b"<html>\n<title> - BOLSTERING THE GOVERNMENT'S CYBERSECURITY: ASSESSING THE RISK OF KASPERSKY LAB PRODUCTS TO THE FEDERAL GOVERNMENT</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:\n                    ASSESSING THE RISK OF KASPERSKY\n                 LAB PRODUCTS TO THE FEDERAL GOVERNMENT\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                      SUBCOMMITTEE ON OVERSIGHT &\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            October 25, 2017\n\n                               __________\n\n                           Serial No. 115-33\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n \n \n \n \n \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n \n\n\n       Available via the World Wide Web: http://science.house.gov\n       \n       \n       \n                            _________ \n\n                U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n 27-672 PDF             WASHINGTON : 2018       \n____________________________________________________________________\n For sale by the Superintendent of Documents, U.S. Government Publishing Office,\nInternet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800\n  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001           \n       \n       \n       \n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nFRANK D. 
LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas\nDANA ROHRABACHER, California         ZOE LOFGREN, California\nMO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois\nRANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon\nBILL POSEY, Florida                  ALAN GRAYSON, Florida\nTHOMAS MASSIE, Kentucky              AMI BERA, California\nJIM BRIDENSTINE, Oklahoma            ELIZABETH H. ESTY, Connecticut\nRANDY K. WEBER, Texas                MARC A. VEASEY, Texas\nSTEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia\nBRIAN BABIN, Texas                   JACKY ROSEN, Nevada\nBARBARA COMSTOCK, Virginia           JERRY MCNERNEY, California\nGARY PALMER, Alabama                 ED PERLMUTTER, Colorado\nBARRY LOUDERMILK, Georgia            PAUL TONKO, New York\nRALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois\nDARIN LaHOOD, Illinois               MARK TAKANO, California\nDANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii\nJIM BANKS, Indiana                   CHARLIE CRIST, Florida\nANDY BIGGS, Arizona\nROGER W. MARSHALL, Kansas\nNEAL P. DUNN, Florida\nCLAY HIGGINS, Louisiana\n                                 ------                                \n\n                       Subcommittee on Oversight\n\n                   HON. DARIN LaHOOD, Illinois, Chair\nBILL POSEY, Florida                  DONALD S. BEYER, Jr., Virginia, \nTHOMAS MASSIE, Kentucky                  Ranking Member\nGARY PALMER, Alabama                 JERRY MCNERNEY, California\nROGER W. MARSHALL, Kansas            ED PERLMUTTER, Colorado\nCLAY HIGGINS, Louisiana              EDDIE BERNICE JOHNSON, Texas\nLAMAR S. SMITH, Texas\n\n\n                            C O N T E N T S\n\n                            October 25, 2017\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     
3\n\n                           Opening Statements\n\nStatement by Representative Lamar S. Smith, Chairman, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives................................................     4\n    Written Statement............................................     6\n\nStatement by Representative Darin LaHood, Chairman, Subcommittee \n  on Oversight, Committee on Science, Space, and Technology, U.S. \n  House of Representatives.......................................     8\n    Written Statement............................................    10\n\nStatement by Representative Donald S. Beyer, Jr., Ranking Member, \n  Subcommittee on Oversight, Committee on Science, Space, and \n  Technology, U.S. House of Representatives......................    12\n    Written Statement............................................    14\n\nStatement by Representative Eddie Bernice Johnson, Ranking \n  Member, Committee on Science, Space, and Technology, U.S. House \n  of Representatives.............................................    16\n    Written Statement............................................    17\n\n                               Witnesses:\n\nMs. Donna Dodson, Associate Director and Chief Cybersecurity \n  Advisor, Information Technology Laboratory; and Chief \n  Cybersecurity Advisor, National Institute of Standards and \n  Technology\n    Oral Statement...............................................    18\n    Written Statement (Joint statement with Dr. Kent Rochford)...    21\n\nMr. David Shive, Chief Information Officer, U.S. General Services \n  Administration\n    Oral Statement...............................................    27\n    Written Statement (Joint statement with Ms. Lisa Casias).....    29\n\nMr. James Norton, President, Play-Action Strategies LLC; and \n  Adjunct Professor, Johns Hopkins University\n    Oral Statement...............................................    
34\n    Written Statement............................................    35\n\nMr. Sean Kanuck, Director of Future Conflict and Cyber Security, \n  International Institute for Strategic Studies\n    Oral Statement...............................................    44\n    Written Statement............................................    46\n\nDiscussion.......................................................    54\n\n             Appendix I: Answers to Post-Hearing Questions\n\nMr. Sean Kanuck, Director of Future Conflict and Cyber Security, \n  International Institute for Strategic Studies..................    70\n\n             Appendix II: Answers to Post-Hearing Questions\n\nDocument submitted by Representative Clay Higgins, Committee on \n  Science, Space, and Technology, U.S. House of Representatives..    78\n\nDocument submitted by Representative Barry Loudermilk, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives................................................    81\n\n\n               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:\n\n\n\n              ASSESSING THE RISK OF KASPERSKY LAB PRODUCTS\n\n\n\n                       TO THE FEDERAL GOVERNMENT\n\n                              ----------                              \n\n\n                      Wednesday, October 25, 2017\n\n                  House of Representatives,\n                      Subcommittee on Oversight and\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Subcommittee met, pursuant to call, at 10:06 a.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. Darin \nLaHood [Chairman of the Subcommittee] presiding.\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman LaHood. 
The Subcommittee on Oversight will come to \norder.\n    Without objection, the Chair is authorized to declare \nrecesses of the Subcommittee at any time.\n    I want to welcome you to today's hearing titled \n``Bolstering the Government's Cybersecurity: Assessing the Risk \nof Kaspersky Lab Products to the Federal Government.''\n    The subject of today's hearing involves some information \nthat is classified. I remind Members that their questions may \ncall for a response that the witnesses know to be classified. \nPlease be mindful of this fact. I would like to instruct the \nwitnesses to answer to the best of their ability, but should an \nanswer call for sensitive information, it may be addressed if \nwe vote to move into executive session at the end of the \nhearing.\n    At this time, I'm going to yield to the Chairman of the \nFull Committee, Chairman Lamar Smith, for his opening statement \nat this time.\n    Chairman Smith. Thank you, Mr. Chairman. I appreciate your \ndeferring to me and yielding me time, and let me apologize to \nthe panelists. I have to leave immediately for a Judiciary \nCommittee markup where they are considering a piece of \nlegislation that I've introduced, so that's why I have to leave \nearly, but perhaps I'll be able to get back.\n    Cybersecurity breaches are so prevalent today that it is \nhard to keep track of them. Every news cycle seems to include a \nnew major incident. To address the federal government's \ncybersecurity weaknesses, the Committee hopes to bring H.R. \n1224, the NIST Cybersecurity Framework, Assessment, and \nAuditing Act of 2017, to the House Floor for a vote.\n    Specific to Kaspersky Lab, new revelations regarding cyber-\nespionage continue to surface. 
This Committee has engaged in \nrobust oversight of Kaspersky Lab, thanks to questions raised \nby Congressman Higgins during a hearing in June.\n    On July 27, 2017, this Committee requested all federal \ndepartments and agencies to disclose their use of Kaspersky Lab \nproducts. This was less than a month after the U.S. General \nServices Administration banned Kaspersky Lab products from its \ngovernment-wide schedule contracts. However, we still have \nquestions: Why was the software approved for government use? \nAnd was removing it from the approved GSA schedule sufficient \nto protect U.S. interests?\n    I support this Administration's subsequent actions. The \ninteragency working group on cybersecurity has begun to address \nthe problem.\n    On September 13, 2017, the Department of Homeland Security \nissued a government-wide order directing federal departments \nand agencies to identify and remove the company's products from \nuse. In subsequent hearings, we will need to assess whether the \nfederal government's response has been sufficient.\n    While once considered reputable, Kaspersky Lab, its founder \nand their Russian ties have created a significant risk to U.S. \nsecurity. According to several media investigations, these \nconnections have allowed Kaspersky Lab to be exploited not only \nby the Russian government but also by criminal hackers around \nthe world. Mr. Kaspersky's history and recent remarks have done \nlittle to alleviate these concerns.\n    As we move forward with this hearing and future hearings, \nwe expect to uncover all aspects of Kaspersky Lab. We are \nparticularly interested in what led the previous Administration \nto include Kaspersky Lab products on two GSA schedules. I look \nforward to the testimony of Mr. Shive, the GSA Chief \nAdministration and Information Officer. 
I am also interested in \nproactive steps GSA has taken to assist other departments and \nagencies in rooting out the presence of Kaspersky products on \ntheir systems.\n    Also, we need to better understand the recent news related \nto the breach of an NSA contractor's personal computer.\n    The threat Kaspersky Lab products present to the government \nhas now been publicly identified and confirmed by the Israeli \ngovernment. I urge anyone with knowledge of potential risks to \ncontact the Committee and share that information with us. We \nmust be vigilant in addressing this wolf in sheep's clothing.\n    Thank you, Mr. Chairman. I'll yield back.\n    [The prepared statement of Chairman Smith follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n       \n    Chairman LaHood. Thank you, Mr. Chairman.\n    At this time I recognize myself for five minutes for an \nopening statement, and again I want to welcome our witnesses \nhere today.\n    Today we intend to discuss and evaluate the cybersecurity \nposture of the federal government. Specifically, we will \nexamine the concerns that this Committee has raised about the \nrisks associated with using Kaspersky Lab's products on federal \ninformation technology systems, as well as actions that the \nTrump Administration has taken in response to these concerns.\n    As part of today's hearing, we will hear from government \nand private sector cybersecurity experts about the potential \nrisks that Kaspersky Lab products and services pose to agency \nIT systems. In doing so, we hope to find effective and \nefficient ways to improve agency practices related to the \ndesign, acquisition, development, modernization, use and \nperformance of federal IT resources.\n    Kaspersky Lab is based in Moscow, Russia, and was founded \nin 1997 by Eugene Kaspersky. The company is one of the world's \nlargest providers of cybersecurity software and services, \nincluding both consumer and enterprise solutions. 
