[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]



 
               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
                    ASSESSING THE RISK OF KASPERSKY
                 LAB PRODUCTS TO THE FEDERAL GOVERNMENT

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT
               COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            October 25, 2017

                               __________

                           Serial No. 115-33

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 


       Available via the World Wide Web: http://science.house.gov
       
       
       
                            _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 27-672 PDF             WASHINGTON : 2018       

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         ZOE LOFGREN, California
MO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                  ALAN GRAYSON, Florida
THOMAS MASSIE, Kentucky              AMI BERA, California
JIM BRIDENSTINE, Oklahoma            ELIZABETH H. ESTY, Connecticut
RANDY K. WEBER, Texas                MARC A. VEASEY, Texas
STEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia
BRIAN BABIN, Texas                   JACKY ROSEN, Nevada
BARBARA COMSTOCK, Virginia           JERRY MCNERNEY, California
GARY PALMER, Alabama                 ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia            PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois
DARIN LaHOOD, Illinois               MARK TAKANO, California
DANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii
JIM BANKS, Indiana                   CHARLIE CRIST, Florida
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
                                 ------                                

                       Subcommittee on Oversight

                   HON. DARIN LaHOOD, Illinois, Chair
BILL POSEY, Florida                  DONALD S. BEYER, Jr., Virginia, 
THOMAS MASSIE, Kentucky                  Ranking Member
GARY PALMER, Alabama                 JERRY MCNERNEY, California
ROGER W. MARSHALL, Kansas            ED PERLMUTTER, Colorado
CLAY HIGGINS, Louisiana              EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas


                            C O N T E N T S

                            October 25, 2017

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................     4
    Written Statement............................................     6

Statement by Representative Darin LaHood, Chairman, Subcommittee 
  on Oversight, Committee on Science, Space, and Technology, U.S. 
  House of Representatives.......................................     8
    Written Statement............................................    10

Statement by Representative Donald S. Beyer, Jr., Ranking Member, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives......................    12
    Written Statement............................................    14

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives.............................................    16
    Written Statement............................................    17

                               Witnesses:

Ms. Donna Dodson, Associate Director and Chief Cybersecurity 
  Advisor, Information Technology Laboratory; and Chief 
  Cybersecurity Advisor, National Institute of Standards and 
  Technology
    Oral Statement...............................................    18
    Written Statement (Joint statement with Dr. Kent Rochford)...    21

Mr. David Shive, Chief Information Officer, U.S. General Services 
  Administration
    Oral Statement...............................................    27
    Written Statement (Joint statement with Ms. Lisa Casias).....    29

Mr. James Norton, President, Play-Action Strategies LLC; and 
  Adjunct Professor, Johns Hopkins University
    Oral Statement...............................................    34
    Written Statement............................................    35

Mr. Sean Kanuck, Director of Future Conflict and Cyber Security, 
  International Institute for Strategic Studies
    Oral Statement...............................................    44
    Written Statement............................................    46

Discussion.......................................................    54

             Appendix I: Answers to Post-Hearing Questions

Mr. Sean Kanuck, Director of Future Conflict and Cyber Security, 
  International Institute for Strategic Studies..................    70

             Appendix II: Answers to Post-Hearing Questions

Document submitted by Representative Clay Higgins, Committee on 
  Science, Space, and Technology, U.S. House of Representatives..    78

Document submitted by Representative Barry Loudermilk, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................    81


               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
              ASSESSING THE RISK OF KASPERSKY LAB PRODUCTS
                       TO THE FEDERAL GOVERNMENT

                              ----------                              


                      Wednesday, October 25, 2017

                  House of Representatives,
                      Subcommittee on Oversight and
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 10:06 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Darin 
LaHood [Chairman of the Subcommittee] presiding.



    Chairman LaHood. The Subcommittee on Oversight will come to 
order.
    Without objection, the Chair is authorized to declare 
recesses of the Subcommittee at any time.
    I want to welcome you to today's hearing titled 
``Bolstering the Government's Cybersecurity: Assessing the Risk 
of Kaspersky Lab Products to the Federal Government.''
    The subject of today's hearing involves some information 
that is classified. I remind Members that their questions may 
call for a response that the witnesses know to be classified. 
Please be mindful of this fact. I would like to instruct the 
witnesses to answer to the best of their ability, but should an 
answer call for sensitive information, it may be addressed if 
we vote to move into executive session at the end of the 
hearing.
    At this time, I'm going to yield to the Chairman of the 
Full Committee, Chairman Lamar Smith, for his opening statement 
at this time.
    Chairman Smith. Thank you, Mr. Chairman. I appreciate your 
deferring to me and yielding me time, and let me apologize to 
the panelists. I have to leave immediately for a Judiciary 
Committee markup where they are considering a piece of 
legislation that I've introduced, so that's why I have to leave 
early, but perhaps I'll be able to get back.
    Cybersecurity breaches are so prevalent today that it is 
hard to keep track of them. Every news cycle seems to include a 
new major incident. To address the federal government's 
cybersecurity weaknesses, the Committee hopes to bring H.R. 
1224, the NIST Cybersecurity Framework, Assessment, and 
Auditing Act of 2017, to the House Floor for a vote.
    Specific to Kaspersky Lab, new revelations regarding cyber-
espionage continue to surface. This Committee has engaged in 
robust oversight of Kaspersky Lab, thanks to questions raised 
by Congressman Higgins during a hearing in June.
    On July 27, 2017, this Committee requested all federal 
departments and agencies to disclose their use of Kaspersky Lab 
products. This was less than a month after the U.S. General 
Services Administration banned Kaspersky Lab products from its 
government-wide schedule contracts. However, we still have 
questions: Why was the software approved for government use? 
And was removing it from the approved GSA schedule sufficient 
to protect U.S. interests?
    I support this Administration's subsequent actions. The 
interagency working group on cybersecurity has begun to address 
the problem.
    On September 13, 2017, the Department of Homeland Security 
issued a government-wide order directing federal departments 
and agencies to identify and remove the company's products from 
use. In subsequent hearings, we will need to assess whether the 
federal government's response has been sufficient.
    While once considered reputable, Kaspersky Lab, its founder 
and their Russian ties have created a significant risk to U.S. 
security. According to several media investigations, these 
connections have allowed Kaspersky Lab to be exploited not only 
by the Russian government but also by criminal hackers around 
the world. Mr. Kaspersky's history and recent remarks have done 
little to alleviate these concerns.
    As we move forward with this hearing and future hearings, 
we expect to uncover all aspects of Kaspersky Lab. We are 
particularly interested in what led the previous Administration 
to include Kaspersky Lab products on two GSA schedules. I look 
forward to the testimony of Mr. Shive, the GSA Chief 
Administration and Information Officer. I am also interested in 
proactive steps GSA has taken to assist other departments and 
agencies in rooting out the presence of Kaspersky products on 
their systems.
    Also, we need to better understand the recent news related 
to the breach of an NSA contractor's personal computer.
    The threat Kaspersky Lab products present to the government 
has now been publicly identified and confirmed by the Israeli 
government. I urge anyone with knowledge of potential risks to 
contact the Committee and share that information with us. We 
must be vigilant in addressing this wolf in sheep's clothing.
    Thank you, Mr. Chairman. I'll yield back.
    [The prepared statement of Chairman Smith follows:]
    
       
    Chairman LaHood. Thank you, Mr. Chairman.
    At this time I recognize myself for five minutes for an 
opening statement, and again I want to welcome our witnesses 
here today.
    Today we intend to discuss and evaluate the cybersecurity 
posture of the federal government. Specifically, we will 
examine the concerns that this Committee has raised about the 
risks associated with using Kaspersky Lab's products on federal 
information technology systems, as well as actions that the 
Trump Administration has taken in response to these concerns.
    As part of today's hearing, we will hear from government 
and private sector cybersecurity experts about the potential 
risks that Kaspersky Lab products and services pose to agency 
IT systems. In doing so, we hope to find effective and 
efficient ways to improve agency practices related to the 
design, acquisition, development, modernization, use and 
performance of federal IT resources.
    Kaspersky Lab is based in Moscow, Russia, and was founded 
in 1997 by Eugene Kaspersky. The company is one of the world's 
largest providers of cybersecurity software and services, 
including both consumer and enterprise solutions. As early as 
2015, reports began to surface alleging that Mr. Kaspersky 
maintained close ties to Russian spies. Not only for Mr. 
Kaspersky--not only was Mr. Kaspersky educated at a KGB-
sponsored university, he also wrote code for the Soviet 
military.
    In May of this year, the concerns surrounding Kaspersky Lab 
were brought to public light during a Senate Intelligence 
Committee hearing, where several intelligence community 
officials unanimously affirmed they would be uncomfortable 
using Kaspersky Lab's software and services. In June of this 
year, during this Committee's hearing on the WannaCry 
ransomware outbreak, our witnesses expressed similar concerns.
    The matter reached a tipping point in July, when the 
General Services Administration, the GSA, announced the removal 
of Kaspersky Lab products from its preapproved government 
contracts schedules.
    On July 27, the Committee commenced its investigation of 
the matter, with Chairman Smith probing 22 federal departments 
and agencies on their use of Kaspersky Lab products and 
services. Last month, the Trump Administration took another 
step toward addressing the concerns surrounding Kaspersky when 
the Department of Homeland Security issued Binding Operational 
Directive 17-01, ordering all federal departments and agencies 
to remove Kaspersky Lab software from their systems within 90 
days.
    Mr. Kaspersky has been highly critical of the U.S. 
throughout this entire process, frequently arguing that no 
public evidence existed to support the concerns raised about 
his company. Earlier this month, however, several prominent 
American news organizations published startling revelations 
that confirmed this Committee's gravest concerns: the Russian 
government has wielded Kaspersky's software as a tool for 
cyber-espionage. This Administration has been proactively 
remedying the Kaspersky situation, and we must continue to take 
steps to ensure that we do not repeat past mistakes.
    To that end, I look forward to hearing from our expert 
witnesses about how Kaspersky became approved for use on 
federal systems, the policies and procedures that can be 
implemented to bolster the federal government's cybersecurity 
risk-management processes, and the actions that must be taken 
to ensure that federal systems remain secure against nefarious 
cyber actors.
    Thank you.
    [The prepared statement of Chairman LaHood follows:]
    
