[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 114-128]
MILITARY CYBER OPERATIONS
__________
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
HEARING HELD
JUNE 22, 2016
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
_____________
U.S. GOVERNMENT PUBLISHING OFFICE
20-795 WASHINGTON : 2017
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON ARMED SERVICES
One Hundred Fourteenth Congress
WILLIAM M. ``MAC'' THORNBERRY, Texas, Chairman
WALTER B. JONES, North Carolina ADAM SMITH, Washington
J. RANDY FORBES, Virginia LORETTA SANCHEZ, California
JEFF MILLER, Florida ROBERT A. BRADY, Pennsylvania
JOE WILSON, South Carolina SUSAN A. DAVIS, California
FRANK A. LoBIONDO, New Jersey JAMES R. LANGEVIN, Rhode Island
ROB BISHOP, Utah RICK LARSEN, Washington
MICHAEL R. TURNER, Ohio JIM COOPER, Tennessee
JOHN KLINE, Minnesota MADELEINE Z. BORDALLO, Guam
MIKE ROGERS, Alabama JOE COURTNEY, Connecticut
TRENT FRANKS, Arizona NIKI TSONGAS, Massachusetts
BILL SHUSTER, Pennsylvania JOHN GARAMENDI, California
K. MICHAEL CONAWAY, Texas HENRY C. ``HANK'' JOHNSON, Jr.,
DOUG LAMBORN, Colorado Georgia
ROBERT J. WITTMAN, Virginia JACKIE SPEIER, California
DUNCAN HUNTER, California JOAQUIN CASTRO, Texas
JOHN FLEMING, Louisiana TAMMY DUCKWORTH, Illinois
MIKE COFFMAN, Colorado SCOTT H. PETERS, California
CHRISTOPHER P. GIBSON, New York MARC A. VEASEY, Texas
VICKY HARTZLER, Missouri TULSI GABBARD, Hawaii
JOSEPH J. HECK, Nevada TIMOTHY J. WALZ, Minnesota
AUSTIN SCOTT, Georgia BETO O'ROURKE, Texas
MO BROOKS, Alabama DONALD NORCROSS, New Jersey
RICHARD B. NUGENT, Florida RUBEN GALLEGO, Arizona
PAUL COOK, California MARK TAKAI, Hawaii
JIM BRIDENSTINE, Oklahoma GWEN GRAHAM, Florida
BRAD R. WENSTRUP, Ohio BRAD ASHFORD, Nebraska
JACKIE WALORSKI, Indiana SETH MOULTON, Massachusetts
BRADLEY BYRNE, Alabama PETE AGUILAR, California
SAM GRAVES, Missouri
RYAN K. ZINKE, Montana
ELISE M. STEFANIK, New York
MARTHA McSALLY, Arizona
STEPHEN KNIGHT, California
THOMAS MacARTHUR, New Jersey
STEVE RUSSELL, Oklahoma
Robert L. Simmons II, Staff Director
Kevin Gates, Professional Staff Member
Lindsay Kavanaugh, Professional Staff Member
Neve Schadler, Clerk
C O N T E N T S
----------
Page
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Smith, Hon. Adam, a Representative from Washington, Ranking
Member, Committee on Armed Services............................ 2
Thornberry, Hon. William M. ``Mac,'' a Representative from Texas,
Chairman, Committee on Armed Services.......................... 1
WITNESSES
Atkin, Thomas, Acting Assistant Secretary of Defense for Homeland
Defense and Global Security, Office of the Secretary of Defense 3
McLaughlin, Lt Gen James K. ``Kevin,'' USAF, Deputy Commander,
U.S. Cyber Command............................................. 4
Moore, Brig Gen Charles L., Jr., USAF, Deputy Director, Global
Operations (J-9), Joint Staff.................................. 6
APPENDIX
Prepared Statements:
Atkin, Thomas, joint with Lt Gen James K. ``Kevin''
McLaughlin and Brig Gen Charles L. Moore, Jr............... 39
Documents Submitted for the Record:
[There were no Questions submitted during the hearing.]
Witness Responses to Questions Asked During the Hearing:
Mr. Ashford.................................................. 57
Mr. Rogers................................................... 57
Mr. Thornberry............................................... 57
Questions Submitted by Members Post Hearing:
Mr. Aguilar.................................................. 64
Mr. Lamborn.................................................. 63
Mr. O'Rourke................................................. 64
Mr. Rogers................................................... 61
.
MILITARY CYBER OPERATIONS
----------
House of Representatives,
Committee on Armed Services,
Washington, DC, Wednesday, June 22, 2016.
The committee met, pursuant to call, at 10:04 a.m., in room
2118, Rayburn House Office Building, Hon. William M. ``Mac''
Thornberry (chairman of the committee) presiding.
OPENING STATEMENT OF HON. WILLIAM M. ``MAC'' THORNBERRY, A
REPRESENTATIVE FROM TEXAS, CHAIRMAN, COMMITTEE ON ARMED
SERVICES
The Chairman. The committee will come to order.
I would like to welcome our witnesses today as the
committee examines military cyber operations.
I note that just about exactly 2 months ago President Obama
confirmed for the first time that the U.S. is conducting cyber
operations against ISIS [Islamic State of Iraq and Syria]. And
as the leadership of the Department of Defense [DOD] was
discussing this, they said it was the first time that Cyber
Command has been given the guidance to go after ISIS. Just like
we have an air campaign, we want to have a cyber campaign.
And some of the press went on to discuss that Secretary
Carter was pushing for U.S. Cyber Command [CYBERCOM] to have
greater freedom to launch attacks and to address tactical cyber
threats against ISIS.
I know this committee remains committed to ensuring that
the Department of Defense's capabilities to fight and win the
country's wars and to be prepared and ready to execute those
missions remain on solid footing regardless of which domain we
are talking about, including the cyber domain.
The Department has been developing the organizations,
capabilities, and personnel needed to operate in cyber since at
least 2010. Billions of dollars have been spent. And yet the
perception--and you all can disagree with this if you think I
am wrong--the perception is the threat is still multiplying
faster and growing faster than at least our laws and
regulations, policies, rules of engagement are developing.
Still, a fundamental question: What is the role of the
military to protect civilian infrastructure in the United
States against cyber attack? I do not suggest we are going to
get the definitive answer to all of those questions today, but
I think that it is important that we discuss not only those but
the tactical use of cyber, which the President talked about and
which the leadership of the Department has talked about. It is
a significant change just in the past few months.
So we will look forward to hearing from our witnesses about
those and other topics, but, first, I would yield to the
distinguished ranking member for any comments he would like to
make.
STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM WASHINGTON,
RANKING MEMBER, COMMITTEE ON ARMED SERVICES
Mr. Smith. Thank you, Mr. Chairman. And I agree with your
comments about both the complexity and the importance of cyber.
And I think the most interesting thing I would like to get out
of this hearing is how is the organization coming together,
because I think that is the major challenge.
It has been quite a few years now since we have recognized
the importance of cyber, and different aspects of our national
security apparatus, in addition to the additional different
aspects of the Department of Defense, have attempted to address
that problem. So we have a lot of people working on it. How
coordinated are they?
I think that is the great challenge, is making sure that we
are getting the most out of the resources that we are putting
into this. Because it is a constantly evolving threat, and it
threatens everything, every aspect. You know, the least little
device can be an entry point to a cyber attack. So how do you
get a comprehensive look at making sure that you control--or
``control'' is a bit of an optimistic statement--have some
measure of understanding of where the threats are and how best
to address them?
So how the various branches of the military and our broader
cyber vulnerabilities--as the chairman mentioned, a lot of
those vulnerabilities exist in the private sector. On the
defense committee, we have had defense contractors who have
been hacked before that have created problems. So how do we
comprehensively address this incredibly complex and ever-
evolving problem? I think that is the great challenge.
And I will say that I very much approved of what Secretary
Carter did, where he had the, you know--I forget what he called
it, but where he basically invited hackers to try to find their
way in and, you know, learned from that. I think that was one
of the best, most cost-effective ways to do it, instead of, you
know, doing some contract out to some company and going through
a complex process. Just take those people out there who are
really good at this and say, ``Come at us. Show us our
vulnerabilities.'' I thought that was a very wise way to learn
a lot in a cost-effective manner.
But, again, the real challenge is having a comprehensive
approach to such an ever-evolving and challenging problem, and
then, as the chairman mentioned, the legalities of it, in terms
of, you know, are our laws and regulations keeping up with it,
to make sure that you and the executive branch have the
authorities that you need to best protect us and, in some
cases, use cyber as an offensive weapon where necessary, that
those legal questions are also very complicated and ones that
we would like to be helpful with if we can.
With that, I will yield back and look forward to the
testimony.
The Chairman. I thank the gentleman.
I also want to mention that, of course, on the front lines
for oversight of this issue, I very much appreciate the
Emerging Threats and Capabilities Subcommittee Chairman Wilson,
Ranking Member Langevin, who work in this area day to day. I
think it is also important, though, for all members to look at
these larger cyber issues, which is why we are doing this
hearing with the full committee today.
Let me welcome our witnesses: Mr. Thomas Atkin, Acting
Assistant Secretary of Defense for Homeland Defense and Global
Security; Lieutenant General Kevin McLaughlin, Deputy
Commander, U.S. Cyber Command; and Brigadier General Charles
Moore, Deputy Director of Global Operations with the Joint
Staff.
Without objection, any written material you would like to
submit will be included in the record.
Thank you all again for being here.
Mr. Atkin, the floor is yours.
STATEMENT OF THOMAS ATKIN, ACTING ASSISTANT SECRETARY OF
DEFENSE FOR HOMELAND DEFENSE AND GLOBAL SECURITY, OFFICE OF THE
SECRETARY OF DEFENSE
Mr. Atkin. Thank you, Chairman Thornberry, Ranking Member
Smith, and members of the committee. I am pleased to testify
today, along with my colleagues Lieutenant General Kevin
McLaughlin and Brigadier General ``Tuna'' Moore, on the
Department's efforts in cyberspace and how we are improving
America's cybersecurity posture. It is an honor to represent
the Department, and I am proud of the progress we have made in
this challenging domain.
The closed hearing this afternoon will go into greater
detail on some of the challenges that we face in cyberspace and
the Department's efforts to address those challenges, but I
wanted to highlight just a few things here this morning.
First, the threat. Today, we face a diverse and persistent
threat in cyberspace from state and non-state actors that
cannot be defeated through the efforts of any single
organization. Our increasingly wired and interconnected world
has brought prosperity and economic gain to the United States.
However, our dependence on these systems also leaves us
vulnerable, and the cyber threats are increasing and evolving,
posing greater risk to the network and systems of the
Department of Defense and other departments and agencies, our
national critical infrastructure, and other U.S. companies and
interests.
While DOD maintains and uses robust and unique cyber
capabilities to defend our networks and the Nation, that alone
is not sufficient. Securing our systems and networks is
everyone's responsibility, from the commander down to the
individual, and this requires a culture of cybersecurity.
More broadly, preventing cyber attacks of significant
consequence against the U.S. homeland requires a whole-of-
government and a whole-of-nation approach. To that end, DOD
works in close collaboration with other Federal departments,
our allies, and the private sector to improve our Nation's
cybersecurity posture and to ensure that DOD has the ability to
operate in any environment at any time.
Since DOD's cyber strategy was signed in April 2015 by
Secretary Carter, the Department has devoted considerable
resources to implementing the goals and objectives outlined
within the document.
When the Secretary signed the document, he directed the
Department to focus its efforts on three primary missions in
cyberspace: one, defend the Department of Defense information
networks to assure our DOD missions; two, defend the United
States against cyber attacks of significant consequence; and,
three, provide full-spectrum cyber options to support
contingency plans and military operations.
Another key part of our strategy is deterrence. DOD is
supporting a comprehensive, whole-of-government cyber
deterrence strategy to deter attacks on the U.S. and our
interests. This strategy depends on the totality of U.S.
actions, to include declaratory policy, overall defensive
posture, effective response procedures, indications and warning
capabilities, and the resiliency of U.S. networks and systems.
I am proud to say that the Department has made important
strides in implementing DOD's cyber strategy since it was
signed in April 2015. My colleagues and I look forward to going
into greater detail on our strategy and the state of the Cyber
Mission Forces as the hearing proceeds, as well as to discuss
how our thinking and incorporation of cyber and operations is
evolving.
The Department is committed to the security and resiliency
of our networks and to defending the U.S. homeland and U.S.
interests from attacks of significant consequence that may
occur in cyberspace. I look forward to working with this
committee and the Congress to ensure that the Department has
the necessary capabilities to keep our country safe and our
forces strong.
I thank you for your support in these efforts, and I look
forward to your questions. Thank you.
[The joint prepared statement of Mr. Atkin, General
McLaughlin, and General Moore can be found in the Appendix on
page 39.]
The Chairman. General McLaughlin.
STATEMENT OF LT GEN JAMES K. ``KEVIN'' McLAUGHLIN, USAF, DEPUTY
COMMANDER, U.S. CYBER COMMAND
General McLaughlin. Chairman Thornberry, Ranking Member
Smith, and distinguished members of the committee, I am honored
to appear before you today representing the men and women of
U.S. Cyber Command. It is my pleasure to do so alongside
Assistant Secretary Thomas Atkin and Brigadier General Charles
Moore, two gentlemen who keenly recognize the opportunities and
challenges the Department faces in the cyber domain.
I would like to focus my opening remarks on U.S. Cyber
Command's ongoing efforts to build capability and capacity in
the cyber mission force. The cyber mission force [CMF], with
unique teams designed to defend DOD information networks,
support combatant commander missions, or defend the Nation's
critical infrastructure, gives U.S. Cyber Command and the
Department a means to apply military capability at scale in
cyberspace.
We recognize that success in accomplishing our assigned
missions is dependent on three factors: the quality of our
people, the effectiveness of their capabilities, and the
proficiency that our people bring to bear in employing these
capabilities.
