[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]





          A BORDERLESS BATTLE: DEFENDING AGAINST CYBER THREATS

=======================================================================

                                HEARING

                               before the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 22, 2017

                               __________

                            Serial No. 115-9

                               __________

       Printed for the use of the Committee on Homeland Security
                                     




      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________

                        U.S. GOVERNMENT PUBLISHING OFFICE 

26-907 PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
 
                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Lou Barletta, Pennsylvania           Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania            Filemon Vela, Texas
John Katko, New York                 Bonnie Watson Coleman, New Jersey
Will Hurd, Texas                     Kathleen M. Rice, New York
Martha McSally, Arizona              J. Luis Correa, California
John Ratcliffe, Texas                Val Butler Demings, Florida
Daniel M. Donovan, Jr., New York     Nanette Diaz Barragan, California
Mike Gallagher, Wisconsin
Clay Higgins, Louisiana
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
                   Brendan P. Shields, Staff Director
             Kathleen Crooks Flynn, Deputy General Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                  
                            C O N T E N T S

                              ----------

                               Statements

The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Committee on Homeland 
  Security:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Oral Statement
  Prepared Statement

                               Witnesses

General Keith B. Alexander (Ret. USA), President and Chief 
  Executive Officer, IronNet Cybersecurity:
  Oral Statement
  Prepared Statement
Mr. Michael Daniel, President, Cyber Threat Alliance:
  Oral Statement
  Prepared Statement
Mr. Frank J. Cilluffo, Director, Center for Cyber and Homeland 
  Security, George Washington University:
  Oral Statement
  Prepared Statement
Mr. Bruce W. McConnell, Global Vice President, EastWest 
  Institute:
  Oral Statement
  Prepared Statement

                                APPENDIX

Questions From Chairman Michael T. McCaul for Keith B. Alexander
Questions From Honorable Mike Gallagher for Keith B. Alexander
Questions From Chairman Michael T. McCaul for Michael Daniel
Questions From Honorable Mike Gallagher for Michael Daniel
Questions From Chairman Michael T. McCaul for Frank J. Cilluffo
Questions From Honorable Mike Gallagher for Frank J. Cilluffo
Questions From Chairman Michael T. McCaul for Bruce W. McConnell
Questions From Honorable Mike Gallagher for Bruce W. McConnell
 
          A BORDERLESS BATTLE: DEFENDING AGAINST CYBER THREATS

                              ----------                              


                       Wednesday, March 22, 2017

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:18 a.m., in 
Room HVC-210, Capitol Visitor Center, Hon. Michael T. McCaul 
(Chairman of the committee) presiding.
    Present: Representatives McCaul, Rogers, Perry, Katko, 
Hurd, McSally, Ratcliffe, Donovan, Higgins, Rutherford, 
Fitzpatrick, Thompson, Jackson Lee, Langevin, Richmond, Vela, 
Watson Coleman, Rice, Correa, Demings, and Barragan.
    Chairman McCaul. The Committee on Homeland Security will 
come to order.
    The purpose of this hearing is to receive testimony from 
cybersecurity experts on the evolving cyber threat landscape 
and the Department of Homeland Security's civilian cyber 
defense mission.
    I recognize myself for an opening statement.
    Today I look forward to discussing the borderless battle 
being waged against us by nation-states, hacktivists, and 
faceless criminals in cyber space. Last month I spoke at the 
RSA Conference in San Francisco, and my message today is the 
same as it was then: We are in the fight of our virtual lives, 
and we are not winning.
    Our adversaries are turning digital breakthroughs into 
digital bombs. From Russian and Chinese hacking to brand-name 
breaches, our cyber rivals are overtaking our defenses.
    Nation-states are using cyber tools to steal our country's 
secrets and intellectual property. Hackers snatch our financial 
data and lock down access to our health care records and other 
sensitive information. Terrorists are abusing encryption and 
social media to crowd-source the murder of innocent people.
    As our exposure to cyber threats grows, we understand the 
importance of not only being aware of each individual attack 
and piece of malware, but also the patterns of the 
sophisticated campaigns and life cycle of each threat.
    It is clear that cyber attacks are becoming incredibly 
personal, and the phones in our pockets are now the battle 
space. Our most private information is at stake.
    Just last week the Department of Justice indicted two 
Russian spies for their involvement in the hack of at least 500 
million e-mail accounts at Yahoo. In 2015 Chinese hackers stole 
20 million security clearances--including my own and many, I am 
sure, here in this room--in a breach of the U.S. Government's 
Office of Personnel Management. Recently an alleged attack of 
the CIA has WikiLeaks publishing over 8,000 pages of documents 
with some of the most highly sensitive cyber weapons.
    Cyber criminals are targeting our wallets, as well. One of 
our witnesses today, General Keith Alexander, said on-line 
theft has resulted in the greatest transfer of wealth in human 
history.
    Last year we also realized our democracy itself was at risk 
as the Russian government sought to undermine democratic 
institutions and influence our elections. They broke into 
political institutions, invaded the privacy of private 
citizens, spread false propaganda, and created discord in the 
lead-up to a historic vote.
    The conclusion from all this chaos is clear: Our digital 
defenses need to be strengthened and our attackers must feel 
the consequences of their actions.
    Unfortunately, the U.S. Government is fighting 21st Century 
threats with a 20th Century mindset and a 19th Century 
bureaucracy. Bigger Federal agencies are not necessarily the 
answer. We need to better tap into private-sector innovation, 
and more quickly.
    But Government does play a critical coordinating role. When 
it comes to domestic cybersecurity it is important that our 
efforts are led by a civilian department, not by the military 
and not by intelligence agencies.
    Just as we do not allow soldiers to police our city 
streets, we should not have organizations like the military or 
intelligence agencies patrolling domestic networks.
    That is why in both 2014 and 2015 Congress passed 
legislation that I championed that better defined interagency 
cyber responsibilities. Those bills put DHS in the lead for 
operationally securing the so-called dot.gov space, helping to 
better protect critical infrastructure, being the hub for cyber 
threat information sharing, and providing voluntary assistance 
to the private sector.
    At the end of last year the Department announced it was 
providing cybersecurity services to 93 percent of the Executive 
branch's civilian work force. But perimeter detection is only 
one tool in our toolbox. We need defense-in-depth strategies 
and a talented cyber work force on the front lines.
    Unfortunately, we are not attracting top cyber talent 
because morale is poor on the inside and money is better on the 
outside.
    I propose the creation of a stronger, consolidated 
cybersecurity agency at the Department of Homeland Security. 
This will help us step up our cyber defense efforts and attract 
top talent, and we have already begun to work with the new 
administration and others to make that a reality in the near 
future.
    Finally, winning battles in cyber space depends on our 
ability to deliver consequences. As a former Federal 
prosecutor, I know that if you don't make the costs outweigh 
the benefits, bad behavior will continue. This requires strong 
leadership and a willingness to track down rogue hackers, and a 
determination to hold hostile countries accountable.
    Russia is the most immediate challenge. We cannot allow the 
Kremlin to get away with meddling in our democracy. We need a 
tough response, both seen and unseen, including tighter 
sanctions.
    It is not just about what happened in 2016; it is about 
2017, 2018, and beyond. Our adversaries are trying to break up 
the Western Alliance and interfere in other upcoming elections.
    We have great witnesses here today to discuss all these 
threats, and I look forward to your testimony and 
recommendations.
    [The prepared statement of Chairman McCaul follows:]
                Statement of Chairman Michael T. McCaul
                             March 22, 2017
    Today, I look forward to discussing the borderless battle being 
waged against us by nation-states, hacktivists, and faceless criminals 
in cyber space.
    Last month I spoke at the RSA Conference in San Francisco. And my 
message today is the same as it was then: We are in the fight of our 
virtual lives, and we . . . are . . . NOT . . . winning.
    Our adversaries are turning digital breakthroughs into digital 
bombs.
    From Russian and Chinese hackings to brand-name breaches, our cyber 
rivals are overtaking our defenses. Nation-states are using cyber tools 
to steal our country's secrets and intellectual property.
    Hackers snatch our financial data and lock down access to our 
health care records and other sensitive information. And terrorists are 
abusing encryption and social media to crowd-source the murder of 
innocent people.
    As our exposure to cyber threats grows, we understand the 
importance of not only being aware of each individual attack and piece 
of malware but also the patterns of the sophisticated campaigns and the 
life cycle of each threat.
    It is clear that cyber attacks are becoming incredibly personal, 
and the phones in our pockets are now the battle space.
    Our most private information is at stake. Just last week, the 
Department of Justice indicted two Russian spies for their involvement 
in the hack of at least 500 million email accounts at Yahoo.
    In 2015, Chinese hackers stole 20 million security clearances--
including my own--in a breach of the U.S. Government's Office of 
Personnel Management.
    And recently, an alleged hack of the CIA has Wikileaks publishing 
over 8,000 pages of documents with some of the most highly sensitive 
cyber weapons.
    Cyber criminals are targeting our wallets too. One of our witnesses 
today, General Keith Alexander, said on-line theft has resulted in the 
``greatest transfer of wealth in history.''
    Last year, we also realized our democracy itself was at risk, as 
the Russian government sought to undermine democratic institutions and 
influence our elections.
    They broke into political institutions, invaded the privacy of 
private citizens, spread false propaganda, and created discord in the 
lead-up to a historic vote.
    The conclusion from all of this chaos is clear: Our digital 
defenses need to be strengthened--and our attackers must feel the 
consequences of their actions. Unfortunately, the U.S. Government is 
fighting 21st Century threats with a 20th Century mindset and a 19th 
Century bureaucracy.
    Bigger Federal agencies are not necessarily the answer. We need to 
better tap into private-sector innovation--and more quickly. But 
Government does play a critical coordinating role.
    When it comes to domestic cybersecurity, it is important that our 
efforts are led by a civilian department. Not by the military. And not 
by intelligence agencies.
    Just as we do not allow soldiers to police our city streets, we 
should not have organizations like the military or intelligence 
agencies patrolling domestic networks. That is why in both 2014 and 
2015 Congress passed legislation I championed that better defined 
interagency cyber responsibilities.
    Those bills put DHS in the lead for operationally securing the so-
called ``dot gov'' domain, helping to better protect critical 
infrastructure, being the hub for cyber threat information sharing, and 
providing voluntary assistance to the private sector.
    At the end of last year, the Department announced it was providing 
cybersecurity services to 93 percent of the Executive branch's civilian 
workforce.
    But perimeter detection is only one tool in our tool box. We need 
defense-in-depth strategies and a talented cyber workforce on the front 
lines.
    Unfortunately, we are not attracting top cyber talent because 
morale is poor on the inside and the money is better on the outside.
    I have proposed the creation of a stronger, consolidated 
cybersecurity agency at the Department of Homeland Security. This will 
help us step-up our cyber defense efforts and attract top talent.
    And we have already begun to work with the Trump administration and 
others to make that a reality in the near future.
    Finally, winning battles in cyber space depends on our ability to 
deliver consequences. As a former Federal prosecutor, I know that if 
you don't make the costs outweigh the benefits bad behavior will 
continue.
    This requires strong leadership, a willingness to track down rogue 
hackers, and a determination to hold hostile countries accountable.

    Chairman McCaul. With that, the Chair now recognizes the 
Ranking Member.
    Mr. Thompson. Thank you, Mr. Chairman. I want to thank you 
for holding this hearing.
    Cybersecurity is at the forefront of American politics in a 
way that in my 24 years here in Congress I have never seen 
before. On this committee we regularly gather to hear from 
cybersecurity leaders on the most pressing security 
vulnerabilities to our Nation and the novel ways enemies seek 
to exploit them.
    This past fall details began to emerge about an entirely 
new attack vector--a hacking campaign designed to impact the 
Presidential election. Even before the election Secretary of 
Homeland Security Jeh Johnson and Director of National 
Intelligence James Clapper warned that Russian President 
Vladimir Putin directed hackers to penetrate the e-mail 
accounts of high-ranking Democratic officials to acquire 
information for the purpose of embarrassing and undermining the 
candidacy of Secretary Clinton.
    We may never know whether the Russian intervention was the 
determining factor in such a close election. Still, Congress 
has a responsibility to address the unanimous determination of 
our intelligence community that Putin's government successfully 
meddled in our democracy and, in the view of the intelligence 
community, will do so again.
    In fact, in response to a question about the risk of future 
Russian hacking against our election systems, FBI Director 
James Comey said, ``They will be back.''
    The full scale of this state-sponsored hacking campaign is 
still not fully known, but what we do know is that in addition 
to hacking private e-mail accounts of prominent Democrats, the 
Russian hackers tried to infiltrate vital networks and 
equipment maintained by state election authorities. The Russian 
cyber campaign sought to strike at the heart of our democracy.
    As such, legitimate questions about contacts between 
President Trump's inner circle and associates of the Putin 
regime need to be brought to light. That is why I support an 
independent, 9/11-style commission to investigate the Russian 
cyber campaign.
    For our part, this committee needs to do aggressive 
oversight into this matter.
    It is disheartening to see President Trump be dismissive 
about investigating this very significant cyber attack, even as 
DHS and its Federal partners work to raise the level of cyber 
awareness and hygiene across the country.
    Just this week President Trump, responding to the testimony 
from the FBI and NSA before the House Intelligence Committee 
that laid bare that there is no truth to the President's 
allegation that former President Obama tapped his wires, 
tweeted, ``The Democrats made up and pushed the Russian 
story.''
    If this was all fake news then why would FBI Director Comey 
be dedicating scarce resources since July to investigating the 
Russian government's interference with our election and any 
links between individuals associated with the Trump campaign 
and the Russian government?
    What seems to be lost on President Trump, who, during the 
campaign, repeatedly expressed support for DOD using cyber 
offensive capabilities, is that there can be no retribution 
without attribution.
    I am pleased that we have with us today cybersecurity 
leaders who understand the dangers posed by state actors like 
Russia and who can speak to what we should be doing inside our 
Government and with our allies, including NATO, to protect 
critical infrastructure, including election infrastructure.
    Before I yield back, Mr. Chair, I must express my deep 
concern also about the aloof--bordering on belligerent--posture 
taken by the Trump administration with respect to our NATO 
allies. Last week the President not only repeated an 
unsubstantiated Fox News claim that defamed the United Kingdom 
intelligence service, but when asked by German Chancellor 
Merkel to shake her hand at a White House press event, he 
refused.
    This week we hear the Secretary of State will not be 
attending a long-scheduled NATO meeting, but plans to visit 
Russia in April. At this time of heightened threat to Europe, it 
is critical that this administration reverse course and reassure 
our NATO allies that we are full partners against all threats, 
be they cyber or conventional threats.
    With that, Mr. Chair, I yield back.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                             March 22, 2017
    Cybersecurity is at the forefront of American politics in a way 
that, in my 24 years in Congress, I have never seen.
    On this committee, we regularly gather to hear from cybersecurity 
leaders on the most pressing security vulnerabilities to our Nation and 
the novel ways our enemies seek to exploit them.
    This past fall, details began to emerge about an entirely new 
attack vector--a hacking campaign designed to impact the Presidential 
election.
    Even before the election, Secretary of Homeland Security Jeh 
Johnson and Director of National Intelligence James Clapper warned that 
Russian President Vladimir Putin directed hackers to penetrate the 
email accounts of high-ranking Democratic officials to acquire 
information for the purpose of embarrassing and undermining the 
candidacy of Secretary Clinton.
    We may never know whether the Russian intervention was the 
determining factor in such a close election. Still, Congress has a 
responsibility to address the unanimous determination of our 
intelligence community that Putin's government successfully meddled in 
our democracy and, in the view of the IC, will do so again.
    In fact, in response to a question about the risk of future Russian 
hacking against our election systems, FBI Director James Comey said 
``they'll be back.''
    The full scale of this state-sponsored hacking campaign is still 
not fully known, but what we do know is that in addition to hacking 
private email accounts of prominent Democrats, the Russian hackers 
tried to infiltrate vital networks and equipment maintained by state 
election authorities.
    The Russian cyber campaign sought to strike at the heart of our 
democracy. As such, legitimate questions about contacts between 
President Trump's inner circle and associates of the Putin regime need 
to be brought to light.
    That is why I support an independent 9/11-style commission to 
investigate the Russian cyber campaign. For our part, this committee 
needs to do aggressive oversight into this matter.
    It is disheartening to see President Trump be dismissive about 
investigating this very significant cyber attack, even as DHS and its 
Federal partners work to raise the level of cyber awareness and hygiene 
across the country.
    Just this week, President Trump, responding to testimony from the 
FBI and NSA before the House Intelligence Committee that laid bare that 
there is no truth to the President's allegations that former-President 
Obama ``tapped his wires,'' tweeted ``the Democrats made up and pushed 
the Russian story.''
    If this was all ``fake news'' then why would FBI Director Comey be 
dedicating scarce resources, since July, to investigating the Russian 
government's interference with our election and ``any links between 
individuals associated with the Trump campaign and the Russian 
government''?
    What seems to be lost on President Trump who, during the campaign, 
repeatedly expressed support for DoD using cyber offensive capabilities 
is that there can be no retribution without attribution.
    I am pleased that we have with us today cybersecurity leaders who 
understand the dangers posed by state actors like Russia and can speak 
to what we should be doing inside our Government and with our allies, 
including NATO, to protect critical infrastructure, including election 
infrastructure.
    Before I yield back, I must express my deep concern about the 
aloof, bordering on belligerent, posture taken by the Trump 
administration with respect to our NATO allies. Last week, the 
President not only repeated an unsubstantiated Fox News claim that 
defamed the U.K. intelligence service but, when asked by German 
Chancellor Merkel to shake her hand at a White House press event, 
refused.
    This week, we hear that his Secretary of State will not be 
attending a long-scheduled NATO meeting but plans to visit Russia in 
April. At a time of heightened threat to Europe, it is critical that 
the Trump administration reverse course and reassure our NATO allies 
that we are full partners against all threats--be they cyber or 
conventional.

    Chairman McCaul. Thank you, Ranking Member.
    Other Members are reminded they may submit opening 
statements for the record.
    We have a distinguished panel.
    First, retired General Keith Alexander, president and CEO 
of IronNet Cybersecurity. Prior to his work at IronNet the 
four-star general was the director of the National Security 
Agency.
    Thank you, sir, for being here today.
    Next we have Mr. Michael Daniel, president of the Cyber 
Threat Alliance, or CTA. Before that he served as special 
assistant to the president and cybersecurity coordinator on the 
National Security Council staff.
    Thank you, sir, as well.
    Mr. Frank Cilluffo is the director of the Center for Cyber 
and Homeland Security at the George Washington University and 
is co-director of G.W.'s Cyber Center for National and Economic 
Security.
    Thank you, sir.
    Finally, Mr. Bruce McConnell is the global vice president 
of the EastWest Institute. Prior to joining the institute he 
served as deputy under secretary for cybersecurity at the U.S. 
Department of Homeland Security.
    Thank you, sir.
    I want to thank all of you for being here.
    I now recognize General Alexander.

