[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                      CYBER WAR: DEFINITIONS, DETERRENCE, AND 
                              FOREIGN POLICY

=======================================================================

                                HEARING

                               BEFORE THE

                      COMMITTEE ON FOREIGN AFFAIRS
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 30, 2015

                               __________

                           Serial No. 114-106

                               __________

        Printed for the use of the Committee on Foreign Affairs
        
        
        


Available via the World Wide Web: http://www.foreignaffairs.house.gov/ 
                                  or 
                       http://www.gpo.gov/fdsys/

                                 ______
                                 


                      U.S. GOVERNMENT PUBLISHING OFFICE                                 
96-817 PDF                WASHINGTON : 2015                      
                                 
________________________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].  
                                
                                 
                                 
                                 
                      COMMITTEE ON FOREIGN AFFAIRS

                 EDWARD R. ROYCE, California, Chairman
CHRISTOPHER H. SMITH, New Jersey     ELIOT L. ENGEL, New York
ILEANA ROS-LEHTINEN, Florida         BRAD SHERMAN, California
DANA ROHRABACHER, California         GREGORY W. MEEKS, New York
STEVE CHABOT, Ohio                   ALBIO SIRES, New Jersey
JOE WILSON, South Carolina           GERALD E. CONNOLLY, Virginia
MICHAEL T. McCAUL, Texas             THEODORE E. DEUTCH, Florida
TED POE, Texas                       BRIAN HIGGINS, New York
MATT SALMON, Arizona                 KAREN BASS, California
DARRELL E. ISSA, California          WILLIAM KEATING, Massachusetts
TOM MARINO, Pennsylvania             DAVID CICILLINE, Rhode Island
JEFF DUNCAN, South Carolina          ALAN GRAYSON, Florida
MO BROOKS, Alabama                   AMI BERA, California
PAUL COOK, California                ALAN S. LOWENTHAL, California
RANDY K. WEBER SR., Texas            GRACE MENG, New York
SCOTT PERRY, Pennsylvania            LOIS FRANKEL, Florida
RON DeSANTIS, Florida                TULSI GABBARD, Hawaii
MARK MEADOWS, North Carolina         JOAQUIN CASTRO, Texas
TED S. YOHO, Florida                 ROBIN L. KELLY, Illinois
CURT CLAWSON, Florida                BRENDAN F. BOYLE, Pennsylvania
SCOTT DesJARLAIS, Tennessee
REID J. RIBBLE, Wisconsin
DAVID A. TROTT, Michigan
LEE M. ZELDIN, New York
TOM EMMER, Minnesota (until 5/18/15)
DANIEL DONOVAN, New York (as of 5/19/15)

     Amy Porter, Chief of Staff      Thomas Sheehy, Staff Director

               Jason Steinbaum, Democratic Staff Director
                             
                             C O N T E N T S

                              ----------                              

                               WITNESSES

James Andrew Lewis, Ph.D., senior fellow and director, Strategic 
  Technologies Program, Center for Strategic and International 
  Studies
Catherine Lotrionte, Ph.D., director, Institute for Law, Science 
  and Global Security, Georgetown University
Mr. Bob Butler, adjunct senior fellow, Technology and National 
  Security Program, Center for a New American Security

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

James Andrew Lewis, Ph.D.: Prepared statement
Catherine Lotrionte, Ph.D.: Prepared statement
Mr. Bob Butler: Prepared statement

                                APPENDIX

Hearing notice
Hearing minutes
The Honorable Gerald E. Connolly, a Representative in Congress 
  from the Commonwealth of Virginia: Prepared statement
Written responses from Mr. Bob Butler to questions submitted for 
  the record by members of the committee
Written responses from Catherine Lotrionte, Ph.D., to questions 
  submitted for the record by members of the committee
Questions submitted for the record to James Andrew Lewis, Ph.D., 
  by the Honorable Mark Meadows, a Representative in Congress 
  from the State of North Carolina

 
         CYBER WAR: DEFINITIONS, DETERRENCE, AND FOREIGN POLICY

                              ----------                              


                     WEDNESDAY, SEPTEMBER 30, 2015

                       House of Representatives,

                     Committee on Foreign Affairs,

                            Washington, DC.

    The committee met, pursuant to notice, at 10:14 a.m. in 
room 2172, Rayburn House Office Building, Hon. Ed Royce 
(chairman of the committee) presiding.
    Mr. Salmon [presiding]. This hearing will come to order. 
This morning we will consider the growing threats to U.S. 
national security in cyberspace. It is no exaggeration to say 
that we are at the dawn of a new age of warfare. Computers and 
the Internet have connected people around the world. However, 
reliance on these technologies has also made us vulnerable to 
cyber attacks from other countries, terrorists, and criminals.
    So much so that the Pentagon now counts cyberspace as the 
fifth domain of warfare alongside land, air, sea, and space. 
Whether or not an all-out cyber war occurs, it is clear that we 
are in a state of ongoing cyber conflict. The White House, the 
State Department, and the Department of Defense have all been 
hacked, and, of course, the Office of Personnel Management had 
the sensitive information of more than 21 million Americans 
compromised.
    In the private sector, hackers have crashed the computers 
of Sony executives, seized the personal information of more 
than 78 million people from the Nation's second largest health 
insurer, and stolen the credit and debit card information of 
more than 40 million customers of a major retailer. The 
magnitude of this theft is staggering, yet it is said that it 
takes companies an average of 205 days to even realize their 
system has been breached.
    Across the globe, Estonia found itself at the opposite end 
of a crippling Russia-backed denial of service attack. A 
computer worm shut down the air force and navies of France and 
Great Britain for a time. And an attack by North Korea, coined 
Dark Seoul, crippled South Korea's banking system.
    In the coming years, it is likely that Iran will pour more 
resources into cyber weapons. These have already been used 
against the U.S. Navy, American banks, a Las Vegas casino, and 
Saudi Arabia's largest oil producer, all without setting off 
significant retaliation. Indeed, it has been said that it is 
exactly the lack of international norms in responding that makes 
cyber weapons so attractive to Russia, China, Iran, and North 
Korea. So we have a lot of work to do.
    Our top intelligence officer told Congress earlier this 
month that the U.S. lacks both the substance and the mind-set 
to deterrence. Indeed, last spring the President issued an 
Executive order that would allow him to target individuals or 
organizations deemed responsible for computer attacks, but this 
new order, similar to the way in which terrorists or nuclear 
proliferators are targeted, has yet to be used. So the 
President's recent comment that offense is moving faster than 
defense is putting it mildly.
    From the private sector to government, our country is 
taking body blow after body blow in cyberspace. Why aren't we 
hitting back? As one observer notes, we have a deterrence 
deficit.
    The new agreement between the United States and China on 
economic espionage would be a step forward if China actually 
abides by it. And others, like Iran and Russia, will be 
watching closely how the United States responds to what is 
perhaps the greatest theft in history.
    We look forward to hearing from our witnesses, what is 
cyber war and how does it differ from cyber conflict and cyber 
espionage? Could better attribution techniques be developed to 
help the United States deter cyberattacks? What is the role of 
diplomacy in containing cyber conflict? Do the international 
norms surrounding traditional warfare apply? And what are the 
foreign policy implications of continued cyber infiltrations 
and espionage?
    We look forward to our witnesses' testimony as we consider 
U.S. responses to one of the most urgent problems facing the 
United States.
    And I now turn to the ranking member for any opening 
comments he might have.
    Mr. Engel. Well, thank you very much, Mr. Salmon. And to 
our witnesses, welcome to the Foreign Affairs Committee. We 
badly need your expertise, because our focus today is a new 
frontier when it comes to enhancing American security, and I 
agree with everything that my colleague just said.
    For years, cyber attacks from overseas have posed a growing 
threat to the United States. Cybercrimes, such as a breach of 
the credit card systems at Target stores by Russian hackers in 
2013, have put millions of American consumers at risk. Cyber 
espionage by foreign governments, the recent attack on the 
Office of Personnel Management, for example, threatens to 
expose national security information and violates the privacy 
of many, many American citizens.
    Today this committee is focusing on cyber war. That is a 
relatively new term and we still don't have a consensus about 
what it generally means, exactly means. Generally speaking, 
cyber war is understood as something different from the attacks 
that the United States has already experienced.
    So today I hope we can provide a little clarity on what we 
mean by cyber war. When does an act of espionage or vandalism 
cross the line and become an act of war? What would it take for 
a cyber attack to violate prohibitions against the use of force 
under the Laws of Armed Conflict? And regardless of the 
terminology we use, what should we be doing to protect the 
security of the United States and our citizens?
    I think it is urgent that we move quickly to address this 
challenge, because it is unlike any threat we have seen in the 
past. In recent history, the power of our military and safety 
of our shores have kept the violence of conventional warfare at 
a distance for most Americans, but technology has made the 
world smaller and more interconnected, for better and for 
worse.
    A conventional war today could easily be accomplished by 
cyber attacks on critical infrastructure here at home. Our 
power grid, air traffic control systems, water treatment 
facilities, or freight infrastructure could all be targeted.
    Our private sector is also a likely target. The Governments 
of China, Russia, Iran and other nations understand the value 
of American business secrets and intellectual property. That is 
why the Justice Department indicted five members of the Chinese 
military conspiring to steal American trade secrets in the 
metal and energy sectors and pass them along to Chinese 
businesses. I hope our witnesses can provide some insight about 
the best ways to shore up our defenses against these threats.
    And as we guard against this danger at home, I think 
America has a role to play around the world helping to 
establish standards for this cyber activity, bringing 
governments together to prevent and put a stop to cyber 
conflict. We led the way when it came to conventional conflict, 
we can lead the way again. In fact, we have already taken 
positive steps.
    In 2011, the Obama administration released an international 
strategy for cyberspace, calling for stronger diplomacy in 
private-public partnership to deal with this issue. A year 
later, we pushed to classify cyber activities causing death, 
injury, or significant destruction as a use of force under 
international law. We worked with Russia and China through the 
U.N. to limit the threat of cyberattacks against critical 
infrastructure. And we took another big step last week.
    Before Chinese President Xi visited the United States, 
several members of this committee wrote to President Obama, 
singling out the Chinese Government's cyber theft of 
intellectual property as a major concern. So I was very pleased 
that on Friday, the administration announced a huge win for 
U.S. companies. President Obama secured a commitment from the 
Chinese Government to stop engaging in state-sponsored cyber 
theft of intellectual property, including trade secrets and 
confidential business information.
    What is more, the Chinese agreed to work with us to 
prosecute cyber criminals targeting American assets. This is a 
significant achievement, but, of course, we need to make sure 
that China holds up its end of the deal. Talk is cheap. We have 
to make sure they produce, and we have to produce by being 
tough.
    Mr. Chairman, let me just add, even though it is off topic, 
last week, in my opinion, we achieved another landmark in U.S.-China 
cooperation on another critical threat, climate change. 
After years of pressure from the U.S. at very high levels, the 
Chinese will start a cap and trade system to curb carbon 
emissions in their country. I believe it is a very important 
step.
    Let me close by saying that while we have taken steps at 
home and shown leadership around the world, we still have a 
long way to go just to understand the nature and threat of 
cyber war, let alone what is necessary to contain this threat 
and protect our interests.
    So, again, let me thank our witnesses. I look forward to a 
good discussion and look forward to hearing their expertise. 
Thank you, Mr. Chairman.
    Mr. Salmon. Thank you.
    This morning we are pleased to be joined by a distinguished 
panel. First, Dr. James Lewis is a Senior Fellow and Director 
in the Strategic Technologies Program at the Center for 
Strategic and International Studies. Before joining CSIS, Dr. 
Lewis served in both the Department of State and the Department 
of Commerce. Welcome.
    Dr. Catherine Lotrionte. Is that correct?
    Ms. Lotrionte. Yes.
    Mr. Salmon. Is the Director of the Institute for Law, 
Science and Global Security at Georgetown University, where she 
teaches courses on national security law, U.S. intelligence 
law, and international law. Welcome.
    Mr. Bob Butler is an Adjunct Senior Fellow in the 
Technology and National Security Program at the Center for a New 
American Security. Mr. Butler has led a long career in 
information technology, intelligence, and national security in 
both the private and public sector. And he is going to the best 
State in the country this afternoon, Arizona. So happy to have 
that.
    Without objection, the witnesses' full prepared statements 
will be made part of the record, and members will have 5 
calendar days to submit statements, questions, and extraneous 
materials for the record.
    Dr. Lewis, would you please summarize your remarks.

