b'<html>\n<title> - [H.A.S.C. No. 115-47]FISCAL YEAR 2018 BUDGET REQUEST FOR U.S. CYBER COMMAND: CYBER MISSION FORCE SUPPORT TO DEPARTMENT OF DEFENSE OPERATIONS</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                      \n                         [H.A.S.C. No. 115-47]\n\n                                 HEARING\n\n                                   ON\n\n                   NATIONAL DEFENSE AUTHORIZATION ACT\n\n                          FOR FISCAL YEAR 2018\n\n                                  AND\n\n              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS\n\n                               BEFORE THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING\n\n                                   ON\n\n                  FISCAL YEAR 2018 BUDGET REQUEST FOR\n\n                   U.S. CYBER COMMAND: CYBER MISSION\n\n                     FORCE SUPPORT TO DEPARTMENT OF\n\n                           DEFENSE OPERATIONS\n\n                               __________\n\n                              HEARING HELD\n                              MAY 23, 2017\n\n                                     \n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] \n\n\n                               __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n25-869                  WASHINGTON : 2018                     \n          \n----------------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, \nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). \nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="1d7a6d725d7e686e697578716d337e727033">[email&#160;protected]</a> \n                                     \n  \n\n\n           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES\n\n                ELISE M. STEFANIK, New York, Chairwoman\n\nBILL SHUSTER, Pennsylvania           JAMES R. LANGEVIN, Rhode Island\nBRAD R. WENSTRUP, Ohio               RICK LARSEN, Washington\nRALPH LEE ABRAHAM, Louisiana         JIM COOPER, Tennessee\nLIZ CHENEY, Wyoming, Vice Chair      JACKIE SPEIER, California\nJOE WILSON, South Carolina           MARC A. VEASEY, Texas\nFRANK A. LoBIONDO, New Jersey        TULSI GABBARD, Hawaii\nTRENT FRANKS, Arizona                BETO O\'ROURKE, Texas\nDOUG LAMBORN, Colorado               STEPHANIE N. MURPHY, Florida\nAUSTIN SCOTT, Georgia\n                 Kevin Gates, Professional Staff Member\n              Lindsay Kavanaugh, Professional Staff Member\n                          Neve Schadler, Clerk\n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Ranking Member, Subcommittee on Emerging Threats and \n  Capabilities...................................................     2\nStefanik, Hon. Elise M., a Representative from New York, \n  Chairwoman, Subcommittee on Emerging Threats and Capabilities..     1\n\n                               WITNESSES\n\nRogers, ADM Michael S., USN, Commander, U.S. Cyber Command.......     3\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Rogers, ADM Michael S........................................    30\n    Stefanik, Hon. Elise M.......................................    29\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Franks...................................................    45\n    Mr. Langevin.................................................    45\n    Mrs. Murphy..................................................    46\n    Ms. Stefanik.................................................    45\n\n \n FISCAL YEAR 2018 BUDGET REQUEST FOR U.S. CYBER COMMAND: CYBER MISSION \n           FORCE SUPPORT TO DEPARTMENT OF DEFENSE OPERATIONS\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n         Subcommittee on Emerging Threats and Capabilities,\n                             Washington, DC, Tuesday, May 23, 2017.\n    The subcommittee met, pursuant to call, at 3:37 p.m., in \nroom 2118, Rayburn House Office Building, Hon. Elise M. \nStefanik (chairwoman of the subcommittee) presiding.\n\n OPENING STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE \nFROM NEW YORK, CHAIRWOMAN, SUBCOMMITTEE ON EMERGING THREATS AND \n                          CAPABILITIES\n\n    Ms. Stefanik. The subcommittee will come to order. I want \nto welcome everyone to today\'s hearing of the Emerging Threats \nand Capabilities Subcommittee of the House Armed Services \nCommittee [HASC].\n    With the President\'s budget request released just earlier \ntoday, this is our first opportunity to explore this request \nand the major implications for key defense missions. I think it \nis fitting that the first area we will dive into is cyber. This \nis an increasingly important domain of warfare and an area \nwhere we have increased our emphasis on overseeing the \nDepartment\'s progress in building and maintaining cyber forces \nto protect, defend, maintain, and, when necessary, conduct \noffensive operations in cyberspace.\n    As we move towards developing the fiscal year [FY] 2018 \nNDAA [National Defense Authorization Act], I have made cyber \nand cyber warfare one of my main priorities. In the coming \nweeks, Chairman Mac Thornberry and I, in addition to my ranking \nmember, Jim Langevin, and the HASC ranking member, Adam Smith, \nplan to introduce standalone cyber warfare legislation that \nstrengthens congressional oversight of sensitive military cyber \noperations, including mandating prompt notifications to \nCongress in the event of unauthorized disclosures.\n    We look forward to continuing to work with U.S. Cyber \nCommand [CYBERCOM] and the Department of Defense [DOD] as we \nfinalize this draft legislation to ensure such notifications \nare responsive to our needs but without adding undue reporting \nburdens on the Department of Defense.\n    In addition to our focus on strengthening congressional \noversight in the area of cyber warfare, other key focus areas \nwill include provisions to strengthen our own cyber warfare \ncapabilities and provisions that enhance our international \npartnerships across the globe.\n    In order to more thoroughly understand all of these issues, \nI would like to welcome our witness today, Admiral Mike Rogers, \nwho serves as the Commander of U.S. Cyber Command and the \nDirector of the National Security Agency [NSA].\n    Let me now recognize Ranking Member Jim Langevin for any \nopening comments he would like to make.\n    [The prepared statement of Ms. Stefanik can be found in the \nAppendix on page 29.]\n\n  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM \nRHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS \n                        AND CAPABILITIES\n\n    Mr. Langevin. Thank you, Madam Chair.\n    And welcome, Admiral Rogers. I want to thank you for \ntestifying before us today. It is always a pleasure to have you \nbefore the subcommittee. And thanks for bringing along a crowd. \nIt makes it a little more of an interesting hearing.\n    So the President\'s budget for fiscal year 2018 was \ndelivered just this morning, as the chair stated, and so I look \nforward to hearing about priority investments in cyber and \nabout any potential new legislative initiatives relating to \ncyber.\n    Last year, Congress passed legislation establishing U.S. \nCyber Command as its own unified combatant command. This \nsubcommittee worked diligently on the underlying legislation \nbecause we recognized the importance of a trained and ready \nforce able to conduct effective cyber operations in concert \nwith other military and U.S. Government efforts, consistent \nwith the appropriate legal authorities and policies.\n    The FY 2017 NDAA also formalized the relationship with the \nPrincipal Cyber Advisor to ensure advocacy and oversight of the \ncommand. We also provided U.S. Cyber Command with limited \ncyber-peculiar acquisition authorities 2 years ago, and I would \nlike to acknowledge the thoughtfulness by which the Department \nhas implemented this authority.\n    Today I look forward to hearing about where these two \ninitiatives stand, both the process by which necessary \nresources are being transferred from STRATCOM [Strategic \nCommand] to CYBERCOM and the new resources being provided as \nnecessary for effective implementation.\n    Clearly, we have made progress employing military cyber \noperations over the years. We have been building the Cyber \nMission Force, but now we must make sure that they are ready \nand stay ready for a threat that morphs on a daily basis. The \npersistent training environment, of course, is key to that end.\n    Although the cyber domain is not new, there is still much \nthat we are learning, and we must leverage those lessons \nlearned. We must assess the force we are building, how we \nemploy it, in order to ensure CYBERCOM is postured correctly \nand that the tools and capabilities are the best that we can \nprovide them.\n    So next week, I am going to be traveling to NATO [North \nAtlantic Treaty Organization], the NATO Cooperative Cyber \nDefence Centre of Excellence, to attend its annual conference \nin Tallinn, Estonia. I expect that CyCon [Conference on Cyber \nConflict] will provide extraordinary insight on how our NATO \nallies view the cyber domain and how international laws are \napplicable. And it will provide me with insight on how we can \nincrease cyber collaboration against Russian aggression.\n    Admiral, I would also appreciate your views on how we may \nstrengthen collaboration with our NATO allies.\n    So in closing, I just want to echo what the chair said \nabout the importance of formalizing notifications to Congress \nof sensitive cyber military operations. The cyber quarterly \nbrief provides us a forum to oversee cyber operations, and I \nwas especially pleased with the participation of the Joint \nStaff and OSD [Office of the Secretary of Defense] at the last \nengagement. However, in our oversight capacity, I believe that \nwe must work with the Department to obtain timelier, more \nstandard notifications, as the chair mentioned, and I know that \nwe are going to work toward that end.\n    So with that, I thank you, Admiral Rogers, for appearing \ntoday. Thank you for what you are doing at NSA and U.S. Cyber \nCommand.\n    And with that, I will yield back.\n    Ms. Stefanik. Thank you, Jim.\n    I also would like to remind members that immediately \nfollowing this open hearing the committee will reconvene \nupstairs in 2337 for a closed classified roundtable discussion \nwith our witness.\n    Admiral Rogers, you are now recognized for your opening \nstatement.