[Senate Hearing 114-750]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 114-750
                  
                  INTERNATIONAL CYBERSECURITY STRATEGY:
                 DETERRING FOREIGN THREATS AND BUILDING
                           GLOBAL CYBER NORMS

=======================================================================

                                HEARING
                               
                               BEFORE THE

                     SUBCOMMITTEE ON EAST ASIA, THE
                       PACIFIC, AND INTERNATIONAL
                         CYBER SECURITY POLICY
                                
                                OF THE
                     COMMITTEE ON FOREIGN RELATIONS
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             .MAY 25, 2016

                               __________


       Printed for the use of the Committee on Foreign Relations
       
 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]       
       

                   Available via the World Wide Web:
                         http://www.govinfo.gov

                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
28-853 PDF                  WASHINGTON : 2018                     
          
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected]. 
            


                COMMITTEE ON FOREIGN RELATIONS         

                BOB CORKER, Tennessee, Chairman        
JAMES E. RISCH, Idaho                BENJAMIN L. CARDIN, Maryland
MARCO RUBIO, Florida                 BARBARA BOXER, California
RON JOHNSON, Wisconsin               ROBERT MENENDEZ, New Jersey
JEFF FLAKE, Arizona                  JEANNE SHAHEEN, New Hampshire
CORY GARDNER, Colorado               CHRISTOPHER A. COONS, Delaware
DAVID PERDUE, Georgia                TOM UDALL, New Mexico
JOHNNY ISAKSON, Georgia              CHRISTOPHER MURPHY, Connecticut
RAND PAUL, Kentucky                  TIM KAINE, Virginia
JOHN BARRASSO, Wyoming               EDWARD J. MARKEY, Massachusetts


                  Todd Womack, Staff Director        
            Jessica Lewis, Democratic Staff Director        
                    John Dutton, Chief Clerk        


            SUBCOMMITTEE ON EAST ASIA, THE PACIFIC,        
             AND INTERNATIONAL CYBERSECURITY POLICY        

                CORY GARDNER, Colorado, Chairman        
MARCO RUBIO, Florida                 BENJAMIN L. CARDIN, Maryland
RON JOHNSON, Wisconsin               BARBARA BOXER, California
JOHNNY ISAKSON, Georgia              CHRISTOPHER A. COONS, Delaware
JEFF FLAKE, Arizona                  TOM UDALL, New Mexico


                              (ii)        
                              
                           C O N T E N T S

                              ----------                              
                                                                   Page

Corker, Hon. Bob, U.S. Senator From Tennessee....................     1

Cardin, Hon. Benjamin L., U.S. Senator From Maryland.............     2

Painter, Christopher, Coordinator for Cyber Issues, U.S. 
  Department of State, Washington, DC............................     4
    Prepared statement...........................................     6


                             (iii)        
 
    INTERNATIONAL CYBERSECURITY STRATEGY: DETERRING FOREIGN THREATS AND 
                      BUILDING GLOBAL CYBER NORMS

                              ----------                              


                        WEDNESDAY, MAY 25, 2016

                               U.S. Senate,
       Subcommittee on East Asia, The Pacific, and 
                 International Cybersecurity Policy
                            Committee on Foreign Relations,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:05 a.m. in 
Room SD-419, Dirksen Senate Office Building, Hon. Cory Gardner, 
chairman of the subcommittee, presiding.
    Present: Senators Gardner [presiding] and Cardin.

            OPENING STATEMENT OF HON. CORY GARDNER, 
                   U.S. SENATOR FROM COLORADO

    Senator Gardner. This hearing will come to order.
    Let me welcome you all to the sixth hearing for the Senate 
Foreign Relations Subcommittee on East Asia, Pacific, and 
International Cybersecurity Policy in the 114th Congress and 
our first hearing in 2016.
    I want to thank Ranking Member Cardin who, of course, also 
serves as the ranking member of the full committee, for his 
cooperation as we continue our important work together to 
address the important issues within this subcommittee's 
jurisdiction.
    Today's hearing will be our second hearing on cybersecurity 
in this subcommittee which I believe goes to show the extent to 
which cyber issues has become a strategic matter, critical to 
the foreign policy of our Nation and subsequently to this 
committee's work.
    And we are glad to welcome back our witness the State 
Department's cybersecurity coordinator, Chris Painter. This is 
your second time I believe testifying before this subcommittee. 
We hope to hear from Mr. Painter today about what has changed 
since we met just over a year ago at our first cyber hearing of 
this subcommittee, what global threats we are still facing, and 
most importantly, what we can do as a Nation to deter those 
threats.
    The State Department has now released the Department of 
State International Cyberspace Policy Strategy, as mandated by 
the amendment Senator Cardin and I authored to the 2016 omnibus 
legislation. We thank Mr. Painter for fulfilling this 
congressional mandate and producing this document which will 
better inform this committee's efforts going forward. And I 
commend you for standing up the cyber efforts at State and 
elevating cyber issues to the forefront of our Nation's 
diplomacy.
    But we still, obviously, have a lot of questions about how 
this approach is being implemented, how effective it is in 
deterring foreign cyber threats, and how we can continue to 
build viable norms in cyberspace. Our efforts include deterring 
China and Chinese actors from continuing to conduct commercial 
espionage against the United States with agreements made last 
fall, how those agreements are or are not being implemented. 
The questions remain about sensitive data being stolen in the 
breach of the Office of Personnel Management last year and 
other circumstances around the globe.
    And so as we discuss Russia and we discuss Ukraine and we 
discuss Iran, we discuss United Nations activities, this is an 
important hearing to place our cyber policy in the strategic 
realm.
    And so with that, I am going to just let everybody know 
right now we are anticipating votes at 11:00 o'clock, and so we 
will wait as long as we can, if necessary, into that vote 
series before we adjourn the committee hearing.
    So thank you, Mr. Painter.
    And with that, I will turn it to our ranking member, 
Senator Cardin from Maryland.

             STATEMENT OF HON. BENJAMIN L. CARDIN, 
                   U.S. SENATOR FROM MARYLAND

    Senator Cardin. Well, Senator Gardner, first of all, thank 
you for your leadership on this subcommittee. It is a 
critically important subcommittee that deals with East Asia, 
deals with the Pacific, and deals with international 
cybersecurity policy. We certainly have had a very busy agenda 
under your leadership, and it has been a pleasure to work with 
you.
    We should note the President is in Vietnam. Part of our 
challenge is the development of stronger ties with the 
countries of Asia. We have also, of course, been very much 
engaged in North Korea and their proliferation activities, as 
well as of course China.
    And then later today, there will be a full committee 
briefing on the Trafficking in Persons Report, and there are 
several countries in Asia that are of major interest in regards 
to trafficking and other human rights concerns.
    So this has been a very busy subcommittee and I thank you 
for the manner that we have been able to work together, as we 
should, on foreign policy issues without partisan division. So 
thank you very much.
    Cyber represents a new domain in global affairs likely to 
be significant in shaping the 21st century as nuclear weapons 
were in shaping the 20th century. How the United States and 
others in the international community develop norms of 
behavior, assure freedom of expression, and understand how 
concepts such as deterrence, supply, and cyberspace will be 
critical foreign policy challenges in the years ahead.
    These are not going to be easy because what one person sees 
as a national security issue, another looks at as repressive to 
the ability of individuals to be able to get information in 
their country. How cyber technology is used to advance the flow 
of information and to protect us against cyber attacks can also 
be used to repress people from being able to get information by 
governments that look at cyber as a threat to their 
totalitarian regimes.
    So we have challenges here, and how we deal with this is 
going to be one of the major security challenges to face 
America. The Internet must belong to its users, not just the 
states. There are especially repressive regimes like Russia and 
China that are seeking to block or control access to their 
people to the Internet. We will not be able to realize the full 
potential of the Internet to support freedom, civil society, 
and human dignity as long as certain nations continue to 
severely restrict Internet freedom. We need to be cognizant of 
the dangers that cyberspace presents for human progress and 
political rights. The same tools of Internet freedom that can 
be used to organize movements for free speech can also be used 
by ISIS to spew hatred and incite violence against the 
innocents.
    Technologies with the potential to open up access to 
governments can also be hijacked to crush dissent and crush 
human rights. New technologies do not take sides in the 
struggle for human rights, but the United States must. We need 
to be leaders in upholding the principles of Internet freedom 
and human rights in cyberspace. We need to synchronize 
America's undisputed technology leadership with indisputable 
values and principles. That is what America brings to this 
international debate, and that is why it is critically 
important that we develop acceptable international norms in 
regards to the use of cyber and what is expected.
    So, obviously, we look forward to building those norms. 
Last year, the United States and China reached an unprecedented 
deal to combat cyber-enabled theft of intellectual property 
with the intent of providing competitive advantages to 
companies or commercial sectors. To me that was an incredibly 
important moment, but how is it being implemented? And how will 
that lead to acceptable international norms?
    The agreement took a new significance at the G20 summit in 
Turkey when China agreed to join the rest of the G20 nations 
and jointly affirming for the first time that no country should 
conduct or support information or communication technology-
enabled theft of intellectual property with the intent of 
providing competitive advantages to companies or commercial 
sectors.
    I will support the U.S.-China cyber agreement. I am 
concerned that China may not be living up to its terms, and I 
hope today that we will have a chance to review that.
    I am concerned that there is too much ambiguity in our 
current cyber deterrence policy, which leaves our adversaries 
confused about what behavior in cyberspace the United States is 
willing to tolerate. We have what we have learned from the Sony 
attack and the OPM hack in determining what is considered 
appropriate in terms of an attack as opposed to mapping or 
other acceptable activities. What have we learned? Where do you 
draw the right line, and is that clear by U.S. policies 
internationally?
    Mr. Chairman, there are a lot of issues that we need to 
review, and this subcommittee has the responsibility to 
continue our active engagement and we are doing that today by 
this hearing. And I thank you, and I look forward to listening 
to Mr. Painter.
    Senator Gardner. Thank you, Senator Cardin.
    And, of course, we will turn to our witness, Chris Painter, 
today, the Honorable Chris Painter who serves as the State 
Department's Coordinator for Cyber Issues. In this capacity, 
Mr. Painter coordinates and leads the United States' diplomatic 
efforts to implement the President's international strategy for 
cyberspace. He works closely with components across the 
Department, other agencies, the White House, the private 
sector, and civil society.
    Prior to joining the State Department, Mr. Painter served 
in the White House as Senior Director for Cybersecurity Policy 
on the National Security staff. During his 2 years at the White 
House, Mr. Painter was a senior member of the team that 
conducted the President's cyberspace policy review and 
subsequently served as Acting Cybersecurity Coordinator. He 
coordinated the development of the President's 2011 
international strategy for cyberspace.
    Welcome again, Mr. Painter, to the subcommittee, and thank 
you for your service. We look forward to your testimony.