   STATEMENT OF JAMES ANDREW LEWIS, PH.D., SENIOR FELLOW AND 
DIRECTOR, STRATEGIC TECHNOLOGIES PROGRAM, CENTER FOR STRATEGIC 
                   AND INTERNATIONAL STUDIES

    Mr. Lewis. Thank you, Mr. Chairman, and thanks to the 
committee for inviting me to testify.
    Cybersecurity is a foreign policy problem, so it falls 
squarely in the jurisdiction of this committee. While much of 
our discussion focuses on domestic solutions, these by 
themselves are inadequate to secure our networks against 
foreign opponents. Five countries have advanced cyber attack 
capabilities: The U.S., the U.K., Russia, China, and Israel. 
And several other countries are developing these capabilities. 
They include Iran and North Korea, both of which have used 
cyber attacks against American companies.
    So far when we look at these countries, they use their 
cyber attack capabilities in a manner that is consistent with 
their national military strategies and their policies. This 
means that cyber war is unlikely outside of some larger 
conflict. If that conflict were to occur, however, whether it 
was over the South China Sea or over the Russian interventions 
around the world, our opponents would use cyber attack to 
disrupt command and control systems and the software that 
controls advanced weapons. Both Russia and China have probed 
the most advanced U.S. weapons systems to prepare for this.
    Critical infrastructure is a second order target. Countries 
will attack it when they think they control the risk of 
escalation or when they are desperate, but it is vulnerable and 
it is a target that both Russia and China have probed.
    While there is agreement that international law, including 
the Laws of Armed Conflict, apply to cyber war, there remain 
areas of significant dispute, particularly over what qualifies 
as an armed attack or use of force in cyberspace. There is a 
gray area since a cyber attack can cause disruption without 
causing destruction or casualties. We have seen this with 
Iran's attack on Saudi Aramco and North Korea's action against 
Sony. How the Laws of Armed Conflict apply to this gray area is 
unclear.
    The concepts of use and force in armed attack underpin our 
treaty obligations for mutual defense. The U.S. has worked with 
its allies in NATO and in Asia to modify our existing treaties 
to ensure that the use of force in cyberspace is covered by 
them, is part of mutual defense.
    The definition of armed attack and use of force also 
determine deterrence thresholds. And I noted that, I think, the 
chairman talked about a deterrence deficit. We clearly have 
that. It is a major problem.
    In response to Sony and to Iran's actions against the Sands 
casino, the administration took steps to strengthen deterrence, 
including public discussion of our improved attribution 
capabilities and the creation of new cybersecurity sanctions. 
The goal was to create a credible threat.
    It is too early to tell if this has worked, but traditional 
military espionage does not work and will not work against 
cyber crime or cyber espionage. The U.S. needs to find 
something other than military threats to stop these activities. 
Indictments and sanctions can threaten deterrence, but more 
work is needed, and this is where the committee can play an 
important role.
    It could consider, among other things, expanded oversight 
of diplomatic activities, including the implementation and 
compliance with alliance commitments and bilateral agreements, 
such as the recent agreement with China, and the work in the 
U.N. to build norms on responsible state behavior. It could 
look at legislative actions to strengthen countermeasures.
    We won't always go to war over cyber espionage, in fact, we 
are unlikely to ever go to war over cyber espionage, but there 
are countermeasures such as sanctions or other penalties that 
we know have an effect on our opponents. It would be useful to 
provide greater clarity into the legal basis for the 
authorization of the use of force in cyberspace.
    Finally, you mentioned the existing 2011 International 
Strategy. This needs to be revised. It was written for a much 
different security environment, and it needs a second look, 
something that either this administration or the next will have 
to do. Cybersecurity poses a difficult challenge for foreign 
policy. Congress can help by providing oversight and guidance 
on its international and diplomatic aspects.
    I thank the committee for the opportunity to testify, and 
will be happy to answer any questions.
    Mr. Salmon. Thank you.
    [The prepared statement of Mr. Lewis follows:]
    
                               ----------                              

    Mr. Salmon. Dr. Lotrionte.

 STATEMENT OF CATHERINE LOTRIONTE, PH.D., DIRECTOR, INSTITUTE 
  FOR LAW, SCIENCE AND GLOBAL SECURITY, GEORGETOWN UNIVERSITY

    Ms. Lotrionte. Thank you for the invitation to speak to you 
today about international law and cyber operations.
    Even though there have not yet been discrete cyber 
operations that rise to the level of damage to property and 
lives equivalent to kinetic attacks, cyber operations are a 
part of the traditional military operations today, fast 
becoming a part of modern kinetic warfare. Such cyber 
operations first appeared overtly in the 2008 armed conflict 
between Georgia and Russia, also during the armed conflicts in 
Afghanistan and Iraq, and throughout the armed conflict in 
Libya and Syria, and recently have played a significant role 
during the 2014 armed conflict between Russia and Ukraine.
    This emerging reality requires that states examine the 
question of how to treat cyber operations under international 
law. There appears no alternative at present but to consider a 
host of legal propositions in examining the law related to 
cyber operations and assessing whether the laws that we 
currently have are adequate as cyber operations become 
ubiquitous.
    Under current international law, cyber operations would 
amount to internationally wrongful acts if they were 
inconsistent with established international law. To date, there 
is only one treaty that explicitly addresses cyber activities: 
That is the 2001 Budapest Convention on cyber crime.
    There is a growing international consensus that aspects of 
international law do apply in the cyber domain, but most of the 
details about how it applies remain in flux. Many states have 
affirmed the application of existing laws, including the U.N. 
Charter and the Laws of Armed Conflict. And while it is well 
settled in the U.S. that the U.N. Charter and the Laws of Armed 
Conflict apply to cyber warfare, the challenge is determining 
exactly how it applies and getting international agreement on 
those issues.
    In July of this year, the fourth U.N. Group of Government 
Experts, under the auspices of the Secretary General and 
composed of 20 states, finalized its recent report to the 
General Assembly. The report highlighted norms for peacetimes 
that states should abide by, including that states should not 
conduct or knowingly support actions that intentionally damage 
critical infrastructure of other states.
    Under the international law related to the use of force, it 
remains unclear whether a cyber operation that does not result 
in physical damage or injury can nevertheless amount to an 
armed attack for purposes of Article 51 of the U.N. Charter, 
when it generates severe but nondestructive or injurious 
effects.
    While the U.S. has asserted in a report to the U.N. that 
``under certain circumstances a disruptive activity in 
cyberspace could constitute an armed attack,'' it has not 
indicated which sorts of disruptive activities would qualify.
    And under International Humanitarian Law, or IHL, cyber 
operations executed in the context of an armed conflict are 
subject to the Law of Armed Conflict. For example, because the 
conflict between Russia and the Ukraine is international in 
nature, the ensuing cyber operations are subject to IHL. 
However, for the customary legal rules of proportionality and 
the requirement to take certain precautions during an attack 
under IHL, the meaning of the word ``attack'' for purposes of 
cyber operations is contested, and yet it is critically 
important in determining if the rules apply.
    In conclusion, while there may never be a comprehensive 
treaty on cyber operations under international law, verbal 
acts, such as diplomatic statements, policy statements, press 
releases, military manuals, decisions of national courts, 
opinions of official legal advisors, pleadings before 
international tribunals, and executive decisions and 
regulations, and importantly for this committee, domestic 
legislation can also serve to develop customary international 
law.
    The U.S. can actively work to develop these specific 
customary principles that it wishes to prevail internationally 
by being outspoken and transparent about what it views as the 
law in cyberspace. This, of course, will also require constant 
and consistent action along with those words.
    Given the existing difficulties involved with adopting a 
new treaty in this area, a reinterpretation of existing laws to 
accord with the emergence of cyber operations, along with the 
development of new customs that serve to adapt existing norms 
to cyber operations, will likely be the path states take.
    The U.S. can build deterrence by telegraphing or clearly 
articulating and promulgating an interpretation of the law it 
believes is applicable to cyber operations. Doing this means 
being specific and being clear, specifically about the 
thresholds for a use of force and an armed attack under the 
law. For example, on the issue of what constitutes a use of 
force, the U.S. could take the position that cyber operations 
executed against certain categories of targets, whether they 
are SCADA systems or specific critical infrastructures, create 
a rebuttable presumption that such actions constitute a use of 
force for purposes of Article 2 of the U.N. Charter.
    The U.S. could explicitly state such a position in a White 
House national security strategy, for instance. In making such 
legal assertions regarding thresholds and acting in accordance 
with those outlined thresholds, the U.S. could also seek 
agreement on these explicit thresholds from other States to 
develop clearly what the law is. Under such a legal framework, 
we can develop methods of countermeasures to hold those 
accountable for not complying with the law. This is just one 
way to develop deterrence when speaking about cyber conflict.
    I thank you, and I look forward to your questions.
    Mr. Salmon. Thank you.
    [The prepared statement of Ms. Lotrionte follows:]
           
                              ----------                              

    Mr. Salmon. Mr. Butler.

