[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
DIGITAL ACTS OF WAR: EVOLVING THE CYBERSECURITY CONVERSATION
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
AND THE
SUBCOMMITTEE ON NATIONAL SECURITY
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
JULY 13, 2016
__________
Serial No. 114-138
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
______
U.S. GOVERNMENT PUBLISHING OFFICE
25-510 PDF WASHINGTON : 2017
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, Jr., Tennessee
JIM JORDAN, Ohio
TIM WALBERG, Michigan
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
CYNTHIA M. LUMMIS, Wyoming
THOMAS MASSIE, Kentucky
MARK MEADOWS, North Carolina
RON DeSANTIS, Florida
MICK MULVANEY, South Carolina
KEN BUCK, Colorado
MARK WALKER, North Carolina
ROD BLUM, Iowa
JODY B. HICE, Georgia
STEVE RUSSELL, Oklahoma
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama
ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
MATT CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
BRENDA L. LAWRENCE, Michigan
TED LIEU, California
BONNIE WATSON COLEMAN, New Jersey
STACEY E. PLASKETT, Virgin Islands
MARK DeSAULNIER, California
BRENDAN F. BOYLE, Pennsylvania
PETER WELCH, Vermont
MICHELLE LUJAN GRISHAM, New Mexico
Jennifer Hemingway, Staff Director
Mike Flynn, Counsel
Cordell Hull, Senior Counsel
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on Information Technology
WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair
MARK WALKER, North Carolina
ROD BLUM, Iowa
PAUL A. GOSAR, Arizona
ROBIN L. KELLY, Illinois, Ranking Member
GERALD E. CONNOLLY, Virginia
TAMMY DUCKWORTH, Illinois
TED LIEU, California
------
Subcommittee on National Security
RON DeSANTIS, Florida, Chairman
JOHN L. MICA, Florida
JOHN J. DUNCAN, JR., Tennessee
JODY B. HICE, Georgia
STEVE RUSSELL, Oklahoma, Vice Chair
WILL HURD, Texas
STEPHEN F. LYNCH, Massachusetts, Ranking Member
ROBIN KELLY, Illinois
BRENDA L. LAWRENCE, Michigan
TED LIEU, California
C O N T E N T S
----------
Hearing held on July 13, 2016
WITNESSES
General (Retired) Keith Alexander, CEO and President, Ironnet
Security
Oral Statement
Written Statement
Mr. Aaron Hughes, Deputy Assistant Secretary for Cyber Policy,
U.S. Department of Defense
Oral Statement
Written Statement
Mr. Chris Painter, Coordinator for Cyber Issues, U.S. Department
of State
Oral Statement
Written Statement
Mr. Sean Kanuck, Counsel, Legal and Strategic Consulting Services
(Former National Intelligence Officer for Cyber)
Oral Statement
Written Statement
Mr. Peter Warren Singer, Strategist and Senior Fellow, New
America
Oral Statement
Written Statement
DIGITAL ACTS OF WAR: EVOLVING THE CYBERSECURITY CONVERSATION
----------
Wednesday, July 13, 2016
House of Representatives,
Subcommittee on Information Technology, joint with
the Subcommittee on National Security,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittees met, pursuant to call, at 1:06 p.m., in
Room 2154, Rayburn House Office Building, Hon. Will Hurd
[chairman of the Subcommittee on Information Technology]
presiding.
Present from Subcommittee on Information Technology:
Representatives Hurd, Blum, and Kelly.
Present from Subcommittee on National Security:
Representatives DeSantis, Russell, Hice, Lynch, and Lieu.
Mr. Hurd. The Subcommittee on Information Technology and
the Subcommittee on National Security will come to order.
Without objection, the chair is authorized to declare a recess
at any time. We expect to be interrupted by a vote series later
this afternoon, and because of that, we're going to be
abbreviated in some of our opening statements.
I appreciate you all being here today. Cybersecurity isn't
a buzzword anymore. It's real. And you all's written statements
were helpful in helping me better understand this issue, and if
we're able to get a whole-of-government talking about this and
making sure that we're all singing off the same page, I think
we're going to be safer as a Nation. And I appreciate such a
distinguished group of folks joining us here today.
And with that, I'm going to yield to Mr. Lynch for his
opening remarks.
Mr. Lynch. Thank you, Mr. Chairman. I would like to thank
Chairman DeSantis, as well, and all the members of the
subcommittee on both sides of the aisle. This is an incredibly
important topic, and I appreciate the all-star panel that we
have here today to help us with our work.
I understand that certain questions that might be raised
today in this forum are best left for a more secure setting if
we're going to get into any detail, and so we know that at the
outset. To this end, I appreciate the willingness of our
administration witnesses to conduct a classified briefing for
committee members at a date to be yet determined. So thank you.
As underscored by National Intelligence Director James
Clapper in his most recent Worldwide Threat Assessment of the
U.S. Intelligence Community, continuous innovation in cyber
information technology has been accompanied by the emergence of
new and complex national security threats. According to
Director Clapper, and this is a quote, ``Devices, designed and
fielded with minimal security requirements and testing, and an
ever-increasing complexity of networks, could lead to
widespread vulnerabilities in civilian infrastructures and U.S.
Government systems.''
These lapses in cybersecurity are highly susceptible to
exploitation by a range of threat sources, including foreign
governments, such as Russia, China, North Korea, and Iran, who
are motivated by cyber espionage. There is also the threat of
cyberterrorism perpetrated by terrorist groups designed to
promote online recruitment, propaganda, and financing activity,
and incite lone wolf attacks.
The SITE Intelligence Group reports that the Islamic State
actually maintains its own so-called Hacking Division, or
United Cyber Caliphate, a group of prominent hackers that has
already published several kill lists of U.S. military personnel
online. Moreover, hackers have repeatedly targeted the U.S.
commercial sector for illegal monetary gain and money
laundering.
The continuous onslaught of massive data breaches in the
public and private sectors here in the United States and
worldwide evidences the complexity, diversity, and far-reaching
implications of these cyber attacks. Our national security and
cybersecurity framework must be equipped to prevent and
mitigate against public sector attacks, such as the critical
breaches of information technology systems at the Office of
Personnel Management back in 2015. These cyber attacks not only
compromised the personal identifiable information of over 22
million individuals, including their Social Security numbers;
rather, as noted by FBI Director James Comey, ``They also
yielded a treasure trove of information about everybody who has
worked for, tried to work for, or works for the United States
Government.''
The past few years have also witnessed breaches of computer
systems at the State Department, the White House, the Internal
Revenue Service, and the United States Postal Service, as well
as reported leaking of sensitive information pertaining to
employees at the Department of Homeland Security and the FBI.
At the same time, our cybersecurity defenses must be able
to deter and respond to threats targeting private sector
companies motivated by illicit financial gain. It's my
understanding that the Federal Reserve is currently leading
other U.S. regulators in developing baseline security
safeguards for U.S. banks in the wake of a February 2016 attack
in which cyber criminals successfully transferred $81 million
out of the Bangladesh central bank to a casino in the
Philippines.
We've also witnessed the infiltration of computer networks
at JPMorgan Chase that compromised the account information of
83 million households and businesses; a $62 million breach at
Home Depot that compromised an estimated 56 million payment
cards; and multiple cyber attacks against the Target retail
chain that resulted in the theft of approximately 40 million
credit and debit card numbers and the personal information of
up to 70 million customers.
Clearly, the national security threat posed by cyber
attacks is multifaceted and demands the continual development
of cybersecurity policies and countermeasures that are
adaptable, modernized, and comprehensive. I look forward to
discussing with our witnesses at today's hearing what steps we
are taking in this regard.
Thank you, Mr. Chairman, and I yield back.
Mr. Hurd. I'd like to thank the ranking member of the
Subcommittee on National Security for his opening statement.
And now I'd like to recognize my friend from the State of
Florida, the chairman of the Subcommittee on National Security,
Mr. DeSantis, for his opening remarks.
Mr. DeSantis. Thank you, Mr. Chairman. I thank the
witnesses. I'm not going to give a full statement in the
interest of time. I'd like to hear from the witnesses and get
as much done until we have votes. But I will say that this is a
very, very important part of our national security challenges
and strategy, and it's only going to continue to be something
that's more prevalent.
So I appreciate the chairman calling the hearing, and I
look forward to hearing from the witnesses. And I yield back.
Mr. Hurd. One of the areas we all talk about when it comes
to national security strategy is the four levers of national
security: diplomatic, intelligence, military, and economic. And
one of the reasons we composed this panel this way is because
of that. And we have DOD here, State Department.
Thank you, Mr. Kanuck and General Alexander, for your
previous time in the intelligence community and now also
representing the commercial sector as well, and, Mr. Singer,
your work in this effort. So I think it's going to be a great
conversation, and it is something important that we need to do.
And we recognize that the intent is to not get into
classified information here, but I think General Alexander said
it best in his written statement, that, ``Without much public
discussion,'' I'm reading from his words, ``of our basic cyber
capabilities, particularly on offense, we face two major
challenges: It is difficult to have a reasoned discussion of
how we might respond--at least in the cyber domain--and it is
that much harder to deter offensive actions by others.'' So I
think having a public discourse is important in the larger
strategy.
And what we will do is, we're going to recognize General
Alexander for your opening remarks, and then we'll have Ranking
Member Kelly deliver hers.
Actually, before we begin, we want to hold the record open
for 5 days for members who would like to submit a written
statement.
And now I would like to recognize our witnesses. I'm
pleased to welcome Mr. Aaron Hughes, deputy assistant secretary
for cyber policy at the U.S. Department of Defense. Mr. Chris
Painter, coordinator for cyber issues at the U.S. Department of
State. Had a long, illustrious career at the Department of
Justice as well, and White House, NSC, you name it.
Mr. Painter. Thank you, Mr. Chairman.
Mr. Hurd. General Keith Alexander, retired, CEO and
president--he's a retired general, but now CEO and president of
IronNet Cybersecurity, former head of the NSA, ran CYBERCOM as
well. Mr. Sean Kanuck, counsel at Legal and Strategic
Consulting Services and former national intelligence officer
for cyber. And Mr. Peter Warren Singer, strategist and senior
fellow at New America.
Welcome to you all. And pursuant to committee rules, all
witnesses will be sworn in before they testify. So please rise
and raise your right hand.
Do you solemnly swear or affirm the testimony you're about
to give will be the truth, the whole truth, and nothing but the
truth?
Thank you. Please be seated.
And let the record reflect that all witnesses answered in
the affirmative.
In order to allow time for discussion, please limit your
testimony to 5 minutes, and your entire written statement will
be made as part of the record.