U.S. Cyber Command's manpower reflects a true total force
effort, encompassing a robust Active Component along with both
National Guard and Reserve forces being fully integrated at all
echelons, from the highest levels at our headquarters down to
our tactical forces that are represented in the cyber mission
force.
As of June 10th of this year, out of a target total of 133
teams that will be part of the cyber mission force, we have 46
teams that are at fully operational capable status and 59 that
are at initial operating capability status. These teams
currently comprise 4,684 total people that we will build to
eventually 6,187 when we finish.
It is important to note that even teams that are not fully
operational are already contributing to our cyberspace efforts
as the command operates on a full-time and global basis. The
Nation and every combatant commander can now call on cyber
mission force teams to bring cyberspace effects in support of
their operations. Such work occurs daily, for instance, in the
fight against ISIL [Islamic State of Iraq and the Levant],
where our teams are conducting cyberspace operations in support
of U.S. Central Command's ongoing efforts to degrade,
dismantle, and ultimately defeat ISIL.
Training the force to be prepared for its varied missions
is imperative. U.S. Cyber Command's annual Cyber Guard
exercise, which concluded last Friday, provides realistic
training in which Federal, State, industry, and international
partners can use their skills against a determined opposition
force.
The response to Cyber Guard from our public and private
partners has been tremendous. Dozens of critical-infrastructure
companies have expressed interest in participating in it.
Exercises like Cyber Guard allow senior policymakers to observe
the types of issues we see in real cyber attacks and helps us
generate a playbook that should save the Federal Government
precious time and stress in responding.
In this year's exercise, U.S. Cyber Command expects to
certify teams, ensuring they have the requisite training and
skills to make an immediate impact in today's fight.
Our command prides itself in being a learning organization.
Exercises like Cyber Guard and our other premier exercise,
Cyber Flag, which is ongoing at this moment, are key lessons-
learned opportunities for us. We also look at everything that
we are learning in the growing set of real-world operations and
collaboration from the private sector, academia, and partner
nations to provide valuable insights to the command and allow
our teams to develop and implement new tactics, techniques, and
procedures.
Although our people are undoubtedly our most important
asset, I would be remiss not to highlight the importance of
specialized tools, infrastructure, and capabilities that the
cyber mission force needs to execute its missions. Ongoing
efforts to develop tools, such as the persistent training
environment [PTE], the unified platform, cyber situational
awareness, and the Joint Information Environment, must be
continued to be resourced. These capabilities are critical in
ensuring our cyber warriors are equipped to counter
sophisticated and dynamic adversaries.
The accelerated pace of technology, innovation, and our
adversaries' changing tactics in cyberspace require well-
trained, well-resourced, and an agile force to perform all
three of the critical missions we perform in support of the
Department and the Nation.
With that, thank you again, Mr. Chairman and members of the
committee, for inviting me to appear before you today. I assure
you that U.S. Cyber Command is committed to the mission of
ensuring the Department of Defense mission assurance, deterring
or defeating strategic threats to our interests and
infrastructure, and achieving joint force commander objectives.
The growing capabilities and capacity of the cyber mission
force is adding to our ability to perform this mission.
The U.S. Cyber Command team appreciates the support of this
committee that it has shown and looks forward to our continuing
partnership with Congress to address the challenges and
opportunities in cyberspace. And I am happy to take your
questions.
Thank you.
[The joint prepared statement of General McLaughlin, Mr.
Atkin, and General Moore can be found in the Appendix on page
39.]
The Chairman. Thank you.
General Moore.
STATEMENT OF BRIG GEN CHARLES L. MOORE, JR., USAF, DEPUTY
DIRECTOR, GLOBAL OPERATIONS (J-9), JOINT STAFF
General Moore. Thank you, Chairman Thornberry, Ranking
Member Smith, and members of the committee. Thank you for the
opportunity to speak on behalf of the Joint Staff in regards to
the Department of Defense's efforts in the cyber domain.
As all of you are aware, the inherent global nature of
cyberspace operations and cyberspace threats causes and creates
numerous challenges for the Department of Defense.
Additionally, our warfighting capabilities are increasingly
reliant on the cyber domain, and it is integral to the
advantages we enjoy in everything from our high-tech weapons
and communications systems to our ability to rapidly deploy
forces around the globe.
Furthermore, trying to keep up with the rate at which
technology is advancing in this rapidly changing environment is
extremely challenging. It is important to note that, while our
adversaries and potential adversaries continue to increase
their capabilities, they also share these challenges.
All of that said, the Department of Defense is making
significant progress, including the continued build of our
cyber mission force, challenging our adversaries' ability to
operate freely in cyberspace, and continuing to improve more
effectively our ability to defend our networks, information,
weapons systems from malicious cyberspace actors.
In regards to building our cyber capabilities, U.S.
STRATCOM [Strategic Command] and U.S. CYBERCOM continue to make
great strides in standing up our cyber mission forces. These
forces are arranged in teams with the objectives to support
combatant command requirements, to defend the Nation against
cyber attack, and to protect our Department of Defense
information networks, information, and weapons systems.
While significant progress in all these areas has been made
in the last year, significant challenges do remain, to include
equipping the force; establishing a persistent training
environment that is responsive to the many layers of required
training; recruiting and retaining a professional cyber force;
and finalizing the command and control structure for the cyber
mission force.
From an operational perspective, CYBERCOM continues to make
great progress as we continue to see significant results from
our counter-ISIL strategy. In this area, CYBERCOM has not only
challenged ISIL, as the President and the Secretary of Defense
have publicly stated, but they have also built on our lessons
learned to date, establishing a solid foundation upon which to
expand the scale and effectiveness of our operations.
From a broader strategic view, our adversaries, who are
always looking for something that can provide them an
asymmetric advantage, find cyberspace appealing due to the low
barriers to entry and the perceived difficulty of attribution.
Because of these threats from both state and non-state actors,
we work vigorously to harden our networks and weapons systems
while educating the total force to create a climate of constant
vigilance.
To strengthen the whole-of-government effort to protect
U.S. interests, particularly U.S. critical infrastructure, the
Department of Defense routinely engages and works with our
interagency partners. The Department also regularly engages
with our international partners, and there is tremendous
interest to expand those cyber relationships.
Finally, as our capabilities continue to grow, we
continually engage all of the combatant commands to ensure
cyber-enabled effects are being considered for incorporation
into their planning processes and to benefit all current and
future operations.
While it is well known that we are actively engaged in
cyberspace against ISIL, we also recognize that there are other
threats in cyberspace that must be planned for and addressed.
The Joint Staff is working closely with U.S. CYBERCOM to
continue to bring cyber-related options to the table for
consideration to support all of our global operations.
As I mentioned, the cyber domain is constantly changing,
and we see malicious cyber actors rapidly developing new
capabilities at a very high rate. The Joint Staff continues to
work closely with CYBERCOM, the combatant commands, OSD [Office
of the Secretary of Defense], and our interagency and
international partners to secure our networks, our information,
weapons systems, and to support combatant command objectives
while we defend the Nation against malicious cyberspace
activities.
Thank you again for the opportunity to appear today. I look
forward to answering any questions that you might have.
[The joint prepared statement of General Moore, Mr. Atkin,
and General McLaughlin can be found in the Appendix on page
39.]
The Chairman. Thank you.
Let me just take a second and remind members that we will
have our quarterly cyber update this afternoon at two o'clock
in this room. It will be classified, of course, but we will be
able to get into greater detail on classified matters at that
time.
Mr. Atkin, the Cyber Command achieved full operational
capability in October 2010. So we are nearly 6 years down the
road. Isn't it time for CYBERCOM to stand on its own as a
combatant command?
Mr. Atkin. I think the short answer to that is yes. We are
continuing to look at that within the Department. The Secretary
has been evaluating whether to recommend to the President to
stand up CYBERCOM as its own unified command. So we are
continuing to look at it, but I think we are getting close to a
decision and we will be getting something to the President here
in the near future.
The Chairman. Well, we are trying to help you along because
section 911 of the defense authorization bill requires that
that be done. And I note that Admiral Rogers has testified that
becoming a combatant command would allow CYBERCOM to be faster,
which would generate better mission outcomes.
I have yet to hear a reason not to do it. And so it seems
to me that we shouldn't stew around about this too long,
because the goal is better outcomes. And if that is what the
result is, we ought to be able to agree and get that done
without a lot of delay.
General McLaughlin, let me ask you, we talked about the
tactical use of cyber that has been publicly talked about by
the President, the Secretary, Deputy Secretary. We obviously
cannot get into the details of that in this forum, but what
would you say are kind of the broader challenges that have been
encountered so far? General Moore mentioned lessons learned.
Kind of at an upper policy level, what have we learned so far
with what we have been doing against ISIS?
General McLaughlin. So I think what we have learned is, as
we describe to you the cyber mission force that is being built
right now, we have learned that the fundamental building blocks
of the forces that are actually supporting combatant commands--
as we stated in our mission, one major focus is bringing cyber
effects to support our combatant commanders. And the war on
ISIL is the first at-scale opportunity to do that in support of
the U.S. Central Command [CENTCOM].
So the first thing that we have learned is to reinforce
that the way we are creating our teams, the expertise within
those teams and how they plug into our command and control
processes, including to the supported command, is working.
The broader challenges we have is this team is still a
young force. As we mentioned, you know, we have quite a few of
them that are at initial operating capability, and so, in many
cases, this is the first actual live opportunity for these
forces to conduct that type of mission. And so the types of
lessons we have learned have been a number of just practical
lessons about improving the ability for us to do that routinely
at scale.
The reason the persistent training environment is so
important is to give teams like those that are supporting the
war on ISIL, you know, more realistic opportunities to do their
work and train in realistic environments prior to actually
doing it in combat. So we sort of knew that intuitively, and
the actual operations have borne out how important that
capability would be.
We have learned how quickly that the Department in general
needs to operate from in terms of if there are any policy or
anything that needs to be done to support sharing, for example,
with partners. And that has happened routinely. So the OSD
staff, for example, sits in our twice-a-week update, you know,
that we do in this area specifically to want to know is there
anything at all that is needed in order to make these
operations more effective. We have learned how important that
broader team is. Some people might not realize how closely
coupled that we are from that perspective.
I think, really, the last is maturity, you know, continuing
to do this. We have learned more in the last several months
since it has been announced publicly that we are supporting
this. It has given us the opportunity to learn and mature, kind
of plow back in the lessons learned in a real circumstance that
it might have taken us several years to learn some of the
things that we are learning, but it is the nature of military
operations.
And, in summary, I would just say I think we believe that
we are on course, the fundamental tenets of what we are doing
are sound, and, you know, our job is to continue to expand
capability and capacity against this enemy. And we will talk
with you about it and give you some practical examples of that
in the closed session later this afternoon.
The Chairman. General Moore, do you have anything to add on
lessons learned or what you see from a Joint Staff perspective?
General Moore. No, sir. I think most of those that I would
add to were touched on by General McLaughlin. I would piggyback
on and say the speed of operations and how we can increase the
speed of those operations, especially at the operational and
tactical level, is something we are very much focused on and is
going to be critical to continue to support overall combat
operations.
We have also applied the lessons, though, that we have
learned from attacks on our own infrastructure and how to
better protect ourselves and how better to train our people to
defend against that.
The Chairman. Okay.
Mr. Smith.
Mr. Smith. Thank you, Mr. Chairman.
Just following up on the raising it to a combatant command
level, which we would like to see happen, what are the
challenges, what are the steps that you see necessary, Mr.
Atkin, to get to that point where you are ready to make that
move?
Mr. Atkin. I think, sir, our biggest challenges are going
to be resources, making sure that CYBERCOM has all the right
resources as they build out the cyber mission force, as we
continue to build out the PTE that General McLaughlin has
already mentioned, the unified platform, et cetera, to make
sure that they can stand alone and operate as a title 10
military force in support of the combatant commanders. I think
that is going to be the key.
Not that we can't do it; it is just a matter of making sure
that we are doing it in a sequenced way to make sure that we
don't hamper or hurt any operations that we have ongoing and
that we continue to gain advantages and do better when we are
conducting these operations.
So I don't think there is any one specific thing that is
stopping us. It is more about how we make sure it is sequenced
to get to the right mission.
Mr. Smith. And what are the coordination challenges there?
Now, there is obviously--we have already coordinated them into
a central cyber structure. It just hasn't been given a
combatant command status.
As you look throughout DOD, obviously there are a lot of
people working on cyber. How do you sort of round all of that
up and get it under one unified combatant command? What are the
challenges going to be into pulling in those pieces and working
with them?
Mr. Atkin. Well, I think part of the challenge is going to
be how we just work internally within the Department. I think
we have a good way ahead under the Principal Cyber Adviser,
which I am, as well as my role as the Acting Assistant
Secretary for Policy. So we work it from both those angles
within the Department internally. Under the Joint Staff and as
a combatant commander, they work very closely with the other
combatant commands to make sure that all the operations are
integrated and coordinated.
And then we in policy also work across the interagency and
across the intelligence community to make sure the operations
are coordinated and the sequence of activities, whether it is
the application resources or training or other operations, are
coordinated.
Mr. Smith. What, if any, role does the NSC [National
Security Council] play in your cyber operations? This is a
subject that has come up in our hearings, you know, the
increasing role of the NSC, over the top of, in some cases, the
Department of Defense. Are they involved in that? If they are
involved, how well do you coordinate and balance what the NSC
might be doing on cyber versus what DOD is doing on cyber?
Mr. Atkin. Well, the NSC is obviously an integral part of
the whole-of-government solution and the whole-of-nation
solution for any of our activities. And so we keep them advised
of the operations that we have ongoing through the interagency
process. And we also, when necessary, we coordinate and get the
President's permission to conduct operations when his
permission is required.
Mr. Smith. Okay.
Thank you, Mr. Chairman.
The Chairman. Yeah, we may want to pursue that a little
further.
Chairman Wilson.