As early as \n2015, reports began to surface alleging that Mr. Kaspersky \nmaintained close ties to Russian spies. Not only for Mr. \nKaspersky--not only was Mr. Kaspersky educated at a KGB-\nsponsored university, he also wrote code for the Soviet \nmilitary.\n    In May of this year, the concerns surrounding Kaspersky Lab \nwere brought to public light during a Senate Intelligence \nCommittee hearing, where several intelligence community \nofficials unanimously affirmed they would be uncomfortable \nusing Kaspersky Lab's software and services. In June of this \nyear, during this Committee's hearing on the WannaCry \nransomware outbreak, our witnesses expressed similar concerns.\n    The matter reached a tipping point in July, when the \nGeneral Services Administration, the GSA, announced the removal \nof Kaspersky Lab products from its preapproved government \ncontracts schedules.\n    On July 27, the Committee commenced its investigation of \nthe matter, with Chairman Smith probing 22 federal departments \nand agencies on their use of Kaspersky Lab products and \nservices. Last month, the Trump Administration took another \nstep toward addressing the concerns surrounding Kaspersky when \nthe Department of Homeland Security issued Binding Operational \nDirective 17-01, ordering all federal departments and agencies \nto remove Kaspersky Lab software from their systems within 90 \ndays.\n    Mr. Kaspersky has been highly critical of the U.S. \nthroughout this entire process, frequently arguing that no \npublic evidence existed to support the concerns raised about \nhis company. Earlier this month, however, several prominent \nAmerican news organizations published startling revelations \nthat confirmed this Committee's gravest concerns: the Russian \ngovernment has wielded Kaspersky's software as a tool for \ncyber-espionage. 
This Administration has been proactively \nremedying the Kaspersky situation, and we must continue to take \nsteps to ensure that we do not repeat past mistakes.\n    To that end, I look forward to hearing from our expert \nwitnesses about how Kaspersky became approved for use on \nfederal systems, the policies and procedures that can be \nimplemented to bolster the federal government's cybersecurity \nrisk-management processes, and the actions that must be taken \nto ensure that federal systems remain secure against nefarious \ncyber actors.\n    Thank you.\n    [The prepared statement of Chairman LaHood follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n   \n       \n    Chairman LaHood. At this time I now recognize the Ranking \nMember, the gentleman from Virginia, for his opening statement.\n    Mr. Beyer. Thank you, Chairman LaHood, and thank all of you \nfor being with us.\n    Security concerns related to the Kaspersky Lab products and \nreported ties between Eugene Kaspersky, his company, and \nRussian intelligence services have been brewing within the U.S. \nintelligence community for years. This is deeply troubling \ngiven that Kaspersky Lab, whose main product is antivirus \nsoftware, has offices in 32 countries, approximately 270,000 \ncorporate clients, and its software is used by approximately \n400 million people worldwide. And, until just recently, the \nU.S. Government also used KL software.\n    The founder of Kaspersky Lab, Eugene Kaspersky, is a \nsoftware engineer educated at a KGB cryptography institute who \nalso worked for the Russian intelligence services before \nstarting his software company in 1997. He's been described as \nthe Bill Gates of Russia. Despite his background and the \nconcerns of the U.S. 
intelligence community, the company has \nvigorously argued that it has no ties to any government.\n    Concerns about connections between Kaspersky Lab and \nRussian intelligence services have become more pronounced over \nthe last year. In April, the Senate Intelligence Committee \nasked the Director of National Intelligence and the U.S. \nAttorney General to look into Kaspersky employees' potential \nties with Russian intelligence. In May, six U.S. intelligence \nagency directors, including the Directors of the CIA and NSA, \ntold the Intelligence Committee that they would not be \ncomfortable using Kaspersky products on their networks. In \nJune, it was reported that FBI agents had interviewed U.S.-\nbased employees of Kaspersky Lab, and in July, Bloomberg \nBusinessweek published a story referencing internal company \nemails that showed a close working relationship between \nKaspersky Lab and Russian intelligence.\n    Finally, earlier this month, the New York Times reported \nthat Israeli intelligence were able to determine that Russian \ngovernment hackers have been using the company's software to \nsearch for the code names of U.S. intelligence programs. \nSpecifically, the Israelis discovered that a contractor to the \nNational Security Agency had his data compromised over two \nyears ago by these Russian hackers after he improperly took \nclassified documents home and stored them on his home computer. \nKaspersky's antivirus software had been installed on the \ncontractor's home computer, and KL Lab has repeatedly denied \nany affiliation with the Russian hacking, but just today, the \ncompany admitted in a blog post that it had collected the NSA \nfiles through routine malware data collection.\n    All of this has led to legitimate security concerns about \nthe use of Kaspersky Lab software. I am glad that the U.S. \nGovernment has realized this. 
In July, as our Chairman has \nsaid, the General Services Administration removed Kaspersky Lab \nfrom its list of approved federal vendors, and, last month, the \nDepartment of Homeland Security issued a Binding Operational \nDirective banning federal agencies from using any product or \nservice offered by KL, giving federal agencies until mid-\nDecember to implement that directive.\n    But cybersecurity is no longer simply about defending our \ndata from theft. It's also about defending our democracy from \ndisinformation campaigns that combine cyber assaults with \ninfluence operations. Since the 2016 election, it has been \nwell-established that Russia has spread falsehoods and \ndisinformation, seeking to sow divisions between us and \nconfusion among us. This is not, and should not be, a partisan \nissue. Together we should be striving to defend our democracy \nagainst those who seek to damage it.\n    Mr. Chairman, I hope we can have a future hearing where we \nhear from social scientists, researchers, and technical experts \nabout the tools and technologies we can employ to help identify \nthese evolving threats beyond traditional cybersecurity and \ndefend against them.\n    I look forward to hearing from all our witnesses today and \nespecially Sean Kanuck, who happens to be one of my \nconstituents, an expert on these topics. He was appointed the \nfirst National Intelligence Officer for Cyber Issues in 2011 \nand served in that position at the National Security Council \nuntil 2016. Prior to that he spent ten years at the CIA in \ntheir Information Operations Center. Today he joins us as the \nDirector of Future Conflict and Cyber Security at the \nInternational Institute for Strategic Studies. So Sean, \nwelcome, and I look forward to all of your testimony.\n    Mr. Chairman, I yield back.\n    [The prepared statement of Mr. Beyer follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n       \n    Chairman LaHood. Thank you, Mr. 
Beyer.\n    At this time I now recognize the Ranking Member of the Full \nCommittee, Ms. Johnson, for her opening statement.\n    Ms. Johnson. Thank you very much, Mr. Chairman.\n    Kaspersky Lab is one of the world's largest cybersecurity \ncompanies, and makes a popular antivirus program used by 400 \nmillion users worldwide. But recent concerns by the U.S. \nintelligence community about close connections between \nKaspersky Lab, its founder Eugene Kaspersky, and the Russian \nintelligence services have led to much greater scrutiny of its \nactivities.\n    This hearing is premised on examining what threat that \nKaspersky software poses to the federal government. However, \nthe federal government has already preemptively addressed that \nthreat.\n    Last month, the Department of Homeland Security issued a \ndirective that required all federal agencies to identify any of \ntheir networks using Kaspersky Lab software, and gave those \nagencies a 90-day deadline to initiate a plan to remove the \nKaspersky Lab software from those computer systems. DHS decided \nthat the security risk of having a Russian company embedded on \nfederal computer networks was simply not worth it. I have \nconfidence in the ability of the federal government agencies to \neliminate the Kaspersky Lab products from their respective \ncomputer systems.\n    I am less confident, though, in our collective ability to \nidentify and guard against cyber warfare actions from Russian \nstate actors. Russian hackers have infiltrated some of our \nnation's nuclear power plants, private email accounts, and \nstate election databases. Russia, according to a publicly \navailable Intelligence Community assessment, conducted an \ninfluence campaign in 2016 to undermine public faith in the \nU.S. democratic process and to harm the campaign chances of \nHillary Clinton winning the Presidency.\n    The intelligence assessment should be a wake-up call for \nall of us. 
We should expect attempts by foreign actors to \naffect future elections using computer hacking, social media, \nand other means, as was done in 2016.\n    Mr. Chairman, prior to the 2016 election, this Committee \nheld a hearing to review guidelines for protecting voting and \nelection systems including voter registration databases and \nvoter machines. I believe a follow-up hearing would be \nappropriate to discuss protecting these same systems, in light \nof last year's events, as well as examining the sophisticated \ninfluence operations conducted by Russian intelligence services \nto disrupt our democratic processes and damage our democracy. \nWith the knowledge of Russian cyber warfare actions in 2016, we \ncan have a more robust discussion on the measures hostile \nactors have been using against America's voting infrastructure, \nand we can discuss measures that need to be taken to bolster \nthe security of our elections.\n    Mr. Chairman, I hope that you seriously consider holding a \n2016 election security postmortem with a focus on what the \nScience Committee can do to help protect the vote going \nforward.\n    I thank you, and yield back the balance of my time.\n    [The prepared statement of Ms. Johnson follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n           \n    Chairman LaHood. Thank you, Ms. Johnson.\n    At this time let me introduce our witnesses here today. Our \nfirst witness today is Ms. Donna Dodson, Associate Director and \nChief Cybersecurity Advisor of the Information Technology \nLaboratory, and Chief Cybersecurity Advisor at the National \nInstitute of Standards and Technology (NIST). Ms. Dodson began \nher career at NIST in 1987 as a Computer Science Researcher. In \n2010, she was promoted to Computer Security Division Chief for \nNIST. She holds a master's degree in computer science from \nVirginia Tech. Welcome.\n    Our second witness is Mr. David Shive, Chief Information \nOfficer at the U.S. 
