[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]







 
                         [H.A.S.C. No. 114-52]

         IMPLEMENTING THE DEPARTMENT OF DEFENSE CYBER STRATEGY

                               __________

                      COMMITTEE ON ARMED SERVICES
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD

                           SEPTEMBER 30, 2015


                                  ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

97-198                         WASHINGTON : 2016 
                                     
                      COMMITTEE ON ARMED SERVICES
                    One Hundred Fourteenth Congress

             WILLIAM M. ``MAC'' THORNBERRY, Texas, Chairman

WALTER B. JONES, North Carolina      ADAM SMITH, Washington
J. RANDY FORBES, Virginia            LORETTA SANCHEZ, California
JEFF MILLER, Florida                 ROBERT A. BRADY, Pennsylvania
JOE WILSON, South Carolina           SUSAN A. DAVIS, California
FRANK A. LoBIONDO, New Jersey        JAMES R. LANGEVIN, Rhode Island
ROB BISHOP, Utah                     RICK LARSEN, Washington
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN KLINE, Minnesota                MADELEINE Z. BORDALLO, Guam
MIKE ROGERS, Alabama                 JOE COURTNEY, Connecticut
TRENT FRANKS, Arizona                NIKI TSONGAS, Massachusetts
BILL SHUSTER, Pennsylvania           JOHN GARAMENDI, California
K. MICHAEL CONAWAY, Texas            HENRY C. ``HANK'' JOHNSON, Jr., 
DOUG LAMBORN, Colorado                   Georgia
ROBERT J. WITTMAN, Virginia          JACKIE SPEIER, California
DUNCAN HUNTER, California            JOAQUIN CASTRO, Texas
JOHN FLEMING, Louisiana              TAMMY DUCKWORTH, Illinois
MIKE COFFMAN, Colorado               SCOTT H. PETERS, California
CHRISTOPHER P. GIBSON, New York      MARC A. VEASEY, Texas
VICKY HARTZLER, Missouri             TULSI GABBARD, Hawaii
JOSEPH J. HECK, Nevada               TIMOTHY J. WALZ, Minnesota
AUSTIN SCOTT, Georgia                BETO O'ROURKE, Texas
MO BROOKS, Alabama                   DONALD NORCROSS, New Jersey
RICHARD B. NUGENT, Florida           RUBEN GALLEGO, Arizona
PAUL COOK, California                MARK TAKAI, Hawaii
JIM BRIDENSTINE, Oklahoma            GWEN GRAHAM, Florida
BRAD R. WENSTRUP, Ohio               BRAD ASHFORD, Nebraska
JACKIE WALORSKI, Indiana             SETH MOULTON, Massachusetts
BRADLEY BYRNE, Alabama               PETE AGUILAR, California
SAM GRAVES, Missouri
RYAN K. ZINKE, Montana
ELISE M. STEFANIK, New York
MARTHA McSALLY, Arizona
STEPHEN KNIGHT, California
THOMAS MacARTHUR, New Jersey
STEVE RUSSELL, Oklahoma

                  Robert L. Simmons II, Staff Director
                 Kevin Gates, Professional Staff Member
              Lindsay Kavanaugh, Professional Staff Member
                          Neve Schadler, Clerk

                            C O N T E N T S

                              ----------                              

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Smith, Hon. Adam, a Representative from Washington, Ranking 
  Member, Committee on Armed Services
Thornberry, Hon. William M. ``Mac,'' a Representative from Texas, 
  Chairman, Committee on Armed Services

                               WITNESSES

Rogers, ADM Michael S., USN, Commander, U.S. Cyber Command
Work, Hon. Robert O., Deputy Secretary of Defense; accompanied by 
  Terry Halvorsen, Chief Information Officer, Department of 
  Defense

                                APPENDIX

Prepared Statements:

    Rogers, ADM Michael S.
    Work, Hon. Robert O.

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Brooks
    Ms. Duckworth
    Mr. Rogers
    Mr. Wilson
    Mr. Wittman

Questions Submitted by Members Post Hearing:

    Mr. Forbes
    Mr. Lamborn
    Mr. Shuster
    Ms. Speier
    Mr. Walz

         IMPLEMENTING THE DEPARTMENT OF DEFENSE CYBER STRATEGY

                              ----------                              

                          House of Representatives,
                               Committee on Armed Services,
                     Washington, DC, Wednesday, September 30, 2015.
    The committee met, pursuant to call, at 10:00 a.m., in room 
2118, Rayburn House Office Building, Hon. William M. ``Mac'' 
Thornberry (chairman of the committee) presiding.

  OPENING STATEMENT OF HON. WILLIAM M. ``MAC'' THORNBERRY, A 
    REPRESENTATIVE FROM TEXAS, CHAIRMAN, COMMITTEE ON ARMED 
                            SERVICES

    The Chairman. The committee will come to order. Let me 
welcome our witnesses and guests for our second hearing this 
week at the full committee level on cybersecurity. We are very 
pleased to have a distinguished panel of witnesses to help us 
with this challenging area.
    For those members who were able to participate in our 
hearing yesterday, we heard from the private sector and from 
academia, think tanks, about some of the challenges that we 
face in cyber. For example, questions such as: What is the role 
of the military in defending private infrastructure? Should 
private industry be able to hack back against those who may try 
to steal their intellectual property? What does ``deterrence'' 
mean when it comes to cyber?
    A number of difficult questions that we talked about some, 
but we will continue to pursue that line today. Cyber, as many 
people say, is a new domain of warfare, and so what that means 
for the Department of Defense [DOD], what that means for our 
country's national security is very much at or near the top of 
the agenda for all of us who are involved in national security.
    Before I turn to our distinguished panel of witnesses, I 
will yield to the distinguished ranking member for any comments 
he would like to make about today's hearing.

STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM WASHINGTON, 
          RANKING MEMBER, COMMITTEE ON ARMED SERVICES

    Mr. Smith. Thank you, Mr. Chairman. I appreciate you 
holding this hearing and the one yesterday.
    Our outside experts sort of basically said that the 
strategy is sound. It is the implementation that is key. And, 
obviously, this is a very difficult area of public policy. It 
is constantly evolving. The threat changes every single day. We 
have to prepare to meet that threat.
    I think a lot of it is, you know, having the right 
personnel, having very, very smart people who understand 
technology, and obviously, we have to compete against private 
industry as we try to bring those folks in. So that is 
definitely a challenge.
    Coordination is also a challenge. There are so many 
different pieces of the Department of Defense: Who is in charge 
of cyber strategy, and how is it being implemented DOD-wide 
because, as we all know, the big problem with cyber is the 
classic single point of failure. You can get absolutely 
everything right except for one thing and have a disaster. How 
do we comprehensively make sure that we are taking into account 
every single one of those points of failure? That is not easy 
to do.
    And then some of the questions that the chairman raised 
about, you know, when are offensive cyberattacks okay? What are 
the rules of the road? And I think that that is a real 
challenge as we deal with China, as we deal with Russia, as we 
deal with Iran and others. What are the red lines, and how do 
we respond if someone crosses those red lines?
    I know that the agreement that was reached with China on 
this is unsatisfactory to many. It is unsatisfactory to me. It 
has a long way to go, but I think we need to have those types 
of conversations, certainly with Russia and China, so that we 
better understand what the rules of the road are so that we can 
get to the point where we don't, you know, stumble into 
something greater than we had expected.
    But I know cyber policy isn't easy, but I look forward to 
hearing from Deputy Secretary Work and our other witnesses on 
how we can get our arms around it and then, also, of course, 
you know, what the legislative branch can do to make it easier 
for you to implement those policies.
    So thank you, Mr. Chairman. I yield back.
    The Chairman. Thank you.
    Again, I want to thank our distinguished witnesses for 
being here. We are very pleased to have the Honorable Robert 
Work, Deputy Secretary of Defense; Admiral Michael Rogers, the 
Commander of USCYBERCOM [U.S. Cyber Command]; and Mr. Terry 
Halvorsen, the Chief Information Officer [CIO] for the 
Department of Defense.
    Without objection, your full written statements will be 
made part of the record. Thank you for submitting those.
    And, Mr. Secretary, we will turn the floor over to you for 
any comments you would like to make.

STATEMENT OF HON. ROBERT O. WORK, DEPUTY SECRETARY OF DEFENSE; 
  ACCOMPANIED BY TERRY HALVORSEN, CHIEF INFORMATION OFFICER, 
                     DEPARTMENT OF DEFENSE

    Secretary Work. Thank you, Chairman Thornberry, Ranking 
Member Smith, distinguished members of the committee.
    Thank you for inviting us here this morning to discuss the 
Department of Defense efforts in cyberspace. As both the 
chairman and the ranking member said, this is an extremely 
important issue that we grapple with every day. And so we 
welcome these types of meetings to discuss the policy issues.
    As you know, cyber intrusions and attacks by both state and 
nonstate actors have increased dramatically in recent years. 
And particularly troubling to us, as the Department of Defense 
and as a nation, are the increased frequency in scale of state-
sponsored cyber actors breaching U.S. Government and business 
networks. These adversaries continually adapt and evolve in 
response to our cyber countermeasures. They threaten our 
networks and systems of the Department of Defense, our Nation's 
critical infrastructure, and the U.S.' companies and interests 
globally.
    The recent spate of cyber events that have been in the 
press, the intrusions into OPM [Office of Personnel 
Management], the Sony, and the Joint Staff networks by three 
separate state actors is not just espionage of convenience, but 
a threat to our national security.
    As one of our responses to this growing threat, the 
Department recently released its 2015 DOD Cyber Strategy, which 
will guide the development of our cyber forces and strengthen 
our cybersecurity and cyber deterrence posture.
    We have three core cyber missions, as defined in our 
strategy. First and foremost--and this is what Secretary Carter 
has made a clear number one priority first--is to defend DOD 
network systems and information. That is job number one. 
Second, we help defend the Nation against cyber events of 
significant consequence. And third, we provide cyber support to 
operational and contingency plans in support of our combatant 
commanders. And in this regard, U.S. Cyber Command may be 
directed to conduct cyber operations in coordination with other 
U.S. Government agencies, as appropriate, to deter and defeat 
strategic threats in that domain.
    Now, my submitted statement contains additional detail on 
how we are moving to achieve these goals, but I would like to 
highlight a particular focus, which is bolstering our cyber 
deterrence. This was a big issue yesterday in the Senate Armed 
Services Committee.
    I want to acknowledge to all of you upfront that in terms 
of deterrence, we are not where we need to be as a nation or as 
a Department. We do believe that there are some things the 
Department is doing that are working, but we have to improve in 
this area, and that is why we have revised our cyber strategy.
    Deterrence is a function of perception. First and foremost, 
it works by convincing a potential adversary that the costs of 
conducting the attack far outweigh any potential benefits that 
they might gain from it. The three main pillars of our strategy 
are denial, resilience, and cost imposition.
    When we talk about denial, denial means preventing a cyber 
adversary from achieving their objectives.
    Resilience is ensuring that our systems will continue to 
perform their essential military tasks, even in a cyber-
contested environment or while under attack.
    And cost imposition is our ability to make sure cyber 
adversaries pay a much higher price for the malicious 
activities than they had hoped for.
    I would like to just dive down deep into these three kinds 
of pillars very, very quickly. To deny an attacker the ability 
to adversely impact our military missions, first and foremost, 
we have to defend our own information networks and data 
systems. Now, we have made a lot of investments in this regard, 
and we believe they are starting to bear fruit, but technical 
upgrades, this is not just about technical upgrades. Because 
nearly all successful network exploitations up to this point 
can be traced to a single or multiple human errors, raising the 
overall level of individual cybersecurity awareness and 
performance throughout the Department is absolutely paramount. 
So we are working to transform our DOD cybersecurity culture 
for the long term by improving human performance and 
accountability within our systems.
    As part of this effort, we just recently published a 
cybersecurity discipline implementation plan and a scorecard, 
the first of its kind. The first time it was implemented was in 
August of this year. These, we believe, are going to be 
critical to our strategic goal of defending the networks and 
securing our data and mitigating risks to our missions. The new 
scorecard system is reported to the Secretary and me on a 
monthly basis, and it will hold commanders accountable for 
hardening and protecting their end points and critical systems, 
and directs compliance with our overall policy.
    Denial also means defending the Nation against cyber events 
of significant consequence. The President has directed DOD, 
working in partnership with other agencies, to be prepared to 
blunt and stop the most dangerous cyber events against our 
Nation and its infrastructure. There may be times where the 
President or Secretary of Defense directs DOD and others to 
conduct a defensive cyber operation to stop a cyberattack from 
impacting our national interests. And so that means to us we 
have to build the capabilities to prevent or stop a potential 
cyberattack from achieving its effect.
    This is an extremely challenging mission. It requires high-
end teams and capabilities, and we are building our Cyber 
Mission Force and deepening our partnerships with law 
enforcement in the Intelligence Community, and we can talk 
about that in questioning.
    A second principle of deterrence is improving our 
resiliency by reducing the ability of our adversaries to attack 
us through cyberspace and protecting our ability to continue to 
execute missions even while in a degraded cyber environment.
    Our adversaries unquestionably view DOD cyber dependency as 
a potential wartime vulnerability. Therefore, we have to have 
the ability to fight through these cyberattacks as a mission-
critical function. That means normalizing cybersecurity as part 
of our mission assurance efforts, building redundancy into our 
systems whenever they are vulnerable, and training constantly 
to operate in a contested cyber environment.
    Our adversaries have to see over time that cyberattacks 
will not provide them a significant operational advantage, and 
that will be one of the key aspects of deterrence.
    The third and final aspect is having the demonstrated 
capability to respond with cyber or noncyber means to impose 
costs on a potential adversary. The administration has made 
clear that the United States will respond in a time, manner, 
and place of our choosing, and it has developed cyber options 
to hold aggressors at risk, if required.
    Successfully executing our missions in cyberspace requires 
a whole-of-government and whole-of-nation approach. This is a 
much, much, much more difficult problem than the debates we had 
over nuclear weapons in the 1950s. For that reason, DOD 
continues to work with our partners and other Federal 
departments and agencies, the private sector, and our partners 
around the world to address the shared challenges we face.
    Secretary Carter, I think you know, has placed a particular 
emphasis on partnering with the private sector. We know we do 
not have all the right answers, and our working with industry 
will be very, very critical to make sure we have both the 
cutting edge of technology as well as best practices and 
procedures.
    Finally, our relationship with Congress is absolutely 
critical. We very, very much appreciate the support for DOD 
cyber activities both last year and this year, as we 
understand, in the 2016 National Defense Authorization Act 
[NDAA]. I encourage continued efforts to pass legislation on 
cybersecurity information sharing, on data breach notification, 
and law enforcement provisions related to cybersecurity, which 
were included in the President's legislative proposal submitted 
earlier this year.
    The American people expect us to defend against cyber 
threats of significant consequence. The Department looks 
forward to working with this committee and Congress to ensure 
we continue to take every step possible to confront the 
substantial cybersecurity risk we face.
    Thank you for inviting us here today, Mr. Chairman, and the 
attention you are giving this urgent matter. I look forward to 
all of your questions.
    [The prepared statement of Secretary Work can be found in 
the Appendix on page 49.]
    The Chairman. Thank you, sir.
    Admiral Rogers, thanks for being here. You are recognized.

