[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




 
                   U.S. CYBER DIPLOMACY IN AN ERA OF 
                            GROWING THREATS

=======================================================================

                                HEARING

                               BEFORE THE

                      COMMITTEE ON FOREIGN AFFAIRS
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 6, 2018

                               __________

                           Serial No. 115-106

                               __________

        Printed for the use of the Committee on Foreign Affairs
        
        
        
        
        
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]        


        


Available via the World Wide Web: http://www.foreignaffairs.house.gov/ 
                                  or 
                       http://www.gpo.gov/fdsys/

                                 ______                     
                                 
                                                                 
                 U.S. GOVERNMENT PUBLISHING OFFICE
                   
 28-539 PDF               WASHINGTON : 2018       
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001                                      
                                 
                                 
                                 
                                 
                                 
                                 
                      COMMITTEE ON FOREIGN AFFAIRS

                 EDWARD R. ROYCE, California, Chairman
CHRISTOPHER H. SMITH, New Jersey     ELIOT L. ENGEL, New York
ILEANA ROS-LEHTINEN, Florida         BRAD SHERMAN, California
DANA ROHRABACHER, California         GREGORY W. MEEKS, New York
STEVE CHABOT, Ohio                   ALBIO SIRES, New Jersey
JOE WILSON, South Carolina           GERALD E. CONNOLLY, Virginia
MICHAEL T. McCAUL, Texas             THEODORE E. DEUTCH, Florida
TED POE, Texas                       KAREN BASS, California
DARRELL E. ISSA, California          WILLIAM R. KEATING, Massachusetts
TOM MARINO, Pennsylvania             DAVID N. CICILLINE, Rhode Island
MO BROOKS, Alabama                   AMI BERA, California
PAUL COOK, California                LOIS FRANKEL, Florida
SCOTT PERRY, Pennsylvania            TULSI GABBARD, Hawaii
RON DeSANTIS, Florida                JOAQUIN CASTRO, Texas
MARK MEADOWS, North Carolina         ROBIN L. KELLY, Illinois
TED S. YOHO, Florida                 BRENDAN F. BOYLE, Pennsylvania
ADAM KINZINGER, Illinois             DINA TITUS, Nevada
LEE M. ZELDIN, New York              NORMA J. TORRES, California
DANIEL M. DONOVAN, Jr., New York     BRADLEY SCOTT SCHNEIDER, Illinois
F. JAMES SENSENBRENNER, Jr.,         THOMAS R. SUOZZI, New York
    Wisconsin                        ADRIANO ESPAILLAT, New York
ANN WAGNER, Missouri                 TED LIEU, California
BRIAN J. MAST, Florida
FRANCIS ROONEY, Florida
BRIAN K. FITZPATRICK, Pennsylvania
THOMAS A. GARRETT, Jr., Virginia
JOHN R. CURTIS, Utah

     Amy Porter, Chief of Staff      Thomas Sheehy, Staff Director

               Jason Steinbaum, Democratic Staff Director
               
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               WITNESSES

Mr. Christopher Painter, commissioner, Global Commission for the 
  Stability of Cyberspace (former Coordinator for Cyber Issues, 
  U.S. Department of State)......................................     4
Mr. John Miller, vice president for global policy and law, 
  CYbersecurity, and privacy, Information Technology Industry 
  Council........................................................    17
Michael Sulmeyer, Ph.D., director, Cyber Security Project, Belfer 
  Center for Science and International Affairs, John F. Kennedy 
  School of Government, Harvard University (former Director for 
  Plans and Operations for Cyber Policy, Office of the Secretary 
  of Defense, U.S. Department of Defense)........................    35

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Mr. Christopher Painter: Prepared statement......................     7
Mr. John Miller: Prepared statement..............................    19
Michael Sulmeyer, Ph.D.: Prepared statement......................    37

                                APPENDIX

Hearing notice...................................................    74
Hearing minutes..................................................    75
The Honorable Edward R. Royce, a Representative in Congress from 
  the State of California, and chairman, Committee on Foreign 
  Affairs: Material submitted for the record.....................    77
The Honorable Gerald E. Connolly, a Representative in Congress 
  from the Commonwealth of Virginia: Prepared statement..........    83
Written responses from the witnesses to questions submitted for 
  the record by the Honorable Ted Lieu, a Representative in 
  Congress from the State of California..........................    85


           U.S. CYBER DIPLOMACY IN AN ERA OF GROWING THREATS

                              ----------                              


                       TUESDAY, FEBRUARY 6, 2018

                       House of Representatives,

                     Committee on Foreign Affairs,

                            Washington, DC.

    The committee met, pursuant to notice, at 10:09 a.m. in 
room 2172, Rayburn, House Office Building, Hon. Ed Royce 
(chairman of the committee) presiding.
    Chairman Royce. We will call the hearing to order and ask 
all the members to take their seats. This is on U.S. cyber 
diplomacy. Cyberattacks and commercial espionage and ransomware 
used by foreign governments, used by terrorists, used by 
criminals, are a serious threat to our U.S. national security. 
They are also a threat to our economic interests around the 
globe, of course.
    As the intelligence community made clear in the 2017 
Worldwide Threat Assessment:

        ``Our adversaries are becoming more adept at using 
        cyberspace to threaten our interests and advance their 
        own. And despite improving our cyber defenses, nearly 
        all information, communication networks, and systems 
        will be at risk for years.''

    Cyber threats have, of course, real-world impact. And in 
2015, Chinese hackers stole the personnel files of 20 million 
current and former Federal employees in a massive data breach. 
And last year, North Korean hackers crippled hospitals in the 
United Kingdom, and they also halted international shipping in 
India. Russia exploits cyberspace to attack its neighbors, 
including Estonia and Ukraine, and to attempt to undermine 
Western democracies, including the United States. Yes, our 
military does have some very unique offensive and defensive 
capabilities in cyberspace, and other agencies to protect our 
critical infrastructure have as well. But it is our diplomats 
who work with our allies and partners to develop a common 
response to these threats, and they do that while engaging our 
adversaries to make clear that cyberattacks resulting in real-
world consequences will be viewed by us as a use of force.
    The importance of the State Department's work cannot be 
understated. Indeed, the Department's role becomes essential 
when you consider that it is not just computer networks and 
infrastructure that the United States needs to protect. The 
open nature of the Internet is increasingly under assault by 
authoritarian regimes, regimes like China, that aggressively 
promote a vision of cyber sovereignty. And this vision 
emphasizes State control over cyberspace. This, obviously, 
could lead to a totalitarian dystopia. It obviously runs 
counter to American values of individual and economic liberty. 
And we know what that could mean, for example, to the people of 
China or other countries.
    We saw this recently in Iran. We saw the regime shut down 
mobile Internet access, and saw them block and pressure 
companies to cut off social media tools that were used by the 
people of Iran to organize themselves and to publicize protests 
among the people of Iran. Authoritarian regimes would love to 
globalize this censorship. And that is the goal here, to 
globalize censorship. That is the kind of censorship they have 
long-imposed at home, and they would like to entice and empower 
authoritarian regimes around the world to do the same thing.
    So it falls to our diplomats to help ensure the world 
rejects this limited version of cyberspace and that the 
American vision of an open, secure, innovative Internet wins 
out over George Orwell's premonitions.
    Coordination among allies is critical in response to 
different undertakings of privacy between--and understandings 
between the United States and Europe. The State Department will 
work with the Department of Commerce to successfully negotiate 
the EU-U.S. privacy shield framework. And this ensures the data 
and business continues to flow across the Atlantic. And just 
yesterday, this House passed a bill strengthening our cyber 
coordination with Ukraine. But there is much more to be done.
    And that is why last month, the House passed the Cyber 
Diplomacy Act. This bill, which I introduced, ensures that the 
State Department has a senior diplomat charged with leading 
this effort that brings together our security, human rights, 
and economic priorities. And I am encouraged to hear that the 
administration has heard our concerns and is working to elevate 
this position.
    So today, we are joined by three experts with experience in 
cyber diplomacy, technology, and defense, including the 
Department's former Coordinator for Cyber Issues.
    We look forward to discussing how Congress can best support 
strong cyber diplomacy. And with that, I turn to our ranking 
member, Mr. Engel, for his opening statement.
    Mr. Engel. Thank you, Mr. Chairman, for convening this 
hearing. And to our witnesses, welcome to the Foreign Affairs 
Committee. I look forward to hearing your thoughts on how the 
United States should improve its cybersecurity policy and 
address the cyber threats we face from overseas.
    America's adversaries are becoming bolder and more 
sophisticated as they pursue their aims in cyberspace. This is 
a challenge for our technology community, a new frontier for 
our diplomats, and a threat to our security. It is also an 
economic hazard with American businesses standing to lose out 
in the face of hostile and unscrupulous behavior in cyberspace. 
Iran's attacks on America's infrastructure, including a dam 
near my district in New York, and North Korea's attack on the 
entertainment sector underscored troubling vulnerabilities to 
this sort of tactic.
    We reached a 2015 agreement with China to prevent cyber 
theft of intellectual property. But Beijing still exerts more 
and more state control over the Internet, denying its citizens 
basic freedoms and hurting American business. The United States 
is not working closely enough with like-minded governments to 
deter adversaries from stealing secrets or undermining an open 
and interoperable Internet. And, of course, Russia's 
cyberattacks were the centerpiece of its attack on American 
democracy during the 2016 Presidential election.
    On this last point, frankly, I am stunned by the 
administration's utter failure to respond to these attacks. 
More than a year has gone by since the intelligence community 
revealed the extent of Russian meddling. Congress 
overwhelmingly passed new sanctions, new legislation to give 
the White House tools to punish those responsible. The law 
singles out those responsible for cyber crimes. It goes after 
the military and intelligence sectors that drove this attack. 
Yet the Trump administration has not imposed a single sanction 
related to election interference mandated by the law. The 
decision to completely ignore Congress' intent and blow up last 
week's deadline for new sanctions has made that much worse by 
what administration officials themselves admit, and that is, 
Russia is at it again.
    The CIA Director, a former Member of Congress, a former 
colleague, Mike Pompeo, has said so repeatedly, which calls 
into question the State Department's claim that just a threat 
of sanctions alone will deter bad behavior. I am at a loss. We 
are talking about the bedrock of American democracy, and the 
administration seems intent on signaling to Russia and the rest 
of the world that it is open season. Between the President's 
constant denial of Russia's involvement and his constant 
attacks on our own justice system, you would almost conclude 
that he would be fine with a repeat of what we saw in 2016. 
Well, I am not fine with it. The President won't take steps to 
protect American democracy. It falls to us as lawmakers.
    Last year I introduced a bill with Mr. Connolly, the SECURE 
Our Democracy Act, which would specifically go after those who 
interfere with an American election from overseas. When we 
passed the sanctions package last summer, we put this bill 
aside because we thought the President would use the tools we 
gave him to push back against Russian aggression. He didn't, so 
now I think it is time to reconsider this measure or something 
similar.
    Responding to Russia is just one piece of the puzzle when 
it comes to our cyber policy. I also think we need to reverse 
course on the administration's relentless assault on our 
diplomacy and development. Mr. Painter, I am sorry that you 
were one casualty of the administration's attempt to hollow out 
the State Department when you were forced out of your role as 
Coordinator for Cyber Issues. This was a major blow to American 
leadership at a time when your expertise was needed the most. I 
was speaking with Mr. Keating just before, and we were 
lamenting about the fact about how the administration has 
really not sent us the witnesses that we really feel that we 
could use so they could give us the perspective from the 
executive branch.
    So I was glad to join Chairman Royce to introduce the Cyber 
Diplomacy Act, which would reinstate and elevate the position, 
your position, Mr. Painter. It passed the House a few weeks 
ago, and I hope the Senate acts on it soon. And I hope it sends 
a message to the administration that we need to ramp up our 
diplomacy on cyber, not scale it back. We need to engage with 
friendly governments facing the same threats. We need to push 
back against countries that will exploit these tools to pilfer 
our intellectual property to hack into our country's most 
sensitive information and to derail international norms to keep 
the Internet open and accessible.
    So I hope that our witnesses can shed additional light on 
these concerns and share with this committee their views on how 
the United States can lead on this issue.
    So I thank you again, Mr. Chairman, and I yield back.
    Chairman Royce. Thank you, Mr. Engel.
    So this morning we are pleased to be joined by a 
distinguished panel, including Mr. Chris Painter. As you 
mentioned, he serves as the Global Commissioner for the 
Stability of Cyberspace, and previously was the first 
Coordinator for Cyber Issues at the State Department. We also 
have John Miller, Vice President for Global Policy and Law, 
Cybersecurity, and Privacy at the Information Technology 
Industry Council. And we have Dr. Michael Sulmeyer, Belfer 
Center's Cybersecurity Project Director at the Harvard Kennedy 
School. Previously, he served as the Director for Plans and 
Operations for Cyber Policy in the Office of the Secretary of 
Defense.
    So without objection, the witnesses' full prepared 
statements are going to be made part of the record, and all the 
members here, you are going to have 5 calendar days to submit 
any other statements or questions or extraneous material that 
you want in the record.
    We have been informed that votes may come earlier this 
morning than we anticipated, so we want as many members as 
possible to have a chance to ask their questions. And to that 
end, members and witnesses, please respect the 5-minute time 
limit.
    So if you would, Mr. Painter, if you could summarize your 
remarks, we will begin with you.

