b"<html>\n<title></title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                                    \n                         [H.A.S.C. No. 115-95]\n\n                   CYBER OPERATIONS TODAY: PREPARING\n\n                     FOR 21ST CENTURY CHALLENGES IN\n\n                     AN INFORMATION-ENABLED SOCIETY\n\n                               __________\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                             APRIL 11, 2018\n\n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n                                __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n30-569                 WASHINGTON : 2019                     \n          \n                                   \n                      COMMITTEE ON ARMED SERVICES\n                     One Hundred Fifteenth Congress\n\n             WILLIAM M. ``MAC'' THORNBERRY, Texas, Chairman\n\nWALTER B. JONES, North Carolina      ADAM SMITH, Washington\nJOE WILSON, South Carolina           ROBERT A. BRADY, Pennsylvania\nFRANK A. LoBIONDO, New Jersey        SUSAN A. DAVIS, California\nROB BISHOP, Utah                     JAMES R. LANGEVIN, Rhode Island\nMICHAEL R. TURNER, Ohio              RICK LARSEN, Washington\nMIKE ROGERS, Alabama                 JIM COOPER, Tennessee\nBILL SHUSTER, Pennsylvania           MADELEINE Z. BORDALLO, Guam\nK. MICHAEL CONAWAY, Texas            JOE COURTNEY, Connecticut\nDOUG LAMBORN, Colorado               NIKI TSONGAS, Massachusetts\nROBERT J. WITTMAN, Virginia          JOHN GARAMENDI, California\nDUNCAN HUNTER, California            JACKIE SPEIER, California\nMIKE COFFMAN, Colorado               MARC A. 
VEASEY, Texas\nVICKY HARTZLER, Missouri             TULSI GABBARD, Hawaii\nAUSTIN SCOTT, Georgia                BETO O'ROURKE, Texas\nMO BROOKS, Alabama                   DONALD NORCROSS, New Jersey\nPAUL COOK, California                RUBEN GALLEGO, Arizona\nJIM BRIDENSTINE, Oklahoma            SETH MOULTON, Massachusetts\nBRAD R. WENSTRUP, Ohio               COLLEEN HANABUSA, Hawaii\nBRADLEY BYRNE, Alabama               CAROL SHEA-PORTER, New Hampshire\nSAM GRAVES, Missouri                 JACKY ROSEN, Nevada\nELISE M. STEFANIK, New York          A. DONALD McEACHIN, Virginia\nMARTHA McSALLY, Arizona              SALUD O. CARBAJAL, California\nSTEPHEN KNIGHT, California           ANTHONY G. BROWN, Maryland\nSTEVE RUSSELL, Oklahoma              STEPHANIE N. MURPHY, Florida\nSCOTT DesJARLAIS, Tennessee          RO KHANNA, California\nRALPH LEE ABRAHAM, Louisiana         TOM O'HALLERAN, Arizona\nTRENT KELLY, Mississippi             THOMAS R. SUOZZI, New York\nMIKE GALLAGHER, Wisconsin            JIMMY PANETTA, California\nMATT GAETZ, Florida\nDON BACON, Nebraska\nJIM BANKS, Indiana\nLIZ CHENEY, Wyoming\nJODY B. HICE, Georgia\n\n                      Jen Stewart, Staff Director\n                Pete Villano, Professional Staff Member\n              Lindsay Kavanaugh, Professional Staff Member\n                         Nevada Schadler, Clerk\n                           \n                           \n                           C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nSmith, Hon. Adam, a Representative from Washington, Ranking \n  Member, Committee on Armed Services............................     2\nThornberry, Hon. William M. ``Mac,'' a Representative from Texas, \n  Chairman, Committee on Armed Services..........................     
1\n\n                               WITNESSES\n\nAlexander, GEN Keith, USA (Ret.), Founder and Chief Executive \n  Officer, IronNet Cybersecurity.................................     5\nChertoff, Hon. Michael, Co-Founder and Executive Chairman, The \n  Chertoff Group.................................................     3\nJohnson, Hon. Jeh, Partner, Paul, Weiss, Rifkind, Wharton & \n  Garrison LLP...................................................     7\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Alexander, GEN Keith.........................................    57\n    Chertoff, Hon. Michael.......................................    43\n    Johnson, Hon. Jeh............................................    68\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Ms. Rosen....................................................    81\n                   \n                   \n.                   \n                   CYBER OPERATIONS TODAY: PREPARING\n\n                   FOR 21ST CENTURY CHALLENGES IN AN\n\n                      INFORMATION-ENABLED SOCIETY\n\n                              ----------                              \n\n                          House of Representatives,\n                               Committee on Armed Services,\n                         Washington, DC, Wednesday, April 11, 2018.\n    The committee met, pursuant to call, at 10:02 a.m., in Room \n2118, Rayburn House Office Building, Hon. William M. ``Mac'' \nThornberry (chairman of the committee) presiding.\n\n  OPENING STATEMENT OF HON. WILLIAM M. ``MAC'' THORNBERRY, A \n    REPRESENTATIVE FROM TEXAS, CHAIRMAN, COMMITTEE ON ARMED \n                            SERVICES\n\n    The Chairman. Committee will come to order. 
Looking back at \nmy notes from 10 years ago, when Mr. Smith chaired what is now \nthe Emerging Threats and Capabilities Subcommittee and I was a \nranking member, I found a number of references to preparing for \ncyber as a new domain of warfare.\n    This committee has held many hearings and briefings on this \ntopic over the last decade, and we are continuing with more \nthis week, led by Chairwoman Stefanik and Ranking Member \nLangevin.\n    We have also enacted a number of legislative provisions and \nauthorized a lot of funding, and there's no doubt a lot of it--\nprogress has been made in building up our military and \nintelligence capabilities in cyberspace.\n    But I do not think it is an exaggeration to say that our \nNation has still not faced up to the threat. Cybersecurity \nmeans lots of things. Part of what it means is going on down \nthe hall in another hearing, but part of it is what we are \ngoing to talk about today.\n    Threats to national security in cyberspace come from \nadversaries stealing information. Sometimes it comes from \nadversaries working to manipulate our decisions and American \npublic opinion. Part of it is the potential to disrupt our \neconomy and unleash havoc with our financial system, or \nelectric grid, or public health and sanitation. And I have not \neven begun to discuss the consequences for the effects of our \nmilitary's ability to operate.\n    We still have not answered the fundamental question of what \nwe expect the Federal Government to do to defend our citizens, \nour businesses, our infrastructure, and our society in cyber. 