STATEMENT OF CHRISTOPHER PAINTER, COORDINATOR FOR CYBER ISSUES, 
            U.S. DEPARTMENT OF STATE, WASHINGTON, DC

    Mr. Painter. Thank you very much. Chairman Gardner, Ranking 
Member Gardner, members of the Subcommittee on East Asia, the 
Pacific, and International Cybersecurity Policy, it is indeed a 
pleasure to appear again before your subcommittee to provide an 
update on our efforts to deter foreign threats and promote 
global norms in cyberspace. I would agree that the fact that 
this committee has shown attention to this issue helps heighten 
this issue as a foreign policy issue both here and around the 
world.
    Since I testified before your subcommittee 1 year ago, the 
Department of State has continued to make significant progress 
working closely with other Federal Departments and agencies 
across all of our policy priorities, including international 
security, Internet governance, cybersecurity due diligence, 
cyber crime, Internet freedom, and Internet access.
    And it is also important to note, as the chairman noted, 
that last month, the Department submitted to Congress the 
Department of State International Cyberspace Policy Strategy, 
and therefore today I am going to focus my remarks on a few of 
our recent successes in promoting our framework for 
international cyber stability. However, I am happy to answer 
any questions regarding the strategy which addresses all of our 
priorities in greater detail or any questions from my written 
testimony that was submitted for the record.
    As described in those documents, we have spearheaded the 
promotion of a framework for stability in cyberspace based on, 
first, the applicability of international law to state behavior 
in cyberspace; second, the identification of additional 
voluntary norms of responsible state behavior in cyberspace 
that apply during peacetime; and third, the development and 
implementation of practical confidence building measures to 
reduce the risk of misperception and escalation.
    I would like to highlight today some significant 
developments that have occurred in the last year to advance 
this framework.
    Of special interest to this subcommittee are developments 
with China. As the subcommittee is well aware, the United 
States strongly opposes the use of cyber technology to steal 
intellectual property for commercial advantage and has 
continuously raised this concern with China for some time. In 
September 2015, the U.S. and China reached agreement during 
President Xi Jinping's state visit on several key commitments 
on cyber issues. Among those commitments, in addition to the 
ones relating to law enforcement cooperation, were that, one, 
neither country's government will conduct or knowingly support 
cyber-enabled theft of intellectual property for commercial 
advantage and, two, both governments will work together to 
further identify and promote appropriate norms of state 
behavior in cyberspace and hold a senior experts group on 
international security issues in cyberspace.
    While these commitments do not resolve all of our 
challenges with China on cyber issues, nevertheless they do 
represent a step forward in our efforts to address one of the 
sharpest areas of disagreement in the U.S.-China bilateral 
relationship.
    I would also note that 2 weeks ago today on May 11th, we 
hosted the first meeting of the senior experts group in 
Washington on international security issues in cyberspace, 
which provided a forum to further engage China on its views and 
seek common ground regarding norms of state behavior in 
cyberspace and other topics.
    The agreement with China last year is in part built upon 
the success we had a few months earlier when the United Nations 
Group of Governmental Experts reached a consensus on its third 
report since 2009 on issues related to international security 
in cyberspace.
    The 2015 GGE report's most significant achievement was its 
recommendation regarding voluntary norms of state behavior 
designed for peacetime, which included concepts that have been 
championed by the U.S. This included norms against harming 
critical infrastructure, our computer security incident 
response teams, as well as the norm that states respond to 
appropriate requests in mitigating malicious cyber activity 
emanating from their territory.
    Both of these developments that I just mentioned fed into a 
third major accomplishment. Last November, the leaders of the 
G20 meeting in Turkey strongly endorsed the U.S. approach to 
promoting stability in cyberspace. The leaders' communique 
affirmed that states should not conduct or support cyber theft 
of intellectual property for commercial advantage. The 
communique also highlighted the 2015 GGE report I discussed, 
affirmed international law and, in particular, the U.N. charter 
applies to state conduct in cyberspace, and endorsed the view 
that all states should abide by norms of responsible state 
behavior in cyberspace.
    These three developments occurring in a remarkably short 
period of time, along with recent agreements in two regional 
security organizations to advance our work in developing cyber 
confidence building measures, collectively represents a major 
step towards international acceptance of the U.S. approach to 
promoting stability in cyberspace. It gives us great momentum 
as we work to convince more states to endorse our approach at 
the leaders' level as we move into the upcoming round of the 
GGE that begins in August where we hope to further develop this 
framework.
    While we can be proud of our recent successes, it is 
important to also acknowledge that we still face a range of 
policy and technical challenges to our vision of an open, 
interoperable, secure, and reliable cyberspace.
    As we look ahead, cybersecurity will continue to be a 
challenge for the United States when we take into consideration 
the rapidly expanding environment of global cyber threats, the 
increasing reliance on information, the reality that many 
developing nations are still in the early stages of their cyber 
maturity, and the ongoing and increasingly sophisticated use of 
information technology by terrorists and other criminals. 
Therefore, the Department of State anticipates a continued 
increase and an expansion of our cyber-focused diplomatic and 
capacity building efforts for the foreseeable future.
    Again, I am happy to be here before the subcommittee and 
happy to take any questions.
    [Mr. Painter's prepared statement follows:]


            Prepared Statement of Christopher M. E. Painter

    Chairman Gardner, Ranking Member Cardin, members of the 
Subcommittee on East Asia, the Pacific, and International Cybersecurity 
Policy, it is a pleasure to appear again before your Subcommittee to 
provide an update on key developments in our cyber foreign policy 
efforts.
    Since I testified before your Subcommittee one year ago, the 
Department of State (the Department) has continued to work closely with 
other Federal departments and agencies and has made significant 
progress in a number of areas.
    It is also important to note that last month, as required by the 
Consolidated Appropriations Act for 2016, the Department submitted to 
Congress the Department of State International Cyberspace Policy 
Strategy (the Strategy) that included a report on the Department's work 
to implement the President's 2011 International Strategy for 
Cyberspace, as well as a discussion of our efforts to promote norms of 
responsible state behavior in cyberspace, alternative concepts for 
norms promoted by certain other countries, threats facing the United 
States, tools available to the President to deter malicious actors, and 
resources required to build international norms. I appreciate the 
opportunity today to provide an update on our progress as well as the 
challenges we face in a number of areas.
    As reflected in the Strategy we provided to Congress last month, 
the Department of State structures its cyberspace diplomacy in close 
cooperation with our interagency partners--including the Departments of 
Justice, Commerce, Defense, Homeland Security, and Treasury, and the 
Intelligence Community--around the following interrelated, dynamic, and 
cross-cutting policy pillars drawn from the President's International 
Strategy for Cyberspace: digital economy; international security; 
promoting cybersecurity due diligence; combating cybercrime; Internet 
governance; Internet freedom; and international development and 
capacity building, as well as cross-cutting issues such as countering 
the use of the Internet for terrorist purposes. In addition, as we 
noted, the Department actively is mainstreaming cyberspace issues into 
its foreign diplomatic engagements and building the necessary internal 
capacity.
    I am happy to answer any questions regarding the Strategy, which 
discusses all of these policy priorities in greater detail, including 
specific accomplishments from our robust bilateral and multilateral 
diplomatic engagements and highlights from the roles and contributions 
of other Federal agencies.
    In spite of the successes outlined in the Strategy, the U.S. vision 
for an open, interoperable, secure, and reliable Internet faces a range 
of policy and technical challenges. Many of these challenges were 
described in my testimony last year, and they largely remain. I would 
like to focus my time today delving specifically into our efforts to 
promote a broad international framework for cyber stability, as well 
some of the alternative views regarding the Internet that some 
governments are promoting. I will also spend some time discussing the 
technical challenges and threats posed by continuing malicious cyber 
activity directed at the United States, as well as our allies, and the 
tools we have at our disposal to deter these actions.

           Diplomatic Efforts To Shape the Policy Environment

     building a framework for international stability in cyberspace
    The Department of State, working with our interagency partners, is 
guided by the vision of the President's International Strategy for 
Cyberspace, which is to promote a strategic framework of international 
cyber stability designed to achieve and maintain a peaceful cyberspace 
environment where all states are able to fully realize its benefits, 
where there are advantages to cooperating against common threats and 
avoiding conflict, and where there is little incentive for states to 
engage in disruptive behavior or to attack one another.
    This framework has three key elements: (1) global affirmation that 
international law applies to state behavior in cyberspace; (2) 
development of an international consensus on and promotion of 
additional voluntary norms of responsible state behavior in cyberspace 
that apply during peacetime; and (3) development and implementation of 
practical confidence building measures (CBMs), which promote stability 
in cyberspace by reducing the risks of misperception and escalation.
    Since 2009, the United Nations Group of Governmental Experts on 
Developments in the Field of Information and Telecommunications in the 
Context of International Security (UN GGE) has served as a productive 
and groundbreaking expert-level venue for the United States to build 
support for this framework. The consensus recommendations of the three 
UN GGE reports in 2010, 2013, and 2015 have set the standard for the 
international community on international cyberspace norms and CBMs. The 
UN GGE process will continue to play a central role in our efforts to 
fully promulgate this framework when it reconvenes in August 2016.
    Applicability of international law. The first and most fundamental 
pillar of our framework for international cyber stability is the 
applicability of existing international law to state behavior in 
cyberspace. The 2013 UN GGE report was a landmark achievement that 
affirmed the applicability of existing international law, including the 
UN Charter, to state conduct in cyberspace. The 2013 report underscored 
that states must act in cyberspace under the established international 
obligations and commitments that have guided their actions for 
decades--in peacetime and during conflict--and states must meet their 
international obligations regarding internationally wrongful acts 
attributable to them. The 2014-2015 UN GGE also made progress on issues 
related to international law by affirming the applicability of the 
inherent right to self-defense as recognized in Article 51 of the UN 
Charter, and noting the law of armed conflict's fundamental principles 
of humanity, necessity, proportionality, and distinction.
    Norms of responsible state behavior. The United States is also 
building consensus on a set of additional, voluntary norms of 
responsible state behavior in cyberspace that define key areas of risk 
that would be of national and/or economic security concern to all 
states and which should be off-limits during times of peace. If 
observed, these stability measures--which are measures of self-
restraint--can contribute substantially to conflict prevention and 
stability. The United States was the first state to propose a set of 
specific peacetime cyber norms, including the cybersecurity of critical 
infrastructure, the protection of computer security incident response 
teams (CSIRTs), and cooperation between states in responding to 
appropriate requests in mitigating malicious cyber activity emanating 
from their territory. In May 2015, Secretary of State Kerry highlighted 
these norms in his speech in Seoul, South Korea, on an open and secure 
Internet. The 2015 UN GGE report's most significant achievement was its 
recommendation for voluntary norms of state behavior designed for 
peacetime, which included concepts championed by the United States.
    Confidence Building Measures. Together with our work on law and 
voluntary norms, cyber CBMs have the potential to contribute 
substantially to international cyber stability. CBMs have been used for 
decades to build confidence, reduce risk, and increase transparency in 
other areas of international concern. Examples of cyber CBMs include: 
transparency measures, such as sharing national strategies or doctrine; 
cooperative measures, such as an initiative to combat a particular 
cyber incident or threat actor; and stability measures, such as 
committing to refrain from a certain activity of concern. Cyber CBMs 
are being developed, and are in the first stages of implementation, in 
two regional venues--the Organization for Security and Cooperation in 
Europe (OSCE) and the ASEAN Regional Forum where agreement was reached 
in 2015 on a detailed work plan with a proposed set of CBMs for future 
implementation.
    Although many of the elements of the framework I have described 
above may seem selfevident to an American audience, it is important to 
recognize that cyber issues are new to many states, and as I describe 
later in my testimony, there are also many states that hold alternative 
views on how we should promote cyber stability. Notwithstanding these 
headwinds, as well as the fact that diplomatic negotiations on other 
issues can take many years, if not decades, the United States and its 
allies have made substantial progress in recent years towards advancing 
our strategic framework of international cyber stability. At this 
point, I would like to highlight examples from last year that reflect 
our progress.
U.S.-China Cyber Commitments
    The United States strongly opposes the use of cyber technology to 
steal intellectual property for commercial advantage, and has raised 
this concern with Chinese interlocutors for several years. In 2014, the 
U.S. indicted five members of the Chinese military for hacking, 
economic espionage, and other offenses directed at six U.S. entities. 
This led China to suspend the U.S.-China Cyber Working Group. The U.S. 
and China, however, reached agreement during President Xi Jinping's 
state visit in September 2015 on several key commitments on cyber 
issues. These commitments are:


