[Senate Hearing 114-671]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 114-671

 CYBERSECURITY, ENCRYPTION AND UNITED STATES NATIONAL SECURITY MATTERS

=======================================================================

                                HEARING

                               before the

                      COMMITTEE ON ARMED SERVICES
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                      JULY 14; SEPTEMBER 13, 2016

                               __________

         Printed for the use of the Committee on Armed Services



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]





        Available via the World Wide Web: http://www.fdsys.gov/

                                 ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

26-536 PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
   



















                      COMMITTEE ON ARMED SERVICES

JOHN McCAIN, Arizona, Chairman       JACK REED, Rhode Island
JAMES M. INHOFE, Oklahoma            BILL NELSON, Florida
JEFF SESSIONS, Alabama               CLAIRE McCASKILL, Missouri
ROGER F. WICKER, Mississippi         JOE MANCHIN III, West Virginia
KELLY AYOTTE, New Hampshire          JEANNE SHAHEEN, New Hampshire
DEB FISCHER, Nebraska                KIRSTEN E. GILLIBRAND, New York
TOM COTTON, Arkansas                 RICHARD BLUMENTHAL, Connecticut
MIKE ROUNDS, South Dakota            JOE DONNELLY, Indiana
JONI ERNST, Iowa                     MAZIE K. HIRONO, Hawaii
THOM TILLIS, North Carolina          TIM KAINE, Virginia
DAN SULLIVAN, Alaska                 ANGUS S. KING, JR., Maine
MIKE LEE, Utah                       MARTIN HEINRICH, New Mexico
LINDSEY GRAHAM, South Carolina
TED CRUZ, Texas                      
                                     
                  Christian D. Brose, Staff Director
           Elizabeth L. King, Minority Staff Director 
             

                                  (ii)

  
  
  
  
  
  
  
  
                               C O N T E N T S

                                   ________

                             July 14, 2016

                                                                   Page

Cybersecurity and United States National Security................     1

Vance, Cyrus R., Jr., Manhattan District Attorney................    10
Inglis, John C., Robert and Mary M. Looker, Professor in Cyber       17
  Security Studies, United States Naval Academy, and Former 
  Deputy Director, National Security Agency.
Wainstein, Honorable Kenneth L., Former Assistant Attorney           24
  General for National Security, Department of Justice.

                           September 13, 2016

                                                                   Page

Encryption and Cyber Matters.....................................    43

Lettre, Honorable Marcell J., II, Under Secretary of Defense for     47
  Intelligence.
Rogers, Admiral Michael S., USN, Commander, United States Cyber      49
  Command; Director, National Security Agency; Chief, Central 
  Security Services.

Questions for the Record.........................................    79

                                 (iii)
 
           CYBERSECURITY AND UNITED STATES NATIONAL SECURITY

                              ----------                              


                        THURSDAY, JULY 14, 2016

                                       U.S. Senate,
                               Committee on Armed Services,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 9:33 a.m. in Room 
SD-G50, Dirksen Senate Office Building, Senator John McCain 
(chairman) presiding.
    Committee members present: Senators McCain, Ayotte, 
Fischer, Cotton, Ernst, Sullivan, Reed, Nelson, McCaskill, 
Gillibrand, Blumenthal, Donnelly, Hirono, Kaine, and King.

            OPENING STATEMENT OF SENATOR JOHN McCAIN

    Chairman McCain. Good morning to all of our witnesses. We 
are pleased to have with us a distinguished panel of expert 
witnesses who each bring a unique perspective to this important 
issue of cybersecurity, encryption, and U.S. national security: 
Cyrus Vance, Jr., who currently serves as Manhattan district 
attorney; Chris Inglis, former deputy director of the National 
Security Agency and a professor cybersecurity studies at the 
U.S. Naval Academy; and Kenneth Wainstein, a former Homeland 
security adviser and assistant attorney general for national 
security at the Department of Justice during the Bush 
administration and now partner at Cadwalader.
    I am sure it is a great organization.
    [Laughter.]
    Chairman McCain. I thank each of our witnesses for 
appearing before the committee today.
    I must note for the record that these were not our only 
invited guests. This committee extended an invitation to Apple 
CEO [Chief Executive Officer] Tim Cook to offer his perspective 
on these important issues. He declined.
    I hope he will reconsider in the future so that this 
committee can benefit from the widest possible variety of 
perspectives.
    End-to-end encryption allows communications and data shared 
across devices and platforms to be seen only by the individuals 
holding the device. The information on the device cannot be 
accessed in most cases by the company and in nearly all cases 
by the government, even with a lawful court order backed by 
probable cause.
    Major American technology companies have made this level of 
encryption the default setting on their devices, meaning that 
even the least sophisticated lone wolves can operate in digital 
secrecy.
    Terrorist groups like ISIL [The Islamic State of Iraq and 
the Levant] have taken notice. ISIL's backward ideology and 
brutal tactics may be a throwback to medieval times, but these 
terrorists are also effectively using modern technological 
tools. Indeed, encryption is now ubiquitous across the 
counterterrorism fight, providing an avenue for recruitment and 
radicalization, as well as the planning and coordination of 
attacks that pose an increasingly difficult challenge to 
intelligence collection, military operations, and law 
enforcement.
    Put simply, encryption is eroding the digital advantage our 
national security and intelligence officials once enjoyed. That 
is why the topic of encryption concerns the Senate Armed 
Services Committee.
    We must also recognize that encryption is not just a 
national security issue concerning terrorists in distant lands. 
Encryption is being used to shield criminals that terrorize 
communities across the Nation every day.
    As Mr. Vance will testify, there are thousands of lawfully 
seized iPhones and other devices in the hands of law 
enforcement today that are completely inaccessible because 
their manufacturers refuse to comply with court-issued search 
warrants. The result is that thousands of murder, child sex 
abuse, and human trafficking cases are not being fully 
investigated.
    Let there be no doubt the job of our national security 
agencies and our local, State, and Federal law enforcement is 
getting harder and the threat is growing. However, this is a 
complex problem with no easy solutions.
    Encryption technology protects our most common and 
essential day-to-day Internet activities and safeguards our 
Nation's secrets from sophisticated cyber adversaries. We must 
carefully balance our national security needs and the rights of 
our citizens.
    While we must recognize that authoritarian regimes are 
eager to gain keys to encrypted software so they can further 
their own abusive policies, we must also resist slipping into a 
false moral equivalence. Not all governments are the same. Not 
all surveillance is the same. Complying with valid search 
warrants in countries that uphold the rule of law does not 
create an obligation for technology companies to assist 
repressive regimes that undermine the rule of law in 
suppressing dissent or violating basic human rights.
    Yes, this is a difficult problem. Ignoring this issue is 
not an option, nor is meeting all efforts to reach a middle 
ground with absolute resistance, as too many technology 
companies have done.
    An all-or-nothing approach to encryption that is making it 
difficult and sometimes impossible to prosecute murderers, 
pedophiles, human traffickers, and terrorists is simply 
unacceptable.
    I believe there is a growing recognition that the threat 
posed by the status quo is unacceptable and that we need the 
public and private sectors to come together to eliminate cyber 
safe havens for terrorists and criminals.
    The struggle between security and privacy, or between 
public and private goods, is not new. These struggles are as 
old as our republic. We have not always gotten it right, but 
when we found that balance, it has always been through open and 
honest dialogue. That is what we need right now.
    Beyond encryption, I remain concerned by the 
administration's failure to provide the Department of Defense, 
the National Security Agency, and others with the necessary 
policy guidance to effectively defend, deter, and respond to 
our adversaries in cyberspace.
    To be sure, there has been important progress, including 
the willingness of the administration to carry out and more 
openly discuss offensive cyber operations against ISIL. Still, 
policy deficiencies from deterrence to rules of engagement to 
arbitrary limitations on geographic areas of operations, and 
cyber collateral damage, all must be addressed.
    Rather than answering these hard policy questions, it seems 
the White House continues to micromanage every cyber issue on a 
case-by-case basis.
    Finally, as the role of Cyber Command continues to mature, 
some have suggested that we should reevaluate the ``dual-hack'' 
relationship between Cyber Command and NSA [National Security 
Agency]. Whether in the context of possibly elevating Cyber 
Command to a unified command or in its current role, we must be 
careful not to prematurely sever this important relationship.
    I welcome the views of our witnesses, especially Mr. 
Inglis, as to whether, at some point in the future, it may make 
sense for Cyber Command to stand independent of NSA.
    Once again, I thank our witnesses for their appearance 
before the committee today. I look forward to their testimony.
    Senator Reed?

                 STATEMENT OF SENATOR JACK REED

    Senator Reed. Thank you very much, Mr. Chairman, for having 
this second hearing on encryption. I, too, want to welcome our 
trio of very distinguished witnesses and thank them for their 
many years of service to the Nation.
    Mr. Vance, your leadership on this issue is commendable and 
your statement eloquently articulates your position. I also 
want to note that District Attorney Vance is advocating for 
legislation on only one element of the overall encryption 
debate which he considers most critical for law enforcement, 
the ability to access data stored on the most modern versions 
of the leading smart phones in the custody of the courts or the 
police.
    Mr. Wainstein had a distinguished career in the FBI 
[Federal Bureau of Investigation] before being appointed the 
first assistant attorney general for national security and then 
as Homeland security adviser to President Bush. He has seen 
this issue evolve over time.
    Thank you, Mr. Wainstein.
    Mr. Chris Inglis is a graduate of the Air Force Academy 
with decades of experience at NSA, including over 7 years as 
deputy director. He has taught at both West Point and the Naval 
Academy, to try to make up for his previous situation.
    You now occupy the chair of cybersecurity at the Naval 
Academy.
    Thank you, Mr. Inglis.
    Cyber is an issue that touches many committees in Congress. 
To the extent that it advances commercial encryption 
technology, and the ease with which effective commercial 
encryption is applied adversely impacts foreign intelligence 
collection and counterterrorism, this committee has a strong 
and vital role to play and needs to be informed.
    Law enforcement, in contrast, is not directly in our 
jurisdiction. As the FBI's dispute with Apple in the San 
Bernardino terrorist case shows, the inability of law 
enforcement agents to physically unlock smart phones and 
retrieve unencrypted data can directly impact national 
security.
    I look forward to further exploring these types of issues 
with our witnesses.
    I also want to note that there are other distinguished 
national security experts who provide competing advice on this 
complex issue. National experts such as Admiral Mike McConnell, 
former Director of National Intelligence, director of NSA; 
General Mike Hayden, former deputy director of NSA and CIA 
[Central Intelligence Agency]; and former Deputy Secretary of 
Defense Bill Lynn; and also former Secretary of Homeland 
Security Michael Chertoff, all oppose government mandates on 
commercial industry to enable access to unencrypted content.
    This is an issue I would love to discuss with the panel 
when we get to your questioning.
    They argue that cyber vulnerabilities are the greater 
threats to the public and national security, that previous 
predictions of disastrous consequence from commercial 
encryption technology failed to materialize, that U.S. 
Government access mandates will harm U.S. companies and provide 
cover for repressive regimes to suppress dissent, and that 
previous attempts to control encryption technologies for 
legislation did not succeed.
    These experts have written an article explaining their 
views. Mr. Chairman, I would like to these articles part of the 
record.
    Chairman McCain. Without objection.
    [The information referred to follows:]
      
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    
    
    
      
    Senator Reed. Thank you very much, Mr. Chairman.
    I believe one of the most important functions of our 
hearing is to illuminate and explain complex issues, and I hope 
our hearing today will make such a contribution.
    Indeed, the series of hearings that the chairman has set up 
is absolutely critical, I think, to our consideration going 
forward, so I thank him for that.
    Thank you, gentlemen. I look forward to your testimony.
    Chairman McCain. I thank the witnesses.
    Mr. Vance?

 STATEMENT OF CYRUS R. VANCE, JR., MANHATTAN DISTRICT ATTORNEY

    Mr. Vance. Thank you. Good morning, Chairman McCain,
    Ranking Member Reed, and members of the Senate Committee on 
Armed Services.
    On behalf of our office in New York City, on behalf of 
State and local law enforcement around the country, I am very 
grateful that you are willing to hear our testimony this 
morning.
    The basic facts, Senators, underlying this debate, in my 
view, are really not that much in dispute.
    First, just talking about Tim Cook's own statements that he 
made to the public and his customers in February of this year, 
it is absolutely true, as he said, that smart phones led by the 
iPhone have become an essential part of our lives. They 
certainly are an essential part of my life. As a citizen, I 
certainly appreciate the many benefits of the technological age 
and the Internet.
    These devices are also essential to criminals. Our office 
investigates and prosecutes a range of cases from homicide to 
sex crimes, from international financial crime to crimes of 
terrorism. In all those crimes, and others, it is undisputed 
that criminals use smart phones to share digital information, 
to plan and commit crimes, whether through iMessages, photos, 
or videos.
    Third, criminals know iPhones now enable them to 
communicate with impunity about those crimes. Let me tell you 
that the criminals are thrilled with this development.
    Now, that is not hyperbole. In a real example from a case 
in my office, an incarcerated defendant on a pending sex crimes 
charge tells a friend that we overhear on a lawfully recorded 
landline out of Rikers Island jail, and I am quoting from the 
call, ``Apple and Google came out with software that can no 
longer be unencrypted by the police. If our phones are running 
on iOS 8 software, they cannot open my phone. This may be 
another gift from God.''
    Senators, it is clear this is not a gift from God. It is a 
gift, perhaps unintended, from the two largest technology 
companies in the world.
    Fourth, Apple's and Google's decision to limit law 
enforcement access, even with a court warrant, to critical 
information is, I believe, made under a questionable claim of 
increased privacy.
    The encryption Apple provided on its mobile devices before 
iOS 8, that is, before the end of September 2014, was both 
secure for its customers and amenable to court- authorized 
searches.
    Apple itself characterized the iOS 7 operating system as 
the ultimate in privacy, touting its proven encryption methods 
and ensuring users that iOS 7 could be used with confidence in 
any personal or corporate environment.
    Now, given Apple's own statements about iOS 7, shortly 
after Apple's reengineering of its phones to prevent search 
warrant access by law enforcement, I asked Apple in a letter 
dated March 2015 whether there was a bona fide security reason 
to make its new operating system, iOS 8, warrant- proof. Now, 
Apple chose not to answer me.
    In March of this year, the House Judiciary Committee 
compelled Apple to answer the same question. That committee 
asked Apple the following question in writing, and I am quoting 
from the committee, ``Was the technology you possess to decrypt 
these phones,'' the reference is to iOS 7 and their 
predecessors, ``ever compromised?'' That was the question to 
Apple.
    Apple's written response was, and I am quoting the 
response, ``The process Apple used to extract data from locked 
iPhones running iOS 7 or earlier operating systems was not, to 
our knowledge, compromised.''
    Now Apple's answer to this crucial question shows what we 
have long suspected, that Apple's method of data extraction 
under iOS 7 posed no documented security problems.
    That being so, I believe there should be no unreasonable 
security risk in a going-forward solution, if court-ordered 
warrants can be honored by extracting responsive data off the 
smart phones.
    Now we know, I believe now, the risk of loss of security, 
on the one hand, may have been exaggerated. I know, on the 
other hand, speaking on behalf of law enforcement, that I can 
document the impact of warrant-proof devices on the security of 
the residents in my community.
    Let me give you, if I may, an impact of this new encryption 
protocol introduced by Apple.
    In my office alone, we now have more than 310 lawfully 
seized iPhones running iOS 8 or 9 that are completely 
inaccessible, despite court-ordered search warrants having been 
issued for them. These devices represent hundreds of real 
crimes against New Yorkers that we cannot fully investigate, 
including cases of homicide, child abuse, human trafficking, 
assault, cybercrime, and identity theft.
    Now, that is just my office. The data from across the 
country tell a similar story.
    In California, the Los Angeles County Sherriff's Department 
has amassed more than 150 inaccessible devices. The L.A. Police 
Department has more than 300. The Roseville Police Department 
has more than 200. Riverside County, California, has 12 
inaccessible devices connected just to murder cases alone. The 
Charlotte-Mecklenburg Police Department in North Carolina has 
160 inaccessible devices. In Texas, the Harris County DAs 
office collected more than 100 inaccessible devices in 2015 and 
have encountered 8 to 10 inaccessible devices per month so far 
this year. In Massachusetts, the Suffolk County DA representing 
Boston has 129 inaccessible devices.
    Now this brief list shows the problem from the perspective 
of some members of State and local law enforcement.
    Even this small sampling represents more than 1,000 cases 
in which local prosecutors lacked the evidence that we need, 
and that juries demand, to hold criminals accountable, in some 
cases exonerate the innocent, and deliver justice for victims 
and safety in our streets.
    Now it is, respectfully, in my view, no answer to suggest, 
as some have, that government should develop the capacity to 
hack into these devices. In my opinion, a technological arms 
race between the Federal Government and Silicon Valley is not 
in our collective interest.
    The enormous cost and energy of such a conflict are better 
directed, in my opinion, against our common enemies, the 
criminals.
    Furthermore, local law enforcement agencies do not have the 
resources to access each lawfully seized device and would be 
required to send each device to costly third-party companies 
for analysis and data extraction.
    According to the reports, the FBI paid in the neighborhood 
of $1 million to bypass the terrorist passcode in the San 
Bernardino case. I can assure you that amount represents more 
than the budgets for all law enforcement in many counties 
across the country.
    Despite the large number of experts in the field of digital 
forensics and cryptology, such experts are still several models 
behind Apple's iPhones. The method employed to open Syed 
Farook's iPhone in the San Bernardino case reportedly works 
only on that particular iPhone, and only until Apple finds and 
patches the flaw the FBI was able to exploit.
    Senators, surely the solution to the encryption problem is 
not a technological arms race. It is, in my opinion, Federal 
legislation.
    I appreciate that some are skeptical of Federal regulation. 
Federal regulation of consumer products that impact public 
safety has been a part of our legal landscape for more than 100 
years. Numerous industries, especially in financial services, 
are required by Federal regulators to retain data expressly for 
the purpose of helping to combat fraud and other wrongdoing.
    Federal regulation is already important in the 
communications industry. When telephone companies went from 
using copper wires to using fiber optics and digital signals, 
the police could no longer use their old techniques of 
executing wiretap orders, so Congress passed CALEA 
[Communications Assistance for Law Enforcement Act], mandating 
that telecom providers build into their systems mechanisms for 
law enforcement to install court-ordered wiretaps.
    Many of these regulations initially faced resistance, and 
the affected industries argued that the regulations were 
imposing upon individuals' privacy interests. Over time, the 
regulations have been accepted. It is clear that they play an 
important part in our society, especially in keeping people 
safe from harm.
    Now our office's proposed solution, which was proposed in a 
white paper that we published in September 2014, is to enact a 
Federal statute providing that data on any smart phone made or 
sold in the United States needs to be accessible, not by law 
enforcement, but by the designer of the phone's operating 
system when the company is served with a valid search warrant 
issued by a court.
    If a person or entity such as Apple offers encryption 
software, it has to have the ability to provide data, also in 
response to judicial order.
    The solution, as I say is spelled out in our 2015 report, 
does not require new technology or any government backdoor. 
Under this solution, Apple would be able to comply with 
judicial warrants and offer the same strong encryption that it 
employed without, to our knowledge, a single documented breach 
before it adopted the default device encryption under iOS 8.
    The focus of the proposed legislation, we believe, is 
appropriate because, since September 2014, our primary obstacle 
in local law enforcement has involved getting access to data at 
rest on the smart phones in our possession. That would be no 
small achievement, because it is local law enforcement that 
prosecutes more than 95 percent of the criminal cases in this 
country.
    As it stands today, Apple and Google, not a court, not 
Congress, decide who has access to key evidence in criminal 
investigations and trials. I cannot and I do not believe it is 
right that two private companies should decide which victims 
can achieve justice in our country.
    There has been discussion about convening task forces to 
examine the science and policy implications of default device 
encryption. That may well be a good step, but I urge Congress 
to act quickly. Twelve months of taking testimony resulting in 
nonbinding recommendations in a report will not adequately 
address the urgency of the problem that local law enforcement 
faces.
    Time is simply not a luxury that local law enforcement, 
crime victims, or communities can afford. Our laws require 
speedy trials. Victims are waiting for justice. Criminals must 
be held accountable before they can reoffend.
    Centuries of jurisprudence hold that no item--not a home, 
not a file cabinet, and not a smart phone--is beyond the reach 
of a court order. Our access to data today is grounded in and 
limited by the Fourth Amendment, which authorizes only 
reasonable searches based on probable cause, supported by a 
particularized search warrant, issued by a neutral judge.
    Senators, that burden, not warrant-proof encryption, I 
believe, is the strongest safeguard we have in balancing 
privacy and public safety.
    Thank you very much.
    [The prepared statement of Mr. Vance follows:]

Prepared Statement by New York County District Attorney Cyrus R. Vance, 
                                  Jr.

    Good morning Chairman McCain, Ranking Member Reed, and 
members of the Senate Committee on Armed Services. On behalf of 
my office and our partners in state and local law enforcement, 
I thank the Committee for its work and attention to what is not 
only a critically important issue of national security, but 
also an issue of public safety and justice for crime victims in 
thousands of local jurisdictions across the United States.
    The decision by Apple and Google to engineer their mobile 
devices to be, in effect, ``warrant-proof'' has upended the 
balance that we have long enjoyed between privacy and public 
safety. Without federal legislation to restore that balance, we 
have delegated to businesses like Apple and Google the power to 
set it themselves.
    The debate over encryption and public safety has matured 
significantly since 2014. The issue has crossed over into 
mainstream consciousness, owing in large part to Apple's public 
refusal to assist the FBI with unlocking a terrorist's iPhone 
in San Bernardino. The San Bernardino episode introduced many 
Americans for the first time to the problem posed by smartphone 
encryption in criminal investigations, and my office and our 
partners have gone to some lengths to demonstrate to the public 
and to policymakers the full scope of the challenge in each of 
our jurisdictions.
    The basic facts underlying this debate are really not in 
dispute. First, as Tim Cook said himself in his open letter to 
customers dated February 16, 2016: ``Smartphones, led by 
iPhone, have become an essential part of our lives.'' \1\ As a 
citizen, I certainly appreciate the many benefits of the 
internet age.
---------------------------------------------------------------------------
    \1\ Tim Cook, ``A Message to Our Customers'' (Feb. 16, 2016), 
http://www.apple.com/customer-letter/.
---------------------------------------------------------------------------
    Second, these devices are also essential to criminals. Our 
office investigates and prosecutes a wide range of cases--from 
homicide to sex crimes, from international financial crime to 
terrorism. In all those crimes and others, it is undisputed 
that criminals use smartphones to share digital information, 
and to plan and commit crimes, whether through iMessages, 
photos, or videos.
    Third, criminals know iPhones now enable them to 
communicate with impunity about their crimes. The criminals are 
thrilled with this development. That is not hyperbole. In a 
real example from a case in my office, an incarcerated 
defendant on a pending sex crimes charge tells his friend on a 
lawfully recorded landline phone from jail, ``Apple and Google 
came out with these softwares [sic] that I can no longer be 
[un]encrypted by the police . . . [i]f our phone[s are] running 
on iOS8 software, they can't open my phone. This may be 
[a]nother gift from God.''
    That is not a gift from God, but an unintended gift from 
two of the largest technology companies in the world.
    Fourth, Apple and Google's decisions limit our access to 
critical information under a questionable claim of an increase 
in privacy. The encryption Apple provided on its mobile devices 
pre-iOS 8--that is, up until the end of September, 2014--was 
both secure for its customers and amenable to court-authorized 
searches. We have good cause to believe that because Apple 
itself characterized its iOS 7 operating system as the ultimate 
in privacy, touting its proven encryption methods, and assuring 
users that iOS 7 could be used with confidence in any personal 
or corporate environment.1A\2\ Under iOS 7, Apple also 
maintained the ability to help--in Apple's own words--``police 
investigating robberies and other crimes, searching for missing 
children, trying to locate a patient with Alzheimer's disease, 
or hoping to prevent a suicide.''1A\3\ Which is to say, Apple 
itself had already demonstrated that strong encryption and 
compliance with court orders were not incompatible.
---------------------------------------------------------------------------
    \2\ See Apple, ``iOS Security'' (May 2012), at p. 2,
    \3\ Apple, ``Apple's Commitment to Customer Privacy'' (June 16, 
2013), http://www.apple.com/apples-commitment-to-customer-privacy/.
---------------------------------------------------------------------------
    Given Apple's own statements about the security of iOS 7, 
shortly after Apple's re-engineering of its phones to prevent 
search warrant access by law enforcement, I asked it in a 
letter dated March 2015, whether there was a bona fide security 
reason to make its new operating system, iOS 8, warrant-proof. 
\4\ Apple chose not to answer me, but in March of this year, 
the House Judiciary Committee compelled Apple to answer the 
same question. That Committee asked Apple the following 
question, in writing, ``Was the technology you possessed to 
decrypt these phones''--and the clear reference is iOS7 phones 
and their predecessors--``ever compromised?'' Apple's written 
response was: ``The process Apple used to extract data from 
locked iPhones running iOS 7 or earlier operating systems was 
not, to our knowledge, compromised.'' \5\ (Emphasis added.)
---------------------------------------------------------------------------
    \4\ Letter from Cyrus R. Vance, Jr. to Jane Horvath, Senior 
Director of Global Privacy for Apple, Inc. (March 31, 2015), attached 
as Appendix II to the Report of the Manhattan District Attorney's 
Office on Smartphone Encryption and Public Safety (Nov. 2015), http://
manhattanda.org/sites/default/files/
11.18.15%20Report%20on%20Smartphone%20Encryption%20and%20Public%20Safety
.pdf.
    \5\ Bruce Sewell, Senior Vice President and General Counsel for 
Apple, Inc., Responses to Questions for the Record, ``The Encryption 
Tightrope: Balancing Americans' Security and Privacy,'' at p. 2. http:/
/docs.house.gov/meetings/JU/JU00/20160301/104573/HHRG-114-JU00-Wstate-
SewellB-20160301-SD001.pdf.
---------------------------------------------------------------------------
    Apple's answer to this crucial question shows what we have 
long suspected: That Apple's method of data extraction under 
iOS 7 posed no documented security problems. That being so, 
then there should be no unreasonable security risk going 
forward if we return to the procedure where court-ordered 
warrants can be honored by extracting responsive data off of 
smartphones.
    Let me give you the impact of this new encryption protocol 
introduced by Apple. In my office alone, we now have more than 
310 lawfully-seized iPhones running iOS 8 or 9 that are 
completely inaccessible, despite court-ordered search warrants 
having been issued for them. These devices represent hundreds 
of real crimes against New Yorkers that we cannot fully 
investigate, including cases of homicide, child sex abuse, 
human trafficking, assault, cybercrime, and identity theft.
    The data from across the country tells a similar story. In 
California, the Los Angeles County Sheriff's Department has 
amassed more than 150 inaccessible devices, the Los Angeles 
Police Department has more than 300, and the Roseville Police 
Department has more than 200. Riverside County, California has 
12 inaccessible devices connected to murder cases alone. The 
Charlotte-Mecklenburg Police Department in North Carolina has 
160 inaccessible devices. In Texas, the Harris County District 
Attorney's Office collected more than 100 inaccessible devices 
in 2015 and have encountered 8 to 10 inaccessible devices per 
month so far this year. In Massachusetts, the Suffolk County 
District Attorney's Office has 129 inaccessible devices.
    My brief list shows the problem from the perspective of 
some members of state and local law enforcement. Even this 
small sampling represents more than one thousand cases in which 
local prosecutors lack the evidence that we need--and that 
juries demand--to hold criminals accountable, exonerate the 
innocent, and deliver justice for victims and safety in our 
streets.
    Some have argued that we now live in a ``Golden Age of 
Surveillance,'' and therefore, prosecutors do not need 
smartphone evidence to effectively do our jobs. They frequently 
point to the availability of metadata, which is what we can 
obtain from a wireless carrier. Metadata typically consists of 
the time at which a call was placed or a message sent, and the 
phone numbers of the parties to that call or message. Metadata, 
while useful, is extremely limited because it does not include 
the substance of a call or message. With metadata, I can show 
that two people spoke before a criminal incident, but I cannot 
show what they said, and that information, of course, will be 
critical for proving their intent and the scope of their 
agreement.
    The same is often true for social media--it can be a good 
tool for figuring out whether people know each other, but in 
many cases, it does not provide the level of content that we 
need to make our case. For law enforcement to investigate, 
prosecute, and exonerate most effectively, we need access to 
substantive evidence when we have a court order.
    The problems created by default device encryption manifest 
themselves differently in almost every criminal case. Without 
critical evidence on smartphones, prosecutors may not be able 
to secure the most serious charge, but instead can only seek a 
lesser offense. As an example, my office recently handled a 
case where we had strong reason to believe that the defendant 
was running a human trafficking operation. With evidence from 
that defendant's smartphone locked behind a passcode known only 
to him, and existing solely on his device, we could only charge 
a far less serious offense, Promoting Prostitution, which 
carries less stringent penalties than human trafficking.
    In other cases, there may be co-conspirators to the 
criminal scheme, but without the substance of their 
communication with defendants, prosecutors cannot charge those 
co-conspirators at all. In other cases still, the defendant may 
have victimized additional people, but prosecutors cannot 
charge the defendant for those additional crimes without 
evidence contained on smartphones.
    In my view, it is no answer to say, as some suggest, that 
``government'' should develop the capacity to hack into 
devices. A technological arms race between the Federal 
Government and Silicon Valley is not in our collective 
interest. The enormous cost and energy of such a conflict are 
better directed against our common enemies, criminals.
    Furthermore, local law enforcement agencies do not have the 
resources to access each lawfully-seized device. Many lack in-
house forensics labs, and would be required to send each device 
to costly, third-party companies for analysis and data 
extraction. According to reports, the FBI paid upwards of a 
million dollars to bypass the terrorist's passcode in the San 
Bernardino case. That amount represents more than the budgets 
for all law enforcement agencies in many counties around the 
country.
    Despite the large number of experts in the field of digital 
forensics and cryptology, such experts are still several iPhone 
models behind Apple. The method employed to open Syed Farook's 
iPhone in the San Bernardino case reportedly works only on that 
particular model iPhone and that particular operating system, 
and only until Apple finds and patches the flaw that the FBI 
was able to exploit.
    The solution to the encryption problem is not a 
technological arms race. It is federal legislation. I 
appreciate that some are skeptical of federal regulation, but 
federal regulation of consumer products that impact public 
safety has been a part of our legal landscape for over 100 
years, and numerous industries, especially in financial 
services, are required by federal regulation to retain data 
expressly for the purpose of helping to combat fraud and other 
wrongdoing. Many of these regulations initially faced 
resistance, and the affected industries argued that the 
regulations were imposing upon individuals' privacy interests. 
Over time, the regulations have been accepted, and it is clear 
that they play an important part in our society, especially in 
keeping people safe from criminal harm.
    Federal regulation is already important in the 
communications industry. When telephone companies went from 
using copper wires to using fiber optics and digital signals, 
the police could no longer use their old techniques of 
executing wiretap orders, and so Congress passed the 
Communications Assistance for Law Enforcement Act (CALEA), 
mandating that telecom providers build into their systems 
mechanisms for law enforcement to install court-ordered 
wiretaps. CALEA has worked. It has saved lives, and it has 
withstood Constitutional challenge. It has not stifled 
innovation, as its opponents feared. It has not caused American 
consumers to migrate en masse to foreign competitors in search 
of greater privacy.
    Also consider financial services, one of the most regulated 
industries in our country. As we learned more about how 
criminals were using banks to move money, Congress required 
firms to fight money laundering and to better know their 
customers--and specifically, to retain customers' data and make 
that data available to law enforcement with a court order. Over 
time, government and industry came together to work out 
compliance costs and procedures, and a broad consensus in favor 
of these rules emerged. The industry recognized that absolutism 
on customer privacy was not in its best interest. Banks and 
investment firms did not want to be conduits for crime and 
terror.
    Here are a few other examples: DEA regulations require all 
U.S. pharmacies to maintain paper and electronic prescriptions 
bearing the name of the patient and prescriber, drugs 
dispensed, and dates filled. FTC regulations require any 
business that checks a customer's identification to maintain 
and provide victims and law enforcement with transaction 
records relating to identity theft. State regulations require 
private schools to maintain student data records, including 
records of attendance and suspected child abuse.
    I could go on. The point is that companies in nearly every 
industry are required by law to maintain voluminous customer 
records and produce criminal evidence when they receive a court 
order. When your introduction of goods and services into the 
stream of commerce overlaps with public safety, this is the 
price of doing business in the United States. You cannot sell a 
car in this country unless it has dual air bags. Smartphone 
encryption, one of the great public safety challenges of our 
time, remains almost entirely self-regulated.
    Apple and Google's position is that they must be exempt 
from these public safety obligations due to a cybersecurity 
risk unique to their sector. If we are going to make such an 
exemption--if we are going to agree to live with the collateral 
consequence of a little bit more crime and terror--then the 
need for this exemption must be grounded in sound data 
analysis. We need quantitative data--not rhetoric--to 
substantiate the benefits of unregulated, default device 
encryption on smartphones. If we are going to authorize--for 
the first time in our society--evidence-free zones, we need to 
be sure there was a problem that needed to be solved in the 
first place. We need to know what we are getting in exchange 
for trading away a measure of our public safety.
    My office's proposed solution is to enact a federal statute 
providing that data on any smartphone made or sold in the 
United States must be accessible--not by law enforcement, but 
by the maker of the smartphone's operating system--when the 
company is served with a valid search warrant. If a person or 
entity such as Apple offers encryption software, it has to have 
the ability to provide data in response to a judicial order.
    This solution--as spelled out in my office's 2015 Report on 
Smartphone Encryption and Public Safety--requires no new 
technology, and no government backdoor. I want to make it clear 
that we do not want to ban encryption. There is probably no 
office in the country that deals with more cybercrime and 
identity theft cases than mine, so of course, we support strong 
encryption. Under our proposed solution, Apple would be able to 
comply with judicial warrants, and to offer the same strong 
encryption that it employed without a single documented breach 
before it adopted default device encryption in iOS 8.
    This solution is limited to data at rest on smartphones. It 
would not affect encryption of data in motion. I cannot at this 
time offer a technical fix to address data in motion. I am 
confident, however, that engineers from industry and 
government, working together in good faith, can find one.
    The focus of my office's proposed legislation is 
appropriate because since September 2014, our primary obstacle 
in local law enforcement has involved getting access to data at 
rest on smartphones that we possess. That would be no small 
achievement because it is local law enforcement that prosecutes 
more than 95 percent of crimes committed in the United States.
    As it stands today, Apple and Google--not a court, not 
Congress--decide who has access to key evidence in criminal 
investigations and trials. I cannot, and do not believe it is 
right, that two private companies should decide which victims 
can achieve justice.
    There has been discussion about convening task forces to 
examine the science and policy implications of default device 
encryption. That may be a good step, but I urge Congress to act 
quickly. Twelve months of taking testimony resulting in non-
binding recommendations in a report will not adequately address 
the urgency of the problem that local law enforcement faces. 
Time is not a luxury that local law enforcement, crime victims, 
or communities can afford. Our laws require speedy trials. 
Victims require justice. Criminals must be held accountable 
before they can reoffend.
    Centuries of jurisprudence hold that no item--not a home, 
not a file cabinet, and not a smartphone--is beyond the reach 
of a judicial order. Our access to data is grounded in and 
limited by the Fourth Amendment, which authorizes only 
reasonable searches, based on probable cause, supported by a 
particularized search warrant, issued by a neutral judge. That 
burden, not warrant-proof encryption, is the strongest 
safeguard we have in balancing privacy and public safety.
    Thank you for the opportunity to testify today.