Mr. Wilson. Thank you, Mr. Chairman.
And thank you, Mr. Chairman, for citing the Emerging
Threats and Capabilities Subcommittee. I am very grateful to be
chairman of the committee, with extraordinary staff that have
worked with everyone here: Pete Villano, Kevin Gates, Katie
Sutton, Neve Schadler, and Lindsay Kavanaugh.
And it has also been a remarkable exercise of
bipartisanship working with Jim Langevin. And I am particularly
grateful, there are subcommittee members here who have been so
important. And Elise Stefanik has just been a superstar, coming
to every meeting. And I am just so grateful for our other
members who are here: Doug Lamborn, Sheriff Rich Nugent, Mo
Brooks, Vice Chairman Trent Franks, Duncan Hunter.
But it has just been terrific to work with each of you, it
has been so meaningful, on cyber operations, what can be done,
but the dangers to the American people. And you are trying to
be proactive, and we appreciate that very much.
In fact, General McLaughlin, what are we doing to make
better use of coalition forces and capabilities in the planning
and execution of our cyberspace operations? How are we aligning
our policies, doctrines, and capabilities with our NATO [North
Atlantic Treaty Organization] allies?
General McLaughlin. Mr. Wilson, thank you. And before I
answer your question, we also appreciate the great support from
the subcommittee and agree that the staff supporting that has
been outstanding, and they are very knowledgeable and helpful
as we work together.
The ability to integrate our coalition partners into our
operations at U.S. Cyber Command is critical. We have broad
latitude and authorities that have been granted to us for that
partnership. They are actually primarily today within our Five
Eyes partners. We are working and do communicate with
NATO, but right now our focus has been our Five Eyes partners,
as well as there are some other partners that are really
interested in how they actually create the capacity to have
their versions of Cyber Command and to do, you know, military
cyber operations in countries that are still, I think, at the
verge of trying to decide whether they are going to take the
same steps that we have taken.
---------------------------------------------------------------------------
``Five Eyes'' refers to a five-nation intelligence
alliance involving the United States, United Kingdom, Australia,
Canada, and New Zealand.
---------------------------------------------------------------------------
The types of practical areas where we work today with our
coalition partners--one, some members of the committee,
Congressman Langevin, and the staff were just down at Cyber
Guard down at Suffolk last week. And we have Cyber Flag
occurring now. We have coalition partners in those sessions,
training with our people, learning lessons, creating tactics,
techniques, and procedures jointly, and actually practically
identifying and overcoming any challenges that limit our
ability to work together.
There are key areas where we are doing development of
capability together instead of each of us spending the same
money to accomplish a certain task. For our close partners,
there might be times where we will share a burden or do work
like that together. And then, when directed and when
authorized, if we have operations where we can actually--we
have a partner that can bring a capability or capacity, we are
operating with those partners, with shared objectives
operationally, and conducting operations in a way that each of
our, you know, national capabilities are being used to
accomplish objectives that we share.
So I think it is a robust environment right now. It is
growing. I think you will see more and more countries want to
be part of this partnership. And we will embrace them as they
show interest and as they have the capability to partner.
Mr. Wilson. And we have our long-term allies of NATO, but
it is exciting, new members such as Bulgaria and Slovakia. I
have visited different IT [information technology] centers
there, and so, very talented people who will be very helpful.
Additionally, General, how good is the current training
exercise and certification process in replicating the real-
world challenges using cyber capabilities in tactical
operations?
Cyber Command has recently completed a Cyber Guard 16
exercise. Are there any lessons or highlights from that
exercise that can be applied to our ability to effectively
apply cyber capabilities to tactical operations?
General McLaughlin. Sir, that is also a great question. So
I would really answer you in two ways.
We have the ability--Cyber Guard is a great example--to do
high-fidelity, highly realistic training, where our teams, our
tactical forces, can be immersed in a simulated environment
that looks real to them and have to perform their duties with
an actual opposing force, you know, another group of people
that are acting as if they are the enemy. And they have to
demonstrate that they have the ability to do their job in that
realistic environment. So we can do that, and we are doing it
down in the Suffolk area right now.
The issue that we have is we cannot do that at scale. And
so we have a program we mentioned in my opening comments, the
persistent training environment. That is a focused effort in
the Department of Defense to allow us to actually do that type
of training routinely, every week, every day, so that the men
and women that are on our teams have the ability to do the
level of training that we are doing down in Suffolk right now.
We only do that a few times a year. So our job is to do that
consistently, all the time, like we do in every other domain.
Mr. Wilson. My time is up. Thank you.
Thank you, sir.
The Chairman. Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
And, first of all, Chairman, I want to thank you for your
support and your interest in cyber, as you have continued on
when you were chairman of the Emerging Threats and Capabilities
Subcommittee. And I appreciate the work that you are doing now
at the full committee level, along with the ranking member, Mr.
Smith. And I agree with my chairman on the subcommittee now,
Mr. Wilson, that it has been an exercise in bipartisanship, and
deeply appreciate the work of the staff.
Secretary Atkin, I want to thank you for your testimony
today, along with you, General McLaughlin and General Moore.
Thank you for what you are doing on cyber and, again, being
here today.
General McLaughlin and General Moore, as we have discussed
this morning, the Cyber Guard homeland defense training
exercise just concluded. I was very pleased to be able to
attend that exercise. I very much enjoyed being able to witness
the exercise take place in person. I was very impressed with
what I saw. And I wanted to thank you all for being such great
hosts for that exercise.
Chairman Wilson had asked--not surprisingly, we are on the
same page. I wanted to know what your takeaways were from the
exercise at the highest levels. So anything else you want to
elaborate on lessons learned from the exercise, feel free.
But I also would like to know beyond that what lessons have
been learned with respect to the cyber mission forces executing
operations in a geographic combatant commander's area of
responsibility as they pertain to each mission. And are roles
and responsibilities of involved entities being refined and
solidified, as well as command and control of CMF?
General McLaughlin. Congressman, let me just take both of
your questions.
I think we, on the first question about high-level lessons
learned that we have seen coming out of this year's Cyber
Guard, while the full report will be written in the next few
weeks, we do have some initial, you know, I think, broad
insights that come from it.
One is an increasing understanding of how many of the other
partners--you know, so that, as you mentioned, that is a whole-
of-government and international exercise that simulates some
attack of significant consequence that occurred, you know,
outside of the DOD networks. What has really been interesting
and our lesson is how many players both within our government,
within industry, and within--and I mean broadly, beyond DOD,
within our government--and our coalition partners are coming to
this exercise.
It continues to grow, because it is an opportunity to tease
out not only practical, technical ways for our teams to defend
and respond, but those complex challenges about how different
parts of the Federal Government coordinate in response and how
does that work; how do we work with industry, and you know
better than most the complex issues associated with government
forces actually connecting with industry cyber terrain and how
we should do that most appropriately and most effectively; and
then how we do that at scale with our partners.
So that continues to be a key lesson for us, is the scale
of people that want to participate. And every time we think we
have reached the outer limits of who ought to be there, we
realize there are more players that can or ought to come.
And then the last thing is just to really reinforce the
question, I think, from Mr. Wilson--that is, the need to be
able to train at the level--the men and women that are down at
Cyber Guard are asking us, you know, we really would like to
have this capability routinely. This is great training. It is
the best--most of them say it is the best they have ever had.
And our goal is to let them do the best all the time.
I think your question regarding what have we learned in
terms of how--in our mission of supporting combatant
commanders, are there broad lessons that we have learned and
are we adapting and being innovative: When we built the cyber
mission force and our initial command and control models, we
just started with what we thought would work. And what has been
very interesting and, I think, a positive step is the
Department, often led by General Moore's team down on the Joint
Staff, has continued to lead and ask how do we refine and
change and adapt our command and control processes.
And we have made a number of adjustments in the last 18
months. We will talk this afternoon. We have made changes in
how we command and control and focus our forces just in the
counter-ISIL operations. So we really are learning and changing
a lot. There is no one saying, ``That is the way we have always
done it,'' because the way we have always done it has only been
about, you know, 2 or 3 years. So we are changing as we need
to.
The one thing I think is a key just tenet that all of us
need to understand--and we are seeing this play out in the
support to CENTCOM--cyber capabilities aren't just there to
solve cyber problems. There are adversaries that present
themselves in a variety of ways that we could hold at risk.
They might have a cyber capability that I will use some other
tool or capability to counter, and they may have a non-cyber
capability that we are going to use a cyber tool to counter.
So that is one thing that I think the whole Department is
learning, is that you don't pigeonhole cyber capabilities
against cyber problems, is that we integrate broadly with
CENTCOM, we integrate broadly with combatant commands, and we
bring what is unique that we can offer to their mission, as
opposed to defining problems only as cyber-only. And I think
that has been a key lesson for everybody, and I think it is a
powerful one for the Department.
Mr. Langevin. Thank you, General. Thank you and your team
for the work you are doing. And I was very impressed, like I
said, with what I saw at the Cyber Guard exercise. And I agree
that training, training, training has got to be a key part of
us doing this going forward and seeing that persistent training
environment be maximized and supported in a very robust way.
So thank you, Mr. Chairman. I yield back.
The Chairman. Thank you.
Mr. Lamborn.
Mr. Lamborn. Thank you, Mr. Chairman.
Thank you all for your service to our country in various
capacities.
And I am going to build off of what Representative Langevin
was just asking. This month, in a press interview, NATO
Secretary General Jens Stoltenberg said that a major cyber
attack could trigger a collective response by NATO, including a
response using conventional weapons.
Now, I know that is NATO, not the homeland. But, in this
fast-evolving field, what can you tell us, what are you in a
position to state publicly are the evolving rules of engagement
where something would trigger a cyber response from us or a
kinetic response from us?
Mr. Atkin. Sir, as I have said before, you know, it is a
whole-of-government response, so a cyber attack would not
necessarily mean we have to have a cyber response back to that.
And each of those actions would be evaluated on a case-by-case
basis by the entire interagency and the government.
So we would look at any cyber attack, whether it is against
a combatant commander overseas or here in the homeland, on a
case-by-case basis and determine what the significance of it
was. And then we would use a whole-of-government approach,
whether it is a diplomatic means, economic means, law
enforcement, or military action, to respond to that.
Mr. Lamborn. Okay.
Anything to add to that, Generals?
General McLaughlin. Well, sir, I will say for our mission,
as General Moore mentioned, our job one is defending the DOD
information network. That is ongoing 24 hours a day, 7 days a
week.
We have all the authorities that we need today and are
growing the forces, so any threat that manifests itself--and,
you know, these are short of attacks, you know, formal attacks
or wars, but they occur all the time. And so the authorities we
need within that domain, which is our main defensive mission
set, we have those authorities. And we spend a great deal of
our time day to day managing and responding to a breadth of
those activities.
In our closed session later today, we will give you some
insights into the scale, just the daily size and scope of what
that looks like, and then a specific example of an operation
that we have conducted recently against a very specific threat
so you can see that, you know, a little more fully.
Mr. Lamborn. Okay. Well, thank you. That is reassuring to
me, and I am sure it is reassuring to everyone who might be
listening.
And changing gears, before my time is up, in Israel they
are doing more with collaborating with the private sector and
consolidating everything that they are doing into one location
for synergy.
What do you see as the possibility or the future of
collaborating with the private sector here in the U.S., with
places like Silicon Valley, Seattle, et cetera, to harness the
public-sector creativity and expertise in this area? What do
you see as the future of that?
Mr. Atkin. Sir, I would say, in that regard, the future is
here. We are integrated in with the private sector, I think,
well. And we are going to continue to grow that, whether it is
through the Defense Innovation Unit Experimental [DIUx] out in
Silicon Valley that Secretary Carter stood up, how we leverage
the skills that the National Guard and Reserve forces bring
from their private-sector jobs and we leverage those skills as
integrating those folks into the cyber mission force, or
continuing to work with the private sector in response to cyber
attacks through exercises such as Cyber Guard.
So we are already working with the private sector pretty
well, I think. We are going to get better at that. And we are
leveraging the skills of the National Guard and Reserve folks
as part of the cyber mission force.
Mr. Lamborn. But you don't see anything in the works like
what Israel did, for instance, where there would be an actual
consolidation into one location? That is a much smaller
country, obviously.
Mr. Atkin. I would say that I don't see that, no, sir. I
think we have good coordination and collaboration through the
Department of Homeland Security [DHS], the FBI [Federal Bureau
of Investigation], Department of Justice, as well as the other
sector-specific agencies--Commerce, Treasury, et cetera--with
their sectors. But I don't see us consolidating all those
activities into one location.
Mr. Lamborn. Okay.
Thank you so much, Mr. Chairman. I yield back.
The Chairman. Ms. Gabbard.
Ms. Gabbard. Thank you, Mr. Chairman.
Gentlemen, good morning.
I would like to ask you about defense support to civil
authorities, in particular, I think, the vulnerabilities and
the concern about some type of domestic cyber attack on
critical infrastructure that would threaten public safety.
So I am wondering if you can talk about that but also
specifically answer whether or not the DOD and the National
Guard would assist in responding to that type of attack, as
well as, you know, what actions are being taken to eliminate
those vulnerabilities and to make it so these types of attacks
are not possible.
Mr. Atkin. That is a great question and a great challenge
for our country, is how we protect our critical infrastructure.
We work very, very closely with the Department of Homeland
Security, who is primarily interacting with the critical
infrastructure and have that responsibility, to not only
provide them with information regarding threats but to help
define how we respond as a nation to an attack on the critical
infrastructure.
Where DOD gets involved is an attack of significant
consequence. We have the responsibility to defend against an
attack of significant consequence.
Ms. Gabbard. How do you define ``significant consequence''?
Mr. Atkin. That would be determined by whether loss of
life, physical damage, economic impact, or how it might impact
our foreign policy. So those are some of the factors that we
would evaluate of an attack of significant consequence.
But I was----
Ms. Gabbard. Could I just ask a follow-up to that?