 1. both governments agreed to cooperate and provide timely responses 
        to requests for information and assistance regarding malicious 
        cyber activity emanating from their territories;

 2. neither country's government will conduct or knowingly support 
        cyber-enabled theft of intellectual property for commercial 
        advantage;

 3. both governments will work together to further identify and promote 
        appropriate norms of state behavior in cyberspace and hold a 
        senior experts group on international security issues in 
        cyberspace; and

 4. both governments will establish a Ministerial-level joint dialogue 
        mechanism on fighting cybercrime and related issues.


    Two weeks ago today--on May 11--the United States hosted the first 
meeting of the senior experts group in Washington on international 
security issues in cyberspace, which provided a forum to further engage 
China on its views and seek common ground regarding norms of state 
behavior in cyberspace and other topics. The Department of State led 
the U.S. delegation that included participation from the Department of 
Defense and other U.S. government agencies. The senior experts group 
helps us advance the growing international consensus on international 
law and voluntary cyber norms of state behavior. We also have 
encouraged China to join us in pushing for other states to affirm these 
principles in international forums like the Group of Twenty (G20), and 
will continue to do so.
    To implement other commitments reached during President Xi's visit, 
the United States and China held the first ministerial level dialogue 
on cybercrime and other related issues in Washington on December 1, 
2015. Attorney General Loretta Lynch and Homeland Security Secretary 
Jeh Johnson, together with Chinese State Councilor Guo Shengkun, co-
chaired the first U.S.-China High-Level Joint Dialogue on Cybercrime 
and Related Issues to foster mutual understanding and enhance 
cooperation on law enforcement and network protection issues. The 
second dialogue is scheduled to occur next month in Beijing, China.
    Moreover, regarding the commitment that neither government will 
conduct or knowingly support cyber-enabled theft for commercial gain, 
Deputy Secretary of State Blinken testified last month before the full 
Committee on Foreign Relations that the United States is ``watching 
very closely to ensure this commitment is followed by action.''
    The outcomes of last year's Xi-Obama summit focus on concrete 
actions and arrangements that will allow us to hold Beijing accountable 
to the commitments they have made. These commitments do not resolve all 
our challenges with China on cyber issues. However, they do represent a 
step forward in our efforts to address one of the sharpest areas of 
disagreement in the U.S.-China bilateral relationship.
Group of Twenty (G20) Antalya Summit
    In November 2015, the leaders of the G20 met in Antalya, Turkey, to 
discuss and make progress on a wide range of critical issues facing the 
global economy. At the conclusion of the Antalya Summit, the strong 
final communique issued by the G20 leaders affirmed the U.S.-championed 
vision of international cyber stability and its pillars.
    Among other things, the G20 leaders affirmed in their statement 
that ``no country should conduct or support the ICT-enabled theft of 
intellectual property, including trade secrets or other confidential 
business information, with the intent of providing competitive 
advantages to companies or commercial sectors.'' They also highlighted 
the ``key role played by the United Nations in developing norms'' and 
the work of the UN GGE and its 2015 report. Addressing our overall 
framework, the G20 leaders stated that they ``affirm that international 
law, and in particular the UN Charter, is applicable to state conduct 
in the use of ICTs and commit ourselves to the view that all states 
should abide by norms of responsible state behavior in the use of ICTs 

    The G20 leaders' communique represents a remarkable endorsement of 
our approach to promoting stability in cyberspace. But there is still 
more to do. The United States will continue to work within the G20 and 
in other bilateral and multilateral engagements to promote and expand 
these policy pronouncements regarding responsible state behavior in 
cyberspace.
          organization for security and cooperation in europe
    As a result of the leadership by the United States and like-minded 
countries, the 57 member states of the OSCE, which includes not only 
Western allies but also Russia and other former Soviet states, reached 
consensus in March 2016 on an expanded set of CBMs. This expanded set, 
which includes five new CBMs, builds upon the 11 CBMs announced by the 
OSCE in 2013 that member states are already working to implement.
    The initial 11 CBMs were primarily focused on building transparency 
and putting in place mechanisms for de-escalating conflict. For 
example, there were CBMs calling upon participating states to identify 
points of contact that foreign governments could reach out to in the 
event of a cyber incident emanating from the state's territory and put 
in place consultation and mediation mechanisms. The additional five 
CBMs focused more on cooperative measures focusing on issues like 
cybersecurity of critical infrastructure and developing public-private 
partnerships. Secure and resilient critical infrastructure, including 
in the communications sector, requires the integration of cyber, 
physical, and human elements. Since most critical infrastructure is 
privately owned, public-private partnerships are essential for 
strengthening critical infrastructure. Given the distributed nature of 
critical infrastructure, these efforts also require international 
collaboration. Work will continue this year to strengthen 
implementation of the previous CBMs and to begin implementing the new 
ones as well. This will build on the cooperation we have underway with 
many international partners in this and other similar fora. We also 
hope that this further success within the OSCE context can serve to 
strengthen CBMs as a model that other regional security organizations 
can adopt.
    In addition to our work with governmental organizations, the 
Department of State engages extensively with a range of stakeholders 
outside of government, who play critical roles in helping to preserve 
and promote the same vision of cyberspace held by the United States. 
Non-government stakeholders are often part of our delegations to key 
meetings, for which there is intensive consultation, and we often 
engage with our stakeholders before and after key events to hear their 
views and to inform them of our activities. We also engage extensively 
with the stakeholder community ahead of and immediately following major 
cyber conferences, such as the Global Conference on Cyberspace, most 
recently in The Hague, the Netherlands, and previously in Seoul, South 
Korea.
          policy challenge: alternative views of the internet
    A challenge to the implementation of our cyberspace strategy is a 
competing and alternative view of the Internet. The United States and 
much of the broader international community support the open flow and 
movement of data on the Internet that drives economic growth, protects 
human rights, and promotes innovation. The United States believes in a 
multistakeholder approach whereby governments, private sector, civil 
society, and the technical and academic communities cooperate to 
address both technical and policy threats through inclusive, 
transparent, consensus-driven processes.
    China's approach to cyberspace in the international context is 
propelled by its desire to maintain internal stability, maintain 
sovereignty over its domestic cyberspace, and combat what it argues is 
an emerging cyber arms race and `militarization' of cyberspace. China 
has been willing to consider cyber confidence building measures, and 
has affirmed that international law applies in cyberspace, but has not 
been willing to affirm more specifically the applicability of the law 
of armed conflict or other laws of war, because it believes it would 
only serve to legitimize state use of cyber tools as weapons of war.
    This has led to a set of external policies that reinforces 
traditional Chinese foreign policy priorities of non-interference in 
internal affairs, national sovereignty over cyberspace, and ``no first 
use'' of weapons. China views its expansive online censorship regime--
including technologies such as the Great Firewall--as a necessary 
defense against destabilizing domestic and foreign influences, and it 
has promoted this conception internationally. China also urges creation 
of new ``cyber governance'' instruments, which would, inter alia, 
create new binding rules designed to limit the development, deployment, 
and use of ``information weapons,'' promote speech and content 
controls, seek to replace the framework of the Council of Europe 
Convention on Cybercrime (Budapest Convention), elevate the role of 
governments vis-a-vis other stakeholders, and likely give the United 
Nations authority for determining attribution and responding to 
malicious cyber activity. While the United States and its partners seek 
to focus our cyber policy efforts on combatting threats to networks, 
cyber infrastructure, and other physical threats from cyber tools, 
China also emphasizes the threats posed by online content. In addition, 
some of these policies stand in sharp contrast to the U.S. view that 
all stakeholders should be able to contribute to the making of public 
policy regarding the Internet.
    Russia's approach to cyberspace in the international context has 
focused on the maintenance of internal stability, as well as 
sovereignty over its ``information space.'' While Russia co-authored 
the Code of Conduct, with China and other Shanghai Cooperation 
Organization members, Russia's ultimate goal is also a new 
international cyber convention, which they pair with criticism of the 
Budapest Convention.
    Russia has nonetheless found common ground with the United States 
on our approach of promoting the applicability of international law to 
state conduct in cyberspace as well as voluntary, non-binding norms of 
state behavior in peacetime. Russia has also committed to the first 
ever set of bilateral cyber confidence building measures with the 
United States, as well as the first ever set of cyber CBMs within a 
multilateral institution, at the OSCE in 2013 and 2016 that I 
previously discussed.
    We counter these alternative concepts of cyberspace policy through 
a range of diplomatic tools that include not only engagement in 
multilateral venues, but also direct bilateral engagement and 
awareness-raising with a variety of state and non-state actors. I now 
would like to discuss some of the technical challenges and threats the 
U.S. faces and some of the tools we have to respond to and prevent 
cyber incidents.