 STATEMENT OF GENERAL KEITH B. ALEXANDER (RET. USA), PRESIDENT 
       AND CHIEF EXECUTIVE OFFICER, IRONNET CYBERSECURITY

    General Alexander. Chairman McCaul, Ranking Member 
Thompson, distinguished Members of the committee, it is an 
honor to be here.
    Chairman McCaul, I am going to take from some of your 
statements and walk through my thoughts on the threat, where I 
think we need to go as a Nation, and specifically with respect 
to the Department of Homeland Security in the next 4 hours--no, 
I am going to take my 5 minutes.
    So you are right, the threats out there are growing, 
Chairman, as we see them. You see it from Russia. It has hit 
our elections; it has hit a number of areas.
    We see this around the world with Iran on Saudi Arabia, 
most disturbing and the ones that concern me the most. You have 
seen North Korea on Sony and others. It is growing.
    I think there are two aspects of this that we need to 
address. First, our defense is terrible--between Government and 
industry, and with industry getting the information they need 
from Government, and the coordination within Government. It has 
to be better.
    You know, it was interesting being on the Presidential 
commission. One of the things that we recognized is people said 
it is too hard to do A, B, C, or D, but when you look at our 
Constitution it says ``for the common defense.'' It doesn't 
have in parentheses, ``unless it is too hard.''
    It says it is for the common defense. That is what we have 
our Government for.
    Actually, we can defend this Nation in cybersecurity 
working with industry. Actually, what Mr. Daniel is doing with 
Cyber Threat Alliance, and what Homeland Security is doing, and 
what the rest of the Government is doing sets the pieces in 
place.
    We have got to force that together. Let me give you some 
thoughts on how to do that.
    When we talk about this bubble chart that you mentioned 
about how we got the agencies together, it gave clear--fairly 
clear--missions to the Defense Department, to the Department of 
Justice, FBI, and to Homeland Security. But words matter, and 
what I see in those words is there is a lot of confusion over 
the difference in some of the words.
    So what do you mean by ``protect'' and what do you mean by 
``defend''? Whose responsibility is it, and how are we going to 
work together?
    It is clear that if we work together--and industry sees 
this. You see the financial sector starting to work together; 
they are passing things through the FS-ISAC. You see the energy 
sector and all the other sectors doing that, in large part led 
by some of the DHS efforts on critical infrastructure.
    That is a step in the right direction.
    What Mr. Daniel is working on is a cyber threat alliance, 
sharing information. What we have got to get to is how we share 
information within Government and with industry at network 
speed so that when this Nation is attacked all the elements of 
our Government are prepared to do their job, which I would tell 
you from my perspective today, we are not prepared.
    We need to up that defense. We need to share information so 
that DHS can do the job that I believe it is there for, which, 
as you noted in yours, it is not the Defense Department or the 
intelligence community's job to police domestic networks--nor, 
actually, is it any Government--but they have to get 
information from them when they are being attacked.
    I will use Sony as a case in point. Let's say that we 
determined that Sony was critical infrastructure--I will leave 
that to someone else. But if Sony is being attacked by a 
nation-state, whose job is it to defend Sony if we will not 
allow Sony to counter-attack?
    That is the Government's job, in my opinion.
    But the Government did not and could not see that attack. 
We didn't have the information at network speed; we had not 
practiced it; and as you said, Chairman, we don't have the 
rules of engagement and we haven't set this up.
    We need to fix that now.
    First, industry, from my perspective, is more than willing 
to share. It is not personally identifiable information; it is 
threat information, and we can share that at network speed. If 
industry can share it amongst companies within a sector, they 
could also share that with the Government.
    We agreed early on that that would go through DHS but 
should be shared to the rest of Government so those that have a 
responsibility--whether it is law enforcement--for defense of 
the country could do their job at network speed. I know you 
have pushed hard on that, Chairman, to make sure that that is 
right. We should ensure that is right and practice that.
    If we did that, when Sony is being attacked by North Korea 
in that case, and if the President and the Secretary of Defense 
determine a cyber response was valid, they would have the means 
and wherewithal to do a cyber response before we lost Sony.
    Companies don't want the Government there for incident 
response. They want us there when they are being defended. They 
don't want to end up to be a victim like Sony, and we can't 
afford that in many of our sectors, so we have to get this 
right.
    Chairman, I am prepared to answer any questions that you 
have. Thank you very much.
    [The prepared statement of General Alexander follows:]
                Prepared Statement of Keith B. Alexander
                             March 22, 2017
    Chairman McCaul, Ranking Member Thompson, Members of the committee: 
Thank you for inviting me to discuss Defending Against Cyber Threats 
with you today, and specifically, the current cyber threat landscape, 
civilian cyber defense capabilities, and deterrence. I plan to speak 
candidly about the authorities, roles, and responsibilities of the 
Federal Government in cyber space, and how we can provide for our 
Nation's common defense in cyber space. While some see the offense as 
superior to the defense when it comes to cybersecurity, I believe that 
these need to be worked together between the Government and industry.
    I want to thank both Chairman McCaul and Ranking Member Thompson 
for making cybersecurity a top priority, including your bipartisan 
efforts to develop much of the legislation at the heart of the 
Cybersecurity Act of 2015 and earlier legislation that set the stage 
for it. This includes the efforts to codify and strengthen the 
authorities related to the National Cybersecurity and Communications 
Integration Center (NCCIC) and to improve Federal cyber defense 
efforts, including positive changes to the Federal Information Security 
Management Act (FISMA) and provisions that will make it easier for us 
to grow a more capable Federal cyber workforce.
    We live in an age in which data, and access to data, are key 
resources. Never has technology been so focused on how we create, use, 
and communicate data, and this revolution will benefit us as it leads 
the way for significant strides in technology. It was just over 10 
years ago that Apple introduced the first iPhone, a portable 
communications device with a faster processor, more memory, and more 
storage space than the Cray supercomputers of the 1980's and 1990's. In 
the same year the iPhone was introduced, we witnessed cyber attacks 
being used as an element of National power in the attacks on Estonia, 
the most digitally dependent country in the world. Ten years later, we 
continue to witness an astounding rate of growth in the amount of 
unique, new information available world-wide, not to mention huge 
increases in the velocity of data being transmitted and types of 
devices communicating information. With the birth of the Internet of 
Things (IoT) and the continued development and rapid iteration of 
technology, these trends are likely to continue to accelerate.
    We have also witnessed a troubling change in cyber attacks, 
including an increase in major disruptive attacks, as well as the use 
of actual destructive attacks on both public and private-sector 
entities in the United States and abroad. In 2012, we saw the advent of 
destructive attacks against Saudi Aramco, with over 20,000 computers 
affected, and a follow-on attack against Qatari RasGas.\1\ Similar 
attacks have recently been reported against the Saudi government.\2\ 
Here in the United States, we have seen destructive attacks conducted 
by nation-states against private institutions, including the Las Vegas 
Sands Corporation and Sony Corporation.\3\ We have likewise seen 
massive disruptive attacks targeting American financial institutions, 
including major attacks taking place multiple times in the last 5 
years. Most recently, we have seen what appear to be cyber-enabled 
efforts targeting the election of the President of the United States.
---------------------------------------------------------------------------
    \1\ See Director of National Intelligence James R. Clapper, 
Statement for the Record: Worldwide Threat Assessment of the U.S. 
Intelligence Community 2013 at 1, Senate Select Committee on 
Intelligence (Mar. 12, 2013), available on-line at https://www.dni.gov/
files/documents/Intelligence%20Reports/
2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf; Kim Zetter, Qatari 
Gas Company Hit With Virus in Wave of Attacks on Energy Companies (Aug. 
30, 2012), available on-line at https://www.wired.com/2012/08/hack-
attack-strikes-rasgas/.
    \2\ See Zahraa Alkhalisi, Saudi Arabia Warns of New Crippling 
Cyberattack, CNN (Jan. 26, 2017), available on-line at http://
money.cnn.com/2017/01/25/technology/saudi-arabia-cyberattack-warning/; 
see also Jose Pagliery, Hackers Destroy Computers at Saudi Aviation 
Agency, CNN (Dec. 2, 2016) available on-line at http://money.cnn.com/
2016/12/01/technology/saudi-arabia-hack-shamoon/?iid=EL.
    \3\ See Director of National Intelligence James R. Clapper, Opening 
Statement to Worldwide Threat Assessment Hearing, Senate Armed Services 
Committee (Feb. 26, 2015), available on-line at https://www.dni.gov/
files/documents/2015%20WWTA%20As%20Delivered%20DNI%20- 
Oral%20Statement.pdf (``2014 saw, for the first-time, destructive cyber 
attacks carried out on U.S. soil by nation-state entities, marked first 
by the Iranian attack on the Las Vegas Sands Casino a year ago this 
month and the North Korean attack against Sony in November. Although 
both of these nations have lesser technical capabilities in comparison 
to Russia and China, these destructive attacks demonstrate that Iran 
and North Korea are motivated and unpredictable cyber actors.'').
---------------------------------------------------------------------------
    We have also seen massive data breaches targeting nearly every 
major economic sector here in the United States, perhaps most 
prominently in the customer facing sides of key retailers and health 
insurers. We have likewise seen an increasing trend with respect to the 
use of ransomware by organized criminal groups and small actors alike, 
seeking to hold data or systems hostage at a range of organizations 
across our Nation, from hospitals to educational institutions. 
According to one report, the key sectors affected by ransomware include 
the services and manufacturing sectors, making up a combined 55% of 
ransomware infections.\4\
---------------------------------------------------------------------------
    \4\ See Symantec, An ISTR Report: Ransomware and Businesses 2016, 
at 8, available on-line at http://www.symantec.com/content/en/us/
enterprise/media/security_response/whitepapers/
ISTR2016_Ransomware_and_Businesses.pdf.
---------------------------------------------------------------------------
    This does not even account for the on-going theft of intellectual 
property from American companies, which I believe continues to 
represent the greatest transfer of wealth in human history. While we 
have ostensibly seen a significant down tick in cyber-enabled 
intellectual property theft by key nation-state actors, it remains to 
be seen whether this change will be sustained in the long-run and 
whether it represents an actual reduction in significant activity 
versus simply a more refined focus on key high-value theft.\5\
---------------------------------------------------------------------------
    \5\ See Federal News Service, Transcript: Hearing Before the Senate 
Armed Services Committee on Cybersecurity Policy and Threats at 8 
(Sept. 29, 2015) (``McCain: As a result of the Chinese leader in 
Washington there was some agreement announced between the United States 
and China. Do you believe that that will result in an elimination of 
Chinese cyber attacks? Clapper: Well, hope springs eternal. I think we 
will have to watch what their behavior is and it will be incumbent on 
the intelligence community I think to depict, portray to policymakers 
what behavioral changes if any, result from this agreement. McCain: Are 
you optimistic? Clapper: No.'').
---------------------------------------------------------------------------
    And it is worth noting that the same network penetrations that 
permit threat actors to steal data can potentially be used to disrupt 
networks or destroy data. This is particularly important to understand 
as we watch the increasing convergence of our systems and networks, 
whether we are talking about the increased links between industrial 
control systems and corporate networks or the proliferation of devices 
that are connected to the global network as part of the expansion of 
the IoT.
    We recently saw the practical implications of broad connectivity 
and convergence when the Mirai botnet turned run-of-the-mill devices 
into a virtual IoT army and used them to execute a Distributed Denial 
of Service (DDoS) attack on Dyn (recently acquired by Oracle), a 
managed DNS and traffic optimization company that serves more than 
3,500 enterprise customers, including major companies like Netflix, 
Twitter, LinkedIn, and CNBC.\6\
---------------------------------------------------------------------------
    \6\ See Dyn, About Dyn, available on-line at http://dyn.com/about/.
---------------------------------------------------------------------------
    As a free society, we have many vulnerabilities and leave ourselves 
open to various threats that more authoritarian nations are more 
capable of combating by limiting access to resources or restricting the 
freedom of their people. Here in the United States, we are most 
vulnerable to two asymmetric threats: Terrorist attacks and cyber-
enabled attacks. While these two types of attacks may overlap, and 
terrorist groups seek to obtain such capabilities, today the most 
advanced capabilities are in the hands of nation-states. This is not to 
discount the threat posed by criminal actors; to the contrary, the most 
wide-spread threat to our people today comes from organized criminal 
groups employing cyber-enabled capabilities to make money.
    It is worth noting that our enemies today need not attack our 
Government to have a substantive strategic effect on our Nation. 
Attacking civilian or economic infrastructure may be a more effective 
approach in the modern era, particularly for asymmetric actors like 
terrorist groups. Our increasing reliance on digital, connected devices 
means that while tanks, bombers, and fighter jets are certainly not 
obsolete, there are newer and perhaps more insidious ways of having 
similar effects without the need for the large investment that those 
assets require. Nation-states have long sought access to the critical 
systems of other nations for espionage, and we now see an expansion 
from these traditional activities to more aggressive actions by nation-
states. The number of nations that possess the capability to exploit 
and attack continues to grow with less of an incentive to act with 
appropriate state-to-state behavior and using these cyber 
capabilities in a more aggressive way.
    Similarly, an increasing number and range of non-state groups use 
cyber-enabled methods to advance their own agendas. Major criminal 
gangs, organized crime groups, and terrorist organizations are growing 
their cyber capabilities to go beyond mere communication, recruitment, 
and incitement. And though the RAND Corporation estimates that the 
malware black market can be more profitable than the illegal drug 
trade,\7\ we do not treat cyber space threats as an epidemic. Nor do we 
treat nation-state threats, or worse, nation-state actions, in cyber 
space as we would treat the presence of nation-states' key naval assets 
inside our territorial waters. Rather, we treat cyber threats largely 
as nuisance or, at worst, criminal activity to be dealt with 
principally through private-sector defensive measures and after-the-
fact government action, typically by traditional law enforcement 
agencies. The future of warfare is here, and we need to structure and 
architect our Nation to defend our country in cyber space.
---------------------------------------------------------------------------
    \7\ See Lillian Ablon, Martin C. Libicki, and Andrea A. Golay, 
Markets for Cybercrime Tools and Stolen Data at 11, RAND Corporation 
(2014), available on-line at http://www.rand.org/pubs/research_reports/
RR610.html.
---------------------------------------------------------------------------
    It is critical that as a Nation, we fundamentally rethink how the 
Government and the private sector relate to one another in cyber space. 
We need to draw clear lines and make explicit certain responsibilities, 
capabilities, and authorities. The private sector controls the vast 
majority of the real estate in cyber space, particularly when it comes 
to critical infrastructure and key resources.\8\ Given the private 
sector's role in running the infrastructure upon which our Nation 
relies, there is likewise no question that the Government and private 
sector must collaborate. We need to recognize that neither the 
Government nor the private sector can capably protect the systems and 
networks they need to without extensive and close cooperation.
---------------------------------------------------------------------------
    \8\ See, e.g., Office of the Director of National Intelligence, 
Office of the Program Manager-Information Sharing Environment, Critical 
Infrastructure and Key Resources, available on-line at https://
www.ise.gov/missionpartners/critical-infrastructure-and-key-resources 
(``The private sector owns and operates an estimated 85% of 
infrastructure and resources critical to our Nation's physical and 
economic security.'').
---------------------------------------------------------------------------
    One of the key issues we must address is determining where to place 
responsibility for the cyber defense of the Nation, including its key 
infrastructures and economic sectors. Today, the basic expectation is 
that the private sector is responsible for defending itself in cyber 
space regardless of the enemy, scale of attack, or type of capabilities 
employed. However, the reality is that commercial, private-sector 
entities cannot practically be expected to defend themselves against 
nation-state attacks in cyber space. They do not have the capacity or 
capability to respond in a way that would be fully effective against a 
nation-state attacker, whether from a deterrence or strategic 
perspective.
    For over 200 years, our Constitution has made clear that one of the 
core goals of our forefathers in forming a Federal union was to provide 
``for the common defense.''\9\ And yet today, as we face a rapidly 
expanding threat environment in cyber space and as our National 
institutions and our economic base in the private sector increasingly 
come under direct attack from a wide range of actors including highly 
capable nation-states, we simply do not provide such common defense, at 
least not in any practical sense of the phrase.
---------------------------------------------------------------------------
    \9\ U.S. Const., preamble (emphasis added and spelling modernized).
---------------------------------------------------------------------------
    In 2012, then-Secretary of Defense Leon Panetta noted that ``the 
Department [of Defense] has a responsibility . . . to be prepared to 
defend the Nation and our National interests against an attack in or 
through cyber space.''\10\ Even at that time, it was clear that in 
order to make our overall national cyber architecture truly defensible, 
we needed to establish a shared understanding of our respective roles 
and responsibilities, first within the Government, then between the 
Government and the private sector. As a result, we worked closely with 
our colleagues in other agencies across the Government spending many 
hours, days, weeks, and months to put in place a workable structure for 
sharing authorities and assigning responsibilities at the National 
level. Indeed, by one count, it took 75 drafts to get agreement on a 
single slide regarding the National division of responsibilities for 
cybersecurity.\11\
---------------------------------------------------------------------------
    \10\ See Department of Defense, Remarks by Secretary Panetta on 
Cybersecurity to the Business Executives for National Security, New 
York City (Oct. 11, 2012), available on-line at http://
archive.defense.gov/transcripts/transcript.aspx?transcriptid=5136.
    \11\ See Department of Defense Information Operations Center for 
Research and Army Reserve Cyber Operations Group, Cyber Endeavor 2014: 
Final Report--When the Lights Go Out, at 5 (June 26, 2014), available 
on-line at https://my.nps.edu/documents/105372694/0/
Cyber_Endeavour_2014-Final_Report-2014-08-13.pdf. (``The need to define 
these partnerships and relationships [] led the Government and U.S. 
Federal Cybersecurity Operations Team to define their National roles 
and relationships as highlighted in Figure 1, which is commonly 
referred to as the `Bubble Chart.' There were seventy-five (75) 
versions made of this chart before all parties agreed on how this 
works, and it was powerful and important just to get an agreement.'')
---------------------------------------------------------------------------
    At the end of that process, we assigned the responsibilities as 
follows: The Justice Department would, among other things, 
``[i]nvestigate, attribute, disrupt, and prosecute cyber crimes; [l]ead 
domestic national security operations; and [c]onduct domestic 
collection, analysis, and dissemination of cyber threat intelligence;'' 
DHS would ``[c]oordinate the national protection, prevention, 
mitigation of, and recovery from cyber incidents; [d]isseminate 
domestic cyber threat and vulnerability analysis; and [p]rotect 
critical infrastructure;'' and DOD would ``[d]efend the Nation from 
attack; [g]ather foreign threat intelligence and determine attribution; 
[s]ecure national security and military systems.''\12\ Moreover, the 
``bubble chart,'' as this document was called, assigned the following 
lead roles: DOJ: investigation and enforcement; DHS: protection; and 
DOD: National defense.\13\
---------------------------------------------------------------------------
    \12\ See id. at 6, Fig. 1.
    \13\ See id.
---------------------------------------------------------------------------
    The reality, however, is that the vision of the ``bubble chart'' 
has never been fully realized. The truth is that today, our Government 
agencies appear to be confused by the different terms of protection, 
incident response, and National defense. More needs to be done in 
defining these roles within the key departments, and we must practice 
how the Government is going to collectively execute their 
responsibilities. The relationships amongst our various Government 
agencies and between the Government and the private sector continue to 
be a source of friction, the ``bubble chart'' notwithstanding. Clearly 
more remains to be done to fully achieve the valuable vision set forth 
in the ``bubble chart.''
    Many have also argued that it is important for the creation of ``a 
new component agency, or [the] repurpose[ing of] an existing agency, to 
serve as a fully operational cybersecurity and critical infrastructure 
protection agency on par with other component agencies.''\14\ This 
agency would be a ``DISA equivalent'' for the civilian Government 
agencies. This could be run by the Government or outsourced to a 
commercial entity. As I've previously noted, I generally support this 
recommendation, and think that it is important that the new 
administration give this idea some serious consideration.
---------------------------------------------------------------------------
    \14\ Id. at 44 (action item 5.5.2).
---------------------------------------------------------------------------
    For the Government to effectively work with the private sector to 
secure the Nation in cyber space, perhaps the single most important 
thing the Government can do is to build real connectivity and 
interoperability with the private sector. Such connectivity and 
interoperability on a technology level is critical, but it is also 
important on the policy and governance level. That is, in part, why the 
Commission recommended the creation of a National Cybersecurity Public-
Private Partnership (NCP\3\).\15\ This entity, as set forth in the 
Commission's report, would serve the President directly, reporting 
directly through the National Security Advisor and would be used ``as a 
forum for addressing cybersecurity issues through a high-level, joint 
public-private collaboration.''\16\ Part of the NCP\3\'s key role would 
be to ``identify clear roles and responsibilities for the private and 
public sectors in defending the Nation in cyber space,'' including 
addressing critical issues like ``attribution, sharing of Classified 
information [and] an approach--including recommendations on the 
authorities and rules of engagement needed--to enable cooperative 
efforts between the Government and private sector to protect the 
Nation, including cooperative operations, training, and exercises.''
---------------------------------------------------------------------------
    \15\ Id. at 14 (action item 1.2.1).
    \16\ Id. at 14-15.
---------------------------------------------------------------------------
    In line with this recommendation, the Commission also recommended 
that ``[t]he private sector and administration should launch a 
joint cybersecurity operation program for the public and private 
sectors to collaborate on cybersecurity activities to identify, protect 
from, detect, respond to, and recover from cyber incidents affecting 
critical infrastructure.''\17\ In my view, empowering such joint 
efforts is critical to ensuring our long-term National security in 
cyber space. As the Commission indicated, ``[k]ey aspects of any 
collaborative defensive effort between the Government and private 
sector [will] include coordinated protection and detection approaches 
to ensure resilience; fully integrated response, recovery, and plans; a 
series of annual cooperative training programs and exercises 
coordinated with key agencies and industry; and the development of 
interoperable systems.''\18\ Having such mechanisms in place well ahead 
of crisis is critical so that public and private sector entities can 
jointly train and exercise these rules of engagement and mitigate any 
potential spillover effects on on-going business or Government 
activities. In my view, implementing these two recommendations of the 
Commission is amongst the most important things we might do as a 
Nation in the near term.
---------------------------------------------------------------------------
    \17\ Id. at 15 (action item 1.2.2.)
    \18\ Id.
---------------------------------------------------------------------------
    Finally, I think it is worth highlighting that it is critical that 
this be a two-way partnership between Government and the private 
sector. The Government can and must do more when it comes to partnering 
with the private sector, building trust, and sharing threat 
information--yes, even highly Classified threat information--at network 
speed and in a form that can be actioned rapidly. Building out a cross-
cutting information-sharing capability allows the Government and 
private sector to develop a common operating picture, analogous to the 
air traffic control picture. As the air traffic control picture ensures 
our aviation safety and synchronizes Government and civil aviation, the 
cyber common operational picture can be used to synchronize a common 
cyber defense for our Nation, drive decision making, and enable rapid 
response across our entire National cyber infrastructure. This would 
prove a critical defensive capability for the Nation.
    The information-sharing legislation enacted by Congress as part of 
the Cybersecurity Act of 2015 is a step in the right direction. 
However, it lacks key features to truly encourage robust sharing, 
including placing overbearing requirements on the private sector, 
overly limiting liability protections, restricting how information 
might effectively be shared with the Government, and keeping the 
specter of potential Government regulation looming in the 
background.\19\ Moreover, while the Government has placed this 
responsibility with the DHS today,\20\ and DHS established the 
Automated Indicator Sharing platform (AIS) as a ``capability [that] 
enables the exchange of cyber threat indicators between the Federal 
Government and the private sector at machine speed,''\21\ it is 
important for this Committee--as the primary oversight organization for 
the Department--to recognize the perception in industry is that DHS 
faces significant challenges in this area and that it simply lacks the 
technical capabilities to succeed.\22\ When we first discussed this 
approach, DHS was the portal, but it would be a true partnership 
between DOD, DHS, and DOJ. We must help drive DOD, DHS, and DOJ to work 
together to evolve our Government's roles and responsibilities.
---------------------------------------------------------------------------
    \19\ See, e.g., Jamil N. Jaffer, Carrots and Sticks in Cyberspace: 
Addressing Key Issues in the Cybersecurity Information Sharing Act of 
2015, _ S. Car. L. Rev. _ (forthcoming 2017).
    \20\ See, e.g., Executive Order 13691, Promoting Private Sector 
Cybersecurity Information Sharing (Feb. 13, 2015), available on-line at 
https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-
promoting-private-sector-cybersecurity-information-shari (``The 
National Cybersecurity and Communications Integration Center (NCCIC), 
established under section 226(b) of the Homeland Security Act of 2002 
. . . shall engage in continuous, collaborative, and inclusive 
coordination with ISAOs on the sharing of information related to 
cybersecurity risks and incidents.'').
    \21\ See DHS US-CERT, Automated Indicator Sharing (AIS), available 
on-line at https://www.us-cert.gov/ais.
    \22\ See Commission on Enhancing National Cybersecurity, Testimony 
of Greg Rattray, Director of Global Cyber Partnerships & Government 
Strategy, J.P. Morgan Chase (May 16, 2016) (describing DHS's six 
information sharing initiatives, as ``too broad and [simply] not 
meet[ing] the need [] to enhance cyber defense''); Testimony of Mark 
Gordon, n. 13 supra (arguing that while tactically accelerating 
automating and systemizing threat indicator content with the Government 
is a big vision, it is not a reality today); see also Jaffer, n. 14 
supra, at_ (``DHS is generally seen as facing major challenges in 
capability in the cyber area and a number of other agencies, from DOD/
NSA to FBI, are seen by industry as more capable, reliable, or 
secure.'').
---------------------------------------------------------------------------
    More can be done here, and I stand ready to work with this 
committee and others in Congress and the administration as we seek a 
path forward on this important issue. As with the recommendations of 
the Commission above, I believe that implementing real, robust real-
time threat information sharing across the private sector and with the 
Government could be a game-changer when it comes to cyber defense.
    In sum, Mr. Chairman, I think much remains to be done to fully put 
our Nation on a path to real security in cyber space, but I am strongly 
hopeful for our future. With your leadership and that of the Ranking 
Member, working together collaboratively across the aisle and with the 
White House and key players in the private sector as well as other key 
committees in Congress, I think we can achieve some real successes in 
the near future.

    Chairman McCaul. Thank you, General.
    Chair recognizes Mr. Daniel.

 STATEMENT OF MICHAEL DANIEL, PRESIDENT, CYBER THREAT ALLIANCE

    Mr. Daniel. Thank you, Mr. Chairman, Ranking Member 
Thompson, other distinguished committee Members. It is very 
nice to be here with you today with such a distinguished panel.
    I want to build on what General Alexander was saying in 
terms of how I see the threat evolving and talk briefly about 
why this problem is actually hard, because it is not obvious on 
the surface of it, and then talk a little bit about how we have 
some strategies for dealing with it and how CTA can play a role 
in that.
    When you take a look at the threat space that we are 
talking about you can see three trends that make it--that make 
this problem continue to get worse, one of which is that we are 
making it broader. Every day we are hooking up more and more 
stuff to the internet, and we are hooking up different kinds of 
items.
    It is no longer just wired desktops but, you know, 
refrigerators and cars and light bulbs and a whole array of 
medical devices and other things that are very, very different 
from one another. So we are making our problem continually more 
difficult.
    It is also becoming--the threat is also becoming more 
diverse. Many different actors are learning that they can 
pursue their interests through cyber space, whether they are 
hacktivists or criminals or nation-states, and all of those 
factors mean that the problem is becoming along a much greater 
continuum than it was before.
    It is becoming more dangerous. People are willing to take 
actions in cyber space and cause disruption and destruction in 
a way that they weren't previously.
    Now, it is not obvious on the surface why this problem is 
actually hard to deal with, but I think it is because we tend 
to treat it as just a technology problem and we keep trying to 
impose just technology solutions on this problem. It is not 
just a technology problem.
    It involves aspects of economics, and human behavior, 
business issues, political issues. Until we learn to address it 
in that holistic manner and not continue to treat it just as a 
technology problem, we are going to continue to fail, as 
General Alexander was saying.
    But it is also because cyber space has some different 
rules. It doesn't operate the way the physical world does.
    Certain concepts like near and far, proximity, 
sovereignty--all of these things actually have different 
meanings in cyber space than they do in the way they manifest 
in the physical world. So we have got to learn to grapple with 
the different rules that cyber space imposes on us.
    Last, this is just a new policy area. We don't have 
centuries of experience, decades of a policy framework to draw 
on. Almost everything that we are doing in this space--the 
bubble chart that General Alexander referenced--that is all 
new, and figuring out how to do this is a challenge.
    I think overall when I look at where we are trying to get 
to, information sharing is obviously a critical enabler. I 
would say that it is a necessary but not sufficient part of 
what we need to do in terms of our defense.
    We have talked about it for a long time. In fact, there are 
those that are sort-of tired of talking about information 
sharing. Frank is probably one of them. Part of the issue is 
that we actually haven't figured out how to do it right.
    We have taken some really good steps. The legislation that 
this committee helped pass and get through was a critical part 
of that, some of the Executive Orders from the previous 
administration, some of the steps in the private sector. But we 
really haven't gotten to the point where we are doing it at 
network speed and at scale.
    So I see the model that we are trying with the Cyber Threat 
Alliance of bringing together the cybersecurity industry in a 
new way, using some new models of how to share that 
information, score that information, give that information some 
value, emphasize context, not just the raw data itself--if we 
begin to pool this information in a way--in this new way we 
will actually enable the cybersecurity vendors to raise their 
defenses across the entire ecosystem.
    But it will also enable us to work with Government better 
to actually disrupt what the bad guys are doing and actually 
change the dynamic from always being on the defense to actually 
being able to take the fight to the bad guys. It will enable us 
to do better analysis so we can take that risk-based approach 
that the NIST Cybersecurity Framework promotes, and so that 
companies can actually implement that much more effectively. It 
will make our response and recovery activities much more 
effective because it will be based on solid data.
    So just to close, you know, this is an area that I agree 
with what you said, Mr. Chairman, that this is an absolutely 
critical problem for us to tackle, and I am very committed from 
both my Government service and in my current role to doing so. 
So thank you very much.
    [The prepared statement of Mr. Daniel follows:]
                  Prepared Statement of Michael Daniel
                             March 22, 2017
    Chairman McCaul, Ranking Member Thompson and Members of the 
committee: Thank you for the opportunity to appear before you today to 
discuss how new models of collaboration and threat sharing can be a 
catalyst toward tangibly reducing threats across the cybersecurity 
ecosystem. My name is Michael Daniel and, as of last Monday, I am the 
first president of the Cyber Threat Alliance (CTA)--a cyber threat 
information-sharing organization that now includes six of the world's 
largest cybersecurity companies as founding members. Prior to leading 
the CTA, I served for over 20 years in the U.S. Federal Government, 
most recently for 4 years as Special Assistant to the President and 
Cybersecurity Coordinator at the National Security Council.
    First, let me begin my testimony by acknowledging this committee's 
longstanding leadership on cybersecurity issues. This committee has 
played a central role in passing a range of important cybersecurity 
legislation, including legislation that has helped foster a more robust 
and trusted environment for responsible cyber threat information 
sharing. Having worked on cyber threat information-sharing issues 
first-hand for many years, I understand how challenging this process 
was and sincerely appreciate this committee's continued hard work and 
leadership.
                       the cyber threat landscape
    We live in a digital age. This digital age brings with it 
incredible efficiencies and productivity, but it also brings new 
challenges and potential vulnerabilities that--left unchecked--threaten 
to undermine these very benefits. The increasingly digitized nature of 
the world, and the United States in particular, means the threats we 
face in cyber space are particularly significant. Our economy, our 
National security, our social lives all depend heavily on the internet 
and cyber space. Unfortunately, the threat is also growing more acute 
in at least three fundamental ways:
    1.   The cyber threat is becoming broader: As we increasingly 
        connect more and more devices up to the internet, we are making 
        cyber space bigger and dramatically expanding the potential 
        attack surface. Indeed, even by the Gartner Group's 
        conservative estimates, there will be over 20 billion devices 
        connected to the internet by 2020--that translates to adding 10 
        million devices per day. But more important than just the 
        numbers are the kind of devices we are connecting to the 
        internet. They are not desktops, laptops, or even smartphones. 
        They are light bulbs, refrigerators, cars, thermostats, 
        sensors, and thousands of other ``things''--a huge array of 
        different kinds of devices with different functions, protocols, 
        and security features. This growth in volume and heterogeneity 
        makes effective cyber defense even harder.
    2.   The cyber threat is becoming more frequent: The number of 
        malicious actors in cyber space continues to grow rapidly as 
        hacktivists, criminals, and nation-states all learn that they 
        can pursue their goals relatively cheaply and effectively 
        through cyber space. The barriers to entry are low and the 
        potential return on investment is fairly high. As a result, the 
        volume and frequency of malicious cyber activity is increasing 
        dramatically.
    3.   The cyber threat is becoming more dangerous: Until recently, 
        cyber actors generally limited their malicious activities to 
        stealing money or information, temporary denial-of-service 
        attacks, or website defacements (the digital equivalent of 
        graffiti). But increasingly, we are now seeing actors move to 
        much more destructive and disruptive activities. The 
        destructive cyber attack on Sony Pictures Entertainment, the 
        physical disruption of the Ukrainian power grid, and the use of 
        information operations to influence electoral processes are all 
        recent examples of this trend.
            why is cybersecurity a hard challenge to solve?
    At first glance, it's not obvious why cyber threats are so hard to 
effectively manage. If it's just a technology problem, why can't we 
simply deploy innovative technical solutions to stop these threats? The 
answer is that cyber threats pose not just technical problems, but also 
economic, psychological, and human behavioral challenges. As a result, 
our response to threats has to involve not just technical solutions, 
but economic, psychological, and human behavioral aspects as well--a 
much greater challenge than simply buying a new cybersecurity device or 
service.
    In addition, cyber space operates according to different rules than 
the physical world. I do not mean the social ``rules'' of cyber space 
that get a lot of play in the media, but rather the physics and math of 
cyber space. The concepts of distance, borders, proximity--all operate 
differently in cyber space compared to the physical world. Therefore, 
our typical models for addressing certain challenges, such as border 
security, simply don't work in cyber space. Developing these new models 
will take time and experimentation to get right.
    Finally, cyber space and the internet are still very new, 
relatively speaking. From a policy and legal perspective, we have not 
had the time or the experience to develop the comprehensive frameworks 
we need to tackle cybersecurity's challenges. What is the right 
division of responsibility between governments and the private sector 
in terms of cyber defense? What actions are acceptable for governments, 
companies, and individuals to take and which actions are not? Answering 
these kinds of questions is the fundamental policy challenge for the 
next few years.
                 what should we do about cybersecurity?
    Given the trends, growing complexities, and inherent challenges of 
the cyber threat, is it possible to design an effective strategy to 
combat it? The short answer is yes--but implementing such a strategy 
requires a lot of work, sustained engagement, and a multi-disciplinary, 
risk-based approach. As a Nation, an effective cyber strategy will 
involve three core elements:
       Raising the level of cybersecurity across the global digital 
        ecosystem
       Preventing, disrupting, deterring, and constraining our 
        adversaries' operations in cyber space
       Responding effectively to incidents when they occur
    From an organizational perspective, an effective cyber strategy 
must also contain several core elements:
       Making cybersecurity a C-suite and organizational priority
       Using a risk-based approach to address cyber threats
       Developing, testing, and exercising an incident response and 
        recovery plan
    In developing their strategies to combat cyber threats, governments 
should recognize that no one agency has the full range of capabilities, 
authorities, and perspective needed to address the challenge. 
Organizations must realize that they cannot relegate cybersecurity to 
the Chief Information Officer's (CIO) shop or the geeks in the server 
closet. Collectively, we must realize no government or individual 
company can effectively address the cyber threat by itself. Instead, 
cybersecurity is a fundamentally shared and distributed challenge that 
can only be effectively addressed through collaboration that leverages 
the unique capabilities and authorities of companies, individuals, and 
governments. The private sector, State and local governments, National 
governments--all of these entities will have to work together across 
boundaries and borders if we want our cybersecurity strategies to be 
effective.
    In considering how to build this new kind of collaboration, I don't 
have ``the'' solution for what it should look like. In fact, there's 
almost certainly not just one solution. However, through the hard work 
of many people over the past decade and a half, we have started 
building the foundations for this new kind of collaboration. This 
committee has passed critical legislation that enables this 
collaboration within the U.S. The Federal Government has worked hard to 
build its capabilities across all the relevant agencies--Homeland 
Security, Defense, Commerce, State, Justice, GSA, OMB, and the 
intelligence community all have critical roles to play within the U.S. 
context. This kind of interagency collaboration will be necessary in 
other countries as well. The private sector has also been working hard 
globally, creating new structures, like Information Sharing and 
Analysis Organizations, building new technologies, and creating whole 
new industries, like cyber incident response firms. So the good news is 
that we do not need to start over. Instead, we can continue building on 
this foundation laid over the last decade to evolve this collaboration 
into its effective form.
 cyber threat information sharing as a critical component of effective 
                             cybersecurity
    Clearly, if we are going to have the kind of interagency, 
intercompany, and interorganizational collaboration I described above, 
cyber threat information sharing is a critical enabler. In fact, robust 
cyber threat information sharing across this entire cybersecurity 
ecosystem is a necessity in achieving our shared goals of enhanced 
cybersecurity. Of course, cyber threat information sharing won't solve 
the problem by itself. If it is not used as a tool to leverage people, 
process, and technology to match the highly automated nature of our 
adversaries' attacks with automated defenses, then it will not be 
effective.
    Despite this obvious enabling function, as a society we've had 
trouble figuring out how to actually share useful cyber threat 
information, do so at a speed that matters, and then to take action 
based on that information. That's where the CTA comes in.
      how does cta help achieve these goals of automated defense?
    Within the cyber threat information-sharing environment, 
cybersecurity companies have a unique role to play. They collectively 
have the physical infrastructure and processing ability to 
automatically deploy preventive measures based on new cyber threat 
information to a broad customer base across multiple sectors. For these 
reasons, cybersecurity companies can bring a degree of 
``actionability'' to cyber threat information sharing that is critical 
for achieving the ultimate goal of raising adversary costs and tangibly 
improving cybersecurity across the ecosystem.
    To make this potential real, a core group of cybersecurity 
companies decided to form the Cyber Threat Alliance (CTA). CTA is a new 
kind of Information Sharing and Analysis Organization (ISAO) that 
features six of the largest global cybersecurity companies as founding 
members--Check Point, Cisco, Fortinet, McAfee, Palo Alto Networks and 
Symantec. It also includes IntSights, Rapid7, Reversing Labs, RSA, and 
Telefonica as affiliate members. This partnership underscores the 
philosophy that we can be force multipliers in support of a coordinated 
cyber threat information-sharing effort against our shared cyber 
adversaries. The CTA cyber threat information-sharing model is novel in 
several ways that directly address many of the aspects that have 
limited the effectiveness of other cyber threat information-sharing 
relationships, both formal and informal:
    1. Accountability.--The CTA ensures that there is no anonymity for 
        member contributions, although the customer's data is 
        anonymized. Therefore, submitters have to stand behind the 
        accuracy of the cyber threat information they provide.
    2. Participation.--To encourage active participation and meaningful 
        contributions, the CTA establishes mandatory submission 
        thresholds for cyber threat information sharing, initially on a 
        quantitative basis in an ever-evolving scoring system that 
        measures the qualitative value of shared cyber threat data 
        based on context.
    3. Transparency.--The CTA uses an automated scoring algorithm to 
        evaluate and assign point totals of submitted cyber threat 
        intelligence that will be public among all members. CTA members 
        will all be able to measure their performance on a dashboard.
    Using this new cyber threat-sharing model, CTA undertakes two broad 
operational lines of effort. First, CTA enables near-real time sharing 
of rich, contextual cyber threat information among all cybersecurity 
companies, which can be leveraged on an individual basis to update and 
improve their products and services. Second, CTA uses this shared cyber 
threat information to build ``playbooks'' of malicious cyber activity. 
Taken together, these two broad lines of effort enable CTA to support 
both National and organizational cybersecurity objectives, including:
    1. Improved cyber defense across the entire ecosystem.--By enabling 
        cybersecurity providers to dramatically expand the pool of 
        information their defensive products can leverage, every 
        member's products become more effective for their customers. 
        Because the CTA members' customers span all industry sectors, 
        the impact of this cyber threat information sharing can protect 
        a larger percentage of the global ecosystem than more sector-
        specific information sharing entities.
    2. Better prevention against, and disruption of our adversaries.--
        The CTA is focused on sharing indicators related to an 
        adversary's playbook--a more limited and predictable series of 
        steps an adversary must take to complete a successful cyber 
        attack. Although re-engineering malware requires some time and 
        effort, relatively speaking it is easy to make small tweaks to 
        malware so that it can evade detection. However, an 
        adversary's total suite of indicators (the ``playbook,'' 
        including tactics, techniques, and procedures, and typical 
        operational approach) is much more difficult to change and 
        update. By developing and publishing these playbooks, we can 
        force adversaries to adapt their business processes--a much 
        more time consuming and therefore disruptive task.
    3. Risk-based.--As CTA's cyber threat information base grows, it 
        will enable better analysis of cyber threats and trends with 
        respect to those threats. In turn, this analysis will enable 
        our members to better advise clients on the relative risks of 
        the cyber threats they face and how to prioritize among them. 
        This type of broad-based sharing of widely used threat 
        techniques can help neutralize unsophisticated actors and force 
        sophisticated adversaries, such as nation-state actors, to 
        develop new (and therefore costlier) techniques. This narrowing 
        of the threat landscape can enable public and private 
        organizations to more effectively target high-priority and 
        advanced persistent adversaries and threats.
    4. Incident response and recovery.--CTA cyber threat information 
        sharing will lead to better information, particularly about 
        adversary playbooks, that can make incident response and 
        recovery efforts faster and more effective.
    To fulfill these core missions, the CTA has built an automated 
cyber threat information-sharing platform with the goal of enabling and 
incentivizing the sharing of high-quality, actionable cyber threat 
information. The CTA and its platform embody a major step forward in 
transforming shared cyber threat information into effective preventive 
measures that can automatically be deployed by CTA members to their 
respective customers. The CTA platform is not just a concept or a set 
of PowerPoint slides--it is a functioning system, actively working to 
protect its members and their customers in near-real-time, and thus 
contributing to the increased protection of the industry and the world.
    For example, recently, a single shared cyber threat sample from one 
CTA member allowed another member to build protections before that 
organization's customers were targeted--preventing successful attacks 
against 29 subsequent organizations. In another instance, cyber threat 
data shared through the CTA from one member allowed another member to 
identify a targeted attack against its customer and release additional 
indicators to defend that organization. The CTA and its platform have 
shown that a well-designed and well-built cyber threat information-
sharing program can improve the Nation's cyber defenses and undermine 
the efforts of cyber adversaries. CTA is already improving 
cybersecurity, with some members finding that 40 to 50 percent of CTA's 
shared cyber threat data is new and directly actionable.
                          better cybersecurity
    The cyber threats we face as a world are very serious. For over 40 
years, the United States and other like-minded countries have used the 
internet and cyber space to derive enormous benefits: Economic growth, 
National security improvements, and social well-being. However, if we 
do not begin to effectively address the cyber threats we face, those 
benefits could wither. That is not a future we want. Tackling this 
challenge effectively will require forging new partnerships within 
industries, between industries, and between the Government and 
industry. It will require organizations to adopt new mindsets and 
change old beliefs to reflect the realities of the modern cyber threat 
environment. It will require coordinated action in a manner that 
reinforces market forces and competition. The Cyber Threat Alliance is 
ready to do its part in this endeavor and achieve effective 
cybersecurity for everyone around the world.