  STATEMENT OF MR. CHRISTOPHER PAINTER, COMMISSIONER, GLOBAL 
COMMISSION FOR THE STABILITY OF CYBERSPACE (FORMER COORDINATOR 
          FOR CYBER ISSUES, U.S. DEPARTMENT OF STATE)

    Mr. Painter. Chairman Royce, Ranking Member Engel, members 
of the House Foreign Affairs Committee, it is a pleasure to be 
here today to discuss the growing technical and policy threats 
in cyberspace and the vital role of diplomacy in combating 
those threats and shaping an international environment that 
promotes an open, interoperable, secure, and reliable 
information infrastructure.
    For over 26 years, I have devoted my life to these issues 
serving in senior roles in the Department of Justice, the 
National Security Council, and, most recently, as the first 
Coordinator for Cyber Issues at the State Department. I 
continue to work on these issues after leaving government, 
including serving as a Commissioner on the Global Commission 
for the Stability of Cyberspace, and a board member for the 
Center for Internet Security.
    Over the course of my career, I have seen the technical 
threats in cyberspace posed by state and non-state actors 
dramatically increase in both sophistication and number, and 
have seen the potential and actual impact of those threats grow 
exponentially. I have also seen the rise of serious policy 
threats to the very nature, structure, and governance of the 
Internet as we know it. Unprecedented attempts to undermine 
democratic processes, threats posed to economic prosperity, and 
the increasing drive by repressive regimes to suppress and 
control online discourse and undermine Internet freedom.
    It is clear that responding to cyber threats and seizing 
the many opportunities in cyberspace requires a whole-of-
government response leveraging the capabilities of agencies 
across the Federal Government in working with the private 
sector and civil society. It is also clear, given the 
international nature of the threats and the technology itself, 
that the State Department must play a leading role in that 
effort, and that effective cyber diplomacy is paramount.
    The United States has provided significant leadership in 
this area in the past. Indeed, my former office, the Office of 
the Coordinator for Cyber Issues, the first of its kind 
anywhere in the world, literally created and advanced a whole 
new area of foreign policy focus that simply did not exist 
before, and made substantial progress in the number of policy 
and operational fronts.
    Over 25 countries have followed our example by establishing 
high level positions in their foreign ministries. For the U.S. 
to continue to lead as it must, cyber issues must be re-
prioritized and appropriately resourced at the State 
Department. Among other things, effective cyber diplomacy 
involves, one, building strategic partnerships with other 
countries around the world and engaging the many, many 
multilateral forms that are shaping cyber policy; two, using 
diplomacy and diplomatic tools to directly respond to cyber 
threats; and, three, working with other agencies to facilitate 
law enforcement and technical cooperation and provide capacity 
building so other countries can better work with us.
    On a policy level, one of the most important issues is 
avoiding cyber conflict by building a global consensus on a 
framework for long-term cyber stability. My former office 
spearheaded this frame comprised of the application of 
international law to cyberspace, acceptance of voluntary norms 
of state behavior, and implementation of confidence building 
measures. It also includes working with the private sector in 
civil society on these issues. For example, the Global 
Commission that I serve on recently proposed a new 
multistakeholder developed norm, entitled ``A Call to Protect 
the Public Core of the Internet.''
    U.S. work on stability is also the foundation of using 
diplomatic and other tools and partnerships to better deter bad 
actors. Norms of behaviors are irrelevant if there are no 
consequences for those who violate those norms. For example, 
the lack of a sufficiently strong, timely, and continuing 
response to Russian interference with our electoral process 
virtually guarantees that they will attempt to interfere again, 
both in the U.S. and other democracies around the world. We 
must do better.
    And finally, cyber diplomacy involves promoting core 
values, such as Internet freedom and fair market access.
    My former office made a great deal of progress in all these 
issues, but a tremendous amount of work lies ahead, and 
sustained high-level diplomatic leadership is required. I was, 
therefore, disappointed that the State Department, even if 
temporarily, chose to downgrade my former office and constrict 
its resources. This sends the wrong message to our adversaries 
and allies alike. For the U.S. to lead and continue to make 
significant progress in cyber diplomacy, organizational 
structure and resources are important. Accordingly, I am 
pleased that this committee proposed, and the House of 
Representatives passed, the bipartisan Cyber Diplomacy Act of 
2017. Over my career, I have found that these issues have 
almost always been treated in a bipartisan manner, and I am 
very happy to see that reflected in this important legislation. 
The Cyber Diplomacy Act appropriately makes clear that 
international cyber issues are a national policy priority, it 
calls out the importance of norms and stability, and, 
importantly, the Act sets out a strong and appropriate 
organizational structure for these issues of the State 
Department.
    By creating a statutory office of cyber issues with a broad 
scope of cross-cutting substantiative responsibilities at a 
high level, and reporting through a neutral cross-cutting 
reporting chain, they can give full voice to the important 
security issues as well as human rights and economic ones. Of 
course, as I noted, adequate resources are also important to 
the success of this mission, and I hope Congress will address 
this very important issue in the future.
    Although much has been achieved over the last few years in 
cyber diplomacy, there is a long road ahead. Much needs to be 
done to continue to advance stability, norms, bolster 
deterrence, respond to threats, build partnerships, uphold 
human rights online, and advance fair economic access and 
prosperity.
    So I thank you for your interest and support of diplomacy 
in cyberspace. And I thank you for the opportunity to testify 
today on these important and timely issues, and I look forward 
to your questions.
    [The prepared statement of Mr. Painter follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
      
                              ----------                              

    Chairman Royce. Mr. Miller.

STATEMENT OF MR. JOHN MILLER, VICE PRESIDENT FOR GLOBAL POLICY 
  AND LAW, CYBERSECURITY, AND PRIVACY, INFORMATION TECHNOLOGY 
                        INDUSTRY COUNCIL

    Mr. Miller. Chairman Royce, Ranking Member Engel, and 
distinguished members of the committee, on behalf of the 
Information Technology Industry Council, or ITI, thank you for 
the opportunity to testify today regarding the importance of 
U.S. cyber diplomacy in a world of growing threats.
    ITI is a global policy advocacy organization representing 
over 60 leading technology and innovation companies from all 
corners of the tech sector and beyond, all doing business 
globally.
    As we survey the global the cyber policy landscape, we see 
a remarkable level of activity signifying both opportunity and 
risk. A central element of ITI's global advocacy efforts 
involves helping governments understand the critical importance 
of cross-border data flows to the tech sector and the global 
economy. Data is central to the cutting-edge technologies and 
innovations that continue to extend the benefits of the 
Internet, including cloud computing, the Internet of Things, 
big data analytics, and artificial intelligence.
    The ability to freely move data across borders is 
essential, not only to every business that operates 
internationally, but also to our ability to do everything from 
securing global networks and the personal data of customers to 
conducting international trade.
    Unfortunately, policymakers globally are responding to the 
expanding sophistication and capabilities of cyber adversaries, 
as well as more frequent and severe cyber incidents, by 
building virtual cyber policy walls at their borders, by 
proposing cyber laws and policies that threaten to impede 
cross-border data flows, create trade barriers for U.S. 
companies, and undermine the trust and interoperability 
necessary for the global digital economy to continue to thrive.
    The trends we are most concerned about fall into four 
categories: One, forced localization, which refers to a broad 
set of policies designed to compel companies to relocate all or 
part of their business operations within a country's borders, 
including storing or processing data on servers or data centers 
located in-country as a precondition for market access; two, 
siloed or country-specific standards and regulations, such as 
privacy-based transfer restrictions, or security-based testing 
requirements which pose significant risk to interoperability 
and data flows; three, efforts by policymakers to impose 
cybersecurity audit assessment and testing requirements on 
private entities, a potentially invasive practice that 
contemplates testing conducted by government auditors, often 
requiring access to companies' intellectual property; and four, 
the application of legacy regulations to technology and 
services innovations.
    Two recent examples of this rising trend include subjecting 
U.S. online services to so-called over-the-top regulations, and 
expanding use of export controls, most notably in the context 
of innovative cybersecurity technologies.
    It is also important to understand that our global cyber 
policy threats aren't isolated to a few countries, regions, or 
economies; they are everywhere. It has been well-documented 
that some countries, such as China and Russia, are taking 
approaches that incorporate many of these troubling cyber 
policy trends. But it is also critical to understand that 
policymakers in major economies, including the European Union, 
India, Brazil, and many others, are pursuing similar policies.
    Now for the good news. On balance, recent cyber policy 
activity in the U.S. embraces an approach that furthers global 
data flows, interoperability, innovation, and trust, avoiding 
many of these policy pitfalls. The Cyber Diplomacy Act of 2017 
recounts many of these cyber policy achievements, as did Mr. 
Painter. And to that list, we would add the Cybersecurity 
Threat Information Sharing Act passed by Congress in 2016, as 
well as the cybersecurity framework, a voluntary risk 
management-based framework grounded in international standards 
and best practices.
    The Cyber Diplomacy Act will complement these efforts well 
and provides a great encapsulation of the types of 
international cyber policy approaches needed to support an 
open, interoperable, and secure Internet that promotes data 
flows, innovation, and economic prosperity. The bill provides a 
roadmap for how the U.S. Government can translate this 
expression of policy into action, including by securing and 
implementing commitments based on accepted cyber policy norms, 
holding the counter parties to those agreements accountable for 
their implementation, and prioritizing and resourcing the State 
Department's cyber function to maximize success.
    To complement the Cyber Diplomacy Act's solid foundation, 
we offer three additional recommendations designed to help the 
U.S. Government maintain its leadership position in cyberspace, 
while avoiding the potential that China's cybersecurity law 
emerges as the dominant approach to cyber policy in the region, 
or even globally.
    First, to counter the trend of various countries 
increasingly advocating for their own local standards, testing 
protocols, and certifications, the U.S. needs a proactive and 
adequately resourced national cyber standardization strategy.
    Second, promoting the cybersecurity framework approach 
internationally as a counterweight to the data-restrictive 
policy approaches gaining prominence globally can help the U.S. 
sustain its leadership position on cybersecurity policy around 
the world.
    And third, pursuing multilateral solutions in parallel with 
bilateral agreements can be an important force multiplier to 
drive scalable policy solutions across the digital economy.
    We look forward to the opportunity to continue to work with 
Congress and the administration on this important set of 
issues. Thank you, again, for the opportunity to share our 
perspective, and I look forward to your questions.
    [The prepared statement of Mr. Miller follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
      
                              ----------                              

    Chairman Royce. Thank you, Mr. Miller.
    Dr. Sulmeyer.

STATEMENT OF MICHAEL SULMEYER, PH.D., DIRECTOR, CYBER SECURITY 
 PROJECT, BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS, 
   JOHN F. KENNEDY SCHOOL OF GOVERNMENT, HARVARD UNIVERSITY 
  (FORMER DIRECTOR FOR PLANS AND OPERATIONS FOR CYBER POLICY, 
OFFICE OF THE SECRETARY OF DEFENSE, U.S. DEPARTMENT OF DEFENSE)

    Mr. Sulmeyer. Chairman Royce, Ranking Member Engel, and 
distinguished members of the Foreign Affairs Committee, it is 
an honor to be with you today to discuss U.S. cyber diplomacy. 
Thank you for bipartisan approach to cybersecurity. I will keep 
my remarks brief. Three topics to focus on: The first, the 
international environment for cyber diplomacy; the second, the 
challenges of deterrence; and third, our elections.
    First, we need diplomacy in cyberspace now more than ever. 
Our adversaries continue to refine their capabilities to 
conduct a range of cyber operations against us. We have 
developed offensive cyber capabilities and hardened our 
defenses, yet hackers keep hacking our systems.
    Under Chris Painter's leadership, the State Department 
pursued international efforts to promote norms of responsible 
State behavior. This effort gained momentum, especially during 
the latter years of the Obama administration, as did efforts to 
negotiate bilateral arrangements, like the U.S.-China 
agreement. The current administration has, thus far, for 
pursued more bilateral arrangements, like the one it announced 
with Israel last summer. Yet, my impression is that most state 
behavior, not state rhetoric, reflects a perception in 
international capitals that the benefits of unrestrained 
hacking outweigh the costs.
    For the time being, the United States will likely need to 
focus on discrete, bilateral arrangements, while protecting 
U.S. interests and existing international institutions. Having 
a dedicated office at the State Department is crucial to 
pursuing both objectives. But for diplomacy to be successful, 
the United States needs to empower its diplomats with as much 
leverage as possible. One approach to creating more leverage is 
to improve our ability to deter adversaries from hacking us. In 
an ideal world, it would be a tremendous help if these threats 
could be deterred by one common approach. But the reality is 
far more complicated. Not all hacks are the same, so we should 
not expect a one-size-fits-all model of deterrence to be 
successful.
    Attacks against critical infrastructure certainly warrant 
the threat of significant cost imposition. In some situations, 
however, deterrence in the criminal law context, which aims to 
minimize but not necessarily eliminate the incidence of the 
crime, seems more applicable, especially to run-of-the-mill 
hacking, than an analogy to nuclear weapons. I would not want 
to bet the cybersecurity of the United States on a policy of 
deterrence if I did not have to. Sometimes, like the prospect 
of defending against thousands of nuclear-tipped missiles, 
deterrence is the least bad option. But this is not the case in 
cyberspace. We have other options, and we should employ them 
alongside deterrence. But we must be realistic about just how 
much we can expect from deterrence.
    So what does this mean when it comes to dealing with 
Russia, which launched a cyber-enabled influence campaign 
against us in 2016? Deterring a repeat of this conduct must be 
a priority for the entire U.S. Government, and indeed for all 
nations whose elections are susceptible to Russian 
interference. The need to impose cost is clear. But the 
challenge is to impose it in ways that matter to the Russian 
regime, not in ways that are projections of what would matter 
to the United States.
    However, we cannot rely on deterrence alone. We need to 
ensure that the United States has capabilities on the shelf to 
prevent and preempt this kind of behavior ahead of the 
midterms, and we must make ourselves harder to hack through 
improving our defenses and becoming more resilient.
    I am proud to be part of a team at the Belfer Center that 
is releasing a new report this morning, a playbook for State 
and local officials to improve the cybersecurity of the systems 
they administer. It represents the culmination of months of 
fieldwork by the research team including some exceptionally 
talented students which developed recommendations to prepare 
for the upcoming elections. We also have a playbook to help 
campaigns protect themselves from hackers. Both reports can be 
helpful for our allies as well who face similar threats. Both 
are available on our Web site.
    There is every indication that foreign governments will try 
to sow confusion ahead of and during the next election. This 
should be of concern to every American, regardless of party. 
Improving the cybersecurity of campaigns as well as at the 
State and local level, both at home and abroad, needs to be a 
core element of a broader strategy to push back against our 
adversaries who seek to undermine the confidence we have in the 
integrity of our elections.
    Let me conclude my opening remarks by reiterating my 
appreciation for this committee's bipartisan approach. I look 
forward to taking your questions.
    [The prepared statement of Mr. Sulmeyer follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
                              ----------                              