              Responding To and Preventing Cyber Incidents

                        continuing cyber threats
    Cyber threats to U.S. national and economic security are increasing 
in frequency, scale, sophistication, and severity. In 2015, high 
profile cyber incidents included the breach of health insurance company 
Anthem, Inc.'s IT system that resulted in the theft of account 
information for millions of customers; an unauthorized breach of the 
Office of Personnel Management's systems that resulted in the theft of 
approximately 22 million personnel files; and hackers launching an 
unprecedented attack on the Ukraine power grid that cut power to 
hundreds of thousands of customers.
    Overall, the unclassified information and communications technology 
networks that support U.S. government, military, commercial, and social 
activities remain vulnerable to espionage and disruption. As the 
Department noted in the Strategy we submitted last month, however, the 
likelihood of a catastrophic attack against the United States from any 
particular actor is remote at this time. The Intelligence Community 
instead foresees an ongoing series of low-to-moderate level cyber 
operations from a variety of sources, which will impose cumulative 
costs on U.S. economic competitiveness and national security, pose 
risks to Federal and private sector infrastructure in the United 
States, infringe upon the rights of U.S. intellectual property holders, 
and violate the privacy of U.S. citizens.
    In February, Director of National Intelligence James Clapper 
testified before Congress on the 2016 Worldwide Threat Assessment of 
the U.S. Intelligence Community, and stated: ``Many actors remain 
undeterred from conducting reconnaissance, espionage, and even attacks 
in cyberspace because of the relatively low costs of entry, the 
perceived payoff, and the lack of significant consequences.'' He 
highlighted the malicious cyber activities of the leading state actors, 
non-state actors such as Da'esh, and criminals who are developing and 
using sophisticated cyber tools, including ransomware for extortion and 
malware to target government networks.
    The Intelligence Community continues to witness an increase in the 
scale and scope of reporting on malicious cyber activity that can be 
measured by the amount of corporate data stolen or deleted, personally 
identifiable information compromised, or remediation costs incurred by 
U.S. victims. The motivation to conduct cyber attacks and cyber 
espionage will probably remain strong because of the gains for the 
perpetrators.
                tools available to counter cyber threats
    The United States works to counter technical challenges through a 
whole-of-government approach that brings to bear its full range of 
instruments of national power and corresponding policy tools--
diplomatic, law enforcement, economic, military, and intelligence--as 
appropriate and consistent with applicable law.
    The United States believes that deterrence in cyberspace is best 
accomplished through a combination of ``deterrence by denial''--
reducing the incentive of potential adversaries to use cyber 
capabilities against the United States by persuading them that the 
United States can deny their objectives--and ``deterrence through cost 
imposition''--threatening or carrying out actions to inflict penalties 
and costs against adversaries that conduct malicious cyber activity 
against the United States. It is important to note that there is no 
one-size-fits-all approach to deterring or responding to cyber threats. 
Rather, the individual characteristics of a particular threat determine 
the tools that would most appropriately be used.
    The President has at his disposal a number of tools to carry out 
deterrence by denial. These include a range of policies, regulations, 
and voluntary standards aimed at increasing the security and resiliency 
of U.S. government and private sector computer systems. They also 
include incident response capabilities and certain law enforcement 
authorities.
    With respect to cost imposition, the President is able to draw on a 
range of response options from across the United States government.


        Diplomatic tools provide a way to communicate to adversaries 
        when their actions are unacceptable and to build support and 
        greater cooperation among, or seek assistance from, allies and 
        like-minded countries to address shared threats. Diplomatic 
        demarches to both friendly and potentially hostile states have 
        become a regular component of the United States' response to 
        major international cyber incidents. In the longer term, U.S. 
        efforts to promote principles of responsible state behavior in 
        cyberspace, including peacetime norms, are intended to build 
        increasing consensus among like-minded states that can form a 
        basis for cooperative responses to irresponsible state actions.

        Law enforcement tools can be used to investigate crimes and 
        prosecute malicious cyber actors both within the United States 
        and abroad. International cooperation is critical to cybercrime 
        investigations, which is why the United States has promoted 
        international harmonization of substantive and procedural 
        cybercrime laws through the Budapest Convention, created an 
        informal channel for data preservation and information sharing 
        through the G7 24/7 network, and promoted donor partnerships to 
        assist developing nations.

        Economic tools, such as financial sanctions, may be used as a 
        part of the broader U.S. strategy to change, constrain, and 
        stigmatize the behavior of malicious actors in cyberspace. 
        Since January 2015, the President has provided guidance to the 
        Secretary of the Treasury to impose sanctions to counter North 
        Korea's malicious cyber-enabled activities. Executive Order 
        13687 was issued, in part, in response to the provocative and 
        destructive attack on Sony Pictures Entertainment, while 
        Executive Order 13722 targets, among others, significant 
        activities by North Korea to undermine cybersecurity, in line 
        with the recently-signed North Korea Sanctions and Policy 
        Enhancement Act of 2016. Aside from these North Korea-specific 
        authorities, in April 2015, the President issued Executive 
        Order 13694, Blocking the Property of Certain Persons Engaging 
        in Significant Malicious Cyber-Enabled Activities, which 
        authorizes the imposition of sanctions against persons whose 
        malicious cyber-enabled activities could pose a significant 
        threat to the national security, foreign policy, or economic 
        health or financial stability of the United States.

        Military capabilities provide an important set of options for 
        deterring and responding to malicious cyber activity. The 
        Department of Defense continues to build its cyber capabilities 
        and strengthen its cyber defense and deterrence posture. As 
        part of this effort, the Department of Defense is building its 
        Cyber Mission Force, which is already employing its 
        capabilities to defend Department of Defense networks, defend 
        the Nation against cyberattacks of significant consequence, and 
        generate integrated cyberspace effects in support of 
        operational plans and contingency operations. In addition, 
        Secretary of Defense Ashton Carter announced earlier this year 
        that U.S. forces are using cyber tools to disrupt Da'esh's 
        command and control systems and to negatively impact its 
        networks.

        Intelligence capabilities are also an important tool at the 
        President's disposal in detecting, responding to, and deterring 
        malicious activities in cyberspace, particularly given the 
        unique challenges associated with attributing and understanding 
        the motivation behind such malicious activities.


    Even with this broad range of tools, deterring cyber threats 
remains a challenge. Given the unique characteristics of cyberspace, 
the United States continues to work to develop additional and 
appropriate consequences that it can impose on malicious cyber actors.
                           capacity building
    In addition to the tools that I have just outlined, the ability of 
the United States to respond to foreign cyber threats and fight 
transnational cybercrime is greatly enhanced by the capabilities and 
strength of our international partners in this area. Therefore, the 
Department of State is working with departments and agencies, allies 
and multilateral partners to build the capacity of foreign governments, 
particularly in developing countries, to secure their own networks as 
well as investigate and prosecute cybercriminals within their borders. 
The Department also actively promotes donor cooperation, including 
bilateral and multilateral participation in joint cyber capacity 
building initiatives.
    In 2015, for example, the United States joined the Netherlands in 
founding the Global Forum on Cyber Expertise, a global platform for 
countries, international organizations, and the private sector to 
exchange best practices and expertise on cyber capacity building. The 
United States partnered with Japan, Australia, Canada, the African 
Union Commission, and Symantec on four cybersecurity and cybercrime 
capacity building initiatives. The Department also provided assistance 
to the Council of Europe, the Organization of American States, and the 
United Nations Global Program on Cybercrime to enable delivery of 
capacity building assistance to developing nations. Many traditional 
bilateral law enforcement training programs increasingly include cyber 
elements, such as training investigators and prosecutors in the 
handling of electronic evidence. Much of our foreign law enforcement 
training on combating intellectual property crime focuses on digital 
theft.
    In another example of capacity building, the Department of State, 
through its Bureau of International Narcotics and Law Enforcement 
Affairs, manages five International Law Enforcement Academies (ILEAs) 
worldwide, and one additional Regional Training Center. These six 
facilities provide law enforcement training and instruction to law 
enforcement officials from approximately 85 countries each year. The 
ILEA program includes a wide variety of cyber investigation training 
courses, from basic to advanced levels, taught by subject matter 
experts from the U.S. Secret Service and other agencies and policy-
level discussions with senior criminal justice officials. This serves 
as a force multiplier to enhance the capabilities of the international 
law enforcement community to collaborate in the effort to fight 
cybercrime.
    The Department of State is committed to continuing its capacity 
building initiatives as another effective way to counter international 
cyber threats and promote international cyber stability.

                             looking ahead

    Cybersecurity will continue to be a challenge for the United States 
when we take into consideration the rapidly expanding environment of 
global cyber threats, the increasing reliance on information technology 
and number of ``smart devices,'' the reality that many developing 
nations are still in the early stages of their cyber maturity, and the 
ongoing and increasingly sophisticated use of information technology by 
terrorists and other criminals. Thus, the Department of State 
anticipates a continued increase and expansion of our cyber-focused 
diplomatic and capacity building efforts for the foreseeable future.
    The Department will continue to spearhead the effort to promote 
international consensus that existing international law applies to 
state actions in cyberspace and build support for certain peacetime 
norms through assisting states in developing technical capabilities and 
relevant laws and policies, to ensure they are able to properly meet 
their commitments on norms of international cyber behavior.
    The Department of State remains appreciative of this Subcommittee's 
continued support. Thank you for the opportunity to testify today. I am 
happy to answer your questions.


