[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
CYBER WAR: DEFINITIONS, DETERRENCE, AND
FOREIGN POLICY
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON FOREIGN AFFAIRS
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 30, 2015
__________
Serial No. 114-106
__________
Printed for the use of the Committee on Foreign Affairs
Available via the World Wide Web: http://www.foreignaffairs.house.gov/
or
http://www.gpo.gov/fdsys/
______
U.S. GOVERNMENT PUBLISHING OFFICE
96-817 PDF WASHINGTON : 2015
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON FOREIGN AFFAIRS
EDWARD R. ROYCE, California, Chairman
CHRISTOPHER H. SMITH, New Jersey      ELIOT L. ENGEL, New York
ILEANA ROS-LEHTINEN, Florida          BRAD SHERMAN, California
DANA ROHRABACHER, California          GREGORY W. MEEKS, New York
STEVE CHABOT, Ohio                    ALBIO SIRES, New Jersey
JOE WILSON, South Carolina            GERALD E. CONNOLLY, Virginia
MICHAEL T. McCAUL, Texas              THEODORE E. DEUTCH, Florida
TED POE, Texas                        BRIAN HIGGINS, New York
MATT SALMON, Arizona                  KAREN BASS, California
DARRELL E. ISSA, California           WILLIAM KEATING, Massachusetts
TOM MARINO, Pennsylvania              DAVID CICILLINE, Rhode Island
JEFF DUNCAN, South Carolina           ALAN GRAYSON, Florida
MO BROOKS, Alabama                    AMI BERA, California
PAUL COOK, California                 ALAN S. LOWENTHAL, California
RANDY K. WEBER SR., Texas             GRACE MENG, New York
SCOTT PERRY, Pennsylvania             LOIS FRANKEL, Florida
RON DeSANTIS, Florida                 TULSI GABBARD, Hawaii
MARK MEADOWS, North Carolina          JOAQUIN CASTRO, Texas
TED S. YOHO, Florida                  ROBIN L. KELLY, Illinois
CURT CLAWSON, Florida                 BRENDAN F. BOYLE, Pennsylvania
SCOTT DesJARLAIS, Tennessee
REID J. RIBBLE, Wisconsin
DAVID A. TROTT, Michigan
LEE M. ZELDIN, New York
TOM EMMER, Minnesota (until 5/18/15)
DANIEL DONOVAN, New York (as of 5/19/15)
Amy Porter, Chief of Staff            Thomas Sheehy, Staff Director
Jason Steinbaum, Democratic Staff Director
C O N T E N T S
----------
WITNESSES
James Andrew Lewis, Ph.D., senior fellow and director, Strategic
Technologies Program, Center for Strategic and International
Studies
Catherine Lotrionte, Ph.D., director, Institute for Law, Science
and Global Security, Georgetown University
Mr. Bob Butler, adjunct senior fellow, Technology and National
Security Program, Center for a New American Security
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
James Andrew Lewis, Ph.D.: Prepared statement
Catherine Lotrionte, Ph.D.: Prepared statement
Mr. Bob Butler: Prepared statement
APPENDIX
Hearing notice
Hearing minutes
The Honorable Gerald E. Connolly, a Representative in Congress
from the Commonwealth of Virginia: Prepared statement
Written responses from Mr. Bob Butler to questions submitted for
the record by members of the committee
Written responses from Catherine Lotrionte, Ph.D., to questions
submitted for the record by members of the committee
Questions submitted for the record to James Andrew Lewis, Ph.D.,
by the Honorable Mark Meadows, a Representative in Congress
from the State of North Carolina
CYBER WAR: DEFINITIONS, DETERRENCE, AND FOREIGN POLICY
----------
WEDNESDAY, SEPTEMBER 30, 2015
House of Representatives,
Committee on Foreign Affairs,
Washington, DC.
The committee met, pursuant to notice, at 10:14 a.m. in
room 2172, Rayburn House Office Building, Hon. Ed Royce
(chairman of the committee) presiding.
Mr. Salmon [presiding]. This hearing will come to order.
This morning we will consider the growing threats to U.S.
national security in cyberspace. It is no exaggeration to say
that we are at the dawn of a new age of warfare. Computers and
the Internet have connected people around the world. However,
reliance on these technologies has also made us vulnerable to
cyber attacks from other countries, terrorists, and criminals.
So much so that the Pentagon now counts cyberspace as the
fifth domain of warfare alongside land, air, sea, and space.
Whether or not an all-out cyber war occurs, it is clear that we
are in a state of ongoing cyber conflict. The White House, the
State Department, and the Department of Defense have all been
hacked, and, of course, the Office of Personnel Management had
the sensitive information of more than 21 million Americans
compromised.
In the private sector, hackers have crashed the computers
of Sony executives, seized the personal information of more
than 78 million people from the Nation's second largest health
insurer, and stolen the credit and debit card information of
more than 40 million customers of a major retailer. The
magnitude of this theft is staggering, yet it is said that it
takes companies an average of 205 days to even realize their
system has been breached.
Across the globe, Estonia found itself at the opposite end
of a crippling Russia-backed denial of service attack. A
computer worm shut down the air force and navies of France and
Great Britain for a time. And an attack by North Korea, coined
Dark Seoul, crippled South Korea's banking system.
In the coming years, it is likely that Iran will pour more
resources into cyber weapons. These have already been used
against the U.S. Navy, American banks, a Las Vegas casino, and
Saudi Arabia's largest oil producer, all without setting off
significant retaliation. Indeed, it has been said that it is
exactly the lack of international norms in responding that make
cyber weapons so attractive to Russia, China, Iran, and North
Korea. So we have a lot of work to do.
Our top intelligence officer told Congress earlier this
month that the U.S. lacks both the substance and the mind-set
to deterrence. Indeed, last spring the President issued an
Executive order that would allow him to target individuals or
organizations deemed responsible for computer attacks, but this
new order, similar to the way in which terrorists or nuclear
proliferators are targeted, has yet to be used. So the
President's recent comment that offense is moving faster than
defense is putting it mildly.
From the private sector to government, our country is
taking body blow after body blow in cyberspace. Why aren't we
hitting back? As one observer notes, we have a deterrence
deficit.
The new agreement between the United States and China on
economic espionage would be a step forward if China actually
abides by it. And others, like Iran and Russia, will be
watching closely how the United States responds to what is
perhaps the greatest theft in history.
We look forward to hearing from our witnesses, what is
cyber war and how does it differ from cyber conflict and cyber
espionage? Could better attribution techniques be developed to
help the United States deter cyberattacks? What is the role of
diplomacy in containing cyber conflict? Do the international
norms surrounding traditional warfare apply? And what are the
foreign policy implications of continued cyber infiltrations
and espionage?
We look forward to our witnesses' testimony as we consider
U.S. responses to one of the most urgent problems facing the
United States.
And I now turn to the ranking member for any opening
comments he might have.
Mr. Engel. Well, thank you very much, Mr. Salmon. And to
our witnesses, welcome to the Foreign Affairs Committee. We
badly need your expertise, because our focus today is a new
frontier when it comes to enhancing American security, and I
agree with everything that my colleague just said.
For years, cyber attacks from overseas have posed a growing
threat to the United States. Cybercrimes, such as a breach of
the credit card systems at Target stores by Russian hackers in
2013, have put millions of American consumers at risk. Cyber
espionage by foreign governments, the recent attack on the
Office of Personnel Management, for example, threatens to
expose national security information and violates the privacy
of many, many American citizens.
Today this committee is focusing on cyber war. That is a
relatively new term and we still don't have a consensus about
what it generally means, exactly means. Generally speaking,
cyber war is understood as something different from the attacks
that the United States has already experienced.
So today I hope we can provide a little clarity on what we
mean by cyber war. When does an act of espionage or vandalism
cross the line and become an act of war? What would it take for
a cyber attack to violate prohibitions against the use of force
under the Laws of Armed Conflict? And regardless of the
terminology we use, what should we be doing to protect the
security of the United States and our citizens?
I think it is urgent that we move quickly to address this
challenge, because it is unlike any threat we have seen in the
past. In recent history, the power of our military and safety
of our shores have kept the violence of conventional warfare at
a distance for most Americans, but technology has made the
world smaller and more interconnected, for better and for
worse.
A conventional war today could easily be accomplished by
cyber attacks on critical infrastructure here at home. Our
power grid, air traffic control systems, water treatment
facilities, or freight infrastructure could all be targeted.
Our private sector is also a likely target. The Governments
of China, Russia, Iran and other nations understand the value
of American business secrets and intellectual property. That is
why the Justice Department indicted five members of the Chinese
military conspiring to steal American trade secrets in the
metal and energy sectors and pass them along to Chinese
businesses. I hope our witnesses can provide some insight about
the best ways to shore up our defenses against these threats.
And as we guard against this danger at home, I think
America has a role to play around the world helping to
establish standards for this cyber activity, bringing
governments together to prevent and put a stop to cyber
conflict. We led the way when it came to conventional conflict,
we can lead the way again. In fact, we have already taken
positive steps.
In 2011, the Obama administration released an international
strategy for cyberspace, calling for stronger diplomacy in
private-public partnership to deal with this issue. A year
later, we pushed to classify cyber activities causing death,
injury, or significant destruction as a use of force under
international law. We worked with Russia and China through the
U.N. to limit the threat of cyberattacks against critical
infrastructure. And we took another big step last week.
Before Chinese President Xi visited the United States,
several members of this committee wrote to President Obama,
singling out the Chinese Government's cyber theft of
intellectual property as a major concern. So I was very pleased
that on Friday, the administration announced a huge win for
U.S. companies. President Obama secured a commitment from the
Chinese Government to stop engaging in state-sponsored cyber
theft of intellectual property, including trade secrets and
confidential business information.