   
       
    Chairman LaHood. At this time I now recognize the Ranking 
Member, the gentleman from Virginia, for his opening statement.
    Mr. Beyer. Thank you, Chairman LaHood, and thank all of you 
for being with us.
    Security concerns related to the Kaspersky Lab products and 
reported ties between Eugene Kaspersky, his company, and 
Russian intelligence services have been brewing within the U.S. 
intelligence community for years. This is deeply troubling 
given that Kaspersky Lab, whose main product is antivirus 
software, has offices in 32 countries, approximately 270,000 
corporate clients, and its software is used by approximately 
400 million people worldwide. And, until just recently, the 
U.S. Government also used KL software.
    The founder of Kaspersky Lab, Eugene Kaspersky, is a 
software engineer educated at a KGB cryptography institute who 
also worked for the Russian intelligence services before 
starting his software company in 1997. He's been described as 
the Bill Gates of Russia. Despite his background and the 
concerns of the U.S. intelligence community, the company has 
vigorously argued that it has no ties to any government.
    Concerns about connections between Kaspersky Lab and 
Russian intelligence services have become more pronounced over 
the last year. In April, the Senate Intelligence Committee 
asked the Director of National Intelligence and the U.S. 
Attorney General to look into Kaspersky employees' potential 
ties with Russian intelligence. In May, six U.S. intelligence 
agency directors, including the Directors of the CIA and NSA, 
told the Intelligence Committee that they would not be 
comfortable using Kaspersky products on their networks. In 
June, it was reported that FBI agents had interviewed U.S.-
based employees of Kaspersky Lab, and in July, Bloomberg 
Businessweek published a story referencing internal company 
emails that showed a close working relationship between 
Kaspersky Lab and Russian intelligence.
    Finally, earlier this month, the New York Times reported 
that Israeli intelligence were able to determine that Russian 
government hackers have been using the company's software to 
search for the code names of U.S. intelligence programs. 
Specifically, the Israelis discovered that a contractor to the 
National Security Agency had his data compromised over two 
years ago by these Russian hackers after he improperly took 
classified documents home and stored them on his home computer. 
Kaspersky's antivirus software had been installed on the 
contractor's home computer, and KL Lab has repeatedly denied 
any affiliation with the Russian hacking, but just today, the 
company admitted in a blog post that it had collected the NSA 
files through routine malware data collection.
    All of this has led to legitimate security concerns about 
the use of Kaspersky Lab software. I am glad that the U.S. 
Government has realized this. In July, as our Chairman has 
said, the General Services Administration removed Kaspersky Lab 
from its list of approved federal vendors, and, last month, the 
Department of Homeland Security issued a Binding Operational 
Directive banning federal agencies from using any product or 
service offered by KL, giving federal agencies until mid-
December to implement that directive.
    But cybersecurity is no longer simply about defending our 
data from theft. It's also about defending our democracy from 
disinformation campaigns that combine cyber assaults with 
influence operations. Since the 2016 election, it has been 
well-established that Russia has spread falsehoods and 
disinformation, seeking to sow divisions between us and 
confusion among us. This is not, and should not be, a partisan 
issue. Together we should be striving to defend our democracy 
against those who seek to damage it.
    Mr. Chairman, I hope we can have a future hearing where we 
hear from social scientists, researchers, and technical experts 
about the tools and technologies we can employ to help identify 
these evolving threats beyond traditional cybersecurity and 
defend against them.
    I look forward to hearing from all our witnesses today and 
especially Sean Kanuck, who happens to be one of my 
constituents, an expert on these topics. He was appointed the 
first National Intelligence Officer for Cyber Issues in 2011 
and served in that position at the National Security Council 
until 2016. Prior to that he spent ten years at the CIA in 
their Information Operations Center. Today he joins us as the 
Director of Future Conflict and Cyber Security at the 
International Institute for Strategic Studies. So Sean, 
welcome, and I look forward to all of your testimony.
    Mr. Chairman, I yield back.
    [The prepared statement of Mr. Beyer follows:]
    
       
    Chairman LaHood. Thank you, Mr. Beyer.
    At this time I now recognize the Ranking Member of the Full 
Committee, Ms. Johnson, for her opening statement.
    Ms. Johnson. Thank you very much, Mr. Chairman.
    Kaspersky Lab is one of the world's largest cybersecurity 
companies, and makes a popular antivirus program used by 400 
million users worldwide. But recent concerns by the U.S. 
intelligence community about close connections between 
Kaspersky Lab, its founder Eugene Kaspersky, and the Russian 
intelligence services have led to much greater scrutiny of its 
activities.
    This hearing is premised on examining what threat that 
Kaspersky software poses to the federal government. However, 
the federal government has already preemptively addressed that 
threat.
    Last month, the Department of Homeland Security issued a 
directive that required all federal agencies to identify any of 
their networks using Kaspersky Lab software, and gave those 
agencies a 90-day deadline to initiate a plan to remove the 
Kaspersky Lab software from those computer systems. DHS decided 
that the security risk of having a Russian company embedded on 
federal computer networks was simply not worth it. I have 
confidence in the ability of the federal government agencies to 
eliminate the Kaspersky Lab products from their respective 
computer systems.
    I am less confident, though, in our collective ability to 
identify and guard against cyber warfare actions from Russian 
state actors. Russian hackers have infiltrated some of our 
nation's nuclear power plants, private email accounts, and 
state election databases. Russia, according to a publicly 
available Intelligence Community assessment, conducted an 
influence campaign in 2016 to undermine public faith in the 
U.S. democratic process and to harm the campaign chances of 
Hillary Clinton winning the Presidency.
    The intelligence assessment should be a wake-up call for 
all of us. We should expect attempts by foreign actors to 
affect future elections using computer hacking, social media, 
and other means, as was done in 2016.
    Mr. Chairman, prior to the 2016 election, this Committee 
held a hearing to review guidelines for protecting voting and 
election systems including voter registration databases and 
voter machines. I believe a follow-up hearing would be 
appropriate to discuss protecting these same systems, in light 
of last year's events, as well as examining the sophisticated 
influence operations conducted by Russian intelligence services 
to disrupt our democratic processes and damage our democracy. 
With the knowledge of Russian cyber warfare actions in 2016, we 
can have a more robust discussion on the measures hostile 
actors have been using against America's voting infrastructure, 
and we can discuss measures that need to be taken to bolster 
the security of our elections.
    Mr. Chairman, I hope that you seriously consider holding a 
2016 election security postmortem with a focus on what the 
Science Committee can do to help protect the vote going 
forward.
    I thank you, and yield back the balance of my time.
    [The prepared statement of Ms. Johnson follows:]
    
           
    Chairman LaHood. Thank you, Ms. Johnson.
    At this time let me introduce our witnesses here today. Our 
first witness today is Ms. Donna Dodson, Associate Director and 
Chief Cybersecurity Advisor of the Information Technology 
Laboratory, and Chief Cybersecurity Advisor at the National 
Institute of Standards and Technology (NIST). Ms. Dodson began 
her career at NIST in 1987 as a Computer Science Researcher. In 
2010, she was promoted to Computer Security Division Chief for 
NIST. She holds a master's degree in computer science from 
Virginia Tech. Welcome.
    Our second witness is Mr. David Shive, Chief Information 
Officer at the U.S. General Services Administration. Prior to 
being named CIO, Mr. Shive was the Director of the Office of 
Enterprise Infrastructure at the GSA. He received his 
bachelor's degree in physics from California State University 
in Fresno, his master's degree in research meteorology from the 
University of Maryland in College Park, and his postgraduate 
management certificate from the Carnegie Mellon Graduate School 
of Industrial Management.
    Our third witness is Mr. James Norton. He is the founder 
and President of Play-Action Strategies LLC, and an Adjunct 
Professor at Johns Hopkins University. Mr. Norton previously 
served as Vice President of Strategy and Communications for the 
Mission Systems Division at General Dynamics. He holds a 
Bachelor of Science and a master's in business administration 
from Salve Regina University.
    Our last witness today is Mr. Sean Kanuck, Director of 
Future Conflict and Cyber Security at the International 
Institute for Strategic Studies. He previously served as the 
National Intelligence Officer for Cyber Issues from 2011 to 
2016. Mr. Kanuck holds a Bachelor of Arts and law degree from 
Harvard University, a master's of science from the London 
School of Economics, and an LLM from the University of Oslo.
    Thank you all for being here. I will now recognize Ms. 
Dodson for five minutes to present her testimony.

