[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
                         A SURVEY OF COMPLIANCE
                         WITH THE DHS DIRECTIVE

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           November 14, 2017

                               __________

                           Serial No. 115-38

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
 


       Available via the World Wide Web: http://science.house.gov
       
       
                                __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
27-677PDF                  WASHINGTON : 2018                     
          

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         ZOE LOFGREN, California
MO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                  AMI BERA, California
THOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            MARC A. VEASEY, Texas
RANDY K. WEBER, Texas                DONALD S. BEYER, JR., Virginia
STEPHEN KNIGHT, California           JACKY ROSEN, Nevada
BRIAN BABIN, Texas                   JERRY McNERNEY, California
BARBARA COMSTOCK, Virginia           ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia            PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois
DARIN LaHOOD, Illinois               MARK TAKANO, California
DANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii
JIM BANKS, Indiana                   CHARLIE CRIST, Florida
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
                                 ------                                

                       Subcommittee on Oversight

                   HON. DARIN LaHOOD, Illinois, Chair
BILL POSEY, Florida                  DONALD S. BEYER, Jr., Virginia, 
THOMAS MASSIE, Kentucky                  Ranking Member
BARRY LOUDERMILK, Georgia            JERRY MCNERNEY, California
ROGER W. MARSHALL, Kansas            ED PERLMUTTER, Colorado
CLAY HIGGINS, Louisiana              EDDIE BERNICE JOHNSON, Texas
RALPH NORMAN, South Carolina
LAMAR S. SMITH, Texas
                            
                            C O N T E N T S

                           November 14, 2017

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Darin LaHood, Chairman, Subcommittee 
  on Oversight, Committee on Science, Space, and Technology, U.S. 
  House of Representatives
    Written Statement

Statement by Representative Donald S. Beyer, Jr., Ranking Member, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives
    Written Statement

                               Witnesses:

Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and 
  Communications, National Protection and Programs Directorate, 
  U.S. Department of Homeland Security
    Oral Statement
    Written Statement

Ms. Renee Wynn, Chief Information Officer, National Aeronautics 
  and Space Administration
    Oral Statement
    Written Statement

Ms. Essye Miller, Deputy Chief Information Officer for 
  Cybersecurity, U.S. Department of Defense
    Oral Statement
    Written Statement

Dr. Mark Jacobson, Associate Teaching Professor, Edmund Walsh 
  School of Foreign Service, Georgetown University
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and 
  Communications, National Protection and Programs Directorate, 
  U.S. Department of Homeland Security

Ms. Renee Wynn, Chief Information Officer, National Aeronautics 
  and Space Administration

Ms. Essye Miller, Deputy Chief Information Officer for 
  Cybersecurity, U.S. Department of Defense

Dr. Mark Jacobson, Associate Teaching Professor, Edmund Walsh 
  School of Foreign Service, Georgetown University

            Appendix II: Additional Material For The Record

Statement submitted by Mr. Troy A. Newman, President, Cyber5, LLC

 
               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
             A SURVEY OF COMPLIANCE WITH THE DHS DIRECTIVE

                              ----------                              


                       Tuesday, November 14, 2017

                  House of Representatives,
                      Subcommittee on Oversight and
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 10:08 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Darin 
LaHood [Chairman of the Subcommittee] presiding.

    Chairman LaHood. Good morning. The Subcommittee on 
Oversight will come to order.
    Without objection, the Chair is authorized to declare 
recesses of the Subcommittee at any time.
    Welcome to today's hearing entitled ``Bolstering the 
Government's Cybersecurity: A Survey of Compliance with the DHS 
Directive.'' The subject of today's hearing involves some 
information that is classified. I remind members that their 
questions may call for a response that the witnesses know to be 
classified. Please be mindful of this fact. I would like to 
instruct the witness to answer to the best of their ability, 
but should an answer call for sensitive information, members 
will understand if you respond that you are unable to answer in 
this setting.
    I now recognize myself for five minutes for an opening 
statement.
    Good morning and welcome to today's Oversight Subcommittee 
hearing, ``Bolstering the Government's Cybersecurity: A Survey 
of Compliance with the DHS Directive.'' The purpose of this 
hearing is to examine and assess implementation of the 
Department of Homeland Security (DHS) Binding Operational 
Directive (BOD) 17-01, which was the removal of the Kaspersky-
branded products by federal government departments and 
agencies.
    This hearing marks the second time the Committee has 
convened to examine the issues and concerns surrounding 
Kaspersky Lab. On October 25, 2017, the Committee examined the 
potential risks, vulnerabilities, and threats posed to federal 
ICT systems by Kaspersky software. During that hearing, we 
heard from experts about the specific nature of threats posed 
by Kaspersky, action the federal government has taken or plans 
to take to mitigate the threat, and steps that could be taken 
to avoid similar threats in the future.
    The Trump Administration has taken steps to remediate the 
Kaspersky issue. In July of this year, the GSA removed 
Kaspersky from its government-wide contracts. Although it was a 
step in the right direction, it did not completely eliminate 
the threat.
    On September 13, 2017, the Administration took additional 
steps to harden the security of federal information systems 
against the Kaspersky threat when DHS issued Binding 
Operational Directive 17-01. The directive requires federal 
departments and agencies to complete three consecutive phases 
of implementation. First, they must scan their systems to 
identify the use or presence of Kaspersky software. Second, 
they must develop an action plan for the removal and 
replacement of any Kaspersky software identified on their 
systems. Finally, they are required to implement their action 
plan and must begin the process of removal and replacement.
    Federal departments and agencies are also required to 
submit status reports to DHS as they implement each of the 
directive's three phases. The status reports provide data and 
information that is useful for assessing compliance with the 
directive, and for quantifying the pervasiveness of Kaspersky 
installations across federal systems, the extent of threats 
posed by the software, and the complexities associated with 
complete removal.
    Today, we will focus primarily on the status reports to 
guide our assessment of compliance with the directive. In doing 
so, we hope to learn whether agencies have complied with the 
first two phases of the directive and whether any Kaspersky 
installations were found on federal systems. Additionally, we 
hope to understand more about the specific action plans for 
removal and replacement of any identified Kaspersky 
installations and DHS' anticipated timeline for full 
implementation of the directive. Finally, we hope to learn 
about the directive's applicability to federal contractors.
    I want to thank Ms. Miller for being here to represent the 
Department of Defense. Annually, the DOD spends approximately 
$30 billion on information technology. We are interested in 
whether the directive applies to DOD's contractors and, if so, 
are they currently complying? If not, what must be done to 
ensure that contractors take appropriate action to mitigate the 
Kaspersky threat? I'm hopeful that our witnesses today can help 
us resolve these important questions and better understand the 
next steps that must be taken to ensure the integrity, 
resilience, and security of federal information systems.
    Cybersecurity is a complex and evolving issue that affects 
U.S. national and economic security. We must remain diligent in 
our efforts to strengthen and secure federal systems, and our 
approaches to addressing cybersecurity issues must evolve to 
keep pace with ever-changing threats. Bolstering the 
cybersecurity of federal information systems is among the 
Committee's top priorities, and I am hopeful that our efforts 
here today will take us one step closer toward accomplishing 
this objective.
    [The prepared statement of Chairman LaHood follows:]
 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman LaHood. At this time, I now recognize the Ranking 
Member, the gentleman from Virginia, for his opening statement.
    Mr. Beyer. Thank you, Chairman LaHood, and thank you for 
holding this second hearing on Kaspersky.
    Two weeks ago we held a hearing on security concerns 
regarding the use of Kaspersky Lab software on federal computer 
networks, and I think most members on both sides of the aisle 
agree that using the services or software of Kaspersky Lab, a 
Moscow-based company that reportedly has close ties to Russian 
intelligence services, using this on federal networks presents 
risks not worth taking.
    So back in September, the Department of Homeland Security 
also recognized this and issued a directive for federal 
agencies to identify and initiate actions to remove Kaspersky 
Lab software from their networks. So I understand that we're 
holding this hearing as a follow-up to ensure that our federal 
agencies are complying with this DHS directive in a timely 
manner, which is essentially important.
    However, it seems that in holding a second oversight 
hearing solely on Kaspersky Lab products we're missing the 
forest for the trees. Kaspersky products are not the biggest 
security risk we face in Russia. As I mentioned at our last 
hearing and as we saw throughout the 2016 election cycle, 
cybersecurity is no longer just about defending our data. It is 
on a larger scale about defending our democracy from unwanted 
foreign influence and disinformation campaigns.
    Please listen to these actual numbers. One hundred and 
twenty-six million Americans received Russian-backed content on 
their Facebook newsfeeds during the 2016 election. Twitter has 
found 36,746 bots linked to Russia, and these accounts sent a 
combined 1.4 million tweets and were seen 288 million times. 
Google has uncovered tens of thousands of ads purchased by 
Kremlin-linked buyers on YouTube, Gmail--its search page--and 
in double-click ads. The Kremlin directly sponsored fake Black 
Lives Matter activists who posted videos to Facebook, Twitter, 
and YouTube. Last month, the Computational Propaganda Project 
released a study mapping how Russia-linked Twitter accounts 
seek to target U.S. military personnel and veterans.
    So instead of focusing just on Kaspersky Lab software, we 
should also be examining how enemies of democracy are using 
communications technologies in new, precise, and powerful ways 
to disrupt our democratic institutions and influence the 
American public. We should be specifically looking into how the 
Russians have done this just during the 2016 presidential 
election and how we can develop tools, technologies, and public 
awareness to diminish similar attacks in the future. We should 
also examine the state of our cybersecurity practices in 
defending our critical election infrastructure from covert 
interference and manipulation.
    The House Science, Space, and Technology Committee has an 
important role in publicly addressing these issues. We do have 
a specific responsibility to provide oversight on the deeply 
existential role of technology in our society. And, Mr. 
Chairman, at the last Kaspersky hearing I requested that we 
hold a hearing on these larger issues, and I respectfully ask 
again today.
    I'm glad that one of our witnesses today will help put the 
security concerns regarding Kaspersky Lab's software in context 
and helps examine the broader Russian strategy of undermining 
our democratic institutions and influencing our democracy. Dr. 
Mark Jacobson, a professor at Georgetown University, has 
written frequently on the impact of Russia's influence 
operations against the United States in the past few years. I 
look forward to his testimony and all your testimony.
    I'm also attaching to my statement a minority staff report 
that addresses Russia's cyber influence campaign against the 
United States. This report has already been shared with the 
majority staff.
    Thank you, Mr. Chairman, and I yield back.
    [The prepared statement of Mr. Beyer follows:]
 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman LaHood. Thank you, Mr. Beyer.
    I now recognize the Chairman of the full Committee, Mr. 
Smith, for his opening statement.
    Chairman Smith. Thank you, Mr. Chairman.
    The risk to U.S. security that Kaspersky Lab, a Russian 
company, has created is undeniable and the harm, incalculable. 
The founder of Kaspersky Lab, Eugene Kaspersky, attended a KGB-
funded intelligence institute and served in Russia's Ministry 
of Defense. For years, there has been speculation that 
Kaspersky's antivirus software could be used by the Russians 
for information gathering. Continued investigations have 
disclosed more details on the extent to which Kaspersky Lab is 
a tool for the Russian Government. Press reports claim that 
Kaspersky's prior federal government customers include the 
Departments of State, Justice, Energy, Defense, Treasury, Army, 
Navy and Air Force. This is of more than passing concern; it is 
alarming.
    Last month, The New York Times reported that Russian 
Government hackers conducted a global search of computers 
looking for the code names of American intelligence programs. 
The hackers used the antivirus software made by Kaspersky Lab. 
This Russian operation stole classified documents from at least 
one National Security Agency employee, who had Kaspersky 
antivirus software installed on his home computer.
    Kaspersky's antivirus software allowed Russia to have 
unlimited access to data stored on computers with Kaspersky 
products. The magnitude and widespread use of Kaspersky's 
software--400 million users worldwide--gives the company 
unprecedented access and retrieval capabilities.
    To date, it is unclear what additional American security 
secrets Russia may have acquired through Kaspersky's scans for 
classified programs. This only confirms the need for the 
actions this Administration and this Committee have taken. The 
Science Committee has engaged in continued oversight of 
Kaspersky Lab since questions were raised by Science Committee 
member Congressman Higgins earlier this year. On July 27, 2017, 
this committee requested that all federal departments and 
agencies disclose their use of Kaspersky Lab products. On 
September 13, 2017, the Department of Homeland Security issued 
a Binding Operational Directive to all agencies and 
departments. This directive sought the complete removal of 
Kaspersky products from federal systems after 90 days.
    Today, the Committee is interested in whether federal 
agencies are complying with the directive. How common are 
Kaspersky products in our federal systems? What is the extent 
of the risk? And are the actions required in the DHS directive 
sufficient to protect U.S. interests? The Committee expects to 
uncover all risk associated with Kaspersky Lab. This includes 
identifying all necessary actions needed to eliminate risks 
even beyond the risk to federal systems.
    Based on the NSA contractor's personal computer being 
targeted, we are interested in what steps DHS has taken to 
assist civilian employees and contractors who are at risk of 
exposure. We also are interested in proactive steps and 
coordination among our federal agencies and departments. We 
need to use all resources to ensure that Kaspersky products on 
federal systems have been completely removed.
    Beyond an interest in the risk caused by Kaspersky 
products, the Science Committee will continue to address the 
federal government's cybersecurity weaknesses.
    This committee, along with the Committee on Oversight and 
Government Reform, plans to bring a revised version of H.R. 
1224, the NIST Cybersecurity Framework, Assessment, and 
Auditing Act of 2017, to the House Floor soon. NIST should 
welcome the opportunity to use its expertise to help protect 
our national security.
    The bill amends the Federal Information Security Management 
Act to require that federal agencies' Inspectors General 
coordinate with NIST in conducting their cybersecurity 
evaluations. Anyone with knowledge of potential cybersecurity 
risks should contact the committee and share their information 
with us. We must eliminate the threat of Kaspersky Lab to our 
national security systems. Thank you, Mr. Chairman. I'll yield 
back.
    [The prepared statement of Chairman Smith follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman LaHood. Thank you, Chairman Smith.
    I now recognize the Ranking Member of the full Committee, 
Ms. Johnson, for her opening statement.
    Ms. Johnson. Thank you very much, Mr. LaHood.
    In September, the Department of Homeland Security banned 
the use of Kaspersky Lab software on federal government 
computer networks. The U.S. intelligence community believes 
this Russian company's products pose an unnecessary potential 
risk to our security from Russia's intelligence services. 
Whether or not the company is aware of these threats is 
irrelevant. I trust the judgment of the American intelligence 
community in this matter, and I'm also confident that federal 
agencies will successfully eliminate the Kaspersky Lab software 
from their respective computer systems.
    I am much more concerned, though, about the persistent 
threat foreign actors pose to our electoral system. During the 
previous Kaspersky Lab hearing the Subcommittee held three 
weeks ago, I noted that, prior to the 2016 election, this 
committee held a hearing to review the guidelines for 
protecting voting and election systems, including voter 
registration databases and voting machines. I asked that this 
committee hold a follow-up hearing to discuss protecting these 
same systems in the light of last year's events, as well as to 
examine the sophisticated influence operations conducted by the 
Russian Intelligence Service to disrupt our democratic 
processes and damage our democracy.
    Today, I want to reiterate that request. Russian actors 
attempted to hack into voter databases in multiple States 
before the 2016 election, successfully compromising a small 
number of networks according to the Department of Homeland 
Security. But Russia, as we all know, did not only attempt to 
penetrate these sorts of hard targets, they sought to influence 
public opinion and undermine our democratic institutions 
through their use of trolls, bots, and social media platforms.
    Rather than simply examine the specific threat posed by 
Kaspersky Lab software, we need to take a much wider view and 
look at the evolving and expanding threat that Russians' cyber 
attacks and influence operations pose today in our society.
    I'm happy that Dr. Mark Jacobson, our witness today, can 
speak about Russia's history of influence operations against 
the United States and the many ways that Russia seeks to 
undermine Western democracies. I thank you for coming today, 
Dr. Jacobson.
    I ask again for the Science Committee to commit to holding 
a 2016 election postmortem with an eye on ways the Science 
Committee can help discourage foreign interference in future 
elections and how we can encourage the development of tools and 
technologies to help identify these threats and limit their 
impact on our government, public, and society.
    I thank you, Mr. Chairman, and I yield back the balance of 
my time.
    [The prepared statement of Ms. Johnson follows:]
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Ms. Johnson.
    At this time let me introduce our witnesses here today. Our 
first witness today is Ms. Jeanette Manfra, Assistant Secretary 
for Cybersecurity and Communications for the National 
Protection and Programs Directorate at the U.S. Department of 
Homeland Security. Ms. Manfra has held multiple positions 
related to cybersecurity at the Department, and prior to 
serving at DHS, Ms. Manfra served in the U.S. Army as a 
Communications Specialist and a Military Intelligence Officer. 
Welcome.
    Our second witness is Ms. Renee Wynn, Chief Information 
Officer at NASA. Ms. Wynn previously served as the Acting 
Assistant Administrator for the Office of Environment 
Information at the EPA. She holds a bachelor of arts in 
economics from DePauw University in Indiana. Welcome, Ms. Wynn.
    Our third witness is Ms. Essye Miller. She is the Deputy 
Chief Information Officer for Cybersecurity at the U.S. 
Department of Defense. Ms. Miller previously served as the 
Director of Cybersecurity for the Army Chief Information 
Officer. She received her bachelor's degree from Talladega 
College and a master's from Troy State University, as well as 
from Air University at the Air War College. Welcome.
    Our last witness today is Dr. Mark Jacobson. He is an 
Associate Teaching Professor for the Edmund Walsh School of 
Foreign Service at Georgetown University. Dr. Jacobson 
previously held appointments as a Senior Advisor to the 
Secretary of Defense and as a Special Assistant to the 
Secretary of the Navy. He has also served as the Deputy NATO 
Representative and Director of International Affairs at the 
International Security Assistance Force. Dr. Jacobson holds 
degrees from the University of Michigan, the King's College, 
University of London, and a Ph.D. in military history from Ohio 
State University. Welcome.
    At this time I now recognize Ms. Manfra for five minutes to 
present her testimony.