\nMeanwhile, the capabilities of our adversaries and their \nwillingness to use them is growing far faster than our \nresponse.\n    The Director of National Intelligence [DNI] recently \nassessed, quote, ``the potential for surprise in the cyber \nrealm will increase in the next year and beyond as billions \nmore digital devices are connected--with relatively little \nbuilt-in security--and both nation states and malign actors \nbecome more emboldened and better equipped in the use of \nincreasingly widespread cyber toolkits.''\n    Fortunately, our witnesses today have a lot of experience \nand a lot of expertise in these issues, and I am grateful to \neach of them for their willingness to share their views today, \nin the hopes that, not just our committee, but the Congress and \nthe country can move at the appropriate pace in confronting \nthese challenges.\n    Mr. Smith.\n\nSTATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM WASHINGTON, \n          RANKING MEMBER, COMMITTEE ON ARMED SERVICES\n\n    Mr. Smith. Thank you, Mr. Chairman. I agree completely with \nthe chairman's opening remarks and will not repeat them. We all \nknow the importance of cybersecurity; I think the chairman \noutlined it very well.\n    And the challenges that I am most interested in hearing \nfrom the three of you on, and in--we have all been people that \nhave been working on this for a long time, is number one, how \ncan we better coordinate the effort? Is--it's, you know, a \nthousand points of failure and then some when it comes to \ncybersecurity.\n    And within DOD [Department of Defense] alone--I mean, \nforget about the contractors and all the other pieces of our \ncyber network that are vulnerable to attack. Within DOD, I \nstill don't think it's clear who's in charge. I don't think \nit's clear what the strategy is, and I don't think all the key \ncomponents at DOD have any idea of really exactly what--what \nthe plan is. 
Or, overstatement, say ``no idea,'' but they don't \nhave a clear plan.\n    So how can we develop that agenda so that within DOD we \nhave people who are clearly in charge, and we say, okay, what \nis going on in cyber? This is the chain of command. And this is \nwhat is going on with it, and how we would respond to it.\n    Second, I would--do want to emphasize one point the \nchairman made, and that is, when it comes to information \ncampaigns and disinformation campaigns, cyber has taken these \nto a whole new level. And I guess one of my frustrations is \nwhile it's taken to a whole new level, on the one hand, on the \nother hand, it's nothing new. I mean, the medium is new.\n    Disinformation, information, whether it's, you know, \nthrough the radio, or newspapers, or whatever the medium of the \ntime was, you know, we have been doing that since the beginning \nof this country. And yet we seem to be unbelievably slow to \nrespond to using this new tool, this new medium, for spreading \nthe story that we want to spread, whereas in contrast certainly \nRussia, but I also think China, have been incredibly aggressive \nand are unquestionably ahead of us in using this technology. \nHow do we catch up?\n    And the last thing--great debate about storing information \nin the cloud, using open source software versus closed source \nsoftware, and I have had a number of very, very smart people \nfrom out in Seattle passionately argue to me that we can better \ndeal with cyber--the more stuff we have in the cloud and the \nmore we rely on open source software, that it is a better--you \ncan better protect that type of software.\n    So I am curious what your guys' thoughts are on the cloud \nand open source and how it fits into us developing that cyber \nstrategy that we so desperately need.\n    And with that, I yield back. Thank you, Mr. Chairman.\n    The Chairman. 
We are pleased to welcome the Honorable \nMichael Chertoff, Co-Founder and Executive Chairman of The \nChertoff Group and of course also former Secretary of Homeland \nSecurity.\n    General Keith Alexander, Founder and Chief Executive \nOfficer of IronNet Cybersecurity, former Director of the \nNational Security Agency.\n    And the Honorable Jeh Johnson, partner, Paul, Weiss, \nRifkind, Wharton & Garrison, but also former Secretary of \nHomeland Security, and General Counsel to the Department of \nDefense, which may play a role here.\n    Without objection, each of your written statements will be \nmade part of the record, and we would be pleased to hear \nwhatever oral comments you would like to make at this point.\n    Secretary Chertoff.\n\n STATEMENT OF HON. MICHAEL CHERTOFF, CO-FOUNDER AND EXECUTIVE \n                  CHAIRMAN, THE CHERTOFF GROUP\n\n    Mr. Chertoff. Thank you, Mr. Chairman, and thank you, \nRanking Member Smith. I appreciate the opportunity to testify. \nI thought I had testified before pretty much every committee in \nCongress, but I hadn't before this one. So you have moved me \ntowards a perfect record, or a royal flush.\n    I think this is a very timely hearing, and maybe not quite \nas well attended as the one down the hall, but in many ways I \nthink focusing on an area that requires greater attention, and \nI think that the opening remarks, I think, make that point very \nwell.\n    Let me just very briefly summarize a couple of points. \nFirst of all, there's no question in my mind the threats have \nincreased in intensity and frequency. 
