<html>
<title> - BOLSTERING THE GOVERNMENT'S CYBERSECURITY: A SURVEY OF COMPLIANCE WITH THE DHS DIRECTIVE</title>
<body><pre>[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
                         A SURVEY OF COMPLIANCE
                         WITH THE DHS DIRECTIVE

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           November 14, 2017

                               __________

                           Serial No. 115-38

                               __________

 Printed for the use of the Committee on Science, Space, and Technology


       Available via the World Wide Web: http://science.house.gov

                                __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
27-677PDF                  WASHINGTON : 2018

----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.


              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         ZOE LOFGREN, California
MO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                  AMI BERA, California
THOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            MARC A. VEASEY, Texas
RANDY K. WEBER, Texas                DONALD S. BEYER, JR., Virginia
STEPHEN KNIGHT, California           JACKY ROSEN, Nevada
BRIAN BABIN, Texas                   JERRY McNERNEY, California
BARBARA COMSTOCK, Virginia           ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia            PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois
DARIN LaHOOD, Illinois               MARK TAKANO, California
DANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii
JIM BANKS, Indiana                   CHARLIE CRIST, Florida
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
                                 ------

                       Subcommittee on Oversight

                   HON. DARIN LaHOOD, Illinois, Chair
BILL POSEY, Florida                  DONALD S. BEYER, Jr., Virginia,
THOMAS MASSIE, Kentucky                  Ranking Member
BARRY LOUDERMILK, Georgia            JERRY McNERNEY, California
ROGER W. MARSHALL, Kansas            ED PERLMUTTER, Colorado
CLAY HIGGINS, Louisiana              EDDIE BERNICE JOHNSON, Texas
RALPH NORMAN, South Carolina
LAMAR S. SMITH, Texas

                            C O N T E N T S

                           November 14, 2017

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Darin LaHood, Chairman, Subcommittee
  on Oversight, Committee on Science, Space, and Technology, U.S.
  House of Representatives
    Written Statement

Statement by Representative Donald S. Beyer, Jr., Ranking Member,
  Subcommittee on Oversight, Committee on Science, Space, and
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee
  on Science, Space, and Technology, U.S. House of
  Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking
  Member, Committee on Science, Space, and Technology, U.S. House
  of Representatives
    Written Statement

                               Witnesses:

Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and
  Communications, National Protection and Programs Directorate,
  U.S. Department of Homeland Security
    Oral Statement
    Written Statement

Ms. Renee Wynn, Chief Information Officer, National Aeronautics
  and Space Administration
    Oral Statement
    Written Statement

Ms. Essye Miller, Deputy Chief Information Officer for
  Cybersecurity, U.S. Department of Defense
    Oral Statement
    Written Statement

Dr. Mark Jacobson, Associate Teaching Professor, Edmund Walsh
  School of Foreign Service, Georgetown University
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and
  Communications, National Protection and Programs Directorate,
  U.S. Department of Homeland Security

Ms. Renee Wynn, Chief Information Officer, National Aeronautics
  and Space Administration

Ms. Essye Miller, Deputy Chief Information Officer for
  Cybersecurity, U.S. Department of Defense

Dr. Mark Jacobson, Associate Teaching Professor, Edmund Walsh
  School of Foreign Service, Georgetown University

            Appendix II: Additional Material For The Record

Statement submitted by Mr. Troy A. Newman, President, Cyber5, LLC


               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
             A SURVEY OF COMPLIANCE WITH THE DHS DIRECTIVE

                              ----------


                       Tuesday, November 14, 2017

                  House of Representatives,
                      Subcommittee on Oversight and
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 10:08 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Darin
LaHood [Chairman of the Subcommittee] presiding.

    Chairman LaHood. Good morning. The Subcommittee on
Oversight will come to order.
    Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time.
    Welcome to today's hearing entitled ``Bolstering the
Government's Cybersecurity: A Survey of Compliance with the DHS
Directive.'' The subject of today's hearing involves some
information that is classified. I remind members that their
questions may call for a response that the witnesses know to be
classified. Please be mindful of this fact.
I would like to
instruct the witness to answer to the best of their ability,
but should an answer call for sensitive information, members
will understand if you respond that you are unable to answer in
this setting.
    I now recognize myself for five minutes for an opening
statement.
    Good morning and welcome to today's Oversight Subcommittee
hearing, ``Bolstering the Government's Cybersecurity: A Survey
of Compliance with the DHS Directive.'' The purpose of this
hearing is to examine and assess implementation of the
Department of Homeland Security (DHS) Binding Operational
Directive (BOD) 17-01, which was the removal of the Kaspersky-
branded products by federal government departments and
agencies.
    This hearing marks the second time the Committee has
convened to examine the issues and concerns surrounding
Kaspersky Lab. On October 25, 2017, the Committee examined the
potential risks, vulnerabilities, and threats posed to federal
ICT systems by Kaspersky software. During that hearing, we
heard from experts about the specific nature of threats posed
by Kaspersky, action the federal government has taken or plans
to take to mitigate the threat, and steps that could be taken
to avoid similar threats in the future.
    The Trump Administration has taken steps to remediate the
Kaspersky issue. In July of this year, the GSA removed
Kaspersky from its government-wide contracts. Although it was a
step in the right direction, it did not completely eliminate
the threat.
    On September 13, 2017, the Administration took additional
steps to harden the security of federal information systems
against the Kaspersky threat when DHS issued Binding
Operational Directive 17-01. The directive requires federal
departments and agencies to complete three consecutive phases
of implementation. First, they must scan their systems to
identify the use or presence of Kaspersky software. Second,
they must develop an action plan for the removal and
replacement of any Kaspersky software identified on their
systems. Finally, they are required to implement their action
plan and must begin the process of removal and replacement.
    Federal departments and agencies are also required to
submit status reports to DHS as they implement each of the
directive's three phases. The status reports provide data and
information that is useful for assessing compliance with the
directive, and for quantifying the pervasiveness of Kaspersky
installations across federal systems, the extent of threats
posed by the software, and the complexities associated with
complete removal.
    Today, we will focus primarily on the status reports to
guide our assessment of compliance with the directive. In doing
so, we hope to learn whether agencies have complied with the
first two phases of the directive and whether any Kaspersky
installations were found on federal systems. Additionally, we
hope to understand more about the specific action plans for
removal and replacement of any identified Kaspersky
installations and DHS' anticipated timeline for full
implementation of the directive. Finally, we hope to learn
about the directive's applicability to federal contractors.
    I want to thank Ms. Miller for being here to represent the
Department of Defense. Annually, the DOD spends approximately
$30 billion on information technology. We are interested in
whether the directive applies to DOD's contractors and, if so,
are they currently complying? If not, what must be done to
ensure that contractors take appropriate action to mitigate the
Kaspersky threat? I'm hopeful that our witnesses today can help
us resolve these important questions and better understand the
next steps that must be taken to ensure the integrity,
resilience, and security of federal information systems.
    Cybersecurity is a complex and evolving issue that affects
U.S. national and economic security. We must remain diligent in
our efforts to strengthen and secure federal systems, and our
approaches to addressing cybersecurity issues must evolve to
keep pace with everchanging threats. Bolstering the
cybersecurity of federal information systems is among the
Committee's top priorities, and I am hopeful that our efforts
here today will take us one step closer toward accomplishing
this objective.
    [The prepared statement of Chairman LaHood follows:]
 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. At this time, I now recognize the Ranking
Member, the gentleman from Virginia, for his opening statement.
    Mr. Beyer. Thank you, Chairman LaHood, and thank you for
holding this second hearing on Kaspersky.
    Two weeks ago we held a hearing on security concerns
regarding the use of Kaspersky Lab software on federal computer
networks, and I think most members on both sides of the aisle
agree that using the services or software of Kaspersky Lab, a
Moscow-based company that reportedly has close ties to Russian
intelligence services, using this on federal networks presents
risks not worth taking.
    So back in September, the Department of Homeland Security
also recognized this and issued a directive for federal
agencies to identify and initiate actions to remove Kaspersky
Lab software from their networks. So I understand that we're
holding this hearing as a follow-up to ensure that our federal
agencies are complying with this DHS directive in a timely
manner, which is essentially important.
    However, it seems that in holding a second oversight
hearing solely on Kaspersky Lab products we're missing the
forest for the trees. Kaspersky products are not the biggest
security risk we face in Russia. As I mentioned at our last
hearing and as we saw throughout the 2016 election cycle,
cybersecurity is no longer just about defending our data. It is
on a larger scale about defending our democracy from unwanted
foreign influence and disinformation campaigns.
    Please listen to these actual numbers. One hundred and
twenty-six million Americans received Russian-backed content on
their Facebook newsfeeds during the 2016 election. Twitter has
found 36,746 bots linked to Russia, and these accounts sent a
combined 1.4 million tweets and were seen 288 million times.
Google has uncovered tens of thousands of ads purchased by
Kremlin-linked buyers on YouTube, Gmail--its search page--and
in double-click ads. The Kremlin directly sponsored fake Black
Lives Matter activists who posted videos to Facebook, Twitter,
and YouTube. Last month, the Computational Propaganda Project
released a study mapping how Russia-linked Twitter accounts
seek to target U.S. military personnel and veterans.
    So instead of focusing just on Kaspersky Lab software, we
should also be examining how enemies of democracy are using
communications technologies in new, precise, and powerful ways
to disrupt our democratic institutions and influence the
American public. We should be specifically looking into how the
Russians have done this just during the 2016 presidential
election and how we can develop tools, technologies, and public
awareness to diminish similar attacks in the future. We should
also examine the state of our cybersecurity practices in
defending our critical election infrastructure from covert
interference and manipulation.
    The House Science, Space, and Technology Committee has an
important role in publicly addressing these issues. We do have
a specific responsibility to provide oversight on the deeply
existential role of technology in our society. And, Mr.
Chairman, at the last Kaspersky hearing I requested that we
hold a hearing on these larger issues, and I respectfully ask
again today.
    I'm glad that one of our witnesses today will help put the
security concerns regarding Kaspersky Lab's software in context
and helps examine the broader Russian strategy of undermining
our democratic institutions and influencing our democracy. Dr.
Mark Jacobson, a professor at Georgetown University, has
written frequently on the impact of Russia's influence
operations against the United States in the past few years. I
look forward to his testimony and all your testimony.
    I'm also attaching to my statement a minority staff report
that addresses Russia's cyber influence campaign against the
United States. This report has already been shared with the
majority staff.
    Thank you, Mr. Chairman, and I yield back.
    [The prepared statement of Mr. Beyer follows:]
 [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Mr. Beyer.
    I now recognize the Chairman of the full Committee, Mr.
Smith, for his opening statement.
    Chairman Smith. Thank you, Mr. Chairman.
    The risk to U.S. security that Kaspersky Lab, a Russian
company, has created is undeniable and the harm, incalculable.
The founder of Kaspersky Lab, Eugene Kaspersky, attended a KGB-
funded intelligence institute and served in Russia's Ministry
of Defense. For years, there has been speculation that
Kaspersky's antivirus software could be used by the Russians
for information gathering. Continued investigations have
disclosed more details on the extent to which Kaspersky Lab is
a tool for the Russian Government. Press reports claim that
Kaspersky's prior federal government customers include the
Departments of State, Justice, Energy, Defense, Treasury, Army,
Navy and Air Force. This is of more than passing concern; it is
alarming.
    Last month, The New York Times reported that Russian
Government hackers conducted a global search of computers
looking for the code names of American intelligence programs.
The hackers used the antivirus software made by Kaspersky Lab.
This Russian operation stole classified documents from at least
one National Security Agency employee, who had Kaspersky
antivirus software installed on his home computer.
    Kaspersky's antivirus software allowed Russia to have
unlimited access to data stored on computers with Kaspersky
products. The magnitude and widespread use of Kaspersky's
software--400 million users worldwide--gives the company
unprecedented access and retrieval capabilities.
    To date, it is unclear what additional American security
secrets Russia may have acquired through Kaspersky's scans for
classified programs. This only confirms the need for the
actions this Administration and this Committee have taken. The
Science Committee has engaged in continued oversight of
Kaspersky Lab since questions were raised by Science Committee
member Congressman Higgins earlier this year. On July 27, 2017,
this committee requested that all federal departments and
agencies disclose their use of Kaspersky Lab products. On
September 13, 2017, the Department of Homeland Security issued
a Binding Operational Directive to all agencies and
departments. This directive sought the complete removal of
Kaspersky products from federal systems after 90 days.
    Today, the Committee is interested in whether federal
agencies are complying with the directive. How common are
Kaspersky products in our federal systems? What is the extent
of the risk? And are the actions required in the DHS directive
sufficient to protect U.S. interests? The Committee expects to
uncover all risk associated with Kaspersky Lab. This includes
identifying all necessary actions needed to eliminate risks
even beyond the risk to federal systems.
    Based on the NSA contractor's personal computer being
targeted, we are interested in what steps DHS has taken to
assist civilian employees and contractors who are at risk of
exposure. We also are interested in proactive steps and
coordination among our federal agencies and departments. We
need to use all resources to ensure that Kaspersky products on
federal systems have been completely removed.
    Beyond an interest in the risk caused by Kaspersky
products, the Science Committee will continue to address the
federal government's cybersecurity weaknesses.
    This committee, along with the Committee on Oversight and
Government Reform, plans to bring a revised version of H.R.
1224, the NIST Cybersecurity Framework, Assessment, and
Auditing Act of 2017, to the House Floor soon. NIST should
welcome the opportunity to use its expertise to help protect
our national security.
    The bill amends the Federal Information Security Management
Act to require that federal agencies' Inspectors General
coordinate with NIST in conducting their cybersecurity
evaluations. Anyone with knowledge of potential cybersecurity
risks should contact the committee and share their information
with us. We must eliminate the threat of Kaspersky Lab to our
national security systems. Thank you, Mr. Chairman. I'll yield
back.
    [The prepared statement of Chairman Smith follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Chairman Smith.
    I now recognize the Ranking Member of the full Committee,
Ms. Johnson, for her opening statement.
    Ms. Johnson. Thank you very much, Mr. LaHood.
    In September, the Department of Homeland Security banned
the use of Kaspersky Lab software on federal government
computer networks. The U.S. intelligence community believes
this Russian company's products pose an unnecessary potential
risk to our security from Russia's intelligence services.
Whether or not the company is aware of these threats is
irrelevant. I trust the judgment of the American intelligence
community in this matter, and I'm also confident that federal
agencies will successfully eliminate the Kaspersky Lab software
from their respective computer systems.
    I am much more concerned, though, about the persistent
threat foreign actors pose to our electoral system. During the
previous Kaspersky Lab hearing the Subcommittee held three
weeks ago, I noted that, prior to the 2016 election, this
committee held a hearing to review the guidelines for
protecting voting and election systems, including voter
registration databases and voting machines. I asked that this
committee hold a follow-up hearing to discuss protecting these
same systems in the light of last year's events, as well as to
examine the sophisticated influence operations conducted by the
Russian Intelligence Service to disrupt our democratic
processes and damage our democracy.
    Today, I want to reiterate that request. Russian actors
attempted to hack into voter databases in multiple States
before the 2016 election, successfully compromising a small
number of networks according to the Department of Homeland
Security.
But Russia, as we all know, did not only attempt to
penetrate these sorts of hard targets, they sought to influence
public opinion and undermine our democratic institutions
through their use of trolls, bots, and social media platforms.
    Rather than simply examine the specific threat posed by
Kaspersky Lab software, we need to take a much wider view and
look at the evolving and expanding threat that Russians' cyber
attacks and influence operations pose today in our society.
    I'm happy that Dr. Mark Jacobson, our witness today, can
speak about Russia's history of influence operations against
the United States and the many ways that Russia seeks to
undermine Western democracies. I thank you for coming today,
Dr. Jacobson.
    I ask again for the Science Committee to commit to holding
a 2016 election postmortem with an eye on ways the Science
Committee can help discourage foreign interference in future
elections and how we can encourage the development of tools and
technologies to help identify these threats and limit their
impact on our government, public, and society.
    I thank you, Mr. Chairman, and I yield back the balance of
my time.
    [The prepared statement of Ms. Johnson follows:]
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Ms. Johnson.
    At this time let me introduce our witnesses here today. Our
first witness today is Ms. Jeanette Manfra, Assistant Secretary
for Cybersecurity and Communications for the National
Protection and Programs Directorate at the U.S. Department of
Homeland Security. Ms. Manfra has held multiple positions
related to cybersecurity at the Department, and prior to
serving at DHS, Ms. Manfra served in the U.S. Army as a
Communications Specialist and a Military Intelligence Officer.
Welcome.
    Our second witness is Ms. Renee Wynn, Chief Information
Officer at NASA. Ms. Wynn previously served as the Acting
Assistant Administrator for the Office of Environment
Information at the EPA. She holds a bachelor of arts in
economics from DePauw University in Indiana. Welcome, Ms. Wynn.
    Our third witness is Ms. Essye Miller. She is the Deputy
Chief Information Officer for Cybersecurity at the U.S.
Department of Defense. Ms. Miller previously served as the
Director of Cybersecurity for the Army Chief Information
Officer. She received her bachelor's degree from Talladega
College and a master's from Troy State University, as well as
from Air University at the Air War College. Welcome.
    Our last witness today is Dr. Mark Jacobson. He is an
Associate Teacher Professor for the Edmund Walsh School of
Foreign Service at Georgetown University. Dr. Jacobson
previously held appointments as a Senior Advisor to the
Secretary of Defense and as a Special Assistant to the
Secretary of the Navy. He has also served as the Deputy NATO
Representative and Director of International Affairs at the
International Security Assistance Force. Dr. Jacobson holds
degrees from the University of Michigan, the King's College,
University of London, and a Ph.D. in military history from Ohio
State University. Welcome.
    At this time I now recognize Ms. Manfra for five minutes to
present her testimony.

