b'<html>\n<title> - [H.A.S.C. No. 114-50]OUTSIDE PERSPECTIVES ON THE DEPARTMENT OF DEFENSE CYBER STRATEGY</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                                    \n                         [H.A.S.C. No. 114-50]\n\n                        OUTSIDE PERSPECTIVES ON\n\n                       THE DEPARTMENT OF DEFENSE\n\n                             CYBER STRATEGY\n\n                               __________\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                           SEPTEMBER 29, 2015\n\n\n                                     \n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] \n\n                               ____________\n                               \n                               \n                     U.S. GOVERNMENT PUBLISHING OFFICE\n97-196                        WASHINGTON : 2016                     \n                             \n________________________________________________________________________________________\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,\nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). \nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="b5d2c5daf5d6c0c6c1ddd0d9c59bd6dad89b">[email&#160;protected]</a>  \n\n \n                                    \n                      COMMITTEE ON ARMED SERVICES\n                    One Hundred Fourteenth Congress\n\n             WILLIAM M. ``MAC\'\' THORNBERRY, Texas, Chairman\n\nWALTER B. JONES, North Carolina      ADAM SMITH, Washington\nJ. 
RANDY FORBES, Virginia            LORETTA SANCHEZ, California\nJEFF MILLER, Florida                 ROBERT A. BRADY, Pennsylvania\nJOE WILSON, South Carolina           SUSAN A. DAVIS, California\nFRANK A. LoBIONDO, New Jersey        JAMES R. LANGEVIN, Rhode Island\nROB BISHOP, Utah                     RICK LARSEN, Washington\nMICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee\nJOHN KLINE, Minnesota                MADELEINE Z. BORDALLO, Guam\nMIKE ROGERS, Alabama                 JOE COURTNEY, Connecticut\nTRENT FRANKS, Arizona                NIKI TSONGAS, Massachusetts\nBILL SHUSTER, Pennsylvania           JOHN GARAMENDI, California\nK. MICHAEL CONAWAY, Texas            HENRY C. ``HANK\'\' JOHNSON, Jr., \nDOUG LAMBORN, Colorado                   Georgia\nROBERT J. WITTMAN, Virginia          JACKIE SPEIER, California\nDUNCAN HUNTER, California            JOAQUIN CASTRO, Texas\nJOHN FLEMING, Louisiana              TAMMY DUCKWORTH, Illinois\nMIKE COFFMAN, Colorado               SCOTT H. PETERS, California\nCHRISTOPHER P. GIBSON, New York      MARC A. VEASEY, Texas\nVICKY HARTZLER, Missouri             TULSI GABBARD, Hawaii\nJOSEPH J. HECK, Nevada               TIMOTHY J. WALZ, Minnesota\nAUSTIN SCOTT, Georgia                BETO O\'ROURKE, Texas\nMO BROOKS, Alabama                   DONALD NORCROSS, New Jersey\nRICHARD B. NUGENT, Florida           RUBEN GALLEGO, Arizona\nPAUL COOK, California                MARK TAKAI, Hawaii\nJIM BRIDENSTINE, Oklahoma            GWEN GRAHAM, Florida\nBRAD R. WENSTRUP, Ohio               BRAD ASHFORD, Nebraska\nJACKIE WALORSKI, Indiana             SETH MOULTON, Massachusetts\nBRADLEY BYRNE, Alabama               PETE AGUILAR, California\nSAM GRAVES, Missouri\nRYAN K. ZINKE, Montana\nELISE M. STEFANIK, New York\nMARTHA McSALLY, Arizona\nSTEPHEN KNIGHT, California\nTHOMAS MacARTHUR, New Jersey\nSTEVE RUSSELL, Oklahoma\n\n                  Robert L. 
Simmons II, Staff Director\n                 Kevin Gates, Professional Staff Member\n              Lindsay Kavanaugh, Professional Staff Member\n                          Neve Schadler, Clerk\n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Committee on Armed Services....................................     2\nThornberry, Hon. William M. ``Mac,\'\' a Representative from Texas, \n  Chairman, Committee on Armed Services..........................     1\n\n                               WITNESSES\n\nBejtlich, Richard, Chief Security Strategist, FireEye, Inc.......     3\nDelfino, Dominick, Vice President, World Wide Systems \n  Engineering, Networking and Security Business Unit, VMware, \n  Inc............................................................     6\nSchmidt, Dr. Lara, Senior Statistician, Associate Director, RAND \n  Project Air Force, RAND Corporation............................     8\nWallace, Ian, Senior Fellow, International Security Program, and \n  Co-Director of the Cybersecurity Initiative, New America \n  Foundation.....................................................     5\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Bejtlich, Richard............................................    43\n    Delfino, Dominick............................................    62\n    Schmidt, Dr. Lara............................................    77\n    Wallace, Ian.................................................    
54\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Shuster..................................................    95\n    Mr. Walz.....................................................    96\n\n\n    OUTSIDE PERSPECTIVES ON THE DEPARTMENT OF DEFENSE CYBER STRATEGY\n\n                              ----------                              \n\n                          House of Representatives,\n                               Committee on Armed Services,\n                       Washington, DC, Tuesday, September 29, 2015.\n    The committee met, pursuant to call, at 10:02 a.m., in room \n2118, Rayburn House Office Building, Hon. William M. ``Mac\'\' \nThornberry (chairman of the committee) presiding.\n\n  OPENING STATEMENT OF HON. WILLIAM M. ``MAC\'\' THORNBERRY, A \n    REPRESENTATIVE FROM TEXAS, CHAIRMAN, COMMITTEE ON ARMED \n                            SERVICES\n\n    The Chairman. The committee will come to order.\n    Cyber is deeply ingrained in virtually every facet of our \ndaily lives, at work, at home, in our schools, and in \ngovernment. We are incredibly dependent upon it, and therefore \nwe are incredibly vulnerable to disruptions or attacks that \naffect it.\n    Cyber is a great enabler for our daily lives, but the \nthreats also pose a significant danger to our national security \nas well. What adds complication is that various estimates show \n85 percent of the infrastructure that needs to be protected is \nowned by the private sector. And so the role of government in \nprotecting not only itself, but the country in this new domain \nof warfare is a major challenge for us.\n    So that is part of the reason this committee is devoting a \nweek to cybersecurity issues. 
We are starting today with an \noutstanding panel of experts to not only share their insights, \nbut set up the discussion for the remainder of the week. \nTomorrow we will have the deputy secretary of defense and the \ncommander of CYBERCOM [U.S. Cyber Command] before us. The \nEmerging Threats and Capabilities [ETC] Subcommittee has a \nclassified briefing on cyber later in the week.\n    Cyber, of course, is normally in ETC\'s jurisdiction, but \nbecause it does translate to all aspects of this committee\'s \nwork and because of these overall policy issues, the full \ncommittee is having these hearings today and tomorrow.\n    As I say, there are a number of questions. What is the role \nof the Federal Government in defending that 85 percent of the \ninfrastructure? How do you have deterrence in cyberspace? Do we \nhave the necessary authorities and rules of engagement to \nengage in cyber warfare? Are we acquiring the people and the \ncapabilities that we need? Do we have a strategy that can deal \nwith what some of our adversaries are doing? What effect do \nthings like the agreement that the Chinese and the President \nhave reached this week have on cyber? Just some of the \nquestions for us to explore.\n    So I really appreciate to start off our cyber week having \nthis outstanding panel of experts. Before we turn to them, I am \ngoing to yield to the distinguished ranking member of the \nEmerging Threats and Capabilities Subcommittee, Mr. Langevin, \nfor any comments he would like to make.\n\n  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM \n           RHODE ISLAND, COMMITTEE ON ARMED SERVICES\n\n    Mr. Langevin. Thank you, Mr. Chairman.\n    And thank you to our witnesses for appearing before us \ntoday on the Department of Defense\'s new Cyber Strategy \nreleased in April 2015. 
I certainly look forward to hearing \nwhat you have to say.\n    Ranking Member Smith is going to be joining us a little \nlater today, so I will be delivering a synopsis of his remarks \non his behalf.\n    So I look forward to hearing the witnesses\' perspectives on \nthe five strategic goals, their views on the objectives \noutlined in the strategy in order to achieve those goals, and \nwhat else we should be thinking about to improve the posture of \nthe Department of Defense [DOD] in the cyber domain.\n    Cybersecurity is an issue that the chairman, the ranking \nmember, and I have been focusing on throughout our tenure on \nthe Armed Services Committee. Our time on the Emerging Threats \nand Capabilities Subcommittee has given us all insight into \nwhat has been recognized since 2013 by the Director of National \nIntelligence as the number one strategic threat to national \nsecurity. We have worked in coordination with the Department of \nDefense across the whole of government and with the private \nsector for many years to better enable the country to deter, \ndefend, and respond to cyberattacks.\n    Despite best intentions, as a nation we are not keeping \npace, though, with the sophisticated and ever-evolving cyber \nthreat. The DOD has made progress. But as Admiral Mike Rogers \nnoted in his June 2015 Vision and Guidance for the U.S. Cyber \nCommand, I quote: ``The Department is still in the very early \nstages of harnessing the power of our Nation\'s cyber \nenterprise.\'\'\n    I believe the new Cyber Strategy will better guide the \nDepartment in its efforts to harness the cyber enterprise. The \nfive strategic goals--building and maintaining ready forces and \ncapabilities; defending the network, securing data and \nmitigating risk to missions; being prepared to defend the \nhomeland and U.S. 
vital interests from cyberattacks of \nsignificant consequence; building and maintaining a viable \ncyber operations, and plan to use those options to control \nconflict escalation and shape the conflict environment; and \nbuilding international alliances and partnerships to deter and \nincrease stability--set the stage for the U.S. to gain an \nadvantage across the cyber domain, an advantage we desperately \nneed, as evidenced by the recent hack of the Joint Staff \nunclassified network.\n    Yet, not all of these goals and objectives are necessarily \nnew concepts. Many are significant issues that Congress and the \nDepartment have discussed for years. Yet, execution of the \nobjectives has presented technological, policy, and doctrinal \nchallenges at the tactical, operation, and strategic levels. \nThe new strategy provides us an opportunity to confront and \naddress those challenges so our goals can become reality sooner \nrather than later.\n    For instance, we know the Department needs qualified \nmilitary and civilian personnel in order to build and maintain \nforces to conduct cyber operations. But how does the Department \ncompete with the private sector for highly skilled individuals, \nespecially in a budget-constrained environment.\n    This committee has also been hearing about the necessity \nfor an effective cyber deterrence strategy for several years. \nTime has shown the need for such an effective policy has only \ngrown, but we are still grappling with how to approach \ndeterrence given the difficulty of attributing attacks and the \noverall strategic implications of such a policy. So deterrence \nrequires us to relook at the way we tend to think about \nwarfare, about what constitutes an act of war.\n    I look forward to the witnesses\' views on this issue, as \nwell as how we can operationalize other aspects of cyber. 
These \nare just a few of the issues that I hope that we will examine \ntoday.\n    Chairman Thornberry, I want to thank you for holding this \nhearing. I know of your commitment and interest in cyber \nissues, the work that we have done together both on the \nEmerging Threats and Capabilities Subcommittee and our many \nyears together on the House Permanent Select Committee on \nIntelligence have given us particular insights into the \nchallenges in this space. And, again, I appreciate the \nattention that the full committee is giving to this issue this \nweek.\n    With that, I thank the chairman. And I yield back.\n    The Chairman. I thank the gentleman. He is exactly right, \nhe and I have grappled with this issue for a number of years. \nAnd I very much appreciate Chairman Wilson and the gentleman \nfrom Rhode Island in their efforts to pursue this at the \nsubcommittee level. And, certainly, the full committee is not \nand cannot replace that diligence that they bring to this \nimportant issue.\n    Let me, again, welcome our witnesses. We have Mr. Richard \nBejtlich, chief security strategist for FireEye; Mr. Ian \nWallace, senior fellow and co-director of the Cybersecurity \nInitiative at the New America Foundation; Mr. Dominick Delfino, \nvice president at VMware; and Dr. Laura Schmidt at the RAND \nCorporation.\n    I appreciate the written testimony that each of you have \nsubmitted. I have read it. And I will ask unanimous consent to \nhave that included in the record. Without objection.\n    And so, if you would please, summarize your testimony \nbefore us, and then we will turn to questions.\n    Mr. Bejtlich, if you would like to begin.\n\n   STATEMENT OF RICHARD BEJTLICH, CHIEF SECURITY STRATEGIST, \n                         FIREEYE, INC.\n\n    Mr. Bejtlich. Chairman Thornberry, Ranking Member Smith, \ndistinguished members of the committee, thank you for the \nopportunity to testify. I am Richard Bejtlich, chief security \nstrategist at FireEye. 