                   TESTIMONY OF DONNA DODSON

    Ms. Dodson. Chairman LaHood, Ranking Member Beyer, and 
members of the Subcommittee, I am Donna Dodson, Chief 
Cybersecurity Advisor for the National Institute of Standards 
and Technology, known as NIST. Thank you for the opportunity to 
appear before you today to discuss NIST's role in cybersecurity 
highlighting the Cybersecurity Framework, referred to as the 
Framework, and the NIST cybersecurity portfolio.
    As a non-regulatory agency, NIST leverages its deep 
technical expertise as well as its power of convener of 
stakeholders to develop and improve solutions to a wide range 
of technical and policy cybersecurity challenges. NIST's role 
in cybersecurity as codified in law is to research, develop, 
and deploy information security standards and technology to 
protect the federal government's non-national security 
information systems against threats to confidentiality, 
integrity, and availability, and to facilitate and support the 
development of voluntary industry-led cybersecurity standards 
and best practices for critical infrastructure.
    In addition to providing resources that organizations of 
all sizes can use to manage cybersecurity risk, NIST also 
provides resources to help organizations recover quickly from 
cybersecurity attacks with confidence that the recovered data 
is accurate, complete, and free of malware and that the 
recovered system is trustworthy and capable.
    I will highlight five of NIST's critical cybersecurity 
programs which are the Cybersecurity Framework, supply-chain 
risk management, cryptography, the National Vulnerability 
Database, and the National Software Reference Library.
    The first resource, the NIST Cybersecurity Framework, or 
Framework, was created in collaboration with industry, academia 
and other government agencies. The Framework consists of 
voluntary standards, guidelines and practices to promote the 
protection of critical infrastructure and to manage 
cybersecurity risks. While originally designed to help protect 
critical infrastructure, numerous businesses use the Framework 
to manage their cybersecurity risk. Since publishing the 
Framework, NIST has released additional guidelines to help 
small businesses manage their cybersecurity risk. Under 
Executive Order 13800, every federal agency or department will 
need to manage their cybersecurity risk by using the Framework 
and then provide a risk management report to OMB and DHS. In 
response to the EO, NIST released the Cybersecurity Framework 
Implementation Guidance for Federal Agencies to help federal 
agencies use the Framework in conjunction with an extensive set 
of NIST cybersecurity risk management standards, guidelines, 
and controls to manage their cybersecurity risk.
    The Cybersecurity Framework also provides guidance for the 
second critical area, which is the security of the supply 
chain. Because of outsourcing, organizations must ensure the 
integrity, security, and resilience of their supply chain. To 
assist in this, NIST established the Supply Chain Risk 
Management program to identify and evaluate effective 
technologies, tools, techniques, practices, and standards that 
help secure an organization's supply chain.
    Another critical area is cryptography. NIST began its work 
in cryptography in 1972. Today, NIST cryptographers research, 
analyze and standardize cryptographic technology. Although 
these standards apply to federal information systems, many 
private-sector organizations voluntarily rely on them to 
protect sensitive personal and business information. NIST also 
runs a program that validates the test results of vendors' 
cryptographic modules to the NIST standard. In this program, 
NIST confirms that a company's underlying cryptography works 
but is not validating the vendor or the company.
    Two final critical components are the National 
Vulnerability Database and the National Software Reference 
Library. NIST maintains the repository for all known and 
publicly reported IT vulnerabilities called the National 
Vulnerability Database, or NVD. The vulnerabilities in the NVD 
are weaknesses in coding found in software and hardware that if 
exploited can impact the integrity of information systems. The 
National Software Reference Library, or NSRL, is another tool 
that, along with DHS and other federal, state and local 
enforcement agencies, is supported by NIST. The NSRL is like 
a fingerprint database for computer files that promotes 
efficient and effective use of computer technology.
    The programs that I have mentioned here are only a portion 
of NIST's portfolio in cybersecurity. NIST's work to provide and 
improve technical and policy solutions to an ever-growing set 
of cybersecurity challenges continues to grow.
    Thank you for the opportunity to testify today. I am happy 
to answer any questions you may have.
    [The prepared statement of Ms. Dodson follows:]
    
       
    Chairman LaHood. Thank you, Ms. Dodson.
    I now recognize Mr. Shive for five minutes to present his 
testimony.

                    TESTIMONY OF DAVID SHIVE

    Mr. Shive. Thank you, and good morning, Chairman LaHood, 
Ranking Member Beyer, and members of the Subcommittee. My name 
is David Shive, and I'm the Chief Information Officer at the 
U.S. General Services Administration. I welcome the opportunity 
to share my organization's experiences related to the 
cybersecurity posture of GSA and the federal government.
    The mission of GSA is to deliver the best value in real 
estate, acquisition, and technology services to government and 
the American people. In support of that, one of my 
organization's key goals in supporting GSA's mission is to 
deliver technology that provides both a secure environment for 
doing business while also ensuring that both IT and business 
continue to run efficiently.
    The Federal Information Security Management Act provides a 
comprehensive framework which helps federal CIOs and federal 
Chief Information Security Officers manage overall information 
technology security risks across federal data and assets. The 
FISMA framework supports the rigorous IT security program 
implemented at GSA by the CISO under the auspices of the CIO's 
authority. Our security program assures the risks to GSA's IT 
systems are assessed and proper security controls implemented 
to mitigate those risks down to an acceptable level. It also 
ensures periodic evaluation and testing of the effectiveness of 
IT security controls, including management, operational, and 
technical controls.
    Furthermore, GSA has a robust incident handling and 
response program that strongly aligns with the NIST 
Cybersecurity Framework. Due to the effectiveness of that 
program, GSA received a rating level of 4, which is managed and 
measurable under ``response'' on the latest FISMA report from 
our Office of the Inspector General (OIG).
    In accordance with FISMA, GSA adheres to all of NIST's 
Federal Information Processing Standards and Special 
Publications in implementing GSA's IT security program. In 
addition, GSA completes a risk-based security assessment in 
accordance with NIST guidance and issues a signed Authority to 
Operate by the authorizing official with concurrence by the 
CISO before any new system goes into production. This is 
accomplished by prioritizing the implementation of security 
controls and focusing on those that have the biggest impact on 
securing the system and data such as securing--ensuring secure 
configurations and patching of vulnerabilities, access 
controls, and auditing and monitoring. GSA is in the process of 
implementing Executive Order 13800. GSA has adopted the 
framework for Improving Critical Infrastructure Cybersecurity 
developed by NIST and has required--as required by the 
Executive Order. GSA has provided a risk management report, as 
well as an action plan to implement the Framework, to the 
Secretary of Homeland Security and the Director of the Office 
of Management and Budget. GSA continues to explore leading edge 
technologies in order to stop the latest and most sophisticated 
attacks from our adversaries. This includes next generation 
antivirus solutions that use machine learning and artificial 
intelligence, as well as advanced detection of malware that is 
embedded in email attachments and links. Both of these 
technologies will greatly protect the end user, which is one of 
the primary vectors for exploiting federal government systems.
    One of GSA's core missions is to assist in procuring goods 
and services that can be made available to federal agencies. 
GSA's Federal Acquisition Service (FAS) offers a continuum of 
voluntary government-wide innovative solutions and services in 
a number of areas. Federal agencies spend approximately $23 
billion annually to acquire IT products and services through 
FAS. This represents only 42 percent of the federal 
government's $55 billion in total IT spend. Significantly, a 
product's placement on a GSA schedule or contract vehicle only 
certifies that the vendor meets the necessary regulatory 
requirements for the product to be sold to the federal 
government. It does not make any value or technical judgment 
about the nature of the product.
    With respect to Kaspersky Lab products, they were available 
from three resale vendors on GSA schedules contracts. On July 
11 of this year, GSA directed the three resellers to remove all 
Kaspersky Lab manufactured products from their catalogs within 
30 days. All three resellers complied. As of today, GSA does 
not offer any Kaspersky Lab manufactured products through our 
GSA schedule contracts.
    GSA took a proactive stance and completed comprehensive 
scanning of all IT assets for the presence of Kaspersky 
products in June of 2017. GSA confirmed that there was no 
installation of such products in our on-premise and cloud-based 
systems, and reported this to DHS in accordance with Binding 
Operational Directive 17-01 on October 4. In addition, GSA's 
FedRAMP PMO is coordinating this activity for the government-
wide cloud service providers that are covered by its ATOs.
    Again, I thank the Subcommittee for its oversight and for 
allowing me the opportunity to contribute to this important 
topic. At this time, I'm happy to take any questions that you 
might have.
    [The prepared statement of Mr. Shive follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
  
    Chairman LaHood. Thank you, Mr. Shive.
    At this time I recognize Mr. Norton for five minutes to 
present his testimony.

