, despite
NSA's designation under the Goldwater-Nichols Act as a combat support
defense agency. Is this a genuine fear? It would be disturbing if NSA
could not be counted upon to faithfully execute orders.
Secretary Work. The National Security Agency (NSA) provides robust
and excellent support to the Department and U.S. Cyber Command
(USCYBERCOM), and I have the fullest confidence in NSA's willingness
and ability to execute its mission. The dual-hat arrangement provides
necessary support to USCYBERCOM as it continues to grow and mature in
its mission execution, and the Cyber Mission Force benefits greatly
from the experience of its NSA partner. The relationship between the
two organizations demonstrates a unity of effort and close
collaboration in a field of growing importance.
The decision to decouple the organizations must rely upon a
conditions-based approach that considers several criteria, including
ensuring that USCYBERCOM is manned, trained, and equipped to fulfill
its missions. One of the key considerations in prolonging the dual-hat
arrangement is the efficiency created when allocating workforce
resources, which are often common for both NSA's and USCYBERCOM's
respective missions. In light of the current fiscal climate, as well as
efforts to develop the DOD cyber workforce, we believe the dual-hat
arrangement remains the prudent course of action at this time. However,
I am grateful to Congress for the budgetary assistance in helping the
Department and USCYBERCOM take on its new mission.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
58. Senator Reed. We have also heard the argument that Cyber
Command is so dependent on NSA that separating these positions would
put Cyber Command's effectiveness at risk. If this reflects the views
of DOD's leadership, what does it say about the maturity of Cyber
Command and its readiness to be a unified command?
Secretary Work. I support the President's decision in December 2013
to maintain the dual-hat arrangement for Cyber Command and NSA. The
dual-hat arrangement has allowed for the unification of leadership for
the organizations responsible for defending the nation in cyberspace
and for signals intelligence. By virtue of their relationship, Cyber
Command is able to fully leverage NSA's resources, enabling a more
coordinated and rapid response to threats in cyberspace. The Department
of Defense is in the third year of an ambitious plan to develop the
Cyber Mission Force and develop additional capabilities as a sub-
unified command. As Cyber Command continues to mature, the Department
will analyze and assess the merits of whether it should be elevated to
a full unified combatant command.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
59. Senator Reed. The Services are just now reaching IOC for the
bulk of the newly created cyber mission force units. Until we began
fielding these units, Cyber Command had very few forces with which to
execute its missions. Moreover, we are a number of years away from
equipping these forces with the tools, weapons systems, infrastructure,
and command and control capabilities they need to operate effectively.
What does the lack of such capabilities say about the maturity of the
Command?
Secretary Work. The Department of Defense (DOD) is in the third
year of an ambitious plan to build the Cyber Mission Force, which
envisions 133 teams as fully manned, trained, and equipped by the end
of Fiscal Year 2018. As part of this plan, DOD closely evaluates Cyber
Command's maturation and its ability to execute its missions. This
includes regularly assessing the resources, tools, infrastructure, and
facilities needed to train, equip, and enable Cyber Mission Force team
personnel to operate effectively. The Department also assesses the
resources required to build and develop cyberspace operations,
intelligence, and planning staffs that support operational and
strategic level headquarters.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
60. Senator Reed. When Cyber Command was established, NSA leaders
asserted that military and intelligence operations in cyberspace
overlapped almost entirely, and argued that Cyber Command for
efficiency and effectiveness should make use of the infrastructure,
planning systems, and tools that NSA had already developed. NSA
expected that a military command would operate much the same way that a
signals intelligence agency would in cyberspace. Five years later, we
know that these assumptions were incorrect. Cyber Command needs
separate and different tools, infrastructure, training ranges, planning
systems, TTPs, and command and control capabilities from those that NSA
has developed for its own use. Cyber Command has surely benefited
substantially from having a uniquely close relationship with NSA, but
it also seems possible that NSA's views and assumptions could have held
back the proper development of Cyber Command. What are your views on
this possibility?
Secretary Work. I do not believe that National Security Agency's
(NSA) views and assumptions held back the development of Cyber Command.
In fact, NSA played a direct role in supporting Cyber Command's
development, providing critical expertise in training, education,
certification, techniques, mission sharing, and capability development.