    Chairman Royce. Thank you.
    Thank you. Let me just begin by saying what we in the House 
have advocated here in the legislation that we passed that I 
authored, along with Mr. Engel, has been to call for a Cyber 
Diplomacy Act, I think, is unique. We are not simply asking the 
Department to maintain the cyber coordinator. What we are 
asking for here is the creation of a cyber bureau headed by the 
Senate-confirmed Assistant Secretary, and the Bureau and its 
leaders, then, are empowered, as they must be, are empowered to 
deal with a full range of cyber issues, including security, 
including economy, including human rights. So that is the 
approach the House is taking, and the Senate has been receptive 
to that idea.
    So let me go with my question here, Mr. Painter, if I 
could, or Mr. Miller.
    So China has emerged as a very aggressive power in 
cyberspace. And in addition to China's articulation of this 
idea of cyber sovereignty, Beijing is now aggressively pushing 
U.S. companies to turn over its technological know-how as the 
cost of assessing China's enormous market. Obviously, it is in 
both our national security and economic interest to respond to 
this technology grab there, and one proposal is to strengthen 
CFIUS, the Committee on Foreign Investment in the United 
States. This committee is looking at a complementary approach 
of strengthening our export controls in tandem.
    So, Mr. Miller, if I could start with you. How does the 
technology industry see this threat, since they have got the 
most to lose here, and how can Congress best respond?
    Mr. Miller. Thank you for your question, Chairman Royce.
    Well, in terms of the threat, the technology industry has 
been consistent in advocating against any policies globally 
that would require companies to turn over or provide access to 
source code to governments anywhere. So, it is certainly very 
concerning indeed.
    You referenced the efforts that are underway to update, 
modernize the CFIUS process. In terms of the underlying 
national security concerns that are articulated in that bill 
with respect to the transfers of technologies that are critical 
to U.S. national security interests, you know, absolutely, the 
tech sector agrees that that is a serious concern. As you 
pointed out, it is highlighted in some of these approaches. You 
know, the question is whether the bill is narrowly tailored to 
address that goal, or whether it sweeps in all kinds of 
ordinary business transactions that do not involve the transfer 
of critical technology, or whether it involves--it might sweep 
in transactions that are already adequately covered or should 
be adequately covered by the export control regime.
    From our perspective, what we are working to ensure is an 
approach that addresses the underlying national security 
concerns in a targeted fashion without negatively impacting 
those daily business transactions or creating kind of a 
parallel duplicative export control regime. From our 
perspective, ultimately export controls and CFIUS should work 
in a complementary, not a duplicative fashion. And we believe 
there is a way to both update and optimize the current export 
control system to cover emerging technologies, for instance, 
and also to update CFIUS in a targeted way that makes sense and 
helps supplement that.
    Chairman Royce. Well, let me ask Mr. Painter, also, his 
views on this.
    Mr. Painter. Yeah. I think it is clear that China has 
become much more aggressive on the world stage. Among other 
things, one of the counterparts I had that was created after 
our office was created was China. China and Russia created 
counterparts. And they have their own international strategy 
they put out about a year ago which champions this idea of 
absolute sovereignty. And they also, as you noted, had been 
passing laws in the guise of cybersecurity that are often more 
about market protection. It is a difficult issue because I 
think one of the things that we have seen is they become active 
in working diplomatically with other countries and trying to, 
quite frankly, build alliances with a developing world and 
others to really further their own view of cyberspace.
    On the company side, we have made some progress. As you 
know, the agreement with China not to steal intellectual 
property by cyber means, that was a landmark agreement. It took 
a while to get us there and a lot of pressure to get us there. 
That was very helpful.
    Chairman Royce. How about on the enforcement side of that?
    Mr. Painter. Well, I--no. I think what we said then, and 
we--and this is still the policy as far as I know now, is all 
tools are on the table. We didn't take anything off the table 
to get that agreement. And sanctions and other tools are there, 
and we have to think of other tools still.
    I do worry that, you know, when I see U.S. companies faced 
with this, and I have dealt with a number of them, they are 
often unwilling individually to express these issues because 
they are concerned about the market issues in China. Trade 
associations, ITI and others, I think, have been very good 
interlocutors about this. But that is one of the issues.
    The other thing I worry about is even if you look at CFIUS 
and other types of legislation, which are not exactly tailored 
to this problem, there are things that China is doing in terms 
of joint ventures and other things that really don't fall 
within that rubric. So how do you really address this problem 
in a broader sense? And I think it takes looking at a lot of 
different tools including----
    Chairman Royce. And that is why we will be consultation 
with you on the export controls and on the----
    Let's go to Dr. Sulmeyer.
    Do you have any insights that you could share with us on 
this?
    Mr. Sulmeyer. On this particular topic, I agree with my 
colleagues, but would emphasize the need to strengthen CFIUS. I 
think that is a critical priority.
    Chairman Royce. Very good.
    We go to Mr. Engel.
    Mr. Engel. Thank you, Mr. Chairman.
    First, quickly, I would like to start by asking all of our 
witnesses just a quick yes or no to set the record straight. We 
can start with Mr. Painter.
    Do any of you have any reason to doubt the intelligence 
community's assessment that Russia interfered to influence our 
2016 election?
    Mr. Painter. None whatsoever.
    Mr. Miller. No.
    Mr. Sulmeyer. Nope.
    Mr. Engel. Thank you.
    Dr. Sulmeyer, the intelligence community reported that the 
Kremlin interfered to aid Donald Trump and damage Hillary 
Clinton's candidacy. The Trump administration's CIA Director 
said that the Russians have been doing this in other countries 
for years, and will do so again during our next election.
    What is Russia's overall goal with this interference? What 
should the United States do that it is not doing to become more 
resilient and prepare itself for another round of Putin's 
election interference?
    Mr. Sulmeyer. Thank you. It is an important question, and 
it is a good baseline way to express first that these Russian 
activities form a broader part of a strategy that are not 
limited to cyberspace. They are operating in areas below what 
we would think of as war, but it is certainly not peace. And 
they are very active and have no shame in what they are willing 
to do and the tactics they are willing to employ in the so-
called gray zones.
    I think you can discern sometimes three different motives 
at times: One is very straightforward traditional espionage 
collection in ways to help military and intelligence goals. We 
have seen that against the United States in many different 
situations against government networks; two, the spread of, and 
sometimes, also, manufacture of disinformation. Here the 
objective being the creation of chaos and confusion that 
undermines their opponent's ability to actually discern the 
truth. It is not just hacking. It is not just a cyber question. 
It is the knowing introduction of false and fake information at 
the right times, at the right place, on the right topics, to 
make it so that it becomes much more difficult to get to the 
bottom of what is going on. The example you can easily point to 
is the shoot-down of the aircraft over Ukraine, and the 
disinformation put out there.
    The third topic I will just hit briefly is the increasing 
desire on the part of the Russians to hold targets at risk. And 
this is about being able to affect and manipulate critical 
infrastructure targets when tensions get hot. And the example 
here would be taking out power in the Ukraine for a little 
while a couple years ago. We want to make sure that does not 
happen here, not at all.
    Mr. Engel. Thank you.
    Mr. Painter, I was disappointed when I heard that the 
administration downgraded the State Department cyber diplomacy 
office. Hopefully, the Cyber Diplomacy Act will elevate this 
office again. In the meantime, what do you think downgrading 
this office will mean for American leadership on cybersecurity 
and other critical issues?
    Mr. Painter. So I very much hope that the trend reverses. I 
think we had built up a lot of momentum, and especially, we are 
in the midst of it, an Executive order on cyber dealing with 
diplomacy and other issues, and we had established a leadership 
position in the world, I think even if it was for a temporary 
period, stepping--or seeming to stepping back from the world 
stage really empowers our adversaries to try to exploit that 
and work to advance their agenda, and really gives our allies 
and partners a reason to question whether the U.S. is going to 
continue to lead and continue to prioritize these issues.
    So I think that that was just not the right approach. I 
very much hope that between the act and other activities that 
we can elevate this again at the State Department. I think it 
is a key 21st century issue, and I hope that happens.
    And if there is time, Congressman, I also would like to 
address the question that you just asked Mr. Sulmeyer, too, in 
terms of some of the things we can being doing. I agree we have 
not done enough to deter this activity. This will, in fact, 
happen again, as was stated by the Director of National 
Intelligence in both administrations, including Mike Pompeo 
recently. There is a number of things I think we can do 
actively, including having a clear declarative statement that 
this is something that we will not countenance. There will be 
consequences for this activity coming from the administration.
    I think you could set up, and this is not my ideas, but 
talking to a lot of people in the community, including a lot of 
former government people and present ones, but we could set up 
a task force that will really deal with protecting our 
elections, knowing this is going to happen in 2018 and beyond 
that would involve dealing with social media and others, a real 
interagency task force that would be focused on this issue. I 
think we can enhance our deterrence tools. I think we do a bad 
job in deterrence, as I said before, across the board.
    And then finally, I think there is a number of pieces of 
legislation, both in the Senate and the House side, that can 
give us greater tools to protect election systems. And there is 
a lot more that can be done there.
    Mr. Engel. Mr. Painter, I want to ask you one final 
question.
    As I mentioned in my statement, the President has refused, 
in my opinion, to hold Russia accountable for election 
interference. He has refused to impose sanctions, which clearly 
was in the legislation that we passed with over 400 votes on 
the House floor. So he has refused to impose sanctions or 
intensify efforts to prevent Putin from trying to undermine our 
next election.
    Let me ask you this: What do you think the President should 
do in response to this last attack on our democracy and what 
message does our lack of action send?
    Mr. Painter. I outlined some of this just now, but I would 
say that in deterrence, the classic parts of deterrence, other 
than the deterrence by denial, is that you have a credible 
response and you have a timely response. And consequences are 
important.
    When I was a prosecutor, if we didn't prosecute people, 
they would be running around doing crimes every day, right? So 
you need to have consequences for bad actors, both to deter 
them and as a consequence of their actions. And if we don't 
take any action, that, itself, sets a norm of inaction. That 
makes the activity they are doing seem acceptable. And they 
will do it again. And I think it is very likely they will.
    So given all that, I think we need to really use all the 
tools in our tool kit, including sanctions, to continue to send 
a clear message this is unacceptable. This was a very, very big 
deal. This is trying to undermine our democracy. Whatever side 
of the political spectrum you are on, this is a huge deal in 
the U.S. and around the world, and we have got to do everything 
we can to try to thwart it. And I think if you don't do actions 
and--to be sure, you can think of how you are strategically 
going to approach it. But if you don't do actions, that sends a 
clear message, Hey, this is okay. Or at least, Hey, this is a 
costless enterprise.
    Mr. Engel. Thank you. I couldn't agree with you more.
    Thank you.
    Chairman Royce. Mr. Dana Rohrabacher.
    Mr. Rohrabacher. Thank you very much, Mr. Chairman, and 
thank you for providing leadership in this area, making sure we 
have a hearing and to a very important issue.
    It is easy to see that we live in a different world than I 
grew up in. There was no Internet, and when people wanted to 
sabotage someone else's campaign, they didn't have to go onto 
the Internet or use cyber warfare in order to do it. But now we 
know that we have this vehicle. We are dependent on the 
Internet to do business. And when we talk about cyberattacks, 
we are talking about sometimes sabotaging someone, a system, so 
they can't work, or we are talking about the theft of 
information. And I don't know, frankly, these things were done 
beforehand, but now we have a new threat, a new challenge, 
because we have a new technology vehicle.
    Mr. Miller, you just, in passing, noted that India and 
China and other countries beside Russia are engaged in this 
type of activity.
    Mr. Miller. Sure. Thank you for the question Representative 
Rohrabacher.
    There are actually--if you look at some of the problematic 
policy provisions that I mentioned at the outset broadly, 
forced localization types of policies and requiring companies 
to store their data in-country, or you look at some of the 
potential requests for security testing to be conducted by 
government auditors, those types of proposals do exist in India 
specifically.
    Mr. Rohrabacher. So we have a lot of hacking going on----
    Mr. Miller. Right.
    Mr. Rohrabacher [continuing]. In this arena, not just in 
Russia, but throughout the world.
    By the way, does our Government engage in using the 
Internet to place false stories about people we consider our 
adversaries?
    Mr. Miller. I really have no personal knowledge of what the 
government is doing in that regard.
    Mr. Rohrabacher. What about you? Does the United States do 
this?
    Mr. Sulmeyer. I have no direct knowledge of that.
    Mr. Rohrabacher. Oh, so we don't know. We know all about 
the Russians doing it, but we don't know if our own Government 
does the same thing?
    I would suggest that maybe our Government does the same 
thing quite often, and having direct knowledge of several 
instances of that.
    Now, with that said, let me just ask this----
    Mr. Deutch. Will the gentleman yield for a second?
    Mr. Rohrabacher. You know, I can't do it, because I have 
limited time. But I will be happy to have the discussion with 
you on your time.
    Mr. Deutch. I appreciate that.
    Mr. Rohrabacher. Let me ask you this: We have heard about 
the Russians today. The most important issue that came out of 
this whole, how do you say--this episode in American democracy 
was that the Russians had hacked into our systems and 
interfered with our election, and you all agreed that there was 
something to that.
    The most important example of that was, that we could all 
understand, is that they hacked into the Democratic National 
Committee and got out all of those emails and made public what 
was in those emails. So the public had this information they 
wouldn't have otherwise had.
    But let me ask you this: From a lot of other experts that I 
have read that they said it was impossible for the Russians to 
have been the ones to have done that, that it was probably done 
by an insider into the DNC, because the thumb drive that--where 
this information was downloaded was downloaded from someone on 