    Chairman McCaul. Thank you, Mr. Daniel. You stayed right on 
time. I appreciate that.
    Mr. Cilluffo.

STATEMENT OF FRANK J. CILLUFFO, DIRECTOR, CENTER FOR CYBER AND 
        HOMELAND SECURITY, GEORGE WASHINGTON UNIVERSITY

    Mr. Cilluffo. Since I barely had an unspoken thought, I 
will try to be brief.
    But, Mr. Chairman McCaul, Congressman Thompson, 
distinguished Members of the committee, thank you for the 
opportunity to appear before you today.
    To piggyback on some of the comments that General Alexander 
and Michael Daniel brought up, we face a dizzying array of 
cyber threats coming at us from all directions. I mean, 
literally you blink and you have missed the latest hack du 
jour.
    I think what we all can also recognize is that the threat 
tempo is accelerating and magnified by the speed at which 
technology evolves and the fact that we are expanding the 
attack surface through entities such as the Internet of Things; 
but also by the fact that our adversaries continue to adapt 
their tactics, techniques, and procedures, or their TTPs, to 
defeat our prevention and response measures. This is not a 
static set of issues, and we have got to look at it through 
both lenses and perspectives.
    No one is immune--not our Government, not our businesses, 
and not any of us as individuals. But not all hacks are the 
same, nor are all hackers or their targets.
    I think we face a signal-to-noise dilemma right now. Who 
and what do we need to pay attention to, and why?
    I will try to be very brief on laying out some of the 
threat actors because I hope we will have some time to get 
through that during Q&A, but the threat comes in various 
shapes, sizes, and forms. At the high end we are dealing with 
nation-state actors, to criminal enterprises, to foreign 
terrorist organizations, to hacktivists, and script kiddies.
    Just as diverse as the threat actors themselves is the wide 
variance in their intentions, capabilities, and the tools at 
their disposal. While I will pick on four particular countries, 
because they are the greatest threat emanating, from the--from 
a U.S. perspective, it is important to keep in mind that every 
country that has a modern military and intelligence service 
also has a computer network attack capability.
    Nation-states also vary in their intentions, and some are 
more willing to exercise their cyber capabilities to disruptive 
and destructive attacks. Think North Korea; think Iran.
    Indeed, the line between the ability to exploit and the 
ability to attack is paper-thin and turns simply upon the 
question of intent. If you can exploit you can also attack, if 
your intention is there to do so.
    I think it is also important to recognize when we look at 
all these threat actors we can't look at cyber in isolation of 
the broader political and military components of these 
countries. So you can't just look at cyber. It is a tool in 
their toolkit to enable some of their overall primary 
objectives.
    One thing that is compounding the challenge today is that 
countries are often turning to proxies to do their bidding. 
They do so for a whole host of reasons: To augment some of 
their capabilities that they may lack, or obviously to obscure 
the--to not send the muddy footprints back to their doorstep, 
to provide some plausible deniability. This is what I found 
most startling out of the Yahoo indictments, is just how 
explicit Russia's role was in terms of turning to cyber 
criminals to perpetrate these particular crimes.
    Topping the list, from a threat perspective, no surprise to 
anyone here: Russia and China. Why? Because they are actually 
integrating computer network attack and exploit into their 
warfighting capability and doctrine. That is what 
differentiates them from other state actors.
    The one note I would underscore from Monday's hearings 
before the House Permanent Select Committee on Intelligence was 
the banter between Director Comey and Admiral Rogers on whether 
or not this will facilitate and embolden Russia to continue to 
engage in these sorts of attacks. They were talking about 2018, 
2020.
    But in addition to Russia, what other countries are 
observing--what are they getting out of our mealy-mouth and 
weak response? I think that is a fair--all sides are to blame 
on that one. That is not a current situation.
    But I think we need to get to the point where we can start 
articulating a cyber deterrent strategy.
    Just two other points on Russia and China that I think are 
important: In addition to serving as threat actors, they also 
provide virtual safe havens for a number of these criminal 
enterprises, and we don't have extradition treaties. So law 
enforcement is really stymied in their ability to bring hackers 
to justice, and the vast majority of these hackers are in Russia 
and China.
    Very briefly, what Russia--when you are thinking about 
countries that are not only looking to computer network exploit 
and warfighting capabilities, obviously topping that list is 
North Korea and Iran. What they may lack in intent--in 
capability they make up for with intent, and they are turning 
to more and more destructive attacks.
    Iran has got a long history in doing so, and I think we 
need to keep an especially close eye on North Korea, given 
their recalcitrant behavior right now and given the fact that, 
ironically, they are not only engaged in computer network 
attack, but they have turned to cyber crime to basically fund 
the regime since they have been entirely isolated by the 
international economy.
    With that, I did go over. Sorry, Mr. Chairman. I hope to 
get to some of these questions during the Q&A.
    [The prepared statement of Mr. Cilluffo follows:]
                Prepared Statement of Frank J. Cilluffo
                             March 22, 2017
    Chairman McCaul, Ranking Member Thompson, and distinguished 
committee Members, thank you for the opportunity to testify before you 
today on this subject of National importance. As cyber threats continue 
to multiply and evolve, your resolve to explore this complex yet 
critical area is commendable. My testimony will focus primarily on the 
nature of the threat--including how to think about the major threat 
actors and their behavior--but will also contain thoughts on how best 
to respond to the vexing economic and National security challenges 
associated with America's digital footprint.
    As individuals, businesses, and Government entities choose to 
increasingly utilize the advantages of the internet, they expand their 
exposure to the security vulnerabilities of information technologies 
that ever more sophisticated and persistent threat actors seek to 
leverage for political or monetary gain. Magnifying the security 
problems of growing vulnerabilities and already thinly stretched 
cybersecurity resources, the threat tempo is accelerating. This is due 
to a variety of factors including the continued advantage of offense 
over defense in cyber space, the added efficiencies associated with 
division of labor and specialization in the maturing economy for cyber 
crime, and the weak deterrent force of nascent policy responses that 
have yet to fully account for the diverse and transnational nature of 
cyber threats. The first step to addressing the policy problems created 
by these trends is to seek to understand the complexities of the cyber 
threat. In order to do so, we should conceive of it as a spectrum upon 
which the many and varied threat actors can be placed. Not all hacks 
and not all hackers are the same. To the contrary both intentions and 
capabilities vary widely:
    Nation-states.--At the high end of the spectrum are nation-states 
whose military and intelligence services are both determined and 
sophisticated in the cyber domain. Russia, China, Iran, and North Korea 
presently top the list; but it is important to understand that every 
country with a modern military and intelligence service now possesses 
computer network exploitation (CNE) and computer network attack (CNA) 
capability. Indeed the line between the ability to exploit and the 
ability to attack is reed-thin and turns simply upon the question of 
intent. Also keep in mind that cyber strategy and tactics must be 
understood in context--as part and parcel of other geopolitical tools 
and goals (military, political, economic)--not in isolation from them.
    Nation-states often use proxies to do their bidding. Countries do 
so for a range of reasons including to augment capabilities or to 
obfuscate the true source of the intrusion or attack thereby affording 
plausible deniability. Depending upon the reason(s) for which their 
services have been engaged, the proxy may be state-sponsored, state-
supported or state-sanctioned.
    In previous testimony before this committee I have discussed in 
detail the capabilities and intentions of the four leading threat 
actors.\1\ Building on that baseline, today I will highlight the latest 
developments regarding these countries. Note however that the most 
sophisticated threats that we face emanate from Russia and China which 
have both integrated CNA and CNE into their warfighting strategy and 
doctrine.
---------------------------------------------------------------------------
    \1\ See for example: Statement of Frank J. Cilluffo before the U.S. 
House of Representatives, Committee on Homeland Security, Subcommittee 
on Cybersecurity, Infrastructure Protection and Security Technologies, 
``Emerging Cyber Threats to the United States,'' February 25, 2016. 
https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/HHSC_Testimony_Feb%2025-2016_Final.pdf. 
Also see the resource document, 
Samantha F. Ravich and Annie Fixler, ``Framework and Terminology for 
Understanding Cyber-Enabled Economic Warfare,'' Foundation for Defense 
of Democracies, February 22, 2017. 
http://www.defenddemocracy.org/content/uploads/documents/22217_Cyber_Definitions.pdf.
---------------------------------------------------------------------------
    Russia.--Russia has a long history of cyber aggression against 
other nations; to wit: Estonia (2007), Georgia (2008), and Ukraine 
(2014-15, and continuing). Russian efforts persisted in 2016-17, with 
attempts to interfere in the U.S. election, and information operations 
targeting multiple countries in both eastern and western Europe--
including those with upcoming elections, such as France and Germany. 
Russia has been particularly adept at integrating cyber into its 
strategic plans and operations. In February 2017, Russia's Defense 
Minister acknowledged that the country had created a new military 
branch: ``information warfare troops.''\2\
---------------------------------------------------------------------------
    \2\ Vladimir Isachenkov, ``Russia Military Acknowledges New Branch: 
Info Warfare Troops,'' The Associated Press, February 22, 2017. 
http://www.bigstory.ap.org/article/8b7532462dd0495d9f756c9ae7d2ff3c/russian-military-continues-massive-upgrade.
---------------------------------------------------------------------------
    In the cases of Ukraine and Georgia, Russia combined cyber and 
kinetic operations; and in the case of Ukraine, Russia is believed to 
have perpetrated the first-ever electricity blackout caused by computer 
network attack. In recent years, Russia has demonstrated an increasing 
level of assertiveness in the cyber domain, showing--in the words of 
then-Director of National Intelligence James Clapper--a ``willingness 
to target critical infrastructure systems and conduct espionage 
operations even when detected.''\3\
---------------------------------------------------------------------------
    \3\ James R. Clapper, Director of National Intelligence, 
``Worldwide Threat Assessment of the U.S. Intelligence Community,'' 
Statement for the Record before the U.S. Senate, Armed Services 
Committee, February 9, 2016. 
http://www.dni.gov/files/documents/SASC_Unclassified_2016_ATA_SFR_FINAL.pdf.
---------------------------------------------------------------------------
    In 2009, the Wall Street Journal reported that cyber-spies from 
Russia (and China) had penetrated the U.S. electrical grid, leaving 
behind software programs, and trying to navigate the systems and their 
controls. What purpose could the mapping of U.S. critical 
infrastructure serve, other than intelligence preparation of the 
battlefield? The NASDAQ exchange too has allegedly been the target of a 
``complex hack'' by a nation-state; again one questions the motivation.
    In Russia, the forces of crime, business, and politics have long 
converged in a toxic blend; and there is evidence of complicity between 
the Russian government and cyber criminals and hackers. Over time, 
Russian hackers believed to be doing their government's bidding have 
breached the White House, the State Department, and the Defense 
Department.
    China.--China has demonstrated a remarkable level of persistence 
evidenced by the sheer number of acts of espionage that the country has 
committed. These aggressive collection efforts have amassed secrets 
(military--including plans for the F-35, commercial/proprietary, etc.) 
in order to propel China's economic growth, military power, and 
technological & scientific capacities--and thereby gain strategic 
advantage in relation to (actual and perceived) competitor countries 
and adversaries. In May 2015, data theft on a massive scale, affecting 
virtually all U.S. Government employees, was traced back to China. The 
extent to which the information gleaned from this hack of the U.S. 
Office of Personnel Management (OPM) may be used to blackmail and 
recruit Americans, to China's benefit, remains to be seen.
    In September 2015, China and the United States reached an agreement 
on refraining from conducting economic cyber espionage. Initially this 
agreement appeared to reduce the level of activity, although it may 
simply have pushed China's efforts in a different direction: Greater 
efforts directed at U.S. Government (rather than U.S. corporate) 
targets can be expected, moving forward; in addition, a notable spike 
in Chinese cyber activity in the region (China's ``neighborhood'') has 
been observed. Since the 2015 Obama-Xi agreement, moreover, China 
appears to have shifted from use of the People's Liberation Army (PLA) 
to relying more on its security and intelligence services for a greater 
role in hacking foreign companies. However military officers in China 
are increasingly known to moonlight as hackers for hire, when off the 
clock. While Russia has received an overwhelming amount of attention 
during the past year, this should not detract from the cyber activities 
and threat posed by other state actors.
    Iran.--Iran has invested heavily in recent years in order to deepen 
and expand its cyber warfare capabilities, although this capacity was 
initially directed internally to repress democratic forces in the 
country. This effort came in the wake of the Stuxnet worm, which 
targeted Iran's nuclear weapons development program. In recent years 
Iran has engaged in a concerted cyber campaign against U.S. banks. U.S. 
officials also believe Iran to be responsible for a cyber attack 
against the Sands Casino in Las Vegas owned by politically active 
billionaire Sheldon Adelson; the attack wiped clean many hard drives 
and sought to destroy corporate infrastructure. Hackers linked to the 
Iranian government have also used cyber means to compromise the control 
system of a dam north of New York City. Iran has long relied heavily on 
proxies such as Hezbollah--which now has a companion organization, 
Cyber Hezbollah--to strike at perceived adversaries. Iran and Hezbollah 
are believed to have perpetrated the cyber attacks against Saudi Aramco 
and Qatari RasGas, which compromised 30,000 computers. Elements of 
Iran's Revolutionary Guard Corps (IRGC) have also relied upon proxy 
forces including political/criminal hackers, to work on behalf of the 
regime.
    Iran is expected to hold a Presidential election in May 2017. 
Should a hard-line candidate prevail, there may well be a further 
uptick in the country's aggressive behavior in cyber space. U.S.-Iran 
relations moving forward are yet to be fully defined, given that there 
is also a new administration in the United States that has been in 
office for just 2 months. However the Joint Comprehensive Program of 
Action (JCPOA) regarding Iran's nuclear program looms large in the 
background. Depending upon U.S. actions and policy in this area--
including whether the administration retains the agreement and how it 
handles the matter of sanctions against Iran--the Iranian regime may 
decide to act out further in the cyber domain. Notably the JCPOA has 
resulted in substantial funds being placed in Iranian hands through 
sanctions relief. The regime will likely devote these funds to the 
further expansion of its cyber capabilities (offensive/defensive) and 
should either party move to annul the agreement, we can expect a 
significant increase in cyber activity against U.S. interests and 
assets.
    North Korea.--Many of the details about North Korea's cyber warfare 
capabilities are shrouded in secrecy (the same is true of their 
military capabilities writ large). What we do know is that, much like 
Iran, North Korea has invested heavily in building cyber capabilities. 
A recent report by the South Korean Defense Ministry estimates that the 
North Korean ``cyber army'' employs an elite squad of 6,000 hackers, 
many of whom operate abroad in northeast China and throughout South 
East Asia.\4\ And what North Korea lacks in capability it makes up for 
with intent (again, like Iran). North Korea has shown little restraint, 
engaging in computer network attack--disruptive and/or destructive 
attacks (rather than espionage).
---------------------------------------------------------------------------
    \4\ Martin Anderson, ``North Korea's Internet Tundra Breeds 
Specialised ``Cyber Forces'' Numbering 6,000,'' The Stack, January 7, 
2015. https://thestack.com/security/2015/01/07/north-koreas-internet-
tundra-breeds-specialised-cyber-forces-numbering-6000/.
---------------------------------------------------------------------------
    In recent months, there has been a major increase in North Korean 
cyber attacks (attempted and successful) targeting South Korean 
companies and government.\5\ Senior Japanese cybersecurity officials 
confirmed this in recent meetings, and expressed significant concern 
about both the increase in volume and aggressiveness of North Korean 
cyber activity. Outside the region, North Korea also operates without 
compunction, targeting U.S. companies; the most notorious case is their 
attack on Sony Pictures Entertainment. Recent news articles revealing 
alleged U.S. cyber activities aimed at stymieing North Korea's 
ballistic missile program will likely serve to increase the likelihood 
of additional North Korean cyber attacks.
---------------------------------------------------------------------------
    \5\ Charlie Campbell, ``The World Can Expect More Cybercrime from 
North Korea Now that China has Banned its Coal,'' Time, February 19, 
2017. http://time.com/4676204/north-korea-cyber-crime-hacking-china-
coal/.
---------------------------------------------------------------------------
    North Korea has long turned to illicit activity such as 
counterfeiting (of bills, pharmaceuticals, and cigarettes) to fill its 
coffers. More recently the country has turned to cyber crime and is the 
prime suspect in a string of bank heists. The latest round of U.N. 
economic sanctions aimed at North Korea, coupled with China's 
suspension of coal imports to the country, suggest we ought to be 
prepared for a spike in North Korean state-sponsored and/or state-
supported cyber crime.
    Criminal Enterprises.--After nation-states, criminal organizations 
are the next most capable threat actors. Increasingly, the capabilities 
that used to be the exclusive preserve of nation-states are now in the 
hands of criminal entities \6\--which outstrip the present abilities of 
foreign terrorist organizations (FTOs) in this particular regard. 
Criminal groups are motivated by profit rather than politics or 
ideology, yet their pursuit of monetary gain often has broader impacts 
on the integrity of the global economic system which in turn is closely 
linked to international security. Cyber space allows criminals to take 
their malicious activities to a global scale. Powerful organizations, 
like the recently dismantled Avalanche criminal network, can thus create 
cyber crime tools and infrastructure that can bring malicious actors 
together so that they may collectively pose a transnational threat to 
the operations of governments and private entities.\7\ The cross-border 
and interjurisdictional approach of Europol and its partners in the 
United States and elsewhere to take down the Avalanche group is a 
testament to the resources and coordination required to effectively 
address such threats.\8\ It is important to note that while cyber 
criminals are unlikely to ever have the ability to collect and use all-
source intelligence as governments can, the gap between the 
capabilities of sophisticated cyber criminals and nation-states is 
increasingly narrowing. Compounding this challenge is the fact that 
criminal groups are working ever-more either with or for nation-states 
such as Russia. The Yahoo hack (2014) that compromised 500 million 
user-accounts and led to the recent indictment of four individuals--two 
FSB (Russian domestic intelligence) officers and two cyber criminals--
is a case that demonstrates the willingness of states to utilize 
criminals for hire as proxies.\9\
---------------------------------------------------------------------------
    \6\ Doug Olenick, ``Cybercriminal's skills now on par with nation 
states: Mandiant,'' SC Magazine, March 14, 2017. https://
www.scmagazine.com/cybercriminals-skills-now-on-par-with-nation-states-
mandiant/article/644124/.
    \7\ Brian Krebs, ``Avalanche Global Fraud Ring Dismantled,'' Krebs 
on Security, December 16, 2016. https://krebsonsecurity.com/2016/12/
avalanche-global-fraud-ring-dismantled/.
    \8\ ``Avalanche Network Dismantled in International Cyber 
Operation,'' Europol, December 1, 2016. https://www.europol.europa.eu/
newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-
international-cyber-operation.
    \9\ Department of Justice, ``U.S. Charges Russian FSB Officers and 
Their Criminal Conspirators for Hacking Yahoo and Millions of Email 
Accounts,'' March 15, 2017. https://www.justice.gov/opa/pr/us-charges-
russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-
millions.
---------------------------------------------------------------------------
    This convergence of nation-state and criminal forces heightens the 
dangers posed by both; and also makes it difficult to discern just who 
is master and who is puppet. Traditionally it has been the forces of 
crime that seek to penetrate the state; yet in the case of North Korea 
for example, the opposite is true: The regime engages criminal proxies 
and their cyber prowess to help achieve the ends that will perpetuate 
the regime's survival. This tactic is easier than ever to pursue with 
the emergence of the market model of ``Crime-as-a-Service,''\10\ which 
facilitates cyber crime by making the tools and skills needed for it 
more readily accessible to a wider variety of actors. Compounding the 
challenge for law enforcement, nations such as Russia and China amount 
to virtual safe havens for cyber criminals since the United States 
lacks extradition treaties with these countries.
---------------------------------------------------------------------------
    \10\ EUROPOL, European Union, Serious and Organised Crime Threat 
Assessment, 2017: Crime in the age of technology. https://
www.europol.europa.eu/activities-services/main-reports/european-union-
serious-and-organised-crime-threat-assessment-2017.
---------------------------------------------------------------------------
    Foreign Terrorist Organizations.--For Foreign Terrorist 
Organizations (FTOs) there is no shortage of motivation or intent but 
fortunately, FTOs have yet to fully develop a sustained cyber-attack 
capability. While this is reassuring to a certain extent, it does not 
mean that such actors pose no threat in the cyber domain. Even outside 
of the cyber context, the most pressing threats from terrorist 
organizations stem from their ability to execute asymmetric, ``no-
warning'' attacks, that do not rise to the level of impact associated 
with persistent state-to-state competition or conflict. Nevertheless, 
such operations can endanger the lives of civilians and interfere with 
the integrity of critical infrastructure. Therefore, while FTOs are not 
likely to pose a catastrophic risk to the homeland or America's economy 
in the near future, it would be imprudent to ignore the efforts of 
these actors to utilize the internet to their advantage and acquire 
cyber capabilities that they can then integrate with kinetic force to 
execute the equivalent of a cyber drive-by shooting.
    Those FTOs that are currently most concerning from a cyber threat 
standpoint are entities that benefit from state support or sponsorship 
and those affiliated with the Islamic State in Iraq and Syria. The 
Western world has already seen the troublesome effects of ISIS' use of 
the internet to spread propaganda and radicalize vulnerable 
populations, but their efforts do not stop there. Members of ISIS have 
repeatedly utilized a tactic known as ``doxing'' to target U.S. 
military and law enforcement personnel through the strategic release of 
their stolen personal information and social media intelligence 
collection. Also of note, a group known as the United Cyber Caliphate 
(UCC), which increasingly appears to be functioning as a cyber arm of 
ISIS, has touted its accomplishments in the realms of hacking and DDoS 
attacks, and has announced plans to launch a cyber attack against the 
United States in the near future. America's efforts to target high-
value leaders of ISIS, including its most prolific cyber aggressors 
Junaid Hussain and the UCC's Osed Agha, have demonstrated their 
capacity to successfully set back ISIS' cyber capabilities. Such groups 
deserve the continued attention of security officials, especially in 
cases where they can leverage associations with other malicious actors 
to augment their cyber capabilities.
    Hacktivists.--Whether acting alone or loosely in tandem, 
hacktivists may possess considerable skill and cause significant 
disruption when they perceive their core interests to be at stake. 
Oftentimes, hacking collectives such as Anonymous can leverage their 
sheer numbers to overwhelm servers and shut down websites or exploit 
vulnerabilities to bring attention to their cause of the day. While 
these movements lack the type of centralized command-and-control 
infrastructures that would make their influence more troubling, their 
sometimes populist appeal and dispersed manpower allow them to operate 
in unique ways that undermine American security interests.
    While hacktivists, including malicious insiders, vary in degree of 
sophistication and tend to be leaderless, their ability to spread 
discord on-line can augment existing digital vulnerabilities and 
reinforce the efforts of other malicious cyber actors. Therefore, they 
should not be discounted when assessing the wider cyber threat 
spectrum. Even in the case of unsophisticated hacktivists, who may not 
possess extensive ``in-house'' cyber expertise, we must consider the 
increasing ease with which such malicious actors can simply buy or rent 
the requisite tools or services on the Deep Web and Darknet(s). Only a 
small percentage of the material available on the internet is indexed 
and accessible from standard search engines. Beneath the surface web 
that we all see is the unindexed Deep Web and its subcomponent, the 
Darknet, which can only be accessed through password protected sites or 
when using specific software such as TOR or I2P.\11\ It is in such 
realms of the internet that malicious actors--including FTOs--buy and 
sell hacking tools and expertise and fence stolen information. As the 
ability to trade in malicious cyber expertise becomes more prevalent, 
it is in fact necessary to consider the impacts of this trend in all 
threat assessments, agnostic to the specific actor in question.
---------------------------------------------------------------------------
    \11\ ``Illuminating the Deep and Dark Web: The Next Frontier in 
Comprehensive IT Security,'' Flashpoint Intel, 2015. https://
www.flashpoint-intel.com/book/illuminating-deep-dark-web.
---------------------------------------------------------------------------
     cyber domain: characteristics, evolution, and vulnerabilities
    In the cyber domain, the advantage lies with the attacker. At the 
same time, the surface of attack has expanded exponentially with the 
advent of the Internet of Things. However, the dynamism of this 
environment should not be underestimated and we must recognize that the 
capabilities of both attackers and defenders in cyber space are 
continually changing. Looking ahead, U.S. officials warn that simple 
theft or disruption of data may give way to data manipulation.\12\
---------------------------------------------------------------------------
    \12\ Spencer Ackerman, ``Newest cyber threat will be data 
manipulation, US intelligence chief says,'' The Guardian, September 10, 
2015. https://www.theguardian.com/technology/2015/sep/10/cyber-threat-
data-manipulation-us-intelligence-chief.
---------------------------------------------------------------------------
    Increasingly, threat actors are setting their sights on America's 
critical infrastructure which cuts across the public and private 
sectors. While the United States approach of designating 16 sectors 
critical is sound, not all of these sectors are equally critical. What 
are known as the ``lifeline'' sectors--in particular, the energy and 
electric sectors, water, telecommunications, transportation, and 
financial services--have an even greater impact on public safety and 
security than the others.
    The potential for cascading effects if any of these were rendered 
inoperative or dysfunctional, especially for a significant length of 
time, further magnifies their importance. From the standpoint of 
prevention and response, it is these areas that should be treated as 
top priority (while bearing in mind the adage that if everything is a 
priority then nothing truly is). Section 9 of Executive Order 13636 on 
Improving Critical Infrastructure Cybersecurity provides the framework 
for a ``risk-based approach'' of this type.\13\
---------------------------------------------------------------------------
    \13\ February 12, 2013. https://www.gpo.gov/fdsys/pkg/FR-2013-02-
19/pdf/2013-03915.pdf.
---------------------------------------------------------------------------
    Examples of cyber incidents and intrusions are regrettably 
plentiful, but a few cases merit mention here in order to bring into 
sharper relief some of the concepts referenced above:
    SWIFT Hacks.--The first case that rises above the noise and 
warrants attention is the theft of $81 million from the Central Bank of 
Bangladesh in February 2016 and similar yet less successful attempts at 
other major banks in the developing world. In the case of Bangladesh 
Bank, it would have been a $950 million heist had the request not set 
off alarms due to a coincidental similarity between the address of a 
bank in which hackers sought to deposit their stolen funds and the name 
of a corporation sanctioned by the U.S. Government.\14\ Although $81 
million is a significant sum, the loss of which doubtlessly had 
significant, negative impacts on the bank and its clients, the global 
economy can absorb relatively minor losses such as this one. From the 
perspective of security officials, the real worry is how hackers 
perpetrated this crime and the systemic vulnerabilities in the global 
financial order that such a cyber heist publicly highlighted. The 
hackers stole the credentials of target banks to gain access to SWIFT, 
the interbank messaging system that connects 11,000 banks and financial 
institutions globally and settles billions of dollars of transactions 
daily. From there, hackers were able to place illegitimate requests for 
transfers of funds that most banks fulfill automatically.\15\
---------------------------------------------------------------------------
    \14\ Krishna Das and Jonathan Spicer, ``How the New York Fed 
Fumbled of the Bangladesh Bank Cyber-Heist,'' Reuters, July 21, 2016. 
http://www.reuters.com/investigates/special-report/cyber-heist-Federal/

