[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

[H.A.S.C. No. 115-8]

CYBER WARFARE IN THE 21ST CENTURY: THREATS, CHALLENGES, AND OPPORTUNITIES

COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

HEARING HELD MARCH 1, 2017

COMMITTEE ON ARMED SERVICES
One Hundred Fifteenth Congress

WILLIAM M. ``MAC'' THORNBERRY, Texas, Chairman

WALTER B. JONES, North Carolina    ADAM SMITH, Washington
JOE WILSON, South Carolina         ROBERT A. BRADY, Pennsylvania
FRANK A. LoBIONDO, New Jersey      SUSAN A. DAVIS, California
ROB BISHOP, Utah                   JAMES R. LANGEVIN, Rhode Island
MICHAEL R. TURNER, Ohio            RICK LARSEN, Washington
MIKE ROGERS, Alabama               JIM COOPER, Tennessee
TRENT FRANKS, Arizona              MADELEINE Z. BORDALLO, Guam
BILL SHUSTER, Pennsylvania         JOE COURTNEY, Connecticut
K. MICHAEL CONAWAY, Texas          NIKI TSONGAS, Massachusetts
DOUG LAMBORN, Colorado             JOHN GARAMENDI, California
ROBERT J. WITTMAN, Virginia        JACKIE SPEIER, California
DUNCAN HUNTER, California          MARC A. VEASEY, Texas
MIKE COFFMAN, Colorado             TULSI GABBARD, Hawaii
VICKY HARTZLER, Missouri           BETO O'ROURKE, Texas
AUSTIN SCOTT, Georgia              DONALD NORCROSS, New Jersey
MO BROOKS, Alabama                 RUBEN GALLEGO, Arizona
PAUL COOK, California              SETH MOULTON, Massachusetts
JIM BRIDENSTINE, Oklahoma          COLLEEN HANABUSA, Hawaii
BRAD R. WENSTRUP, Ohio             CAROL SHEA-PORTER, New Hampshire
BRADLEY BYRNE, Alabama             JACKY ROSEN, Nevada
SAM GRAVES, Missouri               A. DONALD McEACHIN, Virginia
ELISE M. STEFANIK, New York        SALUD O. CARBAJAL, California
MARTHA McSALLY, Arizona            ANTHONY G. BROWN, Maryland
STEPHEN KNIGHT, California         STEPHANIE N. MURPHY, Florida
STEVE RUSSELL, Oklahoma            RO KHANNA, California
SCOTT DesJARLAIS, Tennessee        TOM O'HALLERAN, Arizona
RALPH LEE ABRAHAM, Louisiana       THOMAS R. SUOZZI, New York
TRENT KELLY, Mississippi           (Vacancy)
MIKE GALLAGHER, Wisconsin
MATT GAETZ, Florida
DON BACON, Nebraska
JIM BANKS, Indiana
LIZ CHENEY, Wyoming

Robert L. Simmons II, Staff Director
Kevin Gates, Professional Staff Member
Lindsay Kavanaugh, Professional Staff Member
Neve Schadler, Clerk

C O N T E N T S

STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Smith, Hon. Adam, a Representative from Washington, Ranking Member, Committee on Armed Services
Thornberry, Hon. William M. ``Mac,'' a Representative from Texas, Chairman, Committee on Armed Services

WITNESSES

Healey, Jason, Nonresident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council
Libicki, Martin C., Professor, U.S. Naval Academy, and Adjunct Management Scientist, RAND Corporation
Singer, Peter, Strategist and Senior Fellow, New America Foundation

APPENDIX

Prepared Statements:
    Healey, Jason
    Libicki, Martin C.
    Singer, Peter
Documents Submitted for the Record:
    [There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
    [There were no Questions submitted during the hearing.]
Questions Submitted by Members Post Hearing:
    Mr. Franks
    Ms. Hanabusa
    Ms. Rosen

CYBER WARFARE IN THE 21ST CENTURY: THREATS, CHALLENGES, AND OPPORTUNITIES

House of Representatives,
Committee on Armed Services,
Washington, DC, Wednesday, March 1, 2017.

The committee met, pursuant to call, at 10:03 a.m., in room 2118, Rayburn House Office Building, Hon. William M. ``Mac'' Thornberry (chairman of the committee) presiding.

OPENING STATEMENT OF HON. WILLIAM M. ``MAC'' THORNBERRY, A REPRESENTATIVE FROM TEXAS, CHAIRMAN, COMMITTEE ON ARMED SERVICES

The Chairman.
The committee will come to order. The committee meets today to explore ``Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities.'' Needless to say, it is a big complex topic that is at the heart of much of American national security today and will be even more so in the future.

One of those internet quotes attributed to Albert Einstein says: Given one hour to save the planet, I would spend 55 minutes understanding the problem and 5 minutes resolving it. Well, whether Einstein really said something like that or not, I think the point rings true that much of our challenge in cyber is understanding the problem.

As we have seen in recent years, cyber is being used by both nation-states and nonstate actors in ways that challenge our traditional notions of what is war. It is being used to destroy, to steal, and to influence. Cyber is a domain of warfare in itself, but its technologies also undergird most all of our defense efforts. It helps make us the strongest military in the world, and it also presents a vulnerability, which adversaries are looking to exploit. And what is true for our military is also true for our society. Those technologies offer great opportunity but are also a vulnerability that must be defended. And when it comes to things that must be defended, we often turn to the United States military.

I am very grateful to all the members who came back to Washington early this week to spend our yearly retreat at Fort Meade focusing on this issue. Our witnesses today will also help us advance our thinking and hopefully help lead us to find the right questions so that we can work together to find the right answers.

I would yield to the ranking member for any comments he would like to make.

STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM WASHINGTON, RANKING MEMBER, COMMITTEE ON ARMED SERVICES

Mr. Smith. Thank you, Mr. Chairman.
I appreciate you holding this hearing on this very important topic, and it is one that I guess we are probably going to spend more than 55 minutes trying to figure out the problem, unfortunately. It is very complicated.

You know, the first thing we have to figure out is how, you know, best and better to protect our networks, both within government and those private sector groups that we come into contact with the government. We have that problem on the Armed Services Committee with a lot of the defense contractors that have sensitive information within their cyber domain that we have to figure out how to protect. And we still don't really have a comprehensive strategy for how to do that. That is part of the problem.

And the other part is, as cyber is increasingly used for active warfare, what is our policy on that? If we are attacked through cyber, what is an appropriate response? We saw that with the Russian attacks on the DNC [Democratic National Committee]. You know, the President responded. It took a long time because we really don't have a set policy on what is a proportional and appropriate response to a given cyber attack, which we need to figure out.

And then, lastly, how do we use it as an offensive weapon? Certainly our enemies are using it. ISIS [Islamic State of Iraq and Syria] is using it very effectively to spread their message and recruit. You know, and we have seen Russia use it in a variety of different formats. We have suspicions of others using it as well. What should we do, from an offensive standpoint, to use cyber to cause problems for our enemies and advance our interests?

So those are the three questions I am most interested in learning more about. I apologize; I actually have to leave early from this hearing. But certainly I will study the remarks of our witnesses, and I know the panel will benefit from the discussion. I thank the chairman for holding this hearing, and I yield back.

The Chairman. I thank the gentleman.
Again, let me thank each of our witnesses for taking the time to be here. We have Dr. Peter Singer, strategist and senior fellow at New America Foundation, among other things, author of ``Wired for War'' and ``Ghost Fleet''; Dr. Martin Libicki, professor at the U.S. Naval Academy and adjunct management scientist at the RAND Corporation; and Mr. Jay Healey, nonresident senior fellow for the Cyber Statecraft Initiative at the Atlantic Council.

Thank you all for being here. Without objection, your full written statement will be made part of the record, and we would be pleased to hear any oral comments you would like to make at this point. Dr. Singer, we will start with you.

STATEMENT OF PETER SINGER, STRATEGIST AND SENIOR FELLOW, NEW AMERICA FOUNDATION

Dr. Singer. Chairman Thornberry and Ranking Member Smith, members of the committee, it is an honor to speak at this important discussion today designed to reboot the cybersecurity conversation. It is all the more needed as the United States was recently the victim of what was arguably the most important cyber attack campaign in history.

Hackers reported as working on behalf of the Russian Government have attacked a wide variety of American citizens and institutions. They include political organizations of both parties, the Republican National Committee and the Democratic National Committee, as well as prominent Democrat and Republican leaders, as well as civil society groups like various American universities and academic research programs. These attacks started years back, but it continued after the 2016 election. They have been reported as hitting clearly government sites, like the Pentagon's email system, as well as clearly private networks, like U.S. banks.
They have also been reported as targeting a wide variety of American allies ranging from government, military, and civilian targets, and states that range from Norway to the United Kingdom, as well as now trying to influence upcoming elections in Germany, France, and the Netherlands.

While Vladimir Putin has denied the existence of this campaign, its activities have been identified by groups that include all the different agencies of the U.S. intelligence community, the FBI [Federal Bureau of Investigation], and in statements by both the prior and present U.S. President. This campaign has also been well-established by the marketplace. Five different well-regarded cybersecurity firms have identified it.

This campaign is not a cyber war of the kind that is often envisioned with power grids going down and fiery cyber Pearl Harbors. Instead, it is a competition more akin to the Cold War's predigital battles that crossed influence operations with espionage and subversion.

However, while Russia's attacks are the most notable events in cybersecurity in the last year, unlike in the Cold War, our strategy must recognize they are only one aspect of a larger threat landscape. In cyberspace, the malevolent actors presently engaged in attacks on U.S. persons and institutions range from criminals who are stealing personal information or holding ransom valuable corporate data--although here too there is a prominent Russian link with reportedly 75 percent of ransomware coming from Russian-speaking parts of the online criminal underground--to governments, like China, which have been accused of large-scale intellectual property theft, as well as breaking into government databases like the OPM [Office of Personnel Management] in the cyber version of traditional espionage.
And, finally, our strategy must face that all of this ongoing activity must account for the risk of an actual cyber war, the activities that would occur in outright conflict, including cyber attacks to cause physical damage.

So what can be done to defend America in this challenging realm? In my written testimony, I submitted a series of 30 actions that can be taken by the Congress to raise cybersecurity. Notably, in reflecting the nature of this nonpartisan realm, the overall strategy in each of the proposed 30 measures are designed to be amenable to and implementable by the leaders of both parties. I have submitted this strategy for the record, which I hope will be a useful resource to you and your staff in your important work ahead. Rather than restating in detail, I would note that it involves three core elements.

First, activities that can be taken to restore deterrence, from making key new investments in training, cutting-edge technology like artificial intelligence [AI], and organizational changes in our Defense Department approach, including disentangling CYBERCOM [Cyber Command] and the NSA [National Security Agency], to utilizing all our tools of power to better influence current and future adversary thinking in the wake of Russia's attack, most especially by turning sanctions into law and strengthening them.

Second, actions to raise resilience, our ability to shake off attacks and thus create what is known as deterrence by denial, where we are not only better protected but adversaries gain less and are thus less incentivized to attack. Importantly, a strategic effort to raise U.S. resilience would be a useful investment against any type of attack or attacker. The steps that can be taken by Congress here range from measures to better utilize Pentagon buying power to oversight on the implementation of industry best practices in the government.
They also include innovative means to deal with our cybersecurity human resource challenge, from supporting better pipelines into government and the military and better organizing the wealth of talent that lies outside of government in the military and Reserves, such as through the creation of a program akin to Estonia's world-respected approaches to societal resilience.

The final tract looks at the broader challenge we face in a world of social media and online influence operations. Here, too, there are a range of suggested congressional actions, including enhancing cybersecurity information sharing among likely U.S. political targets, raising the ability of the U.S. military to better utilize social media and integrate it into our own training environments, and supporting the recreation of the Active Measures Working Group, an interagency Cold War program designed to debunk foreign propaganda and limit the impact of lies spread by what the Soviets aptly called ``useful idiots.''

In conclusion, we must recognize that, for as long as we use the internet, adversaries like Putin's Russia and many others will seek to exploit this technology and our dependence on it in realms that range from politics to business to warfare itself. In response, the United States can build a new set of approaches to deliver true cybersecurity, aiming to better protect ourselves while reshaping adversary attitudes and options, or we can continue to be a victim. Thank you.

[The prepared statement of Dr. Singer can be found in the Appendix on page 47.]

The Chairman. Thank you. Dr. Libicki.

STATEMENT OF MARTIN C. LIBICKI, PROFESSOR, U.S. NAVAL ACADEMY, AND ADJUNCT MANAGEMENT SCIENTIST, RAND CORPORATION

Dr. Libicki. Good morning, Chairman Thornberry, Ranking Member Smith, and the distinguished members of the committee. My name is Martin Libicki, the Maryellen and Richard Keyser Chair of Cybersecurity Studies at the Naval Academy and an adjunct at RAND. The views expressed are my own.
Two years ago, Admiral Rogers asked Congress to support an increase in his ability to carry out cyber attacks so that the United States could deter cyber attacks on it, but would strength alone suffice? Our deterrence capability has at least four prerequisites. First, we must be able to attribute cyber attacks in order to punish the correct party and convince others that we are acting justifiably. Second, we must communicate our thresholds. What actions will lead to reprisals? Third, we need credibility so that others believe that punishment will in fact follow crossing such thresholds. Fourth, we need the capability to carry out reprisals.

Of the four prerequisites, it is U.S. capability that is least in doubt. Any country credited with Stuxnet and the operations that Snowden leaked has demonstrated an impressive capability. It is the other three prerequisites that need attention.

Attribution, to be fair, has improved considerably over the past 10 years, but the same cannot always be said about the U.S. ability or willingness to prove that its attribution is correct. After the Sony attack, the FBI's public statement devoted just 140 words to justifying its attribution, and the public case that Russia carried out the DNC hack is even more problematic.

Credibility remains an issue. Although the United States did retaliate against North Korea for the Sony attack and Russia for the DNC hack, the reprisals that have been made public, mostly sanctions, were not the sort that would induce fear in others.

That leaves the issue of thresholds, which gets the least attention. What cyber attacks merit cranking up the machinery of U.S. retaliation for and thereby potentially altering the U.S. relationship with another country, especially when cyber attacks can vary so much from a momentary network disruption to a major catastrophe? Not everything that we might call a cyber attack is actionable. By contrast, even the smallest nuclear weapon on U.S. soil was obviously actionable. Finding a tractable threshold is not a problem easily solved.

So let's consider some candidates. Should something be actionable if it violates the Computer Fraud and Abuse Act? Well, there are three problems. First, using a national law as an international red line sets a precedent easily abused by countries that, for instance, criminalize free speech. Second, this act is violated literally on millions of occasions, pretty much every time a computer is turned into a zombie. Third, such a law makes cyber espionage an actionable act, but this is something that the United States carries out all the time.

Well, is something actionable, as one Assistant Secretary of Defense argued, if it is among the top 2 percent of all attacks? Here the problem is that cyber attacks have no minimum. So it is very difficult to define the set and, thus, very difficult to define 2 percent of the set.

