[Senate Hearing 115-597]
[From the U.S. Government Publishing Office]
S. Hrg. 115-597
THE ROLES AND RESPONSIBILITIES
FOR DEFENDING THE NATION FROM
CYBER ATTACK
=======================================================================
HEARING
before the
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
OCTOBER 19, 2017
__________
Printed for the use of the Committee on Armed Services
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
36-192 PDF WASHINGTON : 2019
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).E-mail,
[email protected].
COMMITTEE ON ARMED SERVICES
JOHN McCAIN, Arizona, Chairman
JAMES M. INHOFE, Oklahoma, JACK REED, Rhode Island
ROGER F. WICKER, Mississippi BILL NELSON, Florida
DEB FISCHER, Nebraska CLAIRE McCASKILL, Missouri
TOM COTTON, Arkansas JEANNE SHAHEEN, New Hampshire
MIKE ROUNDS, South Dakota KIRSTEN E. GILLIBRAND, New York
JONI ERNST, Iowa RICHARD BLUMENTHAL, Connecticut
THOM TILLIS, North Carolina JOE DONNELLY, Indiana
DAN SULLIVAN, Alaska MAZIE K. HIRONO, Hawaii
DAVID PERDUE, Georgia TIM KAINE, Virginia
TED CRUZ, Texas ANGUS S. KING, JR., Maine
LINDSEY GRAHAM, South Carolina MARTIN HEINRICH, New Mexico
BEN SASSE, Nebraska ELIZABETH WARREN, Massachusetts
LUTHER STRANGE, Alabama GARY C. PETERS, Michigan
Christian D. Brose, Staff Director
Elizabeth L. King, Minority Staff Director
(ii)
C O N T E N T S
_________________________________________________________________
October 19, 2017
Page
The Roles and Responsibilities for Defending the Nation From 1
Cyber Attack.
Rapuano, Honorable Kenneth P., Assistant Secretary of Defense for 4
Homeland Defense and Global Security, Department of Defense.
Smith, Scott, Assistant Director for the Cyber Division, Federal 10
Bureau of Investigation.
Krebs, Christopher C., Performing the Duties of the Under 14
Secretary for the National Protection and Programs Directorate,
Department of Homeland Security.
Questions for the Record......................................... 78
(iii)
THE ROLES AND RESPONSIBILITIES
FOR DEFENDING THE NATION FROM
CYBER ATTACK
----------
THURSDAY, OCTOBER 19, 2017
U.S. Senate,
Committee on Armed Services,
Washington, DC.
The committee met, pursuant to notice, at 9:36 a.m. in Room
SD-G50, 13800 Senate Office Building, Senator John McCain,
(chairman) presiding.
Committee members present: Senators McCain, Inhofe, Wicker,
Fischer, Rounds, Ernst, Tillis, Sullivan, Sasse, Reed, Nelson,
McCaskill, Shaheen, Gillibrand, Blumenthal, Donnelly, Hirono,
Kaine, King, Heinrich, Warren, and Peters.
OPENING STATEMENT OF SENATOR JOHN McCAIN, CHAIRMAN
Chairman McCain. The committee meets today to receive
testimony on the U.S. Government's policy, strategy, and
organization to protect our Nation in cyberspace.
To begin, I would like to thank Senators Rounds and Nelson
for their leadership on these issues in our Cybersecurity
Subcommittee. This hearing builds upon the good work that they
and their subcommittee have done this year to tackle the
critical challenge of cyber.
This is a challenge that is growing more dire and more
complex. Not a week passes that we do not read about some
disturbing new incident: cyber attacks against our government
systems and critical infrastructure, data breaches that
compromise sensitive information of our citizens and companies,
attempts to manipulate public opinion through social media, and
of course attacks against the fundamentals of our democratic
system and process. Those are just the ones that we know about.
This is a totally new kind of threat, as we all know. Our
adversaries, both state and non-state actors, view the entire
information domain as a battlespace, and across it, they are
waging a new kind of war against us, a war involving but
extending beyond our military, to include our infrastructure,
our businesses, and our people.
The Department of Defense has a critical role to play in
this new kind of war, but it cannot succeed alone. To be clear,
we are not succeeding. For years, we have lacked policies and
strategies to counter our adversaries in the cyber domain, and
we still do. This is in part because we are trying to defeat a
21st Century threat with the organizations and processes of the
last century. This is true in the executive branch and,
frankly, it is also true here in the Congress. We are failing.
That is why this committee is holding today's hearing and
why we have taken the unorthodox step of inviting witnesses
from across our government to appear today. Our witnesses are
the senior officials responsible for cyber within their
respective agencies, and I want to thank them for joining us
and welcome them now: Ken Rapuano, Assistant Secretary of
Defense for Homeland Defense and Global Security; Scott Smith,
Assistant Director for Cyber Division, Federal Bureau of
Investigation; and Chris Krebs, Under Secretary for the
National Protection and Programs Directorate at the Department
of Homeland Security.
I would also like to note at the outset the empty chair at
the witness table. The committee invited the principal U.S.
cyber official, White House Cybersecurity Coordinator Rob
Joyce. Many of us know Mr. Joyce and respect him deeply for his
significant experience and expertise on cyber and his many
years of government service at the National Security Agency.
Unfortunately, but not surprisingly, the White House declined
to have its cyber coordinator testify, citing executive
privilege and precedent against having non-confirmed NSC
[National Security Council] staff testifying before Congress.
While this is consistent with past practice on a bipartisan
basis, I believe the issue of cyber requires us to completely
rethink our old ways of doing business.
To me, the empty chair before us represents a fundamental
misalignment between authority and accountability in our
government today when it comes to cyber. All of our witnesses
answer to the Congress for their part of the cyber mission. But
none of them is accountable for addressing cyber in its
entirety. In theory, that is the White House Cyber
Coordinator's job, but that non-confirmable position lacks the
full authority to make cyber policy and strategy and direct our
Government's efforts. That official is literally prohibited by
legal precedent from appearing before the Congress. So when we,
the elected representatives of the American people, ask who has
sufficient authority to protect and defend our Nation from
cyber threats and who is accountable to us for accomplishing
that mission, the answer is quite literally no one.
The previous administration's struggle to address this
challenge between DOD [Department of Defense], DHS [Department
of Homeland Security], and the FBI [Federal Bureau of
Investigation], well-intentioned though it was, led to a result
that is as complex and convoluted as it appears in this chart.
Given that no single agency has all of the authorities required
to detect, prevent, and respond to incidents, the model has
created significant confusion about who is actually accountable
for defending the United States from cyber attacks. Meanwhile,
our increasingly capable adversaries continue to seek to
exploit our vulnerabilities in cyberspace.
Facing similar challenges, a number of our allies have
pursued innovative models to emphasize increased coordination
and consolidation. In doing so, they have significantly
enhanced their ability to react and respond to incidents and to
share information across government and with the public. For
example, the United Kingdom recently established its National
Cyber Security Centre, an organization that orchestrates
numerous cyber functions across the British Government under
one roof sitting side by side with industry.
Today's hearing is an opportunity to have an honest and
open conversation. Our concerns are not meant to be critical of
our witnesses' leadership or of your organizations, as each of
you are limited by the policy and legal frameworks established
by Congress and the administration. Our intent is to better
understand the coordination and de-confliction underway between
agencies and to identify where and how we can improve. The last
thing any of us wants is to waste precious time during a major
cyber incident because everyone who rushed to the scene thought
they were in charge, but none had the authority or, even worse,
realizing after a cyber incident, that your organizations were
not prepared and resourced to respond based on a flawed
assumption that someone else was responsible.
I thank the witnesses for their service to our country and
their willingness to appear before this committee as we
continue to assess and address our cyber challenges.
Senator Reed?
STATEMENT OF SENATOR JACK REED
Senator Reed. Well, thank you very much, Mr. Chairman, for
holding this hearing.
I welcome our witnesses today.
Let me also commend Senator Rounds and Senator Nelson for
their great leadership on the subcommittee.
The cyber threat facing our Nation does not respect
organizational or jurisdictional boundaries in the Government.
The Defense Department, the intelligence community, the FBI,
the Department of Homeland Security are all critical in
countering the cyber threat. But each agency functions in
siloes under specialized laws and authorities. In order to be
successful, we must develop an integrated, whole-of-government
approach to strategic planning, resource allocation, and
execution of operations. I think I am echoing the chairman's
points.
This problem is not unique to the cybersecurity mission.
Violent extremism, narcotics, and human trafficking,
transnational crime, proliferation of weapons of mass
destruction, and other challenges require an effective whole-
of-government response that cut across the missions and
responsibilities of departments and agencies. As issues become
more complex, these cross-cutting problems are becoming more
numerous and serious over time.
There have been various approaches to this problem, but
with little demonstrated success. White House's czars generally
have few tools at their disposal, while a lead agency
designated to address a cross-cutting challenge must also
remain focused on the mission of its own organization.
Last year, President Obama signed PPD [Presidential Policy
Directive 41] 41, the United States Cyber Incident Coordination
Policy. It established a cyber response group to pull together
a whole-of-government response in the event of major cyber
incidents. But these are ad hoc organizations with little
continuity that come together only in response to events.
I believe what is needed instead is a framework with an
integrated organizational structure authorized to plan and
cooperate in peacetime against the constant aggression of cyber
opponents. This arrangement has precedent. The Coast Guard is a
service branch in the Department of Defense, but it is also a
vital part of the Department of Homeland Security. It has
intelligence authorities, defense responsibilities, customs and
border enforcement, and law enforcement authority. The Coast
Guard exercises these blended authorities judiciously and
responsibly and enjoys the confidence of the American people.
Therefore, we can solve this problem. We have examples of where
we have solved this problem.
Last year's National Defense Authorization Act created
cross-functional teams to address problems that cut across the
functional organizations of the Defense Department. These teams
are composed of experts from the functional organizations but
rise above the parochial interests of their bureaucracies. The
team leads would exercise executive authority delegated by the
Secretary of Defense. Such an approach might be a model for the
interagency to address a cross-cutting problem like
cybersecurity.
There, indeed, is urgency to our task. Russia attacked our
election last year. They similarly attacked multiple European
countries, the NATO [North Atlantic Treaty Organization]
alliance, and the European Union. The intelligence community
assures us that Russia will attack our upcoming midterm
elections. So far, we have seen no indication that the
administration is taking action to prepare for this next
inevitability.
Finally, the Government cannot do this alone. As former
Cyber Commander and NSA [National Security Administration]
Director General Keith Alexander testified, ``While the primary
responsibility of government is to defend the Nation, the
private sector also shares responsibility in creating the
partnerships necessary to make the defense of our nation
possible. Neither the Government nor the private sector can
capably protect their systems and networks without extensive
and close cooperation.'' In many ways, the private sector is on
the front lines of the cyber threat, and the Government must
work with them if we are to effectively counter that threat. We
need a government strategy, but it must be in cooperation with
the private sector.
I thank Chairman McCain for holding this hearing and for
cosponsoring my legislation that is in the Banking Committee's
jurisdiction, S. 536, the Cybersecurity Disclosure Act, which
through disclosure and our federal securities laws tries to
encourage companies to focus on avoiding cybersecurity risks
before they turn into costly breaches.
Thank you, Mr. Chairman.
Chairman McCain. Welcome to the witnesses. Mr. Rapuano,
please proceed.
STATEMENT OF HONORABLE KENNETH P. RAPUANO, ASSISTANT SECRETARY
OF DEFENSE FOR HOMELAND DEFENSE AND GLOBAL SECURITY, DEPARTMENT
OF DEFENSE
Mr. Rapuano. Thank you, Chairman McCain, Ranking Member
Reed, and members of the committee. It is an honor to appear
before you to discuss the roles and responsibilities of the
Department of Defense and its interagency partners in defending
the Nation from cyber attacks of significant consequence.
I am here today in my roles as the Assistant Secretary of
Defense for Homeland Defense and Global Security, as well as
the Principal Cyber Advisor to the Secretary of Defense, in
which I oversee cyber policy in the Department, lead the
coordination of cyber efforts across the Department and with
our interagency partners, and integrate the Department's cyber
capabilities with its mission assurance and defense support to
civil authorities activities. I appreciate the opportunity to
testify alongside my interagency colleagues because these
challenges do require a whole-of-government approach.
DOD is developing cyber forces and capabilities to
accomplish several missions in cyberspace. Today, I will focus
on our mission to defend the United States and its interests
against high consequence cyber attacks and how we execute that
mission in coordination with our interagency partners.
The Department's efforts to build defensive capabilities
through the Cyber Mission Force, or CMF, play an especially key
role in carrying out this mission. From both a deterrence and
response standpoint, the 133 CMF teams that will attain full
operational capability in September of 2018 are central to the
Department's approach to supporting U.S. Government efforts to
defend the Nation against significant cyber attacks. With the
goal of assuring U.S. military dominance in cyberspace, these
teams conduct operations both to deny potential adversaries the
ability to achieve their objectives and to conduct military
actions in and through cyberspace to impose costs in response
to an imminent, ongoing, or recent attack.
In particular, the CMF's 68 Cyber Protection Teams
represent a significant capability to support a broader
domestic response. These forces are focused on defending DOD
information networks, but select teams could provide additional
capacity or capability to our federal partners, if and when
necessary.
DOD's role in cyberspace goes beyond adversary-focused
operations and includes identifying and mitigating our own
vulnerabilities. Consistent with statutory provisions related
to these efforts, we are working with our U.S. domestic
partners and with foreign partners and allies to identify and
mitigate cyber vulnerabilities in our networks, computers,
critical DOD infrastructure and weapons systems.
While DOD has made significant progress, there is more to
do alongside with our other agency partners in the broader
whole-of-government effort to protect U.S. national interests
in and through cyberspace. The outward focus of DOD's cyber
capabilities to mitigate foreign threats at their points of
origin complements the strengths of our interagency partners as
we strive to improve resilience, should a significant cyber
attack occur. In accordance with law and policy, during cyber
incidents, DOD can be called to directly support the DHS in its
role as the lead for protecting, mitigating, and recovering
from domestic cyber incidents or the DOJ in its role as the
lead in investigating, attributing, disrupting, and prosecuting
cyber crimes.
The significant work of our Departments has resulted in
increased common understanding of our respective roles and
responsibilities, as well as our authorities. Despite this,
however, as a government we continue to face challenges when it
comes to cyber incident response on a large scale, and it is
clear we have more work to ensure we are ready for a
significant cyber incident. Specifically, we must resolve seam
and gap issues among various departments, clarify thresholds
for DOD assistance, and identify how to best partner with the
private sector to ensure a whole-of-nation response, if and
when needed.
DOD has a number of efforts underway to address these
challenges and to improve both our readiness and that of our
interagency partners. For instance, we are refining policies
and authorities to improve the speed and flexibility to provide
support, and we are conducting exercises such as Cyber Guard
with a range of interagency and State and local partners to
improve our planning and preparations to respond to cyber
attacks.
Additionally, the cyber executive order 13800 signed in May
will go a long way in identifying and addressing the shortfalls
in our current structure.
Although the Department has several unique and robust
capabilities, I would caution against ending the current
framework and reassigning more responsibility for incident
response to DOD. The reasons for this include the need for the
Department to maintain focus on its key mission, the
longstanding tradition of not using the military for civilian
functions, and the importance of maintaining consistency with
our other domestic response frameworks.
It is also important to recognize that a significant
realignment of cyber response roles and responsibilities risks
diluting DOD focus on its core military mission to fight and
win wars.
Finally, putting DOD in a lead role for domestic cyber
incidents would be a departure from accepted response practice
in all other domains in which civilian agencies have the lead
responsibility for domestic emergency response efforts. It
could be disruptive to establishing that critical unity of
effort that is necessary for success.
The Federal Government should maintain the same basic
structure for responding to all other national emergencies,
whether they are natural disasters or cyber attacks.
There is still work to be done both within the Department
and with our federal partners to improve DOD and U.S.
Government efforts overall in cyberspace. Towards this end, I
am in the process of reinvigorating the role of the Principal
Cyber Advisor, clarifying the Department's internal lines of
accountability and authority in cyber, and better integrating
and communicating DOD cyberspace strategy, plans, and train and
equip functions. We will also be updating our DOD cyber
strategy and policies on key cyber issues, such as deterrence,
and translating this guidance into capabilities, forces, and
operations that will maintain our superiority in this domain.
The Department is also working to ensure that several
strategic initiatives it is undertaking come to fruition,
including the elevation of U.S. Cyber Command, the
implementation of the cyber executive order, initiating the
cyber excepted service program, and rationalizing the
Department's cyber budget and investments.
Our relationship with Congress is critical to everything we
are doing to defend the Nation from high consequence cyber
attacks. I am grateful for Congress' strong support and
particularly this committee's interest in these issues. I look
forward to your questions and working with you and your staff's
going forward. Thank you.
[The prepared statement of Mr. Rapuano follows:]
Prepared Statement by Mr. Kenneth Rapuano
Thank you Chairman McCain, Ranking Member Reed, and Members of the
Committee. It is an honor to appear before you to discuss the roles and
responsibilities for defending the Nation from cyberattacks of
significant consequence. I appear before you today in my role as
Assistant Secretary of Defense for Homeland Defense and Global Security
and as Principal Cyber Advisor to the Secretary of Defense. In these
roles, I oversee the development and implementation of DOD's strategy,
policy, and strategic guidance to achieve DOD's cyber missions, goals,
and objectives; lead the Department's interagency cyber coordination
efforts, including for cyber incident response; advise the Secretary
and the Deputy Secretary on cyber-related activities that support or
enable DOD's missions in and through cyberspace; and, perhaps most
relevant to today's discussion, ensuring that cyber forces and
capabilities are integrated across all of DOD's priority missions,
including mission assurance and Defense Support of Civil Authorities.
I have been requested to discuss the Department's role as part of
an interagency response to a cyberattack of significant consequence. I
am grateful to testify alongside my interagency colleagues because
adequately addressing these important challenges requires a whole-of-
government approach, of which the Department of Defense and its
developing capabilities in cyberspace are just one part.
This is a timely and important topic because the threats and level
of malicious activity we face in cyberspace are real and growing. This
diverse and persistent set of threats comes from state and non-state
actors who probe and scan United States. networks for vulnerabilities.
The states we watch most closely in cyberspace include China, Iran,
North Korea, and especially Russia.
To address these threats, the Department is developing cyber forces
and capabilities to accomplish three primary missions in cyberspace: 1)
to defend DOD networks, systems, and information to ensure that DOD can
accomplish its core missions; 2) to defend the United States and its
interests against malicious cyber activities and cyberattacks of
significant consequence; and 3) to provide integrated cyber
capabilities in support of operational and contingency plans. Although
all of the missions are important, given your focus today, my intent is
to speak primarily about DOD's efforts to defend the United States and
its interests from cyberattacks of significant consequence and its
efforts to provide Defense Support for Civil Authorities, as these
define DOD's role within a whole-of-government framework.
The Cyber Mission Force (CMF) is the Department's principal
capability to carry out DOD's cyber mission. Consisting of more than
6,000 soldiers, sailors, airmen, marines, and civilians, the CMF
achieved initial operational capability (IOC) in October 2016 and is
projected to reach full operational capacity (FOC) by the end of this
new fiscal year. Today, nearly 80 percent of the CMF's 133 teams have
reached FOC. In recent years, the Department has made significant
investments in building the workforce and systems to develop the CMF,
and it continues to do so consistent with the fiscal year 2018 budget
request. In terms of readiness, as well as operational activities in
support of the campaign to defeat the Islamic State in Iraq and Syria
(ISIS), DOD is already seeing the results of those investments. United
States Cyber Command's increased experience, expertise, and capability
drove the President's decision this summer to elevate U.S. Cyber
Command to a Unified Functional Combatant Command, consistent with
section 923 of the National Defense Authorization Act of for fiscal
year 2017. Among other benefits, elevation of the command will
strengthen command and control and consolidate responsibility for
cyberspace operations under a single commander, reporting directly to
the Secretary.
Although many elements of the CMF contribute to defending the
Nation against malicious cyber activities and cyberattacks of
significant consequence, the Cyber National Mission Force through its
integrated operations plays a key role. This force combines the
capabilities of National Mission Teams (NMTs) that pursue adversaries
into red space; National Support Teams (NSTs) that provide additional
capacity in analysis, linguists, reporting, capability development, and
targeting; and national Cyber Protection Teams (CPTs) that hunt
adversaries in friendly terrain. As the primary counter-cyber forces,
the integration of NMTs, NSTs, and national CPTs enhances our ability
to learn the tactics, techniques, and procedures of our adversaries to
detect malicious cyber activity. These teams develop and, if directed,
undertake operations to deter, delay, disrupt, and defeat an imminent
or ongoing cyberattack or malicious cyber activity. The combined
efforts of these teams give the CMF the capacity to operate on a global
scale against the broad spectrum of adversaries and growing threats.
Additionally, DOD is developing significant cyber capability and
capacity within the Reserve Components, including the National Guard.
The Air National Guard is developing 12 Air National Guard Squadrons to
provide two full-time CPTs through rotations and is also providing
three additional squadrons to deliver a portion of an NMT to the CMF.
The Army National Guard has established the first of 11 CPTs, which
will be built out through 2022. The U.S. Army Reserve will follow by
establishing 10 teams of its own between now and 2024. Likewise, the
Air Force Reserve is contributing personnel to fill three CPTs. All of
these teams benefit from strong relationships with State and local
authorities. To further strengthen these relationships and support
preparedness, National Guard units may coordinate with, train, advise,
and assist governmental entities outside DOD when incidental to
military training in accordance with section 2012 of title 10, U.S.
Code.
From both a deterrence and response standpoint, CMF teams are
central to the Department's approach to cyber operations and to support
U.S. Government efforts to defend the Nation against a cyber incident
of significant consequence. With a goal of ensuring U.S. military
dominance in cyberspace, these teams support the Department's efforts
to deny the adversary the ability to achieve its objectives and, when
directed, to conduct military actions in and through cyberspace in
response to an imminent, ongoing, or recent attack or malicious cyber
activity. Although DOD's focus is on preparing for and defending
against cyberattacks of significant consequence, the President may
determine that a military response to malicious cyber activity below
the threshold of significant consequence or an armed attack is
necessary and appropriate.
DOD's role in cyberspace goes beyond adversary-focused operations
and includes identifying and mitigating our own vulnerabilities. DOD
recognizes its own reliance on cyber-enabled critical infrastructure to
conduct its core missions. The Department therefore understands
congressional concerns regarding current and future cyber
vulnerabilities and congressional efforts to authorize vulnerability
identification programs. In response, we are working with our foreign
partners and allies and our U.S. domestic partners, including the
Department of Homeland Security (DHS), to identify cyber
vulnerabilities in our networks, computers, critical DOD
infrastructure, and weapon systems. In addition to these external
partnerships, the Department is leveraging its own mission assurance
risk-management processes to identify, prioritize, and mitigate the
most impactful vulnerabilities to the critical infrastructure that is
fundamental to DOD's ability to project power and protect the U.S.
Homeland, our people, and our allies and partners.
One last important element of our mission to defend the Nation is
the Department's role as the sector-specific agency for the Defense
Industrial Base (DIB), one of the 16 identified critical infrastructure
sectors. Using voluntary and mandatory reporting requirements, the
Department partners with DIB sector stakeholders to maintain a robust
cybersecurity and information assurance program to protect sensitive
defense information and protect DOD networks and systems.
DOD has made significant progress; however, there is more to do,
and we are only one piece of the broader whole-of-government effort to
protect U.S. national interests in and through cyberspace. The outward,
threat focus of DOD's cyber capabilities complements the strengths of
our interagency partners, as we strive to improve resilience should a
cyberattack of significant consequence occur. As articulated in law and
policy, during cyber incidents, DOD may directly support the DHS's lead
for protecting, mitigating, and recovering from domestic cyber
incidents or, as appropriate and authorized by law, the Department of
Justice's (DOJ) lead in investigating, attributing, disrupting, and
prosecuting cybercrimes. Under DOD's broader Defense Support of Civil
Authorities mission, the Department works closely with these domestic
partners as they carry out their aforementioned responsibilities so
that DOD is prepared to provide support when it is needed and DOD is
called upon to do so. DOD also regularly works closely with domestic
partners through cyber fusion center integration, robust information
sharing arrangements, liaison and detailee programs, development of
national plans, exercises to strengthen our response, and interagency
deliberations on malicious cyber activity.
The significant work of U.S. departments and agencies has resulted
in a common understanding of our various roles, responsibilities, and
authorities. That said, it is clear we have more work to do to resolve
seam and gap issues among various departments and agencies. DOD has
taken a number of steps to address these problems and to improve both
our readiness and that of our interagency partners. For instance, we
are continually refining policies and authorities to improve the speed
and flexibility to provide support, and we organize and participate in
exercises, such as CYBER GUARD, with a range of interagency, State, and
local partners to improve our ability to respond to cyberattacks on
critical infrastructure.
Although DOD has built capacity and unique capabilities, for a
number of reasons, I would caution against ending the current framework
and against reassigning more responsibility for incident response to
the Department of Defense. First, DOD's primary mission is to provide
the military forces needed to deter war and to be prepared to defend
the country should deterrence fail, which requires us to be prepared at
all times to do so. DOD is the only department or agency charged with
this mission, and success in this requires the Department's complete
focus. In this case, any significant realignment of roles and
responsibilities will have opportunity costs, including absorptive
capacity to build mission capability in a new area, especially ones
that could distract the Department from its core warfighting missions.
Second, the United States has a long normative and legal tradition
limiting the role of the military in domestic affairs. This strict
separation of the civilian and the military is one of the hallmarks of
our democracy and was established to protect its institutions.
Designating DOD as the lead for the domestic cyber mission risks
upsetting this traditional civil-military balance.