STATEMENT OF MR. BOB BUTLER, ADJUNCT SENIOR FELLOW, TECHNOLOGY 
   AND NATIONAL SECURITY PROGRAM, CENTER FOR A NEW AMERICAN 
                            SECURITY

    Mr. Butler. Congressman Salmon, Ranking Member Engel, and 
distinguished members of the committee, thank you again for the 
invitation to come and talk about cyber war and related topics. 
These are my opinions and not necessarily those of the U.S. 
Government or the Center for a New American Security.
    The bottom line upfront for me is that, you know, we have 
done a good job, I think, as a country in building strategy and 
developing strategy. We are lagging in implementation. And I 
would agree with my colleagues and Congressman Salmon's remarks 
about deterrence deficit. We are definitely in a situation of a 
deterrence deficit, and we are increasing our risk exposure 
over time by not remedying those actions.
    I say this from my perspective as a software developer, 
that is how I was trained; and from a DOD perspective, where I 
served in the United States Air Force for 26 years both as a 
computer systems officer and an intelligence officer; from a 
policy perspective, having served as a deputy assistant 
secretary over at the Pentagon on cyber policy; and from 6 
years in the private sector working in both building business 
and building security programs globally.
    So rather than going through my remarks, I would just like 
to summarize some of the salient points and then stand ready 
for your questions.
    First of all, on the topic of cyber war, I think that is a 
misnomer. We are talking more about actions and tools and 
capabilities in cyberspace that are used as we move through 
cyber conflict, and so the idea within the Department of 
Defense of a combined arms campaign where cyber capabilities 
are integrated as we go through different phases on the run-up 
to conflict and de-escalation.
    With regards to the treaties, I think Catherine went 
through it in quite good detail. My sense, and from practical 
experience, is that the Law of Armed Conflict does apply in 
cyberspace, as do other international rule sets. There are 
principles, such as proportionality, that do apply.
    Treaties are important. What we have with the North 
Atlantic Treaty Organization in terms of collective defense is 
an important aspect of it. And those kinds of treaties that 
fall below the level of war that we are using in law 
enforcement, like the Budapest Convention that Dr. Lotrionte 
mentioned, are key aspects of how we need to think through this 
problem set.
    With regards to deterrence, we have mentioned the 
International Strategy on Cyberspace a few times. That really 
is our declaratory statement. We reserve the right to use all 
means to defend ourselves in accordance with international law. 
But saying something is not just the only element of 
deterrence. We need to be able to display and project force, 
whether that be in economic sanctions or in other ways. We need 
to have deterrence by denial, where we build up defenses and 
avoid things like an OPM breach. We need to look at resiliency 
that takes us beyond U.S. Government activity and into the 
critical infrastructure. And we need to do more in those areas.
    From the standpoint of diplomacy, I think there is 
definitely a role in this emerging area of cyber diplomacy--
whether it be bilateral, multilateral relationships as we see 
with the North Atlantic Treaty Organization, or multi-
stakeholder kinds of partnerships as we talked about with the 
United Nations and the Government Group of Experts, or in 
private sector collaboration. More on that in just a few 
moments.
    In terms of foreign policy implications, certainly I think 
there are foreign policy thrusts here. We need to develop 
norms. We need to also develop standards and comport to 
international standards and ensure others comport to those 
international standards as well. We need to have a leveling set 
of rules. We need to build partnerships, public-private 
partnerships that extend internationally, and we need to find 
enforcement mechanisms as we go forward in time.
    In terms of the administration and the assessment that I 
would have is, again, strategy blueprints have been good, but 
our implementation has been lagging. We need from the President 
on down a unified vision and a much greater focus on 
implementation.
    Here we need to look at resources, yes, but also 
authorities and, more importantly, accountability within each 
of the departments that have responsibilities here. And I do 
believe this takes us into new ways of looking at how cyber 
activities should be comported over time.
    In terms of the laws, we need to update the laws, whether 
it be the existing communications laws, such as the Electronic 
Communications Privacy Act, the Computer Fraud and Abuse Act, 
or the Critical Infrastructure Partnership Advisory Council 
authorities. Those all need to be used as updated tools to help 
us in this area of building deterrence.
    Finally, in terms of the role for the committee, I really 
endorse Jim Lewis's comment about the committee taking on a 
greater role in reviewing the International Strategy on 
Cyberspace. It does need to be updated. The threat has changed 
significantly. We need measures of effectiveness, and I think 
it would be helpful for the committee to be involved there.
    Secondly, I think as an aspect of that, a key aspect, is to 
begin to drive international private-public partnerships, to 
build trust as well as to build a coalition of interested 
stakeholders to help us with norm development, enforcement of 
those norms, and understanding of cyber conflict. I think to 
get to that particular point, it is important to bring in U.S.-
based multinational representatives and experts to help inform 
that discussion and look at things that have been discussed 
already from the government side, like the Wassenaar agreements 
on export control.
    And then, finally, I think from an education standpoint, 
there are ways that we can actually increase our understanding 
through tabletop exercises, and I would commend that the 
committee think about using such types of tabletop exercises to 
continue their education and promotion of where they want to go 
in helping us with cyberspace.
    I stand ready to address your questions.
    Mr. Salmon. Thank you.
    [The prepared statement of Mr. Butler follows:]
                                ----------                              