I am also a nonresident senior fellow at \nthe Brookings Institution and I am pursuing a Ph.D. in war \nstudies from King\'s College, London. I began my security career \nas a military intelligence officer in 1997 at the Air Force \nInformation Warfare Center.\n    Speaking today as a FireEye strategist and as a former \nmilitary officer, I assess the new DOD Cyber Strategy as a \ntransition document. Previous strategies emphasized DOD\'s role \nas protecting DOD networks from attack. The current document \nrestates this role and adds a new, albeit limited, mission to, \nquote, ``defend the U.S. homeland and vital interests from \ndisruptive or destructive cyberattacks of significant \nconsequence.\'\'\n    Stepping outside the beltway for a moment, it might be \nnatural to ask what about OPM [Office of Personnel Management] \nor even what about Sony. For these reasons, I believe DOD\'s \nstrategy is a step in the right direction, but one that needs \nto be augmented by additional measures.\n    Now, at this point in my written remarks I cover four \nassociated topics: Private sector security capabilities, \nattribution, hack-back, and acquisition. But in order to meet \nmy time limit, I respectfully refer you to those written \ndocuments. And here I would like to turn straight to five \nrecommendations to improve the Nation\'s digital security.\n    First, I recommend that DOD and the Intelligence Community \nmodify the nature of offensive digital operations against \nnational adversaries. According to open source intelligence \ntradecraft and stories published in open media, U.S. Government \noffensive digital activities currently focus on traditional \nespionage targets. These operations fulfill collection \nrequirements such that U.S. Government decisionmakers can \nexecute their duties based on accurate and actionable \nintelligence.\n    Foreign intelligence services also conduct these \noperations. 
However, foreign intelligence services, military \nunits, and other teams also attack private sector companies in \nthis country and elsewhere. They also attack civil society \norganizations and even individuals.\n    U.S. offensive digital capabilities should therefore be \nordered to directly target the foreign teams that are attacking \nprivate U.S. entities. By putting pressure on these foreign \nteams, U.S. victims would receive some relief from the \nrelentless waves of foreign hacking campaigns. By pressure, I \nmean low-level activities that introduce friction and \nuncertainty into the minds and processes of foreign hackers.\n    For example, U.S. offensive teams could quietly corrupt \ntools and infrastructure used by foreign teams against domestic \ntargets. They could periodically crash foreign computers used \nto hack U.S. targets or degrade bandwidth used to transport \nmalicious traffic. The idea is to introduce obstacles into \nforeign hacking operations such that they are working uphill \nwhen trying to attack U.S. victims.\n    Second, the DOD, the IC [Intelligence Community], and \npartners should consider indirect ways to help protect U.S. \nprivate sector and associated targets. If government actors \nlearn that private entities are being targeted by a foreign \nadversary, they should be more willing to warn of the attack \nbefore it happens. Our current strategy is essentially we tell \nthe victim after they have been hacked, which that is valuable, \nmany times that is the only way a victim learns, but we need to \nknow earlier in the process.\n    Third, I recommend that the Congress and DOD should sponsor \na study into creating an independent cyber force. As a former \ncaptain who performed the computer network defense mission in \nthe Air Force, I am very pleased to see the existing military \nservices improving the career paths and opportunities for \ntoday\'s troops. 
For example, I spoke at an Army Cyber Institute \nevent last week and I watched two young Army captains explain \nhow they would apply cyber tactics to a simulated physical \ncombat mission.\n    Unfortunately, I was reminded of the challenges facing \nthese young officers when an audience member warned that the \npair\'s noncyber colleagues might, quote, ``think they were \nplaying warrior,\'\' and that their makeshift technical solutions \nmight appear to be a toy. These cultural barriers are real and \ninherent in each military service\'s ethos.\n    Fourth, and this is stepping outside DOD a little bit but \nit affects the entire government, I recommend that the \nPresident appoint a U.S. chief information security officer or \nU.S. CISO. The executive branch already has a U.S. chief \ninformation officer [CIO] and a chief technology officer [CTO]. \nThis is similar to the situation of many private sector \nbusinesses before a breach, but after a breach they quickly \nchange. Thus far, the government has not changed. We still \ndon\'t have a U.S. CISO. And I would put that person at the \nlevel of current U.S. CTO and U.S. CIO personnel.\n    Finally, I recommend the administration should develop the \ncapability to take asymmetric actions that target adversary \ncore interests, but in a way the leverages our strengths \nagainst their weaknesses. In my written statement, I discuss \none example involving China\'s Great Firewall.\n    I look forward to answering your questions.\n    [The prepared statement of Mr. Bejtlich can be found in the \nAppendix on page 43.]\n    The Chairman. Thank you.\n    Mr. Wallace.\n\nSTATEMENT OF IAN WALLACE, SENIOR FELLOW, INTERNATIONAL SECURITY \n PROGRAM AND CO-DIRECTOR OF THE CYBERSECURITY INITIATIVE, NEW \n                       AMERICA FOUNDATION\n\n    Mr. Wallace. 
Chairman Thornberry, Ranking Member Smith, \ndistinguished members of the committee, thank you for inviting \nme to testify about the Department of Defense\'s strategy for \ncybersecurity. I am Ian Wallace. I am a fellow in the \nInternational Security Program at New America. And I am the co-\ndirector of New America\'s Cybersecurity Initiative.\n    As I set out in my written testimony, the DOD\'s strategy is \na necessary and welcome update to the 2011 Strategy for \nOperating in Cyberspace. And as such, I think it does a good \njob of identifying and describing the actions that will be \nnecessary for the DOD to meet the challenges it faces today. \nAnd it also, I have to say, shows an admirable new level of \ntransparency in the way that the DOD discusses these issues.\n    But no strategy is perfect, and in my written testimony I \noffer two particular ways in which I think the committee can \nusefully help the DOD improve on the strategy. The first of \nthese will be to ensure that the DOD does not fall into the \ntrap of becoming the default choice for responding to threats \nagainst the Nation\'s civil infrastructure. The second will be \nto ensure that despite the undoubted cyber threat that the \nUnited States faces today, the DOD is also properly thinking \nabout the future operating environment in which U.S. forces \nwill fight.\n    Both these points are important. But while the immediacy of \nthe current threats are alarming and the issues like deterrence \nand attribution undoubtedly deserve further discussion, I \nencourage members not to lose sight of my second point.\n    To understand the importance of thinking ahead about the \nimplications of new technology, let me for a moment offer the \nanalogy of the advent of military aviation. My own country, \nBritain, emerged from the First World War as a leader in \ncarrier aviation. 
By the beginning of the Second World War, \nBritain had been eclipsed by the United States, and this new \ncapability was obviously crucial in America\'s prosecution of \nthat war.\n    There were a number of reasons for this, but they include \nUnited States willingness to do four things that are highly \nrelevant to our current situation. Those four things were the \nwillingness to engage in operational experimentation, a \nwillingness to actively foster new thinking about operational \nconcepts in the top military educational establishments, a \nwillingness to make big organizational changes based on those \nnew concepts, and perhaps most importantly, a willingness to \nencourage the best and brightest--that includes the likes of \nHalsey, Nimitz, and King--to make this new technology central \nto their careers.\n    History does not repeat itself exactly. In the 21st \ncentury, the DOD\'s response to new cyber capabilities will need \nto be much more joint than the approach taken in the 1920s and \n1930s. But now, as then, longsighted action and the support, \neven active pushing of Congress, will be crucial to maintaining \nthe United States military edge in future military operations.\n    I look forward to your questions.\n    [The prepared statement of Mr. Wallace can be found in the \nAppendix on page 54.]\n    The Chairman. Thank you.\n    Mr. Delfino.\n\n   STATEMENT OF DOMINICK DELFINO, VICE PRESIDENT, WORLD WIDE \n  SYSTEMS ENGINEERING, NETWORKING AND SECURITY BUSINESS UNIT, \n                          VMWARE, INC.\n\n    Mr. Delfino. Chairman Thornberry, Ranking Member Smith, and \nmembers of the committee, thank you for the opportunity to \ntestify today on the Department of Defense\'s Cyber Strategy. I \nam Dominick Delfino, vice president of World Wide Network and \nSecurity Systems Engineering at VMware. 
I ask that my full \nstatement be submitted for the record.\n    We believe that the DOD Cyber Strategy is a good first step \ntoward improving the Department\'s cyber posture. However, as \nwith any strategy, the complexity is in the execution of the \nimplementation. With respect to goal number one, building \ncyber-ready forces and capabilities, VMware believes that this \nchallenge can be managed with industry-proven practices, such \nas using technology that is available today to mimic currently \nevolving threats. Once in place, these cyber classrooms can \nprovide on-demand training to warfighters globally.\n    We also recommend that DOD leverage automation technologies \nto simplify cyber detection. By automating responses that can \nbe just as rapidly undone, the Department can empower today\'s \nnetwork professionals with the ability to stop threats \nimmediately without having to wait for complex systems changes.\n    For recruiting experienced personnel, the Department should \nconsider using programs like the government\'s special hiring \nauthority that is used to pay higher wages for people who have \nspecialized skills. We also recommend creating a clear \npromotion path to command-level responsibility for cyber \nwarriors.\n    For goal number two of the Cyber Strategy, defending the \nDOD information networks, we believe a new approach to network \narchitecture is needed. As we have seen in the recent private \nsector and government attacks, hackers were able to penetrate \nperimeter systems and gain access to networks where they were \nfree to access and steal sensitive data over a period of \nseveral months.\n    Hackers typically use this attack methodology because \ntraditional perimeter-centric security systems are structurally \ndesigned to be doors to the network. These doors serve to allow \nauthorized users access to network systems and to prevent \nunauthorized users from getting inside the network. 
Once the \nintruder has penetrated perimeter security, there is no simple \nmeans to stop malicious activity within the data center without \nextreme disruption to the government\'s mission.\n    For example, imagine a street with homes on it as an \nanalogy for a network with servers in a data center. Let\'s \nassume there is a corridor that connects every home on the \nstreet. If an intruder can manage to break into one home, the \nintruder now has complete access to all of the other homes on \nthe street, even though their doors to the street are locked, \nbecause there is a trusted passage between them. In technology \nterms, the larger and the flatter the network and the more \nservers on the network, the higher the probability the hacker \nwill be able to penetrate one server and leverage it to \ncompromise others on that same network.\n    In order to prevent an attacker from moving freely within \nthe network, the Department should compartmentalize its \nnetworks, implementing what is called a Zero Trust or micro-\nsegmented environment. A Zero Trust environment prevents \nunauthorized movement by minimizing the attack surface of the \nnetwork. When a user or system breaks the rules, the potential \nthreat incident is compartmentalized and security staff can \ntake any appropriate defensive actions. This limits the \nintruder\'s ability to move around freely within the network and \nsignificantly mitigates the impact of a successful perimeter \nbreach. This approach is being widely adopted by the commercial \nsector, including the financial industry and some areas of the \ngovernment.\n    We applaud the Department\'s efforts to move towards the \nJoint Information Environment [JIE] and believe if done \ncorrectly it will significantly enhance the cyber posture of \nthe DOD. We believe that the DOD should leverage the existing \ncloud technologies it owns and consolidate those workloads to \nmove into the JIE first, measuring success through a scorecard. 
\nWe also recommend the Department review how it treats \nunclassified business systems. Currently these systems, such as \nemail, personnel, and payroll, are treated differently than \nclassified mission-critical systems under current DOD \npractices.\n    Finally, for goal number three, defending the homeland from \ncyberattacks, we recommend two approaches in addressing these \ninitiatives. The first is to automate security features. This \nwill allow the Department to proactively deploy \ncountermeasures. The second approach is to use predictive \nmethods to quantify attacks and likely actions based on their \nearly stage. Investing in these capabilities will yield \nsignificant benefits by preventing later-stage and more serious \nattacks based on the precursor activities.\n    In summary, when implementing its Cyber Strategy, we \nbelieve the DOD should establish aggressive goals for \nautomating the management of its IT [information technology] \ninfrastructure security controls. The Department should also \ncut the common thread linking every major breach by \nimplementing a Zero Trust security model to reduce attacker and \nthreat mobility within the network. Finally, the Department \nshould implement a scorecard to aggressively and manage each \ncommand\'s progress towards moving to the JIE.\n    Thank you for the opportunity to testify today. I look \nforward to answering any questions the committee might have.\n    [The prepared statement of Mr. Delfino can be found in the \nAppendix on page 62.]\n    The Chairman. Thank you.\n    Dr. Schmidt.\n\n STATEMENT OF DR. LARA SCHMIDT, SENIOR STATISTICIAN, ASSOCIATE \n       DIRECTOR, RAND PROJECT AIR FORCE, RAND CORPORATION\n\n    Dr. Schmidt. Thank you. Chairman Thornberry, Ranking \nMember, and members of the committee, I am honored to be here \ntoday to discuss this important topic. 
My name is Lara Schmidt \nand I am a senior researcher at the RAND Corporation.\n    As I described in my written statement, the 2015 DOD Cyber \nStrategy clearly defines DOD\'s missions in cyberspace, and as \nis typical for a strategy, establishes several goals to ensure \nDOD is able to accomplish these missions. The goals are: to \nbuild and maintain ready forces and capabilities to conduct \ncyber operations; to defend DOD networks, secure DOD data, and \nmitigate risks to DOD missions; to build and maintain viable \ncyber options and plan to use them in the range of conflict \nscenarios DOD may face; to be prepared to defend the homeland \nand U.S. vital interests from cyberattacks of significant \nconsequence; and finally, to build and maintain international \nalliances and partnerships to deter threats and increase \nstability and safety, security. The strategy also identifies a \nseries of implementation objectives to achieve these goals.\n    With all that said, I have four main points I would like to \nshare with you about the 2015 DOD Cyber Strategy. First, a \ncapable cyber workforce is critical to achieving the goals laid \nout in the strategy. But the commercial sector is also vying \nfor high-quality personnel with the same skill sets. However, \nDOD has an opportunity to learn from the commercial sector to \nattract capable military, civilian, and contractor personnel. 