General Alexander, you're up first. You're now recognized
for 5 minutes.
WITNESS STATEMENTS
STATEMENT OF KEITH ALEXANDER
Mr. Alexander. Mr. Chairman, distinguished members of the
committee, Mr. Chairman, Mr. Vice Chairman, Mr. Vice Chair,
it's an honor and privilege to be here before this committee. I
think what you're taking on is vital for our country. And it's
also an honor and privilege to be here with my esteemed
colleagues from the past. Aaron, I think we've all been
together, and Peter and I were on a committee just a few months
back. So it's an honor to be here.
I'm going to hit mine rather quick. I recognize the
classification issues that you raised, Congressman. I know that
it's important that we don't raise those in public. But I do
think we have to have a debate. I'm not proposing any red lines
anywhere. I'm proposing that we start the debate in an informed
way, where you, Congress, the administration, and the American
people can engage in how we're going to work in cybersecurity.
There has been a lot of effort in that area with what my
colleagues, Chris and others have done, but I think we have to
go further. I'm going to briefly hit the top issues that I see
that our government and our country need to take on, especially
when you look at what NATO is doing, now recognizing cyber as a
domain of warfare. We need to be out in front.
And it reminds me, when Chris was in the Department of
Justice back in the 1960s, he worked with McNamara, and if you
think about McNamara's approach on the nuclear deterrence, can
we come up with a strategy for cyber that's equal to that?
Congressman Lynch pointed out some great issues that we see
every day in cyber, from Home Depot to Target to everything
that's going on. Companies are being hammered. We passed
legislation recently that helps the companies, commerce, and
government work together. It's a step in the right direction.
But much more needs to be done.
Look at the change in technology, what's going on today,
how rapidly this is changing. And if you look at the
projections for the Internet of Things by 2020, there'll be 4
to 10 times as many devices on the Internet as there are people
on the planet. This is a huge capability and a huge problem.
Now, when we look at, ``So what are we going to do about
it?'' think about the threats that Mr. Lynch pointed out.
Criminal activities in cyberspace are growing and continue to
grow. This year the biggest growth will be in ransomware. I
think we're going to see that come out, and this is going to be
huge for our companies out there, especially the small and
midsize who can't afford world class capabilities.
And so it really gets us to a point where we've had in
other committee hearings, so what do we do, how do government
and industry work together? What's the role of government,
what's the role of industry, and how do we share?
I'm not going to give you my ``you have to do it this way
or this way,'' but I do think from where you sit in this
institution, to help start that discussion and create what you
think from congressional oversight you believe needs to be
done. Some thoughts on that as we move forward.
Who's responsible for defending the Nation when we come
under attack? If you think about Sony being attacked, Sony has
no capability to fire back. In fact, if we think about Sony
firing back, we quickly get to the realization that if Sony
fires back, that could get us into a war on the Korean
Peninsula. We don't want that to happen. That's an inherently
government responsibility.
If it's a government responsibility, that means government
needs to be able to fire back when appropriate, when the
administration, the President and the Secretary, determine. We
can't see what's happening. The government can't see what's
happening to Sony in time to do that.
So the first thing is bridging that gap of sharing
information between government and industry so that government
can do its first job in defending our country. We've got to
start that debate. It's been hampered by Snowden and others,
but it's something that I think it's important for you and the
rest of the administration to take on with our country and with
our allies.
Second, if we get to a point where our country comes up
with the right framework, what would we want to push NATO to
set as theirs? And we, our country, developed the Internet.
We're the ones who started this. We ought to lead in securing
it and coming up with the McNamara approach for how we're going
to defend and deter in the same space.
And so what I really think we need to do is start that
discussion without any preconceived notions about where it will
take us, but put the best minds in there and say: Here's what
we want to do. We want to stop these types of attacks on our
industry. We want to ensure that our allies have the same sense
and purpose, especially where we have alliances, and that we're
all in agreement.
And so from my perspective, Mr. Chairman, I'm glad that
you've taken this on. I see I'm out of time, so I'll cease work
there, and thank you very much.
[Prepared statement of Mr. Alexander follows:]
Mr. Hurd. Thank you, General Alexander.
Now it's always a pleasure to introduce my friend and
colleague from the great State of Illinois, Ms. Robin Kelly,
the ranking member of the Subcommittee on IT.
Ms. Kelly. Thank you, my friend.
I'd like to thank Chairman Hurd and Chairman DeSantis for
calling this hearing so that the committee and the American
people can get a better understanding of when a cyber attack
should be considered an act of war and how the United States
might respond when that happens.
The cyber threats facing the United States are increasing
in severity, opening the Nation to the possibility of extremely
damaging cyber strikes that could potentially threaten the U.S.
Economy and endanger American lives.
General Alexander, in your 2014 testimony before the Senate
Committee on Armed Services you warned, and I quote, ``Those
attacks are coming, and I think those are near term, and we're
not ready for them.''
In fact, we are already seeing the first salvos of digital
attack reaching beyond the cyber realm. In March of this year,
seven members of Iran's Revolutionary Guard Corps hacked into
the control system of the Bowman Avenue Dam in Rye Brook, New
York. In response to the compromise of the dam's cyber network,
Paul Rosenberg, the mayor, said, and I quote, ``It's ridiculous
how little that dam is, how insignificant in the grand scheme
of things. We're not talking about something vital to the
infrastructure of the country.''
While May's attack may not have targeted the Nation's vital
critical infrastructure, it's almost certain that future
attacks will, and when that does happen, how do we react? Do we
hack the hackers, or do we respond with physical force? This
isn't the first time Congress and the intelligence community
have tried to answer that question.
It is important that we recognize that the global nature of
the Internet requires the U.S. to establish solid partnerships
throughout the international community so that every nation
understands that there are consequences for unacceptable cyber
behavior. The problem is that by laying out in a public forum
what constitutes unacceptable, we open the possibility that our
adversaries know where the tripwires lie across which they
can't step.
That's why I'm pleased the chairman has arranged for
committee members to receive a classified briefing to better
understand where that line is and how we respond when our
enemies cross that line.
And again, I'd like to thank the chairman for calling this
hearing and our witnesses for being here today.
Mr. Hurd. Thank you, Ms. Kelly.
Now we'll go to Mr. Hughes for your 5 minutes of opening
statements.
STATEMENT OF AARON HUGHES
Mr. Hughes. Thank you, Chairmen Hurd and DeSantis, Ranking
Members Kelly and Lynch, and members of the subcommittees. I'm
pleased to testify today on the Department of Defense's
strategy as it relates to cyberspace and how the Department
approaches cyber incidents. It is an honor to be here, and I'm
proud of the progress we have made in this challenging domain.
Since DOD's Cyber Strategy was signed in April of 2015, the
Department has devoted considerable resources to implementing
the goals and objectives outlined within the document. When
Secretary Carter signed the Strategy, he directed the
Department to focus its efforts on three primary missions in
cyberspace. First, to defend DOD networks, systems, and
information to assure DOD missions. Second, to defend the
United States against cyber attacks of significant consequence.
And to provide integrated cyber capabilities in support of
military operations and contingency plans.
Another key aspect of our strategy is deterrence. DOD is
supporting a comprehensive whole-of-government cyber deterrence
strategy to deter attacks on U.S. interests. This strategy
depends on the totality of U.S. actions, to include declaratory
policy, overall defensive posture, effective response options,
indications and warning capabilities, and the resilience of
U.S. networks and systems.
That said, incidents described as cyber attacks or computer
network attacks are not necessarily armed attacks for the
purposes of triggering a nation-state's inherent right of self-
defense. When determining whether a cyber incident constitutes
an armed attack, the U.S. Government considers a broad range of
factors, including the nature and extent of injury or death to
persons and the destruction of or damage to property. As such,
cyber incidents are assessed on a case-by-case basis, and we
would use a whole-of-government approach in responding to and
deterring future malicious activities in cyberspace.
The fact of the matter is that we face diverse and
persistent threats in cyberspace from state and nonstate actors
that cannot be defeated through the efforts of any single
organization. Our increasingly wired and interconnected world
has brought prosperity and economic gain to the United States,
while our dependence on these systems has left us vulnerable to
the evolving threats posed by malicious cyber activity.
While DOD maintains and uses robust and unique cyber
capabilities to defend our networks and the Nation, that alone
is not sufficient. Securing our systems and networks is
everyone's responsibility and requires close collaboration with
other Federal departments, our allies and partners
internationally, and the private sector to improve our Nation's
cybersecurity posture and to ensure that DOD has the ability to
operate in any environment at any time.
The Department is committed to enhancing the resilience of
our networks and systems and defending the U.S. homeland and
U.S. interests from attacks of significant consequence that may
occur in cyberspace. I look forward to working with these
committees and the Congress to ensure that DOD has the
necessary capabilities to carry out our roles and missions in
cyberspace and to keep our country safe. I thank you for the
support in these efforts, and I look forward to your questions
this afternoon.
Thank you.
[Prepared statement of Mr. Hughes follows:]
Mr. Hurd. Thank you, Mr. Hughes.
Mr. Painter, you're now recognized for 5 minutes.
STATEMENT OF CHRIS PAINTER
Mr. Painter. Chairmen Hurd and DeSantis, Ranking Members
Kelly and Lynch, members of the Subcommittees for Information
Technology and National Security, thank you for the opportunity
to speak to you today. I will discuss the framework for
stability in cyberspace at the State Department, in particular
it's working to promote internationally, but with our partners.
I will also cover some of the other topics that were raised in
your invitation.
The Department of State, working with our interagency
partners, is guided by the President's 2011 International
Strategy for Cyberspace, which sets out a strategic framework
of international cyber stability designed to achieve and
maintain a peaceful cyberspace environment where all states are
able to fully realize its benefits, where there are advantages
to cooperating against common threats and avoiding conflict,
and where there is little incentive for states to engage in
disruptive behavior or to attack one another.
This framework has three key elements. First, the
affirmation that existing international law applies to state
behavior in cyberspace. Second, the development of an
international consensus on and promotion of additional
voluntary norms of responsible state behavior in cyberspace
that apply during peacetime. And third, the development and
implementation of practical confidence-building measures, or
CBMs, among states.
Although many of the elements of this framework may seem
self-evident to a U.S. audience, especially a sophisticated
one, cyber issues are still new to many states, and there are
also states that hold alternative views of how to promote cyber
stability. Notwithstanding these headwinds, as well as the fact
that diplomatic negotiations on other issues can take many
years, if not decades, the United States and its partners have
made substantial and really big progress in recent years toward
advancing our strategic framework for international cyber
stability.