\n\nSTATEMENT OF ADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. CYBER \n                            COMMAND\n\n    Admiral Rogers. Thank you. Chairwoman Stefanik, Ranking \nMember Langevin, and members of the subcommittee, thank you for \nyour enduring support and the opportunity today to talk about \nthe hardworking men and women of the United States Cyber \nCommand.\n    I look forward to discussing the command\'s posture, and I \nwelcome the opportunity to describe how U.S. Cyber Command \nconducts efforts in the cyberspace domain and supports the \nNation\'s defense against sophisticated and powerful \nadversaries.\n    The Department of Defense recognized 7 years ago that the \nNation needed a military command focused on cyberspace. U.S. \nCyber Command and its subordinate elements have been given the \nresponsibility to direct, operate, secure, and defend the \nDepartment\'s systems and networks, which are fundamental to the \nexecution of all DOD missions.\n    The Department and the Nation also rely on us to build \nready cyber forces and to be prepared to employ them when \nsignificant cyber attacks against the Nation\'s critical \ninfrastructure require DOD support.\n    The pace of international conflict and cyberspace threats \nhas intensified over the past few years. Hardly a day has gone \nby during my tenure at Cyber Command that we have not seen at \nleast one significant cybersecurity event occurring somewhere \nin the world. This has consequences for our military and our \nNation at large. We face a growing variety of advanced threats \nfrom actors who operate with ever more sophistication and \nprecision.\n    At U.S. Cyber Command, we track state and non-state \nadversaries as they continue to expand their capabilities to \nadvance their interests in and through cyberspace and try to \nundermine the United States national interests and those of our \nallies.\n    Conflict in the cyber domain is not simply a continuation \nof kinetic operations by digital means. It is unfolding \naccording to its own logic, which we continue to better \nunderstand. And we are using this understanding to enhance the \nDepartment\'s and the Nation\'s situational awareness and to \nmanage risk in the cyber arena.\n    I would also look forward to updating you on our \ninitiatives and plans to help do that. Our three lines of \noperation are to provide mission assurance for DOD operations \nand defend the Department of Defense information environment, \nto support joint force commander objectives globally, and to \ndeter or defeat strategic threats to U.S. interests and \ncritical infrastructure.\n    We conduct full-spectrum military cyberspace operations to \nenable actions in all domains, ensure U.S. and allied freedom \nof action in cyberspace, and deny the same to our adversaries. \nDefense of DOD information networks remains our top priority, \nof course, and that includes weapon systems and their platforms \nas well as data.\n    To execute our missions, I requested a budget of \napproximately $647 million for fiscal year 2018, which is \nnearly a 16 percent increase from fiscal year 2017 due to \nadditional funding for Cyber Command\'s elevation per the fiscal \nyear 2017 NDAA, building out Cyber Mission Force and cyber-\nspecific capabilities and tools and JTF-Ares [Joint Task Force-\nAres] support in the fight against ISIS [Islamic State of Iraq \nand Syria].\n    We are completing the buildout of the Cyber Mission Force \nwith all teams scheduled to be fully operational by the end of \nfiscal year 2018, and with the help from the services, \ncontinually increase Cyber Mission Force readiness to hold \ntargets at risk. Your strong and continued support is critical \nto the success of the Department in defending our national \nsecurity interests in cyber.\n    As you well know, I serve as both Commander of United \nStates Cyber Command and Director of the National Security \nAgency. This dual-hat appointment underpins the close \npartnership between Cyber Command and NSA, a significant \nbenefit right now in cyberspace operations. The institutional \narrangement between these two organizations, however, will \nevolve as Cyber Command grows to full proficiency in the near \nfuture.\n    The National Defense Authorization Act in a separate \nprovision also described conditions for splitting the dual-hat \narrangement, which can only happen without impairing either \norganization\'s effectiveness and ability to execute their \nmissions. This is another provision I publicly stated I support \npending the attainment of certain critical conditions.\n    Cyber Command will also engage with this subcommittee on \nseveral other matters related to the enhancement of the \ncommand\'s responsibilities and authorities in the coming year. \nThis would include increasing cyber manpower, enhancing the \nprofessionalization of the cyber workforce, building defensive \nand offensive capability and capacity, and developing and \nstreamlining our acquisition processes.\n    These are critical enablers for cyberspace operations in a \ndynamically changing global environment. And most or all of \nthese particulars have been directed in recent NDAA acts. Along \nwith the Office of the Secretary of Defense for Policy and the \nJoint Staff, we will talk with you and your staffs to iron out \nthe implementation details of that legislation.\n    The men and women of Cyber Command are proud of the roles \nthat we play in our Nation\'s cyber efforts and are motivated to \naccomplish our assigned missions overseen by the Congress, \nparticularly this subcommittee. We work to secure and defend \nDOD systems and networks, counter adversaries, and support \nnational and joint warfighting objectives in and through \ncyberspace.\n    The command\'s operational successes have validated concepts \nfor creating cyber effects on the battlefield and beyond. \nInnovations are constantly emerging out of operational \nnecessity, and the real world experiences in meeting the \nrequirements of national decision makers and joint force \ncommanders continue to mature our operational approaches and \neffectiveness over time.\n    At the same time, I realize cybersecurity is a national \nsecurity issue. It requires a whole-of-nation approach that \nbrings together both public and private sections of our \nsociety.\n    Our Point of Partnership program in Silicon Valley and \nBoston has proven to be a successful initiative to link our \ncommand to some of the most innovative minds from industry, \nworking together on cybersecurity as we face 21st century \nthreats together in the private and public sectors.\n    This, combined with agile policies, decision-making \nprocesses, capabilities, and command-and-control structures, \nwill ensure that Cyber Command attains its potential to counter \nour adversaries.\n    The men and women of U.S. Cyber Command thank you and \nappreciate your continued support as we confront and overcome \nthe challenges facing us. We understand that a frank and \ncomprehensive engagement with Congress not only facilitates the \nsupport that allows us to accomplish our mission but also helps \nensure that our fellow citizens understand and endorse our \nefforts, which are executed on their behalf.\n    I have seen the growth in our command\'s size, budget, and \nmission, and that investment of resources, time, and effort is \npaying off; and more importantly, it is helping to keep \nAmericans safer in the cyber arena, not only in cyberspace but \nin other domains as well. And I look forward to continuing the \ndialogue across the command and its progress with you in this \nhearing today and over the months to come.\n    I look forward to answering your questions.\n    [The prepared statement of Admiral Rogers can be found in \nthe Appendix on page 30.]\n    Ms. Stefanik. Thank you, Admiral Rogers.\n    We now turn to questions. First, I want to thank you for \nyour service and your leadership.\n    My first question is very broad. Last year\'s NDAA directed \nthe elevation of Cyber Command to a full combatant command. \nWhat steps need to happen before the changes to the Unified \nCommand Plan take effect?\n    Admiral Rogers. So, first, the Secretary of Defense and the \nPresident need to make a decision, the Secretary of Defense \nmaking a recommendation, the President ultimately making the \ndecision as to the timing and the process we will use. And that \nprocess is ongoing, and I don\'t want to speak for the Secretary \nor the President, but I know that that process and that \ndiscussion is ongoing.\n    Given the language in the NDAA and in anticipation of this \npossibility, we have spent much of the last year working our \nway through the specifics of how we would do that. And if a \ndecision is ultimately approved, we are prepared to apply that \nand to do it in a timely manner in accordance with the \ndirection in terms of the timeline provided to us via the \nPresident and the Secretary of Defense.\n    Ms. Stefanik. What are the specifics? As you said, you are \nassessing the specifics you would do to take action. What are \nthey specifically?\n    Admiral Rogers. So if I could, until we have an ultimate \ndecision, I would rather not get ahead of my leadership, \nbecause I think I owe them that, and to get into the how, if \nthat would be all right, ma\'am.\n    Ms. Stefanik. Yes.\n    Part of your responsibilities that we enshrined in section \n923 of FY 2017 NDAA when we elevated CYBERCOM to the full \ncombatant command involved development of doctrine and tactics \nrelated to cyber. What role do you have in advocating for or \ndriving doctrinal development for the individual services when \nit comes to cyber?\n    Admiral Rogers. So as the senior operational commander in \ncyber in the Department, it is the partnership between that \ncyber team, if you will, and our fellow operational commanders \nand policy makers that help shape: So what is the doctrine that \nshould shape how we employ this capability that the Department \nis developing?\n    If you look at what we have done over the course of the \nlast year, the efforts against ISIS, things we are doing \nagainst other real world challenges, they are shaping the way \nwe are looking at how do we build the force of the future, what \nare the concepts for its employment.