Third, a primary civil reliance on DOD in the steady-state would
result in increased demands that could not be met without significant
changes in resource allocation. We would expect even greater demand in
a conflict scenario, when there might be a natural tension in the need
to preserve DOD mission capabilities and requests for support to
civilian agencies. Even with such a change in resource allocation, the
addition of a new mission would likely detract from the focus on and
readiness for the warfighting mission.
Finally, putting DOD in a lead role for cyber incidents creates an
exception to accepted domestic response practice in all other domains,
which would disrupt our efforts to establish and maintain unity of
effort. Civilian agencies have the lead responsibility for domestic
emergency response efforts; this should not be different for cyber
incidents. The Federal Government should maintain a common approach to
all national emergencies, whether they are natural disasters or
cyberattacks.
I have confidence that the President's Executive Order 13800 signed
in May will address many of Congress's concerns by helping to identify
and address the shortfalls in the present system. Through reports and
other deliverables, the Executive Order specifically targets the areas
of protecting critical infrastructure, strengthening the deterrence
posture of the United States, and building international coalitions. As
a result, the Federal Government--especially DHS and Sector Specific
Agencies--is identifying current and prospective authorities and
capabilities that it could use to support the cybersecurity efforts of
critical infrastructure entities. DOD is contributing to these efforts
and conducting its own review of how best to protect the Defense
Industrial Base from cyber vulnerabilities. Through this process, we
should have a better understanding of the key challenges facing the
U.S. Government in this area and a way forward for addressing them.
Therefore, my vision and highest priority in cyber are to address
the challenges that still face the Department in cyberspace and its
role in the broader interagency response effort. Specifically, I am
working to reinvigorate the role of the Principal Cyber Advisor; to
clarify the Department's internal lines of accountability and authority
in cyber; and to integrate and communicate more effectively DOD
cyberspace strategy, plans, and train and equip functions in cyber. It
is also time to revise our Cyber Strategy, update policy on such key
cyber issued as deterrence, and translate this and other guidance into
capabilities, forces, and operations that will maintain our superiority
in this domain. Meanwhile, the Department must ensure that several
strategic initiatives it is undertaking in cyber come to fruition,
including the elevation of U.S. Cyber Command to a unified combatant
command, implementing the Cyber Executive Order, initiating the Cyber
Excepted Service, and identifying and mitigating vulnerabilities in
DOD's networks, systems, and platforms. I look forward to working with
Congress on these efforts and welcome its feedback.
In conclusion, the Department of Defense is committed to defending
the U.S. Homeland and is prepared to defend the Nation from
cyberattacks of significant consequence that may occur in or through
cyberspace. It has undertaken comprehensive efforts, both unilaterally
and in concert with interagency partners, allies, and the private
sector to improve our Nation's cybersecurity posture and to ensure that
DOD has the ability to operate in any environment at any time. Our
relationship with Congress is absolutely critical to everything the
Department is doing. To that end, I am grateful for Congress's strong
support and particularly this Subcommittee's interest in these issues,
and I look forward to your questions.
Chairman McCain. Thank you.
Mr. Smith?
STATEMENT OF SCOTT SMITH, ASSISTANT DIRECTOR FOR THE CYBER
DIVISION, FEDERAL BUREAU OF INVESTIGATION
Mr. Smith. Thank you, Mr. Chairman, and thanks to the
committee for offering me an opportunity to provide remarks on
the FBI's cyber capabilities.
As the committee is aware, the frequency and sophistication
of cyber attacks on our Nation have increased dramatically in
the past decade and only look to be growing. There are
significant challenges. The cyber domain is unique, constantly
shifting, changing, and evolving. But progress has been made in
improving structures and collaboration in innovation. But more
can be done.
Staying ahead of today's threats requires a different
mindset than in the past. The scale, scope, and complexity of
today's threats in the digital domain is unlike anything
humanity or our Nation has ever experienced. Traditional
approaches and mindsets are no longer suited to coping with the
speed and mobility and complexity of the new digital domain. We
have to include the digital domain as part of the threat
ecosystem instead of separating it as a mechanical machine.
This new era, often called the Fourth Industrial Revolution,
requires the FBI to rapidly assign, align, and engage empowered
networked teams who are purpose-driven and have fierce and
unrelenting resolve to win.
What does this all mean? What are we doing to meet and stay
ahead of the new digital domain, attribute, predict, impose
consequences?
That is where the FBI cyber mission is going. The FBI Cyber
Division and program is structured to address a lot of these
unique set of challenges.
In the field, the FBI is made up of 56 different field
offices spanning all 50 States and U.S. territories, each with
a cyber squad and each developing multi-agency cyber task
forces which brings together technically proficient
investigators, analysts, computer scientists from local, State,
and Federal organizations.
At FBI headquarters, in addition to those field resources,
the Cyber Division offers program management and coordination
and more technically advanced responders in our Cyber Action
Teams. The CAT [Cyber Action Team] teams, our elite cyber rapid
response force, is on call and prepared to deploy globally in
response to significant cyber incidents.
Additionally at FBI headquarters, we manage CyWatch, a 24-
hour watch center which provides continuous connectivity to
interagency partners in an effort to facilitate information
sharing and real-time incident management and tracking,
ensuring all agencies are coordinating.
In addition to these cyber-specific resources, the FBI has
other technical assets that can be utilized in the event of
cyber incidents. These include our Operational Technology
Division, the Regional Computer Forensic Laboratory Program,
and the Critical Incident Response Group providing additional
expertise and capabilities and resources that the FBI can
leverage at a cyber incident.
Partnerships are absolutely a key focus area for the FBI.
We rely on a robust international presence to supplement our
domestic footprint. Through cyber assistant legal attaches, the
FBI embeds cyber agents with our international counterparts in
18 key locations across the globe. The FBI also relies upon
private sector partnerships leveraging the National Cyber
Forensic Training Alliance, InfraGard, and Domestic Security
Alliance, just to name a few.
Building capacity at home and abroad through training,
investigations, and joint operations is where we are applying
our efforts.
The FBI has the capability to quickly respond to cyber
incidents across the country and scale its response to the
specific incident utilizing all its resources throughout the
field, headquarters, and abroad. We have the ability to
galvanize and direct all the available cyber resources
instantaneously.
Utilizing dual authorities as a domestic law enforcement
organization and a member of the U.S. intelligence community,
the FBI works closely with interagency partners within a whole-
of-government effort to countering cyber threats.
The FBI conducts its cyber mission with the goal of
imposing costs and consequence on the adversary. Though we
would like to arrest every cyber criminal, we recognize
indictments are just one tool in a suite of options that are
available to the U.S. Government when deciding how best to
approach this complex cyber threat.
The FBI understands the importance of being coherently
joined with, and we will continue to find ways to work with
interagency partners in responding to cyber incidents. We look
forward to expanding our partnerships with Cyber Command, given
their new and unique capabilities, and with the National
Guard's new cyber program in complementing our field offices
and cyber task forces, all within the confines of current laws,
authorities, and expectations of the American people.
We at the FBI appreciate this committee's efforts in making
cyber threat a focus and committing to improving how we can
work together to better defend our Nation. We also look forward
to discussing these issues in greater detail and answering any
questions that you may have.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Smith follows:]
Prepared Statement by Scott S. Smith
Chairman McCain, Ranking Member Reed, and members of the Committee,
thank you for the invitation to provide remarks on the FBI's role in
defending the Nation against cyber threats.
As the Committee is well aware, the frequency and impact of
cyberattacks on our nation's private sector and government networks
have increased dramatically in the past decade and are expected to
continue to grow. We continue to see an increase in the scale and scope
of reporting on malicious cyber activity that can be measured by the
amount of corporate data stolen or deleted, personally identifiable
information compromised, or remediation costs incurred by U.S. victims.
Within the FBI, we are focused on the most dangerous malicious cyber
activity: high-level intrusions by state-sponsored hackers and global
organized crime syndicates, as well as other technically sophisticated
attacks.
Cyber threats are not only increasing in scope and scale, they are
also becoming increasingly difficult to investigate. Cyber criminals
often operate through online forums, selling illicit goods and
services, including tools that can be used to facilitate cyber attacks.
These criminals have also increased the sophistication of their
schemes, which are more difficult to detect and more resilient.
Additionally, many cyber actors are based abroad or obfuscate their
identities by using foreign infrastructure, making coordination with
international law enforcement partners essential.
The FBI has worked with the rest of the intelligence and law
enforcement community to address the unique set of challenges presented
by the cyber threat. The information domain is an inherently different
battle space, requiring government bureaucracies to shift and transform
to eliminate duplicative efforts and stovepipes and move toward real-
time coordination and collaboration to keep pace with the growing
threat. Considerable progress has been made toward the shared goal of
protecting the country from capable and unrelenting cyber adversaries,
but there is still a lot to be done to ensure our government agencies
have the proper resources, structure, and mission to seamlessly work
together on the cyber threat. The FBI will continue to be a leader in
this area, and we have taken a number of steps in the last several
years to ensure we are adequately structured to respond to threats in
an agile and efficient way.
The decentralized FBI field structure is intended to support the
investigation of crimes across the Nation. The FBI is made up of 56
field offices spanning all 50 States and U.S. territories, each with a
multi-agency Cyber Task Force (``CTF'') modeled after the successful
Joint Terrorism Task Force program. The task forces bring together
cyber investigators, prosecutors, intelligence analysts, computer
scientists, and digital forensic technicians from various Federal,
State, and local agencies present within the office's territory. Our
field-centric business model allows us to develop relationships with
local companies and organizations, putting us in an ideal position to
engage with potential victims of cyber attacks and crimes. Cyber-
trained special agents are in each field office, providing locally
available expertise to deploy to victim sites immediately upon notice
of an incident. Computer scientists and intelligence analysts are also
stationed in field offices to support incident response efforts and
provide intelligence collection and analysis as well as technical
assistance and capability.
In addition to the resources in the field, the FBI has the Cyber
Action Team (``CAT''), Cyber Division's elite rapid response force. On-
call CAT members are prepared to deploy globally to bring their in-
depth cyber intrusion expertise and specialized investigative skills to
bear in response to significant cyber incidents. CAT's management and
core team are based at headquarters, supplemented by carefully selected
and highly trained field personnel. CAT members are available to
supplement the technical capabilities in the field, and they are
typically deployed in support of significant cyber incidents that have
the potential to impact public health or safety, national security,
economic security, or public confidence.
Cybersecurity threats and incidents are occurring around the clock,
which motivated Cyber Division in 2014 to establish a steady-state 24-
hour watch capability called CyWatch. Housed at the National Cyber
Investigative Joint Task Force (``NCIJTF''), CyWatch is responsible for
coordinating domestic law enforcement response to criminal and national
security cyber intrusions, tracking victim notification, and
coordinating with the other Federal cyber centers many times each day.
CyWatch provides continuous connectivity to interagency partners to
facilitate information sharing and real-time incident management and
tracking as part of an effort to ensure all agencies are coordinating.
CyWatch also manages FBI's Cyber Guardian program, through which more
than 5,000 victim notifications were logged and coordinated in fiscal
year 2016.
In addition to these cyber specific resources, the FBI has other
technical assets that can be utilized as necessary to combat cyber
threats. Our Operational Technology Division develops and maintains a
wide range of sophisticated equipment, capabilities, and tools to
support investigations and assist with technical operations. The FBI
maintains a robust forensic capability through its Regional Computer
Forensic Laboratory Program, a national network of FBI-sponsored
digital forensics laboratories and training centers devoted to the
examination of digital evidence. The Critical Incident Response Group
(``CIRG'') provides crisis support and incident management assistance.
These resources can be leveraged throughout the FBI's response and
investigative cycle to respond to cyber threats.
Given the international nature of cybercrime and the reality that
the actors who seek to harm the U.S. through cyber means are often
located abroad, the FBI relies on a robust international presence to
supplement its domestic footprint. Through the Cyber Assistant Legal
Attache (``Cyber ALAT'') program, the FBI embeds cyber agents, who are
trained both at FBI Headquarters and in the field, with our
international counterparts in 18 key locations across the globe where
they build relationships with our international partners. These
relationships are essential to working cyber cases that often involve
malicious actors using computer networks worldwide.
In order to be successful in the mission of bringing cyber
criminals to justice and deterring future activity in the cyber realm,
the FBI relies on partnerships with the private sector. As frequent
targets of malicious cyber activity, the private sector is on the front
lines of defending our nation's critical information infrastructure,
safeguarding its intellectual property, and preserving its economic
prosperity. By building and maintaining partnerships with industry, the
FBI is better able to share information about current and future
threats, provide indicators of compromise for network defense, and
provide context to help companies understand the intent behind the
unnamed actors targeting their systems. These relationships also
provide an optic into what kinds of nefarious activity they are
observing on their systems, which helps the FBI better understand the
threats.
The FBI has the capability to quickly respond to cyber incidents
across the country and scale its response to the specific circumstances
of the incident by utilizing all resources at its disposal throughout
the field, at FBI headquarters, and abroad. Utilizing dual authorities
as a domestic law enforcement organization and a member of the U.S.
Intelligence Community (``USIC''), the FBI works closely with
interagency partners in a whole-of-government approach to countering
cyber threats. Presidential Policy Directive 41, signed by President
Obama in July 2016, designates the Department of Justice, through the
FBI and NCIJTF, as the lead Federal agency for threat response. Threat
response is defined as activities related to the investigation of an
incident and the pursuit, disruption, and attribution of the threat
actor. Through evidence collection, technical analysis, disruption
efforts, and related investigative tools, the FBI works to quickly
identify the source of a breach, connect it with related incidents, and
determine attribution, while developing courses of action.
The FBI is able to collect domestic intelligence on cyber threats,
consistent with our authorities, to help us understand and prioritize
identified threats, reveal intelligence gaps, and fill those gaps. By
combining this intelligence with information from our interagency
partners, the FBI contributes to painting a collective picture of cyber
threats facing the Nation. This threat intelligence is critical to
getting ahead of the threat and providing potential victims with
information to assist them in better protecting their networks from
compromise. The FBI liaises with the other intelligence community
components through standing coordination calls among the various watch
centers; participation in standing interagency groups as well as
incident- and threat-based working groups; through embeds and liaison
officers at other agencies and within the FBI; and through memoranda of
understanding allowing close coordination on topics of high importance.
The FBI along with the rest of the intelligence community
understands the need to share information both within and outside the
Government with the potential victims of cyber attacks. The FBI
disseminates information regarding specific threats to the private
sector through various methods, including Private Industry
Notifications (``PINs'') and FBI Liaison Alert System (``FLASH'')
reports. PINs provide unclassified information that will enhance the
private sector's awareness of a threat, and FLASH reports contain
unclassified technical information collected by the FBI for use by
specific private sector partners. These communication methods
facilitate the sharing of information with a broad audience or specific
sector. The FBI also works with industry partners in forums such as
InfraGard and industry-based Information Sharing and Analysis Centers
(``ISACs'') to relay critical information. The FBI also works closely
with its government partners to put out joint notifications and reports
to help the private sector guard against potential cyber threats.
In some cases, the FBI receives indicators of potential compromise
from various sources, including USIC partners and foreign governments,
that are used in notification to victims of cyber attacks. Victim
notification is critical in preventing continued cyber intrusion
activity and mitigating the damages associated with the theft of
sensitive data, intellectual property, and proprietary information. The
goal of notification is to provide timely and meaningful notification
to the victim while protecting sensitive sources and methods and
balancing investigative and operational equities of the FBI and other
USIC agencies. FBI and the Department of Homeland Security (DHS) have
well defined policies and procedures which guide how victims are
identified and how notification should be made; typically, the FBI, in
coordination with DHS, will notify the individuals responsible for
handling network security for the victim organization to discuss the
necessary information related to the intrusion. The FBI will also
provide open source information that may assist in the detection and
identification of the intrusion. After the initial notification, some
victims will contact the FBI to provide an update regarding the
compromise of their network, while others will not. Typically, any
post-notification engagement between the FBI and the victim is
voluntary and its scope is determined by the company.
The FBI conducts its cyber mission with the goal of imposing costs
on the adversary, and though we would like to arrest every cyber
criminal who commits an offense against a U.S. person, company, or
organization, we recognize indictments are just one tool in a suite of
options available to the U.S. Government when deciding how best to
approach complex cyber threats. Working with the rest of the USIC, the
FBI is able to share intelligence, better understand the threat
picture, identify additional victims or potential victims of cyber
intrusions, and help inform U.S. policymakers. The FBI and the
intelligence community must work closely on cyber threats to provide
leaders with the information necessary to decide what tools are
appropriate to respond to, mitigate, and counter cyber attacks, as well
as deter cyber actors and reinforce peacetime norms of state behavior
in cyberspace.
Using unique resources, capabilities, and authorities, the FBI is
able to impose costs on adversaries, deter illicit cyber activity, and
help prevent future cyber attacks. While much progress has been made
toward leveraging the FBI's unique authorities and resources in real-
time coordination with the interagency to combat cyber threats, there
is still work to be done, specifically in ensuring agile and efficient
incident response, seamless information sharing, and elimination of
duplicative efforts. Although the resources of the FBI and of the
Federal Government are not growing in proportion to the rapidly
evolving threat, we remain steadfast in our resolve to finds ways to
work together better as a government, so that we may respond to cyber
threats with agility, efficiency, persistence, and ferocity.
The FBI recognizes other agencies have technical expertise, tools,
and capabilities to leverage as we work together against cyber
adversaries, and is committed to working through challenges associated
with sharing sensitive law enforcement information and intelligence
with interagency partners. The FBI understands the importance of whole-
of-government collaboration, and will continue to find ways to work
with the interagency in responding to cyber incidents in a coordinated
manner. Given the recent developments in structuring the Department of
Defense to defend the Nation against cyber adversaries, the FBI is
committed to finding ways to partner more closely with U.S. Cyber
Command in its newly elevated role as a Unified Combatant Command and
its Cyber Mission Force teams.
We at the FBI appreciate this committee's efforts in making cyber
threats a focus and committing to improving how we can work together to
better defend our nation against our increasingly capable and
persistent adversaries. We look forward to discussing these issues in
greater detail and answering any questions you may have.
Chairman McCain. Thank you, Mr. Smith.
Mr. Krebs?
STATEMENT OF CHRISTOPHER C. KREBS, PERFORMING THE DUTIES OF THE
UNDER SECRETARY FOR THE NATIONAL PROTECTION AND PROGRAMS
DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY
Mr. Krebs. Chairman McCain, Ranking Member Reed, members of
the committee, thank you for the opportunity to appear before
you today.
In my current role performing the duties of the Under
Secretary for the National Protection and Programs Directorate,
I lead the Department of Homeland Security's efforts to secure
and defend our federal networks and facilities, manage systemic
risk to critical infrastructure, and improve cyber and physical
security practices across our Nation.
This is a timely hearing as during October, we recognize
National Cybersecurity Awareness Month, a time to focus on how
cybersecurity is a shared responsibility that affects every
business and organization in America. It is one of the most
significant and strategic risks to the United States.
To address this risk as a Nation, we have worked together
to develop the much needed policies, authorities, and
capabilities across the interagency with State, local, and
international partners in coordination with the private sector.
The Department of Defense's Eligible Receiver exercise in 1997
laid bare our Nation's cybersecurity vulnerabilities and the
related consequences, initiating a cross-government journey to
respond to the growing cyber threat.
Over the ensuing 20 years, through a series of directives,
executive orders, and other documents, culminating most
recently with Executive Order 13800, we have established an
increasingly defined policy foundation for the cyber mission
space.
Roles and responsibilities have been further bolstered by
bipartisan legislation providing the executive branch, in
particular DHS, much needed authorities to protect federal and
critical infrastructure networks.
We can further solidify DHS' role by giving my organization
a name that clearly reflects our operational mission, and I
look forward to working with you in that effort.
Building on those policies and authorities, the Department
continues to develop the operational capabilities to protect
our networks. Today, the National Cybersecurity and
Communications Integration Center, or NCCIC, is the center of
gravity for DHS's cybersecurity operations. Here we monitor a
federal-civilian enterprise-wide risk picture that allows us to
manage risk across the .gov. More broadly, the NCCIC brings
together our partners to share both classified and unclassified
threat information and coordinate response efforts. Partners
include representatives from the critical infrastructure
community, State, local, tribal, and territorial governments,
sector-specific liaisons from the Departments of Energy, Health
and Human Services, Treasury, and Defense, intelligence
community personnel, law enforcement partners such as the FBI,
and liaisons from each of the cyber centers, including U.S.
Cyber Command. They all sit with one another at the NCCIC.
We know that we cannot stop here and need to accelerate
efforts to develop scalable solutions to manage systemic
cybersecurity risks across the Nation's infrastructure.
Last year's Presidential Policy Directive 41, United States
Cyber Incident Coordination, further clarified roles and set
forth principles for the Federal Government's response to cyber
incidents, including formalizing a cyber response group and
cyber unified coordination group. It also required the
Department to update the National Cyber Incident Response Plan,
or NCIRP, which was completed last January.
Updating the NCIRP, in partnership with industry and State
and local partners, was a critical step in cementing our shared
responsibility and accomplished three main goals. First, it
defines the role and responsibilities of all stakeholders
during a cyber incident. Second, it identifies the capabilities
required to respond to a significant cyber incident. Third, it
describes the way our Federal Government will coordinate its
activities with those affected by a cyber incident.
However, our focus going forward is to build on the NCIRP
with multi-stakeholder operational plans and incident response
playbooks, and then we must train and exercise to those plans
in order to identify and address the seams and gaps that may
exist.
We are building on our cyber mission workforce within the
framework of the NCIRP with our hunt and incident response
teams that exercise the tenets of the NCIRP each day. We work
across the various stakeholders within the NCCIC to accomplish
this mission.
In some cases, DHS teams are augmented with FBI and DOD
personnel to provide a more robust and coordinated response.
This model of collaboration and cross-agency cooperation will
continue taking advantage of the respective strengths of each
agency.
To ensure we are focused on the mission that you, Congress,
have tasked us with, we have prioritized filling all open cyber
positions at DHS, cross training our workforce on instant
response, and creating a cyber incident response surge capacity
force modeled after FEMA's [Federal Emergency Management
Agency] for natural disasters that can rise to meet any demand.
Before I close, I would like to add one last but critical
element. The cyber defense mission is much broader than just
response. It also encompasses preparedness and resilience, and
we must continually assess and improve our cybersecurity
posture against the latest threats, denying our adversaries
opportunities to wreak havoc.
Finally, I would like to reinforce one more time we have
made significant progress since Eligible Receiver, yet there is
no question we have more to do. We must do it with a never-
before-seen sense of urgency. By bringing together all
stakeholders, we are taking action to manage cybersecurity
risks, improve our whole-of-government incident response
capabilities, and become more resilient.
I thank you for the opportunity to testify, and I look
forward to any questions you may have.
[The prepared statement of Mr. Krebs follows:]
Prepared Statement by Christopher Krebs
Chairman McCain, Ranking Member Reed, and members of the Committee,
thank you for the opportunity to be here today. In this month of
October, we recognize National Cybersecurity Awareness Month, a time to
focus on how cybersecurity is a shared responsibility that affects all
Americans. The Department of Homeland Security (DHS) serves a critical
role in safeguarding and securing cyberspace, a core homeland security
mission.
The National Protection and Programs Directorate (NPPD) is
responsible for protecting civilian Federal Government networks and
collaborating with other federal agencies, as well as state, local,
tribal, and territorial governments, and the private sector to defend
against cyber threats. We endeavor to enhance cyber threat information-
sharing across the globe to stop cyber incidents before they start and
help businesses and government agencies to protect their cyber systems
and quickly recover should such an attack occur. By bringing together
all levels of government, the private sector, international partners,
and the public, we are taking action to protect against cybersecurity
risks, improve our whole-of-government incident response capabilities,
enhance information sharing on best practices and cyber threats, and to
strengthen resilience.
threats
Cyber threats remain one of the most significant strategic risks
for the United States, threatening our national security, economic
prosperity, and public health and safety. The past year has marked a
turning point in the cyber domain, at least in the public
consciousness. We have long been confronted with a myriad of attacks
against our digital networks. But over the past year, Americans saw
advanced persistent threat actors, including hackers, cyber criminals,
and nation states, increase the frequency and sophistication of these
attacks. Our adversaries have been developing and using advanced cyber
capabilities to undermine critical infrastructure, target our
livelihoods and innovation, steal our national security secrets, and
threaten our democracy through attempts to manipulate elections.
Global cyber incidents, such as the ``WannaCry'' ransomware
incident in May of this year and the ``NotPetya'' malware incident in
June, are examples of malicious actors leveraging cyberspace to create
disruptive effects and cause economic loss. These incidents exploited
known vulnerabilities in software commonly used across the globe. Prior
to these events, NPPD had already taken actions to help protect
networks from similar types of attacks. Through requested vulnerability
scanning, NPPD helped stakeholders identify vulnerabilities on their
networks so they could be patched before incidents and attacks occur.
Recognizing that not all users are able to install patches immediately,
NPPD shared additional mitigation guidance to assist network defenders.
As the incidents unfolded, NPPD led the Federal Government's incident
response efforts, working with our interagency partners, including
providing situational awareness, information sharing, malware analysis,
and technical assistance to affected entities.
Historically, cyber actors have strategically targeted critical
infrastructure sectors including energy, financial services, critical
manufacturing, water and wastewater, and others with various goals
ranging from cyber espionage to developing the ability to disrupt
critical services. In recent years, DHS has identified and responded to
malware such as Black Energy and Havex which were specifically created
to target industrial control systems, associated with critical
infrastructure such as power plants and critical manufacturing. More
recently, the discovery of CrashOverride malware, reportedly used
against Ukrainian power infrastructure in 2016, highlights the
increasing cyber threat to our infrastructure.