Since 2009, the United Nations Group of Governmental
Experts on International Security Issues in Cyberspace, or the
UN GGE, has served as a productive and groundbreaking expert-
level venue for the United States to build support for this
framework through three consensus reports in 2010, 2013, and
2015. I should emphasize the U.S. has been the leader here. The
conclusions captured in those reports have in turn been
endorsed by political leaders in a range of settings, including
most recently at the G-20 leaders summit in Turkey.
Given the title of this hearing, ``Digital Acts of War,'' I
would like to discuss how the U.S. Government thinks about
these issues, which is consistent with its broader approach to
promoting stability in cyberspace through the prism of existing
international law.
As an initial matter, the United States has been clear that
it believes that cyber activities may, in certain
circumstances, constitute an armed attack that triggers our
inherent right to self-defense as recognized by Article 51 of
the U.N. Charter. The United States has described publicly how
it will evaluate whether a cyber activity constitutes an armed
attack under international law. Of primary importance to such a
determination are the actual or anticipated effects of a
particular incident.
When determining whether a cyber activity constitutes an
armed attack sufficient to trigger a state's inherent right to
self-defense, the U.S. Government believes a state should
consider the nature and extent of the injury or death to
persons and the destruction of or damage to property, an
effects-based test.
It is worth emphasizing that this is a case-by-case, fact-
specific inquiry, whether the events in question occur in
cyberspace or elsewhere. As a general matter, states have not
sought to define precisely or state conclusively what
situations would constitute armed attacks in other domains, and
there is no reason cyberspace should be different. In fact,
strategic ambiguity could very well deter most states from
getting close to the threshold of an armed attack.
Finally, I would hasten to note that regardless of whether
a particular incident rises to the level of an armed attack, we
have a range of options for responding. The U.S. Government
uses a whole-of-government approach to responding to and
deterring malicious activities in cyberspace that brings to
bear its full range of instruments of national power and
corresponding policy tools--diplomatic, law enforcement,
economic, military, and intelligence--as appropriate and
consistent with applicable law in particular cases.
As suggested in the invitation for this hearing, public
attribution is one such option. In cases where actors
responsible for a particular incident have been determined, the
U.S. Government will consider whether to identify those actors
publicly when we believe it will further our national interest,
including our ability to hold those actors accountable.
However, the U.S. Government will also maintain flexibility to
avail itself of the full suite of options that we have.
In closing, I would like to thank the two subcommittees for
giving me an opportunity to speak on such a relevant and timely
set of issues. Despite the threats we face in cyberspace, I
know that we are all committed to maintaining and promoting an
open, interoperable, secure, and reliable Internet in the face
of these threats that we can all continue to benefit from.
On a personal note, I've been involved in these issues, as
the chairman has mentioned, for the last 24 years now, almost
25, and I'm very pleased to see that they are getting the
attention as a policy priority both within the U.S. and around
the world, and I certainly think we've made a lot of progress in
having the kind of conversation that was discussed earlier. And
I look forward to your questions.
[Prepared statement of Mr. Painter follows:]
Mr. Hurd. Thank you, Mr. Painter.
Mr. Kanuck, you're now recognized for 5 minutes.
STATEMENT OF SEAN KANUCK
Mr. Kanuck. Thank you very much, Chairman Hurd, Chairman
DeSantis, Ranking Member Lynch, Ranking Member Kelly, and
distinguished members of Congress. It is indeed a pleasure to
be here and contribute to this important discussion.
Having looked at it as an academic, as a professional
international attorney, and as a national intelligence officer
for 5 years until last May, I come with a genuinely strategic
and analytic approach. I have not been involved in policy
formulation directly in the past. And I concur with my
colleagues about the importance of this topic, and after 15, 20
years of my own experience, I, too, am excited to see the
public and congressional attention being paid to this important
issue.
I will offer, however, that as a Nation we still lack both
a strategic approach to this problem and a practical, effective
set of solutions to deter malicious and adversarial behavior in
cyberspace, and that itself is illustrated by the myriad cyber
attacks we read about each year that are perpetrated by a range
of state and nonstate actors.
In my written testimony, I address several of the questions
that my colleagues have also mentioned, so let me very briefly
say that I concur with Mr. Hughes and Mr. Painter that digital
acts of war will be judged through an effects-based analysis.
In my academic work since 1996, I've held that position, and I
do agree with the U.S. Government representatives here today
that that is the correct approach.
Regarding the issue of attribution challenges, I will note,
in my analytic work for the intelligence community we looked at
two considerations. We looked at the technical or forensic
aspects--network investigations, malicious software, reverse
engineering, and other digital footprints--in addition to what
I term analytic attribution, where you looked at the
geopolitical context within which malicious cyber events
happen.
In many cases, the context, the identity of the target, and
how the information that was stolen, compromised, or made
unavailable is used or leveraged can oftentimes tell you about
the motivation and possibly the actor. That's from the analytic
and technical attribution side.
A completely distinct question is whether or not one would
seek to do public attribution, and that is inherently a policy
question for policymakers. It has three components, in my
opinion.
There's the question about the bilateral relationship with
any entity you may accuse of an action. Cyber does not occur in
its own stovepipe or domain. It's a part of much larger
international and bilateral relationships.
Secondly, the decision of whether or not to compromise
sources and methods of intelligence in order to prove,
evidentiary, why that attribution assessment is being offered
publicly. Obviously, there would be policy reasons to not
disclose certain intelligence capabilities, especially in a
context where those capabilities may be perishable and they may
be the exact same platforms or accesses that one may use for a
retaliatory capability.
So it's almost a double negative potential if you choose to
publicly attribute in that context because you don't have
separate reconnaissance platforms in all cases and separate
retaliatory platforms the way you would have had in a nuclear
context, for example.
Last of all, as I believe Ranking Member Kelly may have
mentioned, the issue of credible threats and credible
deterrents. If you are not prepared or capable of exacting
satisfaction upon accusing or attributing an action to someone,
what does that do for your global reputation and the import of
any of your declaratory statements?
Those three very important policy questions are very
distinct from the technical attribution questions, but equally
important from a policy perspective.
I will also commend the U.S. diplomats who have had what I
think are great successes in the U.N. Group of Governmental
Experts, the G-20, OSCE, and with particularly President Xi and
the People's Republic of China. However, I am not personally
convinced that diplomatic overtures directly translate into
changes of behavior, particularly when Western countries like
the United States continue to have fundamentally different
objectives for international cybersecurity than certain other
nations, such as Russia and China, and my written statement
addresses some of that basal difference.
I will also offer that I see a de facto norm today, which
is: Do cyber operations, do them clandestinely, and try to get
away with them, you might not be punished. And, in fact,
Director Clapper's testimony in 2016 read, ``Many actors remain
undeterred from conducting reconnaissance, espionage, and even
attacks in cyberspace because of the relatively low cost of
entry, the perceived payoff, and the lack of significant
consequences.''
My time has concluded, so I will leave that there for now.
Thank you very much. And once again, thank you for the invitation
to participate.
[Prepared statement of Mr. Kanuck follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Mr. Kanuck.
Mr. Singer, you are now recognized for 5 minutes.
STATEMENT OF PETER WARREN SINGER
Mr. Singer. Mr. Chairman, Ranking Members, and members of
the subcommittee, it's an honor to speak at this important
discussion today designed to reboot the cybersecurity
conversation. This shift is direly needed as there is perhaps
no national security problem more 21st century in its
definition and form than cybersecurity, and yet, to solve it,
too much of our discussion and strategy remains rooted in 20th
century frameworks that don't well apply.
I've submitted written testimony that breaks down the issue
and what we can do about it. It focuses on the debate over
digital acts of war and explains in detail how there are seven
key differences with the cold war that make framing this
problem in the old modes not ideal. It then provides a
suggested new legislative strategy to face our challenge,
breaking it down into key areas I'll focus on today.
Notably, the strategy is nonpartisan, realistic in its
implementation possibilities, and doesn't involve any massive
increase in budget.
The first key part of the strategy is deter through
diversity. This includes improving our offensive cyber
capability, but importantly, understanding that cyber weapons
are not like WMD. They are tools of constant use in everything
from espionage to ongoing operations against ISIS.
Our real challenge here is more in integrating emerging
cyber capabilities with our other conventional capabilities
through improving training, doctrine building, and resolving
command and control questions.
But as we face an array of attacks and attackers, a
military offensive cyber response is not the only tool that we
have to change their calculations. For instance, to respond to
IP theft, it makes no sense to limit ourselves to retaliation
with the exact same action in the same domain. We can also go
after other assets that are valued by the attacker in other
realms and even those valued by influential third party actors,
such as sanctioning companies benefitting from stolen fruit.
Indictments of individuals involved in hacking have value
not so much in actual direct judicial punishment, but as a
different means for surfacing data about attribution.
Creativity and flexibility will beat simplicity in this
dynamic. Indeed, we may even steal ideas from one attacker's
playbook and apply them against another as a deterrence tool.
From Snowden to Sony, data dumps have been among our most
vexing cybersecurity incidents, but they have not threatened
our core national interests. By contrast, threatening to reveal
the private financial data of an authoritarian regime's leader,
his family, or allied oligarchs may be far more potent than a
counter cyber strike. We can sometimes see what regimes fear
most by what they ban discussion of.
The second and arguably most important part of the strategy
is deterrence by denial, making attacks less likely to cause
harm, and thus, less likely to happen. The magic word of
resilience is that it works against any kind of attacker and
attack, and it's perhaps where Congress and this committee can
have the most impact.
The areas that call out for action cover the spectrum. On
the military side, we have spent over $2 billion on
construction alone at Fort Meade, and yet the Pentagon's own
weapons tester found, quote, ``significant vulnerabilities,''
end quote, in nearly every major weapon system program that
would be exploited in any actual war.
In the executive branch, the White House has issued a post-
OPM cybersecurity strategy that describes best practices every
Federal agency needs to put in place. Ensuring their actual
implementation at every Federal Government agency and
encouraging their spread to the State and local level could be
one of the most important things that Congress does on
cybersecurity.
In relation to the business and public, sometimes
government can be a trusted information provider and sometimes
it must go further to help shape individual and market
incentives, as it has in realms that range from public health
to transportation. The government should not merely support
research on basic standards of Internet security, such as the
laudable NIST process, but now work to ensure their use. It can
do so by efforts to spur the nascent cybersecurity insurance
market that both protects business and incentivizes them to
find and maintain best practices.
True cybersecurity resilience is not just about computer
and legal code. It's also about people, and we have a huge
people gap here. The administration has a new Cybersecurity
Human Resources Strategy, but it needs to, one, be overseen to
ensure actual implementation, particularly across
administrations, and two, it will fail if it only puts new
people in old organizational boxes.