In addition, by virtue of their relationship, Cyber Command leveraged
NSA's cryptologic enterprise to enable a more coordinated and rapid
response to countering threats in cyberspace. Cyber Command does need
separate tools, infrastructure, and capabilities to conduct certain
missions, but the arrangement between Cyber Command and NSA enabled
Cyber Command to learn key lessons and mature as an enterprise.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
61. Senator Reed. Combatant commanders by design have broad and
extensive command experience and education in combined arms and joint
warfare. Traditionally, combatant commanders have been drawn from the
ranks of combat arms officers or, in Navy parlance, ``officers of the
line.'' NSA Directors, in contrast, are typically selected from the
Service Cryptologic Elements, or at least from the ranks of
intelligence specialists. Maintaining the dual-hat arrangement into the
future will mean that either cyber combatant commanders are going to be
intelligence specialists, or NSA will not be led by career intelligence
officers, which may be a disservice to both organizations. What are
your views on this dilemma?
Secretary Work. The dual-hat remains important to the success of
the Department's mission in cyberspace and thus far the arrangement has
not created any sort of dilemma. I have full trust and confidence in
the capabilities of past, present, and any future National Security
Agency (NSA) Director/Commander, U.S. Cyber Command (USCYBERCOM), and
their ability to fully support and command both organizations. NSA
plays a unique role in supporting USCYBERCOM's mission and helps
integrate capabilities and infrastructure and enable operational
effectiveness while USCYBERCOM continues to build its capabilities and
infrastructure.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
62. Senator Reed. When the CIA Director was also the Director of
Central Intelligence--the head of the Intelligence Community--the
intelligence agencies other than the CIA did not believe that the DCI
was an honest broker. They believed that the DCI favored the CIA, and
resisted centralized control and appeals to jointness. Dual-hatting the
Commander as NSA Director would appear to present the same drawback:
the military service cyber components would likely always see NSA as
privileged and more powerful. Do you think that the dual-hat
arrangement has potentially some unhealthy side effects?
Secretary Work. The comparison between the previous situation when
the Central Intelligence Agency director was also the Director of
Central Intelligence and the current Director, National Security Agency
(NSA)/Commander, U.S. Cyber Command (USCYBERCOM) dual-hatting can
appear to be similar. However, in this case, the authorities, budgetary
lines, and overall missions of USCYBERCOM and NSA are different, which
alleviates risk of preferential treatment. Additionally, USCYBERCOM
follows the same processes for requesting intelligence from the
national intelligence system as other commands and agencies.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
63. Senator Reed. Have you considered the idea of keeping the dual-
hat arrangement only for a certain period of time, perhaps selecting a
``sunset'' date when it would be ended, and Cyber Command would be
expected to be self-sufficient except for those specialized needs that
could and should be met by NSA as a combat support agency?
Secretary Work. The dual-hat remains important to the success of
the Department's mission in cyberspace. The National Security Agency
plays a unique role in supporting U.S. Cyber Command's mission,
providing critical support, including linguists, analysts,
cryptanalytic capabilities, and sophisticated technological
infrastructure. The dual-hat helps integrate capabilities and
infrastructure and enable operational effectiveness while U.S. Cyber
Command continues to build its capabilities and infrastructure.
Building U.S. Cyber Command's capabilities is a top priority of the
cyber strategy. If a decision is made to end the dual-hat arrangement
it will be based on the capabilities and needs of the command rather
than being tied to a set date.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
__________
Questions Submitted by Senator Kristen Gillibrand
dynamic threat response
64. Senator Gillibrand. Admiral Rogers, in March you told us that
one of the issues you have raised internally in the Department is
``that in creating the force, we've allocated all very specifically
across the board. And so one of the implications . . . [is] we perhaps
didn't build in as much flexibility as our experience now is telling us
perhaps we need. So, that's something, to be honest, within the
Department, we're going to be looking at.'' Can you give us an update
on any work you have done to create more flexibility?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
65. Senator Gillibrand. As we have seen in the past year, many
cyber incidents have come to light that are not necessarily directed at
the military, but at U.S. institutions, including other government
agencies and private businesses. How do you see CYBERCOM supporting a
whole of government approach to these major domestic cyber incidents?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
66. Senator Gillibrand. What do you need to better support a whole-
of-nation approach to a cyber incident?
Secretary Work. Answer is for official use only and will be
retained in committee files.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
67. Senator Gillibrand. After FY16, how will the people assigned to
CYBERCOM receive the necessary training?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
68. Senator Gillibrand. How do we ensure that the reserve component
gets equivalent and timely training?