               TESTIMONY OF MS. JEANETTE MANFRA,

             ASSISTANT SECRETARY FOR CYBERSECURITY

                      AND COMMUNICATIONS,

         NATIONAL PROTECTION AND PROGRAMS DIRECTORATE,

              U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Manfra. Thank you, sir. Mr. Chairman, Ranking Member
Beyer, Mr. Smith, and Ranking Member Johnson, and members of
the committee, today's hearing is an opportunity to discuss the
Department of Homeland Security's actions regarding Kaspersky
Lab products. As the Assistant Secretary for Cybersecurity and
Communications, I lead many of the Department's efforts to
safeguard and secure cyberspace, a core homeland security
mission. We work every day to protect federal government
agencies and collaborate with state, local, tribal, and
territorial governments and the private sector to enhance the
security and resilience of our cyber and physical
infrastructure.
    Earlier this year, the President signed an executive order
on strengthening the cybersecurity of federal networks and
critical infrastructure. This executive order set in motion a
series of assessments and deliverables to improve our defenses
and lower our risk to cyber threats. DHS has organized around
these deliverables by working with government and private
sector partners.
    Federal agencies have been implementing the NIST
cybersecurity framework. Agencies are reporting to DHS and the
Office of Management and Budget on their cybersecurity risk
mitigation and acceptance choices. DHS and OMB are evaluating
the totality of these agency reports in order to
comprehensively assess the adequacy of the federal government's
overall cybersecurity risk management posture.
    In addition to our efforts to protect government networks,
we are focused on how government and industry work together to
protect the Nation's critical infrastructure. We are
prioritizing deeper more collaborative public-private
partnerships.
    Protecting federal information systems requires addressing
risks within supply chain. The Department has been actively
engaged in its own efforts, as well as broader interagency
efforts to address IT supply chain threats. As we build on best
practices to improve the federal government's own actions
within this space, we will coordinate and share information
with our state and local government partners, as well as the
private sector critical infrastructure community.
    Among other authorities, the Federal Information Security
Modernization Act of 2014, commonly referred to as FISMA,
authorizes the Department of Homeland Security to develop and
oversee the implementation of binding operational directives,
or BODs. These directives to federal agencies are for purposes
of safeguarding federal information and information systems
from a known or reasonably suspected information security
threat, vulnerability, or risk. Federal agencies are required
to comply with these DHS-developed directives.
    On September 13 of this year DHS's Acting Secretary signed
a binding operational directive to address the use or presence
of Kaspersky Lab products, solutions, and services on federal
information systems. After careful consideration of available
information and consultation with interagency partners, DHS
determined Kaspersky Lab products present a known or reasonably
suspected information security risk to federal information
systems. In a public statement, the Department identified
concerns regarding, one, the ties between certain Kaspersky
officials and Russian intelligence and other government
officials; two, the requirements under Russian law that allow
Russian intelligence agencies to request or compel assistance
from Kaspersky and to intercept communications transiting
Russian networks; and three, the broad access to files and
elevated privileges provided by antivirus products and
services, including Kaspersky products, that can be exploited
by malicious cyber actors to compromise information systems.
The action taken is a reasonable, measured approach to the
information security risks posed by these threats--or posed by
these products to the federal government.
    In addition to the reports from agencies required by this
directive, our National Cybersecurity and Communications
Integration Center continues to operate important capabilities
that help DHS better understand the use of these products
within the federal government. For instance, we operate
capabilities that monitor NetFlow at federal agencies commonly
referred to as Einstein. We also provide agencies tools within
our Continuous Diagnostics and Mitigation program. Both of
these capabilities enabled us to further our understanding of
the presence of Kaspersky products on agency networks.
    I want to thank Congress for your focus on these issues and
highlighting the concerns here. Your focus has been extremely
helpful to us as we have evaluated the evidence, communicated
with our colleagues around the interagency, and made the
decision to issue the binding operational directive.
    It is important for the committee to understand that DHS is
providing an opportunity for Kaspersky and any other entity
that claims its commercial interests will be directly impacted
to submit a written response and any additional information or
evidence. DHS will review any submissions closely and make
adjustments to a directive--to our directive if appropriate.
    Before closing, I want to assure the Committee that I will
answer your questions to the extent I can in an open hearing
and at this time. Some of your questions may require the
discussion of classified information, which I clearly cannot
address in an open hearing. Other questions may not be
appropriate to address at this time because we are in the
middle of an administrative process with the affected entity,
and there could be litigation related to this directive.
Because we need to provide the company with a meaningful
opportunity to be heard, and there may be federal court review
of our actions and decisions, there may be certain issues that
it would not be appropriate for me to comment on until the
conclusion of this administrative process.
    Thank you very much for the opportunity to testify today,
and I look forward to your questions.
    [The prepared statement of Ms. Manfra follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thanks, Ms. Manfra.
    At this time I now recognize Ms. Wynn for five minutes to
present her testimony.