What is more, the Chinese agreed to work with us to
prosecute cyber criminals targeting American assets. This is a
significant achievement, but, of course, we need to make sure
that China holds up its end of the deal. Talk is cheap. We have
to make sure they produce, and we have to produce by being
tough.
Mr. Chairman, let me just add, even though it is off topic,
last week, in my opinion, we achieved another landmark in
U.S.-China cooperation on another critical threat, climate change.
After years of pressure from the U.S. at very high levels, the
Chinese will start a cap and trade system to curb carbon
emissions in their country. I believe it is a very important
step.
Let me close by saying that while we have taken steps at
home and shown leadership around the world, we still have a
long way to go just to understand the nature and threat of
cyber war, let alone what is necessary to contain this threat
and protect our interests.
So, again, let me thank our witnesses. I look forward to a
good discussion and look forward to hearing their expertise.
Thank you, Mr. Chairman.
Mr. Salmon. Thank you.
This morning we are pleased to be joined by a distinguished
panel. First, Dr. James Lewis is a Senior Fellow and Director
in the Strategic Technologies Program at the Center for
Strategic and International Studies. Before joining CSIS, Dr.
Lewis served in both the Department of State and the Department
of Commerce. Welcome.
Dr. Catherine Lotrionte. Is that correct?
Ms. Lotrionte. Yes.
Mr. Salmon. Is the Director of the Institute for Law,
Science and Global Security at Georgetown University, where she
teaches courses on national security law, U.S. intelligence
law, and international law. Welcome.
Mr. Bob Butler is an Adjunct Senior Fellow in the
Technology and National Security Program at the Center for New
American Security. Mr. Butler has led a long career in
information technology, intelligence, and national security in
both the private and public sector. And he is going to the best
State in the country this afternoon, Arizona. So happy to have
that.
Without objection, the witnesses' full prepared statements
will be made part of the record, and members will have 5
calendar days to submit statements, questions, and extraneous
materials for the record.
Dr. Lewis, would you please summarize your remarks.
STATEMENT OF JAMES ANDREW LEWIS, PH.D., SENIOR FELLOW AND
DIRECTOR, STRATEGIC TECHNOLOGIES PROGRAM, CENTER FOR STRATEGIC
AND INTERNATIONAL STUDIES
Mr. Lewis. Thank you, Mr. Chairman, and thanks to the
committee for inviting me to testify.
Cybersecurity is a foreign policy problem, so it falls
squarely in the jurisdiction of this committee. While much of
our discussion focuses on domestic solutions, these by
themselves are inadequate to secure our networks against
foreign opponents. Five countries have advanced cyber attack
capabilities: The U.S., the U.K., Russia, China, and Israel.
And several other countries are developing these capabilities.
They include Iran and North Korea, both of which who have used
cyber attacks against American companies.
So far when we look at these countries, they use their
cyber attack capabilities in a manner that is consistent with
their national military strategies and their policies. This
means that cyber war is unlikely outside of some larger
conflict. If that conflict were to occur, however, whether it
was over the South China Sea or over the Russian interventions
around the world, our opponents would use cyber attack to
disrupt command and control systems and the software that
controls advanced weapons. Both Russia and China have probed
the most advanced U.S. weapons systems to prepare for this.
Critical infrastructure is a second order target. Countries
will attack it when they think they control the risk of
escalation or when they are desperate, but it is vulnerable and
it is a target that both Russia and China have probed.
While there is agreement that international law, including
the Laws of Armed Conflict, apply to cyber war, there remains
areas of significant dispute, particularly over what qualifies
as an armed attack or use of force in cyberspace. There is a
gray area since a cyber attack can cause disruption without
causing destruction or casualties. We have seen this with
Iran's attack on Saudi Aramco and North Korea's action against
Sony. How the Laws of Armed Conflict apply to this gray area is
unclear.
The concepts of use and force in armed attack underpin our
treaty obligations for mutual defense. The U.S. has worked with
its allies in NATO and in Asia to modify our existing treaties
to ensure that the use of force in cyberspace is covered by
them, is part of mutual defense.
The definition of armed attack and use of force also
determine deterrence thresholds. And I noted that, I think, the
chairman talked about a deterrence deficit. We clearly have
that. It is a major problem.
In response to Sony and to Iran's actions against the Sands
casino, the administration took steps to strengthen deterrence,
including public discussion of our improved attribution
capabilities and the creation of new cybersecurity sanctions.
The goal was to create a credible threat.
It is too early to tell if this has worked, but traditional
military espionage does not work and will not work against
cyber crime or cyber espionage. The U.S. needs to find
something other than military threats to stop these activities.
Indictments and sanctions can threaten deterrence, but more
work is needed, and this is where the committee can play an
important role.
It could consider, among other things, expanded oversight
of diplomatic activities, including the implementation and
compliance with alliance commitments and bilateral agreements,
such as the recent agreement with China, and the work in the
U.N. to build norms on responsible state behavior. It could
look at legislative actions to strengthen countermeasures.
We won't always go to war over cyber espionage, in fact, we
are unlikely to ever go to war over cyber espionage, but there
are countermeasures such as sanctions or other penalties that
we know have an effect on our opponents. It would be useful to
provide greater clarity into the legal basis for the
authorization of the use of force in cyberspace.
Finally, you mentioned the existing 2011 International
Strategy. This needs to be revised. It was written for a much
different security environment, and it needs a second look,
something that either this administration or the next will have
to do. Cybersecurity poses a difficult challenge for foreign
policy. Congress can help by providing oversight and guidance
on its international and diplomatic aspects.
I thank the committee for the opportunity to testify, and
will be happy to answer any questions.
Mr. Salmon. Thank you.
[The prepared statement of Mr. Lewis follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
----------
Mr. Salmon. Dr. Lotrionte.
STATEMENT OF CATHERINE LOTRIONTE, PH.D., DIRECTOR, INSTITUTE
FOR LAW, SCIENCE AND GLOBAL SECURITY, GEORGETOWN UNIVERSITY
Ms. Lotrionte. Thank you for the invitation to speak to you
today about international law and cyber operations.
Even though there have not yet been discrete cyber
operations that rise to the level of damage to property and
lives equivalent to kinetic attacks, cyber operations are a
part of the traditional military operations today, fast
becoming a part of modern kinetic warfare. Such cyber
operations first appeared overtly in the 2008 armed conflict
between Georgia and Russia, also during the armed conflicts in
Afghanistan and Iraq, and throughout the armed conflict in
Libya and Syria, and recently have played a significant role
during the 2014 armed conflict between Russia and Ukraine.
This emerging reality requires that states examine the
question of how to treat cyber operations under international
law. There appears no alternative at present but to consider a
host of legal propositions in examining the law related to
cyber operations and assessing whether the laws that we
currently have are adequate as cyber operations become
ubiquitous.
Under current international law, cyber operations would
amount to internationally wrongful acts if they were
inconsistent with established international law. To date, there
is only one treaty that explicitly addresses cyber activities:
That is the 2001 Budapest Convention on cyber crime.
There is a growing international consensus that aspects of
international law do apply in the cyber domain, but most of the
details about how it applies remains in flux. Many states have
affirmed the application of existing laws, including the U.N.
Charter and the Laws of Armed Conflict. And while it is well
settled in the U.S. that the U.N. Charter and the Laws of Armed
Conflict apply to cyber warfare, the challenge is determining
exactly how it applies and getting international agreement on
those issues.
In July of this year, the fourth U.N. Group of Government
Experts, under the auspices of the Secretary General and
composed of 20 states, finalized its recent report to the
General Assembly. The report highlighted norms for peacetimes
that states should abide by, including that states should not
conduct or knowingly support actions that intentionally damage
critical infrastructure of other states.
Under the international law related to the use of force, it
remains unclear whether a cyber operation that does not result
in physical damage or injury can nevertheless amount to an
armed attack for purposes of Article 51 of the U.N. Charter,
when it generates severe but nondestructive or injurious
effects.
While the U.S. has asserted in a report to the U.N. that
``under certain circumstances a disruptive activity in
cyberspace could constitute an armed attack,'' it has not
indicated which sorts of disruptive activities would qualify.
And under International Humanitarian Law, or IHL, cyber
operations executed in the context of an armed conflict are
subject to the Law of Armed Conflict. For example, because the
conflict between Russia and the Ukraine is international in
nature, the ensuing cyber operations are subject to IHL.
However, for the customary legal rules of proportionality and
the requirement to take certain precautions during an attack
under IHL, the meaning of the word ``attack'' for purposes of
cyber operations is contested, and yet it is critically
important in determining if the rules apply.
In conclusion, while there may never be a comprehensive
treaty on cyber operations under international law, verbal
acts, such as diplomatic statements, policy statements, press
releases, military manuals, decisions of national courts,
opinions of official legal advisors, pleadings before
international tribunals, and executive decisions and
regulations, and importantly for this committee, domestic
legislation can also serve to develop customary international
law.
The U.S. can actively work to develop these specific
customary principles that it wishes to prevail internationally
by being outspoken and transparent about what it views as the
law in cyberspace. This, of course, will also require constant
and consistent action along with those words.
Given the existing difficulties involved with adopting a
new treaty in this area, a reinterpretation of existing laws to
accord with the emergence of cyber operations, along with the
development of new customs that serve to adapt existing norms
to cyber operations, will likely be the path states take.