the inside rather than using the Internet, which would have 
taken a lot longer to get that same information.
    Have you read anything about that? You are the experts. Is 
that an analysis that a group of retired intelligence officers 
have claimed is true? Do you think that is true, meaning that 
it was an inside job by what you can see with your expertise 
into cyberattacks?
    Mr. Painter. So I will start by saying that you are right, 
hacking is not new. Influence operations are not new. However--
and even--there was hacking back in 2008 into both the 
Republican and Democratic campaigns.
    Mr. Rohrabacher. You know, I have only got 5 minutes. Do 
you disagree with that?
    Mr. Painter. The difference then was it was used to gather 
intelligence and not weaponized to try to affect our elections. 
You know, there are lots of----
    Mr. Rohrabacher. I have got to ask you about this--look. I 
am sorry. But it is my time right now. They are not going to 
give me 1 extra minute to get your answer.
    Mr. Chairman, I ask unanimous consent for 1 extra minute to 
get them to answer.
    Chairman Royce. No objection.
    Mr. Rohrabacher. All right.
    Mr. Chairman, I think it is appalling--I think that type of 
camaraderie is appalling when we have a witness that is 
refusing to go to----
    Chairman Royce. Okay. We go to Mr. Albio Sires of New 
Jersey.
    Mr. Sires. Thank you, Mr. Chairman. And thank you for being 
here today.
    You know, I am one of those guys that is on a different 
scale here. I think that while we sleep, countries like Russia, 
China, North Korea, and Iran are plotting how to undermine this 
country. Especially Russia. So has America really woken up to 
the fact that this is a real danger to our country, or do we 
still need to go a little ways more to recognize how dangerous 
this is to our country?
    Mr. Painter.
    Mr. Painter. So, yes, I think we have not gone far enough. 
I think it should have been a wake-up call. There has been a 
lot of wake-up calls we have seen from a lot of different 
threats. The Sony Pictures hack by North Korea, some of the big 
data thefts. And the effect on our election. I think we need to 
have a sustained focus on this. This is not a blip. This is 
going to be repeated in the future. And so we absolutely have 
to sustain the focus on this in the future.
    Mr. Sires. Mr. Miller.
    Mr. Miller. I agree that absolutely we need more focus on, 
really, the full spectrum of cyber-related threats out there. 
We have certainly heard a lot already today about many of the 
very high profile hacks. And it is very important, a couple of 
features of those that have been pointed out already, you do 
have increasingly sophisticated threats and threat actors, 
including nation states increasingly involved in this activity. 
And then even when we do have bilateral agreements in some 
instances to not do a specific thing like hack for commercial 
purposes, the reality is, all these other cyber policies that 
are problematic that we have been talking about can really 
cause some of the very same issues, for instance, by just 
requiring companies to turn over source code or things like 
that. So it is a problem that we have to magnify.
    Mr. Sires. Mr. Sulmeyer.
    Mr. Sulmeyer. Yes, sir. It should be a wake-up call, not 
just about cyber operations and cybersecurity, but also about 
these information operations and the knowing introduction of 
fake and false information. Others tend to view that as a full 
spectrum activity to do in war and peace. We tend to think 
about information operations more in a wartime context. That is 
an important difference we should be conscientious of. Thank 
you.
    Mr. Sires. And in terms of places like Russia, they have 
become so sophisticated that they don't have to have their 
imprint in there, but they use hackers and criminal networks. 
Is that accurate?
    Mr. Painter. Yeah. I mean, I think one of the concerns we 
have had for a long time is not just state actors on their own, 
but state actors using proxies. And they do that because it is 
more difficult to trace it to them, more difficult to attribute 
to them. That is a real concern as well. And so as we look at 
the spectrum of different threats, and it is the Annual Threat 
Report, in 2017 and also in many years before that, Russia, 
China North Korea, and Iran have been the key threat state 
actors, and Russia has been one of the most sophisticated.
    Mr. Sires. How do we respond to that?
    Mr. Sulmeyer, how do----
    Mr. Sulmeyer. Gone are the days when the non-state actors 
were less capable. Non-state actors can be just as capable now 
as state actors. So the distinction in my mind is now moot.
    In a number of situations, we need to hold the state 
accountable because the non-state actor is actually a proxy for 
the state. And when our Justice Department indicted several 
Russian criminals for the hack on Yahoo, there is a lot of good 
information in that indictment about that situation.
    Mr. Sires. So that tells me that diplomacy--they can easily 
get around that, whatever arrangements we make.
    Mr. Painter. No. I mean, diplomacy is one of the tools in 
our tool set. I absolutely agree that law enforcement and 
stronger enforcement and giving the tools for that is 
important. That is what I used to do in one part of my career. 
Diplomacy is pressing not just the state that is responsible, 
but other states who are similarly victims of this conduct, to 
take action against a state that is doing it. And that is one 
of the things of deterrence we have to be much better at.
    Mr. Sires. Mr. Miller, do you have any response to that?
    Mr. Miller. Well, I think to go back to your previous 
question that I didn't answer about the different types of 
state actors. That is absolutely true that it is not just the 
state-sponsored cyber activities that we need to----
    Mr. Sires. And some states work with these hackers----
    Mr. Miller. Yeah. Yeah. Yeah. Absolutely. I think another 
feature of this problem is that it is also--it is not just 
economic rationales behind the hacking. Increasingly we see 
political or activist types of hacking as well from WikiLeaks, 
for instance, and others. And it is a really--it is a very 
complicated environment in that regard.
    Mr. Sires. My time ran out. Thank you.
    Thank you, Mr. Chairman.
    Chairman Royce. We go to Joe Wilson, South Carolina.
    Mr. Wilson. Thank you, Mr. Chairman. And thank each of you 
for being here today.
    Mr. Painter, in the fiscal year 2017 National Defense 
Authorization Act, Congress expanded the role of the Global 
Engagement Center to include countering foreign, state, and 
unsafe propaganda and disinformation efforts that threaten U.S. 
national security interests as well as the security interest of 
U.S. allied and partner nations.
    With this expanded mission, could you please explain, or 
describe the role of the Global Engagement Center and the 
broader U.S. cyber diplomacy effort?
    Mr. Painter. So the Global Engagement Center was a separate 
part of the State Department from where I was. We did talk to 
the Global Engagement Center. As I said previously, if we are 
really taking this seriously, and we are trying to combat all 
these threats, not just the terrorist threats, but also other 
states who are trying to influence various operations around 
the world, I think the Global Engagement Center can and should 
play an important role. And I think that that legislation helps 
ensure that, if it is properly resourced, if it is properly 
doing all the things it needs to do.
    Mr. Wilson. And that really is the next point. Is there 
more that Congress can do to back up the Center?
    Mr. Painter. I haven't been to the State Department now for 
a few months, so I can't say how it is operating currently. I 
would say that it is an important mission. It has got to be a 
mission that is done strategically. I think one of the problems 
we had in that space is if the government is simply saying it, 
we are not doing the best job, we have to get other 
interlocutors who have more credibility in the community doing 
that. That is one of the things the Global Engagement Center 
has and can continue to do. It is only part of the solution, 
though. We also have to work with social media companies and 
maybe create some sort of task force that I talked about before 
to deal with these issues more generally.
    Mr. Wilson. We look forward to your input.
    And, Mr. Miller, a persistent problem that has presented 
itself in cyberspace is attribution.
    Could you please describe the process of attributing 
malicious activity in cyberspace and the technical and 
political challenges associated with attribution. What are the 
benefits or pitfalls of international attribution organization, 
and would all nations participate?
    Mr. Miller. Thank you for the question, Representative 
Wilson.
    Absolutely, attribution is a really important piece of the 
equation here. I am not a technical expert. But by all 
accounts, we have gotten a lot better collectively at 
attribution in cyberspace. However, at least based on my 
knowledge, it is definitely not--it is still more--it is hard 
to have absolute 100 percent certainty in all cases in terms of 
attribution. As we have been describing, there is a whole host 
of cyber threat actors involved. Oftentimes there are various 
different ways to try to mask an IP address, or what have you, 
on the Internet. But I think your question does highlight the 
need for continuing to share cyber threat information and 
vulnerabilities with our partners and on other information, 
particularly partners internationally to really try to have as 
much information as we can to try to get the best information 
we can about tough issues, such as attribution.
    Mr. Wilson. Thank you.
    And, Dr. Sulmeyer, what is your view about attribution?
    Mr. Sulmeyer. Yes, sir.
    Sophisticated states and companies can and do attribute. 
Just like anything, nothing is perfect. But gone are the days 
when attribution as a sort of bumper sticker--gone are those 
days when attribution was hard to do. It is a complicated 
process. You use all source methods of intelligence. You don't 
just rely on an IP address or cyber technical indicators. You 
throw everything at the book in trying to figure out who did 
it. And the critical part here is that now companies are in the 
mix as well, not just governments. And that muddies the water 
as well as for everyone.
    Mr. Wilson. And, actually, Mr. Miller, you have already hit 
on this. But--and both of you, the potential of Russia and 
China working with us, and, of course, it seems inconceivable, 
but DPRK, any level of attribution from those particular 
countries?
    Mr. Miller. Well, to the extent you are asking about 
attribution from North Korea in particular, as I am sure you 
know, the Department of Homeland Security did, in fact, 
attribute the WannaCry attacks to North Korea right before the 
holidays. And I certainly, as Mr. Sulmeyer says, I think the 
U.S. or any nation state takes great pains before they publicly 
attribute. But when they do, I have a high degree of confidence 
that it is reliable information.
    Mr. Wilson. Again, thank each of you for being here today.
    Thank you, Mr. Chairman.
    Chairman Royce. Thank you, Mr. Wilson.
    Before we go to Congresswoman Karen Bass, I think we want 
her to get her full time, so might I suggest that we can--oh, 
we can go now.
    All right. We go now to you. Afterwards, we will recess 
until the third vote, and come back immediately afterwards. 
Okay?
    Congresswoman Karen Bass.
    Ms. Bass. I appreciate that. Mr. Painter, could you please 
explain why the administration downgraded your office and what 
is the status of the office today?
    Mr. Painter. So I don't know. We had a very good, I think, 
close working relationship with the people at the NSC with Rob 
Joyce, Tom Bossert and others. This is something where we were 
continuing to make progress on these issues.
    Ms. Bass. So what were you told?
    Mr. Painter. I think it was part of a larger reorganization 
where they were trying to get rid of all the special envoys, 
all the direct reports to the Secretary. I think, frankly, 
there was maybe a lack of understanding of the importance of 
this issue and how it fit into the----
    Ms. Bass. Is it staffed today? Does the office exist?
    Mr. Painter. So the office, as I understand it, my old 
office still exists. They have kept it together, which I think 
is critically important.
    Ms. Bass. So who is staffing it?
    Mr. Painter. My former deputy is still there, and several 
of the people who were just a great team are still there, and 
that is important.
    Ms. Bass. So what are they doing?
    Mr. Painter. They are working on some of these issues. They 
are continuing to work on it, however, the level of the person 
who is assigned over there is at a lower level, deputy 
assistant secretary level. He is in an economic reporting 
chain. As important as those issues are, it doesn't give full 
voice to all these other issues around deterrence, around 
incident response.
    Ms. Bass. So what signal do you think that sends, 
especially to Russians and Chinese and other actors?
    Mr. Painter. Look, quite frankly--and I have talked to a 
lot of our allies and others about this--I think it sends a 
message, as I said before, to our adversaries that this is an 
opportunity for them to flex their muscles and try to influence 
even more than they have the international debate. If we are 
not there in a leadership role, if it is a signal that this is 
not as important an issue in the State Department, and----
    Ms. Bass. So if you take that combined with what is going 
on today in terms of the attacks on the FBI and the other 
intelligence agencies, what do you think is happening in 
preparation for our midterm?
    Mr. Painter. I think we need to do everything we can, 
because the Russians will be there. Other actors could be 
there. If the goal is to sow chaos, which I think it is, you 
don't know which party is going to be affected. It is going to 
be something where they are going to come back, they are going 
to try to create chaos.
    Ms. Bass. Do you think they see what is going on here as 
chaos today?
    Mr. Painter. Well, I think what we see is that the people 
that we need to defend those networks, the FBI, who I have 
worked with and have tremendous respect for, the Department of 
Justice, who I used to work for and I have tremendous respect 
for, if we diminish their ability to fight these types of 
issues and our intelligence community that is shooting 
ourselves in the foot. We need to be able to deal with these 
issues.
    Ms. Bass. Do you think we are not vulnerable today in terms 
of the midterm elections?
    Mr. Painter. I can't make an assessment about the midterm 
elections themselves, except for to say if we don't take 
action, if we continue to not make this a high priority issue, 
and not communicate that this is a high priority issue, one 
that is really the top of the agenda and we will take action, 
and I talked about some of the actions we could take, including 
a clear declaratory statement and making sure we take actions--
--
    Ms. Bass. So in addition to a declaratory statement, which 
I don't think we have done, what type of consequences do you 
think would stop, in particular, the Russians?
    Mr. Painter. Look, it is hard to assess, but even if you 
impose consequences on the Russians, whether that will stop 
them, but it will at least make them think twice about it, and 
you can do economic sanctions to even greater ones than we have 
now. You can think about a whole range of options that we have 
in deterrence, not just economic. We can think about, you know, 
other law enforcement options. We can think about other options 
that we can pursue, but we need to be able to communicate that, 
too, saying we will do these things if you take these actions 
to try to make----
    Ms. Bass. And last question. I know we need to go to votes. 
You made specific reference to legislation, and I was wondering 
if you could be more specific than that in terms of what bills 
you were talking about.
    Mr. Painter. I know there are a bunch of bills, there are a 
couple in the House dealing--I think there is one dealing with 
sanctions; there is one with giving more tools to deter actions 
on the Senate side. There is a bill that will help protect 
election systems. So there are a lot of efforts out there. I 
think the most important thing is we make sure that the people 
who are trying to keep this from happening have the tools in 
place, and that we give the resources and ability to help work 