We now are dealing with \nwhat I would call industrial-scale data theft, whether it is \nthe billions of accounts on Yahoo that were stolen, or the OPM \n[Office of Personnel Management] hack, which resulted in north \nof 20 million very sensitive files being taken.\n    I mean, this is really theft on an industrial scale, and it \napplies to straight-out criminality, as well as to things that \nare relevant for intelligence purposes.\n    We have seen what we call information operations, the use \nof cyber means, including hacking, to disseminate data which is \npart of an attempt to influence and disrupt our elections and \nour democracy.\n    We have seen data destruction with ransomware--WannaCry, \nNotPetya--which has had a serious impact on civilian \ninfrastructure in various parts of the world, including some \nmajor enterprises.\n    And as was recently announced by DHS [Department of \nHomeland Security], we have found malware in much of our \ncritical infrastructure, including our electric grid, and if \nyou go back and look at the Ukraine in 2016 and 2017, \nChristmastime, the lights went out because of cyberattacks that \nwere mounted against the electric infrastructure there.\n    So there's no question whether it's theft of data or \ninformation, or actually disruptive or destructive attacks. We \nhave seen an increase in severity and frequency.\n    And I want to be clear by defining a couple of things. \nFirst, when we talk about protecting the data, we are talking \nabout protecting confidentiality, availability, and integrity. \nAnd that is different than the issue of the content itself.\n    And I say that because I know the Russians have a concept \nof what they call information security, which to them means, \nlet's keep information we don't like off the network. 
We call \nthat censorship in this country, and it's important not to \nconfuse the two, because what we want to do to defend the \navailability, confidentiality, and integrity of data is a \ndifferent set of considerations than when we deal with the \nissue of content that we happen to disagree with.\n    So with that being said, let me briefly just summarize a \ncouple of points. First, as it relates to defense, I do think \nwe have made some progress on unity of effort with the U.S. \nGovernment, but not as much as we need. In theory, the major \nagencies that deal with cyber--the Department of Defense, \nHomeland Security, and the FBI [Federal Bureau of \nInvestigation]--have distinct roles, and when you have a lead \nrole of one, for example, in a particular area, and the others \nsupport, but we need to make sure we exercise that and \ninstitutionalize it.\n    As far as the private sector is concerned, there we have \nthe challenges--you have got widely distributed ownership and \ncontrol of infrastructure, and uneven capabilities and \nknowledge about how to defend that infrastructure.\n    Some of the things we can do to make that a little bit \neasier are continuing to promote information sharing, \nparticularly having it be automated, and having the ability to \nuse a common language to describe threats, and I would argue \nalso being--making clearances a little bit more widely \navailable to the private sector so that there could be greater \nin-depth sharing of information.\n    I think the propagation of additional standards about what \nare considered to be good cyber defense measures will be \nhelpful to the private sector. 
And I would also urge Congress \nlook at the SAFETY [Support Anti-terrorism by Fostering \nEffective Technologies] Act, which has worked well in promoting \ncounterterrorism technologies, as perhaps legislation that \ncould be extended to counter cyberattacking technologies, and \nthat again would incentivize the private sector to invest in \nbetter cyber defense.\n    And the last area I would look at would be the so-called \n``internet of things.'' We are seeing a dramatic expanse--\nexpansion of the surface area of attacks through so-called \n``smart objects'' that have very little provision for security \nor cyber defense, including basic things like patching and \nupgrading. And we may need to look at some legal regulations or \npolicies that would promote some kind of at least minimal \nintegration or security capabilities into these increasingly \nwidespread smart devices.\n    Finally, on the issue of what we might do in terms of \neither active defense or offense, I would argue that there are \na couple of areas we should look at. And I don't think it's a \ncapabilities issue as much as it is a policy and strategy \nissue.\n    First, we need to be clear about standards for attribution. \nWhat do we expect in terms of the standard that we must meet to \nbe confident about our attribution, and how would we announce \nto the world that we have made--we have attributed something in \na way that we want to respond to?\n    Second, I think we need to marshal all of the tools in the \ntoolbox in terms of response. It can't only be cyber response. \nDepending on the nature of the attack, it has to be potentially \ncriminal, a prosecution, the use of sanctions, and even the use \nof cyber and physical tools to preempt something in an \nappropriate case, when we are dealing with something that \nthreatens life or property.\n    And finally, a couple of other areas where I think we need \nto focus on international responses. 
One is coordinating with \nour--our allies in NATO [North Atlantic Treaty Organization], \nin terms of having a common doctrine and a common set of \ncapabilities in cyber response, and then looking to creating a \nmore robust set of international norms and rules about what is \noff-limits in cyberspace as it is in physical space.\n    Because right now, we are not always clear about what ought \nto be considered to be illegal cyber activity under \ninternational law, and I think the time for some kind of a set \nof norms and laws in this respect is well overdue.\n    So with that, Mr. Chairman and Ranking Member, thank you \nvery much, and I will be pleased to answer questions.\n    [The prepared statement of Mr. Chertoff can be found in the \nAppendix on page 43.]\n    The Chairman. Thank you.\n    General Alexander.\n\nSTATEMENT OF GEN KEITH ALEXANDER, USA (RET.), FOUNDER AND CHIEF \n            EXECUTIVE OFFICER, IRONNET CYBERSECURITY\n\n    General Alexander. Mr. Chairman, Ranking Member Smith, \ndistinguished members of the committee, it's an honor and \nprivilege to be back here again. I want to hit, over the next 2 \nhours, no, the next 5 minutes, five key points.\n    First, technology. You both mentioned it. We live in \nexponential times. The amount of applications, the amount of \ndata, and the amount of technology is growing--almost doubling \nevery year in each category. That means cyber is going to grow \nexponentially, and the problems that we have today, a year from \nnow, will be more than twice as large.\n    The threats are growing with that. And nation-states are \nnow using cyber as an element of national power, not only to--\nfrom a criminal perspective, for stealing money and \nintellectual property, but now to impact other nation-states. \nWe see it in Ukraine, you saw it in Georgia, you saw it in \nEstonia. 