General Services Administration. Prior to \nbeing named CIO, Mr. Shive was the Director of the Office of \nEnterprise Infrastructure at the GSA. He received his \nbachelor's degree in physics from California State University \nin Fresno, his master's degree in research meteorology from the \nUniversity of Maryland in College Park, and his postgraduate \nmanagement certificate from the Carnegie Mellon Graduate School \nof Industrial Management.\n    Our third witness is Mr. James Norton. He is the founder \nand President of Play-Action Strategies LLC, and an Adjunct \nProfessor at Johns Hopkins University. Mr. Norton previously \nserved as Vice President of Strategy and Communications for the \nMission Systems Division at General Dynamics. He holds a \nBachelor of Science and a master's in business administration \nfrom Salve Regina University.\n    Our last witness today is Mr. Sean Kanuck, Director of \nFuture Conflict and Cyber Security at the International \nInstitute for Strategic Studies. He previously served as the \nNational Intelligence Officer for Cyber Issues from 2011 to \n2016. Mr. Kanuck holds a Bachelor of Arts and law degree from \nHarvard University, a master's of science from the London \nSchool of Economics, and an LLM from the University of Oslo.\n    Thank you all for being here. I will now recognize Ms. \nDodson for five minutes to present her testimony.\n\n                   TESTIMONY OF DONNA DODSON\n\n    Ms. Dodson. Chairman LaHood, Ranking Member Beyer, and \nmembers of the Subcommittee, I am Donna Dodson, Chief \nCybersecurity Advisor for the National Institute of Standards \nand Technology, known as NIST. 
Thank you for the opportunity to \nappear before you today to discuss NIST's role in cybersecurity \nhighlighting the Cybersecurity Framework, referred to as the \nFramework, and the NIST cybersecurity portfolio.\n    As a non-regulatory agency, NIST leverages its deep \ntechnical expertise as well as its power of convener of \nstakeholders to develop and improve solutions to a wide range \nof technical and policy cybersecurity challenges. NIST's role \nin cybersecurity as codified in law is to research, develop, \nand deploy information security standards and technology to \nprotect the federal government's non-national security \ninformation systems against threats to confidentiality, \nintegrity, and availability, and to facilitate and support the \ndevelopment of voluntary industry-led cybersecurity standards \nand best practices for critical infrastructure.\n    In addition to providing resources that organizations of \nall sizes can use to manage cybersecurity risk, NIST also \nprovides resources to help organizations recover quickly from \ncybersecurity attacks with confidence that the recovered data \nis accurate, complete, and free of malware and that the \nrecovered system is trustworthy and capable.\n    I will highlight five of NIST's critical cybersecurity \nprograms which are the Cybersecurity Framework, supply-chain \nrisk management, cryptography, the National Vulnerability \nDatabase, and the National Software Reference Library.\n    The first resource, the NIST Cybersecurity Framework, or \nFramework, was created in collaboration with industry, academia \nand other government agencies. The Framework consists of \nvoluntary standards, guidelines and practices to promote the \nprotection of critical infrastructure and to manage \ncybersecurity risks. While originally designed to help protect \ncritical infrastructure, numerous businesses use the Framework \nto manage their cybersecurity risk. 
Since publishing the \nFramework, NIST has released additional guidelines to help \nsmall businesses manage their cybersecurity risk. Under \nExecutive Order 13800, every federal agency or department will \nneed to manage their cybersecurity risk by using the Framework \nand then provide a risk management report to OMB and DHS. In \nresponse to the EO, NIST released the Cybersecurity Framework \nImplementation Guidance for Federal Agencies to help federal \nagencies use the Framework in conjunction with an extensive set \nof NIST cybersecurity risk management standards, guidelines, \nand controls to manage their cybersecurity risk.\n    The Cybersecurity Framework also provides guidance for the \nsecond critical area, which is the security of the supply \nchain. Because of outsourcing, organizations must ensure the \nintegrity, security, and resilience of their supply chain. To \nassist in this, NIST established the Supply Chain Risk \nManagement program to identify and evaluate effective \ntechnologies, tools, techniques, practices, and standards that \nhelp secure an organization's supply chain.\n    Another critical area is cryptography. NIST began its work \nin cryptography in 1972. Today, NIST cryptographers research, \nanalyze and standardize cryptographic technology. Although \nthese standards apply to federal information systems, many \nprivate-sector organizations voluntarily rely on them to \nprotect sensitive personal and business information. NIST also \nruns a program that validates the test results of vendor's \ncryptographic modules to the NIST standard. In this program, \nNIST confirms that a company's underlying cryptography works \nbut is not validating the vendor or the company.\n    Two final critical components are the National \nVulnerability Database and the National Software Reference \nLibrary. NIST maintains the repository for all known and \npublicly reported IT vulnerabilities called the National \nVulnerability Database, or NVD. 
The vulnerabilities in the NVD \nare weaknesses in coding found in software and hardware that if \nexploited can impact the integrity of information systems. The \nNational Software Reference Library, or NSRL, is another tool \nthat is supported by NIST along with DHS and other federal, \nstate and local enforcement agencies. The NSRL is like \na fingerprint database for computer files that promotes \nefficient and effective use of computer technology.\n    The programs that I have mentioned here are only a portion \nof the NIST cybersecurity portfolio, and NIST's work to provide \nand improve technical and policy solutions to an ever-growing \nset of cybersecurity challenges continues to grow.\n    Thank you for the opportunity to testify today. I am happy \nto answer any questions you may have.\n    [The prepared statement of Ms. Dodson follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n       \n    Chairman LaHood. Thank you, Ms. Dodson.\n    I now recognize Mr. Shive for five minutes to present his \ntestimony.\n\n                    TESTIMONY OF DAVID SHIVE\n\n    Mr. Shive. Thank you, and good morning, Chairman LaHood, \nRanking Member Beyer, and members of the Subcommittee. My name \nis David Shive, and I'm the Chief Information Officer at the \nU.S. General Services Administration. I welcome the opportunity \nto share my organization's experiences related to the \ncybersecurity posture of GSA and the federal government.\n    The mission of GSA is to deliver the best value in real \nestate, acquisition, and technology services to government and \nthe American people. 
In support of that, one of my \norganization's key goals in supporting GSA's mission is to \ndeliver technology that provides both a secure environment for \ndoing business while also ensuring that both IT and business \ncontinue to run efficiently.\n    The Federal Information Security Management Act provides a \ncomprehensive framework which helps federal CIOs and federal \nChief Information Security Officers manage overall information \ntechnology security risks across federal data and assets. The \nFISMA framework supports the rigorous IT security program \nimplemented at GSA by the CISO under the auspices of the CIO's \nauthority. Our security program assures the risks to GSA's IT \nsystems are assessed and proper security controls implemented \nto mitigate those risks down to an acceptable level. It also \nensures periodic evaluation and testing of the effectiveness of \nIT security controls, including management, operational, and \ntechnical controls.\n    Furthermore, GSA has a robust incident handling and \nresponse program that strongly aligns with the NIST \nCybersecurity Framework. Due to the effectiveness of that \nprogram, GSA received a rating level of 4, which is managed and \nmeasurable under ``response'' on the latest FISMA report from \nour Office of the Inspector General (OIG).\n    In accordance with FISMA, GSA adheres to all of NIST's \nFederal Information Processing Standards and Special \nPublications in implementing GSA's IT security program. In \naddition, GSA completes a risk-based security assessment in \naccordance with NIST guidance and issues a signed Authority to \nOperate by the authorizing official with concurrence by the \nCISO before any new system goes into production. 
This is \naccomplished by prioritizing the implementation of security \ncontrols and focusing on those that have the biggest impact on \nsecuring the system and data such as securing--ensuring secure \nconfigurations and patching of vulnerabilities, access \ncontrols, and auditing and monitoring. GSA is in the process of \nimplementing Executive Order 13800. GSA has adopted the \nframework for Improving Critical Infrastructure Cybersecurity \ndeveloped by NIST and has required--as required by the \nExecutive Order. GSA has provided a risk management report, as \nwell as an action plan to implement the Framework, to the \nSecretary of Homeland Security and the Director of the Office \nof Management and Budget. GSA continues to explore leading edge \ntechnologies in order to stop the latest and most sophisticated \nattacks from our adversaries. This includes next generation \nantivirus solutions that use machine learning and artificial \nintelligence, as well as advanced detection of malware that is \nembedded in email attachments and links. Both of these \ntechnologies will greatly protect the end user, which is one of \nthe primary vectors for exploiting federal government systems.\n    One of GSA's core missions is to assist in procuring goods \nand services that can be made available to federal agencies. \nGSA's Federal Acquisition Service (FAS) offers a continuum of \nvoluntary government-wide innovative solutions and services in \na number of areas. Federal agencies spend approximately $23 \nbillion annually to acquire IT products and services through \nFAS. This represents only 42 percent of the federal \ngovernment's $55 billion in total IT spend. Significantly, a \nproduct's placement on a GSA schedule or contract vehicle only \ncertifies that the vendor meets the necessary regulatory \nrequirements for the product to be sold to the federal \ngovernment. 