\n    If you go back a couple years, for example, I can remember \na year ago, 2 years ago, one of our fundamental concepts was we \nare always going to deploy forward and full teams. One of the \nthings we found with practical experience is we can actually \ndeploy in smaller sub-elements, use reach-back capability, the \npower of data analytics.\n    We don\'t necessarily have to deploy everyone. We can \nactually work in a much more tailored, focused way, optimized \nfor the particular network challenge that we are working. We \nare actually working through some things using this, for \nexample, out in the Pacific at the moment.\n    Ms. Stefanik. A few weeks ago in your testimony in front of \nSASC [Senate Armed Services Committee], you were asked your \nopinion about whether we should be considering the \nestablishment of a cyber service, and at that time you said \nthat you were not a proponent. Could you explain a bit more as \nto why you feel that way?\n    Admiral Rogers. Yes, ma\'am.\n    So the reason I am not a--I certainly understand others \nhave a different view--the reason I am not a proponent of that \nis, my concern is, if we are not careful, we will view cyber as \nthis very technical, very specialized, very narrow mission set. \nAnd my view is cyber fits within a broader context. And if you \nwant to be successful in the ability to achieve outcomes within \nthe cyberspace arena, you need to understand that broader \ncontext.\n    And I am afraid that if we go the service route, we will \ntend to generate incredibly technically proficient but very \nnarrowly focused operators. And one of my takeaways from being \na member of the Department of Defense for the last 36 years is \nwe are best optimized for outcomes when our workforce has a \nmuch broader perspective.\n    And I also think back--because I am a big fan of history--I \nthink back to the dialogue in the 1980s when I first joined, \nwas first commissioned in the military. In the aftermath of the \nfailure of Desert One and the effort to rescue those U.S. \nhostages being held in the embassy in Tehran, we had a lot of \ndialogue about is SOF [special operations forces] so \nspecialized, so poorly understood by the broad conventional \npart of the military, so needing of specific attention that we \nshould create a separate SOF service.\n    We ultimately decided that the right answer was to create a \njoint warfighting construct. Thus, in 1987 was born Special \nOperations Command [SOCOM]. And in addition, we said that that \noperational entity needed to be a little uniquely structured. \nIt not only should be a warfighter, but it should be given \nbudget resources that enable it to not only employ capability \nbut to determine the operational capabilities that actually, \nand drive the investments that actually generate the \ncapability.\n    I think that that is a very effective model for us to think \nabout for cyber and Cyber Command vice just automatically \ntransitioning to the idea of a separate service.\n    Ms. Stefanik. Thank you. My time is about to expire.\n    I now recognize Mr. Langevin.\n    Mr. Langevin. Thank you, Elise.\n    So, Admiral, Congress has provided CYBERCOM with limited \ncyber-peculiar acquisition authority. So I want to first of all \ncommend the thoughtfulness by which the provision was \nimplemented. But can you please provide a general overview of \nhow that authority will be executed and overseen in the \ncommand.\n    Admiral Rogers. So as you are aware, we sat down between \nOSD from a policy and technical perspective and Cyber Command \nfrom an operational perspective and asked ourselves: What is \nthe best way to implement this acquisition authority that was \ngranted to us by the Congress?\n    Again, we thought SOCOM offered a good model. We actually--\nCyber Command actually approached our teammates in SOCOM and \nsaid: Look, you have a skill set, you have personnel who are \nmuch more proficient in this area than we.\n    So SOCOM was kind enough to actually identify the two \ninitial individuals that we have hired who are going to provide \nour acquisition, oversight, and certification, if you will. \nThose individuals were put in place just a couple months ago. \nThe authorities are now almost all finished.\n    What you are going to see starting this summer is we have \nidentified an initial set of priorities about where we want to \napply this authority in terms of acquisition, and you will see \nthat play out over the course of the next couple of months. We \nhave just got a couple of things we have to finish ironing out. \nBut you are going to see us actually implement this over the \ncourse of the next few months in the summer.\n    Mr. Langevin. So it has not, the authority has not been \nused yet?\n    Admiral Rogers. Not yet. There are some specific technical \nand oversight and control things I have to make sure are in \nplace before we start spending the money and using this. That \nwill all be finished within the next month or so, I think.\n    Mr. Langevin. Can you speculate, just provide an example of \nwhat you think the authorities may be used for.\n    Admiral Rogers. So what I have asked is we have already \nidentified, for example, a series of capabilities through Cyber \nCommand\'s Point of Partnership, we call it, out in Silicon \nValley. So I already have a structure that is interacting with \nthe private sector.\n    Now I want to overlay this acquisition authority to \nactually now--I actually purchase, if you will, and acquire \nsome of that capability from the private sector that we have \nbeen talking to them about now for the last few months.\n    So I try to work the requirement piece in anticipation of \ngaining the acquisition authority. Now that we have got that \npretty much done and I overlay the acquisition authority, you \nare going to see us start to enter into some specific contracts \nvery focused on a couple of specific mission sets. Defense \ncapability for cyber protection teams is the first area we are \ngoing to focus on.\n    Mr. Langevin. Okay. Very good.\n    So I mentioned in my opening statement that I am going to \nbe attending the annual cyber conference at NATO, the \nCooperative Cyber Defence Centre of Excellence next week. What \nis Cyber Command\'s relationship with the center and NATO? And \nin your opinion, how can we cooperate more closely with our \nNATO allies? How can that cooperation be strengthened?\n    Admiral Rogers. So, for example, like yourself, I was just \nout there last June, spoke at the same conference you will be \ngoing to next month. Every time I am in Estonia I spend time at \nthe center and actually talk to them. The points I try to make \nto my NATO teammates are a couple-fold.\n    First, under the NATO framework, the center represents the \npositions of the members of the alliance that participate in \nthe center, not necessarily the alliance as a whole. So for \nexample, not all 28 nations--29 now with Montenegro--not all 29 \nnations actually participate in the center. I would like to see \nif we can somehow more formally tie the center to NATO\'s policy \ndevelopment, for example. I think that could really accelerate \nsome things.\n    Also, I am trying, because capacity is certainly a \nchallenge, and I am trying to both meet our own priorities as \nwell as help key allies in the NATO alliance. One of the things \nI am interested in is I have created a partnership with \nEuropean Command. We are talking about potentially placing an \nindividual maybe in the center in the course of the next year \nor so to more directly link with ourselves.\n    I would also like to see what could we potentially do \nwithin the exercise framework that the alliance is starting to \ncreate in cyber now. I have already extended invitations to \nthem to observe and participate in our exercise framework, but \nI would like to do the same thing, if I could, within the NATO \narena.\n    Mr. Langevin. So you know that, obviously, the Congress \npassed the CISA, the cyber information-sharing legislation, and \nthat is something, obviously, domestically.\n    Admiral Rogers. Right.\n    Mr. Langevin. But also we have robust cyber threat \ninformation sharing, for example, with the Israelis.\n    How are we doing with robust cyber threat sharing \ninformation with our NATO partners?\n    Admiral Rogers. Right now, most cyber sharing tends to be \nfocused in many ways on a nation-to-nation basis. That is \nanother one of the challenges that I am interested in with \nCyber Command, how can we work that more formally or military \norganization to military organization so we are doing this once \nand not 29 different times, as it were.\n    Mr. Langevin. Okay. Very good.\n    Well, my time has expired. I do have additional questions, \nbut if we don\'t get to a second round, I will submit them for \nthe record. I appreciate your getting back to me on them.\n    But thank you, Admiral, for the work you are doing, and \nthanks for your service to the country. I yield back.\n    Ms. Stefanik. Dr. Abraham.\n    Dr. Abraham. Thank you, Madam Chair. Thank you, Admiral, \nfor being here. I appreciate it.\n    Admiral Rogers. Thank you.\n    Dr. Abraham. The other services in the armed services \ncertainly have their own cyber commands. What is CYBERCOM doing \nas far as the manning and the concept of operations as far as \nhaving duplicative issues within those services----\n    Admiral Rogers. So, remember, the way----\n    Dr. Abraham [continuing]. To prevent the duplication?\n    Admiral Rogers. So the way we are structured, each of those \nservice primary operational cyber commands is a subcomponent of \nU.S. Cyber Command. So whether it is Army Cyber, Coast Guard \nCyber, Air Force Cyber, Fleet Cyber, MARFORCYBER [Marine Forces \nCyber], they have an operational relationship to me. And so \nthat is how we try to work the joint and the service piece in a \nvery integrated way.\n    I am the first to acknowledge--and I was a service \ncomponent commander before this job. I was the Navy\'s guy. I \nwas Fleet Cyber Command. In those service structures, they are \nboth OPCON [operational control] to me in the execution of \ntheir joint responsibilities, but they also have additional \nservice responsibilities. And I try to be the connecting loop \npartnering with them and also partnering with the service \nleadership to make sure that from a service and a joint \nperspective within the Department we are aligned and focused on \npriorities and outcomes.