Okay. Should everything that affects the U.S. critical infrastructure be actionable? Supposedly we know what is and is not part of the U.S. critical infrastructure. But then we have attacks that make us change our mind. For instance, a number of folks said the attack on Sony was an attack on the critical infrastructure, and after the attack on the DNC, we reconsidered the election--the voting machinery in this country, and we reclassified it as part of the critical infrastructure.

Well, do the laws of armed conflict, or LOAC, provide a good dividing line? Well, unfortunately, LOAC kicks in only when something is broken or someone is hurt, and in cyberspace, damage has occurred twice and death not at all. An attack that bankrupts a firm, by contrast, would not be actionable by LOAC. Worse, LOAC fosters the notion that a cyber attack, like a physical attack, is unacceptable behavior for countries, while cyber espionage, like traditional espionage, is something countries do.

But the United States does not accept all cyber espionage.
It successfully pressed China to stop its economic cyber espionage. If the data taken from OPM had been sold into the black markets, the United States would doubtlessly have raised very strong objection to China, and the DNC hack was actually cyber espionage. If the Russians had taken what they took in-house rather than post it online, there likely would have been no U.S. response.

My bottom line is this: deterrence introduces multiple issues that need far more careful attention than they have received to date. Being strong is necessary, but it is not sufficient, and until we have a firmer basis for setting thresholds, we may have to limit reprisals to obviously actionable attacks while using the less obvious ones as markers for what we would react to next time.

I appreciate the opportunity to discuss this important topic, and I look forward to your questions.

[The prepared statement of Dr. Libicki can be found in the Appendix on page 60.]

The Chairman. Thank you. Mr. Healey.

STATEMENT OF JASON HEALEY, NONRESIDENT SENIOR FELLOW, CYBER STATECRAFT INITIATIVE, ATLANTIC COUNCIL

Mr. Healey. Good morning, Chairman Thornberry, Ranking Member Smith, distinguished members of the committee. I am really humbled to be in front of you today. I will jump right to the heart of my comments on cyber conflict where several issues stand out.

First, what isn't a problem? Attribution, as my colleagues have pointed out, is not nearly the challenge that it used to be, as analysts at private sector companies and the U.S. Government have made tremendous gains determining which nations are behind cyber attacks.

Second, what is different in cyber compared to conventional conflict? I believe it is not hazy borders or operating at network speeds or the other things that you might have heard that is most different, but in fact the role of the private sector. America's cyber power is not at Fort Meade. No, the center of U.S. cyber power is instead in Silicon Valley, in Route 128 in Boston, at Redmond, Washington, and in all of your districts where Americans are creating and maintaining cyberspace and can bend it if they need to.

Third, what didn't we see coming? In the wake of the 1991 Gulf War, we in the military were eager to study information operations, including propaganda and influence, which are now some of our adversaries' primary weapons against us. Yet, in the time since, we have become so enamored of the cyber, we have forgotten critical lessons of information operations from that time.

Fourth, what might we have most wrong? Simply, deterrence and coercion. Previous testimony to this House made it clear there was an electronic Pearl Harbor waiting to happen. Well, that was in June 1991. So we have been fretting about an electronic Pearl Harbor for 25 of the 75 years since the actual Pearl Harbor. Cyber deterrence above the threshold of death and destruction not just is working but works pretty much like traditional deterrence.

Where deterrence is not working, of course, is in the gray area between peace and war, where all major cyber powers are enjoying a free-for-all. We should not kid ourselves. In that gray zone, the United States is throwing as well as taking punches, and deterrence works very differently if your adversary is certain they are striking back, not first. In fact, I believe cyber may be the most escalatory kind of conflict we have ever encountered. Because of this, any exercise in cyber deterrence must be thought of as an experiment. Some of our experiments will work; some won't. So we must be cautious, attentive to the evidence, and willing to learn.

So my first recommendation is that a new set of cyber influence teams might quickly be trained and folded into the Cyber Mission Force at Fort Meade working alongside cyber and area studies experts there.

Second, I continue to advocate splitting the leadership of NSA and Cyber Command.
Imagine if the Commander of U.S. Pacific Command were the leading source of information on the China military threat, negotiated with U.S. companies dealing with China, ran the best funded China-oriented bureaucracies, was involved in intelligence operations and military planning against China, and could decide what information on China was classified or not. Sometimes two heads and two hats are more American than one.

Third, the best use of government resources is to reinforce those doing the best work already. Our critical infrastructure companies are on the front lines and, together with major vendors and cybersecurity companies, have far more defensive capabilities than our military. Grants to the nonprofit associations that are knitting these operations together can give massive bang for the buck.

Lastly, I would like to leave you with a question to consider asking others in testimony in the future: What do you believe will be the dominant form of cyber conflict in 10 years? The Pentagon seems to have a healthy set of cyber requirements but not many views of what cyber conflict might be like as they do in the land, sea, air, or space. For example, I am sure the chief of staff of the Air Force can give you many reasons on why he sees future air conflict and why a long-range strike bomber is the answer to succeeding in many of those kinds of conflicts. What do we think the future of cyber conflict might be like that will justify the requirements that the Pentagon is asking for?

In closing, I would like to mention that on 16 and 17 March, 48 student teams, including from many of your districts or your alma mater, including the Air Force Academy, Brown, and the Universities of South Alabama and Maryland, College Park, will compete in the Cyber 9/12 Student Challenge. This competition prepares students to tackle exactly the same sort of challenges about which my colleagues and I are testifying before you today.
If you or your staff are available to observe, judge, or provide remarks, the student teams would greatly benefit. Thank you for your time.

[The prepared statement of Mr. Healey can be found in the Appendix on page 71.]

The Chairman. Thank you. As we notified all members, Mr. Smith and I agreed that, for the purpose of this hearing, we would start out by going in reverse seniority order for those members who were here at the time of the gavel and then go in order that members entered the room, like we usually do. I also want to remind members that this afternoon the Emerging Threats and Capabilities Subcommittee is holding a classified quarterly update on cyber operations to which all members of the committee are invited. And at this point, I would like to yield my 5 minutes to the chair of that subcommittee, Ms. Stefanik.

Ms. Stefanik. Thank you, Mr. Chairman. I have two questions. The first is broad. What aspects of the previous administration's cyber policy should we keep and what should we rethink? I will start with Mr. Healey and move down the line.

Mr. Healey. Thank you very much, Chairwoman, Ms. Stefanik. The previous administration got a lot of runs across the plate, but they weren't really swinging for the fence. So they had a lot of small--they were playing small ball. And so there weren't that many things that really angered me that much about what they did.

One that I think we should absolutely keep, because I think the private sector should be the supported command, not the supporting command, I am a big fan of the work that they had done on the vulnerabilities equities process. This is the process by which if the U.S. Government discovers vulnerabilities, especially in U.S. IT [information technology] products, that the default is to tell the vendors on that, and if they keep it, for example, at Fort Meade, that they have a risk-mitigation strategy so that, if it does become public, that they can respond most quickly.
The work that they did on that was very important. That actually dates back to CNCI [Comprehensive National Cybersecurity Initiative] in the previous administration, but I think that is certainly worth keeping.

To change: I certainly hope that the U.S. Government can do better on its own cybersecurity systems. It looks like the new administration might be doing better on this with more of a role for the Office of Management and Budget as well as more shared services, that is, more cloud. I also think we can do more within the Department of Defense [DOD] for accountability. My experience in the private sector, especially working for banks, was that they had much more control over what was added to their networks and who could do what than even the Department of Defense does, which was a surprise to me considering how much we think of command and control and leadership within the Department of Defense. Thank you.

Ms. Stefanik. Thank you. Dr. Libicki.

Dr. Libicki. I believe the administration made a lot of good investment in defensive, in defending networks, and I think that is a trend that should continue. Details, I suppose, we can discuss, but I think the general trend toward putting most of your eggs in the defensive basket is a good one.

In the realm of what I would do different. If you are going to talk up an attack as something that is unacceptable, then you need better attribution, public attribution case, and you need to hit back more strongly. Conversely, if you are not prepared to hit back strongly and you are not prepared to make a good attribution case, maybe you shouldn't make so big a deal of the cyber attack.

Ms. Stefanik. Dr. Singer.

Dr. Singer. I echo what was just previously said and add a couple of things. Towards the end of the Obama administration, in the wake of the OPM breach, it put together a series of essentially best practices from the private sector that could be mined for implementation into government.
I see those as a key oversight area for Congress and essentially seeing if they are being implemented or not. And, again, I think they are bipartisan in that they are pulling from the private sector.

Similarly, in the very last weeks of the transition, there was a bipartisan commission of experts, cybersecurity experts, that issued a report of what could be done to aid government in this realm. It was lost in the little bit of the conversation. Here too, bipartisan recommendations, implementing those would be a good area.

Finally, the administration created a cybersecurity human resources strategy. This space is not merely about zeros and ones. It is a people problem, and there are all sorts of areas there, and I would look to that and see, is this being implemented or not? It also points to, at least so far in the drafts of the Trump administration's executive orders, human resources hasn't been mentioned. So I would be focusing on that.

In areas of what they can do, what they don't do, there is a wide variety of them that have been mentioned. Whether it is sanctions to--we have done well at pulling in the National Guard as a way of tapping broader societal resource, but that is only limited to what is already in the military. I would look to the Estonian model or, in essence, the cybersecurity version of the Civil Air Patrol as a way of pulling in broader civilian talent that isn't either able or willing to serve in the military or Guard and Reserves.

Ms. Stefanik. Thank you, Dr. Singer. So my final more specific question: Mr. Healey, in your written testimony, you discuss how our adversaries are using cyber capabilities as part of a larger strategic and orchestrated influence operations, form of information warfare. The most recent examples are the North Korean hack of Sony, the Russia hack of the DNC, and even 2008, the Chinese hack of both the Obama and McCain campaigns.
In addition to your suggestion to create cyber influence teams with our cyber forces, what more can we do to counter the strategic influence campaigns that are so successfully being waged by Russia, China, North Korea, and Iran?

Mr. Healey. Such an important question. Thank you very much. I agree with Dr. Singer on returning to the Active Measures Working Group, which I think is an important step. I think we can start refunding some of those information operations projects that we had done in the 1990s, for example, in [Operation] Allied Force where we had done a lot against Slobodan Milosevic. There had been a lot done in the military professional universities, especially places like National Defense University and the doctrine centers where hopefully some of those people still reside and we might be able to build back some capability quickly.

It also--we obviously need to do this whole-of-government because this clearly isn't a Department of Defense response. It has helped me to think about--you know, we have incidents of national significance to respond to terrorist attacks. We have cyber incidents of national significance, but neither of these fit here. It has helped me to think about an information incident of national significance and think, who would we bring to the table? What agencies would we bring to the table to respond to an information incident of national significance? I am not convinced that we should create such a concept because there is something that strikes me a bit un-American about how we might use that if there is information we didn't like, but it certainly helped me think about how we might improve our interagency response against such actions. Thank you.

Ms. Stefanik. Thank you, Mr. Healey. I am over my time.

The Chairman. Mrs. Murphy.

Mrs. Murphy. Thank you, gentlemen, for being here and for your testimony as well as the Q&A [question and answer].
I represent a district in central Florida that is home to the Nation's largest modeling, simulation, and training industry cluster, which includes a collaboration--which is a collaboration between the military, academia, and industry. The Army command there, known as PEO STRI [Program Executive Office Simulation, Training, and Instrumentation], has been tasked with the cyber training mission for Army. I was alarmed by a recent study that I saw that talked about the accelerating workforce gap for cybersecurity professionals. This survey projects that we will have a shortfall of 1.8 million cybersecurity professionals in the next 5 years. And to put that in some context, when you talk about workforce gaps in other industries, we are talking in the tens of thousands, but not in the millions. So I found this an astounding shortfall in its size and particularly in a critical area for both national security as well as economic stability. So I was wondering, you know, you have all talked a little bit about some of the initiatives, workforce initiatives, that could be implemented, but what specific partnerships between academia, government, and the private sector would help to build this talent pipeline in the future, and what role does Congress have in providing investments for and supporting such partnerships?

Dr. Singer. There is a whole array of activities that can and, frankly, should be undertaken. As was mentioned, there was previously a human resources strategy. It is unclear whether that will be continued or not. I believe it should be in the new administration. If it is not, there should be a similar full-fledged version of it. Equally, there have been organizations created like, for example, the U.S. Cyber Corps, which is akin to a ROTC [Reserve Officer Training Corps] program, a scholarship program for drawing talent into government. It is unclear what the effect the Federal hiring freeze will have on that.
Right now, you have students that are worried that they are not going to be able to meet their scholarship commitments by joining government because the positions won't be open to them. I would urge Congress and the administration to make clear that cybersecurity is an area that would not be included in that hiring freeze because, frankly, any labor savings that you get will be lost by one breach, one incident. Similarly, there is a whole series of areas to bring in. As was mentioned, the strength of the United States is in districts like yours and around, so ways of bringing that talent into government for short term. So the examples range from adding a cybersecurity element to the U.S. Digital Service to a program akin to what the Centers for Disease Control has for bringing in talent from the medical field. Finally, bug bounty programs, which are very cheap ways of incentivizing people outside of government to volunteer to help government. I would urge--the DOD is doing these on a pilot basis. This should be done at every single agency, and Congress can help support that and incentivize that.

Dr. Libicki. I mean, there are a lot of programs that have been mentioned, could be mentioned, that could increase the supply of cybersecurity professionals, but if we are talking about the scholarship program, we are talking about hundreds and thousands of people as opposed to millions of folks. And I think thought needs to be given not only to how do you increase the supply but also how you reduce the demand. Let me give you an example. If you take a look at the Office of Personnel Management, there was a lot of sensitive information, particularly information that you gather as part of doing the security clearance, that was leaked to other countries as a result. Okay. Now, if you just took a cybersecurity perspective, you would say, well, how many people does OPM have to hire in order to make sure that their material doesn't leak?
But there is another way of looking at it. Okay. Do we have to ask people those questions? Do we have to write down the answers? Do we have to put those--digitize the answers that they give? Do we have to make the answers available, and do we have to make the answers available online? And is there some way of finding out where the answers are going online in the circulation? Okay. None of those things that I describe need a cybersecurity professional. They need ways of understanding how information works. And I think, as a general proposition, there was a tendency to say: We want to compute the way we want to compute. We want no restrictions. This internet stuff is wonderful. We want as much as we can have. But it seems to give us cybersecurity problems. So let's go hire a bunch of cybersecurity folks and sort of spread some cybersecurity on the top. And if you can't get these folks or you are paying an arm and a leg to get these folks and it still doesn't work because the Russians are very, very talented and the Chinese are very talented, okay, then you might want to consider, how are we actually managing our information? And that leads you to a different place.

The Chairman. If I could request each of you all, if you would talk directly into the microphone. Sometimes there is a noise outside that is making it hard to hear up here. So thank you. Mr. Gallagher.

Mr. Gallagher. Thank you, Mr. Chairman. I have a somewhat related question. The Marine Corps Commandant, General Neller, recently stated that using tactical cyber needs to become routine like other technical arms of the service. So when the Arty [artillery] officer shows up or the naval gunfire officer shows up, he needs to be accompanied by a cyber liaison officer. My concern is that in terms of the cyber talent pool, I don't think a lot of them are enthusiastic about getting a high and tight and joining the Marine Corps. So I am drawn to your idea, Dr.
Singer, about something akin to the Estonia Cyber Defense League, but I see a host of practical challenges to implementation, and I think we might have to rethink how we grant security clearances. Could you just talk a little bit more about that and how we might operationalize and implement such a proposal?