We also have to find ways to tap talent outside of
government. Take the Pentagon's recent 1-month experiment with
bug bounties. It saved millions of dollars, yielded 1,100
reports on how to protect our systems before the bad guys could
attack them, and it talent scouted across the U.S. One of the
hackers working for us was an 18-year-old who did it in his
spare time while taking his AP exams. Yet there is not a
parallel at other Federal agencies, nor at our State and local
partners.
Or consider that we have retasked a number of National
Guard units to become cyber warriors, but there is a wealth of
talent that is either unwilling or unable to meet the legal and
physical obligations that come with joining the U.S. military.
Here I would point to Estonia's Cyber Defense League as a model
to draw on. Think of it as the cybersecurity equivalent to the
Civil Air Patrol, creating a mechanism for citizens to
volunteer their expertise for cybersecurity to aid--for free--
in everything from red teaming to serving as rapid response
teams to cyber attack. They have helped Estonia become one of
the most cyber-resilient nations in the world.
The third role of the strategy, I won't hit. It's norms.
It's in the submission. I think it's been covered well here.
I would end just simply by saying we can either approach
this topic with a new strategy that faces our new needs or we
can continue to talk tough and simple and be victims.
Thank you.
[Prepared statement of Mr. Singer follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Mr. Singer.
I would now like to recognize Mr. DeSantis for 5 minutes of
questioning.
Mr. DeSantis. Thank you, Mr. Chairman.
General Alexander, how do you view the distinction, if you
think there's one, between the threat from state-sanctioned
cyber attacks versus nonstate actors who are trying to attack
us in cyberspace?
Mr. Alexander. I would not make a distinction based on the
impact to our Nation. And I think that's an extremely important
question you bring out, because it really says: What's the role
of government in protecting this country. And it doesn't matter
who takes down the financial sector, the energy sector, the
healthcare sector. If it goes down, that's critical to our
Nation.
So the consequence and the approach in our strategy has to
discuss both. We learned that in 9/11. While there may not be
direct ties to this or direct linkage back, I think that's the
approach that we should take--look at what the impact to the
Nation would be.
Mr. DeSantis. And I agree with that in terms of trying to
prevent that. How, though, if there is a successful attack, how
do you then respond if there are, in fact, nonstate actors who
are responsible? After 9/11, I think that's actually a good
framework to think about it, the policy was, look, if you're a
state actor, you may not have committed the attack, but if
you're harboring terrorists who are doing it, we're going to
hold you liable.
Does that same framework, will that work in cyberspace?
Because it would seem to be difficult that a government would
be able to have a handle on everybody who's operating in
cyberspace.
Mr. Alexander. Right. So you've asked a great question in
that, because it also gets you back to our strategy. And the
strategy can't be: What are we going to do after an attack?
It's really what you're hitting on, is we can't afford to allow
that kind of attack to occur. And so what it really does is it
says we're going to shape our strategy on preventing, not on
forensics.
Now, forensics are important, we do have to go through, but
if everything is based on after-the-fact forensics, then you're
you've already lost something. And what you're really getting to is we
need a defensive strategy that stops that from happening.
And I would take it one step further. We look at the theft
of intellectual property, the greatest transfer of wealth in
history. That's taking our future away from us. How do we
defend against that? And I believe that's where government and
industry need to work together.
I like Peter's approach about working together with
industry. We need to make a more secure cyberspace. And all the
rules that we could put in with State, with DOD, but it has to
be a linkage to the commercial side. They own the vast majority
of the networks.
Mr. DeSantis. Mr. Kanuck, you talked about how people in
cyberspace could be doing espionage, typical things that
governments do. They could also be doing it, which would be
considered more of an attack along the lines of an act of war.
So do we have the forensic ability to determine whether a
particular measure was meant or compromise was an attack versus
a form of espionage, and how does that impact our ability to
calibrate our response?
Mr. Kanuck. In response to particular incidents, there are
usually ad hoc investigations dealing with the particular
circumstances. It is very difficult to divine the intentions of
would-be adversaries or actors in specific instances. Often you
might derive that information from other sources of
information, intelligence collection and other areas, to know
what actors' objectives may have been. Simply looking from the
forensic data, if you are able to see what was exfiltrated and
where it went and how it was later used, that may give you a
sense of the objectives.
I will simply offer that in the real-time context of an
ongoing incident, where you would want to be responding in a
policy or military sense in real time, that will be a very high
challenge for real-time attribution, and to motivation as well.
If you are permitting policy responses days, weeks, months
later when you do have a higher degree of attribution, that may
be possible, but it is not a certainty that you always know who
did it and why.
Mr. DeSantis. Great.
Mr. Singer, we're hearing more about nonstate actors,
terrorist groups, criminal groups using sophisticated toolkits
to launch cyber attacks. So, first of all, are sophisticated
cyber capabilities finding their way to less sophisticated
actors? Are we seeing evidence of that?
Mr. Singer. Yes, they are. They proliferate. However, I
think we still need to recognize that states are the big dog in
this, both because of their higher technical capability, so,
for example, ISIS was mentioned, lethal group in lots of
different ways, but their cyber capability pales compared to
China or Russia.
The second is the scale that a state can bring to the
problem. So it's not just sophistication. It's the ability to
mobilize thousands, tens of thousands or hundreds of thousands
of people in the community if you are carrying out an attack.
States are a fundamentally different challenge here than
nonstate actors. Fortunately, on the good side, states have
interests, and so they can be deterred in a different way than
many nonstate actors can't, so we shouldn't bundle them
together.
Mr. DeSantis. Thanks. My time has expired, and I yield
back.
Mr. Hurd. General Alexander, do you want to answer that?
Mr. Alexander. Yeah, Mr. Chairman. I would recommend, based
on what Chairman DeSantis brought up, that the committee might
consider getting a briefing or a demonstration of the dark Web.
It answers the question that you were just asking: What's
available for hackers out there, what do they do to buy it, and
how are they getting their materials? And there are companies
that have some of these demonstrations that I think you would
find extremely informative on just that question: How is it
proliferating?
Mr. Hurd. Thank you, General.
And we're going to recognize Ms. Kelly for her 5 minutes of
questions, and then we'll go into recess for votes.
Ms. Kelly. Thank you, Mr. Chairman.
Mr. Singer, in a December 2015 article for Foreign Policy
magazine's Web site, you said that government strategies for
responding to cyber threats are based on assumptions and plans
made for the cold war threats that are 30, 40, 50 years old. Is
that accurate?
Mr. Singer. Yes.
Ms. Kelly. Okay.
Deputy Assistant Secretary Hughes, during the cold war, our
strategy of mutually assured destruction was based on the fact
that we could tell instantly if the Soviets fired an
intercontinental missile. Is that correct?
Mr. Hughes. Yes.
Ms. Kelly. Is it equally obvious to figure out where a
cyber attack originates?
Mr. Hughes. I think, as Mr. Kanuck said, there's many
factors that go into that attribution and determination. So I'd
say it's probably not as instantaneous as it was during the
cold war.
Ms. Kelly. And why do you think that is? Just because there
are so many factors?
Mr. Hughes. The number of factors, there's a number of
actors, diverse operators on the Internet, makes it extremely
difficult.
Ms. Kelly. Okay. Thank you.
Mr. Singer, unlike during the cold war, you said, when
considering responses to a cyber attack, and I quote, ``the
defender's best move may well not be to strike back as rapidly
as possible, but to show no outside awareness of the ongoing
attack.''
Deputy Assistant Secretary Hughes, why might the U.S.
choose not to respond to a cyber attack?
Mr. Hughes. Well, ma'am, I think it goes to points that my
colleague Mr. Painter made in terms of what our response might
be. I think there's a number of factors from foreign policy
implications and the like that we want to make a determination
on response on a case-by-case basis.
Ms. Kelly. So the main question of this hearing is, when do
we strike back against an adversary for a malicious cyber
attack? Taking it one step further, when do we respond with not
just a cyber attack of our own, but possibly missiles and
tanks?
Mr. Singer, you said that we need to think differently
about our response to cyber attacks, and I was trying to write
down everything you said. You talked about deter through
diversity, sanctions, indictments, being creative and flexible,
maybe revealing finances of our enemy. Any other strategies you
want to add? You talked about HR and talents to bring aboard.
Mr. Singer. There's a whole series of things, but I think
the key here is to recognize, when we're talking about the
attacks, there is a wide array of them, so the attack on us
might be anything from intellectual property theft to
espionage, stealing of a state secret, to our feared scenario
of something that causes mass loss of life.
The first two, traditionally, have not been defined as acts
of war. The third may meet that definition. And then in no way,
shape, or form would we want to limit ourselves to a merely
cyber response to it. We would want to have all the tools
there.
The other issue here is the timing. Part of why you may
choose to delay your response is not just the normative
questions. It's to complicate the attacker's job. If you know
that they're inside your system, you can then observe them,
steer them into areas where they can't cause harm.
The bottom line here is that we're going to need a very
creative and diverse strategy, and the old kind of cold war
model of whacking back if they hack us just won't be
successful. It won't deliver actual cybersecurity.
Ms. Kelly. Thank you.
Mr. Hughes and Mr. Painter, how do you respond?
Mr. Painter. I'd say a couple of things. First of all--and
this also goes to Chairman DeSantis' question--we do have a
range of tools in our toolkit. So, yes, hacking or using cyber
offensive operations could be one. Using kinetic operations may
be another, depending on what the incident is. We said in our
international strategy in cyberspace back in 2011, we have the
full range of tools we'll use if the incident is significant
enough, including diplomatic, including economic, including
cyber tools, including kinetic tools in appropriate
circumstances. We'll try to exhaust the law enforcement and
network security tool first.
I also quite agree that part of this is--I'd push back
against the view that we are looking at this from a nuclear
perspective or one that's from 50 years ago. I think one of the
things we've been doing and spending a lot of time on is
looking at this whole-of-government approach where we're really
looking at new capabilities, new tools, making sure we're
inculcating this throughout not just our government, but NATO
was mentioned, making sure that NATO has this as part of their
strategic concept, making sure that other countries understand
this and we have more of a collective defense.
That's exactly what we're trying to do. And when you're
talking about the criminal threat, I agree with General
Alexander that it's not--you know, you look at the effects. The
effects might be the same, but the tools you use to respond
might be different. If it's a nation-state, you have certain
tools. If it's a criminal group, you might be using law
enforcement investigatory tools.
Ms. Kelly. Do you have anything much different, because my
time is running out? Is there anything else?