                  TESTIMONY OF MS. RENEE WYNN,

                   CHIEF INFORMATION OFFICER,

                      NATIONAL AERONAUTICS

                    AND SPACE ADMINISTRATION

    Ms. Wynn. Great. Good morning, Mr. Chairman, Ranking
Member, and distinguished Members of the Subcommittee. Thank
you for the opportunity to testify before you today regarding
NASA's efforts to comply with the recent Department of Homeland
Security binding operational directive regarding Kaspersky-
branded products.
    As NASA's Chief Information Officer, my number-one priority
is to effectively manage and protect NASA's information
technology assets in an everchanging threat landscape. Each
day, hundreds of thousands of NASA personnel, contractors,
academics, international partners, and members of the public
access some part of NASA's IT infrastructure, which is a
complex array of information systems with more than 160,000
components geographically dispersed around the globe and
beyond.
    NASA works closely with our federal cybersecurity partners
to ensure NASA's network is safeguarded from threats, assessed
against stringent federal and agency security requirements, and
continuously monitored for compromise and the effectiveness of
our security measures.
    New cybersecurity tools, particularly the Department of
Homeland Security's Continuous Diagnostics and Mitigation
program, are allowing us to have better insights into our
networks, which allows us to better mitigate threats. However,
given the evolving nature of threats, our work is never done.
    Antivirus software is one component of endpoint protection
implemented to safeguard NASA systems and data. NASA has been
using Symantec Endpoint Protection software as its desktop
standard load since 2010. Therefore, Kaspersky-branded
products, the focus of today's hearing, are not part of NASA's
standard load software.
    Between January 1, 2013, and mid-August 2017, NASA
identified a small number of machines which had Kaspersky-
branded products preinstalled. When discovered, these instances
were removed to comply with NASA's desktop standard software
configuration. Another item of importance is that NASA's Office
of Procurement has no record of NASA funds being used to
purchase individual instances of Kaspersky-branded products.
\nTherefore, we believe that the limited instances of Kaspersky-\nbranded products found to exist on agency hardware were likely \nthe result of larger procurements and bundled preinstalled \nsoftware.\n    On September 13, 2017, NASA received the Binding \nOperational Directive 17-01, which required all federal \nexecutive branch departments and agencies to take action with \nregard to Kaspersky-branded products on federal IT systems. \nNASA notified the Department of Homeland Security on Friday, \nOctober 13, that no Kaspersky-branded products were identified \non NASA systems. Therefore, no additional actions are required \nby NASA under the terms of the binding operational directive.\n    Also of note, in 1993, the General Services Administration \nasked NASA to be part of a pilot project for the governmentwide \nacquisition contracts. Subsequently, NASA was one of three \nagencies designated to provide a governmentwide contract \nvehicle for other agencies to use when acquiring IT products \nand services for their own agencies. This vehicle is known at \nNASA as the Solutions for Enterprise-Wide Procurement or SEWP. \nIn July 2017, in coordination with the General Services \nAdministration, NASA removed all offerings of Kaspersky-branded \nproducts from the SEWP database and installed filters to \nprevent Kaspersky-branded products from being re-added.\n    In conclusion, protecting and upgrading and better managing \nNASA\'s IT infrastructure is and will remain a top agency \npriority. When threats such as unauthorized software are \ndetected, NASA personnel take action. NASA is fully committed \nto becoming more secure, effective, and resilient, and we are \nactively pursuing this on all levels.\n    Thank you for the opportunity to testify before you today, \nand I\'d be happy to answer any questions that you may have.\n    [The prepared statement of Ms. Wynn follows:]\n  [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman LaHood. Thank you, Ms. 
Wynn.\n    At this time, I recognize Ms. Miller for five minutes for \nher testimony.\n\n                 TESTIMONY OF MS. ESSYE MILLER,\n\n                DEPUTY CHIEF INFORMATION OFFICER\n\n                    FOR CYBERSECURITY, U.S.\n\n                     DEPARTMENT OF DEFENSE\n\n    Ms. Miller. Good morning, Mr. Chairman, Ranking Member, and \ndistinguished Members of the Subcommittee. Thank you for this \nopportunity to testify today on the Department of Defense \nposition regarding the federal government\'s use of Kaspersky \nLab software.\n    I currently serve as the Deputy Chief Information Officer \nfor Cybersecurity at the Department of Defense. Additionally, I \nserve as the Department\'s Chief Information Security Officer. \nMy primary responsibility is to ensure that the Department has \na well-defined and executed cybersecurity program. I am also \nresponsible for coordinating cybersecurity standards, policies, \nand procedures with federal agencies, coalition partners, and \nindustry.\n    In this unclassified setting, I can state that as a matter \nof DOD enterprise cybersecurity, antivirus software does play a \nrole. However, Kaspersky Lab is not part--a part of the \nDepartment of Defense antivirus solution. Currently, the DOD \nhas enterprise licenses for both McAfee and Symantec Antivirus \nfor DOD devices, as well as for DOD personnel\'s home computer \nuse. Kaspersky Lab is not on the approved products list for the \nDepartment, and there are currently no contract awards for the \nsoftware listed in the federal procurement data system.\n    Although the Department of Homeland Security\'s binding \noperational directive does not apply statutorily to defined \nnational security systems, nor to certain systems operated by \nthe Department of Defense, the Department has implemented the \nintent of the directive. 
Prior to the directive\'s release on \nAugust 3, 2017, Joint Force Headquarters DODIN Defense \nInformation Network issued a task order to mitigate any \npotential threats to the Department networks. Within the bounds \nof the directive requirements, we conducted a search of DOD \nsystems and confirmed that we did not have the listed Kaspersky \nproducts on any of our systems.\n    Kaspersky Lab products remain an ongoing supply chain risk \nmanagement for the Department. To reduce these risks, DOD \nissued instruction 5200.44, protection of mission-critical \nfunctions to achieve trusted systems and networks. Additional \ndetails on that instruction are contained in my written \nstatement, along with the detailed processes and enterprise \nresources DOD has implemented.\n    I would like to thank the subcommittee for supporting these \nimportant cybersecurity issues. Protecting the networks for the \nwarfighter is a top priority for the Department of Defense. \nThank you again for the opportunity to testify before you \ntoday, and I look forward to answering your questions.\n    [The prepared statement of Ms. Miller follows:]\n [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman LaHood. Thank you, Ms. Miller.\n    At this time, I will recognize Dr. Jacobson for five \nminutes for his testimony.\n\n                TESTIMONY OF DR. MARK JACOBSON,\n\n                 ASSOCIATE TEACHING PROFESSOR,\n\n                 EDMUND WALSH SCHOOL OF FOREIGN\n\n                 SERVICE, GEORGETOWN UNIVERSITY\n\n    Dr. Jacobson. Thank you. Mr. Chairman, Ranking Members, \nthank you for the opportunity and the kind introduction. I\'m \ngoing to enjoy speaking with you all today. 
I hope I\'m not too \nprofessorial for the hearing.\n    I also want to note that I\'m here in my personal capacity \nand not representing any of my employers, the Navy Reserve, or \nthe Department of Defense.\n    My intent is to try and put the Kaspersky situation within \na larger foreign policy context. The Committee is already well \naware of the dangers in the cyber arena and the imperative of \ncyber hygiene as a defense. I believe it\'s also critical to \nunderstand that Russian activities are part of broader foreign \npolicy objectives, part of their political warfare campaign. \nThus, regardless of whether or not there\'s a relationship \nbetween Kaspersky Labs and the Russian Government or it\'s \nsimply a vulnerable piece of software, that becomes an entry \npoint for Russian subversive activities, propaganda operations, \nor espionage.\n    Put simply, while cyber attacks and political warfare \ncampaigns are a danger on their own, cyber activities that \nenable political warfare campaigns can prove incredibly \neffective at influencing attitudes and changing behaviors. Put \nanother way, in political warfare campaigns, it is the human \nmind that is the center of gravity.\n    It\'s worth noting our adversaries have not hidden their \nintentions. Both the Russians and the Chinese have made it \nclear that they believe in the power of political warfare. \nRussia\'s well-financed and deliberate intervention in the \nAmerican political dialogue is part of a broader effort to \nundermine America\'s faith in its free institutions, diminish \nU.S. political cohesion, weaken transatlantic relations, \ndiminish the international appeal of the United States, and \nultimately reduce American power abroad. Thus, we must think \nabout U.S. national security more broadly rather than focusing \non a single hack, one election cycle, or a single social media \nor antivirus company.\n    Propaganda and political warfare campaigns are certainly \nnot new. 
It\'s worth noting that 500 years ago, Martin Luther\'s \n95 Theses were probably the first element of intellectual \nthought to go viral. Of course, the Twitter of his day was the \nprinting press and his own social media networks that allowed a \nmessage of religious reform to go viral and spread across all \nof Christendom in about four weeks. Today, that timeline might \nbe four hours.\n    The Cold War also provides some insights into how the \nRussians think about disinformation and subversion. Soviet \nefforts not only included campaigns to discredit Martin Luther \nKing and try and make the civil rights movement more extreme \nand more violent, but they also sought to provoke a full-blown \nrace war in the United States. Perhaps more dramatically in \n1983, the Soviets planted newspaper articles alleging that the \nAIDS virus had been developed by the U.S. Government to target \nAfrican Americans and the homosexual community. Within four \nyears, that story had been repeated in over 80 countries, doing \ntremendous damage to U.S. credibility abroad and at home. \nIndeed, at least one study as late as 2005 found that almost 50 \npercent of African Americans believed HIV was a manmade virus \ndesigned to wipe out the African-American community.\n    Today, the fingerprints of Russian disinformation campaigns \nhave been left on both sides of the Atlantic, whether it\'s \nBrexit or the American election, Russia propaganda still \ninfects U.S. social media networks, and we see the same sort of \ndivisive propaganda that we saw during the Cold War. Again, the \ngoal is to divide and exploit divisions, yes, that already \nexist in our country, but they are exacerbating the problem.\n    So what do we do about this? While robust cybersecurity \npractices in the regulation of political advertising on social \nmedia are a good start, we must strengthen the public\'s ability \nto interact with information in the digital world. 
Broadly, we \nmust begin a concerted effort to inoculate the American public \nagainst the viral threat of disinformation through more civic \neducation and media literacy. Specifically, these must become \nbedrocks of our formal and informal education systems in order \nto make our population more immune to the threat.\n    This may require the same level of effort that President \nEisenhower showed with the National Defense Education Act in \n1958 in an attempt to bolster poor American efforts in math, \nscience, and foreign language education. Indeed, Eisenhower \nbelieved those skills were critical in keeping up with the \nRussians during the post-Sputnik world. Today, it may be \ncritical thinking and media literacy that can protect our \nfreedoms.\n    To conclude, in 1900 Mark Twain celebrated the anniversary \nof the Gutenberg printing press, and he noted that everything \nthat is good in the world today and everything that is bad is a \nresult of that invention. That device had, in Twain\'s words, \n``found truth walking and given it a pair of wings, but it also \nfound falsehood trotting and gave it two pair of wings. It had \nset peoples free but at the same time made despotism more \npossible where it was not possible before.\'\'\n    In short, the internet revolution may surpass Gutenberg\'s \nprinting press as the greatest event in secular history, and \nit\'s already created wonderful opportunities and wicked \nproblems. But we must understand that in the end it\'s used by \nhuman beings, and it\'s in human beings where we will need to \nstrengthen, as the Chairman said earlier, resiliency.\n    Thank you very much, and I look forward to your questions.\n    [The prepared statement of Dr. Jacobson follows:]\n [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman LaHood. Thank you, Dr. Jacobson. 