Dr. Singer. So the approach that Estonia has is a little bit akin to our age-old the minutemen or, more appropriate today, the Civil Air Patrol. The Cyber Defense League there is, it takes people that have been security cleared. So they do go through a clearance process. They are volunteers. They are outside of government. Their talent ranges from people who are hackers to people who are bankers. So, for example, if you want to understand how to attack or defend a bank, you just don't need computer talent. You need to understand how the systems work. And they essentially volunteer to aid Estonia in everything from red teaming--so attacking voting systems before an election, define vulnerabilities before the bad guys do--to they help with emergency response. It is a little bit akin to the Civil Air Patrol, which gathers people who are interested in aviation, and it ranges from youngsters that are entering the field to people who just want to keep flying, but then they are on call for aviation-related accidents, training exercises, and, importantly, on call at the local, State, and Federal level. My point is, is that, often in this space, we very appropriately enough say, you know, look, we have got Active Duty, and National Guard has expanded and gotten really good at this, but then we stop and miss the fact that, as you put, there is a great deal of talent that will be forced to be outside of National Guard.
I would also, real quickly, one other point I want to make is that, if we are looking at history, we often talk about the Pearl Harbor parallel, and what General Neller is pointing to is that there are other battles--Kasserine Pass--which were really ones that whether we won or lost was not based on our weapons but our failure to figure out how we command and controlled, how we organized, and that is what I would urge you to be pushing a little bit more on the military side with.

Mr. Gallagher. And then, on that point, Mr. Healey, you seem to argue that the reports of a cyber Pearl Harbor have been greatly exaggerated, but I count myself among many Americans who received a notification from OPM after the hack, which some describe as a cyber Pearl Harbor. What is your assessment of the long-term damage caused by that hack?

Mr. Healey. Certainly when I thought about my colleagues, my friends who in the future might be negotiating with China over some issue, and I can imagine their Chinese counterparties sitting down in front of them and having their complete SF-86 and the rest of their information in front of them. And I imagine the chilling effect that would have on that negotiation and how America's diplomatic position is going to be significantly worse since then. But I also take the thought of a devastating attack that leaves thousands of Americans dead. I mean, that, for me, is--it is what we have been thinking about, what we have been imagining that was going to be this catastrophic bolt from the blue, and so certainly that hasn't happened yet. And yet we still, to some degree, allow that to capture our imagination. So I think we need a little bit more curiosity about what future cyber conflicts might be like and how we respond to those. I think that would put us much better off to deal with the OPMs and to deal with the Russian hacking.

Mr. Gallagher. And, finally, Dr.
Libicki, among the many terrorist groups that we are fighting kinetically right now, who is the most sophisticated cyber actor?

Dr. Libicki. I think you would have to say ISIS. But I think even--ISIS is really good at information operations and propaganda, okay, because in many ways, they say that terrorism is sort of the propaganda of the deed, and so they are integrated within a country--with an organization like ISIS. But in terms of actual cyber capability, there are many criminal groups that are better than all the terrorist groups.

Mr. Gallagher. Thank you, Mr. Chairman. I yield the rest of my time.

The Chairman. Mr. Brown.

Mr. Brown. Thank you, Mr. Chairman. I represent a district in Maryland that is perhaps less than 8 miles from Fort Meade, which is home to, you know, several very important agencies and activities in the cyberspace, NSA, Cyber Command, and Defense Information Systems Agency, and we are home to a very large percentage of those high-and-tight cyber warriors. And I know that this committee, over the past several years, has looked at the organization and structure of the cyber force, Cyber Command, as a unified command. We are interested in the dual-hat arrangement between the Director of NSA and as Commander of CYBERCOM, and also we are interested in a strategy for incorporating the Guard and the Reserve. So my question is--and there are a lot of different activities involved in cyber warfare. At the operational level, do you have any thoughts and opinions on how best to support that combatant commander? We have got cyber mission teams that, my understanding, right now, pretty much operate from CONUS [continental United States], a lot at Fort Meade, some in Atlanta, and pushing those teams out much like the Special Operations Command does, and any other thoughts you have on sort of the operational tactical deployment of these assets.

Mr. Healey. Thank you very much, and there are parts of this that remind me of the previous question.
You know, the cyber forces, I think, for a very, very long time are going to be high-demand, low-density [HDLD] assets. You know, there is just not going to be enough of them, and in general, when we have got HDLD assets, we try to keep them in a centralized pool so that way--especially keeping them in a place where they can support multiple commands and multiple operations without having to necessarily to deploy to do them. I think it is going to be a long time before it is as easy to use cyber capabilities as it is to drop a JDAM [Joint Direct Attack Munition] or to send artillery rounds downrange. It is extremely complex, and when you have capabilities, you tend to want to use them sparingly and not in a tactical kind of situation because the adversary will just fix them. And so the kinds of things that I think have been happening within the Cyber Mission Force have been really excellent, and we hope to see more capabilities and spending in that area.

Dr. Libicki. Briefly, I am not too sure I have an answer to your question, but I do have a sense of what it will depend on. First is we need to understand a lot better the efficacy of offensive cyber forces, and the second thing is that we have to understand their depleteability. There is a difference when you surprise somebody in cyberspace, when you pull off something that they weren't expecting, okay. The surprise element tends to deteriorate over time. It is not like an artillery round, which still has the same blast effect for the first as it does for the hundredth. So that we don't understand a lot, and for these next 5 to 10 years, we are going to have to be playing around with a lot of alternative models until we do have a level of understanding that allows us to make good decisions.

Dr. Singer. I think your mention of Special Operations Command is an appropriate one.
I was actually down there literally yesterday, and it is my sense that that is the likely and I think ideal future evolution of what happens with Cyber Command where it is, as mentioned, it is global in its operation but also can focus down and help in specific commands on a theater level or the like. It also has its own culture, its own approaches to promotions, to different types of budget authorities to reflect kind of its unique role. That is my sense of where Cyber Command can and should evolve to. Part of that will, as was mentioned, I do think it is time for it to disentangle from the dual-hat leadership structure for both what Jay Healey mentioned, in terms of the intelligence operational side, to just, frankly, it is a human talent. No matter how good the person is, those two roles are incredibly important, and you are getting half their time. They are also very different. To make a sports parallel, it is like having, you know, the coach of the Wizards and the general manager of the Capitals. You know, you wouldn't do that. The final aspect that I would put in terms of--to aid this in solving a lot of this question is better integration of this into our muddy boots training environments, and when I say ``this,'' I mean both offensive and defensive cyber capabilities as well as the social media side. Our training environment should reflect what the internet looks like now and how we can and our adversaries will use it.

Mr. Brown. Thank you, Mr. Chairman.

The Chairman. Ms. McSally.

Ms. McSally. Thank you, Mr. Chairman. Thank you, gentlemen. First, I just have a comment as we are talking about this cyber workforce. Although I agree with you, Dr. Libicki, about managing our information. There is going to be demand. These are going to be jobs that will be out there and growing.
And I highlight the University of Arizona South in my district has, you know, taken advantage and seen that coming and really created a cyber operations program partnering with Fort Huachuca, Federal agencies, seeing that this is an opportunity to really train the workforce of the future for government, military, and the private sector, and I think a great example of really how educational institutions need to take advantage of this to provide training and opportunities, you know, for good jobs in the future. So I just want to highlight what is happening at the U of A South. I am former military. You look at our potential adversaries. They don't want to take us head-on although they are closing some gaps. But we are so heavily reliant on network operations for command and control, for situation awareness, you know, whether that is GPS [Global Positioning System] or how we are managing unmanned aerial systems, even how we are managing air tasking orders and time-sensitive targeting. If you are the bad guy, you want to go after that asymmetrical potential Achilles' heel. Although we haven't seen it happen, I would like to hear your comments on our vulnerability. Obviously, we are in an unclassified setting, and what we, you know, could do because if we had an adversary go in that direction and try and take us down, we would--you know, we talk about like the AOR [area of responsibility] would go stupid pretty fast, like we wouldn't be able to operate; we wouldn't know how to command and control and give directions to our assets. And I see this as a very deep vulnerability that we have. Do you have any comments on that and what we need to be doing better about it? You want to start, Mr. Healey?

Mr. Healey. Thank you. It is tough for me when you ask me the question not to answer first with ``Assault Course, Ma'am.'' So I would start with----

Ms. McSally. Sorry about that.

Mr. Healey. You haven't had----

Ms. McSally. Put him through basic training.

Mr. Healey [continuing]. The cyber Pearl Harbor the way that we thought in some way because cyber attacks tend to only take down things made of silicon, things made of ones and zeros, and those are relatively easy to replace. The more that we are bringing in the Internet of Things [IOT] and the smart grid, the more that those same attacks, instead of just bringing down things made of silicon, can bring down things made of concrete and steel.

Ms. McSally. Right.

Mr. Healey. So I am not of those that think cyber attacks have been that bad lately. I really don't, because no one has died yet. I think we are going to look back at these days as the halcyon days when Americans had not yet started dying from these. So, to me, that is really where I would like to start putting a lot of my time and I think the time from the DOD and from Congress and in trying to see what we can do about--to secure the IOT and keep our adversaries away from them. Thank you.

Ms. McSally. Any other comments from----

Dr. Singer. I think you are spot-on, and I would point to, you know, so what would make the previous member happy, we spent over $2 billion on construction in the Fort Meade area alone, which is great. We have grown up this capability in Cyber Command, but the Pentagon's own weapons tester found in their words, quote, ``significant vulnerabilities,'' end quote, in every major U.S. weapons program. And that is made up--it has revealed itself in everything from China flying comparable copycat versions of the F-35, which either coincidentally the J-31 looks like it or it is because there were reported three different breaches during the design process, to exploitation during warfare itself. So, in terms of what Congress can do, I think we need to have a focus on building resilience within the DOD acquisition system. Specifically, establishing metrics and determining where progress has been made or not in our acquisitions process to deal with vulnerabilities in that.
So we know they are there; what can we do about it? I would also add: we can explore how to use Pentagon buying power more effectively outside the defense industrial base. So, for example, entities like Transportation Command have relationships with a lot of different critical infrastructure, how can they incentivize them to get better at their cybersecurity using Pentagon buying power?

Ms. McSally. Dr. Libicki.

Dr. Libicki. Three things. First, I think we need a better understanding of our end-to-end vulnerability. Part of the problem in defensive cyber is we tend to chop them up into little pieces and look at the vulnerability of each piece, but in fact, if the bad guys are going to exploit our vulnerabilities, it is going to do it on an end-to-end basis, and this is the basis under which you ought to measure things. In terms of the vulnerability, as you point out, this is an unclassified session. So my best guess is that heterogeneity and, believe it or not, legacy systems make a big difference because it gives us a lot of ways of doing different things, and I think, in general, the fact that our warfighters tend to be given the authority to do their own innovation is very important because, after a cyber attack, the world is going to look different than it did before, and how do you put the pieces back together becomes very important, and a well-trained military that knows how to think on the spot in different ways becomes very important in the aftermath of a cyber attack, part of the resilience package.

Ms. McSally. Great. Thank you. I had another question about ISIS, but I am out of time. I often--we see ISIS either using the internet to recruit, train, direct, yet the internet was continuing to still work in Raqqa. I have asked many times in this setting, why is the internet still on in Raqqa? But we don't have time. So we will follow up with you all later. Thank you. I will yield back.

The Chairman. Mr. Carbajal.

Mr. Carbajal.
Thank you, Chairman Thornberry and Ranking Member Smith. Dr. Singer, I am going to build on that but maybe closer to home. An area of major concern is the supply chain vulnerabilities where malicious software, hardware is inadvertently--or exists in the development or acquisition of different systems. In your testimony, you express concern over the significant vulnerabilities in every major weapons program, extending from breaches of operational systems to original design process. Can each of you speak to how we can tackle these vulnerabilities? What checks and balances can we put in place to avoid developing systems with malicious software or hardware? And what resources do we need to invest in order to protect our supply chain?

Dr. Singer. So I should clarify this phrase of significant vulnerabilities. That is actually from the Pentagon's own weapons tester. So it is not merely an assertion of mine. It is from our own government's reporting on it. The concern here, again, as you put, is not just merely, what does it do in acquisitions, what does it do in an operational environment like we explored in future scenarios, but it also means it is, I would argue, difficult to impossible to win an arms race if you are paying the research and development for the other side. And so, in terms of what can be done, I think the question for Congress is where, in using your authority, what are the changes needed in acquisition law, or is it processes, is it policy, to create better requirements for essentially resilience to cybersecurity attack, not preventing it? We will never be able to prevent all of it but build resilience to it. This also points to the human resources side that we have talked about, and again, this cuts across the board in everything from within the military, as was laid out, to outside and broader society, and it is very exciting to hear--everyone is very proud of the different universities.
We need to think about how we can build training for cybersecurity into our education system to create better levels of cyber hygiene. Thank you.

Mr. Carbajal. Thank you.

Dr. Libicki. There has been a lot of concern about the fact that some of our foreign sourcing leads to vulnerabilities. I am not entirely certain whether we need to do all that much more than we are currently doing. I remember that there was a lot of discussion 20 years ago when people were talking about fixing the Y2K [Year 2000] problem, and there was a lot of handwringing about foreigners working on our code, and therefore, we become much more vulnerable because we couldn't trust the foreigners to work on our code, and I haven't seen any evidence that that really mattered to Y2K or that mattered to vulnerabilities in the immediate aftermath of Y2K. I think, as a general principle, it gets back to understanding our end-to-end vulnerabilities. Even if a particular product is weak, if there is no way to exploit the weakness, that gives you a certain level of protection. So you do have to look at supply chain vulnerability as part of a broader overall systemic end-to-end vulnerability issue.

Mr. Healey. Thank you very much. I have been impressed with how much has been done on the academic side and within the computer security community on trying to build a trusted system on untrustworthy components. So, for example, if you use end-to-end encryption, like is happening now in Apple, even if you don't trust the systems between you and the person you are talking to, there are tools like end-to-end encryption that can give you much more trust over the system as a whole. One example in the DOD context is DARPA [Defense Advanced Research Projects Agency] is now putting a system they call HACMS [High-Assurance Cyber Military Systems], the High Assurance Computing Systems--I can't remember the exact acronym--where they are using mathematically provably secure code. They have done this on a helicopter drone.
They have given a red team hacker access to part of that drone, and they have not been able to get out, to hack the entire drone and take control of it. So here are areas where you can trust the system even if it has some untrustworthy components. I would like to also call out what has been happening between the defense industrial base companies themselves. The amount of information sharing, my colleagues tell me, have gotten that, in the past, if the Chinese were to hack one of those companies, they could use that same vulnerability to hack all of them. And it has now been several years where the sharing and the defenses have gotten so good that now they have to use a different software vulnerability on each of these companies. I think that is exactly getting toward the kind of defenses that we need, and it is probably more because of the sharing, which is cheap, than having to add more and give them more money in the contract so they can improve their security. Thank you.