STATEMENT OF ADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. CYBER 
                            COMMAND

    Admiral Rogers. Sir, thank you. Chairman Thornberry, 
Ranking Member Smith, and distinguished members of the 
committee, I am honored to appear before you today and before 
the American people to explain how we are implementing the 
Department of Defense Cyber Strategy. I thank you for convening 
this forum and for your efforts in this important area. I am 
equally pleased to be sitting alongside today Deputy Secretary 
of Defense Work and the DOD CIO Terry Halvorsen.
    It gives me great pride today to highlight the 
accomplishments of the uniform and civilian personnel of U.S. 
Cyber Command and its components. I am both grateful for and 
humbled by the opportunity that I have been given to lead this 
cyber team. U.S. Cyber Command and its subordinate elements 
have been given a responsibility to direct, operate, and secure 
the Department's systems and networks, which are fundamental to 
the execution of all of DOD's missions. The Department and the 
Nation rely on us to build ready cyber forces and to be 
prepared to employ them when significant cyber events against 
the Nation require DOD support.
    We are expected to work closely with other combatant 
commanders to integrate cyber operations into their broader 
military missions. Policy makers and commanders alike look to 
us for cyber options in all phases of operations.
    Our military is in constant contact with agile learning 
adversaries in cyberspace, adversaries that have shown the 
capacity and the willingness to hit soft targets in the U.S. 
The demand for our cyber forces continues to outstrip supply as 
we bring more capability online, but we continue to rapidly 
mature based on real world experiences and the hard work of the 
men and women of U.S. Cyber Command and our service cyber 
components.
    The Secretary of Defense and the Department of Defense 
Cyber Strategy direct us to intensify our efforts to defend the 
United States and its interests in our digital age. It is my 
intent that we move forward quickly with our partners to build 
our military capabilities, and I have provided this guidance in 
a recently released Commander's Vision and Guidance for U.S. 
Cyber Command.
    In line with that guidance, we are building and employing 
the Cyber Mission Forces. We are conducting exercises with our 
interagency and private sector partners to inform whole-of-
nation responses to crises in cyberspace, and we are supporting 
DHS [Department of Homeland Security] and FBI [Federal Bureau 
of Investigation], when directed, to defend the Nation's 
critical infrastructure from cyber incidents. We support 
operational commanders around the world every day.
    The bottom line is we are being challenged as never before 
to defend our Nation's interests and values in cyberspace 
against states, groups, and individuals that are using 
increasingly sophisticated capabilities to conduct cyber 
coercion, cyber aggression, and cyber exploitation. The targets 
of their efforts extend well beyond government and into 
privately owned businesses and personally identifiable 
information.
    I welcome this opportunity to elaborate on the progress we 
have made to date and where we should be focussing going 
forward to ensure that we continue to stay ahead and deter 
threats to secure our digital networks and our combat systems, 
to ensure our ability to execute the Department's missions.
    With that, I look forward to your questions, and thank you 
again for taking the time today to spend on this important 
topic.
    [The prepared statement of Admiral Rogers can be found in 
the Appendix on page 58.]
    The Chairman. Thank you, sir.
    And, Mr. Halvorsen, I understand you do not have a prepared 
statement but are available to answer questions. Is that 
correct?
    Mr. Halvorsen. That is correct, sir.
    The Chairman. Great. Thank you for being here, sir. I 
appreciate it.
    Admiral Rogers, yesterday, one of our witnesses made the 
point that in any challenge in warfare, what counts is the net 
assessment. In other words, we can talk about what we are 
doing, but what really counts is what the results of that 
versus what the adversaries are doing. And so just at the very 
highest level, as you look at cyber as a domain of warfare, how 
would you describe the net assessment, where we are today and 
where those trends are taking us? Are we in a good direction to 
reduce the vulnerabilities and have the capabilities we need? 
Are the adversaries moving faster than we are? How would you 
describe that kind of net-net in cyber today?
    Admiral Rogers. So this is a mission set where I think we 
have to acknowledge we have at least one peer competitor in the 
form of the Russians when I look at their level of capability, 
when I look at their activity. Then we have a set of other 
nation-states we pay great attention to who I am watching 
increase their level of investment, increase their capacity, 
and their capability. The Chinese are probably the ones that 
get the most attention, if you will, but they are not alone by 
any stretch of the imagination.
    The challenge for us, in many ways, is we are attempting to 
overcome literally decades of investment with a very different 
attitude, where redundancy, resiliency, and defensibility in 
terms of our systems--whether they be our networks, whether 
they be the combat systems and the platforms that we count on 
to execute our missions--defensibility, redundancy, and 
resiliency were, until only recently, they were never core 
design characteristics. They tended to be something that we 
thought of after we focused on efficiency, cost, speed.
    And so we find ourselves trying to overcome literally 
decades of investment, of sunk capital costs, if you will, if I 
was a business. I think we have got a good strategy, a good 
vision for where we need to go. The challenge always is you are 
never as fast as you want to be. So as a commander, the 
argument I have made with my teams is: So this is all about 
prioritization, Team. We have got to step back and assess where 
do we think the greatest vulnerabilities lie, where do we think 
our opponents are most interested in attempting to generate 
effects against us, and how do we forestall their ability to do 
that in broad terms.
    The Chairman. So, to summarize, we are getting better but 
not better fast enough.
    Admiral Rogers. I think that is a fair----
    Secretary Work. Mr. Chairman, if I could add something to 
this on the net assessment side.
    The Chairman. Yes, sir.
    Secretary Work. All of the adversaries that we face are 
generally, in this regard, are authoritarian powers. We are the 
most open nation on the Earth. It is a tremendous competitive 
advantage, but it provides--we are much more open on our 
Internet than our adversaries are in their own countries. That 
makes us inherently more vulnerable. The number of attack 
surfaces that we have to defend against are very, very much 
larger. So in terms of net assessment, that is one of the 
things that are challenging us and we are trying to sort 
through.
    The Chairman. Okay. Thank you.
    Mr. Secretary, I want to ask you, on the three core 
missions you laid out, number two is defend the Nation against 
significant cyberattacks. As you know, there has been 
considerable conversation about what that means. So if I am a 
company under cyberattack, when is the government going to come 
help defend me? And I realize you probably can't put a dollar 
threshold or something very specific on what that means, a 
significant cyber event, but can you help clarify for us, when 
the Department of Defense becomes engaged in defending the 
country and what that means, significant cyber event?
    Secretary Work. Well, those were the--we call it a cyber 
event or activity of significant consequence.
    The Chairman. I am sorry, Mr. Secretary, is your microphone 
on?
    Secretary Work. I am sorry, sir. You are exactly right. We 
are obligated to defend the Nation against cyberattacks or 
cyber activities of significant consequence, and that is not a 
purely defined term. Each attack would be looked at. So, for 
example: Did the attack result in any death? Injury? 
Significant destruction was associated with it? Was it an act 
of espionage? Was it an act of cybercrime? In other words, was 
it a nonstate actor who is trying to get a PII [personally 
identifiable information]? But a significant consequence would 
be things which would go against our national critical 
infrastructure, and this would be decided primarily with the 
Department of Homeland Security, which would have the lead on 
attacks within the United States on critical infrastructure, 
and we would then work through with the policies to make an 
appropriate response.
    Admiral Rogers works this constantly, so I think he would 
be very well placed to answer this question, too.
    Admiral Rogers. I would agree completely with the 
Secretary.
    It explains why the response to Sony, for example, is very 
different than the response to OPM. We try to look at things in 
a case-by-case basis given a specific set of facts, and we are 
clearly still working our way through some of these broader 
definitions. I don't think there is any doubt about that.
    The Chairman. Well, I appreciate it. I think other members 
may want to follow up.
    I mean, you look at OPM and huge consequences for our 
national security. I presume if you had seen it occurring, then 
there would have been action taken to prevent it, but it is 
large consequences, even for the theft of information that did 
not result in death, we trust.
    Mr. Smith.
    Mr. Smith. Thank you.
    And I know you can't talk about this in an open setting in 
terms of what our response has been to some of these 
cyberattacks, but can I ask if, you know, you feel that 
response has been effective? Has it deterred more attacks? At 
this point, how comfortable are you that our responses to--and 
again, there are, as you have laid out, levels of cyberattacks. 
When you pass a certain level, then, you know, we feel like a 
response is appropriate, have those responses been at all 
effective in your view at this point? And how would you define 
effectiveness?
    Secretary Work. I would say at this point we don't believe 
that our deterrence policy has been effective up to this point 
or as effective as it should be, and that is why we want to 
strengthen it. As we talked, one of the problems is 
attribution. So the first thing is, where did the attack come 
from, a geographical location? Then who was the actor who the 
attack came from? And then did the state control the actor, or 
was the actor operating independently?
    So that will tell you whether it is a law enforcement 
response, whether it should be economic sanctions, whether it 
should be offensive or defensive cyber operations. And I 
believe what we have to do is have a very strong policy on cost 
imposition, which we are working towards and we have announced, 
and then we have to prove that through our actions. So I would 
say that we are not where we would want to be in terms of 
deterrence right now.
    Mr. Smith. And following up on that, how effective are you 
at figuring out where the attack came from? Now, I understand 
there is the final piece of that is the one that is really most 
difficult because even if you were to determine who the actor 
was, was that person acting on their own or acting at the 
behest of a government? But how effective are you at when an 
attack comes in saying, all right, tracing it back and saying, 
that is the person who did it?
    Admiral Rogers. We continue to gain increased insight and 
knowledge in that area. If you look, for example, using Sony as 
an illustrative example, we were very quickly able to determine 
the nation-state and the specific actor within the nation-
state. I think that is one reason, again, why you saw, you 
know, a policy response that was relatively quick. We were able 
to provide policymakers with a high level of confidence as to 
who did it, how they did it. It really varies. Though I will 
say we are watching actors around the world as they realize 
that we are gaining increased capability in our ability to 
attribute cyber activity, specific nation-states, specific 
groups.
    It is interesting watching them now attempt to obscure 
that, create different relationships, use different processes, 
so this is one, as was indicated in the opening, the dynamics 
here just change so quickly. It is the nature of this. I don't 
see that fundamental changing any time soon.
    Mr. Smith. Right.
    Secretary Work. One of the problems is we have a very 
strong policy that we will respond in a place and a time and a 
manner of our own choosing, and the problem with this is it is 
not like it can happen sometimes very, very quickly. First, we 
have to go through the attribution phase. Then we have to 
determine: Was it cybercrime? Was it an independent actor? Was 
the actor responding in charge of the state? And what are the 
appropriate responses? That might be a law enforcement measure. It 
might be economic sanctions. It might be offensive or defensive 
cyber operations. It could be military operations, depending on 
the damage or threat of the attack to our Nation.
    So this is much, much different than nuclear deterrence 
where you can attribute the attack immediately, generally, and 
you have specific response options already ready. In this case, 
it is a much more whole-of-government approach that takes more 
time.
    Mr. Smith. Understood.
    Thank you, Mr. Chairman.
    The Chairman. Thank you.
    Mr. Jones.
    Mr. Jones. Mr. Chairman, thank you very much.
    You know, this is the new world we all live in. We all know 
that. It is kind of interesting--I am getting to a question in 
just a moment--but I bank with the credit union here in 
Washington. So, last Saturday, I started calling 24-hour 
banking to find out what was in my account. As of today, they 
are not online.
    Well, I am certainly not saying that is a cyberspace 
invasion of anything, but it is just the complexities of the 
world we are living in now. So when I hear your testimony, I 
want to first say thank you for who you are and what you are 
doing.
    My next question would be, at this point, knowing that we 
are constantly here in Washington worried about a shutdown, 
worried about the debt growing, I will never forget--I have had 
reason to call Admiral Mullen recently--of course, he is 
retired--the former chairman--I have great respect for him--on 
a totally different subject. And I have used many times back in 
my district, the Third District of North Carolina, the home of 
Camp Lejeune, Cherry Point, I have used many times what he said 
when he was chairman: The biggest threat to our military is the 
debt of our Nation.
    What I would like to note, as you move forward to give us 
the very best protection that you can, what type of financial 
commitment should the taxpayers and the Congress understand 
that we need to make to ensure that we have got the best 
protection?
    Secretary Work. I believe we have been very clear, sir, 
that the President's request, the PB16 [President's budget 
2016] request, we believe, is the absolute minimum needed to 
provide the national security necessary for the United States.
    I would just like to say, I was talking with the chairman 
just before this, and we are very, very thankful--or we hope--
that we will avoid a shutdown. This would be extremely 
disruptive. I think Admiral Rogers can tell you: the last time 
we went through a shutdown, it set us back 6 months in terms of 
preparing our Cyber Mission Force. So we believe the PB16 level 
is the absolute minimum.
    I would also like to say that, you know, in the last 6 
years, we have been under a CR [continuing resolution] for 2 
years of the 6 years, and each of the first quarters of the 
fiscal year, we have been under a CR for about 93 percent of 
the time. In essence, we are operating in a 9-month fiscal 
year. There is no COO [chief operations officer] in the United 
States who could operate under this type of uncertainty, and we 
hope that the CR will be handled or will be resolved as quickly 
as possible.
    So I very much thank the question, sir. This is an 
important thing. I hope that we will be able to resolve our 
differences on the budget level and provide for the national 
security.
    Admiral Rogers. If I could.
    Mr. Jones. Excuse me.
    Go ahead, Admiral, please.
    Admiral Rogers. The only other comment I would make is, and 
I think it goes to the point you are trying to make: There 
shouldn't be any doubt in anyone's mind that there is a cost 
component to all of this, that, as a Department, we try to 
prioritize that because we clearly realize there are many 
competing requirements and resources are tight for the Nation, 
and we certainly understand that. But there just shouldn't be 
any doubt that there is a cost component to that. And that cost 
may change over time, but I don't think it is going to get 
cheaper for us, at least in the near term, not with the level 
of activity that you see out there every day.
    Secretary Work. Congressman Jones, I will tell you that, 
regardless of level of our budget, Secretary Carter has made it 
clear that cyber defense and cybersecurity is going to be at 
the very, very top of our priority list. So whatever budget we 
receive, cyber will receive the attention that we believe it 
deserves.
    Mr. Jones. Well, I believe that the shutdown will probably 
be avoided, which you know, not getting into the politics of 
that, but I think it probably will be. And I think you all have 
done a great job. I think the American people, like me--I am 
not talking about my colleagues--have really understood that 
this threat of cyberspace warfare in any form is probably at 
the foremost, as you said, Admiral, will grow and the threat 
will become more and more. So I thank you gentlemen for being 
here today and your testimony.
    And I yield back the balance of my time.
    The Chairman. Thank you.
    Mrs. Davis.
    Mrs. Davis. Thank you, Mr. Chairman.
    And thank you to all of you for being here. And as you 
know, we heard from outside groups, the private sector, 
yesterday, and I think you spoke, certainly, Mr. Secretary, to 
the importance of that partnership. One of the questions I 
basically asked them was, you know, what hampers that 
relationship? What hampers moving forward? And they spoke of 
the regulatory burden that is placed on companies wishing to 
work and partner with the DOD, and particularly for newer 
companies who don't have a history of working with the 
government.
    And so I am wondering how can we make that process easier? 
Do you think that is an appropriate analysis or response? You 
may feel that you have done everything you can to assist in 
that way, but obviously, there is a different response.
    The other issue is really whether or not we are kind of 
losing out on working with some of the best minds in the 
business because we just make it so difficult for them to work 
with the Department of Defense.
    Secretary Work. Congresswoman, I would ask Terry Halvorsen, 
our CIO, who works extensively with the private sector, to 
answer your question. I think he is the best to do that.
    Mr. Halvorsen. Thank you, sir.
    I think there is absolutely some truth that we have got to 
get better at bringing in particularly newer companies. I 
think, first, you have to understand, if DOD was a Fortune 500 
company, we are Fortune 1. We are very big. That in itself 
causes us some difficulty with companies that do not have 
experience with us.
    So in the last year, some of the things that we have done 
to make that better, we have reached out, as many of you have 
seen, to Silicon Valley. We are holding different events to 
make industry clearer. One of the things that we did last year, 
which I thought was one of the bigger breakthroughs, you 
probably will ask me a little bit later about Cloud. One of 
the things we did to make Cloud easier for people to play and 
easier for industry to get in, we wrote our new Cloud policy 
completely with industry. First time we have done that. They 
actually--we convened them, we brought them in from the 
beginning. We had leading industry providers--I think Amazon--
on the panel to write that. We have gotten very good reviews 
from that. We have got to continue to do that.
    This year we are going to bring some industry players into 
the DOD CIO staff and some of the other service CIO staffs. We 
will actually do exchange with the industry. Some of that will 
be focused on some of the new industries so that we learn how 
they need to respond and how we need to respond.
    So we have to do better. I think we are doing better in 
that area, and I think you will see more results in the next 6, 
7 months coming down that we will be able to concretely show 
you what we have done to improve that relationship.
    Mrs. Davis. Yeah, that is good to hear. I think we have to 
continue to push and, obviously, ask them how that is working. 
I guess we also would agree that in the procurement areas, 
again, maybe there are some better ways of doing it. And 
everybody talks about it, but sometimes it feels like nothing 
is getting done.
    So I wanted to ask you as well in terms of the hiring as 
well because in personnel areas, we know that we are not as 
adaptive in hiring as, obviously, as the private sector is. 
What are we doing to make sure that in the field of 
cybersecurity that we are able to push through nominations to 
positions so that they don't have to wait so long that they go 
ahead and take those jobs in the private sector?
    Mr. Halvorsen. Two things, and first of all, let me thank 
all of you. You did pass good legislation that gave Mike Rogers 
and I some more authority to directly hire people without 
having some of the normal rules and regulations that we have to 
follow so we could compete. I know there is some work on some 
additional. We would appreciate that.
    I think one fact we just have to understand: we are not 
going to pay exactly as much as industry in the cybersecurity 
area and some other areas. One of the things we have going for 
us: we have a pretty exciting mission. So when I talk to--and I 
spend a lot of time talking to people who want to come to work 
for DOD. We are trying to attract them, and we have been able 
to pull some people in even the last year into my staff. As 
long as we can get them in fast and offer them the right wage, 
which the new authority gives us, I think we will be able to 
continue in the right--they want to work this mission. And your 
legislation that recently passed has really helped us with 
that. Thank you.
    Admiral Rogers. If I could just add, this is one area where 
I suspect over time we may in fact end up coming back to you as 
our experience tells us, are there things we could be doing 
differently? Are there challenges here we need your help in 
overcoming? Because I always remind people, look, while we 
spend a lot of time focused on technology, don't ever 
underestimate, at its heart, this is an enterprise powered by 
men and women. And they are our advantage, and that is where we 
need to make sure we are getting really good talent.
    To date, I would argue, at the mission force level, the 
execution piece for us, we have been able to exceed our 
expectations both in terms of the ability to bring in quality 
people, as well as retaining them.
    Mrs. Davis. Perhaps some chart showing the differences as a 
result of some of these changes would be really helpful in 
understanding what the impact has really been. Thank you.
    The Chairman. Thank you.
    And as I mentioned earlier, we stand ready to work with you 
all on those authorities as we assess how they are doing. That 
is very important.
    Mr. Forbes.
    Mr. Forbes. Thank you, Mr. Chairman.
    And I reiterate what Mr. Jones said in thanking each of you 
for what you do for our country and for being here today.
    Mr. Secretary, you probably think strategically and 
analytically on national defense issues as well as anybody we 
have in government today, and we appreciate and respect your 
opinions as you come before this committee.
    I would like to follow up on some questions that the 
chairman offered specifically related to net assessment, and 
one of the things that I just want to ask, as you are aware, 
some of the best strategy we have developed over the years have 
been informed and supported by the practice of net assessment. 
Has DOD done any net assessments of the cyber domain at this 
particular point in time?
    Secretary Work. Well, as you know, sir, we just had a 