In one recent campaign, advanced persistent threat actors targeted
the cyber infrastructure of entities within the energy, nuclear,
critical manufacturing, and other critical infrastructure sectors since
at least May 2017. In response, DHS led the asset response, providing
on-site and remote assistance to impacted entities, help them evaluate
the risk, and remediate the malicious actor presence. In addition, DHS,
the Federal Bureau of Investigation (FBI), and the Department of Energy
(DOE) shared actionable analytic products with critical infrastructure
owners and operators regarding this activity. This information provides
network defenders with the information necessary to understand the
adversary campaign and allows them to identify and reduce exposure to
malicious activity. In addition, DHS has been working together with DOE
to assess the preparedness of our electricity sector and strengthen our
ability to respond to and recover from a prolonged power outage caused
by a cyber incident.
relationship with the department of defense and intelligence community
Responding to the full range of cyber threats facing government and
critical infrastructure requires a whole-of-government, whole-of-nation
effort. As it does with other stakeholders, DHS partners closely with
the Department of Defense (DOD), FBI, and the intelligence community in
carrying out its cybersecurity mission. DHS, FBI, DOD, and the
intelligence community have multiple ongoing lines of effort. We
continue to refine and mature planning to identify available resources
and outline clear roles and responsibilities. We continue to focus on
sharing cyber threat information relevant to defending against the most
sophisticated malicious cyber actors. When appropriate, we can leverage
existing authorities to provide technical assistance. In the event a
significant cyber incident exhausts existing resources within DHS, DHS
can leverage DOD resources, capabilities, and capacity to assist
domestic response efforts under a well exercised mechanism--defense
support of civil authorities. DHS and our partners also regularly
participate in joint cyber exercises.
cybersecurity priorities
Earlier this year, the President signed Executive Order (EO) 13800,
on Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure. This EO set in motion a series of assessments and
deliverables to understand how to improve our defenses and lower our
risk to cyber threats. DHS has organized around these deliverables,
working with federal and private sector partners to work through the
range of actions included in the EO.
We are emphasizing the security of federal networks. Across the
Federal Government, agencies have been implementing action plans to use
the industry-standard Department of Commerce's National Institute of
Standards and Technology Cybersecurity Framework. Agencies are
reporting to DHS and the Office of Management and Budget (OMB) on their
cybersecurity risk mitigation and acceptance choices. In coordination
with OMB, DHS is evaluating the totality of these agency reports in
order to comprehensively assess the adequacy of the Federal
Government's overall cybersecurity risk management posture.
Although federal agencies have primary responsibility for their own
cybersecurity, DHS, pursuant to its various authorities, provides a
common set of security tools across the civilian executive branch and
helps federal agencies manage their cyber risk. NPPD's assistance to
federal agencies includes (1) providing tools to safeguard civilian
executive branch networks through the National Cybersecurity Protection
System (NCPS), which includes ``Einstein'', and the Continuous
Diagnostics and Mitigation (CDM) programs, (2) measuring and motivating
agencies to implement policies, directives, standards, and guidelines,
(3) serving as a hub for information sharing and incident reporting,
and (4) providing operational and technical assistance, including
threat information dissemination and risk and vulnerability
assessments, as well as incident response services. NPPD's National
Cybersecurity and Communications Integration Center (NCCIC) is the
civilian government's hub for cybersecurity information sharing, asset
incident response, and coordination for both critical infrastructure
and the Federal Government.
Einstein refers to the suite of intrusion detection and prevention
capabilities that protects agencies' unclassified networks at the
perimeter of each agency. Einstein provides situational awareness of
civilian executive branch network traffic, so threats detected at one
agency are shared with all others providing agencies with information
and capabilities to more effectively manage their cyber risk. The U.S.
Government could not achieve such situational awareness through
individual agency efforts alone.
Today, Einstein is a signature-based intrusion detection and
prevention capability that takes action on known malicious activity.
Leveraging existing investments in the Internet Service Provider
``ISP'' infrastructure, our non-signature based pilot efforts to move
beyond current reliance on signatures are yielding positive results in
the discovery of previously unidentified malicious activity. DHS is
demonstrating the ability to capture data that can be rapidly analyzed
for anomalous activity using technologies from commercial, government,
and open sources. The pilot efforts are also defining the future
operational needs for tactics, techniques, and procedures as well as
the skill sets and personnel required to operationalize the non-
signature based approach to cybersecurity.
State, local, tribal, and territorial governments are able to
access intrusion detection and analysis services through the Multi-
State Information Sharing and Analysis Center (MS-ISAC). MS-ISAC's
service, called Albert, closely resembles some Einstein capabilities.
While the current version of Albert cannot actively block known cyber
threats, it does alert cybersecurity officials to an issue for further
investigation. DHS worked closely with MS-ISAC to develop the program
and considers MS-ISAC to be a principal conduit for sharing
cybersecurity information with state and local governments.
Einstein, the Federal Government's tool to address perimeter
security will not block every threat; therefore, it must be
complemented with systems and tools working inside agency networks--as
effective cybersecurity risk management requires a defense-in-depth
strategy that cannot be achieved through only one type of tool. NPPD's
CDM program provides cybersecurity tools and integration services to
all participating agencies to enable them to improve their respective
security postures by reducing the attack surface of their networks as
well as providing DHS with enterprise-wide visibility through a common
federal dashboard.
CDM is helping us achieve two major advances for federal
cybersecurity. First, agencies are gaining visibility, often for the
first time, into the extent of cybersecurity risks across their entire
network. With enhanced visibility, they can prioritize the mitigation
of identified issues based upon their relative importance. Second, with
the summary-level agency-to-federal dashboard feeds, the NCCIC will be
able to identify systemic risks across the civilian executive branch
more effectively and closer to real-time. For example, the NCCIC
currently tracks government-wide progress in implementing critical
patches via agency self-reporting and manual data calls. CDM will
transform this, enabling the NCCIC to immediately view the prevalence
of a given software product or vulnerability across the Federal
Government so that the NCCIC can provide agencies with timely guidance
on their risk exposure and recommended mitigation steps. Effective
cybersecurity requires a robust measurement regime, and robust
measurement requires valid and timely data. CDM will provide this
baseline of cybersecurity risk data to drive improvement across the
civilian executive branch.
DHS conducts a number of activities to measure agencies'
cybersecurity practices and works with agencies to improve risk
management practices. The Federal Information Security Modernization
Act of 2014 (FISMA) provided the Secretary of Homeland Security with
the authority to develop and oversee implementation of Binding
Operational Directives (BOD) to agencies. In 2016, the Secretary issued
a BOD on securing High Value Assets (HVA), or those assets, federal
information systems, information, and data for which unauthorized
access, use, disclosure, disruption, modification, or destruction could
cause a significant impact to the United States' national security
interests, foreign relations, economy, or to the public confidence,
civil liberties, or public health and safety of the American people.
NPPD works with interagency partners to prioritize HVAs for assessment
and remediation activities across the Federal Government. For instance,
NPPD conducts security architecture reviews on these HVAs to help
agencies assess their network architecture and configurations.
As part of the effort to secure HVAs, DHS conducts in-depth
vulnerability assessments of prioritized agency HVAs to determine how
an adversary could penetrate a system, move around an agency's network
to access sensitive data, and exfiltrate such data without being
detected. These assessments include services such as penetration
testing, wireless security analysis, and ``phishing'' evaluations in
which DHS hackers send emails to agency personnel and test whether
recipients click on potentially malicious links. DHS has focused these
assessments on federal systems that may be of particular interest to
adversaries or support uniquely significant data or services. These
assessments provide system owners with recommendations to address
identified vulnerabilities. DHS provides these same assessments, on a
voluntary basis upon request, to private sector and state, local,
territorial, and tribal (SLTT) partners. DHS also works with the
General Services Administration to ensure that contractors can provide
assessments that align with our HVA initiative to agencies.
Another BOD issued by the Secretary directs civilian agencies to
promptly patch known vulnerabilities on their Internet-facing systems
that are most at risk from their exposure. The NCCIC conducts Cyber
Hygiene scans to identify vulnerabilities in agencies' internet-
accessible devices and provides mitigation recommendations. Agencies
have responded quickly in implementing the Secretary's BOD and have
sustained this progress. When the Secretary issued this directive, NPPD
identified more than 360 ``stale'' critical vulnerabilities across
federal civilian agencies, which means the vulnerabilities had been
known for at least 30 days and remained unpatched. Since December 2015,
NPPD has identified an average of less than 40 critical vulnerabilities
at any given time, and agencies have addressed those vulnerabilities
rapidly once they were identified. By conducting vulnerability
assessments and security architecture reviews, NPPD is helping agencies
find and fix vulnerabilities and secure their networks before an
incident occurs.
In addition to efforts to protect government networks, EO 13800
continues to examine how the Government and industry work together to
protect our nation's critical infrastructure, prioritizing deeper, more
collaborative public-private partnerships in threat assessment,
detection, protection, and mitigation. In collaboration with civilian,
defense, and intelligence agencies, we are identifying authorities and
capabilities that agencies could employ, soliciting input from the
private sector, and developing recommendations to support the
cybersecurity efforts of those critical infrastructure entities at
greatest risk of attacks that could result in catastrophic impacts.
For instance, by sharing information quickly and widely, we help
all partners block cyber threats before damaging incidents occur.
Equally important, the information we receive from partners helps us
identify emerging risks and develop effective protective measures.
Congress authorized the NCCIC as the civilian hub for sharing cyber
threat indicators and defensive measures with and among federal and
non-federal entities, including the private sector. As required by the
Cybersecurity Act of 2015, we established a capability, known as
Automated Indicator Sharing (AIS), to automate our sharing of cyber
threat indicators in real-time. AIS protects the privacy and civil
liberties of individuals by narrowly tailoring the information shared
to that which is necessary to characterize identified cyber threats,
consistent with longstanding DHS policy and the requirements of the
Act. AIS is a part of the Department's effort to create an environment
in which as soon as a company or federal agency observes an attempted
compromise, the indicator is shared in real time with all of our
partners, enabling them to protect themselves from that particular
threat. This real-time sharing capability can limit the scalability of
many attack techniques, thereby increasing the costs for adversaries
and reducing the impact of malicious cyber activity. An ecosystem built
around automated sharing and network defense-in-depth should enable
organizations to detect and thwart the most common cyberattacks,
freeing their cybersecurity staff to concentrate on the novel and
sophisticated attacks. More than 129 agencies and private sector
partners have connected to the AIS capability. Notably, partners such
as information sharing and analysis organizations (ISAOs) and computer
emergency response teams further share with or protect their customers
and stakeholders, significantly expanding the impact of this
capability. AIS is still a new capability and we expect the volume of
threat indicators shared through this system to substantially increase
as the technical standards, software, and hardware supporting the
system continue to be refined and put into full production. As more
indictors are shared from other federal agencies, SLTT governments, and
the private sector, this information sharing environment will become
more robust and effective.
Another part of the Department's overall information sharing effort
is to provide federal network defenders with the necessary context
regarding cyber threats to prioritize their efforts and inform their
decision making. DHS's Office of Intelligence and Analysis (I&A) has
collocated analysts within the NCCIC responsible for continuously
assessing the specific threats to federal networks using traditional
all source methods and indicators of malicious activity so that the
NCCIC can share with federal network defenders in collaboration with
I&A. Analysts and personnel from the DOD, Energy, Treasury, Health and
Human Services, FBI, and others are also collocated within the NCCIC
and working together to understand the threats and share information
with their sector stakeholders.
mitigating cyber risks
We also continue to adapt to the evolving risks to critical
infrastructure, and prioritize our services to mitigate those risks.
Facing the threat of cyber-enabled operations by a foreign government
during the 2016 elections, DHS and our interagency partners conducted
unprecedented outreach and provided cybersecurity assistance to state
and local election officials. Information shared with election
officials included indicators of compromise, technical data, and best
practices that have assisted officials with addressing threats and
vulnerabilities related to election infrastructure. Through numerous
efforts before and after Election Day, DHS and our interagency partners
have declassified and publicly shared significant information related
to the Russian malicious cyber activity. These steps have been critical
to protecting our elections, enhancing awareness among election
officials, and educating the American public. The designation of
election infrastructure as critical infrastructure serves to
institutionalize prioritized services, support, and provide data
protections and does not subject any additional regulatory oversight or
burdens.
As the sector-specific agency, NPPD is providing overall
coordination guidance on election infrastructure matters to subsector
stakeholders. As part of this process, the Election Infrastructure
Subsector Government Coordinating Council (GCC) is being established.
The Election Infrastructure Subsector GCC will be a representative
council of federal, state, and local partners with the mission of
focusing on sector-specific strategies and planning. This will include
development of information sharing protocols and establishment of key
working groups, among other priorities.
The Department also recently took action against specific products
which present a risk to federal information systems. After careful
consideration of available information and consultation with
interagency partners, last month the Acting Secretary issued a BOD
directing federal Executive Branch departments and agencies to take
actions related to the use or presence of information security
products, solutions, and services supplied directly or indirectly by AO
Kaspersky Lab or related entities. The BOD calls on departments and
agencies to identify any use or presence of Kaspersky products on their
information systems in the next 30 days, to develop detailed plans to
remove and discontinue present and future use of the products in the
next 60 days, and at 90 days from the date of this directive, unless
directed otherwise by DHS based on new information, to begin to
implement the agency plans to discontinue use and remove the products
from information systems. This action is based on the information
security risks presented by the use of Kaspersky products on federal
information systems.
The Department is providing an opportunity for Kaspersky to submit
a written response addressing the Department's concerns or to mitigate
those concerns. The Department wants to ensure that the company has a
full opportunity to inform the Acting Secretary of any evidence,
materials, or data that may be relevant. This opportunity is also
available to any other entity that claims its commercial interests will
be directly impacted by the directive.
conclusion
In the face of increasingly sophisticated threats, NPPD stands on
the front lines of the Federal Government's efforts to defend our
nation's critical infrastructure from natural disasters, terrorism and
adversarial threats, and technological risk such as those caused by
cyber threats. Our infrastructure environment today is complex and
dynamic with interdependencies that add to the challenge of securing
and making it more resilient. Technological advances have introduced
the ``Internet of Things'' (IOT) and cloud computing, offering
increased access and streamlined efficiencies, while increasing our
footprint of access points that could be leveraged by adversaries to
gain unauthorized access to networks. As our nation continues to evolve
and new threats emerge, we must integrate cyber and physical risk in
order to understand how to effectively secure it. Expertise around
cyber-physical risk and cross-sector critical infrastructure
interdependencies is where NPPD brings unique expertise and
capabilities.
We must ensure that NPPD is appropriately organized to address
cybersecurity threats both now and in the future, and we appreciate
this Committee's leadership in working to establish the Cybersecurity
and Infrastructure Security Agency. As the Committee considers these
issues, we are committed to working with Congress to ensure that this
effort is done in a way that cultivates a safer, more secure and
resilient Homeland.
Thank you for the opportunity to testify, and I look forward to any
questions you may have.
Chairman McCain. Thank you, Mr. Krebs. I thank the
witnesses.
I am sure you can see that chart over there. Charts are
always interesting, but this one we are going to need someone
to translate for us because it is an example--and I think an
accurate one--of the differences in authorities and
responsibilities, none of which seem to have an overall
coordinating office or individual. Of course, Mr. Joyce's
absence here, whose job it is to do all this, is an example,
frankly, of the disarray in which this whole issue rests.
Mr. Rapuano, to start with, you said that it is not the
Department of Defense's responsibility. Suppose that the
Russians had been able to affect the outcome of the last
election. Would that not fall under the responsibility and
authority, to some degree, of the Department of Defense, if
they are able to destroy the fundamentals of democracy, which
would be to change the outcome of an election?
Mr. Rapuano. Mr. Chairman, specifically the issues
associated with protecting elections from cyber incursion----
Chairman McCain. So you are saying cyber incursion is not
something that requires the Department of Defense to be engaged
in. Is that correct?
Mr. Rapuano. No, Mr. Chairman. I was simply saying that
based on the State authorities and the State control of the
election process in each State, there are issues associated
with Federal authorities to engage.
Chairman McCain. So those issues could be corrected by
legislation. They are not engraved in tablets. Okay? So for you
to sit there and say, well, but it is not the Department of
Defense's responsibility, it is, to defend the Nation. The very
fundamental, the reason why we are here is because of free and
fair elections. If you can change the outcome of an election,
that has consequences far more serious than a physical attack.
So I am in fundamental disagreement with you about the
requirements of the Department of Defense to defend the
fundamental of this Nation, which is a free and fair election,
which we all know the Russians tried to affect the outcome of.
Whether they did or not is a matter of opinion. I do not think
so.
But for you to shuffle off this, oh, well, it is not an
attack, it is an attack of enormous proportions. If you can
change the outcome of an election, then what is the
Constitution and our way of life all about. I think Senator
Rounds will be much more articulate on that issue.
So, one, I disagree with your assessment. One of the
reasons why we have been so frustrated is exactly what you just
said. It is exactly what you just said that, well, it is not
the Department of Defense's job. It is the Department of
Defense's job to defend this Nation. That is why it is called
the Department of Defense.
Mr. Krebs, numerous experts over the past few years have
highlighted the need for a dramatic change. According to the
Presidential Commission on Enhancing National Cybersecurity,
``The current leadership and organizational construct for
cybersecurity within the Federal Government is not commensurate
with the challenges of securing a digital economy and
supporting the national economic security of the United
States.''
General Keith Alexander, one of the most respected men in
the world, said before this full committee in March, ``When we
talk to the different agencies, they don't understand the roles
and responsibilities. When you ask each of them who is
defending what, you get a different answer.''
Admiral Jim Stavridis: ``There needs to be a voice in the
cabinet that focuses on cyber.''
Obviously, there is supposedly one there, but he is not
appearing before this committee. That diminishes our ability to
carry out our responsibilities.
The list goes on and on.
January 2017, the Center for Strategic and International
Studies task force simply concluded, ``We must consider how to
organize the United States to defend cyberspace, and that if
DHS is unable to step up its game, we should consider the
creation of a new cybersecurity agency.''
The list goes on and on.
I would like to have your responses to these assessments
ranging from a presidential commission to General Keith
Alexander to the Atlantic Council to the Center for Strategic
and International Studies task force. All of them are saying
the same thing, gentlemen. All of them are saying exactly the
same thing. I look forward to getting a translator who can show
us what this chart means. I will be glad to hear your
responses. Secretary Rapuano?
Mr. Rapuano. Mr. Chairman, I would say just on the issue of
the election process, the Department is clearly there to
support the response or the mitigation of potential threats to
our electoral process. It is simply that when you look at the
separation of authorities between State and local governments,
the lead for that coordination and support in our current
system is DHS. We provide defense support to civil authorities,
as requested, to support those needs and requirements.
Chairman McCain. That obviously assumes that the Department
of Homeland Security has the capabilities and the authority in
order to carry out that requirement, whereas this cyber is
warfare. Cyber is warfare. Cyber is an attempt to destroy a
democracy. That is what Mr. Putin is all about. So to somehow
shuffle that off onto the Department of Homeland Security--of
course, this goes back to this problem with this organizational
chart. So I steadfastly reject your shuffling off the
responsibilities of cyber over to the Department of Homeland
Security. We have included in the NDAA [National Defense
Authorization Act] a requirement for you to do so.
Mr. Smith, do you want to respond? Or Mr. Krebs?
Mr. Krebs. Sir, I am happy to.
Fundamentally this is a complex and challenging operational
environment. Every one of the agencies represented here at the
table today, as you see in the bubble chart, as it is called,
has a unique contribution across the ecosystem.
Chairman McCain. Without coordination.
Mr. Krebs. Sir, I would suggest that we are getting there,
that we are working on the coordination. PPD 41, the National
Cyber Incident Response Plan, the cyber response group, and the
cyber unified coordination group provide a foundation under
which we can coordinate. We do work closely with Mr. Joyce and
the National Security Council. However, from an operational
perspective, I think the Department of Homeland Security and I
in my role as Under Secretary have the direction and
authorities I need to move out.
Now, the question is whether I have----
Chairman McCain. Are we winning or losing?
Mr. Krebs. Sir, this is a battle that is going to be going
on for many years. We are still trying to get our arms around
it.
Chairman McCain. I repeat my question. Are we winning or
losing?
Mr. Krebs. Sir, it is hard to assess whether we are winning
or losing. I would say that we are fighting this battle every
day. We are working with the private sector. It is a complex
environment, and I look forward to working with the Congress--
--
Chairman McCain. Do you know that for 8 years we have been
trying to get a policy? For 8 years, we have been trying to get
a strategy. For 8 years, we have been trying to get something
besides this convoluted chart. Do you know that?
Mr. Krebs. Yes, sir. I have been in my role for 8 weeks. I
understand your frustration. I share your frustration. I think
we have a lot of work to do, and I think this is going to
require both the executive branch and the Congress working
together to continue understanding exactly how we need to
address the threat.
Chairman McCain. Well, when a coordinator does not show up
for a hearing, that is not an encouraging sign.
Senator Reed?
Senator Nelson. I wish you would consider a subpoena to get
the main witness.
Chairman McCain. I think that has to be discussed in the
committee.
Senator Reed. Well, thank you, Mr. Chairman.
Thank you, gentlemen, for your testimony.
The chairman has raised the issue of Russian involvement in
our last election, but our intelligence community essentially
assured us that they are going to come back with more brio, or
whatever the right term is.
Have you been told to prepare for that, Mr. Rapuano? Has
the Defense Department been given sort of the directions to
coordinate, to take all steps advise the administration on what
you can do to prevent, preempt, or to respond to a Russian
intrusion in 2018?
Mr. Rapuano. Senator, I am not aware of a specific
direction in terms of a specific task associated with the
election process. We are engaging on a routine basis with DHS
and the rest of the interagency community to develop priorities
and consider responses, as well as mitigation measures. As I
tried to note earlier, the competing authorities associated
with the electoral process really do call for a thoughtful
orchestration of how we would direct and task and engage with
those State and local authorities. It really does need to be
coordinated because each agency brings something different.
There is a private sector component because most States get
very significant support in terms of their electoral systems
from private entities. So we are certainly engaged in the
process, and we are certainly available to support----
Senator Reed. But you have not been directed to start
actively planning and coordinating with respect to the
elections specifically.
Mr. Rapuano. No, not to my knowledge, Senator.
Senator Reed. Mr. Smith, have you in your agency, the FBI,
been told to begin actively coordinating with respect to the
2018 election in terms of interrupting, preempting, and
responding to Russian intrusions, which again the intelligence
community practically assures this will happen?
Mr. Smith. Yes, Senator.
Senator Reed. You have been.
Mr. Smith. Yes, sir.
Senator Reed. Can you describe what you have been doing?
Mr. Smith. Yes, sir.
Senator Reed. In general terms.
Mr. Smith. In general terms? Sir, we have not stopped since
the last election coordinating and keeping together an election
fusion cell, which is jointly located at the Hoover Building,
and working with our interagency partners not only on what had
transpired and getting deeper on that but also working forward
as to what may come towards us in the upcoming midterms and
2018 election cycles. So we are actively engaged both with
outreach in the communities and with the DHS and their election
task force, along with every field office has a designated
election crimes coordinator who is on the ground out there in
the event of any information coming towards us or any incidents
that we would need to be aware of and react to.
Senator Reed. Thank you.
Mr. Krebs, the same question basically.
Mr. Krebs. Sir, absolutely. But I will tell you this. I did
not need anybody to tell me to stand up a task force or
anything like that. The first thing I did when I came in 8
weeks ago was assess the state of the election infrastructure
activities underway at the Department of Homeland Security and
establish an election security task force, which brings
together all the components under me within NPPD [National
Protection and Programs Directorate], but also works closely
with the intelligence and analysis component within DHS, as
well as the FBI and out other interagency partners.
I think we have made some progress here. I think there is a
lot more to do, as Director Smith mentioned. We are not just
thinking about 2018. We are thinking about the gubernatorial
elections that are coming up in a matter of weeks. Just last
week, we worked with 27 States, the Election Assistance
Commission, and established the Government Coordinating
Council, a body under which all the State election officials
can come together and provide a foundation which coordinates
security practices and shares information. We are issuing
security clearances to a number of election officials, and, in
a matter of weeks, we are going to establish a sector
coordinating council, which will bring those private sector
elements that provide the systems and technologies and support.
So I think there is still a lot to be done. We certainly
have work ahead of us, and there is no question they are going
to come back, and we are going to be fighting them every day.
Yes, sir.
Senator Reed. You mentioned several times the need to
engage the private sector. That is a challenge. In fact, it
might be more important in this context than in any other
quasi-military context since they lead, whereas in other areas
like missiles, bombers, and vehicles, it is the Government more
than the private sector.
But just quickly, some of the things that we have to
consider are sort of not this committee's responsibility but
the legislation that Senator McCain and I are sponsoring for
the SEC [Securities and Exchange Commission] so that they would
have to designate if they have a cybersecurity expert on the
board or why not is a way in which to disclose to shareholders
but also to provide an incentive for them to be more keyed into
cyber. There have been some discussions. I was talking to Mr.
Rapuano about using TRIA, the Terrorism Reinsurance, as a way
to incentivize. Without that, I do not think we are going to
get the kind of buy-in.
So just very briefly because my time has expired, where are
we in terms of private engagement? At the threshold or some
engagement or it is still----
Mr. Krebs. Sir, I actually came out of the private sector.
I spent the last several years at a major technology company
where I managed a number of the cybersecurity policy issues. So
I have a unique, I think, understanding of what it takes on the
private sector side, as well as working in government.
We do have a number of private sector representatives
within the NCCIC, and we have unique statutory authorities for
coordinating with the critical infrastructure community.
There is a lot of work ahead of us. We need to better
refine our value proposition, I think, to get more companies to
come in and share information with us. But we do have a unique
liability protection capability.
One thing that I think will certainly enable our
advancement, as I mentioned in my opening, I need a name
change. I need to be able to tell my stakeholders, my customers
what it is I do. The National Protection and Programs
Directorate does not tell you anything. I need something that
says I do cybersecurity so I can go out there and I can clearly
communicate what it is on a daily basis that I do. I think that
is a big step forward.
