b"<html>\n<title> - [H.A.S.C. No. 114-112] HEARING ON NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2017 AND OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS BEFORE THE COMMITTEE ON ARMED SERVICES HOUSE OF REPRESENTATIVES ONE HUNDRED FOURTEENTH CONGRESS SECOND SESSION</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n                                     \n \n                         [H.A.S.C. No. 114-112]\n\n                                HEARING\n\n                                   ON\n\n                   NATIONAL DEFENSE AUTHORIZATION ACT\n\n                          FOR FISCAL YEAR 2017\n\n                                  AND\n\n              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS\n\n                               BEFORE THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING\n\n                                   ON\n\n                  FISCAL YEAR 2017 BUDGET REQUEST FOR\n\n                     U.S. CYBER COMMAND: PREPARING\n\n                   FOR OPERATIONS IN THE CYBER DOMAIN\n\n                               __________\n\n                              HEARING HELD\n                             MARCH 16, 2016\n\n                                     \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                     \n  \n\n                                 ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n20-064                         WASHINGTON : 2017\n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES\n\n                  JOE WILSON, South Carolina, Chairman\n\nJOHN KLINE, Minnesota                JAMES R. LANGEVIN, Rhode Island\nBILL SHUSTER, Pennsylvania           JIM COOPER, Tennessee\nDUNCAN HUNTER, California            JOHN GARAMENDI, California\nRICHARD B. NUGENT, Florida           JOAQUIN CASTRO, Texas\nRYAN K. ZINKE, Montana               MARC A. VEASEY, Texas\nTRENT FRANKS, Arizona, Vice Chair    DONALD NORCROSS, New Jersey\nDOUG LAMBORN, Colorado               BRAD ASHFORD, Nebraska\nMO BROOKS, Alabama                   PETE AGUILAR, California\nBRADLEY BYRNE, Alabama\nELISE M. STEFANIK, New York\n                 Kevin Gates, Professional Staff Member\n              Lindsay Kavanaugh, Professional Staff Member\n                          Neve Schadler, Clerk\n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                          \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Ranking Member, Subcommittee on Emerging Threats and \n  Capabilities...................................................     2\nWilson, Hon. Joe, a Representative from South Carolina, Chairman, \n  Subcommittee on Emerging Threats and Capabilities..............     1\n\n                               WITNESSES\n\nRogers, ADM Michael S., USN, Commander, U.S. Cyber Command.......     3\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Rogers, ADM Michael S........................................    28\n    Wilson, Hon. Joe.............................................    27\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Lamborn..................................................    49\n    Mr. Wilson...................................................    49\n    \n    \n    \n    \n    \n    \n FISCAL YEAR 2017 BUDGET REQUEST FOR U.S. CYBER COMMAND: PREPARING FOR \n                     OPERATIONS IN THE CYBER DOMAIN\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n         Subcommittee on Emerging Threats and Capabilities,\n                         Washington, DC, Wednesday, March 16, 2016.\n    The subcommittee met, pursuant to call, at 2:03 p.m., in \nroom 2212, Rayburn House Office Building, Hon. Joe Wilson \n(chairman of the subcommittee) presiding.\n\n  OPENING STATEMENT OF HON. JOE WILSON, A REPRESENTATIVE FROM \nSOUTH CAROLINA, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND \n                          CAPABILITIES\n\n    Mr. Wilson. Ladies and gentlemen, I call this hearing of \nthe Emerging Threats and Capabilities Subcommittee of the House \nArmed Services Committee to order.\n    I am pleased to welcome everyone here today for the hearing \non the fiscal year 2017 budget request of the United States \nCyber Command. Since we last met to talk about the work of \nUSCYBERCOM, the news has been filled with stories that remind \nus of the critical job facing the Department of Defense [DOD], \nfrom the intrusion on the Joint Staff networks to the \ncompromise of personal information of millions of government \npersonnel and their families.\n    Cyber is proving to be both a domain of warfare on its own \nas well as a key enabler for all other domains of war. In \nlooking through this most recent budget request, we should be \nasking ourselves some important questions.\n    Do we have the resources, people, cyber tools and training \nneeded to be effective?\n    Do we have the necessary policies and authorities to \nconduct cyber operations?\n    What areas require additional refinement?\n    Are we deterring potential adversaries and contributing to \nour overall national security?\n    As we tackle these tough questions, I would like to take \nthe opportunity to welcome back as our witness today, Admiral \nMichael Rogers, commander of U.S. Cyber Command.\n    One of the major tests that our Admiral Rogers has to \ncontend with is how to operate in an environment in our \ninteragency, international, and industry partners. I am pleased \nto hear that in a major upcoming exercise entitled Cyber Guard \n2016, personnel from the House administration staff will be \nparticipating. I am especially looking forward to hearing the \nplans for that exercise and how we might also apply its lessons \nin defending the House of Representatives' networks.\n    I would like now to turn to my friend, Ranking Member \nCongressman Jim Langevin from Rhode Island, for any comments he \nwould like to make.\n    [The prepared statement of Mr. Wilson can be found in the \nAppendix on page 27.]\n\n  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM \nRHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS \n                        AND CAPABILITIES\n\n    Mr. Langevin. Well, thank you, Mr. Chairman. I want to \nwelcome Admiral Rogers back before the subcommittee today. It \nis an honor to have you here, Admiral, and appreciate all you \nare doing to protect our Nation's cyberspace and certainly look \nforward to discussing cybersecurity and operational fiscal year \n2017 budget request for U.S. Cyber Command across the \nDepartment.\n    I have been one of the biggest proponents of cybersecurity \nas a critical warfighting domain during my time in Congress. So \nI am pleased to discuss this vital piece of our national \nsecurity here with you today.\n    As we know, cybersecurity and cyber operations are \nparamount in today's world, from defending the DODIN \n[Department of Defense Information Network], to deterring and \ndefending against adversaries, to meeting combatant command \nneeds. Cyber is a key component of all strategies across every \naspect of national defense and security.\n    As such, the total cybersecurity and cyberspace operations \nbudget for the DOD is $6.8 billion for fiscal year 2017 and \nranges from protecting data to operating in the domain.\n    Now, of that investment approximately $505 million is \nrequested for Cyber Command. Now, the funds requested for the \nservice cyber components to mature the command and increase the \ncapacity of cyber mission forces [CMF] make up a substantial \nportion of that request.\n    While we have made tremendous progress in this area, \nsignificant investment over the Future Years Defense Program \nwill still be required. And as the CMF matures we must work to \nsynchronize investments made by services in other agencies.\n    Now today, I look forward to receiving an update on the \nCMF, particularly with regard to the readiness of our service \ncyber components to meet the initial and fully operational \ncapability goal dates for the teams, as well as the challenges \nand risks associated with meeting those mandatory deadlines.\n    We must have the right number of teams, but just as \nimportantly we must also have a ready force that is manned, \ntrained, and equipped to meet the mission.\n    I am particularly pleased that Cyber Command has made \nprogress in measuring readiness. Now, since last year strides \nhave also been made in establishing a persistent training \nenvironment, a necessity for preparedness.\n    Today I hope to hear more about the steps Cyber Command has \ntaken since last year to promote a joint environment with \ncommon standards such as issuing guiding frameworks for \ndoctrine, organization, training, leadership, education, and \npolicy, as well as whether or not capability baselines for \ncyber protection teams have been established to ensure \ninteroperability and aligned investments.\n    With respect to the cyber teams' missions, there is a whole \nhost of policy questions we must address as we continue to \nmature our offensive and defensive capabilities and operations.\n    I believe it is imperative that we understand lessons \nlearned from real world experiences about command and control \nof teams and their various roles in missions, capabilities \nrequired, authorities used, and new authorities that may be \nrequired for more effective operations as well as internal-\nexternal oversight.\n    So finally, Mr. Chairman and Admiral, I look forward to \nhearing about the status of the implementation, acquisition, \nand personnel management authorities that were granted in the \nfiscal year 2016 NDAA [National Defense Authorization Act].\n    So I know it is a lot to cover, Admiral. You have got a lot \non your plate. I appreciate the extraordinary work that you and \nyour team do at Cyber Command or at NSA [National Security \nAgency] are doing to protect our country in cyberspace and \nleverage all the capabilities for the benefit ultimately of our \nwarfighter and our national defense.\n    So with that, thank you again for testifying here today, \nAdmiral Rogers, and thank you for your service to our Nation.\n    And Mr. Chairman, thank you for your attention, your focus \nand your support on this issue especially. And I yield back.\n    Mr. Wilson. Thank you, Congressman Langevin.\n    I am grateful, Admiral Rogers, that your written statement \nhas been submitted for the record. So we ask that you summarize \nyour comments within the 5-minute rule, which is applicable to \nall of us and being well-maintained by Kevin Gates.