with local and state election officials to up their game and 
have better cybersecurity.
    Ms. Bass. Thank you very much, Mr. Chairman.
    Chairman Royce. Thank you very much, Congresswoman Bass, 
and so at this point we will recess. We will resume immediately 
following the third vote. We stand in recess.
    [Recess.]
    Chairman Royce. If I could have the attention of the 
witnesses and the other members, we are going to reconvene at 
this time, and we will go first to Mr. Ted Yoho of Florida and 
then to Mr. Bill Keating of Massachusetts with their 
questioning.
    Mr. Yoho. Thank you, Mr. Chairman, I appreciate it and I 
appreciate you holding this hearing at this moment. And I think 
this is such a very important topic, the cybersecurity of the 
United States of America and around the world. And I have lost 
my note here. Hang on just a minute. Bear with me.
    Chairman Royce. Well, as you search for that, I have just 
received a letter, if I could.
    Mr. Yoho. Go ahead.
    Chairman Royce. If you could yield me some time----
    Mr. Yoho. Yes, sir.
    Chairman Royce [continuing]. From the Secretary of State 
announcing that the Department is creating a Bureau for 
Cyberspace and Digital Economy headed by an assistant 
secretary. I ask unanimous consent that this be included in the 
record. I think this is a positive step, but we are going to 
continue to work with the Department and continue to work with 
our colleagues over on the Senate side to pass the legislation 
we have passed out of this committee to ensure that this 
assistant secretary of the Bureau is empowered to engage on the 
full range of cyber issues dealing with security and human 
rights and the economy. And with that I would like to yield 
back to the gentleman from Florida.
    Mr. Yoho. Again, thank you, Mr. Chairman. I have been here 
for 6 years, and I remember some of the first meetings we had 
here in this committee. We started talking about a 
cybersecurity policy for the United States, and I found it 
shocking that the United States did not have a definition of 
what a cybersecurity threat was, how it was defined, if it was 
amount of life lost, money lost, or infrastructure shut down, 
like a power grid. And then we didn't have the response for 
that, which I found that much more shocking to allow us to tell 
other nations when they do something, what they can expect from 
us. I am currently working on legislation that would complement 
Chairman Royce's Cyber Diplomacy Act with a deterrent and 
response mechanism.
    One limitation of U.S. cyber deterrence is that the United 
States, as I mentioned, does not have a formal process to name 
and shame perpetrators when they are identifiable. We have seen 
how effective naming and shaming can be in other contexts like 
the Annual Trafficking in Persons Report, or the list of state 
sponsors of terrorism. The goal here is not to shame people, 
but the goal here is to get people to be honest actors in the 
world we live in. And if people don't follow and respect other 
nations' rules and laws, you get a breakdown of society.
    So my question to all three of you is do you think it would 
be helpful to create a designation for known malicious cyber 
actors, or what should a designation process for known 
malicious cyber actors look like? If you guys want to just kind 
of go down the panel, and I have got one more follow-up 
question if I have time.
    Mr. Painter. I think it is an interesting idea. I think 
there are some things you have to be careful about, though. 
Even when the U.S. knows and can attribute the conduct, 
sometimes they want to make that public, and that is useful, as 
we did in the case of North Korea, as we recently did with 
North Korea again, Russia and some others and China. Sometimes 
you don't. Sometimes you want to use it as a tool to then go 
back privately to that country and tell them basically this is 
unacceptable as a predicate to doing more. So that is one 
issue.
    The other issue, I would say, is that if I don't know the 
scope of the naming and shaming you are talking about, if it is 
for non-state actors for, like, criminal activity that is 
coming from their country, one of the challenges there is 
sometimes those countries simply don't have the tools to deal 
with it.
    Mr. Yoho. Let me ask Mr. Miller that, because I think you 
are the one that brought up that a lot of the proxy groups are 
working with state actors, I think that was you.
    Mr. Miller. Yes, sir.
    Mr. Yoho. Your button, please.
    Mr. Miller. Sorry. Yes, sir, I did bring that up. And I 
think I would agree with that. We don't want to look at this 
too narrowly to only focus on the state actors, because they 
are working with a whole variety of others, so, to just amplify 
what Mr. Painter was saying, I think it is definitely an 
interesting idea, but we want to just proceed carefully because 
we don't want to put the focus on one area, and then have 
others kind of running free, if you will, and kind of leading 
to a false sense of security in that regard.
    Mr. Yoho. Right. Dr. Sulmeyer?
    Mr. Sulmeyer. Congressman, I do agree. I find the idea 
interesting. The trick for me would be to balance between 
strategic ambiguity, and when you really want to articulate 
precisely what actions will trigger what responses. It is 
always a balance.
    Mr. Yoho. And I think we need to do that, because right now 
there is not, and so there is so much ambiguity and gray areas 
that the obvious thing that countries are going to do is keep 
expanding that and pushing that. And what sort of consequence 
should the United States impose on groups that have committed 
attributable cyberattacks on the United States? And we already 
talked about the actors that are acting on their behalf. Mr. 
Painter?
    Mr. Painter. We have to have a menu of options. Right now 
we have diplomatic options to bring pressure, not just by us, 
but by our allies and partners; we have economic things, like 
sanctions; we have law enforcement tools; we have cyber 
operational tools, which I think are sometimes often overrated; 
and we have kinetic tools, which we are unlikely to use in a 
cyber event, but----
    Mr. Yoho. Go ahead.
    Mr. Painter. So I think what we need to do is really expand 
our tool set, have more tools, work with partners to bring 
these consequences and do it in a more timely fashion.
    Mr. Yoho. All right. I am out of time, and I thank you 
gentlemen for your patience.
    Chairman Royce. We go to Mr. William Keating of 
Massachusetts.
    Mr. Keating. Thank you, Mr. Chairman. I would like to say 
again, thank our witnesses. It is great to have former 
officials; it is great to have counsels and think tanks; it is 
great to have people from facilities like the JFK School in my 
home State. But I would say, again, it is important to have 
actual members of the Trump administration here. It is 
important for our committee, and I mean that as no criticism to 
you, Mr. Chairman, because I know you have pushed for this, 
too, but the continued lack of having these people here is, at 
best, indifference, worst case, arrogance. So with that, I will 
get the attention of our witnesses and thank them for being 
here once again.
    Mr. Painter, you have said that basically it is irrelevant, 
if I had my notes, what we do without a deterrent response, and 
you said that absent that response virtually it guarantees us a 
recurrence of this behavior, and the norm of inaction is a big 
deal. Now, the fact that we didn't move on the Russian 
sanctions will have an impact in that regard. We can't go back 
at their elections because in Russia, opponents either end up 
imprisoned or poisoned or dead or missing, but in our country, 
we are open to this.
    I was very concerned, you know, with the public information 
that in 29 States it has been reported publicly, that Russians 
were actually in our voting apparatus. Can you tell us beyond 
just the bots and everything they are doing from, you know, to 
really change attitudes and use that kind of propaganda here, 
what about actually being involved in the voting apparatus? 
What dangers does that present? Any of you, but Mr. Painter, 
if, you could start.
    Mr. Painter. It presents a real danger. Now, in some sense, 
the U.S. system has some resiliency because there are so many 
different states and jurisdictions that have their own ways of 
doing voting. On the other hand, you can imagine an attacker 
getting in, either not just changing voting machines, but also, 
doing things with respect to voter rolls and registrations and 
all kinds of other things that could, at the very least, create 
uncertainty and havoc during the election, and that is all you 
need to do, right?
    You don't need to actually change a result. Creating 
uncertainty itself could delegitimize an election. So I think 
that is a huge issue. That is why we need to do everything we 
can also to work with the State and local authorities to 
protect their systems.
    Mr. Keating. Mr. Miller?
    Mr. Miller. Thank you. Yes, I would agree with that. 
Absolutely, on one of the other items. Potential threats to 
voting machines and voting systems highlights is just how, 
frankly, we are living in a world when we talk about the 
Internet of Things and other connected cyber physical devices 
where there are more and more attack vectors that we all need 
to protect both industry and government working together, so 
that further highlights the need for a well-functioning State 
Department, but it is not just the State Department that we are 
talking about here today. It is a bit of a cliche, but cyber is 
a team sport, and the Department of Homeland Security, to their 
credit, has been doing a lot of work on this topic.
    Mr. Keating. Thank you. I am just--on that subject I will 
interrupt, but I know Mr. Sulmeyer, his report is coming out in 
that regard that will be helpful, but you just mentioned 
homeland, and it is a whole of government approach to this. I 
am concerned of the threats to the grid that are there. We 
issued requirements that bolster our nuclear reactors, or 
nuclear power plants to make them stronger, more resilient 
against a cyberattack, yet the NRC alone, in my district, 
waived that requirement.
    Now, don't you think that the NRC by themselves shouldn't 
be in that position? Shouldn't there be, if there is a whole-
of-government approach, shouldn't there be input from the 
Department of Homeland Security, from State, from other 
entities of government?
    Mr. Painter. Look, it is a classic risk management issue, 
right, and that is a high risk, very high impact if things 
happen, and I would say you need to be extraordinarily careful 
in how you do these things. And I think it would benefit from 
the intelligence community, from other communities in our 
Government that can pass on information so that can be a more 
reasoned decision.
    Mr. Keating. I have 30 seconds left, so I couldn't agree 
more. The NRC alone being able to do that without the input of 
our intelligence agencies makes no sense whatsoever, and I 
know, Mr. Sulmeyer, you wanted to get to that other question.
    Mr. Sulmeyer. Well, just to say, I think the principles are 
the same, which is, I don't want to bet the farm or deterrence. 
I would much rather make us much harder to hack and prevent the 
bad guy from being able to act. You can look at our play books 
for State and local officials to do that for elections. We 
should also be having the same facilities you described. Thank 
you.
    Mr. Keating. Thank you. I yield back.
    Chairman Royce. We go to Mr. Tom Garrett of Virginia.
    Mr. Garrett. Thank you, Mr. Chairman. I would ask first, 
Mr. Miller, I presume, sir, you are an attorney?
    Mr. Miller. Yes, sir.
    Mr. Garrett. That is a yes-or-no question. Thank you. I 
don't have a lot of time.
    Let me ask you this, would foreign interference in 
elections be easier if sensitive national security information 
was kept on a private server? That is a yes-or-no question, 
too, sir.
    Mr. Miller. You know, I----
    Mr. Garrett. Yes or no, sir. Mr. Painter, would foreign 
interference in elections be more difficult or less if 
sensitive information was kept on a private server?
    Mr. Painter. It depends on the security of the server.
    Mr. Garrett. Okay. If it were a private server kept in the 
bathroom closet in a Denver loft, might that impact it? Would 
that be a highly secure server based on your training and 
experience? Mr. Sulmeyer, yes or no?
    Mr. Sulmeyer. I'm sorry, it does depend on the security 
setup of each server.
    Mr. Garrett. Okay. You guys are absolutely correct. And it 
shocks me, though, with your amazing credentials that when 
asked, Mr. Miller and Mr. Sulmeyer, if you are familiar with 
the United States interfering in foreign elections that you 
went, ``Oh, I don't know,'' because the United States media has 
covered this extensively. In fact, Nina Agrawal in The Los 
Angeles Times December 21, 2016, wrote a story entitled, ``The 
U.S. is no Stranger to Interfering in the Elections of Other 
Countries.'' Are any of you familiar with the U.S. interfering 
in the elections of other countries via open source 
information? Any of you, yes or no?
    Okay. I am running out of time, gentlemen.
    If someone kept information that was sensitive of a 
national security politically sensitive nature on a private 
server and they were found to have done such acts, would it be 
useful to punish that information to prohibit or prevent that 
sort of behavior in the future?
    Okay. No yes or no answers there?
    Okay. And if you heard that somebody had reached out from 
the United States Senate to a foreign power, say, I don't know, 
the Russians, and said, Will you work with me, I will help you 
get media opportunities, it is important to, and I quote, 
``counter the policies of this administration,'' would that be 
troubling?
    Okay. No answers on that.
    Would it be troubling if a member of this elected body had 
reached out to a foreign government, say, I don't know, the 
Russians, and said it is important to undermine his prospect 
for reelections. I will help you get contacts with the U.S. 
media, would that be troubling?
    No answers.
    Are any of you gentlemen familiar with the story in the 
London papers from 1992 detailing Senator Ted Kennedy's 
reaching out to the Russians to interfere in the 1984 
elections? No? Okay.
    Are any of you familiar with the nuclear freeze movement? 
Any of you? No? Okay.
    Are any of you familiar with the funding mechanisms of the 
nuclear freeze movement and their activities in the United 
States Presidential elections? Would you be shocked to learn 
that the nuclear freeze movement was largely funded by the 
Soviet Union and that they worked against the Reagan elections 
in 1980 and 1984?
    Crickets.
    Mr. Chairman, I will yield back the balance of my time.
    Mr. Rohrabacher. Will the gentleman yield his time to----
    Mr. Garrett. Mr. Chairman, I take that back. I yield the 
balance of my time to my colleague, Mr. Rohrabacher.
    Mr. Rohrabacher. Thank you very much, and let me just note 
for the record, we have witnesses who are unable to give direct 
answers to things as important as this reflects on your 
integrity and--or your knowledge base. I don't know which. We 
will let whoever is looking at this decide.
    Also let me know note that for 30 years, I have never 
turned down a colleague when he asked for an extra minute in a 
situation like we had earlier. That discourtesy is unfortunate, 
Mr. Chairman, as you have tried to develop a bipartisan 
camaraderie here, even when you ask tough questions like what 
we just heard, and I think that should give us all a little 
something to think about.
    Let me note also for the record, Mr. Painter intentionally 
used time that was allocated to finding a truth in order to 
obscure the dissemination of information based on a question by 
a Member of Congress.
    Mr. Cicilline. Mr. Chairman, I would ask that order be 
maintained in this committee that the integrity of these 
witnesses not be impugned, and that Mr. Rohrabacher doesn't 
speak for this committee when he makes that kind of assessment.
    Mr. Garrett. Mr. Chairman, I yielded my time to Mr. 
Rohrabacher, and I would ask that he be granted the time taken 
by this gentleman to whom I did not yield time.
    Chairman Royce. There are 50 seconds remaining in the time.
    Mr. Rohrabacher. I also find it absolutely unforgivable 
that another member would use limited time to interfere with a 
member's right to ask a very pertinent question. Now, and we 
have 30 seconds, so I will ask you the yes-or-no question that 
you refused to answer before. Is it more likely when knowing 
that as has been reported by people who are retired 
