[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 115-8]
CYBER WARFARE IN THE 21ST CENTURY:
THREATS, CHALLENGES, AND OPPORTUNITIES
__________
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
MARCH 1, 2017
COMMITTEE ON ARMED SERVICES
One Hundred Fifteenth Congress
WILLIAM M. ``MAC'' THORNBERRY, Texas, Chairman
WALTER B. JONES, North Carolina
JOE WILSON, South Carolina
FRANK A. LoBIONDO, New Jersey
ROB BISHOP, Utah
MICHAEL R. TURNER, Ohio
MIKE ROGERS, Alabama
TRENT FRANKS, Arizona
BILL SHUSTER, Pennsylvania
K. MICHAEL CONAWAY, Texas
DOUG LAMBORN, Colorado
ROBERT J. WITTMAN, Virginia
DUNCAN HUNTER, California
MIKE COFFMAN, Colorado
VICKY HARTZLER, Missouri
AUSTIN SCOTT, Georgia
MO BROOKS, Alabama
PAUL COOK, California
JIM BRIDENSTINE, Oklahoma
BRAD R. WENSTRUP, Ohio
BRADLEY BYRNE, Alabama
SAM GRAVES, Missouri
ELISE M. STEFANIK, New York
MARTHA McSALLY, Arizona
STEPHEN KNIGHT, California
STEVE RUSSELL, Oklahoma
SCOTT DesJARLAIS, Tennessee
RALPH LEE ABRAHAM, Louisiana
TRENT KELLY, Mississippi
MIKE GALLAGHER, Wisconsin
MATT GAETZ, Florida
DON BACON, Nebraska
JIM BANKS, Indiana
LIZ CHENEY, Wyoming

ADAM SMITH, Washington
ROBERT A. BRADY, Pennsylvania
SUSAN A. DAVIS, California
JAMES R. LANGEVIN, Rhode Island
RICK LARSEN, Washington
JIM COOPER, Tennessee
MADELEINE Z. BORDALLO, Guam
JOE COURTNEY, Connecticut
NIKI TSONGAS, Massachusetts
JOHN GARAMENDI, California
JACKIE SPEIER, California
MARC A. VEASEY, Texas
TULSI GABBARD, Hawaii
BETO O'ROURKE, Texas
DONALD NORCROSS, New Jersey
RUBEN GALLEGO, Arizona
SETH MOULTON, Massachusetts
COLLEEN HANABUSA, Hawaii
CAROL SHEA-PORTER, New Hampshire
JACKY ROSEN, Nevada
A. DONALD McEACHIN, Virginia
SALUD O. CARBAJAL, California
ANTHONY G. BROWN, Maryland
STEPHANIE N. MURPHY, Florida
RO KHANNA, California
TOM O'HALLERAN, Arizona
THOMAS R. SUOZZI, New York
(Vacancy)
Robert L. Simmons II, Staff Director
Kevin Gates, Professional Staff Member
Lindsay Kavanaugh, Professional Staff Member
Neve Schadler, Clerk
C O N T E N T S
----------
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Smith, Hon. Adam, a Representative from Washington, Ranking Member, Committee on Armed Services (page 2)
Thornberry, Hon. William M. ``Mac,'' a Representative from Texas, Chairman, Committee on Armed Services (page 1)
WITNESSES
Healey, Jason, Nonresident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council (page 6)
Libicki, Martin C., Professor, U.S. Naval Academy, and Adjunct Management Scientist, RAND Corporation (page 5)
Singer, Peter, Strategist and Senior Fellow, New America Foundation (page 3)
APPENDIX
Prepared Statements:
Healey, Jason (page 71)
Libicki, Martin C. (page 60)
Singer, Peter (page 47)
Documents Submitted for the Record:
[There were no Documents submitted.]
Witness Responses to Questions Asked During the Hearing:
[There were no Questions submitted during the hearing.]
Questions Submitted by Members Post Hearing:
Mr. Franks (page 85)
Ms. Hanabusa (page 88)
Ms. Rosen (page 89)
CYBER WARFARE IN THE 21ST CENTURY: THREATS, CHALLENGES, AND
OPPORTUNITIES
----------
House of Representatives,
Committee on Armed Services,
Washington, DC, Wednesday, March 1, 2017.
The committee met, pursuant to call, at 10:03 a.m., in room
2118, Rayburn House Office Building, Hon. William M. ``Mac''
Thornberry (chairman of the committee) presiding.
OPENING STATEMENT OF HON. WILLIAM M. ``MAC'' THORNBERRY, A
REPRESENTATIVE FROM TEXAS, CHAIRMAN, COMMITTEE ON ARMED
SERVICES
The Chairman. The committee will come to order. The
committee meets today to explore ``Cyber Warfare in the 21st
Century: Threats, Challenges, and Opportunities.'' Needless to
say, it is a big complex topic that is at the heart of much of
American national security today and will be even more so in
the future.
One of those internet quotes attributed to Albert Einstein
says: Given one hour to save the planet, I would spend 55
minutes understanding the problem and 5 minutes resolving it.
Well, whether Einstein really said something like that or
not, I think the point rings true that much of our challenge in
cyber is understanding the problem. As we have seen in recent
years, cyber is being used by both nation-states and nonstate
actors in ways that challenge our traditional notions of what
is war. It is being used to destroy, to steal, and to
influence.
Cyber is a domain of warfare in itself, but its
technologies also undergird most all of our defense efforts. It
helps make us the strongest military in the world, and it also
presents a vulnerability, which adversaries are looking to
exploit.
And what is true for our military is also true for our
society. Those technologies offer great opportunity but are
also a vulnerability that must be defended. And when it comes
to things that must be defended, we often turn to the United
States military.
I am very grateful to all the members who came back to
Washington early this week to spend our yearly retreat at Fort
Meade focusing on this issue. Our witnesses today will also
help us advance our thinking and hopefully help lead us to find
the right questions so that we can work together to find the
right answers.
I would yield to the ranking member for any comments he
would like to make.
STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM WASHINGTON,
RANKING MEMBER, COMMITTEE ON ARMED SERVICES
Mr. Smith. Thank you, Mr. Chairman. I appreciate you
holding this hearing on this very important topic, and it is
one that I guess we are probably going to spend more than 55
minutes trying to figure out the problem, unfortunately. It is
very complicated. You know, the first thing we have to figure
out is how, you know, best and better to protect our networks,
both within government and those private sector groups that we
come into contact with the government. We have that problem on
the Armed Services Committee with a lot of the defense
contractors that have sensitive information within their cyber
domain that we have to figure out how to protect.
And we still don't really have a comprehensive strategy for
how to do that. That is part of the problem. And the other part
is, as cyber is increasingly used for active warfare, what is
our policy on that? If we are attacked through cyber, what is
an appropriate response?
We saw that with the Russian attacks on the DNC [Democratic
National Committee]. You know, the President responded. It took
a long time because we really don't have a set policy on what
is a proportional and appropriate response to a given cyber
attack, which we need to figure out.
And then, lastly, how do we use it as an offensive weapon?
Certainly our enemies are using it. ISIS [Islamic State of Iraq
and Syria] is using it very effectively to spread their message
and recruit. You know, and we have seen Russia use it in a
variety of different formats. We have suspicions of others
using it as well.
What should we do, from an offensive standpoint, to use
cyber to cause problems for our enemies and advance our
interests? So those are the three questions I am most
interested in learning more about.
I apologize; I actually have to leave early from this
hearing. But certainly I will study the remarks of our
witnesses, and I know the panel will benefit from the
discussion.
I thank the chairman for holding this hearing, and I yield
back.
The Chairman. I thank the gentleman.
Again, let me thank each of our witnesses for taking the
time to be here.
We have Dr. Peter Singer, strategist and senior fellow at
New America Foundation, among other things, author of ``Wired
for War'' and ``Ghost Fleet''; Dr. Martin Libicki, professor at
the U.S. Naval Academy and adjunct management scientist at the
RAND Corporation; and Mr. Jay Healey, nonresident senior fellow
for the Cyber Statecraft Initiative at the Atlantic Council.
Thank you all for being here. Without objection, your full
written statement will be made part of the record, and we would
be pleased to hear any oral comments you would like to make at
this point.
Dr. Singer, we will start with you.
STATEMENT OF PETER SINGER, STRATEGIST AND SENIOR FELLOW, NEW
AMERICA FOUNDATION
Dr. Singer. Chairman Thornberry and Ranking Member Smith,
members of the committee, it is an honor to speak at this
important discussion today designed to reboot the cybersecurity
conversation. It is all the more needed as the United States
was recently the victim of what was arguably the most important
cyber attack campaign in history. Hackers reported as working
on behalf of the Russian Government have attacked a wide
variety of American citizens and institutions. They include
political organizations of both parties, the Republican
National Committee and the Democratic National Committee, as
well as prominent Democrat and Republican leaders, as well as
civil society groups like various American universities and
academic research programs.
These attacks started years back, but they continued after
the 2016 election. They have been reported as hitting clearly
government sites, like the Pentagon's email system, as well as
clearly private networks, like U.S. banks. They have also been
reported as targeting a wide variety of American allies ranging
from government, military, and civilian targets, and states
that range from Norway to the United Kingdom, as well as now
trying to influence upcoming elections in Germany, France, and
the Netherlands.
While Vladimir Putin has denied the existence of this
campaign, its activities have been identified by groups that
include all the different agencies of the U.S. intelligence
community, the FBI [Federal Bureau of Investigation], and in
statements by both the prior and present U.S. President. This
campaign has also been well-established by the marketplace.
Five different well-regarded cybersecurity firms have
identified it.
This campaign is not a cyber war of the kind that is often
envisioned with power grids going down and fiery cyber Pearl
Harbors. Instead, it is a competition more akin to the Cold
War's predigital battles that crossed influence operations with
espionage and subversion.
However, while Russia's attacks are the most notable events
in cybersecurity in the last year, unlike in the Cold War, our
strategy must recognize they are only one aspect of a larger
threat landscape. In cyberspace, the malevolent actors
presently engaged in attacks on U.S. persons and institutions
range from criminals who are stealing personal information or
holding ransom valuable corporate data--although here too there
is a prominent Russian link with reportedly 75 percent of
ransomware coming from Russian-speaking parts of the online
criminal underground--to governments, like China, which have
been accused of large-scale intellectual property theft, as
well as breaking into government databases like the OPM [Office
of Personnel Management] in the cyber version of traditional
espionage.
And, finally, our strategy must face that all of this
ongoing activity must account for the risk of an actual cyber
war, the activities that would occur in outright conflict,
including cyber attacks to cause physical damage.
So what can be done to defend America in this challenging
realm? In my written testimony, I submitted a series of 30
actions that can be taken by the Congress to raise
cybersecurity. Notably, in reflecting the nature of this
nonpartisan realm, the overall strategy in each of the proposed
30 measures are designed to be amenable to and implementable by
the leaders of both parties.
I have submitted this strategy for the record, which I hope
will be a useful resource to you and your staff in your
important work ahead. Rather than restating in detail, I would
note that it involves three core elements.
First, activities that can be taken to restore deterrence,
from making key new investments in training, cutting-edge
technology like artificial intelligence [AI], and
organizational changes in our Defense Department approach,
including disentangling CYBERCOM [Cyber Command] and the NSA
[National Security Agency], to utilizing all our tools of power
to better influence current and future adversary thinking in
the wake of Russia's attack, most especially by turning
sanctions into law and strengthening them.
Second, actions to raise resilience, our ability to shake
off attacks and thus create what is known as deterrence by
denial, where we are not only better protected but adversaries
gain less and are thus less incentivized to attack.
Importantly, a strategic effort to raise U.S. resilience would
be a useful investment against any type of attack or attacker.
The steps that can be taken by Congress here range from
measures to better utilize Pentagon buying power to oversight
on the implementation of industry best practices in the
government. They also include innovative means to deal with our
cybersecurity human resource challenge, from supporting better
pipelines into government and the military and better
organizing the wealth of talent that lies outside of government
in the military and Reserves, such as through the creation of a
program akin to Estonia's world-respected approaches to
societal resilience.
The final track looks at the broader challenge we face in a
world of social media and online influence operations. Here,
too, there are a range of suggested congressional actions,
including enhancing cybersecurity information sharing among
likely U.S. political targets, raising the ability of the U.S.
military to better utilize social media and integrate it into
our own training environments, and supporting the recreation of
the Active Measures Working Group, an interagency Cold War
program designed to debunk foreign propaganda and limit the
impact of lies spread by what the Soviets aptly called ``useful
idiots.''
In conclusion, we must recognize that, for as long as we
use the internet, adversaries like Putin's Russia and many
others will seek to exploit this technology and our dependence
on it in realms that range from politics to business to warfare
itself. In response, the United States can build a new set of
approaches to deliver true cybersecurity, aiming to better
protect ourselves while reshaping adversary attitudes and
options, or we can continue to be a victim. Thank you.
[The prepared statement of Dr. Singer can be found in the
Appendix on page 47.]
The Chairman. Thank you. Dr. Libicki.
STATEMENT OF MARTIN C. LIBICKI, PROFESSOR, U.S. NAVAL ACADEMY,
AND ADJUNCT MANAGEMENT SCIENTIST, RAND CORPORATION
Dr. Libicki. Good morning, Chairman Thornberry, Ranking
Member Smith, and the distinguished members of the committee.
My name is Martin Libicki, the Maryellen and Richard Keyser
Chair of Cybersecurity Studies at the Naval Academy and an
adjunct at RAND. The views expressed are my own.
Two years ago, Admiral Rogers asked Congress to support an
increase in his ability to carry out cyber attacks so that the
United States could deter cyber attacks on it, but would
strength alone suffice? Our deterrence capability has at least
four prerequisites.
First, we must be able to attribute cyber attacks in order
to punish the correct party and convince others that we are
acting justifiably.
Second, we must communicate our thresholds. What actions
will lead to reprisals?
Third, we need credibility so that others believe that
punishment will in fact follow crossing such thresholds.
Fourth, we need the capability to carry out reprisals.
Of the four prerequisites, it is U.S. capability that is
least in doubt. Any country credited with Stuxnet and the
operations that Snowden leaked has demonstrated an impressive
capability. It is the other three prerequisites that need
attention.
Attribution, to be fair, has improved considerably over the
past 10 years, but the same cannot always be said about the
U.S. ability or willingness to prove that its attribution is
correct. After the Sony attack, the FBI's public statement
devoted just 140 words to justifying its attribution, and the
public case that Russia carried out the DNC hack is even more
problematic.
Credibility remains an issue. Although the United States
did retaliate against North Korea for the Sony attack and
Russia for the DNC hack, the reprisals that have been made
public, mostly sanctions, were not the sort that would induce
fear in others.
That leaves the issue of thresholds, which gets the least
attention. What cyber attacks merit cranking up the machinery
of U.S. retaliation for and thereby potentially altering the
U.S. relationship with another country, especially when cyber
attacks can vary so much from a momentary network disruption to
a major catastrophe? Not everything that we might call a cyber
attack is actionable.
By contrast, even the smallest nuclear weapon on U.S. soil
was obviously actionable. Finding a tractable threshold is not
a problem easily solved. So let's consider some candidates.
Should something be actionable if it violates the Computer
Fraud and Abuse Act? Well, there are three problems. First,
using a national law as an international red line sets a
precedent easily abused by countries that, for instance,
criminalize free speech.
Second, this act is violated literally on millions of
occasions, pretty much every time a computer is turned into a
zombie.
Third, such a law makes cyber espionage an actionable act,
but this is something that the United States carries out all
the time.
Well, is something actionable, as one Assistant Secretary
of Defense argued, if it is among the top 2 percent of all
attacks? Here the problem is that cyber attacks have no
minimum. So it is very difficult to define the set and, thus,
very difficult to define 2 percent of the set.
Okay. Should everything that affects the U.S. critical
infrastructure be actionable? Supposedly we know what is and is
not part of the U.S. critical infrastructure. But then we have
attacks that make us change our mind. For instance, a number of
folks said the attack on Sony was an attack on the critical
infrastructure, and after the attack on the DNC, we
reconsidered the election--the voting machinery in this
country, and we reclassified it as part of the critical
infrastructure.