\n    Dr. Abraham. All right. And so let\'s parlay that into our \nother Federal agencies. It seems all of them certainly have a \ncyberspace department, so to speak. CYBERCOM, as far as \ncoordinating mechanisms between other Federal agencies, could \nyou explain that a little bit, please?\n    Admiral Rogers. So we coordinate directly, primarily, in \nthe rest of the government with the Department of Homeland \nSecurity [DHS]. That is particularly driven by the fact that \none of Cyber Command\'s three missions is, if directed by the \nPresident or the Secretary of Defense to defend critical \ninfrastructure against acts of significant cyber consequence, \nwe would do that in partnership with DHS.\n    And so because of that, we are closely aligned with them. \nAnd, in fact, I just was talking with the team yesterday. \nBetween the private sector--in the private sector the U.S. \nGovernment has designated 16 different areas. Think about \nfinance, transportation, aviation. There are 16 different \nsegments that the Federal Government has designated as critical \nto the Nation\'s security, that infrastructure.\n    We have picked one of those 16 segments to do a test case, \nif you will, between DHS, Cyber Command, that private sector, \nas well as NSA, from an information and intelligence sharing--\nthat would be the NSA role--to try to get down to execution-\nlevel detail about so how would we really do this day-to-day. \nBecause my experience as a military individual has taught me, I \ndon\'t like to do discovery learning when I am moving to contact \nagainst an opponent. It tends to be high loss rate, incredibly \ninefficient and ineffective, often very resource intensive, and \nmuch slower.\n    So I am interested, how can I create those relationships \nand exercise them now before we get into a major incident \ndirected against one of those 16 segments.\n    Dr. Abraham. Okay. I think I have time for one more \nquestion.\n    What is CYBERCOM\'s supporting role in NORTHCOM [Northern \nCommand], PACOM [Pacific Command]? And has the DOD codified \nthat relationship so that if there is an incident or accident, \nthat that could be really instituted very seamlessly if such an \nevent should happen?\n    Admiral Rogers. So our role on the defensive side is to \nsupport and ensure the continued operation, for example, of \nthose networks, weapon systems, and platforms that those \noperational commanders and others count on to execute their \nmissions.\n    In addition, we generate offensive capability, particularly \nfor PACOM and other geographic commands outside the United \nStates, because we don\'t really see, I don\'t think, right now \nin my mind, how would we apply cyber offensive capability in \nthe United States. That is not the role of the DOD. Our focus \ninside the United States would be largely defensive.\n    One of the things that is a focus area, I have set out a \nseries of goals for 2017. One of those goals is increased cyber \nReserve and Guard integration, to get to the question that you \nare really driving at: How do we make sure that for a domestic \nincident that all elements of DOD are aligned, and we all know \nhow we are going to do this, and all the forces know what their \nrole is going to be, the command and control is all outlined, \nso NORTHCOM knows what they are going to do, I know what I am \ngoing to do, PACOM, because they have a portion of a domestic \nresponsibility, so that they know what they are going to do?\n    I would like to use the defense support to civil affairs, \nwhich has been an ongoing process we have used for decades, I \nwould kind of like to use that as a test model. I am a big fan \nof let\'s use what is working elsewhere, let\'s not try to create \nsomething different or unique for cyber to the maximum extent \nthat I can.\n    Dr. Abraham. Okay. Thank you.\n    Ms. Stefanik. Mr. Larsen.\n    Mr. Larsen. Thanks, Admiral, for coming.\n    I would like to go back to the question of a unified Cyber \nCommand, because your answer--I wasn\'t concerned about the \nanswer--the portion of the answer, like we are still working it \nout. I was concerned because I thought I heard you say \nsomething that runs counter to what we told you all to do, and \nthat is the decision is made to do this, and that the Secretary \nand the President don\'t need to make a decision to actually do \na unified command. The law, as I understand----\n    Admiral Rogers. But the time--they will drive the----\n    Mr. Larsen. The timing of that, that is something separate.\n    Admiral Rogers. Right. So that is my only point, is the \ntiming piece.\n    Mr. Larsen. If that is your only point, that is fine. I \nthought I heard something else.\n    Admiral Rogers. No. I apologize if I miscommunicated. You \nhave clearly provided a legal framework. It is what you are \ndoing. You know, absent a change in the law, that is what we \nhave to execute.\n    Mr. Larsen. Okay. I appreciate that.\n    And I would like to go back as well to something the chair \nwas exploring with you, and it has to do with having a cyber \nservice or not. I actually agree with you in not having one. \nBut it does beg the question, though: To have that capability, \nwhat flexibility do you need in personnel? What flexibility do \nyou need in contracting? Just kind of what flexibility do you \nneed to fully utilize and even develop a formal framework so \nyou are using Active Component, Reserve, Guard, as well as the \ncontractor community?\n    Admiral Rogers. So among the ways that we try to ask \nourselves: So if we are going to go with a service-based \napproach, which is really what we are executing, how would you \ndo it? We came up with a couple of baseline principles, if you \nwill.\n    The first is, it doesn\'t matter what your service is and it \ndoesn\'t matter if you are Guard or Reserve. We build to one \nstandard. And so we have created within a joint framework for \nevery position within the Cyber Mission Force we can tell you \nwhat the pay grade is, and we can tell you what the \nqualification standards are, and we can tell you what the \nduties are that are assigned to the position. Because I said, \nlook, we have got to create one integrated force, and if we do \n1,000 different variants, I can\'t optimize that.\n    The second thing we said was the structure of the teams \nneeds to be the same regardless of whether it is a particular \nservice, Guard, or Reserve. The analogy I used was, it doesn\'t \nmatter if we have an F-16 squadron in the Guard or in the \nActive force, there is one squadron nomenclature for an F-16 \nthat we can then employ anywhere globally, because we know \neverybody is built to the same standard. Even as we acknowledge \nthere are some variances, but everybody is built to the same \nstandard.\n    So that was another principle. I said, the only way we can \nmake a service-based approach work is that Active or Reserve, \nGuard or Reserve, it doesn\'t matter. We are building to one \nstandard.\n    If we stick to that framework, I am very comfortable that \nwe can make a service approach work for us. If we insist on \nvariance, if we insist on everybody doing their own thing, I am \nthe first to admit, boy, this is not a model that is going to \ngenerate the outcomes that we need. I am the first to \nacknowledge that.\n    Mr. Larsen. And the role of the private sector?\n    Admiral Rogers. So the private sector, when I look at them, \na couple things come to mind. Number one, they are providing, \nthey are the ones who are going to provide the human capital, \nwhether that human capital ends up wearing a uniform, whether \nit is part of our civilian government workforce, or it is \ncontractor force, they all start in the private sector.\n    So it is one of the reasons why I spend a fair amount of \ntime at Cyber Command and as the Director of NSA for that to \nthe same extent in some ways, with the academic world, with \nprivate industry, about: So tell me how you create a workforce. \nWhat works for you? What incentives are you using? What has \nfailed that in hindsight you say to yourself, ``Boy, don\'t go \ndown this road because it really failed spectacularly for us\'\'? \nEven as I acknowledge there is a difference between government \nand the private sector, but I still think there are some things \nthat we can learn from each other.\n    In addition, I think two other areas come to mind for me \nwith the private sector. The first is technology. The days when \nDOD is going to be the engine for technological innovation and \nchange I think are long behind us. That is just not the DOD \nmodel. That is why we created the Point of Partnership in \nSilicon Valley and in Boston. It is why I thought the \nacquisition piece was so important for us. We have got to be \nable to tap into that private sector in terms of acquisition of \ntechnology and capability.\n    And then the last area, which is a little bit \ncounterintuitive in some ways, when it comes to the generation \nof policy, concepts, thought, the private sector can play a \nhuge role here.\n    I think back to the beginnings of nuclear deterrence and \nnuclear policy, for example. If you go back in the 1950s and \nyou read much of the thought process, much of that was flowing \nfrom the academic world. Hardly anybody remembers now that \nHenry Kissinger in the 1950s and early 1960s was a professor at \nHarvard who was writing about concepts of nuclear deterrence, \nnuclear employment that ended up, he and others, ended up \nshaping the strategic vision we had. And I would like to see us \ndo the same thing in cyber.\n    Mr. Larsen. Thank you.\n    Ms. Stefanik. Ms. Cheney.\n    Ms. Cheney. Thank you, Madam Chairwoman. And thank you, \nAdmiral Rogers, for your service and for being here today.\n    Secretary Mattis, before he became Secretary, in talking \nabout the Budget Control Act [BCA] and sequestration, said no \nfoe in the field could do our military as much harm as has been \ndone to us through sequestration and the Budget Control Act.\n    As we begin the process of looking at the 2018 budget, I am \ninterested to know to what extent you were able to factor in \nstrategy and threats and sort of strategic thinking about what \nneeds to be done as you put together the budget for Cyber \nCommand and to what extent you have still been hamstrung by the \nBCA and by those cap numbers.