               TESTIMONY OF MS. JEANETTE MANFRA,

             ASSISTANT SECRETARY FOR CYBERSECURITY

                      AND COMMUNICATIONS,

         NATIONAL PROTECTION AND PROGRAMS DIRECTORATE,

              U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Manfra. Thank you, sir. Mr. Chairman, Ranking Member 
Beyer, Mr. Smith, and Ranking Member Johnson, and members of 
the committee, today's hearing is an opportunity to discuss the 
Department of Homeland Security's actions regarding Kaspersky 
Lab products. As the Assistant Secretary for Cybersecurity and 
Communications, I lead many of the Department's efforts to 
safeguard and secure cyberspace, a core homeland security 
mission. We work every day to protect federal government 
agencies and collaborate with state, local, tribal, and 
territorial governments and the private sector to enhance the 
security and resilience of our cyber and physical 
infrastructure.
    Earlier this year, the President signed an executive order 
on strengthening the cybersecurity of federal networks and 
critical infrastructure. This executive order set in motion a 
series of assessments and deliverables to improve our defenses 
and lower our risk to cyber threats. DHS has organized around 
these deliverables by working with government and private 
sector partners.
    Federal agencies have been implementing the NIST 
cybersecurity framework. Agencies are reporting to DHS and the 
Office of Management and Budget on their cybersecurity risk 
mitigation and acceptance choices. DHS and OMB are evaluating 
the totality of these agency reports in order to 
comprehensively assess the adequacy of the federal government's 
overall cybersecurity risk management posture.
    In addition to our efforts to protect government networks, 
we are focused on how government and industry work together to 
protect the Nation's critical infrastructure. We are 
prioritizing deeper more collaborative public-private 
partnerships.
    Protecting federal information systems requires addressing 
risks within supply chain. The Department has been actively 
engaged in its own efforts, as well as broader interagency 
efforts to address IT supply chain threats. As we build on best 
practices to improve the federal government's own actions 
within this space, we will coordinate and share information 
with our state and local government partners, as well as the 
private sector critical infrastructure community.
    Among other authorities, the Federal Information Security 
Modernization Act of 2014, commonly referred to as FISMA, 
authorizes the Department of Homeland Security to develop and 
oversee the implementation of binding operational directives, 
or BODs. These directives to federal agencies are for purposes 
of safeguarding federal information and information systems 
from a known or reasonably suspected information security 
threat, vulnerability, or risk. Federal agencies are required 
to comply with these DHS-developed directives.
    On September 13 of this year DHS's Acting Secretary signed 
a binding operational directive to address the use or presence 
of Kaspersky Lab products, solutions, and services on federal 
information systems. After careful consideration of available 
information and consultation with interagency partners, DHS 
determined Kaspersky Lab products present a known or reasonably 
suspected information security risk to federal information 
systems. In a public statement, the Department identified 
concerns regarding, one, the ties between certain Kaspersky 
officials and Russian intelligence and other government 
officials; two, the requirements under Russian law that allow 
Russian intelligence agencies to request or compel assistance 
from Kaspersky and to intercept communications transiting 
Russian networks; and three, the broad access to files and 
elevated privileges provided by antivirus products and 
services, including Kaspersky products, that can be exploited 
by malicious cyber actors to compromise information systems. 
The action taken is a reasonable, measured approach to the 
information security risks posed by these threats--or posed by 
these products to the federal government.
    In addition to the reports from agencies required by this 
directive, our National Cybersecurity and Communications 
Integration Center continues to operate important capabilities 
that help DHS better understand the use of these products 
within the federal government. For instance, we operate 
capabilities that monitor NetFlow at federal agencies commonly 
referred to as Einstein. We also provide agencies tools within 
our Continuous Diagnostics and Mitigation program. Both of 
these capabilities enabled us to further our understanding of 
the presence of Kaspersky products on agency networks.
    I want to thank Congress for your focus on these issues and 
highlighting the concerns here. Your focus has been extremely 
helpful to us as we have evaluated the evidence, communicated 
with our colleagues around the interagency, and made the 
decision to issue the binding operational directive.
    It is important for the committee to understand that DHS is 
providing an opportunity for Kaspersky and any other entity 
that claims its commercial interests will be directly impacted 
to submit a written response and any additional information or 
evidence. DHS will review any submissions closely and make 
adjustments to a directive--to our directive if appropriate.
    Before closing, I want to assure the Committee that I will 
answer your questions to the extent I can in an open hearing 
and at this time. Some of your questions may require the 
discussion of classified information, which I clearly cannot 
address in an open hearing. Other questions may not be 
appropriate to address at this time because we are in the 
middle of an administrative process with the affected entity, 
and there could be litigation related to this directive. 
Because we need to provide the company with a meaningful 
opportunity to be heard, and there may be federal court review 
of our actions and decisions, there may be certain issues that 
it would not be appropriate for me to comment on until the 
conclusion of this administrative process.
    Thank you very much for the opportunity to testify today, 
and I look forward to your questions.
    [The prepared statement of Ms. Manfra follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman LaHood. Thanks, Ms. Manfra.
    At this time I now recognize Ms. Wynn for five minutes to 
present her testimony.