    \15\ Devlin Barrett and Katy Burne, ``Now It's Three: Ecuador Bank 
Hacked via Swift,'' The Wall Street Journal, May 19, 2016. https://
www.wsj.com/articles/lawsuit-claims-another-global-banking-hack-
1463695820.
---------------------------------------------------------------------------
    These attacks exposed a potential single-point-of-failure in a 
system that modern economies depend upon every day. We still do not 
know the full extent to which hackers have compromised SWIFT's member-
banks, but SWIFT recently disclosed that its members have suffered a 
number of other hacking incidents through its messaging infrastructure 
in the last year, in which about one in five resulted in stolen 
funds.\16\
---------------------------------------------------------------------------
    \16\ Tom Bergen and Jim Finkle, ``Exclusive: SWIFT Confirms New 
Cyber Thefts, Hacking Tactics,'' Reuters, December 12, 2016. http://
www.reuters.com/article/us-usa-cyber-swift-exclusive-idUSKBN1412NT.
---------------------------------------------------------------------------
    The Carbanak Gang.--In 2013, the so-called Carbanak gang 
perpetrated a series of well-orchestrated assaults on eastern European 
and Russian banks. Named after the malware used, the Carbanak gang 
compromised internal bank systems and sent commands directly to ATMs (a 
scheme known as ``ATM jackpotting'') throughout eastern Europe, causing 
the machines to dispense cash. More than 100 banks spanning 11 
countries were hit--with losses of hundreds of millions of dollars--
highlighting just how much damage cyber-criminals can do.\17\ The 
activities of the Carbanak gang continue unabated with new techniques 
at their disposal and new targets in their crosshairs.
---------------------------------------------------------------------------
    \17\ David E. Sanger and Nicole Perlroth, ``Bank Hackers Steal 
Millions via Malware,'' The New York Times, February 14, 2015. https://
www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-
malware.html?partner=socialflow&smid=tw-nytimes&_r=2; Brian Krebs, 
``Carbanak Gang Tied to Russian Security Firm?'' Krebs on Security, 
July 18, 2016. https://krebsonsecurity.com/2016/07/carbanak-gang-tied-
to-russian-security-firm/.
---------------------------------------------------------------------------
    Energy Grid Attacks.--On December 24, 2015, western Ukraine 
experienced a power outage that is believed to have been caused by a 
cyber attack perpetrated by Russia. Though just one power company 
reported the incident, ``similar malware was found in the networks of 
at least two other utilities.''\18\ More than 4 dozen substations were 
affected, as were more than a quarter of a million customers for up to 
6 hours. In addition, a simultaneous attack on call centers (a 
telephony denial-of-service attack) hindered communication and customer 
reporting of difficulties. The case is truly significant: It is 
believed to represent the first time that a blackout was caused by 
computer network attack. But it would not be the last: Again, in 
December 2016, Ukraine witnessed a cyber attack on their power grid, 
leaving part of Kiev without power. Once more, all the evidence points 
to Russia (or its proxies) as perpetrator. These incidents represent a 
crossing of the Rubicon: A cyber attack creating real-world, physical 
implications. The attacks thus sent a message that was loud and clear.
---------------------------------------------------------------------------
    \18\ Reuters, ``Experts: Ukraine Utility Cyberattack Wider than 
Reported,'' Voice of America, January 5, 2016. http://www.voanews.com/
a/reu-experts-ukraine-utility-cyberattack-wider-than-reported/
3131554.html.
---------------------------------------------------------------------------
    Mirai Botnet.--Botnets, or networks of internet-connected devices 
that unbeknownst to their legitimate users can be centrally controlled 
to perpetrate malicious cyber activities on a grand scale, have been 
around for a long time. However, this past fall, the Mirai botnet 
demonstrated how the concept of distributed computing power and 
centralized command-and-control can leverage the rampant insecurity 
associated with the expanding Internet of Things environment. Malicious 
actors used the botnet, which was primarily made up of vulnerable 
webcams and internet routers, to execute the most powerful DDoS attack 
in history against the computer security blogger Brian Krebs.\19\ More 
alarmingly, the Mirai botnet later used a DDoS attack to target Dyn, 
which supports much of the internet's infrastructure, and successfully 
interrupted the services of Spotify, Twitter, and PayPal for millions 
of users.\20\ The cases of the Mirai botnet's DDoS attacks are 
significant because they are just the beginning of what security 
officials can expect from malicious actors seeking to leverage the 
digital vulnerabilities of IoT devices and the wide-spread ignorance or 
apathy of IoT producers and consumers to these security concerns. 
Society must begin to consider security over convenience and necessity 
over luxury when connecting devices, even those that seem relatively 
innocuous, to the internet. Otherwise, malicious actors will continue 
to benefit from the bountiful harvest of vulnerable devices ready to be 
recruited for criminal and other malicious purposes. Currently, 
estimates show that around tens of billions of devices will be 
connected to the internet by 2020, an exponential growth in 
connectivity that runs parallel to a growth in the digital attack 
surface.\21\
---------------------------------------------------------------------------
    \19\ Lily Hay Newman, ``The Botnet that Broke the Internet Isn't 
Going Away,'' Wired, December 9, 2016. https://www.wired.com/2016/12/
botnet-broke-internet-isnt-going-away/.
    \20\ Brian Krebs, ``Did the Mirai Botnet Really take Liberia 
Offline?'' Krebs on Security, November 4, 2016. https://
krebsonsecurity.com/tag/mirai-botnet/.
    \21\ BI Intelligence, ``Here's How the Internet of Things Will 
Explode by 2020,'' Business Insider, August 31, 2016. http://
www.businessinsider.com/iot-ecosystem-internet-of-things-forecasts-and-
business-opportunities-2016-2.
---------------------------------------------------------------------------
                             u.s. response
    The many and varied cyber threats that the United States faces 
require a multidimensional response. While the United States should 
continue to invest in its offensive cyber capabilities to, as best as 
possible, ensure its superiority and escalatory dominance, a powerful 
defensive component is essential to America's cybersecurity and 
underlies all the rest. Resources and funding should therefore be 
balanced between offensive and defensive capacity building. A clearly 
articulated deterrence strategy is also needed, but remains in its 
infancy--although the recent Defense Science Board report on the 
subject is a solid step in the right direction.\22\ An effective cyber 
deterrence strategy should utilize various levers of state power to 
affect the cost-benefit analysis of malicious actors by denying them 
benefits by demonstrating America's capability and willingness to 
impose costs on such malicious actors. Cyber deterrence requires more 
than military underpinnings and the same is true of U.S. cyber response 
more generally. Public-private partnerships are instrumental to 
cybersecurity; and the public sector component of that equation 
includes not only Federal entities but also their State and local 
counterparts. Whether partnering with companies or State and Local 
officials, the Department of Homeland Security (DHS) plays an important 
and meaningful role in terms of enabling U.S. responses to cyber 
threats, distinct from the Department of Defense mandate in this area.
---------------------------------------------------------------------------
    \22\ Department of Defense, Task Force on Cyber Deterrence, 
February 2017. http://www.acq.osd.mil/dsb/reports/2010's/DSB-
CyberDeterrenceReport_02-28-17_Final.pdf.
---------------------------------------------------------------------------
    Cybersecurity requires both a whole-of-Government and whole-of-
society approach. Government alone cannot get us to where we need to 
be. Industry and even individuals must each do their part; and industry 
sectors must collaborate within bounds (with competitor companies) as 
well as across bounds (with other sectors and with government at all 
levels). Developments such as the expansion of the Internet of Things 
serve to reinforce these imperatives.
    Private-sector initiatives of the type needed are already under 
way. The financial services sector in particular is leading the way 
with its Information Sharing and Analysis Center (FS-ISAC), a global 
industry forum for cyber (and physical) threat intelligence analysis 
and sharing; and with the Financial Systemic Analysis and Resilience 
Center (FSARC), intended to deepen threat analysis and mitigate 
systemic risk.\23\ To lead and respond effectively however, companies 
require the tools to do so--which is why the FSARC works together with 
Government partners including DHS, whose expertise complements that of 
industry members.
---------------------------------------------------------------------------
    \23\ Michael Chertoff and Frank Cilluffo, ``Trump Administration 
Can Help Finance Sector Shift Cybersecurity Paradigm,'' Forbes, January 
18, 2017. https://www.forbes.com/sites/realspin/2017/01/18/trump-
administration-can-help-finance-sector-shift-cybersecurity-paradigm/
#72d07- df0645d.
---------------------------------------------------------------------------
    More broadly, the private sector as a whole must be empowered to 
respond proactively and robustly in the face of cyber threats. 
Businesses never expected to find themselves on the front lines of 
cyber battle, facing sophisticated adversaries with nation-state 
capabilities. In such circumstances, companies must take steps (ahead 
of time or in real-time) to protect their data and networks, 
particularly their crown jewels. In turn, Government has a 
responsibility to clarify the parameters of acceptable corporate action 
so that businesses fully understand what they can and cannot do in this 
regard. For those areas deemed outside corporate jurisdiction, 
Government has a responsibility to step in and support/protect the 
targeted entities and assets. Regrettably the discussion surrounding 
these issues has been less than nuanced to date; yet there is much that 
can be done in terms of active defense, apart from the two poles of 
doing nothing at all or ``hacking back.''\24\ Public and private-sector 
actors should work to jointly develop the private sector's capacity and 
authorities to utilize active defenses, capabilities that when 
developed and marshalled responsibly, can begin to flip the equation 
and give cyber defenders a fighting chance.
---------------------------------------------------------------------------
    \24\ For details, see ``Into the Gray Zone: The Private Sector and 
Active Defense Against Cyber Threats,'' CCHS Project Report, October 
2016. https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-
ActiveDefenseReportFINAL.pdf.
---------------------------------------------------------------------------
    The operating principles set out above (e.g., the need for a whole-
of-Government approach and public-private partnerships) are equally 
important at the international level. Alliances between the U.S. 
Department of Defense and other nation-states' military services--such 
as NATO--are one crucial component of a solid response posture vis-a-
vis the cyber domain; but so too are non-military alliances between the 
United States and foreign governments and companies. While the Five 
Eyes alliance has served us well over time and will continue to play an 
integral role in our National security, it may be that a new and 
broader grouping is needed in order to tackle cyber threats more 
effectively. A transnational threat requires a transnational solution 
and it may be constructive to bring together like-minded states with 
substantial cyber assets in a new international forum with a mandate of 
responding to international cyber threats.
    Returning to DHS, from the standpoint of structure and 
legislation--and in particular how best to organize the bureaucracy for 
cybersecurity and infrastructure protection purposes--what matters most 
at the end of the day is the effective execution of the mission. It is 
important to emphasize that while the Department of Defense's role in 
defending the Nation against foreign cyber threats is significant, 
supporting its initiatives should not come at the cost of neglecting 
the equally important role that DHS plays in protecting critical 
infrastructure and civilian government networks. In this context, there 
have been a number of efforts to legislatively address issues related 
to DHS resourcing and organization. As this committee works to continue 
these efforts--including progress on its own legislation--the following 
principles (which are largely consistent with the committee's proposed 
legislation) should be taken into account: The relevant entities and 
officials within DHS must possess the necessary authorities and 
resources to fulfill their cybersecurity missions; and they must be 
held accountable for their actions through clear lines of 
responsibility and the application of metrics and measurable goals. 
Furthermore, as challenges related to the recruitment and retention of 
necessary cyber talent persist, DHS should also be able to utilize 
streamlined and flexible hiring authorities to fill cyber positions 
with qualified individuals in a timely manner. These principles matter 
more than the wiring diagram per se, if we can agree that 
implementation is paramount.
    Thank you again for the opportunity to testify on such a crucial 
challenge to America's economic and National security. I look forward 
to answering any questions you may have.

    Chairman McCaul. Thanks, Frank.
    Chair recognizes Mr. McConnell.