    Chairman McCain. Thank you.
    Mr. Inglis?

    STATEMENT OF JOHN C. INGLIS, ROBERT AND MARY M. LOOKER, 
   PROFESSOR IN CYBER SECURITY STUDIES, UNITED STATES NAVAL 
 ACADEMY, AND FORMER DEPUTY DIRECTOR, NATIONAL SECURITY AGENCY

    Mr. Inglis. Thank you, Chairman McCain, Ranking Member 
Reed, and members of the committee. I am pleased to appear 
before you to talk today about cyber and encryption issues.
    In my opening remarks, I would like to cover three areas.
    First, I think it is important to lay out a framework of 
interests that can guide choices about desired or unwanted 
outcomes that transcend the technology discussions that so 
often dominate this debate.
    Second, I would like to offer my view, in the context of 
encryption within the system of systems we once referred to as 
the telecommunications sector and now variously refer to as the 
Internet or cyberspace. There are, of course, surgical 
applications of encryption that can be considered in isolation, 
but these tend to be the exception rather than the rule, even 
if they are considerably more tractable.
    Finally, I will suggest some implications of this 
discussion in the context of an increasingly interconnected 
world, one where it is unlikely that purely national solutions 
will either be acceptable or widely adopted.
    First, framing the issues. In trying to simplify and 
untangle the various threads of this discussion, it is tempting 
to focus first and foremost on technology and, more 
particularly, encryption. One of the perils of that approach is 
that it fails to first establish a foundation of principles and 
objectives that can drive the attributes of technology and 
other systems intended to serve the interests of society.
    There are, arguably, at least four interests converging 
here. The first is the desire by individuals for security of 
the communications and data that they transmit or store on 
digital devices and networks.
    This interest is often oversimplified as a desire to 
protect confidentiality of data, sometimes shorthanded as 
protecting privacy. The services of integrity and availability 
are often just as important, delivering needed confidence to 
the integrity and resilience of financial transactions, 
personal preferences, and the flow of critical resources 
ranging from energy to airplanes, and the like. Encryption 
technology can and does make a contribution to all three.
    The second interest in play here is the goal of protecting 
society from the actions of those who would use internet-based 
communications to plan, coordinate, and deliver harm to its 
collective security interests. This is not an idle threat and 
not a future prospect. These threats include, but are not 
limited to, the use of Internet-based communications to conduct 
illicit activities such as child pornography, terrorism, or the 
delivery of cyberthreats.
    Indeed, it is the demonstrated potential for encryption to 
provide anonymity and cover to those who threaten our 
collective interests that underpins law enforcement and the 
intelligence community's desire to gain access to the content 
of individual communications.
    The third interest in play is the desire of individuals or 
companies to freely innovate, create, share, and sell products 
in the marketplace without undue interference from government. 
The ability to do so, of course, is a vital component of U.S. 
freedoms and its economic and national security.
    Building upon the third interest, a fourth interest 
emerges, namely the need for U.S. companies to remain 
competitive in what has become a global marketplace, a desire 
that is particularly acute for companies doing business across 
differing legal regimes where the balance struck between 
individual and collective security is uneven.
    Solutions that arbitrarily deliver a unique advantage to 
one society above others will falter and fail in that world, 
risking not only a company's viability in foreign markets but 
the economic vitality and prosperity of the U.S. itself.
    Taken individually, each of these aims can be viewed as a 
laudable goal. Taken in sum, an unqualified commitment to one 
of the aims necessarily makes it more challenging to achieve 
one or more of the others. Further, the dynamic nature of 
technology and its creative application to the myriad tasks by 
millions of users, hundreds of millions of users, greatly 
increases the difficulty of striking and sustaining a 
particular balance over time.
    In any event, unless and until we determine which of these 
interests we want to support, we will be unable to judge the 
efficacy and suitability of any particular system, technology, 
or protocol.
    My bottom line point would be the following. Some would 
argue that these four interests constitute a choice. I believe 
this is shortsighted. The U.S. Constitution, as already noted 
by the Senators leading the hearing, provides useful guidance 
here in the use of the word ``and,'' not ``or,'' as the 
conjunction joining the preamble's enumeration of goals 
motivating the formation of a more perfect union.
    I am firmly convinced that the innovation, creativity, and 
industry exist to align and support all four of the interests I 
have outlined here.
    Whatever the choice may be, the premise of our union is 
that we must establish the overarching goal before devising 
laws, procedures, and technologies that advance those stated 
interests.
    There are two common misperceptions that often the cloud 
this debate vis-a-vis encryption. The first is that encryption 
stands on its own as a security tool. In practice, across the 
vast majority of security systems, encryption is just one of 
several mechanisms used in combination to deliver the desired 
mix of confidentiality, availability, and integrity. To be 
sure, it is an essential component of a globally deployed 
system protecting both data and motion and data at rest, but it 
is hardly sufficient in and of itself. Physical security, 
personnel security, user behaviors, hardware, software, 
security are all equally essential.
    I do not point this out to detract from the necessary focus 
on the resilience of encryption schemes, but to say that we 
should not fool ourselves that a strong right arm on an 
otherwise undeveloped frame is enough to protect our interests. 
This will be ever true as technology continues to advance.
    Second, and more important, is the misconception about 
encryption that it is a monolithic thing, that it is either on 
or that it is off. A quick look at the diversity of user 
expectations and vendor choices reveals that it is far more 
nuanced and complicated. Some users want their data encrypted 
so that they can be the only ones who can recover it--no vendor 
backups, no emergency recovery service, no possibility of 
third-party access or government surveillance.
    Other users want a safety net, the ability to recover a 
lost key, retrieve lost data, backup data on some mediums, say 
the cloud, that is recoverable under a variety of 
circumstances.
    Adding to that, vendor choices regarding their service 
offerings cater to this broad array of user preferences while 
adding an overlay of vendor-preferred attributes. Some vendors 
deliver encryption systems that cannot be penetrated by even 
the vendor himself or herself, either for their purposes or on 
behalf of others. Other vendors build and deliver systems that 
contain exceptional access mechanisms, built-in means to remove 
the overlay of encryption at various points in the transport or 
storage of that piece of data.
    The commercial reasons for this exceptional access run the 
gamut from creating safety nets for users seeking to recover 
data to enabling access to data by a party other than the data 
owner--in some cases, the vendor himself or herself--because 
they want to actually access that content for purposes of their 
business proposition.
    The result is an architectural landscape where some vendors 
place security controls wholly in the hands of users while 
others deliver systems that allow vendor or third parties to 
access user data because that access is essential to the 
vendor's business model.
    The point is that these differing approaches are not 
generally portrayed as weak versus strong encryption. They are 
more properly differentiated by their choice of how and when 
the protected materials may be revealed.
    This diversity of choices reflects, of course, the reality 
of a free market economy and the rights of individuals, 
including companies, to pursue features of their own 
preference. As such, these choices are neither good nor bad. 
They are just choices.
    This diversity suggests there is no one design principle 
driving the use of encryption. If we assume that these same 
market forces will deliver a principled reconciliation, if not 
an alignment, of societal goals that will endure over time, we 
should only look at the diverse user expectations, the diverse 
technologies in the marketplaces, and remember the excesses 
periodically delivered by markets to come to a different 
conclusion that that is not the solution.
    In the face of this natural diversity and architectural 
choices, the use of terms like backdoors and secret keys must 
be seen as pejorative and unhelpful. It is ultimately 
determined by a system designer that it is appropriate to 
provide a means for exceptional access through some party other 
than the data owner.
    Generally, they ask three questions. Is there a legitimate 
purpose being served? Does the data owner understand the nature 
if not the details of the potential access? Are the controls on 
the access sufficient to ensure that such access is constrained 
to the identified purpose?
    In summarizing, I would like to actually tease out some 
implications enumerated or perhaps surfaced by those two broad 
topics of discussion.
    First, the use of strong encryption is an essential 
component of security for our Nation and our citizens. The 
fundamental question is not whether to choose one purpose or 
another, but to determine how access to stored or transmitted 
data is controlled by the application of strong encryption that 
is technically feasible to do then.
    Second, a framework to reconcile the various interests 
arguing for potentially different technical solutions will be 
best served by first reconciling if not aligning our societal 
goals.
    Third, if our goal is to deliver security to individuals, 
and security for the American people writ large, and continued 
economic vitality in a global marketplace, then we must deliver 
these goals in a global context, neither surrendering nor 
wholly favoring U.S. security to the detriment of like-minded 
nations.
    Along those lines, fourth, it is considerably more likely 
that law enforcement interests can be parsed into international 
norms than can national security interests. A bias, therefore, 
toward law enforcement interests in this area may be 
appropriate to deliver the framework that we seek and the 
attendant solutions that then work within that framework.
    Fifth, as I have said before, market forces alone have 
seldom shown themselves able to deliver consistent alignment of 
societal outcomes across diverse products and services and 
typically have never done that across time.
    Finally, inasmuch as I describe a mandate for government 
action in this space, I think government action is both 
required and must be fully informed by various interests 
government is formed to represent; focused on ensuring the 
various freedoms and rights of individuals while also 
maintaining collective security--we can do both; and mindful 
that the engine of innovation and delivery is almost 
exclusively found in the private sector.
    To be clear, I do see a role for government in both 
facilitating the creation of an enduring values-based framework 
that will drive technology and attendant procedures and in 
reconciling that framework to like-minded nations across the 
world.
    Conversely, I believe government's failure to serve in this 
role will effectively defer leadership to a combination of 
market forces and the preference of other nation-states, which 
will drive unopposed solutions that we are likely to find far 
less acceptable.
    In spirit, I applaud the initiative of this committee and 
the further work that it undertakes today, and I look forward 
to your questions.
    [The prepared statement of Mr. Inglis follows:]

                   Prepared Statement by Chris Inglis
    Thank you, Chairman McCain, Ranking Member Reed, and Members of the 
Committee. I am pleased to appear before you today to talk about cyber 
and encryption issues with a specific focus on the challenges to law 
enforcement caused by encryption.
    The issues in play here are technically complex but, more 
importantly, cut across several distinguished interests that are not 
easily reconciled. Consistent with its powers under Article I, I 
believe the Congress will be an essential component of our ability to 
identify, create and sustain the framework needed to align the various 
interests in play.
    My comments today are derived from twenty-eight years of experience 
at the National Security Agency working both of its related but 
distinguished missions: the Information Assurance mission supporting 
the defense of critical information and networks, and the Signals 
Intelligence mission which generates foreign intelligence needed to 
inform the Nation's defense. While I possess technical degrees in 
engineering and computer science, the majority of my career at the 
National Security Agency was spent in leadership positions, including 
seven and one half year's service as NSA's senior civilian and Deputy 
Director during the period 2006-2014.
    In my opening remarks, I would like to cover three areas:
      First, I think it is important to lay out the framework 
of interests that can guide choices about desired, or unwanted outcomes 
that transcend the technology discussions that have so often dominated 
this debate.
      Second, I will offer my view on the context of encryption 
within the systems-of-systems we once referred to as the 
telecommunications sector and now variously refer to as the internet or 
cyberspace. There are, of course, surgical applications of encryption 
that can be considered in isolation but these tend to be the exception 
rather than the rule, even if they are considerably more tractable in 
sorting out desired outcomes and equities.
      Finally, I will suggest some implications of this 
discussion in the context of an increasingly interconnected world--one 
where it is unlikely that purely national solutions will either be 
acceptable or widely adopted.
                      framing the issues in play:
    In trying to simplify and untangle the various threads of this 
discussion, it is tempting to immediately focus on the technology, and 
more particularly encryption. One of the perils of that approach is 
that it fails to first establish a foundation of principles and 
objectives that can drive the attributes of technology and other 
systems intended to serve the interests of society.
    There are arguably at least four interests converging here.
      The first is the desire by individuals for security of 
the communications and data they transmit across or store on digital 
devices and networks. This interest is often over-simplified as the 
desire to protect the confidentiality of data communicated across or 
stored in cyberspace--sometimes short-handed as ``protecting privacy''. 
The services of integrity and availability are often just as 
important--delivering needed confidence to the integrity and resilience 
of financial transactions, personal preferences, and the flow of 
critical resources ranging from energy to airplanes. Encryption 
technology can and does make a contribution to all three of the basic 
security services, transcending the issue of privacy alone.
      The second interest in play here is the goal of 
protecting society from the actions of those who would use internet 
based communications to plan, coordinate or deliver harm to its 
collective security interests. These threats include but are not 
limited to the use of internet based communications to conduct illicit 
activity such as child pornography, terrorism, or the delivery of cyber 
threats. Indeed, it is the demonstrated potential for encryption to 
provide anonymity and cover to those who threaten our collective 
interests that underpins law enforcement's and the intelligence 
community's desire to gain access to the contents of individual 
communications.
      The third interest in play here is the desire of 
individuals or companies to freely innovate, create, share and sell 
products in the marketplace without interference from government. Their 
ability to do so is, of course, a vital a component of U.S. freedoms 
and its economic and national security.
      Building upon the third interest, a fourth interest 
emerges, namely the need for U.S. companies to remain competitive in 
what has become a global marketplace, a desire that is particularly 
acute for companies doing business across differing legal regimes where 
the balance struck between privacy and collective security is uneven. 
Solutions that arbitrarily deliver unique advantage to one society 
above others will falter and fail in that world, risking not only a 
company's viability in foreign markets but the economic vitality and 
prosperity of the U.S. itself.
    Taken individually, each of these aims can be viewed as a laudable 
goal. Taken in sum, an unqualified commitment to one of the aims 
necessarily makes it more challenging to achieve one or more of the 
others. Further, the dynamic nature of technology and its creative 
application to myriad tasks by millions of users greatly increases the 
difficulty of striking and sustaining a particular balance over time. 
Keeping up with this ever changing landscape has always been a 
challenge for the conduct of lawful surveillance by law enforcement or 
intelligence agencies. This is generally referred to by the law 
enforcement community as ``going dark''. Encryption is only one 
component of this challenge.
    In any event, unless, and until, we determine which of these 
interests we want to support, we will be unable to judge the efficacy 
and suitability of any particular system, technology, or protocol.
    Some would argue that these four interests constitute a choice. I 
believe this is shortsighted. The U.S. Constitution provides useful 
guidance here in its use of the word ``and'', not ``or'' as the 
conjunction joining the preamble's enumeration of goals motivating the 
formation of a ``more perfect union'': ``to provide for the common 
defence, promote the general Welfare, and secure the Blessings of 
Liberty to ourselves''.
    I am firmly convinced that the innovation, creativity and industry 
exist to align and support all four of the interests I've outlined 
here. Whatever the choice may be, the premise of our union is that we 
must establish the overarching goal before devising laws, procedure and 
technologies that advance those stated interests.
                  on the nature of ``secure systems''
    There are two common misconceptions that often cloud this debate. 
The first is that encryption stands on its own as a security tool. In 
practice, across the vast majority of security systems, encryption is 
just one of several mechanisms used in combination to deliver the 
desired mix of confidentiality, availability and integrity. To be sure, 
encryption is an increasingly essential component of a globally 
deployed security system, protecting both data in motion and at rest, 
but it is hardly ever sufficient in and of itself. Physical security, 
personnel security, user behaviors, and hardware and software security 
are all equally essential components. This observation is not meant to 
detract from a necessary focus on the resilience of encryption schemes 
but we should not fool ourselves that a strong right arm on an 
otherwise underdeveloped frame is enough to protect our interests. This 
will be ever truer as technology continues to advance. By way of 
example, the possibility of quantum computing should remind us that our 
focus should be on determining principles that will endure across the 
inexorable roil of technology transformation.
    The second, and more important, misconception about encryption is 
that it's a monolithic thing. That you either have it ``on'' or you 
don't.
    A quick look at the diversity of user expectations and vendor 
choices reveals that it's far more nuanced and complicated.
    Some users want their data encrypted so that only they can recover 
it. No vendor backups. No emergency recovery service. No possibility of 
third party access or government surveillance.
    Other users want a safety net--the ability to recover a lost key, 
or retrieve lost data by backing it up on some medium, say the 
``cloud'', that's recoverable under a variety of circumstances.
    More significantly, vendor choices regarding their service 
offerings cater to this broad array of user preferences while adding an 
overlay of vendor preferred attributes. Some vendors deliver encryption 
systems that cannot be penetrated by the vendor, either for its own 
purposes, or on behalf of others, whether that's the user or the 
government. Other vendors build and deliver systems that contain 
``exceptional access mechanisms''--built-in means to remove the overlay 
of encryption at various points in the transport or storage of a piece 
of data. The commercial reasons for this ``exceptional access'' run the 
gamut from creating safety nets for users seeking to recover data when 
they cannot remember or find their encryption keys, to enabling access 
to data by a party other than the data owner for the purpose of 
analyzing user content to tee up targeted advertising or other 
commercial offerings.
    The result is an architectural landscape where some vendors place 
security controls wholly in the hands of the user while others deliver 
systems that allow the vendor, or third parties, to access user data 
because that access is essential to the vendor's business model. These 
differing approaches are not generally portrayed as weak versus strong 
encryption. They are more properly differentiated by their choice of 
how and when the protected materials may be revealed.
    This diversity of choices reflects the reality of a free market 
economy and the rights of individuals, including companies, to pursue 
features of their own preference. As such, these choices are neither 
good nor bad. They're just choices. Moreover, this diversity in 
approach suggests that there is no one design principle driving the use 
of encryption, and most certainly there is no one way to make good use 
of it. If we assume that these same market forces will deliver a 
principled reconciliation, if not an alignment, of societal goals that 
will endure over time, diverse user expectations, and attendant 
technology transformation we need only observe the diversity of choices 
currently available, or remember the excesses periodically delivered by 
markets seeking private advantage for some company or segment of the 
private sector.
    In the face of this natural diversity in architectural choices, the 
use of terms like ``backdoors'' and ``secret keys'' must be seen as 
pejorative and unhelpful. If it is ultimately determined by system 
designers that it is appropriate to provide a means for exceptional 
access for some party other than the data owner, the important 
questions will be: ``Is there a legitimate purpose being served?'' 
``Does the data owner understand the nature, if not the details, of the 
potential access?'' and ``Are the controls on the access sufficient to 
ensure such access is constrained to the identified purpose and not 
abused?''
Summarizing:
    I will summarize my opening remarks by enumerating the key 
implications suggested by them:
    First, the use of strong encryption is an essential component of 
security for our nation and our citizens. The fundamental question in 
such systems is how access to stored or transmitted data is controlled 
by the application of strong encryption.
    Second, a framework to reconcile the various interests arguing for 
potentially different technical solutions in this debate will be best 
served by first reconciling, if not aligning, our societal goals before 
considering a particular implementation offered by one or more vendors, 
the government, or subject matter experts.
    Third, if our goal is to deliver security for individuals, and 
security for the American people writ large, and continued economic 
vitality in a global marketplace for American industry then our 
framework must align and deliver these three goals in a global context, 
neither surrendering nor wholly favoring U.S. security to the detriment 
of like-minded Nations.
    Fourth, it is considerably more likely that law enforcement 
interests can be parsed into international norms than can national 
security interests. A bias towards law enforcement's interests in this 
area may be appropriate to deliver a framework and attendant solutions 
that work across national boundaries and to address the more pressing 
needs of local law enforcement, which often lack the technical 
resources to pursue other means of accessing data pursuant to a lawful 
investigation.
    Fifth, market forces, alone, have seldom shown themselves able to 
deliver a consistent alignment of societal outcomes across the diverse 
products and services of vendors at any time, and have never delivered 
one across time.
    Finally, in as much as I describe a mandate for government action 
in this space, I think government action must be:
      Fully informed by the various interests government is 
formed to represent;
      Focused on ensuring the various freedoms and rights of 
individual citizens while also maintaining collective security;
    and
      Mindful that the engine of innovation and delivery is 
almost exclusively found in the private sector.
    To be clear, I do see a role for government both in facilitating 
the creation of an enduring, values based, framework that will drive 
technology and attendant procedures to serve society's interests, and 
in reconciling that framework to-and-with like-minded Nations in the 
world.
    Conversely, I believe government's failure to serve in this role 
will effectively defer leadership to a combination of market forces and 
the preferences of other nation-states which will drive, unopposed, 
solutions that we are likely to find far less acceptable.
    In that spirit, I applaud the initiative and further work of this 
committee in taking up the matter and working through these difficult 
issues.
    I look forward to your questions.

    Chairman McCain. Thank you.
    Mr. Wainstein?