Mr. Hughes. No, I think Chris hit it right on the head.
There's a diverse way that we can respond, and we need to bring
all those to bear for each event.
Ms. Kelly. Thank you.
Mr. Hurd. So votes have been called, so the chair is going
to declare a recess until immediately following the last vote.
[recess.]
Mr. Hurd. The Committees on Information Technology and
National Security will come to order. Again, for the record,
General Alexander had to depart for a prior engagement.
And now I would like to call on the ranking member of the
National Security Subcommittee, Mr. Lynch, for his round of
questions.
Mr. Lynch. Thank you very much, Mr. Chairman.
And, again, I thank the witnesses.
Mr. Singer, in your written testimony for today's hearing,
one of the ways in which you indicate the United States could
strengthen its cybersecurity protocols is through the continued
development of international norms of conduct between nation-
states. And I think that's correct. But I do know that we have
had a recent problem with the SWIFT network, which is an
international banking network that is critical to our economy
and especially to our international finance community.
The difficulty there is that we've had evidence that there
were several possible points of vulnerability, one being the
Bangladeshi bank that was the principal bank, but also we've
got cooperation by the Federal Reserve Bank of New York in
forwarding $81 million to a Philippine casino. And so these
people actually got away with this. This is $81 million through
the SWIFT network that was actually achieved by the hackers.
I know they tried to transfer about $1.8 billion. They got
away with $81 million. Still, it's very concerning because of
the importance of the SWIFT network.
And I'm just wondering, if you go by the theory that we're
only as strong as our weakest link, there are some suspect
practices in Bangladesh and in the Philippines that people
think may have contributed to that hack. And in addition, I
think there are a dozen banks that have been now identified and
had contact with FireEye, which is the security firm that was
involved at the Bangladesh central bank.
So all of the banks are southeastern banks, Southeast Asia.
None of the banks, except for the Fed, and apparently they have
the right codes and the right protocols from the Bangladesh
central bank, but no banks in the United States, no banks in
Western Europe. The implication could be that those banks in
Southeast Asia did not have the firewalls, did not have the
cybersecurity systems that the European banks and U.S. banks
have.
So how do we approach that? Especially, I mean, you could
take an approach that people are not allowed to participate if
they don't have a robust cybersecurity system in place. But
that would put a lot of developing countries--Nigeria, perfect
example, growing economy--that would shut a lot of people out
from the international banking communities.
So it presents difficulties. But the size of these hacks,
these breaches, is problematic, so we've got to do something. I
was just wondering if you had any thoughts since you raised it
in your written testimony.
Mr. Singer. I'd raise three things.
First, I agree completely with you that the attack on the
SWIFT system is significant to the U.S. because of what it
means, not just for us, but the global financial system. So the
first issue is, at least from colleagues in that world, they
are not yet satisfied that the fixes that are needed to be
made, that the assurance that these kind of breaches can't
happen again, they haven't received it in sort of a third-party
validated manner. The confidence in the system isn't there. So
we need to focus on how do we restore confidence in the system
that these fixes have been made.
Second is the idea of norm building. Norm building is not
just identifying what kind of attacks should or shouldn't be
allowed to happen. It's also for us to figure out identifying
sorts of targets that everyone can agree should be off limits.
So, for example, this is an area of concord that we might have
with a China, with a Russia, and the like, that attacks on the
targets may not be militarily significant, but they harm us
all. So the norm building is going to have to be--the
difference with cold war where any kind of target was allowed,
but the attack didn't happen, now we have lots of different
attacks, but it's focusing on which targets are allowed.
The third category is actually linked to a different
incident, which we haven't talked about, but I think is crucial
to norm building, essentially, the failure of the U.S. and the
international community to respond to the December hack of the
Ukrainian power grid.
This is the first proven takedown of this kind. It's the
long-discussed nightmare scenario. It's a violation of a widely
agreed norm not to target civilian infrastructure with the
intent to cause widespread and disproportionate damage. And
yet, in the story of action and consequence, we had action. So
far we've had no consequence.
So if we're talking about norm building, SWIFT is a great
example, but the Ukraine one, I think, is even more important
for us to wrestle with.
Mr. Lynch. That's great.
I'm not sure, if Mr. Painter, you have anything you would
like to add?
Mr. Painter. Yeah, if I could.
Mr. Lynch. Or Mr. Kanuck or Mr. Hughes.
Mr. Painter. Part of the solution to this is the long-term
norm building. And this is something we've undertaken and,
frankly, as I've said we've led on. And the idea is, there was
this very high level of cyber war, which we don't see and,
frankly, don't see every day, but there's a lot of conduct we
see below that level. And we've made a lot of progress in a
short time in not only getting countries that are like-minded
to agree, but also getting China and Russia, for instance, to
agree.
And the norms we've been promoting are, for instance, don't
attack the critical infrastructure of another country absent
wartime that provide services to the public, don't attack
CERTs, don't attack the computer emergency response teams.
Don't use them for bad, use them for defensive purposes. And an
expectation that if you get a request from another state
and there's malicious code coming or activity coming from that
state, that you're going to mitigate it through technical or
law enforcement means. And then, finally, don't steal the
intellectual property using cyber means of another country for
your commercial benefit.
And that's new, and we're promoting that, and that's some
of the stuff we have been doing in the G-20. If you look at
literally every time the President has a meeting with a foreign
leader, every single time, and the Nordic summit is an example,
the Modi visit just recently is another, you'll see a big
statement on cyber, including these norms. That's a real
priority.
Mr. Lynch. Yeah. Thank you.
Mr. Hurd. I'd like to recognize Mr. Russell for 5 minutes.
Mr. Russell. Thank you, Mr. Chairman.
And, gentlemen, thank you for being here. It's been a
really insightful discussion. And I guess what was mentioned
earlier by General Alexander, I believe, talking about the rise
of ransomware and these bitcoin hostage-taking of servers in
businesses, we see it all the way down to small businesses, as
a preferred method, too difficult to fight, not a big enough
dollar amount to matter, and they're raking the public for
millions of dollars.
Could you speak to that a little bit? And then I've got
another line that I'd like to discuss after that. Whoever would
like to take that, or anyone that wants to comment on that.
Mr. Kanuck. I think one of the issues you point to is the
magnitude of specific incidents. And during my work at ODNI,
and certainly in some of Director Clapper's testimony in
the past, he's talked about the cumulative effect of low to
moderate level attacks that are already compromising U.S.
economic competitiveness and national security. So I would
simply draw attention to that.
It's analytically recognized that the cumulative impact can
be very significant even if individual events are not that
large. And then that becomes a policy response or a legislative
or regulatory issue for policy determinations of how and when
to respond. But analytically speaking, the mere fact that
you're not seeing singular gigantic events should not put
anyone at ease about the problem, because the cumulative
effects are very, very significant and deleterious.
Mr. Russell. And I'm not even sure that it's due to these
hostile nation militaries. I've actually had constituents that
have, you know, they've been pirated. Their servers have been
frozen. We've seen things like this.
Mr. Singer, and then you, Mr. Painter. Thank you.
Mr. Singer. I would agree completely. And it points, again,
to the value of the resilience node and the strategy where the
way to mitigate these attacks is to spread best practices and,
second, to help spur on the development of the cyber insurance
industry that both backstops these victims, but also help
incentivize them to have the best practices that avoid it.
Second, it's a great example of how it points to the value
of an offensive hit back within the cyber realm wouldn't do
anything to solve this problem. This is why you have to have a
very diverse strategy.
Mr. Russell. Yeah. I agree with that.
Mr. Painter.
Mr. Painter. And I would say three things.
One, hardening the targets, just to emphasize hardening the
targets, which is a difficult job, but so important. And our
colleagues from DHS who are not here can speak to that
especially, but also the private sector.
The second is, this is an evolution of a threat we've seen
before. I remember a case when I was at Justice where then-
Mayor Bloomberg--he wasn't mayor then--when Bloomberg had his
business, someone hacked into his information. They threatened
to expose all of it if he didn't pay them ransom. And he
cooperated with the FBI, and they arrested the guy.
So this is the newest iteration of that kind of a threat,
and it certainly has very damaging characteristics. But one
thing--and, again I'd defer to my Justice colleagues on this--
that we did in the fraud cases, where you had lots of small
frauds, and they end up sometimes being the same actors, if you
look at how to aggregate that, you share intelligence, so you
look at the actors and you go after the actors.
Mr. Russell. Well, and it seems to me--and, Mr. Singer, you
had made mention of best practices and things--there's just
some basic things that could be done. One, report it to the
FBI. It might seem insignificant to them, to the business, but
it is important in a collective thing. And then the other
thing, routine backups, changes, all of that, things that we
kind of take for granted.
Really, we're looking at a sphere of technology not unlike
100 years ago in the electronic warfare sphere. We were using
telegraphs, then we were using wireless, then we had towers in
communication and in satellite, and we saw the maturation of
electronic warfare.
And I would argue that a lot of our systems that we have in
place today with regard to electronic warfare is the same
sphere for cyber attack. They use the same power sources, the
same type of infrastructure to spread out and branch even with
the digital. I see it very much like that, electronic warfare,
a war in the shadows.
Isn't there a way that we could also do strike-back attack
in that war in the shadows that's not public? I leave that with
whoever wants to answer that.
Mr. Hughes. I guess the one comment I would make to that is
we've tried actually to do the opposite of that through the
release of our most recent strategy and try to normalize
activities in cyber so it is out of the shadows, so there's
more transparency around what we're doing and a better
understanding both from our allies, the American people, as
well as our adversaries as to what your intentions are.
I think it's when folks view it as being in the shadows
that there's more question about what we're doing to respond to
malicious activity. So I think we're trying to normalize
activities in the domain and not make it more classified.
Mr. Kanuck. I think Mr. Hughes raises an important point
about increasing transparency. Clearly, certain intelligence
activities, to include covert action, may have their place at
certain times and in certain instances, but normalizing and
increasing transparency could be greatly helpful.
And I offer that what any nation would choose to do sets
precedents that are very difficult to prevent other nations
from copying in the future. So the question would have to be
asked, would you want that to be the rule that all countries
obeyed of operating on partial or medium confidence attribution
to be taking clandestine action with deleterious effects?
That could be a very dangerous environment if everyone is
not acting with very, very high standards of attribution and
preventing collateral damage.
Mr. Painter. And if I may very quickly, I think, we can't
discuss it in this environment, because it's a classified
Presidential directive, but we can say there is a Presidential
directive that deals with this. And it's important for
countries to have doctrine around this, so there is that kind
of predictability that Sean talked about.