   STATEMENT OF BRUCE W. McCONNELL, GLOBAL VICE PRESIDENT, 
                       EASTWEST INSTITUTE

    Mr. McConnell. Morning, Chairman McCaul, Ranking Member 
Thompson, and distinguished Members of the committee. Thank you 
for inviting me.
    I am Bruce McConnell, from the EastWest Institute, an 
independent, nonpartisan nonprofit that works with all major 
governments and the private sector to reduce security 
conflicts. Before EastWest I served 4 years at DHS, departing 
in 2013, as the acting deputy under secretary of cybersecurity. 
I also served at the OMB under Presidents Reagan, George H.W. 
Bush, and Clinton.
    Let me tell you what keeps me awake at night, what got me 
out of bed this morning to come see you. Last week I hosted a 
meeting near my home in Oakland, California. Two hundred 
government officials, industry geeks, professors, and activists 
from 35 countries spent 3 days developing answers to Apple 
versus FBI, how to make smart cities into safe cities, 
improving capacity in cyber insurance, and, most important, 
developing rules of behavior for governments and companies in 
cyber space.
    Have you ever seen your children or grandchildren swipe 
away the 25 smartphone apps they have open? Each of these apps 
enlivens some aspect of their lives--of our lives. We are 
grateful for this technology, and it makes--we are dependent on 
it.
    What is worrisome is that every one of those apps is an 
open door to well-funded, persistent, state-sponsored attackers 
to intrude on our business or deny us the benefits of cyber 
space. When I think about this for myself it makes me mad. 
However, when I multiply that by the 2 billion people and 
millions of companies that are on the network today, I foresee 
a--and the billions of young people who are coming on the 
years--in the years ahead--I foresee a global economic and 
political catastrophe unless we get those attackers under 
control.
    Today's situation reminds me of the Gold Rush out in 
California 160 years ago. Some people made a lot of money and 
it developed one of the great States of our union. It also took 
us 30 years to establish law and order out there.
    Mr. Chairman, we don't have 30 years to establish law and 
order in cyber space. Military and intelligence agencies all 
over the world are equipped with the latest computers, 
communications, and cyber weaponry. These are good weapons. 
They are cost-effective, they are generally non-lethal, and 
they let us project force remotely and often stealthily.
    But there are two problems.
    First, there is a runaway cyber arms race led by the United 
States, Russia, China, Iran, Israel, some European countries, 
and North Korea. Over 30 countries have formed cyber offense 
units. There is no deterrence, no incentive not to do so.
    There is also an information war going on between East and 
West. It involves the cyber burglary and publication of stolen 
information, like during the U.S. elections. This is part of a 
larger, damaging degradation of the information space by the 
dissemination of fake news, political trolling, social media 
bots, and the weaponization of intelligence.
    We know that the Russians and their surrogates are not the 
only attackers. There is always China, and earlier this month 
we learned about Western actions taken against North Korean 
missile systems and a variety of CIA practices.
    Even with the best motivations, these continuing, 
ungoverned state-on-state skirmishes in cyber space undermine 
terrestrial security and stability. There is a growing risk of 
miscalculation and escalation that could spill over into direct 
physical harm to the United States and its citizens.
    If the credibility of cyber space is further degraded it 
will be useless as a medium for commerce and governance. People 
are already leaving e-commerce because they are afraid they 
will be victimized.
    So what should the U.S. Government do to respond? 
Fortunately, we have the answer to that question. In brief, we 
need cyber deterrence governed by rules, and we need cyber 
defense governed by roles.
    Over the past two administrations the Executive branch 
worked on a bipartisan basis with this committee and with the 
rest of Congress to establish clear roles for cyber space 
security. The resulting laws and directives cemented the 
primary role of the Department of Homeland Security in 
protecting the Nation's critical cyber infrastructure, and in 
doing so they reflected two important values.
    First, cyber space is fundamentally a civilian space. The 
military and the NSA in particular must protect our most 
valuable military and intelligence assets, but the military 
must keep out of our civilian infrastructure. It is a long 
National tradition, and they have their hands full already.
    Second, securing cyber space is a team effort. Agencies 
must work with each other and with the private sector in a 
seamless manner.
    In sum, the Government needs to buckle down, work with the 
private sector and with other governments, and get it done. It 
would be really great if you, on behalf of our kids and all the 
kids, could hold the Federal agencies accountable for what you 
have already told them to do.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. McConnell follows:]
                Prepared statement of Bruce W. McConnell
                             March 22, 2017
    I am Bruce W. McConnell, global vice president of the EastWest 
Institute, a 36-year-old, independent, non-partisan, non-profit 
organization dedicated to preventing and reducing security conflicts 
among nations on the ground and in cyber space. EWI works closely with 
senior Government and private-sector officials in all the major powers 
around the world to establish and support trustworthy dialog about some 
of the most difficult security issues facing the planet.
    Before joining EWI I served for 4 years at the U.S. Department of 
Homeland Security (DHS), departing in 2013 as the acting deputy under 
secretary for cybersecurity. I also served at the U.S. Office of 
Management and Budget under Presidents Ronald Reagan, George H.W. Bush, 
and William Clinton, with responsibility for information technology 
policy and security.
    This statement covers two topics: An assessment of the current 
state of conflict in cyber space, and my views on how the U.S. 
Government should address those conflicts.
                   how unstable is cyber space today?
    Nearly 4 years ago U.S. national security advisor Susan Rice 
observed that the world's ``most vexing security challenges are 
transnational security threats that transcend borders: Climate change, 
piracy, infectious disease, transnational crime, cyber theft, and the 
modern-day slavery of human trafficking.'' Today, one would add 
migration, violent extremism, and the safety of fissile nuclear 
materials to that list.
    These issues share at least two characteristics: First they are 
accentuated in their severity by modern technology. The bad guys, both 
state and non-state actors, are well-equipped with the latest 
computers, communications equipment, and weaponry, and their ability to 
use these tools is enhanced by their access to global networks.
    Second, no international regimes or institutions have these 
transborder issues well in hand. Rather, global bodies like the World 
Health Organization or the International Telecommunication Union are 
generally struggling to remain relevant. The post-war structures that 
have kept peace for 70 years face a crisis of legitimacy as rising 
powers that were not present at Bretton Woods scorn the old order and 
create their own institutions and power centers.
    Today we are focusing on security and cyber space. Cyber-enabled 
attacks in the lead-up to the U.S. Presidential election roiled 
relationships in Washington and globally. The term cyber-enabled 
emphasizes a new characteristic of cyber space--it's no longer its own 
thing. It's part of everything. There is very little actual ``cyber 
crime.'' Instead, we see a plethora of ordinary crimes and attacks: 
Theft, fraud, trespassing, and destruction of property that use cyber 
means.
    From a geopolitical standpoint, this cyber-enablement has produced 
a runaway cyber arms race, led by the United States, Russia, China, 
Iran, Israel, and some European countries, with many others, including 
the Democratic People's Republic of Korea (DPRK), following close 
behind. Over 30 countries have formed cyber offense units. Non-state 
actors such as organized criminal gangs and the Islamic State are also 
players.
    The U.S. Democratic National Committee hacks and related incidents 
consist of burglary and publication of the fruits on Wikileaks. From a 
legal standpoint, while it is against U.S. law to enter a computer 
without authorization, these incidents may fall more into the shadow 
zone of espionage. As for the publication, the U.S. Supreme Court has 
generally protected media publication of accurate, stolen materials of 
public interest obtained by a third party.
    What's new for Americans is the possibility that there is an 
``information war'' between East and West. Indeed, some states do not 
use the term cybersecurity, preferring the broader term ``information 
security.'' The events around the U.S. election evoked a spirited 
conversation last month at the Munich Security Conference around fake 
news, political trolling, social media bots, and the weaponization of 
intelligence.\1\
---------------------------------------------------------------------------
    \1\ U.S. Homeland Security Secretary John Kelly was on hand in 
Munich to remind European participants that DHS had reaffirmed the 
previous administration's designation of election systems as critical 
infrastructure and that the Department continued its work with state 
election officials to help them secure their systems on a voluntary 
basis.
---------------------------------------------------------------------------
    On the other hand, earlier this month, we also saw additional 
evidence regarding Western actions against North Korean missile systems 
and the CIA's capabilities. Even assuming the most benign motivations 
by all parties, these continuing, ungoverned state-on-state skirmishes 
in cyber space increasingly undermine terrestrial security and 
stability.
    In contrast to cyber space, other international domains are 
governed by norms of behavior and international law. In the airspace it 
is illegal to shoot down a commercial aircraft. But in cyber space, the 
way in which international law applies is still being debated.
    In commercial aviation we have organizations like the private 
sector International Air Transport Association and the governmental 
International Commercial Aviation Organization that partner to maintain 
safety and security on a global basis. There are no comparable 
institutions for cyber space.
    Everyone in this room is painfully familiar with the provisions 
that keep that network secure: Identity proofing of everyone who gets 
close to a passenger plane, licensing of pilots, filing of flight 
plans, certification of aircraft, etc. We have none of these things in 
cyber space. Yet the financial value of the commercial transactions 
conducted over the internet (and here I'm not even counting SWIFT and 
other special purpose networks) is actually 100 times greater on an 
annual basis than the value of goods transported in the air cargo 
system.
    Progress is modest. A group of governmental cyber experts has 
worked at the United Nations for over 10 years to come up with an 
initial set of non-binding norms of behavior in cyber space.
    These include:
   Not allowing the use of information and communications 
        technology, or ICT, to intentionally damage another country's 
        critical infrastructure.
   Not allowing international cyber attacks to emanate from 
        their territory.
   Responding to requests for assistance from another country 
        that has been attacked by computers in the first country.
   Preventing the proliferation of malicious tools and 
        techniques and the use of harmful hidden functions.
   Encouraging responsible reporting of ICT vulnerabilities and 
        sharing associated information.
   Not harming the information systems of the authorized 
        cybersecurity incident response teams.
    In February 2017, the government of the Netherlands, with the 
support of Microsoft, the Internet Society, the EastWest Institute, and 
the Hague Centre for Strategic Studies, launched the Global Commission 
on the Stability of Cyberspace. The GCSC is chaired by Marina 
Kaljurand, former Estonian foreign minister, and co-chaired by Michael 
Chertoff, former U.S. Secretary of Homeland Security and Latha Reddy, 
India's former deputy National security adviser. This multi-stakeholder 
commission will build on and extend existing efforts to develop and 
advocate for norms and policies to enhance international security and 
stability and guide responsible state and non-state behavior in cyber 
space.
    On the private-sector side, global ICT companies are beginning to 
step up to the responsibility that comes with their great power in 
cyber space. For example, Microsoft recently issued a set of norms of 
industry behavior that global ICT companies should follow in their 
business practices.
    Examples of the kinds of norms that companies are considering 
include:
   Creating more secure products and services.
   Not enabling states to weaken the security of commercial, 
        mass-market ICT products and services.
   Practicing responsible vulnerability disclosure.
   Collaborating to defend their customers against and recover 
        from serious cyber attacks.
   Issuing updates to protect their customers no matter where 
        the customer is located.
    Clearly, the industry is at an immature stage. Its rapid growth in 
importance has outstripped systems of governance, including the first 
line of defense--the market. As a general matter, until very recently 
customers demanded two things from the firms that supply ICTs--price 
and features. The market has responded, giving us all manner of 
convenience and efficiency, in business and in our private lives. 
Finally, however, buyers are starting to recognize the criticality of 
ICT to their daily activities, and thus they demand, and may be willing 
to pay for, security.
    Yet there is a gap between what they need and what they are able to 
command. To address this gap, we recently published a ``Buyers Guide 
for Secure ICT.''\2\ This guide recommends questions that buyers can 
ask ICT suppliers to help them evaluate the security of the products 
and services that these suppliers deliver.
---------------------------------------------------------------------------
    \2\ ``Purchasing Secure ICT Products and Services: A Buyers 
Guide,'' EastWest Institute, September 2016, https://www.eastwest.ngo/
sites/default/files/EWI_BuyersGuide.pdf.
---------------------------------------------------------------------------
    Despite best efforts, the reality of today's dynamic technological 
environment--with product cycles of 18 months or less--continues to 
challenge policy development. Two developments are dramatically 
altering the security picture.
    First, we are moving to the cloud. We store our information there 
on virtual machines operated by major providers like Amazon Web 
Services. While AWS and Microsoft's Azure provide much stronger 
cybersecurity and resilience than any single enterprise can field, they 
also create systemic risk, with large potential consequences from 
technology failures or attacks.
    A second emerging source of risk is the Internet of Everything 
(IoE). In a few years there will be ten times as many devices--Fitbits, 
heart monitors, automobiles, thermostats, machine tools, and 
floodgates--connected to the internet as today's smartphones and 
computers. These devices, when combined with 3-D printing, promise to 
disruptively transform manufacturing and transportation. They will also 
create a ubiquitous, global sensor network that will be communicating 
what is going on everywhere. And these sensors are shockingly 
insecure--built with easy to guess passwords, transmitting their data 
unencrypted, and being essentially un-patchable.
    The conventional wisdom is that the IoE represents a massive 
increase in the attack surface. But at EWI, we are exploring two 
questions. First, why do we assume the bad guys will own the sensor 
network? Why not have the good guys own it and use the knowledge of 
what is happening on the internet to increase security--for example, by 
isolating problems and fixing them before they can spread? Second, we 
ask, how will the IoE shift the balance between endpoint and network 
security, and what are the societal implications of that shift?
    One that is gaining currency in the United States is the 
Cybersecurity Framework created by the National Institute of Standards 
and Technology, or NIST, which is part of the U.S. Department of 
Commerce. The framework lays out the basics of a cybersecurity program 
that all firms should manage to. It also lays the foundation for future 
cyber insurance underwriting standards.
    For at least a decade, there has been a lot of hype that we will 
all be left freezing in the dark, as was the case before the turn of 
the 21st Century with the so-called millennium or Y2K bug. These 
scenarios have not materialized, and in fact it is actually quite 
difficult to create broad systemic damage today. But the capability to 
attempt catastrophic attacks is increasing, and the generally 
deteriorating international security situation does not help.
    In sum, it is a dynamic risk environment, augmented by our 
electronic connectedness and interdependence. We must continually adapt 
risk management to rapidly changing technology. Agility rules.
 how should the u.s. government move forward to meet these challenges?
    Over the past 8 years, the previous administration working closely 
with this committee and the rest of Congress, tested, revised, and 
eventually established a clear set of roles and responsibilities for 
cybersecurity among the relevant Federal agencies. One can trace the 
progress of these efforts that took place on a bipartisan basis across 
administrations and Congresses, including:
   Homeland Security Presidential Directive 23/National 
        Security Presidential Directive 54, ``Cybersecurity Policy,'' 
        January 8, 2008.\3\
---------------------------------------------------------------------------
    \3\ See, https://fas.org/irp/offdocs/nspd/nspd-54.pdf.
---------------------------------------------------------------------------
   The Comprehensive National Cybersecurity Initiative, May 
        2009.\4\
---------------------------------------------------------------------------
    \4\ Currently archived after partial declassification in 2011 at: 
https://obamawhitehouse.archives.gov/node/233086.
---------------------------------------------------------------------------
   The March 2013 ``Bubble Chart'' (See Attachment A).
   Six statutes enacted in 2014 and 2015----
     National Cybersecurity Protection Act of 2014 (S. 2519), 
            which codifies DHS's cybersecurity center.
     Cybersecurity Enhancement Act of 2014 (S. 1353), which 
            codifies the National Institute of Standards and 
            Technology's (NIST's) role in cybersecurity.
     Cybersecurity Workforce Assessment Act (H.R. 2952), which 
            requires the DHS to develop a cyber-workforce strategy.
     Border Patrol Agent Pay Reform Act of 2014 (S. 1691), 
            which gives DHS new authorities for cybersecurity hiring.
     Federal Information Security Modernization Act of 2014 (S. 
            2521), which reforms Federal IT security management.
     Cybersecurity Act of 2015 (within H.R. 2029), December 15, 
            2015, which enhances protections for information sharing 
            and further strengthen's DHS viila [sic] coordination role.
   Presidential Policy Directive 41, ``U.S. Cyber Incident 
        Coordination.''\5\
---------------------------------------------------------------------------
    \5\ See, ``Presidential Policy Directive--United States Cyber 
Incident Coordination,'' July 26, 2016, https://
obamawhitehouse.archives.gov/the-press-office/2016/07/26/Presidential-
policy-directive-united-states-cyber-incident.
---------------------------------------------------------------------------
    These documents firmly cement the primary role of the Department of 
Homeland Security in securing the Nation's critical cyber 
infrastructure. In doing so, these documents are broadly consistent 
with each other and reflect two important assumptions:
   First, cyber space is fundamentally a civilian space. As 
        former Deputy Secretary of Homeland Security Jane Holl Lute and 
        I wrote in Wired in 2011, cyber space is ``a neighborhood, a 
        library, a marketplace, a school yard, a workshop--and a new, 
        exciting age in human experience, exploration, and development. 
        Portions of it are part of America's defense infrastructure, 
        and these are properly protected by soldiers.''\6\
---------------------------------------------------------------------------
    \6\ See, ``A Civil Perspective on Cybersecurity,'' https://
www.wired.com/2011/02/dhs-op-ed/.
---------------------------------------------------------------------------
    This is an important assumption for two reasons. First and 
foremost, it is fundamentally consistent with American values. As a 
Nation, we have long recognized the importance of the military in 
providing the common defense, within limitations in tradition and law 
that respect the historical lessons learned when the Crown quartered 
soldiers in civilian homes without consent, after the actions taken to 
suppress the Whiskey Rebellion of 1794 with the authorization of 
Justice James Wilson, and, post-Reconstruction in the Posse Comitatus 
Act of 1878. This tradition is reflected in Department of Defense 
Directive 3025.18, ``Defense Support of Civilian Authorities.''
    The appropriate role of the military in cyber space is also 
important from a practical standpoint. The military must protect its 
own assets and its ability to project force globally. It relies on a 
safe and secure cyber space to do both of those things. But simply as a 
practical matter, the Defense Department cannot secure all of cyber 
space. Indeed, as we have seen over the past 10 years, it is challenged 
to protect its own electronic assets and those of critical defense 
contractors from internal and external attacks. These jobs are too 
important to our National security to permit DoD to be distracted by 
other tasks that are in the end not part of its core mission.
   The second assumption reflected in current law and policy is 
        that securing cyber space is a team effort. No single agency, 
        and no single company or group of companies, can handle this 
        challenge by itself. There must be cooperation and 
        coordination. Agencies must work with each other and with the 
        private sector, applying their capabilities and authorities in 
        a seamless manner.
    Seamlessness is not easy. In fact, in order to achieve it and avoid 
key problems falling through the cracks, there needs to be some overlap 
in responsibilities. While overlap can generate confusion, it is 
essential for full coverage.
    These policy documents are explicit about the overlap, laying out 
joint responsibilities for tasks where appropriate. Such joint 
activities have become the norm in today's U.S. Government. Every 
morning, the Departments of Homeland Security, Justice, and Defense 
coordinate on a ``First Look'' video conference, sharing the latest 
developments and coordinating action plans. Conflicts can arise, for 
example, between the DHS mission to mitigate problems in critical 
infrastructure and the FBI's mission to preserve evidence for 
prosecution. These operational problems get worked out on the ground 
when these agencies work together with the victim of a cyber attack. 
And, when chronic or policy differences arise, a well-organized 
National Security Council will do its job and resolve those differences 
satisfactorily among the agencies for the good of the Nation.
                               conclusion
    Cyber space is a dynamic and dangerous environment. It is also the 
global endoskeleton of commerce, trade, and all manner of human 
interaction. Securing it, an essential task, is a global, multi-
stakeholder effort that must bring all capabilities to bear in a 
cooperative manner. Agility rules. The United States is a world leader 
in having clearly established roles and responsibilities within 
Government so that it can play its critical role. The new 
administration and the Congress should focus on getting the 
implementation right.\7\ Time is too short to do otherwise.
---------------------------------------------------------------------------
    \7\ As co-panelist Frank Cilluffo stated, ``PPD-41 is a good 
initiative, but the real test will lie in the manner and nature of its 
implementation.'' See, ``Overview and Analysis of PPD-41: US Cyber 
Incident Coordination,'' July 27, 2016, https://www.lawfareblog.com/
overview-and-analysis-ppd-41-us-cyber-incident-coordination.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    Chairman McCaul. Thank you, Mr. McConnell.
    I will recognize myself for questions.
    You know, I kind-of went through the litany of attacks, and 
they are--they have been very numerous. You know, North Korea 
on Sony Pictures, very destructive; Iran hitting the financial 
sector; to China stealing 20 million security clearances; to 
Russia interfering with our elections--and whether you are a 
Democrat or a Republican, that is an American issue, and the 
next time it could happen to the Republicans; and most 
recently, this--that alleged attack on the CIA, with some of 
the most sensitive cyber tools in the U.S. Government.
    Yet, there never seems to be any consequences to this bad 
behavior. I have five children. If there aren't bad--if there 
aren't consequences to bad behavior, bad behavior continues.
    The Chinese--I think we had a meeting with them after they 
stole the 20 million security clearances.
    So my first question is to General Alexander. I mean, there 
are no rules of the game, as you mentioned. There are no 
consequences.
    How do you see that? But also, importantly, how do you see 
the role between the military and the civilian counterpart, 
DHS, in terms of defending the Nation and also offensively 
responding?
    General Alexander. Thank you, Chairman.
    I think the role is, first--I will start with the military 
side. The military's responsibility is to defend this country, 
in terms of offensive capabilities outside the country. If you 
think about an attack in cyber space, I look at that as FEMA 
and the military working together.
    Do you have--whose responsibility would it be to work with 
State, local government, and industry to build back up damaged 
infrastructure? DHS has the lead.
    DOD and the intelligence community should be going after 
the perpetrators of that or the country that is attacking us, 
because DOD's responsibilities would most logically go from 
cyber into the physical domain.
    One of the reasons that we couldn't have Sony attack North 
Korea--while I think Sony could win, it could start a war on 
the Korean Peninsula, and that is a Government responsibility.
    But here is where it gets tricky. I think there are several 
things that you need to put in place.
    First, I agree with the organization around DHS of 
organizing NPPD and others into an agency. I think that makes 
sense.
    I think you need to go further. I think you need to look at 
the civilian part of Government, look at the information 
technology and cyber. It is not sufficient. They don't have the 
resources; they will never get the people. Consolidate that in 
a DISA-like organization and put that under somebody.
    That organization would be responsible for protecting 
Government. DHS would be responsible for protecting DHS and 
working with the rest of that, and could be responsible for 
protecting the rest of that Government.
    When the Nation is being attacked like Sony, DHS, DOD, and 
DOJ should be notified through the same portal at the same 
time, and they should practice the rules of engagement. What is 
DHS going to do to help ensure Sony doesn't collapse, or the 
financial sector, or energy sector doesn't collapse? What is 
the Defense Department, the intel community, and law 
enforcement going to do to stop that attack?
    My experience from being on the offense: The offense always 
wins because the defense is terrible.
    We can fix the defense by getting Government and industry 
to work together. I think DHS should have the lead. I think we 
should bring in parts of the intelligence community and the 
military into those meetings to talk with industry so they know 
that this is an all-of-Government approach.
    DHS could have the lead. We would call them the public 
face.
    That is before Bruce came in. We would have changed the 
public face a little bit.
    Just kidding, Bruce.
    But if you think about it, we wanted DHS to be the public 
face for just the reasons that you said.
    But industry wants to know: When I am being attacked by 
Iran is the military and the Government going to stop that 
attack while you help me fix this part?
    That is where we have failed, in my opinion, and where we 
can take these next steps.
    Chairman McCaul. I completely agree.
    Last question to the remaining three witnesses--my time is 
very limited--is we passed the Cybersecurity Act. We will be 
providing oversight. This committee also intends to pass 
legislation to prioritize cyber within DHS to create a 
cybersecurity agency, taking the NPPD and making that a more 
prioritized, streamlined agency within the Department.
    Do the three of you--and I think General Alexander has 
already answered that question--but do the three of you agree 
with this idea in principle?
    Mr. Daniel. Yes, Mr. Chairman. I think that taking NPPD out 
of being a headquarters function, which it is clearly not, and 
making it into a line agency within DHS, along with the other 
functions that DHS has, and prioritizing that makes a great 
deal of sense.
    I think that continuing that holistic focus on our critical 
infrastructure and the Federal civilian agencies also makes a 
great deal of sense, and that would, I think, put DHS on an 
even more solid foundation to partner with the Defense 
Department and the Justice Department in doing their mission.
    Chairman McCaul. Right.
    Mr. Cilluffo. Mr. Chairman, I would echo that. Not to be 
ingratiating, but I think this committee deserves a lot of 
credit for moving legislation in this space, and I think most 
notably some of your cyber bills.
    I see three primary criteria. I mean, first DHS needs to 
get its own house in order, lead by example. Then it needs to 
administer with NIST and OMB and others, obviously the Federal 
civilian agencies, because the initiative, as General Alexander 
said, clearly does remain with the attacker, but some of these 
civilian agencies are even--are woefully behind some of the 
military capabilities are to defend.
    Then I think it is really about enabling the most critical 
of our critical infrastructures. To me, I think if everything 
is critical nothing is critical. I am not taking away from 16 
sectors, but I think we need to start really zeroing in on the 
four life-line sectors and the so-called Section 9 companies.
    So I do feel you also need to streamline capability that 
the Department has for cyber crime efforts outside of NPPD. So 
I think there is a lot more that can be done, and I think an 
agency is a way to do it.
    Chairman McCaul. Thank you.
    Finally, Mr. McConnell.
    Mr. McConnell. Thank you, Mr. Chairman.
    So yes, I agree with--it is always great to be on a panel 
where I can agree with Keith, so this is good for me.
    I would say that we spent a lot of time while I was at 
Homeland Security debating what the name of this new 
organization should be. I think it is a low bar. Any name is 
going to be better than National Protection and Programs 
Administration, or whatever it is. So I think you should just 
get it done, sir.
    Thank you.
    Chairman McCaul. Thanks so much.
    Chair recognizes the Ranking Member.
    Mr. Thompson. Thank you very much.
    I am glad to see the agreement on the role for DHS in this 
great challenge that we have.
    One of the things that we are grappling with is some of the 
things that we are dealing with go to the basic threat of our 
democracy. My opening comments talked a little bit about 
Russia's involvement, and that involvement is very concerning 
because they have somehow looked at this as a vulnerability and 
have decided to take full advantage of it.
    So--and I will start with you, General--have you given 
thought to what we should do to shore our vulnerability as a 
country, to defend our democracy and how we select our leaders?
    General Alexander. Yes. Ranking Member Thompson, I have 
talked to some of the States and I am going to meet with some 
of the States on just that issue to give them my thoughts and 
advice.
    I think it is important to recognize we have got to fix our 
defense, and you sit in a key position that can help get our 
Nation on its feet, from a Government perspective, so that DHS, 
DOD, DOJ work together in that common cause, each with their 
roles and responsibilities, and ensure that they are well 
understood.
    Then we need to educate the American people on 
cybersecurity, and we need to help build the bar--raise the bar 
for industry with the NIST Framework, incentives, and liability 
protection.
    If we were to do those we would significantly improve the 
cybersecurity posture of this country.
    Mr. Thompson. Well, and part of, I guess, my direction--and 
I will go to the other witnesses--if I hear you correctly, are 
you talking about some National system of election protection 
initiated by Congress?
    General Alexander. Not necessarily. It may be run by the 
States. I think the States have a responsibility here.
    I think what Congress--what you can do here with this 
committee, and you have already done in part, is get things 
like the National Institute of Standards and Technology--they 
have a cyber framework. We recommend in the commission that you 
take that framework, make it metrics-based so it is something 
you can measure, and get people to apply that as a way of 
getting liability protection and a way of incentivizing.
    Now, if you did that the States could do the same to the 
election process. That would significantly improve----
    Mr. Thompson. Yes. But at some point somebody is going to 
say we can't afford it, you know, for whatever reason. I think 
what I am trying to get to is where our role as Members of 
Congress fall within--in this framework to guarantee that it 
occurs.
    Would any of the other witnesses like to address that?
    Mr. McConnell.
    Mr. McConnell. Thank you, Mr. Thompson.
    I would say two things about the election situation. First, 
if it is true that defense is lousy--which I agree, and there 
are some things we can do about that--we also need to start 
figuring out how to manage the offense and try to cut the 
supply down, both through consequences and through self-
measures of restraint.
    On the election systems in the States, I think the 
underappreciated vulnerability here is with the companies who 
manufacture and support these election systems. They are not 
accountable at all. They do not make their machines available 
for inspection by security experts.
    The DHS has designated election systems as critical 
infrastructure, but that does not necessarily apply in any way 
to the companies that support this.
    In several Midwestern States the same company that prints 
the ``I Voted'' stickers also runs the so-called election 
management system for those States. So I think we need to take 
a look and bring the private sector into those, as well, sir.
    Thank you.
    Mr. Thompson. Mr. Cilluffo.
    Mr. Cilluffo. Congressman Thompson, I would like to 
actually look at the question a little different. Very valid 
question, but I think it actually stems from a point that the 
Chairman brought up in his first question, and that is we 
ultimately don't deter cyber; we deter actors from engaging in 
certain behavior.
    Whereas the interference in the elections, rightfully so, 
generated headline after headline, the reality is Russia's 
fingerprints have been on the mouse for a long time. This is 
not the first incident. It is a repeated pattern of behavior, 
including the first state-on-state cyber attack followed up by 
cyber weapons being used in concert of the battlefield in 
Georgia, as well as cyber and kinetic means in Crimea and the 
Ukraine.
    So what I am really getting at is we can defend our way out 
of certain things, but ultimately we have got to start 
articulating a strategy that is aimed at dissuading, deterring, 
and, if need be, compelling bad behavior from occurring.
    Russians are doing the same thing in France and Germany 
right now as we speak. So at the end of the day, we can get our 
systems secure; they are just going to find a new 
vulnerability. It is a cat-and-mouse issue.
    So I think what we really need to do is get to the point 
where we are ready to impose cost on bad behavior.
    We have been blaming the victim. We blame companies. We 
build higher walls protected with bigger locks after we get 
hit.
    Imagine if all our homes were robbed and we called the 
locksmith. That is doomed for failure.
    We have got to start leaning a little forward and looking 
at some proactive measures. I would argue that includes 
private-sector actions that can be taken short of hacking back.
    Long-winded way of saying I think we need to actually start 
imposing costs on bad behavior.
    Mr. Thompson. Thank you.
    Yield back.
    Chairman McCaul. The Chair recognizes Mr. Ratcliffe.
    Mr. Ratcliffe. Thank you, Mr. Chairman.
    Appreciate all the witnesses being here today.
    You know, when we talk about cyber challenges that we face 
today, clearly one of them is the cyber work force. All the 
members on this panel, we talk about creating jobs to grow the 
economy, but right now there are--estimates are somewhere in 
the neighborhood of 200,000 cyber-related jobs that are 
unfilled due to the lack of qualified applicants to fill 
them.
    While we would all, I know, love to solve that macro issue, 
I am going to focus specifically on what my subcommittee, the 
Subcommittee on Cybersecurity and Infrastructure Protection on 
this--on Homeland Security Committee, has jurisdiction and 
oversight over, and that is specifically the cyber labor work 
force issues at DHS.
    So, General Alexander, let me start with you because at one 
point you had to manage the cyber work force at the NSA. So if 
instead of me sitting here this was Secretary Kelly, what 
advice would you be able to offer him--and you are smiling, so 
maybe you already have--about programs at the NSA or maybe even 
out in the private sector that he might be able to leverage to 
address that problem at the DHS?
    General Alexander. Yes, I was smiling because you said 
Secretary Kelly, and I was thinking, ``John, what the heck were 
you thinking?''
    [Laughter.]
    General Alexander. Actually, that is a great point. I think 
one of the things that we need to look at in DHS--there are so 
many political appointees and you have such a rotation, the 
stability of the work force at the management level is in 
shambles. People come in, they are a political appointee, they 
go for a while, and then they are out.
    The difference at the National Security Agency and within 
the military are people are professionals brought up through 
that, and so the person who is running a cyber area has 
tremendous depth and experience in that, is recognized by the 
work force, has gone to school in it.
    I think we need to look at that from a DHS--the number of 
political appointees. We have, you know, thousands of those. I 
just say for you that are working it, that is the first part.
    The second, a good area that DHS and NSA actually work 
together in is on the cyber education. We actually go out and 
with universities we give them a curriculum and we certify it. 
It is certified by both DHS and NSA as a cyber curriculum.
    I think bringing in students from that and incentivizing 
them to come into DHS--like NSA does; we get a tremendous 
amount out of that--is a good thing to do and you know they are 
already trained. That is a great population out there of kids 
that want to come in and work in this area.
    I think I would look at both, and that is what I would tell 
Secretary Kelly.
    Mr. Ratcliffe. Thank you. You know, I think this is an 
important enough issue that I want to use my time to give all 
of the witnesses here an opportunity to weigh in on this.
    Mr. Daniel, you--obviously your role as the special 
assistant to the President and cybersecurity coordinator for 
4.5 years, I think I would appreciate your perspective on this, 
as well.
    Mr. Daniel. Certainly. Thank you.
    I think to get at your question about the broader work 
force issues and the economy as a whole, I think one of the 
things that we are beginning to realize is that as we build 
these curriculums we actually have to think about the problem 
and break it down, that it is not just producing cybersecurity 
professionals, it is that we actually need to produce a variety 
of cybersecurity professionals and we actually need to start 
making sure that our curriculum and our training, you know, 
does provide a core for--that all professionals need, but then 
allow some specialization in there.
    Are you going to be a hands-on-keyboard, you know, firewall 
defender? Are you going to be a hunter? Are you going to be, 
you know, a policy integrator, one that looks holistically at 
the problem?
    Those are different skill sets, and we need to start 
building people that come out with those different skill sets 
because they are going to fulfill different roles in the 
ecosystem.
    Specifically with respect to DHS, I--to me I actually see 
this as a broader problem of how we manage the tech work force 
and other specialized skills in the Federal Government as a 
whole. It is really about speed and flexibility.
    One of the primary lessons that I learned from my time in 
the White House is we can get people to come into the 
Government for a while. They will take lower pay for a while. 
They just won't do it for their entire career.
    So this idea that we are going to recruit kids out of 
college and bring them into one Federal agency, probably one 
bureau, and keep them there for 40 years and have them retire 
in their 60's, that is just ludicrous. That is not how any of 
the work force operates.
    So we need to enable our Federal agencies to both bring 
people in faster and allow them to bring people in and out from 
the private sector with greater degrees of flexibility over the 
course of their career in order to allow for that rotation and 
that rejuvenation of the work force. I think that is the key 
factors of what we are going to need to get at in order to deal 
with the work force problems.
    Mr. Ratcliffe. Terrific. Thank you.
    Frank.
    Mr. Cilluffo. Congressman Ratcliffe, I mean, I think 
Michael nailed it. Speed and flexibility, certainly from a 
civilian hiring perspective, and that is something some of the 
Title 50 or intelligence community entities can actually move a 
lot faster, and I think that is something perhaps DHS can look 
to.
    Another issue, though, that just dawned on me is I had 
mentioned the attacks on Estonia, so I would bring my 
students--as a--representing a place of higher education, 
obviously I advocate the roles that universities play. But I 
also think there is a huge K-12 opportunity here, and when I go 
to Estonia you have first-graders and then you have got 
students that are going into their high school gymnasium with a 
STEM focus.
    They are learning to speak Estonian, English, and code at 
first grade. First grade. I fear that we are going to be behind 
that work force power curve.
    We know how to push all the buttons. We can make it look 
nice. But I feel like we really do need to get to some of that 
K-12 sets of issues.
    And notably, women in STEM. It is not just--this is 
something that I think we are lagging and we really need to do 
more.
    So work force generally, in terms of DHS it really is about 
speed and flexibility. Don't expect people to stay forever.
    The Estonians also have what is called the Cyber Defense 
League. It is basically their active reserve component. They 
can pull the top people from industry to serve the government 
for a short period of time and then go back out, and they are 
all patriotic so it is basically like the reserve corps with 
a--active reserve corps with a focus on cyber. That is another 
area I think we can be looking at.
    Mr. Ratcliffe. Mr. McConnell, my time is expired, but if 
you can quickly answer?
    Mr. McConnell. Thank you, Mr. Ratcliffe.
    Thank you, Mr. Chairman.
    So the NSA programs that Keith mentioned are very good. 
Those authorities, hiring authorities are not always available 
at DHS, so you could look at that: Does DHS have the 
authorities to do what it needs to do?
    It also has trouble with execution. NSA has a great program 
of getting summer interns in from colleges. They get those 
people a security clearance way before so they can come right 
in. They do that way up front. They have a finely oiled machine 
on that.
    DHS is not so good at executing in that way. So I think you 
should set targets for DHS in this area and hold them to it.
    Mr. Ratcliffe. Thank you all.
    Chairman, I yield back.
    Chairman McCaul. Mrs. Watson Coleman is recognized.
    Mrs. Watson Coleman. Thank you, Mr. Chairman.
    So it is clear that there is a consensus that China, 
Russia, Iran represent--and North Korea--represent our greatest 
threats. Do we have the capacity right now to prioritize who we 
need to give our greatest attention to? If so, would that be 
Russia?
    Anyone.
    General Alexander. I can give it to you from my 
perspective. I think we can handle all--we can and have to 
handle all four because it is not clear how the threat will 
come back at us. We have to be prepared.
    Mrs. Watson Coleman. During the 2016 election obviously 
Russian government waged a campaign to undermine the U.S. 
democracy using hacked e-mails, WikiLeaks, and false news 
reports. President Trump has repeatedly praised Vladimir Putin 
and spent months denying that the Putin government carried out 
this campaign, accusing U.S. intelligence community of 
spreading falsehoods instead and suggesting that he will undo 
U.S. sanctions imposed against Russia.
    Mr. McConnell, in your view, what message does the 
President's borderline-dismissive attitude toward this 
unprecedented attack on our democracy send to the Russian 
government as well as to other nations?
    Mr. McConnell. Thank you, ma'am.
    You know, these attacks were predicted. A year ago General 
Clapper, the director of national intelligence, said, ``Russia 
is assuming a more assertive cyber posture based on its 
willingness to target critical infrastructure systems and 
conduct espionage operations even when detected and under 
increased public scrutiny. Russian cyber operations are likely 
to target U.S. interests to support several strategic 
objectives, including influence operations to support military 
and political objectives.''
    These highly visible information and influence operations 
are new to Americans--except for one thing: Americans are also 
contributing to the degradation of the information space, 
usually for commercial or domestic political reasons. At the 
same time----
    Mrs. Watson Coleman. Mr. McConnell----
    Mr. McConnell [continuing]. We do have to keep talking to 
the Russians. The planet is getting too small to do otherwise.
    Mrs. Watson Coleman. So not disagreeing with anything that 
you have said, what message does this President's dismissive 
attitude communicate? Does it communicate a weakness? A 
coziness? A fearsomeness? Is it bold? Is it acceptable? Is it 
responsive? And is it proactive? What is it?
    Mr. McConnell. Well, ma'am, I never try to impute motives 
to other people. I think there are a couple different things 
here.
    One is there is an on-going investigation, so I wouldn't 
want to comment on that.
    I think it is important to remember that it doesn't do us 
any good to just vilify the Russians and push them into a 
corner. They don't respond well to that.
    We have to figure out how to talk to them and engage with 
them, but at the same time, as you say, take them very 
seriously. It is a very serious threat to our country.
    Mrs. Watson Coleman. It doesn't seem like, according to 
what FBI Director Comey testified to, about they will be back 
and they really didn't care that we knew what they were doing, 
it doesn't seem that we are talking about having discussions 
with rational players here. It seems that we have a situation 
with an equally if not more arrogant regime that chooses to 
undermine our very democracy.
    So my question to you, General Alexander: What are your 
thoughts on this?
    General Alexander. I think two sets of thoughts: First, we 
have to have consequences for somebody coming after our 
country, and I think the Chairman put that right. There have to 
be consequences and people have to know it.
    We need to give the President and the Secretary of Defense 
latitude, though, in their strategy and their approach. I think 
this is where President Trump can actually be very good for us 
because he is negotiating how we deal with Russia in the 
future.
    I think what Mr. McConnell said is right. If we vilify them 
and we keep them pushed out we are going to fight them. We 
agree that a war--and you would agree a war is not where we 
want to go. We have got to figure out how to set this right.
    So I think there has to be consequences. I think we have to 
have that discussion and we have to be open to it.
    Mrs. Watson Coleman. Thank you.
    General Alexander. We don't have to like them.
    Mrs. Watson Coleman. Thank you, General. I think that this 
attack that we have experienced is a form of war, is a--was a 
form of war on our fundamental democratic principles.
    One last question if I might, Mr. Chairman. That is to Mr. 
McConnell, because he speaks to the fact that the international 
laws are behind on these issues in addressing issues of this 
nature.
    My question to him: In this climate, how do you think--do 
you think it is possible that we could have those kinds of, 
``conversations'' and move into some agreement as to what is 
and what would not be allowed on the National stage--
international stage? Thank you.
    After that I yield back.
    Mr. McConnell. Thank you, ma'am.
    As I note in my written statement, there is some progress 
at the United Nations and in some companies in developing these 
rules of the road, but it is very slow.
    One bright spot is a new global commission on the stability 
of cyber space, which is co-chaired by Secretary Michael 
Chertoff, and it has the mission to accelerate that work on 
rules of the road. It is nongovernmental, represents all the 
interests in all the countries, and is working on a fast track 
to propose rules that governments can agree to. The governments 
don't always follow the rules, but if there are no rules then 
there is nothing for them to follow.
    Chairman McCaul. That is well put.
    Chair recognizes Mr. Donovan.
    Mr. Donovan. Thank you, Mr. Chairman.
    Gentlemen, thank you for attending here, and thank you for 
the work that you do in this very important area for our 
Nation's security.
    Our Chairman laid out some of the things that this 
committee has done, some of the great work in this area. We are 
lawmakers, and every time we have a hearing I ask the experts--
because we deal with scores of issues every day; you deal with 
this issue--what could we do as lawmakers that could help you 
and help DHS and help the people who are responsible for 
protecting our networks more so than we have done so far?
    The Chairman laid out some of the great work we have 
already done. What would you like to see this committee, this 
legislative body, do to help protect our data, our information 
from our enemies even further than we are able to do now?
    I just leave it open to each one of you to comment. Thank 
you.
    General Alexander. If I could just start, based on the 
commission, what we saw there, I think there are a few things 
that this committee has already started on but could reinforce. 
First, getting industry and the Government to look at the NIST 
standard for cybersecurity framework--add metrics in, but get 
that as a standard across Government and industry. There are so 
many out there right now you are hard-pressed to figure out 
which standard and how you are applying it.
    The second is liability protection. How do we protect these 
companies that meet a certain standard from all the lawsuits 
that they get?
    Third--it was brought up by the Ranking Member--this is--
could be expensive, so how do we incentivize industry and 
individuals to actually take the next step?
    In those three areas this committee and Congress could 
help. We could set that up and get this going.
    You know more about tax incentives and stuff than I do, but 
that is where I think my discussions with the financial, 
energy, health care, and the rest of government--where I think 
this would really help.
    Mr. Donovan. Thank you, General.