leadership change in the Office of Net Assessment [ONA]. It 
reflects Secretary Carter's very strong support of that office 
in providing independent assessments to him and I. Jim Baker, 
who is the new director, has just gotten in and is going to 
come back in. Cybersecurity and cyber is at the very top of our 
list, but there are many, many other strategic challenges, as 
you know.
    This one is going to be one that I believe ONA is going to 
help us on, but I know of nothing at this point as far as an 
ongoing assessment, but we expect to be able to start asking 
Mr. Baker.
    Mr. Forbes. And that is not a criticism; it is an 
encouragement. As the chairman talks about net assessment, if 
we haven't done a net assessment of that, it is kind of 
difficult to know where we are. So I think we would just 
encourage, perhaps, the Department, if it can, to do what it 
can to have that net assessment done, and because I do think it 
helps us in determining what our strategies are going to be.
    The second part of that is I know you have worked very, 
very hard and very, very well on a third offset strategy. Do 
you expect that cyber will be a part of that third offset 
strategy?
    Secretary Work. Absolutely. We assume that the future will 
be an extremely highly contested cyber and electronic warfare 
environment. So no matter what strategy we have, that kind of 
is the underlying baseline that we assume we must be able to 
contend with.
    There are a lot of questions on whether or not--many people 
say, well, if you go to a more network force, are you going to 
be able to have the certainty that you will have the networks 
when you need them? Will you have the confidence? So it will be 
absolutely critical to the third offset, yes.
    Mr. Forbes. And, once again, just an encouragement, the net 
assessment often really helps us inform what we are doing, that 
having that net assessment done would be, I think, very 
helpful.
    Admiral Rogers, do you think we need to leverage a wider 
range of tools, like sanctions, or diplomacy, criminal 
proceedings, to deter cyberattacks with the threat of 
punishment? And can you tell us a little bit more about what 
options you think would be most effective at imposing costs 
upon perpetrators?
    Chairman Wilson and I, for example, have introduced 
legislation calling for targeted economic sanctions, but I am 
not asking you to address that bill----
    Admiral Rogers. Right.
    Mr. Forbes. But what else? What do we have? What else do we 
need, in your opinion?
    Admiral Rogers. That has been part of our strategy to date, 
that just because someone comes at us in a cyber domain doesn't 
mean the response has to be primarily or purely back in that 
same arena, if you will.
    You see that reflected in the response to the attack on 
Sony, for example, where we publicly acknowledged the event. We 
publicly attributed the event. And we talked about an initial 
set of actions we are going to take in response. In this case, 
it was economic sanctions. And then the President also talked 
about and we will take additional action if that is required, 
we believe, at the time and place of our choosing.
    We have used the legal framework within the last year where 
we have indicted individuals of foreign states, individual 
actors, we have indicted them. We have done the economic piece. 
There is a broad range of options that are ongoing with law 
enforcement, what the FBI, for example, does every day today.
    Mr. Forbes. I hate to interrupt you, but I only have----
    Admiral Rogers. Go ahead.
    Mr. Forbes [continuing]. 50 seconds, and I would just like 
to ask you this. Secretary Work said that we have not been as 
effective up to date as we would like to be. Fair. Again, no 
criticism, just an observation.
    What do you attribute that to? Is it our lack of 
willingness to use the tools we have, or does this committee 
need to help you get more tools? What would you say is your 
assessment of how we make that more effective?
    Admiral Rogers. I mean, I think clearly there is a broad 
range of tools available to the Nation to include cyber 
options. One of my particular responsibilities is to be able to 
generate cyber options so that the Secretary has options to tee 
up. We are in the relatively early stages of that journey, but 
we are on that journey, and we have developed some levels of 
capabilities already. I am not going to get into specifics.
    I think the biggest challenge in some ways is just time. I 
mean, we are in the very early stages of this, and if you look 
at, for example----
    Mr. Forbes. Speaking of time, my time is up, but if you 
don't mind, we would submit some questions on the record.
    Admiral Rogers. Okay.
    Mr. Forbes. And maybe you can respond back.
    Admiral Rogers. Be glad to.
    Mr. Forbes. With that, Mr. Chairman, thank you.
    And, with that, I yield back.
    The Chairman. Thank you.
    The gentleman from Rhode Island, who has been a leader in 
this area for some time, is recognized for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman.
    I want to thank you and the ranking member, as well as 
Chairman Wilson, for the time and attention that you and the 
committee have put into focussing on cyber.
    And, Mr. Secretary, and Admiral, and Mr. Halvorsen, we 
thank you for your testimony here today.
    I think that the discussion we have been having on imposing 
costs on our enemies and adversaries is critically important, 
and I am not going to ask a question on this today, but I will 
say that I know that the committee and certainly I am going to 
pay a lot of attention on this. We are looking for specifics 
about what those costs being imposed on our enemies and 
adversaries will be.
    I know the American people are looking for answers on this 
because right now, up until now, our enemies, adversaries have 
been eating our lunch for a long time, especially when it comes 
to cyber espionage, especially when it comes to things like 
defense contractors over the years.
    I know we have gotten better, and we have had the DIB 
[defense industrial base] pilot in place now, and the follow-on 
program that has done a better job of defending our defense 
contractors and the like, but imposing costs on our enemies and 
adversaries has to be an important part of the equation, and 
they have to know what it is. I know some of our responses may 
be classified, but others we need to make public so that our 
enemies know, our adversaries know that they can't operate with 
impunity, which is what really is happening right now. It is 
like the Wild West out there, and they are on the better side 
of the equation. We have got to flip that so we have better 
outcomes on our side.
    So let me just turn to another topic. Do you believe--and 
Mr. Secretary, we will start with you--that there is an 
effective accountability mechanism in place for reported 
cybersecurity breaches at defense contractors? And could you 
describe to us the process by which contractors are held 
accountable?
    Secretary Work. Congressman, I do believe we have an 
effective means. We are getting better. We have established our 
own cyber scorecard. This has been one of CIO Halvorsen's top 
jobs, so I would ask him to answer the question with more 
specifics.
    Mr. Halvorsen. Thank you, sir. As you mentioned, sir, we 
actually have improved the DIB process, which brings and gives 
the companies better ability to share data with us. It protects 
them and gives them some protection when they share that data 
with us. That has been very successful.
    We have also improved our ability working with industry to 
look at the supply chain, risk management. I won't get into 
everything we have done there, but what basically done is we 
are sharing it, and we are putting some systems in place with 
industry to be able to see that data better.
    We have now included working very much with industry to 
include now language that is in all IT [information technology] 
and cyber contracts that requires certain levels of security 
and reporting. All of those things are beginning to show 
results, and one way that we impose costs on them is to raise 
our basic level of cyber defense and make them play much higher 
to play the game. The things we are doing I believe we are now 
starting to see some effects in that area about who isn't 
playing as much anymore and what they are having to pay to 
play.
    Mr. Langevin. Thank you. So I have been examining the 
practices and techniques that the financial sector is using to 
determine and address the cyber risk of their contractors and 
vendors, and in many ways, they are way ahead of what the 
government is doing.
    To what degree have you cribbed from civilian sector best 
practices?
    Mr. Halvorsen. Sir, very much so, and I would say that we 
share a lot. In the financial sector, in particular, they have 
just published some new standards about what they expect from 
their vendors. If you looked at what they wrote and you looked 
at what we wrote in ours, they are very similar. That was 
actually a fairly collaborative effort with the financial 
industry.
    We are also doing that with other segments of industry, 
with the logistics companies and other things. So we are 
cribbing a lot from industry. I spend a lot of time on our 
mobility policy. We will see, as that comes out, that will be 
completely again written with industry playing right from the 
beginning to help us get those pieces right so that we get the 
advantage of effectiveness and efficiency while we are using 
industry practices to raise the level of security.
    Mr. Langevin. Can you describe for us the Department's 
progress on the creation of persistent training environments of 
the type and scale necessary to conduct group and collective 
training, rehearse missions at the unit level, as well as 
integrate and exercise the full spectrum of national, state, 
local, and private sector capabilities?
    Admiral Rogers. So we identified that as a core enabler for 
us to build the vision, actually create the capability we think 
we need. In fact, this is one I actually--Deputy Secretary Work 
and I worked directly on this--and where I said: Hey, boss, I 
could use some more help here in fiscal year 2015. He was kind 
enough to generate additional funds for us. We have created a 
capability down in Suffolk, Virginia. In fact, we have been 
using it now every year with the Guard and interagency to look 
at how we can model different scenarios where DOD would be 
applying the capabilities to support critical infrastructure.
    In addition, we generated the capability at the Fort Meade 
area that we can increasingly pour it out across the framework 
for us. This has been a big investment area. You see it on the 
2016 budget as well. We thank you for your support for that.
    Secretary Work. In our PB17 [President's budget 2017] 
build, Congressman, Secretary Carter has again defense of the 
networks is number one. Improving training is right up there. 
So this is going to have a very, very high level of attention 
from the top down.
    Mr. Langevin. Thank you all.
    Thank you, Mr. Chairman.
    The Chairman. Thank you.
    As I mentioned to our witnesses earlier, Mr. Smith and I 
have to go testify ourselves in front of the Rules Committee, 
so I am pleased to yield the chair--and yield for questions he 
may submit--to the chairman of the Emerging Threats and 
Capabilities Subcommittee, Mr. Wilson.
    Mr. Wilson [presiding]. And ladies and gentlemen, it is the 
unique situation where I have just been recognized and I get to 
preside simultaneously. But it really gives me an opportunity 
to thank Chairman Mac Thornberry and Ranking Member Smith for 
their planning this week, cyber week. It is really a 
recognition for our three witnesses how important what you are 
doing, protecting American families. And so I am very grateful 
we had a hearing yesterday on cyber threats to American 
families, our national defense.
    We have this hearing. Later this afternoon, we have a 
briefing. I want the American people to know that we have got 
really good people, like Congressman Jim Langevin, all the way 
from Rhode Island, who is the ranking member of the Emerging 
Threats Subcommittee. This really is a bipartisan issue that we 
face of great concern of attacks on our government, on private 
businesses, on American citizens, and what you are doing is so 
important. We have also got extraordinary staff, people who are 
here working on these issues.
    And, again, each one of you, in your capacity, are making 
such a difference, and we look forward to working with you in 
the future. In particular, Secretary Work, during the cyber 
hearing yesterday and the chairman mentioned in his opening 
statement about the concept and proposal of hack-back; for 
example, when a private company takes retaliation into their 
own hands and hacks back at someone who has attacked our 
networks or systems. Can you outline concerns that you have? 
And is hack-back inherently a government function that only the 
government should do? Or is there a private role?
    Secretary Work. Well, this is a very, very important issue 
for us because cyberattacks often have second and third and 
fourth order of consequences that we really have to understand, 
that they may cause escalation that were unintended. So this is 
an extremely important policy question for us as a nation to 
grapple with.
    Admiral Rogers deals with this on a daily basis, and I 
would ask him to provide some specifics.
    Admiral Rogers. So I not only acknowledge the policy 
complications, but I also try to point out, at an operational 
level, we have so many actors in this domain already, adding 
more only complicates things.
    The second and third order effects, as the Secretary has 
outlined, are of significant concern. And so I have, from my 
perspective, urged be very careful about going down this road 
because I don't think it is one that we truly understand. And 
from my perspective, the potential to further complicate an 
already complicated situation is very significant here.
    Mr. Wilson. And as complicated as it is, I am just so 
hopeful that with the expertise that you have, to me, it would 
be a deterrence with some level of hack-back. And so I hope 
this is pursued and the capable people that you are and that 
you have working with you, I can't wait to hear of their 
capabilities as to deterrence, stopping hacking on American 
families.
    And, Mr. Halvorsen, the Department recently issued a new 
manual for the defense support of civil authorities, which for 
the first time addresses cybersecurity related incidents. Could 
you discuss how DOD gets a request for such support, especially 
if it might be coming from a State or local agency?
    Mr. Halvorsen. Yes, sir. As the manual lays out, there are 
some formal processes we would go through with that, but one of 
the things I want to stress is the informal processes that we 
have put in place. We have now scheduled routine meetings with 
industry CISOs [chief information security officers]. My CISO, 
Richard Hale, who you will, I think, hear from later today in a 
closed hearing--had scheduled meetings with their security 
officers, both officially and unofficially. So we are sharing 
that data. We are moving forward to be able to give them some 
of our data quicker.
    Mike's work has been superb in being able to lower the 
classification levels of data so that we can share that much 
quicker with industry and accept theirs in a similar fashion. 
So I think all of those things plus what is in the manual are 
adding to our--all of us, industry and the government's--
collection of data and what I will call operational 
intelligence that we can use to better security.
    Admiral Rogers. And I would also add, this is an issue 
where we collaborate very closely between the Northern Command 
commander, U.S. Cyber Command, the Department of Homeland 
Security, the Guard and Reserve, the FBI, about how can we make 
sure that we are most efficient about how we are going to apply 
DOD capacity within the cyber arena within the broader defense 
support to civil authority construct because I am trying to 
make sure, can we use that existing framework to the maximum 
extent possible as opposed to trying to create something new, 
something totally complex in the cyber arena?
    Mr. Wilson. Admiral, thank you for being--pitching in. I 
want you to know, as a very grateful Navy dad, with three sons 
in the Army Guard, but I am very grateful for your service and 
naval service in general.
    Secretary Work, in your testimony you stated, quote: ``The 
Iranian actors have been implicated in the 2012, 2013 attacks 
against U.S. financial institutions and in February 2014, last 
year, cyberattack on the Las Vegas Sands Casino.''
    What economic sanctions or legal actions resulted from this 
activity? Are they being maintained?
    Secretary Work. Sir, I am going to have to take that for 
the record. I don't know exactly what sanctions the DDOS 
[distributed denial of service] attack that you referred to 
against the financial services was attributed to Iran, as well 
as the Sands Casino, as you said. I am going to have to get 
back to you and say exactly what we did as a result of those 
two attacks, but Mike might know.
    [The information referred to can be found in the Appendix 
on page 73.]
    Admiral Rogers. No specific sanctions tied to those each 
individual discrete events. It is clearly a broader discussion 
about what is acceptable, what is not acceptable. We have seen 
a change in behavior. The activity that we had seen previously 
directed against financial Websites, for example, has 
decreased, in part, I think, because of the broader, very 
public discussion we were having in which we were acknowledging 
the activity, and we were partnering between the government and 
the financial sector to see what we could do to work the 
resiliency piece here to preclude the Iranians' ability to 
actually penetrate, which, knock on wood, we were successful 
with.
    Mr. Wilson. And, again, thank each of you.
    We now proceed to Mr. Larsen of Washington State.
    Mr. Larsen. Thank you, Mr. Chairman.
    Any of you can answer this question. I am curious, though. 
Are we still exploring what the outer limits of what 
constitutes the equivalent of a physical kinetic attack against 
the U.S. when we are looking at cyberattacks? We still know 
what would be the equivalent kind of cyberattack that would 
warrant the kind of and size of response that we might do if 
there was a physical kinetic attack against the U.S.? We 
exploring the outer limits still?
    Secretary Work. Well, we defined an event of significant 
consequence, it has to include either a loss of life; 
significant damage to property; serious adverse U.S. foreign 
policy implications or consequences; or serious economic 
impact. Now, that is a broad statement, and each of them have 
to be addressed as an individual act, and that is why there is 
no established red line on what we would say this constitutes a 
physical attack.
    The question we are often asked is, when does a cyberattack 
trigger an act of war? And each of those would be discussed in 
turn, depending on the type of attack and what its consequences 
were. As of this point, we have not assessed that any 
particular attack on us has constituted an act of war.
    Mr. Larsen. Can you--and Admiral, you addressed this a 
little bit--be more specific about the title 10 versus title 32 
responsibilities in working with the National Guard or even 
going beyond that, working with either national, State, or 
local law enforcement? What specific criteria do you use to 
make that distinction?
    Admiral Rogers. For me, among the things I look at are 
scope of the activity we are dealing with, the nature of the 
event that we are trying to deal with, capacity that exists 
within the title 10 arena versus in the title 32. Are there 
specific knowledge or unique insights that, for example, a 
particular Guard structure might have that are really well 
tailored to deal with this specific issue?
    Again, it is a case-by-case basis. The touchstone, though, 
I have tried to maintain with my Guard teammates and the States 
is we need one integrated workforce between the Active and the 
Reserve Component, trained to the same standard using the same 
basic scheme of maneuver so that we can use these capabilities 
interchangeably. That maximizes our flexibility as a 
Department, and it gives us a broad range of options in terms 
of how we employ the capability.
    Mr. Larsen. And then are you making that largely permanent? 
At some point in the future, you have moved on to something 
else, and someone comes in behind you? So is this still 
evolving, how you are trying to establish these relationships 
as they apply to cyber, or are these going to be largely 
permanent? Will you be changing the story?
    Admiral Rogers. Right. I think they will be largely 
permanent. I feel pretty good that we have done the 
foundational work, if you will, broadly. I always remind 
people: Remember, no plan ever survives contact. And the broad 
framework we are going to acknowledge as we get into this, we 
are likely to see things we hadn't anticipated, and we have got 
to be flexible and be willing to change as we need to given the 
specifics of whatever particular event it is that we are 
dealing with.
    But I would compliment the Guard and the Reserve for the 
way we have partnered on developing the cyber capability within 
the Department. It hasn't been adversarial at all. It has been 
a great team.
    Secretary Work. In fact, I would like to jump in on that, 
sir. We work very closely with the Council of Governors. I 
would like to give them a shout out. We have been dealing with 
this on how to build up cyber capacity in the Guard and 
Reserve. We are building right now toward about 2,000 Guard and 
Reserves that are associated with this. And what we are doing 
right now is trying to work out the policy on what our folks 
can do in terms of coordination, training, advising, and assist 
under title 32 and title 10 authorities.
    That is actually--the policy--is working well. We are 
working well with the Governors, and we believe that this is 
going to be a great new story for the Nation.
    Mr. Larsen. Right, that is nice. In my last few moments 
here, I have a question. We talked about defensive networks--
defense of networks, that is--talked about resilience, denial, 
and the whole deterrence issue, but this issue of hybrid 
warfare, of course, has come up and I am curious about what 
steps you are taking to incorporate in a U.S. response or even 
in NATO's [North Atlantic Treaty Organization's] response and 
the role CYBERCOM plays in this in incorporating a responsive 
capability within this hybrid warfare concept that we hear 
really a lot out of General Breedlove.
    Admiral Rogers. So, it is a concept--we are partnering both 
with General Breedlove at EUCOM [European Command] as well as 
in his NATO role as the Supreme Allied Commander, and it also 
highlights the work that Special Operations Command, that 
General Votel's team are doing in this regard. In fact, I was 
just down in Tampa about 10 days ago. This was part of our 
broad discussion about how do we integrate the full range of 
capabilities within the Department as we are trying to respond 
to an evolving world around us?
    I think we are starting to have some good conversations in 
a good broad way ahead within the Department. The international 
framework for this is little more difficult. I think it is fair 
to say not as far as advanced, for example, with us and NATO. 
It is an area we have talked about we have got to work on.
    Mr. Larsen. My time is up. Thank you very much.
    Mr. Wilson. Thank you, Mr. Larsen.
    We now proceed to Congressman Doug Lamborn of Colorado.
    Mr. Lamborn. Thank you, Mr. Chairman.
    I appreciated your comments to earlier questions that were 
directed from Congresswoman Susan Davis, but I would like to 
follow up and build on that. This concerns recruiting and 
retaining top talent. So what are your efforts to--and this is 
for you, Admiral Rogers, in particular--what are your efforts 
to develop a unique cyber career track for those in the 
military?
    Admiral Rogers. So, services have the responsibility for 
man, train, and equip within our Department, in terms of they 
generate the capacity I employ then as the joint commander. In 
the cyber arena, though, one of the things that has been a real 
strength is the joint world and the services have been totally 
integrated as to how we are going to develop this, what are the 
standards, what are the skills, how do we create that 