Mr. Atkin. Yes, ma'am.
Ms. Gabbard. As you define loss of life, if there was an
attack on an electrical grid, caused a major power outage,
hospitals no longer able to care for people, and loss of life
in that respect, would that fall under that definition?
Mr. Atkin. I would have to say I am not sure I could answer
a hypothetical like that. I think that the factors of the
impact would certainly be evaluated and determined.
What I would say is, regardless of whether it is an attack
of significant consequence or not, the Department of Homeland
Security would respond. And if they needed assistance from the
Department of Defense, they would ask for that assistance, and
we would respond with assistance through the Department of
Homeland Security to help that critical infrastructure. Part of
that occurred during Cyber Guard, where we exercised that
capability. A request for assistance from the Department, and
we responded.
So the other piece of that is the National Guard, and they
have cyber mission capability. They are being trained to the
same capability as the rest of the title 10 force. And they can
respond under their own State authorities. We recently
completed the coordinate, train, advise, and assist policy
guidance within the Department to allow National Guard troops
to use Department of Defense resources to respond to a cyber
event under State authority. And we are continuing to work
other policies.
I just recently set up a meeting to work with all the
different combatant commands, NORTHCOM [Northern Command], PA-
COM [Pacific Command], Cyber Command, Joint Staff, and our
Office of General Counsel to determine exactly how we are going
to set up our defense support of civil authorities more
holistically. The policy has been in process for a period of
time, and I want to make sure we have senior leadership
attention on it very directly.
Ms. Gabbard. Thank you. I think this is something that,
obviously, we are going to have to continue to discuss and
understanding the differences of whether a state or non-state
actor were to come and launch a traditional type of military
attack on critical infrastructure versus a cyber attack, how
the DOD is involved or not in those situations. You know, given
the types of attacks that we are already seeing from both state
and non-state actors in the cyber world, you know, having
clearly defined roles and responsibilities between DOD and DHS,
I think, is critically important.
Thank you.
The Chairman. I agree.
Ms. Stefanik.
Ms. Stefanik. Thank you, Mr. Chairman.
And thank you to the witnesses for testifying today and for
your leadership on this issue.
I want to focus my questions for the full panel on the
evolution of the cyber threat and how we maintain the edge on a
21st-century battlefield.
The news, as you know, this past year has been filled with
stories about the evolving strategic threats in the cyber realm
from near-peer adversaries like Russia and destabilizing
threats from both state and non-state actors within the Middle
East. Just this week, I read an article that CNN reported that
ISIS has been able to collect information on 77 U.S. and NATO
Air Force facilities around the world.
In March, at a hearing on this subject, I asked Admiral
Rogers how confident he was moving forward that our cyber
capabilities are robust enough to face the threats of the
future on multiple fronts.
Can you speak specifically to your concerns about
adversarial cyber capabilities and your assessment of our own
capabilities in comparison moving forward?
And then the second part of my question is: Given the
unique challenge of prosecuting simultaneous cyber threats from
multiple adversaries, where do you feel the cyber community is
assuming risk for readiness?
General McLaughlin. So, ma'am, within this area--and I can
address that and would also be glad to get into the specifics
on the threat side when we are in the closed session. But,
broadly, you stated it correctly. The threat today is diverse.
It certainly is represented not only by large nation-states
that are very, very capable, to organizations like ISIL or
criminal or hacker organizations. The barrier to entry is not
that high, and the ability to innovate and use technology to
continue to evolve is actually there.
On the Cyber Command side, I think the key thing that we
think is important is focused on people and technology. I will
do technology first.
The ability to have the tools and the capability and sort
of an integrated suite, a defense-in-depth approach across our
whole enterprise, we think, is proving to be very effective.
And the ability to bring new technology--that is one of the
reasons the connection to Silicon Valley and other places is so
important, is we don't field something, like a cyber
capability, that we will use for a decade or a few decades. You
know, we want the latest capability, and as soon as it is not
the latest, we would like to have the next set of technology.
So those tools and capabilities that are throughout the
depth of our network are critical.
The most important part, though, are our people. We have
talked about the persistent training environment, but we
haven't really talked about even the foundational training that
goes into the cyber mission force.
And some people ask why does it take a few years to take an
initial accession and get them to that level, is that we are
training all of our people to a very, very high standard, a
joint standard across the force. Because, in our view, it is in
the minds of our people that are going to allow them to keep up
technologically with what the threat is doing.
We are not just training our folks to operate equipment. We
are training them to understand the domain, the foundational
technologies, the advanced technologies. And, in some cases,
they are adapting the technology that they have right there at
their fingertips in real time to counter our adversary or to
develop tools to do that.
So I think the most important part for us to stay ahead is
making sure that we invest in the people and that they have
those types of skills.
Ms. Stefanik. And on the multiple-fronts portion of the
question, given the fact that there are multiple cyber threats,
whether you consider a near-peer adversary like Russia or non-
state actors in the Middle East, where do you feel the cyber
community is assuming risk to readiness?
General McLaughlin. Well, I think the way I am going to
answer your first question is thinking broadly, assuming risk
to military force readiness broadly. Cyber is a thread through
everything that we do--our platforms, our networks, our own
critical infrastructure within DOD. And we can't defend
everything all the time at the same level.
And so the way that we have approached that, and, to some
degree, broadly with the Department--this is not a decision
Cyber Command on its own makes. But we are given a set of
priorities of the most important combat and military
capabilities that need to be hardened and defended and where
mission assurance is most critical if they were to be attacked,
across a broad front.
And so we don't think about doing that against one threat.
We sort of prioritize the most important things against the
most important threats. And those are the things we think have
to be defended at the highest level. And we would accept risk
if there was an area that was either not as important or
something we felt was lower down the priority, because you just
can't defend all of it to 100 percent all the time.
Ms. Stefanik. Thank you.
Would the other witnesses like to add anything?
Mr. Atkin. On the risk measurement, I would say that we
evaluate the critical infrastructure that is required for the
Department, using our mission assurance strategy and our cyber
strategy combined, to identify those most critical elements of
the infrastructure that we need to protect, and then we
evaluate and prioritize those pieces.
And we are not only protecting them from physical damage,
but now we are also mapping out the key cyber terrain to
understand where the most critical vulnerabilities are.
Ms. Stefanik. Thank you. My time has expired.
The Chairman. Mr. Ashford.
Mr. Ashford. Thank you, Mr. Chairman.
I would also like to second the comments regarding Chairman
Wilson and Ranking Member Langevin for their leadership on
Emerging Threats. It has been a very interesting year and a
half.
I have two topics I would like to cover. One is deterrence
in the cyber world and then, secondarily, the Information
Technology Exchange Program and how you see that evolving. I
probably could start with General McLaughlin on deterrence.
When we are dealing with what the public generally thinks
about in the deterrence area, we are talking about nuclear
weapons. In this case, we are dealing with cyber. We know to a
certain extent how many nuclear weapons are out there. We can
identify specifically the threat. And we have decades of
experience in dealing with deterrence as it relates to nuclear
weapons and other matters regarding deterrence.
In cyber, where we have 80,000 or so attacks a year, it is
hard to identify where they are coming from and who has the
capabilities at any given time. It is very dynamic, and you
have talked about that. Could you just kind of define for me
what deterrence means in the cyber world and how that is
evolving?
Or Mr. Atkin.
Mr. Atkin. I will go ahead and jump on that a little bit.
So, from a cyber perspective, as we have mentioned before,
a cyber attack doesn't always mean a cyber response.
Attribution is key. And that is probably the greatest challenge
in any cyber attack, is attributing it to either a state actor
or a non-state actor.
We look at it as we want to make sure that, from a
deterrence policy, it is declaratory, that everybody
understands exactly where we stand and that we are able to
impose cost.
So the first part of any deterrence policy and our
deterrence policy is denial. We want to make sure we deny the
adversary the opportunity to achieve the effects they are
trying to achieve, and that is by developing and having good
cybersecurity.
The next piece we want to be able to do is have a very
resilient system. And so we want to build the systems to be
resilient. And if they are attacked, as General McLaughlin has
already said, we can't protect everything all the time, but if
they are attacked, that they will be able to be recovered and
be resilient and back on line again, denying the adversary the
goals they are trying to achieve.
And then the third step of our deterrence policy is to
impose cost. And that cost, whether it is diplomatic, law
enforcement, economic sanctions, or military actions, to
include cyber response, those are part of the deterrence policy
that we would use to respond or to signal to a state or a non-
state actor.
Mr. Ashford. General.
General McLaughlin. Sir, just in accordance with the
direction we received from OSD, even in the--Mr. Atkin
mentioned the Secretary signed our new DOD cyber strategy.
Within that was direction for us to actually take steps to meet
those three goals.
And our primary effort has really been all the defensive
activity, the work we do to make our networks more resilient
and to make it to where an adversary couldn't achieve their
goals that they might try to achieve by attacking our cyber
infrastructure. Many people don't think deterrence involves
that, but it has really been the anchor of what we are doing,
that we have been ordered to do and we are accomplishing within
Cyber Command.
The imposed-cost piece as just part of that force we have
is aimed at bringing options to bear that would be there for
the Secretary and the President, if that was directed.
Mr. Ashford. Thank you.
Could I just ask a question about the Information
Technology Exchange Program? I believe in the NDAA [National
Defense Authorization Act] we expanded that program a bit and
added more slots.
Is that program--so take, for example, the Sony case, where
there were issues in the Sony technology that made it easier or
less difficult to attack the Sony technology, whether it is the
silos of their various businesses within Sony or whatever it
is. So there are issues in the private sector that are
different from in the DOD sector and Federal sector. And they
are diverse, and it depends on the industry, and it depends on
what they do.
So is the purpose of the Information Technology Exchange
Program to help to put in place people into the private sector
directly to help them to deal with those threats?
And then, vice versa, if there is somebody in the private--
as I understand it, this is what this is. So if in the private
sector we have someone who is really exemplary or proficient in
a particular aspect of cybersecurity, that we can bring those
people in on a temporary basis to address those issues that we
see. Is that essentially what we are doing here?
Mr. Atkin.
Mr. Atkin. Sir, I will have to take that one for the
record. I am not as familiar with that program.
[The information referred to can be found in the Appendix
on page 57.]
Mr. Ashford. But, okay, aside from that program then, are
there other strategies that are in place to allow us to bring
experts in the private sector into the military on a temporary
basis and vice versa? Is that part of what we are doing? Maybe
I misunderstood the program.
Mr. Atkin. I am not--as far as actually bringing someone
from the private sector into being a member of the military, I
am not familiar with that program at this time. I know that the
Secretary has talked about that as part of the force of the
future, some of the changes. So I know that is something that
he is beginning to talk about as we move forward.
What I would say is that we try to leverage the skills from
the private sector through our National Guard and Reserve
forces, as we mentioned earlier, and leverage those skills that
they gain in the private sector. And we also do things like the
bug bounty, where we actually have hackers come in and take a
look at our DOD systems and see if they can hack those systems.
So there are different ways we are trying to leverage the
private sector and the skills that the private sector has to
improve our own cybersecurity.
Mr. Ashford. Thank you.
General.
General Moore. Sir, if you are referring to the
Cybersecurity Information Sharing Act--I think that is what you
are referring to----
Mr. Ashford. Right.
General Moore [continuing]. That the Congress recently
passed, that has gone a long way towards helping the Federal
Government share threat information with industry and vice
versa.
The two main benefits of that act are that it, first off,
reduces the risk of any legal liability to any of those
industry partners that we have when they share that
information, and also decreases any economic or business
advantage that might be gained through the act of sharing that
type of information. So it is really knocking down a lot of
those barriers.
Mr. Ashford. Thank you, Mr. Chairman.
The Chairman. Mr. Rogers.
Mr. Rogers. Thank you, Mr. Chairman.
This will be a question for all of you. Do any of you
believe that the Department of Defense should use equipment
provided by Huawei or ZTE, each of whom have links to Chinese
military and intelligence apparatus, and each of whom have
links to sales, illegal sales to Iran, in violation of U.S.
sanctions?
Mr. Atkin. Sir, I am not as familiar with those
technologies. Certainly, we would want to take those factors
that you just highlighted into consideration, if we were going
to use anything like that, and those would probably be--the
risk would have to be evaluated based on those threats on
whether we would use those technologies.
Mr. Rogers. So you are not familiar with either of those
two Chinese providers?
Mr. Atkin. I have heard of them, but I am not a technical
expert to make a good decision.
Mr. Rogers. General McLaughlin.
General McLaughlin. So, sir, I would just say, so I haven't
heard of the first company that you mentioned, but what I would
say broadly is all the equipment that we use or field as part
of our DOD mission, you know, it is heritage, and the supply
chain associated with that is something that is important that
we assess. Based on the utility of that equipment, we assess,
you know, what vendors are appropriate and which ones shouldn't
be.
So I am not prepared to tell you, because I just don't know
what exclusions might be there for both of those companies
broadly across the DOD. But I do know for our core
capabilities, it is something that before we buy it, we buy
that capability, its security and that our knowledge of its
supply chain go into the factors before we make a broader
procurement.
Mr. Rogers. General.
General Moore. Sir, I am really just piggybacking on what
the two other gentlemen have said. Supply chain vulnerabilities
are absolutely real and they should be considered anytime we
are looking at any equipment that we might purchase on behalf
of the DOD or the Federal Government.
Mr. Rogers. That was with relation to DOD, you are saying.
What about a U.S. cleared contractor? Do you apply a different
standard to them? What would you advise them if they were
thinking about using equipment from one of those two Chinese
firms?
Mr. Atkin. Sir, I am not--again, I am not on the
acquisition side, and I know that we work very closely on the
acquisition side with the different contractors through the
defense industrial base and to ensure that their systems are
secure. So we are always looking at the supply chain
vulnerabilities and the risk. And so our advice to any of the
contractors that support the Department of Defense or any of
the interagency, I think we would recommend them to take a hard
look at their supply chain vulnerabilities and to ensure that
their information is secure and their operations are secure.