\n    Admiral Rogers. So like any entity, it is all about \nprioritization for us. So we spend a lot of time figuring out \nwith finite resources, even with growth, with finite resources \nhow are we going to prioritize.\n    So our input for the fiscal year 2018 budget in truth in \nlending, we just rolled it out as a government, as a Department \nthis afternoon, during the midday today, so I have not yet seen \nthe specifics yet. I know what the broad number for us is, but \nI haven\'t seen the sub-elements of that, so I will talk \nbroadly. I apologize, but I will talk broadly.\n    For the 2018 input, we tried to identify those priorities. \nAt a macro sense, in no particular order, I have been arguing \nmanpower; investment in core capabilities; and then, number \nthree, how can I accelerate number one and number two, how can \nI do both of those faster.\n    Because in some ways, even though as the WannaCrypt \nransomware issue that we have been going through shows, there \nis capability in the Department. There are a lot of motivated \nmen and women who are doing some good work. We were not \nimpacted by WannaCrypt, and that wasn\'t from a lack of effort.\n    We had spent significant time starting in March asking \nourselves how might this play out, how do we position ourselves \nin the case of--because Microsoft had put out the patch for the \nvulnerability. We, as Microsoft users, saw that and started \nasking ourselves how might an opponent attempt to exploit this \nvulnerability even as we were working to patch.\n    It is one of the reasons why we use a defense in-depth \nstrategy. There is no one single solution. There is no one \nsingle way to fix this problem. It is layers built on top of \neach other. That really has been the key to our success.\n    So we are asking ourselves how can we do this faster. Every \nday, one of my biggest concerns is--and I have never really had \nthis same viewpoint in almost 36 years of commissioned \nservice--every day I literally think to myself, we are in a \nrace to generate more capacity and more capability at the same \ntime that I am watching a host of global actors do the exact \nsame thing.\n    And so we are trying to sustain both staying up with them, \nbut, quite frankly, my objective is to get ahead of the problem \nset. I don\'t like reacting to things. It is not an effective or \nefficient way to do business, and I don\'t think that is what \nthe Nation wants from us.\n    So until I am able to bore into the specifics of the \nbudget, that kind of gives you a broad sense of what I thought \nwe needed to focus on.\n    Ms. Cheney. So would you say, Admiral, that the budget as \nit has been proposed provides the resources necessary to regain \nsuperiority in areas that we have lost it?\n    Admiral Rogers. It certainly moves us along that road, but \nno one should think for one moment that this mission set, not \nunlike some others, is going to require increased and sustained \ninvestment over time. This is not going to be a 1 or 2 years we \nhave increased you by some reasonable number, which has been \nthe case for the last 2 years, and that is all you are going to \nneed.\n    If you look at the scope of the challenges associated with \nthis mission set and from where we are starting, we have got a \nlot of hard work ahead of us.\n    Ms. Cheney. And would you talk a little bit about how you \nare going to measure success and how you are going to measure \nprogress along that path of regaining superiority?\n    Admiral Rogers. So there are a couple components to it. \nFirst, we have developed a set of--we are in the process of \ndeveloping a set of metrics, so how do we truly assess \nreadiness for this force that we created.\n    We focused for the first few years on assessing initial \noperating capability [IOC] and final operating capability \n[FOC]. It is when you hear us talk in slang about IOC and FOC. \nAnd you heard me in my remarks, we achieved IOC essentially on \ntime, October 2016. We have until 30 September, 2018, to \nachieve FOC. I think we are on track for that.\n    But one of the things I tell the team is that doesn\'t get \nto warfighting. And in the end, it is about our ability to \nactually operate in a sustained heavy environment. Just like \nwhen we are building a brand new carrier or a brand new fighter \nwing, for example, it is not enough just to say we have got all \nthe pilots, we have got all the parts. It is about training. It \nis about assessing readiness. So we are working our way through \nhow are we going to do that.\n    Then it is other things like we ask ourselves are we \ndriving down defensive penetrations, are we driving down \nmalware infections. There are some specific metrics that we \nthink that we can use to give us a sense, particularly on the \ndefensive side, are we being more effective or not.\n    Ms. Cheney. Thank you very much. My time has expired.\n    Ms. Stefanik. Mr. O\'Rourke.\n    Mr. O\'Rourke. Thank you.\n    Help me understand a little bit how we make clear to other \ncountries in the world the consequences of cyber attacks. With \nconventional weapons in conventional wars there may be an \nunderstanding of what the consequences will be should one \ncountry attack another with a certain kind of weapon. What is \nour level of dialogue with other countries, including those \ncountries we view as threats, including those countries who, I \nthink, we know who have attacked us, about what the \nconsequences are going forward?\n    Admiral Rogers. So if I could in an unclassified session, I \nam not going to get into specifics associated with particular \nnation-states. And it hasn\'t been a one-size-fits-all approach, \nwhich is true broadly for strategy for us, I would argue, as a \nNation. It is not a one-size-fits-all approach. We try to \noptimize the way we are looking at this particular challenge \nset based on whatever the particular actor that we are dealing \nwith. What works for one won\'t necessarily have the same kind \nof impact as what will work for another.\n    There are a couple--first, let me talk about a couple basic \nthings. We have been very public and acknowledged the fact that \nwe are using cyber offensively against ISIS, not just because \nwe want ISIS to know that we are contesting them, but because, \nquite frankly, we also think it is in our best interest for \nothers to have a level of awareness that we are investing in \ncapability. And we are employing it within a legal Law of Armed \nConflict framework, not indiscriminately, but we are employing \nit.\n    We have also acknowledged very publicly in unclassified \nstrategy documents, for example, for the Department\'s \ncyberspace strategy, that we are developing offensive \ncapability, that we believe that deterrence is an important \nconcept that we have got to work our way through. We are trying \nto communicate to the world around us that we are aware of the \nkinds of activity we are seeing out there. Some of it we view \nwith concern.\n    As a result, we think it is in our own Nation\'s best \ninterest to have a set of capabilities that both generate \ngreater options for our policymakers and our operational \ncommanders, but at the same time help communicate to others \naround us you don\'t want to go down this road with us.\n    I think the reaction or the way WannaCrypt played out in \nthe United States, for example, is a very good example of that. \nHey, look, in a major malware effort that took down many \nsystems in lots of other parts of the world, did not have the \nsame level of effect on us here in the United States. That is \nnot by chance.\n    Mr. O\'Rourke. Let me ask you a question about that. To what \ndegree are we treaty bound to assist an ally who is attacked \nthrough cyber not kinetically, and are we already assisting \nallies who are? And maybe to use that most recent example that \nyou just gave.\n    Admiral Rogers. So that is a bit of a legal question. That \nis not my lane. But I will give you my thoughts from my \nperspective as an operational commander.\n    For example, NATO has been very direct in saying that they \nview cyber as a natural continuation of the standing Article 5 \nframework where attack against one is an attack against all, \neven as NATO acknowledges the application of Article 5 is \nthrough a decision framework in the North Atlantic Council, and \nit is done on a case-by-case basis. But broadly that is the \nintent. That has been communicated in multiple forms, in \nmultiple ways.\n    For other nations, you would have to ask somebody who is a \nlittle bit smarter about the specifics of the standing mutual \ndefense treaties that we have.\n    Mr. O\'Rourke. Okay. Let me ask another question then. \nBecause we know the Russians attacked the integrity of our \nelections here, because we know they have done that in other \ncountries, because past behavior is a good predictor of future \nbehavior, whose responsibility is it in this country? And then \nmaybe for the record on for our allies when our allies\' \nelections are attacked.\n    But is it Cyber Command? Is it DHS? Is it both? Should the \nRNC [Republican National Committee] or the DNC [Democratic \nNational Committee] be attacked going forward, for example, \nwhose responsibility is that?\n    Admiral Rogers. So under the current framework, which could \nchange, but under the current framework the Department of \nHomeland Security has overall responsibility for the provision \nof capability and capacity within the Federal Government in \nsupport of the private sector, broadly.\n    Cyber Command in its defined mission of, if directed, as I \nsaid, to support the defense of critical infrastructure, we \nwould partner with DHS to do that. We would do that, Cyber \nCommand, by attempting to interdict that activity before it \never reached that U.S. network. Quite frankly, we wouldn\'t \nfocus on blue or friendly space. We would be out in gray and \nred space, if you will, trying to stop the activity from ever \ngetting there.\n    Mr. O\'Rourke. It is yours before it gets here. Once it gets \nhere, it is DHS.\n    Admiral Rogers. Yeah, simplistically. Then once it gets \nhere, DHS has created a sector framework. Cyber Command also \nhas a set of capabilities in the form of national cyber \nprotection teams that we would also deploy in partnership with \nDHS to support among those 16 specific critical infrastructure \nareas.