\n    Admiral Rogers, please begin.\n\nSTATEMENT OF ADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. CYBER \n                            COMMAND\n\n    Admiral Rogers. Before my clock starts, I would like to \nstart with we should be doing this outside given how beautiful \nthe day is. We should be outside.\n    With that, Chairman Wilson, Ranking Member Langevin, \ndistinguished members of the committee, I am pleased to appear \nbefore you today to discuss the opportunities and challenges \nfacing Cyber Command. And I would like to thank you for \nconvening this forum.\n    It is an honor to represent the individuals of this fine \norganization, and I am grateful for and humbled by the \nopportunity to lead this impressive team. I am confident you \nwould be extremely proud of the men and women of Cyber Command \nif you saw their commitment to mission and hard-earned success \non a daily basis as I do.\n    While my written statement goes into greater detail, I \nwould like to briefly highlight the challenges we face in \ntoday's environment and also some of the initiatives the \ncommand is pursuing to meet these challenges.\n    Since I testified last year, U.S. Cyber Command has seen an \nintensification of cyberspace operations by a range of state \nand non-state actors. We have seen a wide range of malicious \ncyber activities aimed against both government and private \nsector targets.\n    At U.S. Cyber Command we focus on foreign actors that pose \na threat to our national interests through cyberspace. At this \ntime nations still present the greatest or gravest threats to \nour Nation's cybersecurity because they alone can commit the \nsignificant resources needed to sustain sophisticated campaigns \nto penetrate in our best-guarded networks.\n    But we continue to also look closely for signs of non-state \nactors making significant improvements in their cyber \ncapabilities. The states we watch most closely remain Russia, \nChina, Iran, and North Korea. The self-proclaimed Islamic State \nis also a concern, although mainly for their use of cyberspace \npropaganda and recruiting.\n    In general, these actors conduct a range of cyber \nactivities to support their state's interest. They steal \nintellectual property, citizens' personal information, and they \nhave intruded into networks ranging from the Joint Staff's \nunclassified network to networks controlling our Nation's \ncritical infrastructure.\n    These threat actors are using cyberspace to shape potential \nfuture operations with a view to limiting our options in the \nevent of a crisis.\n    Despite this challenging environment, Cyber Command \ncontinues to make progress as its emphasis shifts to \noperationalizing the command and sustaining its capabilities.\n    Over the past year we have continued building the \ncapability and capacity of Cyber Command while operating at an \never-increased tempo. We continue to make progress in building \na cyber mission force of the 133 teams that will be built and \nfully operational by 30 September 2018. Today we have 27 teams \nthat are fully operational and 68 that have attained the \ninitial operating capability landmark.\n    And it is also important to note that even as teams that \nare not yet fully operational or have even met our initial \noperational capability, they are contributing to our cyberspace \nefforts with nearly 100 teams or elements of those teams \nconducting cyber operation to include teams that are supporting \nCentral Command's ongoing efforts to degrade, dismantle, and \nultimately defeat ISIL [Islamic State of Iraq and the Levant].\n    Last year I noted we had just established the Joint Force \nHeadquarters [JFHQ] DOD Information Networks, or DODIN. Today I \ncan proudly report that JFHQ-DODIN has made great strides \ntowards its goal of leading the day-to-day security and defense \nof the Department's data and networks.\n    Also as the DOD expands the Joint Information Environment \nwe will have significantly more confidence in the overall \nsecurity and resiliency of our systems. Our operations to \ndefend DOD networks and the Nation's critical infrastructure \nproceed in conjunction with a host of Federal, industry, and \ninternational partners.\n    No single agency or department has the authority, \ninformation, or wisdom to accomplish this mission alone, which \nis why Cyber Command recently updated our understanding with \nboth NSA and the Department of Homeland Security in a cyber \naction plan to chart our collaboration.\n    Our cyber mission forces continue to operate safely and in \na manner that respects the civil liberties and privacies of \nAmerican citizens. Additionally, cyber mission teams and joint \ncyber headquarters are regular participants in the annual \nexercises of the combatant commands.\n    Cyber Command's only annual exercises, as you have \nhighlighted, Cyber Flag and Cyber Guard offer unmatched realism \nas we train with Federal, State, industry, and international \npartners. And while our training is improving we need a \npersistent training environment which the Department is \ncontinuing to develop to gain necessary operational skills and \nto sustain readiness across the force.\n    Cyber Command is also actively contributing to the \nimplementation of the new DOD cyber strategy. Senior leaders at \nthe command are leading or serving on teams charged with \nimplementing the strategies and the initiatives, particularly \nthe lines of effort regarding the training and proficiency of \nthe cyber mission force and the broader cyber workforce across \nthe Department, as well as the integration of cyber effects and \nDOD and cross-agency planning efforts.\n    To help with all of this we needed enhanced acquisition and \nmanpower authorities, and I thank Congress and the President \nfor the authorities granted to Cyber Command in the fiscal year \n2016 National Defense Authorization Act. This represents a \nsignificant augmentation of our ability to provide capabilities \nto our cyber mission teams, as well as our ability to attract \nand retain a skilled cyber workforce.\n    We are now studying how to best implement the Act's \nprovisions and laying the groundwork needed to put them into \neffect while in parallel evolving a formalized synchronization \nframework to operationalize and optimize the employment of \ncyber mission forces.\n    Let me assure the committee that despite the challenging \ncyber environment we operate in, Cyber Command continues to \nmake significant progress, all while simultaneously conducting \ncyber operations against determined adversaries.\n    Additionally, the command has a clear path ahead and is \nactively pursuing new initiatives and authorities to best \nposition the command to address the challenges and \nopportunities that we will undoubtedly confront.\n    With that, thank you again, Mr. Chairman and members of the \ncommittee for convening this forum and inviting me to speak. \nAnd I look forward to your questions.\n    [The prepared statement of Admiral Rogers can be found in \nthe Appendix on page 28.]\n    Mr. Wilson. Thank you very much. And we now will proceed, \nand Mr. Gates will maintain the 5-minute rule on behalf of all \nof us as we rotate.\n    And Admiral, I want to thank you again. It is a challenging \nenvironment. There are gruesomely capable adversaries, but I \njust appreciate your service and your colleagues and however we \ncan back you up.\n    And in regard to that, currently, is the throughput of the \ntraining pipeline a limiting factor in our ability to get cyber \nmission teams up and running? And if so, do you have any \nsuggestions on how to improve that situation?\n    Admiral Rogers. So it is probably the single greatest \nlimiting factor at the moment. It is a little uneven. It \nimpacts more services than others. I would argue at the moment \nit is probably having more impact on the Air Force probably \nthan any other services.\n    In fact, I just met with all of my service component \ncommanders in February. We reviewed where we are in bringing \nthe mission force online. That review highlighted that to meet \ninitial operational capability for the force we will have 91 \npercent of that completed on time. That means 9 percent behind, \nso I have got between now and the end of the year to figure out \nwhat are we going to do to get that 9 percent back online.\n    I have already seen some improvement just in the 6 weeks, \nand I, in fact, have highlighted the results of that review \nwith the service chiefs as well as the chairman and the vice \nchairman. So we are working collectively as a Department to \nmove forward.\n    That review also highlighted that when it comes to full \noperating capability, which is the final milestone, if you \nwill, that is all 133 teams and at full capability by 30 \nSeptember of 2018, that right now we assess as of February in \nthe last review 93 percent of the force will be delivered on \ntime. And we have 7 percent that we have got to get back \nonline. I have got 2 years to do that.\n    I am confident that we are going to be able to do it. And \nas you have said, I would highlight right now training \nthroughput probably the single greatest limiting factor.\n    Mr. Wilson. And is there anything that we can do to help?\n    Admiral Rogers. At the moment I am still working with the \nAir Force in particular. I am not ready to come to you and say \nI need more external help. I want to make sure we have \nexhausted everything that we can do internally.\n    Mr. Wilson. Well, if there has ever been strong bipartisan \nsupport----\n    Admiral Rogers. Yes, sir.\n    Mr. Wilson [continuing]. It is people who are here today \nwho want to back you up.\n    Additionally, could you explain the capabilities \ndevelopment group and give us highlights of their work?\n    Admiral Rogers. So it is a capability that we carved out at \nCyber Command because one of my observations was, and I have \nsaid this to the committee before, I believe fiscal year 2016 \nis a tipping point for us as an organization where we will go \nfrom a focus on developing capacity to a focus on actually \nemploying the capacity that we have been developing over the \nlast 3 years. You see that reflected in the range of both \ndefensive and offensive real world operations that we are doing \nright now.