Chairman McCain. You tell us the title you want besides
``President.''
Senator Reed. Yes. We will get you a T-shirt too.
[Laughter.]
Chairman McCain. Senator Inhofe?
Senator Inhofe. Thank you, Mr. Chairman.
The three of you can relax because what I am going to
address is to the empty chair. I know that this message will
get through.
It has to do with section 881 and 886. They are some
provisions in the Senate's version of the NDAA, specifically
those sections, that have raised concerns among the software
developers critical to our national defense. The purpose of
these provisions are to make available to the public the source
code and proprietary data that is used by the Department of
Defense.
Now, I would like to submit for the record numerous
letters, which I will do in just a moment, and documents from
the industry stakeholders that share my concerns with this
language. While I understand the goals and intentions of the
legislation, it creates some unintended consequences and
impacts, such as limit the software choices available to DOD to
serve the warfighter, increase costs to the Department of
Defense by compromising the proprietary nature of software and
limiting contractor options, and potentially aid U.S.
adversaries and threaten DOD cybersecurity by sharing DOD's
source code by placing it in a public repository, and also
reducing competitiveness of American software and technology
companies by opening the software contractor's intellectual
property and code to the public repository.
As we progress into the conference report, I look forward
to working with the Senate Armed Services Committee on a way
forward on this topic and recommend that we study this issue
prior to instituting new legislation. This is a provision that
is in the Senate bill, not in the House bill.
I would ask unanimous consent to include in the record at
this point, Mr. Chairman, these documents from the
stakeholders.
Chairman McCain. Without objection.
[The information follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Senator Inhofe. Thank you.
Chairman McCain. Senator Nelson?
Senator Nelson. Well, I would not exactly say that the
three of you should relax, but I will address more directly not
only to the empty chair but to General McMaster, to General
Kelly, to the Vice President, and to the President. Did you
realize that you handed out a chart that is 5 years old? The
date on this chart is January of 2013. I mean, why in the
world?
By the way, Senator Rounds is acknowledging this, and I
want to say what a pleasure it has been to deal with Senator
Rounds as the two leaders of the cyber subcommittee. I can tell
you we are alarmed. You heard the alarm in the voice of the
chairman.
Can we stipulate here that State election apparatuses,
State election databases--can we stipulate that that is
critical infrastructure?
Mr. Krebs. Sir, the Department of Homeland Security has
made that designation.
Senator Nelson. Good.
Mr. Krebs. I have an election infrastructure subsection,
sir.
Senator Nelson. Good. Therefore, a tampering or a changing
or an interfering with State election databases being critical
infrastructure would, in fact, be an attack upon our country.
Can we stipulate that that would be the case?
Why is there silence?
Chairman McCain. Let the record show there was silence.
Senator Nelson. Wow.
So do you realize that you can change----
Chairman McCain. Could I just----
Senator Nelson. Please.
Chairman McCain. In deference to the witnesses, they are
not the ones who----
Senator Nelson. I understand. That is why I am referring my
comments not only to the empty chair but to the people behind
that empty chair, which is the National Security Council
Advisor, General McMaster, the fellow who runs the White House
staff, General Kelly, both of whom I have the highest respect
and esteem for, and ultimately the Vice President and the
President.
I would go back and listen. I would defer to the intensity
of the chairman's remarks both in his opening remarks and his
questions. You mess around with our election apparatus, and it
is an attack on our country.
So let me give you an example. It does not even have to be
that the Russians come in or the Chinese or some third party
that is not a nation state. We already know that they are in 20
of our States. We know that from the reports that have been in
the newspaper from the intelligence community. All you have to
do is go into certain precincts. You do not even have to change
the outcome of the actual vote count. You could just eliminate
every 10th registered voter. So when Mr. Jones shows up on
election day to vote, I am sorry, Mr. Jones, you are not a
registered voter. You multiply that every 10th voter, you have
got absolute chaos in the election. On top of it, you have the
long lines that result, and as a result of that, people are
discouraged from voting because they cannot wait in the long
line and so forth and so on.
Now, this is the ultimate threat. I have said so many times
in this committee Vladimir Putin cannot beat us on the land, in
the air, on the sea, under the sea, or in space, but he can
beat us in cyber. To hand out a 5-year-old dated chart as to
how we are going to fix this situation just is totally, totally
insufficient.
I rest my case, Mr. Chairman. I wish you would consider a
subpoena.
Chairman McCain. Would the witnesses desire to respond to
that diatribe?
Senator Nelson. That eloquent diatribe.
[Laughter.]
Chairman McCain. One of the most historic statements in the
history of this committee.
[Laughter.]
Chairman McCain. Go ahead, please.
Mr. Rapuano. Mr. Chairman, I would say just in terms of the
Department of Defense's role, it is important to note that the
National Guard in a number of States, on the authority of the
Governors, trained cyber-capable forces are assisting those
States, and they are addressing, identifying vulnerabilities,
and mitigating those vulnerabilities. Elements of them are part
of the Cyber Mission Force, and we certainly view quite
appropriate the Governor tasking them under State authority
versus the Department of Defense attempting to insert itself
into a process without directly being requested.
Chairman McCain. Could I just say, sir, again we are
appreciative of what the Guard is doing. We are appreciative of
what local authorities are doing. We are appreciative of what
all these different agencies are doing. But we see no
coordination and no policy and no strategy. When you are ready
to give that to us, we would be eager to hear about it.
Senator Fischer?
Senator Fischer. Thank you, Mr. Chairman. Those are hard
acts to follow--your diatribes.
But I would like to focus on something else now with regard
to response. Gentlemen, one of the things that Admiral Rogers
has emphasized is the need to move quicker across the board and
faster threat detection, faster decision-making, and faster
responses.
Mr. Krebs, can you walk us through the process by which an
organization, an operator of a piece of critical
infrastructure, for example, would reach out to you for help? I
know they first have to detect the threat, and that can take
some time. But what does the process look like once they
contact you? How long does it take to begin working with them,
and are there legal agreements that must be in place before a
response team could operate on their network?
Mr. Krebs. Ma'am, thank you for the question.
There are, of course, a number of ways that a victim can
discover they have been breached or they have some sort of
intrusion. That is working whether with the intelligence
community or the FBI can notify them or the Department of
Homeland Security could inform them, or of course, one of their
private sector vendors could discover an actor on their
networks.
Now, how they reach out, there are a number of ways as well
they can reach out. They can email us. They can call us. We
have local official cybersecurity advisors throughout the
region. We have protective security advisors throughout the
region. They could also contact the FBI.
Once we are aware of an incident, we will then do an intake
process. Every incident is going to be different. That is kind
of a truism here. Every incident could be different.
In terms of timing, it all does depend on what the
situation is, what kind of information they want to provide. We
do have to work through a legal agreement just to, for
instance, get on their networks and install government
equipment and take a look. That can take time. It can depend,
of course, on the legal back and forth as hours or even days.
But I would view this as kind of an elastic spectrum. It could
take--we are talking hours. It could take a couple days to a
week. It all, of course, depends on the nature of the breach.
Senator Fischer. If you determine that DOD has to be
involved in the response as part of that team, I assume that is
going to take more time then. That decision currently rests
with the President. Is that correct?
Mr. Krebs. Ma'am, actually we do a fair amount of
coordination with the Department of Defense. In fact, we do a
cross-training on incident response matters. As I mentioned
before, we do have blended teams that go out to the field for
investigations that can be FBI or DOD assets.
In terms of the decision-making process, we do have
agreements in place. We have an understanding in place that we
do not necessarily have to go to the President. We do not
actually have to go to the Secretary level. There are sub-level
understandings that we are able to use each other's resources.
Senator Fischer. Those agreements would also cover what
types of military assistance that is going to be needed?
Mr. Krebs. It is a support function, but we are typically
talking personnel.
Senator Fischer. Mr. Rapuano, are the concepts of
operations that define the specific requirements that DOD
forces could be asked to fulfill and prioritize its assets or
sectors that should be defended from cyber attack if we were
going to have a high-end conflict?
Mr. Rapuano. Senator, the focus of the domestic response
capabilities, defense support to civil authorities when it
comes to cyber, are those protection teams out of the Cyber
Mission Force. Those are skilled practitioners who understand
the forensics issues, the identification of the challenges of
types of malware and different approaches to removing the
malware from the systems.
As Mr. Krebs noted, the DSCA process, Defense Support to
Civil Authorities, is a direct request for assistance from DHS
to the Department, and we have authorities all the way down to
COCOM [Combatant Command] commanders, specifically Cyber
Command. Admiral Rogers has the authority in a number of areas
to directly task those assets. It then comes up to me, and for
certain areas, the Secretary--it requires his approval. But
most of these things can be done at lower levels, and we have
provided that assistance previously to DHS.
Senator Fischer. So do you have that policy guidance in
place? If there is a high-end conflict, it is a first come,
first served? Do you have a way that you can prioritize how you
are going to respond? Is that in place now?
Mr. Rapuano. Absolutely. So a high-end conflict for which
we are receiving cyber attacks and threats in terms of against
our capabilities to project power, for example, would be an
utmost priority for the Department, as well as attacks against
the DOD information system. If we cannot communicate
internally, we cannot defend the Nation. So those are the
equivalent of heart, brain, lung function DOD equities and
capabilities that we prioritize. We have resources that are
available unless tapped by those uppermost priorities, and then
it becomes hard decision times in terms of do we apply assets
for domestic and critical infrastructure protection, for
example, or to protection of the DODIN [Department of Defense
Information Network] or other DOD capabilities.
Senator Fischer. Thank you.
Senator Reed [presiding]. On behalf of Chairman McCain, let
me recognize Senator Shaheen.
Senator Shaheen. Thank you, Senator Reed.
Thank you to all of our witnesses for being here this
morning.
I share the frustration that you are hearing from everyone
on this committee about decisions that have not been made
actually with respect to cyber threats affecting our Nation.
One example is the use of Kaspersky Lab's antivirus
software on U.S. Government systems. Kaspersky Lab has reported
links to Russian intelligence, and it is based in Moscow,
subjects client data to the Kremlin's intrusive surveillance
and interception laws. We just had a recent report of
Kaspersky's role in a successful Russian cyber operation to
steal classified information from an NSA employee's home
computer. They remained on the list of approved software for
way too long.
Now, this committee put an amendment in the NDAA that would
have prohibited the use of that software by the Department of
Defense. I am pleased that finally we have seen the
administration act on that.
But I think it really raises the question of how we got to
this point. So what standards were used in approving Kaspersky
Lab as an appropriate choice to fill the U.S. Government's
antivirus protection needs? Does the Government vet the origins
and foreign business dealings of cybersecurity firms and
software companies before these products are used in our
systems? Are companies looking to contract with the U.S.
Government required to disclose all their foreign
subcontractors, as well as their work and dealings with foreign
governments who may be a threat to the United States?
So I will throw those questions out to whoever would like
to answer them.
Mr. Krebs. Ma'am, thank you for the question.
As you know, the binding operational directive that we
issued several weeks ago, just over a month now, 30 some odd
days ago, require federal civilian agencies to identify
Kaspersky products if they have then and a plan to implement in
over 90 days.
So what that tells me is that we still have a lot of work
to do in terms of the processes that are in place to assess
technology products that are on the civilian----
Senator Shaheen. I agree, and that is why I am asking those
questions. I do not mean to interrupt, but I have limited time.
What I would really like to know is what you can tell me about
what standards we use, how do we vet those kinds of products,
and how do we ensure that we do not have another case of
Kaspersky being used in our sensitive government systems.
Mr. Krebs. If I may suggest, I would like to come back with
the General Services Administration to take a look at that with
you, and I will give you a more detailed briefing on how we do
that.
Senator Shaheen. Thank you. I would appreciate that.
Also, Mr. Rapuano, I appreciate your taking some time this
morning to spend a few minutes with me to talk about the
Hewlett-Packard Enterprise which allowed a Russian defense
agency to review the source code of software used to guard the
Pentagon's classified information exchange network. Can you
tell me: is the disclosure of our source codes to other
entities a usual way of doing business? How did that happen?
Mr. Rapuano. Senator, the details on that--as I shared with
you this morning, we are working that. Our CIO [Chief
Information Officer] is leading that effort with HPE on
ArcSight. I can get you additional details with regard to our
procedures. We have a layered approach to defense of the DODIN.
But we can follow up with those details for you.
Senator Shaheen. Well, thank you. I appreciate that. That
was a rhetorical question to raise the point again that I have
serious concerns about the attention that we are paying to
these kinds of issues.
In April, DOD's logistics agency said that ``HP ArcSight
software and hardware are so embedded'' that it could not
consider other competitors'--``absence and overhaul of the
current IT infrastructure.'' Do you believe that that is what
is required? How are we ever going to address any of these
problems if we say we cannot take action because it would
create a problem in responding throughout other areas where we
do business?''
Again, I appreciate that you are going to respond to the
concerns that I laid out, including that one, at a later time.
I am almost out of time, but I just had one question for
you, Mr. Krebs. That is, on this notice of this hearing, you
are listed as performing the duties of the Under Secretary for
the National Protection and Programs Directorate. You said you
have been on the job for 8 weeks. What does that mean?
Mr. Krebs. Yes, ma'am. Thank you for the question.
I have actually been with the Department since March 2017
where I was a senior counselor to General Kelly. He moved to
the White House, of course. Soon after that, I was appointed by
the President to be the Assistant Secretary for Infrastructure
Protection. In the meantime, we do have an open vacancy at the
Under Secretary position. So as the senior official within the
National Protection and Programs Directorate, I am the senior
official performing the duties of the Under Secretary.
Senator Shaheen. Okay. So tell me what your current title
is, in addition to having that as part of your
responsibilities.
Mr. Krebs. The senior official performing the duties of the
Under Secretary----
Senator Shaheen. No, no, no. I know that is what is on
here. What is your actual title?
Mr. Krebs. Assistant Secretary for Infrastructure
Protection. That is what I have been appointed. Yes, ma'am.
Senator Shaheen. Thank you, Mr. Chairman.
Chairman McCain [presiding]. Thank you.
Senator Rounds, I want to thank you and Senator Nelson for
the outstanding work you are doing on the cyber subcommittee.
It has been incredibly important and very helpful. Thank you.
Senator Rounds. Thank you, Mr. Chairman. Let me just share
with you my appreciation for you and the ranking member for
elevating this particular discussion to the full committee
status. Senator Nelson has been great to work with, and I
appreciate the bipartisan way in which he has approached this
issue.
I wish we had the same type of cooperation this morning
with Mr. Joyce coming to visit with us. I personally did not
see this as an adversarial discussion today. I saw this as one
in which we could begin in a cooperative effort the discussion
about how we take care of the seams that actually exist between
the different agencies responsible for the protection of the
cyber systems within our country.
I just wanted to kind of bring this out. This particular
chart--I believe General Alexander indicated that there were 75
different revisions to this particular chart when it was
created. Let me just, to clear the record. Do you any of you
have a more updated chart than the one that has been provided
today?
Mr. Smith. No.
Mr. Krebs. No.
Senator Rounds. No? No, okay.
For the record, that was done in 2013.
At the same time, for Mr. Krebs, let me just ask. As I
understand it, DHS is responsible for the protection of some
but not all of the critical infrastructure within the United
States. I believe I am correct in my understanding that when it
comes to the energy sector, the Department of Energy is the
lead agency. Is that correct, sir?
Mr. Krebs. Yes, sir. That is correct.
Senator Rounds. Where does it fit in the chart?
Mr. Krebs. So in the column here in the middle, protect
critical infrastructure, there is an updated piece of policy
surrounding this. I mentioned in my opening statement there is
a progressive policy arc. This was a snapshot in time, 2013.
The general muscle movements hold and have been reflected in
Presidential Policy Directive 41.
Senator Rounds. So do you have an updated chart someplace?
Mr. Krebs. I may have something better than a chart. What I
have is a plan and a policy around it, PPD 41 and the NCIRP,
which lay out the responsibilities of our respective
organizations.
Senator Rounds. All of you are working on the same level as
Mr. Krebs has described here with the information that he has?
A yes or a no would be appropriate.
Mr. Rapuano. Yes, Senator.
Mr. Smith. Yes.
Senator Rounds. Yes. Thank you. I appreciate that because
what really would have bothered me is if this thing had not
been updated or that you had not been working on anything since
2013 with all the changes that have occurred.
Let me ask just very quickly. I am just curious. It would
seem to me that there is no doubt that there are three types of
barriers that we need to overcome in order to strengthen the
collective cyber defense of the Nation, legal organization and
cultural. Have any of you identified legislative hurdles that
restrict or prohibit interagency gaps and/or seams for our
collective cyber defense? Mr. Rapuano?
Mr. Rapuano. Senator, I would just note when you look at
the National Response Framework that we use for non-cyber but
kinetic in the range of state actor or natural events, what you
see, particularly since Katrina, is a maturation of a very
similar process, many disparate roles, responsibilities, and
authorities and many different target stakeholders who may
require assistance from local, State, all the way up. This
system, the National Cyber Response Framework, is based very
closely on that National Response Framework. We are obviously
in a more nascent stage when comes to cyber and all the
aspects, but I would just say if you look at the last several
months in terms of very significant multiple hurricanes and
what I think overall, in light of the consequences, was a very
effective federal response, there has been a dramatic evolution
in our ability to work as a whole-of-government team when it
comes to complex problems with colliding authorities.
Senator Rounds. I do have one more question. I get the gist
of what you are suggesting.
Let me just ask this in terms of the overall picture here.
We can either have defense here within our country, or we can
have defense which is to try to stop something in terms of a
cyber attack before it actually gets here. That involves not
only a cyber system which is universal, it involves talking
about systems that are sometimes in our ally's country,
sometimes in countries that are not necessarily our friends,
but then also in areas where there actually are the bad guys
located who are creating the attacks themselves.
What are your views on the sovereignty as it relates to
cybersecurity? Let me just add before you answer this.
In Afghanistan, regardless of what you think about the
strategy, the longstanding undertone that justifies why we are
still there is that fighting the enemy abroad prevents another
major attack at home. In this context, it is a defensive
strategy played out via offensive maneuvering.
As we evolve cyber and the cyber intelligence fields, it is
inevitable that we will start to think of cyber defense in this
offensively minded way.
Given this, I would like to hear from you your thoughts on
the sovereignty and where we ought to be fighting this battle
to stop the attacks before they get here.
Mr. Rapuano. Senator, that is a very important question. As
I think you are aware, the concepts of sovereignty are still
molting to some degree in the sense that there are differing
views with regard to what constitutes sovereignty in what type
of scenario or situation.
Senator Rounds. It is, except for one thing. Mr. Chairman,
if you would not mind.
Here is the key part of this. These attacks are going on
now. Tallin, Tallin 1.0, Tallin 2.0 and so forth are
discussions about what our allies are looking at in terms of
the sovereignty issues outside. But in the meantime, we have
got a gap in time period here in which we have to make a
decision about where we actually defend our country against the
possibility of existing attacks today, tomorrow, and next week.
Now, unless we have got a current strategy with regard to how
we regard sovereignty and where we will actually go to defend
our critical infrastructure--and I guess that is what I am
asking. Do we have that on the books today, and are you
prepared to say that we know where we would defend against
those attacks? Are we prepared to take them beyond our borders?
Mr. Rapuano. So, Senator, yes, we do. The details of our
current posture with regard to those elements I think would
need to be deferred to a closed hearing.
Senator Rounds. Very good.
Mr. Smith, Mr. Krebs?
Mr. Krebs. It is a home and away game. We have got to go
get them over there at the same time we need to be protecting
our infrastructure here. I work very closely, for instance,
with the electricity sector in the Electricity Sector
Coordinating Council. During the hurricanes, I was on the phone
with the CEOs [Chief Executive Officers] of major utilities on
a daily basis. Every 5 p.m. with Secretary Perry, we were
talking about the status of the electricity sector. We have to
start here, network protection, close out the gaps, mitigate
consequences. At the same time, we have to take down the threat
actor. It is a whole-of-government best athlete approach.
Senator Rounds. Thank you.
Thank you, Mr. Chairman. I apologize for going over, but I
think it is a critical issue that we have to address. Thank
you.
Chairman McCain. Senator Rounds, thank you for what you and
Senator Nelson have been doing.
Senator Blumenthal?
Senator Blumenthal. Thanks, Mr. Chairman. Thank you very
much for holding this critically important hearing and to the
excellent witnesses that we have before us today.
This week, the ``New York Times'' published an article--and
I am going to submit it for the record, assuming there is no
objection--which details North Korea's cyber attacks that are
estimated to provide the North Korean Government with as much
as $1 billion a year.
[The information follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Senator Blumenthal. That figure is staggering. It is
equivalent to one-third of that country's total exports. North
Korea's ransomware attacks and cyber attacks on banks around
the world are producing a funding stream for that country,
which in turn fuels its nuclear program. It is a funding source
that must be stopped. At a time when the United States is
leading efforts to sanction exports of coal, labor, textiles,
and other products, in order to hinder North Korea's nuclear
ambitions, we also have to be focusing on additional funding
sources. This cash flow ought to be priority number one. Tough
rhetoric must be supported by tough action and practical
measures that make clear to North Korea that this kind of
conduct will be answered.
So the question is what actions are being taken to combat
their offensive cyber operations and address this cyber
revenue. I know that you may not be fully at liberty to discuss
these steps in this forum, but I would like you to do so to the
extent you can because North Korea knows what it is doing. You
are not going to reveal anything to North Korea. The American
people deserve to know what North Korea is doing and they do
not. So this is a topic that I think ought to be front and
center for the administration and for the Congress and for the
American people. I look forward to your responses.
Mr. Rapuano. I would simply say, yes, Senator, we do have
plans and capabilities that are focused and directed on the
North Korean threat in general and on the specific activities
that you have noted. I think that it would be most appropriate,
if we are going into detail, to do that in closed session.
Mr. Smith. Senator, I would just say that we continue to
work with our foreign partners in information sharing whenever
possible when we are able to assist them in identifying these
types of criminal activities. We provide them also technical
assistance whenever asked or engaging with them in joint
operations. Whenever possible, we are always looking to link it
back or coordinate some indictment or investigative--some joint
operation that would bring to light the people or the nation
states that are conducting those activities.
Mr. Krebs. I will pile on here and actually provide a
little bit of detail on a particular unclassified activity.
Working very closely with the FBI, we designated one effort
called Hidden Cobra. On US-CERT [U.S.-Computer Emergency
Readiness Team], we have a Hidden Cobra page that speaks to a
botnet infrastructure, command and control infrastructure, that
has certain indicators, that, hey, look at this. Go track this
down. Working with federal partners where some of that command
and control infrastructure may be in another country, we share
that information with them, and we are looking to take action
against it. So this is not just a whole-of-government approach,
this is an international problem with international solutions.
We are moving out aggressively. This is recent, last few weeks,
where we have been able to partner some unlikely partners.
Senator Blumenthal. I agree that it is an international
problem with international solutions. But we provide the main
solution, and we are, in effect, victims substantially if not
primarily of the problem. I understand, Mr. Rapuano, that we
have plans and capabilities. I am not fully satisfied with the
idea that those forward-oriented measures of action are
sufficient. I think we need action here and now.
The Lazarus Group, a North Korean-linked cyber crime ring,
stole $81 million from the Bangladesh Central Bank account at
the New York Federal Reserve, which would have been $1 billion
but for a spelling error, a fairly rudimentary spelling error
on the part of North Koreans. They have also been tied to the
WannaCry attack earlier this year and the Sony attack in 2014.
This week they are being linked to a $60 million theft from the
Taiwanese Bank. Measured in millions, given the way we measure
amounts of money and this week with our budget in the billions
and trillions, this may seem small but it is substantial given
the North Korean economy and its size. So I am hoping that in
another setting we can be more fully briefed on what is being
done now to stem and stop this threat.
I appreciate all of your good work in this area. Thank you.
Thanks, Mr. Chairman.
Chairman McCain. Senator Ernst?
Senator Ernst. Thank you, gentlemen, for your willingness
to tackle these issues. I think it goes without saying that
your level of success in these areas will really influence
American democracy for many, many years, as well as decades to
come.
So the conversation today so far has been focused very much
on cyber defense coordination, which we would all say is very
important. However, coordination does not do any good without
the proper understanding of our capabilities across the
Government. That is why I worked with Senators Coons, Fischer,
and Gillibrand to introduce bipartisan legislation requiring
the DOD to track National Guard cyber capabilities. Mr. Smith,
you had given a shout-out to the new cyber program within the
National Guard, and I really do appreciate that.
So for each of you, how do you assess the capabilities of
the individuals and the organizations under your charge?
Because we see this lovely chart which is very old. But you do
have a number of organizations that you are responsible for.
How do you go in and assess what that organization can actually
do and is it effective? So it is great to say, hey, we have a
cyber team in DOJ or whatever, but how do you know that they
are effective? Can you explain how you assess that? We will
start with you, Mr. Secretary.
Mr. Rapuano. Thank you, Senator. That is an excellent
question and it does represent a significant challenge. We have
got a lot of disparate organizations that obviously have cyber
equities and are developing cyber capabilities. Within the
Department of Defense, we have really committed in earnest to
start to better understand the cross-cut in terms of the
services, the commands, the full range, including the National
Guard, what are their capabilities, what specific skills are
they developing, what professional development program do we
have to recruit, train, and develop very attractive career
paths for the best and the brightest.
So we have a number of initiatives, starting with the
budget initiative. So when you start to see our budget
formulations, it is apples to apples instead of what it has
been historically which is each service's or organization's
conception of what constitutes training or what constitutes the
different elements of their budget. We did a first run this
year that was off the budget cycle just to get us in the road
to progress, so to speak, and we found that we really have got
to ensure that there is common definitional issues so we were
defining things the same way.