\nResearch into commercial hiring and retention practices shows \nthat for most of this workforce, it does not all come down to \npay, and even on that scale, DOD is not as bad off as many \nfear.\n    The one exception is the market for the few personnel with \nelite cybersecurity skills, these so-called ninjas, who are a \ncompetitive advantage for cybersecurity and other firms and as \na result, command large salaries.\n    My second point, despite the excitement surrounding DOD \noffensive and defensive cyber operations, it is important to \nremember that the bulk of the workforce is involved in the \ncritical job of configuring and maintaining DOD hardware, \nsoftware applications, and networks around the world. Ensuring \nthe continued functioning of these systems and networks, even \nin the absence of cyberattack, is crucial. Therefore, this DOD \nIT workforce, or as DOD calls it the DODIN [Department of \nDefense Information Network] workforce, requires continued \nsupport as well.\n    Third, DOD has adopted a risk management approach to \nsecuring its systems across their life cycle, and this is \ncommendable. However, it is a challenging undertaking due to \nthe scale of DOD systems and networks, the ever-changing cyber \nthreat, and the hard choices that will need to be made to \nprioritize risk mitigation efforts. Adequate resources and \npractical approaches need to be brought to bear to effectively \nimplement the risk management framework.\n    Fourth, the strategy seeks to integrate cyber operations, \nincluding offensive operations, into military plans for all \nstages of conflict. In order to do this, the Department must \ntake a scientific approach to evaluating whether offensive \ncyber capabilities will achieve the intended effects when \ncalled upon and avoid unintended effects. 
Doing so requires
significant rigorous testing, data collection, and analysis
efforts.
    So in conclusion, it is my view that the DOD Cyber Strategy
lays out an ambitious set of goals that are well aligned to
operationalizing cyber. However, implementing the initiatives
needed to achieve these goals will be challenging due to the
difficulties in quickly building and maintaining a capable
workforce, assessing risk across the large number of DOD
networks and systems, and planning for operations in this
highly dynamic environment. Achieving the goals of the strategy
will take time and significant resources. I appreciate the
opportunity to discuss this topic and I look forward to your
questions.
    [The prepared statement of Dr. Schmidt can be found in the
Appendix on page 77.]
    The Chairman. Great. Thank you. I appreciate all of you all
being able to get a lot into a short amount of time in your
oral statements. But, as I said, I appreciate your written
statements as well.
    I think a lot of notable historical figures have made the
point that it is more important to get the questions right, in
a way, than it is to get the answers, or at least you ought to
spend more time and effort focused on what the proper questions
are before you attempt to find the answers. So I would just
like to ask each of you, what is the primary proper question
for us as policymakers to ask or to grapple with when it comes
to cyber?
    I have thought that maybe it was, what is the appropriate
role of the military in defending the private sector
infrastructure? Mr. Wallace kind of addressed that in his
comments. But that may not be the most important question for
us to ask. Maybe it is on the people side.
Maybe it is
something else.
    So without trying to steer you in any direction, for
policymakers, what do you think the most important question or
issue for us to grapple with when it comes to cyber and our
country's security?
    Mr. Bejtlich.
    Mr. Bejtlich. Sir, I would define it as, what is the
acceptable level of loss for this country? For example, I don't
want to equate the country to a store, but every store accepts
a certain amount of shrinkage, in other words, theft from the
store. We accept in the geopolitical realm a certain amount of
instability. We have to define in this realm, what is it that
we are willing to tolerate? You could argue simply by inaction
we are tolerating quite a bit right now in terms of theft of
intellectual property, theft of personally identifiable
information. Essentially by inaction, we have determined that
that is acceptable.
    Now, do we want to push back on that and say, no, we are
not going to accept that? I think the President has done a
little bit of that now with China, although we can talk more
about that. But that to me is the central question, what is the
acceptable level of loss and how do you define that loss?
    The Chairman. Okay.
    Mr. Wallace.
    Mr. Wallace. As I mentioned earlier, I think the
appropriate role of the military is an important question. The
other important question that I think needs to be asked is, in
a world where technology is effectively leveling out the
differences between countries and their ability to engage
against each other, how does the U.S., and particularly the
U.S. military, maintain its advantage? And if that is no longer
technology, I think the answer is likely to be in its ability
to build alliances and in the quality of its people. But that
doesn't happen by accident. That requires investment and
forward planning.
    The Chairman. Okay. Thank you.
    Mr. Delfino.
    Mr. Delfino.
I think the appropriate question is, how do we
move from a stature of managing compliance to a stature of
managing risk? Legislation can only be passed so frequently.
And we are in a world where the dynamics of this are changing
daily. And how do we really put a defensive posture in place
and potentially an offensive posture in place that manages the
risk with the association of potential DOD systems and
infrastructure and military capabilities being breached?
    The Chairman. Okay.
    Dr. Schmidt.
    Dr. Schmidt. I agree with Mr. Delfino. I think that the
most important question in my mind is, how is DOD postured to
protect its own networks, its own data, its own missions
against the evolving cyber threat? And it all comes down in the
strategy to the implementation plan of a risk-assessment
approach.
    The Chairman. Okay. I think there is more to pursue there,
but I want to get to other members.
    Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    Again, I want to thank our witnesses for your very
insightful testimony.
    I guess I would like to start, first of all, with Mr.
Bejtlich, on your call for a Federal CISO. And I have felt
similar for quite some time and have had legislation in for
years now calling for a director's position in the Executive
Office of the President that has both policy and budgetary
authority to reach across government to compel departments and
agencies to do what they need to do to close our cyber
vulnerabilities. Right now, we do not have anyone in charge,
ostensibly, in that respect. The closest we have is the
cybersecurity coordinator. It is a special assistant to the
President position, but it is advisory and has no policy and
budgetary authority. Not even the Secretary of Homeland
Security has the ability to reach across government and compel
departments and agencies to do that.
    So you called for a Federal cybersecurity officer.
My
vision had been that this director's position would apply
mainly to the .gov domain. Are you suggesting that this Federal
chief information security officer would have jurisdiction both
over DOD operations as well as .gov or would you separate the
two?
    Mr. Bejtlich. Thank you for the question, sir. I would
separate the two. Traditionally in government IT we have carved
out DOD and IC systems from the rest of the approaches. And in
my experience, DOD and the IC are doing the best job as far as
defending themselves.
    They also have a unique culture in a sense that they do
something called projecting friendly forces on the network. In
other words, they assume that they are compromised and they are
out there looking for the adversaries. This is a culture shift
that needs to take place in the rest of the government, in the
civilian side of the government.
    And that would be my initial mandate to the Federal CISO,
would be to bring that culture of going out there and looking
for intruders in the Federal networks, as opposed to continuing
to build higher walls. Which we do need to improve Federal
security, there is no doubt, but you need to have two missions,
finding the intruders and kicking them out and also improving
security.
    Mr. Langevin. Good. Thank you.
    So for the panel, when it comes to violence in the physical
domain, society by and large manages to keep a lid on our worst
impulses or at least has established a countervailing structure
of rule of law. However, we seem to have a deficit of
structures of a similar nature with sufficient influence over
cyberspace, particularly supranational issues.
    Moreover, it seems increasingly clear that we as a global
society have a tactical deficit when it comes to defense in
cyberspace. The Internet ecosystem is not solid defense and
defense agility in equal measure to the offensive capabilities
it unleashes.
    Would you agree?
And if so, how do we harness our S&T
[science and technology] capabilities in our global influence
to turn this picture around?
    Mr. Delfino. If I may, Congressman. I think an element of
this has to be compared to terrorism, right? Cyberterrorism is
analogous to terrorism. And our enemy only has to be right once
and we have to be right every single time. So I think the
effort that this Nation has put into dealing with the threat of
terror within the Nation, we need to take similar aspects and
attributes and efforts and put them into cyberterrorism as
well.
    Mr. Langevin. Thank you.
    Anyone else?
    Mr. Bejtlich. Sir, if I could offer, when we think about
risk as security professionals, we have three levers we can
pull: There is vulnerability, there is the threat, and there is
the consequences or cost of an intrusion.
    In my community, the tactical community, we have spent way
too much time, in my opinion, on the vulnerability side. It is
important to reduce vulnerabilities, but we are moving to an
Internet of things where there are tens of billions of devices
on the Internet, and trying to reduce the vulnerabilities in
all of them is just too much. Similarly, on the cost side, we
increasingly have more and more information on the Internet.
    So I do recommend that we do as much as possible to
minimize. In fact, I saw Representative Buchanan has a bill to
try to get rid of Social Security numbers on tax returns. I
think that is a wonderful idea.
    But the one part of that equation that is really not
exploding--I mean it is growing, but not exploding--is the
threat side. The head of Interpol the other day said that he
estimates there are only about 100 malware kingpins in the
world. These are the top-level guys who can write the worst
malware for criminal purposes. A hundred of them compared to
tens of billions of devices we have to secure. I would put much
more emphasis on, as Mr.
Wallace mentioned, working with our
allies, going after those criminal groups. I think that would
bring a little bit more security to the Internet.
    Mr. Langevin. Thank you.
    My last question--and I will have others, but for right now
given time constraints--it is no secret that the cybersecurity
workforce is challenged and it can be difficult to mesh the
private sector and the needs of government. Certainly the
National Guard plays an important role in bridging that divide,
and I am extremely proud to host the 102nd Network Warfare
Squadron in the Rhode Island National Guard in my district. The
Guard is and will remain a critical pathway for the DOD to
access expertise that it otherwise, frankly, could not afford.
It is an important model and one that has many variants. I am
reminded particularly of Estonia, which has a cyber defense
league operating under a volunteer paramilitary model.
    Is the strategy being creative enough when it comes to ways
to both integrate the capabilities of the Guard and access the
capabilities of the private sector, be it through Secretary
Carter's outreach to Silicon Valley, some paramilitary program
such as Estonia's, or any other model?
    Mr. Wallace. I very much agree that the National Guard
offers important opportunities for ways to involve people in
the implementation of the DOD's strategy, experts that wouldn't
otherwise be able to be used. But I do think we need more work
to understand exactly how that will work in the future and
avoid slipping into a situation where we militarize problems
that don't necessarily need to be militarized.
    There is a real question about how you spread
responsibilities between civilian experts and military experts,
and simply pulling the experts into the military isn't always
the best solution.
It may be the best way to deal with
supporting warfighters in fighting wars, but in terms of
defending civil infrastructure, one of the things we have to do
is make sure that we better understand how the private sector
and defense can work together.
    Dr. Schmidt. If I could just add a few things. I think that
your point about the National Guard and the Reserve Forces is
an excellent one. They stand to provide the longevity that is
required to maintain the technical depth that is necessary to
perform these cyber mission roles. However, the question that I
would ask is, are they well aligned with their expertise in
their civilian sector jobs? Are they engaged in cyber
activities there such that they can be bringing that expertise
to DOD or are they doing completely different things in their
civilian lives?
    You also asked about the new--is the strategy being
innovative enough, forward thinking enough to take on these new
initiatives for getting the workforce that we need. And I think
that one of the positive things that has happened lately has
been the release of the new DOD Directive 8140, which basically
aligns job roles with the knowledge, skills, and abilities that
are required to perform those roles and identifies three
separate categories of cyber-oriented jobs: an IT category, a
cybersecurity category, and a cyber effects category. And this
is the first time we have seen that kind of clarity coming out
for workforce management. I think it stands to really align the
training that is required to do those types of jobs and lay
forward career progression that is an effective strategy for
DOD.
    Mr. Langevin. Thank you, Dr. Schmidt.
    Mr. Delfino, do you have any comment?
    Mr. Delfino. Well, I believe Dr. Schmidt covered most of my
thoughts as well.
I do believe that we need to have a
consistent focus on recruiting the proper talent into those
roles, whether they be military, civilian, Guard, reservists,
et cetera, so on and so forth. And I do believe, as Dr. Schmidt
outlined in her oral testimony, that the government can be
competitive with the private sector marketplace, particularly
when they target recruits and candidates who are early in
career and use methodologies like we have in the ROTC [Reserve
Officers' Training Corps] where we can actually offer
scholarships to these individuals going into universities and
partner with the right universities with the right academic
programs in computer science, and then have them serve some
mandatory period of time postgraduate in either a military or
civilian capability to fight our cyber efforts.
    Mr. Langevin. Thank you.
    Mr. Bejtlich, do you have any comment?
    Mr. Bejtlich. Yes, sir, quickly. I endorse Under Secretary
Carson's work to make DOD more flexible. One of the things we
should consider is being able to take an Active Duty person,
have them work at FireEye for 2 years, we would love to have
them, and then send them back to DOD. We need this fluidity to
go back and forth between the private sector and the public
sector.
    Secondly, just as an issue with the Guard, I love the
Guard, I have done some exercises with them. Sometimes they
beat the regular forces at the fort. However, we have to be
careful, some of those same people who are working in the
Guard, if the flag goes up and they have to do DOD duty, they
are not going to be around to defend Bank of America or another
place that we really care about. So that is why I am partial to
looking into a cyber force where we do have people whose job it
is, if things get really bad, to take care of those bad
problems.
    Mr. Langevin. Thank you, Mr. Chairman. I have other
questions. But I will yield back.
    The Chairman.
Thank you.
    Mr. Forbes.
    Mr. Forbes. Mr. Chairman, first of all, I want to thank you
for your leadership in this area and for having this hearing. I
also want to thank Mr. Wilson for the efforts that his
subcommittee is doing in this area and continues to do.