And we will now \nmove to the question portion of our hearing today.\n    And let me just thank all the witnesses for your valuable \ntestimony here today for this important hearing. And the Chair \nnow will recognize himself for five minutes.\n    And, Ms. Manfra, I want to start with you. It\'s my \nunderstanding that DHS notified Kaspersky of the BOD or the \nDirective 17-01 outlining the concerns that led to the issuance \nof the directive and provided Kaspersky the opportunity to \ninitiate a review by DHS by providing a written response by \nNovember 3 of 2017. Did DHS receive a response from Kaspersky \nby that date?\n    Ms. Manfra. Sir, we did give them a one-week extension to \nNovember 10, and we did receive a response.\n    Chairman LaHood. And have you initiated a review of that \nresponse?\n    Ms. Manfra. Yes, sir. My legal counsel is reviewing the \nresponse right now.\n    Chairman LaHood. And can you give us an update on that \ntoday?\n    Ms. Manfra. I cannot, sir.\n    Chairman LaHood. Can you tell us whether you\'ve received \nany evidence or information from Kaspersky that addresses or \nalleviates the Department\'s concerns at this time?\n    Ms. Manfra. I cannot say that we have. The legal counsel is \nstill reviewing it. We just received it on Friday night. So \nonce they review it, I will review it as well, and we\'ll make \nthe determination to send it out to the Acting Secretary in \norder for her to make a decision.\n    Chairman LaHood. And have you reviewed it yourself?\n    Ms. Manfra. Not yet, sir.\n    Chairman LaHood. Do you know how long it was, the response?\n    Ms. Manfra. It was significant, sir. I\'m not sure how many \npages it was.\n    Chairman LaHood. And you referenced earlier your concern \nabout litigation as it pertains to Kaspersky. Can you elaborate \non that on your specific concerns?\n    Ms. Manfra. 
Sir, the company, should we make a decision \nthat they do not believe is appropriate, they always have the \noption to take this to court to have a judge make a decision \nabout whether the Department made an appropriate decision.\n    Chairman LaHood. And have you reviewed the legal aspects of \nthis, and have you made a determination on what was done here \nwas legally proper?\n    Ms. Manfra. I am not a lawyer, sir. I have had the lawyers \nreview it and spoke with them about it. I do believe that it \nwas legally proper.\n    Chairman LaHood. Ms. Manfra, the directive was issued on \nSeptember 13, and within 30 calendar days, federal departments \nand agencies were required to identify the use or presence of \nKaspersky products on their systems and provide DHS a report \ncontaining preliminary findings such as the number of endpoints \nimpacted by each product and the methodologies used to detect \nthe presence of Kaspersky. Has DHS received this information \nfrom all agencies?\n    Ms. Manfra. We have received it from the majority, sir. \nThere are a small number of very small agencies that we are \nassisting them. They do not have the tools that other larger \nagencies might have, but we\'ve received them from 94 percent of \nthe federal agencies.\n    Chairman LaHood. And can you give us an update on what you \nhave received thus far?\n    Ms. Manfra. What we\'ve received is that, again, out of all \nthe federal agencies, a very small number have identified the \nuse or presence in some aspect of their system of Kaspersky-\nbranded products, about 15 percent of agencies who have \nreported.\n    Chairman LaHood. And where are you in the process of \ndetermining in the next phase whether anything was compromised \nor where we\'re at with that?\n    Ms. Manfra. We\'re working with each agency individually. 
\nSome of them have chosen to go ahead and remove the products \nahead of schedule, and so we\'re working to understand where the \npresence was, what doing an audit if you will of what \ninformation may have transited those systems and whether there \nwas any cause for concern for the most part. We have not \nidentified any yet, but we\'re still working with agencies.\n    Chairman LaHood. And do you believe the phased system \nthat\'s been put in place, that you\'ll be able to comply with \nthat fully?\n    Ms. Manfra. Yes, sir.\n    Chairman LaHood. Within 60 calendar days of the issuance of \nthe directive, agencies were required to develop and provide \nDHS a detailed action plan to remove and discontinue future \nuses of Kaspersky products. Since the 60-day deadline has \npassed, can you confirm that all agencies or departments have \nsubmitted their required action plan?\n    Ms. Manfra. Not all of the agencies have submitted the \nrequired action plan. As I mentioned, some of them have gone \nahead and just identified a way to remove the software, so \nthey\'re going about that. A couple of the agencies needed \nadditional help, so we\'re working with them on that so they can \nmeet the deadline.\n    Chairman LaHood. Thank you. Those are all my questions at \nthis time. I\'ll yield to Mr. Beyer for his questions.\n    Mr. Beyer. Thank you, Mr. Chairman. Thanks all of you very \nmuch for being with us. This is fascinating.\n    Dr. Jacobson, in your testimony--I\'m going to quote from \nyour written one because I have it written down. You said, \n``Russia\'s well-financed and deliberate intervention in the \nAmerican political dialogue is part of a much broader effort to \nundermine America\'s faith in its free institutions, diminish \nU.S. 
political cohesion, erode confidence in Western \ndemocracies and the credibility of Western institutions, weaken \ntransatlantic relationships, including NATO, and diminish the \ninternational appeal of the United States, as well as reduce \nAmerican power abroad.\'\' I\'d just love it if you could \nemphasize that this is a bipartisan concern, much larger than \nthe 2016 presidential election.\n    Dr. Jacobson. Thank you, Ranking Member Beyer. I grew up as \na child of the Cold War and watched how Ronald Reagan \nstrengthened U.S. efforts against the Soviets, but I also think \nit\'s interesting--and at the risk of invoking ire even from my \nDemocratic friends--so did Jimmy Carter in different ways. And \nI think that we had a bipartisan consensus throughout the Cold \nWar that the Russians were a threat.\n    I actually--in listening to the Committee today, I see a \nrecognition of that, and I think there\'s an understanding that \nthere are things that need to be done to strengthen America\'s \nability to be a strong ally abroad and look out for our vital \nnational security interests that don\'t have to cross partisan \nlines. And I think if we look at what the Russian effort is \ndoing and look at dealing with the technical, as well as \ndealing with this war against our population in terms of \ndisinformation, I think there are a number of avenues where \nCongress can lead the way in terms of a bipartisan effort.\n    Mr. Beyer. Let me go further on that. I love the--Ph.D. in \nmilitary history. It was a fascinating educational background. \nSo as a professor, you talked about the human mind is the \ncenter of gravity in political warfare and then cited President \nEisenhower with the whole notion of the ability to evaluate \ninformation, think critically, maintain a healthy skepticism, \nunderstand that some messages out there are deliberately \ndeceptive will make our population much more conscious about \nthe information they absorb. 
How do we get there?\n    Dr. Jacobson. It\'s a great challenge, sir. The Stanford \nHistory Education Group just did a study that\'s a bit \ndisheartening, and what it did was take undergraduate students, \nhigh school students, as well as trained historians--my \ncolleagues in the academic arena--and all of them failed pretty \nmiserably at identifying fake news. The folks who did do pretty \nwell were professional fact-checkers, and the reason is not \nonly do they look for the source of information, they were \ncomparing things horizontally. As I say to my students, ``Watch \nMSNBC, watch CNN, watch Fox, even read Breitbart.\'\' You need to \nunderstand what everyone is doing about looking at a story, and \nyou can pick up the anomalies. You can see what does not make \nsense.\n    But I think what\'s even more critical is to understand we \nhave to start this at the K-through-12 level. By the time our \nchildren are 18 years of age, it\'s almost hardwired in their \nsystem where they can\'t identify or can\'t see the difference \nbetween an advertisement and a factual news article, an opinion \npiece, and false information. So this is an education issue. \nIt\'s also a training issue as well, even for folks like myself, \neven for all of us sitting here today.\n    Mr. Beyer. Thank you. I confess the number of emails I get \nevery week from family members that have the wildest possible \ntheories, including the fact that Chairman LaHood and I are \ngoing to be paid our full salary for the rest of our lives \nafter serving one day in Congress, that kind of disinformation \nis out there.\n    You talk about cyber hygiene imperative. You know, our \nelectoral system is widely, widely distributed, you know, \nprecincts. Virginia\'s got 2,500 precincts. How do we ever get \ncyber hygiene down to the towns and the counties around \nAmerica?\n    Dr. Jacobson. 
Again, I think the first step is awareness, \nbut I\'m actually glad I\'m on this side of the table here and \ndon\'t have to worry too much about implementation, but I think \nit\'s important to understand that this is not just a federal \ngovernment issue; it\'s a state and local issue as well. And the \nreason I emphasize cyber hygiene is all the technology in the \nworld, as we used to say in the Army, is not going to G.I.-\nproof that computer against someone who picks up a USB stick on \nthe sidewalk and decides to plug it into their computer. There \nare stupid things that smart people do that can help infect \nsystems. And I think helping to make things easy for our \nfederal workforce to understand in terms of what to do and what \nnot to do but also educating the general public in terms of \nunderstanding malicious links.\n    And anyone who\'s looked at emails or read in the newspapers \nabout even our most senior military leaders were duped by \nphishing attempts, this is difficult, but again, I think the \nsolution in terms of teaching people what to do and what not to \ndo is a bit easier than we might concede.\n    Mr. Beyer. Great. Thank you very much. Mr. Chair, I yield \nback.\n    Chairman LaHood. Thank you, Mr. Beyer.\n    I now recognize the gentleman from Florida, Mr. Posey, for \nhis questions.\n    Mr. Posey. Thank you, Mr. Chairman.\n    Ms. Manfra, it staggers the imagination that our government \napproved and purchased security software from Russia\'s \nKaspersky Labs, known to have ties to the Kremlin\'s \nintelligence community. I mean, it\'s just--it\'s still hard for \nme to get my arms around the fact that we really allowed that \nto happen and that in fact that that software doesn\'t protect \nus. Obviously, it harms America\'s security by allowing \nmalicious actors to get total access to our computers. Who \napproved the purchase of that software?\n    Ms. Manfra. Sir, it\'s hard to say in every case. 
Often, \nwhat we see is that that software was bundled into other \npurchases, so you buy a computer and the antivirus was \ninstalled with the computer, so they weren\'t necessarily aware \nthat they were explicitly purchasing that, which is why it took \na little bit of time to--for agencies to go through and \nidentify that. You know, in the end it is the procurement of \nindividuals who are making some of these choices, but what we \ndid see is a very low percentage of that presence. But for the \nmost case, what we believe happened was it was often bundled \ninto other purchases.\n    Mr. Posey. So where does the buck stop?\n    Ms. Manfra. Sir, in the end it is up to every agency head \nto make cybersecurity risk management decisions, and we are \nworking across the federal government to approve--to improve \nour processes for supply chain risk management to be able to \naddress issues such as this and to be able to make it clear \nwhat software and hardware agencies are purchasing and what \nrisk that introduces into the system.\n    Mr. Posey. Okay. So every agency head ultimately is \nresponsible?\n    Ms. Manfra. Yes, sir.\n    Mr. Posey. According to the directives, already you were \nsupposed to receive some reports from every agency that was \naffected. I think the Chairman asked you about that earlier. \nWould you mind stating for me which agencies have complied thus \nfar?\n    Ms. Manfra. Sir, all of the agencies have complied with the \nfirst phase except for a very small number of very small \nagencies who just don\'t have the resources and we\'re helping \nthem with that. We\'re still in the--sort of the second phase.\n    Mr. Posey. When we say all the agencies except a few, how \nmany agencies are we talking about?\n    Ms. Manfra. Six, sir.\n    Mr. Posey. Six agencies have complied?\n    Ms. Manfra. Six have not complied yet with the first phase, \nwhich is the reporting whether they have the products on their \nsystem.\n    Mr. Posey. 