Secretary Work. The Department ensures the Reserve Component gets
equivalent training by continued adherence to the Services' policies
that stipulate that there is to be no differentiation in training
requirements and standards between the Reserve and Active Components.
Additionally, reliance on the Services' force generation models ensures
that Reserve Component forces receive any additional equivalent
training in accordance with timelines established by the Secretary of
Defense (in response to Presidential/ National Security Council
guidance).
69. Senator Gillibrand. Please provide your thoughts on the
relationship between the Department of Homeland Security (DHS) and DOD
in terms of global cyber security roles and responsibilities.
Secretary Work. The Department of Defense (DOD) works very closely
with its interagency partners to ensure that it is building and
implementing a whole-of-government approach to cybersecurity. DOD's
relationships with the Department of Homeland Security (DHS) and the
Department of Justice (DOJ) are and must remain strong, given that DHS
and DOJ have the lead for domestic response to cyber threats. In this
context, DOD has a support role.
DOD and DHS regularly collaborate and share information through a
variety of channels, ranging from daily communication between
operational centers to interagency forums. The two organizations also
exercise together to ensure unity of effort across the departments and
determine what assets and resources DOD may be able to provide to
support DHS and DOJ in an emergency.
We continue to develop ways to improve collaboration and
information sharing to protect and defend U.S. critical infrastructure,
to create consistent approaches to cybersecurity across both national
security and non-national security systems, and to enhance our ability
to prevent, mitigate, respond to, and recover from domestic cyber
incidents.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
70. Senator Gillibrand. What specifically do you see as the
Department of Defense's role in support of the states, DHS and FBI?
Secretary Work. Ensuring the nation's cybersecurity is a shared
responsibility. The Department of Homeland Security (DHS) is the lead
federal department responsible for national protection against,
mitigation of, and recovery from domestic cybersecurity incidents. The
Department of Justice (DOJ) is responsible for the investigation,
attribution, disruption, and prosecution of cybercrimes outside of
military jurisdiction.
As in other domains, the Department of Defense (DOD) supports DHS
and DOJ when necessary and through those agencies, can support the
private sector and state/local governments. For example, DOD is
developing capabilities to respond and defend its own network that
could provide support to DHS and the Federal Bureau of Investigation
during an emergency through the Defense Support of Civil Authorities
process.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
71. Senator Gillibrand. What changes to legislation do you need to
provide a better response to a domestic cyber incident and complement
the efforts of DHS and FBI?
Secretary Work. The Department supports legislation to increase
information sharing between government and industry that will improve
the Nation's cybersecurity posture. While many companies currently
share cybersecurity threat information under existing laws, there is a
growing need to increase the volume and speed of information shared
without sacrificing the protection of privacy, confidentiality, civil
rights, or civil liberties. It is essential to ensure that cyber threat
information can be shared quickly between trusted partners so that
network owners and operators can take the necessary steps to block
threats and avoid damage. The Department also supports other key
provisions, such as data breach and cybercriminal provisions, included
in the President's legislative proposal submitted earlier this year.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
reserves and the national guard/homeland security
72. Senator Gillibrand. DOD put out its report about the role of
the reserve component in cyber last year. Can you please tell us what
capabilities have already been set up?
Secretary Work. As the Department continues to strengthen the Cyber
Mission Force, we recognize the need to incorporate the strengths and
skills inherent within the Reserve and National Guard forces. Each
Service developed Reserve Component integration strategies that embrace
Active Component capabilities in the cyberspace domain and leverage the
Reserve and National Guard strengths from the private sector. Up to
2,000 Reserve and National Guard personnel support the Cyber Mission
Force and allow the Department to surge cyber forces in a crisis.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
73. Senator Gillibrand. When will the reserve component teams be
trained to NSA standards and what are the impediments to getting them
on board?
Secretary Work. Reserve Component teams are already trained to the
National Security Agency's (NSA) standards, the training courses they
receive depend on their individual role within the Cyber Mission Teams.
The Air Force, Navy and Army undergraduate cyber training course, which
the Reserve Component attends, has been accredited by the NSA and meets
all NSA requirements for Cyber Protection Teams mission roles. For
other roles and missions, Cyber Mission Teams and National Mission
Teams, additional training may be required and is conducted by the NSA.
I see no impediments at this time
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
74. Senator Gillibrand. What missions will the reserve component
teams have both at CYBERCOM and at the service level?