Mr. Carbajal. Thank you for your insight and your wisdom. I yield back.

The Chairman. Ms. Stefanik, do you have additional questions on your own time?

Ms. Stefanik. Thank you, Mr. Chairman. NATO [North Atlantic Treaty Organization] has introduced the Tallinn Manual through its Cyber Defense Center of Excellence in Estonia, which provides an analysis on how existing international law applies to cyberspace. The most recent Tallinn 2.0 Manual focuses on cyber operations and discusses cyber activities that fall below the thresholds of the use of force or armed conflict. Is this framework helpful in establishing international norms for nation-states, and what, if anything, would you recommend we consider incorporating into U.S. policy? I will start with Dr. Libicki.

Dr. Libicki. I mean, I can say nice things about global rule under international law, but international law is only as good as countries that support international law are willing to support it.
In other words, they are willing to put muscle behind violations of international law. And I would--I regard international law as a tool of policy. I do not regard it as a substitute for policy. At some point, you have to take certain elements of international law seriously enough to say, ``This is unacceptable, and this is what we are going to do about that,'' and this is in turn part of a broader discussion, which I urge that we have, about what in fact constitutes thresholds. Okay. Part of the problem with using international law as a base, as was obvious in the Tallinn 1 Manual, is that there is a lot of disagreement among people about what in fact constitutes legal behavior, and you don't have the same judicial mechanism in the United States where you can point to the opinions that are rendered by judges to say, okay, there is a consensus that this is a way it is and this isn't the way it is. We don't have that. Okay. So, in the end, international law has to be supported by nation-states--by countries and their willingness to take risks in support of law before it becomes actionable.

Ms. Stefanik. Thank you. Mr. Healey and Dr. Singer, do you have anything to add?

Mr. Healey. I am a huge fan because it takes a lot of the arguments off the table. You know, instead of arguing, well, arguing from scratch if we think something is an act of war, not now; we at least have a place to come from. And that helps a lot. Now we can argue what part to do about it. That is really what has been tripping us up, I think, more than anything, is not what to call something or what thresholds to set, but what are the actual policy tools and how are we going to use them in each instance, and hopefully now we can focus on that.

Ms. Stefanik. Dr. Singer.

Dr. Singer. I am a huge supporter of it as well. I would just add two things to it.
The first is to recognize that there is not just this process but a broader webwork of agreements and norm building that is going on in everything from bilaterals with allies to multilaterals, be it at NATO to all the way up to United Nations. And I think a key area for action for Congress is to essentially request of the administration, what is your overall strategy here, how does this all fit together, and, most importantly, are you not going to let this fall by the wayside, because it is clearly advantageous to the United States to shape these norms in a way that restores global cybersecurity. The second most important thing is to recognize that the quickest way to undermine norms and laws is to take an action when they are broken, and we have seen repeated instances, specifically by Russia, in everything from attacks on power grids that were no-go areas, such as in Ukraine, to most recently this broader campaign that I mentioned. And so, if we want to norm build, we also have to take actions besides just write things down in treaties.

Ms. Stefanik. Thank you. In some of your testimonies, you have talked about our increasing capabilities when it comes to attribution. My question is, how good are we at doing battle damage assessment [BDA] in cyberspace? Are there areas or capabilities that we need to invest in to improve our ability to do BDA?

Mr. Healey. Do you mean against our--when the attack is against us or----

Ms. Stefanik. Yes.

Mr. Healey. Yes. Here, I think a lot of work that has been happening in the Information Sharing and Analysis Centers as well as the new policy from the past administration for Information Sharing and Analysis Centers to try and come together and get that coordination done within the affected sectors themselves or the affected companies, that depends so much on which sector has been hit to try and figure out the level of disruption. Some, like finance, are extremely good at this.
Their regulatory agencies are banging on the door to find out what happened. Other parts of our critical infrastructure, like water, aren't going to be as strong, and that underlines, I think, how good the sector organizations are, how well they are regulated, for example, rather than anything specific to determining the level of disruption and the damage.

Ms. Stefanik. Dr. Singer.

Dr. Singer. This is one of those key areas, I think, to delve deeper into in the muddy boots training side. So, for example, if you lose 10 percent of communications, it is only if you actually go out and exercise it that you understand that maybe it doesn't have a 10 percent compromise on you; maybe it actually means your entire organization can't work. Or, similarly, if it is not you lose access but that you can't trust communication. If one time the adversary inserts false information, be it into GPS or false information into an order, does that mean that you no longer trust the system itself, so the entire system goes down? So that is one of the areas where I think we need to evolve it more and do our own training to understand the effects of it. That is the only way.

Ms. Stefanik. Thank you. My time is expired.

The Chairman. Ms. Rosen.

Ms. Rosen. Thank you, and I really appreciate all of you being here today. Thank you, Mr. Chairman. My question is about the disentangling of the NSA and Cyber Command. And so I see some of the benefits and challenges. I would like you to expand on that a little bit and especially about how that relates to our ability to respond dynamically to threats or challenges as you see them and our ability to be fast and flexible there.