\n    And so part of our capability to do that is generating very \nspecific technical and operational capabilities. And so I felt \nwe needed to carve out a segment of the team that was \npartnering with the private sector, the rest of DOD, other \nelements of the government, as well as NSA about how can we \nbring together those capacities to generate actual outcomes in \ncapacities and capabilities that we can employ with the force.\n    Mr. Wilson. Well, so----\n    Admiral Rogers. So we stood that up.\n    Mr. Wilson. Well, again, thank you for being innovative. \nHow are you addressing new and emerging cybersecurity \nchallenges not directly related to the network like \nvulnerabilities to datalinks, weapons systems, industrial \ncontrol systems, or the Internet of Things?\n    Admiral Rogers. Right. So just a few challenges there with \nthat statement.\n    [Laughter.]\n    Mr. Wilson. And I am glad Congresswoman Stefanik is here \nbecause she understood what I asked.\n    [Laughter.]\n    Admiral Rogers. So what I have tried to do is prioritize. I \nhave said industrial control systems and SCADA [Supervisory \nControl and Data Acquisition] probably is the next big area for \nus because we have got to transition from a focus purely on the \nnetwork structure. We have to retain that but we have got to \nmove into other areas.\n    The other areas that really concern me when I look at the \nproblem set are platforms and systems and getting down to \nindividual data concentrations across the Department. We have \nstarted an effort to look at data concentrations, a focus \nindustrial control systems and SCADA.\n    I would highlight in this regard some great work, for \nexample, that the Guard and Reserve are doing. I highlight \nspecifically out in Washington State the Army National Guard is \nreally doing some interesting work that we are partnering with \nthem on. In fact, the Secretary was just out there to take a \nlook at that about 2 weeks ago.\n    The challenge for now, because I want to set everyone's \nexpectations in a realistic way, I mean, what I have told the \nleadership of the Department is I acknowledge that this is what \nwe have to do, but we have finite capacity.\n    So it is all about I have to prioritize and then we have \ngot to figure out who are the other partners that we have who \ncould bring additional capacity to help us in this fight. And \nwe are in the process of doing that.\n    Mr. Wilson. And for the benefit of me, can you identify \nwhat the Internet of Things means?\n    Admiral Rogers. So increasingly what you are finding is in \nthe production of almost--increasingly everything we--\nrefrigerators, automobiles, your iron. I was looking at an \nInternet-connected iron, for example, just a little while ago. \nIncreasingly those everyday devices that we take for granted in \nthe lives we lead are being connected with each other, designed \nto increase their capability.\n    For example, a refrigerator, would you be interested in a \nconsumer if your refrigerator was able to tell you what your \ncurrent milk load is in the refrigerator and when are you going \nto need to buy more? Could it do that automatically?\n    Could you do upgrades, for example, to systems that you are \nbuying now automatically remotely so that you don't have to \nphysically take that device into a dealer or the manufacturer, \nthey can do it remotely. So increasingly you are finding this \nconnectivity proliferating across almost everything that we are \nbuilding and buying these days.\n    Mr. Wilson. Well, thank you so much.\n    And we now proceed to Congressman Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    Yes, it is a bolder world out there, Admiral, for sure. It \nis just scary, challenging, and fascinating all at once.\n    Well, with respect to cyber mission force issues, policy, \nauthority, and doctrine are paramount to effectively employing \nthe cyber mission force. Yet those key ingredients lag behind \nour talent pool and toolsets.\n    Now, given that the cyber domain is a relatively new \noperating environment and the strategic implications associated \nwith operating in that environment, I understand why policy, \ndoctrine, and authorities have taken time to develop.\n    Now that said, state and non-state actors continue to be \naggressive in this environment, and we must move forward. So \nthis committee must also understand how they are developing and \nbeing formalized so that we can assist where needed and \nobviously conduct oversight of activities.\n    So my question is how are real world events such as the OPM \n[Office of Personnel Management] and Joint Staff incidents and \ncounter-ISIL operations influencing and shaping policy, \nauthorities, and doctrine are required to effectively employ \nour force?\n    Admiral Rogers. So if you take a look at Cyber Command's \nthree mission sets--it is kind of the way I have been doing \nit--so what are the acquisitions and the authorities that we \nrequire to make sure we are able to execute each of those three \nmissions in an effective and efficient manner?\n    So the first mission, defense of the DOD networks, I am \nvery comfortable that we have all the authorities that we need \nand that I can do what I need to do in a timely manner within \nthe Department to defend our networks.\n    The second mission is about our ability to generate \ncapacity and capability to support the combatant commanders \nfrom the defensive to the offensive. That is an area where \nquite frankly we are trying to use our work, which again, I am \nnot going to discuss in any great detail in an unclassified \nsetting, but we are trying to use some of the real world \ninsights that you highlighted several of them, ISIL, the last \nmajor intrusion we dealt with, which is now almost a year ago.\n    We are asking for the authorities we need for that and I \nwould highlight, boy, we are seeing a massive amount of change \nwithin the last 6 months, so I am very comfortable that we have \nidentified the requirements.\n    We have got endorsement for what we need to do and in fact \nI am expecting the last couple of changes we will ask for will \nbe signed out by the end of the month.\n    The one area that I think is still where we still need more \ncollective work, and I need to work on this, too. I don't want \nto make it sound as if I am trying to put anyone else on \nreport. Is how do you apply DOD-generated capacity in the cyber \narena outside the government in the private sector?\n    That is probably the area where I would say we still need \nto do more work. I will be honest. It hasn't been my highest \npriority. As I have told you every time generally when we meet \nI always remind everybody, look, there is such a disconnect \nbetween the requirements of this mission set and where we are \nin capability. It is all about prioritization and making smart \ninvestments.\n    And so I have consciously prioritized along those three \nmissions that I just discussed. So it is the next big area that \nwe really have got to get into.\n    Mr. Langevin. Thank you, Admiral. What does Defense Support \nof Civilian Authorities look like for cyber? And in our current \nframework--is our current framework applicable to the cyber \ndomain?\n    Admiral Rogers. So that is a part of our previous \ndiscussion about this fact. I think it is the area where we \nstill need the most work, as I know you are aware. We have an \nexisting framework, DSCA, Defense Support to Civil Authorities, \nthat we currently have in place that talks about how the \nDepartment will employ its capabilities in support of civil \nauthorities.\n    That structure has been used for decades from tornado and, \nyou know, and hurricane, natural disaster response to a host of \nother capabilities. It does not as currently written explicitly \naddress cyber.\n    So it is one of the areas that we are collectively stepping \nback and asking ourselves, so how does the DSCA construct apply \nto cyber and what is the most effective and efficient way to \nuse it? Because my attitude is, and it is not unique to DSCA, \nlet us start where cyber is very similar to the other \nmechanisms we have already put in place. Don't reinvent the \nwheel every time just because it is cyber.\n    And so we have a framework right now through DSCA for how \nthe Department provides capacity and capability to support \nexternal civil authority. I think it is an area, as again I \nhave said previously though, we have to dig into a little bit \ndeeper about how are we going to do that in the cyber arena?\n    Mr. Langevin. Okay. Maybe to further drill down on this, \nwhat are best practices from capability development to \nleadership development are you seeing from the services? And \nwhat steps are you taking to institutionalize these best \npractices across the services?\n    Admiral Rogers. So I am going to combine that question with \na previous where you asked about, for example, what have you \nlearned from previous events like OPM and the Joint Staff \nintrusion? One, and I will just use this as one example, one of \nour takeaways for our effort on the Joint Staff was we needed \nto do a better job of formalizing a common set of tools, \ndefensive tool capabilities across all the defensive teams that \nwe were creating.\n    And so I went to each of the services and said, so let us \ntalk about what is the best of breed, what are the best of \ncapabilities that we have identified within each service that \nwe can port across the entire enterprise? Let us not spend a \nlot of time and money with everybody independently trying to \ndevelop similar capabilities.\n    So in fact the Air Force has a tool that we were very \nimpressed with, and I am currently working with the services to \nlet us adopt this. This is the standard across the Department. \nWe don't need to do four different funding streams here to go \nafter the same problems sets.\n    We do that with respect to we regularly review training \nstandards and training equivalencies and when Army, for \nexample, has developed some capabilities in terms of the \ndevelopment of training standards where they have come back to \nus and asked that we adopt this, which we have agreed. I have \ntalked about, hey, let us use this across the entire \nDepartment.