The other area, in terms of the National Guard, we do track
National Guard cyber capability development, training
capabilities, and how they fit into the Cyber Mission Force.
The one area that we do have a little bit of a challenge with
is under State status, we do not have that same system of
consistent definitions. So that is something that we are
working at, but we definitely recognize the critical importance
of having that common ability of across many different fronts
to define those things so we can apply them----
Senator Ernst. No. I appreciate that. That is good to
understand that now and get those worked out--those details and
discrepancies worked out.
Mr. Smith, how about you?
Mr. Smith. On our technical side, we tend to be on the job
with that routinely. So most of the people who are out are
currently actively engaged in either incidents response and
following up on the threats and investigations. But we spend a
significant amount of effort in enhancing those particularly at
a much higher level on the cyber technical side.
But in addition to that, we have taken steps to
significantly elevate the entire workforce in the digital
domain. We have created on-the-job training which allows non-
cyber personnel to be taken offline from investigating other
matters to enhance that cyber capability so when they go back
after a couple of months, they are capable of bringing both
their normal traditional investigative methods along with the
current modern digital investigative requirements.
Looking longer term, though, when we are talking about the
workforce of the future, we have been collaborating on a much
more local level with STEM [Science, Technology, Engineering
and Mathematics] high schools programs in developing and
building a future workforce as opposed to trying to compete
with everybody here and with the private industry, which can
offer things and more benefits at times than we are capable of,
but by building in FBI cyber STEM programs and bringing local
university courses to high school students at an earlier age
and supplementing that with some leadership development in
those high school ranks. So looking long term building a
workforce that will augment and maintain the necessity that we
all require we are talking about here in this digital arena.
Working with the non-cyber elements, our internal cyber
people--they are at a very high level.
Senator Ernst. Yes. I am running out of time. Mr. Krebs, if
you could submit that to us for the record, I would be
appreciative.
[The information follows:]
At the National Protection and Programs Directorate (NPPD), we have
thousands of employees located throughout the Nation who are well
qualified to carry out our mission. We assess the capabilities of these
employees through our rigorous hiring process and continue assessing
their capabilities through annual performance reviews. We also invest
in training and professional development opportunities to ensure our
employees remain at the forefront of the mission.
There is often no single solution to security practices, and
innovation, critical thinking, and diversity of opinion increase our
likelihood for success. Accountability is critical to ensuring success
as a team; success is rewarded, and falling short of goals presents
opportunities to improve and correct. By communicating expectations and
roles to team members, empowering them, and ensuring they have
resources enables them and our organization to be successful. It is
important to focus on putting the right people in the right jobs with
the right responsibilities.
Measuring success for any homeland security enterprise is
challenging because typically success means we have prevented something
from happening. For NPPD, success means we are receiving and sharing
information in a timely manner, deploying resources where requested by
our stakeholders, and providing actionable security recommendations
which will raise the overall level of security across the nation.
However, recognizing that perfect security is virtually impossible, we
will continue moving towards an ``assume breach'' posture, ensuring
that we are prepared to minimize the damage an attacker can inflict.
Useful metrics in this vein are (1) time to detection of the adversary,
(2) time to investigate the attack, and (3) time to mitigate the damage
and evict the adversary. Our goal should be to get these time values to
hours if not minutes, where they may now be weeks or even months.
NPPD also tracks trends that provide insight into our overall level
of security and the usefulness of the products and services we offer,
such as rate of compliance with the Department of Homeland Security's
Binding Operational Directive mandates, our ability to implement
cybersecurity hygiene practices, and use of DHS services and
capabilities by our stakeholders.
Senator Ernst. But, gentlemen, one thing too, as we look
across the board, is really assessing those organizations that
fall under your purview but then making sure that we are not
duplicating services amongst our agencies as well and operating
as efficiently as possible. So thank you very much.
Thank you, Mr. Chair.
Chairman McCain. Senator Hirono?
Senator Hirono. Thank you, Mr. Chairman.
I am glad that we are having a discussion about the
integrity of our elections as being fundamental to our
democracy.
Mr. Krebs, as I look at this chart, even if it is dated,
your responsibility at DHS is to protect critical
infrastructure, and you did say that election systems are
critical infrastructure. You have an election security task
force. So do you consider DHS to be the lead agency on making
sure that our election systems are not hacked?
Mr. Krebs. Ma'am, we need statutory authorities to
coordinate protection activities across the critical
infrastructure, and as a designated critical infrastructure
subsector, yes, ma'am, I lead in coordinating.
Now, I do not physically protect those networks. I enable
State and locals and also the private sector to have better
practices. Yes, ma'am.
Senator Hirono. I understand that, but you would be the
lead federal agency that would have this responsibility to work
with the State and local entities to protect our election
systems.
Mr. Krebs. From a critical infrastructure protection
perspective, yes, ma'am, alongside the FBI, as well as the
intelligence community.
Senator Hirono. What we are just looking for, as we are
wrestling with the idea of who is responsible for what, I would
just like to get down that with regard to election systems, we
should look to DHS. That is all I want to know.
Now, I hope that your task force is also addressing the
purchases of political ads by foreign countries. I hope that is
one of the things that your task force will address and whether
there is a need for legislation to prevent those kind of
purchases.
I want to get to a question to Mr. Rapuano. Data protection
is obviously an important issue with industrial espionage being
carried out by some of our near-peer competitors. The DOD
requires contractors to provide adequate security for our
covered defense information that is processed, stored, or
transmitted on the contractor's internal information system or
network. By December 31st, 2017, contractors must, at a
minimum, implement security requirements to meet the National
Institute of Standards and Technology NIST, standards.
So my question, Mr. Rapuano, can you talk about the
importance of having industry comply with this requirement and
how you are working with industry to get the word out so that
everyone is aware, especially I would say small businesses that
you all work with? They need to know that they are supposed to
be doing this.
Mr. Rapuano. Yes, Senator. Our primary focus is with the
defense industrial base where we have the highest frequency and
most significant DOD programs. But we are engaged with all of
those private sector elements that work with the Department of
Defense. I work that closely with the Chief Information Officer
for the Department, Dr. Zangardi. I can get you additional
details on the processes for doing that.
Senator Hirono. Yes. I would like to make sure that, as I
mentioned, particularly small businesses who may not be aware
of this requirement, that they are very aware and that they
have enough time to comply because December 2017 is just right
around the corner. So whatever you have, fliers, whatever you
use to get the word out.
Mr. Rapuano did not respond in time for printing. When received,
answer will be retained in committee files.
Senator Hirono. For Mr. Krebs, you mentioned in your
testimony how cyber actors have strategically targeted critical
infrastructure sectors with the intent ranging from cyber
espionage to disruption of critical services. Specifically you
identified two malware attacks called BlackEnergy and Havoc. Is
that the right pronunciation?
Mr. Krebs. Yes, ma'am.
Senator Hirono. They have specifically targeted industrial
control systems. It does not take a lot of imagination to think
of how a sophisticated cyber attack to a power plant's
industrial control system could cause a massive disruption with
grave consequences.
What is being done by DHS to encourage the private sector
to harden their defense of industrial control systems?
Mr. Krebs. Yes, ma'am. Thank you for your question, and I
do share your concern particularly with respect to those two
toolkits.
I think I would answer the question two ways. One, an
endpoint protection. So we do work very closely with the
electricity sector, as I mentioned early on, with the
Electricity Sector Coordinating Council, again from a grid
perspective. But then through our industrial control systems
CERT, the ICS-CERT, we do look at kind of more scalable
solutions that I mentioned in my opening statement, not just
kind of the whack-a-mole approach at the individual facilities
but try to understand what the actual individual control
systems are, who manufactures them because it does tend to be a
smaller set of companies. Instead of 100 or 1,000 endpoints, we
can kind of go to the root of the problem, the systemic
problem, as I also mentioned, address that at the manufacturer
or coder level and then from there, kind of break out and hit
those endpoints. So again, we do work at the endpoint, but we
also work at kind of the root problem.
Senator Hirono. So you perform outreach activities then
through ICS-CERT to make sure that, for example, the utility
sector is adequately----
Mr. Krebs. Among other mechanisms, yes, ma'am.
Senator Hirono. Thank you.
Thank you, Mr. Chairman.
Chairman McCain. Senator Tillis?
Senator Tillis. Thank you, Mr. Chairman.
Gentlemen, thank you for being here.
One quick question, and this is really from my perspective
as the Personnel Subcommittee chair. What trends, either
positive or negative, are we seeing? Mr. Rapuano, you mentioned
I think earlier when I was here about the National Guard
playing some role at the State level. But can you give me any
idea, either positive or concerning trends, about the resources
we are getting into the various agencies to really flesh out
our expertise to attract them and retain them and to grow them?
Mr. Rapuano. Well, I would simply say--and I think it has
been a common experience for my colleagues at the table here--
that getting the best talent is a very significant challenge in
the cyber realm for all the obvious reasons.
Senator Tillis. Compensation? I mean, there is a variety of
reasons, but what would you list as the top two or three?
Mr. Rapuano. There is a very high demand signal throughout
the entire economy. The compensation that individuals can get
on the outside of government is significantly greater. We are
trying to address that in terms of our workforce management
process, and we have some additional authorities that we are
applying to that, as I believe other agencies have as well.
But, again, it is a demand versus supply question.
Senator Tillis. We have had this discussed before, and
actually Senator Rounds and I have talked about it. I would be
very interested in feedback that you can give us on things that
we should look at as a possible subject matter for future
subcommittee hearings for retention. I worked in the private
sector, and I had a cyber subpractice, ethical hack testing
practice, back in the private sector. What you are up against
is not only a higher baseline for salaries, but you are also up
against what the industry would call hot skills. These are
very, very important skills. Just when you think you have
caught up or got within the range on the baseline comp, a firm,
like the firm that I worked with, both Price Waterhouse and IBM
[International Business Machines] says, okay, now we have got
to come in with a signing bonus and some sort of retention
measures that make it impossible in a governmental institution
to stay up with. So getting feedback on that would be helpful.
I am going to be brief because we have got votes and I want
to stick to my time.
I do want to just associate myself with the comments and
questions that were made by Senator Inhofe and I think Senator
Shaheen about open source software and some of the policy
discussions we are having here. I will go back to the record to
see how you all responded to their questions, but I share their
concern.
I want to get more of an idea of the scope and the scale of
non-classified software that the Department uses. I am trying
to get an idea of a volume, let us say, as a percentage of the
entire portfolio. What are we looking at at non-classified
software as a percentage of our base? I mean, is it safe to
assume that it is in the thousands in terms of platforms,
tools, the whole portfolio of the technology stack?
Mr. Rapuano. Senator, that is a request that I have in to
our system and to our CIO's office, and I can get that
information back to you as soon as I get it.
Mr. Smith. Yes. I would have to get back with you with more
specifics.
Senator Tillis. I think it would be helpful because I am
sure that we have application portfolios out there--I hope, I
should say--that we are following best practices. Somebody out
there in the ops world knows exactly what our portfolio is and
how they fit in the classified and unclassified realm. I think
that would be very helpful, very instructive to this committee.
I am going to yield back the rest of my time so hopefully
other members can get their questions in before the vote. Thank
you, Mr. Chair.
Chairman McCain. Senator King?
Senator King. Mr. Krebs, I just want to make you feel
better about your title. I enjoyed that interplay with Senator
Shaheen. 40 years ago I worked here as a staff member, and I
was seeking a witness--I think I may have told the chairman
this story--from the Office of Management and Budget from the
administration. They said he is the Deputy Secretary under such
and such. I said I do not know what that title means. The
response was--and you can take this home with you--he is at the
highest level where they still know anything. I now realize, by
the way, that I am above that level. But I appreciate having
you here.
I think you fellows understated one important point, and I
do not understand why the representative from the White House
is not here because I think he has a reasonable story to tell.
On May 11th, the President issued a pretty comprehensive
executive order on this subject that is not the be-all and end-
all on the subject, but certainly is an important beginning.
Now, here is my question, though. In that executive order,
there were a number of report-back requirements that triggered
mostly in August. My question is have those report-backs been
done. Mr. Rapuano?
Mr. Rapuano. Senator, they are starting to come in. As you
note, there are a number that are still due out.
Senator King. Some were 180 days, some were 90 days. So I
am wondering if the 90 days, which expired in August, have come
back.
Mr. Rapuano. That is correct. I do not have the full
tracker with me right here. I can get back to you on that.
Senator King. I would appreciate that.
[The information follows:]
Mr. Rapuano did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Rapuano. Some have been submitted according to the
original timeline. Others have been extended. But absolutely,
those are the essential elements of information necessary to
fully develop and update the strategy to the evolving threats
and build that doctrine and requirements and plans.
Senator King. You used the keyword of ``doctrine'' and I
want to talk about that in a minute. But by the same token,
this committee passed or the Congress passed as part of the
National Defense Authorization Act last December a provision
requiring a report from the Secretary of Defense to the
President within 180 days and from the President to the
Congress within 180 days. That report would have been due in
June from the Secretary of Defense involving what are the
military and non-military options available for deterring and
responding to imminent threats in cyberspace. Do you know if
that report has been completed?
Mr. Rapuano. Yes, Senator. It was our original intent and
desire to couple the two with the input both into the
President's EO [Executive Order], as well as the input back to
the Senate. Based on the delay of the President's EO, we
decoupled that because we recognize your impatience and we need
to----
Senator King. You may have picked up some impatience this
morning. Do we have it?
Mr. Rapuano. So we will be submitting it to you shortly,
and I will get a specific date for that.
Senator King. ``Shortly'' does not make me feel much
better. Is that geologic time or is that----
Mr. Rapuano. Calendar time, Senator.
Senator King. Please let us know.
You mentioned the word ``doctrine,'' and I think that is
one of the key issues here. If all we do is try to patch
networks and defend ourselves, we will ultimately lose. Mr.
Smith, you used the term ``impose consequences.'' Right now, we
are not imposing much in the way of consequences. For the
election hacking, which is one of the most egregious attacks on
the United States in recent years, there were sanctions passed
by the Congress, but it was 6 or 8 months later and it is
unclear how severe they will be.
We need a doctrine where our adversaries know if they do X,
Y will happen to them. Mr. Rapuano, do you have any thoughts on
that? Do you see what I mean? Just being on the defensive is
not going to work in the end. If you are in a boxing match and
you can bob and weave and you are the best bobber and weaver in
the history of the world, if you are not allowed to ever punch,
you are going to lose that boxing match.
Mr. Rapuano. Yes, Senator. I certainly agree that both the
demonstrated will and ability to respond to provocations in
general and cyber in specific is critical to effective
deterrence. I think the challenge that we have that is somewhat
unique in cyber is defining a threshold that then does not
invite adversaries to inch up close but short of it. Therefore,
the criteria--it is very difficult to make them highly specific
versus more general, and then the down side of the general is
it is too ambiguous to be meaningful as----
Senator King. Part of the problem also is we tend to want
to keep secret what we can do when, in reality, a secret
deterrent is not a deterrent. The other side has to know what
is liable to happen to them. I hope you will bear that in mind.
I think this is a critically important area because we have to
have a deterrent capability. We know this is coming, and so far
there has not been much in the way of price paid, whether it
was Sony or Anthem-Blue Cross or the Government personnel
office or our elections. There have to be consequences,
otherwise everybody is going to come after us, not just Russia,
but North Korea, Iran, and terrorist organizations. This is
warfare on the cheap, and we have to be able not only to defend
ourselves but to defend ourselves through a deterrent policy. I
hope in the counsels of the administration that will be an
emphasis in your response.
Mr. Rapuano. Yes, I agree, Senator. That is the point of
the EO in terms of that deterrence option set is to understand
them in the wider context of our capabilities, different
authorities, and to start being more definitive about what
those deterrence options are and how we can best use them.
Senator King. Thank you.
Thank you, Mr. Chairman.
Chairman McCain. Senator Heinrich?
Senator Heinrich. I want to return to that because I keep
hearing the words, but I do not see something specific in
place. We have struggled with this for years on this committee
now. Imagine that tomorrow we had a foreign nation state cyber
attack on our financial or our banking sector or next month on
our utility or our transmission infrastructure or next year on
our elections. I would suggest that any of those would cross a
threshold. What is our doctrine for how, when, and with what
level of proportionality we are going to respond to that kind
of a cyber attack? Mr. Rapuano?
Mr. Rapuano. First, I would note that obviously our
deterrence options are expansive beyond cyber per se. So cyber
is one of a large number of tools, including diplomatic,
economic, trade, military options, kinetic, and then cyber. So
looking at that broad space----
Senator Heinrich. I agree wholeheartedly. You should not
limit yourself to responding in kind with the same level of--or
with the same toolbox. But do we have a doctrine? Because if we
do not have a doctrine--one of the things that worked through
the entire Cold War is we knew what the doctrine for the other
side was and they knew what our doctrine was. That kept us from
engaging in conflicts that neither side wanted to engage in. Do
we have an overall structure for how we are going to respond?
If we do not, I would suggest we have no way to achieve
deterrence.
Mr. Rapuano. We do not have sufficient depth and breadth of
the doctrine as we have been discussing. That really is one of
the primary drivers of the executive order, the 13800, is to
have the essential elements to best inform that doctrine.
Senator Heinrich. I mean, the chairman has been asking for
an overall plan for I do not know how long. I think that is
what we are all going to be waiting for. I wish I could ask the
same question of Mr. Joyce, but maybe in a future hearing.
For any of you, I spent a good part of yesterday looking at
Russian-created, Russian-paid for Facebook ads that ran in my
State and in places across this country and were clearly
designed to divide this country, as well as to have an impact
on our elections. What is the administration doing to make sure
that in 2018 we are not going to see the same thing all over
again? Do not all speak at once.
Mr. Krebs. Sir, yes, let me start with the election
infrastructure subsector that we have established. So from a
pure cyber attack perspective, we are working with State and
local officials to up their level of defense. But specific to
the ad buys and social media use, it is still an emerging issue
that we are assessing. I can defer to the FBI on their efforts.
Senator Heinrich. Well, it is not emerging. It emerged. We
have been trying to get our hands around this for close to a
year now, and we still do not seem to have a plan and that
worries me enormously. We have special elections in place. We
have gubernatorial elections in place. We are continuing to see
this kind of activity, and we need to get a handle on it.
Let me go back to your issue of election infrastructure
because as a number of people have mentioned, it has been
widely reported that there as cyber intrusion into State-level
voting infrastructure. It is my understanding that DHS, before
you got there, was aware of those threats well before last
year's election but only informed the States in recent months
as to the nature of the intrusions in those specific States.
Why did it take so long to engage with the subject-matter
experts at the State level, and is there a process now in place
so that we can get those security clearances that you mentioned
in a timely way so that that conversation can head off similar
activity next year?
Mr. Krebs. Sir, thank you for the question.
I understand that over the course of the last year or so,
officials in each State that was implicated were notified at
some level. Now, as we continued to study the issue and got a
fuller understanding of how each State has perhaps a different
arrangement for elections--in some cases, it is State-local.
You have a chief election official. You have a CIO for the
State. You have a CIO for the networks. You have a homeland
security advisor. As we continued to get our arms around the
problem in the governance structure across the 50 States plus
territories, we got a better sense of here are the fuller range
of notifications we need to make.
So when you think about the notifications of September
22nd, that was a truing up perhaps of each State opening the
aperture saying, okay, we let this person know, but we are not
letting these additional two or three officials know. So I
would not characterize it necessarily as we just let them know
then. It was we broadened the aperture, let the responsible
officials know, and we gave them additional context around what
may have happened.
Senator Heinrich. I am working on legislation and have been
working with the Secretary of State from my State, who is
obviously involved in the National Association of Secretaries
of State. It is not rocket science. I mean, it is basically
building a spreadsheet of who and at what level. When we see
things happen in a given geographic area, you pull out the book
and you figure out who you need to be talking to. We need to
make sure that that is in place.
Mr. Krebs. Yes, sir. We are actively working that right
now.
Senator Heinrich. Thank you.
Chairman McCain. Senator McCaskill?
Senator McCaskill. Thank you.
To reiterate some of the things that I have said
previously, but the empty chair is outrageous. We had a foreign
government go at the heart of our democracy, a foreign
government that wants to break the back of every democracy in
the world. A very smart Senator I heard say in this hearing
room, who cares who they were going after this time. It will be
somebody else next time. I am disgusted that there is not a
representative here that can address this.
I also am worried----
Chairman McCain. Can I interrupt, Senator, and just say
that we need to have a meeting of the committee and decide on
this issue? I believe you could interpret this as a
misinterpretation of the privileges of the President to have
counsel. He is in charge of one of the major challenges, major
issues of our time, and now he is not going to be able to show
up because he is, quote, a counselor to the President. That is
not what our role is.
Senator McCaskill. I mean, I think in any other situation--
let us take out this President, take out Russia--this
circumstance would not allow to stand by the
United States Senate typically.
Chairman McCain. I agree.
Senator McCaskill. You would know more about that than I
would. You have been here longer than I have. But I just think
this is something that we need--in these times, when there is
an issue every day that is roiling this country, we have a
tendency to look past things that are fundamental to our
oversight role here in the Senate. I am really glad that the
chairman is as engaged as he is on this issue, and I look
forward to assisting.
Chairman McCain. Well, this should not count against the
Senator's time, but we are discussing it and we will have a
full committee discussion on it. I thank the Senator.
Senator McCaskill. That is great.
Mr. Krebs, I am also worried that we have no nominee for
your position. So if the White House reviews this testimony, I
hope they will understand that your job is really important. I
am not taking sides as to whether or not you are doing a good
job or a bad job, but the point is we do not need the word
``acting'' in front of your name for this kind of
responsibility in our government.
Unfortunately, the chairman of the committee that I am
ranking on, Homeland Security, has chosen not to have a
hearing, believe it or not, on the election interference. So
this is my shot and I am hoping that the chairman will be a
little gentle with me because I have not had a chance to
question on some things.
Why in the world did it take so long to notify the States
where there had been an attempt to enter their systems, their
voter files?
Mr. Krebs. Again, ma'am, as I mentioned earlier, at some
point over the course of the last year, not just September
22nd, an appropriate official, whether it was the owner of an
infrastructure, a private sector owner, or a local official,
State official, State Secretary, someone was notified.
Senator McCaskill. But should not all of the Secretaries of
State been notified? I mean, is that not just like a duh?
Mr. Krebs. Ma'am, I would agree. I share your concern. I
think over the course of the last several months we, as I
mentioned, had a truing up and we have opened a sort of
governance per each State. These are the folks that need to be
notified of activity.
Senator McCaskill. So what is the explanation for a State
being told one day that it had been and the next day it had not
been? How did that happen?
Mr. Krebs. I understand the confusion that may have
surrounded the notifications of September 22nd. I think the way
that I would explain that is there was additional context that
was provided to the individual States. So in one case perhaps,
the election system network may not have been scanned,
targeted, whatever it was. It may have been another State
system. I would analogize that to the bad guy walking down your
street checking your neighbor's door to see if they had a key
to get into your house. So it is not always that they are
knocking on the network. They may be looking for other ways in
through other networks or similarities----
Senator McCaskill. That does not change the fact that the
Secretaries of State should immediately have been notified in
every State whether they had been knocking on a neighbor's door
or their own door. The bottom line is--good news--we have a
disparate system in our country so it is hard to find one entry
point. The bad news is if we do not have clear information
going out to these Secretaries of State, then they have no shot
of keeping up with the bad guys.
Mr. Krebs. That is right, and going forward, we have that
plan in place. We have governance structures. We have
notifications. As I mentioned earlier, we have security
clearance processes ongoing for a number of officials. We will
get them the information they need when they need it and they
can act on.
Senator McCaskill. Because they do not want to take
advantage of what you are offering, which is terrific, that you
will come in and check their systems. No mandate, no hook, no
expense. I talked to the Secretary of State of Missouri, and he
was saying, listen, they are not even talking to us. Now, this
was before September.
But I do think somebody has got to take on the
responsibility of one-on-one communication with 50 people in
the country plus--I do not know who does voting in the
territories--as to what is happening, what you are doing, what
they are doing. I am not really enamored of the idea of moving
all of this to DOD because I think what you guys do with the
civilian workforce--I think there would be some reluctance to
participate fully if it was directed by DOD.
But the point the chairman makes is a valid one. If you all
do not begin a more seamless operation with clear lines of
accountability and control, we have no shot against this enemy.
None. It worries me that this has been mishandled so much in
terms of the communication between the States that are
responsible for the validity of our elections.
Let me talk to you briefly about Kaspersky. I do not even
know how you say it. How are you going to make sure it is out
of all of our systems?
Mr. Krebs. So, ma'am, a little over a month ago, we did
issue a binding operational directive for federal civilian
agencies.
Senator McCaskill. They get another 90 days to be able to
get stuff because you are giving them a long time.
Mr. Krebs. Yes, that is a 90-day process to identify,
develop plans to remove. There may be budgetary implications
and we have to work through that and then 30 days to execute.
We have seen a number of activities in the intervening 30-plus
days of actually people going ahead and taking it off.
Senator McCaskill. Let me just ask you. Do you think if
this happened in Russia, if they found a system of ours that
was looking at all of their stuff--do you think they would tell
their agencies of government you have 90 days to remove it?
Seriously?
Mr. Krebs. I have learned not to predict what the Russians
would do.
Senator McCaskill. I mean, really but the point I am trying
to make is, I mean, why do you not say you have got to do it
immediately?
Mr. Krebs. Ma'am, you cannot just rip out a system. There
are certain vulnerabilities that can be introduced by just
turning a critical antivirus product off. So what we need to do
is have a process in place that you can replace with something
that is effective. In the meantime, we are able to put
capabilities around anything that we do identify to monitor for
any sort of traffic.
Senator McCaskill. Is the private sector fully aware and
are our government contractors fully aware of the dangers of
the Kaspersky systems?