 STATEMENT OF HONORABLE KENNETH L. WAINSTEIN, FORMER ASSISTANT 
 ATTORNEY GENERAL FOR NATIONAL SECURITY, DEPARTMENT OF JUSTICE

    Mr. Wainstein. Chairman McCain, Ranking Member Reed, 
members of the committee, thank you very much for the 
invitation to appear before you today.
    As my colleagues have made clear, we are in the midst of a 
national debate over the implications of default encryption. 
This is a debate that has been going on for the better part of 
two years, and we now find ourselves at really what is a 
complete impasse. It is time, I urge, for Congress to step in 
and break through that impasse.
    Congress has played a pivotal role over the years in 
striking a balance between individual and societal privacy 
interests on one hand, and our Government's law enforcement and 
national security interests on the other.
    That is what it did when it passed title III and FISA, 
which mandated a judicial process for issuing warrants and 
orders for criminal and national security wiretaps. That is 
what it did when it passed the Communications Assistance for 
Law Enforcement Act, CALEA, that my colleague referenced, 
requiring telecommunications carriers to equip themselves to 
ensure the government can conduct lawfully authorized 
surveillance on their systems.
    Despite these laws, gaps started to appear in our 
surveillance capabilities in the last decade, and government 
officials started to worry that they were going dark. This 
going dark issue has become exponentially more problematic with 
the recent advent of the default encryption, as a result of 
which providers and manufacturers are now often completely 
unable to satisfy lawful court surveillance orders.
    This dilemma is now clear for all to see, and the lines of 
the debate have been drawn with government officials arguing 
that default encryption can endanger our country by creating 
safe places for criminals and terrorists to operate outside the 
reach of law enforcement and national security officials, and 
with representatives of the technology and civil liberties 
communities countering with a variety of arguments, including 
that any accommodation for government surveillance would 
undermine the security of encryption, that any accommodation 
would cause U.S. technology companies to lose customers who 
might be skeptical of a company that cooperates with the U.S. 
Government, and that any accommodation would simply cause 
wrongdoers to start using foreign encrypted services as opposed 
to services here in the U.S. that are subject to that 
accommodation.
    Citing these and other arguments, some of the technology 
and civil liberties communities have taken an absolutist 
position that there should be no government accommodation at 
all.
    Now, while I fully appreciate the tremendous societal value 
of strong encryption, and I appreciate the validity of the 
technology industry's concerns, I do not believe that that is 
the end of the discussion. Our surveillance capabilities are 
just too important to our national security. It is due in large 
part to those capabilities that we have had success in 
protecting our country against large-scale terrorism since 9/
11.
    That record of success, however, is now being tested by the 
rise of ISIS, which clearly recognizes the operational value of 
encrypted communications, as it has issued its members guidance 
on encryption and it intentionally uses encrypted apps in its 
recruiting efforts.
    With this gathering threat on the horizon, now is the time 
for Congress to mobilize and embark on a legislative process 
that calls on both sides of this debate to fully lay out the 
basis for their views.
    For the government, this means completely explaining how 
significantly their different investigative efforts are or are 
not handicapped by the use of default encryption technologies. 
For the technology industry and civil liberties groups, this 
means providing hard data that demonstrates exactly how and how 
much each possible type of potential accommodation would impact 
their encryption system.
    It is only when Congress receives this data that it can 
knowledgeably balance the potential cyber dangers posed by any 
government accommodation against the national security and law 
enforcement benefits of having one in place.
    Congress can undertake this effort either through a 
traditional legislative process or through the establishment of 
a commission like that that has been proposed by Senator Warner 
and Chairman McCaul. Either of these options would be a 
significant step forward from where we are now.
    The option that is not a step forward is the option of 
inaction and continued impasse. We have seen the consequences 
of that option before, as that was the option the government 
effectively pursued in the late 1990s and early 2000s when 
debating the wisdom of the wall, which was the regulatory 
barrier that prevented coordination and information-sharing 
between law enforcement and intelligence community personnel.
    That inaction had tragic consequences when the existence of 
the wall contributed to our inability to identify the 9/11 
hijackers and to prevent them from launching their attacks. 
Congress dismantled the wall when it passed the PATRIOT Act 6 
weeks after 9/11, but that was too late for the 3,000 murdered 
Americans.
    We made the mistake of inaction once before. We must not 
make it again.
    I applaud the committee for holding today's hearing and 
showing leadership on this issue. It gives me hope that we can, 
in fact, move beyond the current impasse and reach a workable 
solution to this critical problem.
    My thanks again for inviting be here today, and I look 
forward to answering your questions.
    [The prepared statement of Mr. Wainstein follows:]

               Prepared Statement by Kenneth L. Wainstein
    Chairman McCain, Ranking Member Reed, and distinguished Members of 
the Committee, thank you for the invitation to appear before you today. 
My name is Ken Wainstein. I am a partner at the law firm of Cadwalader, 
Wickersham & Taft, and I previously served as the Homeland Security 
Advisor to President George W. Bush, as the Assistant Attorney General 
for National Security, and in a variety of other positions in the 
Justice Department. Thank you for the opportunity to address the 
pressing national security issues raised by encryption.
                            i. introduction
    We are in the midst of a national debate that was triggered by the 
recent adoption of default encryption by large communications service 
providers. The debate is between those in government who insist there 
should be a technical accommodation allowing them to penetrate 
encryption and surveil criminal and terrorist communications and those 
in the technology and civil liberties communities who insist that any 
such accommodation would compromise encryption and jeopardize the 
security of our communications. This debate has been going on for about 
two years, and we now find ourselves at an impasse with neither side 
showing any sign of backing down.
    It is time for Congress to step in and break through that impasse. 
Congress has long played a pivotal role in striking the balance between 
individual and societal privacy interests and our Government's law 
enforcement and national security interests. Congress should play that 
role once again by pushing both sides of this debate toward a solution 
to this impasse.
                          ii. legal background
    Since the dawn of telephony, we have wrestled with the question of 
when and under what conditions government investigators should be 
allowed access to the content of private communications. In the 1967 
decision Katz v. United States, the Supreme Court ruled that an 
individual has a reasonable expectation of privacy in the content of 
his or her phone calls, and the next year Congress passed title III of 
the Omnibus Crime Control and Safe Streets Act, mandating the process 
by which the government must make a probable-cause showing to secure a 
judicial warrant authorizing it to use a wiretap. After Congressional 
investigations in the 1970's revealed a series of surveillance abuses 
against persons like Dr. Martin Luther King, Jr., Congress passed the 
Foreign Intelligence Surveillance Act of 1978 (``FISA'') creating a 
process of judicial review and approval for electronic surveillance to 
obtain information related to foreign intelligence, international 
terrorism, foreign espionage and other national security threats.
    With the passage of title III and FISA, Congress struck a balance 
between the privacy interests in electronic communications and the 
legitimate needs of law enforcement and intelligence agencies to obtain 
access to those communications. While the balance Congress struck in 
each of these laws--and other laws addressing government investigative 
access to private information--may have been suitable at that time, 
that balance shifted with the evolution of technology in the ensuing 
years, which, in turn, triggered a series of national debates over how 
best to adapt existing laws to new technological realities. Over the 
past couple decades, Congress has done a very commendable job of 
brokering those debates and bringing the surveillance laws up to date. 
No better example was the legislative debate in 2007-08 that resulted 
in the FISA Amendments Act, a well-considered piece of legislation that 
realigned our foreign intelligence surveillance authorities to account 
for the revolution in communications technology since the passage of 
FISA in 1978.
    Once each of those debates was resolved and the rules were 
legislatively established, government officials could then move forward 
to conduct the surveillance they needed. To get the judicial 
authorization, they provided the required predication and justification 
to the relevant court and received the court's authorizing warrant or 
order. Then, to get the warrant or order implemented, they served the 
relevant communications provider with a secondary order commanding the 
provider to execute the warrant or order.
                            iii. going dark
    Over time, however, this process became less and less reliable as 
more and more providers were unable to give the government the 
assistance necessary to execute the authorized surveillances. With the 
exponential increase in the volume of electronic communications and the 
diversification of technologies from wire telephony to mobile voice 
communications over digital, switch-based services, many providers 
became either unable or unwilling to satisfy lawful wiretap requests. 
As a result, by the mid-1990's, law enforcement agencies saw that their 
surveillance capabilities were declining, and they started to worry 
that they were ``going dark.''
    Congress responded to this concern in 1994 by passing the 
Communications Assistance for Law Enforcement Act (``CALEA"), which 
required telecommunications carriers to modify their equipment, 
facilities, and services to ensure that the government could conduct 
lawfully-authorized surveillances.
    Despite CALEA, significant gaps remained in our surveillance 
capabilities. There were a number of companies that simply did not 
invest the money and time necessary to develop the capabilities to 
enable surveillance in their systems. In addition, there developed a 
broad range of communications technologies--like email, instant 
messaging, social networking sites and peer-to-peer services--that were 
simply not covered by CALEA. As a result, the government was 
increasingly unable to surveil its criminal and national security 
targets by the end of the last decade.
    This ``going dark'' issue then became exponentially more 
problematic with the recent advent of default endpoint and end-to-end 
encryption. With endpoint encryption, the data is encrypted while 
stored on the communication device, and the encryption key is held by 
the device or the device owner, and not by the service provider or 
device manufacturer. Endpoint encryption became the default setting 
when Apple unveiled a new operating system for its iPhones and other 
devices in September 2014, and other service providers like Google have 
since followed suit. The problem was further compounded by the 
introduction of end-to-end encryption, in which the contents of a 
communication are encrypted in transit and neither the device 
manufacturer nor the telecommunications carrier possesses an encryption 
key. As a result of these default encryption processes, service 
providers and device manufacturers are now often unable to satisfy 
lawful court surveillance orders--a scenario that will increasingly put 
our law enforcement and national security officials in the dark as this 
technology becomes industry standard and our adversaries gravitate to 
it.
                      iv.going dark going forward
    This dilemma is now clear for all to see, and the battle lines have 
been drawn, with the government and technology industry taking dueling 
views on the way to proceed. FBI Director James Comey has argued that 
the increasing availability and use of endpoint and end-to-end 
encryption puts our country at grave risk, as it effectively creates 
safe spaces for criminals and terrorists to operate outside the reach 
of law enforcement or the Intelligence Community. He acknowledges the 
important privacy interests at stake, but asserts that those interests 
must be balanced with the security interests of the broader society and 
urges industry to search for a technological solution that can 
accommodate the government's lawful surveillance needs.
    Representatives of the technology industry and the civil liberties 
community have aggressively countered Director Comey's position with a 
variety of arguments, including the following:
      That any accommodation for the government would introduce 
a vulnerability that would undermine the security and integrity of 
encryption, which inarguably is a vitally important technology for 
protecting information and preventing theft and other cyber mischief;
      That any such accommodation could not be confined to the 
United States, as other governments--including repressive governments--
would likely demand the same access;
      That any accommodation would put U.S. technology 
companies at a competitive disadvantage because customers--especially 
overseas customers and those who are already suspicious of U.S. 
Government surveillance in the aftermath of the Snowden revelations--
may stop using those companies' services if they learn that the 
companies are cooperating with the U.S. Government to circumvent 
encryption; and
      That any accommodation imposed on U.S. companies would be 
of limited effectiveness because criminals, terrorists and other 
wrongdoers would simply start using foreign encrypted services.
    Citing these arguments, some in the technology industry and civil 
liberties community have taken an absolutist position that there should 
be no government accommodation at all. One technology industry 
association sent President Obama a letter urging him to resist 
``encryption `work-arounds''' for the government's surveillance needs, 
contending that a work-around would ``compromise the security of 
[communications] products and services, rendering them more vulnerable 
to attacks and [] erode consumers' trust in the products and services 
they rely on for protecting their information.''
    I fully appreciate the importance and tremendous societal value of 
strong encryption, and I recognize the validity of the technology 
industry's concerns. However, I do not believe that those concerns 
automatically mean that encryption should be inviolable and that our 
Government should henceforth be denied access to large swaths of 
communications. That reasoning just does not square with the reality of 
today's national security imperatives.
    That reality is that government access to these communications is 
critical to our national security. From my earliest days as a federal 
prosecutor investigating narcotics networks, I saw the value of 
communications surveillance in gaining insight into the plans and inner 
workings of a conspiracy. That value is particularly high when the 
conspiracy being investigated is a foreign terrorist group, where 
leaders and foot soldiers are often located in different parts of the 
world and have to rely on electronic communication for operational 
coordination.
    Thanks in large part to our signals intelligence capabilities, the 
government has been fairly successful in detecting and protecting our 
country against large-scale terrorism since 9/11. That record of 
success is now being tested, however, by the rise of ISIS, which in 
many ways is a more formidable adversary than al-Qaeda ever was. In 
response to our allies' recent success in pushing back the borders of 
its conquered territory, ISIS seems determined to counter those losses 
with terrorist attacks directed against the homelands of those 
countries--like the U.S.--that they consider their mortal enemies.
    It is also clear that ISIS recognizes the operational value of 
encrypted communications. We know that it has issued a guide for its 
members discussing the relative ``safety'' of different encrypted 
messaging apps. We know that as part of its recruiting efforts, ISIS 
often initially engages on social media, but then moves the 
conversation to encrypted apps. We know that attackers inspired by ISIS 
have made use of such apps prior to conducting their attacks. For 
example, FBI Director Comey has testified that one of the attackers at 
the Muhammad art exhibit in Garland, Texas exchanged over 100 encrypted 
messages with a known overseas terrorist on the morning of the 
shooting. Those messages remain encrypted and unreadable by 
investigators.
                         v.resolving the debate
    With this gathering threat on the horizon, now is not the time to 
blithely concede that encryption automatically trumps surveillance and 
allow our intelligence and law enforcement agencies to go dark. To the 
contrary, now is the time for Congress to mobilize on this issue and 
push for a solution--a solution that allows government the access it 
needs to protect our people and our country without unduly compromising 
the encryption technology that protects our data and communications.
    I urge Congress to embark on a legislative process that calls on 
both sides of this debate to fully lay out the basis of their views:
      For the government, this means laying out the case that 
concretely demonstrates how significantly their different investigative 
efforts are--or are not--handicapped by the use of default encryption 
technologies.
      For the technology industry and civil liberties groups, 
this means laying out technically specific support for the contention 
that a government accommodation would undermine the integrity of 
default encryption. They should provide hard data that demonstrates 
exactly how--and how much--each possible type of accommodation would 
impact their encryption systems. It is only when Congress receives that 
data that it can knowledgeably perform its deliberative function and 
balance the potential cyber security dangers posed by a government 
accommodation against the national security and law enforcement 
benefits of having such an accommodation in place.
    Congress can undertake this effort either through a series of 
hearings and a traditional legislative process, or else through the 
establishment of a commission like that proposed by Senator Warner and 
Chairman McCaul--a commission composed of technologists, security 
experts and other key stakeholders who could delve deeply into the 
intricacies of this complex issue.
    Either of these options would be a significant step forward. The 
option that is not a step forward is the option of inaction and 
continued impasse. We have seen the consequences of that option before, 
as that was the option the government effectively pursued in the late 
1990's and early 2000's when debating the wisdom of ``the wall,'' the 
regulatory barrier that prevented coordination and information sharing 
between law enforcement and Intelligence Community personnel. That 
inaction had tragic consequences when the existence of the wall 
contributed to our inability to identify the 9/11 hijackers and prevent 
them from launching their attacks.
    Congress dismantled the wall when it passed the PATRIOT Act six 
weeks after the 9/11 attacks, but that was too late for the 3,000 
murdered Americans. We made the mistake of inaction once before; we 
must not make it again.
    I applaud the Committee for holding today's hearing and showing 
leadership on this issue. It gives me hope that we can, in fact, move 
beyond the current impasse and reach a workable solution to this 
critical problem. My thanks again for inviting me, and I look forward 
to answering any questions you may have.