It does not make any value or technical judgment \nabout the nature of the product.\n    With respect to Kaspersky Lab products, they were available \nfrom three resale vendors on GSA schedules contracts. On July \n11 of this year, GSA directed the three resellers to remove all \nKaspersky Lab manufactured products from their catalogs within \n30 days. All three resellers complied. As of today, GSA does \nnot offer any Kaspersky Lab manufactured products through its \nGSA schedules contracts.\n    GSA took a proactive stance and completed comprehensive \nscanning of all IT assets for the presence of Kaspersky \nproducts in June of 2017. GSA confirmed that there was no \ninstallation of such products in our on-premise and cloud-based \nsystems, and reported this to DHS in accordance with Binding \nOperational Directive 17-01 on October 4. In addition, GSA's \nFedRAMP PMO is coordinating this activity for the government-\nwide cloud service providers that are covered by its ATOs.\n    Again, I thank the Subcommittee for its oversight and for \nallowing me the opportunity to contribute to this important \ntopic. At this time, I'm happy to take any questions that you \nmight have.\n    [The prepared statement of Mr. Shive follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n  \n    Chairman LaHood. Thank you, Mr. Shive.\n    At this time I recognize Mr. Norton for five minutes to \npresent his testimony.\n\n                   TESTIMONY OF JAMES NORTON\n\n    Mr. Norton. Thank you. Chairman LaHood, Ranking Member \nBeyer, and members of the Subcommittee, thank you very much for \ninviting me to testify before you today. My name is James \nNorton, and I am the founder and President of Play-Action \nStrategies, a homeland security and cybersecurity consulting \nfirm here in Washington, DC. 
I'm also a member of the faculty \nat Johns Hopkins University.\n    Previously, I served in multiple positions at the \nDepartment of Homeland Security under President George W. Bush, \nincluding as Deputy Assistant Secretary of Legislative Affairs. \nI was a member of the Department's first team tasked with \nconfronting the nascent cybersecurity threat.\n    Cyber threats pose a real and immediate danger to our \nfederal government and the American people it represents. In \n2016, the federal government experienced 30,899 cyber incidents \nthat led to the compromise of information or system \nfunctionality, according to the Office of Management and Budget.\n    DHS's role in protecting government networks is \nfoundational, because the Department cannot be well positioned \nto assist the private sector and serve as a model of best \npractices for state and local governments until it has its own \nfederal networks or federal systems secure. In order to meet \ntoday's challenges, DHS must update its systems and technology \nand strengthen the organization in support of its cybersecurity \nfunctions. Together these issues have led to the use of \npotentially problematic software that is the subject of today's \nhearing.\n    To help DHS meaningfully address these challenges, I offer \nthe following recommendations: provide CIOs and other officials \nacross federal agencies with the resources necessary to invest \nin high-quality, reliable cybersecurity tools; require the \ndevelopment of a trusted vendor list that provides guidance on \napproved cybersecurity vendors with a secure supply chain that \nagencies can have confidence in; work with OMB and the White \nHouse to prevent redundancy across the federal government so \nthat competing cyber organizations do not arise in other \nfederal agencies.\n    I thank the Committee for holding this important hearing, \nand I look forward to your questions.\n    [The prepared statement of Mr. 
Norton follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n       \n    Chairman LaHood. Thank you, Mr. Norton.\n    At this time I recognize Mr. Kanuck for five minutes to \npresent his testimony.\n\n                    TESTIMONY OF SEAN KANUCK\n\n    Mr. Kanuck. Good morning. Thank you, Chairman LaHood, \nRanking Member Beyer, and Distinguished Members of Congress. \nIt's my pleasure to be here today, and being a strategic threat \nanalyst, I'm going to speak directly to the risks theoretically \nposed by Kaspersky Lab and Russian cyber operations.\n    First, I think we need to understand the very nature of the \ntechnologies that Kaspersky products offer. They are complete \nnetwork monitoring solutions that can see all activity on their \nclients' networks, and they have remote administration \ncapabilities. In these ways, they are not dissimilar from many \nother IT security vendors' products, but what is important to \nnote here is that discussions about surreptitious backdoors in \nthese kind of products is actually a fairly moot point because \nthe very nature of these products and services is to have a \nwide-open front door. Clients pay for that 24/7 monitoring of \ntheir entire network.\n    Now, what is interesting, that ends up an aggregate \nproviding Kaspersky Lab and other similar vendors incredible \noptic and visibility into global internet activity including \nmalicious software, espionage activities, and other things. In \nessence, it becomes a private global cyber intelligence \nnetwork, and as we've seen from the recent media reports this \nmonth, that kind of capability is incredibly desired by \ngovernment intelligence actors. 
If we believe the media reports \nin the public sector, then at least two foreign government \nagencies have exploited Kaspersky's network, and in my mind, \nthat makes the question of ``is there a risk through Kaspersky \nproducts'' to become nearly tautological because allegedly it's \nalready happened twice.\n    Furthermore, I do not personally feel it is necessary to \nprove a willful complicity or collaboration by Kaspersky \nemployees or the company with the Russian government or any \nother to show that there is a potential risk. That added \nfactor, if it were true, would of course be a \ncounterintelligence concern and a further cause for prohibiting \nsuch software or products. But the mere fact alone that foreign \nintelligence agencies have sought access through this implies \nthere is a risk.\n    So what I think we need to do is actually focus on that \nforeign intelligence threat and let's take a moment to discuss \nRussian cyber posture. I can't do it any justice better than \nDirector of National Intelligence Dan Coats did in his \nworldwide threat assessment presentation in May where he \nidentified Russia as a primary cyber threat actor of the United \nStates with a continued interest in exploiting our networks not \nonly for espionage but for influence operations, and that \ntestimony further noted that even disruptive actions have been \nundertaken by Russia against targets outside the United States. \nSo when we combine that willful interest in adversarial context \nwith the telecommunications surveillance and monitoring laws of \nRussia and the access potentially posed by Kaspersky Lab \nproducts, you have a potent combination.\n    Even without complicity, it is theoretically possible that \nall Kaspersky Lab corporate communications transiting nodes in \nRussia could possibly be monitored by the domestic security \nservice under their telecom surveillance laws. 
Therefore, if \nyou are trying to examine the full scope of this threat, a \nsimple review of Kaspersky's products themselves or the source \ncode would not be enough. You have to understand the commands \nthat remote administrators or unauthorized third parties may be \nissuing to those client networks through that access point, and \nyou must understand traffic routing of the global internet and \nhow Kaspersky communications move between its regional offices \nand different counterparts.\n    Moving to a strategic risk management perspective, I offer \nthat resilience is the key to better security, and my \nwitnesses--my fellow witnesses have already spoken to that to \nsome degree, and I believe that internal review of one's own \nenterprise assets and who might be trying to compromise them is \nessential.\n    I'll conclude by offering a couple thoughts on the \nprohibition of Kaspersky Lab software in U.S. government \nnetworks. I do believe there's a risk posed, and my assessment \nis primarily based on historical arguments of what has already \nhappened as well as the access that I've described and the \nforeign threat actors. I am also aware that U.S. government \nactions against specific named foreign companies may likely \nresult in similar backlashes against U.S. corporate entities. \nThat's not a security risk assessment, it's a political \nrealism.\n    My last comment will be that I would encourage the U.S. \ngovernment to assess all IT products from all vendors \nregardless of national origin because if we're trying to \nprotect sensitive information, we should be fully cognizant \nthat foreign intelligence actors will be willing to exploit any \nIT vendor that we're using, even if it's not of their own \nnational origin.\n    Thank you very much.\n    [The prepared statement of Mr. Kanuck follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n       \n    Chairman LaHood. Thank you, Mr. 
Kanuck, for your opening \nstatement, and thank all the witnesses for your opening \nstatement. We will begin the questioning part of the hearing \ntoday, and with that, the Chair recognizes himself for five \nminutes.\n    I'd like to start. After months of denying any improper \nactivity, and Kaspersky has claimed that any allegation they're \ninvolved with cyber espionage or involved with the Russian \ngovernment, they claim that's false allegations, and today \nthere's an article by Reuters that came out this morning on the \ncusp of this hearing titled, ``Kaspersky says it obtained \nsuspected NSA hacking code from U.S. computer,'' and that \narticle goes on to say, and Kaspersky Lab admits ``that its \nsecurity software had taken source code for a secret American \nhacking tool from a personal computer in the United States.'' \nAnd in fact, in this article, the company admits that it \nexfiltrated the code earlier than previously reported and that \nKaspersky gained access in 2014, and I think that's troubling \non a lot of levels.\n    Let me just start off with you, Mr. Norton. Should the \nfederal government have known about this incident?\n    Mr. Norton. Thank you for the question. You know, I think \nthat we need to take into effect that there's kind of the \nmilitary side of federal networks, the military networks, and \nthen there's the civilian side of networks, and I think, you \nknow, what we're seeing today is that it's been years of really \nunderfunded networks where we haven't really had the capability \nor the staffing or the opportunity to really take a look, an \ninternal look at, you know, what is on the network outside of \nkind of these kind of clean-up that's going on right now in \nterms of removing what's on there. So I think that, you know, \nwe need to take into effect that we haven't really taken this \nissue seriously. 
The Executive Branch is just now looking at \nthis in the last couple of years and so I think that it's \nobviously a big miss and there's been a lot of success in terms \nof foreign adversaries being able to infiltrate not only the \nDOD, DHS and other networks as well as civilian networks, and \nso I think that it's definitely an issue that it's important \nthat it's being covered in this hearing and that it is \nsomething that we need to know going forward. However, you \nknow, I think we just haven't had the capability in place over \nthe last couple of years to even know what's there, and I think \nthat's part of the trouble.\n    Chairman LaHood. And Mr. Norton, what are the consequences \nof this revelation?\n    Mr. Norton. Well, I think what you're seeing today is the \ngovernment essentially scrambling to fix this. I think the fact \nthat the Homeland Security Secretary had this public announcement \nof removing the software is really alarming in the sense that, \nyou know, for it to rise to that level, for the Secretary to \nput out an immediate edict across the federal government, I \nthink that is certainly troubling and that's something that it \nsays that we're not where we need to be and we have a long way \nto go to get there in terms of securing our networks.\n    Chairman LaHood. And does it surprise you that Kaspersky \nhas denied this all the way through until today?\n    Mr. Norton. You know, I don't have access to all the \nintelligence. You know, I think that the issue is not only, you \nknow, Kaspersky but I think other, you know, possible intruders \nthat are, you know, on the network that are there. So I think \nthis is absolutely a global issue. 