                   TESTIMONY OF JAMES NORTON

    Mr. Norton. Thank you. Chairman LaHood, Ranking Member 
Beyer, and members of the Subcommittee, thank you very much for 
inviting me to testify before you today. My name is James 
Norton, and I am the founder and President of Play-Action 
Strategies, a homeland security and cybersecurity consulting 
firm here in Washington, DC. I'm also a member of the faculty 
at Johns Hopkins University.
    Previously, I served in multiple positions at the 
Department of Homeland Security under President George W. Bush 
including as Deputy Assistant Secretary of Legislative Affairs. 
I was a member of the Department's first team tasked with 
confronting the nascent cybersecurity threat.
    Cyber threats pose a real and immediate danger to our 
federal government and the American people it represents. In 
2016, the federal government experienced 30,899 cyber incidents 
that led to the compromise of information or system 
functionality according to the Office of Management and Budget.
    DHS's role in protecting government networks is 
foundational, because the Department cannot be well positioned 
to assist the private sector and serve as a model of best 
practices for state and local governments until it has its own 
federal networks or federal systems secure. In order to meet 
today's challenges, DHS must update its systems and technology 
and strengthen the organization in support of its cybersecurity 
functions. Together these issues have led to the use of 
potentially problematic software that is the subject of today's 
hearing.
    To help DHS meaningfully address these challenges, I offer 
the following recommendations: provide CIOs and other officials 
across federal agencies with the resources necessary to invest 
in high-quality, reliable cybersecurity tools; require the 
development of a trusted vendor list that provides guidance on 
approved cybersecurity vendors with a secure supply chain that 
agencies can have confidence in; work with OMB and the White 
House to prevent redundancy across the federal government so 
that competing cyber organizations do not arise in other 
federal agencies.
    I thank the Committee for holding this important hearing, 
and I look forward to your questions.
    [The prepared statement of Mr. Norton follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
       
    Chairman LaHood. Thank you, Mr. Norton.
    At this time I recognize Mr. Kanuck for five minutes to 
present his testimony.

                    TESTIMONY OF SEAN KANUCK

    Mr. Kanuck. Good morning. Thank you, Chairman LaHood, 
Ranking Member Beyer, and Distinguished Members of Congress. 
It's my pleasure to be here today, and being a strategic threat 
analyst, I'm going to speak directly to the risks theoretically 
posed by Kaspersky Lab and Russian cyber operations.
    First, I think we need to understand the very nature of the 
technologies that Kaspersky products offer. They are complete 
network monitoring solutions that can see all activity on their 
clients' networks, and they have remote administration 
capabilities. In these ways, they are not dissimilar from many 
other IT security vendors' products, but what is important to 
note here is that discussions about surreptitious backdoors in 
these kinds of products are actually a fairly moot point because 
the very nature of these products and services is to have a 
wide-open front door. Clients pay for that 24/7 monitoring of 
their entire network.
    Now, what is interesting is that, in aggregate, that ends up 
providing Kaspersky Lab and other similar vendors incredible 
optics and visibility into global internet activity, including 
malicious software, espionage activities, and other things. In 
essence, it becomes a private global cyber intelligence 
network, and as we've seen from the recent media reports this 
month, that kind of capability is incredibly desired by 
government intelligence actors. If we believe the media reports 
in the public sector, then at least two foreign government 
agencies have exploited Kaspersky's network, and in my mind, 
that makes the question of ``is there a risk through Kaspersky 
products'' nearly tautological because allegedly it's 
already happened twice.
    Furthermore, I do not personally feel it is necessary to 
prove a willful complicity or collaboration by Kaspersky 
employees or the company with the Russian government or any 
other to show that there is a potential risk. That added 
factor, if it were true, would of course be a 
counterintelligence concern and a further cause for prohibiting 
such software or products. But the mere fact alone that foreign 
intelligence agencies have sought access through this implies 
there is a risk.
    So what I think we need to do is actually focus on that 
foreign intelligence threat and let's take a moment to discuss 
Russian cyber posture. I can't do it any justice better than 
Director of National Intelligence Dan Coats did in his 
worldwide threat assessment presentation in May where he 
identified Russia as a primary cyber threat actor of the United 
States with a continued interest in exploiting our networks not 
only for espionage but for influence operations, and that 
testimony further noted that even disruptive actions have been 
undertaken by Russia against targets outside the United States. 
So when we combine that willful interest in adversarial context 
with the telecommunications surveillance and monitoring laws of 
Russia and the access potentially posed by Kaspersky Lab 
products, you have a potent combination.
    Even without complicity, it is theoretically possible that 
all Kaspersky Lab corporate communications transiting nodes in 
Russia could possibly be monitored by the domestic security 
service under their telecom surveillance laws. Therefore, if 
you are trying to examine the full scope of this threat, a 
simple review of Kaspersky's products themselves or the source 
code would not be enough. You have to understand the commands 
that remote administrators or unauthorized third parties may be 
issuing to those client networks through that access point, and 
you must understand traffic routing of the global internet and 
how Kaspersky communications move between its regional offices 
and different counterparts.
    Moving to a strategic risk management perspective, I offer 
that resilience is the key to better security, and my 
witnesses--my fellow witnesses have already spoken to that to 
some degree, and I believe that internal review of one's own 
enterprise assets and who might be trying to compromise them is 
essential.
    I'll conclude by offering a couple thoughts on the 
prohibition of Kaspersky Lab software in U.S. government 
networks. I do believe there's a risk posed, and my assessment 
is primarily based on historical arguments of what has already 
happened as well as the access that I've described and the 
foreign threat actors. I am also aware that U.S. government 
actions against specific named foreign companies may likely 
result in similar backlashes against U.S. corporate entities. 
That's not a security risk assessment; it's political 
realism.
    My last comment will be that I would encourage the U.S. 
government to assess all IT products from all vendors 
regardless of national origin because if we're trying to 
protect sensitive information, we should be fully cognizant 
that foreign intelligence actors will be willing to exploit any 
IT vendor that we're using, even if it's not of their own 
national origin.
    Thank you very much.
    [The prepared statement of Mr. Kanuck follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
       