    Chairman McCain. I thank you. I want to emphasize to you, 
sir, that I view this issue as one of the most compelling for a 
whole variety of reasons, and I intend for this committee to, 
if necessary, take up separate legislation to try to address an 
issue that has clearly not been resolved.
    Mr. Vance, we, Republicans and Democrats, liberals and 
conservatives, disagree on a lot of issues. One issue we do not 
disagree on is the horrible crimes that are committed by child 
pornographers and human traffickers. I know of no one that does 
not condemn this terrible, terrible exploitation of the 
innocent in our lives and our society.
    What we are doing here, if you would mention again, we are 
basically protecting child pornographers and human traffickers. 
We are protecting them by giving them access to encrypted 
mechanisms so that they can carry on their disgraceful, odious 
conduct.
    I guess I say that because we talk about encryption and 
freedom of speech and government intervention and all that, but 
I thought one of the fundamental requirements of any government 
is to protect the defenseless. Now, de facto, by this 
encryption and failure for us to allow law enforcement people 
such as yourselves to have access to this information, we are 
furthering the cause of child pornographers and human 
traffickers.
    Your comments, Mr. Vance?
    Mr. Vance. Senator, I absolutely agree that the consequence 
of this device default encryption, which was a purposeful 
reengineering of the devices to make them inaccessible and to 
be unlocked even with court order, the consequence of that is a 
loss of, speaking for local law enforcement, local law 
enforcement's ability to do the job that each of us was sworn 
to protect.
    The cases that we outlined in our white paper from November 
2015 described to the committee some of the absolutely horrific 
fact patterns that in the past we have been able to solve those 
issues because of access to devices. As I say, in our office 
alone, there are 314 cases ranging from murder to child sex 
abuse that we can now not access those devices.
    The answer is yes. I think, from my perspective, Senator, 
the reason I think this is so important, that the legislature 
deal with this, and why I am so grateful that you are giving 
further visibility to this, is that it seems to me that there 
are some in the technology community who have come to the 
conclusion that the inability to find a path toward justice for 
victims in the cases that I described is simply collateral 
damage and acceptable collateral damage in the service of their 
privacy position.
    I, for one, have a hard time understanding how I can 
explain that to the victims of crime in my community.
    Chairman McCain. Even though the United States Supreme 
Court, if I recollect, stated that child pornography was unique 
in itself and its criminal activities. ``I know it when I see 
it'' is one of the phrases that was used.
    Twitter barred a data miner, a company specializing in 
searching across millions of tweets to identify unfolding 
terror attacks and unrest, from accessing its real-time stream 
of tweets because of its work for U.S. intelligence agencies.
    What are your thoughts, all three witnesses, on Twitter's 
decision to ban this valuable counterterrorism tool from being 
used by the intelligence community, even though Twitter 
continues to sell the information used about consumers for a 
profit?
    Mr. Inglis?
    Mr. Inglis. Sir, if I might, I will answer that question, 
and first go back to the previous question.
    I fully support the comments made by Mr. Vance about the 
nature of the choices being made with respect to the use of 
default encryption. The idea that the private sector believes 
that they are the arbiter of that choice is both inappropriate 
and I think unnecessary because I do not think we have to 
choose. I think that are systems that we can develop that 
essentially deliver appropriate security for those systems.
    He gave a great example between operating versions seven 
and eight, and that at the same time can deliver appropriate 
access for the government when and where it needs it.
    Chairman McCain. Is that a second key idea?
    Mr. Inglis. Pardon, sir?
    Chairman McCain. A second key?
    Mr. Inglis. There are any number of schemes that you can 
bring to bear. That might be one of them. I think the 
government is taking great pains, and I think appropriately so, 
to not specify an implementation because I would defer to the 
innovation of the private sector which has shown----
    Chairman McCain. If they want to, they could.
    Mr. Inglis. They could. They could.
    There are any number of ways that you can do this and that 
you could provide appropriate protection for that, without 
giving the government the keys to the store or, for that 
matter, rogue governments that might want to have access to the 
same thing.
    To your question about the data miner, I think it is 
inappropriate and hypocritical for a data miner to retain that 
information for use for commercial purposes, but not to provide 
that such that society, writ large, might be protected.
    Chairman McCain. That is Twitter's fault, right, because 
Twitter stopped doing business with them? It was kept from 
accessing their real-time stream of tweets.
    Mr. Inglis. Senator, I do not disagree. The shame of the 
larger proposition is that, increasingly, entities within the 
private sector stand in as the arbiter of how you align these 
societal values. I think that is not appropriate.
    Chairman McCain. I see.
    Mr. Wainstein?
    Mr. Wainstein. Thank you, Mr. Chairman. I agree with Mr. 
Inglis on this issue.
    I would like to point out the broader question or the 
broader concern that I have, which is just generally about 
cooperation by private industry with our efforts to protect the 
country. As a prosecutor for 15 years or so, I enjoyed great 
cooperation from most of the telecommunications providers and 
others in the industry. When we were running down terrorists or 
criminals, they were very helpful.
    I think there has been a change since the disclosures by 
Snowden, and I think there are now business reasons for some 
companies to not only scale back on their cooperation with the 
government, but to be seen by customers and potential customers 
as scaling back because they think there is a business 
disincentive for them to be seen as cooperative. There are some 
customers who will go to other companies if they think that 
your company is being too cozy with the U.S. Government.
    That is terribly unfortunate. I think part of what I would 
like to see come out of this legislative process, which you 
just discussed embarking on, is the clear signal that we expect 
cooperation and we should have a cooperative relationship.
    This is not to say there isn't. I was briefed recently by a 
major technology company that is doing a lot of really good 
stuff for the intelligence community, so there is cooperation 
going on. I just think it is very unfortunate that some 
companies are resorting to these public measures to show how 
they are distancing themselves from the U.S. Government.
    Chairman McCain. Well, I am reminded when the technology 
companies say that, well, other countries will not do business 
because of the fact that there is a possibility of compromise, 
I am reminded of when, after the scandals of the 1970s, we 
enacted antibribery laws and everybody said, oh, no, you cannot 
do that because then these countries will not do business with 
our defense companies and corporations. That obviously did not 
happen.
    My time has long expired, but I do think it is important to 
point out, and maybe we can get a comment later on, there is a 
Wall Street Journal article that says, ``How Islamic State 
Teaches Tech Savvy to Avoid Detection.'' It is a well-known 
fact that Mr. Baghdadi is sending people into the refugee flow 
with encrypted phones in order to carry out acts of terror. 
That is well-known. It is not classified information. Yet our 
technology companies seem to be ignoring that direct threat to 
the security of the United States.
    Senator Reed?
    Senator Reed. Thank you very much, Mr. Chairman. Again, 
thank you for holding these hearings. This is the second. There 
will be many more, because this issue is extraordinarily 
complex.
    I do not want to oversimplify it, but let me suggest, at 
least to begin, that there are two perhaps distinct issues 
here, among many. One is a phone that law enforcement 
authorities physically have in their custody. The question is, 
should there be a statute that gives the right, or demands the 
company gives you access to that phone? That seems to me more 
straightforward than the second issue, which is how you access 
encrypted communication before a crime or with probable cause 
that a crime has been committed, but you do not yet have a 
complete case.
    Mr. Vance, are there technological ways to do that that the 
companies could provide? That is the first issue here, too, in 
terms of getting into that encrypted----
    Mr. Vance. On the phone itself?
    Senator Reed. No, I am talking about one of the challenges 
we have, particularly to anticipate criminal activity, to 
investigate it, the old wiretap, where you had probable cause 
to suspect a crime was being planned, went to a court. In the 
old days, you just put the electrodes, the wires on the phones, 
and you were listening in and you got information. Can we 
physically do that now, technologically?
    Mr. Vance. Senator, in our office, we have historically 
used title III to access data in transit, cell phone to cell 
phone, text to text. It historically has been doable.
    Obviously, the developments of encryption software, 
purposefully, in some cases, directed to be used by outside 
terrorism actors, affects that. Director Comey, I think, has 
been the most powerful spokesperson on that interest.
    Going forward, the answer to your question is, can you 
create an environment in which law enforcement, pursuant to a 
court order, can access communications and others cannot? That 
is the technological question that I think all of us are 
struggling with.
    I would suggest that, and, respectfully, the answer has to 
be yes. We are an enormously creative and innovative country 
with geniuses in the technology community, as well as in the 
security industry, particularly at the Federal level. I find it 
not a solution for industry to fold its arms and say we are not 
going to provide any way forward for this debate. I think that 
is not helpful. I believe that, surely, with all the other 
technological advances we have achieved, this is not 
impossible. It is just not being--there is no direction or 
requirement that this be addressed by the technology industries 
and the government in a coordinated manner.
    Senator Reed. Again, my knowledge is not as extensive as 
yours. That will require not only the makers of the phones but 
the Internet providers to be able to, pursuant to court order, 
have the means of getting into the phone surreptitiously, 
because you do not want to disclose your activities, and 
extracting information.
    Mr. Vance. I think that is accurate. Again, though I am not 
the smartest technological person in the room, I think that 
does not mean that it is not achievable.
    Senator Reed. No, I think the technology could be there. I 
just want to make sure we are focused on what has to be done, 
and then let people to it. That is the issue of end-to-end 
encryption.
    I second Mr. Wainstein's comment, too. I think after 
Snowden, there is a whole different attitude in the industry 
about this, and there are business considerations about who is 
the most secure, et cetera. I think it was a very interesting 
and important point to make, Mr. Wainstein. That is something 
we have to face going forward.
    Just to the whole panel, I mentioned in my opening remarks 
Secretary Chertoff, Admiral McConnell, very distinguished, 
thoughtful people who spend their lives dedicated to national 
security, have taken a very different position, saying several 
factors.
    First of all, these are real problems but there is a 
greater issue, and that is protecting legitimate information 
from cyber intrusion. That is one aspect.
    The second aspect is that, and the chairman alluded to 
this, that if we do it, and the rest of the world does not do 
it, we are at a disadvantage.
    Third, we tried efforts to control encryption technology 
through legislation before, and they have not worked.
    Quickly, my time is expired, but I will start with Mr. 
Wainstein, your comments?
    Rebuttal, Mr. Vance and Mr. Inglis?
    Thank you.
    Mr. Wainstein. Thank you, Senator Reed.
    First, that list that you just read off of people are some 
of the finest public servants this country has ever had, and 
they are close friends and colleagues of mine, and I have 
tremendous respect for their opinions. They raise good points.
    As I said in my remarks, there are strong arguments on the 
technology industry side of this. There are real concerns, and 
they have raised them.
    I guess my response would be this. Those concerns have been 
raised, and there have been arguments as to why this might end 
up unduly compromising encryption, which really is an important 
thing for society.
    The only way you are going to be able to do your job and 
balance the need for an accommodation against the impact it 
might have on encryption is for them to show exactly, 
specifically, technically, how that damage would come about.
    This potential, whether it is escrow key accommodation or 
another one, look at that and have them lay out exactly what 
that will do to encryption that causes them concern.
    We have not heard that yet. Until we hear that, you cannot 
do your job and come up with a solution.
    Senator Reed. Thank you very much.
    Mr. Vance. Senator, I could not agree more with what Mr. 
Wainstein has said. In fact, I think it has been one of our 
frustrations that there has not been the ability or the 
willingness to quantify the increased loss of security.
    Now, as I indicated, we just learned recently that it 
appears that there had been no data compromises by virtue of 
phones running on iOS 7 being open pursuant to court order. I 
think we all, listening to the technology community, thought 
that this was happening all the time. The fact of the matter 
is, it turns out it was actually extremely secure.
    I think there is reality and then there is argument and 
advocacy.
    As to the international disadvantage, I certainly think we 
need to take that seriously, but I think it is safe to say that 
the world has found a way to address the individual 
requirements of each country in the world to respect their 
sovereignty.
    If Volkswagen or any company wants to sell a car in the 
United States, they have to meet certain security standards--in 
some way, or at least--really, really meet them.
    Chairman McCain. Bad example.
    Mr. Vance. That is not a strange concept in the world of 
international commerce. If governments want to move money in 
and out of treasury departments around the world, there are 
certain standards that are required in each country before 
money is accessed and moved.
    This has happened before. It is not a foreign concept to 
the world.
    Senator Reed. Thank you, Mr. Vance.
    Mr. Inglis, please?
    Mr. Inglis. First, I support the remarks of the prior two 
speakers. I absolutely have an enormous and abiding respect for 
the individuals that you cited who made that comment.
    I would say the following. First, if the choice is to 
weaken security, such that the government or others might have 
access to it, or to leave it strong, of course, the right 
choice is to leave it strong. I do not think that is the 
choice. I think that is a false choice.
    Second, I would observe that there are a variety of 
circumstances under which, as a desired feature, we cut a third 
party into a conversation, maybe for a teleconference purpose 
or because you want to blind courtesy copy somebody on an 
email. For a variety of purposes, we essentially do software 
upgrades because we want to patch a system, and we have the 
means by which, from the vendor to the devices at the edge, we 
can have a sweeping application of software.
    We do not call the former a backdoor, and we do not call 
the latter a secret method to denigrate the quality of the 
software. We call them features. I think the technology exists 
such that we might do this.
    To the comment that if we set this up, other foreign 
governments might then misappropriate it, that is a real issue. 
I think that we need to think our way through that. If we do 
not drive the rules, they will.
    There are thoughtful nations, like the United Kingdom 
United Kingdom, that are thinking their way through this, and 
they have come up with something in the investigatory powers 
bill, which I think is likely to be passed this fall, which is 
going to strike an alignment, not a compromise, but an 
alignment of these great goods. There are other nations that 
will not be as thoughtful as that.
    If the United States stands by, we defer to the wishes, to 
the values set, of others. If we lead, we might just perhaps 
drive that to the place we want it to go.
    Senator Reed. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman McCain. Senator Cotton?
    Senator Cotton. Thank you, gentlemen, for being here on 
this important topic.
    I speak today as a friend of encryption, someone who 
recognizes its vital role in protecting some of the most 
important data that we all have, whether it is our email, text 
messages, phone calls, health information, financial 
information. Also someone who wants to protect the American 
people, to protect them from mass casualty terrorist attacks, 
to prevent them from being shot in nightclubs or in community 
centers, or blown up in malls, something that is as important 
if not more important than protecting that data.
    I also recognize the great contribution that companies like 
Apple and Twitter and Facebook have made to our society and the 
way that we live today.
    I hope that there is some way that we can all find some 
compromise or alignment, as Mr. Inglis called it, to address 
all of these threats to the American people.
    Mr. Inglis, I want to touch on a point you just made. In 
this debate, we often hear a lot about backdoors. As you said, 
many companies employ software update mechanisms that could be 
thought of as a backdoor because they change or update the 
functionality of the device periodically, and sometimes without 
even notice.
    These require additional keys or pathways to enter a 
device, so could you elaborate a little bit on, if a company 
can build a safeguard or additional key for updates and 
patches, why they could not do so for safeguards or keys for 
emergency purposes like terrorism, like kidnappings, like child 
pornography and so forth?
    Mr. Inglis. I think your point is well-made, sir. I think 
that they can.
    The question is not whether that capability exists or not. 
It certainly does exist, that you can upgrade software, that 
you can add other parties, legitimate parties, at the behest of 
the user to conversations, whether it is retraction to pull 
stored data, or whether it is a conversation in motion.
    The question is, is there a legitimate purpose that we 
understand and say that is sufficiently noble, we are going to 
engineer the solution. Do we have the controls on that, such 
that we are confident it will be used for that purpose and no 
other.
    It is the bookends, not the capability, that then should be 
the focus of our conversation.
    I think the technology does exist. The question is whether 
we can engineer that and have confidence about its efficacy.
    Senator Cotton. Let's put this question in a bit of a 
broader societal and legal context, Mr. Vance. We all have an 
expectation of privacy in our bank accounts, of course. 
However, you, I would assume, regularly obtain lawful subpoenas 
from a court to obtain the bank records of someone suspected of 
engaging in criminal activity. Is that correct?
    Mr. Vance. Correct.
    Senator Cotton. We also have reasonable expectation of 
privacy in our telephone conversations, the actual content of 
those conversations. However, I would assume that you often 
seek court-ordered wiretaps from telecom providers when there 
is a reasonable suspicion of criminal activity?
    Mr. Vance. Correct.
    Senator Cotton. Is there any reason why technology and data 
companies should be treated differently from banks or telephone 
companies in our society?
    Mr. Vance. Senator, I believe there is no legitimate 
objective reason. I think what is interesting about the state 
of affairs we find ourselves in today is, sticking with Apple 
for a second, they reengineered the phones so they can no 
longer be opened by the company. That was a conscious choice.
    Having done that, they have now argued that they have 
created a right to privacy that previously did not exist 
because of their engineering decisions to block access by law 
enforcement.
    I think that is ironic, but that is where we are today. I 
find no logical, reasonable reason why the technology companies 
should not be subject to the same sorts of rights and 
obligations that other industries have come to adapt and have 
worked through over the decades. I think that is something that 
is fair to look at going forward.
    Senator Cotton. Mr. Wainstein, do you have any perspective 
on whether there should be some special set of rules for 
technology and data companies, as opposed to banks or telephone 
companies?
    Mr. Wainstein. No, Senator Cotton. Look, I agree with Mr. 
Vance on this, that as a sort of our compact with our 
Government, we all, individuals, industry, companies, we have 
to submit to lawful court orders.
    Despite this encryption, as Mr. Vance said, they did not 
create a new zone of privacy. They cannot do that. The privacy 
is as dictated in the Constitution and by the decisions of our 
courts.
    They have an obligation to provide that information. They 
have tried to litigate it. At the end of the day, I think they 
are going to lose on the fundamental issue. I am quite 
confident they will. I think that it is really up to Congress 
to make the point legislatively that unless you voluntarily 
accept the solution to this, it is of such paramount importance 
to the national security and to enforcement of our laws that we 
are going to legislate it.
    Senator Cotton. We all have certain rights to privacy under 
our Constitution, but we also have a duty to provide 
information when subjected to a lawful court order, and that 
would be a duty not to our Government, but to our fellow 
citizens.
    Thank you.
    Chairman McCain. Senator King?
    Senator King. I think it is important to clarify, because 
there is a lot of confusion in this discussion, even in this 
hearing.
    Encryption, the encryption horse is way out of the barn. We 
are not talking about encryption. We are not talking about 
WhatsApp or Telegram. That is done. It cannot be broken.
    We could say WhatsApp, you are owned by Google, you have to 
open it up. Somebody goes and buys Telegram, which is from 
Germany, and the Internet as a free exchange across borders.
    I mean, if NSA can break it, that is one thing. I do not 
think any of you are suggesting, or are you, that somehow we 
can deal with the encryption of apps that al-Baghdadi is using.
    I think we need to clarify this discussion. We are really 
talking about the Apple case and compelling technology 
companies to provide access to their devices.
    Am I not correct? Encryption, that is a done deal, isn't 
it?
    Mr. Inglis. I think it is, sir. It is a done deal. It is a 
good thing that encryption is in wide and almost ubiquitous 
use.
    Senator King. That is not really the question before the 
house. The real question are issues like the Apple case.
    I think one of the problems we have to think anew here is, 
is that this is an international phenomenon. It is not neat 
borders, sovereignty. It is very difficult to make those things 
stick where you have something that moves invisibly through the 
air and can be built anywhere in the world. It seems to me that 
is one of the problems.
    We could pass a law here that forced Apple in some way, 
shape, or form to provide the key to open their iPhones. 
Whether or not that law would apply to an iPhone made in Turkey 
or Germany or Russia--and I guess we could try to pick them up 
at the border, but it is like squeezing Jell-O. I mean, it is 
going to be a very difficult technological--the international 
aspect of this makes it incredibly more difficult.
    Mr. Inglis, don't you agree?
    Mr. Inglis. I do agree, sir. I think that, then, this 
government has a dual obligation. One, to figure out what our 
values are such that we would drive choices to be biased toward 
an alignment of these, as I described it, four interests. It 
could be that it is three interests. At the same time, work 
with like-minded governments to create an international regime 
where it is more likely that these products will win in that 
marketplace and put our vendors in the right position.
    Senator King. I agree with that. This is a very difficult 
issue to grapple with, because basically we are balancing two 
provisions of the Constitution, provide for the common defense 
and ensure domestic tranquility, and the First, Fourth, and 
Fifth Amendments. I mean, that is what we are trying to do 
here.
    I do not like commissions, but I signed on to Senator 
Warner's bill to set up a commission to really look in depth at 
this issue involving the technology community, the law 
enforcement community, and the intelligence community, and come 
back to us with some really good thinking. I like your term of 
alignment.
    As I say, I do not generally--I think commissions often are 
a copout. I think in this case--and I totally agree that this 
should be a legislative solution. It should not be case-by-case 
in various Federal district courts. It should be a legislative 
solution. It is a policy issue.
    I think we need more information, frankly. I commend the 
chair for setting up this hearing, but I think this really 
needs some deep thought by a lot of people because it is 
really, in many ways, new territory.
    Mr. Vance, hypothetical, and I know we were all taught in 
law school to never ask a question you do not know the answer 
to, and I do not know the answer to this.
    If a locksmith makes a safe, and it is set up in such a way 
that the customer can set the combination and the locksmith 
does not know the combination, cannot open it, could you get a 
subpoena or a warrant to force that locksmith to somehow break 
into that safe?
    Mr. Vance. We would, Senator, likely get a warrant 
permitting us to, through physical force, open that safe with 
court directive.
    Senator King. That is my point. The FBI found a way to get 
into the Apple iPhone. They did not make Apple do it. In your 
answer, you just conceded that you would not make the locksmith 
do it. You would figure out how to do it.
    One of the things, frankly, that really bothered me about 
the Apple case was that we had all this excitement and 
publicity about a great American company that went on for 
months and months, and then the FBI said never mind, we figured 
out how to do it. That bothered me.
    They should have exhausted all of those remedies before 
they went to that magistrate in California and said we need 
something under a 200-year-old All Writs Act.
    You couldn't enforce that locksmith to come in and somehow 
break into that safe.
    Mr. Vance. Senator, I think that legislation could be 
passed which would require that locksmith to have the ability 
to open that safe, if we reached a level of volume, such as we 
are reaching right now with the probability of a problem 
getting into encrypted devices that are relevant to law 
enforcement investigations.
    Senator King. You have 300 cases pending, so this isn't 
about one iPhone in San Bernardino. You have 300. Where does it 
stop? Is this for an OUI [organization unique idenfier] in 
Poughkeepsie that you are going to be able to open the iPhone? 
Is there any limit? Once we say law enforcement can get a 
warrant to force Apple or Google or whoever it is to open their 
phone, is there any limit on that?
    Mr. Vance. I am not sure why there would be any other limit 
than the constitutionally recognized requirements of a court-
ordered, specific warrant based on probable cause. Yes, if that 
standard was met in Poughkeepsie or New York City or 
California, that warrant should be able, in my opinion, to be 
affected.
    Senator King. I think that is a very important point, 
because a lot of the publicity and discussion and testimony at 
the time of the original San Bernardino case was we only want 
this for one phone. We are not talking about one phone. We are 
talking about thousands of phones.
    Mr. Vance. I am certainly not talking about one phone, 
Senator, absolutely. I believe it is because we are talking 
about thousands of phones that represent criminal 
investigations involving thousands of victims and 
investigations that may relate to security beyond the 
individual victims, that is why it is so important that this 
committee has taken this issue up and is looking at it with an 
eye toward potential Federal legislation.
    Senator King. One quick question, Mr. Chairman.
    Do you fellows have any few on the Warner bill on the 
commission idea?
    Mr. Vance. Senator, my view is that a commission sounds 
like a very sensible, thoughtful thing. As I said before, there 
is a sense of real urgency, particularly in State and local law 
enforcement, that we reach a resolution that could permit us to 
go forward.
    It is 1,000 cases. Maybe it is 5,000 cases around the 
country. Each of our cases in State court have statute of 
limitations, once filed, that we are operating under. We have 
victims of real crimes that are waiting for justice all around 
the country.
    If a commission was a commission that went on for 18 months 
and that issued a nonbinding recommendation at the end of that 
18 months, from this one prosecutor's perspective, I am not 
sure that addresses the urgency with which State and local law 
enforcement need to deal with this problem.
    Senator King. Mr. Inglis?
    Mr. Inglis. I largely agree with all of that.
    It might well be that the government's best play is to say 
that it intends to act to create a stalking horse with a sense 
of urgency, but, at the same time, it intends to do so in the 
most thoughtful way and the most well-informed way possible, 
such that then the commission creates an opportunity to 
establish a venue at which a very diverse array of disciplines, 
functions, perspectives, then can come together, but to 
encourage collaboration in advance of what ultimately will be a 
government action.
    There is an urgent need to get on with that, and thus far 
we have not seen the kind of collaboration required to bring 
the diversity that America has been so well-known for to the 
table to pull that off.
    If I might go back to your earlier question, I think you 
are quite right to raise the context of the All Writs Act. 
Leaving aside, which I think you are right about the precedent 
of one versus a thousand, I would say that I think we are 
likely to find that the All Writs Act is insufficient, that it 
was not imagined it could be used in this situation, and, 
therefore, Congress needs to act to actually update that and 
bring that into the modern age.
    Two, with respect to the San Bernardino case, the idea that 
in the absence of an All Writs Act, the absence of an ability 
to compel the vendor to assist, that you then turn to the FBI 
and say you are just going to have to hack the civilian 
infrastructure, I think that puts the government in exactly the 
wrong place. You do not want government hacking civilian 
infrastructure, the private sector's infrastructure. You want 
government aiding and abetting the increased resilience of that 
infrastructure.
    You, therefore, need to figure out how upfront do I attend 
to all of government's responsibilities to provide for 
collective security, which is what Jim Comey is pursuing. That 
is his lawful charge. At the same time, have deference and 
support for the individual privacy and security that is 
attendant to the Constitution's promise.
    Senator King. Thank you. Thank you for your thoughtful 
testimony on a very tough issue. I appreciate it.
    Chairman McCain. If we did a commission, it would be at 
least a year, at best. The point is this issue is not so 
complicated.
    We have banking laws in the United States that are not 
respected by every country in the world, but we enforce them 
because anybody who wants to do business with the United States 
of America has to abide by those laws. We have other rules and 
regulations that we enforce--antibribery--that other nations 
engage in.
    We set the pace, and we are the ones who dictate the terms 
because we happen to be the largest market in the world.
    I have heard this song before about, well, other people are 
going to do it. Therefore, we should not do it. I do not accept 
that argument.
    When we have child pornographers who are operating freely--
freely--and human traffickers who are operating freely, there 
is an urgency to this issue, which is why this committee has 
taken up, and is going to have more hearings on it, including 
hearing from the technology companies, even if they do not want 
to come here. This committee has subpoena power.
    For them to blatantly say that they will not give us 
information or give us the ability to acquire information as we 
have, as you pointed out, Mr. Vance, on banking financial 
records, all kinds of other ways that we have of pursuing 
criminal activity, but somehow this new technology should be 
exempt from all of that is something that I do not buy. Nor do 
I think the families of those young girls who are being human 
trafficked right now, nor those children who are now the 
victims of child pornography, which is being protected by the 
way that these companies are doing business now. I find it 
unacceptable.
    Senator Blumenthal?
    Senator Blumenthal. Thanks, Mr. Chairman.
    I want to thank you for those comments. I share those 
concerns about the power of our private sector, financial and 
communication companies, that have immense financial and market 
power, and the ability to do good and cooperate and protect 
victims of human trafficking, as well as of terror, extremism, 
and violence.
    The United States is home to some of the world's leading 
social media, advertising, film, communications companies. One 
of ISIL's most powerful tools for recruitment is its social 
media campaign. The group releases absolutely horrifying but 
expertly done videos inspiring young people to join its ranks.
    On the one hand, our modern, interconnected world gives 
ISIS the ability to reach the United States, no matter how 
robust the physical barriers or boundaries may be. On the other 
hand, their hatred for us is absolutely inescapable and open, 
and we need to intensify our efforts against those malicious 
messages, including forging solidarity with the Muslim world, 
which has as much to lose as we do. The messages of intolerance 
and persecution and extremist violence I think can bring us 
together, even as our adversaries and enemies seek to divide 
us.
    I want to thank all of you for being here today on this 
supremely important topic, particularly District Attorney 
Vance.
    Thank you for your good work. I know of all of your 
distinguished service.
    District Attorney Vance happens to work in a venue close to 
my State of Connecticut in an area where I used to work as 
well, both as a Federal prosecutor and as State Attorney 
General.
    I think your work is supremely important in this area, and 
your leadership and advocacy.
    I want to ask a question that is directed to the private 
sector.
    How can we bring the private sector to cooperate more 
closely and be a better partner of law enforcement in this 
area?
    Mr. Vance. I am not expert in these matters, but I do 
think, as I was saying, Senator, that whether the private 
sector is willing to acknowledge it or not, this is an urgent 
issue. It is urgent because it is affecting national security, 
about which I am not an expert, but local security, about which 
I have some knowledge.
    Now I guess the commission, a presidential commission or 
congressional commission, is one sure way to start the process. 
One of the Senators has suggested that.
    I think it needs the active involvement of the 
administration. I think the President and his administration 
needs to grab ahold of the collar of local law enforcement and 
the enforcement communities, grab ahold of the collar of the 
private sector, pull them into a room, work at an accelerated 
speed with an eye toward getting a resolution to this or some 
recommendations on how to go forward between now and the end of 
the year.
    That may be totally unrealistic from a calendar standpoint 
with the way we are in America right now, but unless the 
administration is going to come in and assist the Congress, 
local law enforcement and others, I think it is not going 
happen.
    Senator Blumenthal. Yes, sir?
    Mr. Inglis. Sir, I would add to that that I think the 
government first and foremost, Mr. Vance's point, needs to 
indicate its desire to lead, its intent to lead, as opposed to 
observe.
    Then second, the framing will be profoundly important. If 
the government were to approach this by saying we intend to 
impose a requirement on the private sector, to satisfy Mr. 
Vance's or perhaps Jim Comey's need for exceptional access, 
that is one way of framing it.
    Another way to frame it would be to say that we intend to 
guarantee or to align the kind of collective distinguished 
interests that are on the table here, kind of individual 
pursuit of security to include companies' abilities to innovate 
and succeed in national, international marketplaces, and the 
ability of governments when necessary under exceptional access 
to access communication for purposes of what Mr. Vance and Jim 
Comey are pursuing under their lawful mandate. That is a very 
different framing.
    That might then encourage people to say I am coming to the 
table because that is the way we are essentially going to make 
a contribution against the interests I am charged to represent.
    Senator Blumenthal. What I see, from Connecticut's 
standpoint, and we have very able Federal prosecutors, our 
United States attorney, Deirdre Daly, whom you no doubt know, 
Mr. Vance, as well as our State prosecutors, increasingly tell 
and show me that our local and State security are inseparable 
from our national security, and that the bad guys have seamless 
ways of accessing information and communicating with each 
other, and we remain separated in terms of our law enforcement 
jurisdiction and our inability to access the very means of 
communication that they use so seamlessly.
    I share the chairman's and your sense of urgency, not that 
I oppose a commission. Who could oppose a commission focused on 
this issue? I feel a much greater sense of urgency and 
immediacy about the need to address these concerns.
    Thank you very much, Senator Reed, Mr. Chairman.
    Thank you to our panel.
    Senator Reed. [Presiding] On behalf of Chairman McCain, let 
me recognize Senator King for a very quick question, because we 
have floor activity.
    Senator King. We have to go vote.
    I just want to again sort of clarify. You can tap phones 
now, right, Apple iPhones, if you get subpoenas, Mr. Vance? You 
can get the verbal conversation?
    Mr. Vance. Some, unless the communications, for example, 
are encrypted.
    Senator King. Okay. Okay, but encryption, we talked about 
encryption. Encryption is not the issue here. Encryption is 
encryption, and you can either can get it or you cannot.
    You can get messages. You can get the content of messages, 
unless they are encrypted. You can get where people called 
under the 215 program under the metadata.
    I just want to be clear what it is you can already get 
without asking companies to unlock their phones, because you 
are really talking about something other than phone calls, 
messages, and metadata. You are talking about maybe the 
geographic--anyway, I just think it is important.
    That shows the complexity of this issue. You have to really 
do it in a granular way.
    Mr. Vance. Senator, I understand what you are saying. Let's 
just talk about data at rest, which is of the most interest to 
law enforcement of what is on the phones. Interestingly, many 
criminals do not encrypt, and that was one reason why we were 
able to get so much information about rape, robbery, murder, 
and other state law crimes.
    Why they do not encrypt is a question I cannot answer. The 
fact of the matter is that even when there has been encryption 
technology, it is not used by the vast majority of people 
committing crimes.
    Therefore, there is an absolutely direct consequence 
because of now our inability to access those phones, with a 
court-ordered warrant, information that is on the phone likely 
not to be encrypted relevant to the criminal investigation is 
inaccessible.
    Senator King. I understand. I would appreciate, to the 
extent you guys can give us suggested language or proposals or 
outlines of legislation, that is what we are looking for. Thank 
you very much.
    Thank you, Mr. Chairman.
    Senator Reed. Thank you, Senator King.
    Gentlemen, thank you for your extraordinarily thoughtful 
testimony. I can assure you that as the days go forward, and 
you made it quite clear this is not something that can take 
forever, we will be reaching out for your advice and your 
assistance.
    I second Senator King's point. Any proactive legislative 
proposals or ideas, please forward them.
    On behalf of Chairman McCain, I also want to explain that 
this is a busy day, lots of floor activity. Your testimony was 
extraordinarily important, the most important issue that we are 
coming to grips with, which is cybersecurity and protecting the 
Nation. My colleagues were, I think, deflected to the floor, so 
I apologize.
    Let me thank you all for your extraordinary testimony. On 
behalf of the chairman, Chairman McCain, let me adjourn the 
hearing. Thank you.
    [Whereupon, at 10:55 a.m., the hearing was adjourned.]



                      ENCRYPTION AND CYBER MATTERS

                              ----------                              


                      TUESDAY, SEPTEMBER 13, 2016

                                       U.S. Senate,
                               Committee on Armed Services,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 9:37 a.m. in Room 
SH-216, Hart Senate Office Building, Senator John McCain 
(chairman) presiding.
    Committee members present: Senators McCain, Wicker, 
Fischer, Cotton, Rounds, Ernst, Sullivan, Lee, Cruz, Reed, 
Nelson, McCaskill, Manchin, Shaheen, Gillibrand, Blumenthal, 
Donnelly, Hirono, King, and Heinrich.

       OPENING STATEMENT OF SENATOR JOHN McCAIN, CHAIRMAN

    Chairman McCain. I would--since a quorum is not present, 
but we have pending military nominations, I would ask unanimous 
consent to waive the requirement for two more members in order 
to conduct a routine business for the 4,158 pending military 
nominations, which I'm--none of which are controversial. Is 
there any objection to that?
    [No response.]
    Chairman McCain. If not, since--a quorum is not present, 
but I ask the committee to consider a list of 4,158 pending 
military nominations. Of these nominations, 503 nominations are 
2 days short of the committee's requirement that nominations be 
in committee for 7 days before we report them out. No objection 
has been raised. These nominations--I recommend the committee 
waive the 7-day rule in order to permit the confirmation of the 
nomination of these officers before the Senate goes out for the 
October recess.
    Is there a motion to favorably report these 4,158 military 
nominations to the Senate?
    Senator Reed. So move.
    Chairman McCain. Is there a second?
    Senator Wicker: Second.
    Chairman McCain. All in favor?
    [A chorus of ayes.]
    Chairman McCain. The motion carries.
    I thank the committee. We wouldn't want to go out for a 
long period of time with these pending nominations, none of 
which are in any way controversial.
    I think that there was a cyber attack on Admiral Rogers' 
automobile, which accounts for him being late this morning.
    [Laughter.]
    Chairman McCain. We'll have a full investigation----
    Voice: He's joking.
    [Laughter.]
    Chairman McCain. Mr. Secretary, we welcome you and Admiral 
Rogers. We'll begin with you, Mr. Secretary.
    Mr. Lettre. Chairman McCain, Ranking Member Reed, members 
of the committee, thank you for inviting us to discuss the 
importance of strong encryption, trends on its use, and its 
impact on the Department of Defense.
    With your permission, I've submitted a longer written 
statement, and I would ask that it be made part of today's 
record.
    Chairman McCain. If you'll hold for a moment, Secretary 
Lettre, in my--I forgot the opening statements by myself and 
the Ranking Member----
    [Laughter.]
    Mr. Lettre. I was wondering about that.
    Chairman McCain.--which is the reason why so many of my 
colleagues are staying here, in order to hear our words of 
wisdom.
    [Laughter.]
    Senator Nelson. We thought you were going to spare us.
    [Laughter.]
    Chairman McCain. Probably should, given the calendar, but 
could I just--I'll go ahead, Secretary Lettre.
    Encryption has become ubiquitous across the 
counterterrorism fight. The Islamic State of Iraq and the 
Levant [ISIL] has successfully leveraged messaging applications 
developed by some of our most innovative companies to create an 
end-to-end encrypted safe haven where they can operate with 
near perfect secrecy and at arms' length of law enforcement, 
the intelligence community, and the military. From Syria to San 
Bernardino to Paris to Brussels to perhaps even Orlando, ISIL 
has utilized encrypted communications that, just a few years 
ago, were limited to a select few of the world's premier 
military and intelligence services.
    As I've stated in the past, this is a complex and difficult 
problem, with no easy solutions. We must balance our national 
security needs and the rights of our citizens. We must also 
recognize that authoritarian regimes are eager to gain keys to 
encrypted software so they can further their own abusive 
policies, such as suppressing dissent and violating basic human 
rights. Yet, ignoring the issue, as the White House has done, 
is also not an option.
    I look forward to hearing how the use of encryption by 
terrorist organizations is impacting your ability to detect and 
prevent future attacks, and how the proliferation of encryption 
alters the way you do business at the National Security Agency 
[NSA] and Cyber Command [CYBERCOM].
    Admiral Rogers, you have frequently spoken with this 
committee about the so-called ``dual hat'' under which the 
Commander of Cyber Command also serves as the Director of the 
NSA. Last year, you told this committee, quote, ``I will 
strongly recommend, to anyone who asks, that we remain in the 
`dual-hat' relationship. This is simply the right thing to do 
for now, as the White House reiterated in late 2013.'' You 
stated that it might not be a permanent solution, but that it 
is a good solution, given where we are. You were asked again in 
our hearing earlier this year, and you reaffirmed the need to 
keep the two organizations tightly aligned.
    That's why I'm troubled by recent reports that the Obama 
administration may be trying to prematurely break the dual-hat 
before President Obama leaves office. On Friday, it was 
reported that Secretary of Defense Ash Carter and Director of 
National Intelligence [DNI] James Clapper have backed a plan to 
separate Cyber Command and the NSA. Here we go again. Another 
major policy matter has apparently been decided, with no 
consultation whatsoever between the White House or the 
Department of Defense with this committee. I urged Secretary 
Carter to provide this committee and the Congress the details 
of this plan and his reasoning for support it. I will--hope he 
will explain what has changed since the last time the 
administration rejected this idea, in 2013.
    While I'm sure the phrase ``predecisional'' is written 
somewhere in our witnesses' briefing papers, I would remind 
them that this committee does not take well to being 
stonewalled while their colleagues in the administration leak 
information to the press. Even if this decision has not been 
made, our witnesses should still be able to provide substantive 
analysis on the consequences of separating the dual-hat for our 
national security and for taxpayers.
    Let me be very clear. I do not believe rushing to separate 
the dual-hat in the final months of an administration is 
appropriate, given the very serious challenges we face in 
cyberspace and the failure of this administration to develop an 
effective deterrence policy. Therefore, if a decision is 
prematurely made to separate NSA and Cyber Command, I will 
object to the confirmation of any individual nominated by the 
President to replace the Director of the National Security 
Agency if that person is not also nominated to be the Commander 
of Cyber Command.
    This committee and this Chairman are tired of the way that 
Congress, in general, and this committee is treated by this 
administration. These issues present larger concerns about 
whether the Department is appropriately organized to manage the 
defensive and offensive requirements of the cyber mission. We 
know that the Department faces challenges in recruiting and 
retaining top cyber talent. We know that the Department's 
cumbersome acquisition system hinders technological advancement 
and has eroded our technological superiority. We know that the 
administration's failure to confront deficiencies in its cyber 
policy has undermined the Department's ability to effectively 
defend, deter, and respond to our adversaries in cyberspace. 
Both Russia and China have leveraged cyber to systematically 
pillage certain critical defense technologies, create 
uncertainty in our networks, and demonstrate capability. Make 
no mistake, they are the first movers in the cyber domain, and 
they have put us on the defensive. The administration has 
consistently failed to provide a meaningful response.
    The latest media reporting, that Russia may try to 
undermine our electoral process, underscores this point. Russia 
is using cyber to undermine American national interest, and now 
it appears our democracy could be the next target. The 
administration's response to a mere warning from the Secretary 
of Defense--is that the best the United States can do? Despite 
this committee's numerous requests for a cyber deterrence 
framework, the administration has failed to present any 
meaningful strategy. Instead, it has evidently distracted 
itself with debates over the dual-hat. Instead of shaping the 
limits of acceptable behavior in cyberspace, the 
administration, instead, has allowed Russia and China to write 
the playbook. As a result, this administration has left the 
United States vulnerable.
    I look forward to hearing more about the cyber operations 
against ISIL and the challenges, opportunities, and constraints 
you are facing on the cyber front.
    Senator Reed.