workforce. And that is what I did, in fact, in my last job. I 
am very comfortable with how each service has tried to create a 
career path that enables us to extend over an entire career 
both this capability as well as generate the insights we need 
in the workforce. I think that is a big change for us over the 
last 5, 10 years. I think it is a real strength for the future. 
It is not an area that I look at now and I go: Wow, I have real 
heavy concerns there. I think we have got a good way ahead and 
a good broad vision, and the capacity and the capability of 
that workforce, I have yet to run in--knock on wood, with my 
luck, this will happen tomorrow--but I have not yet run into a 
scenario where we didn't have the level of knowledge.
    The challenge has been I might have had a handful of people 
with the right level of knowledge, but we had people with the 
knowledge. I have got to build that capacity out more so we 
have got more of it, if you will.
    Mr. Lamborn. Okay, well, I appreciate hearing that and that 
is really encouraging, so thank you.
    And Secretary Work, the Department has recently floated a 
number of new civilian and military personnel reforms, 
compensation, retirement, et cetera. How will some of these 
reforms affect the cyber workforce?
    Secretary Work. Well, I actually was going to try to jump 
in here because this is a huge priority for Secretary Carter. 
He came into the Department believing that over time we have 
created these barriers for service in our government. And he 
wants to really, as he talks, burrow tunnels through these 
barriers or widen the aperture. And he uses cyber as an example 
of new ways in which we might bring people into the government 
and allow them to serve for a while, then go back out into the 
civilian workforce, and come back in. And so he has challenged 
us and the Under Secretary of Defense for Personnel Readiness, 
Brad Carson, on this force of the future to say: How can we 
make sure that in areas like cyber, you know, space, electronic 
warfare, we have more permeability in the Department to make 
sure that we are getting the best ideas from outside the 
Department?
    I don't have any specifics to give you right now because 
they are in the process of going through a deliberative, 
``Which ideas are good?'' But we are right with the intent of 
your question to improve the ways in which people can come in 
and out of our government service because, as Mr. Halvorsen 
said, this is an exciting mission for many, many people. And 
maybe they don't want to make a 30-year government career, but 
if they had a chance to help Admiral Rogers for a 2- or 3-year 
period, they are all in. So we have to improve the way to do 
that.
    Mr. Lamborn. Okay, thank you.
    And, Mr. Halvorsen, do you have anything to add to what has 
already been said?
    Mr. Halvorsen. No. I just echo all of the same comments.
    And while we are waiting for some of that to be staffed, 
you heard we are moving forward on some pilot programs to bring 
industry into the government, for us to put, for the first 
time, civilians out in industry. Those pilots are moving very 
well, and as we have used those to inform Brad in his work, I 
think you will see some great things coming out of this.
    Mr. Lamborn. Well, I thank you for your answers. And most 
of all, thank you for the great work that you are doing.
    Mr. Chairman, I yield back.
    Mr. Wilson. Thank you, Mr. Lamborn.
    We now proceed to Congresswoman Niki Tsongas of 
Massachusetts.
    Ms. Tsongas. Thank you all for being here. It is obviously 
a topic of great importance. And I think, as you said, so much 
of this is about personnel, really being able to attract the 
people and keep the people who have the skill set and the 
commitment to thinking this through because it is not easy 
stuff--that is for sure--at all. And I gather from the 
testimony I have heard that there is a fair amount of comfort 
level with what DOD and the military services have been able to 
do to put in place appropriate means of training, hiring, and 
then compensating, even though you have said you may have to 
come back to us in the future.
    But you also commented that this is sort of an interagency 
effort and you are working with the Department of Homeland 
Security, law enforcement, the FBI, the Intelligence Community. 
How much sharing across those borders is taking place in terms 
of the skill set that you need in each of those aspects of this 
effort and how comfortable are you with the ways in which you 
are working together and how they are responding to the 
challenges they face in terms of personnel?
    Admiral Rogers. I mean, I would argue very well.
    For example, this is one I have personally sat down with 
the director of the FBI and talked about: Hey, are there things 
we could be doing together? It is a conversation I have had 
with the leadership at Homeland Security. It is a conversation, 
quite frankly, I have also had with the private sector, where I 
have argued: We are both competing for the same pool. What 
works for you? What might we be able to do differently? Are 
there ways, as you have heard previously, can we partner?
    I would make just one slight twist because this is a point 
I wanted to make today. I would tell you, on the opposite side, 
though, the single greatest perturbation I have experienced 
within my workforce in 18 months has been even the hint of a 
shutdown. In the last week, I have had more agitation out of 
the workforce arguing this would be the second time in 2 years. 
And we are even having this discussion--hey, even if we don't 
shut down the government, just the fact that we are even 
getting this close, the workforce is very open with us about, 
``I am not so sure I want to be part of an organization where 
there is this lack of control, and I can't count on 
stability.'' That really concerns me because I can't overcome 
that.
    Ms. Tsongas. Secretary Work, do you have any----
    Secretary Work. Well, this is a very competitive field, as 
the admiral said. We are building up a total of 133 cyber teams 
in the Cyber Mission Force. Some are focused on protection of 
the networks. They are called Cyber Protection Teams. Some are 
focused on national infrastructure protection. They are called 
the National Mission Teams. Then we have teams that are 
supporting our combatant commanders. We want to build to a 
total of 133 of these teams. It is going to be about 6,200 
Active Duty military, civilians, and in some special instances, 
contractors, and we won't get there until 2018. So we are in 
the process of building these.
    And this is a very competitive space. We are on track. We 
are doing well in our recruitment. But as Admiral Rogers says, 
any hints of shutdown or sequestration, that will really set us 
back. So we think we have got a good mission that people want 
to participate in, but we are not where we need to be yet, 
Congresswoman, and we still have until 2018 to build up the 
force to where we just think is the minimum necessary to do our 
missions.
    Ms. Tsongas. You know, I serve on the board of one of the 
service academies, the board of visitors of one of the service 
academies. And I know in our discussions, we have heard that it 
has been difficult to attract young airmen, in this instance, 
to the cyber field because they come into the academy with a 
particular idea in mind of where they want to spend their time. 
And so it is not always as simple as we would like to think, 
given the extraordinary challenge.
    But I have another question as well. You know, the 
Department has shown its commitment to leveraging private 
sector cyber innovation, and we have heard about that here 
today. I commend Secretary Carter with making his way out to 
Silicon Valley to create some presence there, a satellite 
campus there, to have a way in which to interact more easily 
with that community. And I just wonder, how will you expand 
that program and look to other parts of the country where you 
have a deep bench of cyber activists, cyber innovators, cyber 
experts?
    Secretary Work. Well, if you are referring, Congresswoman, 
to the Defense Innovation Unit-Experimental [DIUx]--and it is 
an experimental unit. We want to see how we can interact with 
the private sector in the best way. So, for example, one of our 
ideas was to bring people back to the Pentagon and show them 
what we are doing. And they said: No, really what we want to do 
is go to the field and see what your airmen, soldiers, marines, 
and sailors, what do they do? We want to go on ships. We want 
to see what their problems are. We want to help them.
    So once we do the lessons learned there, we expect that to 
be successful, and it will become a permanent unit. And then 
where would we expand? We would go to other innovation centers 
throughout the country, perhaps Boston. There are different 
places. And Mr. Halvorsen has been helping us to think through 
this also.
    Mr. Halvorsen. You know, as the Secretary went out to 
Silicon Valley, we had also taken a CIO team to Silicon Valley. 
In December, we are doing a similar thing in Boston and New 
York. And not just waiting for that, we have hosted just 
recently a group down from Boston and New York, both some of 
the more mature cyber companies but also a group of some of the 
innovative companies. I think what we are trying to do with 
DIUx is really take what Silicon Valley stands for, not the 
geographic location, and make sure--and the Secretary is very 
clear in his guidance--so is DEPSECDEF [Deputy Secretary of 
Defense]--to us to: Hey, it is more about the concept of 
innovation. Reach to wherever that is, and it is not just in 
Silicon Valley. So you will see us in the next couple of months 
spend more attention in the Northeast and, frankly, in the 
Southwest sector.
    Ms. Tsongas. There is really no substitute for physical 
presence and the kind of physical interaction, day-to-day 
interaction that can take place. Thank you.
    My time is up.
    Mr. Wilson. Thank you, Ms. Tsongas.
    We now proceed to Congressman Mo Brooks of Alabama.
    Mr. Brooks. Thank you, Mr. Chairman.
    At Redstone Arsenal, next to Huntsville, Alabama, the Army 
is establishing a cyber campus within the Aviation and Missile 
Research, Development, and Engineering Center, also known as 
AMRDEC. This campus consists of qualified cyber personnel and 
facilities to provide world-class cybersecurity support to 
aviation missile systems by using cutting-edge research and 
development of cybersecurity solutions to challenges associated 
with emerging and legacy technologies.
    The AMRDEC cyber campus coordinates cyber activities with 
industry, academia, and government partners. Although an Army 
asset, it is uniquely positioned to integrate the Department of 
Homeland Security, the Department of Justice, the Space and 
Missile Defense Command, and the defense industrial base. 
Additionally, it can provide deep technical expertise and 
reduce the risk of cyber threats posed as it relates to 
hardware, software, firmware, networks test and evaluation, 
modeling simulations, forensics, industrial control systems, 
supervisory control, and data acquisition systems. With that as 
a backdrop--and these questions are for each of you--How does 
the Army's vision with AMRDEC integrate with the Department of 
Defense's overall cyber strategy?
    Secretary Work. Well, as Admiral Rogers said, each of the 
services are developing cyber skills within each of the--under 
their title 10 responsibilities. And this is just one 
reflection of many, many, many such organizations that are 
being set up. The Air Force has units down in San Antonio.
    And so I would ask Admiral Rogers to give you more 
specifics, but each of these are going to have specific skills. 
In this case, the one that you have talked about, Congressman, 
really focuses on the aviation systems of the Army and how they 
can make sure that they are not vulnerable to cyberattack, but 
they develop other skills, too.
    Admiral Rogers. So every service, as the Secretary 
indicated, is developing a similar kind of capability, similar 
kinds of relationships. Army has chosen to really harness the 
capability resident at Redstone in the northern Alabama area. 
The positive side thing for me is we have got a good, strong 
collaboration across the services as to who is doing what and 
where. The question I think increasingly for us over time is, 
as we get more experience, do we need to increase investments 
in certain areas where we are really seeing strong results 
versus other areas where perhaps it hasn't played out as well 
as we would like? And we are going to generate more insights in 
that over time.
    Mr. Brooks. Thank you.
    Mr. Halvorsen, would you like to add anything?
    Mr. Halvorsen [continuing]. The policy absolutely talks 
about how we do better with industry, and part of what that 
unit is doing is bringing in industry in the area, too, to be 
part of the solution to the problem. So I think they are 
perfectly aligned with what they said and what was in the 
policy.
    Mr. Brooks. Okay, a followup question. Is there a 
consolidated effort to ensure cyber centers, such as the one at 
Redstone, are interconnected with other services and Department 
of Defense capabilities to properly leverage knowledge sets and 
not create stovepipes of information or efforts?
    Admiral Rogers. I don't know that we have a formal--I know 
there is regular analytic and collaborative venues where they 
all get together. I participate and my team participates in 
some of those. I don't know that there is a formal process, if 
you will. I try to synchronize that at my level with each of 
the service components that work for me about: Hey, we have got 
to look at ourselves as one integrated enterprise here, guys, 
because we have got to maximize effectiveness and efficiency 
because there are more requirements than there is money and 
time, so it is all about, how do we maximize outputs?
    Mr. Brooks. Mr. Work.
    Secretary Work. Sir, I don't believe there is a formal 
program right now. We look at it more in terms of function. So, 
right now, I can tell you in terms of defense of networks, 
everything is on the same playing field. We all have the same 
score cards. We all grade ourselves exactly the same. But to 
your specific question on whether or not we have a formal 
program, that is something I will need to go back and research 
and say--it sounds like a good idea. I just don't know exactly 
how we would implement it yet.
    [The information referred to can be found in the Appendix 
on page 74.]
    Mr. Brooks. Mr. Halvorsen.
    Mr. Halvorsen. Like Secretary Work said, we will have to go 
check and see. It sounds intriguing.
    Mr. Brooks. Thank you, gentlemen, for your insight.
    Mr. Chairman, I yield back.
    Mr. Wilson. Thank you, Mr. Brooks.
    We now proceed to Congressman O'Rourke of Texas.
    Mr. O'Rourke. Thank you, Mr. Chairman.
    Secretary Work, you were talking about the three basic 
tenets of deterrence. And the first two, denial and resilience, 
I understand pretty well. There have been a number of questions 
about the third one, which is cost imposition. And I am 
interested in knowing how we communicate or advertise the 
consequences of cyberattacks to potential adversaries, and to 
the degree that you can talk about it, how has that changed 
their behavior? And how have some of the consequences that we 
have imposed thus far changed their behavior? In other words, 
how have we done on that third tenet, on cost imposition?
    Secretary Work. The first is to have a strong policy 
statement that we will respond at a time, place, and manner of 
our choosing. And then we have to communicate, primarily with 
state actors. I think Admiral Rogers said yesterday, we are 
pretty good at stopping 99.5 percent of the attacks, you know, 
getting rid of the basic hacker, but it is the state 
adversaries that pose the biggest challenge.
    And I would just like to weave in--I think the chairman 
mentioned the Xi and--President Obama and President Xi, the 
cyber agreement. And that came about from intensive discussions 
with the Government of China saying: This behavior is 
unacceptable, and we have got to come to grips with it. So 
there were four specific aspects of what I would consider this, 
call it a confidence-building measure.
    The first one is that we have to have timely response for 
information and assistance if we go to China and say: Hey, 
there is an actor inside China that is conducting these 
activities. We have agreed to share that information. Both the 
United States and China have agreed that they will not 
knowingly conduct cyber-related theft of intellectual property 
for commercial gain. We are making common effort to develop 
these norms of state, norms of behavior, which we have never 
done before. And then we agreed to a high-level joint dialogue.
    Now, people say: Whoa, there is no enforcement mechanism.
    But it is a confidence-building measure, and it is the 
first time that the President of China has said: I will commit 
my government to these things.
    We believe it is very, very significant and could lead to 
this. And it came about from high-level dialogue where we were 
saying: We find your behavior unacceptable. And we do have 
options. But how can we work this out?
    So I believe in the Sony case, we attributed. We did 
sanctions. I believe that those types of activities will prove 
that the United States is very serious about this and may lead 
to these better norms of behavior between nation-states.
    Mr. O'Rourke. I think that is the hope. What are you 
actually seeing in terms of changed behaviors? I understand the 
agreement, which is important, and the statements of intent. 
What are you seeing in terms of number and severity of 
intrusions or cyberattacks following, you know, letting our 
adversaries know that we will choose the place and time of our 
response? And having responded in some of these cases, what has 
that done?
    Admiral Rogers. So we are in an unclassified forum, but in 
broad terms----
    Mr. O'Rourke. To the degree you can.
    Admiral Rogers [continuing]. You haven't seen the North 
Koreans attempt to engage in another offensive act against the 
U.S. infrastructure since November of 2014, and the aftermath 
of our economic sanctions and very public attribution and 
discussion. I would argue, in at least the denial-of-service 
activity we saw the Iranians, for example, doing back in the 
2012, 2013 timeframe, we have not observed that of late. I 
would argue for other nation-states, the impact to date has 
been--I am not seeing significant changes. Again, it is early 
with respect to the PRC [People's Republic of China]. We need 
to see how this commitment plays out over time, and trust me, 
we will be paying great attention to how this commitment plays 
out over time.
    Mr. O'Rourke. I think that is something that I and perhaps 
other members of the committee would be interested in receiving 
a briefing on going forward, just to look at how behaviors are 
changing and whether that third tenet of ensuring that our 
adversaries understand the consequences and costs of these 
kinds of attacks, making sure that that is really working. So I 
appreciate your answers.
    Mr. Chairman, I yield back.
    Mr. Wilson. And thank you, Mr. O'Rourke.
    We now proceed to Congresswoman Jackie Walorski of Indiana.
    Mrs. Walorski. Thank you, Mr. Chairman.
    Admiral Rogers, I have a question. You said earlier that 
Russia is a peer competitor in terms of our cyber technology 
and the cyber threats that are out there, and I guess I am 
interested to see what your perspective is. I am just sitting 
here and I have been watching through the course of this 
hearing the Russian bombers that let loose today in Syria with 
1-hour notice to our generals in Baghdad and striking non-ISIS 
[Islamic State of Iraq and Syria] targets. And I think this is 
a reprehensible activity that is happening today, and I have 
many questions as to how we ended up here.
    But I am curious from you, with this development today of 
an overaggressive Russia, how in the world do we go forward 
with talking about peer competitors and sharing intel 
information and trusting anything that comes from Putin in 
Russia?
    Admiral Rogers. Well, clearly, your point is much broader 
than the cyber arena that I am talking about.
    Mrs. Walorski. I think it is completely related.
    Admiral Rogers. Okay, I didn't say it was unrelated. I said 
it was broader. One of the points I try to make is you have to 
remember that cyber happens in a broader strategic context, so 
it is important that we understand the broader strategic 
context.
    Mrs. Walorski. Would there not be an element of trust that 
would have to prevail here when we just literally saw what 
happened this morning, and for many of us that have sat here on 
this committee for a long time, saw a red line that was 
violated and not upheld in Syria. We have seen all of these 
different gaps with all of these different countries around the 
world with an administration that seems to not have any kind of 
a strategy or a contiguous plan. How would we take a step 
forward today? I know you are looking at the broad context--or 
you are talking about the broad context, but I don't understand 
the gap that is going to be there--that has already been there, 
but the gap that is going to continue to emerge today, how in 
the world do we breach that and how in the world do we say to 
the American people with all seriousness and looking our 
constituents in the eyes that we have their back and that we 
are looking out for the security of the United States of 
America and our allies and we are watching Vladimir Putin come 
right into the Middle East right next to our cohort and friend 
that we want to protect, Israel--does that not change the 
equation of trusting or having any kind of semblance of trust 
with Putin and Russia?
    Admiral Rogers. Well, I would only argue this latest issue 
fits in a broader context with the Ukraine and others. This is 
not a new phenomenon in many ways with this particular actor. 
It is why we have been very direct with them. I know the 
Secretary has had conversations with his counterparts in the 
Russian framework. I have not had specific cyber discussions 
with them. I will say, one of the points I try to make in our 
internal discussions is: I am watching the Russians use cyber 
in an ever-increasingly aggressive way.
    Mrs. Walorski. And would this not be a major alarm? This is 
alarming to me that he just talked to the President yesterday 
and evidently said, ``Stay out of our airspace,'' and we get 1 
hour of warning. And they go in and they attack Syria. So now 
they are a main state player as we are screwing around in our 
country. We are fighting back and forth over all kinds of 
things right now. We just had the Pope here. And while 
America's distraction is focused over here, it, seemingly, is 
that he is using a phenomenal window of opportunity to go in 
and be another major push in Syria. And the alarm, I think--not 
only for lawmakers today but for the citizens of our country 
that we are vowing to protect--is we have now watched him 
establish himself in Syria, in the Middle East.
    Secretary Work. Obviously, as outlined by President Putin, 
he believes he is following his national interests. We are 
alarmed by what happened this morning. What was agreed by the 
two Presidents is that our militaries would talk so that we 
would deconflict operations.
    Mrs. Walorski. So have we not seen a failure between our 
President and President Putin if we were going to talk and try 
to avoid something like this? Because now he is there 1 hour, 1 
hour of notice, with all of our forces over there, the allied 
forces, the NATO forces, the other nations that are fighting as 
well? I mean, would we not see this as a failure?
    Secretary Work. I don't believe it is a failure. I believe 
it is an aggressive action by Russia right now in advance of 
our discussions between our two militaries.
    Mrs. Walorski. And are you confident that we have a 
strategy with the President of the United States that just met 
with Putin? Are you confident that those two leaders have a 
strategy and that we are holding up our end of the bargain? Are 
you confident that the administration is looking at this as, 
``Oh, well, we expected this to happen''? I look at it as a 
gigantic breach because I represent three-quarters of a million 
people that are looking at their TVs right now like I am, and 
the official response from the Pentagon, ``taken aback by 
strikes.'' I think we are all taken aback. Is there a strategy 