The U.S. can build deterrence by telegraphing or clearly
articulating and promulgating an interpretation of the law it
believes is applicable to cyber operations. Doing this means
being specific and being clear, specifically about the
thresholds for a use of force and an armed attack under the
law. For example, on the issue of what constitutes a use of
force, the U.S. could take the position that cyber operations
executed against certain categories of targets, whether they
are SCADA systems or specific critical infrastructures, creates
a rebuttable presumption that such actions constitute a use of
force for purposes of Article 2 of the U.N. Charter.
The U.S. could explicitly state such a position is a White
House national security strategy, for instance. In making such
legal assertions regarding thresholds and acting in accordance
with those outlined thresholds, the U.S. could also seek
agreement on these explicit thresholds from other States to
develop clearly what the law is. Under such a legal framework,
we can develop methods of countermeasures to hold those
accountable for not complying with the law. This is just one
way to develop deterrence when speaking about cyber conflict.
I thank you, and I look forward to your questions.
Mr. Salmon. Thank you.
[The prepared statement of Ms. Lotrionte follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
----------
Mr. Salmon. Mr. Butler.
STATEMENT OF MR. BOB BUTLER, ADJUNCT SENIOR FELLOW, TECHNOLOGY
AND NATIONAL SECURITY PROGRAM, CENTER FOR A NEW AMERICAN
SECURITY
Mr. Butler. Congressman Salmon, Ranking Member Engel, and
distinguished members of the committee, thank you again for the
invitation to come and talk about cyber war and related topics.
These are my opinions and not necessarily those of the U.S.
Government or the Center for a New American Security.
The bottom line upfront for me is that, you know, we have
done a good job, I think, as a country in building strategy and
developing strategy. We are lagging in implementation. And I
would agree with my colleagues and Congressman Salmon's remarks
about deterrence deficit. We are definitely in a situation of a
deterrence deficit, and we are increasing our risk exposure
over time by not remedying those actions.
I say this from my perspective as a software developer,
that is how I was trained; and from a DOD perspective, where I
served in the United States Air Force for 26 years both as a
computer systems officer and an intelligence officer; from a
policy perspective, having served as a deputy assistant
secretary over at the Pentagon on cyber policy; and from 6
years in the private sector working in both building business
and building security programs globally.
So rather than going through my remarks, I would just like
to summarize some of the salient points and then stand ready
for your questions.
First of all, on the topic of cyber war, I think that is a
misnomer. We are talking more about actions and tools and
capabilities in cyberspace that are used as we move through
cyber conflict, and so the idea within the Department of
Defense of a combined arms campaign where cyber capabilities
are integrated as we go through different phases on the run-up
to conflict and de-escalation.
With regards to the treaties, I think Catherine went
through it in quite good detail. My sense, and from practical
experience, is that the Law of Armed Conflict does apply in
cyberspace, as do other international rule sets. There are
principles, such as proportionality, that do apply.
Treaties are important. What we have with the North
Atlantic Treaty Organization in terms of collective defense is
an important aspect of it. And those kinds of treaties that
fall below the level of war that we are using in law
enforcement, like the Budapest Convention that Dr. Lotrionte
mentioned, are key aspects of how we need to think through this
problem set.
With regards to deterrence, we have mentioned the
International Strategy on Cyberspace a few times. That really
is our declaratory statement. We reserve the right to use all
means to defend ourselves in accordance with international law.
But saying something is not just the only element of
deterrence. We need to be able to display and project force,
whether that be in economic sanctions or in other ways. We need
to have deterrence by denial, where we build up defenses and
avoid things like an OPM breach. We need to look at resiliency
that takes us beyond U.S. Government activity and into the
critical infrastructure. And we need to do more in those areas.
From the standpoint of diplomacy, I think there is
definitely a role in this emerging area of cyber diplomacy--
whether it be bilateral, multilateral relationships as we see
with the North Atlantic Treaty Organization, or multi-stakeholder
kinds of partnerships as we talked about with the
United Nations and the Government Group of Experts, or in
private sector collaboration. More on that in just a few
moments.
In terms of foreign policy implications, certainly I think
there are foreign policy thrusts here. We need to develop
norms. We need to also develop standards and comport to
international standards and ensure others comport to those
international standards as well. We need to have a leveling set
of rules. We need to build partnerships, public-private
partnerships that extend internationally, and we need to find
enforcement mechanisms as we go forward in time.
In terms of the administration and the assessment that I
would have is, again, strategy blueprints have been good, but
our implementation has been lagging. We need from the President
on down a unified vision and a much greater focus on
implementation.
Here we need to look at resources, yes, but also
authorities and, more importantly, accountability within each
of the departments that have responsibilities here. And I do
believe this takes us into new ways of looking at how cyber
activities should be comported over time.
In terms of the laws, we need to update the laws, whether
it be the existing communications laws, such as the Electronic
Communications Privacy Act, the Computer Fraud and Abuse Act,
or the Critical Infrastructure Partnership Advisory Council
authorities. Those all need to be used as updated tools to help
us in this area of building deterrence.
Finally, in terms of the role for the committee, I really
endorse Jim Lewis's comment about the committee taking on a
greater role in reviewing the International Strategy on
Cyberspace. It does need to be updated. The threat has changed
significantly. We need measures of effectiveness, and I think
it would be helpful for the committee to be involved there.
Secondly, I think as an aspect of that, a key aspect, is to
begin to drive international private-public partnerships, to
build trust as well as to build a coalition of interested
stakeholders to help us with norm development, enforcement of
those norms, and understanding of cyber conflict. I think to
get to that particular point, it is important to bring in
U.S.-based multinational representatives and experts to help inform
that discussion and look at things that have been discussed
already from the government side, like the Wassenaar agreements
on export control.
And then, finally, I think from an education standpoint,
there are ways that we can actually increase our understanding
through tabletop exercises, and I would commend that the
committee think about using such types of tabletop exercises to
continue their education and promotion of where they want to go
in helping us with cyberspace.
I stand ready to address your questions.
Mr. Salmon. Thank you.
[The prepared statement of Mr. Butler follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
----------
Mr. Salmon. Well, we will now begin member questions.
Last week President Xi Jinping visited the United States.
Among other things, they came to an agreement on economic
espionage, cyber espionage that neither country's government
will conduct or knowingly support cyber-enabled theft of
intellectual property with the intent of providing competitive
advantages to companies or commercial sectors.
To me, the wording is vague and it gives both the U.S. and
the Chinese side substantial room for interpretation.
Tell me, Dr. Lewis, does this agreement actually mean
anything? Why do you believe President Obama chose to forego
any public discussion of the grievous economic and security
losses from China's previous attacks? And given that China
believes that economic security is a national security
imperative, do you predict whether China will actually
substantially decrease or cease cyber theft in this realm?
Mr. Lewis. Well, I would agree with you. Thank you for the
question.
By the way, the very first time I ever testified 15 years
ago was in front of this committee. I couldn't sleep the night
before, I sweat through my shirt, and I stuttered. So it is a
lot more fun being here as a private citizen.
Mr. Connolly. Dr. Lewis, I have the same problem.
Mr. Lewis. Yeah.
Mr. Salmon. Just stay awake for the answers, and we will be
all right.
Mr. Lewis. That is my advice.
It is a significant step forward, because for the first
time a Chinese leader has addressed the issue of commercial
espionage, and in the past, the Chinese have stoutly denied in
public that they have any concern with this activity. In
private, they have made the argument that for them commercial
espionage is a national security issue, and so therefore they
are legitimate in that kind of espionage.
In talking to administration officials, they know there is
wiggle room in the language. They have told me they will be
watching it closely to see how well the Chinese live up to
their commitments. It is not an on/off switch. This is very
difficult for Xi, in particular because the PLA, which is our
primary actor, makes money. This is a source of extracurricular
income for them, and they are not going to be happy giving it
up.
But we can now count to a degree the number of economic
espionage incidents that occur in the U.S., FBI and NSA can
count them, and so that means if the Chinese live up to their
agreement, the numbers should start to go down; if it stays the
same or it goes up, we know they are not. And what I was told
by, again, administration officials is sanctions are still on
the table. They realize they may have to take action.
Mr. Salmon. Mr. Butler, despite affirmations and
reassurances, we should still be prepared for malicious cyber
incidents, correct?
Mr. Butler. [Nonverbal response.]
Mr. Salmon. With your prior military and government service
and current private sector experience, what do you think our
priorities should be in contingency planning for these attacks
or for continued cyber espionage that targets our military and
economic assets?
And lastly, for anyone on the panel after you address that
question, if this government--or excuse me--if this agreement
doesn't live up to its word, what should the U.S. Government do
besides maybe sanctions? Are there other opportunities to
escalate the severity of the issue? So what are some of the
other options? Mr. Butler.
Mr. Butler. Thank you, Congressman Salmon. I think our
priority is to get our own house in order here. We need to
improve our defenses first and foremost. We can't go through
another type of breach like we have seen of the magnitude and
severity of the OPM breach. So finding ways to, what I would
say, create cyber hygiene and doing that quickly will help us
in a significant way. I think beyond that, it is now thinking
through resiliency within the critical infrastructure. As a
foundational piece, I think we need to continue to improve in
our deterrence by denial activities.
At the same time, we need to think through how to establish
norms much faster and find ways to enforce those norms. Again,
I think one aspect of that is what I was discussing earlier, by
bringing the private sector into the discussion to help us with
understanding their perspective and looking at ways that we can
tie together continuity of government and continuity of
business-type activity.
Beyond that, and in terms of other options, we need to make
sure that we not only speak about the potential for creating
cost on the part of an adversary, but be able to show that. And
that needs to be certainly in the demonstration of force,
things like economic sanctions, but it is also showing the
ability to be able to operate in spite of attacks. And so
finding ways to work across the spectrum of those options, I
think, is absolutely critical.