Mr. Rogers. So I guess I am hearing from you all that you
don't have a list of Chinese firms that you are concerned about
right now, or you have a list, but you are not familiar with
it?
Mr. Atkin. Sir, I am not familiar with a list.
Mr. Rogers. Do you know if you have a list?
Mr. Atkin. I do not, no, sir. And we can take that for the
record.
[The information referred to can be found in the Appendix
on page 57.]
Mr. Rogers. Yeah. General McLaughlin, do you know if you
all have a list of Chinese firms you are concerned about having
access to your supply chain?
General McLaughlin. Sir, I don't. I just--because it is all
handled within our acquisition chain of command--you know, the
folks that actually procure our equipment, which is outside
what we do at U.S. Cyber Command.
Mr. Rogers. If you could do what Mr. Atkin just said, take
it for the record and let me know back, I would appreciate
that.
Thank you, Mr. Chairman. I yield back.
[The information referred to can be found in the Appendix
on page 57.]
The Chairman. Ms. McSally.
Ms. McSally. Thank you, Mr. Chairman.
Thank you, gentlemen. I am not sure if you answered this.
Sorry. I was at a Homeland Security classified briefing. But I
do want to ask about the Secretary of Defense announced we were
doing cyber operations against ISIS just starting a few months
ago. The caliphate was declared 2 years ago. I know probably
the details would be more in a classified realm, but this is a
very important domain, and this terrorist organization is using
cyber in a way that we have never seen other terrorist
organizations use before.
What took so long and what was the decision-making process
that is having almost 2 years go by before even thinking about
fighting in this domain?
Mr. Atkin. Ma'am, that is a great question. I think the
bottom line is that we probably started more than 2 months ago.
I don't have the exact date and time that we began to conduct
cyber operations against ISIS. We continue to respond to ISIS
and their--both the use of the social media, the sharing of PII
[personally identifiable information] about military service
members and their families. And so it wasn't always necessarily
a cyber response to ISIS, but it certainly was a response to
their cyber activities.
Ms. McSally. So I know there is always this tension, I
mean, I was in the military, between keeping comms
[communications] up and running so that we can collect on it
versus taking it out so they can't communicate. But, you know,
we have known cells in Raqqa that are directing training, that
are directing operations very specifically, you know, targeting
against Americans' way of life.
Why isn't the Internet shut down in Raqqa? Like, why did we
not have cyber operations 2 years ago going against their
command and control as part of our centers of gravity and using
all elements of military power to take them down?
Mr. Atkin. Yeah. And I know they will get a little bit more
into this in the closed hearing later today, but the fact is we
were going after their command and control systems. We may not
have been using necessarily cyber activities to do that. There
always is a balance between collecting information and shutting
it down.
And certainly, going after specific nodes to hamper and
stop the use of the Internet by ISIS is important, but we also
have to respect the privileges and rights of citizens to have
access to the Internet as a whole and as a country. So it is a
careful balance, even in Raqqa or Mosul or anywhere, on how we
balance the rights to have access to the Internet versus the
use of the Internet illegally by folks like ISIL.
Ms. McSally. Yeah. I would like to follow up for sure in
the classified setting with a little more details.
The second question is we were dealing with this, my last
assignment was at Africa Command, just trying to deal with the
functional commands and the geographic commands. Can somebody
speak to, I don't know, General McLaughlin, how the
relationship is working and is there duplication of cyber
capabilities at the geographic commands? And how does that work
if you are conducting operations and the coordination with the
geographic commands?
General McLaughlin. Yes, ma'am. I think it is working
pretty well and I don't see any duplication right now. And when
we--later, we will give you some great details with regard to
U.S. Central Command, but generally, each of those combatant
commands has a cyber element within it that is at their
headquarters level, and their job really is sort of
understanding broadly what their command is trying to achieve
in the domain. We have the forces that are actually, you know,
both the defensive and offensive forces that they are using.
And so the practical way that it is working today, for example,
you know, in real world operations is we have, you know, daily,
you know, whether it is targeting meetings or planning sessions
where the supported commander and our staffs and our teams are
interacting routinely.
Our job is to support them, and, you know, we deliver the
effects, you know, on the targets they need at the time they
need, but we bring the capability.
Ms. McSally. Okay. Thanks. My last question is about the
laws of armed conflict and some of the challenges that we have
had in this domain in identifying what is an armed attack and,
you know, what constitutes the ability to be able to respond
and Article 5 and all that kind of stuff. So can there--can we
just have some comment on where we are on that and whether
there is still some further definition that needs to happen
related to the clear authorities that are needed to be able to
operate in this domain?
Mr. Atkin. I would say specifically to your question what
defines an act of war, I think is what your question is
regarding cyber acts, that has not been defined. We are still
working towards that definition across the interagency.
As far as an attack of significant consequence, which the
DOD would respond to, in the homeland, we don't necessarily
have a clear definition that says this will always meet it, but
we do evaluate it based on loss of life, physical property,
economic impact, and our foreign policy. So there are some
clear lines in the road which we would evaluate any specific
cyber act or incident and how we would respond to that.
Ms. McSally. Okay. Great. My time has expired.
Thank you.
The Chairman. Let me follow up on just a couple things.
Mr. Atkin, I understand the concept of proportionality as
you are looking for any sort of military effects. But are you
arguing that the citizens of Raqqa have some sort of inherent
right to access the Internet that you all have to try to weigh?
Mr. Atkin. What I am trying to explain is that I think that
when we start talking about taking out the Internet, there are
always challenges to how you do that and where you do it in
space. So the Internet service providers who provide that
Internet service to a region are much broader, generally, than
just the adversary's single command and control node. And so
how that effect occurs has greater impact than just against the
adversary, and we have to weigh that in when we make all our
decisions. And whether that is a kinetic or a cyber operation,
those factors are always weighed in and the impact to the
civilian populace.
The Chairman. Okay. Well, I think I understand the concept
of proportionality, as I say, throughout warfare. I just got
concerned there for a second that there was some sort of
inherent right to be on the Internet that was a factor in you
all's decision making.
I want to go back. I think both the generals mentioned the
importance of speed of decision making. Mr. Smith asked earlier
about NSC and when you have got to keep them informed and when
you have got to get permission. There has been a fair amount
written about the air campaign, and I had quoted Secretary Work
earlier who said, just like we have an air campaign, I want to
have a cyber campaign.
Some of the things that have been written about the air
campaign are that for some sorts of--so we have got airplanes
circling above Iraq or Syria. For some sort of attacks, then a
certain level of command can make a decision, say it is okay to
drop your bomb. Others have to go up to the CENTCOM, others
have to go up to the Secretary of Defense, some have to go to
the President. Meanwhile, the planes, they are circling. And
that one of the challenges to being more effective against ISIS
is this multilayered decision-making process, which has slowed
down or hindered the ability of our military to be as effective
as they could be. Now, that is with bombs, an air campaign.
I am concerned, I guess, that we are developing the same
sort of multilayered bureaucracy decision-making process when
it comes to cyber. And part of the challenge with the air
campaign is by the time you get permission to do it, the target
is gone. And I have personally talked to pilots that have had
that happen. Now, when things are moving at the speed of light,
if we go through this multilayered decision process to push the
button on a cyber response, then we are going to be hopelessly
behind.
So, I guess, if anybody can address where we are with this
speed of bureaucracy matching the speed of the world that would
reassure me, I would like to hear it.
Mr. Atkin. Yes, sir. What I would say is in the area of
hostilities, CYBERCOM has the authorities by which to operate
and conduct cyber effects and make that decision at the
CYBERCOM level. So they certainly have those authorities to do
that. And I think they can talk more in greater detail in the
closed session this afternoon on the specific authorities that
they do have.
The Chairman. Okay. Well, we will talk more about it. But,
again, just drawing the analogy to the air campaign, I am not
yet reassured.
Mr. Atkin, I want to follow up Mr. Lamborn's question about
the NATO announcement last week. Does that NATO announcement
indicate NATO has agreed that a cyber attack can trigger
Article 5?
Mr. Atkin. That is my understanding.
The Chairman. And so then the question for the NATO nations
is going to be at what level of cyber attack would trigger
Article 5, because there are at least media reports of a fair
amount of constant cyber activity in some of the Baltic and
Eastern European countries coming from the east.
Mr. Atkin. As far as I know, there has not been a
determination made or a decision made on what would constitute
a cyber attack that would trigger Article 5, so I would have to
take that one for the record.
[The information referred to can be found in the Appendix
on page 57.]
The Chairman. Okay. And, finally, the questions that Ms.
Gabbard was asking about defense of civil authorities and
attack of significant consequence, is one of the factors which
would be considered in determining whether it is an attack of
significant consequence who the actor is, whether it is a state
actor or not?
Mr. Atkin. That could be a factor, but I wouldn't say it is
one of the primary factors. The primary factors are loss of
life, economic impact, how it may impact our foreign policy,
and then physical property. So those are the four primary
factors that we would evaluate from an attack of significant
consequence, whether that is a state or non-state actor.
The Chairman. I guess the questions that come to my mind
relate to, say, terrorism information we get. We may get
information that a terrorist attack is in the works. We don't
know exactly what the target will be, we don't know exactly
what the consequence will be. And if you have to wait to see
what the consequence is, then it is going to be too late,
right?
Mr. Atkin. Yes, sir. I would also say it is similar to a
cyber threat. If you have an unknown--you have a known--I guess
I will back up.
If you have the potential for a cyber attack, but you don't
know where it is coming from, you don't know who is going to do
it, you certainly would alert people to provide them an
opportunity to maybe heighten their security, just like we do
in the physical world with a terrorist threat where we are not
sure exactly the when or where it will happen. I would say
very----
So it is similar, but we can't necessarily--if we don't
know where it is coming from and who is going to do it and how
it's going to happen, it is very hard to go in and then stop
that from happening.
The Chairman. Yeah. Well, I understand. And I realize you
don't want to get into hypotheticals. My concern is we know
where it is coming from. Country X, Y, Z that has tremendous
cyber capability is preparing to do something, and the question
is whether we wait and let them do it or try to at least take
defensive action to manage the consequence of it. And to me,
that is where this gets very difficult.
I understand, you know, if we know it is going to have
significant loss of life, yeah, that is pretty easy. But if we
see--and I guess I would say the difference is we know ISIS is
going to do whatever they can get away with, so they are going
to use their full capability to kill as many people as they
possibly can. We don't know that about some state actors who
have tremendous cyber capability. And so waiting to see how
much of their capability they will use and how that fits into
this standard of attacks of significant consequence seems, to
me, to be somewhat problematic.
Mr. Atkin. Well, sir, I think we are maybe talking past
each other a little bit. One is how we respond to an attack and
when we respond under defense support of civil authorities
versus making sure we have a good cybersecurity posture to make
sure that we are defended prior to an attack. So certainly,
there is--we would not necessarily evaluate the potential
before it happens. We would go ahead and provide defensive
measures through DHS, with DHS to help prevent an attack, and
then we evaluate after an attack happens.
The Chairman. Yeah. I realize these terms get a--okay. So
we are going to wait back and defend, but we are not going to
take action to prevent the attack to begin with. And then so
the definition of offense and defense in this situation gets a
little tricky. And I am not trying to pin you down. I am just--
--
Mr. Atkin. No, no. I----
The Chairman [continuing]. Trying to explore some of the
complexities of these challenges.
Mr. Atkin. Certainly, a known threat coming from a known
actor that we know is coming after the United States, I would
say that we would certainly evaluate that. And those decisions
would be made by the Secretary and the President on what kind
of actions we would take to stop that from happening, and that
would be on a case-by-case basis.
The Chairman. Yeah. Okay.
Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. Again, thank you to
all of our witnesses here.
I just want to go back to the training environment again.
General McLaughlin, the House Armed Services Committee, as you
know, fully funded the persistent training environment
initiative, and I understand other committees did not provide
full funding. So my question is, can you describe the
persistent threat training environment and the impact of
proposed cuts? And what stage is the concept in? Has it been
fully approved by the Joint Staff?
General Moore. Sir, if it is okay, I will attempt to answer
that question for you.
Mr. Langevin. Sure.
General Moore. So as was indicated earlier, persistent
training environment gives us a couple of things that we don't
currently have, like on the Joint Information Operation Ranges.
We don't have the scale of the complexity to truly represent a
realistic and relevant threat, the ones that we are truly
trying to train to. So that is the big advantage that it gives
us, and, of course, as the name indicates, it is permanent.
Right now, the initial capabilities document is under
review, it should be signed within the next 1 to 2 weeks. And
if that happens and the funding stays in line, we expect to
have an IOC [initial operating capability] by fiscal year 2019.
Mr. Langevin. Very good. Thank you.
I know we have talked about this on some point, but General
McLaughlin and General Moore, what role does the Cyber Threat
Intelligence Integration Center, established in 2015, play in
support of cyber operational planning?
General McLaughlin. Sir, in terms of cyber operational
planning, on our day-to-day operations at U.S. Cyber Command,
it is not playing a role in the planning side. It is mostly
playing a role of collecting, you know, integrating
intelligence and information on what the threat is doing and
then at times, you know, providing information back out to all
the rest of the government operation centers. But they are not
playing any operational planning role in support of U.S. Cyber
Command missions today.
Mr. Langevin. Very good. Thank you.
And, General McLaughlin, let me ask you, what lessons have
been learned about the construct of the cyber mission force
over the last year? Is the force manned, trained, and equipped,
and postured correctly to address threats in their respective
mission areas?
General McLaughlin. Sir, I believe we have learned that it
is manned and equipped properly and postured to respond. Some
areas that we have learned, we think, in this space, agility is
really important. And we have found and in many cases we have
task organized sub-elements of teams. We will--each of those
teams is comprised of specific sets of skills. And we have
learned that it is very effective to take sub-elements of
certain teams and task organize them against a specific problem
set or a threat and leverage, you know, smaller, more agile
elements of those teams, whether they be defensive or offensive
teams, to provide you a more immediate and a more tailored
mission capability.