that was supposed to prevent this, or is our attitude now, 
``Well, we know they are going to do their things; we are just 
going to see at what point we are going to try to contain 
them''?
    Secretary Work. We have a disagreement on strategy. They 
want to be able to do military action first followed by a 
political agreement.
    Mrs. Walorski. They are doing military action. They have 
been doing military action. They encroach on the Ukraine, they 
are making headway through that whole Eastern European area. 
They have been doing military action, and today we are watching 
a live bombing, and from your perspective and the perspective 
of the administration, we expected that? The American people 
don't. I don't expect that.
    Secretary Work. The Russians made clear that they would 
support the Assad regime with air strikes, and we made an 
agreement to have our militaries talk so that there would not 
be any problem between our interactions between our forces.
    Mrs. Walorski. You think 1 hour of notice is legitimate for 
two organizations and militaries that are talking? Obviously, 
talks broke down, and we got a last minute--so what is our 
response now?
    Secretary Work. Well, you have me at a disadvantage, 
Congresswoman. I don't know exactly what has happened over the 
last hour. We heard about the attacks this morning. They asked 
us to avoid the area where they would be operating. We continue 
to fly throughout Syria.
    Mrs. Walorski. And we continue to talk. Are we continuing 
to talk to our Russian counter-opponents?
    Secretary Work. We have agreed for our militaries to meet, 
and that meeting just simply has not occurred. It was an 
agreement between the two Presidents just a couple of days ago. 
So we are trying to find out where we will meet, where it will 
be, who----
    Mrs. Walorski. Would you not agree this is a crisis because 
for the first time, they have now entered the Middle East. And 
for the first time, we now have watched the broadening of 
Putin's powers, who was just here on the American soil right 
next to a mess, a hotbed of war, and right next to our dear 
ally Israel. Have we not now watched something elevate to the 
point that this is now a crisis because Russia has just now 
gone from their position, through the Ukraine, looking at 
Eastern Europe, and now has sufficiently landed themselves with 
a coalition inside of Syria?
    Secretary Work. I do not believe it is a crisis. I believe 
it is a disagreement in strategy, and that is what we are 
trying to work out.
    Mrs. Walorski. And I respect that. I believe it is a 
crisis. I believe we have had a President with no foreign 
policy whatsoever. We have had red lines talked about and 
crossed. And this thing has played out all by itself, and now 
today here we are, back in a crisis, back on TV in front of 
every single American, wondering who in the world is defending 
our country?
    And, with that, Mr. Chairman, I yield back.
    Mr. Wilson. And thank you very much, Congresswoman Jackie 
Walorski.
    We now proceed to Mr. Takai.
    Mr. Takai. Thank you, Mr. Chairman.
    I would like to rebalance and refocus to cyber strategy, if 
I may. A lot of my colleagues have asked about deterrence 
today, and this is something that I am also very concerned 
about after recent events that have been discussed. With the 
current threats to our cyber network, the need to discuss here 
today, including creating and maintaining a persistent training 
environment, development of a unified platform, and building 
the Joint Information Environment to secure the DOD enterprise, 
the development of these priorities can not only serve as a 
deterrent in their own right but will enable our CYBERCOM--our 
Cyber Mission Force readiness to be the best in the world. So, 
Admiral Rogers, where is DOD in allocating resources for these 
priorities? If you could address each one, again, persistent 
training environment, unified platform, and the Joint 
Information Environment.
    Admiral Rogers. So persistent training environment is a 
program that we have put together. It will take us several 
years to finish. I think we are in the--fiscal year 2017 
represents the third year of funding for it. We are working 
through the 2017 build now internally within the Department. 
Again, I sense strong support for this. I haven't come to an 
issue yet where I am saying, ``Oh, I have problems with the way 
ahead.''
    I think we have got a way ahead, and it seems to be 
working. JIE [Joint Information Environment], I will let Terry 
comment only because it has been a particular focus for him.
    Unified platform, a relatively new idea for us that, based 
on 5 years of practical experience now as an organization, we 
think the Department needs to create a capability somewhat 
separate from NSA [National Security Agency], if you will, for 
us to execute operations. Unified platform is the program name 
we put together in terms of our ability to do that. Again, we 
really are starting that with the 2017 build. And it is an 
example to me of how, as we gain more experience, as we do this 
over time, we have got to continually reassess and ask 
ourselves: So are some of the assumptions that we made when we 
started, are they proving to be what we thought they were, or 
do we need to make changes?
    Mr. Takai. Okay, and the----
    Admiral Rogers. JIE, if you want to----
    Mr. Halvorsen. With respect to JIE, the first concrete 
action that becomes of that is the establishment of the Joint 
Regional Security Stacks [JRSS]. They are on track. They will 
be funded in 2017, and they will be fully operational by the 
end of 2017.
    Mr. Takai. Okay. Thank you. I wanted to go back to the 
integration of personnel. I know the Secretary mentioned that, 
and I think you, Admiral, as well, I want to focus on defining 
where the role of the National Guard fits into the cyber 
strategy. I am a member of the Guard in Hawaii, and all of us 
here on this committee have constituents in the Guard. So can 
you touch upon some of the points on where the Guard can 
increase their role in the larger cyber mission?
    Secretary Work. Let me just start by saying, our cyber 
force that we are building to as we discussed earlier, 
Congressman, is about 6,200 Active and civilians and, in some 
special cases, contractors.
    Mr. Takai. Right. That is what you said. You didn't mention 
National Guard when you said that.
    Secretary Work. Two thousand--2,000--National Guard and 
Reserves on top of that. Some of them will be part of the cyber 
teams that I talked about, and others will be extra capacity 
that might be able to help the States. As I said, the Council 
of Governors and we have been working very, very closely 
together. Our policy shop is working through all of the aspects 
of what we can do under title 32 and title 10 authorities in 
support of the States. But the Guard and Reserve will be 
absolutely central to the Cyber Mission Force; about a quarter 
of the entire force, 6,200 in the Active side and another 2,000 
on the Reserve and National Guard. So they are absolutely 
central.
    Admiral Rogers. The only other comment I would make, and I 
say this, I am the son of a guardsman. My father was a member 
of the Illinois National Guard for 27 years. So, as a child, I 
watched him every day, every month, every summer participate in 
Guard activities. And I spent a lot of time playing in armories 
as a little boy every day with my father.
    Every service has used a slightly different construct. In 
the case of the Air Force, they are using the Guard and the 
Reserve to fill out a part, if you will, of the Active 
requirement for their share of the 6,200. In the case of the 
Army, they have decided that the Guard and the Reserve 
represent an opportunity to generate additional capacity over 
and above that dedicated 6,200 people. Clearly, Navy and Marine 
Corps don't have a Guard construct. It is a little different 
for them. But as I have said, the discussions today have been 
very good. I think, as the Secretary said, we have got a way 
ahead in terms of how we are going to work our way through this, 
particularly this, quote, ``additional capacity,'' if you will, 
that the Guard is developing and partnering with the States 
about how we are going to view this as one integrated 
enterprise, as it were, so we are maximizing the capabilities 
that the Department and the States are investing in.
    Mr. Takai. You spoke earlier about the cyber teams and the 
number of teams that you are building. I understand that there 
may be, in fact, opportunities for these teams to be wholly 
Guard. You didn't mention that today. So can you----
    Admiral Rogers. I said in the case of the Air Force, for 
example, a portion of their share of the 133, they, in fact, 
are creating a small number of teams that are wholly Guard.
    Mr. Takai. Okay. Great. And then one more question for the 
Secretary. How resilient are our military networks to 
cyberattacks, and how do you measure and qualify resilience?
    Secretary Work. We are getting better, but we are not where 
we need to be. That is why Secretary Carter has said defense of 
our networks is absolutely job number one. Now, that will come 
through a whole lot of different things, as I said in my 
opening statement. First, get the network as defendable as 
possible. So the JIE that Terry Halvorsen talked about and the 
Joint Regional Security Stacks will take 1,000 defendable 
firewalls down to less than 200. A whole bunch of different--I 
mean, the number of enclaves--and Terry can talk about this--
will be dropped.
    So the first thing is to make your network with the 
surfaces, the fewer surfaces as possible and as defendable as 
possible. The second is to build up these teams so that is 
another big part. And the other one is to have a cyber 
scorecard, which is telling us exactly how well we are doing. 
And Mr. Halvorsen was the creator of the scorecard, and I would 
ask him to be able to tell you how we are going to track this.
    Mr. Halvorsen. So cyber resiliency is actually a measure on 
the scorecard that we are actively developing. It will look----
    Mr. Rogers of Alabama [presiding]. The gentleman's time has 
expired.
    The Chair now recognizes himself for questions.
    Secretary Work and Admiral Mike Rogers, good to meet you. 
Do you use telecommunications--and either one of you--
telecommunications equipment manufactured by Huawei in your 
offices?
    Admiral Rogers. I apologize. I didn't hear the question.
    Mr. Rogers of Alabama. Do you use telecommunications 
equipment manufactured by Huawei in your offices?
    Secretary Work. In the office of the Secretary of Defense, 
absolutely not. And I know of no other--I don't believe we 
operate in the Pentagon, any systems in the Pentagon.
    Mr. Rogers of Alabama. Admiral Rogers?
    Admiral Rogers. No.
    Mr. Rogers of Alabama. Why? Why do you not use it?
    Admiral Rogers. For us, I think it is a broader conscious 
decision as we look at supply chain and we look at potential 
vulnerabilities within the system, that it is a risk we felt 
was unacceptable.
    Mr. Rogers of Alabama. Secretary Work? Agree with Admiral 
Rogers. What about your cleared defense contractors? Should 
they be using Huawei telecommunications equipment?
    Secretary Work. I will have to take that for the record, 
sir. I know of no defense contractors that are using Huawei 
equipment, but I just don't know.
    [The information referred to can be found in the Appendix 
on page 73.]
    Mr. Rogers of Alabama. Okay.
    Admiral.
    Admiral Rogers. This is a broader departmental issue. I 
mean, we don't, the contracts we have, we specify security 
standards that you have to meet. We specify the requirement to 
notify us. Again, I think we would have to take it as a 
question. I don't know if the current language--and Terry may 
know--but I don't know if the current language specifies 
specific vendors, if you will. You may or may not. I know in 
some of the national security systems, we are very specific 
about making that standard. In the nuclear and other areas, we 
are very explicit that that is not allowable.
    Mr. Rogers of Alabama. Well, Secretary Work, I would 
appreciate if you would get back with me on whether you have 
any cleared defense contractors that are compelled to use 
Huawei telecommunications equipment.
    And, with that, my next question has to do with the nuclear 
enterprise review that recognized that Vietnam era Huey 1N 
helicopters that helped provide security for our ICBM 
[intercontinental ballistic missile] fields are woefully 
antiquated and inadequate. The NER [Nuclear Enterprise Review] 
said that we need to get new, modern helicopters into ICBM 
fields because after all, we are talking about nuclear weapons.
    Based on a meeting I had with the Air Force and the OSD 
[Office of the Secretary of Defense] a few weeks ago, I am very 
concerned that the Air Force acquisition approach is going to 
take 4 or more years to get these helicopters. Now, these are 
ICBM fields, and I had a hearing on this security issue and 
this came up, and it is alarming, the concern that we are being 
told by the commanders about their security of these fields. 
What can you tell me about why we are looking at such a long 
period of time?
    Secretary Work. Well, first of all, this is an extremely 
high priority, and we are dealing with it right now in PBR-17 
[President's budget request 2017]. Last year, the Air Force 
plan to replace those helicopters was to take their UH-60As, 
their old--excuse me, take UH-60As and upgrade them to UH-60Ls 
and it turned out that all of the As that were available in the 
force were just too old and tired. And it became cost 
prohibitive. And that is why the timing slid because now we 
will have to go and buy new-build UH-60Ms or whatever 
helicopter we decide, whether we decide whether we can do sole 
source or whether it has to be a competition.
    STRAT commander, the commander of U.S. Strategic Command, 
Admiral Cecil Haney, has come in and said we cannot afford to 
wait for 4 years, and we are looking at a wide variety of 
measures to mitigate the problem until we can get these new 
helicopters built. It is a very high priority issue for us in 
this budget build, and I will be able to give you a little bit 
more information once we work through all of the different 
options before us.
    Mr. Rogers of Alabama. Okay, well, I just want you to 
understand that I really believe that we should see an 
immediate reprogramming request for the fiscal year 2017 
budget.
    And, with that, I will close by saying that now that the 
NDAA is about to be sent to the President, I would like to talk 
with you offline about our new engine to replace the RD-180 as 
soon as we can get a chance to privately.
    With that, I will yield back my time, and go to Ms. Speier 
for 5 minutes.
    Ms. Speier. Speier.
    Mr. Rogers of Alabama. Speier.
    Ms. Speier. Thank you, Mr. Chairman.
    Thank you, gentlemen, for your service to our country. You 
know, we are dealing with some very, very savvy actors in these 
various foreign countries that have been hacking into us. On 
the agreement with China, Mr. Work, you seemed somewhat elated 
by the agreement, and yet I have reason to be very skeptical 
about them complying with what they agreed to comply with. But, 
more importantly, I would like to ask you, what isn't in the 
agreement that you would have wished was in the agreement?
    Secretary Work. Well, I wouldn't characterize my reaction 
as elation, Congresswoman, so much as I believe it is a very 
good first step. It is the first time that the President of 
China has committed himself and his country to address the 
issues that have been of such high concern to our government. 
So I consider that a very good first step.
    Ms. Speier. I understand that, but what wasn't in the 
agreement? I have very limited time. So, please, if you would, 
answer the question.
    Secretary Work. There were no enforcement mechanisms per 
se, and that, I think, is the key thing that people have 
pointed out. But, again, I believe this was a confidence-
building measure. Now China is either going to prove that they 
are serious about this or not, and then we can take actions as 
necessary if they prove not to follow through on their 
commitment.
    Ms. Speier. Now, the OPM hack was devastating, and it is 
clear that China did it. They denied it. It is also very clear 
that they now have very personal information about many persons 
with top secret status. And the phishing that just went on 
recently of the Joint Chiefs of Staff's unclassified email 
worries me a great deal. Whether it is Russia or China, access 
to that personal information is such that if they know who your 
family members are or who your next-door neighbor is and they 
then can pretend like they are your family member or next-door 
neighbor, you are more apt to click on to that email, and then 
they can get in.
    What steps are being taken to deal with phishing in terms 
of either requiring greater accountability by those who hold 
those positions who end up clicking by either punishing them or 
coming up with some system, so that we can anticipate that kind 
of phishing going on and prevent it?
    Secretary Work. I would just like to make an overall point 
and then turn it over to Mike and Terry. Although our 
adversaries have very sophisticated capabilities in this 
regard, almost every one of these intrusions that have 
occurred, have occurred because of simple operator error, bad 
cyber hygiene. They click on a spear-phishing attempt. So we 
are going after that. I would just like to say that that is the 
biggest problem we have right now is getting our cyber hygiene 
better.
    Ms. Speier. Okay, but my point is, is there any kind of 
penalty being imposed on those who in a careless manner click 
on to them?
    Mr. Halvorsen. The simple answer is yes.
    And I won't go into the specifics of what has been imposed, 
but yes. We have upped the level of accountability on that and 
actions have been taken for people who have misbehaved in a 
cyber way.
    Secondly, we have increased the training frequency, 
phishing training, and we have taken certain actions on the 
networks to eliminate the ability to click on links. And at a 
minimum, we have a warning on there now that says you must 
think about this link, and in some cases--and again, I won't 
say--you physically can no longer click on links via any of our 
networks.
    Admiral Rogers. And I would say from a network perspective, 
I have implemented nine specific technical changes where, quite 
frankly, I have told users now, I am going to make your life 
harder. If this is what it takes to drive a change in behavior, 
I will make your user life harder to try to preclude this from 
happening.
    Ms. Speier. My last question and very briefly, what is 
keeping you up at night?
    Admiral Rogers. So I would say from my perspective, there 
are three things in cyber that concern me: Are we going to see 
offensive activity taken against U.S. critical infrastructure? 
Are we going to see the focus shift from theft of intellectual 
property, the theft of information, to manipulation of the data 
that is in our system, so we no longer can trust what we see? 
And then the third thing that worries me is, are we going to 
see nonstate actors, meaning terrorist groups are probably at 
the forefront on my mind, start to use the Web as an offensive 
weapon?
    Ms. Speier. Thank you.
    Secretary Work. I would add two things. One, we have a 
large number of systems, Congresswoman, that were built in an 
era, like Admiral Rogers, that was not--the systems were not 
built to withstand the cyber environment that we are in now. So 
what keeps me up at night is, can we get through all of our 
systems and make sure that they do have cyber hardening? Going 
forward, we are making sure that there are key performance 
parameters in every system that we have, but we have to go 
through this risk mitigation on every one of our systems and 
saying, what is the critical cyber vulnerability? Have we taken 
care of it? And I would just like to echo, it is manipulation 
of data, since we rely upon our networks, that really keeps me 
up at night.
    Mr. Rogers of Alabama. The gentlelady's time is expired.
    The Chair now recognizes Chairman Wittman for 5 minutes.
    Mr. Wittman. Thank you, Mr. Chairman.
    Gentlemen, thanks for joining us today.
    Secretary Work, I want to begin with getting your 
perspective on how we address the cyber threat. We have 
constructed a military that is very adept and capable of 
addressing kinetic threats, and that is top-to-bottom 
capability. We have generalists. We have specialists. When 
enlistees come in, they learn the lessons in training about 
what to do in that kinetic environment. We have our officers 
that learn tactics and strategy within that environment. Yet it 
seems we have a very myopic or piecemeal element with the cyber 
threat.
    Give me your perspective. Shouldn't we have the same top-
to-bottom capability and capacity for cyber? Shouldn't our 
enlisted men and women come in, shouldn't they also get 
training in the cyber realm? Shouldn't our curriculums at our 
service academies include very robust and extensive instruction 
and education within the cyber realm? How do we construct a 
force that is as capable kinetically as it should be in the 
cyber realm? And we are far behind, and we need to be catching 
up. Give me your perspective on how should we do that? Is that 
valuable to do, and what are you doing to get to that 
particular point?
    Secretary Work. Congressman, it is very valuable. The first 
thing is to include--what we call this is improving the cyber 
hygiene of the entire force, making every single member--Active 
Duty, civilians, contractors, and Reserves--to understand the 
cyber threat that we face each day, and to understand the 
simple actions they can take to improve our security. I think 
many of the things that you say--in all of our education and 
our schools, cyber is now an important part of our curriculum. 
We have red teams that are going out and helping commanders 
understand where their vulnerabilities are and how they can 
improve. We have different types of means by which we hold 
people accountable for like if you have a negligent discharge 
with a weapon, that is a bad thing. We want everybody to know 
that a negligent discharge in cyber is almost, I mean, could be 
as dangerous. So I totally agree with what you are saying, and 
this is a big, big cyber cultural shift that Admiral Rogers 
spoke to earlier.
    Admiral Rogers. And I would just echo that is the approach 
we are taking. This is so foundational to the future for us as 
a Department in terms of our ability to execute our missions 
that the Nation is counting on. We have got to do this 
foundationally across the spectrum. We don't need the same 
level of training that the dedicated Cyber Mission Force has, 
but there has got to be a level of basic cyber awareness across 
our entire force, regardless of rank.
    Last comment, this is the one environment in which if we 
had given you access to a keyboard, you now represent a 
potential point of vulnerability, and everyone in our 
Department--that numbers in the millions in terms of the Active 
Component, contractors, civilians, reservists, Guard--everyone 
is an operator in this environment.
    Mr. Wittman. In that realm, that priority also has to be 
reflected in how resources are dedicated. Give me your 
perspective: Where are we dedicating resources for things like 
MILCON [military construction] for cyber, within personnel, 
within training, within hardware and software? I think it is 
also reflected not only in what you are doing from a doctrine 
standpoint, a philosophy standpoint, and training standpoint, 
but where are you dedicating resources to make sure that you 
are successfully meeting that objective?
    Secretary Work. Well, when Secretary Carter was the Deputy 
Secretary filling the job that I fill now, starting around 
fiscal year 2013, I believe, there was a concerted effort to 
try to increase the investment in cyber forces. I believe that 
we are doing very well in this regard. We could always do more. 
It is budget dependent. But as I said earlier in testimony, 
Secretary Carter says: Wherever our budget ends up, cyber is 
going to be a very, very top priority.
    The one area where I think we could do better on is in 
tools. I think we are focused--we had to build the human 
capital first, which we have been doing very well, but if there 
is one area where I think we could do better for Admiral Rogers 
and the team is to invest more money in tools that he would be 
able to then create better options for the force.