    Mr. Daniel. Congressman Donovan, I think the--I would agree 
with--well, first of all I would say that this committee has 
done tremendous work in moving the ball forward in the 
legislation that you have already done, and that--it has made a 
tremendous difference.
    I would say that, for example, CTA couldn't really exist 
without the--some of the legislation that you have already put 
in place and the liability protections for information sharing, 
for example, that are already there.
    I do agree with Keith that the--sort-of continuing to work 
on--we see a standard of care emerging in industry, but it is 
basically emerging via the courts and sort-of in a very ad hoc 
fashion, and I think getting--asking industry to step up and 
sort of proactively define what that standard of care is going 
to be would actually be very helpful to accelerate that 
process.
    Then also, I think to Frank's point, continuing to refine 
the--and get the analysis done of what are the points where 
we--that we really care about in this country? Because yes, we 
can call an entire sector critical infrastructure, but that 
doesn't actually tell you where you need to prioritize within 
that sector.
    Mr. Donovan. Thank you very much, Mr. Daniel.
    Frank.
    Mr. Cilluffo. Congressman Donovan, let me echo everything 
that General Alexander and Michael Daniel said, and also thank 
you, because we hosted you for a talk on state and local 
cybersecurity, which I think is an area in particular to 
remember. The pointy end of the spear, it is always going to 
be--is always going to--it is not always going to be Federal. 
We need to ensure that our law enforcement and first responders 
writ large have some of the capabilities.
    I think in addition to liability protection and in addition 
to allowing some of the information sharing, one thing I would 
like this committee to take a look at is defining some of the 
rules of the road for enabling active defense measures. I am 
not talking hack-back.
    There is a lot of space between hacking back and building 
higher walls, and I think that there is some anxiety--in fact, 
I know there is--from the industry to be able to lean a little 
more forward until they felt like it was codified in some sort 
of way. So I think that would be a very valuable set of issues.
    Then finally, this is more the appropriators, but policy 
without resources can be rhetoric. Let's make sure that we are 
funding the most critical of our critical infrastructure 
entities first and foremost.
    Mr. Donovan. Thank you, Frank.
    Mr. McConnell.
    Mr. McConnell. Thank you, Mr. Donovan.
    Three things: First, fix the DHS organization. Second, 
conduct oversight over DHS to make sure it does what it is 
supposed to do. Third, you might consider taking a look at the 
cyber insurance industry because it is now helping set the 
standards for what companies are going to do in their 
cybersecurity protection activity, and they are setting those 
standards, and they can be helpful to you, I think, and to the 
country in moving that forward.
    Mr. Donovan. I thank you.
    I thank all the witnesses for your input.
    I yield back, Mr. Chairman.
    Chairman McCaul. Thank you.
    Chair recognizes Miss Rice.
    Miss Rice. Thank you, Mr. Chairman. I just want to thank 
you for your opening statement about how this is not a 
Republican or a Democratic issue; it is an American issue. 
Because there was some questioning at the hearing the other day 
that I thought was, quite frankly, disgraceful--focusing on 
leaks instead of the--how important it is for us to make sure 
this doesn't happen again in the future.
    Mr. Cilluffo, Russian cyber attacks on NATO targets rose by 
60 percent in the last--in the past year, and cyber attacks 
against E.U. institutions rose by 20 percent. Members of NATO 
and the European Union are some of our closest allies, 
obviously, in the world, and those relationships are absolutely 
vital to our own security.
    In your opinion, how do you think these allies will react 
to news that the Secretary of State will not be meeting with 
NATO foreign ministers next month but will instead be going to 
Russia later in April?
    Mr. Cilluffo. Yes. I don't know precisely how they will 
respond, but clearly it is important to recognize not only that 
NATO is a critical alliance to our trans-Atlantic relationship, 
but that our leadership visibly recognizes that, as well. So, I 
mean, Secretary Mattis has been very strong in terms of 
enhancing the--NATO's capabilities, and I hope we follow 
through on that.
    One note to underscore, though, is we need to rethink our 
alliances. So we need NATO, of course. Five Eyes relationship 
is the strongest intelligence cooperative relationship in the 
world; we need that.
    But we have other allies that aren't included in either of 
those. Where does Israel fit in? Where does Japan fit in? They 
have been on the front end of massive cyber attacks from North 
Korea of late as well as China, of course.
    So I do think we need to rethink that a little bit.
    Miss Rice. That is a good point.
    Well, you also made the comment before that Russia is 
actually in France and Germany now, obviously, with these 
upcoming elections. What more should we be doing to aid our 
allies within NATO, the European Union, and even beyond, as you 
pointed out, to protect themselves from Russian cyber attacks?
    Mr. Cilluffo. That is a great point, and Admiral Rogers in 
those hearings earlier this week underscored that he is working 
directly with his signals intelligence counterparts in France 
and Germany. I think we need to continue to do that and move 
beyond, because quite honestly, we are only going to see bits 
and pieces.
    We need the full snapshot of the activity we are seeing 
here, so this is something where intelligence relationships are 
dicey. They are--take forever to build and they could easily 
disappear based on relationships and what have you.
    But I think in this particular case it would actually be 
pretty cool to pool all of that to see what other countries are 
seeing and then have a full snapshot of the activity we are 
seeing. Because history may not repeat itself, but it tends to 
rhyme, according to Mark Twain, and I think that is really 
right from a cyber perspective, too.
    Miss Rice. I think you, in your opening statement or in one 
of the answers to one of your--one of the questions you kind-of 
put China and Russia together, and North Korea and Iran 
together. If you had to rank these four nation-states in terms 
of who would be the most dangerous in that order from most to 
least, and what are we doing to make sure that we are not--by 
focusing on whomever is the most, we are not allowing the least 
to kind-of get up the ladder?
    Mr. Cilluffo. That is a great question, and I am actually 
afraid that we chase shiny objects anyway, so--and then we 
get--our eyes are off the ball in other areas.
    But here is the reality: Russia is the most capable. No 
question about that.
    China, very active, mostly in computer network exploit, or 
espionage activity. Also building out their space and other 
sorts of computer network attack capabilities.
    North Korea and Iran I am actually in some cases more 
concerned about because they are more likely to turn to 
computer network attack--massively disruptive attack. So 
capabilities differ, and intentions all matter. We have a 
responsibility to keep our eyes on the ball.
    But North Korea in particular, I mean, it really is 
completely isolated. They have not only built out some of their 
cyber capabilities, they have got an army that includes 
officers operating in northeast China, southeast Asia, abroad, 
because they don't have a very connected country themselves.
    But they are also turning to cyber crime. Normally 
criminals try to penetrate the state through corruption. Here 
you have a state penetrating organized crime to ensure the 
survival of the regime.
    Miss Rice. This is my last question, with the Chair's 
indulgence, to all four of you--and this is just taking on--off 
on what you were just saying, Mr. Cilluffo. What more needs to 
be done in each of the 16 critical infrastructure sectors to 
ensure that the sectors remain operable even when they are 
under a successful attack?
    Mr. Daniel. So I can at least take a stab at that.
    It is going to differ from sector to sector because the 
sectors are at different levels of maturity. Even within a 
sector, the difference between the very large players and the 
very small players is pretty radical.
    But I think in many cases it is continuing to make cyber a 
priority within those companies and organizations at the 
Executive level; have them actually employ a risk-based 
approach; develop and test a response and recovery plan, so 
don't just have one on the shelf that the first time you open 
is when you have actually already had a problem, but actually 
develop it and test it ahead of time and make sure you have 
those relationships with law enforcement, with DHS going in 
ahead of time.
    General Alexander. If I could, I think what you need to do 
is--and you could help facilitate--you need to bring in the key 
executives from financial sector, five or six of those, with 
the energy sector, with health care, with the Government, and 
walk through exactly how we are going to do this: What they 
have to do, what they could do with incentives, how you could 
help, and what the Government response is going to be.
    Because what you are asking is if Iran, who has attacked 
Saudi Arabia several times in the last 3 months, were to attack 
this country, we are not ready. So we need to get ready and we 
need to put that in place.
    By having the industry players who are the most likely 
target walk through with Government how that is going to work 
and what you need to put in place, we would start down that 
road. We need to do that.
    Mr. McConnell. I can't disagree with those points. They are 
very good.
    If I might go back briefly to your concern about NATO, I 
travel quite a bit in other countries, both to U.S. allies and 
adversaries. There is a lot of confusion across the board about 
what Americans' foreign policy is, and in particular in this 
area of information warfare.
    I was recently at the Munich Security Conference with 
Chancellor Merkel and other foreign leaders, and there was much 
concern about where America is going on NATO. The Trump 
administration was there and said all the right things; there 
was a full-court press by the vice president, along with 
Secretary Mattis and Secretary Kelly, so that was very good. 
But there is a lot of skepticism still, a lot of concern, and I 
think the proof will be in the pudding.
    Miss Rice. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCaul. Thank you.
    Chair recognizes Mr. Rutherford.
    Mr. Rutherford. Thank you, Mr. Chairman.
    I thank the panel for being here today.
    You know, it seems some of that confusion and 
disjointedness that we see in response to cyber attacks goes to 
exactly what Mr. McConnell said we really need to do earlier, 
and that is define the roles and response.
    The bubble chart was an attempt at that maybe, but failed. 
I think, you know, when you say, ``OK, DOJ is going to do the 
prosecution; DHS is going to do the protection; and then DOD is 
going to do the defense,'' it reminded me--you know, I am a 41-
year law enforcement officer so I go back to the environment 
that I know well, and I know that that is kind-of the way it 
works in civil law in protection is, you know, law enforcement 
is the Government response to protect the public from the bad 
actors--whether they are criminal actors or even state actors, 
bad actors.
    So I also understand this, though: Law enforcement are 
priority one response time. If you are the victim of an 
aggravated battery and an aggravated assault, we understand 
that there is like a 7-minute priority response time. So for 7 
minutes that citizen better be able to deal with whatever it is 
on their own.
    Our founding fathers understood that. That is why they gave 
individuals the 2d Amendment right to protect themselves.
    There is a self-defense interest here, and it really 
concerns me when I hear people say, ``Limit the ability to hack 
back.'' You are taking away the self-defense capability, I 
think.
    Also, the general mentioned, you know, Sony could take them 
if you unleashed them. So I want to get back to this concept 
that we have to define the roles and response, because I think 
that is going to drive everything that we do from that point 
on.
    Because I am really concerned about this idea that we are 
not going to allow Sony or some other corporation to defend 
themselves for that 7 minutes that we are waiting on law 
enforcement to show up. So how do you address that 7-minute 
response time the Government has to be able to protect our 
corporations from cyber attack?
    General Alexander. If I could start, light speed, in which 
the network operates, to go around the whole world once is----
    Mr. Rutherford. Oh, I understand that, but, I mean, there 
is a response time.
    General Alexander. Right. Now, so that is the problem that 
I see.
    I agree with where you have taken this, but I would take it 
one step further, and that is we could be responding at network 
speed and should be, but we don't because we aren't organized 
to do that. We haven't looked at this as the common defense.
    You hit the Constitution, and I think if our forefathers 
were here they would say the intent is when I am being attacked 
the Government is supposed to help me in certain things and I 
have to meet certain standards. My standard, let's call it the 
NIST; your standard is if Iran is attacking me you go kick 
their--and we will take it from here.
    We don't have the ability today to do that. You have the 
organizational construct, and I think the bubble chart was a 
start. That is if you are--if a sector is being attacked the 
DHS has roles and responsibility to keep the Nation operating, 
DOD to go after these guys with cyber or any other element of 
National power.
    So I would be concerned about a civilian corporation 
attacking back into North Korea and they assume it was our 
Government and it is an act of war and they lob missiles into 
Seoul. That could and would likely happen.
    So you have to determine who is going to take the steps to 
do that. Now you are into the Defense Department and the 
President's roles.
    So I would just offer that as consideration.
    Mr. Daniel. I think from--Congressman, I think from my 
perspective I think, you know, we worked very hard at the end 
of the previous administration to shape out the bubble chart 
into policy with respect to particular incidents, and that 
became Presidential Policy Directive 41, which I think actually 
helps clarify a lot of that--the roles and responsibilities and 
provides a very solid framework for enabling the Government to 
get its act together in terms of how we do response.
    I would also hit on what Frank was saying, though, that 
there is a big--I agree with Keith that enabling a private 
corporation to go all the way back, there is also other 
problems, which is since the bad guys don't typically use, you 
know, computers and equipment labeled ``bad guy stuff''----
    Mr. Rutherford. Right.
    Mr. Daniel [continuing]. They are, you know, 
commandeering--yes, they are commandeering, you know, third-
party innocent people's machines and things like that. So we 
need to be very careful about, you know, how we go back at 
somebody.
    But as Frank said, there is a big difference between simply 
building the wall higher and, you know, hack-back. There is some 
space in there for companies to actually defend themselves.
    But I think ultimately sort-of working out how we are going 
to do this and how we are going to divide up the roles and 
responsibilities between the private sector and the 
government--and governments; not just the U.S. Government but 
all governments around the world--and doing defense of their 
critical infrastructure is one of the fundamental policy 
challenges that we have right now. And how we are going to lay 
that out in some coherent framework that we can all live with I 
think is the policy issue that we are all struggling with.
    I don't have a clear answer to that question right now, but 
I know that it is one that we have got to continue struggling 
our way through.
    Mr. Cilluffo. Congressman Rutherford, if I could just build 
on a couple of quick points: Seven minutes? It can be 7 years 
before the Government responds or it can follow up on some of 
the events that are occurring, so there is no 9-1-1 where you 
call and you get the Government to respond. So I think 
companies--I think it is an unfair playing field.
    How many companies went into business thinking they had to 
defend themselves against Chinese intelligence services, or the 
SBR--Russian intelligence services, or North Korea, or Iran? 
Even the biggest companies in the world--for example, JPMorgan 
Chase, they spend $650 million a year on cybersecurity. They 
have well over 1,000 people focused on this particular issue. 
These are big numbers.
    But no company--if you are throwing all-source 
intelligence, you see--cyber crime is getting so sophisticated 
that the lines between nation-state and criminal are narrowing 
dramatically, and they are blurring if they are using proxies. 
But here is the difference: Nation-states can use other forms 
of collection--signals intelligence, human intelligence, you 
name it. So that is an unfair playing field if you are a 
company.
    So I am not asking to hack back, but I do think we should 
have suppressive fire. So there is one thing firing, there is 
another defending your own system from a suppressive fire 
perspective, if you want to use a military analogy in that 
respect.
    So there is a lot more that can be done there. But don't----
    Mr. Rutherford. OK. I didn't catch that in your first 
comment about not hacking back, so that--I like that.
    Mr. Cilluffo. That is what I am for, so thank you.
    Mr. Rutherford. Good. Good.
    Thank you, Mr. Chairman. I yield back.
    Chairman McCaul. The Chair recognizes Mr. Correa.
    Mr. Correa. Thank you, Mr. Chairman.
    Gentlemen, a few weeks ago I asked a question from another 
panel and I am going to ask the same one here. I think I am 
beginning to get some responses or clarification.
    My question then was how do you get private sector, public 
sector all to coordinate, and how do you get everybody to be 
accountable?
    Let me explain. You just talked about JPMorgan. We know 
they are a hard target. But there are other players in the 
private sector, financially related, that are not spending 
millions of dollars to get hardened.
    Same thing in the Federal Government--all levels of 
government, State governments. You mentioned--alluded to the 
fact that maybe there are some States out there that maybe 
aren't up to snuff on their election system. Probably there are 
some Federal agencies that are not as hardened as the CIA.
    So the question is, how do you get everybody to coordinate?
    Let me paraphrase what I am hearing from all of you, which 
is you gotta have standards--standards that address liability, 
which indirectly address cost, because everybody has got to 
share the costs if you are not--if you are going to protect 
yourselves. If you are going to get insurance of some sort here 
to protect yourselves you have gotta have some oversight, 
meaning some coordination.
    Maybe that is the role of DHS, in terms of making sure 
everybody is talking to each other.
    Mr. Rutherford talked about retaliation. Well--and response 
times. As you said, this is speed of light, so maybe that is 
where DHS assures that the government and others are there to 
maybe lay down fire suppression.
    So this is a map here that maybe the role of DHS is really 
to coordinate private and public sector, not in the sense of 
managing it but to make sure everybody is talking to each 
other, to make sure that we have the response, to make sure we 
protect everybody in our critical areas, and maybe also look at 
working with our allies overseas, NATO and some of the others.
    Open it up for comment.
    General Alexander. I will give you a first one, Congressman 
Correa, and that is I think when you look at this that we do 
have to walk through the roles, responsibilities, and the 
standards that we are going to have people at. We pushed to 
have the NIST framework as the standard, and I think we should 
look at that.
    I think when you think about the relationship of DHS and 
DOD, the idea of having this done as an exercise here in 
Congress, where you could bring in first the Government and 
then other civilian agencies, would really pay dividends 
because we talk by each other. Words matter.
    For example, if you look at missiles coming into the United 
States, you are going to want NORAD to shoot down those 
missiles. NORAD has to have the authority and the ability to do 
that in time to block the missile.
    Now, they may not be 100 percent effective. A missile may 
come in and hit somebody.
    DHS has now a role to help build that back up. It has 
protection and certain standards.
    In cyber it is very much the same. I see a role and 
responsibility for DHS working with industry on these 
standards, but not being the portal for saying what DOD would 
do, but rather that is going to be a Presidential decision on 
the roles of, when do you respond and how do you respond? I 
think they should establish those and make that clear, and then 
show how you are going to have DHS, DOD----
    Mr. Correa. But to a certain level you have to have those 
rules up front----
    General Alexander. That is right.
    Mr. Correa [continuing]. Because you have got to respond in 
a nanosecond.
    General Alexander. That is right. We don't. We should. We 
don't have the rules and we should have them.
    Mr. Correa. Thank you.
    Mr. Daniel. So, Congressman, I think that--to build out a 
little bit of what you were saying, I think part of this is 
that one of the things that we are struggling with is that we 
operate at a scale that is very difficult to comprehend.
    This was actually driven home to me when we did a joint 
exercise with the United Kingdom and their financial sector, 
and I realized that the entire United Kingdom financial 
sector--representatives of that could fit in this room, that 
you could literally get all of them together around the table.
    We have 13,000 financial sector companies, roughly. So 
there is no way to, you know, sort-of do it by traditional 
sort-of organizational means.
    That means to my mind sort-of two things. One is that we 
actually need to set up the structures to enable us to sort-of, 
if you will, use trees and other ways to get at that 
organizational problem so it is not DHS trying to talk to--or 
even NSA or anybody in the government--trying to talk to 13,000 
institutions, Treasury talking to 13,000 institutions 
simultaneously. So we need some intermediate structures in 
there to help with that.
    But then we also need to use the networks and the power----
    Mr. Correa. Standards?
    Mr. Daniel [continuing]. Power--yes.
    Mr. Correa. DHS-generated or standards of private sector?
    Mr. Daniel. I think private-sector standards, but I think 
when I----
    Mr. Correa. OK. Be like accounting rules.
    Mr. Daniel. Yes. Like Keith says, I am a big fan of the 
NIST Cybersecurity Framework. I also agree it needs metrics 
behind it to help organizations figure out how to actually 
apply the framework.
    But clearly we need to be using network technology and I.T. 
technology to actually work for us in this space rather than 
just only against us in this area and allow us to use the 
network to communicate defenses at network speed. That is a 
large part of what we are trying to build toward right now, but 
I think that is going to be the only way that we get at these 
questions.
    Mr. Cilluffo. Just to build on some of those quick points, 
I do think standards are important, and I think that many of 
those can be driven by the private sector since they know their 
systems' vulnerabilities and capabilities better.
    But let me just say two things. First--and it is not to go 
back to an old point, but if everything is critical nothing is. 
I think we have got to get--at least get to a grade B on the 
most critical of our critical infrastructures. These are our 
lifeline sectors. Think electric power and energy; think 
telecommunications; think financial services; and think 
transportation.
    Let's start there because they are--a disruptive or 
destructive attack to any of those, the impact upon our 
economy, on our public safety, our National security could be 
incredibly damaging. So let's start it with those very initial 
points.
    Then I think there are some systemic risks that we need to 
ameliorate or backfill some of those vulnerabilities. So, for 
example, I didn't bring it up in my remarks but in my written 
testimony I mentioned the SWIFT hack, which, by the way, North 
Korea is seen as a prime perpetrator.
    But what made the SWIFT hack of last year--February of last 
year, and this was against the Central Bank of Bangladesh--
unique was not that $81 million was stolen. That is bad. Bad 
day for the bank; bad day for its customers and clients. But 
the economy could absorb it.
    What was important about that is it identified a systemic 
risk. The whole global financial institutions all are based 
upon that SWIFT. It clears billions--hundreds of billions of 
dollars daily. So to me that is a systemic risk. That rises 
above the noise.
    If you look at the Russian attacks on the energy grid in 
the Ukraine, these are the sorts of--it was the first time a 
cyber attack had a physical consequence in a real-world 
environment. That is a big deal.
    We are talking about the interference in the elections. 
Yes, big deal. I am actually worried about safety. That is a 
bigger deal, that you are taking off--if you don't have power I 
don't care what other critical infrastructure is up and 
running, we are not moving.
    One in particular that is critical but so far behind in its 
security are water. So water is truly critical, but they are 
nowhere near the gold standard of the financial services 
sector.
    My last word, enable organizations like the Cyber Threat 
Alliance. I highlighted the FSR, which are all the big banks 
that are coming together. These are the groups and 
organizations that are going to drive change, and I think 
historically there has been a little bit of arrogance that the 
Government thinks, ``Government lead, private sector follow.''
    I take an opposite approach. I think private sector is 
going to lead and Government need to lead by example by doing--
getting its own houses in order.
    Chairman McCaul. Gentleman's time is expired.
    The Chair recognizes Mr. Fitzpatrick.
    Mr. Fitzpatrick. Thank you, Mr. Chairman.
    Just a segue from Mr. Correa's question, focusing first on 
the Federal agencies. So there are two agencies, DHS and the 
FBI, that have concurrent jurisdiction over cyber crime 
investigations.
    My first question is: Have you encountered any issues with 
that as far as overlapping jurisdiction, redundancy?--would be 
my first question, because that is an issue in the law 
enforcement community.
    Second, the relationship between--since this is the 
Homeland Security Committee--DHS and the private sector, 
because I think most of us know that typically the private 
sector is far ahead of the curve over the Government when it 
comes to, typically, matters of I.T. and technology.
    Is there any proactive outreach steps that DHS has done for 
any of your organizations to reach out and try to learn from 
what you all know?
    Mr. McConnell. If I could just start on that, sir, on the 
private-sector part, one of the reasons that we all agreed on 
the bubble chart when we were serving in the Government was 
because DHS does have a good interaction with the private 
sector of exchange of information and coordination. So they can 
improve on that, but it is a good--as General Alexander said, a 
good public face in that area.
    The larger point that you made also makes a lot of sense, 
and I leave that to my other colleagues.
    Mr. Daniel. So I think that the--Congressman, I think the 
question of, you know, the proactive steps that DHS has taken, 
you know, certainly, yes, you can see the programs that they 
are trying to put in place, like the Automated Indicator 
Sharing Program, the teams that they have developed to go out 
and assist upon request, the critical infrastructure protection 
efforts that they have to engage proactively--all of those are 
good elements and I think they need to continue to be resourced 
and expanded and prioritized, as Frank says, to focus on the 
most critical areas.
    I think that those are critical to continue.
    I certainly think that your question on the concurrent 
jurisdiction is one that clearly warrants some further 
discussions. My personal view is that DOJ and DHS, in the form 
of FBI and Secret Service, have worked out a way to handle that 
in most cases, and it is--they actually cooperate better than 
sort-of some of the public perception would lead you to believe 
sometimes.
    But that is still something that should probably be 
reevaluated every so often as we look at what the 
responsibilities of all of those agencies are.
    General Alexander. I can give you my experience working 
with the FBI and Secret Service on this. The FBI was great to 
work with for us, and we had an assumption between Director 
Mueller and myself, and that was any cyber action would be a 
law enforcement because most of the things that we are seeing 
are criminal in nature, and he would have the lead. If it 
turned out to be a nation-state then those would turn and we 
would support him, in terms of the law enforcement.
    I think between Secretary Napolitano, Secretary Gates, 
Mueller, myself, and the bubble chart, we actually had pretty 
good agreement across how we were going to do each of those.
    I do think that we should look at how we organize our 
Government, and is this what industry would do for organizing 
cyber, and having it in three pillars and separated all out the 
way we do. We do that in part because of all the issues with 
civil liberties and privacy and the public faces and that, but 
if we were running our Government like a company would we run 
it this way?
    I just ask that because you have asked and you gave some 
great points, and the answer is, ``Nope, we wouldn't do that.''
    Here is part of the reason. We have talked about people. If 
you were in charge of all three and you put them together would 
you share more of those people amongst them to make sure we 
could each do our job? Yes. Would we work together better? Yes. 
How could we get there and what should we do?
    Secretary Gates and Napolitano had some great discussions 
on that. It might be good for you, Chairman, to bring those in 
because I think it actually answers some of the questions you 
are asking, Congressman, and they are better at that than I 
was.
    Mr. Fitzpatrick. Thank you. I yield back.
    Chairman McCaul. Just for the record, are you saying that 
it should be more integrated and less siloed--those three?
    General Alexander. Yes, Chairman, I am. I think it should 
be more integrated.
    Chairman McCaul. I think that is a----
    General Alexander. I agree with civilian control. I think 
you can look at--Secretary Gates came up with this approach to 
say, why don't we work to have some strategy to bring those 
together so that we all benefit from the talent?
    Chairman McCaul. Yes. I tend to agree.
    Chair recognizes Ms. Jackson Lee.
    Ms. Jackson Lee. Let me thank the Chair and the Ranking 
Member for again being at really the cutting edge of securing 
this Nation, and that is the issue of cybersecurity, which a 
decade ago I--the most we might have been saying, General, is 
that 85, 87 percent of the cyber world was in the private 
sector. That was the mantra or the conversation, and it was 
considered infrastructure, and we looked at it in those 
terminologies.
    But I am glad that we are looking now to prioritize 
cybersecurity, protecting the cyber system. But more 
importantly, I want to thank all of the witnesses for their 
focus on the importance of the Department of Homeland Security.
    I am excited about a potential reserve corps--vetted 
individuals that move in and out of the corporate community on 
the basis of public service. I might make the point that 
because of Mr. Snowden I would prefer those individuals who--
forgive me--are not contract, you don't know where they are; 
they are sitting right at DHS working with us.
    I applaud the zero to 12--I guess I am already on the 
birth, but let's go from K to 12. I don't mind doing zero to 
12, start talking early about STEM, but the--that is OK. The K 
to 12 I think is an excellent idea, and I also think it is 
important to develop that base of informed professionals ready 
to be on task to be on the offense.
    So let me ask questions related to some of the public 
incidences that we have been seeing. I want to start with 
General Alexander and Dr. Cilluffo, if I can.
    Last week's Justice Department indictment of two Russian 
government agents in the Kremlin's cyber division is a 
watershed moment in our efforts to counter state-directed cyber 
hacking campaigns. What does last week's unsealed indictment 
regarding the 2014 Yahoo breach tell us about the Russian 
government's 2016 election interference, and does this give us 
a better understanding of the importance of attribution? 
Because you all had talked previously about getting right to 
it, not being shy about who has done it, and if you would 
answer that.
    Let me add to that, to General Alexander, very quickly, 
your exit memo indicated--and I have other questions but I am 
going to yield for you all to answer--indicated your work with 
the NSA and Cyber Command the greatest privilege and honor of 
your life. You also described NIST and Cyber Command employees 
as people who dedicated their lives to protecting the Nation--
not for money, but for the mission.
    What do you think about how troubling it is to have seen 
the President compare the I.C. to Nazi Germany and denigrate 
the contributions of your former colleagues? What, if any, 
effects could any President's attacks on the intelligence 
community have on our analysts, our relationships with the 
allies, and the work of the I.C. in recruitment?
    But, General Alexander and Doctor, if you could go to the 
first question that I asked, please?
    General Alexander. Could you say that first question again? 
I was thinking about that second one. Could you just quickly 
say the first----
    Ms. Jackson Lee. No problem at all. It is to comment on the 
indictments of the Russian agents regarding Yahoo and to--what 
does the breach tell us about Russian government's interference 
in 2016? Then the subset of that: Does this give us a better 
understanding of the importance of attribution?
    Then you could go into the other one, and then I will yield 
to the doctor.
    General Alexander. Yes. So on attribution--I will start 
there--absolutely vital. It is something that we jointly worked 
about 12 years ago starting getting attribution and have gotten 
much better at it.
    What this shows me--from what we are seeing on Russia, on 
Yahoo, on our elections, on China--is our defense is terrible, 
and we don't have any consequences. I agree with the way the 
Chairman said that. We have to have consequences.
    I think we need a two--at least a two approaches to this. 
Come up with the consequences--think of that as rules of 
engagement; and then go fix the defense by getting industry and 
the Government to work together.
    I agree with Frank saying the Government should be the 
standard. We should set the standard for the rest of the 
Nation.
    With respect to working at NSA and the comments about the 
employees of the intelligence community and others, I would go 
back to my time in NSA. You know who really did a great job 
coming up there was President Bush.
    He came up and talked to the people about what they were 
doing and he made this comment to us, and it was the most 
important leadership thing that I saw in 40 years, and it was 
to me he said, ``Look, you protect the Nation, I will take the 
heat.'' He told the people of NSA, ``You are here to protect 
the country,'' and they--he made them feel good.
    We need leaders to make people in Government feel good 
about what they are doing.
    Ms. Jackson Lee. Thank you.
    Mr. Cilluffo. Congressman Jackson Lee, I--you know, I think 
that the indictment was quite startling. To actually see what 
we have all kind-of known, that you have a nation-state and 
that you have FSB officers turning to well-known--including 
someone who is on the world's most-wanted list, from a U.S. 
perspective, for cyber criminals--to do their bidding.
    So we have known that any country worth their salt is going 
to work through a proxy because they don't want the muddy 
footprints coming back to them, or the cyber footprints. So I 
do think that it is a pretty big deal.
    I think that the bigger takeaway, though, is it is just 
reflective of what they have been doing for a long time. The 
interference in the election, that is not new. This is what 
Russia has been engaged in for quite some time.
    The one thing I would just caution everyone with is it is 
not just Russia. I mean, the perpetrators are vast. So what I 
don't want to do is focus all of our efforts on one actor when 
all the other actors are going to take advantage of that 
situation.
    So I do find the indictments important. In the past we 
indicted PLA officers from the Russian--I mean from the Chinese 
army. People said, ``What is the likelihood of them ever seeing 
a courtroom?''
    Nil. But it sent a message. It signaled we mean business. 
Oh, by the way, these officers can't travel anywhere that has 
extradition treaties with the United States.
    So it has some effect, and I am happy the indictments just 
did what they are supposed to do. Just the facts, ma'am.
    Ms. Jackson Lee. Thank you.
    Chairman McCaul. Gentlelady's time has expired.
    Mrs. Demings, from Florida, is recognized.
    Mrs. Demings. Thank you so much, Mr. Chairman and Ranking 
Member.
    To all of our witnesses, thank you so much.
    Mr. McConnell, after the 2015 attack on Ukraine's 
electrical grid DHS and NCCIC was able to help the Ukrainian 
government respond to the incident. In your perspective, how 
well-positioned is the U.S. Government or the U.S. Government 
continue to be to help our European allies, including France 
and Germany, whose elections are being targeted by regimes like 
the Putin regime?
    Mr. McConnell. Thank you, ma'am.
    Yes, I think that is still a work in progress. There is 
good coordination at the operational level between the NCCIC 
and their counterparts in most European countries, but the 
coordination at the policy level has a lot left to be done, and 
I think that is a really good question for you all to be asking 
about.
    On the NATO side there is also very good collaboration in 
this area, so I think that the--in general that we are in a 
pretty good position to help them from lessons learned, and 
there has been quite a bit of conversation between the 
Europeans and the Americans post election and sharing some of 
the lessons learned.
    Mrs. Demings. Thank you.
    The next question is for any of the witnesses. What 
concepts or principles are you hoping to see reflected in 
President Trump's Executive Order on cybersecurity, and are 
there specific policies or relationships that you would like to 
advise the President not to disturb?
    Mr. Daniel. Congresswoman, I can certainly start with that. 
I think that the principles that I would hope to see and the 
approach are actually what you--what we have certainly seen in 
some of the--in some of the versions that have made their way 
out into the public in the sense of continuing to emphasize the 
risk-based approach to cybersecurity, that you are not going to 
be able to protect everything all of the time, to continue the 
focus on moving a lot of the cybersecurity mission out of the 
hands of the--all of the Federal civilian agencies but leaving 
them--retaining accountability for protecting their 
information. But indicating that they don't have to be doing 
all of the protecting themselves and, you know, finding ways to 
do shared services across the Federal civilian side. That is 
incredibly important.
    I think continuing to emphasize this--the fact that all of 
this has to be done, as we have all been talking about this 
morning, in partnership, that no one element within the Federal 
Government, no--the Federal Government by itself, and indeed, 
the United States by itself cannot tackle this problem, but we 
have to do it in partnership both, you know, within the 
Government, between State and local governments and the Federal 
Government, internationally, and with the private sector.
    General Alexander. I think three things that need to come 
out: One, we talked about fixing Government--I.T. and 
cybersecurity--and make that a standard, because right now when 
you look at it compared to industry it is way behind.
    The second is we have got to have Government-industry 
collaboration and we have got to encourage that collaboration. 
I think we have got to also--a third point is figure out how we 
are going to protect critical infrastructure and where do you 
start?
    I agree with what Frank said in terms of picking your 
starting points, but I think as a Nation we have got to go 
beyond. I think it has got to be: How do we educate the people? 
How do we take the next steps in terms of getting this 
collaboration? What can other sectors do while we focus on the 
lifeline, as Frank put it?
    So we have got to cover that, and I would hope that is in 
there.
    Mr. Cilluffo. Just a couple of very quick points, and I 
think they have been raised here in different sorts of ways.
    First thing I would do is to Mr. Rutherford's comment 
earlier: Clarify roles and missions of various agencies and 
entities and recognize that as much as we have been talking on 
the defensive side here, the reality is we are never going to 
firewall our way out of this problem. We have to be comfortable 
discussing some of our offensive capabilities because that 
leads to a cyber deterrence strategy.
    We can't deter if the enemy doesn't know what capabilities 
we have. As the old movie, ``What good is having the doomsday 
machine if no one knows you got it?''
    So the reality is I feel we need to look at it in a much 
more strategic kind of way, where we start clarifying roles and 
missions; we are comfortable about some of our capabilities; we 
articulate and, more importantly, demonstrate a deterrent 
capability; we manage what we can from a risk-based 
perspective.
    I think that based on what I have seen I am pleased to see 
that the Trump administration is building on the continuity of 
what worked well in the previous administration, and then 
recognizing a couple of areas where they want to go a little 
further.
    So I think for starters it is that roles and missions 
piece.
    The one thing I would just caution is--I mean, an Executive 
Order is basically a statement of intent. That is where you 
guys come in is when do you codify some of those intentions and 
align that from a legislative perspective? I think you guys 
have honestly done a terrific job, and this committee, I think, 
more than any other committee is moving legislation.
    Those are my quick thoughts.
    Mrs. Demings. Thank you very much. I am out of time.
    Thank you, Mr. Chairman.
    Chairman McCaul. Thank you.
    Chair recognizes Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank you 
and the Ranking Member for organizing this hearing.
    I certainly want to thank our distinguished panel of 
witnesses here, your testimony today and the many contributions 
you have made in moving the Nation's cybersecurity defenses 
forward and putting us in a much stronger place.
    I have been at this cybersecurity issue, like the Chairman, 
now for the better part of a decade, and I certainly always 
feel as much as I have learned I still have so much more to 
learn. I certainly do when I have the caliber of a panel like 
you all here before us. So thank you for that.
    General, I will start with you, and I thank you for your 
many years of service to the Nation and appreciate the work 
that you and I have done over the years on cyber. But in your 
written testimony you state, ``However, the reality is that 
commercial private-sector entities cannot practically be 
expected to defend themselves against nation-state attacks in 
cyber space.'' I certainly completely agree with that.
    However, most breaches--and I have heard numbers anywhere 
from 85 percent upwards of 95 percent--are not sophisticated 
but rely on unpatched systems, poor--a poor understanding of 
network topography, or other examples of poor cyber hygiene. So 
how can we increase the signal-to-noise ratio so that the 
Government can focus on protecting against nation-state 
attacks?
    For the panel, I would certainly be interested in your 
perspectives on why so many breaches continue to be the result 
of failures and--forgive me for using the term--cyber hygiene?
    My second question--and I certainly would welcome the panel 
on this, as well--is for Mr. Daniel. Thank you for your work at 
the White House. Certainly in my time there--your time there 
when General Alexander was there you both were incredibly 
accessible to me and very helpful.
    So to Mr. Daniel, I know you spoke at the Cybersecurity for 
a New America conference on Monday, and I had the chance to 
review some of your remarks. One thing that really leapt out at 
me was your discussion of where an organization should spend 
their marginal dollar on defense.
    So this ties in with my interest on cybersecurity metrics. 
You know, how can we tell whether our controls are working? 
Same thing that goes with just adopting the NIST standards. You 
know, what organizations are adopting them, and to what degree 
are those standards even effective?
    So what suggestions do you have--and I would, again, invite 
the panel to chime in--to allow us to better understand where 
that marginal dollar should be spent?
    So, General Alexander, if we could start with you?
    General Alexander. Congressman, good to see you again.
    I would say first we have got to have standards. In order 
to set those standards we have talked about the NIST and the 
NIST framework, but I think we have to take a couple more 
steps.
    When you look at what goes on, the big companies can afford 
to throw money and resources at it. Your small and mid-sized 
don't have the resources, don't have the money, can't afford 
it, and so they are in a risk calculus: Can I absorb a hit? 
They are in the feeder tank, so think about what happened to 
Target and the air-conditioning company.
    So when you look at those things, how do we set up and 
incentivize this? That is where Congress can come in.
    I think we need to set the standards. I think we need to 
incentivize them for having those standards.
    You can look at it by sectors and you see the SEC and the 
New York Department of Financial Services are already setting 
standards in cybersecurity.
    I think Congress has a role in that. What is the initial 
standard and how do we do that?
    I think we have got to incentivize and therefore push the 
cybersecurity industry to come up with practical solutions for 
small, mid-sized, and large companies. I think the cloud and 
where this is going is going to play a large part in it. That 
is something we could talk about after.
    Thank you.
    Mr. Daniel. Thank you, Congressman Langevin. It was always 
a great partnership that we had, and I always appreciated our 
conversations in this area.
    I think from my perspective what I was alluding to there is 
that we have tended to focus on the cybersecurity industry on a 
very narrow slice of the problem and sort-of that ``protect,'' 
maybe into the ``detect'' portion of the NIST Cybersecurity 
Framework.
    But in many cases you now have chief information security 
officers and others buying new appliances and equipment and 
they don't really understand how it all fits together and they 
don't have a holistic view of what that ``nth'' device in their 
stack actually gets them, in terms of additional cybersecurity 
protection.
    It may well be the case that for many organizations rather 
than buying the new shiny object or the newest technology, what 
they actually need to invest in is very solid recovery 
capability, and that might actually provide them more benefit 
down the road.
    But I think part of this is that, again, you have to come 
at this from a holistic standpoint--not just the mechanics of 
the cybersecurity and the technology, but understanding how 
your work force interacts with it, how it interacts with your 
business processes, what are the impacts on your business 
economics, and come at it from that much more holistic 
standpoint.
    Until we get to that point where we are actually making 
security the easier path--being cyber-secure the easier path to 
do rather than the harder path, people just aren't going to do 
it, or at least not enough people are going to do it at the 
scale that we need them to.
    So I do think that there is a burden on the cybersecurity 
industry to step up to that, but also organizations to think 
more holistically about their cybersecurity and manage it as a 
risk, just like they manage their legal risk and their customer 
risk and other reputational risk and all the risks that they 
face as an organization.
    Mr. Langevin. Thank you.
    Other panel members?
    Mr. McConnell. It is great to see you, sir, and thank you 
for all your work in this area for so long.
    I would just make one point on your comment about cyber 
hygiene and why it is still the biggest source of attacks and 
vulnerabilities. I think this approach we have today of telling 
people to patch their devices and get that latest patch in and 
don't click on attachments--bad attachments--doesn't work.
    It is certainly not going to work when we have 10 times as many 
devices attached to the network, and now I forgot to patch that 
lightbulb and it is now a--connected to the internet and is a 
vulnerability.
    So I think there is going to be a shift in the industry 
moving away from the devices and the end-points more to the 
network layer and that the enterprise network operators and the 
tier one ISPs are going to have to take more responsibility for 
the security of the traffic that is coming over, and we can't 
leave it to the--to local cyber hygiene.
    That is still important. We still have to secure those 
devices, but there has got to be a shift of responsibility if 
we are going to do this at scale.
    Mr. Langevin. Thank you.
    Mr. Cilluffo. Congressman Langevin, let me also thank you 
for all your terrific work in this space, and I have had the 
privilege of working with you for a number of years now.
    Two things, though, that I would just build on. I agree 
with everything, although I would say to Bruce's point, still 
make sure you update all your patches and you don't click on 
bad links.
    But yes, the vast majority of breaches are due to social 
engineering, including the most sophisticated. That is where 
human--other means, from an all-source collection standpoint, 
can be thrown at you.
    Two things though: One, technology will continue to change; 
human nature is pretty consistent. So if you start looking at 
it from a behavioral standpoint there are certain things you 
can put in place. None of us discussed on this--on the panel 
here today the insider threat, which I still think is probably 
at the very top of the threat, agnostic to their ideological 
motivations or intentions.
    Two things that I think will be--machine learning and A.I. 
There is a lot of buzz. There is a lot of gobbledygook, but 
there are some very real initiatives here, and I think the 
Department of Homeland Security deserves some credit here in 
terms of leaning forward with some of the STIX-TAXII 
opportunities, which enable more real-time cyber intelligence 
sharing.
    I also think that, given your work on the Armed Services 
Committee, maybe we ought to be looking at some of the DOD 
acquisition cybersecurity components for the most critical of 
our critical infrastructure. In other words, it is looking from 
a supply chain perspective.
    So Bruce brought up the point, I mean, small--even small 
banks, they don't have the resources the big financial 
institutions have. They have to collect that.
    So they are either going to go through their providers, 
whether it is ISP or otherwise, but maybe there is another way 
to be looking at it where we start baking security on the front 
end and we have acquisition processes for some of these 
entities that ask, at least, the cyber question.
    Mr. Langevin. All great points, yes.
    Thank you all.
    I yield back.
    Chairman McCaul. Let me thank the panel. What an excellent 
discussion. Very insightful, educational.
    I do want to mention during the course of this hearing it 
has been reported there is a terrorist attack in London at 
the--both the parliament and Westminster Bridge. One confirmed 
dead and possibly 10 injured, and so we pray for those victims 
and Godspeed.
    With that, other committee Members may have questions. This 
will remain open for 10 days.
    This hearing stands adjourned.
    [Whereupon, at 12:17 p.m., the committee was adjourned.]