Well, do the laws of armed conflict, or LOAC, provide a
good dividing line? Well, unfortunately, LOAC kicks in only
when something is broken or someone is hurt, and in cyberspace,
damage has occurred twice and death not at all. An attack that
bankrupts a firm, by contrast, would not be actionable by LOAC.
Worse, LOAC fosters the notion that a cyber attack, like a
physical attack, is unacceptable behavior for countries, while
cyber espionage, like traditional espionage, is something
countries do. But the United States does not accept all cyber
espionage. It successfully pressed China to stop its economic
cyber espionage.
If the data taken from OPM had been sold into the black
markets, the United States would doubtlessly have raised very
strong objection to China, and the DNC hack was actually cyber
espionage. If the Russians had taken what they took in-house
rather than post it online, there likely would have been no
U.S. response.
My bottom line is this: deterrence introduces multiple
issues that need far more careful attention than they have
received to date. Being strong is necessary, but it is not
sufficient, and until we have a firmer basis for setting
thresholds, we may have to limit reprisals to obviously
actionable attacks while using the less obvious ones as markers
for what we would react to next time.
I appreciate the opportunity to discuss this important
topic, and I look forward to your questions.
[The prepared statement of Dr. Libicki can be found in the
Appendix on page 60.]
The Chairman. Thank you.
Mr. Healey.
STATEMENT OF JASON HEALEY, NONRESIDENT SENIOR FELLOW, CYBER
STATECRAFT INITIATIVE, ATLANTIC COUNCIL
Mr. Healey. Good morning, Chairman Thornberry, Ranking
Member Smith, distinguished members of the committee. I am
really humbled to be in front of you today. I will jump right
to the heart of my comments on cyber conflict where several
issues stand out.
First, what isn't a problem? Attribution, as my colleagues
have pointed out, is not nearly the challenge that it used to
be, as analysts at private sector companies and the U.S.
Government have made tremendous gains determining which nations
are behind cyber attacks.
Second, what is different in cyber compared to conventional
conflict? I believe it is not hazy borders or operating at
network speeds or the other things that you might have heard
that is most different, but in fact the role of the private
sector. America's cyber power is not at Fort Meade. No, the
center of U.S. cyber power is instead in Silicon Valley, in
Route 128 in Boston, at Redmond, Washington, and in all of your
districts where Americans are creating and maintaining
cyberspace and can bend it if they need to.
Third, what didn't we see coming? In the wake of the 1991
Gulf War, we in the military were eager to study information
operations, including propaganda and influence, which are now
some of our adversaries' primary weapons against us. Yet, in
the time since, we have become so enamored of the cyber, we
have forgotten critical lessons of information operations from
that time.
Fourth, what might we have most wrong? Simply, deterrence
and coercion. Previous testimony to this House made it clear
there was an electronic Pearl Harbor waiting to happen. Well,
that was in June 1991. So we have been fretting about an
electronic Pearl Harbor for 25 of the 75 years since the actual
Pearl Harbor. Cyber deterrence above the threshold of death and
destruction not just is working but works pretty much like
traditional deterrence. Where deterrence is not working, of
course, is in the gray area between peace and war, where all
major cyber powers are enjoying a free-for-all.
We should not kid ourselves. In that gray zone, the United
States is throwing as well as taking punches, and deterrence
works very differently if your adversary is certain they are
striking back, not first. In fact, I believe cyber may be the
most escalatory kind of conflict we have ever encountered.
Because of this, any exercise in cyber deterrence must be
thought of as an experiment. Some of our experiments will work;
some won't. So we must be cautious, attentive to the evidence,
and willing to learn.
So my first recommendation is that a new set of cyber
influence teams might quickly be trained and folded into the
Cyber Mission Force at Fort Meade working alongside cyber and
area studies experts there.
Second, I continue to advocate splitting the leadership of
NSA and Cyber Command. Imagine if the Commander of U.S. Pacific
Command were the leading source of information on the China
military threat, negotiated with U.S. companies dealing with
China, ran the best funded China-oriented bureaucracies, was
involved in intelligence operations and military planning
against China, and could decide what information on China was
classified or not. Sometimes two heads and two hats are more
American than one.
Third, the best use of government resources is to reinforce
those doing the best work already. Our critical infrastructure
companies are on the front lines and, together with major
vendors and cybersecurity companies, have far more defensive
capabilities than our military. Grants to the nonprofit
associations that are knitting these operations together can
give massive bang for the buck.
Lastly, I would like to leave you with a question to
consider asking others in testimony in the future: What do you
believe will be the dominant form of cyber conflict in 10
years? The Pentagon seems to have a healthy set of cyber
requirements but not many views of what cyber conflict might be
like as they do in the land, sea, air, or space.
For example, I am sure the chief of staff of the Air Force
can give you many reasons on why he sees future air conflict
and why a long-range strike bomber is the answer to succeeding
in many of those kinds of conflicts. What do we think the
future of cyber conflict might be like that will justify the
requirements that the Pentagon is asking for?
In closing, I would like to mention that on 16 and 17
March, 48 student teams, including from many of your districts
or your alma mater, including the Air Force Academy, Brown, and
the Universities of South Alabama and Maryland, College Park,
will compete in the Cyber 9/12 Student Challenge. This
competition prepares students to tackle exactly the same sort
of challenges about which my colleagues and I are testifying
before you today. If you or your staff are available to
observe, judge, or provide remarks, the student teams would
greatly benefit. Thank you for your time.
[The prepared statement of Mr. Healey can be found in the
Appendix on page 71.]
The Chairman. Thank you.
As we notified all members, Mr. Smith and I agreed that,
for the purpose of this hearing, we would start out by going in
reverse seniority order for those members who were here at the
time of the gavel and then go in order that members entered the
room, like we usually do.
I also want to remind members that this afternoon the
Emerging Threats and Capabilities Subcommittee is holding a
classified quarterly update on cyber operations to which all
members of the committee are invited.
And at this point, I would like to yield my 5 minutes to
the chair of that subcommittee, Ms. Stefanik.
Ms. Stefanik. Thank you, Mr. Chairman.
I have two questions. The first is broad. What aspects of
the previous administration's cyber policy should we keep and
what should we rethink? I will start with Mr. Healey and move
down the line.
Mr. Healey. Thank you very much, Chairwoman, Ms. Stefanik.
The previous administration got a lot of runs across the
plate, but they weren't really swinging for the fence. So they
had a lot of small--they were playing small ball. And so there
weren't that many things that really angered me that much about
what they did.
One that I think we should absolutely keep, because I think
the private sector should be the supported command, not the
supporting command, I am a big fan of the work that they had
done on the vulnerabilities equities process. This is the
process by which if the U.S. Government discovers
vulnerabilities, especially in U.S. IT [information technology]
products, that the default is to tell the vendors on that, and
if they keep it, for example, at Fort Meade, that they have a
risk-mitigation strategy so that, if it does become public,
that they can respond most quickly. The work that they did on
that was very important. That actually dates back to CNCI
[Comprehensive National Cybersecurity Initiative] in the
previous administration, but I think that is certainly worth
keeping.
To change: I certainly hope that the U.S. Government can do
better on its own cybersecurity systems. It looks like the new
administration might be doing better on this with more of a
role for the Office of Management and Budget as well as more
shared services, that is, more cloud. I also think we can do
more within the Department of Defense [DOD] for accountability.
My experience in the private sector, especially working for
banks, was that they had much more control over what was added
to their networks and who could do what than even the
Department of Defense does, which was a surprise to me
considering how much we think of command and control and
leadership within the Department of Defense. Thank you.
Ms. Stefanik. Thank you.
Dr. Libicki.
Dr. Libicki. I believe the administration made a lot of
good investment in defensive, in defending networks, and I
think that is a trend that should continue. Details, I suppose,
we can discuss, but I think the general trend toward putting
most of your eggs in the defensive basket is a good one.
In the realm of what I would do different. If you are going
to talk up an attack as something that is unacceptable, then
you need better attribution, public attribution case, and you
need to hit back more strongly. Conversely, if you are not
prepared to hit back strongly and you are not prepared to make
a good attribution case, maybe you shouldn't make so big a deal
of the cyber attack.
Ms. Stefanik. Dr. Singer.
Dr. Singer. I echo what was just previously said and add a
couple of things. Towards the end of the Obama administration,
in the wake of the OPM breach, it put together a series of
essentially best practices from the private sector that could
be mined for implementation into government. I see those as a
key oversight area for Congress and essentially seeing if they
are being implemented or not. And, again, I think they are
bipartisan in that they are pulling from the private sector.
Similarly, in the very last weeks of the transition, there
was a bipartisan commission of experts, cybersecurity experts,
that issued a report of what could be done to aid government in
this realm. It was lost in the little bit of the conversation.
Here too, bipartisan recommendations, implementing those would
be a good area.
Finally, the administration created a cybersecurity human
resources strategy. This space is not merely about zeros and
ones. It is a people problem, and there are all sorts of areas
there, and I would look to that and see, is this being
implemented or not? It also points to, at least so far in the
drafts of the Trump administration's executive orders, human
resources hasn't been mentioned. So I would be focusing on
that.
In areas of what they can do, what they don't do, there is
a wide variety of them that have been mentioned. Whether it is
sanctions to--we have done well at pulling in the National
Guard as a way of tapping broader societal resource, but that
is only limited to what is already in the military. I would
look to the Estonian model or, in essence, the cybersecurity
version of the Civil Air Patrol as a way of pulling in broader
civilian talent that isn't either able or willing to serve in
the military or Guard and Reserves.
Ms. Stefanik. Thank you, Dr. Singer.
So my final more specific question: Mr. Healey, in your
written testimony, you discuss how our adversaries are using
cyber capabilities as part of a larger strategic and
orchestrated influence operations, form of information warfare.
The most recent examples are the North Korean hack of Sony, the
Russia hack of the DNC, and even 2008, the Chinese hack of both
the Obama and McCain campaigns.
In addition to your suggestion to create cyber influence
teams with our cyber forces, what more can we do to counter the
strategic influence campaigns that are so successfully being
waged by Russia, China, North Korea, and Iran?
Mr. Healey. Such an important question. Thank you very
much. I agree with Dr. Singer on returning to the Active
Measures Working Group, which I think is an important step. I
think we can start refunding some of those information
operations projects that we had done in the 1990s, for example,
in [Operation] Allied Force where we had done a lot against
Slobodan Milosevic. There had been a lot done in the military
professional universities, especially places like National
Defense University and the doctrine centers where hopefully
some of those people still reside and we might be able to build
back some capability quickly.
It also--we obviously need to do this whole-of-government
because this clearly isn't a Department of Defense response. It
has helped me to think about--you know, we have incidents of
national significance to respond to terrorist attacks. We have
cyber incidents of national significance, but neither of these
fit here. It has helped me to think about an information
incident of national significance and think, who would we bring
to the table? What agencies would we bring to the table to
respond to an information incident of national significance? I
am not convinced that we should create such a concept because
there is something that strikes me a bit un-American about how
we might use that if there is information we didn't like, but
it certainly helped me think about how we might improve our
interagency response against such actions. Thank you.
Ms. Stefanik. Thank you, Mr. Healey.
I am over my time.
The Chairman. Mrs. Murphy.
Mrs. Murphy. Thank you, gentlemen, for being here and for
your testimony as well as the Q&A [question and answer].
I represent a district in central Florida that is home to
the Nation's largest modeling, simulation, and training
industry cluster, which includes a collaboration--which is a
collaboration between the military, academia, and industry. The
Army command there, known as PEO STRI [Program Executive Office
Simulation, Training, and Instrumentation], has been tasked
with the cyber training mission for Army.
I was alarmed by a recent study that I saw that talked
about the accelerating workforce gap for cybersecurity
professionals. This survey projects that we will have a
shortfall of 1.8 million cybersecurity professionals in the
next 5 years. And to put that in some context, when you talk
about workforce gaps in other industries, we are talking in the
tens of thousands, but not in the millions. So I found this an
astounding shortfall in its size and particularly in a critical
area for both national security as well as economic stability.
So I was wondering, you know, you have all talked a little
bit about some of the initiatives, workforce initiatives, that
could be implemented, but what specific partnerships between
academia, government, and the private sector would help to
build this talent pipeline in the future, and what role does
Congress have in providing investments for and supporting such
partnerships?
Dr. Singer. There is a whole array of activities that can
and, frankly, should be undertaken. As was mentioned, there was
previously a human resources strategy. It is unclear whether
that will be continued or not. I believe it should be in the
new administration. If it is not, there should be a similar
full-fledged version of it.
Equally, there have been organizations created like, for
example, the U.S. Cyber Corps, which is akin to a ROTC [Reserve
Officer Training Corps] program, a scholarship program for
drawing talent into government. It is unclear what the effect
the Federal hiring freeze will have on that. Right now, you
have students that are worried that they are not going to be
able to meet their scholarship commitments by joining
government because the positions won't be open to them.
I would urge Congress and the administration to make clear
that cybersecurity is an area that would not be included in
that hiring freeze because, frankly, any labor savings that you
get will be lost by one breach, one incident.
Similarly, there is a whole series of areas to bring in. As
was mentioned, the strength of the United States is in
districts like yours and around, so ways of bringing that
talent into government for short term. So the examples range
from adding a cybersecurity element to the U.S. Digital Service
to a program akin to what the Centers for Disease Control has
for bringing in talent from the medical field.
Finally, bug bounty programs, which are very cheap ways of
incentivizing people outside of government to volunteer to help
government. I would urge--the DOD is doing these on a pilot
basis. This should be done at every single agency, and Congress
can help support that and incentivize that.
Dr. Libicki. I mean, there are a lot of programs that have
been mentioned, could be mentioned, that could increase the
supply of cybersecurity professionals, but if we are talking
about the scholarship program, we are talking about hundreds
and thousands of people as opposed to millions of folks. And I
think thought needs to be given not only to how do you increase
the supply but also how you reduce the demand. Let me give you
an example.
If you take a look at the Office of Personnel Management,
there was a lot of sensitive information, particularly
information that you gather as part of doing the security
clearance, that was leaked to other countries as a result.
Okay. Now, if you just took a cybersecurity perspective, you
would say, well, how many people does OPM have to hire in order
to make sure that their material doesn't leak?
But there is another way of looking at it. Okay. Do we have
to ask people those questions? Do we have to write down the
answers? Do we have to put those--digitize the answers that
they give? Do we have to make the answers available, and do we
have to make the answers available online? And is there some
way of finding out where the answers are going online in the
circulation?
Okay. None of those things that I describe need a
cybersecurity professional. They need ways of understanding how
information works. And I think, as a general proposition, there
was a tendency to say: We want to compute the way we want to
compute. We want no restrictions. This internet stuff is
wonderful. We want as much as we can have. But it seems to give
us cybersecurity problems. So let's go hire a bunch of
cybersecurity folks and sort of spread some cybersecurity on
the top.
And if you can't get these folks or you are paying an arm
and a leg to get these folks and it still doesn't work because
the Russians are very, very talented and the Chinese are very
talented, okay, then you might want to consider, how are we
actually managing our information? And that leads you to a
different place.
The Chairman. If I could request each of you all, if you
would talk directly into the microphone. Sometimes there is a
noise outside that is making it hard to hear up here. So thank
you.
Mr. Gallagher.
Mr. Gallagher. Thank you, Mr. Chairman.
I have a somewhat related question. The Marine Corps
Commandant, General Neller, recently stated that using tactical
cyber needs to become routine like other technical arms of the
service. So when the Arty [artillery] officer shows up or the
naval gunfire officer shows up, he needs to be accompanied by a
cyber liaison officer.
My concern is that in terms of the cyber talent pool, I
don't think a lot of them are enthusiastic about getting a high
and tight and joining the Marine Corps. So I am drawn to your
idea, Dr. Singer, about something akin to the Estonia Cyber
Defense League, but I see a host of practical challenges to
implementation, and I think we might have to rethink how we
grant security clearances.