You see it now in the Middle East, in Kuwait, Bahrain, \nUAE [United Arab Emirates], Qatar, in Saudi Arabia, and you see \nit in Japan and Taiwan, and South Korea.\n    Countries are being hit with nation-state attacks, and we \nexpect, we should expect, that those countries we have \ndisagreements with will use cyber to attack us. And we are not \nready.\n    And the reason we are not ready is not because there aren't \ngood people in government working hard, it's because, in my \nopinion, we don't have the policies in place, we don't \nunderstand the roles and responsibilities sufficiently between \nthe departments, and we don't train between government and \nindustry.\n    Let me give you a few examples of what I think we need to \ndo, and why we need to do it. And then I will end up with four \nkey points that I think, as a government, we need to go forward \non.\n    With respect to the roles of government, it's clear, I \nthink, the missions of the Department of Homeland Security for \nincident response, for setting standards, it is clear for the \nDepartment of Justice what the FBI does in terms of law \nenforcement, and clear in the mission of the Defense Department \nto defend the Nation from cyberattacks, especially from nation-\nstates.\n    The problem. Government, one, can't see what is going on in \ncyberspace like we can in an integrated air defense system. You \ncan't see it, and so most of our response is incident response \nand falls on the Department of Homeland Security, who--who \nleverages everything from the other departments have--to help \ndo that.\n    But that's not what our Nation needs. If you go out and \ntalk to companies that have been attacked, they don't want you \nto come and tell you they have been attacked, they want help in \nstopping the attack. And to--to date, most people say it's too \nhard. In the Constitution it says our government is here for \nthe common defense. 
It doesn't say we are here for the common \ndefense unless it's hard, we are here for the common defense \nunless it's fast, or we are here in the common defense unless \nit's in cyber. Our job, your job, is how we defend this \ncountry. And I believe it is doable.\n    And the issue gets back to some of the things that you \nmention about the cloud. How do we leverage the cloud for \npushing up a common picture in cyber where malicious acts are \ngoing. Technically achievable. And we need to drive towards a \nsolution like that, that brings together our government players \nin a coherent, policy-provided path that allows our government \nto work with industry to actually defend this Nation. And I \nthink it's doable.\n    In my experience in talking to industry is they are--they \nare more than willing, and we have given them the authority to \nshare the necessary information with government under the CISA \n[Cybersecurity Information Sharing] Act. We now need to make \nthat real.\n    But there are still several things that I think limit that \nsharing. One of them is liability protection and the concerns \nof liability. For small and midsized companies, how do we \nincentivize them to actually have good cyber and the ability to \nshare real-time information? How do we share this information \nin a credible way, and make sure that the information flow that \ngoes back and forth between government and industry is there? \nAnd that may require, as Secretary Chertoff said, clearances \nfrom many of those in industry.\n    Let me give you one set of examples about how we could \ndefend this country. Today, if a bad actor--so, in running \nCyber Command [CYBERCOM], we would look at how the threat looks \nat attacking our Nation. They don't look at it by company. They \nlook at it by the effects they want to do to hurt our country. 
\nThat means the energy sector, the finance sector, the \nhealthcare sector, and the government.\n    And what they do is they look for weak spots, they get in, \nand then they can cause damage from there. But we look at \ndefending at a point, not collectively across sectors. So we \nnow have to look at our Nation, and use cyber in a networked \nway, just like we have the internet, so that we can defend it \nat network speed.\n    And I put that last part in there--it has to be--\ninformation sharing has to be at network speed if you want to \nstop the threat. And I believe that is viable and doable today, \nand something that we should collectively push for.\n    Thank you very much, Mr. Chairman.\n    [The prepared statement of General Alexander can be found \nin the Appendix on page 57.]\n    The Chairman. Thank you. Secretary Johnson.\n\n STATEMENT OF HON. JEH JOHNSON, PARTNER, PAUL, WEISS, RIFKIND, \n                     WHARTON & GARRISON LLP\n\n    Mr. Johnson. Mr. Chairman, Ranking Member Smith, members of \nthis committee, it is a pleasure to return to the House Armed \nServices Committee. When I was General Counsel of the \nDepartment of Defense, I testified several times before this \ncommittee in the years 2009 to 2012. While I was Secretary of \nHomeland Security, I had the pleasure of testifying before \nCongress 26 times in 37 months, and since I have been a private \ncitizen now for 14 months, I have testified--this will be my \nthird time.\n    As Senator Angus King said to me last month, when I \ntestified before the Senate Intel [Intelligence] Committee, \n``Mr. Secretary, how can I miss you if you never go away?'' And \nhe is right. 
And one of these days, I do expect to go away, but \nI welcome the opportunity to come here and testify with my two \nfriends and colleagues on this important topic.\n    You have my prepared statement, in which I tried to \ndescribe the range of cybersecurity threats that I see, ranging \nfrom those that this committee is well acquainted with, the \nprospect of a nation-state cyberattack on our critical \ninfrastructure, to the issue that the witness down the hall is \nprobably testifying about, the inappropriate or unauthorized \nuse of private data that American citizens make available on \nthe internet.\n    In my testimony, I also take on the legal question that \nmany ask: what type of cyberattack may constitute an act of \nwar? And I will be happy to answer questions along those lines, \nif the committee members have it. In general, I look forward to \nour discussion, and I am pleased to be here with General \nAlexander and Secretary Chertoff. Thank you.\n    [The prepared statement of Mr. Johnson can be found in the \nAppendix on page 68.]\n    The Chairman. Let me just ask each of you to respond to \nkind of two high-level questions, I guess. One is, my \nperception is the threat is going up far faster than our \nresponse. We are getting more capable, but as at least a couple \nof you mentioned, our policy's not there. Do you agree with me, \nis the question, that the threat is growing faster than our \nresponse?\n    And the second question is--and I will broaden this to \nCongress--if you could wave a magic wand and have Congress do \none thing this year in this area of cybersecurity, what would \nyou like to see us do?\n    Mr. Chertoff. I guess I will begin. I think the answer to \nthe first question is I agree with you. I think the threat is \nincreasing. 