                            A P P E N D I X

                              ----------                              

   Questions From Chairman Michael T. McCaul for Keith B. Alexander *
---------------------------------------------------------------------------
    * Gen. (Ret.) Keith B. Alexander is the former Director, National 
Security Agency and the Founding Commander, United States Cyber 
Command. Currently, he is the President and CEO of IronNet 
Cybersecurity and recently completed service as a member of the 
President's Commission on Enhancing National Cybersecurity.
---------------------------------------------------------------------------
    Question 1a. While the goal, for combatting cyber crime, is to make 
it financially untenable to conduct illegal activities, what would the 
corollary of this goal be for nation-state actors?
    Answer. The goal for combatting nation-state actors is to deter 
them from engaging in activities that are particularly harmful to our 
National security, including destructive cyber attacks, massive theft 
of private-sector intellectual property, and access to critical 
infrastructure systems.
    Question 1b. How do we tip the scales so that it isn't worth it for 
nation-state actors to break into our systems both in the private 
sector and in the Government?
    Answer. Though some level of espionage is unavoidable, we must 
significantly improve our defense and the public-private partnership. 
Nation-states have long sought access to one another's secrets and will 
almost certainly continue to do so. Our company and Government networks 
are too easy a target for both nation-state and non-nation-state 
actors, especially when they stand alone. We need to significantly 
raise the bar and have an integrated ``common'' defense.
    We need to treat the cyber realm more like the physical world when 
it comes to deterrence and having nation-states recognize that there 
are very real costs to acting against the United States in cyber space.
    Question 2a. At the hearing, we heard that we need to rethink how 
the Government and private sector relate to one another on cyber 
issues.
    What are your recommendations for rethinking the relationship 
between public and private sectors?
    Answer. The key to rethinking the relationship between the public 
and private sectors on cyber issues is recognizing that for too long, 
we assumed that the private sector can largely protect itself on its 
own. Unlike in any other domain, we expect companies to protect 
themselves against nation-states, criminals, and script kiddies alike 
when it comes to cyber space; in the physical world, we certainly do 
not expect corporate America to deploy surface-to-air missiles to 
defend against nation-state bomber threats. Recognizing this dichotomy 
and taking steps to address it by sharing much more detailed threat 
information in both directions, building interoperable defensive 
systems, exercising how the Government and the private sector would 
respond to a real, on-going threat, and establishing clear roles, 
responsibilities, and rules of engagement would be a strong first step 
in the right direction.
    Question 2b. How do we ensure the private and public sectors can 
work together harmoniously, without overstepping the Government's role 
or creating a new regulatory regime?
    Answer. It is critical that the Government and the private sector 
recognize their respective roles and responsibilities, and perhaps most 
importantly, their own capabilities when it comes to working together 
in cyber space. The Government must have a clear understanding of the 
roles and responsibilities of each department. Further, putting in 
place specific laws and stringent regulations is not particularly 
useful when it comes to a fast-moving technology area like 
cybersecurity because they are not very flexible and adaptive. The 
Government should set broad goals and encourage behaviors through 
positive incentives rather than through regulations and penalties. At 
the same time, both the public and private sectors need to rebuild the 
trust and confidence with one another.
    Finally, we need to train how we are going to defend, first within 
the Government, and then between the Government and private sector. We 
should have routine drills to practice and build up our competence in 
responding to threats.
    Question 2c. How can we ensure this much-needed and strengthened 
collaboration is nimble enough to consider the evolving nature of cyber 
threats and organizational needs?
    Answer. Many of the regulatory and legal tools available to the 
Government are not particularly nimble. Positive incentives are most 
likely to achieve successful results in a dynamic threat and defensive 
environment. Similarly, flexibility on key policy issues and seeking to 
find the reasonable middle ground, rather than taking extreme positions 
on both sides of the debate on Capitol Hill and in Silicon Valley, are 
likely to reach the best outcomes when it comes to increasing 
collaboration between the Government and the private sector.
    Question 3a. A number of witnesses at the hearing mentioned the 
shift to more disruptive and destructive cyber attacks. Over the last 
several years concern has been raised about the threat of nation-state 
cyber actors, criminals or others, causing physical damage through a 
cyber attack.
    How difficult of an operation would this be, to cause physical 
damage, does it require a higher degree of sophistication?
    Answer. Causing physical damage can, at times, require a higher 
degree of sophistication than simply obtaining access, but it depends 
on how well-defended a particular system may be. For example, an 
extremely well-defended system may be extremely difficult to access, 
but once accessed, it may be relatively easy to conduct actions upon; 
and the counter is also true. The most important thing to note about 
this new trend towards cyber attacks that cause physical damage is that 
it is now happening. The capability to undertake such attacks is 
becoming more common and perhaps may end up in the hands of nation-
states and other entities that are perhaps less subject to deterrence 
than typical, highly-capable cyber actors.
    Question 3b. Can you speak to this threat and how concerned should 
we be about it?
    Answer. This trend is one of the most troubling trends in 
cybersecurity because it represents a fundamental shift in the way 
cyber access to systems may be used, both as a tool for covert action, 
but also in a time of real conflict. Given the spread of these 
capabilities to less ``deterrable'' actors, we need to demonstrate that 
the United States takes such attacks seriously and will respond swiftly 
and with the application of all elements of National power, including 
military force, as needed in a particular circumstance.
    Question 4a. As we look at evolving threats, ransomware attacks are 
on the rise. In your testimony, you noted that ransomware has been used 
by organized criminal groups and small actors alike.
    Do you see the use of this tool growing?
    Answer. As Microsoft recently noted, while the overall ``volume of 
ransomware encounters is on a downward trend . . . a look at the attack 
vectors, the number of unique families released into the wild, and the 
improvements in malware code reveals otherwise.''\1\ As the Microsoft 
report points out, there was no decline in the volume of emails 
carrying ransomware downloaders; rather, systems operators were simply 
getting better at blocking the email entry point for such infections. 
Similarly, Microsoft notes that attackers continue to innovate and 
evolve the tools and tactics they use to deploy and exploit ransomware. 
As such, while numbers of successful attacks may be down, we have not 
seen the end of this trend.
---------------------------------------------------------------------------
    \1\ See Microsoft Malware Protection Center (MMPC) Ransomware: a 
Declining Nuisance or an Evolving Menace? (Feb. 14, 2017), available 
on-line at https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/.
---------------------------------------------------------------------------
    Question 4b. Do you see ransomware being utilized by larger actors 
for more nefarious purposes?
    Answer. Yes. There is a possibility that we will see ransomware be 
put to larger-scale strategic use than the extraction of small amounts 
of wealth. It is important that governments and large corporations 
prepare for such incidents by establishing policies and procedures to 
prevent such attacks and the ability to recover if and when it happens.
    Question 4c. How do we prepare and respond to ransomware attacks?
    Answer. As with most cyber threats, the best offense is good 
preparation in advance and placing strong defensive measures in our 
networks. This includes basic hygiene at the outset: Consistent 
patching, use of strong passwords, two-factor authentication, strong 
anti-social engineering training of staff, as well as the deployment of 
strong capabilities using a defense-in-depth approach, from network and 
end-point detection tools, to file security applications, use of strong 
encryption for sensitive data, and consistent, capable, and resilient 
back-up and recovery plans.