When we talk about deterrence today, it is cross-domain, it
is the idea of using economic sanctions, potentially some other
tools in the economic inventory that take us from beyond OFAC
work into looking at ways that we could restrict travel of
individuals into our country based on, you know, wrongful acts
that are being prosecuted. It is certainly building the
capability through our law enforcement activities and finding
ways to not only name and shame, but to continue to work with
entities like Interpol to help us with taking down illegal
activity around the world. It is working to continue to grow
the cyber mission forces that we have laid out in the defense
cyber strategy. So I think it is a multifaceted strategy, it
is cross-domain deterrence.
Ms. Lotrionte. If I can add something to that. I think that
with this agreement, it would be very good if the United States
had a plan in place already for, one, how they are going to
verify this. So, optimally right now, we would have measures in
place and sensors in place that we would be able to basically
approach the Chinese, and we would have to determine now which
forum we would want to approach them in when and if they cheat
in this agreement. Once that happens, though, I think we have
to have, as Bob said, a cross-domain strategy.
And I would activate all those elements at once, meaning I
would use law enforcement tools; I would start prosecuting
those that are violating our domestic law; I would pull out all
the options on sanctions, whether it is financial or others; I
would also look at the WTO; and I would start bringing
immediately--I would have the USTR ready to bring charges or
claims against China for violations in the TRIPS agreement;
and, of course, less spoken of publicly, I would have our
intelligence organizations actively prepared to do
counterintelligence and, in the more covert world, things to
counter their actions.
So, I think we need to have that plan now and assume the
worst, assume that they will cheat, so the minute they do, we
have every avenue of the U.S. Government prepared to take
action.
Mr. Lewis. Just to build on that quickly, there was an
intense debate within the administration on how to respond to
the OPM hack, and sanctions were the middle course. Some people
wanted to do more aggressive things, some people didn't want to
do anything. So I think that the Chinese got the message that
we were mad about this and would take action.
And in the future, to both strengthen deterrence and make
sure there is compliance with the agreement, we probably will
need to think about possible punitive actions, whether that is
publishing financial data, leaking financial data on Chinese
leaders, or erasing data on their servers, sanctions,
indictments. There are a range of tools, but we will probably
have to use them.
Chairman Royce [presiding]. We are going to go now to our
ranking member, Mr. Eliot Engel.
Mr. Engel. Thank you, Mr. Chairman.
As your testimony shows, the international community has
not yet formed a consensus on how to reduce cyber conflict. For
example, some of our adversaries in cyberspace have advocated
for an arms control approach, while America is focused on
establishing global norms and confidence-building measures.
So let me ask Dr. Lewis and Mr. Butler, what do you see as
the greatest factors motivating countries to support one
approach over the other, and what are the most significant
barriers to fostering a greater international consensus? Why
don't we start with you, Dr. Lewis.
Mr. Lewis. Thank you for the question.
One of the things that is interesting is that while there
is a wide disparity of views on what we should do, all
countries are afraid of cyber war, and this is from the biggest
to the smallest, and many of them fear Cyber Command quite a
bit. And I always wonder, should I tell them the truth or
should I let them continue to believe that we are omnipotent,
but that is the impression, and so it is that shared fear that
drives the negotiation.
The dilemmas with a traditional arms control approach,
which is the preferred Russian approach, is, it is difficult to
define what is a cyber arm. They clearly would like to include
information in that category. The Russians talked about
information weapons, which doesn't make any sense, right, but
they would like to control information, and they have
supporters in the world.
So the treaty approach has verification problems, it has
definition problems, and that is why the U.S. decided to go
after norms of state behavior. You have to think about how you
would verify compliance with norms and you have to think about
penalties if norms aren't followed, but the arms control
approach has just not been that useful because of its sort of
structural problems that we face.
Mr. Engel. Thank you.
Mr. Butler.
Mr. Butler. Yes, Congressman Engel. I think the incentives
and the factors for driving people into this discussion exist.
Really everyone is affected by some type of malware or
maliciousness that is going on in cyberspace, whether it is
China, Russia, Iran, North Korea, our allies are affected, and
so there is an incentive to come to the table and discuss. The
challenge, as Jim indicated, is there is fear. There are also
problems with taxonomy. We have different doctrines in terms of
what is in cyberspace, and what is not in cyberspace, including
these physical and logical structures.
We also are challenged with regards to understanding our
overall objectives as we come to the table. As we look at, for
instance, you know, the United States, we are trying to create
an open and secure environment that allows for a global
transaction platform and national security. Many countries see
the benefits in that, but they see it as a U.S.-defined
environment, and so going to multi-stakeholder types of venues
actually helps us, the government group of experts, for
instance.
And, finally, I would say that one of the other barriers is
getting folks involved in the global economic system. And here
is where the private sector again comes into play. I think it
is important for nations, whether they are, you know, very,
very developed or underdeveloped, to see where we are heading
and helping folks to begin to see the value of being on the
Internet.
There is this aspect of fear that not only comes from cyber
war for high-end states, but as we think about some of the
underdeveloped countries of the world not understanding exactly
where we are going in terms of an interconnected society.
Mr. Engel. Thank you.
Dr. Lotrionte, let me throw a double-edged question at you.
As international conflict increasingly moves into cyberspace,
we need to be prepared for situations in which our military
engages in hostilities overseas without deploying troops
outside the United States. So in your opinion, would such
activities trigger the congressional oversight and
authorization requirements of the War Powers Resolution, and
what steps should Congress take to ensure that cyber activities
of the U.S. military fall within these oversight and
authorization requirements?
And let me also add, as the United States works to develop
global norms and customary international law governing cyber
conflict, what legal clarifications are needed to ensure that
we are able to prevent and respond to cyber threats by
terrorist groups and other nonstate actors?
Ms. Lotrionte. Okay. Thank you for the two-part question.
First on your question with respect to the applicability of
the War Powers Resolution, so as it is today, the language of
that statute today, for most of the cyber activities that one
could anticipate or think of where the U.S. would be conducting
these activities abroad without soldiers engaged abroad, my
position on that in the current state of the language is it is
not applicable, meaning that if you look at the words within
that statute, there could be a whole scope of cyber activities
that would not trigger. So, if the President is honestly
looking at that statute and trying to fulfill his reporting and
consulting requirements, there are a lot of activities that
would not be triggered.
There are two elements of that resolution that bring me to
that reason. The two triggering elements for reporting are the
words ``armed forces'' and ``hostilities.'' And when you are
talking about, not just cyber, but other emerging technologies,
even drones, nanotechnology, there is a slew of new
technologies in which this resolution is wholly inadequate in
terms of covering.
But particularly with cyber, when you are talking about
armed forces, that language needs to be expanded if you would
like to cover and trigger that consulting and reporting
requirement from the executive branch. As well as the
phraseology with respect to hostilities, that has to also be
expanded.
So, you know, for instance on the armed forces, it is not
so much armed forces will be involved overseas necessarily when
you are talking about the use of cyber tools by the President,
but you need to use the language that would be suitable for
that statute would be something to the effect of adding
capabilities, language about capabilities, oriented provisions
or supplies.
And as far as the phrase in the statute on hostilities, I
would expand that language and not just leave it as it is
today, but expand it to include it is not only engaging in
hostilities, but it is also potentially the violation of the
sovereignty of another nation that may trigger it.
Now, this, of course, would take some consultation, but if
you ask me the original intent of that statute, if we wanted
that original intent to consist today and you want the
reporting and consulting that was envisioned for the
legislative branch in the war-making process with the
President, that is what I would say would need to be changed.
That was the first one. Would you like me to go on to the
second question you had or----
Chairman Royce. Should we do that in writing?
Mr. Engel. I guess we can do that in writing.
Ms. Lotrionte. Okay.
Mr. Engel. Thank you.
Chairman Royce. Yeah. Thank you.
Let me ask a quick question to Dr. Lewis. We had the cyber
attack on Turkey's electric grid. That was on March 31 of 2015.
That was a 12-hour power outage, affected 40 million people in
Turkey. You had the Iran cyber attack against American
companies and the 2012 cyber attack on Saudi Arabia's oil
conglomerate that destroyed the data on tens of thousands of
computers.
So the question I have is what impact could the
administration's lifting of sanctions on Iran have on Iran's
cyber capabilities going forward?
Mr. Lewis. It is a very good question and one that I think
people, particularly in the financial sector, have been paying
close attention to. The theory that most folks had was that
Iran would be on its best behavior while the nuclear deal was
being negotiated.
Chairman Royce. But they were hacking during the--they were
doing the attacks during the deal.
Mr. Lewis. Well, they weren't doing it as much as they were
doing it against U.S. banks. They toned back a little bit. And
the question is once this is completed, will they resume their
activity, and so I think that is something that we are all
watching.
My assumption is that Iran will be aggressive in the
Persian Gulf. And the whole point of much of the discussion
around the Sony episode----
Chairman Royce. Okay. I have got to stop you right there----
Mr. Lewis. Okay.
Chairman Royce [continuing]. Because James Clapper says
that Iran used cyber to attack U.S. military networks in
December 2014. That would be in the middle of the Iranian
nuclear negotiations. I don't know how you can present this
thesis if they are in bad behavior in the middle of a
negotiation where they are trying to get us to do what they
want us to do, and now you say, well, now afterwards, after we
have lost the leverage, they are going to change their
behavior. And let me go to another question.
Mr. Lewis. Oh, change their behavior for the worst.
Chairman Royce. Yeah.
Mr. Lewis. This is not--one of the changes in the last few
years has been significant improvement on Iran's attack
capabilities.
Chairman Royce. Yeah.