    Admiral Rogers. And I could echo. I think we are doing a 
very good job with the dedicated Cyber Mission Force in terms 
of the commitment to bringing it online. Where I think we are 
going to need to look at over time, as the Secretary said, the 
things I have raised are tools, situational awareness, 
persistent training environment, the unified platform, and then 
asking yourselves over time: Is the manpower piece right? Is 
the command-and-control structure that we put in place right? 
And this is part of an ongoing process. What I try to remind 
people is, look, cyber is an environment in which where we are 
today is not where we are going to wind up. And we have got to 
stop focusing on the 100 percent solution up front. We have got 
to take this in bite-sized chunks and keep moving out.
    Mr. Wittman. If you could, just for the record, I would 
love to see a breakdown about what you are proposing in 
resource allocation now and what your projection is in the 
future to make sure we are building that capability. And you 
talked about the time element. Time in this, I think, is 
critical. So getting your perspective on how you are going to 
accomplish that, both strategically within the planning sense 
but also in allocation of resources, is going to be critical.
    Secretary Work. I will take that for the record, sir.
    [The information referred to can be found in the Appendix 
on page 73.]
    Mr. Wittman. Thank you.
    Mr. Rogers of Alabama. The gentleman's time is expired.
    The Chair now recognizes Mr. Ashford for 5 minutes.
    Mr. Ashford. Thank you, Mr. Chairman.
    And many of my questions have been asked and answered. But 
I want to pick up on something that Admiral Rogers and Mr. Work 
mentioned a few minutes ago about the government shutdown. You 
know, and I have been sitting here since February, and I admire 
everybody on this committee and the witnesses. And I have 
learned a great deal. I have been here 8 months or whatever.
    I am from Nebraska. It is absolutely unfathomable, it is 
beyond belief, it is incomprehensible that this government or 
this Congress or anybody would even begin to talk about 
shutting down the government for whatever political gain they 
may get. And, you know, we were in the Middle East in February, 
and at the beginning of the--not the beginning of the ISIS 
effort, but certainly it was in the beginning stages of our 
effort to combat ISIS. And we were in Baghdad, and there was 
discussion at that point about standing up a force to address 
social media issues. It was at the very, very beginning, 
beginnings of that, at least in Baghdad, of getting both 
civilian and military personnel up to speed on what was going 
on with ISIS and social media. And we are now in October. And I 
know this is a little bit of a speech, and I apologize. But it 
seems to me at that time, I came back with the sense of all of 
the things we talk about in Congress now and all of the 
discussion about shutting down the government and all of these 
other issues--I understand this is democracy; we can talk about 
what we want to talk about. But I kept thinking to myself, why 
don't we debate and discuss and at least give to the military, 
every branch of the military, some clear plan and understanding 
of where we want to go with not only ISIS but in the Middle 
East, generally?
    It seems to me that we are reacting to these various 
incidents. We are reacting to what the Russians did today 
because for whatever these existential threats are there; these 
other threats are there. It seems to me it is incumbent upon us 
in Congress to clearly indicate to you what we want you to do 
and where we want you to go because I think that is totally 
lacking. And this week, with all of the things that went on in 
the House, I just kept thinking to myself, what is our military 
thinking about we can't get our house in order? We can't 
operate. And going back to my service in Nebraska, they look at 
me like we are nuts. You know, we are sending our military. We 
are asking them to do almost an impossible task around the 
globe, and we are bickering about stuff that has nothing to do 
with giving you the capabilities you need to go forward. So, 
anyway, I have said enough.
    So here is my picking up on your third point about the 
social media issue, and that is the third thing that keeps you 
up at night. What is your analysis of where we are--in the next 
minute and 56 seconds--where we are, Admiral Rogers, where we 
are with that third element, and how do you see that evolving?
    Admiral Rogers. I think we need to do a better job of 
contesting ISIL [Islamic State of Iraq and the Levant] in the 
information dynamic. Their ability in the information arena is 
every bit as important in many ways as their battlefield 
successes. And we have clearly focused a large piece of our 
strategy on trying to stop and forestall that battlefield 
activity level. I think we are going to need to do the same 
thing in the information dynamic because part of their ability 
to get out their story, their propaganda, their vision of the 
world around us, we need to contest that. ISIL is as much an 
idea in many ways----
    Mr. Ashford. Right.
    Admiral Rogers [continuing]. As it is a physical presence 
simplistically on the ground.
    Mr. Ashford. And how is that going?
    Admiral Rogers. Clearly not where we want it to be. 
Multiple components across the government ongoing. Don't get me 
wrong. But I think it is fair to say we have not achieved yet 
the impact that we think we need to have and certainly the 
impact that we want to have.
    Secretary Work. And, Congressman, if I could just say that 
what your opening statement--certainly resonates with Secretary 
Carter and me. Strategy is all about balancing in ways and 
means. And when you have no idea what your means are, it is 
almost impossible to have a good strategy. So as I said earlier 
today, you know, in the last 6 years, we are in a situation 
where we think a continuing resolution [CR] is a better deal 
than a government shutdown, and it is. But it is certainly not 
something that I as a COO would say I would want to operate 
under.
    In the last 6 years, essentially what we have is a 9-month 
fiscal year because every first quarter, we are in a CR. And 
that means that we are limited to do what you told us to do 
last year, rather than doing the things we need to do this 
year. It is an incredible situation, and there is no Member of 
Congress in any House, in any party, that would sit in my job 
as a COO and say: We can make this work without compromising 
our national security.
    So I am sorry I am on the soapbox, but this is something 
that we deal with every day. We hope that we won't have a 
government shutdown. We hope that the CR will be taken care of 
in a very quick manner.
    Mr. Ashford. Right. My time is up, but thank you very much.
    Thank you, Mr. Chairman.
    Mr. Rogers of Alabama. I thank the gentleman.
    The Chair now recognizes Ms. McSally for 5 minutes.
    Ms. McSally. Thank you, Mr. Chairman.
    Thank you, gentlemen.
    And now that you are on the topic, I want to make sure I am 
on the record that I, after serving 26 years in uniform and 
seeing government shutdowns and continuing resolutions and the 
impact that that has on our ability to do our mission, I have 
been strongly advocating against shutting down the government; 
strongly advocating for us doing our job and actually passing 
appropriations bills so that you guys can plan, you can 
strategize, you can execute the mission. And I would urge all 
of my colleagues, if you want to keep the government open, you 
need to vote to keep the government open. And that would be my 
urge to them today. Those of us who understand what that means 
are going to do that, but we would appreciate a large number of 
my colleagues actually showing some courage in joining us.
    Anyway, on to the issues at hand. Prior to running for 
Congress, I was a professor at the George C. Marshall Center, 
one of our defense security centers. And one of the last 
courses that I participated in was a Senior Executive Seminar 
related to cybersecurity, cyberterrorism.
    And so, in your strategy, you talk about building and 
maintaining robust alliances, partnerships. Obviously, this is, 
you know, a global domain, and so they are now starting a--one 
of my colleagues, Phil Lark, retired Marine colonel, is 
starting a program on cybersecurity studies or he is leading 
that effort.
    And so I am wondering if you could speak to how the defense 
security centers fit in with this strategy; how you feel as far 
as resources in order to use tools like these security centers, 
like the Marshall Center, to execute that strategy; and whether 
you need new authorities or additional resources in that venue.
    Secretary Work. Well, first of all, these different centers 
are very vital. Part of our strategy, regardless of what the 
level of resources are, Congresswoman, is partnerships.
    Ms. McSally. Yeah.
    Secretary Work. And establishing strong partnerships, and 
as Admiral Rogers and Terry have said, this is a collaborative 
environment that we all face the same threats and need to 
operate together.
    Ms. McSally. Right.
    Secretary Work. So I don't know if there are any 
authorities that Mike would ask to help us work more deeply 
with our partners, but I know that we are doing so very 
aggressively.
    Admiral Rogers. I would say----
    Ms. McSally. Resources as well, yeah.
    Admiral Rogers. Right. It hasn't been an authorities issue 
as much. And the case specifically of the Marshall Center, 
General Breedlove, in fact, has asked both I and the 
Department, you know, for assistance, said: Hey, this is 
important to me; I think it will generate good outcomes for us 
in Europe----
    Ms. McSally. Right.
    Admiral Rogers [continuing]. As we are trying and 
understand the broader cyber environment. So I have committed 
to General Breedlove: Hey, look, I will be there to provide 
expertise to help because that is what I can bring, not 
necessarily money.
    We are working--I don't think either of us off the top of 
our heads know the specifics, other than the fact that we have 
committed to moving forward on that. I know it is ongoing.
    Ms. McSally. Yeah, and I will tell you, having been there--
and sometimes we have senior officials from 45 different 
countries--this is not a technical course. It is more of an 
awareness of best practices, policy issues, especially for some 
of our less capable partners. They are not going to ever have a 
Cyber Command like we do, but if we can raise their game up a 
bit and we can have better collaboration and coordination for 
strategic understanding and best practices, how to quickly 
alert and respond and working with each other intelwise, 
threatwise, I think it goes a long way. I mean, I was very 
impressed with the capabilities that we have there. And I would 
think it is a little bit of an investment for potentially huge 
strategic outcomes.
    Secretary Work. We agree with you completely.
    Mr. Halvorsen. I will just say some of that work is 
related. Mike will be doing some things, but over the next 
months, we will be in NATO working to do exactly that with some 
of our partners, raising their cyber basics.
    Ms. McSally. Right.
    Mr. Halvorsen. We will be in Bulgaria doing the same thing, 
and some of that is a result of some of the arrangements that 
were worked frequently from the Marshall Center.
    Ms. McSally. Yeah. Great.
    Mr. Halvorsen. That is paying back some good dividends.
    Ms. McSally. Excellent. I look forward to working with you 
in the future if you have any other additional requests related 
to that with the firsthand experience that I have, so not just 
the Marshall Center but the other defense centers, obviously, 
because this is a global issue.
    So I thank you, gentlemen. I appreciate it.
    Mr. Chairman, I yield back.
    Mr. Rogers of Alabama. I thank the gentlelady.
    The Chair now recognizes Ms. Duckworth for 5 minutes.
    Ms. Duckworth. Thank you, Mr. Chairman.
    Gentlemen, I am very interested in looking at cyber 
vulnerabilities in our critical infrastructure. I would love to 
drill down more specifically to our bases and installations 
that support core warfighting functions. I feel that they face 
similar threats.
    Our installations are tied into local grids, rely on sewage 
and water from the surrounding areas, so there is always 
potential for impact for those basic life services on the base. 
Certainly continuity of operations is critical for DOD, just as 
it is for our civilian infrastructure.
    Admiral, I would like for you to sort of address this, and 
I am going to give you an example that I found deeply, deeply 
disturbing. I took a tour of a contractor that--a wonderful 
company that works in smart grid technology. And as part of 
this tour of this facility, small business, they were very 
proud to show me what they were doing. They had won a contract 
at one of our facilities, one of our bases. Actually, the base 
where a major--I won't say which base it is because this is not 
a secret room, but it was the home for a major maneuver 
division in the Army. And from another State where I was, I 
watched them turning off the lights at that base.
    And then when I asked the person who was operating the 
computer, who was turning the lights on and off at this base, I 
said: ``Do you have a secret clearance?''
    They said, ``No.''
    I said: ``Do you, as the company, have anybody with a 
secret clearance?''
    ``Yes, the chief engineer does.''
    But this is an unsecure room. People in the business were 
coming in and out. And they were very--I mean, amazing 
technology that is going to help us save tons of money when it 
comes to environmental costs and energy efficiency and all 
those good things as a Democrat I love. But I was deeply, 
deeply concerned that I was sitting there watching them turn 
the lights on and off on a major road on a major installation 
of a major maneuver division command in the Army.
    Admiral, if you could speak a little bit to perhaps what 
you are doing to both coordinate with Installations Command for 
each of the different branches, whether it is the Army's 
Installation Management Command, the Marine Corps' 
Installations Command, and also local civilian infrastructure 
as well. And, by the way, this base is outside of a major 
metropolitan city. It is not one of the Army bases that is out 
in the middle of nowhere. I spent a lot of time at those 
myself, but I was deeply concerned.
    Admiral Rogers. So we share your concern. The services and 
installation and their respective installation commands are 
working with each individual installation. I had been an 
installation commander myself in the course of my career, so I 
have experienced this as a commander. When you are so dependent 
in some ways on infrastructure and capability that is outside 
of your immediate span and control and yet it directly derives 
your ability to execute your mission, it is one of the reasons 
why collectively in the Department, we ask ourselves: So what 
are the capabilities we need to bring on the installation, if 
you will, to put redundancy and backups in so we have a level 
of control?
    We are working our way through this. The challenge I think 
we find is, again, it goes just the scope of the problem sets 
out there, just the infrastructure that we count on as a 
Department, that just the broad swath of it, the size and the 
age of it in many ways as we are trying to collectively work 
our way through this. This is a problem set that is going to 
take us years to work our way through. I don't think there is 
any doubt about that.
    Ms. Duckworth. Do you have a liaison from Cyber Command 
that sits at installation command for each of the branches of 
service?
    Admiral Rogers. No. What I do is I work through my service 
components who partner with their installation command. So, for 
example, in my last job where I was the Navy's cyber individual 
reporting to U.S. Cyber Command, I was working directly with 
the Navy's Installations Command as to what we were doing in 
naval installations, you know, around the world for us, and we 
still do that now.
    Ms. Duckworth. Is there any policy that looks at--and one 
of the great things about this committee is this is a very 
bipartisan committee. And I want to applaud our chairman for 
his continuing work on acquisition reform.
    But one of my concerns with acquisition reform is these 
contractors and sub-subcontractors. Huawei North American 
Regional headquarters is actually in my district. And I have 
concern that we are talking about service subcontractors that 
are several layers down, and we are not inspecting them. I 
mean, there was nobody inspecting this contractor and making 
sure that they were--I mean, that they had, you know, secured 
the facilities and their computers and the devices that are in 
the hands of people who are actually turning on and off the 
lights at a major military base.
    Admiral Rogers. Right. So we have taken the Huawei issue 
specifically for action. We will provide feedback on that. 
This, I share your concern, ma'am. This is something we are 
going to have to just work our way through.
    Ms. Duckworth. What do you specifically--do you have plans 
in place? Are you writing policy? What are you doing 
specifically to address this particular issue?
    Admiral Rogers. I apologize----
    Mr. Halvorsen. Mike, let me take that one.
    Admiral Rogers. Yeah.
    Mr. Halvorsen. There is policy in place. We are looking at 
all of the installations and, frankly, grading them and looking 
for where are the priorities.
    But as Mike said, this is a priority issue. There is a vast 
number of, you know, installations. Very frankly, the control 
systems for power and water when they were built, there was no 
consideration of cyber, so now we have to go back and fix that.
    We have a list of those priorities. We are prioritizing on 
those bases that have more strategic assets first, which I 
think is smart, and we will keep going down that list to fix 
those issues. But there is a priority list. We have new 
language required in the FAR [Federal Acquisition Regulation] 
for all levels of contractors now to meet certain requirements 
about the security control systems, and that is in place.
    Ms. Duckworth. Can I have a copy of your priorities list 
and that new language for contractors? Is that available for 
Members of Congress?
    Mr. Halvorsen. We will certainly take that for the record. 
I am sure it is, and we will figure out how to get it to you.
    [The information referred to can be found in the Appendix 
on page 74.]
    Ms. Duckworth. Thank you.
    I yield back, Mr. Chairman.
    Mr. Rogers of Alabama. The Chair now recognizes the 
gentleman from Arizona, Mr. Franks, for 5 minutes.
    Mr. Franks. Well, thank you, Mr. Chairman.
    Admiral Rogers, I appreciate people like you that put 
yourself at risk and assiduously try to do everything you can 
to protect the homeland and the future generations. So, on 
behalf of my children, thank you.
    Admiral Rogers. Thank you, sir.
    Mr. Franks. I am going to paraphrase here, but in recent 
press briefings at the Wilson Center, you said that what keeps 
you up at night--and I know you have been asked that question 
several times today--are threats to critical infrastructure and 
that you have been observing nation-states spending a lot of 
time within the power structure of the United States. And as 
you know better than perhaps anyone, the Department of Defense 
relies upon the electric grid for 99 percent of its electricity 
needs, without which even the Department's position is that it 
cannot effect its mission.
    And, of course, there are 320 million Americans that also 
depend upon it pretty significantly for everyday survival. And 
a widespread collapse of the electric grid, of course, would 
lead to gross societal collapse.
    So wearing your CYBERCOM hat, how protected is our electric 
grid from, number one, cyberattacks and lesser discussed 
attacks that could come from geomagnetic disturbance or 
electromagnetic pulse? And do you find industry to be a willing 
partner in helping to secure the grid? And what have you been 
tasked with or coordinated with or asked to do from the 
Department of Homeland Security or the FERC, Federal Energy 
Regulatory Commission, in regards to hardening the electric 
grid and protecting it and just giving us your best military 
advice? A lot of questions here, I am sorry. What do you think 
needs to be accomplished to robustly harden our electric grid 
against these stated threats?
    Admiral Rogers. Let me try to do them backwards to 
forwards.
    Remember, DOD does not physically act on private sector 
networks. I am not responsible for hardening them.
    Mr. Franks. That is true, but without them, you will 
certainly maybe revisit that.
    Admiral Rogers. Right. My only point is, your question 
specifically, though, is, what are you doing as--well, that is 
not Cyber Command's role. What we do is we partner with DHS in 
their role. I try to make sure that, again, because one of the 
missions you heard the Secretary talk about in the very 
beginning, where there is an expectation that DOD needs to be 
ready to respond if the President decides that we have to 
respond to a cyber event of significant consequence, a power 
scenario is definitely one of the things that we talk about.
    So we partner with DHS. We partner with the segment--for 
example, we do a Cyber Guard annual exercise. I had two 
different power sector segments from two different parts of the 
United States that participated in this exercise. That was one 
of the scenarios we walked our way through.
    In terms of the grid, if you will, vulnerability, I would 
argue it is pretty broad. If you look in the eastern part of 
the United States, the grid is operating on the margin already 
just between capacity and demand.
    The other point I try to make, particularly in the eastern 
part of the United States, is we need to think more than just 
the U.S. Our grid in the east in particular is so tied into our 
Canadian counterparts for hydroelectric and other power 
generation. Capacity on their side of the border often is 
flowing south to meet our basic needs.
    The other challenge I find in the power sector is--and they 
are quick to remind me of this--is their business model: ``A, 
Admiral, we are a regulated industry. The only way for us to 
generate revenue is through rates. Those are governed. I just 
can't universally say I am going to upcharge this to generate a 
$5 billion capital fund that I can use to invest in basic 
infrastructure.'' So each of the utilities, if you will, within 
the sector is trying to work their way through it.
    Mr. Franks. Well, now, I appreciate that.
    I guess one of things over the years in dealing with this 
issue that has occurred to me is that what you just said--and 
you are absolutely correct; I mean, you know, this is not your 
responsibility to tell the private sector what to do with the 
grid. But then the private sector, when we talk to them about 
hardening the grid for national security purposes, they say 
that is the national defense apparatus' job. And, in the 
meantime, this, what could be a profound threat, given the fact 
that all of our other security, our other critical 
infrastructures rely heavily upon the grid, it walks the 13th 
floor of congressional debate, and no one addresses it.
    And, of course, you know, there is always a moment in the 
life of every problem when it is big enough to be seen and 
still small enough to be addressed. And I think we live in that 
window. So I certainly don't offer you any advice. Just the 
question I hope lingers in our minds is, are we doing what is 
relevant to protect the national security on this particular 
threat because certainly a loss of the grid would be the 
ultimate cybersecurity issue? I mean, you know, if you can't 
turn those computers on, you can't do really much else.
    Again, there is no arrogance in my comments, Admiral. I 
think that you are doing a great job, and I hope you will 
consider this as much as possible.
    Admiral Rogers. Certainly.
    Mr. Franks. Thank you.
    Mr. Rogers of Alabama. I thank the gentleman for yielding 
back.
    All of our members have completed their questions.
    I want to thank the witnesses for their time and 
preparation for this hearing. I know it takes a lot to get 
ready for these and your time here today, but it has been very 
beneficial to us.
    And, with that, we are adjourned.
    [Whereupon, at 12:15 p.m., the committee was adjourned.]