    And as the chairman said, sometimes it is important for us
to ask the right question. In this area, there are so many
questions to ask and it is so big and so complicated. I would
like to maybe narrow in on just one. Under the current DOD
practices, unclassified business system networks, such as email
and payroll, are not defended as strongly as classified
networks.
    Mr. Delfino, you have highlighted how an attack on an
unclassified payroll system at DOD could impact the morale and
families of DOD employees if the payroll system were to be
compromised. You also mentioned an important point, that as the
Department is implementing its network defense across the
enterprise, it should review how it treats unclassified
business system networks. As you know, these systems were
recently the subject of a cyberattack.
    Do you think that DOD should be treating unclassified
networks any differently than classified networks? And what
recommendations do you have for the committee to improve their
cyber posture?
    Mr. Delfino. Thank you for the question, Congressman
Forbes.
    So I do believe while systems may be unclassified from a
national security perspective or from a confidentiality
perspective, they may be no less mission critical to the DOD or
its efforts as well. And I don't believe they should be treated
differently from a security posture perspective as it relates
to its technology controls at all.
    And many times these systems, with less security, will
be leveraged as a jumping-off point for a hacker. This happens
in private enterprise many, many times. We have seen it happen
in multiple government attacks as well.
And they should be
treated with the same model, they should be treated with the
same security controls. Albeit they may be separated from the
classified systems, it doesn't mean that there is a need for
less security on those systems. As I referred to, a Zero Trust
security model or a micro-segmented security model would be one
foundational aspect of how to secure these systems as well.
    Mr. Forbes. We appreciate the expertise of all of our
witnesses. Do any of you agree or disagree with Mr. Delfino in
his assessment of the problem there?
    Dr. Schmidt. I would just mention that the DOD is taking a
risk-management approach to managing the security of their
networks, and that requires not only understanding how the
systems are going to be used and the vulnerabilities, but also
the threats.
    One of the large pieces of implementing a risk-management
framework, though, is tracing what missions use what systems,
whether it is a computer or a server or an integrated circuit
somewhere deep within a weapon system, and understanding how
those missions are dependent on the computer systems that could
be attacked. It is a huge analytic effort, it is difficult, and
it is something that DOD is going to have to grapple with.
    Once they identify the risks to those systems, they would
then protect them accordingly, and that is all part of a risk-
assessment initiative. And I agree with your original statement
that it doesn't necessarily depend on classification, it
depends on impact to the mission.
    Mr. Forbes. Thank you.
    Mr. Wallace. I would endorse the comments of Dr. Schmidt. I
think in a risk-management approach some information will be
inherently more sensitive than other bits of information. The
trick in this new environment is understanding your risk and
acting appropriately.
    Mr. Forbes. Good. Thank you so much.
    Well, thank you all very much.
    And with that, Mr.
Chairman, I yield back.
    The Chairman. Mrs. Davis.
    Mrs. Davis. Thank you, Mr. Chairman.
    And thank you all for being here and providing your outside
expertise. We appreciate it.
    You are all talking about risk management, risk assessment,
and how important that is. I am wondering if you feel that we
should be exploring or really where do you think that tools of
deterrence fit and how are we developing those, how should we
be developing those. What do you think makes sense?
    Mr. Bejtlich. Ma'am, I believe that there is a certain
amount of deterrence in play now. There are actors who have the
capability to cause substantial damage to different companies
and organizations, and yet they don't. We have only seen a few
examples. Sands Casino, apparently Iranian actors. Sony
Pictures in the U.S., North Korean actors. There is plenty more
that could be done, but it hasn't happened. So there is a
certain amount of deterrence that is occurring.
    The question, though, has been at the subdestruction level,
the destruction of data, subphysical level, there has been a
lot of activity, mostly in the form of theft of business
secrets. Hopefully that will change. I am not sure if it will,
but we will see.
    Mrs. Davis. To what extent is the fact that we don't always
know where things are coming from?
    Mr. Bejtlich. Well, ma'am, in my testimony I address
attribution, and there has been a revolution in attribution
over the last 5 years, both, I would say, in the government,
but also in the private sector. Just last week, two security
companies essentially revealed the entire life story of a
Chinese hacker operating out of Kunming.
This is something that
would have taken me months to do in the military.
    So the attribution problem, as more and more of our lives
are online, those are hackers too, they are online, and we are
finding out who these guys are even without having access to
classified information. So attribution is much less of a
problem than it was 5 years ago.
    Mr. Wallace. I would just like to build on Mr. Bejtlich's
comments by adding that I think deterrence very definitely
exists. But that deterrence of cyber threats doesn't have to
happen within cyberspace.
    One of the most significant deterrents for nation-states
particularly to attack the United States is the fact that the
United States is the biggest military power in the world and
adversaries know that if they step over a certain line they
will invite a response. That, as Mr. Bejtlich points out,
pushes the threats down to the level where below that which the
United States would be willing to go to war.
    There are still tricky issues to manage, but to a large
degree that counts as success and means that at least a good
proportion of threats can be dealt with by other parts of
government and the private sector themselves.
    Mrs. Davis. Anybody else? Are you seeing that whole-of-
government response to deterrence, though? Are we doing a very
good job with that, bringing?
    Mr. Bejtlich. Ma'am, there have certainly been activities
coming out of DOJ [Department of Justice] with the indictment
of five PLA [People's Liberation Army] officers. I actually met
with four PLA colonels several months after that happened and
they were shocked that we had done that. So that has certainly
played a role. I know that USTR [Office of the United States
Trade Representative] has been looking at some activities. So
different parts of the government have been trying to do this.
The effects, though, are what I am waiting to see.
    Mrs. Davis. Okay.
    Dr. Schmidt.
On the DOD end of things, you are talking
about trying to change an adversary's decision calculus. So you
can do that also by raising the costs. So efforts to improve
the resilience of DOD systems are certainly something that you
take into account in terms of deterrence, and also the advent
of offensive operations that could be used to impose costs on
the adversary and better defenses that just make it harder for
the adversary to attack.
    Mrs. Davis. Is there a role of sanctions in that as well?
    Dr. Schmidt. Absolutely.
    Mrs. Davis. Yeah. Okay.
    One of the issues that we deal with here, and we had a
discussion the other day about procurement, and, you know, the
Department of Defense has had silo problems for years and
people not really having that whole-of-government approach as
well. But I am just wondering, within the cyber community where
adaptation has to be so critical and so important and moving
quickly in making those changes, how would you assess the
Department of Defense in that regard, in this area?
    Dr. Schmidt. I think one of the key ways that DOD isn't
quite as adaptive as you would like to see is in the hiring.
Lots of comments have been made about the speed with which the
commercial sector can identify high-quality cyber personnel and
hire them. But the slowness of, especially on the civilian side
of----
    Mrs. Davis. The personnel system, yes.
    Dr. Schmidt. Yes. So I think that is one way that the DOD
could improve to be able to be more competitive with the
commercial sector.
    Mr. Delfino. Congresswoman, I think there are two answers
for this question. As we talked about the people, I think we
can talk a little bit about the technology now. As a vendor,
the regulatory burden of doing business with the government is
very high. It is unlike any other market that we play in.
As a
relatively young 16-year-old software company that does hundreds
of millions of dollars in the public sector, including the DOD,
for the most part we don't hold direct contracts, but instead
provide products and service through resellers and distributors
who do hold contracts with the government. This is a fairly
substantial impediment to younger technology companies who may
have offerings that could substantially help the DOD.
    And the second to that is funding. It is difficult for the
customer to find ways to acquire innovative technology
following today's acquisition appropriations process. An IT
cycle is 24 months. However, once a product is in development,
there is often a delay in getting it into the government.
    So the private sector has the ability here to, you know, in
all reality stay 2 to 3 years ahead of the government if they
choose to do so.
    Mrs. Davis. Yeah. Thank you.
    The Chairman. Thank you.
    Chairman Wilson.
    Mr. Wilson. Thank you, Mr. Chairman. And thank you and
Ranking Member Smith for arranging for cyber week this week. We
have the hearing today. Tomorrow again at 10. Tomorrow
afternoon. It has been a real honor for me to work with
Congressman Langevin as the ranking member on Emerging Threats.
This really has been a bipartisan effort to address the issues
we have. And we also have an extraordinary professional staff,
as I referenced in a 1-minute yesterday.
    For Mr. Bejtlich and Mr. Wallace, you have touched on this,
and that is in regard to attribution. What is our capability?
And then how much attribution is necessary or can be achieved
to provide for a response such as sanctions against
individuals, businesses, military units, maybe a nation?
    Mr. Bejtlich. Sir, briefly, the way I like to think about
attribution is that the government, the military, the IC have
capabilities that exceed the private sector when you think
about the source of attacks.
They have the legal authority and
they have the national technical means to get very close, and
to even infiltrate, who the adversaries are.
    The private sector, on the other hand, our expertise tends
to lie at the other end. We are with the victims. We are
helping the victims. We are seeing what the adversary is doing
within the victim companies.
    So when you put those two things together, we have a very
good picture of what is happening. Now, the government doesn't
necessarily tell us what they know. We tend to tell the
government what we know by working through our customers.
    So you put those two things together, and when you add in
the idea that attribution is ultimately a political question,
it is not necessarily a technical question, you have very
strong attribution capabilities now.
    Mr. Wallace. I would just add to what Mr. Bejtlich said to
say that the level of attribution you require depends on what
you want to achieve. And since it is a political decision, it
depends on what political acts you want to take. One of the
most, I think, important things going forward is going to be
able to take other nations with you in your actions, and that
is going to require an increasingly greater level of
attribution in helping those countries understand the reasons
that you are taking the actions that you are.
    Mr. Wilson. And, Mr. Bejtlich, I would look forward to
receiving information about the hacker in Kunming. Ironically,
my dad was stationed in Kunming with the 14th Air Force in
World War II and he was always so grateful for the opportunity
to protect the people of China from the attacks. And so it is
somewhat ironic now that there would be attacks from there
potentially. There should be a reminder of the relationships
that we have had.
    And, Dr. Schmidt and Mr.
Delfino, something that I hope can
be done, the technologies change so quickly, and, to me, there
needs to be a real effort and advice, and I know Secretary
Carter has been working on this, but what can be done to
promote public-private partnership?
    Mr. Delfino. I do feel that there is a pretty strong
public-private partnership not only within the DOD, but
throughout other U.S. Government agencies as well. I think some
of the risk that we manage today is due to the scale of legacy
implementations that we have and the amount of effort it would
take to move something like the JIE.
    So I believe that, through reading through the documents
and the initiatives and the goals of the JIE, there has been a
good amount of consultation between the DOD and the private
sector as well, and I do believe it is reflected in that
document as well. So I commend the DOD for that.
    Dr. Schmidt. The topic of a public-private partnership is a
bit outside my area of expertise, but I will point you to the
recent information-sharing proposals that have come forward in
various bills. And I think that the sentiment there is that
while information sharing between the government and the public
sector is possibly a beneficial arrangement, it is not
necessarily a panacea. And there is testimony from my colleague
Martin Libicki that explains that it depends upon the actions
of the threat actors. And if they can get inside the time with
which we can share information from the government to the
corporate sector, it may not have the benefits that it is
designed to have.
    Mr. Wilson. And we look forward to all of you in providing
information to us on how we can expedite a public-private
partnership.
    And a final for Mr. Bejtlich. Is there any way for us to
respond back where there has been a hacking?
    Mr. Bejtlich. Yes, sir. I think the notion of hack-back is
something that is often asked of the private sector.
I believe
the state should retain a monopoly on force and retain that as
a potential state function.
    Mr. Wilson. Thank you very much.
    The Chairman. Interesting question; we probably have more
questions to ask about that.
    Mr. Cooper.
    Mr. Cooper. [Audio malfunction in hearing room.]
    The Chairman. Mr. Johnson.
    Mr. Johnson. Thank you, Mr. Chairman.
    Mr. Bejtlich, do you believe it is worthwhile for the
Federal Government to initiate negotiations with other nations
when it comes to avoiding cyber conflict, cyber war?
    Mr. Bejtlich. Yes, sir, I do. I think the example with
China is a good one, where it was difficult for us to establish
a norm saying that we should not steal each other's secrets in
order to provide them to the private sectors of each country.
Now that we have actually established that as a norm publicly,
I think it is a good idea to take to other locations.
    Mr. Johnson. Does anyone disagree with that on the panel or
have anything to add to it?
    Mr. Wallace. I would just add that we already have norms,
even laws against countries going to war with each other. What
we actually need to seek to do is find ways to avoid that
happening by accident. So we shouldn't throw out all of the
experience or the international law that exists. We need to
better understand how we integrate cyber into those frameworks.
    Mr. Johnson. Is there a role for an international
organization such as the U.N. [United Nations] in this new
cyber arena where there needs to be clear rules established for
conduct of folks internationally, both private and--or both
government and nongovernment entities?
    Mr. Wallace. So the United Nations is already engaged in
this area. They have a group of government experts who have
been meeting over a number of years to sit around a table and
negotiate, at least agree the norms of behavior that should
exist.