                 STATEMENT OF SENATOR JACK REED

    Senator Reed. Well, thank you very much, Mr. Chairman.
    Let me join you in welcoming Secretary Lettre and Admiral 
Rogers back to the committee.
    Thank you, gentlemen, and the men and women that you lead, 
for their service and your service.
    This is a third committee hearing focused on the encryption 
issue, which underscores the importance of this issue and its 
impact on national security. The rapid growth of sophisticated 
end-to-end encryption applications and extremely secure 
physical access control to smartphones and computers has an 
adverse impact on law enforcement agencies at all level of 
government, and impairs the ability of the intelligence 
community and the Defense Department's Cyber Command to detect 
and counter cyber threats to the Nation. At the same time, this 
security technology helps to protect individuals, corporations, 
and the Government against cybercrime, espionage, terrorism, 
and aggression.
    While Federal Bureau of Investigation [FBI] Director Comey 
has tirelessly stressed the danger of law enforcement going 
dark, respected national security experts, including General 
Michael Hayden, former Director of the Central Intelligence 
Agency [CIA] and NSA, Michael Chertoff, the former Under 
Secretary--or Secretary, rather, of Homeland Security, have 
advised against compelling industry to ensure that the 
Government can always get access to encrypted data. These 
experts argue that cyber vulnerabilities are the greatest 
threat to the public and national security. This debate 
underscores the complexity and difficulty of the issue that we 
all face and we all must deal with very quickly, because it is 
a growing--as the Chairman's testimony indicates, it's a 
growing threat to our national security and our law 
enforcement.
    A major problem for law enforcement at this juncture is 
gaining access to data on devices that are physically in their 
control for foreign intelligence collection, where physical 
access is rarely, if ever, applicable, the challenges to 
overcome encryption of data in transit, or to gain remote 
access to devices when they are turned on and communicating. 
The latter set of problems is not qualitatively new. I will 
ask, when questioning, whether they're more manageable than 
these law enforcement issues.
    In addition to encryption, another important area that I 
hope we're able to discuss today is the issue that the Chairman 
brought up. That's the future of Cyber Command. I understand 
the administration is deliberating on whether it is the proper 
time to elevate Cyber Command to a unified command, and if, and 
under what conditions, the administration should terminate the 
so-called ``dual-hat'' arrangement in which the Commander of 
Cyber Command serves also as the Director of the NSA. An 
additional issue, a discussion of whether the Director of NSA 
should be a civilian rather than a general officer. While I 
know that is likely difficult for our witnesses to discuss 
administrative deliberations in an open hearing, I will welcome 
any of your thoughts or considerations on these important 
issues.
    Another area that I know is of interest to the committee, 
but, again, may be difficult to comment on publicly, is several 
revelations of hacking of major computer systems in this 
country by outside actors. Again, that is a very critical issue 
and one that we're very much involved and interested in.
    Once again, gentlemen, thank you for your service, and 
thank you for your appearance here today.
    Chairman McCain. Now Secretary Lettre.

STATEMENT OF HONORABLE MARCELL J. LETTRE II, UNDER SECRETARY OF 
                    DEFENSE FOR INTELLIGENCE

    Mr. Lettre. Chairman McCain, Ranking Member Reed, and 
members of the committee, thank you for inviting us to discuss 
the importance of strong encryption, trends on its use, and its 
impact on the Department of Defense.
    With your permission, I have a written statement that is a 
little longer than my opening statement here, and I'd ask that 
it be made part of today's record.
    In my brief opening statement, I would like to underscore 
three points:
    First, the Department of Defense strongly seeks robust 
encryption standards and technology vital to protecting our 
warfighting capabilities and ensuring that key data systems 
remain secure and impenetrable to our adversaries today and 
well into the future. The Department's support for the use of 
strong encryption goes well beyond its obvious military value. 
For example, commercial encryption technology is not only 
essential to U.S. economic security and competitiveness, but 
the Department depends upon our commercial partners and 
contractors to help protect national security systems, 
research-and-development data related to our weapon systems, 
classified and sensitive information, and servicemembers' and 
Department civilians' personally identifiable information and 
health records.
    Second, we are concerned about adversaries, particularly 
terrorist actors, using technology innovation, including 
ubiquitous encryption, to do harm to Americans. The 
cybersecurity challenges confronting the Department are 
compounded by the pace and scope of change, not only in the 
threat environment, but also in associated technologies. Our 
adversaries are constantly searching, looking, and adopting new 
and widely available encryption capabilities, with terrorist 
groups such as the Islamic State of Iraq in the Levant, ISIL, 
leveraging such technology to recruit, plan, and conduct 
operations. Our concern grows as some parts of the 
communication technology industry move towards encryption 
systems that providers themselves are incapable of un-
encrypting, even when served with lawful government requests to 
do so for law enforcement or national security needs. This 
presents a unique policy challenge, one that requires that we 
carefully review how we manage the tradeoffs inherent in 
protecting our values, which include individual privacy as well 
as our support for U.S. companies' ability to innovate and 
compete the global economy, and also protecting our citizens 
from those who mean to do us grave harm.
    Third, the Department is working with other parts of the 
Government and the private sector to seek appropriate solutions 
on these issues now. We need to strengthen our partnership with 
the private sector, finding ways to protect our systems against 
our adversaries' cyberattacks and at the same time finding 
innovative and broadly acceptable ways to address nefarious 
actors' adoption of new technologies, including encryption, 
even while we must carefully avoid introducing any 
unintentional weaknesses in the protection of our security 
systems or hurting our global economic competitiveness.
    Mr. Chairman, the Department is committed to the security 
and resiliency of our data and networks, and to defending the 
U.S. at home and abroad. An ongoing dialogue with Congress as 
well as other departments and agencies and the private sector 
is absolutely critical as we work together to confront and 
overcome the security challenges associated with encryption.
    I appreciate the committee's interest in these issues, 
grateful for the dialogue, and I look forward to your 
questions.
    [The prepared statement of Mr. Lettre follows:]

           Prepared Statement by The Honorable Marcel Lettre
                              introduction
    Chairman McCain, Ranking Member Reed, and Members of the Committee, 
thank you for inviting us to discuss the importance of strong 
encryption, trends on its use, and its effects on the Department of 
Defense (DOD). It is an honor to appear before you today and we 
appreciate the opportunity to explain both the importance of encryption 
to secure data and to protect systems vital to our national defense, as 
well as the impact that the continuing adoption of strong encryption 
has on the execution of our national security missions. The use of 
strong encryption is a vital component to protect our warfighting 
capabilities and ensures our national security interests remain secure.
                    importance of strong encryption
    The Department supports the use of strong encryption. Commercial 
encryption technology is vital to U.S. competitiveness and economic 
security and the Department depends upon secure data and strong 
encryption technology to carry out our national security mission. DOD 
depends upon our commercial-sector partners to help protect national 
security systems, research and development data related to our weapons 
systems, classified and sensitive information, servicemembers' 
personally identifiable information and health records, just to name a 
few examples. The National Security Agency (NSA), which is responsible 
for setting encryption standards within the Department of Defense, 
depends upon strong and voluntary commercial industry partnerships to 
protect these systems and to develop best practices on the 
implementation and integration of encryption.
    If our adversaries are able to gain access to our networks, weapons 
systems, and other critical infrastructure, they could manipulate 
information, destroy data, and harm our national security systems. We 
must stay ahead of our adversaries' capabilities to ensure that our 
systems remain protected. Strong encryption remains a vital element to 
do so.
                         encryption challenges
    The threat landscape continues to change. The widespread 
availability of strong encryption has also allowed terrorist groups, 
such as the Islamic State of Iraq and the Levant (ISIL), to leverage 
such technology for its operations. ISIL uses the internet and mobile 
applications to securely communicate and recruit fighters, further 
incite violence, and inspire, plan, and conduct attacks against its 
enemies, including our forces. As terrorist groups become more 
sophisticated and technologically savvy, encryption presents a 
challenge for the Department, especially NSA, to acquire needed 
intelligence if communications cannot be decrypted. This challenge will 
compound as industry moves towards implementation of encryption that 
they are incapable of unencrypting as they will no longer hold the 
decryption keys enabling them to provide access to the content of 
communications.
    While the Department benefits from strong encryption, malicious 
actors use the accessibility of strong encryption and other 
technologies to thwart DOD efforts in a variety of areas. This presents 
a unique challenge for government, one that requires the nation to 
determine how to balance individual privacy, a fundamental tenet in our 
democracy, with the need to protect our citizens from those who would 
do harm. As we have seen with ISIL, terrorists are increasingly using 
strong encryption to hide the content of their communications. This 
challenges the ability of the Department to understand our adversaries' 
intent, terrorist networks, financing streams, tactics, attack planning 
and execution, in the United States and abroad.
                          encryption way ahead
    We need to strengthen our partnership with industry to find ways to 
protect against the national security threats to the United States. We 
will continue to work closely with our industry partners to find 
innovative ways to outmaneuver malicious actors' adoption of strong 
encryption, while ensuring that individual privacy interests are 
protected. I believe any steps we take as a government must be 
carefully considered to avoid introducing unintentional weaknesses in 
the protection of our commercial networks and national security 
systems. We should also be careful not to negatively affect our 
economic competitiveness as a world leader in technology, which could 
unintentionally drive technology innovation outside the United States.
                               conclusion
    The Department is committed to the security and resiliency of our 
data and networks and for defending the U.S. interests at home and 
abroad. Our relationship with Congress as well as other Departments, 
Agencies, and industry is absolutely critical as we work together to 
navigate the encryption challenge. I am grateful for the committee's 
interest in these issues, and I look forward to your questions.

    Chairman McCain. Admiral Rogers.

STATEMENT OF ADMIRAL MICHAEL S. ROGERS, USN, COMMANDER, UNITED 
   STATES CYBER COMMAND; DIRECTOR, NATIONAL SECURITY AGENCY; 
                CHIEF, CENTRAL SECURITY SERVICES

    Admiral Rogers. Chairman McCain, Ranking Member Reed, and 
members of the committee, thank you for the opportunity to 
appear before you today to discuss the current communications 
environment, including strong encryption and cyber challenges.
    When we last met, on the 12th of July in a closed session, 
I outlined several of those challenges to the committee. Today, 
I look forward to further discussion so the American people are 
provided the greatest amount of information possible on these 
important topics. Of course, some aspects of what we do must 
remain classified to protect national security, so today I will 
limit my discussion to those in the public domain.
    When I use the term ``encryption,'' I'm referring to a 
means to protect data from any access except by those who are 
authorized to have it. Encryption is usually done by combining 
random data with the data you want to protect. The random data 
is generated by a mathematical algorithm and uses some secret 
information only, called a key, in the generation. Without the 
key, you can't undo the encryption.
    NSA supports the use of encryption. It's fundamental to the 
protection of everyone's data as it travels across the global 
network. NSA, through its information assurance mission, for 
example, sets the encryption standards within the Department of 
Defense. We understand encryption. We rely on it, ourselves, 
and set the standards for others in the U.S. Government to use 
it properly to protect national security systems. At the same 
time, we acknowledge encryption presents an ever-increasing 
challenge to the foreign intelligence mission of NSA. The easy 
availability of strong encryption by those who wish to harm our 
citizens, our government, and our allies is a threat to our 
national security. As you well know, the threat environment, 
both in cyberspace and in the physical world, is constantly 
evolving, and we must keep pace in order to provide 
policymakers and warfighters the foreign intelligence they need 
to help keep us safe.
    Terrorists and other adversary tactics, techniques, and 
procedures continue to evolve. Those who would seek to harm us, 
whether they be terrorists or criminals, use the same internet, 
the same mobile communication devices, the same software and 
applications, and the same social media platforms that law-
abiding citizens around the world use. The trend is clear. The 
adversaries continue to get better at protecting their 
communications, including through the use of strong encryption.
    I want to take this opportunity to assure you and the 
American people that the NSA has not stood still in response to 
this changing threat environment. We are making investments in 
technologies and capabilities designed to help us address this 
challenge. Last year, we started a process to better help 
position ourselves to face these challenges.
    It is premised in the idea that, as good as NSA is--as it 
is at foreign intelligence and its information assurance 
mission, the world will continue to change. The goal is, 
therefore, to change, as well, to ensure that we will be as 
effective tomorrow as we are today. The Nation counts on NSA to 
achieve insights into what is happening in the world around us, 
what should be of concern to our Nation's security, the safety 
and well-being of our citizens and of our friends and allies.
    We have a challenge before us. We are watching 
sophisticated adversaries change their communication profiles 
in ways that enable them to hide information relating to their 
involvement in things such as criminal behavior, terrorist 
planning, malicious cyber intrusions, and even cyberattacks. 
Right now, technology enables them to communicate in a way that 
is increasingly problematic for NSA and others to acquire 
critical foreign intelligence needed to protect the Nation or 
for law enforcement individuals to defend our Nation from 
criminal activity.
    The question then becomes, What's the best way to deal with 
this? Encryption is foundational to the future. The challenge 
becomes, given that premise, What is the best way for us ensure 
the protection of information, the privacy and civil liberties 
of our citizens, and the production of the foreign intelligence 
necessary to ensure those citizens' protection and safety? All 
three are incredibly important to us as a Nation.
    You've also asked me to talk about cyber deterrence and 
U.S. Cyber Command's organizational structure. As I have said 
before, I do not believe that malicious cyber activity by 
adversaries can only be, or must be, deterred by cyber 
activity. Our Nation can deter by imposing costs in and through 
other domains as well as using a whole-of-nation approach. Our 
instruments--all instruments of power should be considered when 
countering cyber threats, intrusions, or attacks.
    With regard to our organizational structure, U.S. Cyber 
Command is well along in building our Cyber Mission Force, 
deploying teams to defend the vital networks that undergird DOD 
operations to support combatant commanders in their missions 
worldwide, and to bolster DOD's capacity and capabilities to 
defend the Nation against cyberattacks of significant 
consequence.
    I, too, ask that my previously submitted written statement 
be made a part of the record.
    I look forward to your questions, sir.
    [The prepared statement of Admiral Rogers follows:]

            Prepared Statement by Admiral Michael S. Rogers
    Chairman McCain, Ranking Member Reed, and Members of the Committee, 
thank you for inviting me. It is a distinct honor and privilege to 
appear before you today. I appreciate this opportunity to speak to you 
about the current communications environment, including the wide 
availability of strong encryption, and its impact on the National 
Security Agency as we conduct our foreign intelligence and information 
assurance missions.When we last met on 12 July, I outlined several of 
these challenges to the Committee, and today I look forward to 
discussing those challenges so that the American people are provided 
the greatest amount of information possible on this topic.
    When I use the term encryption, I am referring to a means to 
protect data from any access except by those who are intended or 
authorized to have it. Encryption is usually accomplished by combining 
random data with the data you want to protect. The random data is 
generated by mathematical algorithm and uses secret information--called 
a key--in the generation. Without the key, you cannot unlock the 
encryption, and access the data.
    First and foremost, you should know that NSA supports the use of 
encryption. Encryption is fundamental to the protection of everyone's 
data as it travels across the global network. NSA, through its 
Information Assurance mission, sets the standards for the use of 
encryption within the Department of Defense. We understand encryption, 
rely on it ourselves, and set the standards for others in the 
government to use it properly to protect national security systems. At 
the same time, encryption presents an ever-increasing challenge to, our 
foreign intelligence mission. The easy availability of strong 
1encryption by those who wish to harm our citizens, our government, and 
our allies is a threat to national security.
    As you well know, the threat environment--both in cyberspace and in 
the physical world--is constantly evolving, and we must keep pace in 
order to provide our policy makers and war fighters the foreign 
intelligence they need to keep us safe. Terrorists' tactics, 
techniques, and procedures continue to evolve. Those who would seek to 
harm us use the same internet, the same mobile communications devices, 
and the same social media platforms that law-abiding citizens around 
the world use. The trend is clear, terrorists are becoming more savvy 
about protecting their communications--including through the use of 
strong encryption.
    NSA has not stood still in response to this changing landscape. We 
are making investments in technologies and capabilities designed to 
help us address this challenge and last year, we started a process to 
better position NSA to face these challenges. It's premised on the 
idea--that as good as NSA is at its foreign intelligence and its 
information assurance missions, the world will continue to change. The 
goal is therefore to change as well in order to ensure we will be as 
effective tomorrow as we are today. The nation counts on NSA to 
generate insights into what is happening in the world around us, what 
should be of concern to our nation's security, the safety and well-
being of our citizens, and of our friends and allies. We asked 
ourselves: how do we continue to generate the same level of information 
assurance or foreign intelligence or computer network defense insight 
given these changes? We see technology fundamentally changing--the 
proliferation of strong encryption across the internet and mobile 
devices is just one part of that change.
    I told my team that I wanted us to think about what 2025 will look 
like and how we can better position NSA for that future. We call this 
effort NSA in the 21st Century, or NSA21. As we look out to 2025, we 
see technology fundamentally changing in a variety of ways. Encryption 
tends to be getting a lot of attention at the moment, but the nature of 
technology's change is so much broader than that.It's encryption. It's 
the Internet of Things. It's the increased interconnectivity that is 
being built into every facet of our lives.
    We have a challenge before us. We're watching sophisticated 
adversaries change their communication profiles in ways that enable 
them to hide information relating to their involvement in things such 
as criminal behavior, terrorist planning, malicious cyber intrusions, 
and even cyber attacks. Right now technology enables them to 
communicate in a way that is increasingly problematic for NSA to 
acquire critical foreign intelligence needed to protect the nation or 
for law enforcement officers to defend our nation from criminal 
activity.
    The question then becomes, so what's the best way to deal with 
that? Encryption is foundational to the future. Anyone who thinks we 
are just going to walk away from that, I think, is totally unrealistic. 
The challenge becomes, given the premise that encryption is 
foundational to the future, what's the best way for us to ensure the 
protection of information, the privacy and civil liberties of our 
citizens, and the production of the foreign intelligence necessary to 
ensure their protection and safety?All three are incredibly important 
to us as a nation.
    Thank you.I look forward to your questions.