intelligence officers, that it is highly unlikely that the 
Russians could have been the ones who hacked into the 
Democratic National Committee and made those emails public, 
that instead, it was highly likely that it was an inside job, 
yes or no?
    Mr. Painter. Sir, I do not accept that.
    Mr. Rohrabacher. Okay. Fine. You won't--what about you?
    Mr. Miller. I am not exactly sure about your question 
honestly.
    Mr. Rohrabacher. Okay. What about you? So we have witnesses 
today who can't say anything that would be damaging to the 
Democratic Party or to one side of this argument. Shame on you.
    Mr. Painter. Sir, to be clear, I am concerned about any 
interference by----
    Mr. Rohrabacher. You do not have the floor.
    Chairman Royce. Time has expired. All time has expired. We 
go now to Mr. David Cicilline of Rhode Island.
    Mr. Cicilline. First of all, I want to apologize to these 
witnesses that you were just subjected to that discourteous 
behavior, and I certainly want to applaud you for your 
integrity, your candor today, your service to our country. And 
I would like to begin, it is one thing to be unwilling to 
respond to foreign interference in our elections in 
cyberattacks in particular, but it is quite another thing to 
speak in a way, and to describe Russian interference in our 
elections as a hoax, as fake news to discredit intelligence 
agencies that have done this work, have fired the FBI Director 
because of the Russia thing.
    So my question is, how does the behavior like that 
undermine our efforts to protect our democracy and protect us 
from these kinds of cyberattacks? Does it enhance it, or does 
it make it more difficult, Mr. Painter?
    Mr. Painter. Look, as I said before, I think we have to be 
very clear that this is a huge issue, and that we are not going 
to countenance this happening again. I think some of the things 
I outlined about what we should be doing about this needs to 
focus on the future, too, because this is going to happen 
again. I think we need to be clear and clear-eyed of how 
important and how big an issue this was and that this is 
something that is not acceptable. The intelligence community 
has concluded this in both administrations.
    Mr. Cicilline. And is it important to have a strong 
declaration from the leader of the country that says this will 
not be tolerated, we will make certain there are consequences 
if you do this again, and create some national commitment to 
protect our democracy and our electoral institutions?
    Mr. Painter. Yes, that is the kind of declaratory statement 
I was talking about earlier.
    Mr. Cicilline. Mr. Miller, do you agree that that is 
necessary?
    Mr. Miller. I think I absolutely agree that the types of 
policies that are expressed in the Cyber Diplomacy Act should 
be loudly broadcast. You know, everything we have been talking 
about, keeping the Internet open and free, secure, et cetera.
    Mr. Cicilline. Dr. Sulmeyer?
    Mr. Sulmeyer. Yes, I agree.
    Mr. Cicilline. Thank you. So with respect to kind of what 
we are doing to respond to this very real threat, CIA Director 
Pompeo said there is no question the Russians are coming back 
in another attempt to interfere with our democratic 
institutions, which, as you say, should not be a Republican or 
Democratic issue, it is an issue that is important to every 
single American in our country.
    When we had the Attorney General before us, he said, and I 
quote, ``I have not followed through to see where we are on 
that,'' referring to an effort to review our practices and our 
policies and legislative infrastructure to support our 
democratic institutions. And he said very candidly, ``Are we at 
the level we need to be at? I don't think so.'' Are you aware 
of any effort underway by our Government, by the 
administration, to prevent a reoccurrence of foreign 
interference by a foreign adversary in our elections in 2018?
    Mr. Painter. I am not aware of any high-level effort. That 
is why I am saying that time is running out, and this is an 
issue that we need to take seriously. And I think there are 
certainly a lot of professionals in the government that are 
looking at this issue with the FBI and the intelligence 
agencies, and really across the government. I think this needs 
to be a top priority.
    Mr. Cicilline. Mr. Miller, are you aware of any high-level 
effort coordinated at the administration to respond to this 
very real threat in the elections which are only 10 months 
away?
    Mr. Miller. It is difficult to comment on the level, per 
se, sir, but I am aware, I do a lot of work with the Department 
of Homeland Security. I do know the Department of Homeland 
Security is very much focused on this threat and working 
operationally, for instance, with the States and others to try 
to help.
    Mr. Painter. And I would agree with that. I have seen that, 
too.
    Mr. Cicilline. Dr. Sulmeyer?
    Mr. Sulmeyer. I would reiterate Mr. Miller's point about 
DHS, but no in a broader national coordinated level, no.
    Mr. Cicilline. And I think I just would like to conclude by 
making reference to what Mr. Keating said. It would be very 
useful to actually hear from administration officials and allow 
the world to hear in a very strong declarative statement, not 
only that they acknowledge that this happened, but their 
commitment to be certain that it never happens again, and that 
they are working in an interagency way to ensure that that 
happens. I would love to hear from members of the 
administration before our committee to actually talk about 
that.
    The final thing I want to ask you about is, we passed the 
Countering America's Adversaries Through Sanctions Act 
recently, and we, of course, learned that the administration 
has failed to implement the sanctions that we imposed as a 
direct result of Russian aggression and Russian interference in 
our elections.
    Some people have tried to explain that away and just said, 
well, just the threat of doing that has been a deterrent, but, 
of course, it was also to punish them for interfering in 
American elections. What is the impact of the failure of the 
administration not to implement these sanctions against Russia, 
both in terms of their behavior and what kind of message it 
sends to the rest of the world?
    Mr. Painter. So I don't discount that the threat could have 
an effect, as it did with the Chinese in bringing them to the 
table. However, this is a huge issue, and the fact that we 
haven't done it yet, and I know there is some confusion about 
whether we will do it in the future, we need to take action. We 
need to make sure there are consequences. Without consequences, 
there is not deterrence, and there is an invitation to do it 
again.
    Mr. Sulmeyer. I would just say it risks emboldening our 
adversaries very much.
    Mr. Cicilline. Thank you.
    Chairman Royce. We go now to Ann Wagner of Missouri.
    Mrs. Wagner. Thank you, Mr. Chairman, for your leadership 
on the issue. I was disturbed last month when China's civil 
aviation regulator demanded an apology from Delta Airline for 
listing Taiwan as a country on the Delta Web site. Also last 
month, China blocked Marriott Web sites and intimidated the 
country into groveling and apologizing for listing both Taiwan 
and Tibet as separate countries. China's actions are egregious 
of violations of basic expressions and speech. They were also 
part of coordinated efforts to undermine regional stability.
    Just a couple weeks ago, China unilaterally announced that 
it would open disputed air routes through the Taiwan Strait. My 
colleagues and I wrote a letter to the Chinese Ambassador 
calling on China to enter into a constructive dialogue with 
Taiwan. It is entirely inappropriate for China to use cyber 
retaliation against American companies to push its political 
agenda and aggression against Taiwan, and the administration 
should be responding to this, I believe, at the highest level.
    Mr. Painter, in 2014, Congress authorized the 
administration to sanction foreign persons that commit cyber 
espionage. What progress has the administration made in 
sanctioning Chinese actors that repeatedly steal American IP?
    Mr. Painter. Thank you for that question. About that same 
time, I think, the administration also came out with an 
Executive order listing sanctions for the first time that would 
apply to cyber activities, a range of cyber activities, 
including the activities you described. And I think that the 
fact that those sanctions were in place were indeed one of the 
things, among others, that drove the Chinese to come to the 
table and after for a long time, saying there was no difference 
between normal intelligence gathering, and taking trade secrets 
to benefit your commercial sector for a long time saying there 
was no difference at all and they didn't do either of them 
saying there was a difference and they agreed not to do the 
latter. And I think that was a landmark thing that was then 
replicated at the G20. Australia has reached an agreement with 
them; Germany has reached an agreement; the U.K. reached an 
agreement, that is important.
    Now, I do agree with you----
    Mrs. Wagner. But what progress has been made, I guess, is 
what I am concerned about, because it is my sense, to be 
perfectly honest, that both the Obama and the Trump 
administrations have kind of shied away from using that 
authority?
    Mr. Painter. Look, I think that has to be a tool in your 
tool kit. And I think you have to be ready and willing to use 
it, and as I said earlier, sanctions were not taken off the 
table when that agreement was reached. If there is a violation, 
if that agreement is violated, that has to be one of the tools 
and should be one of the tools that is used. I would say that 
that sanctions order from back in 2014 or 2013 has been 
underused. I think we need to use that as one of our tools more 
aggressively and in the right circumstances, not just with 
China, but with others, when we see conduct----
    Mrs. Wagner. Thank you.
    Mr. Painter [continuing]. That rises to a certain level.
    Mrs. Wagner. Thank you for that testimony, because I 
believe it has been underutilized also.
    Mr. Miller, 2 years ago Congress created a private right of 
action for victims of trade secret theft in U.S. courts. Have 
companies doing business in China begun taking advantage of 
this cause of action?
    Mr. Miller. Thank you for the question. I am actually 
really not aware of whether or not there have been a number of 
cases filed under that cause of action.
    Mrs. Wagner. I was just wondering if there are examples of 
companies bucking the trend of referring not to report or 
remedy losses?
    Mr. Miller. I do know that certainly, ITI's companies take 
intellectual property rights very seriously and, as I mentioned 
earlier, it is concerning that some of the government policies 
that we see around the globe that put U.S. companies, or any 
company's intellectual property----
    Mrs. Wagner. Relatedly, would you recommend that the 
Department of Justice direct additional resources toward 
prosecuting trade secret theft?
    Mr. Miller. Trade secret theft is--I mean, I think I would, 
yes, sure.
    Mrs. Wagner. Just they put forward this private right of 
action 2 years ago, we did here in Congress, and I just don't 
see it utilized, and I see harm coming to many of our 
companies.
    Mr. Sulmeyer, in my brief time left, I believe that Russia 
issued a requirement that would force companies to submit the 
locations of data centers and servers to Russia's ICT 
regulators. Is this a security concern given that hackers and 
other malintentioned actors might know where to look for 
important data?
    Mr. Sulmeyer. Thank you, Congresswoman. Yes, I do believe 
that would be one among many security concerns that the 
regulators there enforce on companies, yes.
    Mrs. Wagner. Outrageous. Mr. Chairman, I believe my time 
has expired. I yield back.
    Chairman Royce. Joaquin Castro of Texas.
    Mr. Castro. Thank you, Chairman. Mr. Painter, as the 
chairman noted, the State Department just announced it plans to 
establish a new Bureau for Cyberspace and Digital Economy. 
Although elevating the issue of cyber diplomacy is positive, it 
strikes me as odd that the Bureau would report to the Under 
Secretary for Economic Growth, Energy, and the Environment 
rather than the Under Secretary for Political Affairs. Would 
the new Assistant Secretary be able to focus on a full range of 
cybersecurity and other critical issues under this arrangement?
    Mr. Painter. I quite agree with you. I think that that is 
not the ideal arrangement. I think the Under Secretary for 
Economic Affairs, by their title and their responsibilities, 
really has to have that economic perspective. That is an 
important perspective to be sure, but if you look at all these 
issues, as I talked about in my written testimony, that include 
hard issues of security deterrence, incident response, issues 
around cyber operations and military actions in cyberspace, 
that does not fit close to in that substantive rubric. So you 
really need something really broad-based. I think the 
committee's recommendation to be under the Under Secretary of 
Political Affairs makes a lot more sense. It is a neutral 
reporting chain. They can deal with security issues, human 
rights issues that also don't fit.
    There are sometimes conflicts between human rights issues 
and economic issues, for instance, and security issues and 
economic issues. You want a place where you can have full voice 
of all those issues, particularly the security issues that are 
really facing us today. And so I would say that I applaud the 
fact that they have taken action. I think it is great they are 
elevating it. That is exactly what should be done, but it would 
not put it under the Under Secretary for Economic Affairs. I 
would put it, at a minimum, under the Under Secretary for 
Political Affairs, where you can have full force of these 
issues.
    Mr. Castro. No, thank you. And let me ask you three 
gentlemen, whoever wants to answer. Besides sitting on the 
Foreign Affairs Committee, I am also on the Intelligence 
Committee, so as you know, we have had, for over a year now, a 
front row seat in understanding how Russian hacking and basic 
cyber operations has affected our democracy. But the threats, 
as we mentioned in the committee, come not only from them but 
other nations, and non-state actors. So one of the issues that 
I have been working on, and I know others have also, is the 
eventual development of mutual cyber defense treaties.
    Right now, you know, you think about the existence of NATO, 
for example, which mostly involves mutual defense when there is 
a physical intrusion of one country against another. You know, 
in your vision of the future, what is the future for any kind 
of mutual response to cyberattacks and cyber intrusions, if 
there is one?
    Mr. Painter. Look, I think that is paramount actually. I 
think that as we look at sharpening our deterrence tools, one 
of the things we need to do is work with like-minded partners 
who can act together to sanction bad actors in cyberspace, and 
whether it is done by a treaty or it is a loose arrangement, 
which I think might be more flexible and valuable in this case, 
like we did with, for instance, the Proliferation Security 
Initiative, or in money laundering other areas, which I think 
probably may have worked better in the short term; that is 
important. I can also say that some bilateral arrangements, 
like with Australia and others, on larger defense issues, we 
have added cyber to that and said mutual defense treaties with 
those organizations would also involve cyber, and NATO has 
stepped up their game on cyber, including in the last summit, 
declaring it our domain.
    Mr. Sulmeyer. I would just say, I think it is a great idea, 
Congressman, to be pushing those kinds of arrangements. I would 
try to distinguish at times between when the treaty would come 
into effect during a crisis, and in steady state, and I 
wouldn't want to just reserve it for when things get hot. I 
would want to make sure that the information sharing that is 
happening on a steady-state basis, so you never have to really 
invoke the ones in a crisis.
    Mr. Miller. Just to briefly add to those comments of both 
my fellow witnesses, which I agree with, I absolutely think it 
is a good idea. It is clear we need all the tools in the tool 
shed, as Mr. Painter testified earlier, and multilateral 
agreements and vehicles are really important, and, you know, as 
well as the work that has been done in NATO certainly at a 
higher level. There have been some good agreements made in 