Secretary Work. As stated in the Department of Defense Cyber
Strategy, the Department draws on the National Guard and Reserve
Components as a resource for expertise and to foster creative solutions
to cybersecurity problems. The Reserve Component (RC) offers unique
capabilities for supporting each of the Department's missions,
including engaging the defense industrial base and the commercial
sector. It represents a critical surge capacity for cyber responders.
Specific to USCYBERCOM and the Services, the Department is
integrating approximately 2,000 Reserve Component personnel into the
Cyber Mission Force to contribute Cyber Protection Teams (CPT) as well
as to provide surge support. While there are RC personnel qualified to
perform National Mission Team and Combat Mission Team tasks to defend
the Nation and support combatant commander tasks, most RC personnel and
units align most closely with the CPT mission, which is the most
similar to their professional civilian roles. These CPT units are
aligned to the Services to protect Service networks.
Admiral Rogers. The reserve component personnel assigned to U.S.
Cyber Command (USCYBERCOM), while in active duty status, will continue
to play vital roles on the Cyber Mission Force (CMF) teams and in other
areas. Currently, several Air National Guard squadrons are training to
support key Cyber National Mission Force, Service, and Combatant
Command aligned CMF teams. The Army National Guard currently
supplements USCYBERCOM's staff in specialized areas and performs
critical missions. The Army National Guard is currently developing a
method to source cyber professionals nationwide to aid USCYBERCOM in
these roles. Army, Navy, Marines and Air Force reservists have
supported USCYBERCOM from its conception with military and civilian
cyber skills and training. At Camp Parks, California we have maintained
a group of expert reserve intelligence personnel producing high quality
cyber intelligence products for over six years. Our use and planned use
of reserve personnel provide an instant force multiplier for the
Command, DOD and the United States.
75. Senator Gillibrand. Admiral Rogers, you also told us that
``Because we're still really focused on the initial cadre [of cyber
warriors], the challenge is going to be, `So, how do you sustain it as
people come and go? That's something we're going to be in the--in the
next year or two, in particular, spending a lot of time on.' Can you
please explain how you are planning to develop that next cadre?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
76. Senator Gillibrand. What might be the role of the reserve
component in this next stage of cadre development?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
77. Senator Gillibrand. As members transition to other positions
both in the military and in the civilian sector, how do you think the
reserve components can help retain the talent of the individuals
already trained?
Secretary Work. This is a key focus area for the Department. Cyber
talent, whether serving in the Active Duty or Reserve Component, is the
same. Ensuring the highest return on investment for our cyber training
is necessary. The ``DOD Cyber Strategy'' challenges the Department to
use the National Guard and Reserves as a resource for expertise and to
foster creative solutions to cybersecurity problems. Retaining that
talent is a focus point for my attention.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
recruitment
78. Senator Gillibrand. It is my understanding that the training
necessary to build a cyber-warrior can take up to 2 years. How do you
envision the development not only of separate specialties for cyber but
also career tracks for these cyber warriors?
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
79. Senator Gillibrand. What direction has been given to the
services regarding recruiting goals and priorities for individuals with
skills and aptitudes relevant to the needs of CYBERCOM?
Secretary Work. The Department of Defense Cyber Strategy Strategic
Goal #1 is to ``Build and Maintain Ready Forces and Capabilities to
Conduct Cyberspace Operations.'' The Office of the Undersecretary of
Defense for Personnel and Readiness and the Office of the Department of
Defense Chief Information Officer, in coordination with the Military
Departments, USCYBERCOM, and the Joint Staff, are leading this line of
effort, which is specifically focused on recruiting, retention,
training and other developmental needs for building viable career paths
for these recruits. We recognize that the talent pool is highly
competitive for each of the Services and U.S. Cyber Command, which
continue to mature their cyber aptitude assessments to better identify
talent with the potential to succeed in the cyber workforce. Recruiting
goals are important, but just as important are viable career paths for
cyber recruits; such career paths are a critical piece of the solution.
Our objective is to create a career path model with established
standards to meet mission requirements and career progression. To that
end, the Department is focused not only on recruiting the appropriate
talent to meet mission requirements at more senior levels, we are also
focused on growing cyber talent at the entry level through a more
robust on-campus recruiting effort targeting students and recent
graduates, which is one of the highest priority civilian workforce
Force of the Future initiatives.
Admiral Rogers.
80. Senator Gillibrand. In your opinion, what can Congress do to
assist DOD in this effort of recruitment and retention?