And our doctrine does two things. One, it makes sure that
everything is integrated. We're not just thinking about these
things separately, but we're integrating all our capabilities
and all of the different equities involved. And, two, that
we're going to favor network security and law enforcement as
our first lines of defense and then look at other tools after
that.
Mr. Russell. And as I close, Mr. Chairman, thank you for
your indulgence. I guess there's a part of me and the warrior
in me, do you want to answer a Sony attack with a Stuxnet or do
you want to wish that you had good practices and everybody
cooperates? I personally think there has to be a balance of
both. If we show ourselves weak, this problem is only going to
grow.
And thank you, Mr. Chairman. I yield back.
Mr. Hurd. The gentleman from California, Mr. Lieu, you're
recognized.
Mr. Lieu. Thank you, Mr. Chair.
Mr. Hughes, thank you for your public service. I have some
questions for you.
Earlier this year, Defense Secretary Carter stated that
encryption was absolutely critical to the Department of Defense
in terms of protecting cybersecurity. Would you agree with
that?
Mr. Hughes. Yeah. I mean, Department of Defense systems
rely on encryption for our communication out in the field and
with our partners. Absolutely.
Mr. Lieu. He also stated that he opposed back doors that
would weaken encryption. Do you agree with that as well?
Mr. Hughes. I would support the Secretary's position for
the Department.
Mr. Lieu. And I just want to make sure, the Department's
view is that we need to move to stronger encryption, not weaker
encryption. Is that correct?
Mr. Hughes. I support the Secretary's position on
encryption.
Mr. Lieu. Thank you.
So now I would like to ask you, in your job, do you deal
with telephone networks' communications as part of what you
deal with in your role in terms of cybersecurity?
Mr. Hughes. So I think there's collaborations between what
my office does for operational oversight, international
partnerships, and interagency collaboration of cyber policy and
what the DOD CIO does from oversight from a network security
and telephony perspective. My office, per se, does not cover
telephony protocols or any of the technical specifics.
Mr. Lieu. Okay. Earlier this year it was revealed there was
a flaw known as the Signaling System No. 7 flaw in our
telephone networks. And as I understand it, decades ago when
they set up these networks, and let's say you had to make a
call to Africa, the U.S. network would hand off to a European
network or hand off to the African network. And it was assumed
that these networks would be trusted. It turns out that some of
these networks are owned by foreign adversaries like Russia or
Iran or criminal syndicates related to these foreign
adversaries.
Have you looked at that issue at all?
Mr. Hughes. I'd have to take that question for the record.
It's not something that my office in particular has looked at.
Mr. Lieu. Who in the DOD would be looking at that issue?
Mr. Hughes. I'd have to take that for the record. I would
assume the DOD CIO would look into that, but I would have to
get back to you on that.
Mr. Lieu. If you could, that would be great. Because, as I
understand it, if a foreign government exploits this SS7 flaw,
which any foreign government that has a telephone network can,
it then allows them to listen in on the telephone conversations
of anybody's cell phone just knowing that cell phone number,
track their movements, and get their text messages.
It always struck me as odd when we go on these codels
abroad, we get all these briefings on don't take your
smartphones, have these protections, make sure you follow these
cybersecurity hygiene tips when you're in these foreign
countries, when it turns out these foreign countries can just
listen in on our phone conversations knowing our cell phone
number right here in the United States.
So if we could get some information back on that and
whether the problem has been fixed, it would be helpful.
Mr. Lieu. And then I have some questions related to the
Obama administration's new Cybersecurity Workforce Strategy
that was announced yesterday. One of the proposals is to
increase funding and salaries to recruit and retain talented
cyber professionals.
So the question for you, Mr. Hughes, as well as you, Mr.
Painter, I'd like to know what is the issue with that, how
important is it? And second, what is your sort of view on your
ability to retain people once you get them in the cybersecurity
field?
Mr. Hughes. So I can speak to the Secretary's Force of the
Future initiatives around the Department of Defense. I'm not
familiar with the specific program that the administration just
released writ large.
Specific to Department of Defense, we're always looking at
novel ways to bring in and recruit and retain more talented
professionals across a variety of domains. We understand the
acute challenges of retaining our highly trained and skilled
personnel that operate on the cyber systems.
And so the Secretary's Force of the Future initiative is
looking at a variety of different ways to have more
permeability between private sector and government service, as
well as different ways to bring in folks to serve in different
positions, both military and civilian.
Mr. Lieu. Thank you.
Mr. Painter. And I would say, yes, this is part of the
larger administration attempt to really bolster our
cybersecurity. One of the problems we face, not as much in my
shop because I'm a policy shop, but certainly throughout the
government, is finding qualified people who do cybersecurity
work. Competing with the private sector. It's still a fairly
small pool. I'd say that there are schools, and we have been
working with schools to get programs to have more people
dealing with this.
I should say that I was a 9-year resident of your district,
and I suspect that many of them live in your district, and I do
miss it every day. So if you can convince them to come out
here, that would be great.
Mr. Lieu. Thank you.
Thank you. I yield back.
Mr. Hurd. Mr. Hice from Georgia is recognized for 5
minutes.
Mr. Hice. Thank you, Mr. Chairman.
I want to begin with you, Mr. Hughes, but if others of you
have some input, feel free to jump in here. But what are the
factors that define a cyber act of war as opposed to a cyber
attack?
Mr. Hughes. So, again, as I mentioned in my opening
statement, cyber incidents are reviewed on a case-by-case
basis. We take into account loss of life, injury to person,
destruction of property, and the national security leadership,
and the President will make the determination if it's an armed
attack. But I would defer to Mr. Painter for a more thorough----
Mr. Painter. Yeah, I echo that completely. I think it's an
effects-based test, just like it is in the physical world. So
we are not using a separate test for the physical.
Mr. Hice. So at what point do we--what are the rules of
engagement that would determine a response, be it a cyber
response or kinetic?
Mr. Hughes. Again, not to sound cliche, but, again, it will
be on a case-by-case basis. We will evaluate each incident on
its merits and make a determination, again, through a whole-of-
government collaboration, on what the response might be.
Mr. Hice. So who makes that decision? Is it the President
alone or are there multiple agencies or representatives from
the agencies that would be involved?
Mr. Hughes. The national security leadership, in
conjunction with the President, make that determination.
Mr. Painter. But I would say that, as we look at these,
there are a range of different activities. And you use the term
cyber warfare, but the question often is what constitutes an
armed attack under international law that would then give a
right to self-defense. But even if it's below that threshold,
we still have a way--there's a number of ways to respond. It
could be kinetic. It could be through cyber means. It could be
through economic means and sanctions. It could be through
diplomacy. It could be through indictments and law enforcement
actions.
And what we have done, and this is one of the things,
having tracked this for so long, I've seen as a real change and
a really beneficial change, is there is a very, very strong
interagency process that as we're looking at these threats--I
mean, Aaron and I, in particular, we talk all the time--but all
the different interagency colleagues do talk about these
threats, talk about possible responses.
In the end, it's up to the National Security Staff and the
President, but we look at all these different opportunities. If
it's a criminal matter, Justice will take it, for instance. So
we'll look at our tools.
Mr. Hice. I'm concerned with the lack of clarity on this
and the bureaucratic, multilayered involvement to make a
decision. And now we have Cyber Command in Fort Gordon.
If CYBERCOM were elevated to a full combatant command,
would that help?
Mr. Hughes. I think we're always looking at ways to make
the military establishment more efficient and effective. I
wouldn't say that elevation of Cyber Command in and of itself
would help in the determination of a cyber incident being an
armed attack versus other types of malicious activity.
Mr. Hice. Mr. Singer.
Mr. Singer. To weigh in from outside of government,
essentially, in defining whether it's a war or not, many of the
same measures would be used, whatever the means, cyber or
physical. To put it bluntly, it is throughout history it's
decided by does it combine a political intent and mass violence
of some kind, physical violence, death, injury.
So, as an example, there are cyber attacks that steal
secrets, they are incredibly vexing, but no Nation has ever
gone to war over just because their secrets are stolen. The
judgment, though, is a political judgment on when it's an act
of war. And my hope is, and this is the value of this hearing,
that it's not just the President or the NSC, but it's also
Congress traditionally has decided when the U.S. is at war or
not.
Mr. Hice. Well, yes, to some extent. But let's go down that
path a little bit further then. Can a member of NATO invoke
Article 5 for a cyber attack?
Mr. Painter. Yes, they can. In fact, there's been a lot of
activity in NATO since 2012. Cyber is part of NATO's operating
construct. We just had a leaders-level meeting for NATO where
they agreed, among other things--they previously agreed that
international law applies, including the Law of Armed Conflict.
They are doing cyber strategies that Aaron can talk more to.
But one of the things that was agreed to back in, I think it
was 2014, is that cyber could qualify under Article 5.
Mr. Hice. Okay. Well, then, let me ask this. Does NATO have
a definition of what constitutes a cyber attack, seeing that we
don't?
Mr. Painter. First, I think it's not true that we don't
have a definition. We just talked about what would qualify and
the factors you would use.
I would have to go back and look at NATO's doctrine, but I
think they have a lot of focus on this, they understand the
risks out there, and they are building the capability.
Mr. Hice. All right. Well, our definition was not clearly
communicated to me. It was going to be left up to the President
and others based on certain factors and somewhere they're going
to make a decision.
But I assume my time has expired. Mr. Chairman, I thank you
for your indulgence. I yield back.
Mr. Hurd. The gentleman from Iowa. Mr. Blum, you are
recognized for 5 minutes.
Mr. Blum. Thank you, Mr. Chairman. I appreciate it.
And thank you to our witnesses today for providing us some
insights into this growing problem of cybersecurity.
I come from the private sector. I've been operating in the
private sector my entire career. So I would like to chat a
little bit about China and the United States private sector.
And while most of my questions would be toward Mr. Painter from
the State Department, anyone else feel free to jump in.
Mr. Painter, the State Department's Overseas Security
Advisory Council, OSAC, recently concluded that, despite
media's reporting that Chinese cyber attacks are decreasing,
cases of a Chinese espionage campaign against the U.S. private
sector are ongoing. Which sectors, Mr. Painter, do you think
are most at risk for these Chinese cyber attacks?
Mr. Painter. Look, I think the DNI has talked about this,
and we continue to see intrusions in the systems, both
government systems and private sector systems, for espionage
purposes.
What we agreed to with China, which was significant, is
that they would not break into private sector systems to steal
intellectual property or trade secrets or business or
proprietary information for the purposes of benefiting their
commercial sector.