Mr. Krebs. Ma'am, we have shared the binding operational
directive with a number of our partners, including State and
local partners, and working with some of our interagency
partners as well. We are sharing risk information.
Senator McCaskill. Yes. Is that a little bit like sharing
with all the appropriate people at the time but not the
Secretaries of State? I mean, I just think there needs to be a
really big red siren here. What about government contractors?
Is the BOD [Binding Operational Directive]--is it binding on
our government contractors?
Mr. Krebs. No, ma'am, it is not. Actually I am sorry. Let
me follow up on that to get the specifics.
Senator McCaskill. Should it not be?
Mr. Krebs. It would make sense.
Senator McCaskill. Since we have more contractors on the
ground in Afghanistan than we have troops, would you not think
it would be important that we would get Kaspersky out of their
systems?
Mr. Krebs. That would be a Department of Defense. My
authority only extends to federal civilian agencies.
Senator McCaskill. Department of Defense, have you guys
told the contractors to get Kaspersky out?
Mr. Rapuano. We have instructed the removal of Kaspersky
from all of the DOD information systems. I will follow up
specifically on contractors.
Senator McCaskill. I would like an answer on the
contractors.
Thank you, Mr. Chairman, for your indulgence.
Chairman McCain. Senator Gillibrand?
Senator Gillibrand. Thank you, Mr. Chairman.
Your agency, Mr. Krebs, declared that Russian-linked
hackers targeted voting systems in 21 States this past
election. Why did it take over a year to notify States that
their election systems were targeted?
Mr. Krebs. Ma'am, as I have stated, we notified an official
within each State that was targeted or scanned. In the
meantime, we have offered a series of services and
capabilities, including cyber hygiene scans, to every State in
the Union and every commonwealth. So not only did we notify the
States, granted, there was a broader notification that we
subsequently made. But we did make capabilities available to
all 50 States and commonwealths.
Senator Gillibrand. Are all 50 States using the
capabilities that you offered?
Mr. Krebs. I do not have the specific numbers of the States
that are using ours, but we have seen a fairly healthy
response.
Senator Gillibrand. I would like a report on whether all
States are using the recommended technology that you offered to
them because I think we need to have that kind of transparency
given what Senator McCain started this hearing with. I think it
is a national security priority. If the States are not doing
their jobs well, we need to provide the oversight that is
necessary to make sure they do do their jobs well.
Do you believe that making these election cybersecurity
consultations optimal is sufficient?
Mr. Krebs. I am sorry. Making them--oh, optional. Optional.
Senator Gillibrand. Excuse me. Optional.
Mr. Krebs. You know, fundamentally there are some
constitutional questions in play here. What we do in the
meantime is ensure that every resource that we have available
and out there, that the State and local governments and
election systems have the ability to access.
Senator Gillibrand. I understand that there is a 9-month
wait for a risk and vulnerability assessment. Is that accurate?
Mr. Krebs. We offer a suite of services from remote
scanning capabilities, cyber hygiene scans, all the way up to a
full-blown vulnerability assessment that sometimes just to
execute that vulnerability assessment, because the breadth and
depth of the assessment, can actually take a number of weeks,
if not months. So we are in the process of looking into whether
that 9-month backlog exists and how to ensure, again, that in
the meantime, we can provide every other tool needed out to the
State and local officials.
Senator Gillibrand. I guess what I am trying to get at is
are we ready for the next election? Do you believe we are
cyber-secure for the next election?
Mr. Krebs. I think there is a lot of work that remains to
be done. I think as a country, we need to continue ensuring
that we are doing the basics right. Even at the State and local
levels, even the private sector, there are still a lot of basic
hygiene activities that need to be done.
Senator Gillibrand. I would like a full accounting of what
has been done, what is left to be done, and what are your
recommendations to secure our electoral system by the next
election? I would like it addressed to the entire committee
because we just need to know what is out there, what is left.
Senator Graham and I have a bill to have a 9/11 style
commission to do the deep dive you are doing, to make
recommendations to the Congress on the 10 things we must do
before the next election, and then have the authority to come
back to us so we can actually implement it because doing it on
an ad hoc basis is not sufficient. I am very worried that
because there is no accountability and because of the
constitutional limitations that you mentioned, that we are not
going to hold these States accountable when they have not done
the required work.
So we at least need to know what have you succeeded in
doing, what is still left to be done, what are the impediments.
Is it delays? Is it lack of enough expertise? Is it a lack of
personnel? Is it a lack of resources? I need to know because I
need to fix this problem.
Mr. Krebs. Yes, ma'am. I will say that we are making
significant progress. We have a working relationship, a strong
partnership with the State and local election officials, and we
are moving forward towards the next election.
Senator Gillibrand. Okay.
Mr. Rapuano, in your confirmation hearing, you said that
the Russian interference in our election is a credible and
growing threat and that Russians will continue to interfere as
long as they view the consequences of their actions as less
than the benefits that they accrue. Given the likelihood of
continued cyber interference in American elections, what are
the immediate steps that you are going to take and that the
Federal Government should take to restore the integrity of our
elections? I know you answered one of the earlier questions
with the work we are doing with the National Guard, but I know
that you are not necessarily doing all the training necessary
or spending the resources to do all the National Guard training
consistently with other active duty personnel.
Mr. Rapuano. Senator, we stand at the ready in terms of the
process that DHS has put into place to support all the States
with regard to the election system vulnerabilities. To date, we
have not been tasked directly to support that effort, but we
certainly have capabilities that we could apply to that.
Senator Gillibrand. Can I just have your commitment that in
the next budget, you will include the full amount needed for
the training of these cyber specialists within the National
Guard?
Mr. Rapuano. What I need to do, Senator, is check on the
status of our current funding for that effort, and I will get
back to you in terms of any deltas.
Senator Gillibrand. Thank you.
Thank you, Mr. Chairman.
Chairman McCain. Senator Warren?
Senator Warren. Thank you, Mr. Chairman.
So I want to follow up, if I can, on these questions about
the attacks on our voting systems. We know that 21 States faced
attacks on their networks by Russian actors during the run-up
to the 2016 election. It seems like the Russians are pretty
happy with those efforts, and I do not see any reason to
believe that they will not try again.
In fact, Mr. Krebs, your predecessor at Homeland Security
recently urged Congress to, quote, have a strong sense of
urgency about Russian tampering in the upcoming elections. I
know that Homeland Security designated our election system as
critical infrastructure earlier this year.
So I would just like to follow up on the question that
Senator Gillibrand was asking and what I think I heard you say.
Are you confident that our Nation is prepared to fully prevent
another round of cyber intrusions into our election systems in
2018 or 2020, Mr. Krebs?
Mr. Krebs. So what I would say is that we have structures
in place. This is not an overnight event. We are not going to
flip a switch and suddenly be 100 percent secure.
Senator Warren. So we are not there now.
Mr. Krebs. We are working towards the goal of securing our
infrastructure. Yes, ma'am.
Senator Warren. It is a simple question. We are not there
now?
Mr. Krebs. I believe there is work to be done. Yes, ma'am.
Senator Warren. Okay. So we are not there now.
Can I just ask on maybe some of the specifics? Have you
done a State-by-State threat assessment of the cyber
environment leading up to the next election?
Mr. Krebs. Are you speaking specific to the election
infrastructure or statewide?
Senator Warren. Election infrastructure.
Mr. Krebs. I would have to check on that.
Senator Warren. So you do not know whether or not there has
been a State-by-State threat assessment?
Mr. Krebs. We have engaged every single State. We are
working with their----
Senator Warren. But my question is actually more specific:
a threat assessment for each State on their election
infrastructure.
Mr. Krebs. I would have to get back to you on that.
Senator Warren. Okay.
Are there minimum cyber standards in place for election
systems?
Mr. Krebs. We do work with the National Institute of
Standards and Technology and the Election Assistance Commission
to look at security standards for voting----
Senator Warren. I understand you work on it. My question is
are there minimum cyber standards in place.
Mr. Krebs. There are recommended standards. Yes, ma'am.
Senator Warren. There are minimum cyber standards.
Mr. Krebs. There are recommended standards. Yes, ma'am.
Senator Warren. All right. In place.
Are there established best practices?
Mr. Krebs. I believe there are best practices.
Senator Warren. Those are in place.
Any plans for substantial support for States to upgrade
their cyber defenses?
Mr. Krebs. If you are talking about investments----
Senator Warren. I am.
Mr. Krebs. Okay. That is a different question that I think
that we need to have a conversation between the executive
branch and Congress about how----
Senator Warren. Was that a no?
Mr. Krebs. At this point, I do not personally have the
funds to assist----
Senator Warren. So that is a no.
Mr. Krebs. That is a resourcing to States that are grant
programs that we can put in place perhaps to improve
capability.
Senator Warren. So you not only do not have the money to do
it. Do you any plans--I will ask the question again--for
substantial support for States to upgrade their cyber defenses?
Do you have plans in place?
Mr. Krebs. We are exploring our options.
Senator Warren. So the answer is no. You do not have them
in place.
Mr. Krebs. We are working on plans. Yes, ma'am. We are
assessing what they need.
Senator Warren. Yes, the answer is no? Okay.
Look, I understand that States have the responsibility for
their own elections and also that States run our Federal
elections. But I do not think anybody in this room thinks that
the Commonwealth of Massachusetts or the City of Omaha,
Nebraska should be left by themselves to defend against a
sophisticated cyber adversary like Russia. If the Russians were
poisoning water or setting off bombs in any State or town in
America, we would put our full national power into protecting
ourselves and fighting back. The Russians have attacked our
democracy, and I think we need to step up our response and I
think we need to do it fast.
Thank you, Mr. Chairman.
Chairman McCain. Senator Peters?
Senator Peters. Thank you, Mr. Chairman.
Thank you to our witnesses for your testimony today.
I think I would concur with all of my colleagues up here
that the number one national security threat we face as a
country is the cyber threat. It is one we have to be laser-
focused on. I will concur with the chairman others who are very
frustrated and troubled by the fact that it does not seem like
we have a comprehensive strategy, we do not have a plan to deal
with this in a comprehensive way integrating both State and
local officials with federal officials, as well as the business
sector which is under constant attack.
We know the risk is not just military. It is not just the
elections, as significant as that is, because it goes to the
core of our democracy, but significant attacks against our
economic security, which also goes to the core of our
civilization. We have just been hit with an absolutely
incredible hack with Equifax that basically has taken now--some
actor out there has taken the most private information
necessary to open up accounts and to take somebody's identity.
You are talking over 100 million people in this country. I
cannot think of a worse type of cyber attack.
So, Mr. Smith, my question to you is do you think we will
be able to determine who is responsible for that hack?
Mr. Smith. Yes.
Senator Peters. When will be able to do that?
Mr. Smith. I would not want to put a specific time frame on
it.
Senator Peters. Generally.
Mr. Smith. Generally within maybe 6 or 8 months. That is on
the far side.
Senator Peters. So hopefully within less than that time. So
we will be able to identify. I know attribution is always very
difficult. Do you believe that we will be able to identify who
was responsible?
Then second, do we have to tools to effectively punish
those individuals or whoever that entity may be? Those are two
separate questions.
Mr. Smith. Correct and two separate issues.
First, on the attribution point, to get it to a certain
destination is easier than the second question, which is
imposing significant consequences on an individual or on a
specific--if it becomes nation state or associate like that. As
you have seen recently, though, with the Yahoo compromise where
we have seen a blended threat targeting our businesses and our
country where you have criminal hackers working at the
direction of Russian intelligence officers, so that is where I
become a little more vague as to my answer on specific, would
we be able to impose consequences.
Senator Peters. Which is a significant problem that you
cannot answer that, I would think, not you personally--you
cannot answer it--that we do not have a plan, we do not have a
deterrence plan that says if you do this, these are the
consequences for you and they will be significant, particularly
if there is a state actor associated with it.
Now, I know, Mr. Rapuano, you mentioned the line. We do not
want to actually put a line somewhere because everybody will
work up to that line. I think we have a problem now, as we have
zero lines right now. So it is like the Wild West out there.
But would you concur that if a state actor, hypothetically
a state actor, was behind an Equifax breach that compromised
the most personal financial information of over 100 million
Americans--would that be over any kind of line that you could
see?
Mr. Rapuano. Sir, I think that the process that we have in
play right now in terms of all the reports being submitted in
response to the executive order, looking at how we protect
critical infrastructure, modernizing IT, develop the workforce,
develop deterrence options, looking across those suite of
issues, what are our capabilities, what are our
vulnerabilities, what are the implications of adversaries that
are exploiting those vulnerabilities, that helps inform that
doctrine and that also helps inform an understanding of how to
best establish what those thresholds are, those deterrence
thresholds, what may be too specific to be useful, but what is
too vague to be useful as well. We are on the path to
developing that.
Senator Peters. Well, having said that, I think it is a
straightforward question, someone who hacks in and steals
information from over 100 million Americans and something that
compromises their potential identity for the rest of their
lives. I would hope the directive would say that that is well
over any kind of line.
Mr. Rapuano. It certainly warrants a consequence,
absolutely. Is it an act of war? I think that is a different
question, and I think there are a number of variables that go
into that. There would be more details that we would be looking
at in terms of understanding what the actual impact is, who the
actor is, what is our quality and confidence in attribution.
Senator Peters. Mr. Krebs, you answered some questions
related to Kaspersky and taking out that software from the
machines of the Federal Government, the United States
Government, because of the risk that is inherent there. If the
risk is there for the U.S. Government, is it not risky for the
average citizen as well to have this software on their
computers when we have millions of Americans that have the
software and potentially access to their personal information
on that computer? Is that not a significant security risk that
we should alert the public to?
Mr. Krebs. So risk, of course, is relative. The Department
of Homeland Security made a risk assessment for the civilian
agencies that we were not willing to have these products
installed across our networks. I think that is a pretty strong
signal of what our risk assessment was, and we have shared
information across the critical infrastructure community and
State and locals on that decision.
Senator Peters. So you say that is an indication of the
seriousness of the problem. So the average citizen also will
take this software off their system?
Mr. Krebs. I think the average citizen needs to make their
own risk-informed decision. Again, the Federal Government has
made the decision that this is an unacceptable risk position,
and we are instructing agencies to remove at present.
Senator Peters. Right. Thank you so much.
Chairman McCain. Senator Reed?
Senator Reed. Thank you very much, Mr. Chairman.
Just quickly, Mr. Rapuano, following up on Senator Peters?
line of questioning, is Cyber Command prepared to engage and
defeat an attack on our critical infrastructure in the United
States? I know there is an issue here of what is the trigger,
but are they prepared to do that right now?
Mr. Rapuano. So Cyber Command is developing a suite of
capabilities against a variety of targets that are--yes, it is
inclusive of responding to attack on U.S. critical
infrastructure.
Senator Reed. The question is--and Senator Peters raised
it--what is, for want of a better term, the trigger? You
suggested act of war. We are still on sort of the definitional
phase of trying to figure out what would prompt this. We have
the capability, but the question is under what circumstance do
we use it. Is that fair?
Mr. Rapuano. That is fair. Absolutely.
Senator Reed. Thank you.
Chairman McCain. I want to thank the witnesses, and I want
to thank you for the hard work you are doing and your candor in
helping this committee understand many of the challenges. I
must say I appreciate your great work on behalf of the country.
But I come back 4 years ago, I come back 2 years ago, I come
back 1 year ago. I get the same answers. We put into the
defense authorization bill a requirement that there be a
strategy, followed by a policy, followed by action. We have
now, 4 months late, a report that is due before the committee.
We have our responsibilities and we are going to carry them
out. We have authorities that I do not particularly want to
use, but unless we are allowed to carry out our
responsibilities to our voters who sent us here, then we are
going to have to demand a better cooperation and a better
teamwork than we are getting now.
Again, I appreciate very much the incredible service that
you three have provided to the country, and I am certainly not
blaming you for not being able to articulate to us a strategy
which is not your responsibility. The implementation of actions
dictated by the strategy obviously is yours.
So when we see the person in charge at an empty seat here
today, then we are going to have to react. The committee is
going to have to get together and decide whether we are going
to sit by and watch the person in charge not appear before this
committee. That is not constitutional. We are co-equal branches
of government. So I want to make sure that you understand that
every member of this committee appreciates your hard,
dedicated, patriotic work and what you are dealing with and
doing the best that you can with the hand you are dealt.
This hearing has been very helpful to us in assembling--not
assembling but being informed as to one of the major threats to
America's security. I thank you for that. I thank you for your
honest and patriotic work. But we are going to get to this
because of the risk to our very fundamentals of democracy among
which are free and fair elections.
So is there anything that the Senator from Maine would like
to editorialize? He usually likes to editorialize on my
remarks.
Senator King. My mind is racing, but I think prudence
dictates no response, Mr. Chairman.
[Laughter.]
Chairman McCain. I thank the witnesses for your
cooperation. I thank you for your service to the country.
This hearing is adjourned.
[Whereupon, at 11:53 a.m., the committee was adjourned.]
[Questions for the record with answers supplied follow:]
Questions Submitted by Senator Deb Fischer
supply chain security
1. Senator Fischer. Beyond the specific actions taken with respect
to Kaspersky products, what is your department doing holistically to
manage the risks cyber risks associated with companies--particularly IT
or telecom companies--that have relationships with foreign governments?
Mr. Krebs. Our supply chain presents a significant source of risk
that is being targeted with growing regularity by our most
sophisticated adversaries. The acquisition or use of equipment or
services from foreign suppliers within U.S. telecommunications networks
without a full understanding of the associated risk may undermine the
security, integrity, and reliability of those networks. To understand
and appropriately mitigate such risks to U.S. telecommunications
networks requires significant collaboration with industry, including
sharing intelligence related to specific risks to U.S.
telecommunications networks and assessments of vulnerabilities.
The Department of Homeland Security (DHS) works in coordination
with other federal agencies to address supply chain risk. Several
agencies have programs in place to assess supply chain risk of
information and communications technology (ICT) purchased by federal
agencies. To address these growing risks, the National Protection and
Programs Directorate (NPPD) is launching a Cyber Supply Chain Risk
Management (C-SCRM) initiative. The objective of the C-SCRM initiative
is to enable stakeholders to make better informed procurement decisions
by providing supply chain risk assessments and mitigation
recommendations. This initiative is focused on closing known
information sharing gaps and supporting DHS's efforts to address supply
chain risk for government and private sector entities.
DHS and other interagency partners have engaged with private sector
entities to better understand supply chain risk and examine options to
mitigating risk. DHS participates in two industry-government working
groups addressing increasing concerns regarding business risk and
commercial threats. Both of these working groups are making near-term
incremental improvements in the identification, communication, and
analysis of third party risk-related information.
DHS is a member of the Committee on Foreign Investment in the
United States (CFIUS). CFIUS reviews transactions which could result in
foreign control of any person engaged in interstate commerce in the
United States. As a member of CFIUS, DHS can identify risks to DHS
equities arising from CFIUS transactions, including those related to
cybersecurity. CFIUS generally takes one of two mitigating actions when
unresolved risk is identified: (1) establishment of a binding national
security agreement with the parties involved in the transaction, or (2)
in rare circumstances, recommend the President prohibit the
transaction.
DHS is also a member of Team Telecom, a working group of federal
agencies who review FCC applications for new service authorizations,
including mergers and acquisitions, involving telecommunications
operators with foreign ownership in order to protect U.S. national
security, law enforcement, and public safety interests. This allows for
dialogue and the sharing of information between DHS and companies with
which Team Telecom has mitigation agreements in an effort to address
any national security risk that may arise from the FCC granting a new
service authorization.
Additionally, DHS implemented a policy to include a requirement to
address supply chain risks as a part of efforts related to the
management and protection of sensitive DHS systems. DHS requires supply
chain risk management principles to be included in the contracting
process for all hardware and software to ensure the confidentiality,
integrity, and availability of government information.
Mr. Rapuano. This is a complex challenge because there is a global
market for commercial information technology and communications
products. Many of the commercial off-the-shelf products used by the DOD
can be purchased by foreign governments as well. It is important to
distinguish such products produced by a U.S.-based company, or by a
company that is headquartered in an allied nation, which can also be
purchased by adversaries, from commercial IT products produced by
companies based in countries whose interests are not always aligned
with United States' interests. One should view such products with
caution. The risk associated with global telecom companies is equally
complicated due to their global customer base. In each of these cases,
DOD has policies in place, or is in the process of putting policies in
place, which govern these complex business relationships. The
Department has implemented a Trusted Systems and Networks (TSN)
strategy as a risk-based approach to address Supply Chain Risk
Management (SCRM) concerns for globally sourced information and
communications technology being integrated into DOD critical systems
and networks. This TSN/SCRM strategy seeks to establish trust and
confidence in our critical systems and DOD's ability to execute its
missions in a cyber contested environment, around the globe and
throughout the system's lifecycle. The DOD Chief Information Officer
(CIO) and the Undersecretary of Defense for Acquisition, Technology,
and Logistics (AT&L) established DOD policy and regulations (DOD
Instruction (DODI) 5200.44, Protection of Mission Critical Functions to
Achieve Trusted Systems and Networks (November 12, 2012)), to enable
robust SCRM processes across DOD. DODI 5200.44 outlines a SCRM approach
for vetting critical components prior to acquiring or integrating them
into national security systems (NSS). The multi-discipline approach
integrates systems engineering, SCRM, security, counterintelligence,
intelligence, cybersecurity, hardware and software assurance, assured
services, and information systems security engineering. DOD CIO leads
the TSN-Roundtable, which meets quarterly with Service and Agency TSN
Focal Points and other stakeholders, to support DOD-wide implementation
of DODI 5200.44 by sharing best practices and defining TSN-enterprise
capability requirements. In support of the TSN strategy, the Department
established enterprise capabilities to support the Services and
Agencies in their implementation: The Defense Intelligence Agency
established the SCRM Threat Analysis Center to provide supply chain
threat assessments to Programs for their critical components. AT&L
established the Joint Federated Assurance Center (JFAC) to manage
sharing of hardware and software (HW/SW) assurance testing capabilities
and foster improved HW/SW test research and development. In addition,
the Department has specialized authorities available to address supply
chain risks by excluding specific sources. More specifically, section
806 of the NDAA for fiscal year 2011, as amended by section 806 of the
NDAA for fiscal year 2013, has been implemented at DFARS Subpart
239.73, ``Requirements for Information Relating to Supply Chain Risk.''
The rule enables DOD components to exclude a source that fails to meet
established qualifications standards or fails to receive an acceptable
rating for an evaluation factor regarding supply chain risk for
information technology acquisitions, and to withhold consent for a
contractor to subcontract with a particular source or to direct a
contractor to exclude a particular source. DOD is also active in
interagency and private sector SCRM efforts. DOD CIO participated in
development of National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-161 on SCRM Practices for Federal
Information Systems and Organizations and co-led with NIST the 2017
update of the Committee on National Security Systems (CNSS) update of
the CNSS Directive No. 505, Supply Chain Risk Management. DOD and other
interagency partners host quarterly Software & Supply Chain Assurance
Forums bringing together industry-academia-government SCRM experts. DOD
CIO also continues to engage trade organizations and standards
development organizations on ``commercially acceptable global sourcing
standards.''
__________
Questions Submitted by Senator Ben Sasse
senate cybersecurity
2. Senator Sasse. How likely is it that Congressional IT systems
have been compromised by hostile foreign intelligence services?
Mr. Rapuano. I respectfully defer to the DOJ (FBI) and DHS, since
the DOD has no jurisdiction or role in the defense of Congressional IT
systems, unless a request for technical assistance (RTA) is issued to
secure DOD support as part of a cyber incident response effort.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
3. Senator Sasse. Is it possible that foreign intelligence services
are sitting on our systems right now undetected?
Mr. Rapuano. If by saying ``our systems'' you mean congressional
computer networks, I again defer to DOJ to address the question of
whether or not foreign intelligence services have intruded onto
congressional computer networks.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
cybersecurity doctrine and strategy
4. Senator Sasse. Where is the Secretary of Defense's cyber
strategy?
Mr. Rapuano. The Department has begun the process to update the
2015 Cyber Strategy. However, it is necessary that this strategy be
nested within the National Security, National Military and National
Defense Strategies, which are still in development. Therefore, I cannot
provide you a specific date when the updated cyber strategy will be
released, but I pledge to keep Congress updated as this process
progresses.
5. Senator Sasse. Why has this strategy not been produced?
Mr. Rapuano. The Department continuously assesses the efficacy and
scope of its existing Cyber Strategy. Previously, the decision to
update our 2011 DOD Cyber Strategy was made in 2014 and resulted in our
current DOD Cyber Strategy being published in April 2015. The
Department recognizes the need to begin our next cyber strategy update
and is building the framework for a new strategy that not only keeps
pace with the cyber threat but also addresses congressional concerns.
This strategy will be informed by the broader National Security and
National Defense Strategies that the Department is currently working
with the other departments and agencies. We believe the updated Cyber
Strategy must be synchronized with these overarching strategies to
produce the most informed and effective final product.
6. Senator Sasse. When will it be completed and when will the SASC
be able to review it?
Mr. Rapuano. Although I cannot provide a specific completion date
at this time for the reasons stated above, I can assure the Committee
that this is a priority for the Department's efforts in cyberspace and
that substantive work is already underway to produce a final product as
soon as possible.
7. Senator Sasse. Mr. Rapuano, what are the fundamentals of cyber
deterrence--not cybersecurity per se--but, cyber deterrence? How do we
reduce our enemies' desire to conduct cyberattacks against us?