Mr. Lewis. So the concern is will they use them against the
U.S.? And they used them against Sands.
Chairman Royce. Yeah.
Mr. Lewis. You know, so----
Chairman Royce. Yeah. Well, very good. I appreciate that,
Dr. Lewis.
I have got a question for Bob Butler. The DNI, our Director
of National Intelligence, says he doesn't think that the
agreement announced last week during the visit of President Xi
is going to impact the bottom line in how China attempts to
access U.S. computer systems, including our intellectual
property. I was going to see if you agree with that. How do you
gauge that agreement? Is it going to affect the cyber conflict?
Are they going to honor the agreement?
Mr. Butler. I think the proof is in the pudding. We are
going to have to wait and see. We had an agreement on Friday.
We have also had an informal announcement about the Chinese not
being very happy with some of our positions on U.S. Internet
policy since then. I think we need to see from a validation and
verification standpoint with regards to the follow-through on
this.
My sense is the wording is important. You know, there was
no agreement, of course, on espionage writ large, specifically
on commercial secrets and how that is interpreted. So I think
we need to put in place immediately some type of validation and
verification scheme that takes advantage of our national
intelligence apparatus, but also capabilities that we have in
the private sector to understand what exactly is changing and
how it is changing as we go forward in time.
Chairman Royce. Let me ask a question of Dr. Lotrionte.
Which U.S. Government agencies are responsible for addressing
cyber-war-related threats and response and recovery efforts?
Because the point I want to make is should the Department of
Defense protect the cybersecurity of the U.S. homeland from
significant cyber attacks? And is it really time for us to look
at this just as, you know, during the second world war, we
stood up the Air Force as a separate branch in order to give
that responsibility, give that authority? Is it time to do
something like that?
Ms. Lotrionte. So I think there are multiple agencies and
departments that have underneath their legal mission or
authority a role to play both in preventing, but also
countering and responding.
First I would start with State Department, the significant
role in the diplomacy. In order to have a form of deterrence,
we need to have the establishment of some agreements, these
norms, right, to make a link----
Chairman Royce. You know what, what I am going to ask you
to do, as an attorney, you have a great background in this:
Could you delineate that in writing for me, because I am about
to be out of time and I wanted to ask Bob Butler one more
question?
If a cyber attack took down our financial system or took
down the electrical grid, would the United States consider it a
use of force, and if so, how would we determine who to strike
back and who to strike against?
And, Dr. Lotrionte, I am going to ask you that too, but,
Bob?
Mr. Butler. Sure. Mr. Chairman, certainly from the vantage
point of taking down life safety systems, the grid, water
treatment systems, and looking at our financial services, I
think that would be of serious consequence. We are planning,
from a DOD standpoint, national teams to support that.
In terms of figuring it out, you know, I think we have to
understand what the ``roll-up'' is to cyber conflict, and maybe
I will just take 30 seconds here to explain how that takes
place.
I mean, initially we see reconnaissance activity, right? We
see people scanning networks. We then see people crawling on
networks. Then we see focused targeting of activity based on
our knowledge--based on the adversary's knowledge from what
they have done on reconnaissance and surveillance activities.
Then potentially we see exploitation through malware that could
lead to stealing things. It could also be an implant that
basically positions someone for a further attack, whether it is
disruptive or destructive.
We would need to find and ``lay in'' intelligence both on
the national security side and with commercial sensors to help
us understand what is ``going on,'' on the network.
Chairman Royce. Well, okay. So here is what I am going to
do. I am out of time, but----
Mr. Butler. Yes.
Chairman Royce [continuing]. If any of the three witnesses
for the last two questions have some ideas here in terms of
attribution techniques and how we could follow up on that,
because that is what you are getting to, that would be helpful
to the committee.
We now go to Karen Bass of California.
Ms. Bass. Thank you, Mr. Chair.
In listening to your testimony, I wanted to know if either
one of you, you know, out of the three could give me examples
of where you think other countries are doing a good job in
terms of cybersecurity, and maybe there are some lessons that
we can learn from there.
And then I believe it was you, Mr. Butler, that were
talking about the consequences and maybe imposing sanctions on
individuals. But then, how do we address it when a lot of this
is state run?
And then finally, sorry to load up all my questions, but
when I think of some of the major terrorist groups that we are
dealing with, whether it is Al Qaeda or ISIS, or the Taliban,
what level of involvement do they have in cyber attacks?
Mr. Lewis. I will start. Let me come back briefly to the
earlier question, though, which is to if you want to get the
Iranians to change how they think about this, you don't want to
take a passive approach, and that has been one of our
problems----
Ms. Bass. Are you----
Mr. Lewis [continuing]. One of our problems in
cybersecurity. We need to make credible threats and we need to
have countries believe that we will respond with some punitive
action.
Not a lot of people are doing a good job on this. The
Israelis have done a good job, but not perfect. The Russians
have done a good job, the French, and to some extent the
British. That might be it in the world. We do okay, but one of
the things we need to do is make people believe that if they
hack us, there will be punishment, and that is maybe the most
important thing we can do.
Ms. Bass. And are any of our intelligence agencies
cooperating or taking lessons and implementing practices from
the countries you just mentioned?
Mr. Lewis. We have really close relations with the British.
We have okay relations with the Israelis and the French, good
relations, but not as close as the British. So there is an
effort in the context of our alliances to build a collective
defense.
Ms. Bass. Thank you.
Mr. Butler. Let me go to your first question with regards
to states that are doing good work in the area of
cybersecurity. I think the U.S. model and allied models
continue to grow. And when I look at really good work going on
around the globe, I think of the partnerships that we have in
place.
So, if I look at the Japanese Computer Emergency Response
Team, which is really the APAC Computer Emergency Response
Team, they have taken lessons learned from what we have done
and others, and are really doing a pretty good job in tracking
advanced persistent threats.
When I think about, for instance, what are we doing on the
global transaction platform, the Financial Services-ISAC, or
Information Sharing and Analysis Center, has broadened their
approach to where they are now looking globally as opposed to
just within the country.
There is a new activity that has stood up in Singapore that
is an extension of Interpol--Global Center for Innovation.
Here, a model that we, I think, pioneered, maybe some others
were involved in terms of botnet takedowns, proactive botnet
``takedowns,'' is being worked on on a global basis.
So I think both on the proactive/prevention side as well as
on the prevent, or on the response side, there are models that
we can look at. And, again, we have been involved with helping
others in that area, but we can also learn from that as well.
In terms of sanction enforcements, I think, again, it is a
combination of trust and verify. So there are different
economic and trade remedies that could be employed. We need to
look at the impact as best we know it would have on the
nation-state, and then we need to think through the enforcement, the
verification mechanism, and certainly intelligence is involved
in there, but we could also ensure validation through a partner
working in conjunction with us against that potential
adversary.
In terms of looking at the terrorist issue, deterrence is
different. I like to talk about tailored deterrence against
nation-states, a nation-state, and what is required to deter
that particular actor. A lot of the things we have been talking
about lately really are focused on determined resource
nation-states as opposed to terrorist groups.
And in this space, we need to think hard about, you know,
for instance, in ISIS, that is growing in social media
campaigns and recruiting and creating challenges for us. How do
we deter those kinds of actors and how do we deter actors that
are really where we don't know a lot about their doctrine?
Ms. Bass. Thank you. I appreciate it.
Dr. Lotrionte?
Ms. Lotrionte. In terms of other countries working well on
the cybersecurity front, I would put in a word for the Brits in
terms of what I have seen they do. Now, a lot in the awareness
area and also working with their universities. They have less
than we do in this country, but they have done a lot of good
work, the government has, in reaching out and coordinating to
understand what resources on that, the higher education level,
and putting in R&D as well.
I think they are not better than us, but they have followed
our lead in most of the ways that we have communicated with the
private sector. I think they also are working on getting better
at that, sending out warnings to their companies about the
nature of the threat.
But I would say in general, and this is not always the
case, I think the U.S. is the lead in this, and the Europeans,
I have heard the Europeans say that. And I have often had,
whether it is the Japanese or the Germans or other East Asian
countries, when they come into town, the officials are coming
into town and going to the State Department, they often come to
me and they have asked me, talk to me about how the U.S. is
handling and doing their cybersecurity work. And they are
looking to us for good examples, for models. So I think that
might be my general sense.
On the sanctions, over the years watching how under
international law targeted sanctions, while slow in terms of
their effectiveness, can ultimately be effective. I think you
can do very targeted, smart sanctions against individuals. You
know, I personally like the thought of freezing assets. When
people lose their money and they no longer can get their money,
you usually see some effect.
Ms. Bass. Thank you.
Ms. Lotrionte. And terrorist groups are also definitely, as
Bob has already said, a consideration we have to deal with.
Ms. Bass. Thank you very much.
Chairman Royce. We go now to Mr. Dana Rohrabacher of
California.
Mr. Rohrabacher. Thank you very much, Mr. Chairman.
I guess we are talking about a number of approaches to this
sort of new subject. I don't think anybody talked about this
10, 20 years ago. And what you just said when we were talking
about a retaliation, I was thinking in terms of retaliation
versus sanctions.
Would it not be better to try to set up a system where we
are not offering some sort of economic sanction, but instead if
we catch you and your people, how do you say, disturbing our
system, our economic system in some way or our weapons systems,
that we will just retaliate against your systems? That the
Chinese banks will have to experience some problems if people
keep hacking into our banks? Isn't that what--wouldn't that be
more effective than telling the Chinese Government, you are
going to not be able to deliver anymore widgets over here that
you have manufactured?
Ms. Lotrionte. I can----
Mr. Rohrabacher. And we will ask our whole panel that. Go
right ahead.