      
=======================================================================




                            A P P E N D I X

                           September 30, 2015

      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                           September 30, 2015

=======================================================================

      

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

 
=======================================================================


              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                           September 30, 2015

=======================================================================

      

              RESPONSE TO QUESTION SUBMITTED BY MR. WILSON

    Secretary Work. At this time, we have not taken legal actions or 
pursued economic sanctions. The Administration remains concerned about 
Iran's increasing capabilities and malicious activity in cyberspace. 
The Department works closely with interagency and international 
partners to enhance cyber defenses. The President is able to use a 
broad range of tools--including diplomatic engagement, trade policy, 
and law enforcement mechanisms--to address cybersecurity threats 
emanating from Iran.   [See page 18.]
                                 ______
                                 
             RESPONSE TO QUESTIONS SUBMITTED BY MR. ROGERS
    Secretary Work and Admiral Rogers. Only in limited circumstances 
would the Department have insight into or the contractual right to 
control a cleared defense contractor's decision to use any particular 
subcontractor or supplier. Absent suspension or debarment or a 
statutory restriction on contracting with a prohibited source, our 
cleared defense contractors would generally not be precluded from using 
a specific vendor's telecommunications equipment.
    However, it is important to note that the Department has several 
mechanisms in place to help ensure the security of products or services 
delivered to us and the systems that cleared defense contractors use to 
store or process sensitive DOD information.
    First, the Department requires Program Protection Plans (PPPs) to 
address the full spectrum of security risks for the critical components 
contained in our weapons systems, including supply chain 
vulnerabilities, and to implement mitigations to manage risk to system 
functionality. In addition to the security requirements applied to 
deliverable products or services, the Federal Acquisition Regulation 
(FAR) requires that contractor information systems used to store or 
process classified information are compliant with the National 
Industrial Security Program Operating Manual (NISPOM). Additionally, 
the Defense FAR Supplement (DFARS) requires that contractor 
unclassified systems that will store or process sensitive Department of 
Defense (DOD) information must also provide appropriate security for 
that information.
    There are additional statutory authorities available to the 
Department to limit or exclude vendors in specific circumstances. For 
example, section 1211 of the National Defense Authorization Act (NDAA) 
for Fiscal Year (FY) 2006, as amended by section 1243 of the NDAA for 
FY 2012, and as implemented at DFARS Section 225.77, prohibits the 
Secretary of Defense from acquiring supplies or services that are on 
the United States Munitions List through a contract, or subcontract at 
any tier, from any Communist Chinese military company. In addition, 
section 806 of the NDAA for FY 2011, as amended by section 806 of the 
NDAA for FY 2013, has been implemented at DFARS Subpart 239.73, 
``Requirements for Information Relating to Supply Chain Risk.'' The 
clause enables DOD components to exclude a source that fails to meet 
established qualifications standards or fails to receive an acceptable 
rating for an evaluation factor regarding supply chain risk for 
information technology acquisitions, and to withhold consent for a 
contractor to subcontract with a particular source or to direct a 
contractor to exclude a particular source.   [See page 32.]
                                 ______
                                 
             RESPONSE TO QUESTION SUBMITTED BY MR. WITTMAN
    Secretary Work. The Department continues to develop and maintain 
cyberspace capabilities to support full spectrum operations in pursuit 
of national objectives, and is prepared to defend the nation against 
cyber threats and provide the President options in crisis or 
contingency.
    To support these strategic goals, the Department is prepared to 
defend information, information-based processes, and information 
systems against threats, thus ensuring their availability, integrity, 
authenticity, confidentiality, and non-repudiation on the Department of 
Defense Information Network (DODIN) at all security levels.
    The Department has established a trained and ready cyber operations 
workforce with all the technical capabilities necessary to complete 
missions and support full-spectrum operations. The FY2016 President's 
budget requests $5.5 billion in FY 2016 (FYDP, $27.4 billion) for the 
cyberspace operations, an increase of 11 percent. The FY 2016 
cyberspace operations budget continues to support: computer network 
defense, cyber identity and access management, engineering and 
deployment controls, cryptographic key production and management, cross 
domain capabilities, workforce development, information assurance and 
operational resiliency, offensive cyber operations, and cyberspace 
Science and Technology.   [See page 37.]
                                 ______
                                 