                  TESTIMONY OF MS. RENEE WYNN,

                   CHIEF INFORMATION OFFICER,

                      NATIONAL AERONAUTICS

                    AND SPACE ADMINISTRATION

    Ms. Wynn. Great. Good morning, Mr. Chairman, Ranking 
Member, and distinguished Members of the Subcommittee. Thank 
you for the opportunity to testify before you today regarding 
NASA's efforts to comply with the recent Department of Homeland 
Security binding operational directive regarding Kaspersky-
branded products.
    As NASA's Chief Information Officer, my number-one priority 
is to effectively manage and protect NASA's information 
technology assets in an ever-changing threat landscape. Each 
day, hundreds of thousands of NASA personnel, contractors, 
academics, international partners, and members of the public 
access some part of NASA's IT infrastructure, which is a 
complex array of information systems with more than 160,000 
components geographically dispersed around the globe and 
beyond.
    NASA works closely with our federal cybersecurity partners 
to ensure NASA's network is safeguarded from threats, assessed 
against stringent federal and agency security requirements, and 
continuously monitored for compromise and the effectiveness of 
our security measures.
    New cybersecurity tools, particularly the Department of 
Homeland Security's Continuous Diagnostics and Mitigation 
program, are allowing us to have better insights into our 
networks, which allows us to better mitigate threats. However, 
given the evolving nature of threats, our work is never done.
    Antivirus software is one component of endpoint protection 
implemented to safeguard NASA systems and data. NASA has been 
using Symantec Endpoint Protection software as its desktop 
standard load since 2010. Therefore, Kaspersky-branded 
products, the focus of today's hearing, are not part of NASA's 
standard load software.
    Between January 1, 2013, and mid-August 2017, NASA 
identified a small number of machines which had Kaspersky-
branded products preinstalled. When discovered, these instances 
were removed to comply with NASA's desktop standard software 
configuration. Another item of importance is that NASA's Office 
of Procurement has no record of NASA funds being used to 
purchase individual instances of Kaspersky-branded products. 
Therefore, we believe that the limited instances of Kaspersky-
branded products found to exist on agency hardware were likely 
the result of larger procurements and bundled preinstalled 
software.
    On September 13, 2017, NASA received the Binding 
Operational Directive 17-01, which required all federal 
executive branch departments and agencies to take action with 
regard to Kaspersky-branded products on federal IT systems. 
NASA notified the Department of Homeland Security on Friday, 
October 13, that no Kaspersky-branded products were identified 
on NASA systems. Therefore, no additional actions are required 
by NASA under the terms of the binding operational directive.
    Also of note, in 1993, the General Services Administration 
asked NASA to be part of a pilot project for the governmentwide 
acquisition contracts. Subsequently, NASA was one of three 
agencies designated to provide a governmentwide contract 
vehicle for other agencies to use when acquiring IT products 
and services for their own agencies. This vehicle is known at 
NASA as the Solutions for Enterprise-Wide Procurement or SEWP. 
In July 2017, in coordination with the General Services 
Administration, NASA removed all offerings of Kaspersky-branded 
products from the SEWP database and installed filters to 
prevent Kaspersky-branded products from being re-added.
    In conclusion, protecting and upgrading and better managing 
NASA's IT infrastructure is and will remain a top agency 
priority. When threats such as unauthorized software are 
detected, NASA personnel take action. NASA is fully committed 
to becoming more secure, effective, and resilient, and we are 
actively pursuing this on all levels.
    Thank you for the opportunity to testify before you today, 
and I'd be happy to answer any questions that you may have.
    [The prepared statement of Ms. Wynn follows:]
  [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman LaHood. Thank you, Ms. Wynn.
    At this time, I recognize Ms. Miller for five minutes for 
her testimony.

                 TESTIMONY OF MS. ESSYE MILLER,

                DEPUTY CHIEF INFORMATION OFFICER

                    FOR CYBERSECURITY, U.S.

                     DEPARTMENT OF DEFENSE

    Ms. Miller. Good morning, Mr. Chairman, Ranking Member, and 
distinguished Members of the Subcommittee. Thank you for this 
opportunity to testify today on the Department of Defense 
position regarding the federal government's use of Kaspersky 
Lab software.
    I currently serve as the Deputy Chief Information Officer 
for Cybersecurity at the Department of Defense. Additionally, I 
serve as the Department's Chief Information Security Officer. 
My primary responsibility is to ensure that the Department has 
a well-defined and executed cybersecurity program. I am also 
responsible for coordinating cybersecurity standards, policies, 
and procedures with federal agencies, coalition partners, and 
industry.
    In this unclassified setting, I can state that as a matter 
of DOD enterprise cybersecurity, antivirus software does play a 
role. However, Kaspersky Lab is not part--a part of the 
Department of Defense antivirus solution. Currently, the DOD 
has enterprise licenses for both McAfee and Symantec Antivirus 
for DOD devices, as well as for DOD personnel's home computer 
use. Kaspersky Lab is not on the approved products list for the 
Department, and there are currently no contract awards for the 
software listed in the federal procurement data system.
    Although the Department of Homeland Security's binding 
operational directive does not apply statutorily to defined 
national security systems, nor to certain systems operated by 
the Department of Defense, the Department has implemented the 
intent of the directive. Prior to the directive's release on 
August 3, 2017, Joint Force Headquarters-DODIN (Defense 
Information Network) issued a task order to mitigate any 
potential threats to the Department networks. Within the bounds 
of the directive requirements, we conducted a search of DOD 
systems and confirmed that we did not have the listed Kaspersky 
products on any of our systems.
    Kaspersky Lab products remain an ongoing supply chain risk 
management concern for the Department. To reduce these risks, DOD 
issued Instruction 5200.44, ``Protection of Mission-Critical 
Functions to Achieve Trusted Systems and Networks.'' Additional 
details on that instruction are contained in my written 
statement, along with the detailed processes and enterprise 
resources DOD has implemented.
    I would like to thank the subcommittee for supporting these 
important cybersecurity issues. Protecting the networks for the 
warfighter is a top priority for the Department of Defense. 
Thank you again for the opportunity to testify before you 
today, and I look forward to answering your questions.
    [The prepared statement of Ms. Miller follows:]
 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman LaHood. Thank you, Ms. Miller.
    At this time, I will recognize Dr. Jacobson for five 
minutes for his testimony.