They have essentially over a number of years agreed that \nwhat happens--that international law should apply.\n    What I think possibly we have to do now is move into other \nfora where blocking countries, those countries who make life \ndifficult, are not present, and to move together to try to \nimplement some other norms a little bit more aggressively.\n    Mr. Johnson. Do you see a future where the U.S. goes it \nalone and seeks to be the world superpower, dominant, in \ncontrol, and kind of a go-it-alone attitude about the cyber \narena when it comes to just dominance and enforcement? I know I \nam not being eloquent with my question, but I think you might \nknow what I mean.\n    Mr. Bejtlich. Sir, I do know what you mean. And it is \ninteresting, this is one of the fears some other countries \nhave. The Chinese, for example, are very aware that much of the \nhardware--not necessarily the hardware, they make the hardware \nover there. But we make the software. We have the innovative \ncompanies. We have the protocols. We have the core of the \nstakeholder agreements that run the Internet, and they are \nlooking for a way to better integrate and in some ways exert \ntheir own control over that.\n    So I do believe this idea of more inclusion for all the \naffected parties matters. It was different years ago when we \nwere the dominant force in terms of users. Now we are rapidly \nbecoming less and less compared to the hundreds of millions of \npeople elsewhere.\n    Dr. Schmidt. If I could just add a few points. You will \nnotice that the DOD strategy points to the need to build \npartnerships with international players on this line, not \nnecessarily to dominate, as you asked originally, but to build \nsecurity and safety for all the players.\n    Mr. Johnson. Thank you. And I will yield back my time.\n    Mr. Wilson [presiding]. Thank you, Mr. Johnson.\n    We now proceed to Congressman Wittman of Virginia.\n    Mr. Wittman. Thank you, Mr. Chairman. 
I thank the members
of the panel for joining us today.
    Several of you had mentioned earlier concerning members of
the military, and number one, their abilities, but also what we
would do to make sure they have the proper education within
cybersecurity. And let me get your perspective on several
different levels.
    How important is it for us as a nation to train our future
military leaders, specifically in the realm of cybersecurity?
Not just a cursory introduction, but an in-depth educational
experience at our service academies, through our ROTC programs.
And, secondly, how important is it for us to make sure that
every enlistee in every branch of the services gets some level
of training and education within cybersecurity?
    It seems to me that having a higher level of expertise
throughout the service ranks would be a great advantage to us,
especially with the eyes and ears and the skills that they
might have to be on the lookout, but also to think intuitively
and creatively about not only how to prevent cyberattacks, but
look at how we can be better defensively, but also things we
could do on the offensive side.
    So I would like to get your perspective on that on both of
those levels.
    Mr. Bejtlich. Yes, sir. I agree with your idea of--over the
entire spectrum of someone's career. My wife was an operations
officer at a basic training squadron in the Air Force. I know
the schedule is tight, but that 18-year-old enlisted person is
the way into the force many times. So don't put them through
some boring set of slides where they just look and sort of
stare at it. Put them through a little exercise, where they are
in front of the computer; they get that email, they go to that
Web site, whatever it is so that they know what it looks like.
    I also think it needs to be taught at the academies, as you
mentioned, at the mid-level and senior-level schools, but this
is also, I think, where the cyber force comes in. We need
people who can defend themselves. We also need those people who
think about this in that domain, and that is the way that they
approach this problem.
    And that's what I think--I firmly believe in 20 years we
are going to look back and wonder, how did we not have such a
capability?
    Mr. Wallace. I think it is essential that we have better
cyber education, as I have already argued. I think there are
two separate aspects to that education: cybersecurity and
awareness of the vulnerabilities at a personal level, and at an
institutional level, also an awareness of cyber operations. I
disagree with Mr. Bejtlich. I think embedding an understanding
of cyber operations within the current services may be a more
sensible way forward.
    But I think we both agree that having a better appreciation
of how wars will be fought in the cyber context is going to be
essential for military leaders, and that has to start right at
the beginning of their military education.
    Mr. Wittman. Mr. Delfino.
    Mr. Delfino. So I think certainly, those people in
positions in the military leading people whose primary
objective is cyber efforts need to have very deep cyber
expertise themselves, not just be, you know, a more generalized
leader.
    I think as it relates to the more general or the broader
enlisted service men and women, they certainly need to be
trained on best practices to prevent themselves from becoming a
point of compromise and entry into the DOD infrastructure. And
also need to learn what happens if in mid-mission a system that
they are using or dependent upon for that mission is breached
and is no longer there, how would they deal with that from a
circumstances perspective as well? So, I would not attempt to
turn every enlisted member into a cybersecurity expert, which is
likely infeasible.
    Mr. Wittman. Dr. Schmidt.
    Dr. Schmidt. I think research shows that it requires a
depth of expertise in the cyber workforce, but also in the
leaders of the cyber workforce. I think there is a tendency to
think that managers can just have a broader understanding, but
our research indicates that that is not the case. And to keep
up with the technology trends, the evolving threats, the
leaders also have to be deep in their expertise, and so I would
support a deeper cyber education for military leadership, DOD
leadership. And that has to be refreshed over time due to the
dynamic nature of the cyberspace.
    Mr. Wittman. One additional question. How important is pay
to retain those experts across the spectrum of needed
expertise, but also in the different areas of the service
branches both on the civilian side and the uniform service
side?
    Mr. Bejtlich. So pay is important, but it is not
everything. In 2001, when I got out of the Air Force, I didn't
get out because I wasn't making enough money. I got out because
there was no career path. I would have gladly stayed. I would
have even been more inclined to stay if I knew I could go to
the private sector for a couple of years, go back into the
military. You can do things in the military you can't do
anywhere else, so it is quite a retention bonus.
    Mr. Wittman. Any other thoughts? Mr. Delfino.
    Mr. Delfino. Just as in my written testimony as well, I
think pay is a component of it, and I do believe that the
government can be competitive there and the DOD as well.
I
believe it is also a training investment, an ongoing training
and development investment to keep people sharp. The ability
for them to get industry accreditations that they can use post
their service either in the military or as a civilian in the
Department of Defense as well. And a career path I also
highlighted in my written testimony is very, very important for
these individuals as well.
    Mr. Wittman. Thank you, Mr. Chairman. I yield back.
    Mr. Wilson. And thank you, Chairman Wittman.
    We now proceed with Mr. O'Rourke of Texas.
    Mr. O'Rourke. Thank you, Mr. Chairman.
    Mr. Bejtlich, you said earlier that perhaps the most
important question for us to answer is the amount of loss that
we are willing to tolerate. And I like that, because if we had
a chief information security officer that is a level to which
we hold that person accountable and responsible for. If we are
trying to communicate consequences to our adversaries, we can
say, you know, this is the level, whereas now it is a little
ambiguous.
    How would you advise us to proceed in answering that
question? What are the factors that you take into account? And
do you have an answer to it?
    Mr. Bejtlich. Sir, I do. I would start by taking a look at
the metrics we use to assess whether we are winning or not. The
way I like to describe it is this, we spend a lot of time
measuring the height of our players, how fast they run the 40,
where they went to college, and we don't figure out what the
score of the football game is. So we are doing a lot of input
metrics; we are not taking a look at what the outcome of the
game is. So the outcome of the game in cyberspace for me would
be how many intrusions are occurring over a certain period of
time? What were the consequences of those intrusions? How
quickly did we find out that it had happened?
    Just, you know, to give you an example, the front page of
USA Today the other day said, Energy hacked 159 times in 4
years. This is a step in the right direction? But this doesn't
say, ``How bad was it?'' ``What actually happened?'' I could
look at this and say, ``This isn't actually too bad.'' So we
need to turn more towards metrics like this and less from we
have certain numbers of systems patched and so forth.
    Mr. O'Rourke. And in terms of communicating that level of
tolerance to an adversary, is that something that is made
explicit, if you do this, these will be the consequences, both
cyber and perhaps physically militarily for crossing this red
line or this threshold?
    Mr. Bejtlich. I think there needs to be something like
that. And I know Secretary Panetta at one point said that in, I
think it was an October 2011 speech he gave, where he said if
there is significant consequence to the power sector,
financial--he laid out certain categories that they would be
met by a response, not just as Mr. Wallace mentioned in
cyberspace, but outside of cyberspace. So, we have to keep
delivering that message. And when something significant
happens, like OPM, we should take a response. We just can't
say, well, this is something that we would have done as well.
    In the Cold War when a spy ring was uncovered, we didn't
say, well, the Soviet Union spies. We kicked them out, we might
kick out the ambassador. So there can be consequences that
signal our disapproval of that action.
    Mr. O'Rourke. Mr. Wallace, I really enjoyed your analogy
comparing what we are doing today to the development of
military aviation prior to World War II. And you seem to
suggest that in the United States we were rewarding
risk-taking, and through that attracting the best and brightest, and
ensuring that they have career advancement connected to that
risk-taking and that advancement of military aviation.
    Can you give me a specific example of what we are not doing
in the U.S. if we are, in fact, not doing that today in cyber?
And perhaps to ask it in a positive way, what we could be
doing, what we should be doing, and as specific as you can get?
    Mr. Wallace. So I would say in defense of the commanders of
today that back in the 1920s, U.S. Navy had a very clear sense
of who its adversary was likely to be and worked around that.
But I think they were more imaginative and they did take steps
that are not being taken today.
    One very specific example is Admiral King. When he was a
captain, quite advanced in his career, was taken and trained as
an aviator so that he had the qualifications, because Congress
had passed laws to say you needed to be an aviator in order to
command an aircraft carrier. And therefore as some other senior
officers got that qualification.
    So they understood not only the actual process of flying an
aircraft, but also had an appreciation of the tactics that
would be required and the organization, putting the carrier at
the center of the battle fleet rather than the battleship, that
would be necessary to go on and prevail in the operations that
followed in the 1920s.
    Mr. O'Rourke. What is the analogy to cyber? What are we not
doing? Who is not getting the training? Is it senior commanders
within the Department of Defense?
    Mr. Wallace. Rather than treating cyber operators off to
the side, as the sort of techies, it is integrating cyber into
military operations and having those people who understand
cyber operations as part of the group of people who go on to
command full-spectrum operations.
    Mr. O'Rourke.
Thank you.
    Mr. Chairman, I yield back.
    Mr. Wilson. Thank you, Mr. O'Rourke.
    We now proceed to Congressman Rich Nugent of Florida.
    Mr. Nugent. Thank you, Mr. Chairman. And I appreciate this
panel.
    Now I sit on ETC, and we hear, obviously in classified
settings, issues as it relates to how we are going to do
certain things. But I guess what strikes me though is, you
know, what we can tolerate or what we are willing to tolerate.
And I don't know that we have a whole lot of discussion on
that. And so then when you start saying, okay, what are the
consequences to your actions? And there really--that is pretty
undefined also.
    Do you think to date that we have been, I guess, succinct
enough to talk about consequences to actions, particularly as
it relates to just China and what's gone on? We heard about the
fact that we indicted five. You know, prior law enforcement,
that would be a problem for me if we indicted them and they
were residents of the United States where we had extradition
abilities, but, I mean, that sounds good, but what other
consequences have we imposed when we clearly know who the
actors were?
    And it is just not China. I mean, there are other actors out
there: Russia, Iran, and others, and North Korea. What other
sanctions have we imposed to date? Can anyone speak to that?
    Mr. Bejtlich. Sir, my own personal experience, I have been
working intrusions by Romanian hackers, Russian, Chinese,
criminal nation-states for--in the private sector,
post-military for 13, 14 years now, and we are only now seeing
consequences. Now, there has been a decent amount of law
enforcement work that has been done, but in terms of going
after, say, businesses that have benefitted from the theft of
commercial information, we still haven't done that.
    Mr. Nugent. Please.
    Mr. Wallace. I would say that I think we have to remember
that the issue is bounded. There is a level which, I think,
adversaries know they shouldn't go. There is also the fact that
law enforcement does take care of cyber intrusions in many more
friendly countries around the world, say, for a smaller area.
    And in relation to the PLA five, the colonels that were
indicted. I think there is a debate as to whether that was the
right tactical action. But I think one thing that could be said
in favor of it, is that at least it began the process of
preventing a negative norm, the idea that countries can act
with impunity and not have any kind of acknowledgement that
that is unacceptable behavior.
    Mr. Delfino. I will just add to that, that there may be
times where we want to respond offensively cyberly, while
maintaining confidentiality and not take a responsibility for
those responses as well in order to not divulge our level of
sophistication and our responses as well.
    Mr. Nugent. I agree.
    Dr. Schmidt. And to build on that, one of the things that
the DOD strategy has set out as a goal is to be able to respond
when a contingency comes up and the desire is to implement an
offensive cyber capability. I think one of the critical areas
where we need to be working is ensuring that commanders know
how those offensive cyber capabilities will perform if they are
called upon to be used.
    And we could be doing more in that area to characterize
their performance and ensure that they do not have unintended
effects.
    Mr. Nugent. I agree. One statement was made, I think Mr.
Delfino, you were talking about, is our reliance on technology
within the military is so high, whether it is ground troops,
obviously, air troops, whether it is naval engagements. Are we
doing enough in regards to challenging those members of the
military to say, okay, this system crashed or is down because
of a cyberattack? Are we doing enough in any of your estimation
to, I guess, work around that particular issue? Are we doing
enough within the military?
    Mr. Delfino. I think it is a good question. I think there
are three attributes of what we do, you know, people and
process, and the third one being technology. Are we doing
enough? Are we giving these people the technology they need
fast enough and the funding that they need fast enough to make
the changes that they need to prevent those or recover from
them when they happen, I think is a good question, and is part
of why we see this JIE initiative. Because I think they have
noted that the legacy approaches that they have been taking
have increased complexity substantially. So it is a big
challenge for them.
    Mr. Bejtlich. Just briefly, sir. I agree with your sense of
that. We need to war-game with major systems not being
available, GPS [Global Positioning System], and so forth, and
see how people respond.