\n    Again, it is one of the things I mentioned earlier that I \nwant to test. We are going to start using one particular sector \nthat is a little bit more mature than some of the other 15.\n    Mr. O\'Rourke. Thank you.\n    Ms. Stefanik. Mr. Franks.\n    Mr. Franks. Well, thank you, Madam Chair. And thank you, \nAdmiral Rogers. Thank you for your service to the country, and \nyour job is so very important to us all.\n    You stated that your first mission priority is defense of \nDOD information networks. Would you suggest that that means \nthat defensive operations doctrinally will take precedence over \noffensive operations?\n    Admiral Rogers. No, because I remind the team: Look, we \nhave three missions, and we have to be capable of executing all \nof them. I can\'t go to my boss and say: Hey, I really just \nchose to focus on number one.\n    Now, don\'t get me wrong. Like any commander, I have to \nprioritize. And so as I am looking at the challenges out there, \nI have told the team we will prioritize against number one, \neven as we acknowledge we still have to execute those other two \nmissions.\n    But like any other operational organization, at times I \nhave to prioritize resources, focus. But it isn\'t: Well, it is \njust one and not the others. We have got to do all of them.\n    Mr. Franks. Yeah. Well, as you know, the DOD relies upon \nthe civilian power grid for 99 percent of its power \nrequirements, without which, I am told, that it becomes \nimpossible in CONUS [continental United States] to effect the \nDOD mission. Do your priorities include protecting the U.S. \npower grid and other critical infrastructure against cyber \nattacks?\n    Admiral Rogers. So, again, I don\'t have responsibility for \nthe defense of that in the United States.\n    I will say, one of the things I am interested to see if we \ncan maybe look at doing differently, and I am having this \nconversation in particular with TRANSCOM [Transportation \nCommand] at the moment, right now, when it comes, for example, \nto critical infrastructure that the DOD counts on to do its \nmission, when it comes to cleared defense contractors who \neither are generating the capabilities that we use, advanced \nfighters, for example, and other platforms, as well as private \nindustry, for example, for TRANSCOM that provides services, \nlift, movement of cargo, under the current structure the \nDefense Security Service [DSS] has overall responsibility for \nthe interface with those private companies, not TRANSCOM, for \nexample, even though they work for TRANSCOM or they provide a \nservice based on a contractual relationship with TRANSCOM, and \nnot necessarily with us.\n    I would like to see, is there a way to bring those \noperational commands, Cyber Command, DSS, and that private \nsector together in a much more integrated way, because what we \nare finding right now is I will become aware of activity, I \nwill pass that to DSS, DSS passes that to the private sector. \nThat doesn\'t come across to me always as the fastest, most \nefficient, most agile way to do business, and I would like to \nsee if we can maybe try to change that.\n    Mr. Franks. Well, Admiral, you know that that has been one \nof the challenges in the past, that sometimes the whole notion \nof protecting the grid from cybersecurity challenges kind of \nwalks the 13th floor of humanity.\n    Admiral Rogers. Right.\n    Mr. Franks. Because we, the Department, your department \nconsider that a civilian responsibility. Of course, the \ncivilian response is that that is a national security issue and \nshould not be our responsibility. And my fear, of course, is \nthat neither has the sufficient focus on it necessary. And \ngiven it is your stated----\n    Admiral Rogers. Yes, sir.\n    Mr. Franks. Yeah. So it is worth always touching base on.\n    How will Cyber Command\'s posture improve once it is \nelevated? Do you believe you will have all the resources and \nauthorities you require to accomplish your assigned missions? \nAnd what do you expect your number one challenge will be in \nterms of Russia, China, Tehran, ISIS, someone else?\n    Admiral Rogers. Okay. So let me try to unpack it, and if I \nforget one, please just let me know, sir.\n    So first, what is the benefit of elevation, why have I and \nothers recommended that that is a smart course of action, even \nas I acknowledge the decision is not mine, as we have already \ntalked? That is outlined within legislation. Now it is a timing \nissue absent a change to the legislation.\n    In the Department\'s processes, when it comes to how we \ndevelop budgets, how we articulate prioritization, how we \ndevelop broad policy, it is generally built around the idea \nthat the combatant commanders are the primary voices for the \noperational end of those processes, not subunified commands, \ncombatant commanders.\n    So one of my concerns has been we talk about the importance \nof cyber--and I acknowledge that there are other priorities in \nthe Department--and yet, for some--not all but for some of our \nprocesses the cyber expertise is not embedded in the current \nstructure because you put it one level below.\n    So I believe that elevation plugs us more directly into the \nprimary decision-making processes within the Department, which \nare really optimized for combatant commanders. It also makes us \nfaster, because now I have got one less layer that I have to \nwork through. I have been very blessed in my time at Cyber \nCommand.\n    The Strategic Command commanders I have worked with, \nGeneral Hyten and--boy, how quickly we forget, I can picture, \nhe was a good flag officer, a friend--they were great to team \nwith, because I would tell them: Look, if we are going to \ninsist everything I do flows through Offutt [Air Force Base], I \ncan\'t get to timeliness, I can\'t get to speed. And this helps \naddress that.\n    Ms. Stefanik. The time has expired.\n    I now recognize Mr. Cooper.\n    Mr. Cooper. Thank you, Madam Chair.\n    Apparently, two of our colleagues have introduced a bill \nthat would allow private sector U.S. companies to hack back, \nactive defense. I hadn\'t realized before that this is \napparently illegal today absent a law change. So could you \nreflect on this proposal and whether it is a good idea or not?\n    Admiral Rogers. So broadly--and I will only speak for Mike \nRogers, because I am not in the policy lane but I have an \nopinion--as an operational commander, my concern is while there \nis certainly historic precedence for this, nation-states have \noften gone to the private sector when we lacked government \ncapacity or capability.\n    We did that in the Revolutionary War, letters of marque. We \ndidn\'t have a Navy. We went to the private sector, gave them \nauthority and protection via our government to say go out and \ncapture cargos from the Royal Navy and from the British \nmerchant fleet.\n    My concern is, be leery of putting more gunfighters out in \nthe street in the Wild West. As an individual tasked with \nprotecting our networks, I am thinking to myself, we have got \nenough cyber actors out there already. Just putting more out \nthere I am not sure is in everybody\'s best interest.\n    And I would also be concerned about the legal liability you \nmight--and I am not a lawyer--about the legal liability. I \nwould think that you would have some liability issues \nassociated with taking actions with second- and third-order \neffects that you don\'t truly understand when you actually \nexecute it. That is just my concern.\n    Mr. Cooper. Are other countries doing this? Are you \nfamiliar with any other countries that have enabled their \nprivate sector to be aggressive?\n    Admiral Rogers. There may be equivalent legal frameworks \nout there, certainly not that have come to my attention and not \nthat I have a discussion about.\n    Mr. Cooper. I was curious, you used a gunfighter analogy, \nbecause some people have thought that NRA [National Rifle \nAssociation] might set up a whole new wing of activity for \nthis.\n    But to the extent that private business in this country \nfeels disconnected from government or that, as you pointed out \nearlier, government response is too slow or that certain \nnational security interests are not recognized as being \nnational security interests even when it is protecting the \ngrid, I think you are probably going to see greater pressure.\n    Admiral Rogers. Right. I would agree.\n    In some ways, it goes back to--again, showing you my war \ncollege education. I don\'t want you to think as a taxpayer I \ndidn\'t listen when I was sent to service colleges.\n    In the Westphalian construct, the application of force has \ngenerally, for the last several centuries, been viewed as a \nmission or a right of a sovereign state, not something that the \nprivate sector does. We don\'t use, for example, for us, we \ndon\'t use contracts to actually drop and fire weapons. We don\'t \nuse mercenaries to do that. We use uniformed military.\n    I would just be concerned that going that route, again, \nargues against the broad principles we have used about the role \nof the state and applying force kinetically or nonkinetically.\n    Mr. Cooper. We don\'t use those tools, but in our degraded \nWestphalian system, we don\'t know who we are being attacked by. \nIt might be state actors, quasi-state actors, probably private \nactors. Who knows?\n    Admiral Rogers. Although it depends on the situation. But I \nam the first to acknowledge 100 percent attribution is probably \na standard we are going to be driving for for a long time and \nnot necessarily achieve immediately.\n    Mr. Cooper. What percentage of accuracy in attribution \nwould you give us today?\n    Admiral Rogers. Oh, it depends on the actor. If you take, \nfor example, speaking now on the NSA side, if you take a look \nat the efforts we did in the intelligence community assessment \nwith respect to Russian efforts to influence the 2016 election \nprocess, really high confidence, very fine-grain attribution.\n    If you take a look at WannaCrypt, for example, we are 10 \ndays into this, and collectively, both the private sector and \nthe government, we are still working our way through who is the \nactor or actors associated with this. So it tends to vary. \nThere is no single concrete answer.