How many have complied?\n    Ms. Manfra. About--so, there\'s 102 total agencies, six--\n    Mr. Posey. All right, 96, 98, okay.\n    Ms. Manfra. Yes.\n    Mr. Posey. Which agencies have not complied?\n    Ms. Manfra. Sir, I\'d be happy to work with your staff, not \nan open hearing, to talk to you about the specific agencies. \nThey are working very hard, sir. It\'s not like they\'re--\n    Mr. Posey. Well, I know they\'re----\n    Ms. Manfra. --not trying--\n    Mr. Posey. --working hard. I don\'t see, you know, what risk \nthere is in naming who hasn\'t complied. I\'m just curious. I \ndon\'t know if other members are, but I\'m curious to know which \nones haven\'t complied.\n    Ms. Manfra. We would prefer to keep those not public, sir. \nWe don\'t believe that it is helpful to name them publicly.\n    Mr. Posey. How would that harm anything?\n    Ms. Manfra. I think it could have two aspects, sir. It \nwould, you know, alert anybody who was looking to use \npotentially the presence of that software on their systems if--\nshould they have it. It would also harm the relationship that \nwe have. A lot of our work depends on a trusted relationship \nwith these agencies.\n    Mr. Posey. And so if you told Congress that they weren\'t \nbehaving appropriately, it might hurt your relationship?\n    Ms. Manfra. Sir, I don\'t mean to imply that they\'re not \nbehaving appropriately. What I imply is that these are very \nsmall agencies, some of them with only 6 to 10 people in them \nthat do not currently have the resources, and we\'re just \nassisting them with identifying what products are on their \nsystem.\n    Mr. Posey. Now, you talked about fear of litigation from \nKaspersky Labs a little while ago when somebody else mentioned \nthat. How in the world could you possibly fear any action by \nthem? I mean, you wouldn\'t have signed an agreement with them \nthat would allow them to sue you and you not defend yourself, \nwould you?\n    Ms. Manfra. 
I don\'t fear any action from them, sir, but \nthey do--they could potentially take action, and I want to \nensure that we are in a position to address any concerns that a \njudge may have.\n    Mr. Posey. Yes. I think the audacity--I think to paraphrase \nClint Eastwood, ``Go ahead and make my day.\'\'\n    Ms. Manfra. Yes, sir.\n    Mr. Posey. Can you explain to me the penalties to the \nexecutive agencies if they don\'t comply?\n    Ms. Manfra. We would work with the Office of Management and \nBudget to determine what the issue was. Sometimes the issue is \nthey don\'t have the resources, and whether it is to identify \nthe products or it is to replace them, so it may not be a stick \nthat they need but actually additional resources, or if there \nwas a stick required, then we would work with OMB to address \nthat.\n    Mr. Posey. Have there been any enforcement actions thus \nfar?\n    Ms. Manfra. No, sir. We have issued six binding operational \ndirectives, and in each case every agency that we\'ve worked \nwith has been willing and eager to comply with them. Some of \nthem are challenged with resources, though.\n    Mr. Posey. Thank you, Mr. Chairman. I see my time\'s \nexpired.\n    Chairman LaHood. Thank you, Mr. Posey.\n    I now yield to the Ranking Member, Ms. Johnson.\n    Ms. Johnson. Thank you very much.\n    Dr. Jacobson, you referred to fake news generated by the \nSoviet Union during the Cold War and cite the disinformation \ncampaign by Soviets that claimed that the U.S. Government \ndeveloped the AIDS virus intentionally to target homosexuals \nand African Americans. You say these stories spread to 80 \ncountries and were translated into 30 languages in just four \nyears, a timeline which today could probably be as little as 4 \nhours or perhaps 4 minutes to circulate around the world. 
You \nsaid one of the reasons the Soviets generated this fake story \nwas to heighten racial divisions in America.\n    Just last month, CNN reported that Russia had created a \nfake group called Black Fist and Russian trolls linked to this \noperation paid personal trainers in New York, Florida, and \nother States to run self-defense classes for African Americans. \nThey were apparently attempting to sow animosity and tension \nalong racial lines. But this group was created in January of \n2017, 2 months after the 2016 U.S. presidential election.\n    Dr. Jacobson, do you believe that Russia\'s influence \ncampaign against America is only tied to trying to manipulate \nour elections or do they have other wider interests in \ninfluencing American citizens?\n    Dr. Jacobson. Thank you, Congressman--Congresswoman. I \nbelieve the Russians have long-term objectives. They are not \nsimply concerned with one election cycle. This is a campaign \ndesigned to continue to divide the United States. And if you \ntake a look at some of the sites you\'ve mentioned, you had \nmentioned Black Fist. There was also the Blacktivist, a fake \nsite. There was also one called Heart of Texas. And the whole \nidea is to take the divide we have--and the Russians don\'t want \nto see reconciliation. They don\'t want to see dialogue and \ndebate. What they would like to see is both sides of an issue \nresort to violence in the end. And I\'m overstating the \nsimplicity of doing that, but that\'s their long-term effort \nbecause it requires us then to look inside and not look at \nwhat\'s happening around the world and thereby advance Russian \nforeign policy objectives.\n    Ms. Johnson. You mentioned the need for better standards \nand fact-checking by reputable news organizations to help them \navoid being duped by fake news. Social media sites are not \nnewspapers, but they do generate news. 
At the same time, we \ndon\'t want to limit anyone\'s ability to speak out publicly and \nshare their own thoughts or opinions, so how do we emphasize \nfact-checking in news-related stories and distinguish that from \nsomeone being able to offer their own opinion?\n    Dr. Jacobson. I think there are a couple pieces there. I\'ll \nbe the last person who wants to mess with the business model or \ncontent on social media sites. I mean, you look at one of the \nstrengths of our nation, it\'s the idea of freedom of \nexpression.\n    But I think there are certain limits we can place. For the \nsocial media world, they\'re as much media companies today \nas they are social, and they have to understand that when it \ncomes to political advertisements they should be subject to the \nsame regulations that traditional media are.\n    I think there are ways--you look at a company like Twitter \nwhere there\'s a verification blue check that says to the world, \n``This individual is who they say they are.\'\' I also think if \nyou look at systems like Moody\'s for the financial network, \nlet\'s find an independent organization that gives a rating to \neither traditional or social media outlets. Now, not all the \ntraditional or social media outlets will be particularly happy \nwith it, but it\'s just a start. And in fact I\'m--I believe that \nSilicon Valley could come up with some even better ways to do \nit if they put their mind to it.\n    Ms. Johnson. Thank you very much.\n    Mr. Chairman, I yield back.\n    Chairman LaHood. Thank you, Ms. Johnson.\n    I now yield to the gentleman from Louisiana, Mr. Higgins, \nfor his questions.\n    Mr. Higgins. Thank you, Mr. Chairman. At this time I ask \nunanimous consent to enter into the record the written \ntestimony of cybersecurity expert Troy Newman of Cyber5.\n    Chairman LaHood. Without objection.\n    [The information appears in Appendix II]\n    Mr. Higgins. Ms. Wynn, Mr. 
Newman has advised myself and \nother Members of this Committee that a simple software \nuninstall can\'t guarantee that all components of the \napplication are removed. He elaborated that the best, most \nsecure software removal process for remediation of threat is \nfirst an immediate uninstall and then a scheduled complete hard \ndrive replacement. Can you briefly elaborate for those of us \nthat don\'t understand things of this nature why a simple \nsoftware uninstall is insufficient and why complete hard drive \nreplacement is the best solution?\n    Ms. Wynn. Thank you for your question. I would have to take \nthat back to some serious experts in terms of hard drive \nmanagement and truly erasing software and breadcrumbs and \nfootprints associated with that software that get left behind \non hard drives. What I can speak to is that NASA takes very \nseriously its cybersecurity responsibility, and when we find \nunauthorized or unapproved software, we work very quickly to \nremove that.\n    We also have lines of defense that if--that are sort of \nlayered in terms of--so that if you don\'t do very well on your \nfirst pass there are other ways and other mitigations that we \ndo to protect our network to try to contain any threats to our \nenvironment.\n    Mr. Higgins. So when members of this panel have referred to \nagencies that have attempted to comply with the directive by \nremoving Kaspersky software from their systems, would you \nconcur that that doesn\'t mean that Kaspersky is actually gone \nfrom the system?\n    Ms. Wynn. I would say that cybersecurity is never a 100 \npercent deal and that what we have to--\n    Mr. Higgins. If the hard drive is removed, is it a 100 \npercent deal?\n    Ms. Wynn. Sir, I can\'t speak to a hypothetical computer. 
I \nthink you\'d have to take a look at how a computer might be, \nlet\'s say, infected to decide whether the hard drive was one \nwhere you could reuse again or if you would just decide not to \nput that hard drive back into your computer.\n    Mr. Higgins. So that would require--that\'s an excellent \nanswer, thank you, Madam. And that would require further \nevaluation of that particular system?\n    Ms. Wynn. You need to always monitor your network to make \nsure it\'s fully protected.\n    Mr. Higgins. Very well. Thank you for your answer.\n    Ms. Manfra, thank you for your service to your country. The \nBinding Operational Directive 17-01 in its initial statement \ncalls for a 30-day period to identify the use of Kaspersky \nproducts and then a 60-day period to provide detailed plans to \nremove and discontinue the present and future use of the \nproducts and then a 90-day period to begin to implement the \nagency plans to discontinue use and remove the products from \ninformation systems. However, there\'s a clause stating in \nthere--stating that unless directed otherwise by DHS based on \nnew information at--by what measure, Madam, would DHS ever \ndetermine never mind, let\'s go ahead and keep this product on \nour systems? Why is that clause in there?\n    Ms. Manfra. Sir, after extensive review of this process by \nour legal counsel, we felt that it was important to allow \nKaspersky Labs and any other potentially affected entity a \nmeaningful opportunity to respond to the decision that we had \nmade.\n    Mr. Higgins. So that clause is inserted into the DHS DOD \n17-01, the binding operational directive for United States \nGovernment agencies--that clause was inserted to protect \nKaspersky----\n    Ms. Manfra. No, sir.\n    Mr. Higgins. --as opposed to government agencies?\n    Ms. Manfra. No, sir. 
That clause was inserted that should \nthe Kaspersky or another commercial entity come back with new \ninformation that would result in the Acting Secretary \nreconsidering her decision, then we would issue new guidance \nbased off of that new information.\n    Mr. Higgins. And what could that new guidance be other than \nto discontinue the process of removing Kaspersky products?\n    Ms. Manfra. That would probably be it, sir, if that was the \nActing Secretary\'s decision but it would have to be based off \nof new information that had previously not been understood or \nconsidered.\n    Mr. Higgins. Mr. Chairman, I have one brief question if you \nwould allow.\n    Chairman LaHood. Yes, go ahead, Mr. Higgins.\n    Mr. Higgins. Regarding code, Ms. Manfra, it\'s my \nunderstanding that the directive does not apply to Kaspersky \ncode embedded into products of other companies. Is that \ncorrect?\n    Ms. Manfra. I wouldn\'t say that it doesn\'t apply to \nKaspersky code because that would be--\n    Mr. Higgins. The directive applies to removal of the \nproducts----\n    Ms. Manfra. Correct, sir.\n    Mr. Higgins. --but what about the code behind?\n    Ms. Manfra. It--what we focused on was products that is \nclearly identified as Kaspersky. What we have not focused on in \nthis directive that we are continuing to pursue is \nunderstanding how they may be embedded in other products that \nare not Kaspersky and working toward the process to address \nthose.\n    Mr. Higgins. Thank you for your answer.\n    Mr. Chairman, my time is expired. I would just share that \nit\'s concerning--it\'s exactly what we\'re talking about, the \nentire series of Kaspersky-related hearings, concerns, and \napparently known or reasonably suspected information security \nthreat that the Kremlin has embedded itself in our federal \nsystems, and may I submit that that should certainly include \ncode.\n    I thank you for your indulgence, Mr. Chairman. I yield \nback.\n    Chairman LaHood. 