    Mr. Nugent. Mr. Chairman, my time has expired. I yield
back. Thank you.
    Mr. Wilson. Thank you. Thank you, Sheriff Nugent.
    We now proceed to Mr. Aguilar of Texas--of California. And
I want to thank--Congressman Aguilar actually came early, so
this is good.
    Mr. Aguilar. And stuck around late. Thanks, Mr. Chairman. I
appreciate it.
    Mr. Bejtlich, you mentioned in your testimony, I think the
fifth point, how the administration should develop asymmetric
capabilities to target the core interests of the bad actors,
and you mentioned one. And building off of what Mr. Nugent
mentioned, you talked about the censorship network in China.
What other asymmetric examples do you believe are available not
only with respect to China but other actors like Russia?
    Mr. Bejtlich. You know, it is interesting you mention
Russia. No one really talks about the degree of instrumentation
they have in their country.
One of the interesting aspects of
the Russia-China dynamic is that they have agreed to work on
Internet security mechanisms. And what that really means is
Internet control mechanisms, dissident suppression mechanisms.
    So, they are developing software to make it easier for them
to target their dissidents both inside and outside the country.
So, just as easily as we could go after the Great Firewall, we
could look for vulnerabilities in that software that those two
countries are developing and figure out ways to exploit it,
degrade it, potentially even render it inoperable.
    Clearly, control is important to those regimes, and I gave
one example to the Great Firewall in China, but there are
similar activities you could do elsewhere.
    Mr. Aguilar. And what other countries? What other examples?
    Mr. Bejtlich. Well, if we are going to talk, the big ones
we worry about, North Korea, their core interest is in the
stability of the regime and keeping out outside influence. So
we could work on ways to better--right now there are people
sending DVDs [digital versatile discs] into North Korea using
balloons. We could potentially get SATCOM [satellite
communications] or Mesh Network equipment into that country,
make it easier for people to get information real time rather
than having to wait for a balloon to make it across the border.
    Mr. Aguilar. Thank you.
    Mr. Bejtlich, you also mentioned in the discussion about
collaboration and public-private partnerships other potential
to embed folks, my words, not yours, in private companies. Can
you talk a little bit about structurally how that would work?
How you would have liked that to work in 2000, 2001 when you
were still in the military service?
    Mr. Bejtlich. It is a great question. So, I was an incident
responder in the Air Force. I would have loved to have been
able to go to Mandiant for 2 years. It didn't exist at the
time, but let's say now you go to Mandiant, you do incident
response for 2 years inside private companies; you learn how to
use the tools that the private sector uses, you learn what
private sector networks look like; you learn what the adversary
does in those environments.
    At the same time the private sector company learns from
your capabilities. You have to respect the classification and
all that, but that dynamic is what makes for a powerful
capability. And then, so after the 2-year period I would go
back into the military and I would continue down my career
path. And perhaps even go back at a later time, maybe as an
executive, maybe at another time going and teach. While we do
have a great educational system in this country, there are many
people who think that security is encryption. We need more
people who spend time in the trenches teaching that next
generation of security professional.
    Mr. Aguilar. Thank you very much.
    I yield back, Mr. Chairman.
    Mr. Wilson. And thank you, Mr. Aguilar.
    We now proceed to Congresswoman Jackie Walorski, of
Indiana.
    Mrs. Walorski. Thank you, Mr. Chairman. And thank you,
panel, for being here. I appreciate it.
    I represent Indiana, where I know you mentioned this has
been talked about before--the National Guard is looking at
those new cyber force teams, and we are thrilled that Indiana
is going to be involved in our National Guard.
    But I just had a question. I think, Mr. Wallace, you had
talked about the possibility of over-relying on DOD and
defending the Nation from cyber threat. In August, I was on a
trip to Czech Republic. And in Czech Republic, the subject of
Estonia came up in the 2007 giant cyberattack in Estonia, and
they developed the cyber defense league. And I know that our
DOD worked some with that. Any of you can answer this question.
But I looked at that and some of the things the little tiny
nation was able to do, which really is building an alliance
very quickly. Is that a model that our country looks at? I know
we are somewhat a part of it, but can you speak to the
significance or the success Estonia has had as opposed to
where we are? Is that something we should look at more
seriously?
    Mr. Bejtlich. I do. I think Estonia has the advantage of
being small, 1.7 million people; they can be nimble. They had a
threat that was very visible to the entire country.
    In this country, I think we could have, in addition to the
cyber force, we could have something like a cyber corps. Now I
know there's one that exists, but it's not really very popular.
I'm thinking more of like a Peace Corps model where you get
some training; you go to a one-month boot camp, and then you
can deploy within either our country or perhaps even overseas,
and you can be that cybersecurity expert for that small- to
medium-size business.
    I would love to hire a person like that who had just been
through a 2-year program out in the field. There is a big
difference between book learning and learning out on the job.
So there are, I think, many ways to involve people, not just in
the military, but through government service to improve their
cybersecurity.
    Mrs. Walorski. Mr. Wallace.
    Mr. Wallace. I would completely agree with that. I think
Estonia is a particular case, its history, and its small size,
the fact that people tend to know each other. But I do think
there is something in the fact that the cyber defense league is
both a military and a nonmilitary organization.
    And I think the idea to be involved in national security
you have to be in uniform is something that in the age of sort
of cyber capabilities we need to move away from.
And something
that, as Richard suggests, takes a more imaginative approach to
how we manage some of the threats we face is definitely
something that could well be explored.
    Mrs. Walorski. And is there a benefit in displaying some
offensive cyber capabilities in some way that we do possess as
a nation, or--it seems that, of all the hearings that I have
sat in, we always hear the lack, the holes, things we could be
doing better. Are there things that we actually do right now
that are kind of like the kingpins that hold us together to be
able to at least get the information that we have without going
into anything that we classified.
    Is there a benefit in kind of letting the world know that
we are not just playing catch-up; there are things to at least
get out there in the cyber world that we are doing or something
like that?
    Mr. Delfino. I think there is a benefit to doing the
offense, I don't know if there is a benefit to displaying it.
    Mrs. Walorski. So how would we do the offense? And what
would we do internally? When would we do that? Because it seems
like that isn't happening.
    Mr. Delfino. Right. And I think, you know, there are things
that we don't know that we assume that the U.S. does because we
are not taking responsibility for that. Right? Stuxnet and the
Iranian nuclear reactor would be a good example of that. Right?
And I don't know that we could claim credit for that, nor do I
think we should.
    Mrs. Walorski. Right.
    Mr. Delfino. However, leaving the enemy guessing about was
that a response for something I did may be a very good tactic
offensively.
    Mrs. Walorski. Yeah. Mr. Wallace.
    Mr. Wallace. I also think that we shouldn't necessarily
think of offensive cyber operations purely in the context of a
stand-alone covert operation, which are probably outside the
realms of the DOD's title 10 mission.
    But, actually, there may well be opportunities within a
warfighting context where you can save lives, but the lives of
U.S. personnel and indeed, civilians and perhaps even enemy by
using capabilities, putting down an air defense capability that
you couldn't do with kinetic weapons. And I think it is
difficult to demonstrate, but over time could prove extremely
important.
    Mrs. Walorski. I appreciate it.
    Thank you, Mr. Chairman. I yield back.
    Mr. Wilson. And thank you, Mrs. Walorski.
    And we now proceed to Mr. Ashford of Nebraska.
    Mr. Ashford. Thank you, Mr. Chairman.
    This has been extremely interesting to me, this
conversation, and we have learned a lot.
    Of course, it was dramatized in the movie at Bletchley Park
when Ultra was just developed during World War II. And one of
the parts--and you have talked about this a little bit, but
maybe we can talk about it just a little more, but the idea,
the cultural, sort of obstacles that we saw in Bletchley Park
at the beginning, before the code was broken and during that
whole process--I realize it is a while ago, but Mr. Wallace
talked about prior to World War II and the developments in
Britain, and you've talked about the cultural thing. But I am
really intrigued by it.
    I know in Omaha, where I am from, Omaha, Nebraska, there
are many young private sector tech startup companies that do--
have had some, maybe some history with these kinds of matters.
And you have talked about it, but how do we break down those
cultural barriers? Could you go through that once again? We
encourage people to work on this. They can go back to the
private sector, I get that. Would you say these cultural
barriers are significant? Are they being worked on? What is
your vision timeframe-wise to kind of break down some of these
boundaries and obstacles to integration, getting the best
people working on these issues? Maybe just----
    Mr. Bejtlich. Certainly. So my observation has been in
certain parts there is more supply than demand. So the Army has
gone through a very successful exercise, putting out a call,
for people within the service now who want to go into cyber.
And they have gotten many applicants. Things are going well.
    The question is, where are they going to be in 2 years or 4
years. You have already seen the attempt to build a Cyber
Mission Force and other parts at Cyber Command. They are still
struggling to fill those spots. I do think when you are looking
at military personnel, ultimately, how are they rewarded? How
are they viewed compared to their peers?
    You know, in the Air Force, you know, the pilots were the
top. You are not going to get a cyber commander of the Air
Force. You are not maybe even going to get an intel commander
of the Air Force. You could probably get an airlift commander
of the Air Force, but you are not going to get some of these
other people. So I think if you want to be able to keep and
retain the best for the longest period of time, you are going
to eventually have to break them off and have them be their
own.
    Now, that doesn't mean no cyber or any other forces. I
think tactical cyber supporting physical missions should remain
with the other services, cyber, it is in everybody's lives. But
I think that at the end of the day, strategic cyber is probably
going to have to be its own service with its own culture and
its own ethos.
    Mr. Ashford. Mr. Wallace.
    Mr. Wallace.
Practice, war-gaming, going through the
motions, working between the services, bringing in the private
sector to go through scenarios that reflect events that may
happen in the future is, to my mind, the best way of
identifying the problems, getting people of different cultures
to understand ahead of the point where they have to do it for
real where the other people are coming from.
    And to the point that Congressman O'Rourke made about
analogies, one of the real triumphs of the interwar years was
practicing and trying things out before having to do them for
real and developing new concepts off the back of that. And I
think that is going to be important in this area too.
    Mr. Ashford. Thank you.
    Mr. Delfino. I would just add, in the context of
public-private partnership in this area, you could make a private
sector rotation, job rotation, a condition of promotion to the
Senior Executive Service as well as part of this.
    Mr. Ashford. Thank you. Dr. Schmidt.
    Dr. Schmidt. With regard to rotating between public and
private, I think one of the key problems that DOD faces is
retaining the highly skilled folks around the 6- to 8-year
mark. And that is, in fact, what Mr. Bejtlich was talking
about, about this time that he was starting to get interested
in the commercial sector.
    So if there can be something done to help retain those
folks either through incentives to stay in or other
opportunities to rotate to the commercial sector, that could
help solve one of DOD's primary problems.
    Mr. Ashford. All right. Thank you very much. I think we
have talked a lot about that with the NDAA [National Defense
Authorization Act] this year, to try to think about how
do we retain. And in this area it is a significant challenge.
Thank you very much.
    And I yield back. Thanks, Mr. Chairman.
    The Chairman [presiding]. Thank you.
    Ms. Gabbard.
    Ms. Gabbard. Thank you very much, Mr. Chairman.
    You know, the issue that you are bringing up of how to just
completely change the way we think about how we bring in the
best talent to deal with these cybersecurity challenges and
thinking outside the traditional concept of well, it has to be
in uniform if you are dealing with the Department of Defense I
think is really at the crux of all this, to make sure that we
are on the cutting edge of this constantly changing and dynamic
area.
    I am interested to hear your thoughts on Secretary Carter's
implementing this initiative to work closer with Silicon
Valley, what you see, maybe the pros and cons of that, how we
can benefit, or maybe what some of the barriers are to the DOD
being able to really get the best of what that policy, I think,
hopes to accomplish.
    Mr. Bejtlich. Just two quick points, ma'am. I would like to
endorse Mr. Delfino's earlier comments about the difficulty of
small companies doing business with DOD. And on a related
point, when we are operating under continuing resolutions, it
is tough to get new programs going. And so that has been a
challenge for the private sector for the last several years.
    Mr. Wallace. I would just add that I think it is absolutely
essential that the DOD has access to the best technology
available, but I also think it is important to recognize that
working with Silicon Valley is not a silver bullet. There
are good reasons why Silicon Valley companies who depend on
international markets for their entire business model, they're
not necessarily going to roll over and work with the DOD in the
way that DOD might necessarily want. So, I think it is
important, but it is not the silver bullet, nor do I think that
DOD thinks it is.
    Dr. Schmidt. I would just like to point out that I think
things like pursuing personnel that have STEM [science,
technology, engineering, and mathematics] degrees in electrical
engineering, computer science, information technology, would go
a lot further than a couple of small initiatives associated
with Silicon Valley.
    Mr. Delfino. I would have to agree extensively with Dr.
Schmidt here. I don't think this problem should be that
complicated. I think if you are pursuing a career in
cybersecurity or information technology as a long-term
investment, I am sure many of us would be thrilled to hire
folks who worked in cybersecurity and U.S. Department of
Defense or other U.S. intelligence agencies as well, and they
would be rewarded greatly.
    So, I think this is about keeping the pipeline of talent
coming in. I am sure that we don't want the DOD to become the
training ground for information technology in cybersecurity
across America. However, our ability to attract that young
talent going into university and coming out of university,
particularly from those acclaimed universities, is something
that the DOD can successfully do.