Mr. Rapuano. Deterring enemies in cyberspace requires intensive
interagency policy planning to harmonize (integrate laterally) and
synchronize (sequence over time correctly) the use of all instruments
of national power to persuade adversaries not to attempt to harm us
using cyberspace. First, we must implement world-leading cybersecurity
capabilities to make the networks, systems, and information supporting
our critical infrastructure and our military forces highly resilient in
a cyber-contested environment. This would greatly increase the
difficulty encountered by adversaries in mounting successful
cyberattacks and could serve to discourage them from making such
attempts. At the same time, we must utilize an optimum combination of
messaging (e.g., declaratory policy, diplomacy, and capability
demonstrations); shaping of the strategic environment in ways that are
inhospitable to malicious cyber activities; imposing substantial
consequences such as economic penalties for actual cyberattacks
attributable to particular actors; law enforcement actions; and
building coalitions of like-minded nations to join with us in these
efforts. In addition, increasing our capability to detect, block, and
disrupt or subvert malicious cyber threat activities will minimize any
adversary's success, making such activities less attractive and more
costly. Exposing cyber threat activity as unacceptable behavior, and
attaching civil, criminal or monetary or trade sanctions when we have
adequate attribution can create disincentives and hesitation on the
part of our adversaries. Establishing and enforcing a cyber behavior
threshold with escalating severity will build structure of predictable
and unpredictable consequences that will help shape cyber threat actor
intentions and actions.
8. Senator Sasse. How is DOD doing in building our nation's cyber
deterrence doctrine?
Mr. Rapuano. Deterring malicious behavior in cyberspace requires a
whole-of-government approach. Consequently, DOD is actively
participating in interagency efforts to develop a report on the
Nation's strategic options for deterring adversaries and better
protecting the American people from cyber threats, as required by the
President's Executive Order 13800, Strengthening the Cybersecurity of
Federal Networks and Critical Infrastructure. That report, when
completed, will shape our deterrence activities in support of national
level cybersecurity policy, which will entail numerous follow-on
implementation efforts by all interagency players. As DOD formulates
its own Department-level cyber deterrence doctrine, an effort currently
underway, we will seek to ensure that it is compatible with, and
supports, the emerging national-level strategy.
threat of cyber attack
Senator Sasse. Mr. Smith, are there any ongoing efforts by Russia,
China, North Korea, or any other State to digitally target U.S.
critical infrastructure or systems?
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
9. Senator Sasse. On a scale of 1-10 (10 being the most dangerous),
how would you rank the current cyber threat against the U.S.?
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
10. Senator Sasse. What cyber threat or vulnerability are you most
concerned about these days?
Mr. Krebs. There are a range of high priority risk areas based on
the current threat environment. Adversaries continue to test our
critical infrastructure, and as a result we are focusing efforts on the
interconnectedness and communications reliance of our nation's critical
infrastructure, particularly those services that underpin the essential
functions of our economy and way of life. Over the past year, Americans
saw advanced persistent threat actors, including hackers, cyber
criminals, and nation-states increase the frequency and sophistication
of these attacks. Our adversaries have been developing and using
advanced cyber capabilities to undermine critical infrastructure,
target our livelihoods and innovation, steal our national security
secrets and threaten our democracy through attempts to manipulate
elections. We are working with our partners in the Government and
private sector to defend against and mitigate the risk posed by our
adversaries.
Senator Sasse. All Witnesses: Please provide a one-word answer to
the following question:
11. Is the nation's cyber vulnerability level ``acceptable''
(meaning we have the threat under control), is it ``concerning''
(meaning the threat is rising and may soon pose a significant risk to
our national interests and our way of life), or is it ``critical''
(meaning the threat already poses a significant risk to our national
interests and our way of life)?
Mr. Joyce did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Rapuano. It is difficult to state definitively the Nation's
level of vulnerability in cyberspace at any one moment. However, the
evolving nature of the cyber threat and the pace and scope at which the
U.S. Government is witnessing cyber incidents against key sectors of
the U.S. economy and infrastructure highlight the continued need to
address our Nation's cyber vulnerabilities as a priority. As
highlighted in my testimony, it is not likely that we can address every
vulnerability and thus must prioritize efforts to protect the most
critical assets and manage risk strategically. In the defense
industrial sector, this threat already poses a significant risk to the
U.S. warfighting capability today and in the future. Recent changes in
acquisition regulations regarding protection of controlled defense
information on contractor information systems will provide some risk
reduction, as will the emphasis on countering insider threats. The
President's Cyber Executive Order directs the Executive Branch to
provide such an updated framework.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. Cyber threats remain one of the most significant
strategic risks to the United States, threatening our national
security, economic prosperity, and public health and safety. The level
of vulnerability varies across sectors and fluctuates based on new
technology that is acquired. Instead of focusing on a general score,
DHS is committed to defending federal networks and ensuring the
security of cyberspace and critical infrastructure.
12. Senator Sasse. What concrete steps need to be taken to reduce
our cyber risk to an acceptable level?
Mr. Joyce did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Rapuano. Individual cyber risks are assessed by evaluating the
combination of criticality, vulnerability, and threat variables. DOD
assesses the cyber risk by following the National Institute of
Standards and Technology (NIST) Risk Management Framework, which
defines risk as a ``measure of the extent to which an entity is
threatened by a potential circumstance or event, and a function of: (i)
the adverse impacts that would arise if the circumstance or event
occurs; and (ii) the likelihood of occurrence.'' DOD is taking a number
of concrete steps to reduce our cyber risk to an acceptable level,
including conducting cyber assessments of its critical assets,
enhancing cyber defensive capabilities, updating contracting rules to
improve accountability and responsibility for protection of DOD data
within the Defense Industrial Base (DIB), updating information systems
security requirements, developing policies to support cyber damage
assessment processes, and focusing on protection of the Department's
critical acquisition programs and technologies. In addition, DOD is in
the process of conducting cyber vulnerability assessments of our major
weapon systems and our critical infrastructure, in response to section
1647 of the fiscal year 2016 NDAA and section 1650 of the fiscal year
2017 NDAA.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. Safeguarding and securing cyberspace is a core homeland
security mission. Malicious cyber actors target the paths of least
resistance, lowest effort for the biggest payoff, and simplicity. Many
information technology system compromises exploit basic vulnerabilities
such as: email phishing, insecure password practices, default and
improper configuration, and poor patch management. Continuing to
address these basic vulnerabilities will make significant progress in
reducing the Nation's cybersecurity risk.
Executive Order 13800, Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure, recognizes that effective
cybersecurity requires entities to identify, detect, respond, and if
necessary, recover from cyber intrusions. We are fully engaged in
outreach to stakeholders to provide cybersecurity threat information
and highlight the need to prioritize and manage cybersecurity risks. We
also promote the standardization of information technology and
cybersecurity capabilities to control costs and improve asset
management, and provide support to improve incident detection,
reporting and response capabilities.
Section 9 of Executive Order (EO) 13636, Improving Critical
Infrastructure Cybersecurity, states that DHS ``shall use a risk-based
approach to identify critical infrastructure where a cybersecurity
incident could reasonably result in catastrophic regional or national
effects on public health or safety, economic security, or national
security.'' Further, section 9 states, ``the Secretary shall review and
update the list of identified critical infrastructure under this
section on an annual basis.'' The National Protection and Programs
Directorate (NPPD) executes this program using a collaborative approach
with expertise from public and private sector partners and Sector-
Specific Agencies.
Identification supports both critical infrastructure needs and
national security objectives by providing the Federal Government with
the ability to more effectively disseminate specific and targeted
cybersecurity threat information to identified cyber-dependent critical
infrastructure. This then supports the prioritization, as appropriate,
of government resources and programs available to identified cyber-
dependent critical infrastructure, helping improve the Government's
understanding of those systems or assets whose incapacity or disruption
would have catastrophic consequences. This understanding helps inform
the Government's planning, protection, mitigation and response efforts
provided in partnership with impacted state, local, territorial, tribal
and private sector entities in the event of a cyber incident.
__________
Questions Submitted by Senator Jeanne Shaheen
removal of kaspersky software from government systems
13. Senator Shaheen. Secretary Krebs, Kaspersky Lab partners with
many well-known companies that specialize in areas beyond anti-virus
protection. How are you ensuring that every bit of Kaspersky software
whether it be on government computers, networks, and TVs is completely
removed from U.S. systems within 90 days (according to the DHS
directive)?
Mr. Krebs. On September 13, 2017, the Acting Secretary of Homeland
Security issued Binding Operational Directive (BOD) 17-01: Removal of
Kaspersky-Branded Products. BOD 17-01 instructs federal agencies to
identify and report to the Department of Homeland Security (DHS) by
October 13, 2017, the use or presence of Kaspersky Lab-branded products
on federal information systems. This process has identified the use of
Kaspersky Lab-branded products on some systems at some agencies. Those
agencies also developed plans to remove such products as required by
the BOD.
DHS provided an opportunity for Kaspersky Lab to submit a written
response addressing the Department's concerns. This opportunity
provided the company a full opportunity to inform the Acting Secretary
of any evidence, materials, or data that may be relevant. This
opportunity was also made available to any other entity that claims its
commercial interests are directly impacted by the directive.
14. Senator Shaheen. Secretary Krebs, what is the standard applied
to agencies working to successfully remove all Kaspersky products from
their systems?
Mr. Krebs. On September 13, 2017, the Acting Secretary of Homeland
Security issued Binding Operational Directive (BOD) 17-01: Removal of
Kaspersky-Branded Products. BOD 17-01 instructs federal agencies to
identify and report to the Department of Homeland Security (DHS) by
October 13, 2017, the use or presence of Kaspersky Lab-branded products
on federal information systems. This process has identified the use of
Kaspersky Lab-branded products on some systems at some agencies. Those
agencies also developed plans to remove such products as required by
the BOD.
DHS provided an opportunity for Kaspersky Lab to submit a written
response addressing the Department's concerns. This opportunity
provided the company a full opportunity to inform the Acting Secretary
of any evidence, materials, or data that may be relevant. This
opportunity was also made available to any other entity that claims its
commercial interests are directly impacted by the directive.
15. Senator Shaheen. Secretary Krebs, do you plant to consult with
this Committee on the directive's progress after the initial 60-day
review?
Mr. Krebs. On September 13, 2017, the Acting Secretary of Homeland
Security issued Binding Operational Directive (BOD) 17-01: Removal of
Kaspersky-Branded Products. BOD 17-01 instructs federal agencies to
identify and report to the Department of Homeland Security (DHS) by
October 13, 2017, the use or presence of Kaspersky Lab-branded products
on federal information systems. This process has identified the use of
Kaspersky Lab-branded products on some systems at some agencies. Those
agencies also developed plans to remove such products as required by
the BOD.
DHS provided an opportunity for Kaspersky Lab to submit a written
response addressing the Department's concerns. This opportunity
provided the company a full opportunity to inform the Acting Secretary
of any evidence, materials, or data that may be relevant. This
opportunity was also made available to any other entity that claims its
commercial interests are directly impacted by the directive.
other agencies
16. Senator Shaheen. Secretary Krebs, have other agencies been
successful in identifying and removing Kaspersky products on their
information systems?
Mr. Krebs. On September 13, 2017, the Acting Secretary of Homeland
Security issued Binding Operational Directive (BOD) 17-01: Removal of
Kaspersky-Branded Products. BOD 17-01 instructs federal agencies to
identify and report to the Department of Homeland Security (DHS) by
October 13, 2017, the use or presence of Kaspersky Lab-branded products
on federal information systems. This process has identified the use of
Kaspersky Lab-branded products on some systems at some agencies. Those
agencies also developed plans to remove such products as required by
the BOD.
DHS provided an opportunity for Kaspersky Lab to submit a written
response addressing the Department's concerns. This opportunity
provided the company a full opportunity to inform the Acting Secretary
of any evidence, materials, or data that may be relevant. This
opportunity was also made available to any other entity that claims its
commercial interests are directly impacted by the directive.
__________
Questions Submitted by Senator Richard Blumenthal
election interference
17. Senator Blumenthal. Mr. Rapuano, Mr. Smith, and Mr. Krebs, do
you agree that Russia must pay a steeper price for its cyberattacks and
interference in our election? Do you agree that our actions so far have
not made Russia realize that they have more to lose than gain with
their behavior?
Mr. Rapuano. Russia is a determined adversary with advanced cyber
capabilities that it is willing to employ to advance Russia's national
interests. Although I think the United States response to Russian
election interference clearly communicated how seriously we took their
actions, I am not convinced that it was sufficient to deter Russia from
undertaking similar activities in the future. If Russia views the
benefits of its actions to be greater than the risks, its unacceptable
conduct is likely to continue. All that said, no single U.S. Government
action, and no single DOD activity, will successfully counter Russia's
malign influence activities. The United States must approach this as a
sustained long-term campaign that leverages all instruments of national
power to deter, counter, and when required, respond to Russia's
attempts to undermine United States national interests and values.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. The U.S. Government seeks to leverage our various
authorities and capabilities to secure vital systems and assets,
improve resilience against cyber incidents, and quickly respond to and
recover from incidents when they occur. Regarding Russia or any other
state or non-state actor, deterrence is an important component of
national efforts to change the behaviors of malicious cyber actors and
to protect information and information systems, including critical
infrastructure, from harm. The foundation of our deterrence and broader
cybersecurity efforts includes securing our own systems before an
adversary acts thereby making exploitation of U.S. infrastructure more
difficult and costly. This denies malicious cyber actors any benefit to
less sophisticated attempts at intrusion and reduces benefits to more
sophisticated attacks. Deterrence by denial requires a whole of
Government, and indeed whole of Nation, approach that is coordinated
with our private sector, state and local, and international partners
across all areas of national preparedness.
The Department of Homeland Security (DHS) supports and enables the
security and resilience of non-federal entities through its network
protection efforts. Network protection includes providing entities with
information and technical capabilities they can use to secure their
networks, systems, assets, information, and data, by providing
technical assistance and risk management support as well as
recommendations on security and resilience measures to facilitate
information security and strengthen information systems against
cybersecurity risks and incidents. These efforts are carried out by
DHS's National Protection and Programs Directorate, which includes the
National Cybersecurity and Communications Integration Center (NCCIC).
The NCCIC operates at the intersection of the private sector, civilian,
law enforcement, intelligence, and defense communities.
Network protection is only one component of the Federal
Government's overall effort to deter malicious cyber actors. DHS's law
enforcement agencies and intelligence offices play a key role as well.
Additionally, our interagency partners make important contributions to
overall deterrence efforts through proactive risk reduction efforts,
sanctions, diplomatic actions, and offensive operations.
This year DHS stood up an Election Task Force (ETF) to improve
coordination with and support to our stakeholders. NPPD is leading the
task force, which includes personnel from across the Department, as
well as interagency partners. NPPD is working with interagency partners
to address risk to elections, including countering influence campaigns.
18. Senator Blumenthal. Mr. Rapuano, Mr. Smith, and Mr. Krebs, what
is being done to prevent Russia--or any other state or non-state
actor--from conducting influence campaigns designed to disrupt our
elections?
Mr. Rapuano. Consistent with Mr. Krebs' testimony, the Federal
government is engaging with domestic authorities to ensure they that
have the information and resources necessary to secure their
information systems, databases, and other related election
infrastructure. Although DOD is not directly involved in these
activities, it is prepared to support DHS and the FBI in these efforts,
if requested and where appropriate. Consistent with DOD's mission, DOD
seeks actively to characterize adversary threats to provide advance
warning and, when directed, employ potential response options to
counter adversary cyber activities. Fundamentally, Russia's complex
information operation targeted United States citizens by exploiting
existing political and social divisions, and the digital media
environment. It's important to note that developing and fielding state-
of-the-art cyber defenses alone will be insufficient to counter ongoing
or future nation-state influence operations. Building our nation's
resiliency to these types of actions will require a whole of nation
response that involves working with the private technology sector,
educating the public, increasing awareness, exposing malicious actions,
etc. Many such actions exceed DOD authorities or resources.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. The U.S. Government seeks to leverage our various
authorities and capabilities to secure vital systems and assets,
improve resilience against cyber incidents, and quickly respond to and
recover from incidents when they occur. Regarding Russia or any other
state or non-state actor, deterrence is an important component of
national efforts to change the behaviors of malicious cyber actors and
to protect information and information systems, including critical
infrastructure, from harm. The foundation of our deterrence and broader
cybersecurity efforts includes securing our own systems before an
adversary acts thereby making exploitation of U.S. infrastructure more
difficult and costly. This denies malicious cyber actors any benefit to
less sophisticated attempts at intrusion and reduces benefits to more
sophisticated attacks. Deterrence by denial requires a whole of
Government, and indeed whole of Nation, approach that is coordinated
with our private sector, state and local, and international partners
across all areas of national preparedness.
The Department of Homeland Security (DHS) supports and enables the
security and resilience of non-federal entities through its network
protection efforts. Network protection includes providing entities with
information and technical capabilities they can use to secure their
networks, systems, assets, information, and data, by providing
technical assistance and risk management support as well as
recommendations on security and resilience measures to facilitate
information security and strengthen information systems against
cybersecurity risks and incidents. These efforts are carried out by
DHS's National Protection and Programs Directorate, which includes the
National Cybersecurity and Communications Integration Center (NCCIC).
The NCCIC operates at the intersection of the private sector, civilian,
law enforcement, intelligence, and defense communities.
Network protection is only one component of the Federal
Government's overall effort to deter malicious cyber actors. DHS's law
enforcement agencies and intelligence offices play a key role as well.
Additionally, our interagency partners make important contributions to
overall deterrence efforts through proactive risk reduction efforts,
sanctions, diplomatic actions, and offensive operations.
This year DHS stood up an Election Task Force (ETF) to improve
coordination with and support to our stakeholders. NPPD is leading the
task force, which includes personnel from across the Department, as
well as interagency partners. NPPD is working with interagency partners
to address risk to elections, including countering influence campaigns.
19. Senator Blumenthal. Mr. Rapuano, Mr. Smith, and Mr. Krebs, how
do you define a cyberattack? What constitutes an act of war?
Mr. Rapuano. As is the case in all other domains, a determination
of whether a malicious cyber activity constitutes an act of war
(equivalent to an ``armed attack'' or use of force) or a cyberattack
warranting a U.S. response is made on a case-by-case basis by the
President, regardless of the actor. It is the context and consequence,
not the means, of an attack that matter most. Malicious cyber
activities could result in death, injury or significant destruction,
and any such activities likely would be regarded with the utmost
concern and could well be considered an armed attack or use of force.
It is also important to note that malicious cyber activity does not
need to be deemed an ``act of war'' or an ``armed attack'' to warrant a
response. If a decision is made by the President to respond to a
cyberattack on U.S. interests, the United States reserves the right to
respond at a time, in a manner, and in a place of our choosing, using
appropriate instruments of U.S. power.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. In December 2016, the Department of Homeland Security
led development of the National Cyber Incident Response Plan, in
coordination with the Department of Justice, the Department of Defense,
Sector Specific Agencies, other interagency partners, state and local
governments, and private sector critical infrastructure entities. While
this plan was not intended to define terms such as cyberattack or act
of war, it did establish a common framework for understanding the
severity of a cyber incident. Included in this plan is a cyber incident
severity schema established by the Federal Government's cybersecurity
centers, in coordination with departments and agencies with a
cybersecurity or cyber operations mission. The schema established a
framework for describing the severity of cyber incidents affecting the
Homeland, U.S. capabilities, or U.S. interests, providing a common view
of the severity of a given incident, urgency required for responding to
a given incident, seniority level necessary for coordinating response
efforts, and level of investment required for response efforts. The
schema has proven helpful in coordinating interagency response efforts
during previous cyber incidents. Additional information regarding the
National Cyber Incident Response Plan and related schema can be found
online at: https://www.us-cert.gov/ncirp.
20. Senator Blumenthal. Mr. Rapuano, Mr. Smith, and Mr. Krebs, in
January, former DHS Secretary Johnson designated election
infrastructure as critical infrastructure. Last month we learned Russia
tried to access voter information in over 20 states, including CT. What
concrete steps have been taken to fortify our election systems? What
will be done differently for the 2018 elections?
Mr. Rapuano. The Department of Defense respectfully defers to the
Department of Homeland Security (DHS) as the Executive Branch entity
with purview over election-related cybersecurity.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. The designation of election infrastructure as a critical
infrastructure subsector in January 2017 by the Department of Homeland
Security (DHS) has formalized the prioritization of assistance from the
Federal Government for state, local, tribal, and territorial
governments, and private sector entities in their efforts to reduce
risks to election infrastructure. Participation with the Federal
Government, as part of this subsector, is voluntary. This dynamic is
consistent with the engagements between the Federal Government and
other previously established critical infrastructure sectors and
subsectors, including the chemical, commercial facilities,
communications, critical manufacturing, dams, defense industrial base,
emergency services, energy, financial services, food and agriculture,
government facilities, healthcare and public health, information
technology, nuclear reactors, material, and waste, transportation
systems, and water and wastewater systems sectors.
This year DHS stood up an Election Task Force (ETF) to improve
coordination with and support to our stakeholders. DHS's National
Protection and Programs Directorate (NPPD) is leading the task force,
which includes personnel from across the Department, as well as
interagency partners.
The ETF focuses efforts on:
Improving communication with election officials in
order to provide understanding and actionable information to assist
them in strengthening the security of their election infrastructure as
it relates to cybersecurity risk.
Ensuring coordination of these activities across the
Department.
Increasing coordination with intelligence community and
law enforcement partners.
Supporting regional efforts to ensure they are
coordinated and provide election officials with the support and
expertise they need.
DHS is committed to improving the effectiveness of information
sharing protocols, both from DHS and among state officials. As the
sector-specific agency, DHS is providing overall coordination guidance
on election infrastructure matters to subsector stakeholders. As part
of this process, the Election Infrastructure Subsector Government
Coordinating Council (GCC) was established. The Election Infrastructure
Subsector GCC is a representative council of federal, state, and local
partners with the mission of focusing on sector-specific strategies and
planning. The GCC structure is established under the department's
authority to provide a forum in which the Government and private sector
entities can jointly engage in a broad spectrum of activities to
support and coordinate critical infrastructure security and resilience
efforts. It is used in each of the critical infrastructure sectors
established under Presidential Policy Directive 21 on Critical
Infrastructure Security and Resilience.
foreign software
21. Senator Blumenthal. Mr. Rapuano and Mr. Krebs, last month, DHS
banned Moscow-affiliated company Kaspersky Labs software products and
services from being used by all government agencies. DHS will give
agencies 90 days to discontinue use of Kaspersky products. Senator
Shaheen worked to include a provision in this year's Senate-passed NDAA
to prohibit the use of Kaspersky products across the Government as
well. What efforts has DOD and DHS taken to identify foreign software
products being used within government agency systems?
Mr. Rapuano. DOD has processes in place to systematically identify
software products being used in its national security systems that
present counterintelligence risk, foreign or domestic. While DOD
remains concerned about software that is developed in a foreign
country, that concern is heightened when a foreign government may have
undue influence on the development of software (e.g., inject or modify
code). Additionally, software is often developed in many places around
the globe and is often based on pre-existing software modules. One of
the major tenets of DOD's Trusted Systems and Networks (TSN) Strategy
and policy (DOD Instruction 5200.44) is the use of all-source
intelligence analysis on critical components of DOD's National Security
Systems. The all-source intelligence analyses, performed by the Defense
Intelligence Agency's Supply Chain Risk Management (SCRM) Threat
Analysis Center, performs a deep analysis into the supply chain of the
sub-components that make up a particular product, including embedded
software. The Joint Federated Assurance Center also coordinates the
sharing of hardware and software testing capabilities to assess for
vulnerabilities in these products. Once a specific threat is
identified, DOD has processes to identify and mitigate the threat posed
by foreign software. DOD queries contract tools (System for Award
Management (SAM); Federal Procurement Data System (FPDS); Electronic
Document Access (EDA); and Wide Area Workflow (WAWF)) to identify where
DOD has procured software of interest. DOD can also initiate scans of
software on networks. DOD is continuing to enhance our capability to
investigate our global supply chain and is currently investigating use
of commercial due-diligence tools to identify strategic alliances
between foreign sources with potential foreign intelligence entity
influence and original equipment manufacturers.
Mr. Krebs. On September 13, 2017, the Acting Secretary of Homeland
Security issued Binding Operational Directive (BOD) 17-01: Removal of
Kaspersky-Branded Products. BOD 17-01 requires federal agencies to
identify and report to the Department of Homeland Security (DHS), by
October 13, 2017, the use or presence of Kaspersky Lab-branded products
on federal information systems. This process has identified the use of
Kaspersky Lab-branded products on some systems at some agencies. Those
agencies either removed the products or are in the process of removing
the products.
+22. Senator Blumenthal. Mr. Rapuano and Mr. Krebs, what threats do
foreign goods present to our cyber security?
Mr. Rapuano. U.S. competitors and adversaries increasingly
participate in the information and communications technology supply
chain, making it increasingly untrustworthy. There are supply chain
threats to our systems at every point of the acquisition lifecycle: an
adversary may maliciously introduce unwanted function or otherwise
subvert the design, integrity, manufacturing, product, distribution,
installation, operation, or maintenance of a system so as to surveil,
deny, disrupt, or otherwise degrade the function, use, or operation of
such capabilities. Adversaries may also exploit vulnerabilities in
systems and those in the Defense Industrial Base (DIB) partners to
obtain DOD information. Once a specific threat is identified, DOD has
processes to identify and mitigate the threat posed by foreign
software. DOD queries contract tools to include System for Award
Management (SAM); Federal Procurement Data System (FPDS); Electronic
Document Access (EDA); and Wide Area Workflow (WAWF) to identify where
DOD has procured software of interest. DOD can also initiate scans of
software on networks. DOD is continuing to enhance our capability to
investigate our global supply chain and is currently investigating use
of commercial due-diligence tools to identify strategic alliances
between foreign sources with potential FIE influence and original
equipment manufacturers.
Mr. Krebs. The globalization of the information technology supply
chain introduces additional risks to product integrity and software and
hardware assurance. Goods which are produced in foreign countries or
domestically within the U.S. have the potential for vulnerabilities;
however there are growing concerns associated with foreign ownership,
control, manipulation, or influence of certain products. It is critical
to understand that the problem is not a simple function of geography.