Thank you, Mr. Higgins.\n    I now recognize the gentleman from California, Mr. \nMcNerney.\n    Mr. McNerney. Well, I thank the Chairman and I thank the \nwitnesses.\n    Dr. Jacobson, three prominent U.S. security agencies \nincluding the CIA and the NSA, concluded that the Russians had \noperations intended to influence the 2016 presidential election \nbut declined to comment on whether that effort had been \nsuccessful. Do you have an opinion if the Russian efforts were \nsuccessful in influencing the 2016 elections?\n    Dr. Jacobson. Well, I\'m cognizant of not getting ahead of \nwhere the multiple congressional investigations are, and of \ncourse I\'m as eager to see what the conclusions are there, and \nI\'m eager to see the U.S. intelligence community speak more \npublicly about this. What I am very confident in saying is that \nthere is clear evidence of attitude changes amongst the U.S. \npopulation as a--in response to the numerous social media \nefforts undertaken by the Russians and Russian agents. And I \nwould point to in particular a study by the Oxford \nComputational Propaganda project, which noted changes in the \nway--in the attitudes of individuals commenting on the election \non social media after spikes in Russian-bot activity. But I \nhave not done that original research, so I\'m reliant on what \nthey have done. But to me, as someone who worked on \npsychological warfare operations in the Army for quite some \ntime, there is clear evidence of an attitude change amongst the \npopulation.\n    Mr. McNerney. Well, has the Russian effort in any way \ndiminished as a result of the publicity around the 2016 \nelection?\n    Dr. Jacobson. I don\'t think it\'s diminished. I think maybe \nthe target sets have changed, so in short, no.\n    Mr. McNerney. Okay. In your testimony you state that social \nmedia companies must start to see themselves more as media \ncompanies because their ability to spread information and \ninfluence the public. 
What actions can we take in Congress to \nensure that the social media companies assume that \nresponsibility more seriously, especially regarding political \nads?\n    Dr. Jacobson. As Dr. Jim Ludes and I said earlier this year \nin our co-authored report, it\'s probably time that the social \nmedia companies have the same standards in terms of regulation \nof political advertising transparency that traditional media \ncompanies have. I actually think the larger problem--so you \nhave one problem of advertising--paid advertising on the social \nmedia networks. The larger problem is the one of fake sites, \nand I think that the continued dialogue between Congress, which \nI don\'t think wants to regulate the social media companies any \nmore than necessary, and the social media companies which don\'t \nwant regulation should continue this dialogue because their--\nthe social media companies\' terms of service are very powerful \nweapon against these fake sites. And we\'ve actually already \nseen Facebook and YouTube use their terms of service to \neliminate these fake sites, including one that was targeting \nveterans in particular.\n    Mr. McNerney. Thank you. Ms. Miller, last month Reuters \nreported that H.P. Enterprises allowed a Russian defense agency \nto review the source code of H.P. cybersecurity software \nArcSight as a condition of gaining certification to sell the \nproduct in Russia\'s public sector. In the same article, Reuters \nreported that ArcSight serves as a cybersecurity nerve center \nfor much of the U.S. military and that vulnerabilities \ndiscovered during the source code review could make the U.S. \nmilitary more vulnerable to cyber attacks. Is the DOD using \nArcSight software?\n    Ms. Miller. Sir, we use ArcSight primarily in our intel \ncommunity, but unfortunately, I can\'t speak to the details at \npresent.\n    Mr. McNerney. Is the DOD taking steps to secure its systems \nsince learning about the ArcSight code review?\n    Ms. 
Miller. I would have to take that as a question for the \nrecord, sir.\n    Mr. McNerney. Thank you. Does the DOD use any other \nsoftware that\'s subject to source review by a foreign \ngovernment--source code review?\n    Ms. Miller. Well, actually, we have processes in place, \nsir, to help us work through that process, yes, we do.\n    Mr. McNerney. Okay. Ms. Wynn, does NASA use ArcSight \ncybersecurity software?\n    Ms. Wynn. I\'m trying to think about that for a second. \nWe\'re going through a process of significant change in terms of \nthe tools in the layers of our cyber defense, and I actually \ncan\'t remember if ArcSight is coming in or leaving our network, \nso I\'ll take for the record and get back to you.\n    Mr. McNerney. Okay. Ms. Manfra, same question. Does DHS use \nArcSight cybersecurity software?\n    Ms. Manfra. Yes, sir. I\'ll get back to you. We\'re working \nthrough a process to address this change similar to the other \nagencies.\n    Mr. McNerney. Okay. Thank you. Mr. Chairman, I yield back.\n    Chairman LaHood. Thank you. At this time I yield to the \nChairman of the full committee, Mr. Smith, for his questions.\n    Chairman Smith. Thank you, Mr. Chairman. Just a comment, \nI\'m really surprised our witnesses didn\'t have a better answer \nfor the gentleman from California. I hope you will be able to \nanswer my questions. And let me direct first ones, Ms. Manfra, \nto you. Are you aware of any breaches to our national security \nthat have been facilitated by the Kaspersky products?\n    Ms. Manfra. Sir, I can\'t discuss that in this forum.\n    Chairman Smith. I don\'t understand your answer.\n    Ms. Manfra. Sir, I prefer to have that discussion in a \nclassified----\n    Chairman Smith. No, you don\'t need to have that in a \nclassified hearing. I\'m not asking for any specifics. I\'m just \nasking if there have been breaches. 
I\'m not talking about who \nhad their systems breached, when it occurred, or how it \noccurred, just whether breaches did occur.\n    Ms. Manfra. Sir, we\'re still working through the process to \nidentify----\n    Chairman Smith. We\'ve heard that phrase several times \ntoday, ``working through the process.\'\' That is just not \nsufficient of an answer.\n    Ms. Manfra. Sir, is not conclusive at this time.\n    Chairman Smith. You don\'t know whether or not systems have \nbeen breached by Kaspersky Lab products yet?\n    Ms. Manfra. We do not currently have evidence that--\nconclusive evidence that they have been breached. I want to do \na thorough review to ensure that we have a full picture of----\n    Chairman Smith. What about the NSA employee? You don\'t \nthink that was considered a breach?\n    Ms. Manfra. Sir, I would have to direct any questions on \nNSA to the NSA.\n    Chairman Smith. But sure--are you aware of that episode?\n    Ms. Manfra. Sir, we\'d have to have that discussion with the \nNSA.\n    Chairman Smith. I\'m not--are you aware of the episode and \ndo you consider it a breach?\n    Ms. Manfra. I\'m aware of the allegations of what has been \npublicly reported in the press and would have to discuss any \nfurther details with the NSA.\n    Chairman Smith. Okay. Let me try a different question. How \ndid the Russian software--some people would consider it \nspyware--get on the approved list by Department of Homeland \nSecurity?\n    Ms. Manfra. Are you referring to the GSA----\n    Chairman Smith. Yes.\n    Ms. Manfra. --sir? Yes. As I mentioned, we need to \nmodernize our supply chain risk management processes within the \ngovernment. Currently, our processes within the civilian \ngovernment are largely focused on lowest-cost if you will.\n    Chairman Smith. 
The fact that it was a Russian firm \noperated by a Russian who had some perhaps association with the \nKGB and certainly the Department of Defense and Russia, that \ndidn\'t raise any red flags to anyone?\n    Ms. Manfra. Sir, I wasn\'t a part of the GSA decision-making \nprocess. What I can say is that when we had enough information \nto make this risk decision, we engaged the GSA, NASA, and \nothers who had these governmentwide contracts to begin to \nexecute a process to remove it.\n    Chairman Smith. But wasn\'t that after we called it to your \nattention? Didn\'t anybody see any red flags before that?\n    Ms. Manfra. Yes, sir. One of the things when I assumed the \nacting position that I\'m now appointed to in January was to \nconduct a thorough review of our use of Kaspersky, the \nintelligence associated with it----\n    Chairman Smith. Yes, that\'s----\n    Ms. Manfra. --and initiate a plan to remove it.\n    Chairman Smith. Yes, that\'s not what I\'m asking. That\'s \nafter the fact. I\'m asking about several years ago when it was \non the approved GSA list. Are you aware of any agency that \nmight have raised any red flags or not?\n    Ms. Manfra. The government has been aware of some \nincreasing concerns about Kaspersky, and we did--not me \npersonally but the agencies with that information did engage \nwith other agencies that had----\n    Chairman Smith. Okay.\n    Ms. Manfra. --those procurement responsibilities.\n    Chairman Smith. I have a question to DOD about that in a \nsecond, but one other question. Did the license agreement with \nKaspersky allow penetration beyond the usual type of agreements \nyou have with similar types of companies?\n    Ms. Manfra. No.\n    Chairman Smith. Okay. We have pretty good evidence that \nthat\'s not the case, and we\'ll get back to you on that and have \na further discussion.\n    Ms. Miller, let me address a couple questions to you. 
We\'re \nunder the impression that in 2012 the Department of Defense \nmade a decision not to use Kaspersky Lab products. Are you \naware of that or is that even true?\n    Ms. Miller. Sir, I\'m not even sure that was true. However, \nwe have used processes that I can\'t discuss at this point based \non intel information----\n    Chairman Smith. Right.\n    Ms. Miller. --to decide not to use the product.\n    Chairman Smith. Okay. When did you decide not to use the \nproducts?\n    Ms. Miller. I don\'t know a date, sir.\n    Chairman Smith. A year?\n    Ms. Miller. I don\'t have a year. I think it\'s been a \ncouple, but I would have to check.\n    Chairman Smith. Okay. It might have been 2012. I think we \nmight have the same information. And can you say why they \ndecided not to use--why DOD decided not to use Kaspersky Lab \nproducts?\n    Ms. Miller. I cannot discuss that in open forum, but it was \nbased on intel information that we had.\n    Chairman Smith. And security--are you aware of any security \nbreaches that occurred at DOD as a result of Kaspersky \nproducts?\n    Ms. Miller. I have no knowledge of any within DOD.\n    Chairman Smith. Itself, okay. And in 2012 or however many \nyears it was ago that DOD decided not to use Kaspersky Lab \nproducts--and you say you\'ll get back to us as to why they \ndecided that; there had to be a good reason I assume--do you \nknow if they notified any other agencies of their concerns?\n    Ms. Miller. I\'m not aware of any notification, sir.\n    Chairman Smith. Okay. Can you double-check that for me? And \nthat\'ll be an easy question to find out. If you can get back to \nus by this afternoon on those two questions that I asked you.\n    And then a couple questions, Ms. Manfra, I asked you if you \ncan get back this afternoon as well. They\'re easy to answer. 
\nAnd if you have to talk to me directly, that\'s fine, but I \nwould ask you not to take advantage of the cover of classified \nunless individuals\' names are involved or unless it\'s in regard \nto specifics. If it\'s very general, that shouldn\'t be \nclassified.\n    Okay. Thank you, Mr. Chairman. I yield back.\n    Chairman LaHood. Thank you, Mr. Smith.\n    I now recognize the gentleman from Colorado, Mr. \nPerlmutter.\n    Mr. Perlmutter. Thank you, Mr. Chair.\n    So Mr. Higgins talked about the Kremlin has embedded itself \nin the structure of the United States. And in prior hearings \nwe\'ve had conversations about foreign intelligence risk, \nespionage, meddling in U.S. affairs by the Russians and by Mr. \nPutin himself. And in Danang just a few days ago when asked \nabout Russia meddling in U.S. affairs, the President said, \nquote, ``I asked him again about meddling. You can only ask so \nmany times. He said he absolutely\'\'--he, Putin--``absolutely \ndid not meddle in our election. He did not do what they are \nsaying he did. I really believe that when he tells me that. He \nmeans it. I think he\'s very insulted if you want to know the \ntruth.\'\'\n    So, Mr. Jacobson, you know, we\'re here and it\'s a real \nissue, Kaspersky having embedded itself potentially for the \nbenefit of the Kremlin and Russia in our software, in our \nDefense Department, in NASA, in Homeland Security, but let me \nask you about Mr. Putin and about whether or not, given his \nbackground, the President should just take him at his word. \nWhat do you think about that?\n    Dr. Jacobson. Well, Mr. Putin\'s an ex-KGB officer. I\'m not \nsure I would take him at his word if he told me the sun were \nshining and I was standing outside and there were blue skies \nand the sun was shining down on me.\n    Mr. Perlmutter. You used the word psychological warfare \nearlier. Would Mr. Putin be familiar with that? Is that \nsomething he did as the head of the KGB?\n    Dr. Jacobson. 