Mr. Healey. Thank you very much, Congresswoman Rosen. The most dynamic part of America's cyber defenses is not Fort Meade, and it will never be at the Pentagon. It just isn't. They can't--pretty much no part of the U.S. Government is actually creating and maintaining cyberspace.
One of my colleagues that used to--a former Army major that then went on to work at Verizon--said, look, if there is an attack, we at Verizon and our colleagues and our companies, we can bend cyberspace if we need to; we can change the physics of the space to blunt this attack in a way that is incredibly difficult for places like Fort Meade and U.S. Cyber Command to do. U.S. Cyber Command simply just doesn't have the levers to be able to respond agilely enough to attacks against us. They can certainly attack back, but they are not--they are not tied in in the same way as these companies are. And so, because I believe that the private sector is the supported command, they have agility, they have the subject-matter expertise, and they can bend cyberspace if they need to, that our money is best spent, rather than trying to recreate that at Fort Meade, find ways to help make sure what they can do better. Dr. Libicki. You have asked an interesting question, which, unfortunately, I don't have a clear answer for because I am still thinking through it. Okay? But a lot of what you do with Cyber Command, vis-a-vis NSA, depends on what you actually want Cyber Command to do. If you are thinking of what Cyber Command does as part of a broader information operations area, then you need to bring Cyber Command in with other parts of the Department of Defense that deal with information operations. And this is not a--this is not something that is currently on the table. Ms. Rosen. Cyber Command, doesn't it also execute? Dr. Libicki. Right. Ms. Rosen. Right. Dr. Libicki. In terms of its--in terms of its offense mission is what I am referring to. Okay? In terms of its defense mission, it is a coordination between Cyber Command and the way the networks are currently managed that becomes an important component. And for a long time, NSA has had that responsibility to improve the security management of DOD networks. 
If you are looking for Cyber Command to think in terms of a general analysis of the vulnerability of other people's militaries, then you may want to bring them in together with other folks who look at the vulnerabilities of other people's militaries that are not necessarily digital zero and ones but, in fact, arise from the interaction of the various components of their militaries. And that is about as far as I have gotten in my thinking, unfortunately. Dr. Singer. So I think we have laid out earlier some of the rationales for it, and it ranges from the split, as you note, between, essentially, the evolution of the missions from intelligence to Cyber Command becoming more and more operational, both offense and defense, having training requirements and the like. As I mentioned, there is the double-hat problem of just human talent. There is another aspect of this that I think is interesting to talk with you about is go back to the original rationale for why they were double-hatted. It was both because the creation of Cyber Command, it didn't have its own culture, didn't have its own human talent, but it also was because there was a concern that the head of Cyber Command would not be able to speak with a voice or authority that would get Congress' attention. Ms. Rosen. Right. Dr. Singer. Post-Snowden, the absolute opposite happened where you are more interested--maybe not you individually, but Congress is more interested in the NSA surveillance encryption debate side. And we even saw that in the confirmation hearings for the head of Cyber Command. So I think for this wide variety of reasons, it makes sense to split them, but I would not do it instantaneously. I would do it like the transition that we had with the Joint Forces Command where the mandate, so to speak, of the last commander was figure out how to disentangle this in a way that doesn't compromise effectiveness. Ms. Rosen. Thank you. 
Well, as a former computer programmer and systems analyst, I have about a million more questions about the public-private partnership versus privacy. We don't have the time to do it today. I hope you will come back, and I will be able to ask them all. Thank you. The Chairman. You can use the gentlelady as a resource as you go on ahead. That is what is clear to me. Mr. Scott. Mr. Scott. Thank you, Mr. Chairman. Gentlemen, many of my questions have been answered, but I want to go back and focus on a couple of things. The Y2K issue was approximately 20 years ago. It was not intentional, but my question has always been, as we talk about malware and digital and Xs and Os, one of the vulnerabilities that we don't talk about much, which has been mentioned before, has been the supply chains and the ability to perhaps embed things in hardware prior to the manufacturing of the actual equipment. I go back to just, for example, the GPS system that we put in an airplane or a radio system that we put in an airplane, could it be preprogrammed to stop working at a certain point in time, in which case that would give your, certainly, major adversaries, your near-peer adversaries, a distinct advantage over you, and that if they knew that you were going to lose radio communications at a certain point in time, that would obviously be an opportune time for them to go on the offense. And so it seems to me that we have this constant testing, if you will, of capabilities among select few countries. When one of those countries finds a weakness, the question is how far do they go in exploiting it, I guess, before a cold war actually becomes what we would acknowledge as a true war. I listened to your comments on the split of leadership at NSA, certainly interested in further discussion on that. But I would like for you to speak, if you would, towards the future. Dr. Healey, you said that we don't have the levers that the private sector has to bend cyberspace, I think is the way you put it. 
We obviously have Active Duty personnel. We have National Guard personnel. National Guard has had a tremendous amount of success in helping us. What is the--what does the Cyber Mission Force look like 20 years from now? What are the decisions that have to be made to make sure that we have that cyber force? Mr. Healey. Thank you very much. It is a great question. And to put some context, I am not taking swipes at Cyber Command. I was one of the initial cadre of what became Cyber Command. When I was a young captain in the late 1990s, I helped the headquarters there set up what was to become the Joint Task Force-Computer Network Defense and was one of the 21st--one of the first 25 cadre members there, and then it went on to grow to be U.S. Cyber Command. When I think about--it is a great question and what that force might look like. One of the futures that I start thinking, and I am saying, what would happen if we went down that--if--what cyber conflict might look like in 10 years. Last year, at--DARPA funded a contest called the Cyber Grand Challenge in which they had different supercomputers discovering their own vulnerabilities and throwing--discovering vulnerabilities and attacking the other supercomputers on stage, which then had to run through their programming and come up with automated defenses. And, certainly, when I am thinking about what cyber conflict might look like in 20 years or 10 years, that to me seems like somewhere obvious to start in where DARPA is already thinking. So just imagine how--what that might mean for the Cyber Mission Force where we have over 6,000 people at Fort Meade, and other places now, preparing for a fight. Well, if the future conflict is going to be malicious software that has got a back end over a supercomputer telling it what to target next, how to change to avoid defenses, you now need your own supercomputer to try and defend against that. 
And I think that has just tremendous challenges for military doctrine, for organizations, and certainly, for staffing. Mr. Scott. That brings me to another question. I mean, obviously, a lot of these people, they are extremely intelligent. We need to have the ability to work with these people. They may not be interested in joining the military. They may not work, certainly, full-time or part-time. I mean, for lack of better terminology, I mean, do we, when we see this problem coming, deputize a cyber posse like the old days where you bring people in that you have never worked with before? And, Dr. Singer, I know--interested in your opinions. Dr. Singer. That is why I am an advocate of, look, there is great talent within Active Duty. National Guard has been a way to pull in. We have reorganized, so we can pull in that talent, you know, that already has cyber skill sets. But at the end of the day, as you note, there will be a wide range of people who either are unwilling to serve in the National Guard and Reserves or they simply won't qualify for physical reasons, whatnot. And so we need to create alternative pathways to draw people in beyond just contracting them. And that is why I am an advocate of both this Civil Air Patrol cybersecurity equivalent to expansions of the U.S. Digital Service to include cybersecurity, simply looking at outside of this field, what are like models that we know work? How do we use those to bring in cyber talent? And then, lastly, I would point to the bug bounty program. The--you asked, you know, what will this look like? The people that participated in the Pentagon's first bug bounty ranged from off-duty government workers to people working in business doing it nights. My favorite example was an 18-year-old who did it in the middle of their AP [Advanced Placement] test, who volunteered to help defend Pentagon networks and reportedly he did it because he just wanted the T-shirt. 
So we have to have a means of pulling in all this wide variety of talent. That is what makes America great. Mr. Scott. But you also have to get them cleared from a security standpoint. You have to have them operate under some agency out there, and those are things that, I think, need--we need to have that outlined before the attack happens. Dr. Singer. Absolutely. Mr. Scott. Mr. Chairman, I apologize for going over. The Chairman. That is fine. Interesting discussion. Mr. O'Halleran. Mr. O'Halleran. Thank you, Mr. Chairman. I guess I want to go back a little bit to Mr. Scott's issue, because I have a concern that what we are doing here is without deterrence, without clearly showing deterrence that we are in this never-ending spiral of more and more people, more conflict between budget for cyberspace and the budget for defense; how do we pay for it, that the people that are attacking us are spending far less to attack us than we are to stop the attacks. And so it appears that the deterrence factor has to be something that is credible, as Mr. Libicki said. I am just trying to understand how we start to slow down that cycle. It is a great full-time employment issue for a lot of young people that are coming out of our universities, but it is a serious question as far as our long-term capability to be able to defend ourselves without trying to deal with the deterrent side in a meaningful way--if we do not deal with it in a meaningful way. So how does that all occur? And, Mr. Libicki, I would like to start with you. Dr. Libicki. I think, ultimately, the way you discourage people from attacking you is to give yourself an architecture, the relationship between information and systems, that reduces their value--what they get from attacking you in the first place. And even if we had an effective national deterrence policy, we would still have many other threats from criminals, from insiders. 
And so one of the advantages of defense and resiliency is that defends against people, no matter what their motivation and no matter what way we can and cannot reach out and touch them. Mr. O'Halleran. And I take it from your comment that you don't feel we are at that point yet where we have the system that can deter like that? Dr. Libicki. I think we have made a great deal of progress. I think we have a lot more progress to make. It is going to be a long challenge. Mr. O'Halleran. Dr. Singer. Dr. Singer. So there are different forms of deterrence. And because of the Cold War experience, we typically focus on the idea of deterrence by overwhelming retaliation. There are many things for the people in Fort Meade to be upset with Mr. Snowden about, but the one thing he did reveal is that there is no question of our offensive capability. And yet, as we see, the attacks continue. So it is not like the Cold War where there is mutuality here and that, you know, someone attacks us and we respond in a like manner. So if we are thinking about retaliation, it is going to be better using those other tools of American power to influence actors that have both attacked us but also others looking to it. And that is why I am very pointed about the Russian campaign and our lack of a response to it has incentivized a wider array of actors. Secondly, there is a different form of deterrence which wasn't possible in the Cold War called deterrence by denial or it's resilience. It is the idea that I don't attack you not because you are going to hit me back, but because my attack is not going to succeed. You will shrug it off. And importantly, resilience would be a useful building activity. Whatever the form or type of attacker, you build good resilience, it is good against criminal actors, state actors, you name it. 
And in my written testimony, there are a whole series of actions that we can take to raise our resilience levels and therefore make attacks against us less successful and, therefore, less likely. Mr. O'Halleran. Thank you. And, Mr. Healey, just to go a little bit further on this. We just talked about Russia during the Cold War. It got to the point where they just appeared to not be able to afford to continue on with the path. In this instance, we have a situation where those that are attacking us can afford to keep going because our cost ratio is much higher than their cost ratio. How--just how do we start to stop that? I understand what Dr. Singer just said, but, again, the architecture is just not there right now, and our cost is just exploding. Mr. Healey. There are new architectures and new things that are coming down in the computer field that I think will help. We have been doing a New York cyber task force at Columbia University to say what can we make a more defensible cyberspace, a more defensible America, more defensible sectors, more defensible companies. And so, for example, going to the cloud. I was astounded how many of the bank chief information security officers and others that were saying absolutely allows you a more secure foundation to build that from the ground up. The CIO [chief information officer] thinks he is going to do it for cost reasons, but really you do it for security. I would also like to add, I tend to be very hesitant when it comes to trying to raise the adversaries' costs more directly, but I certainly think when it comes to Russia, we have got a national mission team. They are looking into red space, able to disrupt the Russian influence operations and cyber attacks. I think, absolutely, we should start thinking about that to help out France, German elections as they are coming up. Thank you. Mr. O'Halleran. Thank you, Mr. Chairman. The Chairman. Thank you. Mr. Wittman. Mr. Wittman. Thank you, Mr. Chairman. 
I appreciate our panelists for joining us today. Dr. Libicki, I want to start with you. You have spoken very much about building an offensive capability. I have a particular interest in that, because I think it is the way that we can make our adversaries use their resources to defend their systems. I think that is extraordinarily important. Give me your perspective about how in the realm that we see ourselves in, especially with the United States Navy with new systems, unmanned platforms, and what we have to do to create command and control there, how do we not only protect those systems, but how do we look at vulnerabilities that our adversaries might have with their systems so that their time is taken up not in going after our links within our systems or looking for weak points there, but what they have to do to defend their systems. And how do we most aggressively pursue that? Dr. Libicki. Well, there are a number of standard ways for exploring other people's systems. And one of the best ways is actually buy a copy of them and then run it in our test labs. We did that throughout the Cold War, and I don't think our activity has slowed down very much. To the extent that they use international components in their systems, they already have a certain amount of familiarity with that. We probably pick up a great deal of electronic intelligence just by listening to these components communicate with them over the air. Okay? But let me actually address your question by asking a question, for which I am not quite too sure there is a good answer, but I will do this anyway. To what extent do we want to tell folks or hint to folks that we have an ability to interrupt their information systems? Okay? On the one hand, it gives us a great--a certain amount of deterrence. It reminds people who are doing a lot of--throwing a lot of stones that they live in glass houses, and it reveals our intention to go after their glass houses, which I think is very important. 
On the other hand, you want to do it in such a way that it doesn't look overly aggressive, aggressive but not overly aggressive, and you want to do it in such a way that it doesn't give away too much of how we actually do our business. So there is a lot of trade-off to be had here. I think we are in a good position where we are given credit for a lot of capability without necessarily having to show it. I don't know what the depletion rate of that confidence is. Okay? But right now I think it is pretty high. So we have American defense officials, certainly in the last administration, I think in this administration, who have hinted from time to time that we have a great deal of capability, and they need to watch themselves, but to maintain that confidence, or lack of confidence, in their mind, I think is a challenging problem but not an insurmountable one. Mr. Wittman. The next question. How do we, as we look at where the future brings us with educating and training our military members and leaders today for the challenges they will face tomorrow within the cyber realm--and I have been an advocate to say all the way from the basic training level, tactical level, all the way up to the strategic level, there needs to be a common theme of training and educating everybody in the military as to the cyber sphere that they are going to operate in. Give me your perspective on where you see things currently going, maybe even some of the efforts that are undergoing through your experience that are happening maybe at places like the academies, and what needs to happen there to make sure we, from top to bottom in our fighting force, emphasize the cyber realm as much as we do the kinetic realm? Dr. Libicki. I am glad you asked that question, because it allows me to speak on behalf of my employer. I think the Naval Academy does a really good job on this. 
We have two semesters of requirements for all naval and Marine Corps officers; one they take in their first year, one they take in their third year. I have a little experience with them, because I teach a lot of freshman this sort of stuff. We also have a cyber operations major. This year, we will be graduating about 40 folks. And one of the nice things I like about the program is that we spend years two and three on the technical education, and then starting a bit in year three and into year four, we give them the policy perspective. One of the biggest shortfalls in the area of cyber is you have a lot of technical people that can't talk policy; you have a lot of policy people who don't have a rich enough foundation in the technology. And I believe the Naval Academy is graduating officers that, in fact, have a background in both of them. And I think that is very beneficial, and I think it is something that I--speaking ex cathedra that I think the other two military academies also should take a serious look at. Mr. Wittman. Are there any efforts underway currently as far as facilities or things that might be there in the future to make sure that we are even enhancing that experience with things like, you know, a secure facility like a SCIF [sensitive compartmented information facility] for them to be able to learn and operate within? Dr. Libicki. Well, as you happen to ask, we are building a cyber building, the Hopper--Hopper Hall, I think it is called, on campus. It should be ready in about 2019, and it is supposed to have a SCIF. Mr. Wittman. Very good. Thank you, Mr. Chairman. With that, I yield back. The Chairman. Mr. Veasey. Mr. Veasey. Thank you, Mr. Chairman. I want to ask Mr. Healey a question. In your testimony, you recommended that the U.S. needs to take further steps to deal with foreign influence in cyber realm. And I wanted to ask you if you could elaborate more on what those steps look like and which agency you would have spearhead those? Mr. Healey. 
Yes. Thank you, Congressman Veasey. I think it is a tough question, because one reason why I think we have turned to the Department of Defense to help us out on cyber issues, has been they were there with the capability when they were needed. Many people have been very disappointed that it has taken the Department of Homeland Security so long to get themselves up when it comes to dealing with cyber issues, and yet DOD has been there quietly providing capabilities for a long time. I see the same problems are going to affect us here when we are talking about influence operations. DOD clearly should not be in the lead on such things, but we could easily imagine ways that the Department of Defense can bring their amazing capability to bear on this. They have already been studying information operations. I think they should be coming to Congress with different projects to fund within the--probably within the cyber branches, for example, 24th Air Force or 10th Fleet, to start rebuilding that information operations capability. And also, blowing--blowing on the coals of where those--that information operations capability resides, particularly National Defense University. And, hopefully, that can kick off, while the interagency process is figuring out how better to deal with this. I think there obviously will be a role for Justice and for State and the Department of Homeland Security, but it is going to take them much longer, I think, to get their capability up to speed, unfortunately. Mr. Veasey. Thank you very much. And, also, I wanted to ask about just the relationship between the private sector and the government moving forward when addressing these cybersecurity concerns. You know, there have been, obviously, lots of talk about the government being able to have a back door to be able to go into some of these devices so they can go back and find out exactly what was taking place. 
But then, also, there are other--there are apps and things like that that are overseas that these--that the companies here in America don't necessarily have the same access to that wouldn't be able to unlock some of those clues that we may be seeking in case of some sort of a terrorist attack. So I just wondered if you had any thoughts on that at all, either--any of you. Dr. Singer. So across the board, if you did a poll--and, actually, they have been done--of cybersecurity experts, consistently they would say that building in back doors is the best way to create greater vulnerability for the wider public and the Defense Department systems themselves that we have talked about. So that is why you find very few advocates of that within the community. And, oh, by the way, people would just move to other systems. So the challenge, I think, you know, to move--that is a known known. The challenge between the public and private sector relationship now, one of the key areas is just who does the private sector turn to for help when there is an incident? The administration towards the--the Obama administration in its last year began to clarify that a bit, but it is not yet enough, it is not yet clarified. And in my sense, among the proposals that I have got there is, you know, the idea you need a one-stop shop, a key place for them to go. I wanted to circle back, though, to your prior question about influence operations. Much of this, the activity to counter it, is going to have to happen outside of the Defense Department. It is everything that we mentioned from the creation of an Active Measures Working Group to debunk lies and make it harder for people to spread them. It is to the debate over critical infrastructure and our election systems has, I believe, wrongly focused just on voting machines when, clearly, the targets are political organizations. They should be having the same kind of information sharing that competing banks do, and same kind of linkups to government. 
The activities during the 2016 election would have been stopped if just the FBI and the DNC had had a better means of communication and had been able to trust each other. To--again, there are other elements to this. On the intelligence community side, Congress should be requesting briefings on just what these influence operations in the broader spread of social media means for the likelihood of conflict itself, how it is affecting popular sentiment among adversary states and the like. Mr. Veasey. Thank you very much. Mr. Chairman, I yield back. The Chairman. Thank you. Mr. Bacon. Mr. Bacon. Thank you, Mr. Chairman. I stepped out to get a couple of votes in, but good to be back. My question is about the dual-hat relationship between Cyber [Command] and National Security Agency. We heard some testimony today that suggests there is a good thing to break that into two different [inaudible] for staffs. [Inaudible] I was at Fort Meade earlier this week, and there are indications to do the same, but I see warning signs of that. Right now, the expression of cyber teams, there seems to be a cohesion of, you know, a synergy between the NSA side and the--some of it, sometimes it is one person, goes to title 50 to title 10 back to title 50. Eventually, at some point, you are going to get different priorities, different visions, and I see where it can break down that synergy that you need and that cohesion. What are the benefits of moving away from a dual-hat relationship and getting two different four-stars? And isn't there a better way to elevate Cyber Command than going down the path that some are suggesting? And I would just open it up to anybody that would care to answer. Dr. Libicki. Let me make sort of a tactical--a tactical statement here. We tend to think of attack and espionage as two different things. Right? Attack is your title 10 thing, espionage is title 50. We shouldn't have the same people doing attack as we have doing espionage. 
But in practice, the two may be a lot more similar than we think. Let me give you a scenario. Let us say that I can attack a network, inject messages in a network and tell the bad guys to meet at a particular place. I get there an hour before they do, tactical engagement, I win. Right? Mr. Bacon. Right. Dr. Libicki. Scenario two. I listen until I find out that they are going to meet in a particular place. I find out where, when. I get there an hour before they do. The tactical results, fairly similar. Right? Why do you want one organization doing one and one organization doing the other because we happen to have defined injection as a title 10 issue and interception as a title 50 issue? I think what those folks are doing--and sort of as a broader issue, a lot of what you can do with interception of information these days has a lot more tactical relevance than it did 20, 40, 60 years ago. If I can get into your equivalent of Blue Force Tracker and just listen, the tactical advantages I would have would be tremendous. Mr. Bacon. So you are positing here that you should have a totally separate Cyber Command that has that reconnaissance capability? Is that what I am hearing? Dr. Libicki. Well, if you end up with that reconnaissance capability, you have now recreated a large chunk of NSA. Mr. Bacon. That is right. So wouldn't you want a single-hat or a dual-hat four-star? Dr. Libicki. Well, that is a different voice, and again, have to give more thinking about. You certainly want some very strong XOs [executive officers] in both of them. Right? Mr. Bacon. Right. Two different---- Dr. Libicki. So that, in fact, the XOs are running the agency. Mr. Bacon. Which is what we have today. Dr. Libicki. Which is what we have today, so it depends on the quality of the XO. Mr. Bacon. Mr. Healey, it looks like you have a different thought. Mr. Healey. I think both Peter and I were looking to jump in. One, I don't mind creating a friction. 
I think this is the most escalatory kind of conflict we have ever come across. I don't mind having some brakes on that, just like we don't mind brakes on using nuclear capability. The people that say let's keep them together, they want to optimize offense, intel, and defense, and it is true, keeping them together does optimize that. I want to optimize America's overall defense, and that means optimizing the integration with the private sector. Look at what we have done. We have folded information assurance directorate farther into the signals intelligence directorate at NSA. I would have loved the option to keep that out so that they are able to better work with America's private sector, which I think are the ones that are truly doing the defense. Of course, it makes sense to optimize those things. I just think we--there is a higher priority when it comes to this. Mr. Bacon. Mr.--Dr. Singer. Dr. Singer. I think there are two points here. The first is, just because you divide the dual-hat structure doesn't mean that they can't continue to work effectively together. And we can look at models outside this space for how you have seen task forces and interagency teams and everything from, you know, General McChrystal, what he creates, to engaging into counter--counterinsurgency efforts in Iraq, which brings together talent from across services, other agencies, to how we approach counterdrug efforts down in SOUTHCOM [Southern Command]. So just because you split them doesn't mean you can't operate in this interagency manner. And, frankly, as Jay puts it, it may be easier to bring in other elements either legally or because of their willingness to work with. And then the second is, I would echo Jay's point, there is a worry, you know, but what if they might disagree? That is a good thing. That is a good--that is our system, and disagreements then allow the next tier of leaders--it airs ideas and then allows the next tier of leaders to get both perspectives. 
So I would say the friction between them isn't necessarily 100 percent bad, and in a lot of situations, it might be good. Mr. Bacon. Okay. Well, I appreciate your inputs. I just see a warning--I have commanded five times, and I have seen a good rapport, and I have seen some where there wasn't that good a rapport. And I could see two different four-stars with different visions, and folks that would pay for it would be those 133 teams that have to be working well together. So thank you. I yield back, sir. The Chairman. Mr. Courtney. Mr. Courtney. Thank you, Mr. Chairman, and for organizing this hearing, which is a big one for this committee. First of all, Dr. Libicki, I just wanted to, you know, add a footnote to your comments about the academies. I represent New London, Connecticut, where the Coast Guard Academy, and they are moving very swiftly over the last three or so years to boost their cyber curriculum. And I mean, they are, you know, very, very much focused on that and doing good work. So I am sure, you know, the Naval Academy has obviously been leading the way, but I just wanted to at least add that sort of little extra comment there. And I really have just sort of one question. One of the members talked about back doors. And you may have already covered this, and I apologize, because I was in another committee. But, I mean, we are seeing, you know, obviously, a lot of programs flow through this committee, large platforms whether it's long-range strike bomber, F-35, Columbia class. And, you know, the model for building these platforms now relies on a pretty extensive supply chain, which can be, you know, firms and companies that are, I mean, tiny. And I just sort of wonder if you had any comment about, you know, how we sort of address that issue? I mean, it is a big one in terms of just, again, the number of actors that participate in, you know, pretty sensitive projects. Dr. Singer. Sir, you are exactly right. 