    Senator Gardner. Thank you, Mr. Painter.
    I will begin with questions.
    Obviously, over the past several years, since 2011 with the 
publication of the International Strategy for Cyberspace out of 
the White House, we have seen activities from Russia attacking 
critical infrastructure in Ukraine last December. We have seen 
reports of targeting of U.S. critical infrastructure by various 
actors. We have seen news reports of Iranian agents attempting 
to access a dam near New York City. We have seen North Korea 
develop cyber as an asymmetric tool to threaten its neighbors 
and the United States. And we continue to see other actions 
despite the conversations and negotiations that we have.
    And so in light of all these attacks from Russia, China, 
Iran, or supposed attacks from these nations, does the 2011 
International Strategy for Cyberspace accurately reflect the 
threats that we face today, and if not, what has changed in the 
2011 cyberspace strategy and what needs to change?
    Mr. Painter. So I think the 2011 strategy was, as you know, 
a high level document that talked about our goals in 
cyberspace. Those goals have not changed. But I do think that 
as we look at the various challenges we are facing in 
cyberspace, particularly by various threat actors around the 
world, we are going to continue to hone the way we implement 
those goals and achieve those goals.
    The strategy that we submitted to Congress, pursuant to the 
requirement of the committee, talks about both some of the 
threat actors that we are seeing but also some of the tools we 
have in our tool set to mitigate those threats and go after 
those threats. And that is going to be a continuing 
conversation. It needs to be a continuing and flexible approach 
that we have that uses a lot of the tools in our national tool 
set, really all the tools we have.
    One thing we said in our international strategy in 2011 is 
that we need to look at all the tools we have as a government, 
a whole-of-government approach that uses everything from our 
economic tools, our diplomatic tools, certainly what I do, our 
law enforcement tools, our other trade tools that we might 
have, and even military tools in appropriate circumstances 
after we have exhausted other remedies. So we have to look at 
all the various tools we have.
    I would say--on some of the issues you raised, I do not 
think we have made complete attribution, but on some we have--
we have been using a variety of those tools. Certainly in terms 
of the diplomatic tools, we have used the tools that diplomats 
use. We have used them both against the people we are unhappy 
with and been very clear about what our concerns are. I would 
argue that the U.S.-China agreement came about because this was 
raised consistently at a very high level of our government as a 
major area of friction that would affect not just cyber issues 
between our two countries, but really the whole of the 
relationship. And that was significant.
    I think the fact that we had other tools, including the law 
enforcement tools that were used to indict PLA officers in that 
case or more recently the indictment of the Iranian actors for 
the denial of service attacks and the penetration of the dam as 
a significant use of those tools that sends a deterrent 
message, and that is important.
    We have a sanctions regime for cyber. We also have, thanks 
to both of you, additional sanctions authority for North Korea. 
We used North Korean sanctions authority after North Korea's 
attacks of Sony a couple of years ago. So we have used those 
tools, but we certainly have those other tools in our tool set.
    So we really do have a variety of different ways to go 
after that. But we have to understand this threat is going to 
continue and it is going to evolve, and we need to be ready to 
deal with that evolution and use again all the tools in 
partnership. So I have a role in this, but I work with all of 
my interagency colleagues to do this.
    The other thing I would mention is that part of the issue 
is also talking to not just our allies but other countries 
about what threats are out there. When I testified last year, I 
mentioned that we were the first office of our kind and that 
now there are over 20 countries around the world that have 
offices like mine. And a number of additional ones are looking 
at it. Australia just recently announced their cybersecurity 
strategy, and they are creating an office like mine, for 
instance. So, more and more countries are doing that. And that 
is significant because it means that we can, at a White House 
level, at a State Department level, talk with other countries 
and, again, in a whole-of-government way about what threats we 
are facing and what we may be able to do collectively.
    And the third thing I mentioned goes back to the norms, and 
this is a long-term game. So we talked about law enforcement 
tools. We talked about trade tools. We talked about other 
tools. The norms of conduct that we are trying to promote and 
get more and more countries to sign up for and accept create an 
environment where there are rules of the road, where there is 
an expectation of what is appropriate conduct in cyberspace. If 
you have countries who are acting outside of that expectation, 
the countries who agree can act together to work against those 
transgressors. Now, that will take a while to build. We have 
had tremendous progress over the last year, but I think we are 
on the right track.
    Senator Gardner. In your written testimony, you talk about 
the various tools, diplomatic tools, law enforcement tools, 
economic tools, military capabilities, and intelligence 
capabilities. Obviously, you have talked about a number of 
diplomatic tools that have been utilized, talked about law 
enforcement tools that have been used to investigate cyber 
crimes and the work in partnership with other nations to enlist 
them in this investigative effort.
    I want to talk a little bit more about the economic tools. 
Could you talk a little bit about the financial sanctions and 
when a determination is made by State-Treasury to move forward 
on economic sanctions?
    Mr. Painter. Senator, as you know, the President signed a 
couple of executive orders, one right after the North Korea 
Sony attacks that were broad sanctions that went after members 
of the North Korean Communist Party and people who supported 
them. Two was the cyber sanctions order which was really the 
first of its kind anywhere in the world that targeted 
specifically various kinds of very serious cyber conduct. And 
then third, most recently, the North Korea Sanctions Act. And 
there is an EO now that gives voice to that last act, as well 
as U.N. Security Council resolutions.
    That first sanctions order against North Korea has been 
used. The President, at the end, decides whether sanctions are 
used, and it is the right tool.
    I would emphasize that is just one tool in the tool set. So 
if you look at the various tools, you will make a decision of 
what tools are appropriate in what case, and that can be 
flexible depending on the various threats you face. To date, 
the cyber sanctions order has not been used, but I am fully 
confident it will be used. I would also say the fact that it 
exists has a deterrent effect in and of itself and also changes 
behavior.
    Senator Gardner. You are referring to Executive Order 
13694. Correct?
    Mr. Painter. Correct.
    Senator Gardner. Is there any active consideration right 
now of sanctions under the executive order?
    Mr. Painter. All I can say is that there is an interagency 
group that looks at this. It includes State. It includes 
Treasury, the White House, and it includes other agencies as 
well. I cannot make any statement about actual designations 
under that, but as I said, this is an important tool in our 
tool set and one I am confident will be used.
    Senator Gardner. Senator Cardin.
    Senator Cardin. Thank you again.
    We are almost at the year anniversary of the announcement 
of the compromise by OPM of millions of Americans' information 
being compromised through a cyber attack. Millions of Federal 
workers are at risk today as a result of that attack. Their 
economic issues are very much at risk.
    As a result of that announcement, I think it gave extra 
attention to the November agreement between the United States 
and China that we have referred to several times. Would the 
agreement we entered into with China be effective in preventing 
China from actively engaging in that type of attack against 
American Federal workers?
    Mr. Painter. What I would say is that we obviously take 
that kind of activity very seriously. There has been a lot of 
work that the administration has done, including the one thing 
I did not mention in response to Senator Gardner's question, 
which is doing a lot of work to harden the targets, doing a lot 
of work to make sure we are doing deterrence by denial. So the 
recent CNAP announcements by the administration, both in terms 
of funding but also in terms of the programmatic changes to 
make sure that there is better protection of government 
systems, are part of how we keep that from happening in the 
future.
    We have not made any public attribution of the OPM attack, 
as I believe you know, or the character of it. But what I would 
say is what we did say to China at the time--and I think Deputy 
Secretary Blinken mentioned this--is that kind of intrusion is 
just too big to ignore and too disruptive and it is a real 
concern.
    With respect to the agreement that was made in the context 
of the Xi visit, there is agreement not to use cyber to steal 
intellectual property for purposes of benefiting a commercial 
sector. That was something we do not do. We do not think any 
country around the world should do. And quite frankly, as you 
know, China was not willing to make that distinction, the 
distinction between intelligence gathering that every country 
does and the kind of commercial theft and benefit----
    Senator Cardin. I think I know where your answer is 
leading, which is, no, it would not cover that type of a----
    Mr. Painter. The other thing it did was create a number of 
mechanisms, including the mechanism that is led by the Attorney 
General and the Secretary of Homeland Security and the group 
that I lead that allows for messaging in those contexts where 
we did not have those messaging channels before.
    Senator Cardin. Well, here is why I think it does cover 
that. China's largest companies are government-owned. So how do 
you deal with the issue of competitive advantage to companies' 
commercial sectors when you are dealing with a country, China, 
where so much of its economy is controlled by the government? 
Does not their attack against our workforce very much affect 
their commercial advantage?
    Mr. Painter. Specifically, what the agreement, which then 
got approved at the G20, is an agreement that was approved 
right after President Xi was here for his summit with President 
Obama--he went to U.K. Prime Minister Cameron and asked for a 
similar agreement. German Chancellor Angela Merkel asked for a 
similar agreement, and then we had the G20 statement. It 
specifically talks about theft of trade secrets, intellectual 
property as the thing that is being stolen to benefit a 
commercial sector. And even if it is a state-owned enterprise, 
I would submit that theft of intellectual property can be, even 
if it is going to a state-owned enterprise, violate that 
agreement if it is being used to benefit what is there in a 
commercial sector. So that is what we are working on. That is 
what we are looking at very closely.
    Of course, we want to stop all kinds of intrusions. Of 
course, we want to stop intrusions even if they are for 
intelligence purposes. But we need to do as good a job as we 
can to make sure we are preventing those, and that is why the 
deterrence by denial and far better protection of our Federal 
networks is really important.
    Senator Cardin. Are you prepared to advise this committee 
as to whether the agreement with China has resulted in a 
reduced amount of activity by China in its attempts to steal 
intellectual property from American companies?
    Mr. Painter. So the way I characterize this is--I think 
recently Admiral Rogers testified not to this committee but 
another committee--that we are watching very closely and the 
jury is still out. I think Director Comey said that he has seen 
some more cooperation on cyber crime cases. We are looking 
closely, and we are going to continue to look closely. And all 
of our government and all the tools of our government are being 
used to make sure that that commitment is being honored.
    I would also make clear, however, that as the President 
said, words are not enough. We need to make sure that actions 
are matching and that we have not taken any tools off the 
table. We have not taken any of the tools we have, any of the 
tools I talked about in response to Senator Gardner's question, 
off the table if we find that China is not complying with the 
agreement.
    Senator Cardin. Well, I would just point out I support 
moving forward with protocols of other countries. You are 
dealing with a controlled economy. You are dealing with a 
communist country in China. And if the agreement does not 
protect our Federal workforce, then we can expect more in 
direct agreements with other countries. You do not invade the 
privacy of a workforce and call that intelligence gathering for 
your national security. That should be in the same category as 
the agreement that covers the theft of intellectual property. 
And if you are dealing with a country that has controlled 
companies, then we need to also understand that that needs to 
cover the type of activities that are being done by the Chinese 
Government.
    So I hear what you are saying. And the Federal workforce 
very much depends upon the use of technology to protect them, 
but they also expect that we are going to be raising these 
issues at the highest levels in order to protect our workforce 
because they should not be fair game in the world of cyber 
activities.
    Mr. Painter. I do not disagree. I am a member of the 
Federal workforce. So I totally agree.
    Senator Cardin. I am sure that there is an entity that now 
has all your personal information controlled by another 