\n    So we try to do it in a very systematic ongoing way because \nI am a big fan of we have got to be more efficient and, you \nknow, we have got to be faster. And the best way to do that is \nto look across an entire enterprise, both within the Department \nas well as what we are trying to do outside the Department.\n    I won't get into that right now for this question, but I am \nsure you will ask me about that later what we are doing outside \nthe Department to try to do those same kinds of things.\n    Mr. Langevin. Very good. Thank you, Admiral.\n    I yield back, Mr. Chairman.\n    Mr. Wilson. And thank you, Mr. Langevin.\n    We now proceed to Congressman Mo Brooks, of Alabama.\n    Mr. Brooks. Admiral Rogers, how much is the Cyber Command \nrequesting for this year?\n    Admiral Rogers. Slightly over $500 million.\n    Mr. Brooks. How much funding did the Cyber Command receive \nfor fiscal year 2016, the current year?\n    Admiral Rogers. Slightly under $500 million. It was, if my \nmemory is right, $488 million, and the 2017 budget request is \nan approximate 9 percent increase over our 2016 authorization.\n    Mr. Brooks. What was it in fiscal year 2015?\n    Admiral Rogers. I apologize, sir. I don't know it off the \ntop of my head.\n    Mr. Brooks. Do you recall by any chance for fiscal year \n2014?\n    Admiral Rogers. No. I don't. I apologize.\n    Mr. Brooks. My recollection and the reason I was asking \nthis is try to get better information than just my \nrecollection, is that the Cyber Command has had significant \nincreases over the last 3 or 4 years. Would that be a fair \nstatement to the best as you can recall?\n    Admiral Rogers. I would phrase it as our funding has \nincreased in a systematic way over the last few years.\n    Mr. Brooks. The reason I bring this up, and I am not sure \nif you are familiar with it, but America's financial condition \nhas taken a fairly stark turn for the worse.\n    Just to iterate some of the numbers, the Congressional \nBudget Office [CBO] is warning us that in about 6 years we are \ngoing to hit a string of trillion dollar a year deficits until \nsuch time as whatever really bad can happen happens. In my \njudgment it would be a debilitating insolvency and bankruptcy \nof our country.\n    This year the CBO is telling us that our deficit is going \nto be $105 billion worse than last year at $544 billion. In \nterms of our budget, we are right now having some pretty \nintense discussions in Congress about our $1.07 trillion \nbudget. Keep in mind that there is a lot more off-budget \nentitlement programs, debt service, and whatnot.\n    But if you have $1.07 trillion in budgetary items that you \nactually have control over and have to vote on each year, that \nmeans that right now we are being asked to borrow about half of \nwhat we spend, a little bit over 50 percent. Money we don't \nhave; can't afford to pay back once we borrow it.\n    And all this is coming to a head. What efficiency measures \ncan the Cyber Command implement in order to help the taxpayer \nget more bang for the buck for the day when we start seeing \nsizeable cuts across the board in defense and every place else \nsimply because we have run out of money and we have run out of \nborrowing capacity?\n    Admiral Rogers. So we have been doing that since the day \nU.S. Cyber Command was created. It is one of the reasons, for \nexample, why the Department decided to align U.S. Cyber Command \nand NSA very closely. That the idea was don't replicate the \nbillions of dollars of investment that the Nation has made in \ngenerating cyber expertise, for example, at the National \nSecurity Agency.\n    Rather than replicate that scale of investment in U.S. \nCyber Command how can you align them so Cyber Command can take \nadvantage of the investments that have already been made? It \ngoes into the way Cyber Command prioritizes. As I constantly \ntell the team, nobody gets a blank check. Nobody gets a blank \ncheck.\n    Mr. Brooks. Well, if we are improving efficiency normally \nthat means that you are getting more done for the same or less \nor fewer dollars. Why then the request for an increase in \nspending----\n    Admiral Rogers. Because I would argue, sir, look at the \nworld around you.\n    Mr. Brooks. I understand it is a very dangerous place.\n    Admiral Rogers [continuing]. As well. We can't----\n    Mr. Brooks. Okay. Let us assume for a moment then----\n    Admiral Rogers. If I could just finish the thought? Sorry, \nsir.\n    Mr. Brooks. Go ahead.\n    Admiral Rogers. And I, please, don't mean to be rude or----\n    Mr. Brooks. No, that is okay.\n    Admiral Rogers. But just to finish the thought.\n    Mr. Brooks. I get interrupted all the time.\n    [Laughter.]\n    And I apologize for when I interrupt you. Go ahead.\n    Admiral Rogers. This is not a mission set that we are going \nto efficiency our way out of. I just don't believe that that is \nachievable. In no way should you take from that comment, so \nAdmiral, are you telling me that you don't have a \nresponsibility to the citizens of this nation to execute your \nmission in an efficient and effective way? That is not what I \nam saying.\n    But my only point is the investments that we are making in \ncyber reflect the nature of the world we are dealing with from \na threat perspective. Even as we acknowledge that that threat \npicture is occurring in an environment in which resources are \nvery tight. I am the first to acknowledge that.\n    So what I try to do as a commander, what I try to do as a \ncitizen, is make sure that what Cyber Command is doing is \nprioritized, realizing we can't do it all. We try to space \nevents out over a reasonable period of time. That is what I try \nto make sure we do because I think you raise a very valid \nconcern. I am the first to----\n    Mr. Brooks. Okay. I get the argument we have a growing \nthreat matrix therefore we need more funding in order to \nproperly defend against that greater threat.\n    Now, let us assume for the moment that there aren't any \nefficiencies that you can implement that would allow us to have \nthe kind of security we want at current funding. Where do you \nsuggest the money come from in the defense budget in order to \nhelp with Cyber Command?\n    Admiral Rogers. Fortunately, sir, that is not the role that \nI play.\n    Mr. Brooks. I thought I would ask anyway, but I understand.\n    Admiral Rogers. [Laughter.]\n    Mr. Brooks. Thank you, Mr. Chairman. I yield back.\n    Mr. Wilson. And thank you very much, Congressman Brooks.\n    And we now proceed to Congressman Brad Ashford, of \nNebraska.\n    Mr. Ashford. Thank you, Admiral.\n    Admiral Rogers. Sir.\n    Mr. Ashford. And since I have been here it is just amazing \nhow quickly from when we had these discussions when I first met \nyou 8, 14 months ago where we are today is----\n    Admiral Rogers. Right.\n    Mr. Ashford [continuing]. Beyond remarkable. I have a lot \nof questions and I know--well, just training for the moment. Do \nyou see the--and you already have these collaborations with \nacademia and others to help train and increase training \ncapabilities. Do you see an enlargement of that utilizing \nalmost a UARC [University Affiliated Research Center] model? As \nfor an example, I mean, I know where UARC in Nebraska, there is \nMIT's [Massachusetts Institute of Technology's] UARC.\n    Admiral Rogers. Right.\n    Mr. Ashford. They have all these various ones. How do you \nsee--if the mission is training more and more cyber people, is \nthat an avenue to do that?\n    Admiral Rogers. I mean----\n    Mr. Ashford. Or how do you see that happening?\n    Admiral Rogers. I think that is clearly a role. One thing I \ntry and remind people when it comes to training I think one of \nthe important things is we must ensure that the output we \ngenerate is standardized across the entire force.\n    Mr. Ashford. Right.\n    Admiral Rogers. Because if we don't do that, I believe we \nare going to run into challenges when it comes to actually \nemploying that force. So one of the things that I have been \nvery insistent on, even as we partner across the total force in \nDOD and we look at broader partnerships outside the DOD for the \nmission force that we are creating, is that the team standards, \nthe training approaches we take, the certification standards \nthat we put in place, we have got to standardize those.\n    Now, within those standards what I tell the team is, look, \nI am open to what are the options that are out there? And \nclearly academia and the private sector are part of that \nsolution set.\n    To date we have tended to use them more on the capability \nside development, if you will, than we have on the training \nside, although we are doing some things on the training side. \nBut to be honest, I would say to date it has been more on the \ncapability side.\n    Mr. Ashford. What I see in my area, companies like, you \nknow, First Data, Mutual of Omaha, whatever it is, everybody \nhas those kind of corporate presence somewhere in or near their \ndistricts.\n    And then we have STRATCOM [U.S. Strategic Command]. So what \nwe have, for example, in Omaha area is STRATCOM, and numbers of \nemployees at STRATCOM that are contractors, were in the \nmilitary, whatever, with IT [information technology] \nbackgrounds going back and forth either working at STRATCOM or \nto Offutt or coming back into the private sector.\n    And there are just a huge number of these people in varying \ndegrees of capabilities, some younger, some retired. Maybe you \nhave answered this, but how do you organize that? I mean, there \nis a clear force there and a lot of capability. How do you \nbring them and exchange them back and forth? How would that \nwork?\n    Admiral Rogers. So in fact right now one of the things we \nhave started in the last year since our last budget testimony \nto take the idea that you have articulated, which is how do you \nharness the capabilities resonant in the private sector, \nparticularly those people----\n    Mr. Ashford. Right.\n    Admiral Rogers [continuing]. Who either have previous DOD \nexperience----\n    Mr. Ashford. Right.\n    Admiral Rogers [continuing]. And who are now operating in \nthe private sector? So we have created out in Silicon Valley \nwhat we call the United States Cyber Command Point of \nPartnership or Point of Presence.