On that, we have been pushing them very hard. There's a
number of ways we have been doing that. It was really a
remarkable fact that they came to that agreement when President
Xi was here. And we said we are going to hold them accountable.
We are still going to use all the tools we have.
And the jury is still out. I think Admiral Rogers recently
testified, saying we are watching closely. But the jury is
still out.
Mr. Blum. Any other comments on that question?
Mr. Kanuck. Again, I left government on May 9 of this year,
but up until that point, I would concur with what Chris has
just said. Having been the office that was charged with making
those determinations on behalf of the U.S. Government, the jury
is still out or was as of May 9.
And I would just offer two other considerations that one
has to think about, and I mentioned this in my written
statement. Modi operandi may change, so behavioral patterns
may change. And the question of volume or quantity versus rate
of success and quality of foreign activities is something that
needs to be considered.
So I would recommend that if that is an issue that is of
interest to you, sir, that's probably better for closed
hearings with my colleagues or others from the intelligence
agencies in the future. But asking what the current impacts are
and what, if anything, has changed and metrics, that kind of
attribution analysis is very, very difficult and you quickly
get into classified discussions. But it's a worthwhile question
and one we grappled with for my 5 years at ODNI.
Mr. Blum. Mr. Singer.
Mr. Singer. If I understood your question, it was in
essence who is being targeted, and it's a confluence of two
factors. It's, one, what are their national priorities for
economic success. To put it another way, what industries do
they want to be global leaders. And those are industries that
have been most targeted for intellectual property theft in the
past. The agreement may change that.
And the second is vulnerabilities, where are the weak links
and who are they able to get into, and that, again, points to
the value of resilience-based strategy where it's effective be
it against the threat of intellectual property theft to the
threat from cyberterrorist to China in a military means. Good
defense actually is good defense.
Mr. Blum. Mr. Painter.
Mr. Painter. And I would certainly agree with the hardening
of the targeted issue, which we've raised a number of times.
But I would also say, it's not just the U.S. So, one, the
important thing is a lot of other countries have raised this
concern. The U.K. has raised it, Germany has raised it, and
others. And the G-20 statement that I talked about where there
is an affirmation among the leaders of the G-20 that this
conduct was impermissible I think is also important. It sets a
metric that we can hold people accountable by.
Mr. Blum. Relative to China, and since we're talking about
cyber attacks in the private sector, one would think the reason
for China doing this would be economic. But is there any
military reason China would be attacking our private sector?
Maybe Mr. Hughes would have some insight into this.
What are your thoughts? Are these attacks, cyber attacks,
mainly private sector economic or are they also military?
Mr. Hughes. I think they're probably targeting our private
sector companies to enhance their national security apparatus
as well. I'm sure that some of our defense industrial base
companies are being targeted by the Chinese to benefit their
military development in advancement of their technologies.
Mr. Blum. Mr. Painter, any other insights on that?
Mr. Painter. No, I would agree. I would think that you'll
see, just as the DNI said, a full spectrum of targets given the
information that's out there.
Mr. Blum. Have, in fact, China's cyber attacks, the amount
of them, decreased over the last 5 years? Is that a fact?
Mr. Hughes. I would defer that question to the closed
hearing and to the intelligence community.
Mr. Painter. I would agree with that. I think that would be
a ripe subject for the closed hearing.
What I can say is, in terms of the theft of intellectual
property for commercial purposes, as Admiral Rogers said, the
jury is still out on that, and I believe the DNI said that too.
But with respect to any more detail, we can get into that in
another setting.
Mr. Blum. Mr. Singer.
Mr. Singer. As to the question on the goal of intellectual
property theft not just being economic, it definitely has a
national security side. And the easy answer to you would be
Google images of F-35 and J-31, and you will see a remarkable
similarity between our most expensive weapons project and their
new jet fighter system. And either it's coincidentally they
look alike or there's something else going on.
Mr. Blum. What can Congress do to provide additional
deterrence to countries like China? It may be criminal law, for
example. What more can we do? What are your suggestions? And
I'm thinking of China specifically here, but it applies to all
nations, obviously.
Here's your chance. Here's your chance. Tell us what to do.
Mr. Kanuck. I would offer that this is really an issue of
strategic reality, incentives, disincentives, and consequences.
We've talked about attribution, public attribution, and that
there may be no bite behind the bark. I would offer you have to
look at very complex bilateral relationships, certainly if
you're looking at United States and China, but also with other
countries, and ask, what would strategically incentivize or
disincentivize changes in behavior? Having served 16 years in the
intelligence community, for me it was about what was actually
happening, not what was being said.
And, again, to get at the very particulars of that, about
volumes of activity or impact of activity, that is, again,
something I would say that the current serving members of the
intelligence community and other executive agencies would be
better off discussing in a closed session.
Mr. Painter. I would just add that the fact that in this
case the President, and at the highest levels of our
government, obviously, the President raising this with the
President of China as not just an issue of cyber versus cyber,
but an issue that affected the overall relationship, pattern
had a big impact.
Mr. Blum. And if I have time for one more question, Mr.
Chairman?
I would just like to ask the panel, has there been any
noticeable effect following the Department of Justice 2014
indictment of the PLA officers? Has there been any noticeable
effect?
Mr. Kanuck. From my observation, that became a strong topic
of discussion between U.S. Government and Chinese Government
officials, and I'd defer to my colleagues who are still in
government regarding there. And there were also negative
ramifications for certain U.S. companies who had business
opportunities in China very quickly curtailed.
So it had an economic and business impact on U.S. entities
and it also certainly was a central part of the discussions, of
the policy discussions, which are better answered by the policy
departments.
Mr. Blum. Mr. Painter.
Mr. Painter. And I'd defer to my colleagues who are not
here from the Department of Justice, but I would say that, yes,
the dialogue we had with the Chinese about deescalation and
norms in cyberspace was suspended--we have now gotten back on
another foot on that--which seemed an odd reaction to that.
But, nevertheless, I think it showed that we were serious,
certainly, and that when, you know, that combined with the
President raising it and the threat of sanctions and other
things, I think likely brought the Chinese to the table. But
that is more an assessment for others.
Mr. Blum. Any insights on that, Mr. Hughes?
Mr. Hughes. Again, I would also defer to the Intel
community for a classified assessment and then Department of
Justice.
Mr. Blum. I have no further questions, Mr. Chairman. I
yield back the time I do not have.
Mr. Hurd. I recognize myself for 5 minutes.
Once again, gentleman, thank you all for being here. Thank
you for your patience. You guys are all very influential in
keeping us safe, and I appreciate that. Sorry to keep you away
from your day jobs too long.
This is a funny topic for me to be the chairman of,
considering I spent most of my adult life in the clandestine
world, right? But having everyone that has a role in this side
by side, there's value to this. And I've taken a lot away from
these conversations, so I really appreciate that.
And I have some basic questions. My first question is to
everybody. And I don't ask this as a yes-or-no question. It's a
really basic question. I'd welcome a little detail.
And I'll start with you, Mr. Hughes. Do the bad guys know
what we can do?
Mr. Hughes. I think, similar to the U.S. national security
infrastructure having intelligence agencies, our adversaries
are also doing collection against us. In some instances, they
are likely tracking our TTPs. So I would assert that they have
some idea of our ability to exploit networks and get
information, absolutely.
Mr. Hurd. Mr. Painter.
Mr. Painter. Yeah. I think also there's a benefit in the
bad guys knowing what we can do to some extent. I mean, we
certainly in, for instance, the criminal law context want to
project that there will be consequences for people's actions,
so we want that, that we have economic tools we can use, we
have other tools we can use. That's part of the deterrence
message, is the bad guys knowing, whoever the bad guy might be,
what you can do.
And in that, I think, what I have seen personally is that
we have made real progress in communicating that. One of the
questions was asked earlier about the Bangladeshi situation.
Part of this is outside the U.S., which is part of my gig,
which is in working with other countries around the world so
they have these capabilities too.
Mr. Hurd. And, Mr. Kanuck, before you get to that question,
I am going to ask you, Mr. Painter, to pick up on something you
just said. Ukraine, Romania, Latvia, where are those countries
where the legal framework is not there to allow the right kinds
of prosecution, because when it's not--we know how many attacks
are coming from these different countries--because there's not
a legal framework in which for them to get prosecuted or sued.
Where are those places of biggest concern to you? What
additional pressures should we be putting on these countries in
order to establish that kind of framework?
Mr. Painter. So the countries--I mean, I think we've made a
lot of progress, especially my Department of Justice
colleagues. And one of the things that we do is capacity
building. We work with DHS and DOJ. We've done things in
Africa, a lot of regional trainings in Africa. We've worked
with the EU and others.
We want every country to have strong cybercrime--you know,
you can remember the ILOVEYOU virus, where the Philippines
didn't have a law to punish this. And now they do. In fact,
they've gone through several iterations of that.
So I don't think it's helpful to single out countries and
saying you're doing a bad job. I think it's more helpful to
help us get in there and work with them, because they also
recognize the economic value of this. If they have good
cybercrime laws, people want to invest in their economy. You
are going to promote innovation.
I think the Budapest Convention, which is the convention--
Budapest Cybercrime Convention--the one that we promote around
the world, there's been a number of new signatories recently.
We're working on getting more in Africa and Asia. Japan joined
about a year and a half ago. So that's part of the push.
Now, there are other countries, and this goes to more of
the policy issue, like Russia and China, who want a global--a
U.N. Convention, and we think that's just wasting time. This is
an urgent issue now and countries need to be prepared for it.
Mr. Hurd. Mr. Kanuck, not only do the bad guys know what we
can do, is there stuff that we should ensure the bad guys know
that we can do? And the third piece is, I think the difficulty
for a lot of us up here is when you talk what is a digital act
of war, the difference between a digital act of war and a gray
area and a red line, what does all that mean. And we've had
conversations about what is off limits. And I think sometimes
part of the public conversation can articulate at a more
granular level what is off limits, right?
And, Mr. Singer, you made a great point about the Ukrainian
grid attack. If you look at, what is it, the U.N.'s Chapter
VII, Article 39, 41, 42, and 51 that talk about those things
and where you can defend yourself, the grid is pretty clearly
articulated there.
What are some of those other gray areas that we should be
exposing? I know there were a lot of questions in there, but
you are a smart guy, Mr. Kanuck, you can follow them all.
Mr. Kanuck. I'll do my best to succinctly hit the three.
Starting with the ones my colleagues have answered, I think our
sophisticated adversaries fully understand the laws of physics,
the nature of telecommunications equipment, how electromagnetic
spectrum operates, and how software logic code does. They may
not know exactly what accesses, or we may not know exactly what
accesses, any foreign government may have on any given day or
what hardware or software implants may exist. I would liken it
to a poker game where everyone knows the cards in the deck, you
don't know who is holding which cards in which hand, and those
capabilities may be fleeting and in flux at any given time.