Ms. Lotrionte. I can say something about the law, at least
international law. Well, first, absolutely correct: 10 years
ago we weren't dealing with the level of threats, and
therefore, it wasn't really a conversation about talking about
responses, right, and how to react to this. But since then,
luckily, a lot of people have given a lot of their time
internationally to think about the rules that we had and have
today, can we actually use them effectively to actually respond
in a pretty effective and meaningful way?
And, yes, it is sometimes economic, you try to use the, if
you will, less escalatory means to resolve this dispute, right,
whatever it is, and the law actually requires that. But at
times you will need to actually go to the higher level of the
spectrum and maybe use force.
So most of what my written statement for the record, that I
have given you, but also I tried to summarize it really quickly
was that is why I put most emphasis on really looking at some
key terminology that we have all accepted under international
law, use of force in armed attack, and come to agreement on
what those terms mean. Why is that important? Well, it is
because then we will all know where the line is.
Mr. Rohrabacher. Right. I understand that part of your
testimony.
Ms. Lotrionte. And I think you can use force.
Mr. Rohrabacher. I think the gentleman would like to
comment as well.
Mr. Lewis. Sure. Thank you, Congressman.
So we talked earlier about a deterrence deficit. People
don't believe that the U.S. will take action in response----
Mr. Rohrabacher. Right.
Mr. Lewis [continuing]. To these cyber things, and so we----
Mr. Rohrabacher. There is no deterrent unless there is a
capability of retaliating.
Mr. Lewis. Well, we have the capability, it is people don't
think we will do it. And so one of the most important things we
could do is think, how do we persuade the people like the
Irans, the Chinas, the Russias that we would retaliate for some
kind of cyber action. And many of us are coming to the belief
that----
Mr. Rohrabacher. Give me----
Mr. Lewis [continuing]. We might have to do it once.
Mr. Rohrabacher. Give me an example of when you say, we
will retaliate, what that would mean.
Mr. Lewis. You have a range of options. You could, for
example, with OPM, you could have erased data on some of the
Chinese computer networks that held the OPM data. That wouldn't
have taken it away. It is gone forever. But it would have sent
a signal. You could leak financial data on Chinese leadership.
You could interfere with the power grid. There is a whole range
of things we could do. But I think the fear is until we do
something, and it might be sanctions, until we show some
reaction, people won't take our threats seriously.
Mr. Rohrabacher. Mr. Butler, do you want to----
Mr. Butler. I think it is important to look at who we are
trying to deter. So in China, for instance, if you go back and
just look at August and the Shanghai Exchange, I mean,
something that would hurt would be to impact, you know, them
economically. They are trying to be part of a global economic
system----
Mr. Rohrabacher. Give me an example of what you think we
would--if China has these assets that they are now building
that will hurt us, what would we do with our capabilities to
retaliate against a Chinese, well, they already are,
apparently, breaking into our banking system, et cetera.
Mr. Butler. If we could impact them adversely in an
economic way, I think that will have a significant impact on
it. I mean more and more, I see people like Jack Ma of Alibaba,
Huawei, and ZTE driving into the global economic system, and
needing business outside of China. And they have influence in
China.
On the flip side of it, we have organizations, U.S.-based
multinationals that have relationships in China and actually
have Chinese clients. We should be taking advantage of that to
shape the environment to our advantage, as opposed to waiting
for something and then reacting.
Mr. Rohrabacher. I think this is a very fruitful
discussion, but only probably the first one that we should have
on this issue. And let me note that--let me ask this. When the
chairman mentioned the cyber attack that may have taken place
with the Iranians against some of our naval vessels, could that
have been in retaliation for, perhaps, an Israeli attack on
their reactors?
Mr. Lewis. I don't know in that particular case. In other
cases, there probably has been some retaliation because of
attacks attributed to Israel. So the Kharg Island incident
where the Iranian oil----
Mr. Rohrabacher. We are going to have to make sure that we
establish, and this hearing is the first step toward getting an
honest discussion of this, so I thank the chairman for
scheduling this hearing because we are going to need to know
how to verify that there has been an attack, verify who the
attack is from. We are going to determine what type of
protection that we can have that will nullify or at least
protect us against these attacks, what type of systems we need.
And then we need to discuss if there are attacks like this,
what type of retaliation, what are our options of retaliation.
And as we heard earlier, even the wording as to what will, what
will justify a type of retaliation, just the wording of it, we
haven't even determined that yet.
Mr. Lewis. That is a really important----
Chairman Royce. And maybe, Doctor, we can respond to that
in writing.
We are going to go to Alan Lowenthal from California.
Mr. Lowenthal. Thank you, Mr. Chair. And I want to thank
the panelists. I mean, this is something that I am just
learning myself and I find it fascinating but I certainly don't
consider myself an expert in any way.
I would like to return now when we are dealing with
cybersecurity, rather than the focus on where the attacks come
from on our own infrastructure and how much we are doing to
protect ourselves and our infrastructure. I believe that the
President has issued an Executive order pledging, I think it
was 13636, to improve our infrastructure, critical
infrastructure in terms of cybersecurity.
I would like to know what significant security developments
have resulted from that Executive order. Has it been effective?
How much of our own critical infrastructure is vulnerable? And
what are we doing about our own infrastructure to understand
the vulnerabilities that we face today? Anybody want to jump
in? Again, to my edification. It may be common knowledge to
everyone else but it certainly isn't to me.
Mr. Butler. I think it is a great question. With the
Executive order and actually prior to the Executive order,
certainly our life/safety systems sectors have been taking
action. They have been incentivized through the government to
take more action.
Again, I will just start with financial services and our
banks and related financial service activities, they have been
practicing, you know, in terms of incident response for some
time. They have been doing a lot of information sharing. They
have gone beyond information sharing into joint solutioning.
They have helped to develop automated ways of information
sharing to find new standards, and they have taken that
globally.
When I look at what is going on in the energy world, we
have work to do. Our energy grid is a challenge. And based on
the regulatory nature of how FERC and NERC work to support
different utilities, co-ops, and consortiums. We need to find
ways to actually not only create incentives but work through
standards and get the grid to a point where it is a lot more
resilient than it is today. As we build that new
infrastructure.
Mr. Lowenthal. Have we not looked at these issues over
time? Is that really, we did we not understand the
vulnerabilities to our private sector and allowed them to
develop without even questioning some of these issues? And is
that true in terms of our own, say, Department of Defense which
may have been more responsive to some of these issues earlier?
I don't understand the difference between the private sector
development and the public sector development, the defense
development.
Mr. Butler. In the Department of Defense, we have been
working on the whole issue of cyberspace and operating
effectively in cyberspace for years. We have continued to try
to ramp up and improve our defenses as we work through concepts
for growing cyberspace as an operational domain in conflict and
warfare.
From the private sector perspective, there has been
different levels of understanding and knowledge, primarily
driven by business motives. And so the financial services, even
before the 2012/2013 attacks, the distributed denial-of-service
attacks, were moving in a very accelerated direction to make
themselves more resilient on a global transaction platform.
I would say oil and natural gas is getting there, but they
are late to the game. And they are working hard to catch up.
They have to work through different kinds of upstream and
downstream activities to kind of ensure that people understand
at all levels within an organization, to include their supply
chain, what is at stake. Certainly Saudi Aramco woke them up to
that.
On the grid side, in California, we have seen the physical
attacks up in Menlo Park and the Metcalf substation. Since
those physical attacks, there has been lots of educational
outreach in terms of ensuring utilities in California and
elsewhere are moving in that direction. The challenge is rate
structures. It costs to build security.
And one of the issues that I am constantly faced with on
the private sector side is how do I generate a return on
investment as I build into security? What the President has
done and the administration has done is opening up a new
dialogue that allows us to drive more into incentivizing the
private sector through threat sharing, ability of using CIPAC,
Critical Infrastructure Partnership Advisory Council,
authorities to get limited liability protections, collaborate
with government and others that are ahead in this game, and to
drive us to a new level so all boats rise together from the
country's standpoint. But it is taking time.
Mr. Lewis. We started talking about this in 1998. In fact,
we started talking about this in 1996. So it has been a slow
progress. But banks, telecommunications companies, and defense
industrial companies are generally at the top of the league,
they are the best. Electrical grid it is a very mixed
performance. Some companies do good, some don't.
One thing to watch is the new industry. So everyone knows
your car is slowly becoming a rolling computer. So the auto
industries, the airplane industries, they are beginning to
focus on cybersecurity. But it varies from sector to sector.
And we haven't found a good way to change that.
Mr. Lowenthal. Thank you, Mr. Chairman.
Chairman Royce. Thank you. We go to Mr. Randy Weber.
Mr. Weber. Thank you. Mr. Butler, what is the price, how
high of a price is water if you can't get it? What price would
you pay?
Mr. Butler. I think it is needed for life.
Mr. Weber. Yes. Whatever it is----
Mr. Butler [continuing]. Price on it.
Mr. Weber. I am fascinated by the exchange with you and Mr.
Lowenthal about the infrastructure, for example. And the
thought occurs to me on energy, electricity, we have got to
have it.
Mr. Butler. Right.
Mr. Weber. We absolutely have to have it. So maybe a
redundant system, one that is connected, both of them connected
to the grid, and I know the price, you mentioned rates would be
important, I get that. But there is people who have to have
dialysis or police departments have to run, or military, it is
a security and it is a life issue in a lot of ways. So maybe
the answer to that is a redundant setup where you have two
power plants side by side, I know, cost is a factor, one that
is controlled, you know, through the Internet, if you will.