                TESTIMONY OF DR. MARK JACOBSON,

                 ASSOCIATE TEACHING PROFESSOR,

                 EDMUND WALSH SCHOOL OF FOREIGN

                 SERVICE, GEORGETOWN UNIVERSITY

    Dr. Jacobson. Thank you. Mr. Chairman, Ranking Members, 
thank you for the opportunity and the kind introduction. I'm 
going to enjoy speaking with you all today. I hope I'm not too 
professorial for the hearing.
    I also want to note that I'm here in my personal capacity 
and not representing any of my employers, the Navy Reserve, or 
the Department of Defense.
    My intent is to try and put the Kaspersky situation within 
a larger foreign policy context. The Committee is already well 
aware of the dangers in the cyber arena and the imperative of 
cyber hygiene as a defense. I believe it's also critical to 
understand that Russian activities are part of broader foreign 
policy objectives, part of their political warfare campaign. 
Thus, regardless of whether or not there's a relationship 
between Kaspersky Labs and the Russian Government or it's 
simply a vulnerable piece of software, that becomes an entry 
point for Russian subversive activities, propaganda operations, 
or espionage.
    Put simply, while cyber attacks and political warfare 
campaigns are a danger on their own, cyber activities that 
enable political warfare campaigns can prove incredibly 
effective at influencing attitudes and changing behaviors. Put 
another way, in political warfare campaigns, it is the human 
mind that is the center of gravity.
    It's worth noting our adversaries have not hidden their 
intentions. Both the Russians and the Chinese have made it 
clear that they believe in the power of political warfare. 
Russia's well-financed and deliberate intervention in the 
American political dialogue is part of a broader effort to 
undermine America's faith in its free institutions, diminish 
U.S. political cohesion, weaken transatlantic relations, 
diminish the international appeal of the United States, and 
ultimately reduce American power abroad. Thus, we must think 
about U.S. national security more broadly rather than focusing 
on a single hack, one election cycle, or a single social media 
or antivirus company.
    Propaganda and political warfare campaigns are certainly 
not new. It's worth noting that 500 years ago, Martin Luther's 
95 Theses were probably the first element of intellectual 
thought to go viral. Of course, the Twitter of his day was the 
printing press and his own social media networks that allowed a 
message of religious reform to go viral and spread across all 
of Christendom in about four weeks. Today, that timeline might 
be four hours.
    The Cold War also provides some insights into how the 
Russians think about disinformation and subversion. Soviet 
efforts not only included campaigns to discredit Martin Luther 
King and try and make the civil rights movement more extreme 
and more violent, but they also sought to provoke a full-blown 
race war in the United States. Perhaps more dramatically in 
1983, the Soviets planted newspaper articles alleging that the 
AIDS virus had been developed by the U.S. Government to target 
African Americans and the homosexual community. Within four 
years, that story had been repeated in over 80 countries, doing 
tremendous damage to U.S. credibility abroad and at home. 
Indeed, at least one study as late as 2005 found that almost 50 
percent of African Americans believed HIV was a manmade virus 
designed to wipe out the African-American community.
    Today, the fingerprints of Russian disinformation campaigns 
have been left on both sides of the Atlantic, whether it's 
Brexit or the American election, Russian propaganda still 
infects U.S. social media networks, and we see the same sort of 
divisive propaganda that we saw during the Cold War. Again, the 
goal is to divide and exploit divisions, yes, that already 
exist in our country, but they are exacerbating the problem.
    So what do we do about this? While robust cybersecurity 
practices and the regulation of political advertising on social 
media are a good start, we must strengthen the public's ability 
to interact with information in the digital world. Broadly, we 
must begin a concerted effort to inoculate the American public 
against the viral threat of disinformation through more civic 
education and media literacy. Specifically, these must become 
bedrocks of our formal and informal education systems in order 
to make our population more immune to the threat.
    This may require the same level of effort that President 
Eisenhower showed with the National Defense Education Act in 
1958 in an attempt to bolster poor American efforts in math, 
science, and foreign language education. Indeed, Eisenhower 
believed those skills were critical in keeping up with the 
Russians during the post-Sputnik world. Today, it may be 
critical thinking and media literacy that can protect our 
freedoms.
    To conclude, in 1900 Mark Twain celebrated the anniversary 
of the Gutenberg printing press, and he noted that everything 
that is good in the world today and everything that is bad is a 
result of that invention. That device had, in Twain's words, 
``found truth walking and given it a pair of wings, but it also 
found falsehood trotting and gave it two pair of wings. It had 
set peoples free but at the same time made despotism more 
possible where it was not possible before.''
    In short, the internet revolution may surpass Gutenberg's 
printing press as the greatest event in secular history, and 
it's already created wonderful opportunities and wicked 
problems. But we must understand that in the end it's used by 
human beings, and it's in human beings where we will need to 
strengthen, as the Chairman said earlier, resiliency.
    Thank you very much, and I look forward to your questions.
    [The prepared statement of Dr. Jacobson follows:]
 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman LaHood. Thank you, Dr. Jacobson. And we will now 
move to the question portion of our hearing today.
    And let me just thank all the witnesses for your valuable 
testimony here today for this important hearing. And the Chair 
now will recognize himself for five minutes.
    And, Ms. Manfra, I want to start with you. It's my 
understanding that DHS notified Kaspersky of the BOD or the 
Directive 17-01 outlining the concerns that led to the issuance 
of the directive and provided Kaspersky the opportunity to 
initiate a review by DHS by providing a written response by 
November 3 of 2017. Did DHS receive a response from Kaspersky 
by that date?
    Ms. Manfra. Sir, we did give them a one-week extension to 
November 10, and we did receive a response.
    Chairman LaHood. And have you initiated a review of that 
response?
    Ms. Manfra. Yes, sir. My legal counsel is reviewing the 
response right now.
    Chairman LaHood. And can you give us an update on that 
today?
    Ms. Manfra. I cannot, sir.
    Chairman LaHood. Can you tell us whether you've received 
any evidence or information from Kaspersky that addresses or 
alleviates the Department's concerns at this time?
    Ms. Manfra. I cannot say that we have. The legal counsel is 
still reviewing it. We just received it on Friday night. So 
once they review it, I will review it as well, and we'll make 
the determination to send it out to the Acting Secretary in 
order for her to make a decision.
    Chairman LaHood. And have you reviewed it yourself?
    Ms. Manfra. Not yet, sir.
    Chairman LaHood. Do you know how long it was, the response?
    Ms. Manfra. It was significant, sir. I'm not sure how many 
pages it was.
    Chairman LaHood. And you referenced earlier your concern 
about litigation as it pertains to Kaspersky. Can you elaborate 
on that on your specific concerns?
    Ms. Manfra. Sir, the company, should we make a decision 
that they do not believe is appropriate, they always have the 
option to take this to court to have a judge make a decision 
about whether the Department made an appropriate decision.
    Chairman LaHood. And have you reviewed the legal aspects of 
this, and have you made a determination on what was done here 
was legally proper?
    Ms. Manfra. I am not a lawyer, sir. I have had the lawyers 
review it and spoke with them about it. I do believe that it 
was legally proper.
    Chairman LaHood. Ms. Manfra, the directive was issued on 
September 13, and within 30 calendar days, federal departments 
and agencies were required to identify the user presence of 
Kaspersky products on their systems and provide DHS a report 
containing preliminary findings such as the number of endpoints 
impacted by each product and the methodologies used to detect 
the presence of Kaspersky. Has DHS received this information 
from all agencies?
    Ms. Manfra. We have received it from the majority, sir. 
There are a small number of very small agencies that we are 
assisting them. They do not have the tools that other larger 
agencies might have, but we've received them from 94 percent of 
the federal agencies.
    Chairman LaHood. And can you give us an update on what you 
have received thus far?
    Ms. Manfra. What we've received is that, again, out of all 
the federal agencies, a very small number have identified the 
use or presence in some aspect of their system of Kaspersky-
branded products, about 15 percent of agencies who have 
reported.
    Chairman LaHood. And where are you in the process of 
determining in the next phase whether anything was compromised 
or where we're at with that?
    Ms. Manfra. We're working with each agency individually. 
Some of them have chosen to go ahead and remove the products 
ahead of schedule, and so we're working to understand where the 
presence was, what doing an audit if you will of what 
information may have transited those systems and whether there 
was any cause for concern for the most part. We have not 
identified any yet, but we're still working with agencies.
    Chairman LaHood. And do you believe the phased system 
that's been put in place, that you'll be able to comply with 
that fully?
    Ms. Manfra. Yes, sir.
    Chairman LaHood. Within 60 calendar days of the issuance of 
the directive, agencies were required to develop and provide 
DHS a detailed action plan to remove and discontinue future 
uses of Kaspersky products. Since the 60-day deadline has 
passed, can you confirm that all agencies or departments have 
submitted their required action plan?
    Ms. Manfra. Not all of the agencies have submitted the 
required action plan. As I mentioned, some of them have gone 
ahead and just identified a way to remove the software, so 
they're going about that. A couple of the agencies needed 
additional help, so we're working with them on that so they can 
meet the deadline.
    Chairman LaHood. Thank you. Those are all my questions at 
this time. I'll yield to Mr. Beyer for his questions.
    Mr. Beyer. Thank you, Mr. Chairman. Thanks all of you very 
much for being with us. This is fascinating.
    Dr. Jacobson, in your testimony--I'm going to quote from 
your written one because I have it written down. You said, 
``Russia's well-financed and deliberate intervention in the 
American political dialogue is part of a much broader effort to 
undermine America's faith in its free institutions, diminish 
U.S. political cohesion, erode confidence in Western 
democracies and the credibility of Western institutions, weaken 
transatlantic relationships, including NATO, and diminish the 
international appeal of the United States, as well as reduce 
American power abroad.'' I'd just love it if you could 
emphasize that this is a bipartisan concern, much larger than 
the 2016 presidential election.
    Dr. Jacobson. Thank you, Ranking Member Beyer. I grew up as 
a child of the Cold War and watched how Ronald Reagan 
strengthened U.S. efforts against the Soviets, but I also think 
it's interesting--and at the risk of invoking ire even from my 
Democratic friends--so did Jimmy Carter in different ways. And 
I think that we had a bipartisan consensus throughout the Cold 
War that the Russians were a threat.
    I actually--in listening to the Committee today, I see a 
recognition of that, and I think there's an understanding that 
there are things that need to be done to strengthen America's 
ability to be a strong ally abroad and look out for our vital 
national security interests that don't have to cross partisan 
lines. And I think if we look at what the Russian effort is 
doing and look at dealing with the technical, as well as 
dealing with this war against our population in terms of 
disinformation, I think there are a number of avenues where 
Congress can lead the way in terms of a bipartisan effort.
    Mr. Beyer. Let me go further on that. I love the--Ph.D. in 
military history. It was a fascinating educational background. 
So as a professor, you talked about the human mind is the 
center of gravity in political warfare and then cited President 
Eisenhower with the whole notion of the ability to evaluate 
information, think critically, maintain a healthy skepticism, 
understand that some messages out there are deliberately 
deceptive will make our population much more conscious about 
the information they absorb. How do we get there?
    Dr. Jacobson. It's a great challenge, sir. The Stanford 
History Education Group just did a study that's a bit 
disheartening, and what it did was take undergraduate students, 
high school students, as well as trained historians--my 
colleagues in the academic arena--and all of them failed pretty 
miserably at identifying fake news. The folks who did do pretty 
well were professional fact-checkers, and the reason is not 
only do they look for the source of information, they were 
comparing things horizontally. As I say to my students, ``Watch 
MSNBC, watch CNN, watch Fox, even read Breitbart.'' You need to 
understand what everyone is doing about looking at a story, and 