And so we initially didn't think about it that way, but we
have some very innovative commanders that use that approach. We
do that in other domains of warfare. We task organize, and it
works really well in the cyber mission force. It is one example
of what we have learned of a way we would employ it. The basic
building blocks, we think, are sound, but at times how we might
sort of tactically organize it for a specific dynamic problem,
that task organization has proven to be a great agile way for
us to think about how we employ it.
Mr. Langevin. Very good. And going back to the concept area
of the Cyber Guard exercise that we just had. If we have a
large-scale cyber attack that leads to infrastructure damage
and DOD is called in to assist, what organization within DOD
will take the lead? And in this scenario, what will NORTHCOM's
role be, and how is DOD getting ready to assist after such an
attack?
Mr. Atkin. So NORTHCOM would, obviously in the case of a
defense support to civil authority, they would have command and
control responsibility. CYBERCOM would be in support of that.
The force that would be responsible to respond would be
determined on what the specific request was from the
interagency. So it could be road clearing, it could be helping
transport something from one location to another, which would
be a TRANSCOM [Transportation Command] responsibility, road
clearing was the Army Corps of Engineers. And if it is a cyber
response where we need to help from a cyber perspective, it
would be CYBERCOM.
Mr. Langevin. Very good. Thank you.
Could we--well, before my time is about to expire, in terms
of, for the record, building out the training environment, what
is still needed and how can we be of assistance further?
General McLaughlin. So, sir, right now, the main thing that
is needed is the broad four elements of that persistent
training environment. We have some parts of it, but the--we
have one part, it is called the event management side of it, is
where we actually plan all the training events that would need
to occur globally, assess the performance of each of the
players that are being evaluated, where our aggressor force
would reside. It is really all the things that make it
training. That is one of the key things that the fiscal year
2017 budget request is the first real year of commitment to
that funding, is building the technical capability to manage
all of that capacity.
And so what you saw last week was really a manual way of
doing that, not at scale. And so what we are trying to build is
the foundational technical capability to do that routinely at
scale and to have the people there that actually provide that
training. And that is what we want to get started on really
seriously in fiscal year 2017.
Mr. Langevin. Well, we look forward to continue supporting
you in that effort, General, as you build that out. As for me,
it was time well spent going to see that exercise, and I
encourage others to do the same. So thank you.
And with that, I yield back.
The Chairman. Mrs. Walorski.
Mrs. Walorski. Thank you, Mr. Chairman.
And I just wanted to follow up, Mr. Atkin, on a question
from Mr. Rogers' line of questioning about China. I understand
that you are not involved with the acquisition side of the
business, but from a cybersecurity perspective, how concerned
are you about counterfeit parts entering into our systems, and
how can we best defend those threats?
Mr. Atkin. As mentioned, we constantly and consistently
look at our cyber chain vulnerabilities and evaluate, working
with our defense industrial base partners and other contractors
that provide resources for the Department, on different
vulnerabilities and how we would stop those vulnerabilities, to
make sure that the only equipment that comes into the supply
chain is free of counterfeit or high-risk material.
Mrs. Walorski. Thank you.
And, General McLaughlin, I want to direct this question to
you, but I want to just give you a really quick background. I
represent the great State of Indiana, where we have Muscatatuck
Urban Training Center. This remarkable training facility
includes its own fully functional power plant. At this training
center, rotational units are able to participate in a number of
real scenarios, but one of the most compelling is where the
power grid there is hacked or taken offline in the exercise. As
I consider the devastating consequences associated with that
kind of attack to our grid, I am interested if the Department
has the training resources necessary to adequately prepare for
one of these scenarios.
So to you, sir, you described the Cyber Guard and Cyber
Flag exercises in your remarks earlier. Are you confident in
your ability to fully stress your forces in a way that prepares
them to respond and defend against any sort of contingency
scenario? And then, what are the gaps, the significant gaps in
training, if there are any?
General McLaughlin. So, ma'am, I would say today we are--I
wouldn't be able to say that I am confident that we are able to
respond to all of those. You listed a broad range of potential
contingencies.
The reason the persistent training environment is so
important, you just--in fact, I would love to learn more about
the capability you just described in Indiana. But part of that
persistent training environment is being able to replicate each
of those unique classes of terrain. Industrial control systems
are different than platforms like airplanes and tanks, and they
are different than just networks. So part of what we will build
are the high-fidelity replications of each of those unique
types of targets that we would need to defend against.
We are building the ability for civil or other partners to
bring their own range emulations and connect into that
environment, and then the people that want to actually do it,
have the place to sit down, plug into what looks to them to be
their realistic replication of what they are trying to defend,
and then do their job in a realistic scenario against hackers
or, you know, attackers that are trying to do it.
So today, I would say we don't have the capacity at scale
to cover that range. We have a concept. That is why we are
proceeding with our program to actually do that. And it has the
flexibility to accept the ability for other partners, non-DOD
partners, to plug into that environment and do training. We are
doing it manually today at Cyber Guard, and I think you will
see us do that more at scale with more partners than just, you
know, U.S. DOD participants.
Mrs. Walorski. I would like to invite you, General, to come
into Muscatatuck in Indiana. I would love to share additional
information with you about their capability and having those
resources there with that fully functioning power plant, what
they have been able to learn, the kind of activities they are
running, and what it does, I think, for training for all of our
forces. So I would love to extend an invitation to you to come
there and see it for yourself.
General McLaughlin. Yes, ma'am. Absolutely. Thank you.
Mrs. Walorski. Thank you.
I yield back, Mr. Chairman.
The Chairman. Mr. Johnson.
Mr. Johnson. Thank you, Mr. Chairman.
And, gentlemen, thank you for being here today to discuss
what is really a turning point in our approach to offensive and
defensive military policy.
Being a member of the Judiciary Committee, specifically the
IP [Intellectual Property] Subcommittee, cyber and tech issues
are at the forefront of my mind, and I am encouraged to see
that we are taking necessary steps to ensure that the U.S.
maintains a comparative and competitive advantage in this
arena.
Mr. Atkin, with respect to--well, I will ask this question
first, because it is related to the previous question that my
colleague, Mrs. Walorski, asked.
With respect to the coordination with civil authorities,
specifically at the State and municipal level, and in
consideration of the fact that U.S. Army Cyber Command is
moving to Fort Gordon, I have heard concerns about how this may
put neighboring communities at risk. For example, if Fort
Gordon is hit with a cyber attack, is it independent enough
from the local energy grid, that it does not down power to the
entire region, affecting hospitals, schools, et cetera? And
what can we do in Congress to help facilitate coordination with
local authorities in the event that such an attack happens?
Mr. Atkin. Sir, for----
Mr. Johnson. And I am sorry. I meant to ask that question
of General McLaughlin.
General McLaughlin. So, sir, I am not aware right now of
any element of the move that you just--you mentioned a concern
potentially with U.S. Army Cyber Command moving to Fort Gordon.
The scenario you described is not one that has been brought to
my attention, so I am not aware of any direct connection of
that move to an increased threat or risk to the local
community.
We do step back and look broadly at the risk to all of our
military installations. Many of them for their critical power
and infrastructure are using, you know, commercially provided
control systems for, you know, electricity, water, and power.
But we haven't really seen any analysis that shows the location
of military installations is driving a higher likelihood that
an attack against them would have some unique impact on the
local community.
So I am not saying that it wouldn't, I am just not aware of
any analysis.
Mr. Johnson. Well, I have heard concerns about it from
State and local officials, and I think it is an area that
reassurance is due, at the very least. So in terms of
coordinating with State and local leaders, I think that that
would be something important for you to consider. And I thank
you for that answer.
Mr. Atkin, with respect to the development of cyber-related
technology, much has been said of the need for DOD to attract
brilliant hacker minds from the private sector. How can we in
Congress help improve the DOD's ability to attract tech
startups who are leading the way in cutting-edge technology?
Mr. Atkin. Thank you, sir, for that question. I would say
the first stop would be, which is something that you have
already provided, which is excepted service opportunities for
the civilian sector or the civilian personnel in the Department
involved in cyber activities. I would say the broader we can
make this excepted service across the entire cyber enterprise,
that would be very helpful. So broadening out the excepted
service for civilian employees would be helpful to be able to
bring in those really smart hackers and other people that have
a cyber background.
Mr. Johnson. I have even heard some suggestions about
creating startup incubators within specific government
agencies. Do you see that as something that can be coordinated
within DOD?
Mr. Atkin. Sir, I am not familiar with the incubator model.
I know that we reach out through our Defense Innovation Unit
Experimental out on the West Coast and how we work with Silicon
Valley and others. I know that we leverage the skill sets of
our Reserve and National Guard force to make sure that we--
those are the young, smart minds that are working in the
private sector and bringing expertise back into the Department
through their Reserve and National Guard status. So I know we
are going that route, but I am not as familiar with the
incubator model that you describe.
Mr. Johnson. Either one of you, General Moore or General
McLaughlin, care to comment about that?
General Moore. One of the brother systems, if you will, or
programs to the DIUx that Secretary Atkin mentioned is the In-
Q-Tel model, which was actually started at the CIA [Central
Intelligence Agency] organization, overt. Right now, there is
about eight governmental agencies or organizations that go
through the In-Q-Tel model specifically out in Silicon Valley.
And you can think of it more of as a venture capitalist type of
organization, where we bring problems that we want innovative
and quick, hopefully, solutions to.
That money is taken by the In-Q-Tel organization and
invested in many times these startup organizations that have
innovative technologies. And we have started that program at
the Department of Defense to help us solve another specific
problem, and I see that program continuing to grow. It has
showed a lot of promise.
Mr. Johnson. Thank you.
Mr. Atkin. One other--our Defense Digital Service recently
ran a bug bounty using a hacker program basically to contract
out for hackers to come in and take a look at DOD systems and
to see if they could hack into it. So that was another model by
which we did reach out to the private sector and leverage the
skill sets they have to improve our own cybersecurity.
Mr. Johnson. Thank you. And thank you for your service to
the Nation.
And with that, I yield back.
The Chairman. Chairman Wilson.
Mr. Wilson. Thank you, Mr. Chairman. As we conclude, I
think it is quite appropriate that Kevin Gates of the Emerging
Threats Subcommittee is seated with the chairman. I really
appreciate, Kevin has an almost 20-year history of working on
these issues, before many of us had ever heard of them.
So, Chairman Thornberry, we are just fortunate to have such
great people who are assisting our country protecting American
families.
General Moore, what legal or policy framework governs
information conflict of the sort evolving from the use of
social media for propaganda and recruitment? As a tactical
matter, how successful are efforts to counteract the use of
social media?
General Moore. Yes, sir. So as I think you are keenly
aware, a lot of what we are doing to counter ISIL in Iraq and
Syria revolves around using cyber as a conduit for military
information support operations, or MISO/PSYOP [psychological]
operations, to specifically get after those types of problems.
We have the authorities to conduct those types of operations,
and I don't see any limitations at this time.
Mr. Wilson. And indeed, sadly, we saw with the San
Bernardino mass murder, with the Orlando mass murder, there was
a direct social media contact and availability that has
resulted in mass murder across our country.
Secretary Atkin, I was grateful, in a deterrence policy you
mentioned multiple responses that are possible. And that can't
be more important than right now because we have had so many
incidents of cyber attacks just in the last month. The
Democratic National Committee came under cyber attack, there
were North Korean attackers of smartphones of South Korean
officials, there were power outages affecting tens of thousands
of people in western Ukraine; over and over again, just
incidents that are incredible.
And then one that got my attention at the very time that
the dangerous Iranian nuclear deal was being put together. In
November 2015, Iran's Revolutionary Guard hacked the email and
social media accounts of a number of Obama administration
officials in an attack. Was there any response to that attack?
Mr. Atkin. I am not familiar exactly with the event and
what our exact response was of all those situations that you
describe, but what I would say is when we are able to have
attribution, that we would respond at a time and manner and
place of our choosing.
Mr. Wilson. Well, it is so obvious it was in such bad
faith, the Iranian Revolutionary Guard would, at a time of
negotiations or implementation, show such bad faith as to
attack the Obama administration that was placing such faith in
them. But we certainly want to be working with you, and there
just has to be multiple responses that make sense.
And I want to thank you all for being here. And I yield
back the balance of my time.
The Chairman. Mr. Atkin, Mr. Wilson prompts me to try one
more question. Okay. The primary job of CYBERCOM is to defend
DOD networks. But in thinking about defense support to civil
authorities, if there is a foreign country that launches some
sort of cyber espionage or cyber attack against a server, a
private server by the Secretary of State, or looking for
information about a leading candidate for President, is that an
attack of significant consequence? It is not against DOD
networks, but it goes to either government officials or someone
who is wanting to be a government official.
Mr. Atkin. Yes, sir. So we would evaluate each attack, if
we were evaluating based on whether it was an attack of
significant consequence on the loss of life, property, damage,
economic impact, and foreign policy. So I would say we would
evaluate each of those attacks based on that factor on whether
and how we would respond.
The Chairman. Seems to me it is pretty tricky when you
start into political campaigns, say somebody is the nominee for
President, if there are further sorts of espionage.
I was just about to adjourn, and Mr. Franks walks in. Do
you have a question?
Mr. Franks. Mr. Chairman, I do, but I will be brief, sir.
The Chairman. The gentleman is recognized.
Mr. Franks. And I appreciate your forbearance, to say the
least. I didn't mean to come in and--you know, sometimes
people, when they walk in, end the party. That is usually the
situation for me.
General McLaughlin, I will be really brief here. In an open
setting, the best you can, how is Cyber Command being employed
to fight against the Islamic State?