    Chairman LaHood. Thank you, Mr. Kanuck, for your opening 
statement, and thank all the witnesses for your opening 
statement. We will begin the questioning part of the hearing 
today, and with that, the Chair recognizes himself for five 
minutes.
    I'd like to start. After months of denying any improper 
activity, Kaspersky has claimed that any allegation that they're 
involved with cyber espionage or involved with the Russian 
government is a false allegation, and today there's an article 
by Reuters that came out this morning on the 
cusp of this hearing titled, ``Kaspersky says it obtained 
suspected NSA hacking code from U.S. computer,'' and that 
article goes on to say, and Kaspersky Lab admits ``that its 
security software had taken source code for a secret American 
hacking tool from a personal computer in the United States.'' 
And in fact, in this article, the company admits that it 
exfiltrated the code earlier than previously reported and that 
Kaspersky gained access in 2014, and I think that's troubling 
on a lot of levels.
    Let me just start off with you, Mr. Norton. Should the 
federal government have known about this incident?
    Mr. Norton. Thank you for the question. You know, I think 
that we need to take into effect that there's kind of the 
military side of federal networks, the military networks, and 
then there's the civilian side of networks, and I think, you 
know, what we're seeing today is that it's been years of really 
underfunded networks where we haven't really had the capability 
or the staffing or the opportunity to really take a look, an 
internal look at, you know, what is on the network outside of 
kind of these kind of clean-up that's going on right now in 
terms of removing what's on there. So I think that, you know, 
we need to take into effect that we haven't really taken this 
issue seriously. The Executive Branch is just now looking at 
this in the last couple of years and so I think that it's 
obviously a big miss and there's been a lot of success in terms 
of foreign adversaries being able to infiltrate not only the 
DOD, DHS and other networks as well as civilian networks, and 
so I think that it's definitely an issue that it's important 
that it's being covered in this hearing and that it is 
something that we need to know going forward. However, you 
know, I think we just haven't had the capability in place over 
the last couple of years to even know what's there, and I think 
that's part of the trouble.
    Chairman LaHood. And Mr. Norton, what are the consequences 
of this revelation?
    Mr. Norton. Well, I think what you're seeing today is the 
government essentially scrambling to fix this. I think the fact 
that Homeland Security Secretary had this public announcement 
of removing the software is really alarming in the sense that, 
you know, for it to raise to that level, for the Secretary to 
put out an immediate edict across the federal government, I 
think that is certainly troubling and that's something that it 
says that we're not where we need to be and we have a long way 
to go to get there in terms of securing our networks.
    Chairman LaHood. And does it surprise you that Kaspersky 
has denied this all the way through until today?
    Mr. Norton. You know, I don't have access to all the 
intelligence. You know, I think that the issue is not only, you 
know, Kaspersky but I think other, you know, possible intruders 
that are, you know, on the network that are there. So I think 
this is absolutely a global issue. I think that, you know, for 
DHS and other intelligence communities to probably share more 
would be a good thing so the general public has a sense of what 
this means and how it is impacting our networks, so I think 
it's important for them to tell us a little bit more so we know 
what's going on.
    Chairman LaHood. Ms. Dodson, same question for you in terms 
of should the federal government have known about this incident 
and what are the consequences of this revelation?
    Ms. Dodson. So from the NIST perspective, security controls 
that we provide through our guidelines and special publications 
provide guidance on how to set up security for networks and be 
able to take a look at those. But a second critical issue 
relates to supply chain, and that is the ability to understand 
your suppliers, the kinds of products and services that you 
have and that you're using in your systems. NIST has been 
working with the federal government and with industry to 
develop supply chain guidelines as part of the Framework for 
Improving Critical Infrastructure that can be used to give 
organizations a much better understanding of those suppliers so 
that they can have the trust and confidence that they need when 
they put these products and services on their networks.
    Chairman LaHood. As a follow-up on that, can you--what 
confidence can you give us that the NSA, their ability to stay 
ahead of our adversaries on this issue?
    Ms. Dodson. I can't speak for another organization such 
as----
    Chairman LaHood. Do you have an opinion on that?
    Ms. Dodson. The federal government as a whole is taking the 
threat issues very seriously across government and working with 
industry to set up information-sharing systems so that as 
threat issues come up we can act and respond quickly. We are 
all taking this kind of issue very, very seriously.
    Chairman LaHood. Thank you.
    I now yield to Mr. Beyer for his questions.
    Mr. Beyer. Thank you, Mr. Chairman, very much.
    Mr. Norton, thank you for bringing up the LPTA issue. I 
will just quote you quickly: ``Many CIOs are forced to abide by 
the lowest price technically acceptable, LPTA standard, which 
often means they don't end up with the best products.'' I couldn't 
agree more, and we have a bipartisan bill, Mark Meadows and I, 
which has been reported out of the Oversight and Government 
Reform Committee unanimously. So if you can help us get it on 
the House Floor, we can get it passed unanimously and send it 
over to the Senate and not tie the hands of our purchasing 
agents on lowest price rather than encouraging them to get the 
best value.
    Mr. Kanuck, Ms. Dodson talked about the voluntary risk-
based, flexible, repeatable and cost-effective approach of the 
NIST Framework. So that's for the federal government. At what 
point do we ever consider making it mandatory across the U.S. 
business community or mandatory for subcontractors of the 
federal government? When do we elevate it to just beyond where 
we are?
    Mr. Kanuck. Currently, that is not the approach under law 
and regulation. Private-sector entities are left to their own 
corporate policies and hiring cybersecurity elements to assist 
them. As far as taking legislative or regulatory actions to 
mandate certain activities, that may be forthcoming in the 
future but I cannot speculate on that. What the NIST Framework 
does is, it provides a baseline for a lot of the private sector 
to emulate what the government is doing and is required as Ms. 
Dodson said. I think that is universally viewed as a positive. 
And the challenge remains, is the U.S. government going to 
force actions on the private sector, and there are pros and 
cons to that.
    Mr. Beyer. One of the things we may think about is, do we 
begin with government contractors?
    Mr. Kanuck. That is actually a very interesting point to 
start, and clearly in the defense industrial base that is done 
through the procurement power of requiring certain aspects of 
cybersecurity to be utilized or followed by entities that are 
contracting with the U.S. government, and there's been success 
with that model. So that may be a model to be extended beyond 
just the defense contracting community. I think that would be a 
wise option.
    Mr. Beyer. Mr. Kanuck, you probably know what's been called 
the Gerasimov Doctrine, so I'll take a moment to explain to 
others who may not have read it.
    In 2013, General Valery Gerasimov, Russia's Chief of the 
General Staff, or head of its military, published an article 
titled ``The Value of Science is in the Foresight'' in a weekly 
Russian trade paper in which he let out--laid out his theory of 
modern warfare. He blends tactics developed by the Soviets with 
strategic military thinking about total war, which looks much 
more like the hacking of an enemy's society than attacking it 
head on. He wrote, ``The very rules of war have changed. The 
role of non-military means of achieving political and strategic 
goals have grown. In many cases, they have exceeded the power 
of the force of weapons and their effectiveness. All of this is 
supplemented by military means of a concealed character.''
    So Mr. Kanuck, do you believe that we're seeing the 
Gerasimov Doctrine in practice during this last election cycle, 
and what are they trying to achieve by engaging these 
aggressive assaults on our democracy?
    Mr. Kanuck. Well, I think you're not only seeing it in the 
form of influence operations in recent democratic elections in 
the United States and/or France, I think you've also seen it 
conjoined with military operations in Crimea or Ukraine as 
well. The Russian Federation, as I alluded to in my written 
comments and my opening statement, is very active in the area 
of information operations beyond the simple layer of cyber or 
critical infrastructure issues that we tend to think about. 
They actually used the word ``information confrontation'' when 
discussing this issue, and that is a wholesale part of their 
strategic paradigm. You can read it in the open translations of 
their strategic doctrine from 2000 onwards, and as you 
articulated it, I would wholeheartedly concur that you are 
seeing that assault on the intellectual and media space of 
societies through cyber means. What they have found is the 
perfect tool set, whether it's social media, remote hacking, et 
cetera, to achieve their philosophical objective through that 
stated doctrine.
    Mr. Beyer. Thank you. Quick question. You wrote that all 
similar companies, the antivirus, could be unwittingly 
exploited by third parties. How at risk are Norton and McAfee 
of this, you know----
    Mr. Kanuck. I am not----
    Mr. Beyer. --especially when you talk about they create the 
open front door.
    Mr. Kanuck. So I'm not prepared to talk critically about 
other companies besides Kaspersky today. I will say, though, 
that a proper review of the features of a lot of these security 
software would allow you to do a proper assessment, and quite 
frankly, in my experience, foreign intelligence actors and 
criminals alike, once they find out who has access to the 
network they seek access to, will attempt to derive ways to exploit 
that path in, and it's a matter of intent and resources. I do 
not believe there is any network or any product that is 
perfectly secure. It's all a risk management issue.
    Chairman LaHood. Thank you, Mr. Beyer.
    I now yield to Mr. Higgins for his questions.
    Mr. Higgins. Thank you, Mr. Chairman. I ask unanimous 
consent to enter a letter from Mr. Troy Newman, a cybersecurity 
professional with whom I consulted, to the record.
    Chairman LaHood. Without objection.
    [The information appears in Appendix II]
    Mr. Higgins. Thank you, Mr. Chairman.
    Ms. Dodson, how long have you been a cybersecurity advisor 
for the United States government?
    Ms. Dodson. I have worked at NIST since 1987, and I've been 
the Chief Cybersecurity Advisor for about four years.
    Mr. Higgins. So you were in place in 2012?
    Ms. Dodson. Yes.
    Mr. Higgins. You mentioned in one of your responses that 