you can pick up the anomalies. You can see what does not make 
sense.
    But I think what's even more critical is to understand we 
have to start this at the K-through-12 level. By the time our 
children are 18 years of age, it's almost hardwired in their 
system where they can't identify or can't see the difference 
between an advertisement and a factual news article, an opinion 
piece, and false information. So this is an education issue. 
It's also a training issue as well, even for folks like myself, 
even for all of us sitting here today.
    Mr. Beyer. Thank you. I confess the number of emails I get 
every week from family members that have the wildest possible 
theories, including the fact that Chairman LaHood and I are 
going to be paid our full salary for the rest of our lives 
after serving one day in Congress, that kind of disinformation 
is out there.
    You talk about cyber hygiene imperative. You know, our 
electoral system is widely, widely distributed, you know, 
precincts. Virginia's got 2,500 precincts. How do we ever get 
cyber hygiene down to the towns and the counties around 
America?
    Dr. Jacobson. Again, I think the first step is awareness, 
but I'm actually glad I'm on this side of the table here and 
don't have to worry too much about implementation, but I think 
it's important to understand that this is not just a federal 
government issue; it's a state and local issue as well. And the 
reason I emphasize cyber hygiene is all the technology in the 
world, as we used to say in the Army, is not going to G.I.-
proof that computer against someone who picks up a USB stick on 
the sidewalk and decides to plug it into their computer. There 
are stupid things that smart people do that can help infect 
systems. And I think helping to make things easy for our 
federal workforce to understand in terms of what to do and what 
not to do but also educating the general public in terms of 
understanding malicious links.
    And anyone who's looked at emails or read in the newspapers 
about even our most senior military leaders were duped by 
phishing attempts, this is difficult, but again, I think the 
solution in terms of teaching people what to do and what not to 
do is a bit easier than we might concede.
    Mr. Beyer. Great. Thank you very much. Mr. Chair, I yield 
back.
    Chairman LaHood. Thank you, Mr. Beyer.
    I now recognize the gentleman from Florida, Mr. Posey, for 
his questions.
    Mr. Posey. Thank you, Mr. Chairman.
    Ms. Manfra, it staggers the imagination that our government 
approved and purchased security software from Russia's 
Kaspersky Labs, known to have ties to the Kremlin's 
intelligence community. I mean, it's just--it's still hard for 
me to get my arms around the fact that we really allowed that 
to happen and that in fact that that software doesn't protect 
us. Obviously, it harms America's security by allowing 
malicious actors to get total access to our computers. Who 
approved the purchase of that software?
    Ms. Manfra. Sir, it's hard to say in every case. Often, 
what we see is that that software was bundled into other 
purchases, so you buy a computer and the antivirus was 
installed with the computer, so they weren't necessarily aware 
that they were explicitly purchasing that, which is why it took 
a little bit of time to--for agencies to go through and 
identify that. You know, in the end it is the procurement of 
individuals who are making some of these choices, but what we 
did see is a very low percentage of that presence. But for the 
most case, what we believe happened was it was often bundled 
into other purchases.
    Mr. Posey. So where does the buck stop?
    Ms. Manfra. Sir, in the end it is up to every agency head 
to make cybersecurity risk management decisions, and we are 
working across the federal government to approve--to improve 
our processes for supply chain risk management to be able to 
address issues such as this and to be able to make it clear 
what software and hardware agencies are purchasing and what 
risk that introduces into the system.
    Mr. Posey. Okay. So every agency head ultimately is 
responsible?
    Ms. Manfra. Yes, sir.
    Mr. Posey. According to the directives, already you were 
supposed to receive some reports from every agency that was 
affected. I think the Chairman asked you about that earlier. 
Would you mind stating for me which agencies have complied thus 
far?
    Ms. Manfra. Sir, all of the agencies have complied with the 
first phase except for a very small number of very small 
agencies who just don't have the resources and we're helping 
them with that. We're still in the--sort of the second phase.
    Mr. Posey. When we say all the agencies except a few, how 
many agencies are we talking about?
    Ms. Manfra. Six, sir.
    Mr. Posey. Six agencies have complied?
    Ms. Manfra. Six have not complied yet with the first phase, 
which is the reporting whether they have the products on their 
system.
    Mr. Posey. How many have complied?
    Ms. Manfra. About--so, there's 102 total agencies, six--
    Mr. Posey. All right, 96, 98, okay.
    Ms. Manfra. Yes.
    Mr. Posey. Which agencies have not complied?
    Ms. Manfra. Sir, I'd be happy to work with your staff, not 
an open hearing, to talk to you about the specific agencies. 
They are working very hard, sir. It's not like they're--
    Mr. Posey. Well, I know they're----
    Ms. Manfra. --not trying--
    Mr. Posey. --working hard. I don't see, you know, what risk 
there is in naming who hasn't complied. I'm just curious. I 
don't know if other members are, but I'm curious to know which 
ones haven't complied.
    Ms. Manfra. We would prefer to keep those not public, sir. 
We don't believe that it is helpful to name them publicly.
    Mr. Posey. How would that harm anything?
    Ms. Manfra. I think it could have two aspects, sir. It 
would, you know, alert anybody who was looking to use 
potentially the presence of that software on their systems if--
should they have it. It would also harm the relationship that 
we have. A lot of our work depends on a trusted relationship 
with these agencies.
    Mr. Posey. And so if you told Congress that they weren't 
behaving appropriately, it might hurt your relationship?
    Ms. Manfra. Sir, I don't mean to imply that they're not 
behaving appropriately. What I imply is that these are very 
small agencies, some of them with only 6 to 10 people in them 
that do not currently have the resources, and we're just 
assisting them with identifying what products are on their 
system.
    Mr. Posey. Now, you talked about fear of litigation from 
Kaspersky Labs a little while ago when somebody else mentioned 
that. How in the world could you possibly fear any action by 
them? I mean, you wouldn't have signed an agreement with them 
that would allow them to sue you and you not defend yourself, 
would you?
    Ms. Manfra. I don't fear any action from them, sir, but 
they do--they could potentially take action, and I want to 
ensure that we are in a position to address any concerns that a 
judge may have.
    Mr. Posey. Yes. I think the audacity--I think to paraphrase 
Clint Eastwood, ``Go ahead and make my day.''
    Ms. Manfra. Yes, sir.
    Mr. Posey. Can you explain to me the penalties to the 
executive agencies if they don't comply?
    Ms. Manfra. We would work with the Office of Management and 
Budget to determine what the issue was. Sometimes the issue is 
they don't have the resources, and whether it is to identify 
the products or it is to replace them, so it may not be a stick 
that they need but actually additional resources, or if there 
was a stick required, then we would work with OMB to address 
that.
    Mr. Posey. Have there been any enforcement actions thus 
far?
    Ms. Manfra. No, sir. We have issued six binding operational 
directives, and in each case every agency that we've worked 
with has been willing and eager to comply with them. Some of 
them are challenged with resources, though.
    Mr. Posey. Thank you, Mr. Chairman. I see my time's 
expired.
    Chairman LaHood. Thank you, Mr. Posey.
    I now yield to the Ranking Member, Ms. Johnson.
    Ms. Johnson. Thank you very much.
    Dr. Jacobson, you referred to fake news generated by the 
Soviet Union during the Cold War and cited the disinformation 
campaign by Soviets that claimed that the U.S. Government 
developed the AIDS virus intentionally to target homosexuals 
and African Americans. You say these stories spread to 80 
countries and were translated into 30 languages in just four 
years, a timeline which today could probably be as little as 4 
hours or perhaps 4 minutes to circulate around the world. You 
said one of the reasons the Soviets generated this fake story 
was to heighten racial divisions in America.
    Just last month, CNN reported that Russia had created a 
fake group called Black Fist and Russian trolls linked to this 
operation paid personal trainers in New York, Florida, and 
other States to run self-defense classes for African Americans. 
They were apparently attempting to sow animosity and tension 
along racial lines. But this group was created in January of 
2017, 2 months after the 2016 U.S. presidential election.
    Dr. Jacobson, do you believe that Russia's influence 
campaign against America is only tied to trying to manipulate 
our elections or do they have other wider interests in 
influencing American citizens?
    Dr. Jacobson. Thank you, Congressman--Congresswoman. I 
believe the Russians have long-term objectives. They are not 
simply concerned with one election cycle. This is a campaign 
designed to continue to divide the United States. And if you 
take a look at some of the sites you've mentioned, you had 
mentioned Black Fist. There was also the Blacktivist, a fake 
site. There was also one called Heart of Texas. And the whole 
idea is to take the divide we have--and the Russians don't want 
to see reconciliation. They don't want to see dialogue and 
debate. What they would like to see is both sides of an issue 
resort to violence in the end. And I'm overstating the 
simplicity of doing that, but that's their long-term effort 
because it requires us then to look inside and not look at 
what's happening around the world and thereby advance Russian 
foreign policy objectives.
    Ms. Johnson. You mentioned the need for better standards 
and fact-checking by reputable news organizations to help them 
avoid being duped by fake news. Social media sites are not 
newspapers, but they do generate news. At the same time, we 
don't want to limit anyone's ability to speak out publicly and 
share their own thoughts or opinions, so how do we emphasize 
fact-checking in news-related stories and distinguish that from 
someone being able to offer their own opinion?
    Dr. Jacobson. I think there are a couple pieces there. I'll 
be the last person who wants to mess with the business model or 
content on social media sites. I mean, you look at one of the 
strengths of our nation, it's the idea of freedom of 
expression.
    But I think there are certain limits we can place. For the 
social media world, they're as much media companies today 
as they are social, and they have to understand that when it 
comes to political advertisements they should be subject to the 
same regulations that traditional media are.
    I think there are ways--you look at a company like Twitter 
where there's a verification blue check that says to the world, 
``This individual is who they say they are.'' I also think if 
you look at systems like Moody's for the financial network, 
let's find an independent organization that gives a rating to 
either traditional or social media outlets. Now, not all the 
traditional or social media outlets will be particularly happy 
with it, but it's just a start. And in fact I'm--I believe that 
Silicon Valley could come up with some even better ways to do 
it if they put their mind to it.
    Ms. Johnson. Thank you very much.
    Mr. Chairman, I yield back.
    Chairman LaHood. Thank you, Ms. Johnson.
    I now yield to the gentleman from Louisiana, Mr. Higgins, 
for his questions.
    Mr. Higgins. Thank you, Mr. Chairman. At this time I ask 
unanimous consent to enter into the record the written 
testimony of cybersecurity expert Troy Newman of Cyber5.
    Chairman LaHood. Without objection.
    [The information appears in Appendix II]
    Mr. Higgins. Ms. Wynn, Mr. Newman has advised myself and 
other Members of this Committee that a simple software 
uninstall can't guarantee that all components of the 
application are removed. He elaborated that the best, most 
secure software removal process for remediation of threat is 
first an immediate uninstall and then a scheduled complete hard 
drive replacement. Can you briefly elaborate for those of us 
that don't understand things of this nature why a simple 
software uninstall is insufficient and why complete hard drive 
replacement is the best solution?
    Ms. Wynn. Thank you for your question. I would have to take 
that back to some serious experts in terms of hard drive 
management and truly erasing software and breadcrumbs and 
footprints associated with that software that get left behind 
on hard drives. What I can speak to is that NASA takes very 
seriously its cybersecurity responsibility, and when we find 
unauthorized or unapproved software, we work very quickly to 
remove that.
    We also have lines of defense that if--that are sort of 
layered in terms of--so that if you don't do very well on your 
first pass there are other ways and other mitigations that we 
do to protect our network to try to contain any threats to our 
environment.
    Mr. Higgins. So when members of this panel have referred to 
agencies that have attempted to comply with the directive by 
removing Kaspersky software from their systems, would you 
concur that that doesn't mean that Kaspersky is actually gone 
from the system?
    Ms. Wynn. I would say that cybersecurity is never a 100 