General McLaughlin. So, sir, you know, in this setting,
and, again, we will get into more detail with you in the closed
session, our organization and the teams, the tactical forces
that are within U.S. Cyber Command, a subset of those have been
allocated and directed to support operations against the
Islamic State. We are operating in support of U.S. Central
Command. It is, you know, a focused activity that is recurring
and is a major element of what the command is focused on day to
day. We have leaders within our organization who, you know,
subordinate leaders to Admiral Rogers, that it is their only
job. And we are bringing--every capability that we have in this
area that are available to us, we are making available to that
fight.
Mr. Franks. Are there any restrictions that might be called
rules of engagement or anything like that on how the command
might be employed against the Islamic State, any restrictions?
General McLaughlin. Well, sir, a bit earlier, one thing Mr.
Atkin described is within the area where we are actually
conducting these operations, we have adequate authorities, the
authorities we need to operate. Our operations in cyberspace
are subject to the same, you know, rules of every operation. So
we are constrained by the law of armed conflict and other
limitations, but they are really not any different for what we
are doing as in any other domain. So within the operation, we
feel like we have the authorities and the flexibility we need
to support that particular operation.
Mr. Franks. One last question, Mr. Chairman.
We know a little about the cyber doctrine and military
structure of adversaries like Russia, China, and others. What
is our understanding of those things related to actors like
Syria, Iran, Israel, or Germany?
General McLaughlin. Well, sir, I would just say, you know,
in this setting, what we know about the cyber aspirations of
our potential adversaries, all I would say is we know that most
of them have realized this is a tool available to them, you
know, as an instrument of power, and it is a tool they can use
without a significant amount of investment, and they can have a
relatively small number of people, or buy expertise.
Our coalition partners, those countries that we partner
with, we are partnering with each of them as they--and many of
them are on their own looking at building military cyber
capability, and we partner with them closely. They visit, they
are looking for advice from DOD and the United States. And to
the degree they want to come see this, we routinely meet with
them and talk with them about how we could help them, you know,
be part of a broader group that can defend themselves and
operate together in cyberspace.
Mr. Franks. Well, thank you.
Mr. Chairman, I yield back my minute and 54 seconds. Thank
you, sir.
The Chairman. I thank the gentleman.
Thank you all for being here and for answering our
questions. We will look forward to seeing you a little bit
later today.
The hearing stands adjourned.
[Whereupon, at 11:52 a.m., the committee was adjourned.]
=======================================================================
A P P E N D I X
June 22, 2016
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
June 22, 2016
=======================================================================
WITNESS RESPONSES TO QUESTIONS ASKED DURING
THE HEARING
June 22, 2016
=======================================================================
RESPONSE TO QUESTION SUBMITTED BY MR. THORNBERRY
Mr. Atkin. At the NATO Summit in Wales in 2014, Allies affirmed
that cyber defense is a key part of NATO's core task of collective
defense and agreed that a cyberattack could reach the threshold of an
armed attack which could potentially trigger an Article 5 (i.e.,
collective self-defense) response.
NATO did not specify the threshold at which a cyberattack might
constitute an armed attack. Similar to kinetic attack, a cyberattack
and its effects would be assessed on a case-by-case and fact-specific
basis by the victim nation. If the victim nation decided that an attack
were an armed attack, it could then submit a request to the North
Atlantic Council for an Article 5 response.
NATO's lack of specificity regarding the threshold for a
cyberattack is consistent with U.S. policy. When determining whether a
cyber incident constitutes an armed attack, the U.S. Government
considers a number of factors including the nature and extent of injury
or death to persons and the destruction of, or damage to, property.
Besides effects, other factors may also be relevant to a determination,
including the context of the event, the identity of the actor
perpetrating the action, the target and its location, and the intent of
the actor, among other factors. [See page 25.]
______
RESPONSES TO QUESTIONS SUBMITTED BY MR. ROGERS
Mr. Atkin. DOD does not ``blacklist'' suppliers or individual
products. It does create Approved Product or Supplier Lists
(Whitelists) of products or organizations that have been assessed for
use in certain applications. There are currently no Huawei or ZTE
products on the DOD Unified Capabilities Approved Products List (APL).
The fact that a product does not appear on an APL does not mean
contractors cannot offer bids or that the government can still select
outside the APL. Short of suspension and debarment, federal contractors
and vendors are not precluded from competing on DOD contracts. It is
the policy of the DOD to solicit from a broad number of potential
offerors and award contracts based on full and open competition to the
maximum extent possible.
ZTE Corporation is a unique case because the Department of Commerce
added it to the Entity List, which is a list of foreign entities that
are subject to specific license requirements for the export, reexport,
or transfer of items subject to the Export Administration Regulations.
[See page 22.]
General McLaughlin. [The information referred to is classified and
retained in the committee files.] [See page 22.]
______
RESPONSE TO QUESTION SUBMITTED BY MR. ASHFORD
Mr. Atkin. The ITEP program is the only IT/Cybersecurity-specific
personnel exchange program currently available to the Department. At
the end of 2015, DOD-CIO established a management office to oversee the
ITEP program and identified a funding source. The program office has
been able to identify, vet, and place three industry participants in
DOD positions and five DOD Civilian personnel in industry positions.
The program office is working to vet additional candidates and place
another two candidates to meet program capacity allotted in the ITEP
legislation. [See page 20.]
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
June 22, 2016
=======================================================================
QUESTIONS SUBMITTED BY MR. ROGERS
Mr. Rogers. Do you recommend the Department of Defense rely on
equipment provided by Huawei or ZTE, which are linked to the Chinese
military and intelligence apparatus and have been linked to sales to
the Islamic Republic of Iran, in violation of U.S. sanctions laws?
Mr. Atkin. DOD does not ``blacklist'' suppliers or individual
products. It does create Approved Product or Supplier Lists
(Whitelists) of products or organizations that have been assessed for
use in certain applications. There are currently no Huawei or ZTE
products on the DOD Unified Capabilities Approved Products List (APL).
The fact that a product does not appear on an APL does not mean
contractors cannot offer bids or that the government can still select
outside the APL. Short of suspension and debarment, federal contractors
and vendors are not precluded from competing on DOD contracts. It is
the policy of the DOD to solicit from a broad number of potential
offerors and award contracts based on full and open competition to the
maximum extent possible.
ZTE Corporation is a unique case because the Department of Commerce
added it to the Entity List, which is a list of foreign entities that
are subject to specific license requirements for the export, reexport,
or transfer of items subject to the Export Administration Regulations.
Mr. Rogers. If a U.S. cleared defense contractor came to you and
stated that they were planning to buy IT equipment or network
management services from Huawei or ZTE, what would you advise them?
What are the risks of using such equipment or network management
services?
Mr. Atkin. In addition to advising the cleared defense contractor
that they should conduct commercial due diligence of the provider of
equipment or services, we would recommend they practice supply chain
risk management best practices such as those in the National Institute
of Science and Technology Special Publication 800-161, ``Supply Chain
Risk Management Practices for Federal Information Systems and
Organizations.'' If the equipment or services were for use on or
related to a national security system, DOD would also reference the
policies and procedures in Committee on National Security Systems
Directive 505, ``Supply Chain Risk Management,'' and DOD Instruction
5200.44, ``Protection of Mission Critical Functions to Achieve Trusted
Systems and Networks (TSN).''
Only in limited circumstances would the Department have insight
into or the contractual right to control a cleared defense contractor's
decision to use any particular subcontractor or supplier. Absent
suspension or debarment or a statutory restriction on contracting with
a prohibited source, our cleared defense contractors would generally
not be precluded from using a specific vendor's equipment or services.
However, it is important to note that the Department has several
mechanisms in place to help ensure the security of products or services
delivered to us and the systems that cleared defense contractors use to
store or process sensitive DOD information.
First, the Department requires Program Protection Plans (PPPs) to
address the full spectrum of security risks for the critical components
contained in our weapons systems, including supply chain
vulnerabilities, and to implement mitigations to manage risk to system
functionality. In addition to the security requirements applied to
deliverable products or services, the Federal Acquisition Regulation
(FAR) requires that contractor information systems used to store or
process classified information are compliant with the National
Industrial Security Program Operating Manual (NISPOM). The Defense FAR
Supplement (DFARS) also requires that contractor unclassified systems
that will store or process sensitive DOD information must also provide
appropriate security for that information.
It is important to note that there are additional statutory
authorities available to the Department to limit or exclude vendors in
specific circumstances. For example, section 1211 of the National
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2006, as amended
by section 1243 of the NDAA for FY 2012, and as implemented at DFARS
Section 225.77, prohibits the Secretary of Defense from acquiring
supplies or services that are on the United States Munitions List
through a contract, or subcontract at any tier, from any Communist
Chinese military company. In addition, section 806 of the NDAA for FY
2011, as amended by section 806 of the NDAA for FY 2013, has been
implemented at DFARS Subpart 239.73, ``Requirements for Information
Relating to Supply Chain Risk.'' This clause enables DOD components to
exclude a source that fails to meet established qualifications
standards or fails to receive an acceptable rating for an evaluation
factor regarding supply chain risk for information technology
acquisitions, and to withhold consent for a contractor to subcontract
with a particular source or to direct a contractor to exclude a
particular source.
ZTE Corporation is a unique case because the Department of Commerce
added it to the Entity List, which is a list of foreign entities that
are subject to specific license requirements for the export, reexport,
or transfer of items subject to the Export Administration Regulations.
Mr. Rogers. What if that same cleared defense contractor told you
that because of their relationship with Huawei, they were being asked
or were required to submit information related to their network
security? What would you suggest they do? What are the risks of
providing information about their network security to a firm like
Huawei?
Mr. Atkin. DOD would advise the cleared defense contractor that
they should conduct commercial due diligence of the provider of
equipment or services they partner with. For the specific example of
providing network security information to a company in which they
outsource services, DOD would additionally advise the cleared defense
contractor to conduct a risk analysis based on the type of information,
what type of access to the information is provided (can information be
modified), contractual provisions on how the information will be used
or shared, and information protections, among other factors.
Mr. Rogers. Do you recommend the Department of Defense rely on
equipment provided by Huawei or ZTE, which are linked to the Chinese
military and intelligence apparatus and have been linked to sales to
the Islamic Republic of Iran, in violation of U.S. sanctions laws?
General McLaughlin. [The information referred to is classified and
retained in the committee files.]
Mr. Rogers. If a U.S. cleared defense contractor came to you and
stated that they were planning to buy IT equipment or network
management services from Huawei or ZTE, what would you advise them?
What are the risks of using such equipment or network management
services?
General McLaughlin. [The information referred to is classified and
retained in the committee files.]
Mr. Rogers. What if that same cleared defense contractor told you
that because of their relationship with Huawei, they were being asked
or were required to submit information related to their network
security? What would you suggest they do? What are the risks of
providing information about their network security to a firm like
Huawei?
General McLaughlin. [The information referred to is classified and
retained in the committee files.]
Mr. Rogers. Do you recommend the Department of Defense rely on
equipment provided by Huawei or ZTE, which are linked to the Chinese
military and intelligence apparatus and have been linked to sales to
the Islamic Republic of Iran, in violation of U.S. sanctions laws?
General Moore. [The information referred to is classified and
retained in the committee files.]
Mr. Rogers. If a U.S. cleared defense contractor came to you and
stated that they were planning to buy IT equipment or network
management services from Huawei or ZTE, what would you advise them?
What are the risks of using such equipment or network management
services?
General Moore. [The information referred to is classified and
retained in the committee files.]
Mr. Rogers. What if that same cleared defense contractor told you
that because of their relationship with Huawei, they were being asked
or were required to submit information related to their network
security? What would you suggest they do? What are the risks of
providing information about their network security to a firm like
Huawei?
General Moore. [The information referred to is classified and
retained in the committee files.]
______
QUESTIONS SUBMITTED BY MR. LAMBORN
Mr. Lamborn. Regarding Sec. 1107 of FY16 NDAA, the authority to
create a Title 10 Civilian Cyber Excepted Service Workforce: Since
cyberspace is a warfighting domain, are these civilian personnel lawful
combatants? Should they be? If they are, are we willing to accept that
in a multi-domain military conflict that they could be targeted by our
adversaries no differently than our uniformed personnel?
Mr. Atkin. The great majority of the activities envisioned for our
DOD civilian cyber workforce are support activities, such as, by way of
example, developing information technology strategy and designing
computer systems required to support an enterprise's objectives and
goals, conducting routine network maintenance and security functions,
developing offensive and defensive tools and capabilities, and
providing technical advice or services to members of the armed forces
and to departmental chief information officers. Notably, the great
majority of the activities envisioned for our DOD civilian workforce
are conducted during peacetime, when their role in hostilities is not
in question.
During armed conflict, under the law of war, persons who are not
members of the U.S. armed forces, but are authorized to accompany them,
fall into a special category. Although they are often referred to as
``civilians'' because they are not military personnel, they differ
materially from the civilian population because these persons are
sometimes also authorized--and in some cases, are ordered--to accompany
U.S. armed forces into a theater of operations to support the force.
Persons authorized to accompany the U.S. armed forces may not be made
the object of attack unless they take direct part in hostilities. They
may, however, be detained by enemy military forces, and are entitled to
POW status if they fall into the power of the enemy during
international armed conflict. They also have legal immunity from the
enemy's domestic law for providing authorized support services to the
armed forces.
However, during armed conflict, some civilians who support the U.S.
armed forces may sit at the keyboard and participate, under the
direction of a military commander, in cyberspace operations. The law of
war does not prohibit civilians from directly participating in
hostilities, such as offensive or defensive cyberspace operations, even
when that activity would be a use of force or would involve direct
participation in hostilities; however, in such cases, a civilian is not
a ``lawful combatant'' and does not enjoy the right of combatant
immunity, is subject to direct attack for such time as he or she
directly participates in hostilities, and if captured by enemy
government forces may be prosecuted for acts prohibited under the
captor's domestic law.