Secretary Work. The improving economy and scaled-back advertising
campaigns over the past decade have reduced both the number of young
Americans considering military service and their understanding of
military service. Evidence of this trend is the fact that the most
recent survey by the Joint Advertising, Market Research and Studies
(JAMRS) office indicated that only one in four young Americans can name
all the military services. Given this trend, we anticipate that meeting
recruiting goals with high-quality and diverse candidates will become
increasingly more difficult, particularly if the projected budget
constraints persist. As the realities of sequestration and shrinking
defense budgets continue, the impact to force readiness will remain a
significant and constant concern; lost messaging and reduced recruiting
presence further compounds this issue. Absent near-term relief, the
Military Departments will have to choose between maintaining critical
infrastructure and sustaining the All-Volunteer Force.
We have committed to investing in our recruiting data analytics in
JAMRS as part of our force of the future initiatives to help us better
target the qualified candidates in the youth population. Continued
congressional support is essential to maintaining adequate investments
in recruiting resources, which will generate the future force upon
which the nation will depend. Mass marketing in traditional media, as
well as more tailored social media campaigns will provide increased
opportunities to afford both young Americans and their influencers
(e.g., parents, teachers and coaches, clergy) access to accurate
information about military service.
The Department is also looking for greater flexibilities, as
specified in the Defense Officer Personnel Management Act related
legislative proposals submitted to Congress, to assist the Military
Services in attracting, recruiting, and retaining highly skilled
individuals and high performers. Today, we can access exceptionally
skilled and experienced doctors and dentists into the Services and
award constructive service credit up to the grade of colonel in the
Army, Air Force, or Marine Corps, or captain in the Navy. However, as
we look at emerging requirements, we see that this authority may be
equally useful in attracting highly skilled personnel in a wide array
of technical or scientific fields, to include cyberspace, that are
difficult to fill and require extensive training, education, or
experience not widely available within the Military departments.
81. Senator Gillibrand. As we start planning for the FY17 NDAA, are
there any issues with regards to recruitment and retention, the role of
DOD in a whole-of-nation approach, or the role of the reserve component
that you would like to see addressed?
Secretary Work. While the American public clearly has faith in the
efficacy of our military, a disconnect, defined by lack of knowledge,
misperceptions, and an inability to identify with those who choose to
serve, has emerged in today's society. This disconnect threatens our
ability to recruit quality youth with needed skill sets to maintain our
military force. A variety of circumstances have contributed to the
disconnect, such as a shrinking/disappearing military footprint in
parts of our country, declining veteran presence, a perception that
military service will result in disability or Post-Traumatic Stress
Disorder, and reduced recruiting advertising due to budget reductions.
This disconnect is compounded by the number of youth not qualified for
military service (about 71 percent), and the relatively low propensity
for youth to serve (12 percent). Given appropriate resources, the
Department will be proactive and ensure the appropriate recruiting
tools are available to address these changes in the recruiting
environment. Additionally, while the Military Departments have been
successful in achieving their retention goals in recent years, the
improving economy and job market, compounded by tightening budgets,
will make it more difficult to retain many of the most experienced
service members with high-demand skills.
__________
Questions Submitted by Senator Joe Donnelly
hardware assurance
82. Senator Donnelly. Secretary Work, I have been to NSWC Crane in
Indiana on several occasions and have witnessed the efforts on trusted
electronics/high reliability hardware being accomplished there. The
work at NSWC Crane supports our nation's nuclear deterrence programs
such as the Navy's Strategic Systems Program and recently they have
begun collaborating with the Air Force to support that service's
strategic capabilities. What are your thoughts on how this emerging
collaboration within DOD can be extended to a collaborative effort with
DoE to address the emerging threats to our nation's trusted defense
systems?
Secretary Work. The Department is already working in cooperation
with the Department of Energy (DOE) to mitigate supply chain
vulnerabilities. DOE is updating their nuclear security policies to
incorporate a Weapon Trust Assurance program and a Supply Chain Risk
Management program to ensure malicious hardware or software does not
enter the Nuclear Security Enterprise supply chain. DOE recently became
a participant in the Joint Federated Assurance Center (JFAC), which was
established to improve collaboration among hardware and software
assurance capabilities like those that Naval Surface Warfare Center
(NSWC) Crane possesses and to make these capabilities visible to
defense system programs. The JFAC considers Sandia National Laboratory
and other DOE laboratories to be potential service providers. DOE
participation in the JFAC resulted from collaboration between DOD and
DOE leadership on microelectronics assurance activities via the Mission
Executive Council, which is an interagency body chartered to promote
common interests.