the U.S. government is taking cybersecurity and the realm of 
cyberattack very seriously. Were we taking it very seriously in 
2012 when the State Department contracted with Kaspersky?
    Ms. Dodson. The federal government has been working on 
issues related to supply chain for about seven years, and we 
continue to work on our guidelines there as the complexity of 
our systems continue to grow. There are challenges in 
understanding all that we have in our networks but it's 
necessary to do that, and our work with the Framework to 
improve critical infrastructure cybersecurity provided some 
opportunities to think about supply chain, to think about 
resiliency in our networks so that we can understand cyber 
threat and respond quickly to those.
    Mr. Higgins. So in your opinion, the United States 
government was taking cybersecurity very seriously in 2012?
    Ms. Dodson. I think NIST has been taking cybersecurity 
seriously----
    Mr. Higgins. Very well.
    Ms. Dodson. --for a very long time.
    Mr. Higgins. Mr. Chairman, Kaspersky product has over 400 
million users nationwide. It's widely known Kaspersky's ties to 
the FSB. That's the Federal Security Service, the Russian 
Federation. FSB is the main successor to the Soviet Union's 
former KGB. Kaspersky is headquartered in Moscow 
in the former KGB headquarter buildings in Lubyanka Square, and 
yet in 2012, the United States State Department contracted with 
Kaspersky. I read from Mr. Newman's letter that I entered into 
the official record earlier. Many security software users 
believe that security software is akin to a shield, that this 
shield wards off would-be attackers. The reality is that 
security software is more similar to an inoculation, as Mr. 
Kanuck pointed out earlier. Security software resides deep 
inside the computers and infrastructure within the very most 
sensitive and secure areas. In order to install any effective 
security software, we must first expose the system, making all 
information vulnerable. The security software has full access 
to all input and output operations. Security software is fully 
embedded in such a way that it has complete access to total--to 
the entire system.
    Mr. Shive, you're familiar with the end-user license 
agreement for security?
    Mr. Shive. Yes, I am.
    Mr. Higgins. That's the part that most Americans when we 
purchase a cybersecurity product, it appears on the screen and 
it's a lot of language that we don't read, we just click ``I 
agree.'' Is that correct?
    Mr. Shive. Yes.
    Mr. Higgins. The end-user license agreement for Kaspersky 
systems is governed by the laws of the United States or by the 
laws of the Russian Federation?
    Mr. Shive. If they're doing business in the United States, 
it would be governed by the United States.
    Mr. Higgins. The end-user license agreement for Kaspersky 
products, Mr. Chairman, according to my research, is governed 
by the laws of the Russian Federation. We have certainly begun 
recently taking cybersecurity very seriously, but I find it 
alarming that although it was rather well known within the 
cybersecurity realm that Kaspersky was--you know, posed a 
particular risk--we continued to do business with them until 
very recently.
    Let me just ask quickly, Mr. Shive. Are U.S. government 
employees restricted from using Kaspersky products, devices, on 
their own at this time?
    Mr. Shive. I can't speak for the entire government. TSA 
employees are not restricted.
    Mr. Higgins. Are Kaspersky products still allowed to be 
purchased by U.S. government agencies outside or separate from 
the GSA contract process?
    Mr. Shive. Not if they're going to comply with the Binding 
Operational Directive that DHS published.
    Mr. Higgins. And my colleague asked earlier, are U.S. 
government contractors restricted from using Kaspersky 
products?
    Mr. Shive. Yes, they are as a result of the Binding 
Operational Directive.
    Mr. Higgins. Mr. Chairman, my time has expired. I thank you 
for your cooperation.
    Chairman LaHood. Thank you, Mr. Higgins.
    I now yield to Ms. Johnson for her questions.
    Ms. Johnson. Thank you very much.
    Mr. Kanuck, the Russians appear to have a very good 
understanding of ways that they can attempt to influence 
America's views on certain issues or disrupt democratic 
institutions. Social scientists are now working with 
journalists and technologists and others to help understand 
these techniques and to identify them in order to forewarn the 
public about the covert efforts that intentionally generate 
disinformation and fake news for political purpose. Do you 
believe a robust understanding of social science and investment 
in the area of research can be applied to helping to thwart 
these sort of disinformation influence campaigns in the future?
    Mr. Kanuck. Absolutely. I think we would want a triumvirate 
of government initiative efforts to protect systems. I think we 
would want the corporations whose social media or other 
platforms are being exploited to join the effort to preserve 
the integrity of their own corporate interests and networks. 
And then finally, broader public awareness and education to 
appreciate the risk and to take measures to secure their own 
systems would all be beneficial.
    Ms. Johnson. Are there technologies we might be able to 
invest in to get a better grasp on this?
    Mr. Kanuck. Certainly. There are a number of different 
innovative proposals, some being offered in the social-media 
community, others in blockchain technology. I believe this 
Committee even had discussions of quantum computing and quantum 
cryptography recently. So there are a number of different 
innovative technologies which may offer some additional 
security solutions in the future, and I do hope that both 
government and private-sector initiatives pursue them because 
as of right now, it is incredibly difficult to detect and/or 
prevent the kind of influence operations which you were 
referring to.
    Ms. Johnson. Thank you very much.
    I yield back Mr. Chairman.
    Chairman LaHood. Thank you, Ms. Johnson.
    At this time I'll yield to Mr. Posey--no, he's not there. 
We'll go to Mr. Marshall, Dr. Marshall of Kansas.
    Mr. Marshall. Thank you, Mr. Chairman.
    I think I'll start with Ms. Shive. Mr. Shive, is there a 
problem with the Kaspersky software now? Is there really a 
problem with it?
    Mr. Shive. So the GSA position for Kaspersky is, there was 
a problem with them being entered onto GSA schedules the way 
that they were entered onto GSA schedules, hence them being 
removed. GSA doesn't run Kaspersky products so we haven't done 
deep and rich analysis into the capabilities or technologies 
associated with that.
    Mr. Marshall. Was or is the Kaspersky Lab a threat to 
national security?
    Mr. Shive. I'm not in a position to answer that. Our 
partners at DHS felt there was something significant enough to 
bar use of Kaspersky in the----
    Mr. Marshall. When do you think they first would have 
thought or been concerned, approximately?
    Mr. Shive. Who is ``they''?
    Mr. Marshall. DHS is who you mentioned.
    Mr. Shive. Right.
    Mr. Marshall. Or GSA, either one.
    Mr. Shive. So GSA became aware that there was some 
discussion about the risk associated with Kaspersky at the end 
of last year, and then as news came out, we did a couple of 
evaluations on the GSA internal enterprise. When we found that 
we weren't running Kaspersky internally, we did no further deep 
and rich analysis of the technology embedded within Kaspersky. 
DHS can speak to when they became aware of----
    Mr. Marshall. Mr. Kanuck, our friends in Israel obviously 
go back to 2014, it looks like, with a concern about that. Is 
that accurate that the Israeli government maybe alerted us in 
2014 that there was a problem?
    Mr. Kanuck. Given the unclassified nature of this hearing, 
I'm going to have to simply refer to the recent media 
discussions that I saw in the New York Times, Washington Post, 
and Guardian and others that took it back to 2015.
    Mr. Marshall. Okay. Mr. Norton, when the government 
identifies a problem in this aspect, whose responsibility is it 
to fix something like this? Is it particular to the people that 
are running the software or this is a bigger problem, maybe 
more of a national-security problem? Whose responsibility is it 
to fix the problem?
    Mr. Norton. That's absolutely a national-security issue. I 
think that, you know, on paper it's the Department of Homeland 
Security's challenge for the civilian side of the networks to 
fix this problem and to alert their other federal partners. I 
think that DHS has been challenged essentially since day one to 
kind of work their way around the bureaucracy that we have.
    Mr. Marshall. It looks like to me this probably has been 
going on for two or three years. Frankly, I'm embarrassed. I've 
helped run a hospital as well as part of a bank. I've seen 
us take on all these IT problems over the past decade. 
Absolutely convinced that if Thursday morning this is presented 
to me and we weren't solving the problem by Friday that people 
would have been fired and lost their job over it, and this 
looks like to me it took three years when we knew there was a 
problem, a potential problem. Even if it was just a potential 
problem, if it's a national-security issue, we should have been 
fixing it yesterday, not tomorrow. Am I--what's wrong with my 
expectations, Mr. Norton?
    Mr. Norton. I think your expectations are absolutely fair 
and they're right on, and I think that the government has----
    Mr. Marshall. Mr. Kanuck, are my expectations unrealistic?
    Mr. Kanuck. I think the desire to remediate things as soon 
as possible is very well placed. I'm also aware that the speed 
of changes in government can occasionally be slow.
    Mr. Marshall. Okay. You know, I think of this concept of 
the fox and the henhouse. Again, I go back to my experience 
working with a hospital and bank. If we would have vendors 
applying to do our IT and to protect our stuff, and if I would 
have brought to the board people with connections to the 
Russian government, A, they would have probably fired me, and 
B, they would have fired the IT person who even let them in the 
door. I mean, did this pass the sniff test, Mr. Kanuck? Would 
they pass the sniff test today to get this type of contract?
    Mr. Kanuck. If it's meant to protect the information of a 
sensitive national security type, I would think that it would 
not pass the sniff test because of the foreign penetrations and 
foreign influence that we have previously discussed here.
    Mr. Marshall. Mr. Shive, in today's environment, would they 
pass--the smell test is a better term. I've been corrected by 
my colleagues across the aisle. We called it sniff in Kansas. 
Maybe it's smell other----
    Mr. Shive. Again, because we don't run that particular 
software, I can't say specifically, and we don't base those 
evaluations on press reports. What I can say is that every 
agency CIO has a responsibility and obligation to vet any 
software or technology or process that runs in that 
organization, and that if Kaspersky or any similar tool was 
going to be entered into service in that agency, it would be 
put through a battery of tests to evaluate whether or not it 
was suitable for that environment.
    Mr. Marshall. Mr. Chairman, may I have 30 more seconds?
    Chairman LaHood. I'll yield you 30 more seconds.
    Mr. Marshall. You know, it feels like with all these IT 
issues that we have, people are trying to rob the bank, and as 