I think, again, it's not a--on our side, an issue \nwith lack of capability, I think it is that we haven't firmed \nup a doctrine and a strategy for how to respond.\n    We are beginning to see some response. I mean, I think for \nexample in the criminal side you are seeing some indictments. I \nthink sanctions are a potential response. There may be things \ngoing on below the surface that are not--not visible. But \nthere's no question that the threat is intensifying, and the \nboldness of the bad actors is intensifying.\n    In terms of what Congress can do, I think on the issues of \nstrategy and doctrine, these are--are I think matters really \nmore for study than for some specific legislation.\n    But I come back to the SAFETY Act. I think in dealing with \nthe private sector, one of the issues I hear a lot is, ``Well, \nhow much do we invest, and what is the return on investment in \nterms of cybersecurity?'' And one thing that I think was \ndemonstrated in the counterterrorism area was the SAFETY Act \nreally incentivized the private sector to invest in tools that \ncould be used to counter terrorism. Because there was a \nliability protection that came with it.\n    And I think extending that to cyber would be a very easy, \nstraightforward thing that would begin to create some \nincentives for the private sector.\n    General Alexander. So I think, yes, the threat is going up \nexponentially, and technology is fueling that. So, consider \nthat they are getting more opportunities and going faster than \nour policy and doctrine is growing, so we are falling behind.\n    And if I were to give you one thing--I liked yours, so I \nwill add to--a slightly different--we don't have a common \noperating picture for cyber. We can't see, as a Nation, other \nnations attacking us. 
As a consequence, we have limited \nabilities to actually defend our Nation at network speed, which \nis what will be required, I think, in the next few years.\n    So one thing, if you could push to build a common operating \npicture for government and industry for attacks that are \nhitting our country.\n    Mr. Johnson. Mr. Chairman, I agree with your assessment \nthat the cyber threat to our country is getting worse. I \nbelieve it will get worse before it gets better, and I believe \nthose of us on defense struggle to keep up. I think that bad \ncyber actors, ranging from nation-states, to criminals, to \n``hacktivists,'' to those who engage in ransomware are becoming \nincreasingly aggressive, creative, and tenacious.\n    If I had a magic wand, and if I were Congress--or, I would \nsay a Congress of one--I would in some way--and politically, \nthis is very challenging, but in some way find a way to either \nregulate or encourage those in the private sector to embrace \ncertain minimum cybersecurity standards.\n    I note that the Senate Intel Committee report on election \ncybersecurity encourages voluntary compliance with certain \nminimum cybersecurity standards, but I think that that's a \ncommonsense solution to a lot of our problems here, and we \ndon't have that right now.\n    The Chairman. Let me pose one other brief question to \nGeneral Alexander and Secretary Johnson on the Department of \nDefense in particular. I pick up frustration with some of our \nmilitary folks that they are being held back from being able to \nuse cyber tools to the extent they think makes sense.\n    And I know there's a number of challenges. 
Using cyber \ntools may lose you intelligence-gathering capability, all sorts \nof difficult legal issues, and we don't have time at this point \nto go into all of that.\n    But I am just wondering if either of you-all have an \nopinion about whether, for the military use of cyber to create \ncertain effects, are we moving at an appropriate pace, or are \nwe too hesitant to give, say, our combatant commanders and \nother military leaders the tools that we could give them, but \nbecause this is new and difficult, we are reluctant to do so?\n    Mr. Johnson. Mr. Chairman, I think that the perception you \nhave detected is probably accurate. Among our military \ncybersecurity personnel, without getting into too much detail, \nI know that some feel that the law and traditional law of armed \nconflict principles, traditional international law principles, \nrestrain our ability to use some of our current capabilities.\n    And so I share your perception.\n    General Alexander. Mr. Chairman, I think what is lacking in \nthat regard is rules of engagement. So you have U.S. Cyber \nCommand, who has the responsibility to defend the Nation, and \nthe issue really comes down to when do you fire back, and what \nauthorities do you need to get before you fire back to defend \nthe country?\n    Most of the time, it would be up to the commander of Cyber \nCommand to do it and ask forgiveness. That's not a good place \nto put a military person in. You need rules of engagement that \nsay, ``If I see an attack that is going to destroy our energy \nsector, our finance sector, or something, and I have got 60 \nseconds to act,'' you want that person to do the right thing. \nYou need to give them rules of engagement, and get the \ngovernment to agree, and you all to agree to those, and then \ntrain to them.\n    And that's something I think that's sorely lacking, at \nleast when I was commander of Cyber Command.\n    The Chairman. Okay, thank you. Mr. Smith.\n    Mr. Smith. Thank you. 
We have talked a little bit about the \nsort of rules of engagement. I think this is one thing that is \na significant problem is our adversaries feel like they can \noperate, to a certain degree, with impunity, because we have \nnot made clear how to respond.\n    What I would like from you--and I will get a little bit \nmore of a preview of this is--what would that look like? If you \nsaid if you were God, you know, what would you say what should \nour rules of engagement be? You know, some have said that, you \nknow, a cyberattack is an act of war--I don't want to go there.\n    I don't think that a cyberattack is equivalent to 9/11, or \nequivalent to if, you know, Russia or anyone else were to \nlaunch missiles at us. I don't--I don't believe that if we \nsuffer a cyberattack, we should start bombing whoever it is we \nthink attacked us.\n    What would be an appropriate response, so that people felt \nlike there was a price to pay if they continued to attack us \nthrough cyber? And they--they could do a lot worse than they \nhave done, but they--there certainly have been--you know, even \nas we sit here, I am sure there are cyberattacks going on. No \none knows what the consequences are. What should they be?\n    General Alexander. So I will give you my thoughts----\n    Mr. Smith. Sure.\n    General Alexander [continuing]. On responding to an attack \nagainst the country, and I will use the 2012 attacks that \noccurred. And at that time, it was my experience that the \nattacks that were coming against our country could have been \nstopped and turned off, not destructive attacks, but blocking \nattacks. But some of those blocking attacks would be in foreign \nspace. So that creates the norms that Secretary Chertoff \nbrought up, and some of the issues.\n    Now, interestingly, most of those systems that are being \nattacked have been exploited by a bad guy to attack us. 