Could you just talk a little bit more about that and how we
might operationalize and implement such a proposal?
Dr. Singer. So the approach that Estonia has is a little
bit akin to our age-old minutemen or, more appropriate today,
the Civil Air Patrol. The Cyber Defense League there is,
it takes people that have been security cleared. So they do go
through a clearance process. They are volunteers. They are
outside of government. Their talent ranges from people who are
hackers to people who are bankers.
So, for example, if you want to understand how to attack or
defend a bank, you just don't need computer talent. You need to
understand how the systems work. And they essentially volunteer
to aid Estonia in everything from red teaming--so attacking
voting systems before an election, find vulnerabilities
before the bad guys do--to they help with emergency response.
It is a little bit akin to the Civil Air Patrol, which gathers
people who are interested in aviation, and it ranges from
youngsters that are entering the field to people who just want
to keep flying, but then they are on call for aviation-related
accidents, training exercises, and, importantly, on call at the
local, State, and Federal level.
My point is, is that, often in this space, we very
appropriately enough say, you know, look, we have got Active
Duty, and National Guard has expanded and gotten really good at
this, but then we stop and miss the fact that, as you put,
there is a great deal of talent that will be forced to be
outside of National Guard.
I would also, real quickly, one other point I want to make
is that, if we are looking at history, we often talk about the
Pearl Harbor parallel, and what General Neller is pointing to
is that there are other battles--Kasserine Pass--which were
really ones that whether we won or lost was not based on our
weapons but our failure to figure out how we command and
controlled, how we organized, and that is what I would urge you
to be pushing a little bit more on the military side with.
Mr. Gallagher. And then, on that point, Mr. Healey, you
seem to argue that the reports of a cyber Pearl Harbor have
been greatly exaggerated, but I count myself among many
Americans who received a notification from OPM after the hack,
which some describe as a cyber Pearl Harbor. What is your
assessment of the long-term damage caused by that hack?
Mr. Healey. Certainly when I thought about my colleagues,
my friends who in the future might be negotiating with China
over some issue, and I can imagine their Chinese counterparties
sitting down in front of them and having their complete SF-86
and the rest of their information in front of them. And I
imagine the chilling effect that would have on that negotiation
and how America's diplomatic position is going to be
significantly worse since then.
But I also take the thought of a devastating attack that
leaves thousands of Americans dead. I mean, that, for me, is--
it is what we have been thinking about, what we have been
imagining that was going to be this catastrophic bolt from the
blue, and so certainly that hasn't happened yet. And yet we
still, to some degree, allow that to capture our imagination.
So I think we need a little bit more curiosity about what
future cyber conflicts might be like and how we respond to
those. I think that would put us much better off to deal with
the OPMs and to deal with the Russian hacking.
Mr. Gallagher. And, finally, Dr. Libicki, among the many
terrorist groups that we are fighting kinetically right now,
who is the most sophisticated cyber actor?
Dr. Libicki. I think you would have to say ISIS. But I
think even--ISIS is really good at information operations and
propaganda, okay, because in many ways, they say that terrorism
is sort of the propaganda of the deed, and so they are
integrated within a country--with an organization like ISIS.
But in terms of actual cyber capability, there are many
criminal groups that are better than all the terrorist groups.
Mr. Gallagher. Thank you, Mr. Chairman.
I yield the rest of my time.
The Chairman. Mr. Brown.
Mr. Brown. Thank you, Mr. Chairman.
I represent a district in Maryland that is perhaps less
than 8 miles from Fort Meade, which is home to, you know,
several very important agencies and activities in the
cyberspace, NSA, Cyber Command, and Defense Information Systems
Agency, and we are home to a very large percentage of those
high-and-tight cyber warriors. And I know that this committee,
over the past several years, has looked at the organization and
structure of the cyber force, Cyber Command, as a unified
command. We are interested in the dual-hat arrangement between
the Director of NSA and as Commander of CYBERCOM, and also we
are interested in a strategy for incorporating the Guard and
the Reserve.
So my question is--and there are a lot of different
activities involved in cyber warfare. At the operational level,
do you have any thoughts and opinions on how best to support
that combatant commander? We have got cyber mission teams that,
my understanding, right now, pretty much operate from CONUS
[continental United States], a lot at Fort Meade, some in
Atlanta, and pushing those teams out much like the Special
Operations Command does, and any other thoughts you have on
sort of the operational tactical deployment of these assets.
Mr. Healey. Thank you very much, and there are parts of
this that remind me of the previous question. You know, the
cyber forces, I think, for a very, very long time are going to
be high-demand, low-density [HDLD] assets. You know, there is
just not going to be enough of them, and in general, when we
have got HDLD assets, we try to keep them in a centralized pool
so that way--especially keeping them in a place where they can
support multiple commands and multiple operations without
necessarily having to deploy to do them.
I think it is going to be a long time before it is as easy
to use cyber capabilities as it is to drop a JDAM [Joint Direct
Attack Munition] or to send artillery rounds downrange. It is
extremely complex, and when you have capabilities, you tend to
want to use them sparingly and not in a tactical kind of
situation because the adversary will just fix them.
And so the kinds of things that I think have been happening
within the Cyber Mission Force have been really excellent, and
we hope to see more capabilities and spending in that area.
Dr. Libicki. Briefly, I am not too sure I have an answer to
your question, but I do have a sense of what it will depend on.
First is we need to understand a lot better the efficacy of
offensive cyber forces, and the second thing is that we have to
understand their depletability. There is a difference when you
surprise somebody in cyberspace, when you pull off something
that they weren't expecting, okay. The surprise element tends
to deteriorate over time. It is not like an artillery round,
which still has the same blast effect for the first as it does
for the hundredth.
So that we don't understand a lot, and for these next 5 to
10 years, we are going to have to be playing around with a lot
of alternative models until we do have a level of understanding
that allows us to make good decisions.
Dr. Singer. I think your mention of Special Operations
Command is an appropriate one. I was actually down there
literally yesterday, and it is my sense that that is the likely
and I think ideal future evolution of what happens with Cyber
Command where it is, as mentioned, it is global in its
operation but also can focus down and help in specific commands
on a theater level or the like. It also has its own culture,
its own approaches to promotions, to different types of budget
authorities to reflect kind of its unique role. That is my
sense of where Cyber Command can and should evolve to.
Part of that will, as was mentioned, I do think it is time
for it to disentangle from the dual-hat leadership structure
for both what Jay Healey mentioned, in terms of the
intelligence operational side, to just, frankly, it is a human
talent. No matter how good the person is, those two roles are
incredibly important, and you are getting half their time. They
are also very different. To make a sports parallel, it is like
having, you know, the coach of the Wizards and the general
manager of the Capitals. You know, you wouldn't do that.
The final aspect that I would put in terms of--to aid this
in solving a lot of this question is better integration of this
into our muddy boots training environments, and when I say
``this,'' I mean both offensive and defensive cyber
capabilities as well as the social media side. Our training
environment should reflect what the internet looks like now and
how we can and our adversaries will use it.
Mr. Brown. Thank you, Mr. Chairman.
The Chairman. Ms. McSally.
Ms. McSally. Thank you, Mr. Chairman.
Thank you, gentlemen. First, I just have a comment as we
are talking about this cyber workforce. Although I agree with
you, Dr. Libicki, about managing our information. There is
going to be demand. These are going to be jobs that will be out
there and growing. And I highlight the University of Arizona
South in my district has, you know, taken advantage and seen
that coming and really created a cyber operations program
partnering with Fort Huachuca, Federal agencies, seeing that
this is an opportunity to really train the workforce of the
future for government, military, and the private sector, and I
think a great example of really how educational institutions
need to take advantage of this to provide training and
opportunities, you know, for good jobs in the future. So I just
want to highlight what is happening at the U of A South.
I am former military. You look at our potential
adversaries. They don't want to take us head-on although they
are closing some gaps. But we are so heavily reliant on network
operations for command and control, for situation awareness,
you know, whether that is GPS [Global Positioning System] or
how we are managing unmanned aerial systems, even how we are
managing air tasking orders and time-sensitive targeting.
If you are the bad guy, you want to go after that
asymmetrical potential Achilles' heel. Although we haven't seen
it happen, I would like to hear your comments on our
vulnerability. Obviously, we are in an unclassified setting,
and what we, you know, could do because if we had an adversary
go in that direction and try and take us down, we would--you
know, we talk about like the AOR [area of responsibility] would
go stupid pretty fast, like we wouldn't be able to operate; we
wouldn't know how to command and control and give directions to
our assets. And I see this as a very deep vulnerability that we
have. Do you have any comments on that and what we need to be
doing better about it? You want to start, Mr. Healey?
Mr. Healey. Thank you. It is tough for me when you ask me
the question not to answer first with ``Assault Course,
Ma'am.'' So I would start with----
Ms. McSally. Sorry about that.
Mr. Healey. You haven't had----
Ms. McSally. Put him through basic training.
Mr. Healey [continuing]. The cyber Pearl Harbor the way
that we thought in some way because cyber attacks tend to only
take down things made of silicon, things made of ones and
zeros, and those are relatively easy to replace.
The more that we are bringing in the Internet of Things
[IOT] and the smart grid, the more that those same attacks,
instead of just bringing down things made of silicon, can bring
down things made of concrete and steel.
Ms. McSally. Right.
Mr. Healey. So I am not of those that think cyber attacks
have been that bad lately. I really don't, because no one has
died yet. I think we are going to look back at these days as
the halcyon days when Americans had not yet started dying from
these.
So, to me, that is really where I would like to start
putting a lot of my time and I think the time from the DOD and
from Congress and in trying to see what we can do about--to
secure the IOT and keep our adversaries away from them. Thank
you.
Ms. McSally. Any other comments from----
Dr. Singer. I think you are spot-on, and I would point to,
you know, so what would make the previous member happy, we
spent over $2 billion on construction in the Fort Meade area
alone, which is great. We have grown up this capability in
Cyber Command, but the Pentagon's own weapons tester found in
their words, quote, ``significant vulnerabilities,'' end quote,
in every major U.S. weapons program. And that is made up--it
has revealed itself in everything from China flying comparable
copycat versions of the F-35, which either coincidentally the
J-31 looks like it or it is because there were reported three
different breaches during the design process, to exploitation
during warfare itself.
So, in terms of what Congress can do, I think we need to
have a focus on building resilience within the DOD acquisition
system. Specifically, establishing metrics and determining
where progress has been made or not in our acquisitions process
to deal with vulnerabilities in that. So we know they are
there; what can we do about it?
I would also add: we can explore how to use Pentagon buying
power more effectively outside the defense industrial base. So,
for example, entities like Transportation Command have
relationships with a lot of different critical infrastructure,
how can they incentivize them to get better at their
cybersecurity using Pentagon buying power?
Ms. McSally. Dr. Libicki.
Dr. Libicki. Three things. First, I think we need a better
understanding of our end-to-end vulnerability. Part of the
problem in defensive cyber is we tend to chop them up into
little pieces and look at the vulnerability of each piece, but
in fact, if the bad guys are going to exploit our
vulnerabilities, it is going to do it on an end-to-end basis,
and this is the basis under which you ought to measure things.
In terms of the vulnerability, as you point out, this is an
unclassified session. So my best guess is that heterogeneity
and, believe it or not, legacy systems make a big difference
because it gives us a lot of ways of doing different things,
and I think, in general, the fact that our warfighters tend to
be given the authority to do their own innovation is very
important because, after a cyber attack, the world is going to
look different than it did before, and how do you put the
pieces back together becomes very important, and a well-trained
military that knows how to think on the spot in different ways
becomes very important in the aftermath of a cyber attack, part
of the resilience package.
Ms. McSally. Great. Thank you. I had another question about
ISIS, but I am out of time. I often--we see ISIS either using
the internet to recruit, train, direct, yet the internet was
continuing to still work in Raqqa. I have asked many times in
this setting, why is the internet still on in Raqqa? But we
don't have time. So we will follow up with you all later.
Thank you. I will yield back.
The Chairman. Mr. Carbajal.
Mr. Carbajal. Thank you, Chairman Thornberry and Ranking
Member Smith.
Dr. Singer, I am going to build on that but maybe closer to
home. An area of major concern is the supply chain
vulnerabilities where malicious software, hardware is
inadvertently--or exists in the development or acquisition of
different systems.
In your testimony, you express concern over the significant
vulnerabilities in every major weapons program, extending from
breaches of operational systems to original design process. Can
each of you speak to how we can tackle these vulnerabilities?
What checks and balances can we put in place to avoid
developing systems with malicious software or hardware? And
what resources do we need to invest in order to protect our
supply chain?
Dr. Singer. So I should clarify this phrase of significant
vulnerabilities. That is actually from the Pentagon's own
weapons tester. So it is not merely an assertion of mine. It is
from our own government's reporting on it. The concern here,
again, as you put, is not just merely, what does it do in
acquisitions, what does it do in an operational environment
like we explored in future scenarios, but it also means it is,
I would argue, difficult to impossible to win an arms race if
you are paying the research and development for the other side.
And so, in terms of what can be done, I think the question
for Congress is where, in using your authority, what are the
changes needed in acquisition law, or is it processes, is it
policy, to create better requirements for essentially
resilience to cybersecurity attack, not preventing it? We will
never be able to prevent all of it but build resilience to it.
This also points to the human resources side that we have
talked about, and again, this cuts across the board in
everything from within the military, as was laid out, to
outside and broader society, and it is very exciting to hear--
everyone is very proud of the different universities. We need
to think about how we can build training for cybersecurity into
our education system to create better levels of cyber hygiene.
Thank you.
Mr. Carbajal. Thank you.
Dr. Libicki. There has been a lot of concern about the fact
that some of our foreign sourcing leads to vulnerabilities. I
am not entirely certain whether we need to do all that much
more than we are currently doing. I remember that there was a
lot of discussion 20 years ago when people were talking about
fixing the Y2K [Year 2000] problem, and there was a lot of
handwringing about foreigners working on our code, and
therefore, we become much more vulnerable because we couldn't
trust the foreigners to work on our code, and I haven't seen
any evidence that that really mattered to Y2K or that mattered
to vulnerabilities in the immediate aftermath of Y2K.
I think, as a general principle, it gets back to
understanding our end-to-end vulnerabilities. Even if a
particular product is weak, if there is no way to exploit the
weakness, that gives you a certain level of protection. So you
do have to look at supply chain vulnerability as part of a
broader overall systemic end-to-end vulnerability issue.
Mr. Healey. Thank you very much.
I have been impressed with how much has been done on the
academic side and within the computer security community on
trying to build a trusted system on untrustworthy components.
So, for example, if you use end-to-end encryption, like is
happening now in Apple, even if you don't trust the systems
between you and the person you are talking to, there are tools
like end-to-end encryption that can give you much more trust
over the system as a whole.
One example in the DOD context is DARPA [Defense Advanced
Research Projects Agency] is now putting a system they call
HACMS [High-Assurance Cyber Military Systems], the High
Assurance Computing Systems--I can't remember the exact
acronym--where they are using mathematically provably secure
code. They have done this on a helicopter drone. They have
given a red team hacker access to part of that drone, and they
have not been able to get out, to hack the entire drone and
take control of it. So here are areas where you can trust the
system even if it has some untrustworthy components.
I would like to also call out what has been happening
between the defense industrial base companies themselves. The
amount of information sharing, my colleagues tell me, has
gotten that, in the past, if the Chinese were to hack one of
those companies, they could use that same vulnerability to hack
all of them. And it has now been several years where the
sharing and the defenses have gotten so good that now they have
to use a different software vulnerability on each of these
companies. I think that is exactly getting toward the kind of
defenses that we need, and it is probably more because of the
sharing, which is cheap, than having to add more and give them
more money in the contract so they can improve their security.
Thank you.
Mr. Carbajal. Thank you for your insight and your wisdom.
I yield back.
The Chairman. Ms. Stefanik, do you have additional
questions on your own time?
Ms. Stefanik. Thank you, Mr. Chairman.