long as they don't get--as long as they don't rob the bank, we 
don't prosecute them. What do we do when people are just trying 
to rob the bank? So all these attacks on us, people are trying 
to rob the bank. They're trying to rob us of information? 
What's the solution to trying to--I mean, my gosh, I can't 
believe this goes on this much. They're robbing--they're trying 
to rob the bank, they don't accomplish it, so it seems like 
nothing happens to them. Does anybody have a solution, a short 
solution? Mr. Kanuck, you raised your hand.
    Mr. Kanuck. Where we lack the ability to have cooperative 
international law enforcement or forensic capabilities to 
identify and prosecute those individuals, we are left with 
recourse to improving our own networks' resiliency.
    Mr. Marshall. Thank you. I yield back.
    Chairman LaHood. Thank you, Dr. Marshall.
    I now yield to Mr. McNerney.
    Mr. McNerney. I thank the Chairman. I thank the witnesses. 
It's certainly an important subject and I want to pursue a 
little bit.
    Mr. Norton, in your written testimony, you mentioned that 
budget cuts across the federal government are affecting--are 
forcing federal officials to use the lowest price technically 
available standards. What aspects of security might be 
compromised as a result of that lowering of standards?
    Mr. Norton. Well, I think that, you know, sequestration, 
which was put in place seven or eight years ago, right now what 
we're seeing is the impacts of sequestration where we've 
essentially conditioned government executives, CIOs, other 
managers to really look for that LPTA product and they might 
not necessarily look for the best type of software that's 
available, maybe something that's customized, something that 
might fit the particular need of an agency, and also we're 
seeing where they're not turning on the software to fully 
capability and that they maybe use part of an acquisition and 
maybe not all of it and so I think all that goes to not having 
enough resources and being kind of constrained to the 
sequestration that's essentially still in place and kind of 
hovering----
    Mr. McNerney. Are there specific examples you could submit 
to the Committee of this phenomenon you're describing?
    Mr. Norton. I think that broadly I would say, you know, 
program to program from, you know, federal agencies, you know, 
like at DHS where they have, you know, component agencies like 
Customs and Border Protection or other places where, you know, 
you've got components that are purchased that might not 
necessarily have a cyber component, you know, put inside of it.
    I think if you think about the commercial attack back in 
October of last year where essentially the internet was slowed 
down because they were attacking a piece of the internet from a 
small company in, you know, New Hampshire. You find these 
little parts that can be exploited and slow down the internet 
overall, and you think of that broadly in terms of other 
products that maybe are purchased day to day at, you know, Best 
Buy, for example, that don't necessarily have cyber built into 
it goes to that lowest price technically acceptable.
    Mr. McNerney. Thank you.
    Mr. Shive, are commercial antivirus computer security 
software products made by other companies also potentially 
vulnerable to the same sorts of exploitation as in the case of 
Kaspersky?
    Mr. Shive. Because of the persistent nature of the threat, 
all software is vulnerable, and that's why CIOs have the 
obligation to assess that software before they enter it 
into service in each of their agencies.
    Mr. McNerney. Do you have any recommendations for federal--
to protect federal systems?
    Mr. Shive. Increased investment in cybersecurity is a very 
good idea.
    Mr. McNerney. Ms. Dodson, has NIST made available any 
guidelines or best practices concerning security of voting 
infrastructure?
    Ms. Dodson. NIST has developed guidelines for voting 
infrastructures that relate to cybersecurity and in particular 
looking at risk-management processes that can be put in place 
for the different phases of voting systems and voting use.
    Mr. McNerney. Should NIST be doing more in this arena?
    Ms. Dodson. NIST is continuing to work with the voting 
community as well as the Department of Homeland Security as 
they are also looking at security and voting systems, so we are 
continuing our efforts there.
    Mr. McNerney. Okay. What limitations do you face?
    Ms. Dodson. I'm sorry. What kind of limitation do we face 
in----
    Mr. McNerney. Right.
    Ms. Dodson. So NIST continues to look at a number of 
different aspects of voting and work with that community. We 
are looking at security. We are looking at the interoperability 
and the usability, so many different aspects of voting systems 
to support the United States and to support the different 
states as they're developing and implementing their solutions.
    Mr. McNerney. Thank you. Mr. Shive, what would you 
recommend small businesses do to strengthen their cybersecurity 
networks and practices?
    Mr. Shive. For small businesses, employ the best practices 
that exist for large business and government in their 
cybersecurity practices, make an emphasis and focus on 
cybersecurity from the ground up at the beginning of creation 
of their product, tools, process or service rather than as a 
bolt on at the end.
    Mr. McNerney. But a lot of these small businesses don't 
have the resources to have an IT person to take care of those 
issues.
    Mr. Shive. And then they'll suffer the same fate that every 
other corporation that makes that fundamental mistake does and 
they'll go out of business.
    Mr. McNerney. Thank you. Mr. Chairman, I yield back.
    Chairman LaHood. Thank you, Mr. McNerney.
    I now yield to the gentleman from South Carolina, Mr. 
Norman.
    Mr. Norman. Thank you, Mr. Chairman.
    Mr. Shive, when we talk about getting on the GSA's 
preapproved contract list, who's got the final approval? Is it 
a person, is it a group? Who would make the final call on that?
    Mr. Shive. The Federal Acquisition Service in GSA, which is 
made up of contracting officers, lawyers, and business 
professionals who interact with the vendor community and create 
a framework for their entrance into the schedules.
    Mr. Norman. How many people is that?
    Mr. Shive. I can get back to you with the number. I think 
it's around 6,000 people.
    Mr. Norman. Okay. Now, was Congressman Higgins right when 
he mentioned the fine print of being under the--and I forget 
which agency he mentioned but being under the, I guess the 
legal guidelines of Soviet Union rather than the United States? 
Is that right?
    Mr. Shive. So thank you for asking that clarifying 
question. So every company has a EULA as a part of their 
business practice. The federal government, the U.S. federal 
government is not obligated under that EULA to enter service. 
There's a negotiation that takes place that includes on the 
government side lawyers and contracting officers that assess 
the EULA relative to the regulation and policy of the federal 
government. If there's a disconnect there, then the vendor 
can't do business with government.
    Mr. Norman. Okay. So going forward, would that be--would 
any changes be made on that?
    Mr. Shive. No. I think it's a good process to have 
government lawyers and contracting officers scanning that test 
for corporations and making sure that it complies with federal 
regulation and law.
    Mr. Norman. Okay. And Mr. Shive, in your testimony you note 
that three resellers included Kaspersky's products without 
taking appropriate steps to modify the contracts. Is that 
right?
    Mr. Shive. That's right.
    Mr. Norman. Did these three resellers comply with the GSA's 
request to remove Kaspersky products from the list?
    Mr. Shive. Yes, they did so immediately.
    Mr. Norman. After the fact?
    Mr. Shive. Yes.
    Mr. Norman. Okay. Did the GSA evaluate whether these three 
resellers needed to be sanctioned for including the products?
    Mr. Shive. I'm not aware of the sanctioning process, of any 
sanctioning process.
    Mr. Norman. Do you think there need to be sanctions, at 
least go down--to go down that path to have consequences? 
Because it looks like just from what I'm hearing has really 
been the--there's no consequences on this.
    Mr. Shive. Right. So I'm actually not saying that there 
were or were not consequences. I just don't know if there was. 
We can circle back to you and get you that information.
    Mr. Norman. Like Congressman Marshall mentioned, you know, 
the consequences in the private sector, the consequences in 
just about everything in the political arena, and it looks like 
there ought to be consequences with this. It's pretty serious 
from what I'm hearing today.
    Mr. Shive. Understood. We're happy to circle back with you 
and let you know what the consequences were, if there were in 
fact any.
    Mr. Norman. Thanks so much.
    I yield back, Mr. Chairman.
    Chairman LaHood. Thank you, Mr. Norman.
    I now will yield to Mr. Perlmutter from Colorado.
    Mr. Perlmutter. I thank the Chair, and just an inquiry of 
the Chair. Was Mr. Kaspersky invited to testify or somebody 
from his organization?
    Chairman LaHood. Not to today's hearing. I know that we 
plan to have a few more hearings on this, and we'll entertain 
that as we move along.
    Mr. Perlmutter. All right. Thank you.
    And Mr. Norton, it's good to see you. We've had two records 
today. You have had the shortest opening statement, and the 
Ranking Member had the shortest questioning along with Mr. 
Norman today that we've had I think on this Committee of all 
time, so thank you all.
    You know, over time the computers I've had, I've had 
McAfee, I've had Kaspersky, and I've had--and Mr. Norton, I 
don't think it's your company but I've had Norton antivirus 
too.
    Mr. Norton. It is not my company.
    Mr. Perlmutter. I think this is a very important hearing 
we're having today. Mr. Higgins talked about the KGB 
potentially having access into governmental records, talked 
about--I think Dr. Marshall talked about the fox in the 
henhouse and robbing the bank or attempting to rob the bank, 
and words like ``trusted'' and ``complicit'' and ``willful'' 
and ``adversarial'' and ``espionage'' and ``intelligence risk'' 
and ``national security'' have been bandied about today. What--
I'll start with you, Mr. Kanuck. What is it that we're worried 
about here?
    Mr. Kanuck. I believe we're particularly worried about the 
ability for unauthorized users to access systems and either 
steal confidential information or disrupt the availability of----
    Mr. Perlmutter. But a particular unauthorized user, who is 
that? What is that?
    Mr. Kanuck. Well, from my role as a Strategic Threat 
Analyst, I would say there are numerous of them in the 
international space. The one we seem to be focusing on today is 
the Russian threat actor and that has theoretically, according 
to open-source reporting, exploited Kaspersky products to that 
end.
    Mr. Perlmutter. Mr. Norton, are you familiar with Guccifer 
2.0?
    Mr. Norton. Yes.
    Mr. Perlmutter. What is that?
    Mr. Norton. Well, essentially it's hacktivism, if you will, 
in terms of, you know, hacking into, finding information, you 
know, getting into a system and then pulling information out. I 
think your assessment in terms of what exactly we're talking 
about here is a great point. I think there are multiple 
threats. Whether they're here domestically or they're 