percent deal and that what we have to--
    Mr. Higgins. If the hard drive is removed, is it a 100 
percent deal?
    Ms. Wynn. Sir, I can't speak to a hypothetical computer. I 
think you'd have to take a look at how a computer might be, 
let's say, infected to decide whether the hard drive was one 
where you could reuse again or if you would just decide not to 
put that hard drive back into your computer.
    Mr. Higgins. So that would require--that's an excellent 
answer, thank you, Madam. And that would require further 
evaluation of that particular system?
    Ms. Wynn. You need to always monitor your network to make 
sure it's fully protected.
    Mr. Higgins. Very well. Thank you for your answer.
    Ms. Manfra, thank you for your service to your country. The 
Binding Operational Directive 17-01 in its initial statement 
calls for a 30-day period to identify the use of Kaspersky 
products and then a 60-day period to provide detailed plans to 
remove and discontinue the present and future use of the 
products and then a 90-day period to begin to implement the 
agency plans to discontinue use and remove the products from 
information systems. However, there's a clause stating in 
there--stating that unless directed otherwise by DHS based on 
new information at--by what measure, Madam, would DHS ever 
determine never mind, let's go ahead and keep this product on 
our systems? Why is that clause in there?
    Ms. Manfra. Sir, after extensive review of this process by 
our legal counsel, we felt that it was important to allow 
Kaspersky Labs and any other potentially affected entity a 
meaningful opportunity to respond to the decision that we had 
made.
    Mr. Higgins. So that clause is inserted into the DHS DOD 
17-01, the binding operational directive for United States 
Government agencies--that clause was inserted to protect 
Kaspersky----
    Ms. Manfra. No, sir.
    Mr. Higgins. --as opposed to government agencies?
    Ms. Manfra. No, sir. That clause was inserted that should 
the Kaspersky or another commercial entity come back with new 
information that would result in the Acting Secretary 
reconsidering her decision, then we would issue new guidance 
based off of that new information.
    Mr. Higgins. And what could that new guidance be other than 
to discontinue the process of removing Kaspersky products?
    Ms. Manfra. That would probably be it, sir, if that was the 
Acting Secretary's decision but it would have to be based off 
of new information that had previously not been understood or 
considered.
    Mr. Higgins. Mr. Chairman, I have one brief question if you 
would allow.
    Chairman LaHood. Yes, go ahead, Mr. Higgins.
    Mr. Higgins. Regarding code, Ms. Manfra, it's my 
understanding that the directive does not apply to Kaspersky 
code embedded into products of other companies. Is that 
correct?
    Ms. Manfra. I wouldn't say that it doesn't apply to 
Kaspersky code because that would be--
    Mr. Higgins. The directive applies to removal of the 
products----
    Ms. Manfra. Correct, sir.
    Mr. Higgins. --but what about the code behind?
    Ms. Manfra. It--what we focused on was products that is 
clearly identified as Kaspersky. What we have not focused on in 
this directive that we are continuing to pursue is 
understanding how they may be embedded in other products that 
are not Kaspersky and working toward the process to address 
those.
    Mr. Higgins. Thank you for your answer.
    Mr. Chairman, my time is expired. I would just share that 
it's concerning--it's exactly what we're talking about, the 
entire series of Kaspersky-related hearings, concerns, and 
apparently known or reasonably suspected information security 
threat that the Kremlin has embedded itself in our federal 
systems, and may I submit that that should certainly include 
code.
    I thank you for your indulgence, Mr. Chairman. I yield 
back.
    Chairman LaHood. Thank you, Mr. Higgins.
    I now recognize the gentleman from California, Mr. 
McNerney.
    Mr. McNerney. Well, I thank the Chairman and I thank the 
witnesses.
    Dr. Jacobson, three prominent U.S. security agencies 
including the CIA and the NSA, concluded that the Russians had 
operations intended to influence the 2016 presidential election 
but declined to comment on whether that effort had been 
successful. Do you have an opinion if the Russian efforts were 
successful in influencing the 2016 elections?
    Dr. Jacobson. Well, I'm cognizant of not getting ahead of 
where the multiple congressional investigations are, and of 
course I'm as eager to see what the conclusions are there, and 
I'm eager to see the U.S. intelligence community speak more 
publicly about this. What I am very confident in saying is that 
there is clear evidence of attitude changes amongst the U.S. 
population as a--in response to the numerous social media 
efforts undertaken by the Russians and Russian agents. And I 
would point to in particular a study by the Oxford 
Computational Propaganda project, which noted changes in the 
way--in the attitudes of individuals commenting on the election 
on social media after spikes in Russian-bot activity. But I 
have not done that original research, so I'm reliant on what 
they have done. But to me, as someone who worked on 
psychological warfare operations in the Army for quite some 
time, there is clear evidence of an attitude change amongst the 
population.
    Mr. McNerney. Well, has the Russian effort in any way 
diminished as a result of the publicity around the 2016 
election?
    Dr. Jacobson. I don't think it's diminished. I think maybe 
the target sets have changed, so in short, no.
    Mr. McNerney. Okay. In your testimony you state that social 
media companies must start to see themselves more as media 
companies because their ability to spread information and 
influence the public. What actions can we take in Congress to 
ensure that the social media companies assume that 
responsibility more seriously, especially regarding political 
ads?
    Dr. Jacobson. As Dr. Jim Ludes and I said earlier this year 
in our co-authored report, it's probably time that the social 
media companies have the same standards in terms of regulation 
of political advertising transparency that traditional media 
companies have. I actually think the larger problem--so you 
have one problem of advertising--paid advertising on the social 
media networks. The larger problem is the one of fake sites, 
and I think that the continued dialogue between Congress, which 
I don't think wants to regulate the social media companies any 
more than necessary, and the social media companies which don't 
want regulation should continue this dialogue because their--
the social media companies' terms of service are very powerful 
weapon against these fake sites. And we've actually already 
seen Facebook and YouTube use their terms of service to 
eliminate these fake sites, including one that was targeting 
veterans in particular.
    Mr. McNerney. Thank you. Ms. Miller, last month Reuters 
reported that H.P. Enterprises allowed a Russian defense agency 
to review the source code of H.P. cybersecurity software 
ArcSight as a condition of gaining certification to sell the 
product in Russia's public sector. In the same article, Reuters 
reported that ArcSight serves as a cybersecurity nerve center 
for much of the U.S. military and that vulnerabilities 
discovered during the source code review could make the U.S. 
military more vulnerable to cyber attacks. Is the DOD using 
ArcSight software?
    Ms. Miller. Sir, we use ArcSight primarily in our intel 
community, but unfortunately, I can't speak to the details at 
present.
    Mr. McNerney. Is the DOD taking steps to secure its systems 
since learning about the ArcSight code review?
    Ms. Miller. I would have to take that as a question for the 
record, sir.
    Mr. McNerney. Thank you. Does the DOD use any other 
software that's subject to source review by a foreign 
government--source code review?
    Ms. Miller. Well, actually, we have processes in place, 
sir, to help us work through that process, yes, we do.
    Mr. McNerney. Okay. Ms. Wynn, does NASA use ArcSight 
cybersecurity software?
    Ms. Wynn. I'm trying to think about that for a second. 
We're going through a process of significant change in terms of 
the tools in the layers of our cyber defense, and I actually 
can't remember if ArcSight is coming in or leaving our network, 
so I'll take for the record and get back to you.
    Mr. McNerney. Okay. Ms. Manfra, same question. Does DHS use 
ArcSight cybersecurity software?
    Ms. Manfra. Yes, sir. I'll get back to you. We're working 
through a process to address this change similar to the other 
agencies.
    Mr. McNerney. Okay. Thank you. Mr. Chairman, I yield back.
    Chairman LaHood. Thank you. At this time I yield to the 
Chairman of the full committee, Mr. Smith, for his questions.
    Chairman Smith. Thank you, Mr. Chairman. Just a comment, 
I'm really surprised our witnesses didn't have a better answer 
for the gentleman from California. I hope you will be able to 
answer my questions. And let me direct first ones, Ms. Manfra, 
to you. Are you aware of any breaches to our national security 
that have been facilitated by the Kaspersky products?
    Ms. Manfra. Sir, I can't discuss that in this forum.
    Chairman Smith. I don't understand your answer.
    Ms. Manfra. Sir, I prefer to have that discussion in a 
classified----
    Chairman Smith. No, you don't need to have that in a 
classified hearing. I'm not asking for any specifics. I'm just 
asking if there have been breaches. I'm not talking about who 
had their systems breached, when it occurred, or how it 
occurred, just whether breaches did occur.
    Ms. Manfra. Sir, we're still working through the process to 
identify----
    Chairman Smith. We've heard that phrase several times 
today, ``working through the process.'' That is just not 
sufficient of an answer.
    Ms. Manfra. Sir, is not conclusive at this time.
    Chairman Smith. You don't know whether or not systems have 
been breached by Kaspersky Lab products yet?
    Ms. Manfra. We do not currently have evidence that--
conclusive evidence that they have been breached. I want to do 
a thorough review to ensure that we have a full picture of----
    Chairman Smith. What about the NSA employee? You don't 
think that was considered a breach?
    Ms. Manfra. Sir, I would have to direct any questions on 
NSA to the NSA.
    Chairman Smith. But sure--are you aware of that episode?
    Ms. Manfra. Sir, we'd have to have that discussion with the 
NSA.
    Chairman Smith. I'm not--are you aware of the episode and 
do you consider it a breach?
    Ms. Manfra. I'm aware of the allegations of what has been 
publicly reported in the press and would have to discuss any 
further details with the NSA.
    Chairman Smith. Okay. Let me try a different question. How 
did the Russian software--some people would consider it 
spyware--get on the approved list by Department of Homeland 
Security?
    Ms. Manfra. Are you referring to the GSA----
    Chairman Smith. Yes.
    Ms. Manfra. --sir? Yes. As I mentioned, we need to 
modernize our supply chain risk management processes within the 
government. Currently, our processes within the civilian 
government are largely focused on lowest-cost if you will.
    Chairman Smith. The fact that it was a Russian firm 
operated by a Russian who had some perhaps association with the 
KGB and certainly the Department of Defense and Russia, that 
didn't raise any red flags to anyone?
    Ms. Manfra. Sir, I wasn't a part of the GSA decision-making 
process. What I can say is that when we had enough information 
to make this risk decision, we engaged the GSA, NASA, and 
others who had these governmentwide contracts to begin to 
execute a process to remove it.
    Chairman Smith. But wasn't that after we called it to your 
attention? Didn't anybody see any red flags before that?
    Ms. Manfra. Yes, sir. One of the things when I assumed the 
acting position that I'm now appointed to in January was to 
conduct a thorough review of our use of Kaspersky, the 
intelligence associated with it----
    Chairman Smith. Yes, that's----
    Ms. Manfra. --and initiate a plan to remove it.
    Chairman Smith. Yes, that's not what I'm asking. That's 
after the fact. I'm asking about several years ago when it was 
on the approved GSA list. Are you aware of any agency that 
might have raised any red flags or not?
    Ms. Manfra. The government has been aware of some 
increasing concerns about Kaspersky, and we did--not me 
personally but the agencies with that information did engage 
with other agencies that had----
    Chairman Smith. Okay.
    Ms. Manfra. --those procurement responsibilities.
    Chairman Smith. I have a question to DOD about that in a 
second, but one other question. Did the license agreement with 
Kaspersky allow penetration beyond the usual type of agreements 
you have with similar types of companies?
    Ms. Manfra. No.
    Chairman Smith. Okay. We have pretty good evidence that 
that's not the case, and we'll get back to you on that and have 
a further discussion.
    Ms. Miller, let me address a couple questions to you. We're 
under the impression that in 2012 the Department of Defense 
made a decision not to use Kaspersky Lab products. Are you 
aware of that or is that even true?
    Ms. Miller. Sir, I'm not even sure that was true. However, 
we have used processes that I can't discuss at this point based 
on intel information----
    Chairman Smith. Right.
    Ms. Miller. --to decide not to use the product.
    Chairman Smith. Okay. When did you decide not to use the 
products?
    Ms. Miller. I don't know a date, sir.
    Chairman Smith. A year?
    Ms. Miller. I don't have a year. I think it's been a 
couple, but I would have to check.
    Chairman Smith. Okay. It might have been 2012. I think we 
might have the same information. And can you say why they 