\n    We have tied it into the broader DIUx [Defense Innovation \nUnit Experimental] effort, and what we have done is I put one \nactive individual out there, but then we have identified a team \nof prior military individuals currently working in Silicon \nValley in different companies, and we are asking ourselves can \nwe use this as an incubator for a model that we can employ \nelsewhere?\n    We have done it in Silicon Valley in the last year. I was \njust in Boston at the end of last week. We are going to use \nBoston as our second test case because of the IT capabilities \nthere. And then I am looking to see does this scale into \nothers, Omaha, for example.\n    Mr. Ashford. Yes.\n    Admiral Rogers. There are about five that we have \nidentified that are possibilities for the future.\n    Mr. Ashford. Yes, I mean, I think it is an incredible \nconcept and to me it is amazing how quickly you have \nimplemented this because just a year ago when you were talking \nabout it----\n    Admiral Rogers. Yes, sir.\n    Mr. Ashford [continuing]. This idea and there is just this \nabundance--and I will let it go, Mr. Chairman because I am \nbeing redundant a bit here. But is that it is amazing the \nappetite on the private sector that, you know, these major \ncompanies give us a way to help and then we have got all this \ncapability or whatever. But you do have to have standards \nobviously.\n    Admiral Rogers. Right.\n    Mr. Ashford. And then this whole group of retired or, you \nknow, military personnel at STRATCOM, it is just to harness \nthat. And you are capturing that. It is very exciting, and I \nappreciate your efforts. I think the incubator idea is great, \nCenter of Excellence, whatever you want to call it.\n    Thank you, Mr. Chairman.\n    Admiral Rogers. If I could, just one quick comment? I was \nout in the valley 2 weeks ago talking to the team. It is one of \nthe most energizing--I mean----\n    Mr. Ashford. Yes.\n    Admiral Rogers [continuing]. Watching these men and women \ntalking about how they can take advantage of what they are \ndoing every day with company X, Y, or Z in the valley and how \nthey want to harness their knowledge----\n    Mr. Ashford. Yes.\n    Admiral Rogers [continuing]. And their military experience.\n    Mr. Ashford. And I see that. We meet with these companies \nall the time in Omaha. The first question they have is how can \nwe help----\n    Admiral Rogers. What can I do?\n    Mr. Ashford [continuing]. The military, too? Thank you, Mr. \nChairman.\n    [Laughter.]\n    Mr. Wilson. And then thank you, Congressman Ashford, and it \nis encouraging to see Secretary Carter and the public-private \ncooperation.\n    And speaking of good cooperation, Congressman Doug Lamborn \nall the way from Colorado.\n    Mr. Lamborn. Yes, thank you, Mr. Chairman. And you came all \nthe way from South Carolina.\n    [Laughter.]\n    Mr. Lamborn. Anyway, Admiral, I am going to build on some \nquestions that have already been begun by my colleague, \nRepresentative Ashford, but he was talking about you were \nresponding corporations in the private sector and academia.\n    What are ways of just fostering this private-public \npartnership? If there is anything more you could add to that? \nBecause I know there are folks in Colorado Springs that are \nvery keen on this as well.\n    Admiral Rogers. Yes, sir. So a couple things come to mind. \nWe have created an exercise series, you heard it in my remarks \nand the chair mentioned, that we call Cyber Guard where once a \nyear we pick a problem set. We come up with an exercise \nscenario that crosses the Nation so we can bring together \nentities from across the Nation.\n    We bring together private companies, State, local, and \nFederal actors, Cyber Command and the Department of Defense as \nwell as commercial infrastructure providers, for example, and \nwe outline a problem set.\n    We actually create a notional network that reflects if we \nare modeling for example an attack against the power structure. \nWe actually in partnership with some of the power companies we \ndevelop a network simulation that replicates the network \nassociated with a large utility.\n    We have done this in multiple areas. This exercise scenario \noccurs every June. We ask private companies if you want to \nparticipate we would love to have you. We are up to about 100 \nright now. We just started this in the last 3 years.\n    And I can remember the first one we did we had about three. \nIt is getting to the point now where I am starting to run into \na capacity concern where we have got more interest than there \nis room.\n    In addition, I am also doing this more on the NSA side \nfirst, but the other area that I have tried to highlight \npotentially with the private sector is, is there a way to take \nsome of our DOD workforce, have it spend some time in the \nprivate sector, and then come back to us? And is there a way \nalso to have the private sector spend some time with us?\n    That hasn't been a traditional DOD model. And, boy, it \ncertainly hasn't been the traditional Intelligence Community \nmodel in my other job. But my view is that that is kind of \namong the things that we have got to do for the future. We have \ngot to view this as much more of a broader partnership.\n    One of my takeaways is, I mean, this is just the ultimate \nteam activity. I have never done so much private sector and \ninteragency work in 35 years of military service.\n    Mr. Lamborn. Well, and academia as well.\n    Admiral Rogers. Yes, sir, which is why I was just up at \nHarvard on Thursday when I was up there. I have been to \nCarnegie-Mellon, Berkeley, and Stanford in the last 8 weeks \ntrying to talk to the private sector about, hey, what can we \ndo? I am actually in Colorado Springs in 30 days. Going to \nspend some day out there working on a couple things.\n    Mr. Lamborn. That is wonderful. And I like that idea of \nprivate-public partnership, collaboration, teamwork and maybe \nwith some of our allies. What are your thoughts on working with \nallies, you know, Israel or some of the NATO [North Atlantic \nTreaty Organization] allies?\n    Admiral Rogers. Right. So I won't get into the particulars, \nbut in fact today U.S. Cyber Command is hosting a deterrence \nworkshop with one of our allies that you just mentioned. I am \nnot going to say which one.\n    In addition we are doing partnerships and capabilities \ndevelopment probably with, you know, five or so key nations \nright now, foreign nations. In addition, we are also doing \nthings in a much broader front talking about cyber theory, \ncyber defense across the NATO alliance, and literally with \nnations around the world. It is one of the reasons why I spent \nsome time on the road, you know, internationally.\n    Mr. Lamborn. Lastly, with the limited time I have, let me \nshift gears. Everyone knows the Guard and Reserve make a \nwonderful component of this effort. You can do cyber from \nanywhere. And we find Guard and Reserve all throughout the \ncountry.\n    You can do it anytime. And of course their schedules are, \nyou know, 24/7 as well. Given the wealth of knowledge, \nexperience, and certifications in the Guard and Reserve would \nit be prudent to consider a streamlined accessions process to \nget these specialists onto the job quicker?\n    Admiral Rogers. I don't intellectually disagree. The only \ncomment I would make is in my discussions with the Guard and \nthe Reserve segment when I have asked so do you have issues \nthat I can help with in terms of your ability to assess and \nbring into the force, into the Reserve and Guard Components, \nyou know, the kind of skill sets and the people we need? Is \nthat an issue for you?\n    To date the answer I have heard is, no, quite frankly, we \nhave more people trying to get in than we really have space for \nin some ways. I have not heard the leadership come back to me \nand say no, this is really something that is a major issue. I \nam not trying to pretend it is not. I am just trying to \nhighlight it hasn't when I have asked, bubble it to my level.\n    Each service has taken a slightly different approach for \nhow it integrates Guard and Reserves into the broader \nstructure. Some services are looking at Guard and Reserve as a \ncadre to augment the active side.\n    Other services, if you look at Army, for example, they are \ndoing wholesale investments in building cyber capacity in the \nGuard and Reserve over and above what the cyber mission force \nneeds. And Air Force is actually using Guard and Reserve as \npart of their cyber mission force build.\n    Mr. Lamborn. Yes. That is what General Hyten was telling \nus----\n    Admiral Rogers. Yes, sir.\n    Mr. Lamborn [continuing]. Some of us at the space power \ncaucus the other morning.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Wilson. And thank you very much, Congressman Lamborn.\n    We now proceed to Congressman Jim Cooper of Tennessee.\n    Mr. Cooper. I thank you, Mr. Chairman. Admiral, when a \nCongressman like Mr. Brooks asks you how we could get savings \nfrom the DOD budget, you might want to remind the members of \nthe committee that we have banned the Pentagon from even \nthinking about any possible BRAC [Base Realignment and Closure] \nsavings.\n    It would be illegal even though the Air Force I think has \ntestified that 25 percent of their capacity is redundant \nsurplus. So that is the easy savings that this committee has \nwillfully ignored.\n    I am a little worried that I think on the Secretary's trip \n2 weeks ago to Joint Base McChord, he met some very interesting \npeople there and----\n    Admiral Rogers. Right.\n    Mr. Cooper [continuing]. All the message he received was \nthat it was easier to hire cyber experts before we \nbureaucratized everything. Now there is a requirement that you \ntake a 6- to 9-month course and some of these folks we are \ntrying to recruit could actually teach the course.\n    And they are not going to sit through something like that \njust to get their stripes when they already have all the skills \nthat we are seeking. So I hope that as we seek out these folks \nwe don't discourage them from coming.\n    Admiral Rogers. Can I make a comment on that?\n    Mr. Cooper. Sure.