    Mr. Salmon. Well, we will now begin member questions.
    Last week President Xi Jinping visited the United States. 
Among other things, they came to an agreement on economic 
espionage, cyber espionage that neither country's government 
will conduct or knowingly support cyber-enabled theft of 
intellectual property with the intent of providing competitive 
advantages to companies or commercial sectors.
    To me, the wording is vague and it gives both the U.S. and 
the Chinese side substantial room for interpretation.
    Tell me, Dr. Lewis, does this agreement actually mean 
anything? Why do you believe President Obama chose to forego 
any public discussion of the grievous economic and security 
losses from China's previous attacks? And given that China 
believes that economic security is a national security 
imperative, do you predict whether China will actually 
substantially decrease or cease cyber theft in this realm?
    Mr. Lewis. Well, I would agree with you. Thank you for the 
question.
    By the way, the very first time I ever testified 15 years 
ago was in front of this committee. I couldn't sleep the night 
before, I sweat through my shirt, and I stuttered. So it is a 
lot more fun being here as a private citizen.
    Mr. Connolly. Dr. Lewis, I have the same problem.
    Mr. Lewis. Yeah.
    Mr. Salmon. Just stay awake for the answers, and we will be 
all right.
    Mr. Lewis. That is my advice.
    It is a significant step forward, because for the first 
time a Chinese leader has addressed the issue of commercial 
espionage, and in the past, the Chinese have stoutly denied in 
public that they have any concern with this activity. In 
private, they have made the argument that for them commercial 
espionage is a national security issue, and so therefore they 
are legitimate in that kind of espionage.
    In talking to administration officials, they know there is 
wiggle room in the language. They have told me they will be 
watching it closely to see how well the Chinese live up to 
their commitments. It is not an on/off switch. This is very 
difficult for Xi, in particular because the PLA, which is our 
primary actor, makes money. This is a source of extracurricular 
income for them, and they are not going to be happy giving it 
up.
    But we can now count to a degree the number of economic 
espionage incidents that occur in the U.S., FBI and NSA can 
count them, and so that means if the Chinese live up to their 
agreement, the numbers should start to go down; if it stays the 
same or it goes up, we know they are not. And what I was told 
by, again, administration officials is sanctions are still on 
the table. They realize they may have to take action.
    Mr. Salmon. Mr. Butler, despite affirmations and 
reassurances, we should still be prepared for malicious cyber 
incidents, correct?
    Mr. Butler. [Nonverbal response.]
    Mr. Salmon. With your prior military and government service 
and current private sector experience, what do you think our 
priorities should be in contingency planning for these attacks 
or for continued cyber espionage that targets our military and 
economic assets?
    And lastly, for anyone on the panel after you address that 
question, if this government--or excuse me--if this agreement 
doesn't live up to its word, what should the U.S. Government do 
besides maybe sanctions? Are there other opportunities to 
escalate the severity of the issue? So what are some of the 
other options? Mr. Butler.
    Mr. Butler. Thank you, Congressman Salmon. I think our 
priority is to get our own house in order here. We need to 
improve our defenses first and foremost. We can't go through 
another type of breach like we have seen of the magnitude and 
severity of the OPM breach. So finding ways to, what I would 
say, create cyber hygiene and doing that quickly will help us 
in a significant way. I think beyond that, it is now thinking 
through resiliency within the critical infrastructure. As a 
foundational piece, I think we need to continue to improve in 
our deterrence by denial activities.
    At the same time, we need to think through how to establish 
norms much faster and find ways to enforce those norms. Again, 
I think one aspect of that is what I was discussing earlier, by 
bringing the private sector into the discussion to help us with 
understanding their perspective and looking at ways that we can 
tie together continuity of government and continuity of 
business-type activity.
    Beyond that, and in terms of other options, we need to make 
sure that we not only speak about the potential for creating 
cost on the part of an adversary, but be able to show that. And 
that needs to be certainly in the demonstration of force, 
things like economic sanctions, but it is also showing the 
ability to be able to operate in spite of attacks. And so 
finding ways to work across the spectrum of those options, I 
think, is absolutely critical.
    When we talk about deterrence today, it is cross-domain, it 
is the idea of using economic sanctions, potentially some other 
tools in the economic inventory that take us from beyond OFAC 
work into looking at ways that we could restrict travel of 
individuals into our country based on, you know, wrongful acts 
that are being prosecuted. It is certainly building the 
capability through our law enforcement activities and finding 
ways to not only name and shame, but to continue to work with 
entities like Interpol to help us with taking down illegal 
activity around the world. It is working to continue to grow 
the cyber mission forces that we have laid out in the defense 
cyber strategy. So I think it is a multifaceted strategy, it 
is cross-domain deterrence.
    Ms. Lotrionte. If I can add something to that. I think that 
with this agreement, it would be very good if the United States 
had a plan in place already for, one, how they are going to 
verify this. So, optimally right now, we would have measures in 
place and sensors in place that we would be able to basically 
approach the Chinese, and we would have to determine now which 
forum we would want to approach them in when and if they cheat 
in this agreement. Once that happens, though, I think we have 
to have, as Bob said, a cross-domain strategy.
    And I would activate all those elements at once, meaning I 
would use law enforcement tools; I would start prosecuting 
those that are violating our domestic law; I would pull out all 
the options on sanctions, whether it is financial or others; I 
would also look at the WTO; and I would start bringing 
immediately--I would have the USTR ready to bring charges or 
claims against China for violations in the TRIPS agreement; 
and, of course, less spoken of publicly, I would have our 
intelligence organizations actively prepared to do 
counterintelligence and, in the more covert world, things to 
counter their actions.
    So, I think we need to have that plan now and assume the 
worst, assume that they will cheat, so the minute they do, we 
have every avenue of the U.S. Government prepared to take 
action.
    Mr. Lewis. Just to build on that quickly, there was an 
intense debate within the administration on how to respond to 
the OPM hack, and sanctions were the middle course. Some people 
wanted to do more aggressive things, some people didn't want to 
do anything. So I think that the Chinese got the message that 
we were mad about this and would take action.
    And in the future, to both strengthen deterrence and make 
sure there is compliance with the agreement, we probably will 
need to think about possible punitive actions, whether that is 
publishing financial data, leaking financial data on Chinese 
leaders, or erasing data on their servers, sanctions, 
indictments. There are a range of tools, but we will probably 
have to use them.
    Chairman Royce [presiding]. We are going to go now to our 
ranking member, Mr. Eliot Engel.
    Mr. Engel. Thank you, Mr. Chairman.
    As your testimony shows, the international community has 
not yet formed a consensus on how to reduce cyber conflict. For 
example, some of our adversaries in cyberspace have advocated 
for an arms control approach, while America is focused on 
establishing global norms and confidence-building measures.
    So let me ask Dr. Lewis and Mr. Butler, what do you see as 
the greatest factors motivating countries to support one 
approach over the other, and what are the most significant 
barriers to fostering a greater international consensus? Why 
don't we start with you, Dr. Lewis.
    Mr. Lewis. Thank you for the question.
    One of the things that is interesting is that while there 
is a wide disparity of views on what we should do, all 
countries are afraid of cyber war, and this is from the biggest 
to the smallest, and many of them fear Cyber Command quite a 
bit. And I always wonder, should I tell them the truth or 
should I let them continue to believe that we are omnipotent, 
but that is the impression, and so it is that shared fear that 
drives the negotiation.
    The dilemmas with a traditional arms control approach, 
which is the preferred Russian approach, is, it is difficult to 
define what is a cyber arm. They clearly would like to include 
information in that category. The Russians talked about 
information weapons, which doesn't make any sense, right, but 
they would like to control information, and they have 
supporters in the world.
    So the treaty approach has verification problems, it has 
definition problems, and that is why the U.S. decided to go 
after norms of state behavior. You have to think about how you 
would verify compliance with norms and you have to think about 
penalties if norms aren't followed, but the arms control 
approach has just not been that useful because of its sort of 
structural problems that we face.
    Mr. Engel. Thank you.
    Mr. Butler.
    Mr. Butler. Yes, Congressman Engel. I think the incentives 
and the factors for driving people into this discussion exist. 
Really everyone is affected by some type of malware or 
maliciousness that is going on in cyberspace, whether it is 
China, Russia, Iran, North Korea, our allies are affected, and 
so there is an incentive to come to the table and discuss. The 
challenge, as Jim indicated, is there is fear. There are also 
problems with taxonomy. We have different doctrines in terms of 
what is in cyberspace, and what is not in cyberspace, including 
these physical and logical structures.
    We also are challenged with regards to understanding our 
overall objectives as we come to the table. As we look at, for 
instance, you know, the United States, we are trying to create 
an open and secure environment that allows for a global 
transaction platform and national security. Many countries see 
the benefits in that, but they see it as a U.S.-defined 
environment, and so going to multi-stakeholder types of venues 
actually helps us, the government group of experts, for 
instance.
    And, finally, I would say that one of the other barriers is 
getting folks involved in the global economic system. And here 
is where the private sector again comes into play. I think it 
is important for nations, whether they are, you know, very, 
very developed or underdeveloped, to see where we are heading 
and helping folks to begin to see the value of being on the 
Internet.
    There is this aspect of fear that not only comes from cyber 
war for high-end states, but as we think about some of the 
underdeveloped countries of the world not understanding exactly 
where we are going in terms of an interconnected society.
    Mr. Engel. Thank you.
    Dr. Lotrionte, let me throw a double-edged question at you. 
As international conflict increasingly moves into cyberspace, 
we need to be prepared for situations in which our military 
engages in hostilities overseas without deploying troops 
outside the United States. So in your opinion, would such 
activities trigger the congressional oversight and 
authorization requirements of the War Powers Resolution, and 
what steps should Congress take to ensure that cyber activities 
of the U.S. military fall within these oversight and 
authorization requirements?
    And let me also add, as the United States works to develop 
global norms and customary international law governing cyber 
conflict, what legal clarifications are needed to ensure that 
we are able to prevent and respond to cyber threats by 
terrorist groups and other nonstate actors?
    Ms. Lotrionte. Okay. Thank you for the two-part question.
    First on your question with respect to the applicability of 
the War Powers Resolution, so as it is today, the language of 
that statute today, for most of the cyber activities that one 
could anticipate or think of where the U.S. would be conducting 
these activities abroad without soldiers engaged abroad, my 
position on that in the current state of the language is it is 
not applicable, meaning that if you look at the words within 
that statute, there could be a whole scope of cyber activities 
that would not trigger. So, if the President is honestly 
looking at that statute and trying to fulfill his reporting and 