So the \ncountry that's--whose device--computer sits in their turf is \nactually being used to shoot us. In physical space, if somebody \nput a weapon in neutral space and started shooting at you, you \nhave the right--inherent right for self-defense. I think we \nneed a similar thing in cyber, where you can defend it.\n    Now, the administration needs, beyond the blocking \nmechanism--so, my rules of engagement aren't to go out and try \nto take out a country, it would be stop it, give the \nadministration the opportunity to think of what elements of \nnational power they want to use to counter it, and that could \nbe diplomatic all the way to the military.\n    But what--what you are asking, and the Cyber Command forces \nto do, is block that attack and give you the time you need to \nmake a decision on what elements of national power.\n    Mr. Smith. I guess one sub-question on that: How easy is it \nto know where the attack is coming from? This is a matter of \nno--no small importance, given our current debate about Russia \nand what they are doing to elections and everything, you know, \nyou--you have sat there, and you have--you have looked at that, \nso all of you have.\n    Is it really true that sometimes you can't tell, or are you \npretty confident from your position that after a few hours that \nyou know where it's coming from?\n    General Alexander. I think our attribution improved \nimmensely. And you would have to ask them where they are today, \nbut from 2005 to 2014, it was significant growth in attribution \nat network speed. The issue may not be that you have it down \n100 percent of which element in a country is doing it----\n    Mr. Smith. Right.\n    General Alexander. But for the picture that I talked about, \nif you had that picture, it becomes increasingly clear. And the \nintelligence agencies can provide the rest of the picture if \nyou give them the information at network speed. 
So hopping \nthrough a number of channels, what you need to do is see those \nat network speed. You can see how that plays out, and pinpoint \nwhere it goes back.\n    Mr. Smith. The bottom line is we ought--we ought to be able \nto do it, so then we can have the--that's once we figure out \nwhat the appropriate response is to this, at least we know who \nto send it to. Do either of you----\n    Mr. Chertoff. I would just--I would add just a couple of \nelements to this. First of all, on the issue of attribution, \nthe challenge is not only to determine which is the server from \nwhich the attack originates, but to what extent you can--you \ncan----\n    Mr. Smith. Who did it?\n    Mr. Chertoff [continuing]. You can pin that on a--on a \ngovernment agency. And one thing we have seen the Russians do \nis create a deniability situation with criminal groups, where \nthe--essentially, the argument is as long as you don't commit \ncrimes in Russia, you--feel free to go and do whatever you have \nto do overseas, but when we call on you, you will help us get \ninto something. So that gets into a legal issue about how we \nhold countries accountable when they provide tacit \nencouragement.\n    The second issue, which is challenging, is unlike in the--\nin the physical world, where you could see a missile or a \nbomber coming from overseas, you could easily have a nation-\nstate attack launched from a cafe down the street here in \nWashington from a thumb drive. We have built our doctrine in \nterms of what the military can do, and in terms of the away \ngame and the home game, and we may need to revisit when we use \nsome of our away powers for attacks that emanate from home.\n    Mr. Smith. I want to let some other people get in here, so \njust very, very quickly, how does the DOD's plan to move into \nthe cloud and more use of open source software impact \ncybersecurity? 
If you can give me, like, just 30 seconds apiece \non--because that's the direction we are heading in. How does \nthat impact our ability to protect ourselves?\n    General Alexander. I think by and large it's a good thing. \nWe need to do that to get the collective picture. So going \nthere, I think you can provide the security--the secure web \ngateways and stuff that are coming in, the tools that are \ngoing--I think it provides better security. You alluded to \nthat, and I think you are correct.\n    It's more--it's easier to do it in that way. You just make \nit--need to make sure you have the resilience.\n    Mr. Smith. Okay. Anybody else want to comment on that? \nOkay. Thank you very much, Mr. Chairman, I yield back.\n    The Chairman. Mr. Wilson.\n    Mr. Wilson. Thanks, Mr. Chairman, and thank each of you for \nbeing here today, and your obvious many years of service to our \ncountry and dedication to the American people. And I want to \nbegin by thanking Chairman Mac Thornberry for this very \nimportant hearing, as I believe that information warfare will \nexpand beyond the current and future battlefield.\n    I would also like to thank and congratulate Chairwoman \nElise Stefanik for her leadership on the Emerging Threats and \nCapabilities Subcommittee, advancing American interests in \ncybersecurity to protect American families.\n    A concern that I have in--General, you actually brought it \nup, and then you have all touched on it, but it's so critical \nand that is how do U.S. agencies conduct a measure of \ncyberattack? Do all agencies share a common metric to measure a \ncyber incident?\n    Last year, I introduced H.R. 
1030, the Cyber Attack \nStandards of Measurement Study Act, which would require the \nDirector of National Intelligence, in consultation with the \nSecretary of Homeland Security, the Director of the FBI, and \nthe Secretary of Defense, to conduct a study to determine \nappropriate standards to measure the damage of cyber incidents \nfor the purposes of determining the response to such \nincidences, and to include a method for quantifying the damage.\n    And General, beginning with you, but actually all three of \nyou, I would like to know: Do you believe that we--having a \ncommon interagency metric for measuring a cyberattack would \nbenefit the coordination of a response? And then secondly, \nshould there be an appropriate counter response to whoever \nconducts the attack?\n    General.\n    General Alexander. I have some out of bounds thinking here \nin terms of DHS, but yes, I think you ought to do standards. I \nthink I would take it one step further. I think the Department \nof Homeland Security, with what they are running in the NPPD \n[National Protection and Programs Directorate], and where they \nhave the security operations centers, should actually provide \nfor the common defense for the rest of government and the \nability to do it.\n    I don't think the smaller government agencies have the \ntechnology and the people to do that. I would consolidate that, \njust as business does, and give that authority there. I think \nthat would help in what you are trying to do.\n    Mr. Johnson. Congressman, I think that the legislation you \ncited sounds like a good idea to me. 