     Questions From Honorable Mike Gallagher for Keith B. Alexander

    Question 1. General Alexander, at a cybersecurity panel in December 
2016, in regards to problems with retention in the Federal cyber 
workforce, you were quoted as saying, ``I do hear that people are 
increasingly leaving in large numbers and it is a combination of things 
that start with morale and there's now much more money on the outside . 
. . I am honestly surprised that some of these people in cyber 
companies make up to seven figures. That's five times what the chairman 
of the Joint Chiefs of Staff makes. Right? And these are people that 
are 32 years old . . . Do the math. [The NSA] has great competition.'' 
Several reasons have been cited for NSA and other cyber-related 
employees leaving the Government sector. These include: Higher pay in 
the private sector, low morale due to negative press coverage from 
leaked information regarding Government surveillance and data-
collection capabilities, an overworked labor force which was described 
by an unnamed former U.S. cyber official as ``20% of the workforce 
doing 80% of the actual work,'' to name just a few of the issues. What 
do you think are the biggest challenges facing the cybersecurity work 
force at present?
    Answer. I think you identified a number of the challenges facing 
our Federal cybersecurity workforce, from higher pay on the outside, 
morale challenges as a result of recent disclosures and debates in the 
political arena, and a relatively severe lack of alignment in the 
number of positions and actual work being done. These negative factors 
are compounded when public officials ``attack'' the Government agencies 
and its personnel who are protecting the country for political gain.
    We need to do a better job of encouraging cross-training between 
the public and private sectors by creating opportunities for people to 
move in and out of Government, maintaining their security clearances, 
and working to enhance both public and private-sector cybersecurity. 
Likewise, the Government needs to learn how to work better, more 
rapidly, and more flexibly with the most innovative companies in our 
Nation today, including those in various innovation hubs around the 
country.
    This will not be easy, as the Government has real, legitimate 
concerns about protecting National security information, particularly 
as our companies become increasingly globalized. Until the Government 
harnesses the knowledge and capabilities of our Nation's most 
innovative thinkers, both by bringing them into the Government for 
short periods, as well as by working with the companies they start (and 
encouraging Government employees to do the same in the opposite 
direction), I fear that we will remain slow to innovate and adapt.
    Finally, we need to recognize those protecting our Nation are doing 
what we asked them to do. We need to support them when the going gets 
tough. We should hold them accountable when they make mistakes, but we 
should clearly help them accomplish those missions we have asked them 
to accomplish.
    Question 2. Russia's cyber attack in December 2015 against 
Ukraine's power grid is a concerning example of exposing weaknesses in 
physical systems that are connected to networks. What is in greater 
danger of offensive cyber operations by our adversaries: Our cyber 
networks themselves and the data stored in those networks, or physical 
systems that are connected to and dependent upon those networks to 
successfully operate?
    Answer. Both the data stored in our computer systems and the 
physical systems they are connected to are subject to major threat from 
offensive cyber operations by our adversaries. American innovation 
economy, information and intellectual property is often as (or more) 
valuable than physical assets even though we do not often treat it as 
such. We cannot deny the troubling trend of physical damage being 
caused by cyber attacks. We need to act now to deter attacks that 
target core American National security interests, including, 
destructive cyber attacks, the massive theft of private-sector 
intellectual property, and efforts to obtain long-term access to 
critical infrastructure systems that might be exploited down the road.
    Question 3a. In June 2015, I, along with millions of other Federal 
employees, became the victim of a cyber attack, as my personal data was 
hacked through the Office of Personnel Management. Putting this many 
Government employees' personal information at risk should have never 
happened.
    What actions can we take to improve data encryption across all 
Federal networks?
    Answer. Certainly, encrypting such data provides a certain amount 
of protection and there is no reason we ought not do so at scale. 
Encouraging broad adoption requires highly capable tools and a well-
trained workforce with leadership willing to commit resources to the 
effort. We have challenges in these areas across the Government.
    Encryption is only one type of protection that we should employ. 
When it comes to cybersecurity, the Federal Government must become better 
and faster. There are pockets of excellence when it comes to both cyber 
offense and defense in the Federal Government and we should take 
advantage of that knowledge, capability, and skill set when it comes to 
protecting Federal systems.
    In addition, the Government should leverage the best and brightest 
in the private sector and be able to work with them rapidly to innovate 
better defensive systems. The Government remains stuck in old paradigms 
of how security clearances are utilized and old contracting and 
requirements constructs when it comes to working with the private 
sector. If we are ever going to be able to innovate rapidly enough to 
keep up with the threats, we need to evolve to a much more modern 
mentality in the Government.
    Question 3b. Are we simply lacking encryption in certain areas or 
is what we currently employ not good enough?
    Answer. I do not think the issue is the lack of encryption 
strength, but rather a lack of capable tools and willingness and 
leadership to deploy such tools where they do exist. Moreover, though, 
I am concerned that the lack of a strong working relationship day in 
and day out between our most innovative Government agencies and our 
most innovative private-sector entities is hampering the success of our 
overall defensive effort as a Nation. We can and must do more here and 
I stand ready to work with this committee to achieve this critical goal 
for our Nation.
    Also, we should consider outsourcing the IT infrastructure and 
consolidating cybersecurity for the civilian side of Government.
    Question 4. My colleague, Congressman Hurd, has proposed the 
creation of a Cyber Defense National Guard. In August 2016, Congressman 
Hurd suggested, ``The Federal Government could forgive the student loan 
debt of STEM graduates who agreed to work for a specified number of 
years in the Federal Government in cybersecurity jobs at places like 
SSA or Department of the Interior. Furthermore, when those individuals 
moved on to private-sector jobs they would commit 1 weekend a month and 
2 weeks a year to continued Federal service. This would help ensure a 
cross-pollination of experience between the private and public 
sectors.'' What do you think of Congressman Hurd's proposal?
    Answer. I think that the type of cross-pollination that Congressman 
Hurd proposes is a sensible approach to consider, as the incentive in 
this proposal would also provide more students to train in critical 
STEM areas that would also be helpful to our National security 
(including our economic security) in the long run. This would also 
ensure a steady stream of exceptional personnel into the Government, 
even if it is for a few years.
    While there are important questions we must examine when it comes 
to our fiscal situation, from a cybersecurity and National security 
perspective, I am supportive of new and innovative ideas like those 
proposed by Congressman Hurd and wish to continue to work with you, 
Congressman Hurd, Chairman McCaul, Ranking Member Thompson, and others 
on this committee and across Congress to support and move forward such 
good ideas.
      Questions From Chairman Michael T. McCaul for Michael Daniel
    Question 1a. While the goal, for combatting cyber crime, is to make 
it financially untenable to conduct illegal activities, what would the 
corollary of this goal be for nation state actors?
    Answer. Deterrence for all cyber criminals, including nation-state 
actors, must start with increasing the cost to conduct an attack and 
associated likelihood of success. This can only be accomplished by 
disrupting the adversaries' business models. Although re-engineering 
malware requires some time and effort, it is relatively easy to make 
small tweaks so that it can evade detection. However, an adversary's 
total suite of indicators (including tactics, techniques, and 
procedures, and typical operational approach) is much more difficult to 
change and update. By exposing adversaries' predictable malicious 
activity and enabling infrastructure, we can force adversaries, both 
nation-state and other actors, to adapt their business model. Business 
reengineering is a much more time-consuming and resource-intensive task 
that more effectively disrupts malicious activity than any 
technological solution.
    Question 1b. How do we tip the scales so that it isn't worth it for 
nation-state actors to break into our systems both in the private 
sector and in the Government?
    Answer. As stated above, deterring nation-state actors starts with 
increasing their overall costs by upending their business model. We 
need to start by removing known, low-level actors from the ecosystem by 
disrupting known, preventable attacks. Removing low-level actors also 
makes it harder for less sophisticated nation-states to enter into the 
criminal arena. By lowering the noise, we can focus on the more 
sophisticated nation-states and actors. The Cyber Threat Alliance has a 
critical role to play in this disruption through their creation of 
Playbooks that give visibility into adversaries' infrastructure, TTPs, 
and business processes. By sharing information, CTA members can better 
protect customers across the globe in all economic sectors.
    However, I strongly believe that governments build on these private 
sector-led technical disruption efforts with diplomacy, economic tools 
(such as sanctions), law enforcement actions, intelligence activity, 
and if necessary, military action in order for technical actions to be 
effective.
    Question 2a. At the hearing, we heard that we need to rethink how 
the Government and private sector relate to one another on cyber 
issues.
    What are your recommendations for rethinking the relationship 
between public and private sectors?
    Answer. Public-private partnerships are necessary to tackle the 
cyber challenge. While governments have unique tools to combat cyber 
crime in the form of diplomacy and law enforcement, the development and 
deployment of technological tools primarily fall to the private sector. 
Therefore, the focus must be on public-private collaboration and 
partnership, not just regulation or contracting. Effective 
collaboration requires us to be more realistic about what governments 
can and should be doing. Governments have a unique responsibility and 
authority to take action beyond the technological defense of networks. 
Defining roles and responsibilities for both private and public 
stakeholders empowers both groups to be most effective in combatting 
cyber adversaries.
    Question 2b. How do we ensure the private and public sectors can 
work together harmoniously, without overstepping the Government's role 
or creating a new regulatory regime?
    Answer. As discussed above, the Government can bring to bear 
authorities and capabilities in diplomacy, law enforcement, and 
intelligence, as well as technical defensive capabilities. These 
capabilities should be used in conjunction with the capabilities for 
rapid defensive action that the private sector can bring to bear. Given 
its position in society, the Government must also play a role in 
convening and promoting best practices that reduce cyber risk. An 
example of such an initiative is the NIST-led process to build the 
Cyber Security Framework. This example shows how the Government can 
work with industry to identify best practices that are not mandatory. 
Best practices developed in public-private collaboration will have 
cross-sector applicability to achieve risk reduction across all 
critical infrastructure sectors. Cybersecurity-related regulations also 
have a place in certain industries, but such approaches should be used 
sparingly and with maximum flexibility. Such regulations should be 
risk-based and not compliance-focused. Compliance-based regulation has 
the potential to divert an organization's resources from driving down 
risk.
    Question 2c. How can we ensure this much-needed and strengthened 
collaboration is nimble enough to consider the evolving nature of cyber 
threats and organizational needs?
    Answer. Taking a risk-based approach is the solution to ensuring 
that the public and private collaboration remain nimble and effective. 
The NIST Framework development process and end result should serve as a 
model for future efforts. The risk-based approach in the NIST Framework 
ensures that all organizations, regardless of industry, size, maturity, 
can adequately baseline, benchmark, and strengthen their cyber posture. 
The flexibility of this approach empowers organizations to align 
resources to drive down risk, versus spending resources to demonstrate 
compliance.
    Question 3a. How is the Federal Government engaging its 
international partners and allies regarding cyber norms?
    What should the Government do to more clearly define cyber norms?
    Answer. The NIST development approach is not only a proven model 
for domestic public-private collaboration, but also for broader 
international engagement. In addition to this collaborative model, 
multi-lateral efforts also have demonstrated success. This includes the 
G7 increasingly promoting common values around internet freedom and 
cybersecurity. Furthermore, bi-lateral agreements, such as President 
Obama and President Xi defining appropriate and inappropriate use of 
assets in the cyber space, are effective for working closely with key 
individual nations.
    Question 3b. How can the private sector engage in this work?
    Answer. The private sector absolutely has a role in these efforts 
to define cyber norms. The perspective of cybersecurity operators is 
essential to ensuring that international cyber norms are appropriately 
actionable, scalable, and applicable across the globe. To date, we've 
seen private-sector input incorporated in a range of Track 1.5 and 
Track 2 dialogues. These various efforts must be continued to ensure 
harmonious collaboration between the public and private sectors.
    Question 4a. You stated in your testimony that hacktivists, 
criminals, and nation-states are moving to more destructive and 
disruptive activities.
    Why do you think this is happening?
    Answer. In the simplest terms, because they can. Motivations differ 
among groups, however. For criminal actors, money forms the prime 
motivation, while hacktivists want to make a point publicly, and 
nation-states want to either conduct espionage or hold other nations at 
risk to achieve their foreign policy or national security goals. Each 
of these groups is learning that more disruptive and destructive 
activities have a higher likelihood of achieving their goal, and little 
downside exists for moving to the more destructive techniques. In 
addition, destruction and disruption is increasingly happening in mass 
due to adversaries having increased access to open-source or low-cost 
tools at their disposal. Finally, neither the public nor private sector 
is adequately deterring adversaries at a technical level. As discussed 
in an above question, there must be a concerted effort to lower the 
noise in the system by taking out low-level actors.
    Question 4b. Where does this trend move in the future and do we 
continue to see even more destructive and disruptive attacks?
    Answer. Continued interconnectivity will continue to increase cyber 
threats. We live in a digital age that promises incredible efficiencies 
and productivity, but it also brings new challenges and potential 
vulnerabilities that--left unchecked--threaten to undermine these very 
benefits. As connectivity continues to increase, the cyber threat will 
become broader, more frequent, and more dangerous. The growth in volume 
of connective devices will make effective cyber defense even harder 
from a sheer numbers perspective. This fact, paired with the fact that 
the barriers to entry are low and the potential return on investment is 
fairly high, means that malicious cyber activity is increasing 
dramatically and will continue to grow for the foreseeable future.
    Question 4c. How do we prepare for and defend against this trend?
    Answer. Response was not received at the time of publication.
       Questions From Honorable Mike Gallagher for Michael Daniel
    Question 1. Russia's cyber attack in December 2015 against 
Ukraine's power grid is a concerning example of exposing weaknesses in 
physical systems that are connected to networks. What is in greater 
danger of offensive cyber operations by our adversaries: Our cyber 
networks themselves and the data stored in those networks, or physical 
systems that are connected to and dependent upon those networks to 
successfully operate?
    Answer. A blanket statement cannot be made about whether network or 
physical system assets are most vulnerable. Instead, we must conduct 
risk assessments across all critical infrastructure assets by 
evaluating potential cyber threats, vulnerabilities, and consequences. 
This process will enable the Government and private sector to 
prioritize resources in order to most efficiently and effectively 
reduce risk. The risk assessment must consider and prioritize the need 
to build trust where money is serviced and where critical services are 
deployed.
    Question 2a. In June 2015, I, along with millions of other Federal 
employees, became the victim of a cyber attack, as my personal data was 
hacked through the Office of Personnel Management. Putting this many 
Government employees' personal information at risk should have never 
happened.
    What actions can we take to improve data encryption across all 
Federal networks?
    Answer. Improving the security of antiquated networks must be a 
priority for the Government. However, encryption alone is not an 
adequate solution to enhance network security. In fact, stronger 
encryption would not have necessarily prevented the OPM breach, as the 
hackers were able to obtain administrative privileges. Because they had 
those credentials, they could operate as trusted insiders and by-pass 
or turn off the encryption. Once intruders have access to legitimate 
credentials, encryption is not usually a barrier.
    Question 2b. Are we simply lacking encryption in certain areas or 
is what we currently employ not good enough?
    Answer. Strengthening encryption is only one aspect of improved 
security. Organizations need to employ a risk-based, holistic approach 
to managing their cybersecurity that involves multiple methods for 
frustrating the malicious actors. For example, organizations should 
manage privileged access carefully, enable appropriate network 
segmentation, and employ sophisticated detection capabilities to 
protect their highest-value assets.
    Question 3. My colleague, Congressman Hurd, has proposed the 
creation of a Cyber Defense National Guard. In August 2016, Congressman 
Hurd suggested, ``The Federal Government could forgive the student loan 
debt of STEM graduates who agreed to work for a specified number of 
years in the Federal Government in cybersecurity jobs at places like 
SSA or Department of the Interior. Furthermore, when those individuals 
moved on to private-sector jobs they would commit 1 weekend a month and 
2 weeks a year to continued Federal service. This would help ensure a 
cross-pollination of experience between the private and public 
sectors.'' What do you think of Congressman Hurd's proposal?
    Answer. There is certainly a need to encourage people to pursue 
fields related to cybersecurity. Without reviewing the Congressman's 
proposal in detail, this program sounds like an innovative idea to 
strengthen and grow the cyber workforce. However, efforts to close the 
cyber talent gap must be broader than just focused on attracting talent 
to the Government. In addition to considering this specific proposal, 
we should also review existing initiatives to determine how we can best 
expand on programs already in place. Furthermore, neither the 
Government nor private sector can ``hire out'' of this problem. 
Instead, we must focus on evolving the workforce and enabling greater 
automation. Energy should be focused on developing workforce strategies 
that harness human intelligence, sophistication, and action.
    Questions From Chairman Michael T. McCaul for Frank J. Cilluffo
    Question 1. While the goal, for combatting cyber crime, is to make 
it financially untenable to conduct illegal activities, what would the 
corollary of this goal be for nation-state actors?
    How do we tip the scales so that it isn't worth it for nation-state 
actors to break into our systems both in the private sector and in the 
Government?
    Answer. Response was not received at the time of publication.
    Question 2a. At the hearing, we heard that we need to rethink how 
the Government and private sector relate to one another on cyber 
issues.
    What are your recommendations for rethinking the relationship 
between public and private sectors?
    Question 2b. How do we ensure the private and public sectors can 
work together harmoniously, without overstepping the Government's role 
or creating a new regulatory regime?
    Question 2c. How can we ensure this much-needed and strengthened 
collaboration is nimble enough to consider the evolving nature of cyber 
threats and organizational needs?
    Answer. Response was not received at the time of publication.
    Question 3a. In your testimony you noted that ``In Russia, the 
forces of crime, business, and politics have long converged in a toxic 
blend; and there is evidence of complicity between the Russian 
government and cyber criminals and hackers.'' The recent DOJ indictment 
of two Russian FSB officers also alluded to this government/security 
service collaboration with cyber criminals. This blurring of the lines 
makes attribution a much taller task.
    Can you expand on why this is such a dangerous problem?
    Question 3b. Are we seeing this in other countries?
    Question 3c. What can the United States do to combat this?
    Answer. Response was not received at the time of publication.
    Question 4. When discussing criminal enterprises you noted that the 
gap between the capabilities of sophisticated cyber criminals and 
nation-states is increasingly narrowing. You also noted the cross-
border interjurisdictional approach needed to take down Avalanche 
criminal network. It seems like in light of the growth in the criminal 
enterprise we should expect more threats in this area. How do we ensure 
and support international collaboration to address these criminal 
entities?
    Answer. Response was not received at the time of publication.
     Questions From Honorable Mike Gallagher for Frank J. Cilluffo
    Question 1. Russia's cyber attack in December 2015 against 
Ukraine's power grid is a concerning example of exposing weaknesses in 
physical systems that are connected to networks. What is in greater 
danger of offensive cyber operations by our adversaries: Our cyber 
networks themselves and the data stored in those networks, or physical 
systems that are connected to and dependent upon those networks to 
successfully operate?
    Answer. Response was not received at the time of publication.
    Question 2a. In June 2015, I, along with millions of other Federal 
employees, became the victim of a cyber attack, as my personal data was 
hacked through the Office of Personnel Management. Putting this many 
Government employees' personal information at risk should have never 
happened.
    What actions can we take to improve data encryption across all 
Federal networks?
    Question 2b. Are we simply lacking encryption in certain areas or 
is what we currently employ not good enough?
    Answer. Response was not received at the time of publication.
    Question 3. My colleague, Congressman Hurd, has proposed the 
creation of a Cyber Defense National Guard. In August 2016, Congressman 
Hurd suggested, ``The Federal Government could forgive the student loan 
debt of STEM graduates who agreed to work for a specified number of 
years in the Federal Government in cybersecurity jobs at places like 
SSA or Department of the Interior. Furthermore, when those individuals 
moved on to private-sector jobs they would commit 1 weekend a month and 
2 weeks a year to continued Federal service. This would help ensure a 
cross-pollination of experience between the private and public 
sectors.'' What do you think of Congressman Hurd's proposal?
    Answer. Response was not received at the time of publication.
    Questions From Chairman Michael T. McCaul for Bruce W. McConnell
    Question 1. While the goal, for combatting cyber crime, is to make 
it financially untenable to conduct illegal activities, what would the 
corollary of this goal be for nation-state actors?
    How do we tip the scales so that it isn't worth it for the nation-
state actors to break into our systems both in the private sector and 
in the Government?
    Answer. The conventional wisdom as articulated by the Department of 
State and the White House is that we should employ all instruments of 
National power to deter cyber attacks from nation-states. These 
instruments include the traditional ``DIME'' four-some--diplomatic, 
intelligence, military, and economic--to which law enforcement is 
usually added in the cyber context. We have seen that approach used 
with some success to lead up to the agreement between Presidents Xi and 
Obama regarding economic espionage conducted by cyber means.
    However, we also know that deterrence in cyber space is quite 
challenging, particularly for an advanced, connected economy like the 
United States. We have much more to lose in a degraded cyber 
environment than almost anyone else. Further, as the witnesses 
testified, while cyber defense is important, today, and for the 
foreseeable future, ``Offense Wins.'' For these reasons I advocated 
that the United States begin to propose measures of restraint in the 
development and use of cyber weapons. There is an emerging 
international consensus that, for example, attacks on international 
infrastructure such as core internet routers or key financial exchanges 
and clearing houses, are detrimental to all nations and should be 
off-limits. The United States, by virtue of its position as the world's 
strongest cyber power, is in the best position to lead by example and 
drive public advocacy for the adoption of such cyber norms of behavior.
    Question 2a. At the hearing, we heard that we need to rethink how 
the Government and private sector relate to one another on cyber 
issues.
    What are your recommendations for rethinking the relationship 
between public and private sectors?
    Question 2b. How do we ensure the private and public sectors can 
work together harmoniously, without overstepping the Government's role 
or creating a new regulatory regime?
    Question 2c. How can we ensure this much-needed and strengthened 
collaboration is nimble enough to consider the evolving nature of cyber 
threats and organizational needs?
    Answer. Strengthening agile public-private collaboration is a 
continuing challenge. Recently-enacted laws, sponsored by this 
committee, have created improved incentives for such collaboration. But 
there is no silver bullet. The potential for conflicts of interest, 
litigation and liability risk, and unintended consequences remains 
large. Perhaps the best way forward is to increase the exchange of 
people between Government and the private sector. With shared 
experience, many seemingly intractable differences can be addressed 
with creative, informal solutions that respect the policy and economic 
environments of both sides.
    As far as a new regulatory regime, in my view some additional 
regulation will be needed, as illustrated recently by the State of New 
York for financial services companies. This approach--having regulation 
proposed and adopted by the expert regulatory agency--is preferable to 
any across-the-board approach. Given the variable risks and business 
models of different critical infrastructure sectors, one size will not 
fit all.
    Question 3. In your testimony you posed an interesting set of 
questions related to the Internet of Things (IoT) or the Internet of 
Everything (IoE), specifically: ``Why do we assume the bad guys will 
own the sensor network? Why not have the good guys own it and use the 
knowledge of what is happening on the internet to increase security?'' 
So, I have to ask you and our other witnesses, what are the key 
elements of ensuring the good guys own the network and the data and 
information derived?
    Answer. Thank you. I believe there are three elements that would 
increase the likelihood that the good guys own the network. First, the 
endpoints need to be smarter and more secure, including the ability to 
be modified or turned off remotely with appropriate authorization. The 
technical standards community is working on this, but it could use a 
push from Government. Second, the network service providers, such as 
the Tier 1 Carriers, need the authority to see the network status 
information that the devices provide and the authority to stop bad 
traffic (as they do now with spam). There would need to be liability 
protection and business model changes for this to be practical. 
Finally, there need to be strong and enforceable privacy provisions in 
statute so that any bad actors who may work for the good guy 
organizations don't abuse the capabilities that the first two items 
require.
     Questions From Honorable Mike Gallagher for Bruce W. McConnell
    Question 1. Russia's cyber attack in December 2015 against 
Ukraine's power grid is a concerning example of exposing weaknesses in 
physical systems that are connected to networks. What is in greater 
danger of offensive cyber operations by our adversaries: Our networks 
themselves and the data stored in those networks, or physical systems 
that are connected to and dependent upon those networks to successfully 
operate?
    Answer. If one equates ``danger'' and ``risk,'' then one can 
consider the three elements of risk: Threat, vulnerability, and 
consequence. Threat, in turn, is comprised of capability and intent. So 
the question is, which exhibits the larger combination of these risk 
elements: The networks themselves or the physical systems connected to 
them?
    The table below reflects my current thinking.

------------------------------------------------------------------------
          Risk Element                 Networks        Physical Systems
------------------------------------------------------------------------
Threat: Intent..................  Malicious actors    Malicious actors
                                   may be less         may find the
                                   interested in       possible visible
                                   attacking the       consequences of
                                   core networks       successful
                                   because they        physical attacks
                                   depend on them      more attractive
                                   also.               than the less
                                                       visible results
                                                       of network
                                                       attacks.
Threat: Capability..............  Widespread          Knowledge of how
                                   availability of     to attack
                                   attack tools        physical systems
                                   means that a well-  is not wide-
                                   funded and          spread. The
                                   persistent actor    systems are
                                   can inflict         diverse and often
                                   significant         peculiar.
                                   damage, at least
                                   for brief periods.
Vulnerability...................  Most critical       Physical systems
                                   networks are        rely on older
                                   highly defended,    software and
                                   continually         hardware, and the
                                   updated and         long replacement
                                   patched, and        cycles mean these
                                   monitored with a    systems are
                                   24x7 dedicated      softer targets,
                                   security culture.   at least once an
                                                       attacker has
                                                       learned how the
                                                       systems work.
Consequences....................  Since both the      Physical systems
                                   networks            tend to be
                                   themselves and      loosely
                                   the physical        interconnected
                                   systems depend on   and in some ways
                                   the networks, the   locally managed.
                                   consequences of     Thus a system-
                                   major network       wide failure is
                                   failures could be   less likely, at
                                   catastrophic.       least in some
                                                       sectors. Regional
                                                       effects are more
                                                       likely. However,
                                                       service
                                                       restoration time
                                                       could be longer
                                                       as some scarce
                                                       components may
                                                       not be easily
                                                       replaceable.
------------------------------------------------------------------------

    Question 2a. In June 2015, I, along with millions of other Federal 
employees, became the victim of a cyber attack, as my personal data was 
hacked through the Office of Personnel Management. Putting this many 
Government employees' personal information at risk should have never 
happened.
    What actions can we take to improve data encryption across all 
Federal networks?
    Question 2b. Are we simply lacking encryption in certain areas or 
is what we currently employ not good enough?
    Answer. Strong encryption and strong (multi-factor) authentication 
should be mandatory for systems as critical as the one you refer to. 
One must select strong encryption and implement it uniformly and well. 
The current Federal encryption standards provide strong enough 
encryption for Unclassified systems. However, agency implementation is 
likely to be non-uniform and, in some cases, technically incorrect. It 
is by no means obvious that line agencies whose missions are not 
cybersecurity could successfully implement such a policy, were it in 
place. Recent proposals to centralize some aspects of cybersecurity 
responsibility in a civilian agency have merit in this context.
    Question 3. My colleague, Congressman Hurd, has proposed the 
creation of a Cyber Defense National Guard. In August 2016, Congressman 
Hurd suggested, ``The Federal Government could forgive the student loan 
debt of STEM graduates who agreed to work for a specified number of 
years in the Federal Government in cybersecurity jobs at places like 
SSA or Department of the Interior. Furthermore, when those individuals 
moved on to private-sector jobs they would commit 1 weekend a month or 
2 weeks a year to continued Federal service. This would help ensure a 
cross-pollination of experience between the private and public 
sectors.'' What do you think of Congressman Hurd's proposal?
    Answer. While serving at the Department of Homeland Security, I was 
engaged in lengthy discussions along with the Department of Defense 
about the possibilities of a cyber National Guard, a cyber reserves, 
and a cyber volunteer corps of some sort. Each of these ideas has 
advantages and disadvantages based on existing law and policy regarding 
the use of civilian citizens to perform security duties, potential for 
conflicts of interest, costs, etc. Perhaps this is an area that the 
Congressional Research Service could be helpful in investigating.

                                 [all]