\n    Mr. Cooper. So with the elections, we are close to 90 \npercent, 95 percent, and with this we are 60 but raising it?\n    Admiral Rogers. I don\'t know. I have never really thought \nabout it from a number.\n    Mr. Cooper. Okay. Thank you, Madam Chair.\n    Ms. Stefanik. Mr. Scott.\n    Mr. Scott. Thank you, Madam Chair. Admiral, it is a long \nway from Auburn University.\n    Admiral Rogers. War Eagle, sir.\n    Mr. Scott. I hope you never lose a war or win a ball game. \nI am University of Georgia graduate.\n    Admiral Rogers. Oh, I have a brother who went to the \nUniversity of Georgia and a sister-in-law.\n    Mr. Scott. He is a good man. He is a good man.\n    Admiral Rogers. Misguided individuals. I love them, but \nthey are misguided.\n    Mr. Scott. Was he the one holding Uga when he bit the \nAuburn player?\n    All kidding aside, thank you for your service.\n    And we talk a lot about how fast technology changes and the \nacquisition process being a problem throughout the Department, \nbut I would like to hear your comments on the personnel again. \nYou speak to this in your comments.\n    When you get the young man, the young woman out there that \nis the best and the brightest, there are opportunities in the \nprivate sector versus there are opportunities in the public \nsector under your command. The challenges there. And the issue \nof, what percentage of your personnel are civilian versus \nuniform?\n    Admiral Rogers. Roughly, we are about 80 percent military, \nabout 20 percent civilian. That is kind of what we are building \nto. It varies in some areas, but it is about 80-20.\n    Mr. Scott. I know we have a tremendous number of wonderful \npeople in uniform. Some of the people that we see that seem to \nbe the best and the brightest in the technology field aren\'t \nexactly the people that you imagine going to boot camp.\n    Admiral Rogers. Right.\n    Mr. Scott. How do we recruit in case--I mean, do we have a \nsystem in place to allow those people to serve?\n    Admiral Rogers. So it is one of the reasons why we have \ntried to come up with a total force concept for us--Active, \nGuard, Reserve, civilian, contractor--that within that pool of \nfive subpopulations, if you will, we can match almost any \nindividual.\n    ``Hey, I really want to get into this. I want to serve the \nNation. But I have no desire to deploy or be put through the \nphysical fitness standards of the uniform law. Boy, I would \nlove to work for you as a civilian.\'\'\n    ``Hey, I like mobility, I am going to try the contractor \nroute so I can move around a little bit.\'\'\n    We try to build a structure that enables us to try to \nattract a pretty broad swath.\n    The positive side to me is, boy, when you get people in the \nteam--I was just talking to one of the service review panels. \nOne of the services out there has created--has asked a party of \ngray beards to take a look at how they manage the Cyber Mission \nForce within their service and to answer the question: Are they \nreally optimized for the future?\n    And I coincidentally this morning was just sitting down \nwith this retired former chief of their service. And I said, \n``Well, you have talked to the teams,\'\' because they did that \nas part of their process. I said, ``Tell me what you are \nhearing from them, because I have a sense, but I am curious \nwhat you are hearing.\'\'\n    And he said to me, ``The most amazing thing is every team \nwe talk to, these men and women are so motivated and love what \nthey are doing. I mean, that is a real plus for you. They \nreally are into this mission. Because their self-image is they \nare the digital warriors of the 21st century.\'\'\n    The challenge, I think, we have got to work with the \nservices who provide this manpower capability, how do we manage \nit effectively over time, and how do we also build into this \nthe fact that we have got to acknowledge there are some areas \nwe are going to need to do differently? We can\'t put a person \nin this once and then spend all that time training him and then \nthey don\'t do it for another 10 years. That is ridiculous to \nme.\n    On the other hand, I realize that there is more than just \nthe Cyber Mission Force, that the services are asking \nthemselves: How are we building a broader workforce to address \ncyber?\n    So I am working with the services about what percentage of \nthe eligible trained population makes sense, what kind of \npolicies we should have with respect to retouring them so we \nsustain some level of capability and experience over time and \nwe are not starting all over again every 3 years.\n    That is one of the challenges at the moment that one \nservice is trying to deal with. Their model, I am trying to \nargue, we have got to make some changes to. We just can\'t \nafford to retrain everybody every 3 years. I just don\'t think \nthat is cost effective, and it is a little demoralizing to the \nmen and women.\n    Mr. Scott. I think this is going to be one of our greatest \nchallenges going forward in how we handle the cyber war, if you \nwill.\n    Admiral Rogers. Right.\n    Mr. Scott. And not just with your issue. We hear the same \nthing about the drone pilots and how dedicated they are and how \ndetermined they are and the need for flexibility----\n    Admiral Rogers. Yes, sir.\n    Mr. Scott [continuing]. With where they work and the time \nthat they work. And I recognize, from a pay scale, we are \nnowhere close to what they would get in the private sector.\n    Admiral Rogers. Right. But on the other hand----\n    Mr. Scott. So I appreciate their commitment to the country \nand your commitment to the country as well.\n    Thank you.\n    Ms. Stefanik. Mr. Wilson.\n    Mr. Wilson. Thank you, Chairwoman Elise Stefanik, for your \nextraordinary leadership on organizing this hearing.\n    And it is just an honor, Admiral, to be back with you, and \nwe appreciate your innovative service to address the issues of \ncyber defense.\n    As the former chairman of the Subcommittee on Emerging \nThreats and Capabilities, I am keenly aware of the huge \nchallenges that lie before us and the extraordinary men and \nwomen that you have put together to serve in your command.\n    Cybersecurity is a 24-hour-a-day, 365-day-a-year \nresponsibility that requires instantaneous analysis, response, \nand deterrence. After each cyber attack, we have the \ncircumstance of where the government officials are grappling \nwith whether or not it constitutes a mere nuisance or an act of \nwar.\n    It is for this reason I introduced the Cyber Attack \nStandards of Measurement Study Act, H.R. 1030, which would \nrequire the Director of National Intelligence, the Homeland \nSecurity Department, FBI [Federal Bureau of Investigation], and \nSecretary of Defense to conduct a study to determine \nappropriate standards that could be used to quantify the damage \nof cyber incidents for the purpose of determining appropriate \nresponse.\n    And two questions. Do you believe that there exists an \ninteragency definition for cyber act of war? And secondly, do \nyou believe that we have a common metric to measure cyber \nincidents which could benefit the interagency response?\n    Admiral Rogers. I think there is a broad, certainly in the \nkinetic world, there is a broad definition out there of an act \nof war. But even in the kinetic world, it is still somewhat \nsituational. And so I fully expect that our experience in cyber \nis going to be something similar.\n    It goes to one of the previous questions in some ways. \nArticulating those concepts in a way that actors understand \nthat you may be tripping a threshold that will trigger a \nresponse, I think that is in our best long-term interest. That \nhelps, I think, help the nation-states, actors, groups out \nthere understand there are potential prices to pay here, and at \nsome point you will trip a threshold--again, depending on the \nscenario--and that is not a good place for you to be.\n    We are clearly still working our way through there. And I \nam not a policy guy, I am the operational guy, so I try to \nfigure out what do we do once the policymaker makes that \ndetermination.\n    Mr. Wilson. And then thank you for recognizing, too, it \ncould be nation-states, it could be other actors. What a \nchallenge. And so we are so grateful for your service.\n    One of the first challenges that you have are updating \nantiquated infrastructure.\n    Admiral Rogers. Yes, sir.\n    Mr. Wilson. I am grateful that the district I represent is \nadjacent to Fort Gordon, home of the Army Cyber Command. Can \nyou please describe the amount of infrastructure modernization \nthat needs to occur and how the demand differs across the Army, \nNavy, Air Force, and Marines?\n    Admiral Rogers. So as we saw--and I will use WannaCrypt as \nan example--as we are working our way through the services, \nbecause I have overall operational responsibility, the services \nphysically own much, under the current network structure, the \nservices still own much of the infrastructure. So I partner \nwith them in attempting to address that infrastructure \ncybersecurity.\n    One of the things we continue to find is we are still \ncarrying a lot of very old infrastructure that offers potential \nincreased vulnerability. And the ``defense in depth\'\' approach \nwe use is designed to help mitigate that, but I literally just \nsent a note to a service chief earlier this week and senior \nleaders in that service and said: Look, at some point these \nvulnerabilities down at the tactical level that interact with \nacquisition will become potential points of exploitation by \nothers that have the chance to negate some of that defense in \ndepth. So we have got to address this.\n    I find we have talked a lot about manpower, but in some \nways, to me, the acquisition piece, that is even harder, \nbecause it is long term, it is huge sunk cost, and it is \ncompeting against priorities like: So do you want me to buy \nmore F-35s? Additional, you know, carriers? Do you want more \nbrigade combat teams?\n    In a world of finite resources, you have got to make those \nresource tradeoffs, and, in general, the acquisition world \nhasn\'t historically always been incentivized for cybersecurity \noutcomes as its primary metric.\n    Mr. Wilson. Well, thank you very much. And we look forward \nto working with Chairwoman Stefanik to back you up in every \nway.