consulting requirements, there are a lot of activities that 
would not be triggered.
    There are two elements of that resolution that bring me to 
that reason. The two triggering elements for reporting are the 
words ``armed forces'' and ``hostilities.'' And when you are 
talking about, not just cyber, but other emerging technologies, 
even drones, nanotechnology, there is a slew of new 
technologies in which this resolution is wholly inadequate in 
terms of covering.
    But particularly with cyber, when you are talking about 
armed forces, that language needs to be expanded if you would 
like to cover and trigger that consulting and reporting 
requirement from the executive branch. As well as the 
phraseology with respect to hostilities, that has to also be 
expanded.
    So, you know, for instance on the armed forces, it is not 
so much armed forces will be involved overseas necessarily when 
you are talking about the use of cyber tools by the President, 
but you need to use the language that would be suitable for 
that statute would be something to the effect of adding 
capabilities, language about capabilities, oriented provisions 
or supplies.
    And as far as the phrase in the statute on hostilities, I 
would expand that language and not just leave it as it is 
today, but expand it to include it is not only engaging in 
hostilities, but it is also potentially the violation of the 
sovereignty of another nation that may trigger it.
    Now, this, of course, would take some consultation, but if 
you ask me the original intent of that statute, if we wanted 
that original intent to consist today and you want the 
reporting and consulting that was envisioned for the 
legislative branch in the war-making process with the 
President, that is what I would say would need to be changed.
    That was the first one. Would you like me to go on to the 
second question you had or----
    Chairman Royce. Should we do that in writing?
    Mr. Engel. I guess we can do that in writing.
    Ms. Lotrionte. Okay.
    Mr. Engel. Thank you.
    Chairman Royce. Yeah. Thank you.
    Let me ask a quick question to Dr. Lewis. We had the cyber 
attack on Turkey's electric grid. That was on March 31 of 2015. 
That was a 12-hour power outage, affected 40 million people in 
Turkey. You had the Iran cyber attack against American 
companies and the 2012 cyber attack on Saudi Arabia's oil 
conglomerate that destroyed the data on tens of thousands of 
computers.
    So the question I have is what impact could the 
administration's lifting of sanctions on Iran have on Iran's 
cyber capabilities going forward?
    Mr. Lewis. It is a very good question and one that I think 
people, particularly in the financial sector, have been paying 
close attention to. The theory that most folks had was that 
Iran would be on its best behavior while the nuclear deal was 
being negotiated.
    Chairman Royce. But they were hacking during the--they were 
doing the attacks during the deal.
    Mr. Lewis. Well, they weren't doing it as much as they were 
doing it against U.S. banks. They toned back a little bit. And 
the question is once this is completed, will they resume their 
activity, and so I think that is something that we are all 
watching.
    My assumption is that Iran will be aggressive in the 
Persian Gulf. And the whole point of much of the discussion 
around the Sony episode----
    Chairman Royce. Okay. I have got to stop you right there----
    Mr. Lewis. Okay.
    Chairman Royce [continuing]. Because James Clapper says 
that Iran used cyber to attack U.S. military networks in 
December 2014. That would be in the middle of the Iranian 
nuclear negotiations. I don't know how you can present this 
thesis if they are in bad behavior in the middle of a 
negotiation where they are trying to get us to do what they 
want us to do, and now you say, well, now afterwards, after we 
have lost the leverage, they are going to change their 
behavior. And let me go to another question.
    Mr. Lewis. Oh, change their behavior for the worst.
    Chairman Royce. Yeah.
    Mr. Lewis. This is not--one of the changes in the last few 
years has been significant improvement on Iran's attack 
capabilities.
    Chairman Royce. Yeah.
    Mr. Lewis. So the concern is will they use them against the 
U.S.? And they used them against Sands.
    Chairman Royce. Yeah.
    Mr. Lewis. You know, so----
    Chairman Royce. Yeah. Well, very good. I appreciate that, 
Dr. Lewis.
    I have got a question for Bob Butler. The DNI, our Director 
of National Intelligence, says he doesn't think that the 
agreement announced last week during the visit of President Xi 
is going to impact the bottom line in how China attempts to 
access U.S. computer systems, including our intellectual 
property. I was going to see if you agree with that. How do you 
gauge that agreement? Is it going to affect the cyber conflict? 
Are they going to honor the agreement?
    Mr. Butler. I think the proof is in the pudding. We are 
going to have to wait and see. We had an agreement on Friday. 
We have also had an informal announcement about the Chinese not 
being very happy with some of our positions on U.S. Internet 
policy since then. I think we need to see from a validation and 
verification standpoint with regards to the follow-through on 
this.
    My sense is the wording is important. You know, there was 
no agreement, of course, on espionage writ large, specifically 
on commercial secrets and how that is interpreted. So I think 
we need to put in place immediately some type of validation and 
verification scheme that takes advantage of our national 
intelligence apparatus, but also capabilities that we have in 
the private sector to understand what exactly is changing and 
how it is changing as we go forward in time.
    Chairman Royce. Let me ask a question of Dr. Lotrionte. 
Which U.S. Government agencies are responsible for addressing 
cyber-war-related threats and response and recovery efforts? 
Because the point I want to make is should the Department of 
Defense protect the cybersecurity of the U.S. homeland from 
significant cyber attacks? And is it really time for us to look 
at this just as, you know, during the second world war, we 
stood up the Air Force as a separate branch in order to give 
that responsibility, give that authority? Is it time to do 
something like that?
    Ms. Lotrionte. So I think there are multiple agencies and 
departments that have underneath their legal mission or 
authority a role to play both in preventing, but also 
countering and responding.
    First I would start with State Department, the significant 
role in the diplomacy. In order to have a form of deterrence, 
we need to have the establishment of some agreements, these 
norms, right, to make a link----
    Chairman Royce. You know what, what I am going to ask you 
to do, as an attorney, you have a great background in this: 
Could you delineate that in writing for me, because I am about 
to be out of time and I wanted to ask Bob Butler one more 
question?
    If a cyber attack took down our financial system or took 
down the electrical grid, would the United States consider it a 
use of force, and if so, how would we determine who to strike 
back and who to strike against?
    And, Dr. Lotrionte, I am going to ask you that too, but, 
Bob?
    Mr. Butler. Sure. Mr. Chairman, certainly from the vantage 
point of taking down life safety systems, the grid, water 
treatment systems, and looking at our financial services, I 
think that would be of serious consequence. We are planning, 
from a DOD standpoint, national teams to support that.
    In terms of figuring it out, you know, I think we have to 
understand what the ``roll-up'' is to cyber conflict, and maybe 
I will just take 30 seconds here to explain how that takes 
place.
    I mean, initially we see reconnaissance activity, right? We 
see people scanning networks. We then see people crawling on 
networks. Then we see focused targeting of activity based on 
our knowledge--based on the adversary's knowledge from what 
they have done on reconnaissance and surveillance activities. 
Then potentially we see exploitation through malware that could 
lead to stealing things. It could also be an implant that 
basically positions someone for a further attack, whether it is 
disruptive or destructive.
    We would need to find and ``lay in'' intelligence both on 
the national security side and with commercial sensors to help 
us understand what is ``going on,'' on the network.
    Chairman Royce. Well, okay. So here is what I am going to 
do. I am out of time, but----
    Mr. Butler. Yes.
    Chairman Royce [continuing]. If any of the three witnesses 
for the last two questions have some ideas here in terms of 
attribution techniques and how we could follow up on that, 
because that is what you are getting to, that would be helpful 
to the committee.
    We now go to Karen Bass of California.
    Ms. Bass. Thank you, Mr. Chair.
    In listening to your testimony, I wanted to know if either 
one of you, you know, out of the three could give me examples 
of where you think other countries are doing a good job in 
terms of cybersecurity, and maybe there are some lessons that 
we can learn from there.
    And then I believe it was you, Mr. Butler, that were 
talking about the consequences and maybe imposing sanctions on 
individuals. But then, how do we address it when a lot of this 
is state run?
    And then finally, sorry to load up all my questions, but 
when I think of some of the major terrorist groups that we are 
dealing with, whether it is Al Qaeda or ISIS, or the Taliban, 
what level of involvement do they have in cyber attacks?
    Mr. Lewis. I will start. Let me come back briefly to the 
earlier question, though, which is to if you want to get the 
Iranians to change how they think about this, you don't want to 
take a passive approach, and that has been one of our 
problems----
    Ms. Bass. Are you----
    Mr. Lewis [continuing]. One of our problems in 
cybersecurity. We need to make credible threats and we need to 
have countries believe that we will respond with some punitive 
action.
    Not a lot of people are doing a good job on this. The 
Israelis have done a good job, but not perfect. The Russians 
have done a good job, the French, and to some extent the 
British. That might be it in the world. We do okay, but one of 
the things we need to do is make people believe that if they 
hack us, there will be punishment, and that is maybe the most 
important thing we can do.
    Ms. Bass. And are any of our intelligence agencies 
cooperating or taking lessons and implementing practices from 
the countries you just mentioned?
    Mr. Lewis. We have really close relations with the British. 
We have okay relations with the Israelis and the French, good 
relations, but not as close as the British. So there is an 
effort in the context of our alliances to build a collective 
defense.
    Ms. Bass. Thank you.
    Mr. Butler. Let me go to your first question with regards 
to states that are doing good work in the area of 
cybersecurity. I think the U.S. model and allied models 
continue to grow. And when I look at really good work going on 
around the globe, I think of the partnerships that we have in 
place.
    So, if I look at the Japanese Computer Emergency Response 
Team, which is really the APAC Computer Emergency Response 
Team, they have taken lessons learned from what we have done 
and others, and are really doing a pretty good job in tracking 
advanced persistent threats.
    When I think about, for instance, what are we doing on the 
global transaction platform, the Financial Services-ISAC, or 
Information Sharing and Analysis Center, has broadened their 
approach to where they are now looking globally as opposed to 
just within the country.
    There is a new activity that has stood up in Singapore that 
is an extension of Interpol--Global Center for Innovation. 
Here, a model that we, I think, pioneered, maybe some others 
were involved in terms of botnet takedowns, proactive botnet 
``takedowns,'' is being worked on on a global basis.
    So I think both on the proactive/prevention side as well as 
on the prevent, or on the response side, there are models that 
we can look at. And, again, we have been involved with helping 
others in that area, but we can also learn from that as well.
    In terms of sanction enforcements, I think, again, it is a 
combination of trust and verify. So there are different 
economic and trade remedies that could be employed. We need to 
look at the impact as best we know it would have on the nation-
state, and then we need to think through the enforcement, the 
verification mechanism, and certainly intelligence is involved 
in there, but we could also ensure validation through a partner 
working in conjunction with us against that potential 
adversary.
    In terms of looking at the terrorist issue, deterrence is 
different. I like to talk about tailored deterrence against 
nation-states, a nation-state, and what is required to deter 