Secondly, is there a benefit to letting anyone know what we
can do in certain instances? Again, while I appreciate
clandestine intelligence activities as a 16-year intelligence
professional, there may also be reasons in certain cases to
declare or show certain capabilities akin to having a standing
navy or other armaments that are known for a credible deterrent
effect. However, the nature of cyber tools differs in that, if
you reveal the particularities of a capability, an adversary
may be able to develop countermeasures. So there would be a
very sensitive balance there, certainly at least against your
most sophisticated adversaries.
Regarding gray areas and red lines, I'd actually like to
draw attention to two important points which are on the margins
of some of the discussion we've heard today. A lot of
discussion has focused on act of war. I actually think that's
the wrong focus, as I stated in my written statement.
Most of what we have seen foreign state actors doing has
been intentionally designed to operate below the threshold that
would trigger Article 2(4) or Article 51 of the U.N. Charter, or
Articles 4 and 5 of the Washington Treaty. There is cognizance by
many actors to use cyber technologies in an asymmetric coercive
tool for influence with the express interest of avoiding
military conflict. So that is actually how these weapons and
tools are being most utilized.
Mr. Hurd. So, Mr. Kanuck, on that, should we be lowering
the bar?
Mr. Kanuck. Again, that's a policy decision. I think, for
starters, we need to be cognizant of these low- to moderate-
level activities and their cumulative effect, like we were
discussing earlier with one of your colleagues. Where you
actually draw red lines, that is a policy question. I think
there are certain casualty levels and certain property damage
levels that under an effects-based analysis would constitute an
armed attack or an act of war. But that analysis, as has been
stated earlier by the executive branch representatives here, is
the same that you would use for noncyber modalities.
The last thing I'd like to, if I may just mention, focus
is, we need to pay more attention to what will be a problem
more and more in the future of attacks on the integrity of
data, not on its confidentiality and not on its availability.
Director Clapper has made reference to that in his last two
worldwide threat assessments. And I fear, if ransomware is
today's news, the future news is going to be integrity,
integrity, value of information, not access to it.
Mr. Hurd. Turning 10,000 into 1,000 or changing----
Mr. Kanuck. Changing what's seen on an air traffic
controller's screen. Changing information in the Twittersphere
that will affect investors' actions. Changing the situational
awareness that a military commander is seeing. Can you trust
the information you're seeing to make actions upon it? That is
actually the value of information, and that is what,
unfortunately, this conflict space will turn to in the future
more and more.
Mr. Hurd. And, Mr. Singer, I'm going to add a question to
you as well. We talked about effects-based approach. Does an
effects-based approach include intended effects or only the
actual effects? Can we determine intended effects? Should we be
trying to determine intended effects? And should our response
be based on the interpretation of what we may think those
intended effects are?
Mr. Singer. So I'll hit that question first, because that's
where I do believe the idea that we solely use an effects-based
judgment is just not--it's not the way we actually approach it.
So to use a noncyber example, a bullet crosses the border into
your district and kills someone--effect--but we will judge
whether we are at war or it is an act of war from Mexico as to
whether it is fired by Mexican Government with intent to kill
or is it an accidental discharge, be it by a Mexican government
individual. Then we would ask the same question if it was a
civilian or not.
Intent does matter. It's one of the things that will be, at
least in the political judgment, the kind of political
judgment that would be made in the White House, to
deliberations in Congress. If it's going to make a declaration
of war, it will judge intent as much as effect. The challenge,
kind of figuring out the intent, sometimes is going to be
unclear.
Mr. Hurd. Well, over the last couple of weeks we've learned
a whole lot about intent.
Mr. Singer. Yeah. But the second thing to hit your question
about awareness. My belief is that the bad guys have no doubt
of our offensive cyber capability. If they had any confusion
about it, we had a series of policymaker leaks about the
Stuxnet operation, and then we had a massive dump from Edward
Snowden, which caused us a lot of problems, but it also showed
off we are quite good in this realm.
The challenge is, if you look at the data, there is no
evidence that that raised awareness of our offensive capability
actually deterred attacks. Overall, data loss to America, in
general, citizens, went up 55 percent the year after the
Snowden leak. To many of the cases that we've talked about
today, whether it's OPM, to ones we haven't talked about, the
attacks on the Joint Chiefs' email system, those all happened
afterwards.
But that's not to say that deterrence isn't working. So,
for example, there's lots of things that a China, a Russia, an
Iran could do in this realm. They don't, in large part not
merely because of our offensive cyber capability hit back, but
because we can hit back in other realms.
Mr. Hurd. Well, I'd like to thank the ranking member for
indulging me in going over.
And I'm going to ask this last question to all of you all.
I recognize the difficulty in the question that I'm asking.
It's probably not as difficult for Mr. Singer to answer, and
Mr. Kanuck has not been out of government long enough to be
able to answer this question easily. You all are involved in
policy, you all are involved in operational activity.
But I'm going to ask you, what is the best next action for
this House, for Congress on this topic to move the conversation
to where we are having a whole-of-government response or
improving a whole-of-government response? You know, not the end
goal, right? What's the next step? What would you all like to
see this legislative body do?
And you don't need to take forever. We've already run out
of time.
But, Mr. Singer, I think it's going to be easiest for you
to answer this question. So let's start with you and go in
reverse order.
And, Mr. Hughes, you get to have the last word.
Mr. Singer. I'll just hit, again, the written testimony
points, particularly about how do we build up our resilience.
And there's a series of things that Congress could do, and some
of them are quite as simple as, for example, holding a hearing
on the cybersecurity insurance industry and how could we
bolster it, to there's actual small step mechanisms that could
help it go on, to the examples of are there organizations that
could be created and the like.
Maybe to sum it up, the question for the Congress is, we
know there's a series of best practices out there in private
sector and government. How do you help aid their spread and/or
where the executive branch has made a commitment to implement
them, how do you hold their feet to the fire to ensure that
they are actually doing it, particularly across another
administration?
Mr. Hurd. And we've got the bipartisan part down in your
testimony. I think this is one of the things that has been
great about this committee.
Mr. Kanuck.
Mr. Kanuck. It's been mentioned by a couple of my
colleagues already, but I want to fully add my support to the
discussion about resilience, and as one aspect of that, the
growing insurance market in this space. When we did our
analytic exchanges and outreaches we quickly learned from my
old office that resiliency was a necessary component for policy
options. If you are not safe, you will be restricted in what
you can be doing offensively, defensively, and otherwise.
I'd also like to add, if we're talking from a legislative
perspective, I do believe that Congress can have an impact on
the Federal workforce. And as a couple of my concluding
statements in my written statement said, this is a qualitative
not a quantitative game. Cyber expertise is about having the
highest level of competence.
The greatest breakthroughs in information technology have
not been because there were a thousand people in the room. The
greatest breakthroughs in encryption, in hardware, in software
have been by small entities. We need to ensure that some of
those cyber Olympians are working in the Federal workforce and
stay there.
Mr. Painter. Amen.
Mr. Kanuck. My last comment will be, it's wrong to think
about this as cybersecurity. There is no solution for perfect
cybersecurity if you are up against determined, well-resourced
adversaries. This is about risk management and risk mediation.
The future discussions would be most served for the public good
if they were about a cyber risk discussion, or even better,
information risk, to include integrity concerns.
Shifting that intellectual framework to information risk
will help you a long way towards addressing some of the issues
that this panel has raised today.
Mr. Hurd. Thank you.
Mr. Kanuck. Thank you.
Mr. Hurd. Mr. Painter.
Mr. Painter. So I think the number one thing, and given my
experience, is to maintain the momentum and the focus on this
issue and the education on this issue.
Look, even 5 or 6 years ago, at the end of the Bush
administration, there was a conference of national cyber
initiatives. Back in 2003, we had a cybersecurity strategy that
became shelfware, because people at the time weren't ready to
deal with it.
I think now we're in a different place, but I think it
needs to be made a priority and continue to be a priority not
just for this administration, but whoever the next
administration is. Now, I think we're in good shape there,
because I think now, because there are hearings like this and
your Senate colleagues in SFRC, I've testified before them,
we've done a report to Congress about all of our activities
across the board in cyber, including throughout the different
range, I think that's all important. But the focus really needs
to continue on this and be seen as a priority.
Five years ago, when my office was created at the State
Department, there was no real cyber diplomacy program. We now
have 22, I think, countries around the world that have
counterparts to me that didn't exist, where we can actually not
just have dialogues about policy, but when we have an attack
like these denial-of-service attacks against financial
institutions, I can reach out to counterparts and I can say:
Look, this is important. This is not just the normal technical
issue. So that's important.
What I'd say we don't need from my Department, because we
really crosscut among all the different parts of our
Department, is I know there is some proposed legislation to
kind of stovepipe this issue and put it into one particular
chain and then create more bureaucracy, in my opinion. I'd say
that's not helpful to us. What we really need is to be able to
mainstream this throughout the Department and really throughout
our foreign policy.
Mr. Hurd. Mr. Hughes, you get the last words. No pressure.
Mr. Hughes. Well, first and foremost, as my panelists have
said, continue the dialogue. I think awareness across the
United States and the American people of cyber threats and
vulnerabilities is important. The adversaries aren't using
sophisticated tactics to steal data, they're using the low-
hanging fruit, and there's such a lack of basic hygiene that
they don't need to resort to nation-state level capabilities to
steal information.
So continuing the dialogue and awareness is important,
because the interdependencies between government networks,
private sector networks, foreign entities, I mean, we are all
so intertwined that a vulnerability in one can lead to a
vulnerability for all.
And then, tactically, I would second, again, what Mr.
Kanuck said in terms of workforce--workforce improvements,
workforce management. I know the most recent NDAA provided the
Department of Defense a little bit more flexibility with the
cyber excepted service provisions. We plan to take advantage of
that to improve our ability to hire and retain talented cyber
professionals.
Mr. Hurd. Excellent.
Mr. Painter. I would just like to add that also, I want to
thank Congress for the recent cyber information-sharing
legislation. That has helped.
Mr. Hurd. You're welcome.
Without objection, I'd like to enter my full opening
remarks for the record.
So ordered.
And I would like to thank our witnesses today for taking
the time to appear before us. This is a very important
conversation that needs to continue.
And if there's no further business, without objection, the
subcommittees stand adjourned.
[Whereupon, at 3:43 p.m., the subcommittees were
adjourned.]