I think that, you know, for \nDHS and other intelligence communities to probably share more \nwould be a good thing so the general public has a sense of what \nthis means and how it is impacting our networks, so I think \nit's important for them to tell us a little bit more so we know \nwhat's going on.\n    Chairman LaHood. Ms. Dodson, same question for you in terms \nof should the federal government have known about this incident \nand what are the consequences of this revelation?\n    Ms. Dodson. So from the NIST perspective, security controls \nthat we provide through our guidelines and special publications \nprovide guidance on how to set up security for networks and be \nable to take a look at those. But a second critical issue \nrelates to supply chain, and that is the ability to understand \nyour suppliers, the kinds of products and services that you \nhave and that you're using in your systems. NIST has been \nworking with the federal government and with industry to \ndevelop supply chain guidelines as part of the Framework for \nImproving Critical Infrastructure that can be used to give \norganizations a much better understanding of those suppliers so \nthat they can have the trust and confidence that they need when \nthey put these products and services on their networks.\n    Chairman LaHood. As a follow-up on that, can you--what \nconfidence can you give us that the NSA, their ability to stay \nahead of our adversaries on this issue?\n    Ms. Dodson. I can't speak for another organization such \nas----\n    Chairman LaHood. Do you have an opinion on that?\n    Ms. Dodson. The federal government as a whole is taking the \nthreat issues very seriously across government and working with \nindustry to set up information-sharing systems so that as \nthreat issues come up we can act and respond quickly. We are \nall taking this kind of issue very, very seriously.\n    Chairman LaHood. Thank you.\n    I now yield to Mr. Beyer for his questions.\n    Mr. 
Beyer. Thank you, Mr. Chairman, very much.\n    Mr. Norton, thank you for bringing up the LPTA issue. I \nwill just quote you quickly: ``Many CIOs are forced to abide by \nthe lowest price technically acceptable, LPTA standard, which \noften means they don't end up with the best products.'' I couldn't \nagree more, and we have a bipartisan bill, Mark Meadows and I, \nwhich has been reported out of the Oversight and Government \nReform Committee unanimously. So if you can help us get it on \nthe House Floor, we can get it passed unanimously and send it \nover to the Senate and not tie the hands of our purchasing \nagents on lowest price rather than encouraging them to get the \nbest value.\n    Mr. Kanuck, Ms. Dodson talked about the voluntary risk-\nbased, flexible, repeatable and cost-effective approach of the \nNIST Framework. So that's for the federal government. At what \npoint do we ever consider making it mandatory across the U.S. \nbusiness community or mandatory for subcontractors of the \nfederal government? When do we elevate it to just beyond where \nwe are?\n    Mr. Kanuck. Currently, that is not the approach under law \nand regulation. Private-sector entities are left to their own \ncorporate policies and hiring cybersecurity elements to assist \nthem. As far as taking legislative or regulatory actions to \nmandate certain activities, that may be forthcoming in the \nfuture but I cannot speculate on that. What the NIST Framework \ndoes is, it provides a baseline for a lot of the private sector \nto emulate what the government is doing and is required, as Ms. \nDodson said. I think that is universally viewed as a positive. \nAnd the challenge remains, is the U.S. government going to \nforce actions on the private sector, and there are pros and \ncons to that.\n    Mr. Beyer. One of the things we may think about is, do we \nbegin with government contractors?\n    Mr. Kanuck. 
That is actually a very interesting point to \nstart, and clearly in the defense industrial base that is done \nthrough the procurement power of requiring certain aspects of \ncybersecurity to be utilized or followed by entities that are \ncontracting with the U.S. government, and there's been success \nwith that model. So that may be a model to be extended beyond \njust the defense contracting community. I think that would be a \nwise option.\n    Mr. Beyer. Mr. Kanuck, you probably know what's been called \nthe Gerasimov Doctrine, so I'll take a moment to explain to \nothers who may not have read it.\n    In 2013, General Valery Gerasimov, Russia's Chief of the \nGeneral Staff, or head of its military, published an article \ntitled ``The Value of Science is in the Foresight'' in a weekly \nRussian trade paper in which he let out--laid out his theory of \nmodern warfare. He blends tactics developed by the Soviets with \nstrategic military thinking about total war, which looks much \nmore like the hacking of an enemy's society than attacking it \nhead on. He wrote, ``The very rules of war have changed. The \nrole of non-military means of achieving political and strategic \ngoals have grown. In many cases, they have exceeded the power \nof the force of weapons and their effectiveness. All of this is \nsupplemented by military means of a concealed character.''\n    So Mr. Kanuck, do you believe that we're seeing the \nGerasimov Doctrine in practice during this last election cycle, \nand what are they trying to achieve by engaging these \naggressive assaults on our democracy?\n    Mr. Kanuck. Well, I think you're not only seeing it in the \nform of influence operations in recent democratic elections in \nthe United States and/or France, I think you've also seen it \nconjoined with military operations in Crimea or Ukraine as \nwell. 
The Russian Federation, as I alluded to in my written \ncomments and my opening statement, is very active in the area \nof information operations beyond the simple layer of cyber or \ncritical infrastructure issues that we tend to think about. \nThey actually used the word ``information confrontation'' when \ndiscussing this issue, and that is a wholesale part of their \nstrategic paradigm. You can read it in the open translations of \ntheir strategic doctrine from 2000 onwards, and as you \narticulated it, I would wholeheartedly concur that you are \nseeing that assault on the intellectual and media space of \nsocieties through cyber means. What they have found is the \nperfect tool set, whether it's social media, remote hacking, et \ncetera, to achieve their philosophical objective through that \nstated doctrine.\n    Mr. Beyer. Thank you. Quick question. You wrote that all \nsimilar companies, the antivirus, could be unwittingly \nexploited by third parties. How at risk are Norton and McAfee \nof this, you know----\n    Mr. Kanuck. I am not----\n    Mr. Beyer. --especially when you talk about they create the \nopen front door.\n    Mr. Kanuck. So I'm not prepared to talk critically about \nother companies besides Kaspersky today. I will say, though, \nthat a proper review of the features of a lot of these security \nsoftwares would allow you to do a proper assessment, and quite \nfrankly, in my experience, foreign intelligence actors and \ncriminals alike, once they find out who has access to the \nnetwork to which they seek access, will attempt to derive ways to exploit \nthat path in, and it's a matter of intent and resources. I do \nnot believe there is any network or any product that is \nperfectly secure. It's all a risk management issue.\n    Chairman LaHood. Thank you, Mr. Beyer.\n    I now yield to Mr. Higgins for his questions.\n    Mr. Higgins. Thank you, Mr. Chairman. I ask unanimous \nconsent to enter a letter from Mr. 
Troy Newman, a cybersecurity \nprofessional with whom I consulted, to the record.\n    Chairman LaHood. Without objection.\n    [The information appears in Appendix II]\n    Mr. Higgins. Thank you, Mr. Chairman.\n    Ms. Dodson, how long have you been a cybersecurity advisor \nfor the United States government?\n    Ms. Dodson. I have worked at NIST since 1987, and I've been \nthe Chief Cybersecurity Advisor for about four years.\n    Mr. Higgins. So you were in place in 2012?\n    Ms. Dodson. Yes.\n    Mr. Higgins. You mentioned in one of your responses that \nthe U.S. government is taking cybersecurity and the realm of \ncyberattack very seriously. Were we taking it very seriously in \n2012 when the State Department contracted with Kaspersky?\n    Ms. Dodson. The federal government has been working on \nissues related to supply chain for about seven years, and we \ncontinue to work on our guidelines there as the complexity of \nour systems continue to grow. There are challenges in \nunderstanding all that we have in our networks but it's \nnecessary to do that, and our work with the Framework to \nimprove critical infrastructure cybersecurity provided some \nopportunities to think about supply chain, to think about \nresiliency in our networks so that we can understand cyber \nthreat and respond quickly to those.\n    Mr. Higgins. So in your opinion, the United States \ngovernment was taking cybersecurity very seriously in 2012?\n    Ms. Dodson. I think NIST has been taking cybersecurity \nseriously----\n    Mr. Higgins. Very well.\n    Ms. Dodson. --for a very long time.\n    Mr. Higgins. Mr. Chairman, Kaspersky product has over 400 \nmillion users nationwide. It's widely known Kaspersky's ties to \nthe FSB. That's the Federal Security Service, the Russian \nFederation. FSB is the main successor to the Soviet Union's \nformer KGB. 
Kaspersky is headquartered in Moscow \nin the former KGB headquarters buildings in Lubyanka Square, and \nyet in 2012, the United States State Department contracted with \nKaspersky. I read from Mr. Newman's letter that I entered into \nthe official record earlier. Many security software users \nbelieve that security software is akin to a shield, that this \nshield wards off would-be attackers. The reality is that \nsecurity software is more similar to an inoculation, as Mr. \nKanuck pointed out earlier. Security software resides deep \ninside the computers and infrastructure within the very most \nsensitive and secure areas. In order to install any effective \nsecurity software, we must first expose the system, making all \ninformation vulnerable. The security software has full access \nto all input and output operations. Security software is fully \nembedded in such a way that it has complete access to total--to \nthe entire system.\n    Mr. Shive, you're familiar with the end-user license \nagreement for security?\n    Mr. Shive. Yes, I am.\n    Mr. Higgins. That's the part that most Americans when we \npurchase a cybersecurity product, it appears on the screen and \nit's a lot of language that we don't read, we just click ``I \nagree.'' Is that correct?\n    Mr. Shive. Yes.\n    Mr. Higgins. The end-user license agreement for Kaspersky \nsystems is governed by the laws of the United States or by the \nlaws of the Russian Federation?\n    Mr. Shive. If they're doing business in the United States, \nit would be governed by the United States.\n    Mr. Higgins. The end-user license agreement for Kaspersky \nproducts, Mr. Chairman, according to my research, is governed \nby the laws of the Russian Federation. 