these areas at the G7 and G20, and then also, if you look at 
other tools like the Budapest Convention on Cyber Crime, for 
instance, there are ways to work together on these issues.
    Mr. Castro. And it just it strikes me right now as a big 
gap or void in our defense, really, that this is not fully 
fleshed out essentially, that there is no kind of comprehensive 
agreement among friendly nations, at least, or even strong 
bilateral agreements to take--on a mutual cyber response and 
what exactly--when you would respond, and how you would 
respond, whether that involves private companies, for example, 
in the United States. So my time is up, but thank you, 
gentlemen, for your testimony.
    Chairman Royce. If the gentleman would yield, I want to 
make it clear, we passed legislation to direct what Mr. Joaquin 
has suggested here, to direct that change in law and that bill 
is in the Senate, and we are going to continue to engage with 
the Department on who this new Assistant Secretary reports to.
    However, the Department has made clear that this position 
will handle national security issues, so I want to point that 
out, including national security level cyber incidents, and 
promotion and adoption of a national process and programs that 
enable foreign territorial cyber threat detention, prevention, 
and response, and build foreign capacity to protect the global 
network.
    So I think that with respect to the legislation we have 
moved into the Senate, we are starting to see a movement, and I 
especially thank the members of this committee for their 
engagement on this issue here today. We now go to Congresswoman 
Norma Torres of California.
    Mrs. Torres. Thank you, Mr. Chairman, and I want to begin 
by thanking our panelists for being here. Although I wasn't 
here during the earlier discussion, I want to tell you that 
this committee really prides itself from working on a 
bipartisan way, and we often truly enjoy the folks in the 
dialogue we have with our guests, so I apologize. It is not 
reflective of the entire committee. Certainly it is not 
reflective of me, and I am eager to hear your feedback on the 
issues that I am going to cover.
    According to the Freedom House in 2017, freedom on the net 
report, governments around the world have dramatically 
increased their efforts to manipulate information on social 
media. We have seen this in our own hemisphere, Guatemala, for 
example, there are armies of paid trolls who are actually 
working to discredit the fight against corruption in the 
country.
    I don't know if they are tied to the government or not, but 
they are called net centers, and they are working to undermine 
the work that we are doing in that country, and we have 
significant U.S. assistance in that country in the northern 
triangle of Central America. So how do you get more information 
about these net centers and other paid trolls, and how do we 
find out who is actually paying for them? And how do we push 
back on those efforts?
    Mr. Painter. I mean, I think that information involves, for 
instance, working with our posts around the world in those 
countries, and with the intelligence community as well, and the 
law enforcement community. I think the way we push back is--I 
am concerned. I follow Freedom House's reports, and I think 
over time freedom online has been challenged around the world 
and this is a huge issue, and we have seen it by repressive 
regimes and we have seen it increasing in other places, as 
well.
    And so, there are a number of things I think we can do. Our 
democracy and human rights part of the State Department does a 
number of grants around the world to promote freedom online, 
and also to protect dissidents and others and their own 
cybersecurity. There is something called the Freedom Online 
Coalition that the U.S. was a founding member of, which is I 
forget how many states it is now, it is over 30 that are around 
the world who value freedom online and deal with these issues 
and mutually come up with really good policies on these issues, 
and this is an issue I think is ripe for that. They have looked 
at things like network shutdowns and other issues in this 
space.
    So I think we really--and one of the things that we used to 
do in the State Department is that we would raise freedom 
online in all of our bilateral discussions with other 
countries. And we would have these all-of-government 
discussions and I would have someone from our democracy and 
human rights there to talk about these issues. We need to 
continue to do that. This is a big deal. We need to make sure 
security is not used as a proxy by countries to overtake basic 
freedoms like freedom online, so that has to be part of our 
policy.
    Mr. Miller. Thank you, Congresswoman. To that, I would add, 
we have certainly appropriately talked a lot about the security 
policy and security challenges here today, and during this 
hearing. You know, and I think few would question, again, the 
important economic element of a lot of what we are talking 
about here today, particularly cross-border data flows, but I 
think your question highlights another really key element of, 
you know, frankly the Cyber Diplomacy Act, and also what we are 
talking about, which is these norms and values that this 
country supports of a free and open Internet, we have a First 
Amendment, free speech, privacy. All these issues are really 
important as well, and that is why it is so important to have 
the State Department and other U.S. Government entities out 
there internationally trying to influence the rest of the 
global community toward that way of thinking, because it is 
under assault in a lot of different ways.
    Ms. Torres. All right. It is a free and open Internet, and 
we absolutely want to continue to have that, but it is a free 
and open Internet for people, not necessarily for trolls or 
paid trolls.
    Mr. Miller. Sure, absolutely I would agree with that.
    Ms. Torres. I think my time is almost up, so I am not going 
to go into the next question. Thank you.
    Chairman Royce. Thank you, Congresswoman. We will go to 
Brad Schneider of Illinois.
    Mr. Schneider. Thank you, Chairman Royce. Thank you for 
having this meeting, and I just want to take a moment to thank 
you for your longstanding commitment and dedication to the 
bipartisanship within this committee and the commitment to work 
together, and I mention that in the context of what I feel was 
an outrageous and unjustified attack on our witnesses.
    I appreciate you being here and sharing with us your 
perspectives. I am grateful for the work you have done and 
continue to do, and I hope that we don't see what we saw again. 
And thank you for talking about the increasingly important 
topic of cybersecurity. I have said this before in this 
committee, but it is too important not to repeat again. The 
U.S. intelligence agencies found that Russia did, in fact, 
interfere in the 2016 Presidential election, and there is no 
doubt in my mind that they will do it again, but it is not just 
me saying this. Last July, the Director of National 
Intelligence, Daniel Coats, said there was no dissent, I will 
repeat, no dissent inside the United States intelligence 
agencies about the conclusion that Russia used hacking and fake 
news to interfere in our election.
    And just last month, the CIA Director Mike Pompeo stated, 
he believes Russia would seek to do so again. I will quote him: 
``I have every expectation they will continue to try and do 
that.''
    I share that, and just to lift two statements from the 
prepared testimony that the witnesses shared with us, Mr. 
Painter, you said, The U.S. did not foresee the hybrid threat 
posed by Russia's cyber-enabled attempt to undermine and 
influence the 2016 election that goes to the core of our 
democracy. I think that is critical. This is the foundation of 
our democracy, and every American should have the right to know 
that their vote will be counted, and that the integrity of 
their vote and the vote as a whole will be protected.
    And, Dr. Sulmeyer, you noted that deterring a repeat of 
this conduct must be a priority for the entire United States 
Government, and, indeed, for all nations whose elections are 
susceptible to Russian interference, and I couldn't agree more. 
Unfortunately, this administration has not acted to secure our 
election systems and has not acted to punish those responsible 
for the 2016 meddling.
    This administration is leaving the door open for Russia to 
interfere again. This is not just horrifying, it is 
unacceptable. Congress passed, and the President signed into 
law, the Countering America's Adversaries Through Sanctions 
Act, yet the administration has ignored the law by not imposing 
the strong sanctions laid out by CAATSA.
    That is why I continue to raise the alarm regarding the 
seriousness of this situation, and why I join together with my 
colleague, former chairman Ileana Ros-Lehtinen of this 
committee, chairman of the subcommittee, to introduce the 
Defending Elections from Threats By Establishing Redlines, or 
the DETER Act. This bill would make clear that there will be 
consequences for those who interfere in our elections, and 
would ensure the United States Government had an actual 
strategy to prevent such interference. So I would like to ask 
the witnesses today a number of questions. First, what do you 
believe Putin hopes to achieve by interfering in our democratic 
process, and to what degree of certainty do you believe he will 
seek to do so in the elections coming up in November?
    Mr. Painter. My sense, and I think what the intelligence 
community has said, too, is that to sow chaos, distrust, to 
undermine democratic systems, both here and around the world. 
That is, I think, the ultimate goal. And I think the likelihood 
this is going to happen in 2018, and also around the world, is 
incredibly high. There is no reason it wouldn't happen.
    Mr. Schneider. Mr. Miller?
    Mr. Miller. I don't see any evidence to suggest that it is 
not likely to happen again for sure.
    Mr. Schneider. Thank you. Dr. Sulmeyer?
    Mr. Sulmeyer. I think the motive is for Putin to increase 
his and Russia's relative power. That is why they are doing 
what they are doing, and yes, it seems inevitable they will do 
it again.
    Mr. Schneider. And to some extent, do you have a sense that 
the administration's failure to respond is likely to embolden 
the Russians, and embolden Putin in their efforts to undermine 
our democracy?
    Mr. Painter. Yes. I think we need to be strong. We need to 
be clear about what the consequences are. Whether that deters 
them or not, I don't know, but we need to be as clear as we can 
about that because it is likely to happen again.
    Mr. Schneider. Dr. Sulmeyer, I think you were going to say 
something.
    Mr. Sulmeyer. Yes, we have to, but we can't rely on it, and 
that is why my colleagues at the Belfer Center have tried to go 
about helping state and local officials protect themselves as 
much as possible.
    Mr. Schneider. Okay. And we are 9 months away from the 
election, 9 months from tomorrow. What should the 
administration be doing, what more can we do to help make sure 
that every vote will count, that every American knows that the 
integrity of their vote will be protected?
    Mr. Painter. So I outlined some of these earlier, but one 
of them is exactly what Mr. Sulmeyer said. Working with the 
State and local authorities and DHS is doing some of this, but 
really upping that game to protect those systems to make sure 
they are secure. That is a technical part. Convening an 
interagency group at a high level to really focus on this; 
wherever it is coming from, whether it is Russia or other 
countries that we can really deal with this; enhancing our 
deterrence posture and tools we can use for deterrence; and 
coming up with a really strong declaratory message about what 
the problems are, what the consequences will be for doing this. 
And finally, I think working as has been happening, but working 
with social media and others to make sure that we are trying to 
cut off those areas of attack.
    Mr. Schneider. Mr. Miller?
    Mr. Miller. I would focus again on DHS and the role that 
they play there. Again, as has been mentioned a few times, they 
are working with local officials, and that is absolutely 
important. It is also very important, DHS is kind of on the 
front lines of the public-private partnership between industry 
and working with industry partners and also, some of the things 
that stretch beyond this issue, like sharing threat information 
between the government and industry to try to figure out what 
is happening, and avoid it is really important.
    Mr. Schneider. I have gone well past my time. Thank you 
again for your testimony today. Chairman, thank you for having 
this hearing. I hope we will continue to focus on this very 
important issue. I yield back.
    Chairman Royce. Thank you. And our last questioning comes 
from Mr. Brad Sherman of California.
    Mr. Sherman. I want to build on the gentleman from 
Illinois' questioning. It is always nice to have an office, 
give it importance, give it the highest possible title. But if 
we are not serious about cybersecurity, it is just an office. 
We know that Russia cyber hacked for the purpose of affecting 
our election. And Congress acted. Congress passed CAATSA, and 
every section of it that is mandatory is ignored. So one 
wonders why create offices if the executive branch--I mean, why 
are we here? It is much warmer back in California. I am here to 
try to legislate. We pass laws and the President just ignores 
them, so let's go through. CAATSA Section 225 says, ``The 
President shall impose sections on those who invest in certain 
deep or Arctic oil locations with Russia provided a September 
1, 2017, deadline.'' Nothing was done.
    Then we have the bank transactions with especially 
designated nationals. No bank has been sanctioned for a 
significant transaction with a Russian specially designated 
national. That is Section 226 of CAATSA. But of greatest 
concern is Section 231, because on this one, we know what the 
administration is going to do. They have said officially we 
refuse to follow the statute, because our oath to the 
Constitution means nothing, and frankly, Congress means 
nothing. Because that law says that there have to be sanctions 
against those who do business with Russia's defense and intel 
complexes.
    Now, it does have a waiver provision, also ignored by the 
administration. What do they do? They issue a press release 
basically saying, Congress, thanks for passing the law that 
says we shall do something. We have determined it is 
unnecessary. We are not going to do it.
    This is something that I think the Russians would 
understand. Their Duma is pretty much an advisory body. When it 
was initially created, it was an advisory body to the czar, and 
I feel that perhaps we should adjust the pay here to be no 
higher than that of the 1905 Duma, since our legislation has no 
more effect or legislative actions.
    And I will ask any of the witnesses, how are we going to 
have an effective person in the State Department working on 
cyber issues if we have a policy of not doing anything when the 
most vital parts of our country are attacked through a cyber 
hack? Mr. Painter?
    Mr. Painter. So structure is important, but you are quite 
right, structure alone doesn't solve the problem. You have to 
have structure----
    Mr. Sherman. Structure can actually make the problem worse 
by disguising the fact that you are doing nothing about the 
problem.
    Mr. Painter. Structure is not the only thing. You need a 
good structure to actually lead this and communicate to the 
rest of the world it is important. However, you also need----
    Mr. Sherman. I think we have communicated to the world that 
is not important.
    Mr. Painter. But you are quite right. You need strong 
policies to actually enforce this and make sure that when you 
have attacks on this--alleged attacks or other attacks too, 
that there are consequences for those actors. And part of that 
is deterrence, but part of that is responding to incidents, and 
we need to do this. I hope this new Bureau actually does this, 
and is empowered to do this and that is going to be important.
    Mr. Sherman. Okay. Now, you served as the State 
Department's Coordinator for Cyber Issues running an office 
that was eliminated days before you were scheduled to testify 
before the committee last summer. A lower level office was 
created in its stead. What did we lose by actually going 
backward on this rather than forward?
    Mr. Painter. Look, I am heartened that the State Department 
has seen to provide a higher level structure. That is great. 