country.
    Mr. Painter. I think we need to do whatever we can to 
protect that information. I do think that you have seen a lot 
of activity, and it has really been sustained activity, but 
some of the recent announcements that talk about, for instance, 
appointing a White House CISO, Chief Information Security 
Officer--we have not had that before--trying to make sure we 
have much better protections including the DHS Einstein 
System--these are all critical, and this is not easy. You 
mentioned this is not easy because it is an asymmetric often, 
and making sure that you get the protections in place--it is 
hard to protect systems. But there is a lot of work we can and 
should be doing and we are.
    Senator Cardin. I have other questions, but I will wait 
until the next round.
    Senator Gardner. Thanks, Senator Cardin.
    Just following up on the OPM question, in mid-March, 
Director Comey had a visit with some high level Chinese 
officials on further cyber crime issues, investigations. Do you 
know the subject matter of that conversation? Did it lead to 
OPM? Were there discussions about cooperation on finalizing or 
getting resolution of the OPM?
    Mr. Painter. I will defer to the FBI for any substance of 
any conversations in law enforcement channels or investigatory 
channels. So I have no real comment on that.
    Clearly one of the mechanisms that was set up was this 
mechanism that is led by the Attorney General and the Secretary 
of Homeland Security. There are a number of things that came 
out of that, including a protocol for making sure we are both 
sharing and making requests of information from each other, but 
I am not going to comment on any specific conversation that DOJ 
was involved in.
    Senator Gardner. When talking about the tools available, 
diplomatic tools, law enforcement tools, economic tools, and 
denial efforts and deterrence, the State Department is in 
communication with the Department of Defense on a number of 
these issues. Has the State Department ever denied a request by 
the Department of Defense for action in either retaliation or 
any other cyber actions that we should take?
    Mr. Painter. There are a number of ways that we talk to the 
Department of Defense, and we as a government look at all these 
various policy issues. And we have been very supportive of the 
Department of Defense's strategies for operating in cyberspace. 
They now have two of them out. I have worked with them on those 
documents. I have a call every 2 weeks with my counterpart at 
DOD, at the OSD Policy where we talk about issues that are 
coming----
    Senator Gardner. And who do you consider your counterpart 
to be?
    Mr. Painter. Aaron Hughes, who is the DASD for cyber, 
essentially for cyber over there, and before that it was Eric 
Rosenbach, who is now the Chief of Staff to the Secretary.
    So we have very close coordination.
    One of the things I do in my own Department is we have a 
monthly coordination group--in fact, we are meeting this 
afternoon--where we bring all the different agencies, including 
DOD, and all the different parts of the Department together to 
discuss our international engagement strategy. And then the 
White House holds a number of meetings at an IPC, interagency 
policy committee, level, at a CRG, which I will talk about in a 
moment, and also a deputies and principals level. So there is a 
lot of interaction.
    I am not going to comment on specific operations or how 
those various things are considered. But I think one thing we 
are doing as a government that is first--and I mentioned in our 
strategy one of the tools we have seen is DOD developing its 
capabilities, having more mission teams that are dealing with 
this. And that is important. That is one part of deterrence. It 
is one part of our approach.
    So there has been much more activity. There is much more 
unity of purpose. There is much more discussion of this. Our 
doctrine allows us to take all the different aspects into 
account, both what aspects we need to go after wrongdoers but 
also what the effects are on our foreign policy, what the 
effects are on other issues that we need to look at. Our 
policy, as I think you know, is to look at law enforcement and 
network security aspects, when we are talking about cyber 
defense, before going to other tools. Also certainly DOD is 
looking at tools in areas of hostility like ISIL. So that is 
another issue that we have been working on, but I cannot really 
get into those particular conversations.
    Senator Gardner. Without getting into the specifics of any 
kind of action, though, has the State Department said no to 
any----
    Mr. Painter. Again, I am not going to comment on the 
discussions. I think there are continuing discussions, as there 
should be, on any possible operation that we do. And that is 
the same for any of the other tools.
    Senator Gardner. Let me rephrase the question then I guess. 
Are you in a position to say no to a Department of Defense 
strategy?
    Mr. Painter. We have an interagency process. Just like DOD 
comments on our strategies and indeed commented on the strategy 
that I sent to you, we comment on strategies and things that 
they are doing as well. So it really is a whole-of-government 
process. This is not any one agency acting on their own. We are 
working as a team.
    Senator Gardner. Okay. For instance, North Korea. If the 
Department of Defense decided to take an action against North 
Korea because of a Sony attack or against Iran because of 
critical infrastructure, that discussion would go to the State 
Department. Correct?
    Mr. Painter. That discussion would involve the State 
Department, but essentially it goes to the President. The 
President is the one who makes the decisions about what tools 
we use and what kinds of tools and when we use those tools.
    Senator Gardner. Who else at the White House is involved in 
that type of a decision on----
    Mr. Painter. There is, just like there is in other areas, 
an interagency. There is a CRG, the cyber response group, of 
which State is a member. That is essentially an IPC level 
discussion. Discussions, depending on a particular topic, can 
go to a deputy's level, can go to a principal's level, and 
ultimately the President. It involves the National Security 
Advisor. It involves Lisa Monaco and others. It involves a 
range of different people as we look at all these really 
important policy issues.
    This, Senator Gardner, is something that I personally have 
seen--I have been doing various aspects for 26 years. I have 
seen a real change over the last 5 or 6 years where we do have 
a good process that comes together to make sure we are looking 
at all the different aspects of this. Now, this is not unique 
to cyber, to be sure. But I think this is one of the ways it is 
done.
    Senator Gardner. You mentioned earlier in your testimony 
that your office is the first office of its kind and that many 
other nations now--I think you said 20 other nations--are 
creating some sort of office--a similar office. During the 
discussion and debate on the National Defense Authorization 
Act, there will be an amendment to create basically a cyber 
COCOM, a COCOM level cyber command, combatant command level. Do 
you believe that we should create any higher level cyber 
department, administration? Do you believe your position within 
the State Department should be elevated to perhaps special 
envoy level, ambassador level so that we can fully focus on 
this? Because this is an issue that is gaining in strategic 
importance and is going to be with us throughout our coming 
lives. And so are we focused enough on this and elevating it 
enough to the level of importance that it deserves?
    Mr. Painter. I think we absolutely are. I report directly 
to the Secretary. I am in the Secretary's Office. The reason 
the office was created in the Secretary's Office was so that it 
could reach across the Department in really a very 
collaborative way and work with everyone from, as Senator 
Cardin was talking about, our democracy and human rights people 
on issues around Internet freedom, our Economic Bureau people 
on some of the economic and access issues and governance 
issues, our Counterterrorism Bureau and terrorist use of the 
Internet, our INL Bureau and some of the capacity building 
around law enforcement issues, AVC, arms control and 
verification.
    We set the architecture up so that we can work with all 
these groups. And, as I mentioned, our monthly coordination 
group has done that.
    I have not had any issue, I can say, in meeting with other 
counterparts around the world at any level in foreign 
ministries. I have not had any issue with our structure in 
making sure we can really aggressively go after the things we 
are trying to do. Look, I am a former prosecutor, so I am an 
impatient person as a rule. But the fact that we were able in 
the last year to do as we have done on something where just a 
year ago--just a year ago, I was sitting here and I was telling 
you about these norms of behavior. That is when they first got 
some publicity when I was telling you about it. And a year 
later, we have all this activity. That is significant. So 
neither the Department nor I personally really feel that we 
need to change it.
    What I would say is I want to make sure that whoever comes 
in in the next administration--and I think this will happen at 
both the presidential level and the secretary level--continues 
to really see this as a priority area. As a coordinator, I am 
one of the special envoys, if you will. I am one of the people 
who looks across the Department and works with the Department 
to make sure we are elevating this issue, which did not really 
even exist as an issue area 5 years ago.
    Senator Gardner. But in terms of its own bureau, you do not 
think----
    Mr. Painter. So here is the problem with its own bureau, 
and this is something that has been raised before. If you think 
about the crosscutting nature of this issue--and Senator 
Cardin, you mentioned this as well--when you are talking about 
everything from human rights and the importance of human 
rights, cybersecurity, cyber crime, international security, 
Internet governance, capacity building, if you create a bureau, 
you do two things.
    One, you stovepipe it so that other people will say, well, 
that is a boutique issue. You guys go and deal with that.
    Two, you would pull the people out of all the bureaus that 
need to do this. We are trying to mainstream this issue at the 
State Department. We are trying to make this something that is 
like every other foreign policy issue. We want people to deal 
with this in every bureau, regional bureau, and functional 
bureau. If you create a bureau, you have to pull the people 
out, and frankly they have to replicate it anyway. So that is 
not very effective.
    We have not seen that being done in other countries around 
the world. They have the same sort of coordination function 
that they pursue.
    I think that that actually is counterproductive to us 
making progress in this area because it is, by its nature, a 
distributed issue.
    I would say one other thing. To give you an example of some 
of the things we have done, we just a couple of weeks ago--and 
I think I mentioned this to you when I saw you both recently--
had a training for essentially our cyber diplomats. From over 
100 posts around the world, we brought back the folks in those 
embassies who are charged with this issue. We are looking at 
this crosscutting issue. We have told each of them in the 
embassies to build a crosscutting team, get the political cone, 
get the economic cone, get the LEGAT if there is one, get the 
defense attache, get the whole group in the embassy to have a 
mini-team on this. That is really the model we are trying to 
promote.
    Senator Gardner. Thank you.
    Senator Cardin.
    Senator Cardin. Thank you for mentioning human rights. 
Human rights, I have been told by the leaders in the Obama 
administration, is one of the Obama administration's top 
priorities for advancing not just American ideals but our 
national security because it very much affects the stability of 
regimes and prevents the voids from being created that adds to 
radicalization.
    So let me just find out from you how active you are in 
promoting human rights in our cyber strategies. We have export 
control laws that deal with our weapon systems because we 
understand that American technology should not be used against 
America's national security. So, therefore, we restrict the 
ability of manufacturers to be able to export U.S. technology. 
They have to proceed under certain procedures.
    American technology in the cyber area is the best in the 
world. What steps are we taking to make sure that American 
companies are not exporting technology in cyber that is being 
used by repressive regimes to violate the human rights of its 
citizens?
    Mr. Painter. This is an issue we are very concerned about. 
We are certainly concerned about the use of these technologies. 
But as I think you also know, they are dual-use technologies. 
We are both concerned about technologies that could be used by 
repressive regimes to monitor citizens, but we are also worried 
about tools that could be used by regimes that are not our 
friends to attack us. So we do not want to have either of those 
things happen. We want to make sure of that and we are 
committed to keeping the most dangerous cyber tools from the 
most dangerous actors.
    At the same time, we are also committed to supporting the 
ability of our businesses, our consumers, and the government to 
defend themselves from cyber threats and to promote innovation 
in cybersecurity. So we have been talking a lot to our industry 
colleagues about this issue.
    As I think you may know, there was an agreement in the so-
called Wassenaar Group to create certain controls for cyber 
technology that could either be used, as you said, by 
repressive regimes for monitoring of its citizens or to attack 
us. We are and the Department of Commerce is in particular 
looking at how can they get that implemented. We are actually 
going back to Wassenaar, which has 40 participating states, to 
talk about how those might actually apply and whether we need 
to make some changes in those controls that were agreed to.