international, I think the government is woefully behind in 
terms of preparation in terms of what we've done now and what 
we need to do, you know, going forward. I think that we seem to 
be having, you know, these type of discussions every 6 to 12 
months with these massive hacks that are occurring, and I think 
that, you know, it's time to really kind of move on and figure 
out what is the next step, whether it's massive research and 
development funding for the government to hire these, you know, 
more experts, bring people in to government. I think that 
we've, you know, kind of assigned this opportunity to CIOs and 
other people within the government that have had traditional 
roles and now they seem to be the cybersecurity experts, and I 
think they obviously do a great job for us but I also think 
they need more help and more services and more, you know, 
support.
    Mr. Perlmutter. And the Congress has got to be in the lead 
hopefully of providing those resources, which I think you now 
mentioned and Mr. Kanuck mentioned.
    So let me move to NIST and to the GSA for just a second and 
then I've got a political statement I want to make. I think one 
of the places where we can harden systems especially for small 
business is through small business taking advantage of the NIST 
Framework and that the GSA in its protocols demand that small 
business have access, you know, taking advantage of those NIST 
protocols or Framework, just if the two of you would comment 
real quickly.
    Ms. Dodson. NIST has developed some guidance specifically 
for small businesses around the Framework to make that publicly 
available, and we've worked with the Small Business 
Administration, with our Manufacturing Extension Partnership 
and others to make sure these guidelines are available and that 
small businesses can find out about them.
    Mr. Perlmutter. But for you, they're guidelines. For GSA, 
they could demand something like that as part of the purchase.
    Mr. Shive. And that's exactly right. Increasingly we find 
that business both big and small is increasingly availing 
themselves of NIST policy, guide work and frameworks because 
it's good IT and cybersecurity practice. As a CIO who purchases 
software and technologies, increasingly I'm asking my vendor 
partners to conform to those standards as well.
    Mr. Perlmutter. If I could have just a few more seconds, 
Mr. Chairman----
    Chairman LaHood. Absolutely.
    Mr. Perlmutter. --for my political statement?
    Chairman LaHood. It depends on what it is but----
    Mr. Perlmutter. Well, you're not going to like it but I 
mean, I think this is a very important subject but obviously, 
you know, when we have at the White House an investigation 
between connections between the White House and many of its 
people with the guy who was the former head of the KGB, 
Vladimir Putin, then we've got a lot of ground to cover, 
whether it's within the cybersecurity or as to, you know, just 
basic old personal relationships and not have too many front 
doors to Russia because I think that is jeopardizing our 
national security, and with that, I yield back.
    Chairman LaHood. Thank you, Mr. Perlmutter.
    At this time I'll yield to Mr. Loudermilk of Georgia.
    Mr. Loudermilk. Thank you, Mr. Chairman, and thank all of 
you for being here today.
    Spending 20 years in the IT industry, actually 30 if you 
include my time in the intelligence community when I was in the 
military, there are so many aspects of this issue that are so 
disturbing that I can't even get my hands around all of it, and 
some of it outside of this hearing such as an intelligence 
analyst taking classified material home. I mean, that was a 
felony when I was in the intelligence community. And then 
somebody who is in that arena having pirated software, I mean, 
anybody who works in this arena at all, you know that if it's 
pirated software, it's dirty. It's likely dirty in some way. So 
anyhow, that's outside the scope of this. This happened in a 
previous Administration and hopefully we're cleaning up some of 
the looseness that we've had in the intelligence community, but 
I'm reading an article from Associated Press which, Mr. 
Chairman, I'd like to introduce into the record.
    Chairman LaHood. Without objection.
    [The information appears in Appendix II]
    Mr. Loudermilk. This thing reads like a Clancy novel, the 
Israelis spying on the Russians who are spying on us, and they 
alert us to the fact that the Russians are gaining information 
that are being captured through this software.
    Mr. Norton, in your experience, if a cybersecurity company 
comes across, whether intentional or unintentional, comes 
across classified information, I would think, through my 
experience, that it not only legally but professionally you 
should alert the agency of which it came from that--or at least 
the proper officials that you have come across this 
information. Am I wrong in that? Is that something that you 
would assess if somebody just happened to come across this 
information they would alert?
    Mr. Norton. I think in the last couple of years that there 
has been an effort in terms of sharing information amongst DHS 
and other, you know, companies across the cyber realm, if you 
will, in terms of moving information back and forth certainly 
could be better but I think the process has started and I think 
as you're seeing professionals kind of cross into the private 
sector and back into government and back and forth, it's 
getting a little bit better, but absolutely, it's something 
that we need to continue to get our arms around and do a better 
job.
    Mr. Loudermilk. I mean, if in your business you come across 
a piece of classified information that was not within your 
realm of need to know, you would report to someone?
    Mr. Norton. Of course.
    Mr. Loudermilk. Okay. In this article from Associated 
Press, you know, they reported that Israel notified us that 
Russia was gaining classified information using the software. 
Eugene Kaspersky spoke--in this article, he stated that they 
did collect NSA materials clearly marked classified in 2014, 
which were spirited to Moscow for analysis, and then deleted at 
his direction. When asked if Kaspersky alerted the NSA that his 
software discovered classified materials, he claimed that he 
didn't want to see it in the news. If he is asked why he didn't 
report it, he didn't want to see in the news that I tried to 
contact the NSA to report the case, definitely I didn't want to 
see it in the news. Is that plausible that he would not report 
that they, you know, came across by unintentional means that 
they came across classified information? Is it plausible that 
he would have not reported it just because he didn't want to 
see it in the news? Yes, Mr. Norton. I'm sorry.
    Mr. Norton. I guess the answer is, sir, I don't know what's 
going inside his head or what his thought process was. It's 
hard for me to assess why he made that decision or didn't make 
that decision.
    Mr. Loudermilk. To me, from a legal aspect, maybe laws have 
changed since I was in the intelligence community but I would 
have a legal responsibility at that point to notify the 
authorities look, our software came across this information, 
you may need to go look at this employee. I also have issue 
with them just reading the documents they come across as well.
    Mr. Kanuck, do you think this is a plausible response by 
Mr. Kaspersky?
    Mr. Kanuck. My first observation would be that Mr. 
Kaspersky may not be subject to a secrecy agreement of any kind 
that would have the legal contractual binding nature that 
yourself previously and myself have had before that would have 
obligated us to report that information had we stumbled across 
it. Secondly, I guess I am personally a little surprised that 
knowing the scrutiny that his firm is under that he might not 
have taken an opportunity to return it to the U.S. government 
and try to get in our good favor.
    Mr. Loudermilk. Maybe redeem himself, you know, to show 
goodwill.
    Let me ask you, why would he not inform the NSA? I mean----
    Mr. Kanuck. Possibly because he felt there was no legal 
obligation for him to, and in his personal decision thought it 
was not in the best interest of his company, which again is a 
Russian company.
    Mr. Loudermilk. Mr. Norton, is it plausible that maybe the 
suspicions that the Israelis have, that we have is that they're 
purposely mining for information? Is that plausible?
    Mr. Norton. I think that, you know, with the digital age 
having really grown in the last 15 years that online 
intelligence gathering is the normal. I think that we as, you 
know, society need to continue to come to grips with the fact 
that mining online data and the fact that you can target 
individuals is the new normal and that we all need to be aware 
of this, and I think that whether it's the Russians or other 
adversaries, nation-states, individuals, absolutely our 
networks are a target every day, every second, and we need to 
be really aware of that.
    Mr. Loudermilk. Why would he send it to Moscow? Is that not 
suspect that he sent the documents to Moscow, then asked for 
them to be deleted, Mr. Norton?
    Mr. Norton. I think--again, I don't know what really 
occurred or didn't occur. It seems like that would be something 
that we would need to really kind of take a look at, and 
hopefully our intelligence services are on that and they can 
give us----
    Mr. Loudermilk. Mr. Kanuck, would you--would you find it 
suspect that he sends them to Moscow after seeing that they're 
classified NSA documents determines to not notify the NSA but 
then sends them to Moscow and then says I'm going to have them 
deleted? I mean, that's pretty suspect to me.
    Mr. Kanuck. So again, I'm not personally knowledgeable of 
whether he himself was the one who did the discovering and the 
forwarding. I would, as I said in my opening statement, 
encourage the analysis of traffic flows within the Kaspersky 
global communications network. That may have been standard 
operating procedure or it may have been an ad hoc decision. I 
can't speak to that because I don't work for that company.
    Mr. Loudermilk. All right. Well, thank you, Mr. Chairman. I 
yield back the time I have exceeded.
    Chairman LaHood. Well, thank you, Mr. Loudermilk, for your 
insightful questions there.
    That concludes our questions here today. I want to thank 
the witnesses for your valuable testimony here today. I think 
this Committee as part of our oversight mission will continue 
to investigate leads and evidence as it relates to this matter. 
Secondly, I think we've just touched the surface as it relates 
to Kaspersky and their alleged complicity and involvement with 
cyber espionage, and this Committee will continue to work on 
that. We anticipate more hearings and more testimony to come.
    So with that, this hearing is concluded, and we thank you.
    [Whereupon, at 11:31 a.m., the Subcommittee was adjourned.]

                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions

Responses by Mr. Sean Kanuck

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




                              Appendix II

                              ----------                              


                   Additional Material for the Record




            Letter submitted by Representative Clay Higgins
            
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]            

         Document submitted by Representative Barry Loudermilk
         
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]