    Chairman McCain. Thank you very much, Admiral. Is it still 
your professional military advice that maintaining the dual-hat 
at the--at this time is in our best national security interest?
    Admiral Rogers. Yes.
    Chairman McCain. General Dempsey stated that cyber is the 
one area we lack an advantage over our adversaries. Do you 
agree--still agree with that statement, Mr. Secretary?
    Mr. Lettre. I do agree that cyber--that the cyber threat is 
one of the greatest challenges we face.
    Chairman McCain. Admiral?
    Admiral Rogers. Yes.
    Chairman McCain. Russian activity reporting hacking on our 
electoral process, I find it interesting that one of the two 
States there seems to be evidence of it is the State of 
Arizona. What can you tell us about the Russian activity and 
reported hacking on our electoral process? Do you think this is 
acceptable?
    Admiral Rogers?
    Admiral Rogers. Sir, as this is an ongoing investigation 
and a public, unclassified forum, I'm not going to be able to 
provide you specifics as to what our current assessment is. I 
will say this. This continues to be an issue of great focus, 
both for the foreign intelligence community, attempting to 
generate insights as to what foreign nations are doing in this 
area, as----
    Chairman McCain. This is the first time we've seen 
attempted interference in an--in elections in the United States 
of America, isn't it, Admiral?
    Admiral Rogers. Sir, we continue to see activity of 
concern. Again, I'm not going to characterize this activity 
``Is it a foreign nation-state, or not?"
    Chairman McCain. Mr. Secretary, you have anything to add to 
that?
    Mr. Lettre. Senator, I just would underscore that these are 
activities that the government is taking quite seriously. The 
FBI and the Department of Homeland Security [DHS] has an 
aggressive investigation underway, so the government can form 
its conclusion.
    Chairman McCain. Do we have a policy as to how to respond 
to this interference in elections in the United States of 
America? Do we have a policy as to what our actions be taken?
    Mr. Secretary?
    Mr. Lettre. In this particular instance, Senator, the 
government is intending to rely on the results of the 
investigation being led by the Bureau to----
    Chairman McCain. I'm asking if----
    Mr. Lettre.--inform its policy decisions.
    Chairman McCain.--we have a policy, and the answer is no.
    Admiral Rogers, there's a Wall Street Journal article 
yesterday, ``New Tricks Make ISIS, Once Easily Tracked, a 
Sophisticated Opponent.'' Goes on and talks about how 
incredibly sophisticated some of their work was in preparation 
for these attacks--electronic silences; when they did 
communicate, called or sent text messages; location; cheap 
burner phones, et cetera. What are we--what would you think 
about this kind of activity, Admiral?
    Admiral Rogers. ISIL remains the most adaptive target I've 
ever worked in 35 years as an intelligence professional, sir.
    Chairman McCain. It was--is not a leap of the imagination 
to think that this kind of activity and planning further 
attacks on the United States is taking place as we speak?
    Admiral Rogers. Yes, sir.
    Chairman McCain. Admiral Rogers and Mr. Secretary, do you 
believe there's a legislative solution that can address some of 
these challenges we're talking about?
    Mr. Lettre. Senator, it--from my view, the legislative 
route is not something that we think is the best way to go, at 
this time. New legal and regulatory approaches are not as 
potentially productive as a robust dialogue seeking cooperation 
and collaboration with the private sector.
    Chairman McCain. I agree. Unless there is a policy about 
what the United States actions will be in the case of a threat, 
in the case of actual attack, in the case of other aspects of 
this challenge we're on, then you're going to see legislation. 
Right now, there is no policy. There is no policy that you can 
describe to me as to what we would do about an impending attack 
or what we would do about an attack. There's a vacuum there. If 
you don't act, then I guarantee you the Congress will act.
    Admiral Rogers, it was recently reported that Twitter 
barred Data Miner, a company specializing in searching across 
millions of tweets to identify unfolding terrorist attacks and 
political unrest, from accessing its realtime stream of tweets 
because of its work for U.S. intelligence agencies. According 
to an article in the Wall Street Journal, this service gave the 
U.S. Intelligence Committee--community an alert about the Paris 
terrorist attacks shortly before they began to unfold last 
November. In March, the company says--first notified clients 
about the Brussels attacks ten minutes ahead. It also appears 
that Twitter will continue allowing information to be sold for 
use in the private sector, not just the government. Help me 
out, here.
    Admiral Rogers. I wish I could, Senator. I am perplexed by 
their approach in this particular instance.
    Chairman McCain. We have a situation where--excuse me--we 
have a situation where we have the ability to detect terror 
attacks using organizations' such as Data Miner, and yet, in 
order for us to anticipate these attacks, we have to have 
certain information. Twitter is refusing to allow them to have 
information which literally could prevent attacks on the United 
States of America? Is that the situation here, Admiral?
    Admiral Rogers. Yes, sir. At the same time, still willing 
to provide that information to others for business purposes.
    Chairman McCain. For sale.
    Admiral Rogers. For sale, for revenue.
    Chairman McCain. What do you think we ought to do about 
people like that, besides expose--besides exposing them for 
what they are?
    Admiral Rogers. Clearly, I wish I had better 
understanding--and perhaps there's insights that I'm just not 
aware of--I wish I had better understanding as to the rationale 
that leads someone to believe that that is the right course of 
action. I'm just the first to acknowledge, I don't understand 
it.
    Chairman McCain. Shame on them.
    Senator Reed.
    Senator Reed. Thank you very much, Mr. Chairman.
    One of the issues--and it's the last line of questioning, 
and it's highlighted quite a bit--is that what used to be the 
domain of nation-states--sophisticated research, development, 
application of products--are now done commercially all across 
the globe. I mean, some of these encryption devices were just 
adapted by ISIL, they weren't developed by ISIL, but they've 
been very effective. We're in a race not just against another 
nation-state, we're in a race against technical innovation that 
is widespread and is relatively inexpensive, in terms of the 
commitment you have to make to develop a product. Is that a 
fair assessment, Admiral Rogers?
    Admiral Rogers. Yes, sir. I often use the phrase, ``Cyber 
is the great equalizer.'' It doesn't take billions of dollars 
of investment, it doesn't take tens of thousands of dedicated 
individuals, and it's--uses a set of capabilities that are 
readily available globally to a host of actors.
    Senator Reed. I think it's incumbent upon us to approach it 
not as we've done in the past, you know, a nation-state, to 
countering their technology, but with a much more, you know, 
innovative approach.
    Let me ask both you and the Secretary, What is this new 
innovative approach to counter this new decentralized, 
disaggregated, relatively inexpensive ability to upset our very 
expensive and elaborate systems, both platforms and 
intelligence systems?
    Mr. Lettre. Senator, I'd just make a couple of broad points 
on this.
    The most important thing we need to do in the Department of 
Defense is reach out to any and all partners that can help us 
find solutions. For example, the Department's senior leadership 
has invested heavily in conversations with leadership across 
the U.S. technology sector to really seek a dialogue about how 
we can come up with innovative solutions to address the 
dynamics you've raised, which include a quick and agile set of 
adversaries being able to adapt to new technologies, 
themselves, and leveraging those technologies to conduct global 
messaging that advances their interests. We've got to find a 
way to outpace that. We believe that we can do so by tapping 
into the best ingenuity that the American private sector has to 
offer.
    Senator Reed. Admiral?
    Admiral Rogers. The other thing we're trying to do, at an 
operational level, in addition to the power of partnerships, 
which I agree with Marcell is very important for us--the 
argument I'm trying to make on both the NSA and the Cyber 
Command side is, ``Guys, we're dealing with a whole new 
ecosystem out there, and we've got to bore into this ecosystem 
and look at it in just that way. Don't focus on just one 
particular application as used by one particular target. Think 
more broadly about the host of actors that are out there, about 
how that"--and I apologize, I can't get onto specifics in an 
open forum, but looking at it more deeply, not just the one 
particular app, if you will, used by one particular target, 
that if we look at this more as an ecosystem, we will find 
vulnerabilities that we can access to generate the insights 
that the Nation and our allies is counting on.
    Senator Reed. I think, fundamental to your approach--and 
again, it touches on the issues raised by the Chairman--is that 
if these large technological players or, you know, civilian 
potential partners refuse to cooperate, then that is very--
could be detrimental in our security. We have to find a way 
either to convince them or otherwise get them to cooperate, 
because I--my sense is, without it, that we will not be able to 
deal with this issue. Is that fair?
    Admiral Rogers?
    Admiral Rogers. It is, from my perspective. Partnerships is 
going to be incredibly foundational to the future, here.
    Senator Reed. Just a final point. Raise it. You might 
comment quickly. That is, you know, there's been some 
discussion about having sort of a key to these encryption so 
that--you know, the proverbial backdoor--so that government 
could get in, et cetera. Opponents to that approach suggest 
that that--not only government could get in, but other bad 
actors could get in. Is that a solution that causes more 
problems, or is that a real solution?
    Mr. Lettre. Senator, from a policy perspective, we're in 
favor of strong encryption. We benefit from it, ourselves. 
Anything that looks like a backdoor is not something we would 
like to pursue. The important thing, I think, is, on a case-by-
case basis, for institutions like the Department of Defense and 
the Federal Bureau of Investigation and other key stakeholders, 
to have a really rich dialogue, case by case, with key industry 
players to see what kinds of solutions can be brought to bear, 
given the imperative to also balance privacy and civil 
liberties for our public, as well as to be able to ensure the 
competitiveness of our economic players.
    Senator Reed. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCain. If I--Senator Rounds will indulge me one 
second.
    Admiral, I just want to go back to this election in 
Arizona. Is it possible that Russians could somehow harm the 
electoral process in my home State of Arizona?
    Admiral Rogers. Senator, let me plead ignorance on the 
specifics of the electoral system in the State of Arizona.
    Chairman McCain. Or is it--is there a possible scenario 
where they could disrupt the voting results in the upcoming 
election?
    Admiral Rogers. I think there are scenarios where you can 
see capability applied in particular areas. Again, it's not--I 
don't have strong fundamental knowledge across the breadth of 
the 50 States, since elections are run on a----
    Chairman McCain. Yeah.
    Admiral Rogers.--State basis. One advantage I do see, from 
a defensive standpoint, is that the structure is so disparate, 
with some elements being very--still very manually focused, 
others being more electronically and interconnected--because 
it's not just one nationwide, single, integrated structure, 
that tends to help us, I think, defensively, here.
    Chairman McCain. It is a concern.
    Admiral Rogers. Oh, yes, sir.
    Chairman McCain. Senator Rounds. Thank you, Senator Rounds.
    Senator Rounds. Thank you, Mr. Chairman. Thank you, to you 
and the Ranking Member, for putting this subject before us 
today.
    I have a number of questions concerning how we respond to a 
cyberattack on civilian infrastructure. I'm just curious. I 
know that the Chairman has already raised the question of a 
policy, but I'd like to go a little bit deeper. What I'm really 
curious about is, what is the role of the Department of Defense 
with regard to an attack on civilian critical infrastructure? 
Is there a preemptive responsibility that the Department of 
Defense has to protect civilian infrastructure in a 
cyberattack, similar to what happens with a kinetic attack?
    Mr. Lettre. Senator, from a policy perspective at DOD, we 
have three main missions. One is to defend the Defense 
Department and its networks. The second is to support our 
commanders in providing military options in support of their 
plans and operations that relate to cyber. The third is, when 
called upon by the President and the national command 
leadership, to support broader efforts that might be brought to 
bear in the case of an attack on U.S. critical infrastructure.
    Senator Rounds. Has that occurred? Has that request 
occurred yet?
    Mr. Lettre. Well, it--the request typically would come in, 
in a specific instance of an attack.
    Senator Rounds. In the case of an attack on a civilian 
infrastructure, how long would it take from the time that the 
attack is initiated until a time that the damage is done? 
Milliseconds?
    Mr. Lettre. It really depends on the circumstances of the 
attack, but it can be pretty quick, in the case of a 
cyberattack, yes.
    Senator Rounds. How in the world would we expect the 
President of the United States, even if it's not at 3:00 
o'clock in the morning, to respond in time to give you 
permission to protect critical civilian infrastructure if you 
already don't have a plan in place? Or do you have a plan in 
place?
    Mr. Lettre. Right. There--at the policy level, there has 
been a multiyear effort to develop that overall framework for 
how to respond to attacks.
    Senator Rounds. No----
    Mr. Lettre. Then operationally----
    Senator Rounds.--either you've got one----
    Mr. Lettre.--there are systems, as well.
    Senator Rounds.--in place today or you do not. Do you have 
a plan in place today to respond to an attack on critical 
civilian infrastructure?
    Mr. Lettre. I believe we do have a plan in place, Senator. 
In July, for example, the President approved something called 
the Presidential Policy Directive on Cyberincident 
Coordination, PPD-41, which lays out a framework for an 
interagency effort to respond to attacks on our critical 
infrastructure from a cyber perspective.
    Senator Rounds. You would not have to respond----
    Mr. Lettre. In addition----
    Senator Rounds.--you would not have to wait for a 
presidential directive to protect critical infrastructure 
today.
    Mr. Lettre. That's right. Now, there are a whole host of 
operational implications that need to follow from that. Each 
department and agency has worked through what capabilities it 
brings to bear and how quickly, operationally, those can be 
applied. In the case of the Department of Defense, obviously, 
we look very quickly to the capabilities of U.S. Cyber Command.
    Senator Rounds. Admiral Rogers, today----
    Admiral Rogers. Sir.
    Senator Rounds.--can we protect critical infrastructure if 
it is under a cyberattack?
    Admiral Rogers. Do I have the capability to protect aspects 
of critical U.S. infrastructure? Yes, sir.
    Senator Rounds. Thank you.
    Let me go back. I--you know, in the news, you've all heard, 
and we've all heard, about the discussions regarding Secretary 
Clinton's use of the email systems and so forth. One of the 
things that concerns me--and I'd just like you to maybe put 
this in perspective for me if you could--one of the ways in 
which we lose information or in which data that is private, 
confidential, classified is released, is not necessarily 
through unfriendly actors getting a hold of or breaking into 
our encrypted information, but simply human error and 
individuals within government who have access to classified or 
confidential information, or information which is classified at 
a higher category than that. Could you talk to us a little bit 
about what the responsibility is and whose responsibility it is 
to actually train or to give information to individuals who are 
either elected, appointed, or hired by the government to make 
sure that they understand the differences between the 
categories, between whether a ``C'' means that it's in 
alphabetical order or it is confidential or any classified 
setting? Whose responsibility is it within the governmental 
layout, the structure today, to see that that information is 
appropriately disseminated and that instructions and remedial 
instructions are provided if there is a break? Where does that 
fit?
    Mr. Lettre. Senator, the questions around cyber hygiene, 
essentially, and how to properly protect yourself against IT 
intrusions and so forth is one set of policies and practices 
that typically the CIOs and associated IT security managers 
have responsibility for educating government employees at all 
levels. There are also aspects around the handling of 
classified information that flow from security policies and 
procedures, and those are typically handled by departments' 
security subject-matter experts.
    Senator Rounds. Department by department?
    Mr. Lettre. Typically so, yes, sir.
    Senator Rounds. Who oversees that information--or the 
delivery of that information?
    Mr. Lettre. Well, the----
    Senator Rounds. Your agency?
    Mr. Lettre. The--in the case of the Department of Defense 
[DOD], for DOD employees, my office oversees the setting of 
security policy standards.
    Senator Rounds. Mr. Chairman, thank you.
    Chairman McCain. Senator Nelson.
    Senator Nelson. Admiral, I have often thought of our 
ability to protect ourselves in cyber as that we are really 
almost like the standoff in the nuclear, assured mutual 
destruction. It gets more complicated with this, because we 
have nonstate actors. Could you give us an example, in this 
open setting--and, if required, then in a classified setting--
of where we have been attacked and we showed them that the 
return hit is going to be so hard that it deters them from 
hitting in the future?
    Admiral Rogers. Again, I can't get any details in an open 
forum, but I would suggest the response to the Sony hack by the 
North Koreans in November of 2014 is an example of that.
    Senator Nelson. Is that in the public domain--that example?
    Admiral Rogers. In the sense that we publicly acknowledged 
both the event, we publicly acknowledged who did it, and we 
publicly discussed the steps we were going to take in response 
to it, and we also highlighted at the time, ``If this activity 
continues, we are prepared to do more at the time and place of 
our choosing.''
    Senator Nelson. The specifics of that, will that have to be 
in a classified setting?
    Admiral Rogers. No, in the sense that, in this case, we 
chose to use the economic lever, it goes to one of the comments 
I made in my opening statement. One of the things I'm always 
recommending--I realize I just work the operational piece of 
much of this--but, I always encourage people, ``Think more 
broadly than cyber. When thinking deterrence, think more 
broadly than cyber.'' Just because an entity, nation-state, 
group, individual comes at us in cyber, that doesn't mean that 
our response has to automatically fall back on, ``Well, we have 
to respond in kind. We have to go back from a cyber 
perspective.'' I've tried to make the argument, as have others, 
we need to play to all of the strengths of our Nation. In the 
Sony case, for example, we collectively, from a policy 
perspective, made a choice to play to the strength of the 
economic piece for the United States.
    Senator Nelson. Right. I think that's smart. You've got a 
menu of things.
    Admiral Rogers. Sir.
    Senator Nelson. When you get right down to tit-for-tat, we 
could absolutely, with our attacks, shut down a number of 
things.
    Admiral Rogers. We could cause significant challenges to an 
opponent. I'm not going to get into specifics, but yes.
    Senator Nelson. Right. Do--with state actors, do we see 
that that is actually creating a mutually assured destruction?
    Admiral Rogers. I would argue, not yet. Because remember, a 
part of deterrence is both--some aspects to deterrence--
convincing someone that the benefit that they will gain doesn't 
justify the cost, convincing the actor that they just won't 
succeed, or convincing the actor that, ``Even if you were to do 
this, and even if you were to succeed, what we'll bring back 
against you in response to this just doesn't merit you doing 
this. You really ought to think hard and fast before you really 
do this.'' I have said this multiple times publicly before. The 
challenge we have right now is, I think, for a variety of 
reasons, some--not all--some actors have not yet come to the 
conclusion that there's a significant price to pay for some 
pretty aggressive actions on their part in the cyber arena.
    Senator Nelson. Well, I'd like to follow with you, in a 
classified setting----
    Admiral Rogers. Sir.
    Senator Nelson.--how we might respond to some of those 
actors.
    Admiral Rogers. Sir.
    Senator Nelson. In the private sector, do we have the 
cooperation that we need to tackle these encryption challenges?
    Admiral Rogers. At an operational level, my observation--
because this is much bigger than just Cyber Command or NSA--my 
answer would be no, in the sense that--my sense, as I look at 
this problem set, I see multiple parties spending a lot of time 
talking about what they can't do or what can't be done. I wish 
we spent more time thinking about, Well, what could we do, what 
is in the realm of other possible? Even as I acknowledge I 
think there's multiple parts to this conversation. What can we 
do is not necessarily the same thing as what should we do. 
Those are two very important parts of this conversations that I 
think we need to have.
    Senator Nelson. The encryption thing does trouble all of 
us.
    Admiral Rogers. Sir.
    Senator Nelson. Aside from encryption, what other 
technology trends are shaping the way that the Department does 
business?
    Admiral Rogers. It--from a cyber perspective?
    Senator Nelson. Yes.
    Admiral Rogers. We're very much interested in artificial 
intelligence, machine learning. How can we do cyber at scale, 
at speed? Because if we're just going to make this a largely 
human capital approach to doing business, that is a losing 
strategy. It will be both incredibly resource-intensive, and it 
will be very slow. I'd say that is a big area of focus for us. 
In addition, we're constantly reaching out--Defense Innovation 
Unit Experimental [DIUX], the capability that's been created 
out in Silicon Valley as well as Boston, U.S. Cyber Command has 
a separate but related--that teams with DIUX to try to harness 
partnerships in the private sector.
    Overall, I'd say good. As the Chairman highlighted, every 
once in a while, you just run into a situation where you go, 
``Can't we just step back, sit down, and talk to each other 
rather than, you know, these arbitrary, `Hey, you can't do 
this, you can't do that, we won't do this, we won't do that'?'' 
Even as I acknowledge there are different perspectives out 
there, I have no issue with that at all. I certainly understand 
that.
    Senator Nelson. Thank you, Mr. Chairman.
    Chairman McCain. Senator Lee.
    Senator Lee. Thank you, Mr. Chairman.
    Thanks, to both of you, for being here. I also appreciate 
your commitment to protecting the rights that we hold dear as 
Americans, and our security.
    This issue of encryption cuts right to the heart of a lot 
of things. It cuts right to the heart of the nature of the 
relationship between the American people and their national 
government, and to the heart of a number of features in the 
Constitution, including responsibilities of the Federal 
Government to safeguard the people and also to safeguard their 
rights.
    I believe it's an issue that Congress and the executive 
branch have to approach with a great deal of prudence, 
recognizing that we can't view it exclusively either as a 
national security issue, on the one hand, or as a privacy 
issue, on the other hand. We have to view it holistically, 
understanding that we've got to find a resolution to this that 
respects all the interests at stake.
    Admiral Rogers, I'd like to start with you. On August 17th, 
the Washington Post reported that a cache of commercial 
software flaws that had been gathered by NSA officials was 
mysteriously released, causing concerns both for government 
security and also for the security and the integrity of those 
companies who I believe had not been notified by the NSA of the 
flaws discovered in their systems. Can you walk through this 
process with us that the NSA uses to determine----
    Admiral Rogers. Vulnerability?
    Senator Lee. Yeah. Well, to determine when, whether, to 
what extent you should notify a private company of a security 
vulnerability that you've discovered, and whether NSA will 
continue to withhold such information from those companies when 
you're holding those and there are some clear concerns about 
the security of your own systems.
    Admiral Rogers. There's a vulnerability evaluation process, 
interagency, that was started in 2014, that we continue to be a 
part of, whereas NSA and other entities, not just us, become 
aware of, you know, zero-day vulnerability, so to speak, those 
vulnerabilities that we don't think are--others are aware that 
haven't been patched or addressed, that we raise those through 
an interagency process, where we assess what's the impact of 
disclosing or not disclosing. I have said publicly before, I 
think, over the last few years, overall--I think our overall 
disclosure rate has been 93 percent or so of the total number 
of vulnerabilities using this process since 2014. We continue 
to use that process.
    Senator Lee. Okay. Okay. You do that on a case-by-case 
basis----
    Admiral Rogers. Yes, sir.
    Senator Lee.--depending on the totality of the 
circumstances.
    Has there been an instance in which a U.S. company has 
suffered a security breach because of a cyber vulnerability 
that you were aware of that you--that NSA had previously 
identified but----
    Admiral Rogers. I can't say totality of knowledge, sir. I 
don't know totality. I apologize.
    Senator Lee. Okay. No, it's understandable.
    On Sunday, just this past Sunday, the Wall Street Journal 
published a report on the methods of ISIS, the methods that 
ISIS is using, in which there were some experts who concluded 
that low-tech communications, including things like face-to-
face conversations, handwritten notes, and sometimes the use of 
burner phones, have proven to be just as much of a problem for 
Western intelligence officials as the use of high-end 
encryption by our adversaries.
    Mr. Secretary, I was wondering if I could get your sense on 
this. Are the defense and intelligence communities investing 
enough into human intelligence and other activities to address 
low-tech terror methods, like those leading up to the Paris 
attacks? If we continue, I--a related question to that is, If 
we continue focusing on combating highly sophisticated 
encryption technology, do we expect to see a corresponding 
shift into these lower-tech alternatives?
    Mr. Lettre. Senator, you're--you've put your finger on a 
really important point, which is the need for a really diverse 
set of intelligence collection capabilities and disciplines. 
Capabilities that go after the high end, using the best of our 
technology available, but also capabilities that draw upon 
individual case officers, area expertise, language expertise, 
and presence on the ground in a lot of places around the world, 
where we can, in a very granular way, pick up what's going on 
and identify threat actors who, as you noted, may be using 
relatively unsophisticated mechanisms for planning and plotting 
attacks against the U.S. Homeland and our allies. With regard 
to the aspect of your question around human intelligence, we 
have been making some investments, over the last several years, 
to continue to improve the effectiveness and capacity of 
defense-related human intelligence, working closely with CIA. I 
think that that is a very important set of investments to be 
making.
    Admiral Rogers. Senator, could I add one comment?
    Senator Lee. Sure.
    Admiral Rogers. That would be okay?
    I think what that article highlights is the fact that we 
are watching ISIL use a multi-tiered strategy for how they 
convey information and insight that runs the entire gamut. I 
think, for us, as intelligence professionals, we've got to come 
up with a strategy and a set of capabilities that are capable 
of working that spectrum. It can't be we just spend all our 
money focused on one thing. I don't think that's a winning 
strategy for us, if that makes sense.
    Senator Lee. Understood.
    I've got a couple of other questions, but my time's 
expired, so I'll submit those in writing.
    Thank you very much.
    Chairman McCain. Senator Heinrich.
    Senator Heinrich. Thank you, Mr. Chair.
    Admiral Rogers, I want to continue along that line of 
questioning. Recently there was a worldwide survey, actually, 
of encryption products, looked at 865 hardware and software 
commercial encryption products that are available worldwide. 
About a third of those were developed in the U.S.; two-thirds 
were developed overseas. You know, it begs the question, If 
Congress were to act on this issue, if Congress were to compel 
some sort of built-in backdoor to those kinds of products, 
would that in any way effectively limit access to strong 
encryption projects to our enemies, to foreign terrorist 
groups? So long as they're widely available on the Internet?
    Admiral Rogers. I think, clearly, any structure, any 
approach that we come up with here with respect to encryption 
has to recognize that there is an international dimension to 
this, that encryption doesn't recognize these arbitrary 
boundaries on the globe that we have drawn, in the form of 
borders of nation-states. I don't know what the answer is, but 
I certainly acknowledge we have to think more broadly than just 
one particular market, so to speak.
    Senator Heinrich. Given how easy it is to just download an 
app onto your smartphone to do end-to-end encryption of texting 
and other communications, does it--and getting to, really, 
Senator Lee's question--does it beg the question of whether or 
not we've become overly reliant on signals intelligence, 
generally? Are we investing enough in human intelligence?
    Admiral Rogers. I'll leave that up to the Under Secretary. 
I'm a----
    Senator Heinrich. I know it's dangerous question for 
someone in your position, but----
    Secretary?
    Mr. Lettre. Senator, the short answer is, we do need to be 
investing in a range of capabilities, including the human 
intelligence capabilities. As to the point about individuals 
being able to download an app onto their mobile phones and 
smartphones that can avoid law enforcement or national security 
coverage, it really just underscores the imperative for a 
really rich and diverse set of conversations to be going on 
between government and all players across the technology 
sector. Each company has a different business model, which may 
or may not implement end-to-end encryption in a ubiquitous way, 
and we need to be looking for solutions on a case-by-case basis 
that allow us to preserve our values, including the ability to 
conduct law enforcement and national security protective 
operations in service of the Nation.
    Senator Heinrich. You know, one of the issues that was 
raised earlier is this idea of identifying vulnerabilities that 
may exist in software, in operating systems, in hardware. 
Obviously, when there are those vulnerabilities, it means that 
people who work for the U.S. Government, as well as private 
citizens, have data potentially exposed to nefarious actors. 
Has the administration ever considered some sort of reward 
structure, incentive structure for those sorts of 
vulnerabilities to be identified and, therefore, identified to 
companies so that they can plug those holes as they come up?
    Admiral Rogers. I can't speak for the administration as a 
whole, but we have done this twice now within the Department of 
Defense, you could argue, in the Bug Bounty Program, where we 
specifically have tried to incentivize the discovery and 
sharing of vulnerabilities, both to help the Department as well 
as to help the commercial sector in trying to address them. 
That's something that we've been doing.
    Senator Heinrich. Have you found that to be a--an effective 
strategy?
    Admiral Rogers. Yes, sir. In fact, you'll see us--in the 
coming months, we're looking at the next iteration of the 
program, as well. This is something we want to continue.
    Senator Heinrich. Do you think that's something we should 
be looking at as a more whole-of-government approach, as well?
    Admiral Rogers. I would only say, our experience has been a 
positive one, and I would fully expect that it would turn to be 
positive for others. The scale is----
    Senator Heinrich. I know with my conversations with the 
technology sector, that's something that's come up----
    Admiral Rogers. Right.
    Senator Heinrich.--consistently over time.
    Thank you both.
    Chairman McCain. Senator Sullivan.
    Senator Sullivan. Thank you, Mr. Chairman.
    Thank you, gentlemen, for the testimony today.
    Admiral Rogers, I just want to get--and I know you've been 
talking about this in a more broad sense, but what do you see 
as the three top threats that U.S. Cyber Command or the NSA 
have to plan or defend against? Top three. It can be a country 
or it can be an issue. When you're going to bed at night, what 
are the top three that you're----
    Admiral Rogers. Broadly, as I look out, number one is just 
the day-to-day defense of the DODIN. I look at DOD. We are a 
massive Department with a global laydown and a network 
infrastructure that was built in a different time and a 
different place, in which redundancy, resiliency, and 
defensibility were not core design characteristics. My 
challenge at the Cyber Command side is, I've got to defend an 
imperfect infrastructure and give us the time to make the 
investments to build something better. That's challenge number 
one. I'm always thinking to myself, what are the 
vulnerabilities out there that I don't recognize yet that 
someone's exploiting?
    Number two would probably be--I worry about--most 
penetrations in networks to date have largely been about 
extracting information--extracting, pulling the data--whether 
it's to generate intelligence insights, whether it's to 
generate battlefield insights, whether it's to potentially 
attempt to manipulate outcomes. What happens when it's no 
longer just about data extraction, but it's about data 
manipulation, and now data integrity becomes called into 
question? As a military commander, if I can't believe the 
tactical picture that I am seeing, that I'm using to make 
decisions, that are designed to drive down the risk and help me 
achieve the mission, if what I'm seeing is a false 
representation and, in fact, the choices I'm making are 
increasing the risk and, in fact, are not having positive 
outcomes--data integrity, data manipulation really concerns me. 
That's a whole different kettle of fish.
    Then the third one, probably, What happens when nonstate 
actors decide that the Internet is not just a forum to 
coordinate, to raise money, to spread ideology, but instead 
offers the opportunity to act as a weapon system, to employ 
capability on a global scale?
    Senator Sullivan. Let me ask about that last one, because I 
think one of the things that we continually hear, in terms of 
our cyber strategy and how it--and how the--this domain differs 
in so many other domains--is that the attacks, when they occur 
on us, seem to come, in some cases, without much cost. We're 
getting hit from all different angles, and we're not sure where 
or how, and you can't do a symmetrical smackdown, maybe. How do 
we--how do we raise the costs for adversaries who are attacking 
us in this domain? Or how do we signal that we're going to do 
it? Obviously, a lot of it--if we're signaling, we have to have 
credibility. How do we raise the cost? Do you think we do need 
to raise the cost? Do you think, in this domain, that our 
adversaries or potential adversaries think that they can take 
action and kind of get away with it because we're not going to 
respond? Do we need to be more aggressive in signaling how 
we're going to respond, and then respond?
    Admiral Rogers. I think we need to show adversary we have 
capability, we have intent, and we have the will to employ it, 
within a legal framework----
    Senator Sullivan. Have we done that, though, much?
    Admiral Rogers. We have--as I've said, we've done it. The 
Sony piece, I would argue. You could also argue, in the areas 
of hostilities--Syria, Iraq, Afghanistan--we're doing some good 
things every day that clearly I think the opponent understands 
that we're applying this capability against them. We've 
publicly acknowledged that we are doing that. I think, in part, 
that idea of publicly acknowledging the fact that we were using 
cyber as a capability to counter ISIL was not just to signal 
ISIL, but was also to make sure others are aware that the 
Department of Defense is investing in these capabilities, we 
are prepared to employ them, within a legal, lawful framework.
    Senator Sullivan. Do you think we're sending that signal to 
state actors in the cyberspace?
    Admiral Rogers. I certainly hope so, sir.
    Senator Sullivan. Well, do you think we are? I don't know 
what----
    Admiral Rogers. I think it----
    Senator Sullivan. You're the--you're in charge, right? 
``Hope'' makes me a little worry. What you think----
    Admiral Rogers. It varies by the actor. Honestly. It varies 
by the actor.
    Senator Sullivan. Do the Iranians fear that we could 
retaliate against them if they take some kind of cyber action?
    Admiral Rogers. Yes. My sense is, the Iranians have a sense 
for a capability. I apologize, I can't get into a lot of 
specifics, but my sense is, they have awareness of capability, 
and they've seen us use it.
    Senator Sullivan. Let me ask this one final question. It 
seems to me, kind of longer term, one of the biggest strategic 
advantages we have in this domain is our youth and their 
capabilities, which far exceed, probably, everybody in this 
room, given how smart they are in this space and how they've 
just naturally grown up with it. What are we doing to make sure 
to try to recruit younger Americans to, you know, be on the 
right side of the issue, to come serve their country in a 
really critical area, where they, in many ways, have unique 
skillsets that a lot of us--no offense to my colleagues around 
the dais here--that a lot of us don't have?
    Admiral Rogers. Yes, sir. On the NSA side, I'll just 
highlight a couple of examples. We have a conscious effort that 
we've been doing for several years now. We do high school and 
junior high school cyber camps that we partner with a variety 
of institutions across the United States. We have cyber 
acquisition--or cyber academic excellence and academic research 
excellence relationships with over 200 universities on the NSA 
side across the United States, because we realize much of the 
workforce that we're looking to gain in the future is going to 
come from these pools. There's something to be gain, we 
believe, by interacting early with them, and, more broadly, for 
the Nation as a whole, helping to encourage the acquisition of 
these skills, this knowledge, in a way that just wasn't 
necessarily the case in the past.
    Senator Sullivan. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCain. Senator Manchin.
    Senator Manchin. Thank you, Mr. Chairman.
    Thank both of you all for being here.
    Admiral Rogers. Sir.
    Senator Manchin. Along the line of questioning there, for 
those of us who grew up in the not-Internet Age, if you look 
around at some of us here in the audience and some of us on 
this--and now all this coming to fruition, it's quite 
confusing, quite troubling, quite concerning. With all that 
being said, you know, we have concern over our food supply, our 
energy supply. The average person in America right now is 
concerned over, whether they have children or grandchildren, 
cyber bullying, everything that goes on with the Internet. We 
see the rise of terrorist--the great equalizer is the Internet 
for them. They don't have an air force, they don't have a navy. 
They have nothing more than the will to do us harm or wreak 
havoc around the world.
    With all that being--going on, the question I would like to 
ask best is, In a perfect world, without the politics involved, 
not being--trying--being politically correct, what can we, as 
Senators sitting on this committee or in this body or in 
Congress, 535 of us, concentrate and do to allow you to 
streamline this to make this work? It looks to me like you're 
going to take a covey of volunteers around the country that are 
smart and bright, to recruit them, but also, if people are out 
there hacking us continuously, are they able to intercede? Are 
they able to see what's going on? Are they able to report--is 
there some way of communication that the average person say, 
``Listen, I've seen some activity going on here that I think is 
going to be detrimental to us, think you ought to know about.'' 
You all have a--an agency--I mean, a way that you can collect 
this information? What can we do to help to streamline this, to 
correct this, so it doesn't get so convoluted that something 
falls through the cracks?
    Whoever wants to take that one, you can----
    Mr. Lettre. Senator, I'll take a first crack at it. Really, 
the most important thing, I think, that we can all do--and this 
committee and you all, as members, are incredibly powerfully 
well suited and seated to be able to do this--is to have that 
dialogue, catalyze that dialogue with the public, with civic 
leaders, with industry leaders, about the shared nature of this 
challenge, both the cybersecurity challenge and the hacking 
that we all face across--from the individual to companies and 
governments, and the acute threat from--ongoing threat from 
terrorism, and the need to put our best foot forward, in terms 
of countering violent extremist messaging, countering their 
ability to recruit and persuade over the Internet. That----
    Senator Manchin. I think----
    Mr. Lettre.--that dialogue with leaders to really impress 
upon corporate and civic leaders the need to have--view that as 
a shared problem and to really look for solutions with us.
    Senator Manchin. Well, the question I'm asking, I think, to 
both of you all, is that--I mean, if you're looking at us as 
a--everybody says lack of money, it's always a money situation, 
to a certain extent, or is it a lack of, basically, siloing to 
where everyone's protecting their own territory? Is there a way 
that we can break through, that, if you're going to be that 
agency, there has to be one gathering point and, basically, one 
dispensing point. I'm understanding that some of our agencies 
aren't talking to each other. We have the situation to where we 
don't have the private sector cooperating--San Bernardino, 
Apple, and all that, that comes to mind. This can't happen. If 
that's the great equalizer, and we have people that have 
nothing else more than the will to do us harm, we have to have 
the will to protect greater than the will to do harm.
    Admiral, I'm looking for just a way to help.
    Admiral Rogers. Senator, I don't disagree with many of the 
statements you're making. This is my takeaway, having done this 
for a while now. Using the same structures and the same 
processes and expecting different outcomes probably is not 
going to get us----
    Senator Manchin. We understand that definition.
    Admiral Rogers.--where we want to be. I think the 
challenge, particularly as we're looking in the future, is, can 
we take the opportunity to step back and ask ourselves, ``Hey, 
what do we need to be doing differently?"
    The other thing, I think, particular as Senators, as among 
the leaders of our Nation, these are serious, hard issues, with 
a wide variety of perspectives, and we have got to get beyond 
this simplistic vilification of each other to roll up our 
sleeves and figure out, How are we going to make this work? 
Realizing that there's multiple perspectives and a lot of 
different aspects of this that have to come to the fore.
    Senator Manchin. You know, I tell--I speak to children 
and--much as I possibly can. I would--and I tell them, I says, 
I don't think--nowhere in the world is there a military might 
that can challenge us. We have the greatest military in the 
world. The economy--our economy is greater than anyone in the 
world, almost double the closest--of China. I'm not worried 
about a military or an economic takeover of the United States 
of America. I worry every day about the cyber--breaking down 
the cybersecurity, how they hack and whack at us and, 
basically, come at us different ways. If we're not defending 
that, if we're not giving you the tools, and if we're playing 
politics, being Democrat and Republican and who's politically 
correct--this is not a time to do that.
    I think there's a group of us here that would love to step 
out and say, ``Okay, how do we streamline this? How do we make 
sure that someone says, `We do this, or we don't do this, or we 
go in this direction'?'' That's what we're looking for. 
Hopefully you know that we're here to help there.
    Admiral Rogers. Yes, sir.
    Senator Manchin. Thank you.
    Chairman McCain. Senator Shaheen.
    Senator Shaheen. Thank you, Mr. Chairman.
    Thank you both for being here today.
    I want to follow up a little bit on Senator Manchin's 
question, which was really referred back, I think, to Senator 
McCain and the Twitter example that you used earlier.
    How do we get some of those private-sector companies to 
recognize that this a shared challenge and that we've got to 
work together? Do we need more legislation to address that? 
This is really a policy question for you, Secretary. Is it 
that, or is it meeting with folks? What do you think we need?
    Mr. Lettre. Senator, our view, at this point in the 
dialogue and debate, is that legislation that forced or 
required a regulatory solution is not preferred, at this point. 
What we have found is that, on a case-by-case basis, when 
leaders from the executive branch have been able to have a very 
effective, quiet dialogue with leaders in industry, that the 
nature of the conversation starts to shift in a couple of ways. 
One is, you know, industry and government, for decades, have 
worked together very proudly on projects that protect the 
Nation. Reminding ourselves of that rich history, I think, 
starts to put the conversation into a dialogue around solutions 
rather than being at odds with each other in an antagonistic 
way. If, on the government side, we're able to communicate the 
problems we're trying to solve and ask for industry's best 
expertise and wisdom about the solutions that might be brought 
to bear that we haven't even thought about yet, often we find 
that we are able to come up with solutions that meet our law 
enforcement and national security needs.
    The second thing that I think is----
    Senator Shaheen. Well, let me just----
    Mr. Lettre.--that we----
    Senator Shaheen.--I'm sorry to interrupt, but has that 
worked with Twitter, in terms of the willingness of Twitter to 
allow us to scrub some of the information that they have?
    Mr. Lettre. As was mentioned earlier, to the best of my 
knowledge, Twitter's position hasn't changed on its level of 
cooperation with the U.S. intelligence community, so far.
    Senator Shaheen. We were not very successful with Apple, 
either. Is that correct?
    Mr. Lettre. That's right, yeah.
    Senator Shaheen. There are limits. Certainly, there are 
limits to that kind of a strategy. I appreciate what you're 
saying. I mean, I would--I have a--always rather try and sit 
down and resolve the situation rather than pass legislation, 
but right now we've had mixed reviews of the opportunity to 
work collaboratively with the private sector to address this 
issue.
    Mr. Lettre. Yeah, that's absolutely fair to say. Now, the 
industry and the private sector is very diverse. Businesses----
    Senator Shaheen. Sure.
    Mr. Lettre.--have different business models, which leave 
them in different positions, as far as their ability or 
willingness to work closely with government on working our way 
through some of these law enforcement questions. It--a case-by-
case approach, I think, is what is absolutely needed. As you 
pointed out, we are not successful in every case.
    Senator Shaheen. I had the opportunity, earlier this year, 
to visit Estonia, which, as we know, was the first state 
subject to a massive cyberattack from Russia. Are there lessons 
to be learned from examples like Estonia who have experienced 
this, or from other countries or businesses?
    Admiral Rogers, are there lessons that we should be taking 
from what's happened in other places?
    Admiral Rogers. It's not by chance that I've been to 
Estonia twice in the past year. Again, I'm not going to get 
into specifics, but we have talked about creating a 
relationship to try to build on it. Although one comment I make 
to my Estonian teammates also is, what works necessarily in 
your construct may not----
    Senator Shaheen. Sure.
    Admiral Rogers.--necessarily scale directly to a nation of 
350---you know, 335 million and the largest economy in the 
world. There are perhaps some things that we can take away from 
this. Because you have to admire--they sat down and decided 
this was a national imperative for them, and they consciously 
sat down and asked themselves, What do we need to do to get 
where we want to be? Then, how can the government help to be a 
primary driver in this? Not the only focus, but how can we 
harness the power of the government and their structure to help 
drive that? That aspect of it is very impressive, to me.
    Senator Shaheen. I would agree with that. I was very 
impressed with what I heard. To follow up on what you're 
saying, do you think we've reached the point where we believe 
that this is a national imperative for the United States?
    Admiral Rogers. Intellectually, my sense is, most people 
intuitively realize that, but then translating that into a 
series of specific actions to drive broader change than we have 
done, I think that is still the rub, if you will.
    Senator Shaheen. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCain. Senator Cruz.
    Senator Cruz. Thank you, Mr. Chairman.
    Mr. Secretary, Admiral, thank you for your service. Thank 
you for joining us today on this vital topic before this 
committee.
    Admiral Rogers, during your testimony to this committee in 
April, you indicated that the Department of Defense was making 
significant progress towards establishing 133 Cyber Mission 
Force teams with plans to be fully operational by the end of 
fiscal year 2018. In my home State of Texas, I'm very proud of 
the contributions of the Air Force Cyber Command. I'm glad to 
see that the Air Force is taking advantage of the unique 
synergies between the academy, industry, and the military which 
exist in San Antonio. The combined efforts of the Air National 
Guard and the Active Duty Forces at Lackland have played, and 
will continue to play, an integral role in modern cyber 
warfare. I thank them for their hard work, and you for your 
leadership to ensure that they have the right tools they need 
to train, to fight, and to win.
    Admiral Rogers, would you provide an update on the Cyber 
Mission Force and detail specific shortfalls that merit 
congressional assistance?
    Admiral Rogers. The Cyber Mission Force, 6,187 individuals 
and 133 teams focused on three missions, providing capability 
to provide combatant commanders, if you will, with offensive 
capability, providing defensive capability to defend the 
Department of Defense Information Network [DODIN], if you will, 
the DOD network structure, also the third mission set for us, 
providing capability to help defend critical U.S. 
infrastructure against significant acts of cyber consequence, 
if you will. Three primary mission sets, those 133 teams, if 
you will, break down into those three different missions.
    The first goal we had was IOC of the 133 teams by 30 
September of 2016. That's three weeks from now--or two weeks or 
so from now. We will be IOC by 30 September 2016 of all teams. 
I would compliment the services, because this is one where, 
quite frankly, I haven't been the nicest individual, at times, 
about, what don't we understand about--this is a goal and a 
standard, and we are going to meet this. We're on track to do 
that.
    The next major milestone, if you will, in the fourth 
generation, is to be at full operational capability by 30 
September 2018, because our experience is that it takes about 2 
years to get a team, from the time we stand it up til it's 
fully mission capable, so the teams we're finishing standing up 
this month in IOC, we expect it'll take us 2 years to get them 
to full operational capability.
    The biggest challenges meet a continue--we continue to 
learn insights about tools on the cyber defensive side that we 
need to continue to deploy more broadly. I'm trying to use a 
best-of-breed approach to this across the Department, whereas 
we generate insights from capabilities that the individual 
services have--NSA, Defense Information Systems Agency [DISA], 
other elements--let's pick the best of breed, and let's apply 
it more broadly. Let's not waste money, everybody trying to do 
their own thing, here.
    Investment in the persistent training environment, our 
ability to actually simulate, in garrison, the networks that 
we're going to defend, the networks that we're going to operate 
on. That's fundamental to the future for us. We just cannot 
afford a model, where we do these major exercises, we try to 
bring everybody together. It's just a cost-intensive approach 
to doing business. It's a part of our strategy, but it 
shouldn't be the fundamental backbone.
    Cyber situational awareness is another area where I would 
argue we have got to be able to visualize this battlespace. 
Right now, we just don't do that well. I have prioritized it at 
a lower level. I'm the first to acknowledge that. We've had to 
identify where can we take risk, so I've tended to prioritize 
it lower. It's an area where I remain concerned from a--we need 
to increase the level of investment. We're taking too much 
risk.
    Those are probably the--I don't want to give you a long 
answer, because I know you have limited time, Senator--those 
would probably be the three biggest areas that I would argue we 
need to keep focused on, keep investing on.
    Senator Cruz. Okay. Thank you, Admiral.
    Let me shift to a different topic. An NBC news article this 
week claims that, despite evidence that Russia is behind a 
number of cyber intrusions into American networks, that the 
administration failed to respond because it determined that we 
need Russia's help in Syria. If true, the Obama administration 
will have effectively ignored the threats from an adversary, 
that it is actively trying to influence the election process 
and will set a terrible precedent for our country, going 
forward.
    Mr. Secretary, are these reports true? Is this, in fact, 
what the administration's done?
    Mr. Lettre. I'm not aware of the details of that particular 
NBC story, Senator, but I'm not aware of any linkage of these 
issues that I've seen in the policy discussions. The incidents 
that you've described around the apparent hacking related to 
our electoral systems is under an aggressive FBI investigation 
so that the U.S. Government can compose its own conclusions 
about what has occurred there and what are the appropriate 
actions to take in response. To the discussion that the 
committee has been having this morning around cyber deterrence, 
it will be very important to look at the facts around that 
investigation and the conclusions from it in order to inform 
policy choices about what kind of acts to take in response.
    Senator Cruz. Very well.
    Thank you.
    Chairman McCain. Senator Blumenthal.
    Senator Blumenthal. Thanks, Mr. Chairman.
    Thank you for--both for your service and the excellent 
contribution that you're making to our national defense.
    I want to return to the Chairman's questions about our 
electoral system. Isn't there a pretty powerful argument that 
our systems of elections and voting ought to be declared 
critical infrastructure?
    Mr. Lettre. Senator, that--that's an important question. I 
think, when we look at critical infrastructure across the 
country, we do need to consider the possibility of attacks on 
infrastructure causing significant consequences to the U.S. If 
there were scenarios where we could envision attacks having 
significant consequences in our electrical--electoral context, 
we really do need to consider that.
    Senator Blumenthal. Well, certainly we've envisioned those 
potential consequences.
    Admiral, your response to the Chairman's question was, in 
part, that this electoral system is--I think you used the word 
``disparate,'' by which I took it to mean decentralized; 
``disparate'' meaning divided and localized----
    Admiral Rogers. Yes, sir.
    Senator Blumenthal.--which is true. Every State has its own 
system. As you well know, in our presidential elections, the 
electoral college is the critical decision maker, which results 
from elective systems within States. Of course, elections have 
consequences at the State and local level, as well, and now 
many are driven or directed by some kind of computer collection 
of information, so they are vulnerable, maybe not at the ballot 
box, but at some point in the chain of collecting and 
assimilating that information. Isn't that troubling to you? I 
don't know the circumstance of Arizona. You're not familiar 
with the circumstance of Connecticut, but----
    Admiral Rogers. Right.
    Senator Blumenthal.--this is a common thread in our 
elective system. We've seen, from some of these hacks, that 
they can have very severe impacts on the--these systems, and 
they are largely unprotected right now.
    Admiral Rogers. I think it raises a broader question of, 
What is truly critical in the cyber world? You know, we've 
tended to think--I think, my sense--we've tended to think along 
very traditional industrial, in many ways, you know, kinds of 
lines. One of the things, I think, that the events in the last 
few years are highlighting to us is that, for example, we need 
to think about data in a whole different way. What are the 
implications from a security and a critical infrastructure----
    Chairman McCain. Admiral, wouldn't the selection of our 
leaders--of our system of government be--there should be no 
discussion about that.
    Admiral Rogers. Senator, my----
    Chairman McCain. If you attack that, and succeed in 
destroying that, you've destroyed democracy.
    Admiral Rogers. So----
    Chairman McCain. Why are we equivocating, here, about this? 
I'm sorry to interrupt.
    Senator Blumenthal. No, I----
    Chairman McCain.--Senator Blumenthal.
    Senator Blumenthal. Mr. Chairman, you took the words, much 
more eloquently, out of my mouth. I think there is not only a 
powerful argument, it's virtually incontrovertible.
    I understand that you're approaching it from a more 
abstract standpoint. I don't mean to interrupt, because I'm 
here to listen to you, but I would hope that there would be a 
move to designate these systems as critical infrastructure. Why 
don't you--I know you were remarking on the----
    Admiral Rogers. Yes, sir.
    Senator Blumenthal.--nature of data.
    Admiral Rogers. My only point is, if you look at critical 
infrastructure, from a data perspective, and you look at-- What 
are the key data-driven decisions that tend to shape us of a--
as a Nation?--you come to a very different conclusion about an 
election that--structure--for example, that if your perspective 
was, ``Well, critical infrastructure, to us, is primary 
industry"--that that's my only point to you, is, this leads us, 
I think, to a different set of conclusions as to what is truly 
critical, here. An election system is a good example of that.
    Senator Blumenthal. Well, my time has expired, but I think 
that we really need a national consensus that our electoral 
system, our system of choosing our leaders, as the Chairman has 
said very well--our system of choosing leaders at every level, 
not just the national level, but State government, State 
legislators--all of these systems are going to be increasingly 
involving the collection of--you refer to it as ``data"--the 
data are votes. The votes are individual citizens deciding who 
their leadership is going to be, which is going to determine 
who sits in the chair you occupy right now. These chairs here. 
Who makes these critical decisions. Nothing is more 
fundamental--our financial system, our utilities, our system of 
healthcare, all are critical infrastructure. I think our system 
of electing and choosing leaders is no less so.
    Thank you very much.
    Chairman McCain. Senator Ernst.
    Senator Ernst. Thank you, Mr. Chair.
    Gentlemen, thank you very much for coming in today and 
talking about cybersecurity and its impact on our national 
security.
    I'd like to address some situations from the National Guard 
perspective. I'm a former soldier in the Iowa National Guard, 
and I have been tracking the increasing cyber capabilities that 
both the Army and the Air National Guard are bringing to the 
table, even in my own home State of Iowa. Unfortunately, it 
appears that the DOD has not been tracking this as closely as I 
have.
    A report from the Government Accountability Office [GAO] 
last week stated that, quote, ``DOD does not have visibility of 
all National Guard unit cyber capabilities, because the 
Department has not maintained a database that identifies the 
National Guard units' cyber-related emergency response 
capabilities, as required by law,'' end quote.
    This is a little bit alarming to me, because, in the 
National Guard, we do have some tremendous capabilities, and 
we're able to poll a number of those private-sector cyber 
warriors into the Guard. That's their part-time job and full-
time job. They are very talented, and we want to see that they 
are being used to the fullest of their capabilities.
    Admiral, how close is the DOD to having a database of all 
of the National Guard cyber capabilities required by law?
    Admiral Rogers. Senator, I can't answer to the specifics of 
the National Guard Bureau. Let me only say this. I am the son 
of a guardsman. My father was enlisted as an officer in the 
Illinois Guard for 25 years. This is the world I knew as a 
child, growing up. The Guard and the Reserve are something 
personally important to me. In fact, I just, coincidentally, 
sat down with a team over the last week and were just 
reviewing, What's the Guard and Reserve plan, the portion of 
the mission-force piece?
    The point I think you make is both important. I'm the first 
to acknowledge that. I will take an action from here to pull 
the string on this, because, I apologize, I just haven't seen 
that report, and I don't know the specifics. It is reflective. 
We have always maintained that, as we're building the breadth 
of capability for the Department in cyber, that the structure 
we have to come up with has to go way beyond just the Active 
piece, here, that the Guard and Reserve have got to a critical 
piece of what we do here, which is why, if you look at what the 
Air Force is doing, six of their 40 or so teams are Guard or 
Reserve. If you look at the Army, for example, they are 
bringing online an additional 22 Cyber Protection Teams from 
the Guard, purely associated with Guard and State missions, not 
necessarily the Cyber Mission Force, because they realize the 
importance of this investment. Marine Corps and Navy, there 
is--their approach, slightly different. Again, they don't have 
a Guard structure. Their approach, slightly different.
    If I could, let me take for action that one and pull the 
strong. Then I apologize, I just don't----
    Senator Ernst. No, I----
    Admiral Rogers.--have a good answer----
    Senator Ernst.--I certainly appreciate----
    Admiral Rogers.--for you there.
    Senator Ernst.--that. One team, one fight. I think there's 
a lot of capabilities that we are simply not utilizing or 
considering when we look at that big picture. I do appreciate 
that a lot.
    [The information referred to follows:]