NATO [North Atlantic Treaty Organization] has introduced
the Tallinn Manual through its Cyber Defense Center of
Excellence in Estonia, which provides an analysis on how
existing international law applies to cyberspace. The most
recent Tallinn 2.0 Manual focuses on cyber operations and
discusses cyber activities that fall below the thresholds of
the use of force or armed conflict.
Is this framework helpful in establishing international
norms for nation-states, and what, if anything, would you
recommend we consider incorporating into U.S. policy?
I will start with Dr. Libicki.
Dr. Libicki. I mean, I can say nice things about global
rule under international law, but international law is only as
good as countries that support international law are willing to
support it. In other words, they are willing to put muscle
behind violations of international law. And I would--I regard
international law as a tool of policy. I do not regard it as a
substitute for policy.
At some point, you have to take certain elements of
international law seriously enough to say, ``This is
unacceptable, and this is what we are going to do about that,''
and this is in turn part of a broader discussion, which I urge
that we have, about what in fact constitutes thresholds. Okay.
Part of the problem with using international law as a base,
as was obvious in the Tallinn 1 Manual, is that there is a lot
of disagreement among people about what in fact constitutes
legal behavior, and you don't have the same judicial mechanism
in the United States where you can point to the opinions that
are rendered by judges to say, okay, there is a consensus that
this is a way it is and this isn't the way it is. We don't have
that. Okay.
So, in the end, international law has to be supported by
nation-states--by countries and their willingness to take risks
in support of law before it becomes actionable.
Ms. Stefanik. Thank you.
Mr. Healey and Dr. Singer, do you have anything to add?
Mr. Healey. I am a huge fan because it takes a lot of the
arguments off the table. You know, instead of arguing, well,
arguing from scratch if we think something is an act of war,
not now; we at least have a place to come from. And that helps
a lot. Now we can argue what part to do about it. That is
really what has been tripping us up, I think, more than
anything, is not what to call something or what thresholds to
set, but what are the actual policy tools and how are we going
to use them in each instance, and hopefully now we can focus on
that.
Ms. Stefanik. Dr. Singer.
Dr. Singer. I am a huge supporter of it as well. I would
just add two things to it. The first is to recognize that there
is not just this process but a broader webwork of agreements
and norm building that is going on in everything from
bilaterals with allies to multilaterals, be it at NATO to all
the way up to United Nations. And I think a key area for action
for Congress is to essentially request of the administration,
what is your overall strategy here, how does this all fit
together, and, most importantly, are you not going to let this
fall by the wayside, because it is clearly advantageous to the
United States to shape these norms in a way that restores
global cybersecurity.
The second most important thing is to recognize that the
quickest way to undermine norms and laws is to take an action
when they are broken, and we have seen repeated instances,
specifically by Russia, in everything from attacks on power
grids that were no-go areas, such as in Ukraine, to most
recently this broader campaign that I mentioned. And so, if we
want to norm build, we also have to take actions besides just
write things down in treaties.
Ms. Stefanik. Thank you.
In some of your testimonies, you have talked about our
increasing capabilities when it comes to attribution. My
question is, how good are we at doing battle damage assessment
[BDA] in cyberspace? Are there areas or capabilities that we
need to invest in to improve our ability to do BDA?
Mr. Healey. Do you mean against our--when the attack is
against us or----
Ms. Stefanik. Yes.
Mr. Healey. Yes. Here, I think a lot of work that has been
happening in the Information Sharing and Analysis Centers as
well as the new policy from the past administration for
Information Sharing and Analysis Centers to try and come
together and get that coordination done within the affected
sectors themselves or the affected companies, that depends so
much on which sector has been hit to try and figure out the
level of disruption.
Some, like finance, are extremely good at this. Their
regulatory agencies are banging on the door to find out what
happened. Other parts of our critical infrastructure, like
water, aren't going to be as strong, and that underlines, I
think, how good the sector organizations are, how well they are
regulated, for example, rather than anything specific to
determining the level of disruption and the damage.
Ms. Stefanik. Dr. Singer.
Dr. Singer. This is one of those key areas, I think, to
delve deeper into in the muddy boots training side. So, for
example, if you lose 10 percent of communications, it is only
if you actually go out and exercise it that you understand that
maybe it doesn't have a 10 percent compromise on you; maybe it
actually means your entire organization can't work. Or,
similarly, if it is not you lose access but that you can't
trust communication. If one time the adversary inserts false
information, be it into GPS or false information into an order,
does that mean that you no longer trust the system itself, so
the entire system goes down?
So that is one of the areas where I think we need to evolve
it more and do our own training to understand the effects of
it. That is the only way.
Ms. Stefanik. Thank you.
My time is expired.
The Chairman. Ms. Rosen.
Ms. Rosen. Thank you, and I really appreciate all of you
being here today. Thank you, Mr. Chairman.
My question is about the disentangling of the NSA and Cyber
Command. And so I see some of the benefits and challenges. I
would like you to expand on that a little bit and especially
about how that relates to our ability to respond dynamically to
threats or challenges as you see them and our ability to be
fast and flexible there.
Mr. Healey. Thank you very much, Congresswoman Rosen.
The most dynamic part of America's cyber defenses is not
Fort Meade, and it will never be at the Pentagon. It just
isn't. They can't--pretty much no part of the U.S. Government
is actually creating and maintaining cyberspace. One of my
colleagues that used to--a former Army major that then went on
to work at Verizon--said, look, if there is an attack, we at
Verizon and our colleagues and our companies, we can bend
cyberspace if we need to; we can change the physics of the
space to blunt this attack in a way that is incredibly
difficult for places like Fort Meade and U.S. Cyber Command to
do. U.S. Cyber Command simply just doesn't have the levers to
be able to respond agilely enough to attacks against us.
They can certainly attack back, but they are not--they are
not tied in in the same way as these companies are. And so,
because I believe that the private sector is the supported
command, they have agility, they have the subject-matter
expertise, and they can bend cyberspace if they need to, that
our money is best spent, rather than trying to recreate that at
Fort Meade, find ways to help make sure what they can do
better.
Dr. Libicki. You have asked an interesting question, which,
unfortunately, I don't have a clear answer for because I am
still thinking through it. Okay? But a lot of what you do with
Cyber Command, vis-a-vis NSA, depends on what you actually want
Cyber Command to do. If you are thinking of what Cyber Command
does as part of a broader information operations area, then you
need to bring Cyber Command in with other parts of the
Department of Defense that deal with information operations.
And this is not a--this is not something that is currently on
the table.
Ms. Rosen. Cyber Command, doesn't it also execute?
Dr. Libicki. Right.
Ms. Rosen. Right.
Dr. Libicki. In terms of its--in terms of its offense
mission is what I am referring to. Okay? In terms of its
defense mission, it is a coordination between Cyber Command and
the way the networks are currently managed that becomes an
important component. And for a long time, NSA has had that
responsibility to improve the security management of DOD
networks.
If you are looking for Cyber Command to think in terms of a
general analysis of the vulnerability of other people's
militaries, then you may want to bring them in together with
other folks who look at the vulnerabilities of other people's
militaries that are not necessarily digital zeros and ones but,
in fact, arise from the interaction of the various components
of their militaries. And that is about as far as I have gotten
in my thinking, unfortunately.
Dr. Singer. So I think we have laid out earlier some of the
rationales for it, and it ranges from the split, as you note,
between, essentially, the evolution of the missions from
intelligence to Cyber Command becoming more and more
operational, both offense and defense, having training
requirements and the like. As I mentioned, there is the double-
hat problem of just human talent.
There is another aspect of this that I think is interesting
to talk with you about is go back to the original rationale for
why they were double-hatted. It was both because the creation
of Cyber Command, it didn't have its own culture, didn't have
its own human talent, but it also was because there was a
concern that the head of Cyber Command would not be able to
speak with a voice or authority that would get Congress'
attention.
Ms. Rosen. Right.
Dr. Singer. Post-Snowden, the absolute opposite happened
where you are more interested--maybe not you individually, but
Congress is more interested in the NSA surveillance encryption
debate side. And we even saw that in the confirmation hearings
for the head of Cyber Command.
So I think for this wide variety of reasons, it makes sense
to split them, but I would not do it instantaneously. I would
do it like the transition that we had with the Joint Forces
Command where the mandate, so to speak, of the last commander
was figure out how to disentangle this in a way that doesn't
compromise effectiveness.
Ms. Rosen. Thank you.
Well, as a former computer programmer and systems analyst,
I have about a million more questions about the public-private
partnership versus privacy. We don't have the time to do it
today. I hope you will come back, and I will be able to ask
them all. Thank you.
The Chairman. You can use the gentlelady as a resource as
you go on ahead. That is what is clear to me.
Mr. Scott.
Mr. Scott. Thank you, Mr. Chairman.
Gentlemen, many of my questions have been answered, but I
want to go back and focus on a couple of things. The Y2K issue
was approximately 20 years ago. It was not intentional, but my
question has always been, as we talk about malware and digital
and Xs and Os, one of the vulnerabilities that we don't talk
about much, which has been mentioned before, has been the
supply chains and the ability to perhaps embed things in
hardware prior to the manufacturing of the actual equipment.
I go back to just, for example, the GPS system that we put
in an airplane or a radio system that we put in an airplane,
could it be preprogrammed to stop working at a certain point in
time, in which case that would give your, certainly, major
adversaries, your near-peer adversaries, a distinct advantage
over you, and that if they knew that you were going to lose
radio communications at a certain point in time, that would
obviously be an opportune time for them to go on the offense.
And so it seems to me that we have this constant testing,
if you will, of capabilities among select few countries. When
one of those countries finds a weakness, the question is how
far do they go in exploiting it, I guess, before a cold war
actually becomes what we would acknowledge as a true war.
I listened to your comments on the split of leadership at
NSA, certainly interested in further discussion on that. But I
would like for you to speak, if you would, towards the future.
Dr. Healey, you said that we don't have the levers that the
private sector has to bend cyberspace, I think is the way you
put it. We obviously have Active Duty personnel. We have
National Guard personnel. National Guard has had a tremendous
amount of success in helping us. What is the--what does the
Cyber Mission Force look like 20 years from now? What are the
decisions that have to be made to make sure that we have that
cyber force?
Mr. Healey. Thank you very much. It is a great question.
And to put some context, I am not taking swipes at Cyber
Command. I was one of the initial cadre of what became Cyber
Command. When I was a young captain in the late 1990s, I helped
the headquarters there set up what was to become the Joint Task
Force-Computer Network Defense and was one of the 21st--one of
the first 25 cadre members there, and then it went on to grow
to be U.S. Cyber Command.
When I think about--it is a great question and what that
force might look like. One of the futures that I start
thinking, and I am saying, what would happen if we went down
that--if--what cyber conflict might look like in 10 years.
Last year, at--DARPA funded a contest called the Cyber
Grand Challenge in which they had different supercomputers
discovering their own vulnerabilities and throwing--discovering
vulnerabilities and attacking the other supercomputers on
stage, which then had to run through their programming and come
up with automated defenses. And, certainly, when I am thinking
about what cyber conflict might look like in 20 years or 10
years, that to me seems like somewhere obvious to start in
where DARPA is already thinking.
So just imagine how--what that might mean for the Cyber
Mission Force where we have over 6,000 people at Fort Meade,
and other places now, preparing for a fight. Well, if the
future conflict is going to be malicious software that has got
a back end over a supercomputer telling it what to target next,
how to change to avoid defenses, you now need your own
supercomputer to try and defend against that. And I think that
has just tremendous challenges for military doctrine, for
organizations, and certainly, for staffing.
Mr. Scott. That brings me to another question. I mean,
obviously, a lot of these people, they are extremely
intelligent. We need to have the ability to work with these
people. They may not be interested in joining the military.
They may not work, certainly, full-time or part-time. I mean,
for lack of better terminology, I mean, do we, when we see this
problem coming, deputize a cyber posse like the old days where
you bring people in that you have never worked with before?
And, Dr. Singer, I know--interested in your opinions.
Dr. Singer. That is why I am an advocate of, look, there is
great talent within Active Duty. National Guard has been a way
to pull in. We have reorganized, so we can pull in that talent,
you know, that already has cyber skill sets. But at the end of
the day, as you note, there will be a wide range of people who
either are unwilling to serve in the National Guard and
Reserves or they simply won't qualify for physical reasons,
whatnot. And so we need to create alternative pathways to draw
people in beyond just contracting them.
And that is why I am an advocate of both this Civil Air
Patrol cybersecurity equivalent to expansions of the U.S.
Digital Service to include cybersecurity, simply looking at
outside of this field, what are like models that we know work?
How do we use those to bring in cyber talent?
And then, lastly, I would point to the bug bounty program.
The--you asked, you know, what will this look like? The people
that participated in the Pentagon's first bug bounty ranged
from off-duty government workers to people working in business
doing it nights. My favorite example was an 18-year-old who did
it in the middle of their AP [Advanced Placement] test, who
volunteered to help defend Pentagon networks and reportedly he
did it because he just wanted the T-shirt. So we have to have a
means of pulling in all this wide variety of talent. That is
what makes America great.
Mr. Scott. But you also have to get them cleared from a
security standpoint. You have to have them operate under some
agency out there, and those are things that, I think, need--we
need to have that outlined before the attack happens.
Dr. Singer. Absolutely.
Mr. Scott. Mr. Chairman, I apologize for going over.
The Chairman. That is fine. Interesting discussion.
Mr. O'Halleran.
Mr. O'Halleran. Thank you, Mr. Chairman.
I guess I want to go back a little bit to Mr. Scott's
issue, because I have a concern that what we are doing here is
without deterrence, without clearly showing deterrence that we
are in this never-ending spiral of more and more people, more
conflict between budget for cyberspace and the budget for
defense; how do we pay for it, that the people that are
attacking us are spending far less to attack us than we are to
stop the attacks. And so it appears that the deterrence factor
has to be something that is credible, as Mr. Libicki said.
I am just trying to understand how we start to slow down
that cycle. It is a great full-time employment issue for a lot
of young people that are coming out of our universities, but it
is a serious question as far as our long-term capability to be
able to defend ourselves without trying to deal with the
deterrent side in a meaningful way--if we do not deal with it
in a meaningful way.
So how does that all occur? And, Mr. Libicki, I would like
to start with you.
Dr. Libicki. I think, ultimately, the way you discourage
people from attacking you is to give yourself an architecture,
the relationship between information and systems, that reduces
their value--what they get from attacking you in the first
place.
And even if we had an effective national deterrence policy,
we would still have many other threats from criminals, from
insiders. And so one of the advantages of defense and
resiliency is that defends against people, no matter what their
motivation and no matter what way we can and cannot reach out
and touch them.
Mr. O'Halleran. And I take it from your comment that you
don't feel we are at that point yet where we have the system
that can deter like that?
Dr. Libicki. I think we have made a great deal of progress.
I think we have a lot more progress to make. It is going to be
a long challenge.
Mr. O'Halleran. Dr. Singer.
Dr. Singer. So there are different forms of deterrence. And
because of the Cold War experience, we typically focus on the
idea of deterrence by overwhelming retaliation.
There are many things for the people in Fort Meade to be
upset with Mr. Snowden about, but the one thing he did reveal
is that there is no question of our offensive capability. And
yet, as we see, the attacks continue. So it is not like the
Cold War where there is mutuality here and that, you know,
someone attacks us and we respond in a like manner. So if we
are thinking about retaliation, it is going to be better using
those other tools of American power to influence actors that
have both attacked us but also others looking to it. And that
is why I am very pointed about the Russian campaign and our
lack of a response to it has incentivized a wider array of
actors.
Secondly, there is a different form of deterrence which
wasn't possible in the Cold War called deterrence by denial or
it's resilience. It is the idea that I don't attack you not
because you are going to hit me back, but because my attack is
not going to succeed. You will shrug it off. And importantly,
resilience would be a useful building activity. Whatever the
form or type of attacker, you build good resilience, it is good
against criminal actors, state actors, you name it.