\n    Admiral Rogers. We have created a capability in the regular \nforce that we call our equivalency board, because my concern \nwas, look, we don't want to do a cookie cutter approach, one \nsize fits all, in which we have a formalized process that we \ngive equivalent credit to people based on experience and not \njust, hey, did you go to military course X, Y, or Z?\n    So far I think we have approved almost 500 individuals \nwhere we have just granted credit for equivalent experience.\n    We are in the beginnings of an initial discussion with the \nGuard and the Reserve about couldn't we use the same thought \nprocess on the Guard and Reserve side so we give people \nequivalent credit, if you will, for real life experience so we \ncan be faster and more efficient?\n    Mr. Cooper. I also hope the Guard and Reserve will get up \nto speed on the locational advantages. I was under the \nimpression from a briefing yesterday that one of the top Guard \nefforts in cyber will be located in Arkansas. And I don't \nbelieve you mentioned that on the list of your visits.\n    Admiral Rogers. I didn't, but I am aware of it.\n    Mr. Cooper. And I would think, and I have got nothing \nagainst Arkansas, but it would not be as target-rich an \nenvironment as some other parts of the country. But it is we \nhave got to make sure we are doing the right thing here.\n    Another question is this. If you were in command and it \nturned out in retrospect that during the duration of your \ncommand it had been hacked, and yet you were in charge of that \nthroughout your tenure, you are retired now, what consequence \nshould there be?\n    Admiral Rogers. I don't like speaking in theoreticals, sir. \nWhat I generally tell people is, look, we all should be held \naccountable for our actions. I am the first to acknowledge as a \ncommander I have accountability for the missions. And I don't \nduck that for one minute. I would rather not get into \nhypotheticals.\n    Mr. Cooper. Well, unfortunately, it may not be a \nhypothetical. I am not speaking of your case, but in the case \nof other folks.\n    Admiral Rogers. Well, who knows, sir? It could be at some \npoint in the future----\n    Mr. Cooper. Well----\n    Admiral Rogers [continuing]. Rogers isn't at the job \nanymore and I am the first to acknowledge that.\n    Mr. Cooper. Well, this is an increasing challenge because \nit is hard to know necessarily when you have been hacked or not \nand what the consequences of that----\n    Admiral Rogers. Yes, sir.\n    Mr. Cooper [continuing]. Are. So it is a very ambiguous \narea. Is it currently against the Uniform Code of Military \nJustice to use improper computer hygiene? Like, it is my \nimpression that you can be a commanding officer and lose your \ncommand if you commit adultery, but you can pollute the SIPRNET \n[Secure Internet Protocol Router Network] and it is really not \na legal infraction.\n    Admiral Rogers. I will say we are having an ongoing \ndiscussion about we have a very, as you have highlighted, we \nhave got a very formalized and long practice mechanisms of \naccountability for performance in a lot of other areas.\n    How do we ensure that we do that same approach in cyber, \nbecause one of the concerns that I have, and I have mentioned \nthis to the committee before, is you can have the greatest \ndefensive structure in the world but the individual actions of \nevery individual user that we have can make our ability to \nactually take full advantage of those investments and those \ncapabilities very difficult.\n    And you saw that in the Joint Staff intrusion, for example, \nwhere ultimately we were able to defeat the attempt in almost \n60 other networks simultaneously except in this one particular \nnetwork. The final defense is the user. In this case we had \nusers who clicked on a link that I said what? What would lead \nyou to do this? You know, read this. It doesn't make any sense.\n    And as a result of this, we are spending time, we are \nspending money. We have got mission operational impact here. We \ncan't afford to have this sort of thing. It is one of the \nreasons why the previous vice chairman in particular felt very \nstrongly we have got to create this culture of accountability.\n    So we have created an initiative. We call it DC3I [Defense \nCybersecurity Culture and Compliance Initiative] and U.S. Cyber \nCommand is the lead for the Department, about what are the \nkinds of steps we have to do to create that culture of \naccountability.\n    Mr. Cooper. Thank you. I see my time has expired.\n    Mr. Wilson. Thank you, Congressman Cooper.\n    And now I will proceed to Congresswoman Elise Stefanik, of \nNew York.\n    Ms. Stefanik. Thank you, Chairman Wilson and thank you \nChairman for the great question on the Internet of Things where \nwe are facing unique challenges as mobile devices and household \ndevices become more interconnected. That increases the \nlikelihood of cyber vulnerabilities. So it is a great question \nand I want to continue working with you on that issue.\n    Admiral Rogers, thank you for being here today, and thank \nyou for your service to our country. Through the posture \nhearings from the past few months, we have heard about the \nevolving strategic threats in the cyber realm from a resurgent \nRussia, destabilizing threats from both state and non-state \nactors in the Middle East, and overt provocative cyber activity \ncoming out of the Pacific region.\n    So today I want to focus my questions on the evolutions of \nthese threats and how we maintain the edge on the 21st century \nbattlefield. How confident are you moving forward that our \ncyber capabilities are robust enough to face the threats of the \nfuture on these multiple fronts? And then can you speak \nspecifically to your concerns about adversarial cyber \ncapabilities and your assessment of our own cyber capabilities \nmoving forward?\n    Admiral Rogers. So I feel comfortable with our level of \ncapability. I have yet to run into a threat scenario that we \ndidn't have the expertise to deal with. What concerns me is \ncapacity, how much of it do you have?\n    And as the threats proliferate, our ability to deal with \nhigh-end simultaneous complicated threats. That is probably the \nbiggest limiting factor for right now, which is why generating \nthe mission force is so critical. That gives us that capacity \nas well as the tools and the other investments we are asking \nthe committee and the Nation to support to get us to that \ncapacity.\n    In terms of evolution of the threat as I look into the \nfuture I am going to riff off for just a little and if it \ndoesn't get to your question, ma'am, you please just tell me.\n    As I look at the evolution of the threat what concerns me \nis you are seeing the last 18 months data in massive quantities \nnow in and of itself has a value that previously we would have \nsaid to ourselves, look, this dataset is so large nobody can \nreally do anything with it.\n    OPM, Anthem, those are good examples to us of data now is a \ncommodity that has a value for a variety of purposes, whether \nthat be counterintelligence, whether it be social engineering \nand helping to refine cyber activity, you will see increased \nattacks against big data concentrations is a trend of the \nfuture.\n    You are watching nation-states right now create \nrelationships in many cases with a much broader range of actors \nout there than we traditionally had seen. I think this is in no \nsmall part an attempt to obscure what the real originator and \ndirector of the activity is.\n    It potentially or theoretically makes it more difficult for \nus to go to country X and say, hey, we see this activity going \non. You are doing it. This is unacceptable to us.\n    And their ability to say, it is not us. It is a criminal \ngroup. It is some other actor. You have criminals in the United \nStates, don't you? You don't control all that. We don't control \nall that.\n    So you are watching nation-states create these \npartnerships, I think in no small part to try to obscure our \nability to highlight that their activity. Criminal activity \ncontinues to get more sophisticated. You are going to see a lot \nmore ransomware. You watch over the next year you will see a \nlot more ransomware activity.\n    Ms. Stefanik. So based on the fiscal year 2017 requested \nincrease in funding for cyber capabilities, development, and \noperational support that you noted before, where do you feel \nthe cyber community is assuming risk for readiness?\n    Admiral Rogers. So we are still taking more risk than I \nwould like. You look at individual platforms and weapons \nsystems. Just because of the scale of the investments, because \nliterally you are trying to overcome decades of investment in \nwhich redundancy, reliability, and defensibility against a \ncyber threat were just not core design characteristics.\n    And just as you highlighted in your comment about the \nInternet of Things, this increased connectivity and eternal \nconnections that we developed in our system, not for bad \nreasons. I am not trying to criticize that for one minute.\n    If you are interested in designing--as a naval officer if \nyou are in there interested in designing hull forms for future \nservice combatants, you are interested in understanding how \nhull forms today are responding to different sea states around \nthe world.\n    So you put telemetry and measurement devices and then now \nyou are measuring it remotely. That also represents a potential \nthreat vector now for someone to gain access.\n    So we are literally trying to overcome decades of \ninvestment in a very different threat world. So it is all about \nprioritization, and it is going to take us some measure of time \nto overcome or change that investment strategy.\n    So that would probably be the biggest area in some ways \nwhere you never have all you want. And particularly in this \nmission we are only 6 years old. In May, we will celebrate our \nsixth birthday, so, you know, we are new to this.\n    Ms. Stefanik. Well, as you need those resources it is \nimportant for you to continue telling us on this committee to \nmake sure that we are able to maintain the capabilities for our \ncyber capabilities moving forward. So thank you so much for the \nthoughtful answer.\n    Mr. Wilson. And thank you, Congresswoman Stefanik.\n    We now proceed to Congressman Joaquin Castro, of Texas.