And I have pipelines all over the State of Texas. And they
actually can control the entire pipeline across the country
from their control room. So maybe that is the answer. Maybe you
have a standalone unit that is not connected to the Internet so
none of our enemies can shut it down. But yet it can snap on
line in just a matter of seconds or minutes more appropriately.
So interesting discussion. Dr. Lewis, you said that advanced
cyber capability, in your comments there was five countries,
U.S., U.K., Russia, China, and Israel. Define advanced cyber
capability.
Mr. Lewis. The usual way to look at it is they could cause
physical destruction. They could cause the kind of disruption
in services that you were talking about. They could turn off
electrical plants.
Mr. Weber. Is it safe to say that they have, for lack of a
better term, a military officer or probably a 12-year-old kid
in a computer room, that can hack--that is what they do, that
is their job?
Mr. Lewis. The bad news is the countries that don't like
us, including Iran, Russia, and China, have probed our critical
infrastructure and have looked for vulnerabilities and are
prepared to turn it off if necessary.
Mr. Weber. Okay. What is the percentage of their success?
Mr. Butler, you mentioned earlier they are watching people
monitor the grid. Would you say that of those people who are
trying to attack us, are they 1 percent successful, 10 percent
successful?
Mr. Lewis. My guess would be, I don't know what Bob thinks,
it would be closer to 100 percent.
Mr. Weber. Well, that is encouraging. And you said Russia
and China, you ought to be putting sanctions on it. Is a
reverse hacking, are we able to reverse hack them? Now,
somebody mentioned, you know, maybe it was Dr. Lotrionte? Is
that how you say that? Said releasing the personal financial
information of Chinese leaders? Are you advocating that we have
a department in our military, if you will, that actually does
that, hacks to get back at them and then, is that what you are
saying?
Mr. Lewis. One of the problems in this whole thing is we
have taken kind of a passive approach. We have taken a
technical approach. We have focused on making our defenses
strong which you could call it a Maginot Line approach. We have
to find ways----
Mr. Weber. How did that work with the French by the way?
Mr. Lewis. We don't want to be on the same path.
Mr. Weber. You think?
Mr. Lewis. I think we need to find ways to demonstrate to
countries that we will not put up with this.
Mr. Weber. So, Dr. Lotrionte, am I saying that right?
Ms. Lotrionte. You are.
Mr. Weber. Okay. And you said in 2005 was really the first
appearance of was it a cyber crime, was that international
legislation? I missed that. That got by me. Do you remember?
Ms. Lotrionte. Was that the 2008, the armed conflict that I
was mentioning?
Mr. Weber. That is what it was. Thank you.
Ms. Lotrionte. I wanted to set it up to say we are starting
to see the cyber tools and operations be used within armed
conflicts. And they are continuing. But first for state level
it was 2008 in Georgia and Russia.
Mr. Weber. I am surprised that it took that long, quite
frankly. And then, Dr. Lewis, you said the Israelis did a good
job on responding. What does that look like?
Mr. Lewis. They have an advantage because they are a small
country. And one of the things that they have is they use their
military to identify talent. So they recruit kids out of high
school.
Mr. Weber. That is that set, like I was talking about in
China, they have got a group of people that that is their
attack, that is their platoon or whatever you want to call it.
That is their job.
Mr. Lewis. The Israelis are under attack probably every
week by Hezbollah, very low level attacks, and probably by
Iran, by the Syrian Electronic Army.
Mr. Weber. Well, we are too I mean not necessarily by those
entities but others.
Mr. Lewis. They are a lot smaller. And so they don't have
what you would call strategic depth. So they get a lot of
practice. People are a little more afraid of attacking us. But
we need to make them more afraid.
Mr. Weber. Okay. All right. Thank you, Mr. Chairman. I
yield back.
Chairman Royce. We go now to Mr. Ted Poe of Texas.
Mr. Poe. Thank you, Mr. Chairman. The cyber attack on Sony
Pictures Entertainment by North Korea, in your opinion, Dr.
Lewis, is that an act of terrorism?
Mr. Lewis. Yeah, so it is one of these things that falls in
this gray area because they did disrupt Sony Pictures, they
leaked damaging materials, they put out emails. It was a
coercive act, right? Now, whether you call that terrorism or
not, I would call it coercion. The North Koreans probably
intended it to terrify Sony. So they were doing this
intentionally to punish Sony for that movie.
Mr. Poe. North Korea used to be on the State Sponsors of
Terrorism List. They are off. Do you think we should reconsider
that, Dr. Lewis? Just your opinion.
Mr. Lewis. Sure. No, I don't. Because it is, what
influences how countries think about this doesn't have to do
with sanctions that are external to that or terrorism lists
that are external to that. We need to think about things that
directly apply to cybersecurity. And that is where the
committee might want to do some work. Putting them back on the
list or taking them off, it is not going to affect their
behavior. We need to do things that are more direct.
Mr. Poe. Because their behavior is bad.
Mr. Lewis. Yes. Oh, yeah.
Mr. Poe. Let me ask the other two witnesses, same question,
do you think it is an act of terrorism? And if you think it is,
should they be put back on the list? Just your opinion. Both of
you. All three witnesses.
Mr. Butler. I rarely disagree with Jim. I think we need to
spend more time thinking about what the North Koreans are
really trying to do here. They are building a cyber capability.
And they did achieve their desired effect in really terrorizing
a large entertainment firm. Where is that going to go? And so I
think, I wouldn't rule it out in terms of putting them back on
an established terrorist list. But I think we need to spend
more time understanding where they are growing with their
capabilities, as well as intent.
Ms. Lotrionte. If I took a very legalistic approach to it,
under international law, I would call that not an act of
terrorism but a violation of the norm of non-intervention under
international law which is----
Mr. Poe. Wait a minute. Wait a minute. Wait a minute. What
did you just say?
Ms. Lotrionte. Not to get in the weeds, but the norm of
non-intervention under international law which is----
Mr. Poe. The norm of non-intervention under international
law.
Ms. Lotrionte. It is what Lewis described as coercive. It
is by definition coercive interference when you are basically
bleeding or forcing a state to give up one of its fundamental
rights under international law. And that typically is seen as
political elections. But also it can be the freedom of speech.
So this was illegal, in my view, under international law. It
was a violation of the norm of non-intervention but not
terrorism.
Mr. Poe. Okay. And just following up on that, the Sony
situation, any consequences for that attack? Were there any
consequences on the North Koreans for doing what they did?
Ms. Lotrionte. As a policy matter----
Mr. Poe. Did somebody call them to the principal's office?
Were they retaliated against? Did we hack into their system? I
mean, was there any type of response to that act by Sony? I
mean by----
Mr. Lewis. I think they were scared. So one of the things
that has come up repeatedly in the questioning is our ability
to attribute the source of an attack. And about 8 years ago,
DOD started to work really hard with a lot of money in--to be
able to figure out who is doing the hacking. And I think the
North Koreans were shocked that we were able to tell so quickly
that it was them. And that scared them.
Five years ago, they did another attack on U.S. facilities,
not as bad. We never were quite sure. This time we knew it was
them. We could take pictures of the guys doing it. Right. So it
is that improved attribution capability that scared them.
Ms. Lotrionte. So to answer that question, was there a
response or retaliation, what was publicly, at least, available
to know, it does not appear that the U.S. took a public move in
response, retaliation.
Now, I would hope or assume that our intelligence
organizations have responded to that. And under international
law, a countermeasure to a violation of a norm of
non-intervention is appropriate and legal. So if we have legal
authority to take a countermeasure, it has to be non-forcible,
I would think that would be in the bailiwick of the
intelligence community to do that. And we might not see or talk
about that publicly.
Mr. Poe. Okay. I will yield back, Mr. Chairman.
Chairman Royce. Mr. Ted Yoho of Florida.
Mr. Yoho. Thank you, Mr. Chairman. And thank you for having
this very important meeting. And I would propose or recommend,
not recommend, I would ask that we build on this hearing to
define what constitutes a cyber attack and when it is an act of
war or an act of terror, and define systems that fall under
that, whether it is our electrical system, military system,
power systems, hospitals, and whether that is a certain amount
of life lost, any life lost, or economic, a major economic
catastrophe.
And, Dr. Lewis, you were saying we have known about this
since 1996. That is 20 years. Twenty years and we still don't
have a definition or a policy. I think that is way too long. We
have just dropped the ball on this. And who is watching the hen
house? I mean, this is not acceptable.
Number one charge of America's Government, as we all know,
is national security. This is a national security threat. And
technology will continue to advance, become more complex in the
future. And we are going to be more intertwined with that. And
to not have those kind of policies in place is a shortfall of
administrations, not just this one but of past ones. And this
is something we need to get on right now. We should have been
on it.
I am glad, I am sure there is a lot more going on behind
the scenes than we hear about. I am sure it is like Jack
Nicholson in that movie you can't stand, you can't tolerate the
truth or you don't want to know it. And I think to ask you what
constitutes an act of war or an act of terrorism, do we have a
definition of that?
Ms. Lotrionte. So I will, one, I agree with you in terms of
the amount of time it has taken to get to the point we are
where we are actually talking about the specific definitions
and norms I think has been too long. And it does remind me when
I was in the intelligence community, the years leading up to
9/11. And it was like a good 15, 20 years it took people to
understand what would be an armed attack under the law by
non-state actors like terrorists that would allow us to use force
in response against them on somebody else's sovereign
territory. And I think it took us too long.
So here we are in a different context, different types of
threats, of course, but the same principles that need to be
discussed and defined. So, really the focus of my whole point
and my written statement was that we do need to get agreement
on some very important terms with respect to international law
and the use of force and armed conflict. Specifically, what is
a use of force for purposes of Article 2(4) of the U.N.