I would be careful, \nthough, that in terms of trying to measure the effects of a \ncyberattack, it's not necessarily one-size-fits-all, because \nyou are assessing, say, the theft of personnel security \nrecords, versus the theft of something in the Department of \nDefense.\n    And I endorse what General Alexander said, that there are \nsmaller Federal agencies that are simply not equipped, and need \nthe Department of Homeland Security for a lot of help in this \narea.\n    Mr. Chertoff. And I am in complete agreement with that \nsuggestion as well.\n    Mr. Wilson. Thank you, again, and it is really just so \nfrustrating to think of how blatant the attacks on American \ncitizens, our government, our businesses--but not just us, as \nwe see our allies in the Baltic States, or our allies in Korea, \nin Japan.\n    Another concern I have is with attribution. We have a \nsignificant and persistent obstacle in--facing our ability to \nrespond. Do you believe that state actors--and again, General, \nyou get stuck with this first, okay? But that state actors such \nas China and Russia take advantage of vulnerabilities in our \nability to legally attribute a cyberattack.\n    What can Congress do to address this issue of attribution?\n    General Alexander. Well, I think, first--and Secretary \nChertoff made a comment on the attribution, and I would just \nagree with that. That's very difficult. Something that we need \nto work, and I believe Russia and China use forces that they \ncan push out there to go after us, which makes this very hard.\n    I don't know the best legal way to do it, but I think \nthat's a discussion that has to be had as a Nation. I think we \nare going to see that--and you have mentioned the Baltic \nStates, Eastern Europe, and we are going to see it in the \nMiddle East, and I believe with events going on in Syria and \nelsewhere, it's going to hit our country. So we need to get out \nin front of that.\n    Mr. Chertoff. 
I mean, I agree with what General Alexander \nsaid. Look, the challenge with attribution I don't think is so \nmuch a technical challenge as a decision we have to make about, \nA, the level of certainty we need for certain kinds of \nresponses, and B, the extent to which we are prepared to \npublicly reveal why we make a certain attribution.\n    So we have seen lately, for example, the Department of \nJustice charged a couple of FSB [Federal Security Service] \nRussian intelligence agents in the case involving the Yahoo \nhack. That's a good thing. I think sanctions can be a better \nthing.\n    Now, if we were to get into something that was really \nseriously destructive, with a loss of life, such that it might \nwarrant a response at the level of warfare, then we might want \na higher standard. I would rather have that discussion, at \nleast quietly, now, than try to figure it out when we are in \nthe middle of an attack.\n    Mr. Wilson. Thank you very much. And Secretary Johnson, I \nlook forward to getting with you later. Thank you.\n    The Chairman. Ms. Davis.\n    Mrs. Davis. Thank you, Mr. Chairman, and thank you to all \nof you for being here. Along with the--the discussion that we \nwere just having, little bit about IP [intellectual property] \nabuse, and we know how destructive that can be. And what is a \nrealistic course of action? And at what point do we know \nwhether the actors have actually changed their behavior?\n    Mr. Chertoff. So, let me take a crack at this. And as--I \nbegin by saying IP theft is not, in my mind, an act of war, but \nit's obviously wrong. 
I think one thing we could consider doing \nis this: If we see stolen IP actually being used by an \nenterprise, we could then, I think, go after the enterprise \nlegally for that, and exact a serious economic injury.\n    And frankly, I think one of the reasons the Chinese agreed, \nseveral years ago, that commercial espionage to help their \nenterprises was not appropriate was a recognition that the \nsauce for the goose could become sauce for the gander as well. \nAnd I am not naive, I don't believe they have totally stopped \nit, but I do think that using that kind of economic leverage \ncan help.\n    Mrs. Davis. Uh huh.\n    General Alexander. I think it's the greatest theft of--and \ntransfer of wealth in history, from our Nation. It affects our \nfuture generations. So that IP theft we have got to stop. I \nthink sanctions and tariffs and other things are one way.\n    More importantly, we need to fix our defense. Right now, we \nare so porous because, as a Nation, we are doing point defense \non every point, and they are looking at this as a large target \nand only find one ``in'' and they are in. And everybody's going \nto make a mistake. So we have got to come up with a more \ncomprehensive collective solution.\n    Mrs. Davis. Is--go ahead.\n    Mr. Johnson. I agree that IP theft is a significant \nproblem, and it encompasses national security as well. Theft of \nintellectual property by nation-states is a significant problem \nthat this committee should be very concerned about.\n    Mrs. Davis. Could you speak a little bit more to who's in \ncharge? Because we talk about--excuse me--we talk about the \nintegration of effort, and yet it's difficult, who actually is \nin charge? And when it comes to private companies, who do they \nsee as in charge? What is their perception of who's actually \nmaking the rules?\n    Mr. Johnson. 
We--we made an effort at this in the last \nadministration, and there's always the temptation, with every \nnew administration, to try to reinvent the wheel. But in \ngeneral, the Department of Defense, NSA [National Security \nAgency], Cyber Command, should be responsible for defending the \nNation against an attack and the security of our military \nsystems.\n    Law enforcement is--should be responsible for the threat \nresponse. In other words, you report the crime to law \nenforcement, whether it's the FBI, the Secret Service, or HSI \n[Homeland Security Investigations], and the Department of \nHomeland Security should be responsible for asset response, the \nforensics, patching the vulnerabilities. And so, the way I used \nto describe it when I was in office, ``Jim Comey is the cop and \nI am the fireman, and you call both of us when you have an \nattack.''\n    Mrs. Davis. Yes, yes. But at the same time, I think \nthere's--you are--we are talking about a common operating \ntheater, and are there authorities that still are unclear? And, \nyou know, just to what extent have we been a little slower to \ncome to that, so that--so that there is a common sense, or a \ncommon knowledge, really, of----\n    Mr. Johnson. Well, despite what I just articulated, I think \nthat there is still a lot of--a lack of public awareness about \nwho is in charge. And it has to be a whole of government \napproach, but the lines of authority need to be reiterated and \nstressed over and over----\n    Mrs. Davis. Is there a cultural problem in doing that?\n    Mr. Johnson. In my experience, cultural problems stem from \nthe leadership. If the leaders of the organizations know and \ntrust and respect each other, then that filters down in the \nculture. But leaders turn over. I thought at DHS we had an \nexcellent working relationship with the FBI in part because Jim \nand I were friends for over 25 years. 