And in my written testimony, there are a whole series of
actions that we can take to raise our resilience levels and
therefore make attacks against us less successful and,
therefore, less likely.
Mr. O'Halleran. Thank you.
And, Mr. Healey, just to go a little bit further on this.
We just talked about Russia during the Cold War. It got to the
point where they just appeared to not be able to afford to
continue on with the path.
In this instance, we have a situation where those that are
attacking us can afford to keep going because our cost ratio is
much higher than their cost ratio. How--just how do we start to
stop that? I understand what Dr. Singer just said, but, again,
the architecture is just not there right now, and our cost is
just exploding.
Mr. Healey. There are new architectures and new things that
are coming down in the computer field that I think will help.
We have been doing a New York cyber task force at Columbia
University to say what can we make a more defensible
cyberspace, a more defensible America, more defensible sectors,
more defensible companies. And so, for example, going to the
cloud. I was astounded how many of the bank chief information
security officers and others that were saying absolutely allows
you a more secure foundation to build that from the ground up.
The CIO [chief information officer] thinks he is going to do it
for cost reasons, but really you do it for security.
I would also like to add, I tend to be very hesitant when
it comes to trying to raise the adversaries' costs more
directly, but I certainly think when it comes to Russia, we
have got a national mission team. They are looking into red
space, able to disrupt the Russian influence operations and
cyber attacks. I think, absolutely, we should start thinking
about that to help out France, German elections as they are
coming up. Thank you.
Mr. O'Halleran. Thank you, Mr. Chairman.
The Chairman. Thank you.
Mr. Wittman.
Mr. Wittman. Thank you, Mr. Chairman.
I appreciate our panelists for joining us today. Dr.
Libicki, I want to start with you. You have spoken very much
about building an offensive capability. I have a particular
interest in that, because I think it is the way that we can
make our adversaries use their resources to defend their
systems. I think that is extraordinarily important.
Give me your perspective about how in the realm that we see
ourselves in, especially with the United States Navy with new
systems, unmanned platforms, and what we have to do to create
command and control there, how do we not only protect those
systems, but how do we look at vulnerabilities that our
adversaries might have with their systems so that their time is
taken up not in going after our links within our systems or
looking for weak points there, but what they have to do to
defend their systems. And how do we most aggressively pursue
that?
Dr. Libicki. Well, there are a number of standard ways for
exploring other people's systems. And one of the best ways is
actually buy a copy of them and then run it in our test labs.
We did that throughout the Cold War, and I don't think our
activity has slowed down very much.
To the extent that they use international components in
their systems, they already have a certain amount of
familiarity with that. We probably pick up a great deal of
electronic intelligence just by listening to these components
communicate with them over the air. Okay? But let me actually
address your question by asking a question, for which I am not
quite too sure there is a good answer, but I will do this
anyway.
To what extent do we want to tell folks or hint to folks
that we have an ability to interrupt their information systems?
Okay? On the one hand, it gives us a great--a certain amount of
deterrence. It reminds people who are doing a lot of--throwing
a lot of stones that they live in glass houses, and it reveals
our intention to go after their glass houses, which I think is
very important.
On the other hand, you want to do it in such a way that it
doesn't look overly aggressive, aggressive but not overly
aggressive, and you want to do it in such a way that it doesn't
give away too much of how we actually do our business.
So there is a lot of trade-off to be had here. I think we
are in a good position where we are given credit for a lot of
capability without necessarily having to show it. I don't know
what the depletion rate of that confidence is. Okay? But right
now I think it is pretty high.
So we have American defense officials, certainly in the
last administration, I think in this administration, who have
hinted from time to time that we have a great deal of
capability, and they need to watch themselves, but to maintain
that confidence, or lack of confidence, in their mind, I think
is a challenging problem but not an insurmountable one.
Mr. Wittman. The next question. How do we, as we look at
where the future brings us with educating and training our
military members and leaders today for the challenges they will
face tomorrow within the cyber realm--and I have been an
advocate to say all the way from the basic training level,
tactical level, all the way up to the strategic level, there
needs to be a common theme of training and educating everybody
in the military as to the cyber sphere that they are going to
operate in.
Give me your perspective on where you see things currently
going, maybe even some of the efforts that are undergoing
through your experience that are happening maybe at places like
the academies, and what needs to happen there to make sure we,
from top to bottom in our fighting force, emphasize the cyber
realm as much as we do the kinetic realm?
Dr. Libicki. I am glad you asked that question, because it
allows me to speak on behalf of my employer. I think the Naval
Academy does a really good job on this. We have two semesters
of requirements for all naval and Marine Corps officers; one
they take in their first year, one they take in their third
year. I have a little experience with them, because I teach a
lot of freshmen this sort of stuff. We also have a cyber
operations major. This year, we will be graduating about 40
folks. And one of the nice things I like about the program is
that we spend years two and three on the technical education,
and then starting a bit in year three and into year four, we
give them the policy perspective.
One of the biggest shortfalls in the area of cyber is you
have a lot of technical people that can't talk policy; you have
a lot of policy people who don't have a rich enough foundation
in the technology. And I believe the Naval Academy is
graduating officers that, in fact, have a background in both of
them. And I think that is very beneficial, and I think it is
something that I--speaking ex cathedra that I think the other
two military academies also should take a serious look at.
Mr. Wittman. Are there any efforts underway currently as
far as facilities or things that might be there in the future
to make sure that we are even enhancing that experience with
things like, you know, a secure facility like a SCIF [sensitive
compartmented information facility] for them to be able to
learn and operate within?
Dr. Libicki. Well, as you happen to ask, we are building a
cyber building, the Hopper--Hopper Hall, I think it is called,
on campus. It should be ready in about 2019, and it is supposed
to have a SCIF.
Mr. Wittman. Very good.
Thank you, Mr. Chairman. With that, I yield back.
The Chairman. Mr. Veasey.
Mr. Veasey. Thank you, Mr. Chairman.
I want to ask Mr. Healey a question. In your testimony, you
recommended that the U.S. needs to take further steps to deal
with foreign influence in cyber realm. And I wanted to ask you
if you could elaborate more on what those steps look like and
which agency you would have spearhead those?
Mr. Healey. Yes. Thank you, Congressman Veasey. I think it
is a tough question, because one reason why I think we have
turned to the Department of Defense to help us out on cyber
issues, has been they were there with the capability when they
were needed.
Many people have been very disappointed that it has taken
the Department of Homeland Security so long to get themselves
up when it comes to dealing with cyber issues, and yet DOD has
been there quietly providing capabilities for a long time. I
see the same problems are going to affect us here when we are
talking about influence operations. DOD clearly should not be
in the lead on such things, but we could easily imagine ways
that the Department of Defense can bring their amazing
capability to bear on this. They have already been studying
information operations. I think they should be coming to
Congress with different projects to fund within the--probably
within the cyber branches, for example, 24th Air Force or 10th
Fleet, to start rebuilding that information operations
capability.
And also, blowing--blowing on the coals of where those--
that information operations capability resides, particularly
National Defense University. And, hopefully, that can kick off,
while the interagency process is figuring out how better to
deal with this. I think there obviously will be a role for
Justice and for State and the Department of Homeland Security,
but it is going to take them much longer, I think, to get their
capability up to speed, unfortunately.
Mr. Veasey. Thank you very much.
And, also, I wanted to ask about just the relationship
between the private sector and the government moving forward
when addressing these cybersecurity concerns. You know, there
have been, obviously, lots of talk about the government being
able to have a back door to be able to go into some of these
devices so they can go back and find out exactly what was
taking place. But then, also, there are other--there are apps
and things like that that are overseas that these--that the
companies here in America don't necessarily have the same
access to that wouldn't be able to unlock some of those clues
that we may be seeking in case of some sort of a terrorist
attack. So I just wondered if you had any thoughts on that at
all, either--any of you.
Dr. Singer. So across the board, if you did a poll--and,
actually, they have been done--of cybersecurity experts,
consistently they would say that building in back doors is the
best way to create greater vulnerability for the wider public
and the Defense Department systems themselves that we have
talked about. So that is why you find very few advocates of
that within the community. And, oh, by the way, people would
just move to other systems.
So the challenge, I think, you know, to move--that is a
known known. The challenge between the public and private
sector relationship now, one of the key areas is just who does
the private sector turn to for help when there is an incident?
The administration towards the--the Obama administration in
its last year began to clarify that a bit, but it is not yet
enough, it is not yet clarified. And in my sense, among the
proposals that I have got there is, you know, the idea you need
a one-stop shop, a key place for them to go.
I wanted to circle back, though, to your prior question
about influence operations. Much of this, the activity to
counter it, is going to have to happen outside of the Defense
Department. It is everything that we mentioned from the
creation of an Active Measures Working Group to debunk lies and
make it harder for people to spread them. It is to the debate
over critical infrastructure and our election systems has, I
believe, wrongly focused just on voting machines when, clearly,
the targets are political organizations.
They should be having the same kind of information sharing
that competing banks do, and same kind of linkups to
government. The activities during the 2016 election would have
been stopped if just the FBI and the DNC had had a better means
of communication and had been able to trust each other.
To--again, there are other elements to this. On the
intelligence community side, Congress should be requesting
briefings on just what these influence operations in the
broader spread of social media means for the likelihood of
conflict itself, how it is affecting popular sentiment among
adversary states and the like.
Mr. Veasey. Thank you very much.
Mr. Chairman, I yield back.
The Chairman. Thank you.
Mr. Bacon.
Mr. Bacon. Thank you, Mr. Chairman. I stepped out to get a
couple of votes in, but good to be back.
My question is about the dual-hat relationship between
Cyber [Command] and National Security Agency. We heard some
testimony today that suggests there is a good thing to break
that into two different [inaudible] for staffs. [Inaudible] I
was at Fort Meade earlier this week, and there are indications
to do the same, but I see warning signs of that. Right now, the
expression of cyber teams, there seems to be a cohesion of, you
know, a synergy between the NSA side and the--some of it,
sometimes it is one person, goes to title 50 to title 10 back
to title 50. Eventually, at some point, you are going to get
different priorities, different visions, and I see where it can
break down that synergy that you need and that cohesion.
What are the benefits of moving away from a dual-hat
relationship and getting two different four-stars? And isn't
there a better way to elevate Cyber Command than going down the
path that some are suggesting? And I would just open it up to
anybody that would care to answer.
Dr. Libicki. Let me make sort of a tactical--a tactical
statement here. We tend to think of attack and espionage as two
different things. Right? Attack is your title 10 thing,
espionage is title 50. We shouldn't have the same people doing
attack as we have doing espionage. But in practice, the two may
be a lot more similar than we think.
Let me give you a scenario. Let us say that I can attack a
network, inject messages in a network and tell the bad guys to
meet at a particular place. I get there an hour before they do,
tactical engagement, I win. Right?
Mr. Bacon. Right.
Dr. Libicki. Scenario two. I listen until I find out that
they are going to meet in a particular place. I find out where,
when. I get there an hour before they do. The tactical results,
fairly similar. Right? Why do you want one organization doing
one and one organization doing the other because we happen to
have defined injection as a title 10 issue and interception as
a title 50 issue?
I think what those folks are doing--and sort of as a
broader issue, a lot of what you can do with interception of
information these days has a lot more tactical relevance than
it did 20, 40, 60 years ago. If I can get into your equivalent
of Blue Force Tracker and just listen, the tactical advantages
I would have would be tremendous.
Mr. Bacon. So you are positing here that you should have a
totally separate Cyber Command that has that reconnaissance
capability? Is that what I am hearing?
Dr. Libicki. Well, if you end up with that reconnaissance
capability, you have now recreated a large chunk of NSA.
Mr. Bacon. That is right. So wouldn't you want a single-hat
or a dual-hat four-star?
Dr. Libicki. Well, that is a different voice, and again,
have to give more thinking about. You certainly want some very
strong XOs [executive officers] in both of them. Right?
Mr. Bacon. Right. Two different----
Dr. Libicki. So that, in fact, the XOs are running the
agency.
Mr. Bacon. Which is what we have today.
Dr. Libicki. Which is what we have today, so it depends on
the quality of the XO.
Mr. Bacon. Mr. Healey, it looks like you have a different
thought.
Mr. Healey. I think both Peter and I were looking to jump
in.
One, I don't mind creating a friction. I think this is the
most escalatory kind of conflict we have ever come across. I
don't mind having some brakes on that, just like we don't mind
brakes on using nuclear capability.
The people that say let's keep them together, they want to
optimize offense, intel, and defense, and it is true, keeping
them together does optimize that. I want to optimize America's
overall defense, and that means optimizing the integration with
the private sector.
Look at what we have done. We have folded information
assurance directorate farther into the signals intelligence
directorate at NSA. I would have loved the option to keep that
out so that they are able to better work with America's private
sector, which I think are the ones that are truly doing the
defense.
Of course, it makes sense to optimize those things. I just
think we--there is a higher priority when it comes to this.
Mr. Bacon. Mr.--Dr. Singer.
Dr. Singer. I think there are two points here. The first
is, just because you divide the dual-hat structure doesn't mean
that they can't continue to work effectively together. And we
can look at models outside this space for how you have seen
task forces and interagency teams and everything from, you
know, General McChrystal, what he creates, to engaging into
counter--counterinsurgency efforts in Iraq, which brings
together talent from across services, other agencies, to how we
approach counterdrug efforts down in SOUTHCOM [Southern
Command].
So just because you split them doesn't mean you can't
operate in this interagency manner. And, frankly, as Jay puts
it, it may be easier to bring in other elements either legally
or because of their willingness to work with.
And then the second is, I would echo Jay's point, there is
a worry, you know, but what if they might disagree? That is a
good thing. That is a good--that is our system, and
disagreements then allow the next tier of leaders--it airs
ideas and then allows the next tier of leaders to get both
perspectives. So I would say the friction between them isn't
necessarily 100 percent bad, and in a lot of situations, it
might be good.
Mr. Bacon. Okay. Well, I appreciate your inputs. I just see
a warning--I have commanded five times, and I have seen a good
rapport, and I have seen some where there wasn't that good a
rapport. And I could see two different four-stars with
different visions, and folks that would pay for it would be
those 133 teams that have to be working well together. So thank
you.
I yield back, sir.
The Chairman. Mr. Courtney.
Mr. Courtney. Thank you, Mr. Chairman, and for organizing
this hearing, which is a big one for this committee.
First of all, Dr. Libicki, I just wanted to, you know, add
a footnote to your comments about the academies. I represent
New London, Connecticut, where the Coast Guard Academy, and
they are moving very swiftly over the last three or so years to
boost their cyber curriculum. And I mean, they are, you know,
very, very much focused on that and doing good work. So I am
sure, you know, the Naval Academy has obviously been leading
the way, but I just wanted to at least add that sort of little
extra comment there.
And I really have just sort of one question. One of the
members talked about back doors. And you may have already
covered this, and I apologize, because I was in another
committee. But, I mean, we are seeing, you know, obviously, a
lot of programs flow through this committee, large platforms
whether it's long-range strike bomber, F-35, Columbia class.
And, you know, the model for building these platforms now
relies on a pretty extensive supply chain, which can be, you
know, firms and companies that are, I mean, tiny. And I just
sort of wonder if you had any comment about, you know, how we
sort of address that issue? I mean, it is a big one in terms of
just, again, the number of actors that participate in, you
know, pretty sensitive projects.
Dr. Singer. Sir, you are exactly right. There is a series
of potential vulnerabilities, and they extend, again, across
from the software-based attacks on the design process, i.e.,
you know, learning how to model, to copy it all the way to
operational side, and then the same thing when you think about
the hardware, the potential of hardware hacks on the chips
themselves. And the result is that it is--it can play out in
anything from lost future arms races or future sales to foreign
markets to actual loss in battle.
The thing is that the Pentagon senior leadership, I
believe, is aware of this problem, but the answer to it has
been kind of uneven in its implementation. And I would urge the
committee, essentially, to, you know--you are the ones who best
know, whether it is through a hearing or a report. We need to
figure out, when it comes to these kind of vulnerabilities, how
in our acquisition system can we build up resilience, and is it
law changes that need to happen in that buying process or is it
policy changes that need to happen to incentivize resilience
across the supply chain.