There is a series of potential vulnerabilities, and they extend, again, across from the software-based attacks on the design process, i.e., you know, learning how to model, to copy it all the way to operational side, and then the same thing when you think about the hardware, the potential of hardware hacks on the chips themselves. And the result is that it is--it can play out in anything from lost future arms races or future sales to foreign markets to actual loss in battle. The thing is that the Pentagon senior leadership, I believe, is aware of this problem, but the answer to it has been kind of uneven in its implementation. And I would urge the committee, essentially, to, you know--you are the ones who best know, whether it is through a hearing or a report. We need to figure out, when it comes to these kind of vulnerabilities, how in our acquisition system can we build up resilience, and is it law changes that need to happen in that buying process or is it policy changes that need to happen to incentivize resilience across the supply chain. And to echo something I said earlier, we shouldn't just think about this, though, in the defense industrial base. DOD has a lot of buying power to other parts of the economy. Where can it use that influence to aid cybersecurity writ large for the Nation? Mr. Healey. And if I may, like many cybersecurity problems, this comes down to who pays in many cases. If you are talking about Lockheed Martin having the defenses to keep out Chinese attackers, well, we can say, all right, Lockheed, you have to pay for that. But for many of the companies that we are talking about here, buying in a more secure way for the supply chain is going to be more expensive, and we can't always expect them to foot the bill on that to choose a more expensive part for where there is a little bit more trust. And, of course, when it comes down to more pay, then it is going to be services and committees like these that are going to have to help decide that. 
Dr. Libicki. I would like to make a statement. We mentioned back doors, but I think front doors are also a problem. Okay? Imagine you have a very capable--a very great capability, a very sensitive capability. And you say, I want these people to be able to access it, and you are happy. And then somebody from the outside--not the outside, you know, somebody who is part of your group, or whatever, part of the military, says, oh, I also want an ability to access it. Okay. Well, we give you access. And I also want the ability to access it. Sooner or later, you end up trying to figure out who has got the ability to access it. How many more people do I have to protect? How many more people do I have to monitor? Because there is a tendency in this world to just expand accessibility because it can help people do their jobs. And every time you expand accessibility, you expand the attack surface. And if you are not careful, every time you expand the attack surface, you have created another route for somebody else who doesn't have your interests at heart to go in and try to play with your system. So a lot of cybersecurity means saying no to people. Mr. Courtney. I yield back. The Chairman. Chairman Conaway. Mr. Conaway. Thank you. The officer corps is being trained at the academies, but this exact same training is going on for enlisted ranks at Goodfellow Air Force Base in San Angelo, Texas. Give a shout out. A lot of speculation in the media or in this world about how soon it will be before robotic soldiers take the place of the fight in the kinetic world. How soon will AI supplant the need for--and, Mr. Healey, you mentioned a bit of computer--computers fighting computers. But how quickly will AI supplant the need for all these human beings to be able to defend these networks and do what we do? Mr. Healey. I will take it quickly, and then yield to Peter, since he kind of wrote the books on this. 
One, because I was an alumni at San Angelo, I think it is probably going to come more quickly than we think, as many of these developments do. The part of it that worries me the most--and by that I mean 10 years. The part of it that particularly worries me the most is that on the defensive side, many people are thinking that artificial intelligence, new heuristics, better analytics, and automation are going to help the defense. That if only we can roll these things out faster, that we will be better and the system will be more stable. I think that these technologies are going to aid the offense much more than it aids the defense. Because to defend against these kinds of attacks, you need your own supercomputer. That is fine for the Department of Defense. We have got them lying around. But for America's critical infrastructure, they are not going to be able to afford such defenses in many cases. Certainly, small and medium-size enterprises and mom and pops are not going to be able to. And so that is why that future, in particular, worries me if it goes down that direction, because it leaves much of America undefended. Mr. Conaway. Let me ask one other thing, and you can comment on either one of these. But most of these cyber warriors, the human versions, will be in protected enclaves, probably here in the continental United States, where most of the work will never need, really, to be able to field dress an M-4. However, there are others in this group that may be fully deployed again and protect the enclaves, but they should have some familiarity with it. Is the DOD doing a good job of being able to split out those guys, who are going to be in an enclave forever, don't need to look like a soldier. They probably don't act like one, and they don't take orders like one. 
But is the Department looking at, in terms of the near term, need for human beings, this group of folks that really don't look good in uniform and don't need to know how to fight other than with a keyboard and--or versus AI I think that I mentioned earlier? Dr. Singer. So on your first question on AI, I point to, as an example, at recent hacker convention, DARPA competition had AI competing to bug hunt, and it was won by one from Carnegie Mellon called MAYHEM, and it was able to take on a task that human hackers, bug hunters, it would take them a long period of time, and did it quite quickly. So the point I would make here is that much like, you know, you mentioned robotics and drones and conventional warfare, we have a couple of kind of disruptions potentially coming in the cyber conflict side. AI would be one, another would be quantum, where when I say disruption, it is not just when is it going to happen, but we don't yet know is it going to privilege the offense or defense, what are going to be the effects of it. So in my written testimony, I advocate that you should hold a classified hearing on trying to find out where do we stand in these technologies versus likely adversaries, because they are critical. We don't want to fall behind on them. On your question of people, the answer, to be blunt, is no. We have done a very good job of organizing existing talent within the military, be it an Active Duty or starting to retool the National Guard, but we don't have a means for pulling in people outside the military who are willing to serve but not to formally join or unable to because of some requirement. And that is why in the written testimony I propose a sort of series of actions and organizations that could help us do that better. Mr. Conaway. Dr. Libicki. Dr. Libicki. I just want to add one thing. 
It is important to get talent into the technical side of hacking and counter-hacking, but from a military perspective, it is also important to have people who understand how offensive and defensive cyber warfare fits into all of the other elements of warfare so they can be presented in an integrated manner. And for that, I don't think you have much of an alternative but a militarily trained individual, whether an officer or enlisted. Mr. Conaway. Clearly, it is not either/or. It is both. Because the physical requirements to run a keyboard and a mouse pad are dramatically different than somebody who has got to even go downrange and run a keyboard. I appreciate your perspective, and I yield back. The Chairman. I would just note an editorial comment on the AI discussion. It seems to me that we are always a lot better at developing technologies than we are the policies on how to use them, and that certainly seems the case there. I would like to back up and maybe rehash a little bit some of the topics that you all have touched on. Starting with the role of the military to defend the country in cyberspace. If there were a bunch of bombers coming toward refineries in the Houston ship channel, we know what we would expect the U.S. military to do to defend that private infrastructure. If packets were coming through the internet against the same refineries, under the Obama administration, if it caused death or significant economic damage, I guess, not really defined, then the military could get involved to defend that private infrastructure. You have got to make judgment calls, all this is happening at the speed of light, et cetera. So I would just appreciate reflections from each of you on the appropriate role of the military in defending nonmilitary--in defending the country, private infrastructure especially. Dr. Libicki. 
I think there are a lot of things that the military can do, but I think it is also--there are a lot of things the military cannot do, and a lot of the difference, by the way, between the two is the sort of a technical difference. Let me give you an example. Let us say we lived in a world where the technology of firewalls was good enough, and the economies of scales of firewalls were such that it made sense to have a national firewall. Right? You could say, well, that could be a role for the Department of Defense. It could be a role for another part of the Federal Government, et cetera. Let's say the Department of Defense, because it often takes classified information to make a firewall run well. Right? And if it turns out that that was a large part of the solution, there would be a strong argument for the military. But the state of firewall technology does not suggest a ground for that sort of optimism. There are--it doesn't defend against zero-days. It doesn't defend against built-in malware. It doesn't defend against encrypted stuff. And by the time you sort of do a positive and a negative, you end up saying, I don't think the firewall is going to get us there, and, therefore, I don't think whatever role is associated with running the firewall is going to get us there either. I don't think it is a question of, well, physical is going to be military and cyber is not going to be military, because there is a sort of existential difference between the two. I think it is a matter of what tools do you use and then how do you deploy those tools. And if the tools that you need to use, for instance, have a lot to do with architecture, have a lot to do with systems administration, have a lot to do with training, then the role for the Federal Government is correspondingly smaller. If, however, you are depending on barriers, if you are depending on classified intelligence, then the role of the military is larger. 
And it might be, for instance, that 20 years from now, with the technology, that the role of the military is much larger than it is today because the tools are different. It is entirely possible that 20 years from now, the role would be smaller, because we are looking at a different set of tools entirely. Okay? It is not an ideological ipso facto issue. You have to follow the technology in order to think about roles and missions. The Chairman. Interesting. I want you all's perspective too. In addition, you have got to figure out who is doing it. Because if it is the most sophisticated sort of state actors, then it is pretty hard for anybody, other than our military, to defend against it. But I would be interested in you all's perspective on this. Dr. Singer. So I think it is interesting to use your example to look back at history. So we have the obvious, a bomber plane crosses into our territory, drops a bomb, military responsibility. But we had a real--fortunately, that never happened in World War II or ever. But we did have a real-world example in World War II where German submarines dropped off saboteurs, and the Navy was responsible for hunting down the German submarines. In the midst of an all-out national conflict, it was the FBI that was in charge of the saboteur hunting down. So I point to--you know, we have wrestled with these before in the physical domain. So I think when it comes to the questions of roles and responsibilities, the way we have divided out so far for the military makes a great deal of sense. It is very clear offensive action should be governmental, should be military responsibility. I would note, there's been a push recently for, hey, shouldn't the private sector be able to hit back on its own. I would argue that is a very bad idea. It is a bad idea for the same reason that vigilantism in general is a bad idea. Makes you feel good about yourself, it doesn't actually do anything about the effect. 
When you move into politics, if we have got private actors out there hitting foreign entities, they might think it is a U.S. state action. So that is clearly military. Defend its own networks, again, clearly military, pulling in aid from the private sector. Where it gets questionable is in this what should the military do to aid the private sector. And as I think Jay noted and probably will note, it is not just a question of what kind of roles and responsibilities. There is also the hard reality that the private sector knows its own systems better. So it is going to be the one best equipped to defend itself, set aside all of the other kind of appropriate questions. So, for me, the parallel here is just like when there is a natural disaster or some other thing, the military should be on call to aid. When it moves into a situation of war, where it is an act of violence, political in nature, now we have moved into there is a clear role for the military. So they should be able to aid if they are called upon by other agencies, but if we are short of an act of war, I don't want them fiddling around with power grid networks or the like. The Chairman. Okay. And, Mr. Healey, as you answer, I just want to add another layer here. So according to press reports, a foreign actor destroyed computers owned by Saudi Aramco. Is that destruction of property that justifies this kind of added layer of military involvement if something like that were to happen here? Mr. Healey. Without a doubt. I used to be the vice chairman of a group called the Financial Services Information Sharing and Analysis Center [FS-ISAC] that coordinates response and information within the finance sector. And there is a bunch of military help that I could have used, but it is not generally the military help that we think. 
I would have loved to have had just some senior NCOs [noncommissioned officers] or good junior officers that knew how to respond to incidents and could keep their head so that when we had a bad incident, that they could help us get ready for the response and what was going to happen next. I could easily imagine a situation where attacks against the finance sector, where we have to call for fires, where we have--the banks have to say, we are not going to be able to open for business tomorrow unless we get this taken care of. How are we going to do that, that call for fires? The private sector is the supported command. We need to start thinking about this. On the finance sector, is finally starting to push an issue of how do we get our intelligence requirements listened to? We are the ones that are on the front line. How can we have some communication with the intel community just like any other customer? To me, this is so difficult, because the attacks have largely been so inconsequential, not causing death and destruction. So I like to step back and say, well, imagine if we are not in a gray area. Imagine it is black and white. People have--Americans have just died because of foreign cyber attack. In the Aramco case, large-scale attacks against our refineries. What do the American people, what does the American President now looking to, to the military? It is not support to civil authorities. We are going to be looking for that military to step up. And the last thing I will mention is, in historical analogy, during the Battle of Britain, they invented something called the Dowding System, where they were having to track what incoming fighters, what is the radar telling us, which fighters are we going to divert. And so I see us needing a modern version of this Dowding System that includes the private sector. So that when you have these kinds of attacks, we have got information that is coming in and we can figure out how to handle those defenses. 
I don't believe that is probably going to be at the NCCIC [National Cybersecurity and Communications Integration Center], at DHS where it is right now, and it might not even be at Cyber Command. We might need a more American model that brings together a better partnership. The Chairman. One other thing that occurs to me as you were talking is, we are going to--if that is the case, we are going to have to have a government decision-making ability in appropriate time. You cannot take every one of these cases to the NSC [National Security Council] and deliberate on it for a month. Maybe we are moving more in that direction, but it has obviously been a problem before. Let me yield to the distinguished ranking member of the Emerging Threats Subcommittee, Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. I want to thank you for convening this panel. It has been a great discussion. I wish I had been here for all of it. I was at a Homeland Security briefing on cybersecurity, on this topic as well. So--but I appreciate all of the contributions you all have made in various aspects to this dialogue and the work you are doing in this field. Dr. Libicki, let me start with you. What metrics do you believe we should have in place to determine if cyber operations, both offensive and defensive, are effective or not? Dr. Libicki. Well, that is a very interesting question, because metrics are one of the hardest things in security. Right? The problem with a lot of defense is if the other side is only interested in stealing your information, and you don't know about it, you think you are in good shape, when, in fact, you are not in good shape. One of the things that our intelligence community and our law enforcement community has gotten some traction on is trying to figure out, by looking at the other side, what people have stolen from our own side in terms of--in terms of how good our defense is. In terms of our offense, that--some of it you can do directly. 
If you maintain a presence on the other person's network and you want to attack it in a certain way, as long as that attack doesn't kick you out of that network, you have a fairly good platform for how you see the other side react. But, in general, I think when you are judging offense, you have to take a look back and say, what is the broader overall military effect that we want to have and how do we measure that particular effect, not merely the cyber effect? I think there is often a tendency--particularly because cyberspace operations are so technical--to measure the quality of cyberspace operations and did we move the ones and zeros without measuring the bigger picture, did it help us win the battle/campaign/war? Mr. Langevin. Anybody else? Dr. Singer. I would add in a couple of other elements. When you are thinking about on the offensive side, we have typically framed it in terms of classic military operations where, clearly, many, if not most, of our adversaries are looking at them through the lens of influence operations. So it is not how many websites did I take down or your access to GPS or the like, but it is how did I shape the overall environment? How did I, to put it bluntly, hack your hearts and minds? And that is something that we need to pay attention to both in adversary hands and ours. The second is on the defensive side. When we are looking for metrics, again, they are not just sort of the obvious ones of detecting attacks. What we are seeing in the corporate sector moving more to this resilience strategy is--a key is recovery time. So how long after I have detected--how long after I have been knocked down do I get back up quickly? And this points to, again, the concept of deterrence by denial. If you have got good recovery time, then you have nullified what the attacker did to you. Mr. Langevin. Thank you. Yes, it is one of the things I am wrestling with right now is, you know, how do we assess metrics. 
And we have the NIST [National Institute of Standards and Technology] standards, for example, which are important, but, you know, the degree to which they are being adopted and if they are being adopted, is the framework effective? We don't have any sufficient metrics right now to measure that. So let me ask, while I have--so I have a little bit of time left, to all of our witnesses. In your opinion, what are the greatest policy challenges that the Department is facing with respect to military operations in the cyber domain? Dr. Libicki. I would say that the greatest challenge the DOD faces is understanding its own vulnerability and understanding its own vulnerability on an end-to-end basis. Mr. Healey. I think that is a fine answer. I am still--I struggle when I talk to DOD officers and officials, and they seem pretty uncurious about how tomorrow's cyber conflict might look different than yesterday's. They are so deep down into looking at the ones and the zeros and talking about network speed and hazy borders that I would love their challenge to pull out. I mean, we are so busy doing the destroyer engagements, we are not thinking about fleet actions or what actually winning is going to mean in this field. Dr. Singer. I would echo the concept here, again, of while it is almost natural and in terms of identity and thinking to focus on the offensive, on the how do I use this, how do I take it to the enemy, the reality is that resilience is the side, that building up DOD resilience would give us a greater advantage. It is just, to put it bluntly, not as sexy, and it is not something that has the same appeal. The second to add to this would be multidomain operations, understanding how fires from one domain might affect another domain. 
And a key element of this is recognizing that a lot of what we are talking about is not just cybersecurity but moves into the space of electronic warfare [EW] where adversaries, in particular Russia, have been making deep, deep investment in that. And as they showed off in Ukraine, particularly in the ground forces side, they are probably better than us. And this is an area where, again, we may need to think about, you know, coming off of decades-plus of counterinsurgency, have we shrunk too much our electronic warfare capability, not just building out cybersecurity capability, but do we need to build up EW side too? Mr. Langevin. Thank you all very much. The Chairman. Mr. Khanna. Mr. Khanna. Thank you, Mr. Chairman, for convening this panel and for your leadership of our committee. My question is for Mr. Healey. I was very pleased to read in your testimony that the center of U.S. cyber power is in Silicon Valley and not in Fort Meade. Of course, I represent that area, and that is what the many folks in the Valley think. My question for you concerns coordination. The reality is, today, we have many private companies that have their own basic cybersecurity defense, and we would never have that each company have their own private military. Is there a way to have information sharing or a platform between these companies? Is there a way to have information sharing between them and the government in a way that doesn't compromise classified information? Mr. Healey. It is a great question, and I am very happy that I had a chance to come back and add some details to these remarks. Some of those already exist and are relatively well funded. We can still build capability. Others don't exist, and we hope that they will stand up. Others are in place but relatively starved of resources. I have been, as I mentioned, the vice chairman of the FS-ISAC. And we only shared information and coordinated response for people that paid to be members; largely, that meant Wall Street. 
We got about a $2 million grant from Treasury to re-up our technology, but we had to include all 13,000-plus financial institutions in the United States. And now the FS-ISAC is winning awards for being the best information-sharing and response organization. I think that is the best $2 million that we spent in U.S. Government on cyber ever. Compare that. DHS right now is spending millions of dollars a year on a vulnerability database that is in trouble right now. One of my colleagues was running an open source version of that that had something like four times as many vulnerabilities in it for $10,000 a year, and they ended up having to close up shop because they were starved of resources. So there is so much that is happening out there, and we don't necessarily have to recreate that within the Department or within the government, because it already exists. Others that I will mention--and I am sorry, I won't break out the acronyms in the interest of time. NANOG [North American Network Operators Group] is an operating group that helps coordinate the main network service providers. NSP-SEC [Network Service Provider-Security] does the same and was critical in the response to the denial of service attacks on Estonia. And there are many of these groups out there that are already helping. And I think with some small targeted grants like the FS-ISAC could, we are talking about a few million dollars, they might be able to build a secretariat, they might be able to include new technology, and I think really make a difference. You saw this with the defense industrial base sharing where just saying, go ahead, you can share, and you won't get an anti--in anticompetitive trouble led to significant differences. Mr. Khanna. I would love to follow up with you offline and get your thoughts on this. But if you were to prioritize, then, one or two things that we on the committee could do, what would those be in terms of the funding? Mr. Healey. In this area? 
The first thing I would want to do, and this is this committee but also maybe Homeland Security, is have the executive branch go through each of several different kinds of the main incidents that we faced--botnet takedown; denial of service attack; major malware spread, like Conficker; counter-APT [advanced persistent threat]--and go through in a disciplined way, who took what actions, who took what decisions based on what information, and what happened next. I think if we went through that process in a disciplined way--include decision modelers in that. I mean, again, we are talking about a few million dollars. And you come out with that and now you know the actual decision makers, you know what the information sharing requirements are. We can build our cyber incident response plan around that, and then we can help use grants, if necessary, to start building the capability where it is needed to make sure that is going to happen better next time. Thank you. Mr. Khanna. Thank you. Well, thank you for your testimony, and I hope we can work with you on these issues. Thank you, Mr. Chairman. The Chairman. Thank you. I want to go back to resilience for just a second. Now, you all talked a lot about it. Obviously, the drive for the Department of Defense--and you have all mentioned, you know, an Internet of Things; everything is connected; every platform is a sensor--so to increase your capability. And yet, as we think about the Russian hacking, one of the reasons people had confidence in our voting system is because every State was different, and so that diversity, the fact that they were not all linked together, was part of the resilience that made it much harder for any actual changes to happen in the voting. So how do you balance that? You want to be more effective. We don't have enough money, and yet does not this drive to have everything connected reduce our resilience? Dr. Singer. There are a couple of things to note. 
I mean, we should be clear that--well, I will put it this way. Part of how you find that optimal mix of--what you are laying out is essentially kind of both diversity but new and old, and the constant story again, whether it is your personal cybersecurity or DOD cybersecurity is this battle between convenience, effectiveness, and security, and that is the same--so you find that optimal space, frankly, by doing, by training, by testing. I would use the example of the election side, though, to illustrate this. There has been testing done that shows, yes, voting machines are vulnerable. It is not that the diversity kept us safe. It is that, in the 2016, the threat actor didn't go after them. The threat actor went after not the voting machines but the voting public, and this is again a lesson to the DOD side, is it is not always about how does my system work; it is about the humans behind them, be it their hearts and minds and sentiments or their awareness or the like. So, you know, we shouldn't tell ourselves that we have been made secure because an actor didn't go after something. The actor went after something else and was effective at it and, now, again, are going after other allies. They are not targeting, as far as we are aware, the French voting machines or the German voting machines. They are targeting the voting public and getting potentially maybe more out of it. Mr. Healey. And I think it is a great point, and I really want to associate myself with Dr. Singer's point in this and your previous question, because to me, when I hear the military talking about cyber and the third offset, I get really, really worried because it seems, from a lot of my colleagues that I hear from, they are thinking that that means more offense and offense is going to be how we can use cyber as part of the third offset to move in a way that our ally--that our adversaries can't. I think you have hit exactly on resilience is the way that we can do that. 
Having better cybersecurity so that we can have deterrence by denial and they are not going to be able to affect us is a critical part of that. I have been very heartened to see what has been happening in the military the few years where they are saying, ``Let's operate--let's unleash the red teams and exercise this so that they can really show us what they can do and really affect the exercise,'' whereas, normally, you would not let them affect the exercise goal. Just like the Air Force used to make sure pilots could operate through jamming, they are now starting to say, what can we do when we don't have the internet? I think that kind of resilience is really where we are going to have the third offset. The Chairman. I agree completely on exercising when your networks go down or something; that is true. And I just mention among the hearings we are planning in the future is one that looks more broadly at, however you want to describe it, hybrid warfare, attempts to influence policy short of traditional methods of warfare. Certainly what the Russians are doing are some examples. Chinese are using their economic power. Others--I mean, this is one of our key challenges, I think, which you all have touched on, but we don't have time to get in. Thank you all for being here. It has been very helpful. The hearing stands adjourned. [Whereupon, at 12:08 p.m., the committee was adjourned.]