    That is just one area of nonproliferation, but that is an 
important one. And we need to make sure that we are addressing 
this. And even as we talked at Wassenaar about making changes 
so we can promote innovation and cybersecurity while, at the 
same time, targeting the behavior you talk about, we need to do 
that in the right way.
    Whatever will happen with Wassenaar in the negotiations 
there, we also, as we implement this, need to make sure we walk 
that line in an appropriate way. And we have been talking a lot 
and Commerce has to our private sector, but we will also have 
at least another----
    Senator Cardin. You know that American companies today are 
using their technology to support repressive policies of other 
countries as a way of gaining entry into the markets of those 
countries. Are we trying to develop policies that will prevent 
the use of American technology for the repressive actions of 
regimes against its own people?
    Mr. Painter. As I said, I think the one area where we have 
done this is in this Wassenaar area, but it is a very delicate 
balance to make sure we are not stifling either innovation or 
stifling cybersecurity. That is one area.
    The other is my colleagues in DRL have been promoting--we 
have been promoting together--the idea of business 
responsibility and protection of fundamental human rights and 
how you have businesses look at that issue. And the thing that 
we have been promoting there in a couple different aspects--one 
is the Global Network Initiative, which is a group of 
businesses that looks at what the ethics are and what the rules 
are for businesses. And this is a voluntary association. A 
number of businesses are part of that.
    The other is in the context of something called the Freedom 
Online Coalition, which I think I mentioned to you last year 
Tom Malinowski and I had just gone to the meeting, and we 
support that group very much. It is going to have the next 
meeting in Costa Rica, so in our region for the first time, 
coming up this year, which is significant because getting more 
of our region as part of that, that that is important.
    I should also say that as we do these all-of-government 
dialogues that we do with multiple countries around the world 
now, human rights are always a part of that. So it is not just 
about cybersecurity. Human rights are a part of it. As we do 
capacity building, we weave that in too.
    This Freedom Online Coalition has talked about some of the 
responsibilities of businesses, some of the tension between 
security and human rights, and that is a continuing discussion.
    This is not an easy area, but we want to make sure, as I 
said, that the most dangerous tools are not given to the most 
dangerous actors while at the same time making sure we are 
protecting innovation.
    Senator Cardin. I would hope that you would be aggressive 
in developing protocols related to the use of technology, as 
well as some of the other areas that you are working on as it 
relates to protecting human rights.
    I would also hope as you look at this delicate balance--and 
it is a delicate balance. I do not deny that. But I would hope 
that you will use the same sensitivities that we use for 
military arms as we use for Internet technology so that we are 
not wrapped up in the view that the Internet is so global that 
technology development in the United States must be immediately 
made available globally when it can be used by repressive 
regimes to trample on the human rights of its citizens.
    I also think there has got to be a tradeoff with corporate 
responsibility, and there needs to be protocols which American 
businesses are prepared to adhere to and not just yield to the 
unreasonable demands of repressive regimes.
    Let me ask one more question, if I might, Mr. Chairman, and 
that is can you tell me or do you intend to clarify when an 
attack on cyber would trigger an inherent right of self-defense 
pursuant to article 51 of the U.N. Charter. When do we get to 
that point?
    Mr. Painter. So a couple things. I do not think we have 
actually defined that with exceptional clarity in the physical 
world either. And there is a reason for that. Because it is 
often dependent on the circumstances of the attack.
    However, there is nothing magic about cyber.
    Senator Cardin. When you say that--and I understand the 
sensitivities here again, but if it is not clear, then 
countries can try to test and test and test and pull us to the 
line and say they did not know that that would trigger the 
military response on self-defense. So to me clarity is 
important here.
    Mr. Painter. As I said, we do not do this in the physical 
world. There is a reason, not just the fact it is a factual 
basis. But if you create clear red lines----
    Senator Cardin. Which we do on physical invasion of a NATO 
ally. That is a clear red line.
    Mr. Painter. But in cyberspace, as you create some clear 
red lines, you give an incentive to actors to creep up to that 
red line knowing that they do not risk retaliation or do not 
risk response, and that does not create a good environment 
either. So you do need--and I think the deterrent strategy that 
was submitted by the Department of Defense recently talked 
about the need for--some strategic ambiguity here, which is 
important.
    Now, we have said--and one of the things we got agreement 
with both in the context of this recent GGE--is article 51 
actually does apply to cyberspace, and that there is activity. 
And that activity could be looked at just like you look at 
physical activity. Is it causing death and serious injury? Is 
it causing major damage? Those are the kind of factors that are 
used now to look at physical space. Use the same factors in 
cyberspace. You do not use a different set of factors. And so 
that is one of the things we are pursuing.
    And then one of the other issues is, as you know, we 
continue to make sure that cyber is part of NATO's core 
operating precepts, and we have said that article 5 in NATO 
could apply in a cyber incident. It is going to be a case-by-
case basis, but we are going to look at all those factors as 
well.
    I should also just mention, to Senator Gardner's question 
about the bureau, the issues you raise with respect to human 
rights is another reason why when my office was created, the 
point was to not just look at the security issues, but to draw 
in all these other interests and make sure that our approach 
both upheld human rights and looked at the security issues. It 
is important to have those together.
    Senator Cardin. I just would underscore this point. I do 
not follow your point on article 51, and I will say the reasons 
why.
    When you are talking about conventional threats, you know 
when those conventional threats have been initiated, and you 
know the consequences if you do not defend yourself from those 
attacks. In cyber, we are being attacked every second, and to a 
large extent, the consequences depend upon the success of the 
cyber attacks. And we may not know about the cyber attacks, as 
in the OPM hack. We did not know about it until well after they 
had penetrated and gotten the information, which puts millions 
of Americans at risk. At risk.
    I understand you want to use conventional standards for 
whether our security has been compromised from the point of 
view of public safety, et cetera. But in cyber you just do not 
have the luxury of knowing that until maybe it is too late. So, 
therefore, a country will say we will take it to the point 
until we get discovered, and then we will say, gee, we did not 
mean to do it. And therefore, there is no response under 
article 51.
    Mr. Painter. But there is no limitation that we cannot take 
a range of different actions. The whole idea of having all 
these different tools that we talked about in our toolkit is 
that we can take those actions, even if it does not reach the 
level of an article 51 armed attack. An armed attack is a 
specific term that triggers the right to self-defense in a 
particular way. And even when that threshold is reached, we 
sometimes as a country might decide not to respond.
    Senator Cardin. I understand. The military is the last 
resort always.
    Mr. Painter. Right. So we can still use all these tools we 
have.
    And I would also say there is a difference, and I think the 
DNI talked about this recently--or not that recently, but 
fairly recently. There is a difference between an attack and an 
intrusion. An attack, a destructive attack, is different than 
an intrusion and the kind of disruptive effects it has under 
international law. One of the things we have been pioneering 
this idea as part of our framework that international law 
applies in cyberspace. That was not clear a couple years ago. 
It was seen as a free fire zone. International law means there 
are rules, including the triggering of article 51, including 
proportionality and distinction when you actually have a 
shooting war. All those things are important, and we need to 
look at all the tools we have even if it is below that 
threshold.
    The idea behind the norms I talked about, not attacking the 
critical infrastructure of another country absent wartime, is 
that gives us some rules of the road even when you do not reach 
that high level because that is the activity we see every day. 
We do not see armed conflict every day. We see the theft of 
intellectual property. We see potential attacks against 
infrastructure. We see attacks against CERTs. Those are the 
rules of the road we are trying to promote so that we have 
activities we can do even below that high threshold.
    Senator Cardin. Thank you.
    Senator Gardner. Thank you, Senator Cardin.
    Mr. Painter, just to follow up on a few of those questions.
    On critical infrastructure in particular, do you think that 
Russia's attacks against Ukraine's power grid in 2015, 
December, violated its commitment to the United Nations on 
critical infrastructure?
    Mr. Painter. As I believe you know, we have not made any 
attribution of that incident. We are very concerned about that 
kind of attack and that kind of incident, and we have 
characterized that as an attack. We had an interagency group at 
DHS and DOE and others work with the Ukrainians in the 
aftermath of that. So it is something of concern.
    One of the things that we have done is--not me personally 
but our DHS colleagues--also made warnings to our own 
electrical grid and made sure that they were aware of what the 
risks were of this kind of attack. It is something we take very 
seriously.
    But we have not attributed that. I am not going to 
attribute it. I am not going to characterize what it is.
    Senator Gardner. Do you believe that Russia is still 
attempting to penetrate U.S. critical infrastructure?
    Mr. Painter. I would defer to what the DNI said in terms of 
Russia, China, Iran, and North Korea being the major threat 
actors we are seeing and that Russia has a full spectrum of 
activities. But in this setting, I will not----
    Senator Gardner. And so does that activity violate their 
commitment to the United Nations?
    Mr. Painter. Again, I am not going to characterize what 
Russia is doing in this setting. However, if there is an 
attack, our view--and it is a voluntary norm. It is a voluntary 
norm at this point, which has been agreed to. But if there is 
an attack on critical infrastructure by another country, first 
of all, we are going to take it seriously whether there is a 
norm or not. We are going to be able to use all the tools we 
have in our toolkit.
    Second, we do not want any country to do that, and it is 
exactly why we are promoting those norms around the world. If 
countries do do it, then we have to make sure we can work with 
other countries against those transgressors and also use the 
tools we have to defend ourselves.
    Senator Gardner. And so when we see penetration by Russia 
or Iran into critical infrastructure of the United States, 
whether that is an actual attack or whether that is preparing 
the battlefield, as it was characterized at one point, is that 
a violation of United Nations norms?
    Mr. Painter. I think we are certainly concerned about those 
kinds of penetrations and those intrusions, and I think, as you 
know, in the case of Iran, there was an indictment from our 
Department of Justice against an actor not just for the denial 
of service attacks that we played a role in mitigating--I 
mentioned the last time we were here the State Department 
actually worked with other countries to ask them to mitigate 
the botnets all over the world--but also into the penetration 
of the dam and the SCADA system there. Those are really 
concerning issues, and we are going to make sure that we use 
the tools we have. In this case, there has been an indictment. 
There could be other tools in the future.
    Senator Gardner. Have you witnessed a change in behavior 
from Iran toward the United States in terms of cyber activities 
against the United States since the nuclear agreement of 
October 2015? Did you anticipate a change?
    Mr. Painter. I would defer that question to the DNI who I 
think has addressed this in a more classified setting. I will 
say the DNI has continued to characterize Iran as one of the 
threat actors--Iran, North Korea, Russia, and China.
    Senator Gardner. Both before and after the nuclear 
agreement.
    Mr. Painter. I think the DNI threat assessment was 
relatively recent.
    Senator Gardner. Your response to revelations--I think it 
was in the ``New York Times''--regarding U.S. capabilities to 
significantly degrade or destroy Iran's nuclear capabilities 
before the JCPOA negotiations began. There was an article that 
talked about had they failed, there was a possible cyber 
exercise that could be taken against Iran to bring down their 
nuclear provisions. Were you a part of those discussions?
    Mr. Painter. Again, I cannot comment on any operations or 
any plans that the United States may have had in this area, 
particularly----
    Senator Gardner. Was the State Department cyber office 
involved?
    Mr. Painter. I would say more generally the State 
Department at some level was involved in all the decisions 
involving the use of cyber capabilities.
    Senator Gardner. Was the office of cyber----
    Mr. Painter. Again, I cannot really get into that in this--