that particular actor. A lot of the things we have been talking 
about lately really are focused on determined resource nation-
states as opposed to terrorist groups.
    And in this space, we need to think hard about, you know, 
for instance, in ISIS, that is growing in social media 
campaigns and recruiting and creating challenges for us. How do 
we deter those kinds of actors and how do we deter actors that 
are really where we don't know a lot about their doctrine?
    Ms. Bass. Thank you. I appreciate it.
    Dr. Lotrionte?
    Ms. Lotrionte. In terms of other countries working well on 
the cybersecurity front, I would put in a word for the Brits in 
terms of what I have seen they do. Now, a lot in the awareness 
area and also working with their universities. They have less 
than we do in this country, but they have done a lot of good 
work, the government has, in reaching out and coordinating to 
understand what resources on that, the higher education level, 
and putting in R&D as well.
    I think they are not better than us, but they have followed 
our lead in most of the ways that we have communicated with the 
private sector. I think they also are working on getting better 
at that, sending out warnings to their companies about the 
nature of the threat.
    But I would say in general, and this is not always the 
case, I think the U.S. is the lead in this, and the Europeans, 
I have heard the Europeans say that. And I have often had, 
whether it is the Japanese or the Germans or other East Asian 
countries, when they come into town, the officials are coming 
into town and going to the State Department, they often come to 
me and they have asked me, talk to me about how the U.S. is 
handling and doing their cybersecurity work. And they are 
looking to us for good examples, for models. So I think that 
might be my general sense.
    On the sanctions, over the years watching how under 
international law targeted sanctions, while slow in terms of 
their effectiveness, can ultimately be effective. I think you 
can do very targeted, smart sanctions against individuals. You 
know, I personally like the thought of freezing assets. When 
people lose their money and they no longer can get their money, 
you usually see some effect.
    Ms. Bass. Thank you.
    Ms. Lotrionte. And terrorist groups are also definitely, as 
Bob has already said, a consideration we have to deal with.
    Ms. Bass. Thank you very much.
    Chairman Royce. We go now to Mr. Dana Rohrabacher of 
California.
    Mr. Rohrabacher. Thank you very much, Mr. Chairman.
    I guess we are talking about a number of approaches to this 
sort of new subject. I don't think anybody talked about this 
10, 20 years ago. And what you just said when we were talking 
about a retaliation, I was thinking in terms of retaliation 
versus sanctions.
    Would it not be better to try to set up a system where we 
are not offering some sort of economic sanction, but instead if 
we catch you and your people, how do you say, disturbing our 
system, our economic system in some way or our weapons systems, 
that we will just retaliate against your systems? That the 
Chinese banks will have to experience some problems if people 
keep hacking into our banks? Isn't that what--wouldn't that be 
more effective than telling the Chinese Government, you are 
going to not be able to deliver anymore widgets over here that 
you have manufactured?
    Ms. Lotrionte. I can----
    Mr. Rohrabacher. And we will ask our whole panel that. Go 
right ahead.
    Ms. Lotrionte. I can say something about the law, at least 
international law. Well, first, absolutely correct: 10 years 
ago we weren't dealing with the level of threats, and 
therefore, it wasn't really a conversation about talking about 
responses, right, and how to react to this. But since then, 
luckily, a lot of people have given a lot of their time 
internationally to think about the rules that we had and have 
today, can we actually use them effectively to actually respond 
in a pretty effective and meaningful way?
    And, yes, it is sometimes economic, you try to use the, if 
you will, less escalatory means to resolve this dispute, right, 
whatever it is, and the law actually requires that. But at 
times you will need to actually go to the higher level of the 
spectrum and maybe use force.
    So most of what my written statement for the record, that I 
have given you, but also I tried to summarize it really quickly 
was that is why I put most emphasis on really looking at some 
key terminology that we have all accepted under international 
law, use of force in armed attack, and come to agreement on 
what those terms mean. Why is that important? Well, it is 
because then we will all know where the line is.
    Mr. Rohrabacher. Right. I understand that part of your 
testimony.
    Ms. Lotrionte. And I think you can use force.
    Mr. Rohrabacher. I think the gentleman would like to 
comment as well.
    Mr. Lewis. Sure. Thank you, Congressman.
    So we talked earlier about a deterrence deficit. People 
don't believe that the U.S. will take action in response----
    Mr. Rohrabacher. Right.
    Mr. Lewis [continuing]. To these cyber things, and so we----
    Mr. Rohrabacher. There is no deterrent unless there is a 
capability of retaliating.
    Mr. Lewis. Well, we have the capability, it is people don't 
think we will do it. And so one of the most important things we 
could do is think, how do we persuade the people like the 
Irans, the Chinas, the Russias that we would retaliate for some 
kind of cyber action. And many of us are coming to the belief 
that----
    Mr. Rohrabacher. Give me----
    Mr. Lewis [continuing]. We might have to do it once.
    Mr. Rohrabacher. Give me an example of when you say, we 
will retaliate, what that would mean.
    Mr. Lewis. You have a range of options. You could, for 
example, with OPM, you could have erased data on some of the 
Chinese computer networks that held the OPM data. That wouldn't 
have taken it away. It is gone forever. But it would have sent 
a signal. You could leak financial data on Chinese leadership. 
You could interfere with the power grid. There is a whole range 
of things we could do. But I think the fear is until we do 
something, and it might be sanctions, until we show some 
reaction, people won't take our threats seriously.
    Mr. Rohrabacher. Mr. Butler, do you want to----
    Mr. Butler. I think it is important to look at who we are 
trying to deter. So in China, for instance, if you go back and 
just look at August and the Shanghai Exchange, I mean, 
something that would hurt would be to impact, you know, them 
economically. They are trying to be part of a global economic 
system----
    Mr. Rohrabacher. Give me an example of what you think we 
would--if China has these assets that they are now building 
that will hurt us, what would we do with our capabilities to 
retaliate against a Chinese, well, they already are, 
apparently, breaking into our banking system, et cetera.
    Mr. Butler. If we could impact them adversely in an 
economic way, I think that will have a significant impact on 
it. I mean more and more, I see people like Jack Ma of Alibaba, 
Huawei, and ZTE driving into the global economic system, and 
needing business outside of China. And they have influence in 
China.
    On the flip side of it, we have organizations, U.S.-based 
multinationals that have relationships in China and actually 
have Chinese clients. We should be taking advantage of that to 
shape the environment to our advantage, as opposed to waiting 
for something and then reacting.
    Mr. Rohrabacher. I think this is a very fruitful 
discussion, but only probably the first one that we should have 
on this issue. And let me note that--let me ask this. When the 
chairman mentioned the cyber attack that may have taken place 
with the Iranians against some of our naval vessels, could that 
have been in retaliation for, perhaps, an Israeli attack on 
their reactors?
    Mr. Lewis. I don't know in that particular case. In other 
cases, there probably has been some retaliation because of 
attacks attributed to Israel. So the Kharg Island incident 
where the Iranian oil----
    Mr. Rohrabacher. We are going to have to make sure that we 
establish, and this hearing is the first step toward getting an 
honest discussion of this, so I thank the chairman for 
scheduling this hearing because we are going to need to know 
how to verify that there has been an attack, verify who the 
attack is from. We are going to determine what type of 
protection that we can have that will nullify or at least 
protect us against these attacks, what type of systems we need.
    And then we need to discuss if there are attacks like this, 
what type of retaliation, what are our options of retaliation. 
And as we heard earlier, even the wording as to what will, what 
will justify a type of retaliation, just the wording of it, we 
haven't even determined that yet.
    Mr. Lewis. That is a really important----
    Chairman Royce. And maybe, Doctor, we can respond to that 
in writing.
    We are going to go to Alan Lowenthal from California.
    Mr. Lowenthal. Thank you, Mr. Chair. And I want to thank 
the panelists. I mean, this is something that I am just 
learning myself and I find it fascinating but I certainly don't 
consider myself an expert in any way.
    I would like to return now when we are dealing with 
cybersecurity, rather than the focus on where the attacks come 
from on our own infrastructure and how much we are doing to 
protect ourselves and our infrastructure. I believe that the 
President has issued an Executive order pledging, I think it 
was 13636, to improve our infrastructure, critical 
infrastructure in terms of cybersecurity.
    I would like to know what significant security developments 
have resulted from that Executive order. Has it been effective? 
How much of our own critical infrastructure is vulnerable? And 
what are we doing about our own infrastructure to understand 
the vulnerabilities that we face today? Anybody want to jump 
in? Again, to my edification. It may be common knowledge to 
everyone else but it certainly isn't to me.
    Mr. Butler. I think it is a great question. With the 
Executive order and actually prior to the Executive order, 
certainly our life/safety systems sectors have been taking 
action. They have been incentivized through the government to 
take more action.
    Again, I will just start with financial services and our 
banks and related financial service activities, they have been 
practicing, you know, in terms of incident response for some 
time. They have been doing a lot of information sharing. They 
have gone beyond information sharing into joint solutioning. 
They have helped to develop automated ways of information 
sharing to find new standards, and they have taken that 
globally.
    When I look at what is going on in the energy world, we 
have work to do. Our energy grid is a challenge. And based on 
the regulatory nature of how FERC and NERC work to support 
different utilities, co-ops, and consortiums. We need to find 
ways to actually not only create incentives but work through 
standards and get the grid to a point where it is a lot more 
resilient than it is today. As we build that new 
infrastructure.
    Mr. Lowenthal. Have we not looked at these issues over 
time? Is that really, we did we not understand the 
vulnerabilities to our private sector and allowed them to 
develop without even questioning some of these issues? And is 
that true in terms of our own, say, Department of Defense which 
may have been more responsive to some of these issues earlier? 
I don't understand the difference between the private sector 
development and the public sector development, the defense 
development.
    Mr. Butler. In the Department of Defense, we have been 
working on the whole issue of cyberspace and operating 
effectively in cyberspace for years. We have continued to try 
to ramp up and improve our defenses as we work through concepts 
for growing cyberspace as an operational domain in conflict and 
warfare.
    From the private sector perspective, there has been 
different levels of understanding and knowledge, primarily 
driven by business motives. And so the financial services, even 
before the 2012/2013 attacks, the distributed denial-of-service 
attacks, were moving in a very accelerated direction to make 
themselves more resilient on a global transaction platform.
    I would say oil and natural gas is getting there, but they 
are late to the game. And they are working hard to catch up. 
They have to work through different kinds of upstream and 
downstream activities to kind of ensure that people understand 
at all levels within an organization, to include their supply 
chain, what is at stake. Certainly Saudi Aramco woke them up to 
that.
    On the grid side, in California, we have seen the physical 
attacks up in Menlo Park and the Metcalf substation. Since 
those physical attacks, there has been lots of educational 
outreach in terms of ensuring utilities in California and 
elsewhere are moving in that direction. The challenge is rate 