Charter. What is an armed attack for purposes of Article 5(1)
of the U.N. Charter which allows a country to use forcible
measures in response.
And so I think that we have had some laws that have
developed at the U.N., for instance, with respect to non-state
actors. After 9/11, the U.N. Security Council passed two very
important resolutions which cleared up the law and said you can
go and you can use force and retaliate against even non-state
actors.
Mr. Yoho. That was U.S. law?
Ms. Lotrionte. Well, it is U.S. law.
Mr. Yoho. It is fine that the U.N. has that, but the U.S.
needs to have our own definition so we don't need to go to the
U.N. We are saying we need to put this out to the world that if
you do this, this is our response.
And, Dr. Lewis, you were saying we need to have a credible
response. Unfortunately, our Government right now has lost a
lot of credibility. We draw red lines in disappearing ink. We
call for regime change and deny it. I mean, we go on and on.
Again, it is not just this administration. It is what America
stands for.
We have got to be able to project credibility with a policy
and be willing to back it up. And what, you know, what I would
like to see is what is the appropriate response the U.S. should
state it will do? Is it to retaliate and to put other countries
on notice in the beginning and say this is what we are going to
do? And is it an eye for an eye response as my colleague Dana
Rohrabacher said? Or is it, you know, we are going to respond
two or three or four times worse than whatever you did? What is
your thoughts on that?
Mr. Lewis. You touched on some key points. And Bob is being
a little modest here, but DOD has actually done a good job of
coming up with doctrine on offensive use, defensive use of
cyber----
Mr. Yoho. I would like to see that. And I would like to
build that. Because if somebody comes into my house uninvited,
it is not going to be a nice response. You know, and that is
what I feel they are doing here. They are invading our privacy.
They are invading our sovereignty. And for us to not have a
response stated and put people on notice I think is just such a
shortfall. Mr. Butler?
Mr. Butler. Yes. Just building on the conversation, I mean
we have levels of activity, exploitation, disruption,
destruction. When we hit disruption and destruction, we have a
problem. And that should signal to the national command
authorities we need to take action.
The challenge inside this space is making sure we have the
indications and warning before it happens. For instance, we
need to have some signaling with regards to what is happening
to our industrial control systems. If malware drops into our
industrial control systems, that should be a signal that we
should be thinking about taking action to counter, before
something rises to another level and we actually get into
aggression.
Mr. Yoho. All right. Let me ask you this. With North Korea
attacking Sony, we have had people here saying it wasn't North
Korea, it was China working through North Korea as a proxy.
What do we do when another country, a nation-state, works
through a proxy, maybe Hezbollah in the future, some terrorist
organization, but we know it was directed by a nation-state?
And if we don't have time, if I could get a response to that, I
would love to hear that.
Ms. Lotrionte. Do you want me to just----
Mr. Yoho. Go ahead.
Ms. Lotrionte. So non-state actors as proxies for state's
actions, right? Well, yes, we have authority. And it is under
international law. And the U.S. could accept it to take action
against the state who is, if you can attribute, if you can
attribute the actions of the non-state actors to the state, you
can use force and take it to the state, hold them responsible.
Mr. Lewis. One place we get hung up on, and this is where
the committee could help, is we get hung up on what is a
proportional response. So there is a lot of debate, what is a
proportional response to Sony? And that is where having some
guidelines or some principles.
There is a second issue, though, which is the one you
brought up which is maybe sometimes we don't want to be
proportional in our response. And that would be useful to have
guidelines on as well.
Mr. Yoho. Thank you. Thank you, Mr. Chairman, for the extra
time.
Chairman Royce. Thank you. We will pursue that question. We
will go to Mr. Brad Sherman of California.
Mr. Sherman. We don't play offense. China hacks. We don't
talk about what tariff to put on all Chinese products in order
to compensate ourselves for that. Not even allowed to talk
about that in polite society. It is much easier for
bureaucracies to say we want money for defense. Offense, oh my
God, it is not politically correct.
The unique vulnerability of China, and to some extent
Russia, is the incredible corruption. We have the capacity
through cyber and other means to identify which princeling owns
which chateaus. Dr. Lewis, do we have the capacity to find,
document, and leak to the press the ill-gotten foreign assets
of Chinese leaders and their children?
Mr. Lewis. I believe we do, particularly because many of
those assets are located in the United States.
Mr. Sherman. And if you are trying to embarrass a regime,
there is, you know, entries on a Merrill Lynch form are
interesting but--pictures of chateaus, mcmansions, et cetera,
are more so.
Dr. L, to what extent do we play offense in the sense of
not just gathering, traditional statecraft, spying on
governments and feeding it into our intel operation? To what
extent do we play offense beyond that?
Ms. Lotrionte. I certainly think we have the capability. I
also think we have the authority, legal authority, particularly
Cyber Command in its authority legislated by Congress gives it
both defensive and offensive capability. Unfortunately, I think
because of the nature of those----
Mr. Sherman. Could we, for example, steal Chinese
proprietary company, corporate information and just either hand
it to an American company, which would raise huge questions
which company, or just publish it?
Ms. Lotrionte. If the U.S. Government----
Mr. Sherman. Yes.
Ms. Lotrionte [continuing]. Determined that they wanted as
a matter of policy to conduct economic espionage, they could do
it.
Mr. Sherman. And do we have the legal authority to then
publish the results?
Ms. Lotrionte. Yes.
Mr. Sherman. Do we have the authority to give it to those
companies that correctly choose which political party to donate
to?
Ms. Lotrionte. Yes.
Mr. Sherman. You mean, we could leak it to one company and
not another?
Ms. Lotrionte. Well, when we discuss the economic espionage
part, I think that is a concern of agencies in the U.S.
Government, would there be any liability in terms of choosing
between companies that benefit. Well, you can solve that by
actually having a framework for, similar to when you put out a
bid for a contract. There are processes----
Mr. Sherman. You mean, we would announce that we had stolen
secret technology to build printing presses and then have
companies bid? That would be interesting.
Ms. Lotrionte. I think so too, sir.
Mr. Sherman. And you say we would have all the legal
authority to do that? If we had a President that wanted to go
in, steal some corporate--now, the problem we have here, what
is asymmetrical is, we got a lot more intellectual property
than they do. So that is, I don't want to get in a tit for tat
steal intellectual property world. What I would rather do is
get them to stop.
Mr. Butler, can you think of any other offensive cyber
techniques that we could use that the Chinese and the Russians
would find painful?
Mr. Butler. I think for the Chinese, and as I mentioned
earlier, as they are trying to integrate into the global
economic system. Anything that we could do that would impact
their growth potential, Huawei, ZTE, Baidu, Alibaba, I think
would have an impact. I think like you said, sir----
Mr. Sherman. But it is asymmetric. Alibaba might want
access to the U.S. market. Google does want access to the
Chinese market.
Mr. Butler. Right. Right.
Mr. Sherman. The easiest thing, of course, is just tariffs
on their imported goods. And the asymmetrical way is to go
after the corruption because, and I gather from this panel
there are no legal obstacles to espionage designed to identify
and prove ill-gotten gains held by Chinese leaders and their
children, and leak that to the press, in both China and the
United States. Mr. Lewis, do you see any legal bar to that?
Mr. Lewis. No. I was just going to say that it would apply
equally to Russia.
Mr. Sherman. Yes. I think, I think it would have less
political impact in Russia, although that regime has to be a
little shaky. I mean, China is trying to explain to its people
why under their great leadership they may have to suffer with
less than 7 percent growth. Putin has to explain a world of $44
a barrel oil which is a much more painful world. Doctor, do you
have----
Ms. Lotrionte. I would just say, I think you wanted to
reconfirm about the legality of it. Not only would that be
legal, but in the past, as far as the first half of that
scenario, doing it to them and leaking it, we have history
outside of this cyber context that the intelligence community
has done things like that before. So both legal under
international law and under domestic law.
Mr. Sherman. Okay. And so we have in pre-cyber methodology
obtained embarrassing information about the leaders and
families of countries we are not entirely friendly with and
leaked it to the press. Unless Mr. Butler has a comment, I
yield back.
Chairman Royce. I want to thank our witnesses. There is one
more favor that the panel could do for this committee if you
would. Mr. Ted Yoho of Florida had two other questions that we
would like to get your response in writing to if we could. Mr.
Yoho, do you want to lay out those two questions?
Mr. Yoho. Yes, sir, Mr. Chairman. I appreciate it. The
first one is what is your recommendation to help facilitate our
Government working with private industry or, vice versa,
industry working with our Government to prevent or alert each
other about attacks. That is question number one.
The second one which is really two questions, are there any
laws prohibiting us to follow through on these, you know,
something prohibiting us. And I know we have got to go through
the U.N. to be nice and all that. But, again, my concern is the
sovereignty and the protection of the United States Government,
and that law ought to trump everything else.
And then are there any laws that are needed for us to do
what we want to do as far as protecting this country and our
citizens and the economy of this country? Those, if you could
do that, because what we would like to do, according to
Chairman Royce, is formulate a cybersecurity policy for the
United States of America. And we don't want to wait another 20
years. And if you would do that, it would be greatly
appreciated. How long do you think it would take? Can we get
that in a week, within a week?
Ms. Lotrionte. I can give you the legal answers in a day.
Mr. Yoho. Perfect. Thank you.
Mr. Butler. A week.
Mr. Yoho. Mr. Chairman, thank you.
Chairman Royce. Thank you very much, Mr. Yoho. I appreciate
those ideas. And we stand adjourned. And, again, thank you very
much, panel.
[Whereupon, at 11:45 a.m., the committee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[Note: No responses were received by the committee to the above
questions prior to printing.]