Again, I have problems about where it reports, given the range 
of issues it involves, because people are prisoners of their 
perspective, quite frankly, and someone who is an economic 
Under Secretary is going to be in that perspective. However, we 
had a lot of momentum going, and to say for a 6-month period or 
longer, that this was not, or communicate this is not a high 
priority, has an effect both with our adversaries and with our 
friends, and I don't understand why we did that. I think when 
we have a strategy in place to make even higher up, great, but 
why interrupt that in the interim?
    Mr. Sherman. Unless you want to signal to the world and to 
Moscow that it isn't important. Look, I am a cosponsor of H.R. 
3776, the Cyber Diplomacy Act. We passed this in the House. I 
think it had overwhelming support. We need U.S. international 
engagement on these cyber issues but just boxes in the State 
Department chart don't accomplish anything if you are not 
willing to take action. I yield back.
    Chairman Royce. Let me just clarify that the administration 
has taken steps to implement CAATSA. They have briefed staff on 
both sides of the aisle at this point. Let me just make this 
point on their approach, which--and this is the point I want to 
make. Instead of sanctioning our allies that buy Russian 
weapons, what they are doing, at this point, is pressuring 
those allies to wind down those sales. I just want that 
understood.
    Mr. Sherman. If the gentleman will yield.
    Chairman Royce. But of course.
    Mr. Sherman. First of all, law is law. You can't say we are 
going to violate the law because we have got a better deal to 
achieve your purpose.
    Chairman Royce. I understand that in terms of their 
briefing with our staff here, they understand, or they 
articulate that this complies with the letter and spirit of the 
law as they now implement--without going through a whole debate 
in terms of what was laid out in the law and their methodology 
I am just explaining.
    Mr. Sherman. Well, Turkey is going to give $2.5 billion to 
the military complex of Russia, and they are not going to be 
sanctioned, and we are going to be told that the fact that you 
have passed a law doesn't matter. We are not even going to even 
look at the waiver provisions of the law. We are going to 
ignore the law, and we have got a better idea and we are 
smarter than Congress, and trust us, we are there on your side, 
but we are going to ignore your legislation.
    The fact is, I think Turkey fully understands they can send 
$2.5 billion to the Russians and to their military complex, and 
nothing will be done by this administration, except they will 
tell us privately and publicly that they know better, and that 
they are really on our side and they are really going to 
achieve our purposes.
    Chairman Royce. Let me just add--reclaiming my time--it is 
up, the way it is written it is up to the administration to 
determine what constitutes a significant transaction, but they 
have also made clear to us in their discussions, that these 
designations are forthcoming. So I am just, for the record, 
clarifying those points.
    I do know----
    Mr. Sherman. If you will yield for just a second. If the 
administration wants to go public and say $2.5 billion from 
Turkey is not a significant transaction, let them have the guts 
to do so in public. I yield back.
    Chairman Royce. And with that, I think we should go to our 
remaining member here with questions, and I am going to, at 
this point, give Mike McCaul the chairman's chair here, since I 
am supposed to be in the Financial Services Committee at this 
moment with Secretary Mnuchin. I thank all of our witnesses for 
their patience today especially given the votes that we had 
across the building. Thank you.
    Mr. McCaul [presiding]. Let me recognize myself. And I 
chair the Homeland Security Committee, but I really enjoy being 
on this committee. It is a great intersection of similar 
issues, and cyber is really one of them, and I think I have 
done a lot on Homeland in terms of legislation, and I think at 
the State Department, and Chris Painter and I go way back at 
DOJ.
    Cyber is a mission I would like to see elevated at the 
State Department. It is the only Department that can work with 
other countries to establish rules of the road, if you will, 
where we exist in a world where there are no, as you mentioned, 
real consequences to a lot of these cyber events that we have 
been discussing. And I just want to bring up one because I 
think it involves probably all three of you and myself, and 
that is the breach of 20 million security clearances at OPM 
where they stole mine, and I am sure Mr. Painter's and our 
fingerprints and all that. Were there any consequences to that 
breach, Mr. Painter?
    Mr. Painter. I think there were. There were a lot of things 
said during that, after that. I think one of the problems there 
is espionage every country around the world does intelligence 
gathering. If that is classic espionage, if that is what that 
was, that is harder to deter, quite frankly, because every 
government other--you are not going to have an agreement not to 
actually do intelligence gathering with other countries. But at 
the same time, that doesn't change the fact that we need to 
harden our targets as much as possible, and when that happens, 
we don't have to like it either, we can do things in response 
to it.
    Mr. McCaul. I know in 2015, the--maybe one thing that there 
was a meeting I think that was the only thing I saw take place 
but between the United States and China, and China agreed to 
refrain from conducting or supporting cyber-enabled theft of 
intellectual property, including trade secrets and other 
confidential business information, and I think I know the 
answer to this question but is China abiding with that 
agreement currently?
    Mr. Painter. I think, to some extent, the jury is out. I 
think a lot of the people who track this in the private sector 
said there was a large diminution in that kind of activity. It 
doesn't mean that intrusions from China stopped, by my means. 
It means that kind of commercial espionage to benefit their 
commercial sector, which is something we don't do, we don't 
think any country should do, and they agreed not to do 
diminished substantially.
    Now, there are have been mixed reports recently about that. 
I think if there is a breach of that agreement we have to take 
it seriously and we have to make sure there are consequences 
for that, but I think it did, at least, have an effect, and it 
was then enshrined in the G20 statement and with other 
countries around the world, so there was pressure not just from 
us, but from other countries too because they were also victims 
of this.
    Mr. McCaul. Like in any agreement, I mean, what are the 
penalties for violating that agreement?
    Mr. Painter. Yes, I mean the penalties, like I said, 
nothing was taken off the table. We didn't say, Hey, if you 
agree to this, we are not going to sanction you. We didn't give 
anything for that, right, so those are all still on the table. 
If we see that happening the government can use sanctions. The 
government can use, you know, other law enforcement actions 
like they have before against the PLA officers. There is still 
a range of things that the U.S. can do and the U.S. and its 
allies can do in appropriate circumstances, and you want to 
make sure you have the right factual basis to do that.
    Mr. McCaul. In the----
    Mr. Painter. I would submit, however, as I said before, I 
think our tool set is still too slim. I any we need to develop 
other tools to respond to these kinds of threats in cyberspace.
    Mr. McCaul. Do you agree that if a NATO country was 
attacked in an act of cyber warfare, that Article 5 would apply 
and be invoked?
    Mr. Painter. I absolutely do. In fact, NATO said that that 
was a fact. I mean, Article 5 is a fact-specific, case-by-case 
basis. It has been invoked once on 9/11, but I think if it is a 
sufficient attack that causes the same kind of death and injury 
that a physical one did, absolutely it could be involved in a 
case-by-case basis.
    Mr. McCaul. The Russian interference in our elections, 
Congress passed sanctions on Russia for that. Were there any 
other consequences taken by the administration for that, and I 
got briefed by Jeh Johnson and DNI Clapper during the previous 
administration on that around October before the elections 
occurred. It was clear to me it was happening. The attribution 
was clear. I didn't see--my advice was to call it out for what 
it was, and that there should be consequences to bad behavior 
like that.
    Mr. Painter. I would agree that the consequences should be 
imposed. There were a number of them in December at the end of 
the administration. There was some economic sanctions. There 
were throwing a number of diplomats out of the country and 
closing compounds. There were a number of things done. But for 
deterrence to actually work, it has to be timely, and 6 months 
later is a long time, and that has to continue because the 
threat is still there.
    So I think the cyber community didn't really understand the 
nature of this threat. We knew about attacks against 
infrastructure. We knew about potential theft of intellectual 
property. We weren't focused on this hybrid threat when it 
happened.
    Mr. McCaul. Well, I have been working on my committee, 
Homeland. DHS will be--as we go into 2018 elections, there is 
no question that they are going to try to do this again.
    Mr. Painter. Yes.
    Mr. McCaul. In fact, there is some evidence they are 
already interfering in some U.S. Senate races. And--well, it is 
a good question for all three of you. What role do you think 
the Federal Government could play in the 2018 elections?
    Mr. Painter. So, the things I have laid out, and I am not 
the only one. Rick Ledgett and others have talked about this in 
the past. You know, a strong, clear declaratory statement that 
this is unacceptable and we will take action, a task force that 
is an interagency task force to work on this and also to deal 
with other parties, and particularly social media and others, 
working as has been happened, but working with the State and 
local election officials to actually secure their systems. I 
know DHS is doing some of that, but really up our game 
substantially there. Having the willingness to use tools to 
deter this action and actually having more tools there. That is 
just part of the response.
    And then, frankly, working with other countries. Other 
countries are facing the same problem, not in 2018 elections, 
but in elections that they have. And maybe looking at some of 
the things they have done to push back against this and try to 
go after these disinformation campaigns.
    The one thing I would say is this is not just a cyber 
problem, right? This has to be a hybrid solution to a hybrid 
threat. We have to have other players in the room, and not just 
the cyber people.
    Mr. McCaul. Well, I was in France right before Macron's 
election. I don't think the French bought into the propaganda. 
I was in Estonia and Ukraine. I mean, talk about a laboratory 
for malicious behavior. And I think we are learning a lot from 
that experience.
    Mr. Painter. And I should mention that, as we stated 
earlier, Michael Sulmeyer has been working--Belfer has been 
working on some of these issues too, so I don't know if you 
address this quickly. I have taken all the time.
    Mr. McCaul. My time has expired, but I guess I am in the 
chair, so----
    Mr. Sulmeyer. Thank you for the opportunity to plug the 
Belfer Center, Chris. But that is why we have devoted work over 
the last year to try and help State and local officials and 
also campaigns just protect themselves and be harder to hack in 
the absence of Federal Government doing a lot over the last 
year. So I would like to see, in terms of collection 
priorities, threats to the election be at the top. I don't know 
where they are. I am not in. But then I would like to make sure 
that there is a willingness to neuter attackers before they 
strike abroad. Then I would like to be able to see the 
willingness to reducing classification or declassify 
information that should get into the hands of those who can use 
it, make it actionable, and defend themselves.
    Mr. McCaul. That is very good.
    Let me just say in closing that, first of all, Chris, you 
did a fantastic job at State as the coordinator for cyber 
since--I guess 2011 is when that was created. Secretary 
Tillerson then tried to merge that office with the Bureau of 
Economic and Business Affairs. And I--they are sort of an 
interim step. But in my judgment, as I try to create a cyber 
agency within DHS, it almost appeared as if it was not a 
priority if you are merging it with another office like that. I 
would like to see a cyber office that makes it a priority. And 
I think that is what the Cyber Diplomacy Act that I worked with 
the chairman on to codify the Office of Cyber issues led by a 
Senate-confirmed Ambassador precisely what we are trying to do 
here, is elevate the priority and the mission within the State 
Department.
    Do all three of you agree with this bill?
    Mr. Painter. I completely agree with this. I think the 
bill's formulation is absolutely correct. I know the State 
Department just today sent a letter saying they were going to 
create a Bureau dealing with some of these issues, which is 
great. However, the way its reporting structure is through the 
economic Under Secretary which, given the breadth of these 
issues and the security issues, doesn't make a lot of sense. I 
think the bill's statement should be through the political 
Under Secretary or higher makes a lot more sense as a cross-
cutting issue. But I think that bill, frankly, helped motivate 
some of these changes, and that is good. We need to really keep 
the pressure on.
    Mr. McCaul. That is good.
    Mr. Miller.
    Mr. Miller. Thank you, Chairman McCaul, for now anyway, 
right?
    Yeah, I also--and we, ITI, agree with the stated objectives 
of the Cyber Diplomacy Act. And those probably don't need any 
repeating here. But also the proposed follow-through on 
actually how you are going to keep the Internet open and free, 
while also protecting security and promoting data flows.
    One of the things that is really important about that is, 
number one, having a State Department cyber coordinator's 
office that really is focused on the cyber issues. And we have 
heard that here today. But then also, the bill suggests the 
necessary follow-through. As Mr. Painter mentioned earlier, 
there was a lot of good progress made, both bilaterally and 
multilaterally in recent years by State. But you need to hold 
the counterparties accountable for the agreements that they are 
signing. And we really need to keep furthering these types of 
approaches, because these issues are not getting easier, they 
are getting harder and we need to be working together on this 
with our allies.
    Mr. McCaul. I agree completely.
    Dr. Sulmeyer.
    Mr. Sulmeyer. Same answer but different reason, if I might 
offer, which is that from an interagency or non-State 
Department perspective, having a dedicated office like Chris 
Painter ran, gives you the touch point. You know who to call 
when you are at DOD or you are at a different part of the 
government. And that is how policymaking works is not always at 
the Secretary level but also at the lower levels of the 
bureaucracy. So I am a big supporter of this for additional 
reasons, because it helps the rest of the government come 
together and play as a team.
    Mr. McCaul. Yeah. I mean, it is just a point of contact, I 
think, for other departments.
    Well, anyway, I want to thank all of you for your testimony 
and your expertise and leadership on this very important issue. 
I think it is very often overlooked as some sort of technical 
in-the-ether type thing. But in reality it is very real, and it 
is a threat on many levels, so I appreciate your leadership on 
this issue.
    And with that, the committee now stands adjourned.
    [Whereupon, at 12:58 p.m., the committee was adjourned.]

                                     

                                     

                            A P P E N D I X

                              ----------                              


         Material Submitted for the Record
         
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

               

 Material submitted for the record by the Honorable Edward R. Royce, a 
Representative in Congress from the State of California, and chairman, 
                      Committee on Foreign Affairs
                      
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]