\n    Mr. Castro. Thank you, Chairman, and thank you, Admiral \nfor----\n    Admiral Rogers. Sir.\n    Mr. Castro [continuing]. Your testimony here today. I \nrepresent San Antonio, Texas, of course a very big military \ntown, and my district includes Lackland Air Force Base, very \nproudly home of the 24th Air Force.\n    And so I want to ask a question about the cyber operators. \nHave you encountered any issues within the security clearance \nprocess in recruiting cyber operators?\n    Admiral Rogers. I won't say there is none. Nothing that has \nled me to believe we have got a systematic problem that \nrequires fundamental change. We always are looking to see can \nwe accelerate or make this faster.\n    If you have been doing this long enough it is--I just had a \ndiscussion with a brand new hire about a month ago who \nexpressed frustration to me. And I said I know. We are working \nour way through it. I would only tell you that we will make you \nhappy, young man.\n    Boy, compared to where we were 3 years ago, 5 years ago we \nare in a much better place. So it is something we continue to \nlook at, but there is no easy answer here because it is all \nabout that balance.\n    Mr. Castro. Right.\n    Admiral Rogers. You are concerned about threat. On the \nother hand you realize, look, you can't execute the mission \nwithout good people. And you can't get good people in to do the \nwork unless you get them through your system.\n    Mr. Castro. Sure. And you mentioned, you know, the speed of \nprocessing. Do you see a merit in fast-tracking for certain \ncritical positions?\n    Admiral Rogers. There might be for some. There are a \nhandful of--if you look across the cyber mission force there is \nprobably I would argue a handful of skill sets where it is \neither very difficult for us to replicate it in a military \nenvironment, so we look to the civilian sector.\n    Or the skill, the level of knowledge and experience really \nnarrows down the population that is qualified to do the job, so \nto speak. Those might be a couple things worth looking at.\n    Mr. Castro. Sure. And we would love to hear your \nsuggestions, you know, at the appropriate time if you do come \nup with them.\n    Admiral Rogers. Yes, sir.\n    Mr. Castro. So thank you. I yield back, Chairman.\n    Admiral Rogers. And if I could, I am actually going to be \nin San Antonio with the 24th and the 25th Air Force----\n    Mr. Castro. All right.\n    Admiral Rogers [continuing]. In about 10 days, so----\n    Mr. Castro. Well, welcome.\n    Admiral Rogers. Sir.\n    Mr. Wilson. And thank you very much, Congressman Castro, \nand Admiral, thank you for being here today. We had a really \ngood turnout from members of the subcommittee because what you \nare doing is so important for our country and what your \ncolleagues are doing. And however we can be supportive and it \nis obviously, remarkably, incredibly bipartisan.\n    Admiral Rogers. Sir. Thank you.\n    Mr. Wilson. We are now adjourned.\n    [Whereupon, at 2:59 p.m., the subcommittee was adjourned.]\n\n\n      \n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             March 16, 2016\n\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             March 16, 2016\n\n=======================================================================\n\n \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n   \n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             March 16, 2016\n\n=======================================================================\n\n      \n\n                   QUESTIONS SUBMITTED BY MR. WILSON\n\n    Mr. Wilson. What are the most common and consequential types of \ncyber incidents that affect public safety or critical infrastructure \nsecurity in the United States? Do the Department of Defense and \nNational Guard assist with response to domestic cyber incidents that \nthreaten public safety or critical infrastructure security, or do you \nexpect that they will need to do so in the future? If so, how are they \npreparing for these incidents?\n    Admiral Rogers. Consequential cyber incidents affecting the public \nsafety or critical infrastructure security in the United States include \nattacks which degrade or disrupt major functions of the 16 critical \ninfrastructure sectors identified in Presidential Policy Directive 21 \n(PPD-21), Critical Infrastructure Security Resilience. According to \nPPD-21, each sector ``. . . provides the essential services that \nunderpin American society.'' Disruption of any of these services for a \nsignificant period of time would have an impact on public safety. \nPotential cyber incidents include attacks which achieve unauthorized \naccess, destroy data or system function, or result in release of \nsensitive information.\n    The Department of Homeland Security (DHS) is the lead for domestic \nincident response to cyber incidents. If unable to address a cyber \nincident, the DHS may submit a Defense Support to Civil Authority \n(DSCA) request which potentially could task resources through the DOD, \nUSSTRATCOM, and ultimately USCYBERCOM. Currently this scenario is \nviewed as a last resort situation.\n    The National Guard assigned cyber forces are available to support \nany federal response in Title 10 status or State response in either \nState Active Duty (SAD) or when authorized in Title 32 status. Ensuring \nthe National Guard cyber forces are properly manned, trained, and \nequipped for any particular mission set, is key. The DOD, National \nGuard, and DHS have trained to respond to cyber incidences, as part of \na Whole-of-Nation approach, through exercises like CYBER GUARD.\n    Mr. Wilson. To what extent has U.S. Cyber Command collected \nmeasures of performance or measures of effectiveness to demonstrate \nthat the dual-hatted position with the National Security Agency is the \nmost effective and most efficient approach to both agencies missions?\n    Admiral Rogers. USCYBERCOM has focused its assessment efforts on \nevaluating its growing resource requirements, increasing support to the \nGeographic Combatant Commanders' plans, named cyber operations, and the \nDepartment's requirements for information network security. Our \nassessment program reviews and analyzes progress towards achieving \ncampaign plans objectives but has not studied alternative command \nstructures. To date, we have not collected measures of performance or \neffectiveness to demonstrate that the dual-hat approach is the most \neffective and efficient approach. USCYBERCOM is reliant on the National \nSecurity Agency to accomplish large portions of our missions, which \nrequires close and continual technical coordination.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. LAMBORN\n    Mr. Lamborn. Given the rapidly growing demand for CMF training, do \nyou think DOD needs to begin to look at other ways to deliver training, \nincluding through greater influencing courses offered at university, \nand by developing commercial training opportunities?\n    Admiral Rogers. DOD continues to examine the most effective means \nto deliver joint training for the Cyber Mission Force (CMF). CMF \ntraining provided by the Services and the National Security Agency \n(NSA) Cryptologic Training System (CTS) rely on both government and \ncontractor provided training courses. Currently 60% of the NSA offered \ncourses that are on the CMF Training Pipeline are instructed by \ncommercial vendors. We are working with NSA to continue to leverage \ntheir robust academic outreach programs to connect with government \n(e.g., National Defense University, Defense Cyberspace Investigation \nTraining Academy, service academies, war colleges) and universities/\ncolleges.\n    Mr. Lamborn. What standards do CPT personnel have to meet in order \nfor them to be fully qualified cyber defenders? Please provide a copy \nof the standards to the Committee.\n    Admiral Rogers. In accordance with the Cyber Mission Force (CMF) \nTraining Model, Cyber Protection Team (CPT) personnel must meet the \nstandards for individual proficiency contained in the USCYBERCOM Joint \nCyberspace Training and Certification Standards (JCT&CS) and team/force \nproficiency in the Training and Readiness (T&R) Manual in order for \nthem to be fully qualified cyber defenders. The JCT&CS provide the \nspecific knowledge, skill and ability standards for each CMF work role \nat the apprentice, intermediate and expert levels. The T&R Manual \nprovides the development, execution, and assessment of collective \n(squad, team, headquarters) training to support force development and \nreadiness.\n    The CMF Training Model is a phased training process based on \nmission-specific requirements and tasks. Personnel assigned to a CPT \nbegin with a mix of foundation training or Service equivalent training, \nthen move to specialized technical/tradecraft instruction, and \nlocalized individual technical joint qualification record (JQR) and on \nthe job training (OJT), coupled with an intensive staff and collective \ntraining and exercise program to achieve mission readiness. Collective \ntraining activities are an extension of individual proficiency to team \nand unit proficiency. An example of a collective training event for CPT \nTeams is the CYBER GUARD exercise, which is focused on exercising a \nwhole of nation defense of U.S. critical infrastructure from \ndestructive cyber attack.\n    When a CPT member has met their JCT&CS work role specific \nindividual tasks, JQR/OJT, and participated in team collective training \nevent assessed using the T&R manual, they are then considered a fully \nqualified cyber defender.\n    Mr. Lamborn. Who is responsible for training CPTs, and do you \nbelieve the CPTs have enough training to effectively protect our \nnetworks against advanced cyber adversaries like Russia and China? How \ndo you plan to get the CPTs capable of defending against such threats? \nAre the Services doing their part to train the CPTs?\n    Admiral Rogers. The military Services and U.S. Cyber Command, \nworking with the National Security Agency (NSA), are responsible for \ntraining CPTs. No, we do not yet believe CPTs have enough training to \neffectively protect our networks against advanced cyber adversaries. \nHowever, we are making significant progress in maturing and expanding \ntraining to achieve required levels of operational readiness for CPTs.