\n    Admiral Rogers. Thanks.\n    Mr. Wilson. And with my time running out, I do want to \nthank you for the participation by the National Guard and your \nefforts. And what has been the level and what more can we do to \nhelp you in this regard?\n    Admiral Rogers. Boy, so if we just look at Cyber Command, \nwe have over 100 guardsmen and reserves every day supporting \nus. Every day we currently have Guard components activated on \nthe defensive side, on the offensive side, in some of our \nspecialized capabilities. So the Guard is a day-to-day player \nfor us.\n    If you also look at what the Guard is doing from an--oops, \nsorry ma\'am.\n    Mr. Wilson. Thank you very much.\n    Ms. Stefanik. Time has expired. They are calling votes, and \nso I want to get to everybody.\n    Dr. Wenstrup.\n    Dr. Wenstrup. Thank you, Madam Chair. Admiral, good to be \nwith you here today. I appreciate it.\n    You were talking about various structures of how we set up \nour command and where we are headed. I am curious what our \nadversaries are doing. What do we know about how they are \nstructured and looking at what they are doing and maybe guiding \nus in some way?\n    Admiral Rogers. In some ways, it is kind of interesting. \nAgain, I am not going to get into a classified discussion. But \nbroadly, Cyber Command is viewed as: Wow, this is a really \ninteresting concept that the U.S. has created, what can we do \nto attempt to emulate at least parts of it?\n    I am not arguing that it is perfect or that everyone else \nin the world wants to. But, in general, I spend a lot of time \ntalking to allies, and they will often say to me: Well, we may \nnot opt to go the same particular structure you have created, \nthe process you went through, the capabilities you have \ndeveloped, the way you have created an organizational \noperational construct that is focused on generating outcomes, \nhey, we are really interested in doing that. Is there a way we \ncan potentially partner?\n    So part of the Cyber Command\'s mission set right now is you \nspend a lot of time with foreign partners around the world. And \nI can\'t--I am the first to acknowledge I have to prioritize \nhere, but as part of the broader Department strategy, I have \nprioritized different areas of the world that we are really \nheavily focused on right now in terms of partnership, helping \nthose nations develop cyber capability.\n    Dr. Wenstrup. That is our allies. And you mentioned, in a \ndifferent setting, go into more detail what our adversaries \nare----\n    Admiral Rogers. Right. If I could, I would be glad, in a \nclosed session and share some interesting thoughts there.\n    Dr. Wenstrup. Another time. That is fine. I appreciate \nthat.\n    You did mention that we wanted people to know some of the \nthings we were doing to counter ISIS, and maybe that is kind of \nhitting them, but a shot across the bow for others. Have you \nfelt that it has had an effect?\n    Admiral Rogers. I certainly hope so, because, quite \nfrankly, again, one of the reasons we opted to publicly \nacknowledge this was we wanted other actors to be aware that we \nare developing and employing--again, within a legal framework--\nbut we are developing and employing those capabilities.\n    There certainly is an increased awareness by some actors \naround the world as they look at us, as they try to study us, \nabout capabilities and kinds of things we are doing. Again, I \nam not going to get into specifics, but we are certainly aware \nof that.\n    Dr. Wenstrup. Yeah, in another setting I might like to hear \nmore about that.\n    Admiral Rogers. Yes, sir, I would be glad to.\n    Dr. Wenstrup. Yeah, we will have that opportunity, I am \nsure.\n    Thank you very much. I yield back.\n    Admiral Rogers. Yes, sir.\n    Ms. Stefanik. Thank you.\n    Thank you very much, Admiral Rogers, for your testimony.\n    At this time, they are likely to call votes in the next \ncouple of minutes or so. After votes are finished, we will \nreconvene in Rayburn 2337 upstairs for the closed portion of \nthis.\n    If there are additional questions from the members, please \nfeel free to submit them for the record, and then we can \nanticipate a response from you.\n    Admiral Rogers. Yes, ma\'am.\n    Ms. Stefanik. This committee is adjourned, and we will \nreconvene.\n    Admiral Rogers. Thank you, ma\'am.\n    [Whereupon, at 4:46 p.m., the subcommittee proceeded in \nclosed session.]\n\n     \n=======================================================================\n\n\n\n                            A P P E N D I X\n\n \n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                              May 23, 2017\n\n=======================================================================\n\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                              May 23, 2017\n\n=======================================================================\n\n      \n\n                   QUESTION SUBMITTED BY MS. STEFANIK\n\n    Ms. Stefanik. I am aware that staff from the legislative branch \nhave been participating in DOD\'s Cyber Guard exercise series over the \npast 2 years in an effort to better defend our own networks. Cyber \nGuard helps to prepare for a major cyber event by training for a whole \nof nation approach led by DOD, DHS, FBI, with private sector \nparticipants for CI/KR sectors and the legislative branch. Are there \nother training opportunities that would make sense for the legislative \nbranch to participate in, such as other Continuity exercises or smaller \nscale cyber technical or operational training?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n                                 ______\n                                 \n                  QUESTIONS SUBMITTED BY MR. LANGEVIN\n    Mr. Langevin. The Fiscal Year 2017 National Defense Authorization \nAct also formalized the relationship between the Principal Cyber \nAdvisor and CYBERCOM to establish a service-like secretary. A service-\nlike secretary is critical for advocacy and oversight of the command \nand for ensuring operations are synched with policies, as well as \ncivilian control of the military. In light of the law, what steps has \nCYBERCOM taken to enhance the relationship between OSD and the command?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n    Mr. Langevin. The Persistent Training Environment is key to a ready \nforce. What is the status of the effort based on funding provided to \ndate? What can we expect in FY18 both in funding and capability \ndelivery?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n    Mr. Langevin. The military services are making significant \ninvestments in cyber training and cyber centers of excellence. Although \nI\'m pleased to see the investment, I want to ensure coordination and \navoid duplicative efforts. How are you encouraging the services to \nleverage respective centers of excellence, and investment in training \ngenerally?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n    Mr. Langevin. Academia and industry have much to offer the \nDepartment of Defense in the cyber domain, from strategic thinking to \nexperienced personnel to technology. Please describe the relationships \nCYBERCOM has with academia and industry. How have these relationships \nbenefited the Department?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. FRANKS\n    Mr. Franks. You stated your first mission priority is defense of \nDOD information networks. Will defensive operations doctrinally take \nprecedence over offensive operations?\n    The DOD relies on the civilian power grid for 99% of its power \nrequirements. Do you believe your priorities include protecting the \nU.S. power grid and other critical infrastructure against cyber \nattacks?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n    Mr. Franks. How will Cyber Command\'s posture improve once elevated: \nDo you believe you will have all the resources and authorities you \nrequire to accomplish your assigned missions?\n    Who do you expect your #1 challenge to be? Russia, China, Iran, \nISIS, someone else?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n    Mr. Franks. In your opinion, what are we missing in our thinking to \nget to an effective comprehensive approach that allows for deterrence \nand rapid response capabilities?\n    What do we know about the cyber doctrine and military structure of \nour adversaries and allies?\n    While we may have some sense of Russian and Chinese actors, do we \nhave any understanding of other actors and has doctrine been \nestablished to counter threats from them (Syria, Iran, Israel, Germany, \netc.)?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MRS. MURPHY\n    Mrs. Murphy. I am encouraged that the Department is moving forward \non creating the Persistent Cyber Training Environment, which will be a \ntraining platform to allow cyber forces to train in simulated network \nenvironments. The Army\'s Program Executive Officer for Simulation, \nTraining, and Instrumentation (PEO STRI), based in Orlando, was tapped \nas the lead to develop and acquire the Persistent Cyber Training \nEnvironment, which will also incorporate the work of the National Cyber \nRange in Orlando.\n    In your view, what is the value of the Persistent Cyber Training \nEnvironment for readiness? What individual and collective training gaps \nwill the Persistent Cyber Training Environment fill?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n    Mrs. Murphy. Earlier this year the Committee heard from LTG Joseph \nAnderson (Deputy Chief of Staff, G-3/5/7) that our commanders don\'t \nhave the facilities or capabilities to understand what cyber does for \nthem, both from a defensive and offensive perspective.\n    How might the Persistent Cyber Training Environment help increase \ncyber fluency at leadership levels in the Army, and across the \nservices?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n    Mrs. Murphy. You stated in your testimony that CYBERCOM is working \nto synchronize cyber planning and operations across the joint force, \nand that CYBERCOM is helping the combatant commands build cyber effects \ninto their planning processes. How exactly is CYBERCOM doing this?\n    Admiral Rogers. [The information was not available at the time of \nprinting.]\n\n                                  [all]\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'