            RESPONSE TO QUESTION SUBMITTED BY MS. DUCKWORTH
    Mr. Halvorsen. The Department has a very mature and active Defense 
Critical Infrastructure Program and a disciplined Mission Assurance 
Risk Management process that is used to identify the Department's most 
critical assets. The process includes working with the DOD Components 
to identify single points of failure related to DOD OPLANs/CONPLANs, 
and the Department's other strategic missions. It also includes 
prioritization of assets for risk management efforts (to include 
cybersecurity) and resource investment.
    The Federal Acquisition Regulation (FAR) language referred to in 
testimony is actually an August 26, 2015, update to the Defense Federal 
Acquisition Regulation Supplement (DFARS), DFARS Case 2013-D018, 
``Network Penetration Reporting and Contracting for Cloud Services.'' 
This rule expands upon the existing ``Safeguarding Covered Defense 
Information and Cyber Incident Reporting'' clause, which only covered 
the protection of and reporting of incidents affecting the controlled 
technical information. The August 2015 interim rule expands the 
protection and reporting requirements to a broader scope of information 
(i.e., ``covered defense information'') which includes controlled 
technical information as a subset. This interim rule also requires 
contractors to be compliant with NIST Special Publication 800-171, 
``Protecting Controlled Unclassified Information in Nonfederal 
Information Systems and Organizations''.   [See page 42.]
                                 ______
                                 
              RESPONSE TO QUESTION SUBMITTED BY MR. BROOKS
    Secretary Work. The Department of Defense (DOD) Cyber Strategy 
emphasizes improving cyber collaboration, information sharing, and 
unity of effort within the Department. The efforts at the U.S. Army 
Aviation and Missile Research, Development, and Engineering Center 
(AMRDEC) Cyber Campus, and similar facilities, are consistent with this 
emphasis. The AMRDEC Cyber Campus at Redstone Arsenal, Alabama, is an 
organization designed to integrate, in one location, the expertise of 
multiple DOD and non-DOD organizations that support aviation and 
missile system cybersecurity. This campus participates in several 
programs that leverage DOD-wide capabilities in cybersecurity and 
related areas, such as the Joint Federated Assurance Center and the DOD 
Software Assurance Community of Practice.   [See page 25.]


      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                           September 30, 2015

=======================================================================

      

                   QUESTIONS SUBMITTED BY MR. FORBES

    Mr. Forbes. The Intelligence Community is using commercial cloud 
computing capabilities to enable important classified missions. If 
commercial cloud services are able to meet the security standards of 
the intelligence community, can DOD use commercial cloud services for 
classified and sensitive missions? Does DOD have particular technical 
concerns with regard to the capabilities available on the commercial 
market?
    Mr. Halvorsen. The Intelligence Community's (IC) use of a private, 
classified instance of the Amazon AWS cloud demonstrates that, when 
properly configured and separated from public networks and facilities, 
commercial cloud services can be leveraged to satisfy many of the 
Department's requirements for classified and sensitive missions. The IC 
commercial cloud is essentially a private version of Amazon's public 
cloud that has been built on the IC's premises supporting the Top 
Secret network. DOD IC components are exploring contract mechanisms to 
permit DOD applications and data on the IC cloud.
    For the Secret environment, it is not the technical concerns that 
present a significant challenge; rather, it is the time and investment 
risk associated with acquiring a private cloud that operates solely 
within that classified environment. The Department is currently in the 
process of identifying requirements and options for expanding 
commercial cloud services to support secret networks.
    In the unclassified environment, the Department is able to leverage 
more of the existing commercial infrastructure, which greatly reduces 
the time and expense necessary to establish a commercial cloud service. 
The Department continues to work with commercial cloud providers to 
perform cybersecurity assessments and approve commercial cloud services 
for use on the Unclassified but Sensitive Internet Protocol Router 
Network (NIPRNet). As of October 2015, the Department has approved more 
than 30 commercial cloud services for use within the Department.
    Mr. Forbes. Is DOD looking at solutions that can prevent exploits 
from succeeding via isolation/containerization strategies ``at the end 
point''? What measures are you taking to address the advanced 
``polymorphic'' threats you face?
    Mr. Halvorsen. Yes, DOD is looking at solutions that can prevent 
exploits from succeeding via isolation/containerization strategies at 
the end point. The isolation/containment concept is a primary function 
of DOD's DMZ architecture. By physically and logically separating 
public, restricted, and private information systems into their own 
security zones, movement between these zones becomes minimalized and 
reduces the attack surface.
    In regards to polymorphic attacks, DOD has expanded its detection 
arsenal to include technology designed to identify malicious code 
behavior through analysis that identifies specific code execution 
patterns. This addresses the challenge of malicious code variants. 
Behavioral analytics can be applied at runtime to a specific machine 
tracing the execution of applications or offline via a sandbox 
environment.
    The ability to detect and react at the endpoints is a key part of 
DOD's Defense in Depth and Layered Defense strategies. Once a 
compromise is detected, containment from the rest of the unaffected 
Information System (IS) and Information Technology (IT) assets requires 
swift action and the ability to keep the event scope isolated to the 
smallest area possible. Micro-segmentation, virtual computing, and 
software-designed networking will enable Cyber Security Providers, 
Network defenders, and security engineers more options and capabilities 
to keep the IT and IS at the prerequisite security posture to meet its 
missions.
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. SHUSTER
    Mr. Shuster. We heard testimony earlier in the week that 
attribution in cyberspace is much improved, allowing U.S. agencies to 
identify and target our greatest cyber-based threats. Do you feel you 
have adequate guidance and the necessary authorities to execute 
sufficient offensive and defensive cyber-based activities in support of 
DOD's three cyber missions?
    Secretary Work. Yes, I believe we have adequate guidance and the 
necessary authorities to execute sufficient offensive and defensive 
cyber operations in support of the Department's three cyber missions. 
Consistent with Presidential guidance and the Department of Defense 
Cyber Strategy, the Department will streamline its policies and 
procedures for cyber. This effort will help translate national and 
departmental guidance and policy for implementation in tactical 
operations.
    Mr. Shuster. There are many companies that partner with multiple 
sectors of the U.S. Government to include DOD, civilian agencies and 
the Intelligence Community. I recognize that each entity must develop a 
comprehensive cyber strategy yet I worry that differing strategies 
among our government entities could create challenges for the companies 
that work across agencies. What issue areas do you believe are best 
legislated by Congress for the whole of government and what areas do 
you recommend we defer to DOD and/or other executive agencies to 
develop?
    Secretary Work. The Department depends on passing legislation with 
meaningful measures to address core critical infrastructure 
vulnerabilities and provisions to facilitate public-private sharing of 
information. This can be done while ensuring the protection of privacy 
and civil liberties. The Department appreciates the early steps taken 
during this session to build consensus on information sharing 
legislation. The Department also looks forward to progress on other key 
provisions, such as data breach and cybercriminal provisions, included 
in the President's legislative proposal submitted earlier this year.
    Internally, the Department works continuously with federal 
interagency partners to develop a whole-of-government approach to 
ensure all the resources of the federal government are used wisely. The 
Department also amended its cybersecurity reporting requirements for 
defense contractors who hold sensitive defense information in their 
networks. On August 26, 2015, the Department issued an interim rule 
amending the Defense Federal Acquisition Regulation Supplement to 
implement section 941 of the Fiscal Year 2013 National Defense 
Authorization Act, which requires cleared defense contractors to report 
network penetrations and to allow defense personnel to access those 
networks to assess the impact of the reported cyber incident.
    Mr. Shuster. What steps has and can DOD take to prevent malicious 
attacks similar to the OPM breach from occurring on DOD networks? Given 
that in many instances cyberattacks on U.S. networks are undertaken by 
entities linked to foreign military forces, what response do you feel 
is appropriate to such a malicious cyberattack?
    Secretary Work. Once the Office of Personnel Management (OPM) 
breach was identified, the Department immediately took a number of 
steps to mitigate potential impact to the Department's systems. This 
included scanning systems for indicators of compromise from the breach; 
mitigating vulnerabilities in other repositories of personally-
identifiable information of the Department's personnel; and assessing 
any network connections between OPM and Department of Defense networks.
    The Department's total network attack surface is very large. It is 
critical to identify, prioritize, and defend the most important 
networks and data so the Department can carry out its missions 
effectively.
    To stay ahead of cyber threats, Secretary Carter places a high 
priority on investing in technology and innovation. The Department is 
enhancing its cyber defense capabilities by building and employing more 
defendable network architecture in the Joint Information Environment.
    Many hackers frequently target the defense industrial base. Network 
and data protection requires extensive collaboration with the private 
sector. The collaboration includes sharing defensive information, 
ensuring that the Department's contractors report attempted and 
successful cyber intrusions, and encouraging or mandating adherence to 
cybersecurity standards as appropriate.
    In addition to building U.S. cyber defense and cybersecurity 
capabilities, the United States will continue to respond to 
cyberattacks against U.S. interests at a time, in a manner, and in a 
place of our choosing, using appropriate instruments of U.S. power and 
in accordance with applicable law. As with attacks in the physical 
domain, the Administration takes into account the severity of the 
attack, such as loss of life or property damage, and considers all 
possible levers, including diplomatic, economic, and military efforts, 
when contemplating any response.
    Mr. Shuster. Many of the strategic objectives in the 2015 cyber 
strategy require significant changes to the services' human capital 
management programs related to recruitment, retention, training and 
utilization. Is the human capital enterprise engaging and adapting 
rapidly enough to achieve the stated objectives?
    Admiral Rogers. [The information referred to is for official use 
only and retained in the committee files.]
    Mr. Shuster. Earlier in the week, we heard testimony from industry 
experts that recommended a ``Zero Trust'' or ``micro-segmented'' 
network to prevent significant data losses. Do you agree with that 
recommendation and if so, what would be potential barriers to 
implementing that approach across DOD?
    Mr. Halvorsen. Yes, we agree that a ``Zero Trust'' concept 
implemented through ``micro-segmentation'' has significant advantages 
for cybersecurity. Implementing these concepts would theoretically 
allow for 100%, near-real-time inspection of network traffic and, if 
necessary, isolation and remediation of impacted areas. In a perfect 
world, micro-segmentation would occur at the lowest possible level; for 
instance, an individual suite of offices versus an entire organization.
    The Department has issued Requests for Information and has reviewed 
responses received. This information will be integrated into the pilot 
programs and proof of concept testing as these software-defined 
networking and network virtualization programs move forward. Lessons 
learned from the pilots and proofs of concept testing will determine 
the required skill sets needed to operate and manage micro-segmentation 
of the DODIN.
    The challenges of implementing this concept DOD-wide include three 
primary factors: First, the technology to implement is still emerging. 
Although companies like VMware, Palo Alto, and EMC are bringing 
products to market, they're not yet complete solutions.
    Second, full implementation requires re-engineering and integration 
at the data center-level rather than at the network-level. DOD is still 
working to implement a number of virtualization and software-defined 
networking initiatives across the Department, and the best path forward 
has not been determined.
    Third, the skills and tools to manage the dramatic increase in the 
number of virtual networks that would occur as a result of implementing 
micro-segmentation do not currently exist in the Department.
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MS. SPEIER
    Ms. Speier. During your testimony, you stated that those involved 
in the spear-phishing attack on the JCS UNCLASSIFIED network were 
punished but were unwilling to discuss specifics in public. Please 
provide an overview of those involved and their punishments as well as 
any policies that have been put in place to punish those responsible 
for breaches.
    Secretary Work and Mr. Halvorsen. The Department of Defense follows 
standard investigative procedures to derive an accurate accounting of 
any situation requiring further investigation. In the case of the Joint 
Staff spear-phishing attack, the Joint Staff conducted a fact-finding 
inquiry to determine the facts surrounding the intrusion. In response 
to the incident, immediate corrective actions were taken addressing 
those involved; the Director, Joint Chiefs of Staff, led Joint Staff-
wide training, and additional comprehensive training was provided for 
each affected individual prior to reconnecting to the network.
    Ms. Speier. During your testimony, you stated that those involved 
in the spear-phishing attack on the JCS UNCLASSIFIED network were 
punished but were unwilling to discuss specifics in public. Please 
provide an overview of those involved and their punishments as well as 
any policies that have been put in place to punish those responsible 
for breaches.
    Admiral Rogers. [The information referred to is for official use 
only and retained in the committee files.]
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. LAMBORN
    Mr. Lamborn. What are you doing to ensure cyber personnel keep 
critical skills current, such as computer tech and programming 
languages, which change constantly? More broadly, what are you doing to 
improve cyber training?
    Admiral Rogers. [The information referred to is for official use 
only and retained in the committee files.]
                                 ______
                                 
                    QUESTIONS SUBMITTED BY MR. WALZ
    Mr. Walz. Do you believe our current capabilities pertaining to the 
number of individuals and technical tools are sufficient to deal with 
the scale of the amount of cyberattacks that the nation faces on a 
daily basis? If not, how would you rate our risk level due to these 
lacking resources? High, medium, low?
    Secretary Work. Cyber-attacks are increasing in frequency, scale, 
sophistication, and consequence. Although the nation will never 
eliminate all cyber threats, both government and industry, acting 
together, are taking important steps to reduce cyber risk. The 
Department of Defense (DOD) is halfway through manning, training, and 
equipping the Cyber Mission Force, which includes developing 
capabilities to defend the nation from a cyber-attack. Additionally, 
DOD, through efforts such as the Defense Innovation Unit-Experimental, 
is strengthening interaction with industry to identify breakthrough and 
emerging technologies to counter the sophisticated cyber threats the 
U.S. faces. The risk of cyber-attacks against the United States remains 
high, and the Department must do everything it can to be prepared. This 
includes continuing to build and equip our Cyber Mission Force and to 
innovate in partnership with the private sector. Congress can help by 
expanding DOD's civilian hiring authorities to recruit and retain top 
talent.
    Mr. Walz. Is there any discussion or efforts taking place in DOD to 
address and counter the use of social media and the Internet for 
recruitment purposes by terrorist and extremist groups such as ISIS 
and Al Qaeda?
    Secretary Work. Yes. The Department of Defense is engaged on 
multiple fronts to address and counter terrorist and extremist group 
activities in social media, in close coordination with our interagency 
and foreign partners as appropriate. More specifically, the Department 
has a task force focused on supporting interagency and foreign 
government actions to disrupt foreign fighter movement from their home 
countries to the Middle East. One of the sources of information used to 
enable these operations is derived from social media.
    Additionally, the Department of Defense plays a supporting role in 
the Department of State's effort to counter violent extremist 
ideologies, including providing personnel to augment the Center for 
Strategic Counterterrorism Communications, which has the mission to 
coordinate, orient, and inform government-wide strategic communications 
focused on violent extremists and terrorist organizations. The 
Department of Defense's efforts alone will not solve the challenge of 
this contested information environment and adversary propaganda.
    The imperative to stay abreast of increasing technological change 
and our adversaries' rapid adaptation of technology demands that the 
Department use a thoughtful, strategic approach to achieve success 
against a mix of adversaries. Simply trying to match our adversaries 
``tweet'' for ``tweet'' or matching Website for Website would be both 
fiscally irresponsible and operationally ineffective. Instead, the 
Department continues to rely on the skills of its personnel to develop 
thoughtful, well-constructed plans and partnerships with other U.S. 
Government departments and agencies and with foreign partners, and to 
leverage a variety of means to disrupt the adversary's narrative, 
expose its contradictions and falsehoods, and ultimately bring 
credible, persuasive, and truthful information to audiences who often 
have significantly differing perceptions and cultural norms than our 
own. The main challenge today is the size and pace of communications in 
social media. Our ability to assess the social media environment is 
challenged due to its broad scope and constantly changing nature.
    Mr. Walz. As DOD continues to develop the Cyber Mission Force, how 
does DOD plan on measuring its efforts toward progress and readiness on 
a continuous basis?
    Admiral Rogers. [The information referred to is for official use 
only and retained in the committee files.]
    Mr. Walz. Is there any discussion or efforts taking place in DOD to 
address and counter the use of social media and the Internet for 
recruitment purposes by terrorist and extremist groups such as ISIS 
and Al Qaeda?
    Admiral Rogers. [The information referred to is classified and 
retained in the committee files.]
    Mr. Walz. Is there any discussion or efforts taking place in DOD to 
address and counter the use of social media and the Internet for 
recruitment purposes by terrorist and extremist groups such as ISIS 
and Al Qaeda?
    Mr. Halvorsen. Countering the threat posed by terrorist and 
extremist organizations using the Internet for recruitment purposes is 
a concern of the Department. I would like to defer to Admiral Michael 
Rogers, Commander of the U.S. Cyber Command, Director of the National 
Security Agency on what the Department is doing to combat this threat.

                                    
                              [all]