Most, if not the great majority, of our civilian cyber workforce
involved in providing support to cyberspace operations during armed
conflict will not be serving on the battlefield where they may be the
object of attack or risk being detained by the enemy. Instead, most
will be providing their support remotely from areas outside the area of
hostilities, are not easily identifiable as an individual, and are
likely serving in the United States. DOD practice has been to permit a
broad range of civilians to be authorized to accompany U.S. armed
forces, such as, by way of example, DOD employees, employees of other
government agencies sent to support the U.S. armed forces, and other
authorized persons working on government contracts to support the U.S.
armed forces. The DOD civilian cyber workforce is another category of
DOD employees who may support the armed forces on the battlefield and
elsewhere. DOD expects its commanders to exercise care in placing any
civilian accompanying U.S. armed forces in situations in which an
attacking enemy may consider their activities to constitute taking a
direct part in hostilities. It would be an exceptional situation where
any member of the DOD civilian cyber work force would be subject to any
greater risk than other civilians accompanying the armed forces.
Mr. Lamborn. Regarding Sec. 1107 of FY16 NDAA, the authority to
create a Title 10 Civilian Cyber Excepted Service Workforce:
Acknowledging that civilians are vital to our cyberspace activities,
were the Sec. 1107 authorities sufficient, or are others needed?
Mr. Atkin. The Section 1107 authorities provide the Department with
new capabilities to improve recruiting and retention of cyber personnel
that DOD is in the very initial stages of implementing. In our view,
there is a potential issue with the scope of the authority. It appears
somewhat limited, depending on its interpretation. A broader and more
clearly defined scope that includes positions held by elements of the
Department of Defense supporting the Department's cyberspace mission
would be helpful as well as authorities that provide enhanced
recruiting, training, professional development, and retention
capabilities to the Secretary of Defense through a centralized Cyber
Workforce Development Fund. The authorities in title 10 provided to the
Secretary for a similar fund, the Department of Defense Acquisition
Workforce Development Fund, dedicated to the development and
sustainment of the defense acquisition workforce and managed by the
Under Secretary of Defense for Acquisition, Technology and Logistics,
provide a useful model.
______
QUESTIONS SUBMITTED BY MR. O'ROURKE
Mr. O'Rourke. 1) How large is the CYBERCOM workforce? Please break
down by civilian, Active Duty, and contractor.
2) How is DOD competing with the private sector to get high-quality
talent to fill cyber security positions? Do you anticipate DOD becoming
more dependent on the contracted workforce for this purpose? How do our
potential adversaries deal with this problem?
Mr. Atkin. NDAA FY16, Sec 1107 will improve DOD's competitive
posture for cyber talent. The Department will use this new authority to
address hiring challenges by establishing a new DOD Cyber Excepted
Service. Using a phased approach, the Department will implement the new
personnel system for United States Cyber Command and supporting
organizations to recruit and retain highly skilled cyber personnel. It
is too soon to tell whether the Department will become more dependent
on the contracted workforce at this time.
Mr. O'Rourke. 1) How large is the CYBERCOM workforce? Please break
down by civilian, Active Duty, and contractor.
2) How is DOD competing with the private sector to get high-quality
talent to fill cyber security positions? Do you anticipate DOD becoming
more dependent on the contracted workforce for this purpose? How do our
potential adversaries deal with this problem?
General McLaughlin. [The information referred to is for official
use only and retained in the committee files.]
Mr. O'Rourke. 1) How large is the CYBERCOM workforce? Please break
down by civilian, Active Duty, and contractor.
2) How is DOD competing with the private sector to get high-quality
talent to fill cyber security positions? Do you anticipate DOD becoming
more dependent on the contracted workforce for this purpose? How do our
potential adversaries deal with this problem?
General Moore. [The information referred to is classified and
retained in the committee files.]
______
QUESTIONS SUBMITTED BY MR. AGUILAR
Mr. Aguilar. In the testimony presented, you mentioned the
``Cybersecurity National Action Plan'' released by the President. One
of the proposals mentioned in the plan was ``enhancing student loan
forgiveness programs for Cybersecurity experts joining the Federal
workforce.'' You mention the ``need to keep our best employees,'' in
your testimony. From what you have seen, do you believe enhanced
student loan forgiveness would assist us in retaining the best
personnel? Why? Also, do you know of any current efforts to implement
any enhanced loan forgiveness programs within the DOD?
Mr. Atkin. Given the significant rise in the cost of higher
education, as well as the number of students who graduate with a
student loan burden, this could be an attractive recruiting tool to get
young, highly talented cybersecurity personnel into the Federal
Government and develop them as long term employees. Its usefulness as a
retention tool for individuals already in federal service is unknown,
without knowing the details of the program. An enhanced loan
forgiveness program within DOD would likely require a legislative
proposal.
Mr. Aguilar. In our efforts to identify, recruit, and retain
qualified cyber operations personnel, what would you all say, each of
you, are the three biggest obstacles?
Mr. Atkin. The three biggest obstacles are: 1) Cyber operations is
a high demand skill area across the federal government, private sector,
etc., creating significant competition across all sectors for
experienced personnel. 2) DOD does not provide competitive salaries,
although the new Section 1107 authorities will help in that regard. 3)
The lack of a Cyber Workforce Development Fund that mirrors the Defense
Acquisition Workforce Development Fund (CWDF). The CWDF would strongly
support the Department's efforts to recruit, train and develop a system
to carefully manage our civilian cyber workforce.
Mr. Aguilar. You mention in your testimony that ``one of the
Department's key policy goals in cyberspace is to deter cyberattacks.''
And while I agree that such a goal is a worthy endeavor, one of the
attributes of other weapons is that they have a clearly defined ``home
address.'' We can tell where a missile is shot from. Cyberattacks,
however, are far more ambiguous and real questions exist about the
ability to accurately trace the source of an attack. I understand the
limits of what can be discussed in such an open forum, but could you
all speak a little to the steps we are taking to improve our ability to
correctly attribute attacks to actors?
Mr. Atkin. Attribution is a fundamental part of an effective cyber
deterrence strategy, as anonymity enables malicious cyber activity by
state and non-state groups. Intelligence and attribution capabilities
help unmask an actor's cyber persona, identify the attack's point of
origin, and determine tactics, techniques, and procedures. Public or
private attribution can play a significant role in dissuading cyber
actors from conducting attacks in the first place. Attribution also
enables the Defense Department or other agencies to conduct response
and denial operations against an incoming cyberattack, and ensure that
any response targets the responsible actor and is discriminate and
proportional and in accordance with international and domestic law--
just as we do in any domain.
This is why DOD and the intelligence community have invested
significantly in all source collection, analysis, and dissemination
capabilities, all of which reduce the anonymity of state and non-state
actor activity in cyberspace. DOD is also collaborating with the
private sector and other agencies of the U.S. government to strengthen
attribution capabilities.
Mr. Aguilar. In the testimony presented, you mentioned the
``Cybersecurity National Action Plan'' released by the President. One
of the proposals mentioned in the plan was ``enhancing student loan
forgiveness programs for Cybersecurity experts joining the Federal
workforce.'' You mention the ``need to keep our best employees,'' in
your testimony. From what you have seen, do you believe enhanced
student loan forgiveness would assist us in retaining the best
personnel? Why? Also, do you know of any current efforts to implement
any enhanced loan forgiveness programs within the DOD?
General McLaughlin. The fight for cyber talent requires a full
arsenal of hiring flexibilities. Benefits like loan forgiveness give
hiring managers and additional tool to entice potential new hires.
Beyond the Secretary of Defense's direction to delegate approval
authority for hiring flexibilities (such as loan forgiveness) to the
service cyber component commanders, I am unaware of any additional
effort to expand loan forgiveness throughout the department.
Mr. Aguilar. In our efforts to identify, recruit, and retain
qualified cyber operations personnel, what would you all say, each of
you, are the three biggest obstacles?
General McLaughlin. We believe competition, lack of
professionalization (not to be confused with professionalism) and
operations tempo are the biggest obstacles to identifying, recruiting
and retaining qualified cyber operations personnel.
Competition:
Highly qualified cyber professionals continue to be in high demand,
but low quantity. Many candidates simple don't have the patience to
wait on the lengthy federal hiring process, which includes gaining
security clearances; nor do they have the desire to accept lower wages
set by federal compensation rules. New personnel often wait many months
prior to starting, even after completing training and reporting to
their duty stations. Many of the young qualified people we are
recruiting are also being targeted by colleges and private industry
that provide many other competitive opportunities, often paying more
money. Additionally, once many of our military have served their
initial term, they have received high-quality training that makes them
desirable to the private sector, causing many of them to consider
leaving the services.
Professionalization:
A ``cyber warrior'' can be molded from a host of different career
fields. From on-net operators, to linguists and operational planners,
cyber professional' career paths are intermingled with other
professional specialties. Unlike the intelligence or special operations
community, cyber does not have a well-worn path to career advancement.
As such, many in our community feel isolated and have difficulty seeing
advancement within what could be a lifelong profession.
Operations Tempo:
The cyber domain is growing exponentially, and it has quickly out-
paced the department's ability to match manpower to mission. The
workforce at every echelon, across occupational specialties, is tasked
to [the] hilt, and task saturation is compounding the issue of
retention.
Mr. Aguilar. You mention in your testimony that ``one of the
Department's key policy goals in cyberspace is to deter cyberattacks.''
And while I agree that such a goal is a worthy endeavor, one of the
attributes of other weapons is that they have a clearly defined ``home
address.'' We can tell where a missile is shot from. Cyberattacks
however, are far more ambiguous and real questions exist about the
ability to accurately trace the source of an attack. I understand the
limits of what can be discussed in such an open forum, but could you
all speak a little to the steps we are taking to improve our ability to
correctly attribute attacks to actors?
General McLaughlin. Attribution is a fundamental part of an
effective cyber deterrence strategy, as anonymity enables malicious
cyber activity by state and non-state groups. Intelligence and
attribution capabilities help unmask an actor's cyber persona, identify
the attack's point of origin, and determine tactics, techniques, and
procedures. Public or private attribution can play a significant role
in dissuading cyber actors from conducting attacks in the first place.
Attribution also enables the Defense Department or other agencies to
conduct response and denial operations against an incoming cyberattack,
and ensure that any response targets the responsible actor and is
discriminate and proportional and in accordance with international and
domestic law--just as we do in any domain.
This is why DOD and the intelligence community have invested
significantly in all source collection, analysis, and dissemination
capabilities, all of which reduce the anonymity of state and non-state
actor activity in cyberspace. DOD is also collaborating with the
private sector and other agencies of the U.S. government to strengthen
attribution capabilities.
Mr. Aguilar. In the testimony presented, you mentioned the
``Cybersecurity National Action Plan'' released by the President. One
of the proposals mentioned in the plan was ``enhancing student loan
forgiveness programs for Cybersecurity experts joining the Federal
workforce.'' You mention the ``need to keep our best employees,'' in
your testimony. From what you have seen, do you believe enhanced
student loan forgiveness would assist us in retaining the best
personnel? Why? Also, do you know of any current efforts to implement
any enhanced loan forgiveness programs within the DOD?
General Moore. Given the significant rise in the cost of higher
education, as well as the number of students who graduate with a
student loan burden, this could be an attractive recruiting tool to get
young, highly talented cybersecurity personnel into the Federal
Government and develop them as long term employees. Its usefulness as a
retention tool for individuals already in federal service is unknown,
without knowing the details of the program. An enhanced loan
forgiveness program within DOD would likely require a legislative
proposal. There is no effort in progress of which we are aware.
Mr. Aguilar. In our efforts to identify, recruit, and retain
qualified cyber operations personnel, what would you all say, each of
you, are the three biggest obstacles?
General Moore. 1. Compensation disparity. DOD is hard pressed to
compete with the private sector in terms of salaries for highly
qualified cyber operations personnel. For both DOD civilians as well as
military service members, private companies and corporations offer
significantly higher salaries for the same level of expertise. This
exacerbates the problem of recruiting and retaining individuals with
these skills within the DOD.
2. Also, compounding the problem further is the fact that the more
training and experience the DOD provides to its employees, the more
marketable they become and the greater the gap between their military
or GS-civilian pay and the corresponding private sector pay.
3. Supply vs. Demand. Within the United States there is currently a
gap between the demand for qualified cyber operations and security
personnel, and the supply of workers with these skills. The U.S. simply
does not have enough graduates in STEM and Computer Science fields to
meet the booming demand from both the public and private sectors. In
competing for this scarce resource of human capital, the DOD is up
against not only Silicon Valley companies such as Apple, Facebook, and
Alphabet, but also large corporations across many other sectors of the
economy, as well as other federal and state government agencies.
Mr. Aguilar. You mention in your testimony that ``one of the
Department's key policy goals in cyberspace is to deter cyberattacks.''
And while I agree that such a goal is a worthy endeavor, one of the
attributes of other weapons is that they have a clearly defined ``home
address.'' We can tell where a missile is shot from. Cyberattacks
however, are far more ambiguous and real questions exist about the
ability to accurately trace the source of an attack. I understand the
limits of what can be discussed in such an open forum, but could you
all speak a little to the steps we are taking to improve our ability to
correctly attribute attacks to actors?
General Moore. Attribution is a fundamental part of an effective
cyber deterrence strategy, as anonymity enables malicious cyber
activity by state and non-state groups. Intelligence and attribution
capabilities help unmask an actor's cyber persona, identify the
attack's point of origin, and determine tactics, techniques, and
procedures. Public or private attribution can play a significant role
in dissuading cyber actors from conducting attacks in the first place.
Attribution also enables the Defense Department or other agencies to
conduct response and denial operations against an incoming cyberattack,
and ensure that any response targets the responsible actor and is
discriminate and proportional and in accordance with international and
domestic law--just as we do in any domain.
This is why DOD and the intelligence community have invested
significantly in all source collection, analysis, and dissemination
capabilities, all of which reduce the anonymity of state and non-state
actor activity in cyberspace. DOD is also collaborating with the
private sector and other agencies of the U.S. government to strengthen
attribution capabilities.
[all]