structures. It costs to build security.
    And one of the issues that I am constantly faced with on 
the private sector side is how do I generate a return on 
investment as I build into security? What the President has 
done and the administration has done is opening up a new 
dialogue that allows us to drive more into incentivizing the 
private sector through threat sharing, ability of using CIPAC, 
Critical Infrastructure Partnership Advisory Council, 
authorities to get limited liability protections, collaborate 
with government and others that are ahead in this game, and to 
drive us to a new level so all boats rise together from the 
country's standpoint. But it is taking time.
    Mr. Lewis. We started talking about this in 1998. In fact, 
we started talking about this in 1996. So it has been a slow 
progress. But banks, telecommunications companies, and defense 
industrial companies are generally at the top of the league, 
they are the best. Electrical grid it is a very mixed 
performance. Some companies do good, some don't.
    One thing to watch is the new industry. So everyone knows 
your car is slowly becoming a rolling computer. So the auto 
industries, the airplane industries, they are beginning to 
focus on cybersecurity. But it varies from sector to sector. 
And we haven't found a good way to change that.
    Mr. Lowenthal. Thank you, Mr. Chairman.
    Chairman Royce. Thank you. We go to Mr. Randy Weber.
    Mr. Weber. Thank you. Mr. Butler, what is the price, how 
high of a price is water if you can't get it? What price would 
you pay?
    Mr. Butler. I think it is needed for life.
    Mr. Weber. Yes. Whatever it is----
    Mr. Butler [continuing]. Price on it.
    Mr. Weber. I am fascinated by the exchange with you and Mr. 
Lowenthal about the infrastructure, for example. And the 
thought occurs to me on energy, electricity, we have got to 
have it.
    Mr. Butler. Right.
    Mr. Weber. We absolutely have to have it. So maybe a 
redundant system, one that is connected, both of them connected 
to the grid, and I know the price, you mentioned rates would be 
important, I get that. But there is people who have to have 
dialysis or police departments have to run, or military, it is 
a security and it is a life issue in a lot of ways. So maybe 
the answer to that is a redundant setup where you have two 
power plants side by side, I know, cost is a factor, one that 
is controlled, you know, through the Internet, if you will.
    And I have pipelines all over the State of Texas. And they 
actually can control the entire pipeline across the country 
from their control room. So maybe that is the answer. Maybe you 
have a standalone unit that is not connected to the Internet so 
none of our enemies can shut it down. But yet it can snap on 
line in just a matter of seconds or minutes more appropriately. 
So interesting discussion. Dr. Lewis, you said that advanced 
cyber capability, in your comments there was five countries, 
U.S., U.K., Russia, China, and Israel. Define advanced cyber 
capability.
    Mr. Lewis. The usual way to look at it is they could cause 
physical destruction. They could cause the kind of disruption 
in services that you were talking about. They could turn off 
electrical plants.
    Mr. Weber. Is it safe to say that they have, for lack of a 
better term, a military officer or probably a 12-year-old kid 
in a computer room, that can hack--that is what they do, that 
is their job?
    Mr. Lewis. The bad news is the countries that don't like 
us, including Iran, Russia, and China, have probed our critical 
infrastructure and have looked for vulnerabilities and are 
prepared to turn it off if necessary.
    Mr. Weber. Okay. What is the percentage of their success? 
Mr. Butler, you mentioned earlier they are watching people 
monitor the grid. Would you say that of those people who are 
trying to attack us, are they 1 percent successful, 10 percent 
successful?
    Mr. Lewis. My guess would be, I don't know what Bob thinks, 
it would be closer to 100 percent.
    Mr. Weber. Well, that is encouraging. And you said Russia 
and China, you ought to be putting sanctions on it. Is a 
reverse hacking, are we able to reverse hack them? Now, 
somebody mentioned, you know, maybe it was Dr. Lotrionte? Is 
that how you say that? Said releasing the personal financial 
information of Chinese leaders? Are you advocating that we have 
a department in our military, if you will, that actually does 
that, hacks to get back at them and then, is that what you are 
saying?
    Mr. Lewis. One of the problems in this whole thing is we 
have taken kind of a passive approach. We have taken a 
technical approach. We have focused on making our defenses 
strong which you could call it a Maginot Line approach. We have 
to find ways----
    Mr. Weber. How did that work with the French by the way?
    Mr. Lewis. We don't want to be on the same path.
    Mr. Weber. You think?
    Mr. Lewis. I think we need to find ways to demonstrate to 
countries that we will not put up with this.
    Mr. Weber. So, Dr. Lotrionte, am I saying that right?
    Ms. Lotrionte. You are.
    Mr. Weber. Okay. And you said in 2005 was really the first 
appearance of was it a cyber crime, was that international 
legislation? I missed that. That got by me. Do you remember?
    Ms. Lotrionte. Was that the 2008, the armed conflict that I 
was mentioning?
    Mr. Weber. That is what it was. Thank you.
    Ms. Lotrionte. I wanted to set it up to say we are starting 
to see the cyber tools and operations be used within armed 
conflicts. And they are continuing. But first for state level 
it was 2008 in Georgia and Russia.
    Mr. Weber. I am surprised that it took that long, quite 
frankly. And then, Dr. Lewis, you said the Israelis did a good 
job on responding. What does that look like?
    Mr. Lewis. They have an advantage because they are a small 
country. And one of the things that they have is they use their 
military to identify talent. So they recruit kids out of high 
school.
    Mr. Weber. That is that set, like I was talking about in 
China, they have got a group of people that that is their 
attack, that is their platoon or whatever you want to call it. 
That is their job.
    Mr. Lewis. The Israelis are under attack probably every 
week by Hezbollah, very low level attacks, and probably by 
Iran, by the Syrian Electronic Army.
    Mr. Weber. Well, we are too I mean not necessarily by those 
entities but others.
    Mr. Lewis. They are a lot smaller. And so they don't have 
what you would call strategic depth. So they get a lot of 
practice. People are a little more afraid of attacking us. But 
we need to make them more afraid.
    Mr. Weber. Okay. All right. Thank you, Mr. Chairman. I 
yield back.
    Chairman Royce. We go now to Mr. Ted Poe of Texas.
    Mr. Poe. Thank you, Mr. Chairman. The cyber attack on Sony 
Pictures Entertainment by North Korea, in your opinion, Dr. 
Lewis, is that an act of terrorism?
    Mr. Lewis. Yeah, so it is one of these things that falls in 
this gray area because they did disrupt Sony Pictures, they 
leaked damaging materials, they put out emails. It was a 
coercive act, right? Now, whether you call that terrorism or 
not, I would call it coercion. The North Koreans probably 
intended it to terrify Sony. So they were doing this 
intentionally to punish Sony for that movie.
    Mr. Poe. North Korea used to be on the State Sponsors of 
Terrorism List. They are off. Do you think we should reconsider 
that, Dr. Lewis? Just your opinion.
    Mr. Lewis. Sure. No, I don't. Because it is, what 
influences how countries think about this doesn't have to do 
with sanctions that are external to that or terrorism lists 
that are external to that. We need to think about things that 
directly apply to cybersecurity. And that is where the 
committee might want to do some work. Putting them back on the 
list or taking them off, it is not going to affect their 
behavior. We need to do things that are more direct.
    Mr. Poe. Because their behavior is bad.
    Mr. Lewis. Yes. Oh, yeah.
    Mr. Poe. Let me ask the other two witnesses, same question, 
do you think it is an act of terrorism? And if you think it is, 
should they be put back on the list? Just your opinion. Both of 
you. All three witnesses.
    Mr. Butler. I rarely disagree with Jim. I think we need to 
spend more time thinking about what the North Koreans are 
really trying to do here. They are building a cyber capability. 
And they did achieve their desired effect in really terrorizing 
a large entertainment firm. Where is that going to go? And so I 
think, I wouldn't rule it out in terms of putting them back on 
an established terrorist list. But I think we need to spend 
more time understanding where they are growing with their 
capabilities, as well as intent.
    Ms. Lotrionte. If I took a very legalistic approach to it, 
under international law, I would call that not an act of 
terrorism but a violation of the norm of non-intervention under 
international law which is----
    Mr. Poe. Wait a minute. Wait a minute. Wait a minute. What 
did you just say?
    Ms. Lotrionte. Not to get in the weeds, but the norm of 
non-intervention under international law which is----
    Mr. Poe. The norm of non-intervention under international 
law.
    Ms. Lotrionte. It is what Lewis described as coercive. It 
is by definition coercive interference when you are basically 
bleeding or forcing a state to give up one of its fundamental 
rights under international law. And that typically is seen as 
political elections. But also it can be the freedom of speech. 
So this was illegal, in my view, under international law. It 
was a violation of the norm of non-intervention but not 
terrorism.
    Mr. Poe. Okay. And just following up on that, the Sony 
situation, any consequences for that attack? Were there any 
consequences on the North Koreans for doing what they did?
    Ms. Lotrionte. As a policy matter----
    Mr. Poe. Did somebody call them to the principal's office? 
Were they retaliated against? Did we hack into their system? I 
mean, was there any type of response to that act by Sony? I 
mean by----
    Mr. Lewis. I think they were scared. So one of the things 
that has come up repeatedly in the questioning is our ability 
to attribute the source of an attack. And about 8 years ago, 
DOD started to work really hard with a lot of money in--to be 
able to figure out who is doing the hacking. And I think the 
North Koreans were shocked that we were able to tell so quickly 
that it was them. And that scared them.
    Five years ago, they did another attack on U.S. facilities, 
not as bad. We never were quite sure. This time we knew it was 
them. We could take pictures of the guys doing it. Right. So it 
is that improved attribution capability that scared them.
    Ms. Lotrionte. So to answer that question, was there a 
response or retaliation, what was publicly, at least, available 
to know, it does not appear that the U.S. took a public move in 
response, retaliation.
    Now, I would hope or assume that our intelligence 
organizations have responded to that. And under international 
law, a countermeasure to a violation of a norm of non-
intervention is appropriate and legal. So if we have legal 
authority to take a countermeasure, it has to be non-forcible, 
I would think that would be in the bailiwick of the 
intelligence community to do that. And we might not see or talk 
about that publicly.
    Mr. Poe. Okay. I will yield back, Mr. Chairman.
    Chairman Royce. Mr. Ted Yoho of Florida.
    Mr. Yoho. Thank you, Mr. Chairman. And thank you for having 
this very important meeting. And I would propose or recommend, 
not recommend, I would ask that we build on this hearing to 
define what constitutes a cyber attack and when it is an act of 
war or an act of terror, and define systems that fall under 
that, whether it is our electrical system, military system, 
power systems, hospitals, and whether that is a certain amount 
of life lost, any life lost, or economic, a major economic 
catastrophe.
    And, Dr. Lewis, you were saying we have known about this 
since 1996. That is 20 years. Twenty years and we still don't 
have a definition or a policy. I think that is way too long. We 
have just dropped the ball on this. And who is watching the hen 
house? I mean, this is not acceptable.
    Number one charge of America's Government, as we all know, 
is national security. This is a national security threat. And 
technology will continue to advance, become more complex in the 
future. And we are going to be more intertwined with that. And 
to not have those kind of policies in place is a shortfall of 
administrations, not just this one but of past ones. And this 
is something we need to get on right now. We should have been 
on it.
    I am glad, I am sure there is a lot more going on behind 
the scenes than we hear about. I am sure it is like Jack 
Nicholson in that movie you can't stand, you can't tolerate the 
truth or you don't want to know it. And I think to ask you what 
constitutes an act of war or an act of terrorism, do we have a 