decided not to use--why DOD decided not to use Kaspersky Lab 
products?
    Ms. Miller. I cannot discuss that in open forum, but it was 
based on intel information that we had.
    Chairman Smith. And security--are you aware of any security 
breaches that occurred at DOD as a result of Kaspersky 
products?
    Ms. Miller. I have no knowledge of any within DOD.
    Chairman Smith. Itself, okay. And in 2012 or however many 
years it was ago that DOD decided not to use Kaspersky Lab 
products--and you say you'll get back to us as to why they 
decided that; there had to be a good reason I assume--do you 
know if they notified any other agencies of their concerns?
    Ms. Miller. I'm not aware of any notification, sir.
    Chairman Smith. Okay. Can you double-check that for me? And 
that'll be an easy question to find out. If you can get back to 
us by this afternoon on those two questions that I asked you.
    And then a couple questions, Ms. Manfra, I asked you if you 
can get back this afternoon as well. They're easy to answer. 
And if you have to talk to me directly, that's fine, but I 
would ask you not to take advantage of the cover of classified 
unless individuals' names are involved or unless it's in regard 
to specifics. If it's very general, that shouldn't be 
classified.
    Okay. Thank you, Mr. Chairman. I yield back.
    Chairman LaHood. Thank you, Mr. Smith.
    I now recognize the gentleman from Colorado, Mr. 
Perlmutter.
    Mr. Perlmutter. Thank you, Mr. Chair.
    So Mr. Higgins talked about the Kremlin has embedded itself 
in the structure of the United States. And in prior hearings 
we've had conversations about foreign intelligence risk, 
espionage, meddling in U.S. affairs by the Russians and by Mr. 
Putin himself. And in Danang just a few days ago when asked 
about Russia meddling in U.S. affairs, the President said, 
quote, ``I asked him again about meddling. You can only ask so 
many times. He said he absolutely''--he, Putin--``absolutely 
did not meddle in our election. He did not do what they are 
saying he did. I really believe that when he tells me that. He 
means it. I think he's very insulted if you want to know the 
truth.''
    So, Mr. Jacobson, you know, we're here and it's a real 
issue, Kaspersky having embedded itself potentially for the 
benefit of the Kremlin and Russia in our software, in our 
Defense Department, in NASA, in Homeland Security, but let me 
ask you about Mr. Putin and about whether or not, given his 
background, the President should just take him at his word. 
What do you think about that?
    Dr. Jacobson. Well, Mr. Putin's an ex-KGB officer. I'm not 
sure I would take him at his word if he told me the sun were 
shining and I was standing outside and there were blue skies 
and the sun was shining down on me.
    Mr. Perlmutter. You used the word psychological warfare 
earlier. Would Mr. Putin be familiar with that? Is that 
something he did as the head of the KGB?
    Dr. Jacobson. Mr. Putin would be intimately familiar with 
not only operations he may have been involved in but the entire 
history of Soviet disinformation and propaganda campaigns. I 
mean, this is something embedded in the nature of KGB officers 
and not just propaganda designed to influence and shape 
American foreign policy that might be truthful. We're talking 
about deliberate attempts to mislead and obfuscate, covert 
action, sabotage, subversion, what have you. I don't trust 
anything coming out the Russian Government.
    Mr. Perlmutter. And I appreciate the Chairman and the 
Republican majority for having this hearing and looking at 
Kaspersky and how it may have corrupted some of our computer 
systems, but, you know, when I take a look at the connections 
that this Administration has to Russia, Michael Flynn, Jeff 
Sessions had some contacts, Carter Page, Roger Stone, Jared 
Kushner, Donald Trump Junior, Michael Cohen, J.D. Gordon, Paul 
Manafort, Mr. Gates, Mr. Papadopoulos. I mean, that's where 
this investigation, not just--should not just be on Kaspersky, 
which is coming in through the back door through different 
kinds of software that may have tainted the system, but what 
about the front door which is at the White House? So are you 
familiar with these different connections that this 
Administration may have with Russia?
    Dr. Jacobson. Only insofar as what I read in the newspaper. 
And like everyone else, I'm eager to see what the various 
congressional investigations or the Special Counsel's Office 
comes up with on this.
    Mr. Perlmutter. You answered a question that Ms. Johnson 
asked you about, well, what's the real purpose? What is it that 
we're worried about? Why are we worried about Kaspersky having 
corrupted some of our systems? Why are we worried about these 
gentlemen with connections to Russia and with the President 
saying he believes Mr. Putin? What's the worry here?
    Dr. Jacobson. I think there are a couple things here. As 
we've heard during this hearing, there are concerns about--and 
it's not a back door; it's a front door. You know, we've given 
Kaspersky access--if I'm putting antivirus software on my home 
computer, I'm giving that software company some access. It can 
be used for espionage. It can be used--I'm particularly worried 
about data manipulation as well. But again with respect to my 
area of expertise, I think once you start to get into a system, 
it becomes a vector for propaganda and influence. It allows you 
to discredit federal organizations if you want. It allows you 
to manipulate data and try and create poor policy decisions.
    But it's also part of a broader effort. If we think of 
cyber--and again the alleged Kaspersky situation is just one 
battle in a larger war. You know, imagine if cyber attacks 
augment rhetorical propaganda attacks that seek to influence 
the American people's attitudes on Ukraine or Syria or U.S. 
involvement in the NATO alliance. You can see how the ability 
of the internet to penetrate, to get to every single 
individual, and the ability of the Russians to take advantage 
of the enormity of the marketing data created by Facebook so 
they can tailor propaganda messages to individuals, it's 
something--we've never seen anything on that scale.
    Mr. Perlmutter. Thank you. And I yield back.
    Chairman LaHood. Thank you. Next yield to the gentleman 
from South Carolina, Mr. Norman.
    Mr. Norman. Thank you, Mr. Chairman.
    You know, as we in Congress hear your testimony and look 
back over the facts and what you're discussing, you know, I 
looked at your bios. You've each got, if you combine it, over 
100 years in this area, so you're experts in what you do. As--
if we look back over the time frame, Kaspersky didn't come up 
just recently, did it? When did--Ms. Manfra, when did this--the 
idea of having a problem with the product come up?
    Ms. Manfra. When I first became engaged was around 2014----
    Mr. Norman. Okay. So this President has been here for nine 
months, so it's prior to this President coming into office----
    Ms. Manfra. Yes, sir.
    Mr. Norman. --the issue came up.
    Ms. Manfra. Yes, sir.
    Mr. Norman. Now, you mentioned--Chairman Smith mentioned 
the ULA agreements. Are you familiar with those?
    Ms. Manfra. Yes, sir.
    Mr. Norman. Walk me through the process for approving a ULA 
agreement.
    Ms. Manfra. It's somewhat dependent on the agency, but 
generically, when a company decides to procure a certain 
software, they would receive what the company would like that 
end user license agreement to look like. In some cases we can 
negotiate some differences. Generally, we don't, but that is 
again a generic sort of process, so each agency might have 
different implementation.
    Mr. Norman. So how many sets of eyes would look on a--would 
read a ULA agreement?
    Ms. Manfra. Ideally, you would have a legal review--well, 
you would absolutely have a legal review. You would also have 
the procurement officials involved, and ideally, you would also 
have the mission owners, and then you would have those 
individuals that are responsible for authorizing that network 
to operate and whatever software goes on that----
    Mr. Norman. So a lot of eyes go on it and detail people 
that know or experienced in reading them.
    Ms. Manfra. Yes, sir.
    Mr. Norman. And you say--I think your testimony was there's 
no abnormality in the ULA agreements that were signed?
    Ms. Manfra. No, sir.
    Mr. Norman. Okay. Is it normal to agree to binding 
arbitration and no trial by jury? Is it normal to give access 
to all data, microphones, and cameras? Is that part of--is that 
boilerplate language that each agency would agree to?
    Ms. Manfra. Sir, I can't comment on what each agency 
boilerplate language is, but access to much of your computer 
system is often required for antivirus systems and security 
software, which was one of the reasons that we looked to 
understand how that data will be used and ensure we have a 
trusted relationship with that provider.
    Mr. Norman. Well, I guess my question is do you--is it to 
waive a trial by jury?
    Ms. Manfra. That, sir, I would have to get back to on as to 
whether that was common practice.
    Mr. Norman. Well, we have testimony by Mr. Newman that was 
an abnormality, that that was agreed to by somebody, somewhere, 
some agency.
    Ms. Manfra. It seems unusual, sir.
    Mr. Norman. Okay. If--and you don't know which agency--your 
testimony was this agreement was reviewed by experts in the 
field, by a lot of different agencies. Now, if that's not a 
routine clause, who would have put that in there?
    Ms. Manfra. Sir, I'd have to understand the details of what 
the testimony is that you're referring to, the expert 
testimony, and we can get back to you with details on what 
might be unusual that that gentleman is referring to.
    Mr. Norman. Okay. If you could get that in writing----
    Ms. Manfra. Yes, sir.
    Mr. Norman. --to all of the members--anybody here that 
would be interested in seeing it. I think all of us would.
    Ms. Manfra. Yes, sir.
    Mr. Norman. The exact language that was agreed to, any 
abnormality that was not normal----
    Ms. Manfra. Yes, sir.
    Mr. Norman. --if you could highlight that, and then give us 
names of the different--I'm sure there are lawyers within the 
agencies that would agree that looked at this--give us some 
names of who looked at this ULA agreement.
    Ms. Manfra. I will do my best, sir.
    Mr. Norman. I yield back.
    Chairman LaHood. Thank you. I now yield to Mr.--the 
gentleman from Georgia, Mr. Loudermilk.
    Mr. Loudermilk. Well, thank you, Mr. Chairman.
    Ms. Wynn, in 2013 the Science Committee staff emailed the 
legislative affair teams at NASA to ensure that Kaspersky Lab 
was not being used on any NASA systems. Do you have any record 
of that request?
    Ms. Wynn. No, sir, I'm not aware of that request, but I can 
certainly check on the record status within NASA. I didn't join 
NASA until 2015.
    Mr. Loudermilk. Okay. If you would and get back to the 
Committee on that, I'd appreciate it.
    Today, you testified that Kaspersky Lab products were 
identified on a small number of machines that had access to the 
NASA internal network. Is that correct?
    Ms. Wynn. Yes, that's correct.
    Mr. Loudermilk. Okay. What was the time frame that 
Kaspersky was present on the NASA systems? Was it after 2013?
    Ms. Wynn. We discovered between 2013 and the assurances 
that we did in recent past that there had been Kaspersky on the 
network. Our belief is that it was part of either a larger 
procurement or bundled within a series of software that then, 
because our tools are getting smarter, able for us to identify 
it and go ahead and get that removed.
    Mr. Loudermilk. Okay. So some of it may have been software 
bundled on a computer that was purchased?
    Ms. Wynn. It could have been within a computer that was 
purchased or within a package of software that was put on the 
network.
    Mr. Loudermilk. Can you tell us why it was not remedied 
earlier and disclosed to the Committee as part of the response 
to the Chairman's July 27 letter to all departments and 
agencies?
    Ms. Wynn. So at NASA we've been working very hard to deploy 
the continuous diagnostic and mitigation tools which allow us 
to have absolute insights to every single part of NASA's IT 
infrastructure, which is over 160,000 components. Prior to the 
CDM coming on board, NASA's ability to take a look at its 
entire footprint was fragmented and therefore pulling together 
and synthesizing an entire picture was very, very difficult to 
do that.
    Mr. Loudermilk. Okay. Ms. Manfra, on October 10 the New 
York Times reported additional details regarding hackers 
working for the Russian Government stealing details about the 
NSA's cyber capabilities from a contractor who had stored the 
information on his home computer. I think everyone is aware of 
that report. These new revelations were that Israeli 
intelligence uncovered the breach and the Russian hackers' use 
of Kaspersky software. The article details that ``Israeli 
intelligence officers informed NASA that in the course of their 
Kaspersky hack, they uncovered evidence that Russian Government 
hackers were using Kaspersky's access to aggressively scan for 
American Government classified program.'' This thing reads like 
a Clancy novel, spies spying on spies. But in your opinion 
would this be considered concrete evidence that Kaspersky Lab 
has ties to the Russian Government?
    Ms. Manfra. Sir, I can't make a judgment based off of a 
press reporting, but I understand the allegations outlined in 
that report, and should those be true, I would say that that 
was evidence, yes, sir.
    Mr. Loudermilk. So if the intelligence community were to 
verify this, then you would agree that that's concrete evidence 
there's ties?
    Ms. Manfra. Yes.
    Mr. Loudermilk. Okay. Thank you for your candor there. If 
this happened in 2014 and the NSA was alerted immediately, why 