83. Senator Donnelly. Secretary Work, Section 937 of the National
Defense Authorization Act for Fiscal Year 2014 established a Joint
Federated Assurance Center (JFAC) ``to serve as a joint, Department-
wide federation of capabilities to support the trusted defense system
needs of the Department to ensure security in the software and hardware
developed, acquired, maintained and used by the Department, pursuant to
the trusted defense systems strategy and the Department and supporting
policies related to software assurance and supply chain risk
management.'' NSWC Crane in Indiana has become one of our nation's
thought leaders on this topic and holds a ``hardware'' leadership role
within JFAC. In general, how is JFAC addressing the critical
requirements of combating threats to the strategic electronics supply
chain and providing assurance to our strategic deterrence?
Secretary Work. NSWC Crane leads the Joint Federated Assurance
Center (JFAC) Hardware Assurance (HwA) Technical Working Group, which
includes representation from the Military Departments, the National
Security Agency, and the Defense Microelectronics Activity. The JFAC
HwA efforts promote coordination, collaboration, and communication in
order to spread best practices in mitigating or countering threats to
the strategic electronics supply chain and to foster sharing of
assurance resources in support of program needs. We have established a
JFAC operational concept and piloted several cases where critical needs
for software assurance (SwA) and HwA have been met. In FY 2016, pilots
will include JFAC efforts within the strategic deterrence enterprise,
promote Department SwA and HwA capabilities, and provide guidance on
how to request and integrate these technical assessments into
acquisition programs. The JFAC will monitor demand for SwA and HwA
support and identify future capability and capacity needs.
84. Senator Donnelly. Secretary Work, more specifically, in light
of the IBM Foundry sale, what is the role of JFAC in assuring the
integrity of integrated circuits not manufactured in a trusted foundry?
Secretary Work. For critical parts not manufactured in a trusted
foundry, the Joint Federated Assurance Center (JFAC) will enable
acquisition programs to evaluate trustworthiness of microelectronics
software and hardware. In light of the IBM Foundry sale, the JFAC plays
an important role in maintaining a library of techniques used to
determine the integrity and authenticity of application-specific
integrated circuits that may now be produced in other foundries. The
JFAC will help acquisition programs plan and implement assurance
activities including vulnerability assessment, detection, analysis, and
mitigation. Through the JFAC, participating organizations will share
information about emerging threats and capabilities, software and
hardware assessment tools and services, and best practices. Assurance
services include inspection, functional verification, physical
verification, vulnerability detection, detailed analysis, assessment,
and, in a growing number of instances, recommendations for remediation.
__________
Questions Submitted by Senator Tim Kaine
u.s. cyber command workforce
85. Senator Kaine. Secretary Work and Admiral Rogers, U.S. Cyber
Command's current manning goals have been reported as 133 cyber mission
teams, requiring approximately 6200 trained personnel by the close of
2016. Does DOD still anticipate reaching this goal by the end of next
year? Please elaborate on challenges experienced hiring sufficiently
skilled operators and whether or not there are unique challenges to the
Armed Services compared to the cyber industry overall. Most
importantly, explain how the full staffing of U.S. Cyber Command will
be affected--numbers and timeline--if a budget agreement is delayed or
not reached by the end of CY15.
Secretary Work. Answer is for official use only and will be
retained in committee files.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
non-defense agencies
86. Senator Kaine. Director Clapper and Admiral Rogers, despite
attempts to use OCO funding to mitigate BCA funding for defense,
sequestration level funding will severely decrease budgets at federal
agencies that closely coordinate with DOD on cyber activities. With DHS
designated as the lead agency for cyber protection of non-defense
domains, it is presumed that any funding loss will hamper cyber
operations at all our government agencies, particularly for non-DOD
efforts related to law enforcement and cyber-related investigations.
Please elaborate on any national security concerns if funding is not
provided for a comprehensive interagency cyber effort for contingency
operations abroad and for ongoing cyber surveillance and protection
programs that rely on both DOD and non-defense agencies to work
effectively.
Director Clapper did not respond in time for printing. When
received, answer will be retained in committee files.
Admiral Rogers. Answer is for official use only and will be
retained in committee files.
[all]