definition of that?
    Ms. Lotrionte. So I will, one, I agree with you in terms of 
the amount of time it has taken to get to the point we are 
where we are actually talking about the specific definitions 
and norms I think has been too long. And it does remind me when 
I was in the intelligence community, the years leading up to 9/
11. And it was like a good 15, 20 years it took people to 
understand what would be an armed attack under the law by non-
state actors like terrorists that would allow us to use force 
in response against them on somebody else's sovereign 
territory. And I think it took us too long.
    So here we are in a different context, different types of 
threats, of course, but the same principles that need to be 
discussed and defined. So, really the focus of my whole point 
and my written statement was that we do need to get agreement 
on some very important terms with respect to international law 
and the use of force and armed conflict. Specifically, what is 
a use of force for purposes of Article 2(4) of the U.N. 
Charter. What is an armed attack for purposes of Article 5(1) 
of the U.N. Charter which allows a country to use forcible 
measures in response.
    And so I think that we have had some laws that have 
developed at the U.N., for instance, with respect to non-state 
actors. After 9/11, the U.N. Security Council passed two very 
important resolutions which cleared up the law and said you can 
go and you can use force and retaliate against even non-state 
actors.
    Mr. Yoho. That was U.S. law?
    Ms. Lotrionte. Well, it is U.S. law.
    Mr. Yoho. It is fine that the U.N. has that, but the U.S. 
needs to have our own definition so we don't need to go to the 
U.N. We are saying we need to put this out to the world that if 
you do this, this is our response.
    And, Dr. Lewis, you were saying we need to have a credible 
response. Unfortunately, our Government right now has lost a 
lot of credibility. We draw red lines in disappearing ink. We 
call for regime change and deny it. I mean, we go on and on. 
Again, it is not just this administration. It is what America 
stands for.
    We have got to be able to project credibility with a policy 
and be willing to back it up. And what, you know, what I would 
like to see is what is the appropriate response the U.S. should 
state it will do? Is it to retaliate and to put other countries 
on notice in the beginning and say this is what we are going to 
do? And is it an eye for an eye response as my colleague Dana 
Rohrabacher said? Or is it, you know, we are going to respond 
two or three or four times worse than whatever you did? What is 
your thoughts on that?
    Mr. Lewis. You touched on some key points. And Bob is being 
a little modest here, but DOD has actually done a good job of 
coming up with doctrine on offensive use, defensive use of 
cyber----
    Mr. Yoho. I would like to see that. And I would like to 
build that. Because if somebody comes into my house uninvited, 
it is not going to be a nice response. You know, and that is 
what I feel they are doing here. They are invading our privacy. 
They are invading our sovereignty. And for us to not have a 
response stated and put people on notice I think is just such a 
shortfall. Mr. Butler?
    Mr. Butler. Yes. Just building on the conversation, I mean 
we have levels of activity, exploitation, disruption, 
destruction. When we hit disruption and destruction, we have a 
problem. And that should signal to the national command 
authorities we need to take action.
    The challenge inside this space is making sure we have the 
indications and warning before it happens. For instance, we 
need to have some signaling with regards to what is happening 
to our industrial control systems. If malware drops into our 
industrial control systems, that should be a signal that we 
should be thinking about taking action to counter, before 
something rises to another level and we actually get into 
aggression.
    Mr. Yoho. All right. Let me ask you this. With North Korea 
attacking Sony, we have had people here saying it wasn't North 
Korea, it was China working through North Korea as a proxy. 
What do we do when another country, a nation-state, works 
through a proxy, maybe Hezbollah in the future, some terrorist 
organization, but we know it was directed by a nation-state? 
And if we don't have time, if I could get a response to that, I 
would love to hear that.
    Ms. Lotrionte. Do you want me to just----
    Mr. Yoho. Go ahead.
    Ms. Lotrionte. So non-state actors as proxies for state's 
actions, right? Well, yes, we have authority. And it is under 
international law. And the U.S. could accept it to take action 
against the state who is, if you can attribute, if you can 
attribute the actions of the non-state actors to the state, you 
can use force and take it to the state, hold them responsible.
    Mr. Lewis. One place we get hung up on, and this is where 
the committee could help, is we get hung up on what is a 
proportional response. So there is a lot of debate, what is a 
proportional response to Sony? And that is where having some 
guidelines or some principles.
    There is a second issue, though, which is the one you 
brought up which is maybe sometimes we don't want to be 
proportional in our response. And that would be useful to have 
guidelines on as well.
    Mr. Yoho. Thank you. Thank you, Mr. Chairman, for the extra 
time.
    Chairman Royce. Thank you. We will pursue that question. We 
will go to Mr. Brad Sherman of California.
    Mr. Sherman. We don't play offense. China hacks. We don't 
talk about what tariff to put on all Chinese products in order 
to compensate ourselves for that. Not even allowed to talk 
about that in polite society. It is much easier for 
bureaucracies to say we want money for defense. Offense, oh my 
God, it is not politically correct.
    The unique vulnerability of China, and to some extent 
Russia, is the incredible corruption. We have the capacity 
through cyber and other means to identify which princeling owns 
which chateaus. Dr. Lewis, do we have the capacity to find, 
document, and leak to the press the ill-gotten foreign assets 
of Chinese leaders and their children?
    Mr. Lewis. I believe we do, particularly because many of 
those assets are located in the United States.
    Mr. Sherman. And if you are trying to embarrass a regime, 
there is, you know, entries on a Merrill Lynch form are 
interesting but--pictures of chateaus, McMansions, et cetera, 
are more so.
    Dr. L, to what extent do we play offense in the sense of 
not just gathering, traditional statecraft, spying on 
governments and feeding it into our intel operation? To what 
extent do we play offense beyond that?
    Ms. Lotrionte. I certainly think we have the capability. I 
also think we have the authority, legal authority, particularly 
Cyber Command in its authority legislated by Congress gives it 
both defensive and offensive capability. Unfortunately, I think 
because of the nature of those----
    Mr. Sherman. Could we, for example, steal Chinese 
proprietary company, corporate information and just either hand 
it to an American company, which would raise huge questions 
which company, or just publish it?
    Ms. Lotrionte. If the U.S. Government----
    Mr. Sherman. Yes.
    Ms. Lotrionte [continuing]. Determined that they wanted as 
a matter of policy to conduct economic espionage, they could do 
it.
    Mr. Sherman. And do we have the legal authority to then 
publish the results?
    Ms. Lotrionte. Yes.
    Mr. Sherman. Do we have the authority to give it to those 
companies that correctly choose which political party to donate 
to?
    Ms. Lotrionte. Yes.
    Mr. Sherman. You mean, we could leak it to one company and 
not another?
    Ms. Lotrionte. Well, when we discuss the economic espionage 
part, I think that is a concern of agencies in the U.S. 
Government, would there be any liability in terms of choosing 
between companies that benefit. Well, you can solve that by 
actually having a framework for, similar to when you put out a 
bid for a contract. There are processes----
    Mr. Sherman. You mean, we would announce that we had stolen 
secret technology to build printing presses and then have 
companies bid? That would be interesting.
    Ms. Lotrionte. I think so too, sir.
    Mr. Sherman. And you say we would have all the legal 
authority to do that? If we had a President that wanted to go 
in, steal some corporate--now, the problem we have here, what 
is asymmetrical is, we got a lot more intellectual property 
than they do. So that is, I don't want to get in a tit for tat 
steal intellectual property world. What I would rather do is 
get them to stop.
    Mr. Butler, can you think of any other offensive cyber 
techniques that we could use that the Chinese and the Russians 
would find painful?
    Mr. Butler. I think for the Chinese, and as I mentioned 
earlier, as they are trying to integrate into the global 
economic system. Anything that we could do that would impact 
their growth potential, Huawei, ZTE, Baidu, Alibaba, I think 
would have an impact. I think like you said, sir----
    Mr. Sherman. But it is asymmetric. Alibaba might want 
access to the U.S. market. Google does want access to the 
Chinese market.
    Mr. Butler. Right. Right.
    Mr. Sherman. The easiest thing, of course, is just tariffs 
on their imported goods. And the asymmetrical way is to go 
after the corruption because, and I gather from this panel 
there are no legal obstacles to espionage designed to identify 
and prove ill-gotten gains held by Chinese leaders and their 
children, and leak that to the press, in both China and the 
United States. Mr. Lewis, do you see any legal bar to that?
    Mr. Lewis. No. I was just going to say that it would apply 
equally to Russia.
    Mr. Sherman. Yes. I think, I think it would have less 
political impact in Russia, although that regime has to be a 
little shaky. I mean, China is trying to explain to its people 
why under their great leadership they may have to suffer with 
less than 7 percent growth. Putin has to explain a world of $44 
a barrel oil which is a much more painful world. Doctor, do you 
have----
    Ms. Lotrionte. I would just say, I think you wanted to 
reconfirm about the legality of it. Not only would that be 
legal, but in the past, as far as the first half of that 
scenario, doing it to them and leaking it, we have history 
outside of this cyber context that the intelligence community 
has done things like that before. So both legal under 
international law and under domestic law.
    Mr. Sherman. Okay. And so we have in pre-cyber methodology 
obtained embarrassing information about the leaders and 
families of countries we are not entirely friendly with and 
leaked it to the press. Unless Mr. Butler has a comment, I 
yield back.
    Chairman Royce. I want to thank our witnesses. There is one 
more favor that the panel could do for this committee if you 
would. Mr. Ted Yoho of Florida had two other questions that we 
would like to get your response in writing to if we could. Mr. 
Yoho, do you want to lay out those two questions?
    Mr. Yoho. Yes, sir, Mr. Chairman. I appreciate it. The 
first one is what is your recommendation to help facilitate our 
Government working with private industry or, vice versa, 
industry working with our Government to prevent or alert each 
other about attacks. That is question number one.
    The second one which is really two questions, are there any 
laws prohibiting us to follow through on these, you know, 
something prohibiting us. And I know we have got to go through 
the U.N. to be nice and all that. But, again, my concern is the 
sovereignty and the protection of the United States Government, 
and that law ought to trump everything else.
    And then are there any laws that are needed for us to do 
what we want to do as far as protecting this country and our 
citizens and the economy of this country? Those, if you could 
do that, because what we would like to do, according to 
Chairman Royce, is formulate a cybersecurity policy for the 
United States of America. And we don't want to wait another 20 
years. And if you would do that, it would be greatly 
appreciated. How long do you think it would take? Can we get 
that in a week, within a week?
    Ms. Lotrionte. I can give you the legal answers in a day.
    Mr. Yoho. Perfect. Thank you.
    Mr. Butler. A week.
    Mr. Yoho. Mr. Chairman, thank you.
    Chairman Royce. Thank you very much, Mr. Yoho. I appreciate 
those ideas. And we stand adjourned. And, again, thank you very 
much, panel.
    [Whereupon, at 11:45 a.m., the committee was adjourned.]

                                  
                                 

                            A P P E N D I X

                              ----------                              


         Material Submitted for the Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

[Note: No responses were received by the committee to the above 
questions prior to printing.]
    
 
                                 [all]