    Ms. Gabbard. Thank you. And forgive me for coming in late
if you have already addressed this. If you could briefly state
the major cybersecurity breaches that we have seen across the
Federal Government, really within the last several months,
would you say those are primarily attributed to a lack of
technical capability, or is this a larger policy issue?
    Mr. Delfino. I don't think this is so much as a policy
issue, and I don't think they differentiate dramatically from
those that we are seeing in the private sector either. There
are common exploits that the attackers are using across both
public and private sector as well as military and classified
networks as well. I have addressed a list to some extent in my
written statement.
We continue to see this, and until we change \nthe technology that we are using, we are going to continue to \nsee this.\n    The private sector exploits of Target and Home Depot and \nJPMorgan Chase that we saw were 3 years ago from companies that \nare extremely sophisticated, wildly intelligent, and have \nmassive technology budgets. And there are some fundamental, \nfoundational network architecture problems that are allowing \nthese attacks to continue to happen. And until we change the \nway we build and construct these and automate these \ninfrastructures as well, both from putting security in to \ndefending once we see a cyberattack, we would likely continue \nto see these issues.\n    Ms. Gabbard. Do you see those changes being implemented in \nthe private sector?\n    Mr. Delfino. They are in the acceleration stage of being \nimplemented in the private sector. So these are things that are \nnot new now. People get the reason why. They have tried \ntraditional methods. I would point you back to General Keith \nAlexander\'s comment, former director of National Security \nAgency: ``I look at the DOD architectures today, and defending \nthem is really hard. We have 15,000 enclaves, each individually \nmanaged.\'\'\n    People are starting to realize that physical separation, \nyou know, can get you security to a point, but as you start to \nscale it becomes unmanageable, operationally infeasible, and \nover time becomes so complex you actually may get reduced \nsecurity from it.\n    Ms. Gabbard. Thank you.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you. Mr. Wilson.\n    Mr. Wilson. Thank you, Mr. Chairman. And again, thank each \nof you for your input today.\n    Mr. Bejtlich, with your military background, what is the \nrole that DOD should have in protecting the critical \ninfrastructure from cyberattack or intellectual property from \ncyber espionage?\n    Mr. Bejtlich. Thank you for the question, sir. 
As I \nmentioned in my written testimony, I think it is difficult to \nhave the DOD directly involved at the customer end of this \nproblem. For the most part, these sectors don\'t want troops \nstationed nearby. They don\'t want government sensors on their \nnetworks. So I feel that that is the realm of the private \nsector and those entities themselves, which can be guided, \nperhaps, through better incentives and regulation.\n    But I think that as far as DOD is concerned, I would put \npressure on those adversaries twofold. One, you want to know \nwhat they are up to so you can interdict their activities. And, \ntwo, you want to introduce some friction into their activities \nso they don\'t have free rein against their targets. And then \nwhen they do see something coming down the pike, you have got \nto warn those targets that this is about to happen and work \nwith them to try to prevent that breach from occurring.\n    Mr. Wilson. And, then specifically, I am concerned about \nthe electrical grid. And so what would be the DOD role to \nprotect the electrical grid for the people of the United \nStates?\n    Mr. Bejtlich. I would identify which foreign actors are \nconsidering trying to take down the power grid. I would target \ntheir activities. And when I see them trying to or planning to \ndo something like that, I would hit them preemptively.\n    This is one of the cases where it would be worth the gain-\nloss in the intel equation to disrupt their activities, and \npotentially lose a source rather than sit back and have to \nrecover from a power grid failure.\n    Mr. Wilson. And for anyone who would like to answer, I am \nreally concerned about DOD protecting its networks and mission \nsystems from attack. Has this adequately been provided?\n    Dr. Schmidt. I think that\'s yet to be determined. 
\nCertainly, the risk management approach that they have put in \nplace is an excellent step in the right direction, but it all \ncomes down to the implementation of that framework. I think \nidentifying the vulnerabilities and more critically their tie \nto missions is what it is all going to come down to.\n    I think the strategy doesn\'t fully describe how they will \nimplement that objective, and I would like to hear more about \nthe implementations, specifically, for missions systems and how \nit relates to critical DOD missions.\n    Mr. Wilson. And I am particularly concerned about the \nsystems relative to air defense. Would anybody comment on that, \nor missile defense?\n    Mr. Bejtlich. Sir, it is interesting you bring that up. Air \ndefense is one of the physical systems that has an attack, a \ncyberattack, associated with it. Apparently, there has been--\nthe Israeli Air Force did something to Syria at some point in \nthe last 5 years. We don\'t really have any unclassified \ncorroboration of this. I am not saying I have classified \ncorroboration; I am just saying this is what I have read. So it \nis potentially a system that has seen a physical effect due to \ncyber.\n    Mr. Wilson. And I have a great concern about the \ncapabilities of DPRK [Democratic People\'s Republic of Korea], \nNorth Korea, and its capability of intercontinental ballistic \nmissiles with an inability on our part to protect the American \npeople. Is that a legitimate concern?\n    Mr. Delfino. Sir, I think, you know, there are elements of \nthe DOD and the government, specifically STRATCOM [Strategic \nCommand] is doing very well at this, the DISA [Defense \nInformation Systems Agency] milCloud is doing very well at \nthis, and specifically, the Missile Defense Agency is doing \nwell in implementing automation and cloud-based technologies \nand the appropriate security technologies to protect that \ninfrastructure from DPRK or other nation-state actors as well.\n    Mr. 
Wilson. And a challenge it\'s developing, is the \ncapability of mobile missiles being developed by--such an \nextraordinary challenge and threat to us. And so, again, I want \nto thank you for being here, and we all look forward to your \ninput to protect the American people.\n    I yield.\n    The Chairman. Thank you.\n    Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman. And I also would be \nremiss in not acknowledging and thanking Chairman Wilson for \nhis leadership on this issue as well. It has been a real \npleasure working with him as the chairman, me as the ranking \nmember, he as the chairman of the Emerging Threats and \nCapabilities Subcommittee. He has really done a deep dive on \nthis, and I appreciate his leadership, so thank you, to both \nchairmen.\n    So if I could just ask a couple last questions that I had. \nGiven your disparate backgrounds, if each of you could see the \nDOD CIO successfully and fully implement just one policy, what \nwould it be?\n    Mr. Bejtlich, want to start with you and go down the line.\n    Mr. Bejtlich. Sir, I think you win the toughest question \naward for the hearing.\n    I would like to see a strategy that is based--first of all, \na strategy, that is based on recognizing that adversaries will \nget into the network, that the goal should be to minimize what \nthey can do, and that you achieve that by seeing them as \nquickly as possible and containing them.\n    And then being a beacon for the rest of the government. \nThis is one of the few areas, I think, where--not one of the \nfew areas, but this is an area where DOD does a pretty good job \nalready. So taking that expertise and leveraging it and \nteaching the rest of the government would be a great \nachievement.\n    Mr. Langevin. Thank you.\n    Mr. Wallace. I am afraid that question probably takes me \nbeyond my level of expertise, but I certainly don\'t disagree \nwith what Mr. 
Bejtlich said, that making sure that the DOD\'s \nexpertise is leveraged by the rest of government and learning \nthe lessons. DOD is not perfect, but taking those lessons and \nleveraging them across government I think is an opportunity \nthat should be taken.\n    Mr. Delfino. Congressman, I will simply respond by saying, \nI think if the DOD only did one thing, we would have a much \nbigger problem. I think the first thing they need to do is \nrecognize that this is a multifaceted, complex problem which \nrequires multiple serial strategies being put in place \nsimultaneously to address.\n    So if they only do one thing or there is really not one \nthing that is more important than the many things that need to \nbe done here. And I do think that the Joint Information \nEnvironment is a good step in the right direction, caveating \nthe successful execution and implementation of that technology.\n    Dr. Schmidt. I think DOD has recently issued policies that \nare aimed at securing the cyber acquisition chain. So looking \nat major weapons systems acquisition and thinking about how to \nproperly do that such that they are defensible in the future. I \nthink that that has been a good step. What I think could also \nbe needed is looking at legacy weapon systems, the ones that \nare already fielded and that where the cyber acquisition \npolicies won\'t come into play as effectively, what can DOD do \nto make sure that those legacy weapon systems are cyber secure.\n    Mr. Langevin. Thank you. And if I could, Dr. Schmidt. I \nfind your testimony regarding deliberate planning for cyber \noperations very interesting.\n    What should we do today to enable the kind of deep analytic \nwork you refer to?\n    Dr. Schmidt. So I am referring to a deliberate planning for \ncyber operations in terms of getting those offensive \ncapabilities ready to be used in case they are called upon to \ndo so. 
And so commanders need to have the confidence in those \nkind of capabilities that they have in conventional weapons. So \nwe have had decades upon decades of experimentation and tests \nand very rigorous test designs, data collection, and analysis \nefforts that have led to, on the conventional side, deep \nphysics models and an understanding of how those weapons are \ngoing to perform when they are called upon to be used.\n    I think we need exactly the same thing on the offensive \ncyber side, and that is going to require an investment in \ndesigning those kinds of tests to explore how they\'re going to \nbe used, what the operational conditions will be in those \nsettings, and especially to ensure that the offensive cyber \ncapabilities don\'t have unintended effects. Because only then \nwill commanders have the confidence that is required to deploy \nthose capabilities to contribute to the deterrence that we \ndesire.\n    Mr. Langevin. Is DOD paying enough attention right now to \nthat? In the sense that war-gaming these types of things out \nand so they fully understand the capabilities they have at \ntheir disposal and how to use them?\n    Dr. Schmidt. I think it is a growing area of concentration. \nI definitely think more could be done to make sure that we \ncharacterize the capabilities.\n    Mr. Langevin. Okay. Thank you.\n    Thank you, all. Mr. Chairman, I yield back.\n    The Chairman. Thank you.\n    I want to, I guess in some ways, follow through on some of \nthat. I don\'t think we talked too much about supply chain, and \nyet there are very few things DOD buys these days that don\'t \nhave some component, either the hardware or the software, that \ncomes from other places. 
And, you know, mostly when we talk \nabout cyber we think about networks and going through the \nInternet to have effects somewhere else.\n    But do any of you all have suggestions on this supply chain \nissue where there may be corrupted, tampered hardware or \nsoftware that makes it into important systems that create \nvulnerabilities for us? And probably, my guess is, there is no \nway we can be assured of finding it all. So what do we do?\n    Mr. Delfino. Thank you, Mr. Chairman.\n    This is why we have to move to a model where there is no \nlonger a trusted element inside of the infrastructure as well. \nWhether it was maliciously tampered with by a private entity or \na foreign government or somebody within the United States \nitself or it is just, many of these devices that we are finding \ntoday that are being inputted into the network have software in \nthem that has known vulnerabilities, right? And I don\'t know \nthat the DOD has the ability to test every single device that \ncomes into its infrastructure itself.\n    And this moves to the model where we have to have--there is \nno longer a people outside the perimeter are untrusted and \npeople within the perimeter are trusted. Everybody has to be \ntreated as an untrusted entity so that at the time that that \ndevice or piece of software tries to propagate malware or a \nvirus or spyware within the environment, it can be detected \nautomatically and shut down and defended against.\n    Mr. Bejtlich. Sir, just briefly. I come at it from a \nslightly different angle. I would come at it from the \ncounterintelligence perspective. Best way to find out if the \nadversary has ways into your system is to be inside theirs and \nnotice, hey, these guys are getting into our systems, or they \nhave a plan to do so, or they have a team that is standing up \nto do that activity. That could be potentially another way to \nfind out what\'s happening.\n    The Chairman. Both Mr. Bejtlich and Mr. 
Wallace say that \nthe Federal Government, the military, should not defend private \ninfrastructure, although Mr. Bejtlich says, well, we ought to \ncreate some friction, you know, don\'t let them have it too \neasy, which is kind of an interesting subplot.\n    So if I am a major company--if I own a bunch of refineries \nin the Houston ship channel and a bunch of bombers come my way, \nI know what I expect the United States Air Force to do to \nprotect me. A bunch of packets come against those same \nrefineries from somewhere, I may or may not have the ability to \nget the attribution on that. I take your point on attribution. \nSo the Federal Government is not going to defend me, so I am \nleft on my own. And my options, then, are to sit there and take \nit or have, if I am sophisticated enough, some sort of \nretribution on my own, which leads to all sorts of problems.\n    Is that really a good scenario? And if other nation-states \nor terrorist organizations or Russian mafia know that we won\'t \ndefend these companies, doesn\'t that open it up and they know \nhow far to go and to take advantage of it? So explain to me why \nthat is a preferable way of doing things.\n    Mr. Wallace. Can I just clarify my answer?\n    The Chairman. Yes, of course. I obviously summarized in \ngreat generalities.\n    Mr. Wallace. So, in extremis, I absolutely believe that it \nis the role of the military to defend the United States against \nattacks of a serious consequence. 