We have certainly begun \nrecently taking cybersecurity very seriously, but I find it \nalarming that although it was rather well known within the \ncybersecurity realm that Kaspersky was--you know, posed a \nparticular risk--we continued to do business with them until \nvery recently.\n    Let me just ask quickly, Mr. Shive. Are U.S. government \nemployees restricted from using Kaspersky products, devices, on \ntheir own at this time?\n    Mr. Shive. I can't speak for the entire government. TSA \nemployees are not restricted.\n    Mr. Higgins. Are Kaspersky products still allowed to be \npurchased by U.S. government agencies outside or separate from \nthe GSA contract process?\n    Mr. Shive. Not if they're going to comply with the Binding \nOperational Directive that DHS published.\n    Mr. Higgins. And my colleague asked earlier, are U.S. \ngovernment contractors restricted from using Kaspersky \nproducts?\n    Mr. Shive. Yes, they are as a result of the Binding \nOperational Directive.\n    Mr. Higgins. Mr. Chairman, my time has expired. I thank you \nfor your cooperation.\n    Chairman LaHood. Thank you, Mr. Higgins.\n    I now yield to Ms. Johnson for her questions.\n    Ms. Johnson. Thank you very much.\n    Mr. Kanuck, the Russians appear to have a very good \nunderstanding of ways that they can attempt to influence \nAmerica's views on certain issues or disrupt democratic \ninstitutions. Social scientists are now working with \njournalists and technologists and others to help understand \nthese techniques and to identify them in order to forewarn the \npublic about the covert efforts that intentionally generate \ndisinformation and fake news for political purpose. Do you \nbelieve a robust understanding of social science and investment \nin the area of research can be applied to helping to thwart \nthese sort of disinformation influence campaigns in the future?\n    Mr. Kanuck. Absolutely. 
I think we would want a triumvirate \nof government initiative efforts to protect systems. I think we \nwould want the corporations whose social media or other \nplatforms are being exploited to join the effort to preserve \nthe integrity of their own corporate interests and networks. \nAnd then finally, broader public awareness and education to \nappreciate the risk and to take measures to secure their own \nsystems would all be beneficial.\n    Ms. Johnson. Are there technologies we might be able to \ninvest in to get a better grasp on this?\n    Mr. Kanuck. Certainly. There are a number of different \ninnovative proposals, some being offered in the social-media \ncommunity, others in the block chain technology. I believe this \nCommittee even had discussions of quantum computing and quantum \ncryptography recently. So there are a number of different \ninnovative technologies which may offer some additional \nsecurity solutions in the future, and I do hope that both \ngovernment and private-sector initiatives pursue them because \nas of right now, it is incredibly difficult to detect and/or \nprevent the kind of influence operations which you were \nreferring to.\n    Ms. Johnson. Thank you very much.\n    I yield back Mr. Chairman.\n    Chairman LaHood. Thank you, Ms. Johnson.\n    At this time I'll yield to Mr. Posey--no, he's not there. \nWe'll go to Mr. Marshall, Dr. Marshall of Kansas.\n    Mr. Marshall. Thank you, Mr. Chairman.\n    I think I'll start with Ms. Shive. Mr. Shive, is there a \nproblem with the Kaspersky software now? Is there really a \nproblem with it?\n    Mr. Shive. So the GSA position for Kaspersky is, there was \na problem with them being entered onto GSA schedules the way \nthat they were entered onto GSA schedules, hence them being \nremoved. GSA doesn't run Kaspersky products so we haven't done \ndeep and rich analysis into the capabilities or technologies \nassociated with that.\n    Mr. Marshall. 
Was or is the Kaspersky Lab a threat to \nnational security?\n    Mr. Shive. I'm not in a position to answer that. Our \npartners at DHS felt there was something significant enough to \nbar use of Kaspersky in the----\n    Mr. Marshall. When do you think they first would have \nthought or been concerned, approximately?\n    Mr. Shive. Who is ``they''?\n    Mr. Marshall. DHS is who you mentioned.\n    Mr. Shive. Right.\n    Mr. Marshall. Or GSA, either one.\n    Mr. Shive. So GSA became aware that there was some \ndiscussion about the risk associated with Kaspersky at the end \nof last year, and then as news came out, we did a couple of \nevaluations on the GSA internal enterprise. When we found that \nwe weren't running Kaspersky internally, we did no further deep \nand rich analysis of the technology embedded within Kaspersky. \nDHS can speak to when they became aware of----\n    Mr. Marshall. Mr. Kanuck, our friends in Israel obviously \ngo back to 2014, it looks like, with a concern about that. Is \nthat accurate that the Israel government maybe alerted us in \n2014 that there was a problem?\n    Mr. Kanuck. Given the unclassified nature of this hearing, \nI'm going to have to simply refer to the recent media \ndiscussions that I saw in the New York Times, Washington Post, \nand Guardian and others that took it back to 2015.\n    Mr. Marshall. Okay. Mr. Norton, when the government \nidentifies a problem in this aspect, whose responsibility is it \nto fix something like this? Is it particular to the people that \nare running the software or this is a bigger problem, maybe \nmore of a national-security problem? Whose responsibility is it \nto fix the problem?\n    Mr. Norton. That's absolutely a national-security issue. I \nthink that, you know, on paper it's the Department of Homeland \nSecurity's challenge for the civilian side of the networks to \nfix this problem and to alert their other federal partners. 
I \nthink that DHS has been challenged essentially since day one to \nkind of work their way around the bureaucracy that we have.\n    Mr. Marshall. It looks like to me this probably has been \ngoing on for two or three years. Frankly, I'm embarrassed. I've \nhelped run a hospital and as well as part of a bank. I've seen \nus take on all these IT problems over the past decade. \nAbsolutely convinced that if Thursday morning this is presented \nto me and we weren't solving the problem by Friday that people \nwould have been fired and lost their job over it, and this \nlooks like to me it took three years when we knew there was a \nproblem, a potential problem. Even if it was just a potential \nproblem, if it's a national-security issue, we should have been \nfixing it yesterday, not tomorrow. Am I--what's wrong with my \nexpectations, Mr. Norton?\n    Mr. Norton. I think your expectations are absolutely fair \nand they're right on, and I think that the government has----\n    Mr. Marshall. Mr. Kanuck, are my expectations unrealistic?\n    Mr. Kanuck. I think the desire to remediate things as soon \nas possible is very well placed. I'm also aware that the speed \nof changes in government can occasionally be slow.\n    Mr. Marshall. Okay. You know, I think of this concept of \nthe fox and the henhouse. Again, I go back to my experience \nworking with a hospital and bank. If we would have vendors \napplying to do our IT and to protect our stuff, and if I would \nhave brought to the board people with connections to the \nRussian government, A, they would have probably fired me, and \nB, they would have fired the IT person who even let them in the \ndoor. I mean, did this pass the sniff test, Mr. Kanuck? Would \nthey pass the sniff test today to get this type of contract?\n    Mr. Kanuck. 
If it's meant to protect the information of a \nsensitive national security type, I would think that it would \nnot pass the sniff test because of the foreign penetrations and \nforeign influence that we have previously discussed here.\n    Mr. Marshall. Mr. Shive, in today's environment, would they \npass--the smell test is a better term. I've been corrected by \nmy colleagues across the aisle. We called it sniff in Kansas. \nMaybe it's smell other----\n    Mr. Shive. Again, because we don't run that particular \nsoftware, I can't say specifically, and we don't base those \nevaluations on press reports. What I can say is that every \nagency CIO has a responsibility and obligation to vet any \nsoftware or technology or process that runs in that \norganization, and that if Kaspersky or any similar tool was \ngoing to be entered into service in that agency, it would be \nput through a battery of tests to evaluate whether or not it \nwas suitable for that environment.\n    Mr. Marshall. Mr. Chairman, may I have 30 more seconds?\n    Chairman LaHood. I'll yield you 30 more seconds.\n    Mr. Marshall. You know, it feels like with all these IT \nissues that we have, people are trying to rob the bank, and as \nlong as they don't get--as long as they don't rob the bank, we \ndon't prosecute them. What do we do when people are just trying \nto rob the bank? So all these attacks on us, people are trying \nto rob the bank. They're trying to rob us of information? \nWhat's the solution to trying to--I mean, my gosh, I can't \nbelieve this goes on this much. They're robbing--they're trying \nto rob the bank, they don't accomplish it, so it seems like \nnothing happens to them. Does anybody have a solution, a short \nsolution? Mr. Kanuck, you raised your hand.\n    Mr. Kanuck. 