    Senator Gardner [continuing]. Because I just want to know 
whether or not you were a part of any discussions.
    Mr. Painter [continuing]. Either our office or the State 
Department as a whole, depending on what the particular issue 
is, is involved in these discussions, as a policy matter all 
the time. And again, I cannot comment on that particular issue.
    Senator Gardner. And I am not trying to get you to give me 
any details of it, but I just want to make sure that I 
understand.
    Mr. Painter. I am not going to even comment on whether that 
was actually a fact or whether that was being considered. I am 
not going to comment on that.
    However, what I would say is the State Department is 
involved in discussions with respect to really all the tools we 
use as part of the interagency discussion. And one of the 
changes that I mentioned before is that I would say several 
years ago, the State Department had much more of a minor 
involvement in a lot the discussions, and now I think the 
discussions are--the State Department is one of the key 
players, as we discuss any of these issues.
    Senator Gardner. The cyber agreement that Senator Cardin 
spoke of earlier--how involved was the State Department in 
drafting that or your office in drafting the cyber agreement?
    Mr. Painter. You mean with----
    Senator Gardner. The Chinese.
    Mr. Painter [continuing]. Very, very involved. I think as 
you know, President Xi sent out his special envoy Meng Jianzhu 
to the United States about 10 days before the official visit. 
There were a number of meetings which I personally participated 
in and a meeting also that Secretary Kerry participated in. So 
we were very involved in that. And we were involved in the all-
night negotiations that led to that agreement, and I personally 
was. So we were very involved in that.
    Senator Gardner. Senator Cardin?
    The final questions I have--I know we are going to be 
voting here soon. Just in terms of China's activities, you 
mentioned it is premature to comment on whether the agreement 
has actually deterred the collection of commercial information 
for gain of its own commercial sector. We talked about Russia's 
possibility of attacks against Ukraine, whether or not that 
violates the agreements of the United Nations. We talked about 
Iran's activities and identifying China, Russia, Iran as 
ongoing challenges for the United States in cyber.
    Is it time for a new framework of negotiation? We know 
Russia and China will not agree on what we believe should be 
secure cyberspace, open, free Internet. Is it time that we move 
forward with likeminded nations, the Five Eyes or the Ottawa 
Group, that we move forward in our own ideas with our own 
nations to create a block of interested parties that can then 
use that as leverage against others who simply are not going to 
behave the way they should----
    Mr. Painter. Well, that is precisely what we are doing with 
these norms. Even though it is important to get China and 
Russia to agree to it as key countries--and that is what we 
have been doing--we have been trying to expand the likeminded 
tent, certainly with our Five Eyes allies but also with the EU 
and other countries in Europe, with countries in our own 
region. The whole idea of this expansion--and I mentioned one 
of the other things that has happened in the last year is that 
the President in almost every meeting with a foreign leader and 
every summit or when we have high level meetings with other 
governments on a diplomatic level has raised this issue of the 
importance of norms in cyberspace, the importance of this 
international security framework. To give you an example, 
Japan, India, China, Pakistan, the East Asian Summit, U.S.-EU 
at my level, Australia, ASEAN, the G7 Foreign Ministers 
meeting, and the GCC have all had statements. And most 
recently, just a couple weeks ago when the Nordic leaders were 
all here, there was a statement about cyber norms in there. So 
that is important to continue to advance that framework.
    That is different than trying to have a cyber treaty. I 
think one of the concerns we have about the cyber treaty is 
that it is often advocated by the Chinese and Russians to try 
to control cyber weapons, as they say, but really they are 
trying to control--and this goes to Senator Cardin's point--
they are trying to control information. They view information 
as destabilizing, and they talk about information security. 
That is not a productive path for us.
    That is why the path that we have chosen, which I think is 
the most productive, is to promote how international law 
applies, norms in cyberspace, and confidence building measures 
among our likeminded, but make the likeminded tent bigger. That 
means working with the developing world as well, and a lot of 
the capacity building efforts are aimed that way.
    Senator Gardner. But do those agreements--I mean, that 
obviously does not include Russia or China.
    Mr. Painter. Well, Russia and China have signed up to the 
agreements within the GGE, and they will be part of the----
    Senator Gardner. They continue to violate----
    Mr. Painter. They continue to pose concerns, but so do 
other countries and other actors, including criminal and other 
actors, transnational organized groups around the world. So we 
need to promote and create expectations of what these 
agreements mean and what consequences there will be. That is 
part of the long-term effort, Senator. This is not an overnight 
development.
    Senator Gardner. So the model of likeminded nations, 
though, if we were to enter into some kind of agreement on this 
universal agreement areas--I mean, excluding them because 
obviously they are not going to----
    Mr. Painter. I think it is important we are trying to 
promote international cyber stability. The reason I think there 
has been uptake on these norms is that Russia and China do not 
want their critical infrastructures attacked either. We want 
the widest possible group that is agreeing to those. And then 
we want to be able to act collectively against transgressors. 
We are not there yet. We have made tremendous progress in the 
last year, but as you know, part of our strategy going forward 
is getting more and more countries to sign up to it. For China 
to do some written agreement I just think is premature in this 
area. There is too much more we need to do to understand what 
the expectations are even with our close allies, and we are 
continuing to do that.
    Senator Gardner. But it is clear that--I mean, you would 
agree that neither China nor Russia has lived up to their 
agreements.
    Mr. Painter. I would not say that. I would say this 
framework--international law, the norms in cyberspace, and 
confidence building measures--is increasing and will increase 
international stability. Yes, there will continue to be threat 
actors out there. Yes, countries around the world will continue 
to gather intelligence as countries have since the beginning of 
time. We need to do a better job and so do other countries in 
protecting ourselves against it. But China took off--the most 
destabilizing contact off the table and have mechanisms to 
discuss and raise with them--that is what the confidence 
building measures are about--are part of that way of addressing 
that.
    Then, frankly, the backup to this is all the tools I talked 
about before. If countries are not abiding by that, to use all 
the tools, including diplomatic, which is my area, but also our 
law enforcement tools, our trade tools, the range of tools we 
have. We need to be ready and willing and continue to use 
those.
    Senator Gardner. Does the range of tools include things 
like the strategy to ban cyber weapons similar to like an NPT 
kind of thing?
    Mr. Painter. Again, I do not know what a cyber weapon is. I 
think that the problem is we look at effects.
    Senator Gardner. But it is important that we do know what a 
cyber weapon is because that means----
    Mr. Painter. Well, no.
    Senator Gardner [continuing]. Because different triggers 
under article 51 and others.
    Mr. Painter. But no. A cyber weapon can be dual-use, and 
that is particularly true in the cyber arena. What we focused 
on, instead of cyber weapons, is we looked at effects. If you 
look at the norms we are talking about, it is what effects will 
they have, you know, attacking critical infrastructure. What is 
the endpoint, not what tool do you use, whether that is a dual-
use tool or not. And so trying to restrict a quote/unquote 
cyber weapon I think, first of all, with changing technology is 
not going to work. And secondly, I think it would have an 
effect in terms of the dual-use technologies that are used to 
protect us.
    Senator Gardner. Is there any dual-use for malware or 
ransomware?
    Mr. Painter. I think researchers will tell you that they 
use malware and antivirus companies and others to try to 
protect our systems and better understand the threats that are 
out there.
    Senator Gardner. It is sort of a Good Samaritan approach. 
Correct?
    Mr. Painter. Well, I think you have to be careful in terms 
of what you are actually trying to control. This is exactly the 
issue that we have raised that we have run up into in the 
Wassenaar arrangement where we are trying to make sure we walk 
that balance where we are prohibiting governments from getting 
really bad tools that we do not want them to have, but at the 
same time, we are not inadvertently or advertently actually 
affecting industry's ability to protect itself with new and 
innovative tools.
    Senator Gardner. So you do not anticipate any kind of like 
a weapons of mass destruction type ban when it comes to cyber 
because you are concerned that we cannot define what a cyber 
weapon is.
    Mr. Painter. What I would say, Senator, is I think the 
correct course is for us and not just our allies, but as large 
a community as we can muster, to pursue this idea of what 
effects we are trying to control, what are the rules of the 
road, what are the norms that we want, how does international 
law apply, how do we communicate with each other--and there has 
been a lot of good work there too--to make sure we have a long-
term, stable environment in cyberspace. That is what we need to 
do. That is, I think, a more effective route especially now.
    We are still in the beginning of this conversation. Yes, we 
had lots of progress since I talked to you last year, but you 
compare this to nuclear or others, we are really in the infancy 
of a lot of these conversations.
    So I think that the path we are on is exactly the right 
path to raise awareness about these issues and what the threats 
are and to talk about what things that we are not going to do 
and we do not think anyone should do. I think that is more 
effective than going to some treaty.
    Senator Gardner. Final question. Senator Cardin, did you 
have anything that you wanted to ask?
    Senator Cardin. I am fine. Again, I thank Mr. Painter.
    Senator Gardner. Just one question. I mean, is there a 
discussion amongst nations to try to define what a cyber weapon 
is?
    Mr. Painter. I think there have been discussions in the 
past and it has always run into some of the problems that I 
mentioned. With dual-use technology and new sorts of attacks 
and new technologies in place, it is difficult to say what a 
``cyber weapon'' is, and I think more and more countries are 
looking at what are the effects we are trying to prohibit.
    Senator Gardner. But if we had some kind of an agreement 
amongst nations of what a cyber weapon is and defining they are 
dual-use but when used a certain way as a weapon, would that 
not help?
    Mr. Painter. Again, I think it runs into all the problems 
that I just mentioned. It runs into all the problems in terms 
of how do you define it and that does cover inadvertently 
things that you need for research, things that you need to 
actually protect ourselves from some of the computer security 
companies. Again, I think the most effective way to address 
this is to go after what effects we are looking at, make sure 
that there are some clear understandings of what effects that 
we do not think countries should do, and that there are 
consequences for those effects.
    Senator Gardner. We have agreements on radioisotopes and 
other things that are dual-use. Why can we not do it with 
cyber?
    Mr. Painter. I think it is much more complicated in this 
area than that. I think that these--first of all, radioisotopes 
are radioisotopes. These kinds of tools will continue to evolve 
and change and have different uses. So I do not think we can 
really freeze this in place.
    Senator Gardner. Thank you.
    Senator Cardin, if no further questions, I want to thank 
you, Mr. Painter. I believe the vote has started. So thanks to 
everyone for attending today's hearing and to Mr. Painter for 
providing us with your testimony.
    For the information of the members of the committee, the 
record will remain open until the close of business Friday, 
including for members to submit questions for the record. Mr. 
Painter, we would ask that you please promptly reply to any 
questions for the record as soon as possible, and they will be 
made a part of the record.
    With the thanks of the committee, this hearing is now 
adjourned.
    [Whereupon, at 11:10 a.m., the hearing was adjourned.]



                                  [all]