What I think is important, \nhowever, is to avoid the military becoming the first place that \nthe private sector turns to when it feels under threat.\n    There is a number of other places that they can go, \nfirstly, others in the private sector to improve not only their \ncapabilities to defend themselves, but also that resilience \nwhen they do get attacked, the deterrence by denial, if you \nlike.\n    Secondly, I think it is not necessarily the case--that in \nthis area that you need to be wearing a uniform and having gone \nthrough military training to be--to be a Federal Government \nemployee supporting the private sector. And so, it doesn\'t need \nto be the case that the military has to be the place even \nwithin the Federal Government that the private sector would \nturn to when it feels it needs to.\n    And so my point is not necessarily that the military \nshouldn\'t defend the private sector in certainly, particularly, \nin a warfighting environment where the homeland is under threat \nas a result of what the military is potentially doing overseas, \nthere needs to be cooperation. But I do think that if the \nmilitary becomes the first place everyone turns to, that is \ngoing to be a burden which the military cannot bear in the long \nterm.\n    Mr. Bejtlich. Sir, if I could address it as well. I agree \nwith what Mr. Wallace said, but I also would like to mention \ntwo things. One, would the government have been effective as it \nwas with, say, OPM? Maybe not. Who knows.\n    So, the second issue is one of time. I think there is a \nperception, and you probably even hear it from some of the \nwitnesses, not here, thankfully, but sometimes witnesses \nwearing uniforms, where they talk about attacks at the speed of \nlight or attacks at network speed. And it is this idea that \nthere is this magic that is going to happen in a couple of \nseconds the whole world will explode. 
My own research has shown \nthat many times it is taking days, weeks, even months from when \nan adversary first gets into a target to when they have their \neffect. So if at any point during that time, generally, it is a \ncouple of weeks to a month, you are able to interrupt their \nactivities, you win and they lose.\n    So that gives time for, if the private sector entity hasn\'t \ndealt with it, you know, within the first week or whatever it \nis, the government can step in and say, hey look, you guys have \na problem; you need to deal with this before they accomplish \ntheir mission. So I think there can be ways to have the \ngovernment help without having say, government security \nequipment inside private sector organizations.\n    Mr. Delfino. I think we need to be careful to say, should \nthe DOD defend these American companies versus should they \nsecure them and monitor them actively to see if they are under \nattack. I think if the DOD saw an active attack on a private \nsector U.S. entity by a foreign nation-state backer and had the \nability to, they may stop it.\n    But I do think it is a fair question to say, is it the \nresponsibility of the DOD to respond on behalf of that private \nentity because of that, right? So if a warfighter was to show \nup and bomb a U.S. refinery, the DOD may defend that in the \nphysical world and maybe should potentially do that in the \nvirtual world as well. But I think we need to be careful not to \ntake the responsibility off these private entities to secure \nand monitor their own infrastructure as well.\n    Dr. Schmidt. And the strategy also provides for DOD\'s role \nin protecting critical U.S. interests of significant \nconsequence, which would include loss of life and significant \ndamage to property, although your----\n    The Chairman. 
It says that, but I don\'t really know what \nthey mean by that, which is part of why I was wanting to see \nwhat you all thought.\n    I had one more, and I forgot what it was.\n    Oh. Most of what we talk about is others stealing \ninformation. According to press reports, the Iranians actually \ndestroyed computers with Aramco that had some consequence for \nthe Saudi oil production. Do you all regard it as inevitable \nthat at some point it won\'t just be stealing information, but \nthere will be destruction of data or hardware, that there is \ninevitable escalation to these things with potentially more \nserious consequences on loss of life and so forth?\n    Mr. Bejtlich. Sir, that is an excellent question. I do see \nthat. Also not just wholesale destruction. It could be subtle \ncorruption such that we can\'t trust what we are dealing with, \nwhich in some ways I would be more worried about, because at \nleast if it is destroyed, I know, okay, I have to restore it \nfrom backups and such. But even the restoration part. There was \na great talk recently by a young lady who was involved in the \nincident response at Saudi Aramco. They basically went to \nJapan, South Korea, and bought every laptop, hard drive, \ncomputer that they could find in order to bring that refinery \nback. That is not something you are going to be able to do over \nand over again.\n    Mr. Wallace. I think over time, anything can happen. And \ndefinitely capabilities do exist to conduct destructive \nattacks. But I think we should be careful in expecting \nmotivations of actors in cyberspace to be fundamentally \ndifferent from actors outside of cyberspace. 
And there are \nsignificant reasons why adversaries would not want to conduct \nan out-of-the-blue attack.\n    Where I think it is of more concern potentially, is inside \na warfighting scenario where the United States is engaged \noverseas, it would be certainly an asymmetric option open to \nthe adversary that was not available in years past to make an \nattack on the U.S. homeland. And understanding that dynamic I \nthink is going to be important and probably more likely to be \nsomething that the DOD should consider than a bolt from the \nblue attack.\n    As DNI [Director of National Intelligence] Clapper I think, \nsaid recently, data manipulation may be a more likely and \nworrying scenario than something destructive like Saudi Aramco.\n    The Chairman. Okay. I am sorry. Did you have something you \nwanted to add?\n    Dr. Schmidt. I was just going to mention that data \nmanipulation is certainly being demonstrated in the academic \nsector. There are several studies that show that manipulating \nsmall bits of information, for example, in GPS signals can \ncause unexpected reactions when the data is processed within \nthe computer and the GPS receiver, and it is something that DOD \nwill have to take very seriously.\n    The Chairman. It is a great point, and I guess kind of \nrelated to that, what, I think may be more likely is the sort \nof plausible deniability, it is not really us, you know, this \nis just happening on its own. We are seeing that in warfare in \ngeneral to cause confusion and uncertainty to slow the \nresponse. And I agree if it is active warfare, then all holds \nare barred, but even to put pressure on our economy doing \nthings with the banking system that you can\'t quite figure out \nwhy it is slowing down, et cetera, is a huge challenge.\n    We could talk much of the day about the challenges we face. 
\nI really appreciate you all being here, and I think you have \nhelped set up a number of the issues that we will address to \nthe deputy secretary and Admiral Rogers tomorrow.\n    And so thank you for your testimony. With that, the hearing \nstands adjourned.\n    [Whereupon, at 11:58 a.m., the committee was adjourned.]\n\n     \n=======================================================================\n\n                          A P P E N D I X\n\n                           September 29, 2015\n\n    \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                           September 29, 2015\n\n=======================================================================\n\n            \n    [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                           September 29, 2015\n\n=======================================================================\n\n      \n\n                   QUESTIONS SUBMITTED BY MR. SHUSTER\n\n    Mr. Shuster. In your testimony, you said you do not support giving \nprivate sector, non-government parties the authority to conduct \noffensive operations. At what point do you think it becomes appropriate \nfor the U.S. Government to investigate, prosecute, or defend private \nsector entities?\n    Mr. Bejtlich. Private sector entities must comply with local, \nstate, and federal laws governing breach disclosure, particularly with \nregard to loss of personally identifiable information. Beyond cases \nthat involve mandatory disclosure, private sector entities make \ndecisions by weighing the costs and benefits of engaging law \nenforcement. 
I personally encourage private sector entities to contact \nlaw enforcement because such engagement helps law enforcement build \ncases against perpetrators, ultimately contributing to their arrest and \nprosecution. Law enforcement should investigate and prosecute whenever \nthey learn of an incident and can make a case.\n    Mr. Shuster. You mentioned that VMware serves all sectors of the \nU.S. Government to include DOD, civilian agencies and the Intelligence \nCommunity. I recognize that each entity must develop a comprehensive \ncyber strategy yet I worry that differing strategies among our \ngovernment entities could create challenges for companies like VMware \nthat works across agencies. What issue areas are best legislated by \nCongress for the whole of government and what areas would you defer to \nDOD and/or other executive agencies to develop?\n    Mr. Delfino. Congress can assist the efforts of developing a \ncomprehensive cyber strategy by providing adequate funding for training \nof cyber employees to defend our nation. Experienced talent in \ncybersecurity is a specialized skill and Congress can encourage the use \nof special hiring authorities to pay experienced personnel competitive \nprivate sector rates. Congress can also assist agencies and the private \nsector in being better informed about cyber threats by passing laws \nthat enhance government and private sector information sharing. Since \ntechnology is changing so rapidly, Congress should not legislate \ntechnology mandates but rather encourage the use of best practices that \nthe private sector is adopting. In order to ensure the government has a \ncomprehensive strategy, the Office of Management and Budget and the \nNational Security Council should work across the civilian and defense \nagencies to set procedures, best practices, and metrics that the \nagencies can follow. 
Congress can assist these efforts by providing
oversight and highlighting the Executive Branch's progress or challenges.
    Mr. Shuster. In your written testimony, you addressed DOD
shortfalls in both recruiting and retention of the cyber workforce.
Oftentimes, financial incentives are cited as the potential solution
to these shortcomings. I agree with your statement that retention is
closely linked to job satisfaction, so my question is whether DOD's
human capital management system is effective in placing the cyber
workforce into positions that provide sufficient skill utilization and
job satisfaction?
    Dr. Schmidt. I have not conducted a formal analysis of the extent
to which the Department of Defense's (DOD's) approach to cyber
workforce management succeeds in placing civilians and service members
into jobs for which they are qualified. Furthermore, I am unaware of
any such assessment for workforce management approaches following the
new initiatives DOD unveiled in 2015.\1\ However, the work undertaken
as part of the National Initiative for Cyberspace Education (NICE)
Cyberspace Workforce Framework,\2\ which identifies the required skills
for many cyberspace jobs, is a necessary first step toward performing
any ``job analysis'' to evaluate the extent to which personnel matched
to jobs possess the required skills to work effectively. Both receiving
the right training (initial and continuing) and progressing through
different jobs that draw on similar skill sets are important to
ensuring personnel are well matched to job requirements.
---------------------------------------------------------------------------
    \1\ Department of Defense, Cyberspace Workforce Management,
Directive 8140.01, August 11, 2015.
    \2\ NICE, National Cybersecurity Workforce Framework, Washington,
D.C.: Department of Commerce, 2013. The services have adopted this
framework to varying extents.
---------------------------------------------------------------------------
    I am also unaware of any formal analyses of job satisfaction among
DOD's civilian and military cyberspace cadres. Conventional wisdom
asserts that DOD offers its personnel unique opportunities to serve the
nation and conduct high-stakes, highly dynamic operations they would
find no place else; as a result, conventional wisdom asserts that job
satisfaction is high. While this assertion rings true for some DOD
cyberspace jobs (e.g., military personnel conducting offensive and
defensive operations), I question the wisdom of applying such logic to
DOD cyberspace jobs that both (a) require staff to manage a high
operational tempo and other stressors on family and personal time
(e.g., frequent changes of duty location and/or organizations) and (b)
are similar to jobs conducted in the private sector (i.e., lack the
``only in DOD'' allure). Therefore, an assessment of job satisfaction
in the ``IT-like'' DOD Information Network Operations (DODIN Ops) job
categories may be illuminating, as it may not adhere to conventional
wisdom. Commercial-sector IT job satisfaction has been linked to the
existence of defined career paths that allow growth and progression not
only through advancement into the management ranks, but also through
technical tracks that allow personnel to continue to learn, engage with
professional peer groups, and innovate to keep pace with rapidly
changing technology.
                                 ______

                    QUESTIONS SUBMITTED BY MR. WALZ
    Mr. Walz. There are several ongoing cyber initiatives between the
National Guard and private sector. Are any of you familiar with any of
these initiatives? If so, could you comment on the opportunity the
Federal Government and DOD have to benefit from the lessons learned by
these initiatives?
    Mr. Bejtlich. I am not deeply familiar with specific initiatives.
However, I have observed National Guard cyber exercises involving teams
from across the country. Although I saw a wide variety in the
capabilities of the teams, some operated at very high levels. All were
motivated to improve their skills. I believe that National Guard and
Reserve components are part of the answer to better defense at a
national level. However, I also believe the government should support
research projects to evaluate the costs and benefits of an independent
military Cyber Force.
    Mr. Walz. There are several ongoing cyber initiatives between the
National Guard and private sector. Are any of you familiar with any of
these initiatives? If so, could you comment on the opportunity the
Federal Government and DOD have to benefit from the lessons learned by
these initiatives?
    Mr. Wallace. [No answer was available at the time of printing.]
    Mr. Walz. There are several ongoing cyber initiatives between the
National Guard and private sector. Are any of you familiar with any of
these initiatives? If so, could you comment on the opportunity the
Federal Government and DOD have to benefit from the lessons learned by
these initiatives?
    Mr. Delfino. Yes, VMware is working with the National Guard Bureau
at the Professional Education Center in Little Rock, Arkansas. We are
helping the National Guard Bureau architect a cyber ``Classroom as a
Service'' experience that allows cyber warrior training to be stood up
in minutes and allows for realistic threat scenarios. This is based on
the model VMware implemented at US Army Cyber Center of Excellence in
Fort Gordon, Georgia.
    Mr. Walz. Do you believe DOD has a complete and comprehensive
strategy for cyber policy? If not, what level of vulnerability risk
would you estimate the DOD and Federal Government networks to be at:
high, medium, or low?
    Dr. Schmidt. [No answer was available at the time of printing.]
    Mr. Walz. There are several ongoing cyber initiatives between the
National Guard and private sector. Are any of you familiar with any of
these initiatives? If so, could you comment on the opportunity the
Federal Government and DOD have to benefit from the lessons learned by
these initiatives?
    Dr. Schmidt. [No answer was available at the time of printing.]
    Mr. Walz. Including the data breach at OPM and the Joint Chiefs of
Staff server, there have been several high-profile government cyber
breaches in the last year. Are these network compromises a result of a
lack of technical capability in the cyber workforce, or a lack of cyber
policy that prioritizes protections? In your opinion, what actions
would you recommend are the most important to take in reducing the
likelihood of future data breaches and protecting our cyber networks?
    Dr. Schmidt. [No answer was available at the time of printing.]

                                  [all]
</pre></body></html>