Products with known cyber vulnerabilities or exploitable weaknesses are
also produced by domestic companies.
23. Senator Blumenthal. Mr. Rapuano and Mr. Krebs, are agencies
using Kaspersky still facing a security concern as they've been given
90 days from the DHS directive to discontinue use?
Mr. Rapuano. DOD is following the principles associated with the
DHS Binding Operational Directive to identify and remove Kaspersky Lab
software. As long as the software is in use on agency networks and
mitigations have not been taken, they are at risk of Kaspersky having
access to files and elevated privileges on computers on which the
software is installed. This information could be used to compromise
federal information and information systems.
Mr. Krebs. On September 13, 2017, the Acting Secretary of Homeland
Security issued Binding Operational Directive (BOD) 17-01: Removal of
Kaspersky-Branded Products. BOD 17-01 requires federal agencies to
identify and report to the Department of Homeland Security (DHS), by
October 13, 2017, the use or presence of Kaspersky Lab-branded products
on federal information systems. This process has identified the use of
Kaspersky Lab-branded products on some systems at some agencies. Those
agencies either removed the products or are in the process of removing
the products.
24. Senator Blumenthal. Mr. Rapuano and Mr. Krebs, what additional
authorities do you need to secure our networks?
Mr. Rapuano. The Department currently assesses that it has all the
authorities it needs from Congress to achieve its missions in
cyberspace. However, DOD constantly evaluates its ability to conduct
these missions, and I will reach out to the Committee should additional
authorities be needed to secure DOD networks.
Mr. Krebs. The Department of Homeland Security (DHS) appreciates
the opportunity to continue its work with Congress to fully authorize
and fund DHS's efforts to safeguard and secure cyberspace, a core
homeland security mission. The National Protection and Programs
Directorate (NPPD) at DHS leads the Nation's efforts to enhance the
security and resilience of our cyber and physical infrastructure. DHS
will continue to work with Congress regarding legislation that would
mature and streamline NPPD's authorities and rename our organization to
clearly reflect our essential mission and role in securing cyberspace,
in a manner that protects privacy and civil liberties. DHS strongly
supports this much-needed effort.
25. Senator Blumenthal. Mr. Rapuano and Mr. Krebs, how are you
ensuring the commercial sector is adequately protecting its networks so
that highly sensitive information linked to DOD is protected?
Mr. Rapuano. With the release of the Binding Operational Directive
(BOD), DHS has encouraged private sector entities and the public to
assess their cybersecurity risk and to take actions they deem
appropriate. DOD has briefed Information Technology Sector and Defense
Industry Base members on the threat associated with Kaspersky's
antivirus products over the past year (prior to the BOD release)
through formal public-private partnerships. In a September 28, 2017,
notice to National Industrial Security Program (NISP) Contractors with
Authorized Information Systems (i.e., classified information systems),
the Defense Security Service (DSS) directed the removal of all
Kaspersky Labs software or hardware from classified information systems
under DSS cognizance.
The DSS uses the National Institute of Standards and Technology
Risk Management Framework (RMF) to oversee the protection of DOD
classified information and technologies. RMF provides companies a
standard and comprehensive structure for managing cybersecurity risks
across their enterprises, enabling them to devise, implement and
monitor security measures to address any identified risks. Industry
networks that process or hold classified information operate under DSS
authority and oversight, use the National Security Agency-approved
encryption, and function independent of the unclassified internet. DSS
continually collects information from U.S. Government organizations,
cleared contractors, and commercial sources on threats to that
information. Those threats may operate directly against the information
system or against unclassified networks that give the adversary
information concerning classified programs it can use to determine,
define, and execute intelligence activities through cyber and human
means.
DOD continues to engage and share information with direct support
contractors on cyber security and supply chain risks. DOD has a range
of activities that include both regulatory and voluntary programs to
improve the collective cybersecurity of the nation and to protect
sensitive DOD information on private sector networks. These activities
include securing DOD's information systems and networks, codifying
cybersecurity responsibilities and procedures for the acquisition
workforce in defense acquisition policy, implementing contractual
requirements through the Defense Federal Acquisition Regulation
Supplement (DFARS), sharing cyber threat information where appropriate
through DOD's voluntary Defense Industrial Base (DIB) Cybersecurity
Program, and leveraging National Institute of Standards and Technology
(NIST) security standards.
In October 2016, DOD updated DFARS Clause 252.204-7012,
Safeguarding Covered Defense Information and Cyber Incident Reporting.
DFARS Clause 252.204-7012, required in all contracts except for
contracts solely for the acquisition of COTS items, requires
contractors to provide ``adequate security'' for covered defense
information that is processed, stored, or transmitted on the
contractor's internal information system or network. To do so, the
clause requires contractors to, at a minimum, implement National
Institute of Standards and Technology (NIST) Special Publication (SP)
800-171, ``Protecting Controlled Unclassified Information in Nonfederal
Information Systems and Organizations,'' not later than December 31,
2017. The clause also requires defense contractors to report to DOD
cyber incidents that affect covered defense information or the
contractor's ability to provide operationally critical support; to
submit malicious software associated with the cyber incident; to
facilitate damage assessment processes; and to flow down the clause to
subcontractors when the contract performance will involve covered
defense information or operationally critical support. Since
publication of the final rule in October of 2016, the Department has
embarked on an extensive outreach effort to inform and assist the
defense industrial base in implementing DFARS Clause 252.204-7012 and
NIST SP 800-171.
Since 2008, DOD has partnered with companies in the Defense
Industrial Base (DIB) through the cyber threat information sharing DIB
Cybersecurity (CS) program. This voluntary program has add steadily
expanded and has matured as a model for public-private cyber
collaboration. The program is codified as a permanent DOD program in 32
Code of Federal Regulations part 236. During fiscal year 2017 the DIB
CS program expanded by 37 percent during with participants now totaling
over 250 companies. DOD's approach to safeguarding DOD and DIB
controlled unclassified information DOD is intended to raise the bar on
cybersecurity in the DIB and better protect unclassified DOD
information residing in or transiting DIB networks or information
systems.
Mr. Krebs. The Department of Homeland Security (DHS) supports and
enables the security and resilience efforts of the commercial sector
through its network protection efforts. Network protection includes
providing organizations with information and technical capabilities
they can use to secure their networks, systems, assets, information,
and data, by reducing vulnerabilities, ensuring resilience to cyber
incidents, and supporting their holistic risk management priorities.
These efforts are carried out by DHS's National Protection and Programs
Directorate, which includes the National Cybersecurity and
Communications Integration Center (NCCIC). The NCCIC operates at the
intersection of the private sector, civilian, law enforcement,
intelligence, and defense communities. DHS also works with government
partners, including the National Institute of Standards and Technology,
to support the adoption of the NIST Framework for Improving Critical
Infrastructure cybersecurity, which is a voluntary, flexible, risk-
based approach an organization can use to manage its cybersecurity
risks.
russian interference with nato troops
26. Senator Blumenthal. Mr. Rapuano, earlier this month, the Wall
Street Journal reported that Russia is targeting NATO troops' personal
smartphones in an effort to intimidate them, as well as glean
operational information. What is being done to protect our
servicemembers and counter Russia's intrusions? What are you doing to
educate our servicemembers?
Mr. Rapuano. The Department of Defense (DOD) is mitigating the risk
of Russian targeting of the personal smartphones of NATO personnel
through a combination of cybersecurity training and procedural
controls. DOD continues to update and disseminate its Identity
Awareness, Management, and Protection Guide to enable service members
to harden their personal devices from any malicious activity, whether
by a nation-state or non-state actor. For Force Protection purposes,
DOD also provides guidance to its personnel on how to protect their
personally identifiable information. Additionally, the DOD continues to
integrate cybersecurity best practices related to personal devices into
its annually required cybersecurity/information assurance refresher
training. Procedurally, DOD continues to enforce and improve procedural
controls for where and how service members utilize their personal
smartphones in and around military sites and facilities. DOD also is
considering a range of options to ensure that we are best postured
against this threat as it evolves.
27. Senator Blumenthal. Mr. Rapuano, while Russia's targeting of
servicemembers for intelligence is not new, personal smartphones
provide significantly more knowledge about a person than was easily
accessible in the past. In what ways are you ensuring this
vulnerability is not having an impact on our efforts in Eastern Europe?
Mr. Rapuano. The Department of Defense (DOD) is mitigating the risk
of Russian targeting of the personal smartphones of NATO personnel
through a combination of cybersecurity training and procedural
controls. DOD continues to update and disseminate its Identity
Awareness, Management, and Protection Guide to enable service members
to harden their personal devices from any malicious activity, whether
by a nation-state or non-state actor. For Force Protection purposes,
DOD also provides guidance to its personnel on how to protect their
personally identifiable information. Additionally, the DOD continues to
integrate cybersecurity best practices related to personal devices into
its annually required cybersecurity/information assurance refresher
training. Procedurally, DOD continues to enforce and improve procedural
controls for where and how service members utilize their personal
smartphones in and around military sites and facilities. DOD also is
considering a range of options to ensure that we are best postured
against this threat as it evolves. The DOD has also emphasized training
for service members regarding social media use; this training includes
education of privacy and security settings as well as operational
security considerations before posting, tagging, etc. to social media
sites.
28. Senator Blumenthal. Mr. Rapuano, what precautions are being
taken to address the risk of a compromised phone being able to collect
information from its surroundings?
Mr. Rapuano. The Department of Defense continues to integrate
personal device cybersecurity best practices within its annually
required cybersecurity/information assurance refresher training.
Procedurally, DOD continues to enforce and improve procedural controls
for where and how service members utilize their personal smartphones in
and around military sites and facilities. This includes the powering
off and secured storage of personal smart phones before entering secure
official work spaces. These procedures are also being evaluated and
considered for other military sites and areas, including official
unclassified work spaces.
__________
Questions Submitted by Senator Tim Kaine
interagency international cyber coordination
29. Senator Kaine. Who is your direct peer at the Department of
State that you consult with regularly or would consult with on
international cyber threats and do you believe it is within U.S.
strategic interests to move the State Department's Cyber Coordinator
office under the Bureau of Economic and Business Affairs, from a
national security standpoint?
Mr. Rapuano. My current counterpart at the State Department is the
Assistant Secretary of State for Economic and Business Affairs. I
believe the State Department plays an indispensable role in promoting
U.S. interests in cyberspace. I would respectfully defer the State
Department about how it can and should be best organized to play this
role.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. The Department of Homeland Security (DHS) works closely
with the Department of State, and other interagency partners, as well
as foreign governments, regional and international organizations, the
private sector and civil society, to foster collaborative efforts to
accomplish national and homeland security objectives and to advance an
open, interoperable, secure, and reliable cyberspace. At the Under
Secretary level, this work is done by the State Department's Under
Secretary for Economic Growth, Energy and Environment. NPPD works
closely with the State Department's Deputy Assistant Secretary for
Cyber and International Communications and Information Policy. DHS
defers to the State Department on how best to organize itself to carry
out its authorities. Regardless of organizational structure, DHS will
continue to work closely with all appropriate offices at the State
Department in order to achieve our mission of safeguarding and securing
cyberspace. The State Department serves a key role in enabling DHS's
international efforts.
30. Senator Kaine. A 2013 Council on Foreign Relations Task Force
report titled Defending an Open, Global, Secure, and Resilient
Internet, written by a bipartisan group of officials, recommended
elevating State Department's Cyber Coordinator position to an Assistant
Secretary position and to be the lead of a cyber bureau. Do you feel
that Economic and Business Affairs is in an appropriate place, with
effective lines of communication with your offices to ensure that you
will have all of State Department's equities with a peer level input
when you consider options to respond to an international cyberattack?
Mr. Rapuano. I believe the State Department plays an indispensable
role in promoting U.S. interests in cyberspace and agree with many of
the recommendations in this report. As stated previously, I
respectfully defer to Secretary Tillerson on matters about how the
State Department can and should be best organized to contribute to U.S.
Government efforts in cyberspace.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. The Department of Homeland Security (DHS) works closely
with the Department of State, and other interagency partners, as well
as foreign governments, regional and international organizations, the
private sector and civil society, to foster collaborative efforts to
accomplish national and homeland security objectives and to advance an
open, interoperable, secure, and reliable cyberspace. At the Under
Secretary level, this work is done by the State Department's Under
Secretary for Economic Growth, Energy and Environment. NPPD works
closely with the State Department's Deputy Assistant Secretary for
Cyber and International Communications and Information Policy. DHS
defers to the State Department on how best to organize itself to carry
out its authorities. Regardless of organizational structure, DHS will
continue to work closely with all appropriate offices at the State
Department in order to achieve our mission of safeguarding and securing
cyberspace. The State Department serves a key role in enabling DHS's
international efforts.
31. Senator Kaine. Do you believe it is more or less in U.S.
national security interests to gain international agreements on cyber
policy compared to when the 2013 Council on Foreign Relations Task
Force report titled Defending an Open, Global, Secure, and Resilient
Internet report was published?
Mr. Rapuano. There has been a marked increase in the number and
severity of disruptive and damaging cyber activities undertaken by
States since the 2013 Council on Foreign Relations report. The May 11,
2017 Executive Order on Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure recognizes that the United States,
as a highly connected nation, depends on a globally secure and
resilient internet. The Executive Order directs the Department of State
to develop an engagement strategy for international cooperation in
cybersecurity. The Department of Defense is working closely with the
Department of State to develop this strategy and I would be happy to
discuss this further when the strategy is completed.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. A secure and resilient cyberspace is essential to
support critical national functions, enable economic prosperity for the
United States, and support American values at home and abroad. Strong
cybersecurity is therefore as key element of homeland security. The
Department of Homeland Security (DHS) carries out its cybersecurity
mission by leading Federal Government efforts to secure its civilian
government information systems; working with the private sector to
enhance critical infrastructure cybersecurity and resilience;
leveraging the Department's law enforcement authorities to prevent,
counter, and disrupt cyber criminals; responding effectively to cyber
incidents; and strengthening the security and reliability of the cyber
ecosystem through research and development. Each of these DHS
cybersecurity missions has an international dimension.
Robust international engagement and collaboration are vital to
accomplish the Department's cybersecurity objectives. Poor
cybersecurity practices in other countries threaten both federal
civilian government information systems and the information systems of
non-federal entities, including the owners and operators of critical
infrastructure. Insecure devices abroad can be leveraged to directly
target networks in the United States. U.S. critical infrastructure is,
in particular, increasingly interconnected and dependent on a global
infrastructure with widely varied cybersecurity practices.
Other nations and international organizations must therefore be key
partners for DHS risk management, network protection, law enforcement,
and research and development efforts. Although DHS recognizes that
international engagement is essential to achieving its cybersecurity
mission, it also understands that this engagement must always be
considered in the context of larger national economic and security
goals and foreign policy objectives. Accordingly, DHS works closely
with the Department of State, other interagency partners, foreign
governments, regional and international organizations, the private
sector, and civil society, to foster collaborative efforts to
accomplish national and homeland security objectives and to advance an
open, interoperable, secure, and reliable cyberspace.
securing information systems
32. Senator Kaine. Secretary Rapuano, can you please describe the
effectiveness of the SharkSeer program and your plans to bolster it
going forward?
Mr. Rapuano. SharkSeer is highly effective at real-time Active
Cyber Defense. It employs advanced near real-time detection, analysis,
and mitigation for both known and unknown threats. This includes strong
detection and mitigation of zero-day malware and advanced persistent
threats (APTs). SharkSeer also includes identification of malicious
attachments and links in any email coming from the public internet to
DOD users. SharkSeer is already deployed across DOD's unclassified
(NIPR), collateral Secret (SIPR), and Top Secret (JWICS) domain
boundaries. Leveraging behavioral-based and cloud technologies,
SharkSeer provides an integrated solution that stops complex or
obfuscated zero-day malware attacks. This includes first order triage
of anomalous network traffic and delivery of quick reaction
capabilities for critical operational needs. By all accounts, SharkSeer
is performing well at desired levels of functionality. The National
Security Agency (NSA) and the Defense Information Systems Agency (DISA)
are partnering on the development and execution of plans to transfer
the SharkSeer Program to DISA under a phased transition plan. Phase I
of the transition was successfully achieved on April 20, 2017 with DISA
assuming operational C2 and execution of 24/7 SharkSeer perimeter
defense operations to include: event triage and malware analysis,
countermeasure analysis, mitigation approval, and operational
reporting. As the operator of the SharkSeer system, DISA should provide
the official evaluation of SharkSeer's effectiveness. Under Phase I of
the transition, NSA continues to operate, maintain, and sustain
SharkSeer systems and infrastructure. The SharkSeer Program is in
sustainment mode pending transfer of the SharkSeer Program to DISA and
DISA defining their Perimeter Defense Strategy. Potential future plans
for this program include its expansion to the intelligence community,
civil, agencies, and mobile device pilots for a comprehensive
coordinated defense.
countering adversaries in the cyber domain
33. Senator Kaine. Do any of you participate in war-gaming
exercises to better anticipate the ideas and concepts our adversaries
may develop for use in the cyber-domain to challenge our national
interests both at home and abroad and can you provide some examples
that your teams have come up with?
Mr. Rapuano. The Department of Defense regularly engages in
wargaming exercises to improve our ability to anticipate the ideas and
concepts our adversaries may develop for use in the cyber-domain to
challenge our national interests both at home and abroad. Such games
typically involve ``red teams'' that attempt to emulate adversary
actions in the context of the scenario at play. These games occur at
all leadership levels of the Department, including within and across
combatant commands, Services and components. The rank and make-up of
participants are determined by the wargame's objectives. Such games are
typically classified, but one example would be the wargame the Chairman
of the Joint Chiefs of Staff, in consultation with the Principal Cyber
Advisor, conducted as directed by section 1646 of the National Defense
Authorization Act for Fiscal Year 2016. A second example is a wargame
conducted at the OSD level in May of 2017 that focused on the cyber
resiliency of the GPS Operational Control System.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. Exercises are a core component of the Department of
Homeland Security's (DHS) efforts to safeguard and secure cyberspace, a
core homeland security mission. DHS conducts or participates in
exercises with our interagency partners, including the Department of
Defense.
DHS's National Cybersecurity and Communications Integration Center
(NCCIC) includes the National Cyber Exercise and Planning Program
(NCEPP). The full portfolio of exercises range from small-scale,
limited scope, discussion-based exercises to large-scale,
internationally scoped, operations-based exercises, such as the
biennial Cyber Storm exercise. In addition to Cyber Storm, DHS is a
full participant in the annual Cyber Guard exercise. Exercises are
designed to assist organizations at all levels, including federal and
non-federal entities, in the development and testing of cybersecurity
prevention, protection, mitigation, and response capabilities.
public-private interaction in cyber response
34. Senator Kaine. Does the Government have a formalized process to
evaluate reports generated in the private sector to utilize within
government, or is that dependent on personal relationships between
public and private officials working in the cyber arena?
Mr. Rapuano. I respectfully defer to my DHS colleague regarding the
details of broader public/private information sharing activities. For
DOD, we maintain a robust information-sharing relationship with the
private sector and in particular the Defense Industrial Base (DIB)
using both formal and informal channels. DOD partners with companies in
the DIB through the DIB Cybersecurity (CS) program, sharing both
classified and unclassified cyber threat information with industry,
including voluntary cyber threat reporting. Additionally, DOD requires
defense contractors to report cyber incidents that affect DOD
controlled unclassified information, or the contractor's ability to
provide operationally critical support. These requirements are
implement through Defense Federal Acquisition Regulation Supplement
(DFARS) Clause 252.204-7012, ``Safeguarding Covered Defense Information
and Cyber Incident Reporting''. DOD's partnerships with the private
sector combined with regulatory activities help DOD and its private
sector partners maintain awareness of the threat environment, track
malicious cyber activity relevant to DOD, and inform efforts to harden
and protect networks, systems, and information. DOD also benefits from
robust information sharing across the Federal Government.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. Collaboration between the public and private sectors is
necessary to successfully safeguard and secure cyberspace. Information
sharing is a key part of the Department of Homeland Security's (DHS)
mission to create shared situational awareness of malicious cyber
activity. The National Protection and Programs Directorate's (NPPD)
National Cybersecurity and Communications Integration Center (NCCIC)
serves as the round the clock operational center that executes the
Department's core cybersecurity and communications mission and, as
such, facilitates multi-directional information sharing between the
Federal Government and the private sector.
There are many formalized processes used to evaluate and share
reports generated in the private sector. These processes vary based on
the type of report. For instance, the NCCIC has formalized processes
for receiving reports of cyber threat indicators, or technical data,
which can be shared broadly with network defenders to assist them with
their efforts. Through coordinated vulnerability disclosure, the NCCIC
regularly receives reports of software vulnerabilities from non-federal
entities. By working with partners to identify, validate, mitigate, and
disclose these vulnerabilities, DHS leverages formalized processes in
its cybersecurity efforts. Finally, the NCCIC has a formalized process
for receiving reports of cyber incidents generated by the private
sector. DHS and interagency partners follow processes laid out in the
National Cyber Incident Response Plan to coordinate our efforts. These
are only a few examples of formalized processes. Many others exist to
enable successful collaboration between the public and private sectors.
35. Senator Kaine. WannaCry was one of the most effective and
timely public private internet attack responses. Was there an
institution in place to facilitate this response for us to replicate
elsewhere in government, or did this rely on personal relationships?
Mr. Rapuano. The response to WannaCry followed the U.S.
Government's existing framework for incident response, with the
Department of Homeland Security functioning as the lead for asset
response and the Federal Bureau of Investigation as the lead for threat
response. DOD was postured to assess and respond to the incident within
DOD and the Defense Industrial Base (for which DOD is the sector
specific agency) as well as to support DHS's and the FBI's efforts. In
addition, the DOD Cyber Crime Center development and distributed cyber
threat products to the DIB.
Mr. Smith did not respond in time for printing. When received,
answer will be retained in committee files.
Mr. Krebs. The WannaCry incident is one of many examples where
sectors have demonstrated a willingness to work closely with the
Department of Homeland Security, a civilian government agency. During
WannaCry, the Department of Homeland Security (DHS) led coordination of
Federal Government incident response efforts by working with partners
in industry, other Federal agencies, state and local governments, and
international partners to share information related to WannaCry
ransomware. In addition to the regular information sharing prior to the
WannaCry ransomware incident, the DHS NCCIC implemented enhanced
coordination procedures after learning of the incident in order to
coordinate incident response actions across the Federal Government.
Through a coordinated federal effort, the NCCIC worked with private
sector critical infrastructure owners and operators to assess exposure
to the vulnerability exploited by WannaCry ransomware and to share
information, including technical data. If requested, NCCIC was also
able to provide technical assistance. Relevant private sector outreach
included Sector-Specific Agencies for the purposes of engaging their
sectors, the information technology sector, the health sector, and
small businesses, among others.
During cyber incidents, the Federal Government's roles and
responsibilities are guided by statutory authority, Presidential Policy
Directive 41, the National Cyber Incident Response Plan, and other
presidential direction. When a cyber incident affects a private entity,
federal agencies undertake three concurrent lines of effort: threat
response, asset response, and intelligence support and related
activities. During significant incidents, the Department of Justice,
acting through the Federal Bureau of Investigation and the National
Cyber Investigative Joint Task Force, is the federal lead agency for
threat response activities; the Department of Homeland Security, acting
through the National Cybersecurity and Communications Integration
Center, is the federal lead agency for asset response activities; and
the Office of the Director of National Intelligence, through the Cyber
Threat Intelligence Integration Center, is the federal lead agency for
intelligence support and related activities. Sector-Specific Agencies
for affected critical infrastructure sectors contribute to the
interagency response effort by leveraging their well-established
relationships within their sector and understanding the potential
business or operational impacts on private sector critical
infrastructure.
36. Senator Kaine. Mr. Krebs, using WannaCry response as an
example, have you found certain sectors or companies less willing to
engage in information sharing with civilian government agencies as
opposed to Intelligence Community or DOD?
Mr. Krebs. The WannaCry incident is one of many examples where
sectors have demonstrated a willingness to work closely with the
Department of Homeland Security, a civilian government agency. During
WannaCry, the Department of Homeland Security (DHS) led coordination of
Federal Government incident response efforts by working with partners
in industry, other Federal agencies, state and local governments, and
international partners to share information related to WannaCry
ransomware. In addition to the regular information sharing prior to the
WannaCry ransomware incident, the DHS NCCIC implemented enhanced
coordination procedures after learning of the incident in order to
coordinate incident response actions across the Federal Government.
Through a coordinated federal effort, the NCCIC worked with private
sector critical infrastructure owners and operators to assess exposure
to the vulnerability exploited by WannaCry ransomware and to share
information, including technical data. If requested, NCCIC was also
able to provide technical assistance. Relevant private sector outreach
included Sector-Specific Agencies for the purposes of engaging their
sectors, the information technology sector, the health sector, and
small businesses, among others.
During cyber incidents, the Federal Government's roles and
responsibilities are guided by statutory authority, Presidential Policy
Directive 41, the National Cyber Incident Response Plan, and other
presidential direction. When a cyber incident affects a private entity,
federal agencies undertake three concurrent lines of effort: threat
response, asset response, and intelligence support and related
activities. During significant incidents, the Department of Justice,
acting through the Federal Bureau of Investigation and the National
Cyber Investigative Joint Task Force, is the federal lead agency for
threat response activities; the Department of Homeland Security, acting
through the National Cybersecurity and Communications Integration
Center, is the federal lead agency for asset response activities; and
the Office of the Director of National Intelligence, through the Cyber
Threat Intelligence Integration Center, is the federal lead agency for
intelligence support and related activities. Sector-Specific Agencies
for affected critical infrastructure sectors contribute to the
interagency response effort by leveraging their well-established
relationships within their sector and understanding the potential
business or operational impacts on private sector critical
infrastructure.
[all]