Mr. Putin would be intimately familiar with \nnot only operations he may have been involved in but the entire \nhistory of Soviet disinformation and propaganda campaigns. I \nmean, this is something embedded in the nature of KGB officers \nand not just propaganda designed to influence and shape \nAmerican foreign policy that might be truthful. We\'re talking \nabout deliberate attempts to mislead and obfuscate, covert \naction, sabotage, subversion, what have you. I don\'t trust \nanything coming out the Russian Government.\n    Mr. Perlmutter. And I appreciate the Chairman and the \nRepublican majority for having this hearing and looking at \nKaspersky and how it may have corrupted some of our computer \nsystems, but, you know, when I take a look at the connections \nthat this Administration has to Russia, Michael Flynn, Jeff \nSessions had some contacts, Carter Page, Roger Stone, Jared \nKushner, Donald Trump Junior, Michael Cohen, J.D. Gordon, Paul \nManafort, Mr. Gates, Mr. Papadopoulos. I mean, that\'s where \nthis investigation, not just--should not just be on Kaspersky, \nwhich is coming in through the back door through different \nkinds of software that may have tainted the system, but what \nabout the front door which is at the White House? So are you \nfamiliar with these different connections that this \nAdministration may have with Russia?\n    Dr. Jacobson. Only insofar as what I read in the newspaper. \nAnd like everyone else, I\'m eager to see what the various \ncongressional investigations or the Special Counsel\'s Office \ncomes up with on this.\n    Mr. Perlmutter. You answered a question that Ms. Johnson \nasked you about, well, what\'s the real purpose? What is it that \nwe\'re worried about? Why are we worried about Kaspersky having \ncorrupted some of our systems? Why are we worried about these \ngentlemen with connections to Russia and with the President \nsaying he believes Mr. Putin? What\'s the worry here?\n    Dr. Jacobson. 
I think there are a couple things here. As \nwe\'ve heard during this hearing, there are concerns about--and \nit\'s not a back door; it\'s a front door. You know, we\'ve given \nKaspersky access--if I\'m putting antivirus software on my home \ncomputer, I\'m giving that software company some access. It can \nbe used for espionage. It can be used--I\'m particularly worried \nabout data manipulation as well. But again with respect to my \narea of expertise, I think once you start to get into a system, \nit becomes a vector for propaganda and influence. It allows you \nto discredit federal organizations if you want. It allows you \nto manipulate data and try and create poor policy decisions.\n    But it\'s also part of a broader effort. If we think of \ncyber--and again the alleged Kaspersky situation is just one \nbattle in a larger war. You know, imagine if cyber attacks \naugment rhetorical propaganda attacks that seek to influence \nthe American people\'s attitudes on Ukraine or Syria or U.S. \ninvolvement in the NATO alliance. You can see how the ability \nof the internet to penetrate, to get to every single \nindividual, and the ability of the Russians to take advantage \nof the enormity of the marketing data created by Facebook so \nthey can tailor propaganda messages to individuals, it\'s \nsomething--we\'ve never seen anything on that scale.\n    Mr. Perlmutter. Thank you. And I yield back.\n    Chairman LaHood. Thank you. Next yield to the gentleman \nfrom South Carolina, Mr. Norman.\n    Mr. Norman. Thank you, Mr. Chairman.\n    You know, as we in Congress hear your testimony and look \nback over the facts and what you\'re discussing, you know, I \nlooked at your bios. You\'ve each got, if you combine it, over \n100 years in this area, so you\'re experts in what you do. As--\nif we look back over the time frame, Kaspersky didn\'t come up \njust recently, did it? When did--Ms. 
Manfra, when did this--the \nidea of having a problem with the product come up?\n    Ms. Manfra. When I first became engaged was around 2014----\n    Mr. Norman. Okay. So this President has been here for nine \nmonths, so it\'s prior to this President coming into office----\n    Ms. Manfra. Yes, sir.\n    Mr. Norman. --the issue came up.\n    Ms. Manfra. Yes, sir.\n    Mr. Norman. Now, you mentioned--Chairman Smith mentioned \nthe ULA agreements. Are you familiar with those?\n    Ms. Manfra. Yes, sir.\n    Mr. Norman. Walk me through the process for approving a ULA \nagreement.\n    Ms. Manfra. It\'s somewhat dependent on the agency, but \ngenerically, when a company decides to procure a certain \nsoftware, they would receive what the company would like that \nend user license agreement to look like. In some cases we can \nnegotiate some differences. Generally, we don\'t, but that is \nagain a generic sort of process, so each agency might have \ndifferent implementation.\n    Mr. Norman. So how many sets of eyes would look on a--would \nread a ULA agreement?\n    Ms. Manfra. Ideally, you would have a legal review--well, \nyou would absolutely have a legal review. You would also have \nthe procurement officials involved, and ideally, you would also \nhave the mission owners, and then you would have those \nindividuals that are responsible for authorizing that network \nto operate and whatever software goes on that----\n    Mr. Norman. So a lot of eyes go on it and detail people \nthat know or experienced in reading them.\n    Ms. Manfra. Yes, sir.\n    Mr. Norman. And you say--I think your testimony was there\'s \nno abnormality in the ULA agreements that were signed?\n    Ms. Manfra. No, sir.\n    Mr. Norman. Okay. Is it normal to agree to binding \narbitration and no trial by jury? Is it normal to give access \nto all data, microphones, and cameras? Is that part of--is that \nboilerplate language that each agency would agree to?\n    Ms. Manfra. 
Sir, I can\'t comment on what each agency \nboilerplate language is, but access to much of your computer \nsystem is often required for antivirus systems and security \nsoftware, which was one of the reasons that we looked to \nunderstand how that data will be used and ensure we have a \ntrusted relationship with that provider.\n    Mr. Norman. Well, I guess my question is do you--is it to \nwaive a trial by jury?\n    Ms. Manfra. That, sir, I would have to get back to on as to \nwhether that was common practice.\n    Mr. Norman. Well, we have testimony by Mr. Newman that was \nan abnormality, that that was agreed to by somebody, somewhere, \nsome agency.\n    Ms. Manfra. It seems unusual, sir.\n    Mr. Norman. Okay. If--and you don\'t know which agency--your \ntestimony was this agreement was reviewed by experts in the \nfield, by a lot of different agencies. Now, if that\'s not a \nroutine clause, who would have put that in there?\n    Ms. Manfra. Sir, I\'d have to understand the details of what \nthe testimony is that you\'re referring to, the expert \ntestimony, and we can get back to you with details on what \nmight be unusual that that gentleman is referring to.\n    Mr. Norman. Okay. If you could get that in writing----\n    Ms. Manfra. Yes, sir.\n    Mr. Norman. --to all of the members--anybody here that \nwould be interested in seeing it. I think all of us would.\n    Ms. Manfra. Yes, sir.\n    Mr. Norman. The exact language that was agreed to, any \nabnormality that was not normal----\n    Ms. Manfra. Yes, sir.\n    Mr. Norman. --if you could highlight that, and then give us \nnames of the different--I\'m sure there are lawyers within the \nagencies that would agree that looked at this--give us some \nnames of who looked at this ULA agreement.\n    Ms. Manfra. I will do my best, sir.\n    Mr. Norman. I yield back.\n    Chairman LaHood. Thank you. I now yield to Mr.--the \ngentleman from Georgia, Mr. Loudermilk.\n    Mr. Loudermilk. Well, Thank you, Mr. 
Chairman.\n    Ms. Wynn, in 2013 the Science Committee staff emailed the \nlegislative affair teams at NASA to ensure that Kaspersky Lab \nwas not being used on any NASA systems. Do you have any record \nof that request?\n    Ms. Wynn. No, sir, I\'m not aware of that request, but I can \ncertainly check on the record status within NASA. I didn\'t join \nNASA until 2015.\n    Mr. Loudermilk. Okay. If you would and get back to the \nCommittee on that, I\'d appreciate it.\n    Today, you testified that Kaspersky Lab products were \nidentified on a small number of machines that had access to the \nNASA internal network. Is that correct?\n    Ms. Wynn. Yes, that\'s correct.\n    Mr. Loudermilk. Okay. What was the time frame that \nKaspersky was present on the NASA systems? Was it after 2013?\n    Ms. Wynn. We discovered between 2013 and the assurances \nthat we did in recent past that there had been Kaspersky on the \nnetwork. Our belief is that it was part of either a larger \nprocurement or bundled within a series of software that then, \nbecause our tools are getting smarter, able for us to identify \nit and go ahead and get that removed.\n    Mr. Loudermilk. Okay. So some of it may have been software \nbundled on a computer that was purchased?\n    Ms. Wynn. It could have been within a computer that was \npurchased or within a package of software that was put on the \nnetwork.\n    Mr. Loudermilk. Can you tell us why it was not remedied \nearlier and disclosed to the Committee as part of the response \nto the Chairman\'s July 27 letter to all departments and \nagencies?\n    Ms. Wynn. So at NASA we\'ve been working very hard to deploy \nthe continuous diagnostic and mitigation tools which allow us \nto have absolute insights to every single part of NASA\'s IT \ninfrastructure, which is over 160,000 components. 
Prior to the \nCDM coming on board, NASA\'s ability to take a look at its \nentire footprint was fragmented and therefore pulling together \nand synthesizing an entire picture was very, very difficult to \ndo that.\n    Mr. Loudermilk. Okay. Ms. Manfra, on October 10 the New \nYork Times reported additional details regarding hackers \nworking for the Russian Government stealing details about the \nNSA\'s cyber capabilities from a contractor who had stored the \ninformation on his home computer. I think everyone is aware of \nthat report. These new revelations were that Israeli \nintelligence uncovered the breach and the Russian hackers\' use \nof Kaspersky software. The article details that ``Israeli \nintelligence officers informed NASA that in the course of their \nKaspersky hack, they uncovered evidence that Russian Government \nhackers were using Kaspersky\'s access to aggressively scan for \nAmerican Government classified program.\'\' This thing reads like \na Clancy novel, spies spying on spies. But in your opinion \nwould this be considered concrete evidence that Kaspersky Lab \nhas ties to the Russian Government?\n    Ms. Manfra. Sir, I can\'t make a judgment based off of a \npress reporting, but I understand the allegations outlined in \nthat report, and should those be true, I would say that that \nwas evidence, yes, sir.\n    Mr. Loudermilk. So if the intelligence community were to \nverify this, then you would agree that that\'s concrete evidence \nthere\'s ties?\n    Ms. Manfra. Yes.\n    Mr. Loudermilk. Okay. Thank you for your candor there. If \nthis happened in 2014 and the NSA was alerted immediately, why \ndid it take until 2017 for action to take place to secure our \nsystems by removing the software?\n    Ms. Manfra. Sir, the binding operational directive was just \nthe latest in a series of actions that we have been taking \nwithin the government over the past few years to address this. 