Where we lack the ability to have cooperative \ninternational law enforcement or forensic capabilities to \nidentify and prosecute those individuals, we are left with \nrecourse to improving our own networks' resiliency.\n    Mr. Marshall. Thank you. I yield back.\n    Chairman LaHood. Thank you, Dr. Marshall.\n    I now yield to Mr. McNerney.\n    Mr. McNerney. I thank the Chairman. I thank the witnesses. \nIt's certainly an important subject and I want to pursue a \nlittle bit.\n    Mr. Norton, in your written testimony, you mentioned that \nbudget cuts across the federal government are affecting--are \nforcing federal officials to use the lowest price technically \navailable standards. What aspects of security might be \ncompromised as a result of that lowering of standards?\n    Mr. Norton. Well, I think that, you know, sequestration, \nwhich was put in place seven or eight years ago, right now what \nwe're seeing is the impacts of sequestration where we've \nessentially conditioned government executives, CIOs, other \nmanagers to really look for that LPTA product and they might \nnot necessarily look for the best type of software that's \navailable, maybe something that's customized, something that \nmight fit the particular need of an agency, and also we're \nseeing where they're not turning on the software to full \ncapability and that they maybe use part of an acquisition and \nmaybe not all of it and so I think all that goes to not having \nenough resources and being kind of constrained to the \nsequestration that's essentially still in place and kind of \nhovering----\n    Mr. McNerney. Are there specific examples you could submit \nto the Committee of this phenomenon you're describing?\n    Mr. Norton. 
I think that broadly I would say, you know, \nprogram to program from, you know, federal agencies, you know, \nlike at DHS where they have, you know, component agencies like \nCustoms and Border Protection or other places where, you know, \nyou've got components that are purchased that might not \nnecessarily have a cyber component, you know, put inside of it.\n    I think if you think about the commercial attack back in \nOctober of last year where essentially the internet was slowed \ndown because they were attacking a piece of the internet from a \nsmall company in, you know, New Hampshire. You find these \nlittle parts that can be exploited and slow down the internet \noverall, and you think of that broadly in terms of other \nproducts that maybe are purchased day to day at, you know, Best \nBuy, for example, that don't necessarily have cyber built into \nit goes to that lowest price technically acceptable.\n    Mr. McNerney. Thank you.\n    Mr. Shive, are commercial antivirus computer security \nsoftware products made by other companies also potentially \nvulnerable to the same sorts of exploitation as in the case of \nKaspersky?\n    Mr. Shive. Because of the persistent nature of the threat, \nall softwares are vulnerable, and that's why CIOs have the \nobligation to assess those softwares before they enter them \ninto service in each of their agencies.\n    Mr. McNerney. Do you have any recommendations for federal--\nto protect federal systems?\n    Mr. Shive. Increased investment in cybersecurity is a very \ngood idea.\n    Mr. McNerney. Ms. Dodson, has NIST made available any \nguidelines or best practices concerning security of voting \ninfrastructure?\n    Ms. Dodson. NIST has developed guidelines for voting \ninfrastructures that relate to cybersecurity and in particular \nlooking at risk-management processes that can be put in place \nfor the different phases of voting systems and voting use.\n    Mr. McNerney. 
Should NIST be doing more in this arena?\n    Ms. Dodson. NIST is continuing to work with the voting \ncommunity as well as the Department of Homeland Security as \nthey are also looking at security and voting systems, so we are \ncontinuing our efforts there.\n    Mr. McNerney. Okay. What limitations do you face?\n    Ms. Dodson. I'm sorry. What kind of limitation do we face \nin----\n    Mr. McNerney. Right.\n    Ms. Dodson. So NIST continues to look at a number of \ndifferent aspects of voting and work with that community. We \nare looking at security. We are looking at the interoperability \nand the usability, so many different aspects of voting systems \nto support the United States and to support the different \nstates as they're developing and implementing their solutions.\n    Mr. McNerney. Thank you. Mr. Shive, what would you \nrecommend small businesses do to strengthen their cybersecurity \nnetworks and practices?\n    Mr. Shive. For small businesses, employ the best practices \nthat exist for large business and government in their \ncybersecurity practices, make an emphasis and focus on \ncybersecurity from the ground up at the beginning of creation \nof their product, tools, process or service rather than as a \nbolt-on at the end.\n    Mr. McNerney. But a lot of these small businesses don't \nhave the resources to have an IT person to take care of those \nissues.\n    Mr. Shive. And then they'll suffer the same fate that every \nother corporation that makes that fundamental mistake does and \nthey'll go out of business.\n    Mr. McNerney. Thank you. Mr. Chairman, I yield back.\n    Chairman LaHood. Thank you, Mr. McNerney.\n    I now yield to the gentleman from South Carolina, Mr. \nNorman.\n    Mr. Norman. Thank you, Mr. Chairman.\n    Mr. Shive, when we talk about getting on the GSA's \npreapproved contract list, who's got the final approval? Is it \na person, is it a group? Who would make the final call on that?\n    Mr. Shive. 
The Federal Acquisition Service in GSA, which is \nmade up of contracting officers, lawyers, and business \nprofessionals who interact with the vendor community and create \na framework for their entrance into the schedules.\n    Mr. Norman. How many people is that?\n    Mr. Shive. I can get back to you with the number. I think \nit's around 6,000 people.\n    Mr. Norman. Okay. Now, was Congressman Higgins right when \nhe mentioned the fine print of being under the--and I forget \nwhich agency he mentioned but being under the, I guess the \nlegal guidelines of Soviet Union rather than the United States? \nIs that right?\n    Mr. Shive. So thank you for asking that clarifying \nquestion. So every company has a EULA as a part of their \nbusiness practice. The federal government, the U.S. federal \ngovernment is not obligated under that EULA to enter service. \nThere's a negotiation that takes place that includes on the \ngovernment side lawyers and contracting officers that assess \nthe EULA relative to the regulation and policy of the federal \ngovernment. If there's a disconnect there, then the vendor \ncan't do business with government.\n    Mr. Norman. Okay. So going forward, would that be--would \nany changes be made on that?\n    Mr. Shive. No. I think it's a good process to have \ngovernment lawyers and contracting officers scanning that text \nfor corporations and making sure that it complies with federal \nregulation and law.\n    Mr. Norman. Okay. And Mr. Shive, in your testimony you note \nthat three resellers included Kaspersky's products without \ntaking appropriate steps to modify the contracts. Is that \nright?\n    Mr. Shive. That's right.\n    Mr. Norman. Did these three resellers comply with the GSA's \nrequest to remove Kaspersky products from the list?\n    Mr. Shive. Yes, they did so immediately.\n    Mr. Norman. After the fact?\n    Mr. Shive. Yes.\n    Mr. Norman. Okay. 
Did the GSA evaluate whether these three \nresellers needed to be sanctioned for including the products?\n    Mr. Shive. I'm not aware of the sanctioning process, of any \nsanctioning process.\n    Mr. Norman. Do you think there need to be sanctions, at \nleast go down--to go down that path to have consequences? \nBecause it looks like just from what I'm hearing has really \nbeen the--there's no consequences on this.\n    Mr. Shive. Right. So I'm actually not saying that there \nwere or were not consequences. I just don't know if there was. \nWe can circle back to you and get you that information.\n    Mr. Norman. Like Congressman Marshall mentioned, you know, \nthe consequences in the private sector, the consequences in \njust about everything in the political arena, and it looks like \nthere ought to be consequences with this. It's pretty serious \nfrom what I'm hearing today.\n    Mr. Shive. Understood. We're happy to circle back with you \nand let you know what the consequences were, if there were in \nfact any.\n    Mr. Norman. Thanks so much.\n    I yield back, Mr. Chairman.\n    Chairman LaHood. Thank you, Mr. Norman.\n    I now will yield to Mr. Perlmutter from Colorado.\n    Mr. Perlmutter. I thank the Chair, and just an inquiry of \nthe Chair. Was Mr. Kaspersky invited to testify or somebody \nfrom his organization?\n    Chairman LaHood. Not to today's hearing. I know that we \nplan to have a few more hearings on this, and we'll entertain \nthat as we move along.\n    Mr. Perlmutter. All right. Thank you.\n    And Mr. Norton, it's good to see you. We've had two records \ntoday. You have had the shortest opening statement, and the \nRanking Member had the shortest questioning along with Mr. \nNorman today that we've had I think on this Committee of all \ntime, so thank you all.\n    You know, over time the computers I've had, I've had \nMcAfee, I've had Kaspersky, and I've had--and Mr. 
Norton, I \ndon't think it's your company but I've had Norton antivirus \ntoo.\n    Mr. Norton. It is not my company.\n    Mr. Perlmutter. I think this is a very important hearing \nwe're having today. Mr. Higgins talked about the KGB \npotentially having access into governmental records, talked \nabout--I think Dr. Marshall talked about the fox in the \nhenhouse and robbing the bank or attempting to rob the bank, \nand words like ``trusted'' and ``complicit'' and ``willful'' \nand ``adversarial'' and ``espionage'' and ``intelligence risk'' \nand ``national security'' have been bandied about today. What--\nI'll start with you, Mr. Kanuck. What is it that we're worried \nabout here?\n    Mr. Kanuck. I believe we're particularly worried about the \nability for unauthorized users to access systems and either \nsteal confidential information or disrupt the availability of--\n--\n    Mr. Perlmutter. But a particular unauthorized user, who is \nthat? What is that?\n    Mr. Kanuck. Well, from my role as a Strategic Threat \nAnalyst, I would say there are numerous of them in the \ninternational space. The one we seem to be focusing on today is \nthe Russian threat actor and that has theoretically, according \nto open-source reporting, exploited Kaspersky products to that \nend.\n    Mr. Perlmutter. Mr. Norton, are you familiar with Guccifer \n2.0?\n    Mr. Norton. Yes.\n    Mr. Perlmutter. What is that?\n    Mr. Norton. Well, essentially it's hacktivism, if you will, \nin terms of, you know, hacking into, finding information, you \nknow, getting into a system and then pulling information out. I \nthink your assessment in terms of what exactly we're talking \nabout here is a great point. I think there are multiple \nthreats. Whether they're here domestically or they're \ninternational, I think the government is woefully behind in \nterms of preparation in terms of what we've done now and what \nwe need to do, you know, going forward. 