\n    We have a strong program in place for Cyber Mission Force (CMF) \nindividual training and qualification to joint standards for personnel \nassigned to CPTs. Personnel begin with Service-provided training in a \nprimary specialty, and then once assigned to a CPT each person \ncompletes work role-specific training and qualification to rigorous \njoint standards under a system managed by U.S. Cyber Command, working \nwith the National Security Agency's Cryptologic Training System. This \nindividual training process provides the baseline for individual \nproficiency. We continue to mature the individual training process as \nwe grow the CMF and the Services are fully involved in that process and \ndoing their part. The Services are expanding Service-provided training \nto deliver outcomes that meet joint standards for the CPTs.\n    We do not yet have sufficient collective training capacity for CPTs \nbecause we still lack a Persistent Training Environment (PTE) for DOD \ncyberspace forces. CPTs are not groups of trained technicians, but \nmaneuver forces that must operate as a disciplined fighting force to \nperform assigned missions against determined adversaries. That requires \nCPTs conduct collective training in a closed network environment in \nrealistic operational scenarios against an opposing force simulating \nadvanced cyber adversaries. That enables our forces to train as they \nfight. We currently use limited, existing DOD capabilities to conduct \nperiodic collective training and exercises, such as CYBER FLAG and \nCYBER GUARD. However, we don't have sufficient training capability or \ncapacity to train continuously to achieve or sustain the levels of \nrequired readiness for all CPTs. The PTE for cyberspace forces that is \nincluded in the President's FY17 Budget Request is essential to \nproviding the capability needed to train CPTs, along with the entire \nDepartment of Defense cyberspace workforce. The PTE will enable us to \ntrain CPTs to effectively protect our networks against advanced \nadversaries.\n    Beyond training, we are preparing CPTs to address threats by \nleveraging expertise from across the government, including NSA and the \nServices' network defenders that have experience in this area. We are \nbuilding capability to better posture our teams against high level \nmalicious cyber actors through the utilization of incident response \nteams, increased use of intelligence to understand the threat, \nidentification of unique network technology in specialized systems \n(Industrial Control Systems/Supervisory Control and Data Acquisition, \netc.), and by building a more detailed understanding of critical \ninfrastructure and key resource vulnerabilities. Finally, we are \nstrengthening partnerships within government, with allies and the \nprivate sector to train and operate together. We believe that these \ninitiatives, along with training, will ensure the CPTs achieve and \nsustain readiness to defend against such threats.\n    Mr. Lamborn. On a yearly basis, how many hours of live, on-network \ntraining with a realistic cyber-adversary do CPT personnel receive in \norder to ensure they can hone their defensive cyber skills? Do you \nthink this training is sufficient, and if not, how do you plan to \nincrease the amount of realistic training the CPT personnel receive?\n    Admiral Rogers. At this time, it is difficult to quantify the exact \nnumber of live, on-network hours our Cyber Protection Team (CPT) \npersonnel receive on an annual basis as we continue to mature CPT \ntraining/methodologies and work through certifying teams currently in \nthe build phase. USCYBERCOM hosts two major cyber exercises (CYBER \nGUARD and CYBER FLAG) and numerous team-level exercises (CYBER KNIGHT) \neach year, which offer a certain degree of realism against an advanced \ncyber-adversary. In CYBER GUARD and CYBER FLAG, a CPT receives a \nminimum of 60 hours in each exercise of live, on-network training \nagainst a realistic cyber-adversary. Combatant Command Tier 1 level \nexercises provide additional opportunities for training the Cyber \nMission Force (CMF) via red teams emulating advanced adversary tactics, \ntechniques, and procedures (TTPs). The intelligence community works in \ncoordination with the red teams to ensure realistic cyber adversary \nTTPs are utilized and that defenders are exposed to current and future \ncyber adversary TTPs to ensure quality training is continuously \nachieved. The realism these exercises offers is limited, in part \nbecause the teams operate on simulated networks that do not come close \nto approximating the scale and complexity of the Internet.\n    USCYBERCOM recognizes there is currently a capacity issue in terms \nof realistic training opportunities for our CPT personnel, which is why \na Persistent Training Environment (PTE) and all of its elements are \ncritical to the training and readiness of the CMF. The PTE, a \ngeographically distributed, federated system of interconnected \ncapabilities (not just a coalition of cyber training ranges), provides \nan integrated common training capability to deliver individual and \ncollective training outcomes for DOD cyberspace forces to generate and \nsustain force readiness across the full spectrum of operations from the \ntactical to strategic level of conflict. The DOD cyber forces require a \nJoint PTE with sufficient capacity to ensure geographically dispersed \nteams across the total force are fully prepared to conduct current \ncyberspace operations and future scenarios involving cyberspace \noperations consistent with approved plans (e.g., CONPLANs, OPLANs, \netc.).\n    Mr. Lamborn. As the Department moves toward JIE and a government-\nowned, contractor-operated model for its core infrastructure, what is \nthe plan for the thousands of civil service IT professionals currently \nmaintaining this infrastructure? Will they be retrained for assignment \nto a CPT or CMF, and do current legal authorities allow for civilian \nparticipation in these Title 10 activities?\n    Admiral Rogers. A tenant of JIE is to align DOD Component IT \ncapabilities by bringing them together under an enterprise services \nconstruct to leverage economies of scale in terms of IT resources, \nmoney and manpower. Traditionally, DOD Components are responsible for \ndeploying capabilities, as well as manning, training and equipping \ntheir IT workforces to meet mission requirements. Workforce \nefficiencies gained as a result of JIE would be available for DOD \nComponents to repurpose. There may be a need for retraining of duties, \nre-scoping of responsibilities or leveraging existing skills with no \nadditional training required.\n    The Department is in the process of developing and implementing \ninitiatives which could assist the DOD components to identify options \nfor reassigning personnel. The DOD Cyberspace Workforce Framework \n(DCWF) provides descriptions for 54 cyber work roles and was developed \nfrom the National Initiative for Cybersecurity Education, Cybersecurity \nWorkforce Framework, and the USCYBERCOM Joint Cyberspace Training \nCertification Standards (JCT&CS). Additionally, the DCWF contains a \ncross-functional analysis that identifies the knowledge, skill and \nability deviations between each role. Furthermore, CMF training will be \nmore widely available as the Services continue to advance on the \ntraining transition plan. The availability of additional training such \nas CMF training will assist with personnel transitioning from \ntraditional IT and network operations roles into cybersecurity or \ncyberspace effects roles. The CMF would benefit from a workforce \ntrained in network engineering, incident response, and other cyber \ndisciplines. IT professionals' careers may be re-scoped to support \ntasks within the Defend the Nation (DTN), Offensive Cyberspace \nOperations (OCO) and Defensive Cyberspace Operations (DCO) missions. \nDOD civil servants currently serve across the CMF and can, consistent \nwith law and policy, participate in the CMF's Title 10 activities.\n    Additionally, DOD Components may leverage their civil service IT \nprofessionals to support emerging IT initiatives, including protection \nof Industrial Control Systems/Supervisory Control and Data Acquisition \n(ICS/SCADA) and enabling mobility capabilities. Portions of a DOD \nComponents' workforce can be retrained to perform Defensive Cyberspace \nOperations--Internal Defensive Measures (DCO-IDM) actions such as \nCybersecurity Service Provider duties.\n    Some examples of USCYBERCOM's vision for possible manpower \nrealignment:\n    --Retrain and Repurpose within the Combatant Commands, Services and \nAgencies: Support to emerging IT initiatives, including protection of \nIndustrial Control Systems/Supervisory Control and Data Acquisition \n(ICS/SCADA) and enabling mobility capabilities may require a degree of \nretraining. Portions of a Component's workforce can be retrained to \nperform defensive cyberspace actions such as Cybersecurity Service \nProvider duties and augmenting cybersecurity capability readiness.\n    --Retrain and Repurpose of the Cyber Mission Force (CMF): The CMF \ncould benefit from a workforce trained in network engineering, incident \nresponse, and other cyber disciplines. Careers may be re-scoped to \nsupport tasks within the Defend the Nation (DTN), Offensive Cyberspace \nOperations (OCO) and Defensive Cyberspace Operations (DCO) missions.\n    --Migrate to an IT-focused Combat Support Agency (CSA): The Defense \nInformation Systems Agency (DISA) and the National Security Agency \n(NSA) have large roles in architecting, engineering and maintaining JIE \nEnterprise Services. Portions of the workforce formerly operating IT \ncapabilities on behalf of a DOD Component could be leveraged by CSAs to \ncontinue supporting the global DOD Cyber Operations Mission.\n    --Reduction in Force: Personnel who decline to undertake one of the \nabove options could be reassigned into other mission areas, or reduced \nthrough attrition. It is at the discretion of the individual DOD \nComponent to determine how to best undertake this option.\n    The move toward JIE provides an opportunity for the existing IT \nworkforce to retrain, re-scope and realign high-demand low-density \npositions with emerging mission requirements.\n\n                                  [all]\n</pre></body></html>\n"