    Responsibility for a DOD database for all National Guard cyber 
capabilities required by Law is beyond my purview. National Guard 
response capabilities that are domestic only (title 32 or state Active 
Duty status and retained by the governor), report their unit's status 
of forces to the NGB and are tracked directly by Major General James C. 
Witham, Director, Domestic Operations and Force Development, National 
Guard Bureau. The General's staff can be contacted at (703) 607-3643 
for any inquiries as it relates to title 32 authorities.
    The Secretary of Defense has delegated to Commander USCYBERCOM the 
Directive Authority for Cyberspace Operations and the execution of 
title 10 cyber missions. Under my U.S. Code Title 10 authorities and 
responsibilities, I track the status and readiness of 133 Cyber Mission 
Force teams under my command. Of the 133 teams, three are National 
Guard activated under title 10 federal mission support. We use DOD's 
standard Defense Readiness Reporting System (DRRS) to track readiness 
of our offensive and defensive teams.

    Senator Ernst. Are there steps that you think that you can 
take that would tie together better our Reserve component, our 
National Guard component? What kind of efforts can you assist 
with? What we can we assist with?
    Admiral Rogers. I feel comfortable, overall, with the, 
quote, ``Cyber Mission Force.'' Where I think the broader 
challenge for us is, What additional level of investment, as a 
Department and in a State structure, do we think that is 
appropriate, over and above that? That's probably the biggest 
focus area for me, working with General Lengyel, about--What 
should the future be? Then, whatever investments we make in the 
Guard and Reserve, how do we make sure that they are tied in 
and aligned with the broader Department effort? We're working 
this as one team. Because we just can't afford--everybody's out 
there doing their own thing. That's just not going to get us 
where we need to be.
    Senator Ernst. Right. Absolutely. I agree.
    Then, gentlemen, for both of you, please. The Government 
Accountability Office also found that the yearly cyber 
exercise, Cyber Guard, failed to focus on emergency or disaster 
scenarios concurrent to cyber incidents, an area where the 
National Guard would be very helpful. What efforts--and again, 
you may not be tied as much into National Guard, but what 
efforts could you take to improve Cyber Guard for the upcoming 
year----
    Admiral Rogers. So----
    Senator Ernst.--so that we can focus on those----
    Admiral Rogers.--I haven't seen the specifics of the 
reports, but I will tell you that, not having read it, I'm, 
quite frankly, a little bit in disbelief, because I would tell 
you we call it Cyber Guard----
    Senator Ernst. Right.
    Admiral Rogers.--for a reason, because it's focus on, How 
do we exercise, in an annual basis, the integration of the 
Guard, Reserve, and the Active component with industry? I spend 
time at that exercise every year. We just did it in June, down 
in Tidewater. Some members of the committee, in fact, actually 
came down and observed it.
    I'm a little bit perplexed by the basic premise, but I 
haven't--I apologize, I just haven't seen the specifics.
    Senator Ernst. Okay. My time is running out. Again, I think 
that demonstrates where we do need to put a little more 
emphasis on our Reserve-component forces and tie those in to 
our Active Duty component, as well, and really take advantage 
of the talent that exists out there, make sure that we're 
exercising their capabilities.
    Admiral Rogers. Yes, ma'am.
    Senator Ernst. Thank you very much, gentlemen.
    Thank you.
    Senator Reed [presiding]. On behalf of Chairman McCain, let 
me recognize Senator McCaskill.
    Senator McCaskill. Yes. I want to follow up with Senator 
Ernst's comments. I just came from a tour around Missouri, and 
I had the opportunity to see the cyber unit at Jefferson 
Barracks, the Guard cyber unit at Jefferson Barracks in St. 
Louis, and also the Cyber Warriors at the 139th Airlift Wing at 
Rosecrans Air Force Base. Both were remarkable. Both surprised 
me. I was not aware--and I'm not sure, candidly, you're aware--
of all these units and what their capabilities are, and what 
they're doing. What Senator Ernst just said--what was 
remarkable about the Guard unit in St. Louis was who these 
people were in their day jobs. We're talking about the very top 
level of cybersecurity at a Fortune 500 company that has huge 
needs in this area. Huge needs. I mean, this guy knows more, I 
would bet, than a huge number of the people that you are 
commanding within the Active military, in terms of both cyber 
offense and cyber defense.
    I've realized that this is a great opportunity for our 
Guard to recruit some of the most talented and technically 
capable people in the private sector, since the vast majority 
of the networks that we are supporting, in terms of protection 
in this country, are, in fact, private networks.
    I wanted to bring that up with you and ask your opinion 
about that integration, and particularly as it relates to the 
lynchpin with the Department of Homeland Security. Because the 
beauty of the Guard is, it is busy with domestic security as 
part of their mission, because of the TAG and the involvement 
of State governments, whether it's a natural disaster or other 
kinds of problems. It seems to me that utilizing the Guard as 
the lynchpin between the Department of Homeland Security and 
the Department of Defense would make a great deal of sense, 
Admiral Rogers. I would like your comment on that.
    Admiral Rogers. First of all, I agree with the fundamental 
premise that the Guard and the Reserve bring a lot of 
capability. That's one reason why the Cyber Mission Force idea 
is predicated as the idea--it's our ability to bring it all 
together--not just all Active, not just Guard; it's the ability 
to bring it together.
    In terms of who should be the fundamental lynchpin--before 
I get into publicly endorsing a particular strategy or 
solution, this is just one I want to make sure we think our way 
through. Because in--there are challenges if you do it Active-
only. There's challenges if you do it over Guard- or Reserve-
only. I'd also be interested: Hey, what's DHS's perspective in 
this?
    One of the other challenges I've found so far in my time in 
command, we have to work our way through what--and this is 
where the Guard, I think, becomes incredibly critical--what's 
the difference between--we're using DOD capability to work 
Federal large critical infrastructure versus what is the 
capability DOD--by extension, the Guard--can bring to the fore 
at a much more localized State and local level? That's an area 
that, clearly, the Guard is very optimized for, that the Active 
piece is not as readily optimized for.
    Senator McCaskill. I'm sure one of our problems in this 
space is retaining Active personnel, because if they become 
very skilled in this area, the--there's lots of lucrative 
opportunities in the private sector. Has there been any thought 
given to an Active recruitment of these folks into the Guard as 
they move into the private sector for a lot more money and 
people not being able to tell them where they're going to live 
24/7? Is it possible that we are losing an opportunity, in 
terms of retaining some of the talent that we have, by not 
directly recruiting them into the Guard?
    Admiral Rogers. Knock on wood, retention on the Active side 
is exceeding our expectations. That doesn't mean it won't 
change tomorrow or next week or next month.
    I will say, since the Guard is an Air Force and an Army-
specific construct, I know both of those services, in my 
discussion with my subordinate commanders from them, talk 
about, how do we make sure, as we're watching the workforce 
transition out of the Active--separate, retire--is there a way 
to tie in the Guard piece? Senator Cruz mentioned San Antonio, 
for example. I've seen several instances in the San Antonio 
area, because they're such a large concentration, where this is 
working very well. I'm not sure how well it's working in those 
areas where we don't have this large Guard and Active----
    Senator McCaskill. Right.
    Admiral Rogers.--complement of force, if it will. I just 
don't know, off the top of my head.
    Senator McCaskill. This idea has been discussed openly, and 
I know there is a lot of controversy around it and a lot of 
pros and cons, but one of these really talented cyber warriors 
at the Guard unit that I visited with, I was told that one of 
them almost was removed because of sit-ups. What about the PT 
requirement? What value is there to forming an elite cyber 
squad that is civilian, as opposed to, you know, losing a 
really talented guy because of sit-ups?
    Admiral Rogers. My first comment would be, remember, the 
Law of Armed Conflict specifically prescribes what civilians 
and uniforms can do in some particular applications. I 
generally remind people, a lot of it would have to do with, 
what would the mission be that you gave that entity? Because 
there are some things in the Law of Armed Conflict that 
physically could not do. Uniforms have to do it, as opposed 
to----
    Senator McCaskill. Right.
    Admiral Rogers.--application of force and capability.
    To date, are there numbers where that is an issue? Clearly. 
I'm not going to pretend, for one minute. We have been able to 
retain people and still meet the requirements associated with 
the broader military without decreasing capability. If that 
changes over time, though--it's one of the things I have talked 
about--we need to be mindful that if circumstances change, we 
need to look about changing the rules that we currently 
operate. If the situation were to change, those would be one of 
the things I would say, ``Do we need to look at a different 
force balance or mix? Do we''----
    Senator McCaskill. Right.
    Admiral Rogers.--``need to look at a different set of 
standards or requirements associated with individuals?'' I 
don't think we're at that point now, but if the situation were 
to change, I think we would definitely need to do that.
    Senator McCaskill. I would certainly urge that 
flexibility----
    Admiral Rogers. Yes, ma'am.
    Senator McCaskill.--because I think this is going to be a 
growing part of our national security----
    Admiral Rogers. Right.
    Senator McCaskill.--piece.
    Admiral Rogers. Thank you.
    Senator Reed. On behalf of the Chairman, let me recognize 
Senator King.
    Senator King. Thank you, Mr. Chairman.
    It seems to me the good news is that we're the most wired 
society on Earth. It gives us fantastic efficiencies and 
productivity and advantages, in many ways. The bad news is, 
we're the most wired society on Earth, which means we are the 
most vulnerable.
    Admiral Rogers, you're familiar, I'm sure, with the Ukraine 
hack of the grid in December 2015. One of the things we learned 
from that is that there--that hack was much less serious than 
it might have been, because of some retro technology----
    Admiral Rogers. The antiquated----
    Senator King.--analog switches, old Demetri, who had to go 
out and throw a switch somewhere at a relay. Do we have some 
lessons from that, that we ought to be thinking? Thinking about 
elections, it's hard to hack a paper ballot.
    Admiral Rogers. Sir.
    Senator King. Those kinds of things. Is that--should we be 
examining that area?
    Admiral Rogers. I mean, we certainly are. I mean, one of 
the lessons, I think, from the Ukraine, for example, is, not 
only the analog, the physical piece, but also the way that 
their grid was broken down into components.
    Senator King. Right.
    Admiral Rogers. It's leading to some things. For example, 
as a naval officer, we're teaching celestial navigation again--
--
    Senator King. I was going to bring that up.
    Admiral Rogers.--at the Naval Academy.
    Senator King. I understand it's the first time in 20 years 
that----
    Admiral Rogers. Right, which we had stopped doing, because 
we said to ourselves, ``Well, we have automated chart processes 
now. Why would we need to use celestial bodies to--for 
navigation to define out''----
    Senator King. Because you can't hack a sextant.
    Admiral Rogers. Yes, sir. We acknowledge that there are 
things that we are going to need to look back, in this current 
world we're living in, and say to ourselves, ``Perhaps some of 
the assumptions that we've made are not going to prove to be 
accurate.'' We've got to ask ourselves, ``What are the second- 
and third-order implications? What have we got to train 
differently? What skills do we need to have that we perhaps''--
--
    Senator King. We also need to----
    Admiral Rogers.--``for the last 20 years have said we don't 
need?''
    Senator King. As you--as I think you've said, we need to 
question the basic assumption that digital is----
    Admiral Rogers. Yes, sir.
    Senator King.--always better.
    Admiral Rogers. Yes, sir.
    Senator King. Senator Risch and I have a bill in before the 
Energy and Natural Resources Committee to ask the National Labs 
to work with the utilities to look at the Ukraine situation and 
see if there are places--not to de-digitize the----
    Admiral Rogers. Sir.
    Senator King.--grid, but places where there could be analog 
switches or other devices put in to deal with just----
    Admiral Rogers. Right.
    Senator King.--just this issue.
    Let me turn to encryption for a minute. While this hearing 
was going on--and I don't want to sound like this was a big 
production--in about, literally, a minute and a half, I 
downloaded Telegram. Telegram is an app, as you know, that's 
encrypted. I thought it was interesting. I looked at what it--
how it works. It's fully encrypted. It's in English, Arabic, 
Dutch, German, Italian, Korean, Portuguese, and Spanish. It's--
was started by two brothers from Russia. It's based in Berlin. 
I mean, this is the reality, isn't it, Mr. Lettre, that we're--
we can't stop this. The idea of somehow being able to control 
encryption is just not realistic.
    Mr. Lettre. We can't stop these trends, you're right, 
Senator. Individuals--all of us benefit from strong encryption. 
The Department of Defense does. I personally am in favor of 
having strong encryption that allows me to protect my personal 
data. The challenge is--and yet, we need to find our--think our 
way through how we can continue to fulfill our responsibilities 
to enforce the laws and protect the Nation. I think what we do 
find is, there are a number of instances where government 
leaders have been able to strike a very collaborative and 
cooperative dialogue with key sectors in the text sector. 
Individual players and executives have been able to focus on 
finding----
    Senator King. That----
    Mr. Lettre.--solutions.
    Senator King.--that worked pretty well in the '20s, when 
you were talking about the telephone system, which was only 
within the country. You can--we can deal with Apple or with 
Microsoft or with Cisco or whoever, but if you've got a cloud-
based app that's--the headquarters is in Berlin, and who knows 
where the data is--I mean, we--as hard it is for us to believe, 
there are places our power doesn't reach. We can't regulate 
something that's over in Berlin or Swaziland.
    Mr. Lettre. That's a very good point. There will always be 
places across these sectors and these technology solutions that 
we just--we may not be able to find a way forward. They may 
be--the solution may be elusive.
    Senator King. Well, I'd like----
    Mr. Lettre. It does require us to think innovatively--
Senator King. Well----
    Mr. Lettre.--even beyond encryption, about how we can 
continue to go after national security challenges.
    Senator King. That was--you know, the word ``innovation''--
I mean, this is a--this is the world history of conflict, is 
invention, reinvention, reinvention, reinvention.
    I also want to associate myself with Senator Lee's 
questions. We also need to get back to old-fashioned human 
intelligence. I think it's--SIGINT [Signals Intelligence] was 
easy, in a sense, if you can pick up conversations. Now that 
that's no longer as easy as it once was, we need to be thinking 
about, what are the other techniques that we can use? They--and 
it may be old-fashioned intelligence. It may also be other 
high-tech satellite or other things. It--it's--we can't--I 
think innovation is going to be an absolute key to this.
    Mr. Lettre. Yes. That's absolutely right, Senator. The--in 
particular, as you pointed out, we do need to build innovation 
across a range of intelligence disciplines and collection 
capabilities. Even in the human intelligence arena, we know how 
effective it can be. We also know that technology trends are 
changing how we do HUMINT [Human Intelligence]. We need to be 
able to adapt and invest in innovation, in how we conduct our 
human intelligence operations, as well.
    Senator King. My time is up, but I would suggest big data 
analysis is one of those tools.
    Mr. Lettre. Absolutely.
    Senator King. Thank you.
    Thank you, Mr. Chairman.
    Senator Reed. Thank you, Senator King.
    On behalf of the Chairman, let me thank you gentlemen for 
your testimony today and your service.
    Since there are no other colleagues here, I would call the 
hearing adjourned.
    Thank you.
    [Whereupon, at 11:20 a.m., the hearing was adjourned.]
    [Questions for the record with answers supplied follow:]

             Questions Submitted by Senator Roger F. Wicker
                                  zte
    Senator Wicker. The Commerce Department announced on March 8 that 
it had added ZTE to its entity list for setting up shell companies in 
order to ship equipment that contained U.S. parts to Iran. However, 
Commerce later softened the sanctions against ZTE and allowed U.S. 
companies to temporarily ship goods to ZTE, and has extended this 
temporary license several times, most recently through November 28.
    In addition to having a history of evading U.S. sanctions, ZTE, and 
other Chinese telecommunications firms like Huawei and Lenovo present a 
potential cyber security risk to U.S. national security. There have 
been numerous instances where the U.S. Government, through the CFIUS 
process, has canceled mergers between American companies and these 
Chinese telecommunication firms. Additionally, there have been many 
statements and reports on the risks these companies present, ranging 
from the 2012 House Permanent Select Committee on Intelligence report 
on ``U.S. National Security Issues Posed by Chinese Telecommunications 
Companies Huawei and ZTE'' to comments by former CIA Director and NSA 
Director General Michael Hayden who stated that Huawei had ``shared 
with the Chinese state intimate and extensive knowledge of foreign 
telecommunications systems it is involved with.''
    ZTE and Huawei obviously present a national security risk.