And to echo something I said earlier, we shouldn't just
think about this, though, in the defense industrial base. DOD
has a lot of buying power to other parts of the economy. Where
can it use that influence to aid cybersecurity writ large for
the Nation?
Mr. Healey. And if I may, like many cybersecurity problems,
this comes down to who pays in many cases. If you are talking
about Lockheed Martin having the defenses to keep out Chinese
attackers, well, we can say, all right, Lockheed, you have to
pay for that. But for many of the companies that we are talking
about here, buying in a more secure way for the supply chain is
going to be more expensive, and we can't always expect them to
foot the bill on that to choose a more expensive part for where
there is a little bit more trust. And, of course, when it comes
down to more pay, then it is going to be services and
committees like these that are going to have to help decide
that.
Dr. Libicki. I would like to make a statement. We mentioned
back doors, but I think front doors are also a problem. Okay?
Imagine you have a very capable--a very great capability, a
very sensitive capability. And you say, I want these people to
be able to access it, and you are happy. And then somebody from
the outside--not the outside, you know, somebody who is part of
your group, or whatever, part of the military, says, oh, I also
want an ability to access it. Okay. Well, we give you access.
And I also want the ability to access it. Sooner or later, you
end up trying to figure out who has got the ability to access
it. How many more people do I have to protect? How many more
people do I have to monitor? Because there is a tendency in
this world to just expand accessibility because it can help
people do their jobs. And every time you expand accessibility,
you expand the attack surface. And if you are not careful,
every time you expand the attack surface, you have created
another route for somebody else who doesn't have your interests
at heart to go in and try to play with your system. So a lot of
cybersecurity means saying no to people.
Mr. Courtney. I yield back.
The Chairman. Chairman Conaway.
Mr. Conaway. Thank you. The officer corps is being trained
at the academies, but this exact same training is going on for
enlisted ranks at Goodfellow Air Force Base in San Angelo,
Texas. Give a shout out.
A lot of speculation in the media or in this world about
how soon it will be before robotic soldiers take the place of
the fight in the kinetic world. How soon will AI supplant the
need for--and, Mr. Healey, you mentioned a bit of computer--
computers fighting computers. But how quickly will AI supplant
the need for all these human beings to be able to defend these
networks and do what we do?
Mr. Healey. I will take it quickly, and then yield to
Peter, since he kind of wrote the books on this.
One, because I was an alumnus at San Angelo, I think it is
probably going to come more quickly than we think, as many of
these developments do. The part of it that worries me the
most--and by that I mean 10 years. The part of it that
particularly worries me the most is that on the defensive side,
many people are thinking that artificial intelligence, new
heuristics, better analytics, and automation are going to help
the defense. That if only we can roll these things out faster,
that we will be better and the system will be more stable.
I think that these technologies are going to aid the
offense much more than they aid the defense. Because to defend
against these kinds of attacks, you need your own
supercomputer. That is fine for the Department of Defense. We
have got them lying around.
But for America's critical infrastructure, they are not
going to be able to afford such defenses in many cases.
Certainly, small and medium-size enterprises and mom and pops
are not going to be able to. And so that is why that future, in
particular, worries me if it goes down that direction, because
it leaves much of America undefended.
Mr. Conaway. Let me ask one other thing, and you can
comment on either one of these. But most of these cyber
warriors, the human versions, will be in protected enclaves,
probably here in the continental United States, where most of
the work will never need, really, to be able to field dress an
M-4. However, there are others in this group that may be fully
deployed again and protect the enclaves, but they should have
some familiarity with it.
Is the DOD doing a good job of being able to split out
those guys, who are going to be in an enclave forever, don't
need to look like a soldier. They probably don't act like one,
and they don't take orders like one. But is the Department
looking at, in terms of the near term, need for human beings,
this group of folks that really don't look good in uniform and
don't need to know how to fight other than with a keyboard
and--or versus AI I think that I mentioned earlier?
Dr. Singer. So on your first question on AI, I point to, as
an example, a recent hacker convention, where a DARPA competition had
AI competing to bug hunt, and it was won by one from Carnegie
Mellon called MAYHEM, and it was able to take on a task that
human hackers, bug hunters, it would take them a long period of
time, and did it quite quickly.
So the point I would make here is that much like, you know,
you mentioned robotics and drones and conventional warfare, we
have a couple of kind of disruptions potentially coming in the
cyber conflict side. AI would be one, another would be quantum,
where when I say disruption, it is not just when is it going to
happen, but we don't yet know is it going to privilege the
offense or defense, what are going to be the effects of it.
So in my written testimony, I advocate that you should hold
a classified hearing on trying to find out where do we stand in
these technologies versus likely adversaries, because they are
critical. We don't want to fall behind on them.
On your question of people, the answer, to be blunt, is no.
We have done a very good job of organizing existing talent
within the military, be it an Active Duty or starting to retool
the National Guard, but we don't have a means for pulling in
people outside the military who are willing to serve but not to
formally join or unable to because of some requirement. And
that is why in the written testimony I propose a sort of series
of actions and organizations that could help us do that better.
Mr. Conaway. Dr. Libicki.
Dr. Libicki. I just want to add one thing. It is important
to get talent into the technical side of hacking and counter-
hacking, but from a military perspective, it is also important
to have people who understand how offensive and defensive cyber
warfare fits into all of the other elements of warfare so they
can be presented in an integrated manner. And for that, I don't
think you have much of an alternative but a militarily trained
individual, whether an officer or enlisted.
Mr. Conaway. Clearly, it is not either/or. It is both.
Because the physical requirements to run a keyboard and a mouse
pad are dramatically different than somebody who has got to
even go downrange and run a keyboard.
I appreciate your perspective, and I yield back.
The Chairman. I would just note an editorial comment on the
AI discussion. It seems to me that we are always a lot better
at developing technologies than we are the policies on how to
use them, and that certainly seems the case there.
I would like to back up and maybe rehash a little bit some
of the topics that you all have touched on.
Starting with the role of the military to defend the
country in cyberspace. If there were a bunch of bombers coming
toward refineries in the Houston ship channel, we know what we
would expect the U.S. military to do to defend that private
infrastructure. If packets were coming through the internet
against the same refineries, under the Obama administration, if
it caused death or significant economic damage, I guess, not
really defined, then the military could get involved to defend
that private infrastructure. You have got to make judgment
calls, all this is happening at the speed of light, et cetera.
So I would just appreciate reflections from each of you on
the appropriate role of the military in defending nonmilitary--
in defending the country, private infrastructure especially.
Dr. Libicki. I think there are a lot of things that the
military can do, but I think it is also--there are a lot of
things the military cannot do, and a lot of the difference, by
the way, between the two is the sort of a technical difference.
Let me give you an example. Let us say we lived in a world
where the technology of firewalls was good enough, and the
economies of scales of firewalls were such that it made sense
to have a national firewall. Right? You could say, well, that
could be a role for the Department of Defense. It could be a
role for another part of the Federal Government, et cetera.
Let's say the Department of Defense, because it often takes
classified information to make a firewall run well. Right? And
if it turns out that that was a large part of the solution,
there would be a strong argument for the military.
But the state of firewall technology does not suggest a
ground for that sort of optimism. There are--it doesn't defend
against zero-days. It doesn't defend against built-in malware.
It doesn't defend against encrypted stuff. And by the time you
sort of do a positive and a negative, you end up saying, I
don't think the firewall is going to get us there, and,
therefore, I don't think whatever role is associated with
running the firewall is going to get us there either.
I don't think it is a question of, well, physical is going
to be military and cyber is not going to be military, because
there is a sort of existential difference between the two. I
think it is a matter of what tools do you use and then how do
you deploy those tools. And if the tools that you need to use,
for instance, have a lot to do with architecture, have a lot to
do with systems administration, have a lot to do with training,
then the role for the Federal Government is correspondingly
smaller.
If, however, you are depending on barriers, if you are
depending on classified intelligence, then the role of the
military is larger. And it might be, for instance, that 20
years from now, with the technology, that the role of the
military is much larger than it is today because the tools are
different. It is entirely possible that 20 years from now, the
role would be smaller, because we are looking at a different
set of tools entirely. Okay?
It is not an ideological ipso facto issue. You have to
follow the technology in order to think about roles and
missions.
The Chairman. Interesting. I want you all's perspective
too. In addition, you have got to figure out who is doing it.
Because if it is the most sophisticated sort of state actors,
then it is pretty hard for anybody, other than our military, to
defend against it. But I would be interested in you all's
perspective on this.
Dr. Singer. So I think it is interesting to use your
example to look back at history. So we have the obvious, a
bomber plane crosses into our territory, drops a bomb, military
responsibility. But we had a real--fortunately, that never
happened in World War II or ever. But we did have a real-world
example in World War II where German submarines dropped off
saboteurs, and the Navy was responsible for hunting down the
German submarines. In the midst of an all-out national
conflict, it was the FBI that was in charge of the saboteur
hunting down.
So I point to--you know, we have wrestled with these before
in the physical domain. So I think when it comes to the
questions of roles and responsibilities, the way we have
divided out so far for the military makes a great deal of
sense. It is very clear offensive action should be
governmental, should be military responsibility.
I would note, there's been a push recently for, hey,
shouldn't the private sector be able to hit back on its own. I
would argue that is a very bad idea. It is a bad idea for the
same reason that vigilantism in general is a bad idea. Makes
you feel good about yourself, it doesn't actually do anything
about the effect. When you move into politics, if we have got
private actors out there hitting foreign entities, they might
think it is a U.S. state action.
So that is clearly military. Defend its own networks,
again, clearly military, pulling in aid from the private
sector. Where it gets questionable is in this what should the
military do to aid the private sector.
And as I think Jay noted and probably will note, it is not
just a question of what kind of roles and responsibilities.
There is also the hard reality that the private sector knows
its own systems better. So it is going to be the one best
equipped to defend itself, set aside all of the other kind of
appropriate questions.
So, for me, the parallel here is just like when there is a
natural disaster or some other thing, the military should be on
call to aid. When it moves into a situation of war, where it is
an act of violence, political in nature, now we have moved into
there is a clear role for the military. So they should be able
to aid if they are called upon by other agencies, but if we are
short of an act of war, I don't want them fiddling around with
power grid networks or the like.
The Chairman. Okay. And, Mr. Healey, as you answer, I just
want to add another layer here. So according to press reports,
a foreign actor destroyed computers owned by Saudi Aramco. Is
that destruction of property that justifies this kind of added
layer of military involvement if something like that were to
happen here?
Mr. Healey. Without a doubt. I used to be the vice chairman
of a group called the Financial Services Information Sharing
and Analysis Center [FS-ISAC] that coordinates response and
information within the finance sector. And there is a bunch of
military help that I could have used, but it is not generally
the military help that we think. I would have loved to have had
just some senior NCOs [noncommissioned officers] or good junior
officers that knew how to respond to incidents and could keep
their head so that when we had a bad incident, that they could
help us get ready for the response and what was going to happen
next.
I could easily imagine a situation where attacks against
the finance sector, where we have to call for fires, where we
have--the banks have to say, we are not going to be able to
open for business tomorrow unless we get this taken care of.
How are we going to do that, that call for fires? The private
sector is the supported command. We need to start thinking
about this.
The finance sector is finally starting to push an issue
of how do we get our intelligence requirements listened to? We
are the ones that are on the front line. How can we have some
communication with the intel community just like any other
customer?
To me, this is so difficult, because the attacks have
largely been so inconsequential, not causing death and
destruction. So I like to step back and say, well, imagine if
we are not in a gray area. Imagine it is black and white.
People have--Americans have just died because of foreign cyber
attack. In the Aramco case, large-scale attacks against our
refineries. What do the American people, what does the American
President now look to? To the military. It is not support to
civil authorities. We are going to be looking for that military
to step up.
And the last thing I will mention is, in historical
analogy, during the Battle of Britain, they invented something
called the Dowding System, where they were having to track what
incoming fighters, what is the radar telling us, which fighters
are we going to divert. And so I see us needing a modern
version of this Dowding System that includes the private
sector. So that when you have these kinds of attacks, we have
got information that is coming in and we can figure out how to
handle those defenses.
I don't believe that is probably going to be at the NCCIC
[National Cybersecurity and Communications Integration Center],
at DHS where it is right now, and it might not even be at Cyber
Command. We might need a more American model that brings
together a better partnership.
The Chairman. One other thing that occurs to me as you were
talking is, we are going to--if that is the case, we are going
to have to have a government decision-making ability in
appropriate time. You cannot take every one of these cases to
the NSC [National Security Council] and deliberate on it for a
month. Maybe we are moving more in that direction, but it has
obviously been a problem before.
Let me yield to the distinguished ranking member of the
Emerging Threats Subcommittee, Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank you
for convening this panel. It has been a great discussion. I
wish I had been here for all of it. I was at a Homeland
Security briefing on cybersecurity, on this topic as well. So--
but I appreciate all of the contributions you all have made in
various aspects to this dialogue and the work you are doing in
this field.
Dr. Libicki, let me start with you. What metrics do you
believe we should have in place to determine if cyber
operations, both offensive and defensive, are effective or not?
Dr. Libicki. Well, that is a very interesting question,
because metrics are one of the hardest things in security.
Right? The problem with a lot of defense is if the other side
is only interested in stealing your information, and you don't
know about it, you think you are in good shape, when, in fact,
you are not in good shape.
One of the things that our intelligence community and our
law enforcement community has gotten some traction on is trying
to figure out, by looking at the other side, what people have
stolen from our own side in terms of--in terms of how good our
defense is. In terms of our offense, that--some of it you can
do directly. If you maintain a presence on the other person's
network and you want to attack it in a certain way, as long as
that attack doesn't kick you out of that network, you have a
fairly good platform for how you see the other side react.
But, in general, I think when you are judging offense, you
have to take a look back and say, what is the broader overall
military effect that we want to have and how do we measure that
particular effect, not merely the cyber effect? I think there
is often a tendency--particularly because cyberspace operations
are so technical--to measure the quality of cyberspace
operations and did we move the ones and zeros without measuring
the bigger picture, did it help us win the battle/campaign/war?
Mr. Langevin. Anybody else?
Dr. Singer. I would add in a couple of other elements. When
you are thinking about on the offensive side, we have typically
framed it in terms of classic military operations where,
clearly, many, if not most, of our adversaries are looking at
them through the lens of influence operations. So it is not how
many websites did I take down or your access to GPS or the
like, but it is how did I shape the overall environment? How
did I, to put it bluntly, hack your hearts and minds? And that
is something that we need to pay attention to both in adversary
hands and ours.
The second is on the defensive side. When we are looking
for metrics, again, they are not just sort of the obvious ones
of detecting attacks. What we are seeing in the corporate
sector moving more to this resilience strategy is--a key is
recovery time. So how long after I have detected--how long
after I have been knocked down do I get back up quickly? And
this points to, again, the concept of deterrence by denial. If
you have got good recovery time, then you have nullified what
the attacker did to you.
Mr. Langevin. Thank you. Yes, it is one of the things I am
wrestling with right now is, you know, how do we assess
metrics. And we have the NIST [National Institute of Standards
and Technology] standards, for example, which are important,
but, you know, the degree to which they are being adopted and
if they are being adopted, is the framework effective? We don't
have any sufficient metrics right now to measure that.
So let me ask, while I have--so I have a little bit of time
left, to all of our witnesses. In your opinion, what are the
greatest policy challenges that the Department is facing with
respect to military operations in the cyber domain?
Dr. Libicki. I would say that the greatest challenge the
DOD faces is understanding its own vulnerability and
understanding its own vulnerability on an end-to-end basis.
Mr. Healey. I think that is a fine answer. I am still--I
struggle when I talk to DOD officers and officials, and they
seem pretty uncurious about how tomorrow's cyber conflict might
look different than yesterday's. They are so deep down into
looking at the ones and the zeros and talking about network
speed and hazy borders that I would love their challenge to
pull out. I mean, we are so busy doing the destroyer
engagements, we are not thinking about fleet actions or what
actually winning is going to mean in this field.