\nWe had been briefing at a classified level across the federal \ngovernment, as well as critical infrastructure, as well as--as \nmuch unclassified information as we can share. I was not \nsatisfied with the progress, and so we looked for other avenues \nto escalate to ensure that we had full removal across the \nfederal government.\n    Mr. Loudermilk. But it took three years to really take \naction once this was known?\n    Ms. Manfra. Sir, we--this is a more recent authority that \nwe were given. It is just, again, one of the tools that we had. \nWe were exhausting all of the tools through information-sharing \nmechanisms throughout, again, the government and others, and \nthis was just one of the public tools that we took to remove \nthe----\n    Mr. Loudermilk. Okay.\n    Ms. Manfra. --software.\n    Mr. Loudermilk. Dr. Jacobson, in a recent interview with \nReuters, Mr. Kaspersky admitted his company widely used \nantivirus software to copy files from personal computers, files \nthat did not pose a threat to the personal computers of those \ncustomers. I worked 30 years in the IT business. I did not know \nthis as being a standard practice. Is this typical of industry \nto copy files that are known not to be threats?\n    Dr. Jacobson. Congressman, I don\'t know. I don\'t have that \nsort of expertise. However, what I will say is that I stopped \nusing Kaspersky years ago just because of the first sets--this \nhas to be maybe four, five years ago--because there were a \nnumber of articles in trade journals that suggested that they \njust didn\'t have the types of standards that you want if you\'re \na home computer user so--but beyond that, I can\'t answer your \nquestion.\n    Mr. Loudermilk. Ms. Miller, is there any other antivirus \nsoftware that you know that would copy files not known to be \nthreats?\n    Ms. Miller. None that I\'m----\n    Mr. Loudermilk. Okay.\n    Ms. Miller. None that I\'m aware of, sir.\n    Mr. Loudermilk. All right. 
Thank you.\n    Ms. Manfra, last question. Would you review--would a review \nof Kaspersky\'s Lab source code, as recently offered by the CEO \nof Kaspersky, help alleviate concerns or is this merely a \npublicity stunt?\n    Ms. Manfra. Sir, I have heard the offer to review the \nsource code, and while we would welcome opportunity to hear \nfrom Kaspersky on what potential new information and \nmitigations they could put in place, the source code review \nwould not be sufficient in my opinion.\n    Mr. Loudermilk. Okay. Thank you. Mr. Chairman, I yield \nback.\n    Chairman LaHood. Thank you. I have a few additional \nquestions here to ask.\n    Ms. Miller, you commented earlier that the Department of \nDefense at some point made a determination based on \nintelligence that you were not going to engage with Kaspersky \nproducts. Is that correct?\n    Ms. Miller. Yes, sir, based on threat information and other \nintel feeds that we had.\n    Chairman LaHood. In that threat information and concerns, \nwas that information relayed to DHS or other agencies?\n    Ms. Miller. I\'m not aware--not sure, sir. I would have to \nconfirm.\n    Chairman LaHood. And do you know why that information \nwouldn\'t have been relayed? Are you saying it could have been \nrelayed and you\'re not aware of it?\n    Ms. Miller. It could have been relayed and I\'m not aware of \nit. I would have to confirm.\n    Chairman LaHood. Okay. And how long will it take you to \nconfirm that and get that back to the committee on that?\n    Ms. Miller. We can do that within the next day or so, sir.\n    Chairman LaHood. Okay. Ms. Manfra, are you aware of the \nintelligence information that DOD relied upon when they made \nthe decision not to engage with Kaspersky products?\n    Ms. Manfra. I believe I\'m aware of the same information, \nsir, yes.\n    Chairman LaHood. And when did you become aware or when did \nthe Department become aware?\n    Ms. Manfra. 
I would have to get back to you on when the \nDepartment became aware. I can tell you that I first became \naware of concerns in the 2014 time frame.\n    Chairman LaHood. And can you tell us why a similar decision \nin 2014 wasn\'t made similar to what DOD did?\n    Ms. Manfra. Some agencies such as the Department of \nHomeland Security did engage in an effort to remove the \nKaspersky software from their systems. What we identified was \nlargely agencies who are more security-focused or had the \nability to receive classified briefings or removing the \nsoftware. Where there was a gap was in the civilian agencies \nthat did not have that infrastructure necessarily in place \nwhere they could rely on classified information to make \nprocurement decisions. So we wanted to provide further \ndirection across the civilian government for them to be able to \nmake the same choices based off of the risk management \ndecisions that we had made.\n    Chairman LaHood. Ms. Manfra, does the September 2, 2017, \ndirective apply to federal contractors?\n    Ms. Manfra. Yes, sir.\n    Chairman LaHood. Okay. And to your--can you give us an \nupdate or where is it at? Have all federal contractors been \ncompliant? Where is that at in terms of your follow-up with \nthem and how do you keep track of that?\n    Ms. Manfra. We have a couple of different mechanisms to \nkeep track. Every agency is responsible for defining what \ncontractors constitute their federal information system and \nreporting that up to us. What we see is what the agencies \nreport to us. We also, as I mentioned, have sensors deployed \nboth internal to agency networks as well as at the perimeter \nthat can identify what agencies may be calling out to Kaspersky \nIP addresses so that that would indicate that they probably \nhave it on their systems as well. So we\'re looking at a variety \nof different avenues to identify whether they have it. 
And that \nwould include a contractor system if they identify it to us. \nHowever, it is up to the agency to identify that contractor \nsystem to us.\n    Chairman LaHood. And do you feel like you have full \nknowledge of all the contractors that the different agencies \nengaged with?\n    Ms. Manfra. I do not--I could not say that I have full \nknowledge of all the contractors that agencies engage with. I \ncan say that for all of the largest agencies I feel very \nconfident that they have done an assessment of not only the \ninternal government-owned and -operated networks as well--but \nas well as the contractor-owned or -operated networks and \nsystems. But there--to say that I have full insight into every \ncontractor that the civilian government uses, I probably do not \nhave that right now.\n    Chairman LaHood. Ms. Miller, in previous testimony before \nthis committee, cybersecurity experts stated, quote, ``The \nFederal Government should take the lead on developing a trusted \nvendor list that provides guidance on approved cybersecurity \nvendors with a secure supply chain that agencies can have \nconfidence in,\'\' unquote. In your opinion, how would the \nfederal government go about establishing such a trusted vendor \nlist? And what agencies should lead the federal government\'s \neffort to do so?\n    Ms. Miller. Sir, I\'ll start with the second question. I\'m \nnot sure what agency I would recommend leading it, but I think \nwe have a responsibility as we work with our vendors to ensure \nwe have supply chain management processes in place to evaluate \nwhat they\'re bringing to us. 
We\'ve established relationships \nwith DIA and the--what--I can\'t think of the acronym right \nnow--that give us an opportunity to identify critical \ncomponents where supply chain managements are of real concern \nand put processes in place to help us avoid any risk introduced \nby our industry partners.\n    At the same time, we have had very strong conversations \nwith members of the defense industrial base to make sure they \nunderstand risk associated with use of the Kaspersky products, \nand the Defense Security Service has directed all of them to \nremove the products for any--especially of our classified \nsystems. And we\'re working with our unclassified--or our \nvendors in the unclassified arena now with the Defense Federal \nAcquisition Regulation clause that we\'ve put in place to help \nthem not only understand the risk but to understand the \nproducts that they\'re using and their responsibility to protect \ngovernment information and the government network as they \nrelate to mission operations.\n    Chairman LaHood. Thank you. That\'s all my time.\n    Mr. Perlmutter, I recognize you for additional questions.\n    Mr. Perlmutter. Just a couple questions about Kaspersky, \nand this is to the whole panel.\n    In October 2015 the U.S. subsidiary of Kaspersky Lab, which \nis called Kaspersky Government Security Solutions, paid \nPresident Trump\'s former National Security Advisor Lieutenant \nGeneral Michael Flynn $11,250 for a speaking fee. So just to \nthe panel I would ask, are you aware of anybody from your \nagencies speaking at any Kaspersky conferences not for payment \nbut just as one of their speakers? And what is it again, Dr. \nJacobson, that we\'re worried about to have a guy like Michael \nFlynn speaking at a Kaspersky conference? Some open-ended \nquestions, start with you, Ms. Manfra. Do you know if anybody \nfrom GSA or your agency has spoken at any Kaspersky \nconferences?\n    Ms. Manfra. 
Sir, we have not done a thorough review of speaking \nengagements at Kaspersky-sponsored events. I can say that we--\nthe guidance to my workforce is to not engage with Kaspersky-\nsponsored events.\n    Mr. Perlmutter. Ms. Wynn?\n    Ms. Wynn. I am not aware of anyone speaking at a Kaspersky-\nsponsored conference, and I would say that there is a thorough \nvetting review by our Office of General Counsel with respect to \nany speaking engagements of NASA personnel.\n    Mr. Perlmutter. Ms. Miller?\n    Ms. Miller. Sir, same with DOD. We go through a rigorous \nreview with the general counsel before we approve speaking \nengagements, and to my knowledge, we\'ve not had any DOD \nemployees speak at a Kaspersky event.\n    Mr. Perlmutter. Dr. Jacobson?\n    Dr. Jacobson. Can I provide you a very unsatisfying answer? \nYou know, I don\'t know the specifics of that case, but I think \nthis is exactly why we need to understand that the Russians are \ngoing to continue to try and find key influencers, whether in \ngovernment or in the media space or amongst the public, to help \nthem with their information or disinformation campaigns in the \nUnited States. I mean, all foreign governments try and \ninfluence the United States. That\'s why we have laws that \nregulate the level of transparency there.\n    But let me also state that this is why I think there\'s a \ngreat opportunity for a bipartisan sponsored commission like \nthe 9/11-style commission, the Iraq study group, or the \nAfghanistan study group to really look forward and see how do \nwe combat information campaigns or disinformation, whether it\'s \nRussian, Chinese, or terrorist networks in the future? And that \nwould be a last point in terms of urging what the committee and \nCongress overall could do.\n    Mr. Perlmutter. 
Well, and to that point, again, sort of \nlooking for these different crevices or potential vulnerable \nspots, in December 2016 Kaspersky Lab awarded $18,000 in \nfunding to three universities to help identify and--to help \ndevelop identity and verification methodologies for secure \nonline voting systems. So, you know, obviously, they\'re looking \nfor different places to take advantage of, you know, America \nand an open--pretty open system that we have.\n    Just curious, if you were at DHS, Ms. Manfra, if you were \nadvising these universities, what would you advise them about \nspeaking and taking money from Kaspersky Lab? It\'s a very \nhypothetical question and it calls for speculation on your \npart, but I\'m still going to ask it.\n    Ms. Manfra. Yes, sir. I can\'t presume to advise a \nuniversity on what money they might take or engagements they \nmight speak at, but I would encourage them to ensure that they \nconsider the risk associated with those interactions as a part \nof their engagement and their funding.\n    Mr. Perlmutter. Dr. Jacobson?\n    Dr. Jacobson. Well, I\'m definitely not speaking for \nGeorgetown University here, but I was thinking of three things. \nIf I was asked today whether I would advise a university on \nthat, I would think about three things: one, politically, it \nwould be absolutely unacceptable to do given what\'s going on \nwith Kaspersky and the allegations in the committee right now; \nsecond, from a public relations perspective, it would be a \nreally bad idea; and third, there\'s prudence. We know in the \nuniversity and think tank world there\'s certain countries and \ncertain companies you just really think twice about taking \nmoney from, and again, if someone asked me, I would recommend \nthey not take it today.\n    Mr. Perlmutter. Okay. I yield back.\n    Chairman LaHood. Thank you, Mr. Perlmutter.\n    That concludes our questions today. 
I would just advise \nthat the Committee--the Oversight Subcommittee on this is going \nto continue to monitor this situation, and as the directive \ncontinues to get implemented, we look forward to continuing to \nwork with you on this issue. It\'s important that we as a \ncommittee and subcommittee stay engaged on this, and we\'ll look \nforward to the next phase of our hearing series on this and \nlook forward to continuing to work with you.\n    With that, our hearing is concluded. Thank you.\n    [Whereupon, at 11:53 a.m., the Subcommittee was adjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n\n                              Appendix II\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n                   \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                 [all]\n</pre></body></html>\n'