    1. Do you think that the Defense Department should be using 
technology that includes component parts or software from Huawei, ZTE, 
or other Chinese telecommunication companies?

    Mr. Lettre. Decisions to use technology from Huawei, ZTE, or other 
Chinese telecommunication companies must be made on case-by-case basis 
using a risk-based methodology. DOD does not ``blacklist'' suppliers or 
individual products, except as directed by law (e.g., munitions list 
items, countries promoting terrorism). DOD does, however, create 
Approved Product or Supplier Lists (Whitelists) of products or 
organizations that have been assessed for use in certain applications. 
There are currently no Huawei or ZTE products on the DOD Unified 
Capabilities Approved Products List (APL). The fact that a product does 
not appear on an APL does not mean contractors cannot offer bids or 
that the government can still select outside the APL. It's the policy 
of the DOD to solicit from a broad number of potential offerors and 
award contracts based on full and open competition to the maximum 
extent possible.
    Short of suspension and debarment, federal contractors and vendors 
are not precluded from competing on DOD contracts.
    It is important to note that the Department has several mechanisms 
in place to help ensure the security of products or services delivered 
to us and the systems used to store or process sensitive DOD 
information. For DOD national security systems, there are program 
protection planning (DOD Instruction (DODI) 5000.02) and supply chain 
risk management (SCRM; DODI 5200.44) policies and processes which 
require programs to identify critical components and request threat 
reports on them from the Defense Intelligence Agency's SCRM Threat 
Analysis Center. DOD mitigates identified risk where possible, but also 
has authorities granted by section 806 of the NDAA for FY 2011, as 
amended by section 806 of the NDAA for FY 2013, which enables DOD 
components to exclude a source that fails to meet established 
qualifications standards or fails to receive an acceptable rating for 
an evaluation factor regarding supply chain risk for information 
technology acquisitions, and to withhold consent for a contractor to 
subcontract with a particular source or to direct a contractor to 
exclude a particular source. \1\
---------------------------------------------------------------------------
    \1\ NSA avoids the use of products from vendors with a 
disqualifying Foreign Ownership, Control or Influence (FOCI), in 
accordance with its security and Information Awareness policies. The 
Agency makes decisions regarding acquisitions from FOCI vendors and 
acceptance of their goods and services on a case-by-case basis. In 
particular, the Agency requires vendors and potential vendors to 
disclose FOCI, and evaluates these disclosures in its acquisition 
decisions. The Agency may require vendors to produce an appropriate 
mitigation plan or substitution of products for items produced or 
services performed outside the United States or its territories.
---------------------------------------------------------------------------
    Admiral Rogers. As this question concerns a Department of Defense-
wide position on technology acquisitions and use, it exceeds the scope 
of my direct responsibility, but from my unique understanding and 
knowledge on the issues at stake, I join in the response submitted by 
Mr. Lettre, USDI, to this same question.

    2. Senator Wicker. Are there any parts, components, software, 
products, or other related items from any Chinese firm, including 
Huawei, ZTE, or Lenovo, present in the Defense Department unclassified 
and classified information technology (IT) network, telecommunications 
network, and related infrastructure? (For the purposes of this 
question, the IT network, telecommunications network, and related 
infrastructure includes, but is not limited to, fiber optic cables, 
computer chips, software, personal computers, office desktop computers, 
servers, routers, telecommunications equipment, and networking 
equipment, at any State Department location in the United States or 
around the world.)
    Mr. Lettre. Yes, there are parts/components/software/products from 
Chinese firms in DOD's unclassified and classified networks, 
telecommunications, networks and related infrastructure. Most products 
used by the USG, including DOD, have component parts manufactured in 
China. In addition, DOD systems and networks sometimes use products 
from Chinese firms. Decisions for inclusion of components from Chinese 
firms or with nexus with China (such as manufacturing or test) are made 
on a case-by-case basis based on an assessment of risk specific to the 
system.
    The Department leverages several mechanisms to enable it to manage 
supply chain and cybersecurity risks to its systems and networks, while 
cost effectively leveraging globally sourced technologies.
    First, the Department requires Program Protection Plans (PPPs) to 
address the full spectrum of security risks for the critical components 
contained in our national security systems, including supply chain 
vulnerabilities, and to implement mitigations to manage risk to system 
functionality. Within program protection planning, DOD performs 
criticality analysis to identify critical components for added 
protections. Such components are subjected to all source intelligence 
evaluation and, where risks are identified, vulnerability analysis.
    There are additional statutory authorities available to the 
Department to limit or exclude vendors in specific circumstances. For 
example, section 1211 of the National Defense Authorization Act (NDAA) 
for Fiscal Year (FY) 2006, as amended by section 1243 of the NDAA for 
FY 2012, and as implemented at DFARS section 225.77, prohibits the 
Secretary of Defense from acquiring supplies or services that are on 
the United States Munitions List through a contract, or subcontract at 
any tier, from any Communist Chinese military company. In addition, 
section 806 of the NDAA for FY 2011, as amended by section 806 of the 
NDAA for FY 2013, has been implemented at DFARS Subpart 239.73, 
``Requirements for Information Relating to Supply Chain Risk.'' The 
clause enables DOD components to exclude a source that fails to meet 
established qualifications standards or fails to receive an acceptable 
rating for an evaluation factor regarding supply chain risk for 
information technology acquisitions, and to withhold consent for a 
contractor to subcontract with a particular source or to direct a 
contractor to exclude a particular source.
    Admiral Rogers. As this question concerns a Department of Defense-
wide position on technology acquisitions and use, it exceeds the scope 
of my direct responsibility, but from my unique understanding and 
knowledge on the issues at stake, I join in the response submitted by 
Mr. Lettre, USDI, to this same question.
                                 china
    Senator Wicker. In his testimony before the Senate Armed Services 
Committee on February 9, 2016, Director of National Intelligence James 
Clapper labeled China a ``Leading Threat Actor'' in regards to cyber 
threats. Specifically, the he stated in his written testimony: ``China 
continues to have success in cyber espionage against the U.S. 
Government, our allies, and U.S. companies. Beijing also selectively 
uses cyberattacks against targets it believes threaten Chinese domestic 
stability or regime legitimacy. We will monitor compliance with China's 
September 2015 commitment to refrain from conducting or knowingly 
supporting cyber-enabled theft of intellectual property with the intent 
of providing competitive advantage to companies or commercial sectors. 
Private-sector security experts have identified limited ongoing cyber 
activity from China but have not verified state sponsorship or the use 
of exfiltrated data for commercial gain.''

    3. Senator Wicker. Do you agree with his assessment that China is a 
``Leading Threat Actor'' and that China ``continues to have success in 
cyber espionage against the U.S. Government, our allies, and U.S. 
companies''?
    Mr. Lettre. Yes.
    Admiral Rogers. Yes.
                               __________
              Questions Submitted by Senator Kelly Ayotte
            protecting iran's nuclear program from sabotage
    Senator Ayotte. As I mentioned in your April hearing, according to 
paragraph 10.2 of Annex III of the Joint Comprehensive Plan of Action 
(JCPOA), or `Iran Deal', the U.S. must cooperate with Tehran ``through 
training and workshops to strengthen Iran's ability to protect against 
. . . sabotage'' of its nuclear program. I asked you, from a cyber 
perspective, has the U.S. helped Tehran strengthen its ability to 
protect against sabotage of its nuclear program. You said that U.S. 
Cyber Command has not participated in any such efforts.

    4. Is this still accurate?
    Admiral Rogers. Yes.

    5. Senator Ayotte. Are you aware of ANY U.S. government activities 
helping Iran protect its nuclear program against sabotage?
    Admiral Rogers. No.
                                ectr fix
    Senator Ayotte. I understand that there is an important division 
between the FBI's domestic law enforcement and your mission.

    6. However, based on your experience, are you familiar with the 
Electronic Communications Transaction Records, or ``ECTR fix'' that the 
FBI has identified as a top priority in terrorism investigations?
    Admiral Rogers. I do not have sufficient knowledge about the ``ECTR 
fix'' to comment on it.

    7. Senator Ayotte. Would you agree that ensuring that law 
enforcement has the tools they need to prevent future attacks is 
extremely important?
    Admiral Rogers. I agree with the general proposition of the 
question that it is important that law enforcement have access to 
necessary tools. However, speaking from my roles as the Commander of 
U.S. Cyber Command and Director of NSA, there are many factors that we 
take into consideration when evaluating whether to pursue the use of a 
specific tool, chief among them that it is consistent with law and 
policy.

    8. Senator Ayotte. Do you agree that providing law enforcement with 
the authority to appropriately obtain basic information--excluding 
content--is extremely valuable in helping to piece together actionable 
intelligence that can help stop an attack?
    Admiral Rogers. I agree with the general proposition of the 
question that non-content data could be of great use to law enforcement 
in any given investigation. Speaking from my roles as the Commander of 
U.S. Cyber Command and Director of NSA, this type of information is 
certainly of value.

    9. Senator Ayotte. Based on your experience, do you agree with FBI 
Director Comey's assessment that the ECTR fix ``would be enormously 
helpful?''
    Admiral Rogers. As I noted earlier, I do not have sufficient 
knowledge about the ``ECTR fix'' to comment on it.
                                 china
    Senator Ayotte. The U.S and China entered into a Cyber theft 
agreement in September 2015. China pledged that their government would 
refrain from computer--related theft of intellectual property for 
commercial gain.

    10. Senator Ayotte. Has China honored that commitment? If not, what 
have we done about their failure to honor their commitment?
    Admiral Rogers. [Deleted.]

    11. Senator Ayotte. If not, what is your assessment of Chinese 
cyber activity since then? What have they been doing? Are these 
activities directly or indirectly conducted or supported by the Chinese 
government?
    Admiral Rogers. See answer to question ten.

    12. Senator Ayotte. Does China continue to target and exploit U.S. 
government, defense industry, and academic networks?
    Admiral Rogers. Yes.

    13. Senator Ayotte. How confident are we that these intrusions, 
thefts, and attacks from China are coming from government or 
government-supported sources (as opposed to private Chinese actors not 
acting in cooperation with the government)?
    Admiral Rogers. [Deleted.]
                        iran's cyber activities
    14. Senator Ayotte. Can you describe Tehran's current cyber 
capabilities and activities? How have Iran's cyber activities and 
capabilities changed since the adoption of the Iran Deal?
    Admiral Rogers. [Deleted.]
                     north korea's cyber activities
    15. Senator Ayotte. Can you describe North Korea's cyber 
capabilities and activities? How does North Korea use these 
capabilities and activities in furtherance of its nuclear and ballistic 
missile programs?
    Admiral Rogers. [Deleted.]
                          identity management
    16. Senator Ayotte. How is DOD improving identity management and 
data access? What is your view of enhancing identity management and 
data access by incorporating improvements to authentication, 
accountability, privacy, and deployability?
    Secretary Lettre. The Department of Defense (DOD) is taking 
aggressive action to improve identity management and data access 
capabilities. These capabilities, which are critical to military 
operations and defense activities, are foundational components of DOD's 
Information Assurance Program and enable secure information sharing 
within DOD and with mission partners. DOD is also working to address 
privacy concerns and to ensure protection of civil liberties as it 
implements stronger authentication and authorization on sites accessed 
by consumers, retirees, family members, businesses, and home users.
    Improving authentication and authorization policy, processes, 
capabilities, and adoption reduces overhead and costly information 
sharing friction, and improves accountability and access to data 
resources. To that end, DOD has identified that mission partner 
interoperability is only possible if we coordinate our identity 
policies and standards around industry norms. DOD supports the Office 
of Management and Budget's (OMB) Identity, Credentialing, and Access 
Management for standardization across the federal government--including 
the Intelligence Community--and resulting National Institutes of 
Standards and Technology (NIST) draft special publication on Digital 
Authentication Guidelines. DOD is leveraging this same standardization 
effort in its dialogue with Allies and industry partners, oriented on 
the same goals.
    DOD is also working with OMB and General Service Administration 
(GSA) to improve trust, security, and privacy support on commercial 
devices and browsers off the shelf. By making changes to the Federal 
and DOD Public Key Infrastructure (PKI) that supports our websites, we 
intend to eliminate trust errors that have been a frustration for users 
outside of DOD networks.
    DOD is also undertaking a two-year effort to diminish our reliance 
on the Common Access Card (CAC) as the only acceptable way to 
authenticate on many DOD IT systems. Broadening DOD authentication 
support has two main objectives. First, to improve interoperability 
with mission partners--many of whom have not chosen to implement smart 
card authentication; and second, to support strong authentication on 
emerging devices like smartphones and tablets that the CAC has simply 
not been able to support.
    As part of this effort, DOD is working with OMB to converge around 
standards for ``derived credentials'' that can be supported securely by 
current and future commercial smart phones and tablets. Supporting the 
Personal Identity Verification (PIV) standard capability (``CAC'' for 
DOD) by implementing a virtual card on DOD's half-million mobility 
devices will significantly improve information sharing capability for 
our forces on the move. Supporting mobility with high-assurance 
authentication will significantly enhance deployable access and lower 
the risk of making more mission data available at the point of need.
    DOD Acquisition Programs are working to leverage existing and 
emerging strong authentication capabilities for implementation on 
deployable systems, and researching alternatives that support specific 
operational environments or device form factors. The SECDEF's top 
priority within the Cybersecurity Discipline Implementation Plan is 
implementation of strong authentication and elimination of 
authentication solely by username-password. Within that effort, the 
early focus is on mission systems and applications where compromised 
credentials would pose the most risk--including users with powerful 
administrator-level privileges across our networks.
    DOD is also leveraging the SECDEF's Defense Innovation Unit 
Experimental to identify innovations in industry that we can quickly 
adopt to close additional gaps in our authentication capabilities. 
We're working to identify fair, open, and transparent means to identify 
industry innovation in the authentication area.
    Stronger authentication and rules-based authentication is critical 
to advancing privacy protections across the DOD--particularly in 
response to the Office of Personnel Management (OPM) breach last year. 
DOD is working to leverage our most advanced access control 
technologies to protect this data and other sensitive datasets--
especially large stores of Personally Identifiable Information (PII). 
By shifting from legacy account management to enterprise identity and 
access control capabilities, we can reduce the exposure of PII on local 
systems to support administration of user access. DOD is also working 
to improve monitoring and audit for users that have access to sensitive 
data to identify abuse by authorized personnel, and to identify 
credentials that have been compromised.
    Consistent with the Cyber National Action Plan, DOD intends to 
implement multi-factor authentication and forced session encryption for 
consumers that access personal information on DOD websites. We're 
working with OMB and GSA to identify how DOD can leverage capabilities 
across the federal government to meet those requirements, understanding 
that consumers using DOD systems will invariably require strong 
authentication access to other federal resources.
                          chief data scientist
    17. Senator Ayotte. In 2015 the White House named the first-ever 
``Chief Data Scientist.'' What is your view of creating a Chief Data 
Scientist position within the DOD?
    Mr. Lettre. DOD does not currently have a Chief Data Scientist 
position. However, depending on future DOD requirements, the creation 
of a DOD Chief Data Scientist position may be considered.
                               __________
                Questions Submitted by Senator Mike Lee
    Senator Lee. Some officials believe that commercial companies 
should build into their products ``back-door'' systems or other similar 
mechanisms that enable the government to access encrypted information 
on personal communication devices when doing so is deemed necessary for 
protecting the nation's security. However, building such openings into 
products like smart phones will leave them vulnerable to the types of 
cyber-security threats that we are also seeking to prevent. Writing in 
the Washington Post in July 2015, former NSA Director Mike McConnell 
and former DHS Secretary Michael Chertoff stated [QUOTE] ``If the 
United States is to maintain its global role and influence, protecting 
business interest from massive economic espionage is essential.''

    18. What sort of economic and security risks could companies face 
if they are compelled to build ``back-doors'' or other vulnerabilities 
in their products and systems?
    Admiral Rogers. There are any number of legitimate considerations 
in the debate over encryption, to include economic and security risks 
to our private sector. However, there are companies that for business 
purposes currently provide for their own access to encrypted data sent 
by users of their products and they are presumably doing so with those 
economic and security considerations in mind. As such, it does not 
necessarily follow that lawful access by one entity implies unlawful 
access for an unauthorized entity. Thus, consideration for whether to 
ensure a product allows for lawful access needs to balance the 
government's duty to ensure public safety and conduct foreign affairs 
with any increased risks to the security of the device. I believe the 
debate over encryption should take into account these and all other 
legitimate considerations--including the importance of this data to law 
enforcement and national security matters--and that this issue can only 
be solved by cooperation between the government and the private sector.

    19. Senator Lee. Since you are tasked both with protecting 
vulnerable systems and enabling our military and intelligence forces to 
detect threats, how do you reconcile the tension between these two 
missions?
    Admiral Rogers. These missions are inherently complementary and 
mutually supportive.

    20. Senator Lee. Requiring U.S. companies to provide access to 
government agencies would not prevent foreign app developers from 
creating encryption software for jailbreak phones. Wouldn't the logical 
response for anyone seeking to threaten the United States be to use a 
foreign encrypted app; thus harming U.S. companies and not giving us 
any discernable security edge?
    Admiral Rogers. I do not think there exists a simple direct 
correlation as suggested in the question. There are any number of 
considerations that go into an individual's decision to use a 
particular information technology product, service or application. 
While security is likely one such consideration for many individuals, 
it is also not likely the only one and, when considering security, the 
alternative to lawful access by the U.S. government under narrow 
circumstances may be more appealing than a foreign product subject to 
potentially unchecked foreign government access.

    21. Senator Lee. The FBI was able to access the phone of San 
Bernardino shooter Syed Farook without the cooperation of the company 
that created his phone. Secretary Lettre, while I am sure that the 
specifics of how the FBI accomplished that cannot be fully discussed in 
an open setting, can you confirm whether similar capabilities are 
available to the Department of Defense or Intelligence agencies that do 
not require commercial companies to engage in practices they see as 
unethical or dangerous to themselves and their customers?
    Mr. Lettre. I cannot answer this question in an open session.
                               __________
               Questions Submitted by Senator Mike Rounds
    Senator Rounds. During the Sep. 13, 2016 SASC hearing, you stated 
the following in response to the question, ``Do we have a plan in place 
today to respond to an attack on critical civilian infrastructure?'' 
Response--``I believe we do have a plan in place, Senator.''

    22. Would you please provide the plan you referred to in your 
response? Specifically, I seek a plan prescribing the department's 
response to an attack on critical civilian infrastructure, not a 
process-related policy, e.g. PPD-41. If the plan is classified, please 
so state. Additionally, if the plan's dissemination is restricted, 
please so state to include the level of classification and access 
categories, e.g. TS SCI, SAP etc.
    Mr. Lettre. Overall, the Department of Defense's primary concern is 
defending the United States and its interests, against cyber attacks of 
significant consequence. DOD's approach to defending the Nation from a 
significant cyber incident is the same as its approach to defending the 
Nation in any other domain. \2\ Options to directly respond to an 
adversary cyberattack are not necessarily limited to cyberspace, and 
DOD considers the full range of military options when providing options 
to the President.
---------------------------------------------------------------------------
    \2\ The recently released Presidential Policy Directive on United 
States Cyber Incident Coordination (PPD-41) codifies the policy that 
governs the Federal government's response to cyber incidents. PPD-41 
defines a ``significant cyber incident'' as a cyber incident that is 
(or group of related cyber incidents that together are) likely to 
result in demonstrable harm to the national security interests, foreign 
relations, or economy of the United States or to the public confidence, 
civil liberties, or public health and safety of the American people.
---------------------------------------------------------------------------
    For domestic cyber incident response, DOD follows the structure put 
in place under PPD-41 by supporting the incident response activities of 
the Department of Homeland Security and the Department of Justice, just 
as we are able to provide support to civil authorities in other 
domains. As directed by PPD-41, DHS is in the process of finalizing an 
update to the National Cyber Incident Response Plan (NCIRP). \3\ Just 
as DOD aligns its physical emergency plans with the National Response 
Framework, it's cyber response plans will align with the framework 
established under the NCIRP.
---------------------------------------------------------------------------
    \3\ The recently released Presidential Policy Directive on United 
States Cyber Incident Coordination (PPD-41) codifies the policy that 
governs the Federal government's response to cyber incidents. PPD-41 
directs the Secretary of Homeland Security, in coordination with the 
Attorney General, the Secretary of Defense, and the Sector-Specific 
Agencies, to submit a National Cyber Incident Response Plan (NCIRP) to 
the President. Consistent with PPD-41 and the Homeland Security Act of 
2002, as amended, the Department of Homeland Security (DHS) is 
currently coordinating an update to the Interim NCIRP from 2010. DHS 
has worked closely with both public and private sector stakeholders 
over the summer to ensure wide participation and input into the 
development process of the new NCIRP. Hence, they would be in the best 
position to discuss the plan for responding to an attack on critical 
civilian infrastructure. The draft plan was recently released for 
public comment and can be found online at: https://www.us-cert.gov/
ncirp.
---------------------------------------------------------------------------
    Not only does DOD plan for these activities, we also exercise them. 
DOD's Cyber Guard exercise program brings together partners from across 
government, industry, and the international community to test 
operational and interagency coordination, as well as tactical-level 
operations to protect, prevent, mitigate, and recover from a domestic 
cyberspace incident.
    That said, while we plan for a variety of response options, there 
is no prescribed response plan. Each cyber incident must be assessed on 
a case-by-case basis to ensure the response is appropriate and 
communicates the desired message to the adversary.
                               __________
           Questions Submitted by Senator Richard Blumenthal
                        critical infrastructure
    23. Senator Blumenthal. What are we doing to protect our critical 
systems--like the electric grid and transportation networks--from 
cyberattacks?
    Mr. Lettre. Consistent with the Presidential Policy Directive on 
National Preparedness (PPD-8), PPD-21 on Critical Infrastructure 
Security and Resilience, and Executive Order 13636 on Improving 
Critical Infrastructure Cybersecurity, it is the policy of the United 
States to strengthen the security and resilience of its critical 
infrastructure against both physical and cyber threats. This endeavor 
is a shared responsibility among the Federal, state, local, tribal, and 
territorial entities, and public and private owners and operators of 
the critical infrastructure. The Department of Homeland Security 
provides strategic guidance to a national unity of effort.
    Therefore, it is my understanding that the primary effort is to 
strengthen the security and resilience of our critical systems for the 
continuity of national essential functions and to organize itself to 
partner effectively with, and add value to, the security and resilience 
efforts of critical infrastructure owners and operators. For additional 
detail, I will defer to DHS.
    Admiral Rogers. [Deleted.]
                           cyber acts of war
    24. Senator Blumenthal. Has the Department of Defense identified 
what constitutes an act of war in the cyber realm?
    Mr. Lettre. The determination of what constitutes an ``act of war'' 
in or out of cyberspace, would be made on a case-by-case and fact 
specific basis by the President. There would likely be an accompanying 
assessment of seriousness of a particular cyber activity and potential 
response options that would be legally available.
    Specifically, cyber attacks that proximately result in a 
significant loss of life, injury, destruction of critical 
infrastructure, or serious economic impact should be closely assessed 
as to whether or not they would be considered an unlawful attack or an 
``act of war.'' Similarly, the USG would assess malicious cyber 
activities that threaten our ability to respond as a military, threaten 
national security, or threaten national economic collapse . . . hence 
the context for these events is important, and cyber activities should 
not be viewed in isolation.
    Another question the Department is often asked is when does a cyber 
attack trigger an act of war? Each of those would be discussed in turn, 
depending on the type of attack or malicious cyber activity and what 
were the consequences. As of this point, we have not assessed that any 
particular cyber activity on us has constituted an act of war.
    Admiral Rogers. We concur with the comments submitted by Mr. 
Lettre, USDI.

    25. Senator Blumenthal. What types of actions would the Department 
of Defense consider to be acts of war in the cyber realm?
    Secretary Lettre. Actions that threaten our ability to respond as a 
military, threaten national security, or threaten national economic 
collapse. Each of these would be discussed in turn, depending on the 
type of attack or malicious cyber activity and what were the 
consequences. (See Question 24 for more detail)
    Admiral Rogers. We concur with the comments submitted by Mr. 
Lettre, USDI.

                                 [all]