I think that we seem to \nbe having, you know, these type of discussions every 6 to 12 \nmonths with these massive hacks that are occurring, and I think \nthat, you know, it's time to really kind of move on and figure \nout what is the next step, whether it's massive research and \ndevelopment funding for the government to hire these, you know, \nmore experts, bring people in to government. I think that \nwe've, you know, kind of assigned this opportunity to CIOs and \nother people within the government that have had traditional \nroles and now they seem to be the cybersecurity experts, and I \nthink they obviously do a great job for us but I also think \nthey need more help and more services and more, you know, \nsupport.\n    Mr. Perlmutter. And the Congress has got to be in the lead \nhopefully of providing those resources, which I think you now \nmentioned and Mr. Kanuck mentioned.\n    So let me move to NIST and to the GSA for just a second and \nthen I've got a political statement I want to make. I think one \nof the places where we can harden systems especially for small \nbusiness is through small business taking advantage of the NIST \nFramework and that the GSA in its protocols demand that small \nbusiness have access, you know, taking advantage of those NIST \nprotocols or Framework, just if the two of you would comment \nreal quickly.\n    Ms. Dodson. NIST has developed some guidance specifically \nfor small businesses around the Framework to make that publicly \navailable, and we've worked with the Small Business \nAdministration, with our Manufacturing Extension Partnership \nand others to make sure these guidelines are available and that \nsmall businesses can find out about them.\n    Mr. Perlmutter. But for you, they're guidelines. For GSA, \nthey could demand something like that as part of the purchase.\n    Mr. Shive. And that's exactly right. 
Increasingly we find \nthat business both big and small is increasingly availing \nthemselves of NIST policy, guide work and frameworks because \nit's good IT and cybersecurity practice. As a CIO who purchases \nsoftwares and technologies increasingly I'm asking my vendor \npartners to conform to those standards as well.\n    Mr. Perlmutter. If I could have just a few more seconds, \nMr. Chairman----\n    Chairman LaHood. Absolutely.\n    Mr. Perlmutter. --for my political statement?\n    Chairman LaHood. It depends on what it is but----\n    Mr. Perlmutter. Well, you're not going to like it but I \nmean, I think this is a very important subject but obviously, \nyou know, when we have at the White House an investigation \nbetween connections between the White House and many of its \npeople with the guy who was the former head of the KGB, \nVladimir Putin, then we've got a lot of ground to cover, \nwhether it's within the cybersecurity or as to, you know, just \nbasic old personal relationships and not have too many front \ndoors to Russia because I think that is jeopardizing our \nnational security, and with that, I yield back.\n    Chairman LaHood. Thank you, Mr. Perlmutter.\n    At this time I'll yield to Mr. Loudermilk of Georgia.\n    Mr. Loudermilk. Thank you, Mr. Chairman, and thank all of \nyou for being here today.\n    Spending 20 years in the IT industry, actually 30 if you \ninclude my time in the intelligence community when I was in the \nmilitary, there are so many aspects of this issue that are so \ndisturbing that I can't even get my hands around all of it, and \nsome of it outside of this hearing such as an intelligence \nanalyst taking classified material home. I mean, that was a \nfelony when I was in the intelligence community. And then \nsomebody who is in that arena having pirated software, I mean, \nanybody who works in this arena at all, you know that if it's \npirated software, it's dirty. It's likely dirty in some way. 
So \nanyhow, that's outside the scope of this. This happened in a \nprevious Administration and hopefully we're cleaning up some of \nthe looseness that we've had in the intelligence community, but \nI'm reading an article from Associated Press which, Mr. \nChairman, I'd like to introduce into the record.\n    Chairman LaHood. Without objection.\n    [The information appears in Appendix II]\n    Mr. Loudermilk. This thing reads like a Clancy novel, the \nIsraelis spying on the Russians who are spying on us, and they \nalert us to the fact that the Russians are gaining information \nthat are being captured through this software.\n    Mr. Norton, in your experience, if a cybersecurity company \ncomes across, whether intentional or unintentional, comes \nacross classified information, I would think, through my \nexperience, that it not only legally but professionally you \nshould alert the agency of which it came from that--or at least \nthe proper officials that you have come across this \ninformation. Am I wrong in that? Is that something that you \nwould assess if somebody just happened to come across this \ninformation they would alert?\n    Mr. Norton. I think in the last couple of years that there \nhas been an effort in terms of sharing information amongst DHS \nand other, you know, companies across the cyber realm, if you \nwill, in terms of moving information back and forth certainly \ncould be better but I think the process has started and I think \nas you're seeing professionals kind of cross into the private \nsector and back into government and back and forth, it's \ngetting a little bit better, but absolutely, it's something \nthat we need to continue to get our arms around and do a better \njob.\n    Mr. Loudermilk. I mean, if in your business you come across \na piece of classified information that was not within your \nrealm of need to know, you would report to someone?\n    Mr. Norton. Of course.\n    Mr. Loudermilk. Okay. 
In this article from Associated \nPress, you know, they reported that Israel notified us that \nRussia was gaining classified information using the software. \nEugene Kaspersky spoke--in this article, he stated that they \ndid collect NSA materials clearly marked classified in 2014, \nwhich were spirited to Moscow for analysis, and then deleted at \nhis direction. When asked if Kaspersky alerted the NSA that his \nsoftware discovered classified materials, he claimed that he \ndidn't want to see it in the news. If he is asked why he didn't \nreport it, he didn't want to see in the news that I tried to \ncontact the NSA to report the case, definitely I didn't want to \nsee it in the news. Is that plausible that he would not report \nthat they, you know, came across by unintentional means that \nthey came across classified information? Is it plausible that \nhe would have not reported it just because he didn't want to \nsee it in the news? Yes, Mr. Norton. I'm sorry.\n    Mr. Norton. I guess the answer is, sir, I don't know what's \ngoing inside his head or what his thought process was. It's \nhard for me to assess why he made that decision or didn't make \nthat decision.\n    Mr. Loudermilk. To me, from a legal aspect, maybe laws have \nchanged since I was in the intelligence community but I would \nhave a legal responsibility at that point to notify the \nauthorities look, our software came across this information, \nyou may need to go look at this employee. I also have issue \nwith them just reading the documents they come across as well.\n    Mr. Kanuck, do you think this is a plausible response by \nMr. Kaspersky?\n    Mr. Kanuck. My first observation would be that Mr. \nKaspersky may not be subject to a secrecy agreement of any kind \nthat would have the legal contractual binding nature that \nyourself previously and myself have had before that would have \nobligated us to report that information had we stumbled across \nit. 
Secondly, I guess I am personally a little surprised that \nknowing the scrutiny that his firm is under that he might not \nhave taken an opportunity to return it to the U.S. government \nand try to get in our good favor.\n    Mr. Loudermilk. Maybe redeem himself, you know, to show \ngoodwill.\n    Let me ask you, why would he not inform the NSA? I mean----\n    Mr. Kanuck. Possibly because he felt there was no legal \nobligation for him to, and in his personal decision thought it \nwas not in the best interest of his company, which again is a \nRussian company.\n    Mr. Loudermilk. Mr. Norton, is it plausible that maybe the \nsuspicions that the Israelis have, that we have is that they're \npurposely mining for information? Is that plausible?\n    Mr. Norton. I think that, you know, with the digital age \nhaving really grown in the last 15 years that online \nintelligence gathering is the normal. I think that we as, you \nknow, society need to continue to come to grips with the fact \nthat mining online data and the fact that you can target \nindividuals is the new normal and that we all need to be aware \nof this, and I think that whether it's the Russians or other \nadversaries, nation-states, individuals, absolutely our \nnetworks are a target every day, every second, and we need to \nbe really aware of that.\n    Mr. Loudermilk. Why would he send it to Moscow? Is that not \nsuspect that he sent the documents to Moscow, then asked for \nthem to be deleted, Mr. Norton?\n    Mr. Norton. I think--again, I don't know what really \noccurred or didn't occur. It seems like that would be something \nthat we would need to really kind of take a look at, and \nhopefully our intelligence services is on that and they can \ngive us----\n    Mr. Loudermilk. Mr. 
Kanuck, would you--would you find it \nsuspect that he sends them to Moscow after seeing that they're \nclassified NSA documents determines to not notify the NSA but \nthen sends them to Moscow and then says I'm going to have them \ndeleted? I mean, that's pretty suspect to me.\n    Mr. Kanuck. So again, I'm not personally knowledgeable of \nwhether he himself was the one who did the discovering and the \nforwarding. I would, as I said in my opening statement, \nencourage the analysis of traffic flows within the Kaspersky \nglobal communications network. That may have been standard \noperating procedure or it may have been an ad hoc decision. I \ncan't speak to that because I don't work for that company.\n    Mr. Loudermilk. All right. Well, thank you, Mr. Chairman. I \nyield back the time I have exceeded.\n    Chairman LaHood. Well, thank you, Mr. Loudermilk, for your \ninsightful questions there.\n    That concludes our questions here today. I want to thank \nthe witnesses for your valuable testimony here today. I think \nthis Committee as part of our oversight mission will continue \nto investigate leads and evidence as it relates to this matter. \nSecondly, I think we've just touched the surface as it relates \nto Kaspersky and their alleged complicity and involvement with \ncyber espionage, and this Committee will continue to work on \nthat. We anticipate more hearings and more testimony to come.\n    So with that, this hearing is concluded, and we thank you.\n    [Whereupon, at 11:31 a.m., the Subcommittee was adjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\nResponses by Mr. 
Sean Kanuck\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n                              Appendix II\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n\n\n\n\n            Letter submitted by Representative Clay Higgins\n            \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]            \n\n         Document submitted by Representative Barry Loudermilk\n         \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]         \n\n\n                                 <all>\n</pre></body></html>\n"