A P P E N D I X March 1, 2017

PREPARED STATEMENTS SUBMITTED FOR THE RECORD March 1, 2017

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

QUESTIONS SUBMITTED BY MEMBERS POST HEARING March 1, 2017

QUESTIONS SUBMITTED BY MR. FRANKS

Mr. Franks. 
Background: How are forensics done in a timely manner to determine if the attack was nonstate, state actor, or local terrorist? Once identified by DOD, what authorities are required to conduct a mission to stop the attack, mitigate it in the future, and/or attribution of the origin of the attack.

Question: What is USCYBERCOM doing to counter our adversaries before, during, and after an attack or probe on DOD networks?

Dr. Singer. There are a wide variety of forensics, some of which involve monitoring your own network activity, others gaining access to and monitoring potential attacker networks, and even the use of information outside cyberspace (HUMINT for example). The key is to establish awareness of the attack as rapidly as possible which then allows an appropriate response. To some attacks, you might simply want to close off access. Others, you might want to feed them false information. And still others might be an act of war that require response in realms beyond cyberspace. CYBERCOM engages in and prepares for this range of scenarios. A key, as in my written testimony, is more exercises/wargames that stress test our own systems, explore new doctrines. Better to find vulnerabilities or discover new methods in the practice than in the big game.

Mr. Franks. Background: Industrial control system (ICS) is a general term that encompasses several types of control systems and associated instrumentation used in industrial production, including Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. Since cyber is a man-made domain of operations, DHS should be responsible for ICS/SCADA attacks as they are in industry. However, since cyber happens so fast, attribution can be a challenge to determine if this is really a U.S.C. Title 10, 18, 32 etc... lane of responsibility.
So imagine a bomber from a state actor was heading to the U.S. with intent to destroy an oil refinery. Who should respond? DHS or DOD?

Question: Who do you believe is responsible to respond to SCADA/ICS network attacks? If DHS, what is USCYBERCOM or DOD doing to facilitate/support the operations as all data transverses over the same IP provider? Why would DHS be responsible for defense or counter measure against a state actor, wouldn't DOD be planning those actions?

Dr. Singer. ICS is used everywhere from U.S. Navy ships to traffic lights to energy plants to toymakers. The defense of such systems would be shared across the operators of the systems, supported by legal authorities (DHS etc) and, if moving into the realm of state attack in the context of war, the DOD. For example, DHS and other government agencies can't/shouldn't operate a toymaker or oil refinery's SCADA system on its own, but it should be enabling the operators to better defend themselves in realms that range from information sharing, standards setting, threat intelligence etc, as well as incentivizing the market via insurance etc. In turn, if a state actor did attack such a system with the intent of making war (physical damage etc), we wouldn't want the toy or oil company to retaliate, but the U.S. military and other relevant agencies, with our means not limited to only cyber retaliation.

Mr. Franks. Background: Since 1988 each of the theater, unified commands have established a separate Special Operations Command (SOC) to meet its theater-unique special operations requirements. As subordinate unified commands, the theater SOCs provide the planning, preparation, and command and control of SOF from the Army, Navy, and Air Force. They ensure that SOF strategic capabilities are fully employed and that SOF are fully synchronized with conventional military operations, when applicable.
SOCs, established as sub-unified commands of the combatant unified commands, are the geographic Combatant Commander in Chiefs (CINCs) sources of expertise in all areas of special operations, providing the CINCs with a separate element to plan and control the employment of joint SOF in military operations. Additionally, SOCs provide the nucleus for the establishment of a joint special operations task force (JSOTF), when a joint task force is formed. There are six SOCs supporting geographic CINCs worldwide.

Question: If the SOCOM model has worked for years with proven performance in geographic AORs, why hasn't USCYBERCOM moved out to support the warfighter in the same manner?

Dr. Singer. As a young organization, with a unique positioning vis STRATCOM and NSA, U.S. CYBERCOM has not been structured or empowered to act like a full equivalent of SOCs as you lay out. I do believe that it is evolving towards this model (vs a TRANSCOM-style or separate service future) and Congress would do well to support studies on what aspects of the model are applicable or not, and what challenges that the SOCOM organization has faced (particularly in its cohesion with theater command) might be navigated as CYBERCOM moves forward.

Mr. Franks. Background: How are forensics done in a timely manner to determine if the attack was nonstate, state actor, or local terrorist? Once identified by DOD, what authorities are required to conduct a mission to stop the attack, mitigate it in the future, and/or attribution of the origin of the attack.

Question: What is USCYBERCOM doing to counter our adversaries before, during, and after an attack or probe on DOD networks?

Dr. Libicki. Attribution is the process of narrowing down who did what. In the United States, it uses a combination of intelligence (apparently, we track certain cyber groups) and forensics.
The latter uses information from the attack such as the IP addresses and malware used, social engineering tricks, and nation-linked indicators (such as language)--to make an educated guess about who did it. Much of it is quick; some of it is slow and depends on the flow of future information: e.g., an attack that we know was carried out by X leaves indicators which then match the indicators of an earlier attack which can then be attributed. Some recent trends--notably the use of black-market tools--are troubling for attribution because they could be wielded by anyone. USCYBERCOM's ability to do anything prior to an attack largely depends on its foreknowledge of particular hacker groups (and would thus be of limited use against an unknown hacker). The best we can hope for--if the hackers themselves are unaffected by whatever the United States does (e.g., are not arrested)--is to be able to postpone an attack and force the group to develop new accesses as well as new tools or techniques. At best, this buys six months (taking down a botnet can provide somewhat longer relief but that's a different form of cyberattack). At worst, the attackers have been dealt a minor inconvenience, and the better hackers have backup plans in case their infrastructure (e.g., their favorite IP sites) are discovered and compromised.

*Please note that I have never worked for CYBERCOM, and any statements about them are based on my understanding of unclassified information.

Mr. Franks. Background: Industrial control system (ICS) is a general term that encompasses several types of control systems and associated instrumentation used in industrial production, including Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures.
Since cyber is a man-made domain of operations, DHS should be responsible for ICS/SCADA attacks as they are in industry. However, since cyber happens so fast, attribution can be a challenge to determine if this is really a U.S.C. Title 10, 18, 32 etc... lane of responsibility. So imagine a bomber from a state actor was heading to the U.S. with intent to destroy an oil refinery. Who should respond? DHS or DOD?

Question: Who do you believe is responsible to respond to SCADA/ICS network attacks? If DHS, what is USCYBERCOM or DOD doing to facilitate/support the operations as all data transverses over the same IP provider? Why would DHS be responsible for defense or counter measure against a state actor, wouldn't DOD be planning those actions?

Dr. Libicki. Everything depends on what the response is. DOD gets the call to prevent bomber aircraft from getting to the refinery because of how bombers are engaged (e.g., with other aircraft, or by anti-aircraft systems). DHS or local police would get the call to prevent a terrorist from getting to the refinery because such a terrorist would be engaged by border enforcement and/or police action. A similar logic would dictate how a hacker would be stopped from attacking SCADA/ICS networks. If the particulars of exploit are understood, it can be stopped by the defensive actions of the network owners; DHS may play a role but only insofar as its advice works and is considered useful and actionable. If the origin but not the particulars of the exploit are understood, it may be possible to block the relevant bytes at the border (or would be if the legal authority existed and the ISPs were equipped to detect and sinkhole the relevant bytes). If the origin or a waypoint of the attack were known but nothing else, there is the possibility of covert action by CYBERCOM or the CIA against the relevant node (although as the last answer indicated, that only buys time and not much).
If the author of the exploit were identified but nothing else was known, the author may be subject to police action (especially if the author sat in friendly territory). If the author sat in a hostile country, it may be up to the State Department to persuade the country to yield the individual. If nothing else worked, and there was no other way to head off the attack (and, in fact, there often are many other ways), the author could be militarily attacked but that is tantamount to waging war on another country--which carries risks unless the country is essentially ungoverned or already a war zone (but these are qualities that make it difficult to carry out cyberattacks from such locations).