Dr. Singer. I would echo the concept here, again, of while
it is almost natural and in terms of identity and thinking to
focus on the offensive, on the how do I use this, how do I take
it to the enemy, the reality is that resilience is the side,
that building up DOD resilience would give us a greater
advantage. It is just, to put it bluntly, not as sexy, and it
is not something that has the same appeal.
The second to add to this would be multidomain operations,
understanding how fires from one domain might affect another
domain. And a key element of this is recognizing that a lot of
what we are talking about is not just cybersecurity but moves
into the space of electronic warfare [EW] where adversaries, in
particular Russia, have been making deep, deep investment in
that. And as they showed off in Ukraine, particularly in the
ground forces side, they are probably better than us.
And this is an area where, again, we may need to think
about, you know, coming off of decades-plus of
counterinsurgency, have we shrunk too much our electronic
warfare capability, not just building out cybersecurity
capability, but do we need to build up EW side too?
Mr. Langevin. Thank you all very much.
The Chairman. Mr. Khanna.
Mr. Khanna. Thank you, Mr. Chairman, for convening this
panel and for your leadership of our committee.
My question is for Mr. Healey. I was very pleased to read
in your testimony that the center of U.S. cyber power is in
Silicon Valley and not in Fort Meade. Of course, I represent
that area, and that is what the many folks in the Valley think.
My question for you concerns coordination. The reality is,
today, we have many private companies that have their own basic
cybersecurity defense, and we would never have that each
company have their own private military. Is there a way to have
information sharing or a platform between these companies? Is
there a way to have information sharing between them and the
government in a way that doesn't compromise classified
information?
Mr. Healey. It is a great question, and I am very happy
that I had a chance to come back and add some details to these
remarks.
Some of those already exist and are relatively well funded.
We can still build capability. Others don't exist, and we hope
that they will stand up. Others are in place but relatively
starved of resources.
I have been, as I mentioned, the vice chairman of the FS-
ISAC. And we only shared information and coordinated response
for people that paid to be members; largely, that meant Wall
Street. We got about a $2 million grant from Treasury to re-up
our technology, but we had to include all 13,000-plus financial
institutions in the United States. And now the FS-ISAC is
winning awards for being the best information-sharing and
response organization. I think that is the best $2 million that
we spent in U.S. Government on cyber ever.
Compare that. DHS right now is spending millions of dollars
a year on a vulnerability database that is in trouble right
now. One of my colleagues was running an open source version of
that that had something like four times as many vulnerabilities
in it for $10,000 a year, and they ended up having to close up
shop because they were starved of resources. So there is so
much that is happening out there, and we don't necessarily have
to recreate that within the Department or within the
government, because it already exists.
Others that I will mention--and I am sorry, I won't break
out the acronyms in the interest of time. NANOG [North American
Network Operators Group] is an operating group that helps
coordinate the main network service providers. NSP-SEC [Network
Service Provider-Security] does the same and was critical in
the response to the denial of service attacks on Estonia. And
there are many of these groups out there that are already
helping. And I think with some small targeted grants like the
FS-ISAC could, we are talking about a few million dollars, they
might be able to build a secretariat, they might be able to
include new technology, and I think really make a difference.
You saw this with the defense industrial base sharing where
just saying, go ahead, you can share, and you won't get an
anti--in anticompetitive trouble led to significant
differences.
Mr. Khanna. I would love to follow up with you offline and
get your thoughts on this. But if you were to prioritize, then,
one or two things that we on the committee could do, what would
those be in terms of the funding?
Mr. Healey. In this area? The first thing I would want to
do, and this is this committee but also maybe Homeland
Security, is have the executive branch go through each of
several different kinds of the main incidents that we faced--
botnet takedown; denial of service attack; major malware
spread, like Conficker; counter-APT [advanced persistent
threat]--and go through in a disciplined way, who took what
actions, who took what decisions based on what information, and
what happened next.
I think if we went through that process in a disciplined
way--include decision modelers in that. I mean, again, we are
talking about a few million dollars. And you come out with that
and now you know the actual decision makers, you know what the
information sharing requirements are. We can build our cyber
incident response plan around that, and then we can help use
grants, if necessary, to start building the capability where it
is needed to make sure that is going to happen better next
time. Thank you.
Mr. Khanna. Thank you. Well, thank you for your testimony,
and I hope we can work with you on these issues.
Thank you, Mr. Chairman.
The Chairman. Thank you. I want to go back to resilience
for just a second. Now, you all talked a lot about it.
Obviously, the drive for the Department of Defense--and you
have all mentioned, you know, an Internet of Things; everything
is connected; every platform is a sensor--so to increase your
capability. And yet, as we think about the Russian hacking, one
of the reasons people had confidence in our voting system is
because every State was different, and so that diversity, the
fact that they were not all linked together, was part of the
resilience that made it much harder for any actual changes to
happen in the voting.
So how do you balance that? You want to be more effective.
We don't have enough money, and yet does not this drive to have
everything connected reduce our resilience?
Dr. Singer. There are a couple of things to note. I mean,
we should be clear that--well, I will put it this way. Part of
how you find that optimal mix of--what you are laying out is
essentially kind of both diversity but new and old, and the
constant story again, whether it is your personal cybersecurity
or DOD cybersecurity is this battle between convenience,
effectiveness, and security, and that is the same--so you find
that optimal space, frankly, by doing, by training, by testing.
I would use the example of the election side, though, to
illustrate this. There has been testing done that shows, yes,
voting machines are vulnerable. It is not that the diversity
kept us safe. It is that, in the 2016, the threat actor didn't
go after them. The threat actor went after not the voting
machines but the voting public, and this is again a lesson to
the DOD side, is it is not always about how does my system
work; it is about the humans behind them, be it their hearts
and minds and sentiments or their awareness or the like.
So, you know, we shouldn't tell ourselves that we have been
made secure because an actor didn't go after something. The
actor went after something else and was effective at it and,
now, again, is going after other allies. They are not
targeting, as far as we are aware, the French voting machines
or the German voting machines. They are targeting the voting
public and getting potentially maybe more out of it.
Mr. Healey. And I think it is a great point, and I really
want to associate myself with Dr. Singer's point in this and
your previous question, because to me, when I hear the military
talking about cyber and the third offset, I get really, really
worried because it seems, from a lot of my colleagues that I
hear from, they are thinking that that means more offense and
offense is going to be how we can use cyber as part of the
third offset to move in a way that our ally--that our
adversaries can't.
I think you have hit exactly on resilience is the way that
we can do that. Having better cybersecurity so that we can have
deterrence by denial and they are not going to be able to
affect us is a critical part of that. I have been very
heartened to see what has been happening in the military the
past few years, where they are saying, ``Let's operate--let's unleash
the red teams and exercise this so that they can really show us
what they can do and really affect the exercise,'' whereas,
normally, you would not let them affect the exercise goal.
Just like the Air Force used to make sure pilots could
operate through jamming, they are now starting to say, what can
we do when we don't have the internet? I think that kind of
resilience is really where we are going to have the third
offset.
The Chairman. I agree completely on exercising when your
networks go down or something; that is true. And I just mention
among the hearings we are planning in the future is one that
looks more broadly at, however you want to describe it, hybrid
warfare, attempts to influence policy short of traditional
methods of warfare. Certainly what the Russians are doing are
some examples. Chinese are using their economic power. Others--
I mean, this is one of our key challenges, I think, which you
all have touched on, but we don't have time to get in.
Thank you all for being here. It has been very helpful. The
hearing stands adjourned.
[Whereupon, at 12:08 p.m., the committee was adjourned.]
=======================================================================
A P P E N D I X
March 1, 2017
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
March 1, 2017
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
March 1, 2017
=======================================================================
QUESTIONS SUBMITTED BY MR. FRANKS
Mr. Franks. Background: How are forensics done in a timely manner
to determine if the attack was nonstate, state actor, or local
terrorist? Once identified by DOD, what authorities are required to
conduct a mission to stop the attack, mitigate it in the future, and/or
attribution of the origin of the attack.
Question: What is USCYBERCOM doing to counter our adversaries
before, during, and after an attack or probe on DOD networks?
Dr. Singer. There are a wide variety of forensics, some of which
involve monitoring your own network activity, others gaining access to
and monitoring potential attacker networks, and even the use of
information outside cyberspace (HUMINT for example). The key is to
establish awareness of the attack as rapidly as possible which then
allows an appropriate response. To some attacks, you might simply want
to close off access. Others, you might want to feed them false
information. And still others might be an act of war that requires a
response in realms beyond cyberspace.
CYBERCOM engages in and prepares for this range of scenarios. A
key, as in my written testimony, is more exercises/wargames that stress-
test our own systems and explore new doctrines. Better to find
vulnerabilities or discover new methods in the practice than in the big
game.
Mr. Franks. Background: Industrial control system (ICS) is a
general term that encompasses several types of control systems and
associated instrumentation used in industrial production, including
Supervisory Control and Data Acquisition (SCADA) systems, distributed
control systems (DCS), and other smaller control system configurations
such as programmable logic controllers (PLC) often found in the
industrial sectors and critical infrastructures. Since cyber is a man-
made domain of operations, DHS should be responsible for ICS/SCADA
attacks as they are in industry. However, since cyber happens so fast,
attribution can be a challenge to determine if this is really a U.S.C.
Title 10, 18, 32 etc... lane of responsibility. So imagine a bomber
from a state actor was heading to the U.S. with intent to destroy an
oil refinery. Who should respond? DHS or DOD?
Question: Who do you believe is responsible to respond to SCADA/ICS
network attacks? If DHS, what is USCYBERCOM or DOD doing to facilitate/
support the operations as all data traverses over the same IP
provider?
Why would DHS be responsible for defense or countermeasures against
a state actor, wouldn't DOD be planning those actions?
Dr. Singer. ICS is used everywhere from U.S. navy ships to traffic
lights to energy plants to toymakers. The defense of such systems would
be shared across the operators of the systems, supported by legal
authorities (DHS, etc.) and, if moving into the realm of state attack in
the context of war, the DOD. For example, DHS and other government
agencies can't/shouldn't operate a toymaker's or oil refinery's SCADA
system on their own, but they should be enabling the operators to better
defend themselves in realms that range from information sharing,
standards setting, threat intelligence, etc., as well as incentivizing
the market via insurance, etc. In turn, if a state actor did attack such
a system with the intent of making war (physical damage etc), we
wouldn't want the toy or oil company to retaliate, but the U.S.
military and other relevant agencies, with our means not limited to
only cyber retaliation.
Mr. Franks. Background: Since 1988 each of the theater, unified
commands have established a separate Special Operations Command (SOC)
to meet its theater-unique special operations requirements. As
subordinate unified commands, the theater SOCs provide the planning,
preparation, and command and control of SOF from the Army, Navy, and
Air Force. They ensure that SOF strategic capabilities are fully
employed and that SOF are fully synchronized with conventional military
operations, when applicable.
SOCs, established as sub-unified commands of the combatant unified
commands, are the geographic Combatant Commander in Chiefs (CINCs)
sources of expertise in all areas of special operations, providing the
CINCs with a separate element to plan and control the employment of
joint SOF in military operations. Additionally, SOCs provide the
nucleus for the establishment of a joint special operations task force
(JSOTF), when a joint task force is formed. There are six SOCs
supporting geographic CINCs worldwide.
Question: If the SOCOM model has worked for years with proven
performance in geographic AORs, why hasn't USCYBERCOM moved out to
support the warfighter in the same manner?
Dr. Singer. As a young organization, with a unique positioning vis-a-vis
STRATCOM and NSA, U.S. CYBERCOM has not been structured or empowered to
act like a full equivalent of SOCs as you lay out. I do believe that it
is evolving towards this model (vs. a TRANSCOM-style or separate service
future) and Congress would do well to support studies on what aspects
of the model are applicable or not, and how the challenges that the SOCOM
organization has faced (particularly in its cohesion with theater
command) might be navigated as CYBERCOM moves forward.
Mr. Franks. Background: How are forensics done in a timely manner
to determine if the attack was nonstate, state actor, or local
terrorist? Once identified by DOD, what authorities are required to
conduct a mission to stop the attack, mitigate it in the future, and/or
attribution of the origin of the attack.
Question: What is USCYBERCOM doing to counter our adversaries
before, during, and after an attack or probe on DOD networks?
Dr. Libicki. Attribution is the process of narrowing down who did
what. In the United States, it uses a combination of intelligence
(apparently, we track certain cyber groups) and forensics. The latter
uses information from the attack--such as the IP addresses and malware
used, social engineering tricks, and nation-linked indicators (such as
language)--to make an educated guess about who did it. Much of it is
quick; some of it is slow and depends on the flow of future
information: e.g., an attack that we know was carried out by X leaves
indicators which then match the indicators of an earlier attack which
can then be attributed. Some recent trends--notably the use of black-
market tools--are troubling for attribution because they could be
wielded by anyone.
USCYBERCOM's ability to do anything prior to an attack largely
depends on its foreknowledge of particular hacker groups (and would
thus be of limited use against an unknown hacker). The best we can hope
for--if the hackers themselves are unaffected by whatever the United
States does (e.g., are not arrested)--is to be able to postpone an
attack and force the group to develop new accesses as well as new tools
or techniques. At best, this buys six months (taking down a botnet can
provide somewhat longer relief but that's a different form of
cyberattack). At worst, the attackers have been dealt a minor
inconvenience, and the better hackers have backup plans in case their
infrastructure (e.g., their favorite IP sites) are discovered and
compromised. *Please note that I have never worked for CYBERCOM, and
any statements about them are based on my understanding of unclassified
information.
Mr. Franks. Background: Industrial control system (ICS) is a
general term that encompasses several types of control systems and
associated instrumentation used in industrial production, including
Supervisory Control and Data Acquisition (SCADA) systems, distributed
control systems (DCS), and other smaller control system configurations
such as programmable logic controllers (PLC) often found in the
industrial sectors and critical infrastructures. Since cyber is a man-
made domain of operations, DHS should be responsible for ICS/SCADA
attacks as they are in industry. However, since cyber happens so fast,
attribution can be a challenge to determine if this is really a U.S.C.
Title 10, 18, 32 etc... lane of responsibility. So imagine a bomber
from a state actor was heading to the U.S. with intent to destroy an
oil refinery. Who should respond? DHS or DOD?
Question: Who do you believe is responsible to respond to SCADA/ICS
network attacks? If DHS, what is USCYBERCOM or DOD doing to facilitate/
support the operations as all data traverses over the same IP
provider?
Why would DHS be responsible for defense or countermeasures against
a state actor, wouldn't DOD be planning those actions?
Dr. Libicki. Everything depends on what the response is. DOD gets
the call to prevent bomber aircraft from getting to the refinery
because of how bombers are engaged (e.g., with other aircraft, or by
anti-aircraft systems). DHS or local police would get the call to
prevent a terrorist from getting to the refinery because such a
terrorist would be engaged by border enforcement and/or police action.
A similar logic would dictate how a hacker would be stopped from
attacking SCADA/ICS networks. If the particulars of the exploit are
understood, it can be stopped by the defensive actions of the network
owners; DHS may play a role but only insofar as its advice works and is
considered useful and actionable. If the origin but not the particulars
of the exploit are understood, it may be possible to block the relevant
bytes at the border (or would be if the legal authority existed and the
ISPs were equipped to detect and sinkhole the relevant bytes). If the
origin or a waypoint of the attack were known but nothing else, there
is the possibility of covert action by CYBERCOM or the CIA against the
relevant node (although, as the last answer indicated, that only buys
time, and not much). If the author of the exploit were identified but
nothing else was known, the author may be subject to police action
(especially if the author sat in friendly territory). If the author sat
in a hostile country, it may be up to the State Department to persuade
the country to yield the individual. If nothing else worked, and there
was no other way to head off the attack (and, in fact, there often are
many other ways), the author could be militarily attacked but that is
tantamount to waging war on another country--which carries risks unless
the country is essentially ungoverned or already a war zone (but these
are qualities that make it difficult to carry out cyberattacks from
such locations).