did it take until 2017 for action to take place to secure our 
systems by removing the software?
    Ms. Manfra. Sir, the binding operational directive was just 
the latest in a series of actions that we have been taking 
within the government over the past few years to address this. 
We had been briefing at a classified level across the federal 
government, as well as critical infrastructure, as well as--as 
much unclassified information as we can share. I was not 
satisfied with the progress, and so we looked for other avenues 
to escalate to ensure that we had full removal across the 
federal government.
    Mr. Loudermilk. But it took three years to really take 
action once this was known?
    Ms. Manfra. Sir, we--this is a more recent authority that 
we were given. It is just, again, one of the tools that we had. 
We were exhausting all of the tools through information-sharing 
mechanisms throughout, again, the government and others, and 
this was just one of the public tools that we took to remove 
the----
    Mr. Loudermilk. Okay.
    Ms. Manfra. --software.
    Mr. Loudermilk. Dr. Jacobson, in a recent interview with 
Reuters, Mr. Kaspersky admitted his company widely used 
antivirus software to copy files from personal computers, files 
that did not pose a threat to the personal computers of those 
customers. I worked 30 years in the IT business. I did not know 
this as being a standard practice. Is this typical of industry 
to copy files that are known not to be threats?
    Dr. Jacobson. Congressman, I don't know. I don't have that 
sort of expertise. However, what I will say is that I stopped 
using Kaspersky years ago just because of the first sets--this 
has to be maybe four, five years ago--because there were a 
number of articles in trade journals that suggested that they 
just didn't have the types of standards that you want if you're 
a home computer user so--but beyond that, I can't answer your 
question.
    Mr. Loudermilk. Ms. Miller, is there any other antivirus 
software that you know that would copy files not known to be 
threats?
    Ms. Miller. None that I'm----
    Mr. Loudermilk. Okay.
    Ms. Miller. None that I'm aware of, sir.
    Mr. Loudermilk. All right. Thank you.
    Ms. Manfra, last question. Would you review--would a review 
of Kaspersky Lab's source code, as recently offered by the CEO 
of Kaspersky, help alleviate concerns or is this merely a 
publicity stunt?
    Ms. Manfra. Sir, I have heard the offer to review the 
source code, and while we would welcome the opportunity to hear 
from Kaspersky on what potential new information and 
mitigations they could put in place, the source code review 
would not be sufficient in my opinion.
    Mr. Loudermilk. Okay. Thank you. Mr. Chairman, I yield 
back.
    Chairman LaHood. Thank you. I have a few additional 
questions here to ask.
    Ms. Miller, you commented earlier that the Department of 
Defense at some point made a determination based on 
intelligence that you were not going to engage with Kaspersky 
products. Is that correct?
    Ms. Miller. Yes, sir, based on threat information and other 
intel feeds that we had.
    Chairman LaHood. In that threat information and concerns, 
was that information relayed to DHS or other agencies?
    Ms. Miller. I'm not aware--not sure, sir. I would have to 
confirm.
    Chairman LaHood. And do you know why that information 
wouldn't have been relayed? Are you saying it could have been 
relayed and you're not aware of it?
    Ms. Miller. It could have been relayed and I'm not aware of 
it. I would have to confirm.
    Chairman LaHood. Okay. And how long will it take you to 
confirm that and get that back to the committee on that?
    Ms. Miller. We can do that within the next day or so, sir.
    Chairman LaHood. Okay. Ms. Manfra, are you aware of the 
intelligence information that DOD relied upon when they made 
the decision not to engage with Kaspersky products?
    Ms. Manfra. I believe I'm aware of the same information, 
sir, yes.
    Chairman LaHood. And when did you become aware or when did 
the Department become aware?
    Ms. Manfra. I would have to get back to you on when the 
Department became aware. I can tell you that I first became 
aware of concerns in the 2014 time frame.
    Chairman LaHood. And can you tell us why a similar decision 
in 2014 wasn't made similar to what DOD did?
    Ms. Manfra. Some agencies such as the Department of 
Homeland Security did engage in an effort to remove the 
Kaspersky software from their systems. What we identified was 
largely agencies who are more security-focused or had the 
ability to receive classified briefings were removing the 
software. Where there was a gap was in the civilian agencies 
that did not have that infrastructure necessarily in place 
where they could rely on classified information to make 
procurement decisions. So we wanted to provide further 
direction across the civilian government for them to be able to 
make the same choices based off of the risk management 
decisions that we had made.
    Chairman LaHood. Ms. Manfra, does the September 2, 2017, 
directive apply to federal contractors?
    Ms. Manfra. Yes, sir.
    Chairman LaHood. Okay. And to your--can you give us an 
update or where is it at? Have all federal contractors been 
compliant? Where is that at in terms of your follow-up with 
them and how do you keep track of that?
    Ms. Manfra. We have a couple of different mechanisms to 
keep track. Every agency is responsible for defining what 
contractors constitute their federal information system and 
reporting that up to us. What we see is what the agencies 
report to us. We also, as I mentioned, have sensors deployed 
both internal to agency networks as well as at the perimeter 
that can identify what agencies may be calling out to Kaspersky 
IP addresses so that that would indicate that they probably 
have it on their systems as well. So we're looking at a variety 
of different avenues to identify whether they have it. And that 
would include a contractor system if they identify it to us. 
However, it is up to the agency to identify that contractor 
system to us.
    Chairman LaHood. And do you feel like you have full 
knowledge of all the contractors that the different agencies 
engaged with?
    Ms. Manfra. I do not--I could not say that I have full 
knowledge of all the contractors that agencies engage with. I 
can say that for all of the largest agencies I feel very 
confident that they have done an assessment of not only the 
internal government-owned and -operated networks as well--but 
as well as the contractor-owned or -operated networks and 
systems. But there--to say that I have full insight into every 
contractor that the civilian government uses, I probably do not 
have that right now.
    Chairman LaHood. Ms. Miller, in previous testimony before 
this committee, cybersecurity experts stated, quote, ``The 
Federal Government should take the lead on developing a trusted 
vendor list that provides guidance on approved cybersecurity 
vendors with a secure supply chain that agencies can have 
confidence in,'' unquote. In your opinion, how would the 
federal government go about establishing such a trusted vendor 
list? And what agencies should lead the federal government's 
effort to do so?
    Ms. Miller. Sir, I'll start with the second question. I'm 
not sure what agency I would recommend leading it, but I think 
we have a responsibility as we work with our vendors to ensure 
we have supply chain management processes in place to evaluate 
what they're bringing to us. We've established relationships 
with DIA and the--what--I can't think of the acronym right 
now--that give us an opportunity to identify critical 
components where supply chain management is of real concern 
and put processes in place to help us avoid any risk introduced 
by our industry partners.
    At the same time, we have had very strong conversations 
with members of the defense industrial base to make sure they 
understand risk associated with use of the Kaspersky products, 
and the Defense Security Service has directed all of them to 
remove the products for any--especially of our classified 
systems. And we're working with our unclassified--or our 
vendors in the unclassified arena now with the Defense Federal 
Acquisition Regulation clause that we've put in place to help 
them not only understand the risk but to understand the 
products that they're using and their responsibility to protect 
government information and the government network as they 
relate to mission operations.
    Chairman LaHood. Thank you. That's all my time.
    Mr. Perlmutter, I recognize you for additional questions.
    Mr. Perlmutter. Just a couple questions about Kaspersky, 
and this is to the whole panel.
    In October 2015 the U.S. subsidiary of Kaspersky Lab, which 
is called Kaspersky Government Security Solutions, paid 
President Trump's former National Security Advisor Lieutenant 
General Michael Flynn $11,250 for a speaking fee. So just to 
the panel I would ask, are you aware of anybody from your 
agencies speaking at any Kaspersky conferences not for payment 
but just as one of their speakers? And what is it again, Dr. 
Jacobson, that we're worried about to have a guy like Michael 
Flynn speaking at a Kaspersky conference? Some open-ended 
questions, start with you, Ms. Manfra. Do you know if anybody 
from GSA or your agency has spoken at any Kaspersky 
conferences?
    Ms. Manfra. Sir, we have not done a thorough review of speaking 
engagements at Kaspersky-sponsored events. I can say that we--
the guidance to my workforce is to not engage with Kaspersky-
sponsored events.
    Mr. Perlmutter. Ms. Wynn?
    Ms. Wynn. I am not aware of anyone speaking at a Kaspersky-
sponsored conference, and I would say that there is a thorough 
vetting review by our Office of General Counsel with respect to 
any speaking engagements of NASA personnel.
    Mr. Perlmutter. Ms. Miller?
    Ms. Miller. Sir, same with DOD. We go through a rigorous 
review with the general counsel before we approve speaking 
engagements, and to my knowledge, we've not had any DOD 
employees speak at a Kaspersky event.
    Mr. Perlmutter. Dr. Jacobson?
    Dr. Jacobson. Can I provide you a very unsatisfying answer? 
You know, I don't know the specifics of that case, but I think 
this is exactly why we need to understand that the Russians are 
going to continue to try and find key influencers, whether in 
government or in the media space or amongst the public, to help 
them with their information or disinformation campaigns in the 
United States. I mean, all foreign governments try and 
influence the United States. That's why we have laws that 
regulate the level of transparency there.
    But let me also state that this is why I think there's a 
great opportunity for a bipartisan sponsored commission like 
the 9/11-style commission, the Iraq study group, or the 
Afghanistan study group to really look forward and see how do 
we combat information campaigns or disinformation, whether it's 
Russian, Chinese, or terrorist networks in the future? And that 
would be a last point in terms of urging what the committee and 
Congress overall could do.
    Mr. Perlmutter. Well, and to that point, again, sort of 
looking for these different crevices or potential vulnerable 
spots, in December 2016 Kaspersky Lab awarded $18,000 in 
funding to three universities to help identify and--to help 
develop identity and verification methodologies for secure 
online voting systems. So, you know, obviously, they're looking 
for different places to take advantage of, you know, America 
and an open--pretty open system that we have.
    Just curious, if you were at DHS, Ms. Manfra, if you were 
advising these universities, what would you advise them about 
speaking and taking money from Kaspersky Lab? It's a very 
hypothetical question and it calls for speculation on your 
part, but I'm still going to ask it.
    Ms. Manfra. Yes, sir. I can't presume to advise a 
university on what money they might take or engagements they 
might speak at, but I would encourage them to ensure that they 
consider the risk associated with those interactions as a part 
of their engagement and their funding.
    Mr. Perlmutter. Dr. Jacobson?
    Dr. Jacobson. Well, I'm definitely not speaking for 
Georgetown University here, but I was thinking of three things. 
If I was asked today whether I would advise a university on 
that, I would think about three things: one, politically, it 
would be absolutely unacceptable to do given what's going on 
with Kaspersky and the allegations in the committee right now; 
second, from a public relations perspective, it would be a 
really bad idea; and third, there's prudence. We know in the 
university and think tank world there's certain countries and 
certain companies you just really think twice about taking 
money from, and again, if someone asked me, I would recommend 
they not take it today.
    Mr. Perlmutter. Okay. I yield back.
    Chairman LaHood. Thank you, Mr. Perlmutter.
    That concludes our questions today. I would just advise 
that the Committee--the Oversight Subcommittee on this is going 
to continue to monitor this situation, and as the directive 
continues to get implemented, we look forward to continuing to 
work with you on this issue. It's important that we as a 
committee and subcommittee stay engaged on this, and we'll look 
forward to the next phase of our hearing series on this and 
look forward to continuing to work with you.
    With that, our hearing is concluded. Thank you.
    [Whereupon, at 11:53 a.m., the Subcommittee was adjourned.]

                               Appendix I

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                              Appendix II

                              ----------                              


                   Additional Material for the Record
                   
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]