Mr. Franks. Background: Since 1988 each of the theater, unified commands have established a separate Special Operations Command (SOC) to meet its theater-unique special operations requirements. As subordinate unified commands, the theater SOCs provide the planning, preparation, and command and control of SOF from the Army, Navy, and Air Force. They ensure that SOF strategic capabilities are fully employed and that SOF are fully synchronized with conventional military operations, when applicable. SOCs, established as sub-unified commands of the combatant unified commands, are the geographic Combatant Commander in Chiefs (CINCs) sources of expertise in all areas of special operations, providing the CINCs with a separate element to plan and control the employment of joint SOF in military operations. Additionally, SOCs provide the nucleus for the establishment of a joint special operations task force (JSOTF), when a joint task force is formed. There are six SOCs supporting geographic CINCs worldwide.

Question: If the SOCOM model has worked for years with proven performance in geographic AORs, why hasn't USCYBERCOM moved out to support the warfighter in the same manner?

Dr. Libicki.
When CYBERCOM started up, its Commander (GEN Alexander) argued that all the forces belonged to him and he would direct their use. Over time the relationship between particular mission teams and the regional CINCs have grown closer to the SOC model. I think that trend is continuing. But there are two reasons why they may never be the same. First, offensive cyber operations often rely on a bag of tricks (some of which are zero-day exploits). Once these tricks are exposed, they cannot be easily reused. Thus there may have to be some central allocation of these tricks so that high-value tricks are not used for low-value objectives. This use-once feature does not apply to special operations quite so much. Similarly, there is a lot of common learning that has to happen and a unified organization provides a basis for such learning. Two, getting the requisite access to a target system can take a long time. There is no equivalent of kicking down the door. Thus, teams have to be dedicated to targets well in advance of when these targets are attacked. The bullpen model--here are some forces, what would you like them to do for you today--does not work very well for cyberspace operations.

Mr. Franks. Background: How are forensics done in a timely manner to determine if the attack was nonstate, state actor, or local terrorist? Once identified by DOD, what authorities are required to conduct a mission to stop the attack, mitigate it in the future, and/or attribution of the origin of the attack.

Question: What is USCYBERCOM doing to counter our adversaries before, during, and after an attack or probe on DOD networks?

Mr. Healey. I defer to USCYBERCOM for the particulars.

Mr. Franks.
Background: Industrial control system (ICS) is a general term that encompasses several types of control systems and associated instrumentation used in industrial production, including Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. Since cyber is a man-made domain of operations, DHS should be responsible for ICS/SCADA attacks as they are in industry. However, since cyber happens so fast, attribution can be a challenge to determine if this is really a U.S.C. Title 10, 18, 32 etc... lane of responsibility. So imagine a bomber from a state actor was heading to the U.S. with intent to destroy an oil refinery. Who should respond? DHS or DOD?

Question: Who do you believe is responsible to respond to SCADA/ICS network attacks? If DHS, what is USCYBERCOM or DOD doing to facilitate/support the operations as all data transverses over the same IP provider? Why would DHS be responsible for defense or counter measure against a state actor, wouldn't DOD be planning those actions?

Mr. Healey. Answer 1: The first response will always be the private sector and only the private sector. Neither DOD nor DHS have any capability to respond in any kind of timely way and neither additional authorities nor money will make any difference. DHS can help ensure coordination happens and has some role, but it is as a supporting actor, one among many in an ensemble cast, not the leading role.

Answer 2: After the first response, which is only the responsibility of the private sector, then the U.S. government does have more of a role. If it comes to counter measures, then DOD ought to plan and execute those actions. I recommend each critical infrastructure sector should have one military unit, chosen from the Guard or Reserves, which specializes in that sector and can help this coordination.
For example, an Air Guard or Reserve squadron from Texas (where many cyber units are located) could specialize in the oil and gas sector. Another unit, perhaps from the Army Guard or Reserve, could specialize in the finance sector, and work with that sector's organizations, like the Finance Sector Information Sharing and Analysis Center (FS-ISAC).

Mr. Franks. Background: Since 1988 each of the theater, unified commands have established a separate Special Operations Command (SOC) to meet its theater-unique special operations requirements. As subordinate unified commands, the theater SOCs provide the planning, preparation, and command and control of SOF from the Army, Navy, and Air Force. They ensure that SOF strategic capabilities are fully employed and that SOF are fully synchronized with conventional military operations, when applicable. SOCs, established as sub-unified commands of the combatant unified commands, are the geographic Combatant Commander in Chiefs (CINCs) sources of expertise in all areas of special operations, providing the CINCs with a separate element to plan and control the employment of joint SOF in military operations. Additionally, SOCs provide the nucleus for the establishment of a joint special operations task force (JSOTF), when a joint task force is formed. There are six SOCs supporting geographic CINCs worldwide.

Question: If the SOCOM model has worked for years with proven performance in geographic AORs, why hasn't USCYBERCOM moved out to support the warfighter in the same manner?

Mr. Healey. My apologies, I am not aware of how USCYBERCOM has organized itself in this regard and the reasons why. I defer to them for the particulars.

______

QUESTIONS SUBMITTED BY MS. HANABUSA

Ms. Hanabusa. When we talk about cyber warfare, naturally, we tend to focus on where the threats are. In the Asia-Pacific, that means China, North Korea, and to a lesser extent, Russia.
However, we rarely focus on our allies--nations we can partner with in the cyber domain to build capacity, share information, and mutually defend each other. Can you speak to how we're cooperating with our allies on cyber warfare, particularly Asia-Pacific nations like Japan, South Korea, and Australia?

Dr. Singer. We have various levels of both information sharing and agreements with our partners in Asia, with Australia having the added link of the ``5 Eyes'' participation. Two key areas to enhance are 1) aligning our norm building, so that it is not each country individually pushing for action by an adversary state, but multilateral and global alliances, and 2) joint military training, as adversaries can/will seek to exploit alliance vulnerabilities and seams.

Ms. Hanabusa. When we talk about cyber warfare, naturally, we tend to focus on where the threats are. In the Asia-Pacific, that means China, North Korea, and to a lesser extent, Russia. However, we rarely focus on our allies--nations we can partner with in the cyber domain to build capacity, share information, and mutually defend each other. Can you speak to how we're cooperating with our allies on cyber warfare, particularly Asia-Pacific nations like Japan, South Korea, and Australia?

Dr. Libicki. My best understanding is that there is a lot of interchange among all three Pacific allies, but they are better characterized as from time-to-time rather than day-to-day. As for defense, there is a large and growing world of contractors whose advice is probably as good as and sometimes better than what is available from allies' military forces or other employees. When it comes to offense, however, security classification levels are very high; we probably share a lot more with Australia (a Five-Eyes member) than we do with Japan and South Korea.

Ms. Hanabusa. When we talk about cyber warfare, naturally, we tend to focus on where the threats are.
In the Asia-Pacific, that means China, North Korea, and to a lesser extent, Russia. However, we rarely focus on our allies--nations we can partner with in the cyber domain to build capacity, share information, and mutually defend each other. Can you speak to how we're cooperating with our allies on cyber warfare, particularly Asia-Pacific nations like Japan, South Korea, and Australia?

Mr. Healey. There are excellent stories to tell here, in quiet diplomacy, sharing, and cooperation with key nations, including those in the Asia-Pacific region. The Departments of Defense, State, and Homeland Security and the DNI can give you more detailed answers, but it is worth noting we've got long-standing signals intelligence relationships with all three of these nations, agreements which have extended into cyber capabilities. In addition, the United States has held extensive bilateral agreements with these countries, in addition to India, and works closely with Singapore. Perhaps more important, U.S. companies work extensively with their subsidiaries and peers in these countries, ensuring that attacks are prevented and stopped, at no cost to governments (and with no arguments about authorities).

______

QUESTIONS SUBMITTED BY MS. ROSEN

Ms. Rosen. Cyberspace has been called the fastest evolving technology space in human history, both in scale and properties. The United States was the victim of great exploitation of this technology realm in the 2016 election, and in your testimony you call it ``the most important cyber-attack so far in history.'' If our cyber systems do not out-perform those of our adversaries, our national power is at risk in all of the domains in which we operate. What specifically must the United States do, that we are not yet addressing, to deter adversaries in this complex threat environment, and how should we respond to those who aim to meddle in it?

Dr. Singer.
In my written testimony I identified 30 specific and non-partisan actions that the Congress could take to better protect the nation. Available at: http://docs.house.gov/meetings/AS/AS00/20170301/105607/HHRG-115-AS00-Wstate-SingerP-20170301.pdf

If we do not better respond to Russia's operations, we undercut any future cyber deterrence.

Ms. Rosen. Is our cyber force structured for rapid response to meet national requirements and combatant commander needs, or are we mired by the bureaucracy of a NSA and CYBERCOM dual-hat command?

Dr. Singer. The time has come to establish Cyber Command's long-term status and disentangle the ``dual hat'' leadership structure with the National Security Agency. These two valuable organizations work in the same realm, but they must reflect different organizational culture, goals, and processes. Of note, among the original rationale for this ``dual'' structure was concern that the leadership of Cyber Command would not have enough stature with Congress; instead, the post-Snowden debates have meant that Congress has more often become interested in their NSA role.

Ms. Rosen. How does our cyber apparatus differ from those of our state-adversaries and allies? What technologies are they using and how are they employing them?

Dr. Singer. There are some 100 plus nations that have cybersecurity organizations of some kind, parallel to the U.S. Cyber Command. They range in their funding, number of personnel, etc. but one of the most noted is how they make use of entities beyond government. The U.S., for instance, tends to rely on private contracting companies, while Russia, as a point of comparison, has made use of criminal networks and China of university linked cyber militia. As I submitted in my testimony, the Estonian model of better leveraging civilian expertise is an apt model for the U.S.

Ms. Rosen. What additional efforts should we be making to protect against hacking? Do you see an obvious action that Congress should take?

Dr. Singer.
In my written testimony I identified 30 specific and non-partisan actions that the Congress could take to better protect the nation http://docs.house.gov/meetings/AS/AS00/20170301/105607/HHRG-115-AS00-Wstate-SingerP-20170301.pdf

Ms. Rosen. How is attribution possible without revealing sources and methods of U.S. cyber capabilities?

Dr. Singer. Full sources and methods will not be able to be disclosed in every case. In some situations, the information will only be able to be shared at different levels of clearance or with some information removed. But this should not limit all attribution. A good parallel is the 2011 alleged Iranian plot to conduct an attack inside the U.S. The U.S. government attributed it to Iran but did not disclose ALL our sources and methods. Yet the House still voted for sanctions. As I point out in my testimony, the case of Russia's attacks on U.S. targets is backed by an extensive and wide range of both U.S. government but also private company information. The question now is not whether Russia did it, but how will we respond?

Ms. Rosen. Is our cyber force structured for rapid response to meet national requirements and combatant commander needs, or are we mired by the bureaucracy of a NSA and CYBERCOM dual-hat command?

Dr. Libicki. The primary barrier to a rapid response is not our inability to make decisions so much as it is the difficulty in acquiring and maintaining access to systems that we might want to attack via cyberspace. A large part of the reason that cyberattacks were not used against Libya is that prior to the Arab Spring there was no good reason to penetrate Libyan air defenses to create a capacity for some later cyberattack. Once such a reason existed, there was not enough time to exploit such penetrations for effect before other faster means could be brought to bear.

Ms. Rosen. What additional efforts should we be making to protect against hacking? Do you see an obvious action that Congress should take?

Dr. Libicki.
As a general rule, the primary defenses against cyberattack are those undertaken by network/system owners. For non-government systems, the Government is on the outside looking in. It can provide assistance, but cannot guarantee that such assistance will be used (or if used, used effectively). But there are exceptions.

1. Certain systems, notably the electric grid, should be isolated from the outside world (and not just put behind firewalls, many of which are permeable). Furthermore, they should be able to pass penetration tests to indicate they are, in fact, isolated. Legislation to that end, as long as it is temporary (so that the result can be evaluated) and limited to the electric grid (it helps to take one step at a time) could be useful.

2. DDOS attacks are a unique concern. Unlike with most cyberattacks, they do not arise because of something the victims themselves did wrong. ISPs should be given some authority and incentive to detect and sinkhole the traffic that constitutes a DDOS attack--but exactly how is something I'm still wrestling with.

Ms. Rosen. Is our cyber force structured for rapid response to meet national requirements and combatant commander needs, or are we mired by the bureaucracy of a NSA and CYBERCOM dual-hat command?

Mr. Healey. I suspect the answer you get from U.S. Cyber Command is that they want to be escalated so they can be better structured for rapid response. This is probably true but certainly overstated. It is worth noting the DOD first created in 1998 a special joint command with the authorities to counter attacks and probes on DOD networks. It has been therefore nearly 20 years and yet DOD still has similar problems. I'm not convinced elevation to a unified command will resolve these issues any more than the escalation of this from a two-star to three-star command (in 2004), or from three-stars to four (in 2010). Moreover, some friction is actually beneficial.
Cyber conflict is extremely complex, and is fought in, through, and with the products of American technology companies on which we all depend for innovation and prosperity. Attacks can cascade in unpredictable ways. In air warfare, we have learned that if we push the rules of engagement too low, we end up bombing Afghani weddings. We should be similarly careful here. Further, the use and stockpiling of capabilities can cause outrage in citizens who feel their privacy and trust is being violated. We should be wary of taking away too much of the mire or the Congressional oversight function will be overwhelmed with incidents and complaints.

Ms. Rosen. Discuss the role of industry in cyber warfare and cyber operations. What is the relationship between the government and these private companies, and privacy?

Mr. Healey. Americans seem to trust private sector companies with their information far more than they do the U.S. government. (Note, this tends to be the opposite in Europe.) This can be a strength for cyber defense, as cybersecurity companies tend to have far greater capabilities, and fewer restrictions, than the DOD or DHS. A smart policy will refocus American cyber defense so the private sector is the supported command, not the supporting command.

Ms. Rosen. What additional efforts should we be making to protect against hacking? Do you see an obvious action that Congress should take?

Mr. Healey. My top practical step for Congress to take is to require DOD and DHS to conduct a review of how the United States has responded to past incidents. In a structured way, they should look at two of each major kind of attack (countering a denial of service attack, for example, and kicking out foreign spies) to determine which organizations and people took which decisions, based on what information and which led to what effectiveness in mitigating the attack. The results of this review will suggest how the U.S.
government could have responded better in the past and suggest how to do better in future. This should then be the basis of a new cyber incident response plan. I suspect an accurate review would show that most of the decisions and actions which have mattered were taken by the private sector, not just the companies under attack, but the software vendors (e.g. Microsoft), network service providers (e.g. AT&T), and cybersecurity companies (e.g. Symantec). Other critical actions are likely to be taken by small non-profits who are critical to sharing and response, such as ISACs (information sharing and analysis centers). Congress could develop grant programs to help these non-profits, if it proves they could be doing more critical work. This would be far cheaper to the public purse than hiring more DOD bureaucrats. It would also allow far better oversight, as Congress could better see just where the executive branch is succeeding and failing.

[all]