Mr. Franks. Background: Since 1988 each of the theater, unified
commands have established a separate Special Operations Command (SOC)
to meet its theater-unique special operations requirements. As
subordinate unified commands, the theater SOCs provide the planning,
preparation, and command and control of SOF from the Army, Navy, and
Air Force. They ensure that SOF strategic capabilities are fully
employed and that SOF are fully synchronized with conventional military
operations, when applicable.
SOCs, established as sub-unified commands of the combatant unified
commands, are the geographic Combatant Commander in Chiefs (CINCs)
sources of expertise in all areas of special operations, providing the
CINCs with a separate element to plan and control the employment of
joint SOF in military operations. Additionally, SOCs provide the
nucleus for the establishment of a joint special operations task force
(JSOTF), when a joint task force is formed. There are six SOCs
supporting geographic CINCs worldwide.
Question: If the SOCOM model has worked for years with proven
performance in geographic AORs, why hasn't USCYBERCOM moved out to
support the warfighter in the same manner?
Dr. Libicki. When CYBERCOM started up, its Commander (GEN
Alexander) argued that all the forces belonged to him and he would
direct their use. Over time the relationship between particular mission
teams and the regional CINCs has grown closer to the SOC model. I
think that trend is continuing. But there are two reasons why they may
never be the same.
First, offensive cyber operations often rely on a bag of tricks
(some of which are zero-day exploits). Once these tricks are exposed,
they cannot be easily reused. Thus there may have to be some central
allocation of these tricks so that high-value tricks are not used for
low-value objectives. This use-once feature does not apply to special
operations quite so much. Similarly, there is a lot of common learning
that has to happen and a unified organization provides a basis for such
learning.
Second, getting the requisite access to a target system can take a
long time. There is no equivalent of kicking down the door. Thus, teams
have to be dedicated to targets well in advance of when these targets
are attacked. The bullpen model--here are some forces, what would you
like them to do for you today--does not work very well for cyberspace
operations.
Mr. Franks. Background: How are forensics done in a timely manner
to determine if the attack was nonstate, state actor, or local
terrorist? Once identified by DOD, what authorities are required to
conduct a mission to stop the attack, mitigate it in the future, and/or
attribution of the origin of the attack.
Question: What is USCYBERCOM doing to counter our adversaries
before, during, and after an attack or probe on DOD networks?
Mr. Healey. I defer to USCYBERCOM for the particulars.
Mr. Franks. Background: Industrial control system (ICS) is a
general term that encompasses several types of control systems and
associated instrumentation used in industrial production, including
Supervisory Control and Data Acquisition (SCADA) systems, distributed
control systems (DCS), and other smaller control system configurations
such as programmable logic controllers (PLC) often found in the
industrial sectors and critical infrastructures. Since cyber is a man-
made domain of operations, DHS should be responsible for ICS/SCADA
attacks as they are in industry. However, since cyber happens so fast,
attribution can be a challenge to determine if this is really a U.S.C.
Title 10, 18, 32 etc... lane of responsibility. So imagine a bomber
from a state actor was heading to the U.S. with intent to destroy an
oil refinery. Who should respond? DHS or DOD?
Question: Who do you believe is responsible to respond to SCADA/ICS
network attacks? If DHS, what is USCYBERCOM or DOD doing to facilitate/
support the operations as all data traverses over the same IP
provider?
Why would DHS be responsible for defense or countermeasures against
a state actor, wouldn't DOD be planning those actions?
Mr. Healey. Answer 1: The first response will always be the private
sector and only the private sector. Neither DOD nor DHS has any
capability to respond in any kind of timely way and neither additional
authorities nor money will make any difference.
DHS can help ensure coordination happens and has some role, but it
is as a supporting actor, one among many in an ensemble cast, not the
leading role.
Answer 2: After the first response, which is only the
responsibility of the private sector, then the U.S. government does
have more of a role. If it comes to countermeasures, then DOD ought to
plan and execute those actions.
I recommend each critical infrastructure sector should have one
military unit, chosen from the Guard or Reserves, which specializes in
that sector and can help this coordination. For example, an Air Guard
or Reserve squadron from Texas (where many cyber units are located)
could specialize in the oil and gas sector. Another unit, perhaps from
the Army Guard or Reserve, could specialize in the finance sector, and
work with that sector's organizations, like the Finance Sector
Information Sharing and Analysis Center (FS-ISAC).
Mr. Franks. Background: Since 1988 each of the theater, unified
commands have established a separate Special Operations Command (SOC)
to meet its theater-unique special operations requirements. As
subordinate unified commands, the theater SOCs provide the planning,
preparation, and command and control of SOF from the Army, Navy, and
Air Force. They ensure that SOF strategic capabilities are fully
employed and that SOF are fully synchronized with conventional military
operations, when applicable.
SOCs, established as sub-unified commands of the combatant unified
commands, are the geographic Combatant Commander in Chiefs (CINCs)
sources of expertise in all areas of special operations, providing the
CINCs with a separate element to plan and control the employment of
joint SOF in military operations. Additionally, SOCs provide the
nucleus for the establishment of a joint special operations task force
(JSOTF), when a joint task force is formed. There are six SOCs
supporting geographic CINCs worldwide.
Question: If the SOCOM model has worked for years with proven
performance in geographic AORs, why hasn't USCYBERCOM moved out to
support the warfighter in the same manner?
Mr. Healey. My apologies, I am not aware of how USCYBERCOM has
organized itself in this regard and the reasons why. I defer to them
for the particulars.
______
QUESTIONS SUBMITTED BY MS. HANABUSA
Ms. Hanabusa. When we talk about cyber warfare, naturally, we tend
to focus on where the threats are. In the Asia-Pacific, that means
China, North Korea, and to a lesser extent, Russia. However, we rarely
focus on our allies--nations we can partner with in the cyber domain to
build capacity, share information, and mutually defend each other. Can
you speak to how we're cooperating with our allies on cyber warfare,
particularly Asia-Pacific nations like Japan, South Korea, and
Australia?
Dr. Singer. We have various levels of both information sharing and
agreements with our partners in Asia, with Australia having the added
link of the ``5 Eyes'' participation. Two key areas to enhance are 1)
aligning our norm building, so that it is not each country individually
pushing for action by an adversary state, but multilateral and global
alliances, and 2) joint military training, as adversaries can/will seek
to exploit alliance vulnerabilities and seams.
Ms. Hanabusa. When we talk about cyber warfare, naturally, we tend
to focus on where the threats are. In the Asia-Pacific, that means
China, North Korea, and to a lesser extent, Russia. However, we rarely
focus on our allies--nations we can partner with in the cyber domain to
build capacity, share information, and mutually defend each other. Can
you speak to how we're cooperating with our allies on cyber warfare,
particularly Asia-Pacific nations like Japan, South Korea, and
Australia?
Dr. Libicki. My best understanding is that there is a lot of
interchange among all three Pacific allies, but they are better
characterized as from time-to-time rather than day-to-day. As for
defense, there is a large and growing world of contractors whose advice
is probably as good as and sometimes better than what is available from
allies' military forces or other employees. When it comes to offense,
however, security classification levels are very high; we probably
share a lot more with Australia (a Five-Eyes member) than we do with
Japan and South Korea.
Ms. Hanabusa. When we talk about cyber warfare, naturally, we tend
to focus on where the threats are. In the Asia-Pacific, that means
China, North Korea, and to a lesser extent, Russia. However, we rarely
focus on our allies--nations we can partner with in the cyber domain to
build capacity, share information, and mutually defend each other. Can
you speak to how we're cooperating with our allies on cyber warfare,
particularly Asia-Pacific nations like Japan, South Korea, and
Australia?
Mr. Healey. There are excellent stories to tell here, in quiet
diplomacy, sharing, and cooperation with key nations, including those
in the Asia-Pacific region. The Departments of Defense, State, and
Homeland Security and the DNI can give you more detailed answers, but
it is worth noting we've got long-standing signals intelligence
relationships with all three of these nations, agreements which have
extended into cyber capabilities. In addition, the United States has
held extensive bilateral agreements with these countries, in addition
to India, and works closely with Singapore. Perhaps more important,
U.S. companies work extensively with their subsidiaries and peers in
these countries, ensuring that attacks are prevented and stopped, at no
cost to governments (and with no arguments about authorities).
______
QUESTIONS SUBMITTED BY MS. ROSEN
Ms. Rosen. Cyberspace has been called the fastest evolving
technology space in human history, both in scale and properties. The
United States was the victim of great exploitation of this technology
realm in the 2016 election, and in your testimony you call it ``the
most important cyber-attack so far in history.'' If our cyber systems
do not out-perform those of our adversaries, our national power is at
risk in all of the domains in which we operate. What specifically must
the United States do, that we are not yet addressing, to deter
adversaries in this complex threat environment, and how should we
respond to those who aim to meddle in it?
Dr. Singer. In my written testimony I identified 30 specific and
non-partisan actions that the Congress could take to better protect the
nation. Available at: http://docs.house.gov/meetings/AS/AS00/20170301/105607/HHRG-115-AS00-Wstate-SingerP-20170301.pdf
If we do not better respond to Russia's operations, we undercut any
future cyber deterrence.
Ms. Rosen. Is our cyber force structured for rapid response to meet
national requirements and combatant commander needs, or are we mired by
the bureaucracy of an NSA and CYBERCOM dual-hat command?
Dr. Singer. The time has come to establish Cyber Command's long-
term status and disentangle the ``dual hat'' leadership structure with
the National Security Agency. These two valuable organizations work in
the same realm, but they must reflect different organizational culture,
goals, and processes. Of note, among the original rationale for this
``dual'' structure was concern that the leadership of Cyber Command
would not have enough stature with Congress; instead, the post-Snowden
debates have meant that Congress has more often become interested in
their NSA role.
Ms. Rosen. How does our cyber apparatus differ from those of our
state-adversaries and allies? What technologies are they using and how
are they employing them?
Dr. Singer. There are some 100 plus nations that have cybersecurity
organizations of some kind, parallel to the U.S. Cyber Command. They
range in their funding, number of personnel, etc., but one of the most
noted differences is how they make use of entities beyond government. The U.S., for
instance, tends to rely on private contracting companies, while Russia,
as a point of comparison, has made use of criminal networks and China
of university-linked cyber militia. As I submitted in my testimony, the
Estonian model of better leveraging civilian expertise is an apt model
for the U.S.
Ms. Rosen. What additional efforts should we be making to protect
against hacking? Do you see an obvious action that Congress should
take?
Dr. Singer. In my written testimony I identified 30 specific and
non-partisan actions that the Congress could take to better protect the
nation: http://docs.house.gov/meetings/AS/AS00/20170301/105607/HHRG-115-AS00-Wstate-SingerP-20170301.pdf
Ms. Rosen. How is attribution possible without revealing sources
and methods of U.S. cyber capabilities?
Dr. Singer. Full sources and methods will not be able to be
disclosed in every case. In some situations, the information will only
be able to be shared at different levels of clearance or with some
information removed. But this should not limit all attribution. A good
parallel is the 2011 alleged Iranian plot to conduct an attack inside
the U.S. The U.S. government attributed it to Iran but did not disclose
ALL our sources and methods. Yet the House still voted for sanctions.
As I point out in my testimony, the case of Russia's attacks on U.S.
targets is backed by an extensive and wide range of both U.S.
government but also private company information. The question now is
not whether Russia did it, but how will we respond?
Ms. Rosen. Is our cyber force structured for rapid response to meet
national requirements and combatant commander needs, or are we mired by
the bureaucracy of an NSA and CYBERCOM dual-hat command?
Dr. Libicki. The primary barrier to a rapid response is not our
inability to make decisions so much as it is the difficulty in
acquiring and maintaining access to systems that we might want to
attack via cyberspace. A large part of the reason that cyberattacks
were not used against Libya is that prior to the Arab Spring there was
no good reason to penetrate Libyan air defenses to create a capacity
for some later cyberattack. Once such a reason existed, there was not
enough time to exploit such penetrations for effect before other faster
means could be brought to bear.
Ms. Rosen. What additional efforts should we be making to protect
against hacking? Do you see an obvious action that Congress should
take?
Dr. Libicki. As a general rule, the primary defenses against
cyberattack are those undertaken by network/system owners. For non-
government systems, the Government is on the outside looking in. It can
provide assistance, but cannot guarantee that such assistance will be
used (or if used, used effectively). But there are exceptions. 1.
Certain systems, notably the electric grid, should be isolated from the
outside world (and not just put behind firewalls, many of which are
permeable). Furthermore, they should be able to pass penetration tests
to indicate they are, in fact, isolated. Legislation to that end, as
long as it is temporary (so that the result can be evaluated) and
limited to the electric grid (it helps to take one step at a time)
could be useful. 2. DDOS attacks are a unique concern. Unlike with most
cyberattacks, they do not arise because of something the victims
themselves did wrong. ISPs should be given some authority and incentive
to detect and sinkhole the traffic that constitutes a DDOS attack--but
exactly how is something I'm still wrestling with.
Ms. Rosen. Is our cyber force structured for rapid response to meet
national requirements and combatant commander needs, or are we mired by
the bureaucracy of an NSA and CYBERCOM dual-hat command?
Mr. Healey. I suspect the answer you get from U.S. Cyber Command is
that they want to be escalated so they can be better structured for rapid
response. This is probably true but certainly overstated.
It is worth noting the DOD first created in 1998 a special joint
command with the authorities to counter attacks and probes on DOD
networks. It has been therefore nearly 20 years and yet DOD still has
similar problems. I'm not convinced elevation to a unified command will
resolve these issues any more than the escalation of this from a two-
star to three-star command (in 2004), or from three-stars to four (in
2010).
Moreover, some friction is actually beneficial. Cyber conflict is
extremely complex, and is fought in, through, and with the products of
American technology companies on which we all depend for innovation and
prosperity. Attacks can cascade in unpredictable ways. In air warfare,
we have learned that if we push the rules of engagement too low, we end
up bombing Afghani weddings. We should be similarly careful here.
Further, the use and stockpiling of capabilities can cause outrage
in citizens who feel their privacy and trust is being violated. We
should be wary of taking away too much of the mire or the Congressional
oversight function will be overwhelmed with incidents and complaints.
Ms. Rosen. Discuss the role of industry in cyber warfare and cyber
operations. What is the relationship between the government and these
private companies, and privacy?
Mr. Healey. Americans seem to trust private sector companies with
their information far more than they do the U.S. government. (Note,
this tends to be the opposite in Europe.) This can be a strength for
cyber defense, as cybersecurity companies tend to have far greater
capabilities, and fewer restrictions, than the DOD or DHS.
A smart policy will refocus American cyber defense so the private
sector is the supported command, not the supporting command.
Ms. Rosen. What additional efforts should we be making to protect
against hacking? Do you see an obvious action that Congress should
take?
Mr. Healey. My top practical step for Congress to take is to
require DOD and DHS to conduct a review of how the United States has
responded to past incidents.
In a structured way, they should look at two of each major kind of
attack (countering a denial of service attack, for example, and kicking
out foreign spies) to determine which organizations and people took
which decisions, based on what information and which led to what
effectiveness in mitigating the attack.
The results of this review will suggest how the U.S. government
could have responded better in the past and suggest how to do
better in future. This should then be the basis of a new cyber incident
response plan.
I suspect an accurate review would show that most of the decisions
and actions which have mattered were taken by the private sector, not
just the companies under attack, but the software vendors (e.g.
Microsoft), network service providers (e.g. AT&T), and cybersecurity
companies (e.g. Symantec). Other critical actions are likely to be
taken by small non-profits who are critical to sharing and response,
such as ISACs (information sharing and analysis centers).
Congress could develop grant programs to help these non-profits, if
it proves they could be doing more critical work. This would be far
cheaper to the public purse than hiring more DOD bureaucrats. It would
also allow far better oversight, as Congress could better see just
where the executive branch is succeeding and failing.