And that filters down.\n    But with each political turnover, with each new \nadministration----\n    Mrs. Davis. Right.\n    Mr. Johnson. The personalities change.\n    Mrs. Davis. What role does the executive play in that?\n    Mr. Johnson. I think that it's important for the executive \nto reinforce continuity and consistency in the protocols and \nhow everyone should work together, so that it eventually \nsettles in to how we approach this issue.\n    Mrs. Davis. Yes. Thank you. Thank you, Mr. Chairman.\n    General Alexander. Can I add to that one? Because I think \nit's important. The question that you are asking is who's in \ncharge. You know, we had--when we were starting out in standing \nup Cyber Command, Secretary Gates had some great ideas about \nhow you pull together all of government into a comprehensive \nsolution.\n    And he thought of, how do I pull what we are doing in the \nDefense Department, Justice Department, and Homeland Security \nall together, so that we can act in peacetime--seamless from \npeacetime to crisis to a war? And I think that's the kind of \nsolution that we need to look at as a country.\n    And right now, as you note, it's fragmented. And it was \ngreat working with Secretary Johnson, it was great with \nSecretary Chertoff, but the reality is there are personnel \nissues, resource issues, technology things.\n    And I agree, the FBI was great to work with for me. You \nknow, it was--they were amazing, and whenever--we would assume \nthey would have had the lead because of law enforcement, but if \nit was nation-state it would flip to us.\n    So I think you need to figure out--we need, as a \ngovernment, to put that together somehow. Some have talked \nabout a Secretary of Cyber. I am not sure I would go that far, \nbut I would sure look at how you nest between Homeland Security \nand Defense Department common authorities and a common \nstructure between those to get that going, and append to that \nFBI.\n    The Chairman. 
Mr. Scott.\n    Mr. Scott. Thank you, Mr. Chairman. Mr. Johnson, you went \nto school in Atlanta, at Morehouse, I know, and as we discussed \nearlier, and the city of Atlanta on March 22nd was attacked \nwith--as I understand it, the SamSam ransomware. The people \nasked for a $51,000 ransom, a fairly small amount, but my \nunderstanding is that that group has raised almost a million \ndollars from different attacks, and these attacks have been \ngoing on since 2015, with that type of ransomware.\n    Now the $51,000 is not a whole lot of money to a city like \nthe city of Atlanta. The damage that was done and the cost to \nthe city of Atlanta is going to be in the millions, in shutting \ndown courts, the inability to pay fines online, the loss of \ntime of employees. I don't know what it will total up to, but \nit will be millions of dollars that the ransomware costs.\n    My question gets into, since this has gone on since 2015, \nthe SamSam ransomware, has there been a coordinated effort from \nthe U.S. Government to find out where these attacks, these \nSamSam attacks are originating and how will we stop them? And \nif we do find out where they are originating from and who is \ndoing it, how effective are our laws with regard to the \nprosecution of that crime if it is in the U.S. or if it is \noutside of the United States?\n    Mr. Johnson. A coordinated effort to--you know, I don't \nknow that there is, within the FBI, for example, a ransomware \nbureau devoted to those who engage in this, and as I think you \npoint out, those who engage in ransomware are open and \nnotorious. 
It's becoming a bigger and bigger business.\n    I suspect that--and Mike could probably speak to this, \ntoo--I suspect that the existing laws in title 18 are \nsufficient to deal with this as a crime, but in my experience, \nmost often ransomware stems from a simple act of phishing or \nspear phishing, where an employee who uses the system opens up \nan email or an attachment that they shouldn't, and the actor is \nin the system and they can steal things in the system.\n    And so a large part of the answer to the ransomware problem \nis simply raising the awareness of those who use systems about \nopening emails that you don't recognize and attachments you \ndon't recognize.\n    But I suspect and believe that the existing laws are \nprobably sufficient to deal with this once you can track down \nthe bad actor.\n    Mr. Scott. So one of the questions that has been asked of \nMark Zuckerberg is about the fiduciary duty to protect \ninformation. So banks, financial institutions, the government, \nthe city of Atlanta would have a fiduciary duty to protect the \ninformation that they had in their computer systems.\n    What about the networks? Should the networks have a \nfiduciary duty to protect the information that they are \nhousing?\n    Mr. Johnson. A fiduciary duty, if not a legal duty, to \nprotect the information that they are the custodians of. A bank \ncertainly has a fiduciary duty to protect the information with \nwhich it is entrusted, and the management of these banks have \nfiduciary duties to their shareholders as well.\n    And so I am sure that there are certain obligations that \nthose who manage networks have to the customers that rely on \nthem.\n    Mr. Scott. I am short on time. I guess that the challenge I \nsee in this area--if someone goes to work for a Google or an \nOracle or a technology company, they may make in a month, if \nthey are good, what we pay people in a year. 
And it--it seems \nto me that some way, some how, the laws are going to have to \nincentivize those companies to do everything they can to stop \nthese types of attacks. Not because we don't have capable \npeople, but because there's so much of it going on out there \nthat we need--we need their help in doing this.\n    And so sometimes they see it--would see it even before--\neven before we would see it. So I have an Ag [Agriculture] \nmeeting at the top of the hour, but I appreciate all of you \nbeing here, and thank you for your service to the country.\n    The Chairman. Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman, and I want to thank \nour witnesses for your testimony today and for your service to \nthe country. Over the many years that we have all worked on \nthis issue of cybersecurity, I have had the pleasure of having \nyou testify before me, whether it's on the House Armed Services \nCommittee, or the House Intelligence Committee, or the House \nHomeland Security Committee, and I have always deeply \nappreciated your thoughtful answers and your contributions to \nbetter protecting the country in cyberspace.\n    So, you know, the one question that I still continue to get \nfrom--from people back home is, you know, why aren't we more \neffective at defending the country in cyberspace? Why are we \nstill seeing these high-profile cyber intrusions or attacks, if \nyou will? And I--you know, obviously the answer is we are \ngetting better at it, but it's a very hard thing to defend \nagainst.\n    And we have the NSA with Cyber Command that is trying to--\nbasically defending the dot-mil network. The Department of \nHomeland Security is in charge of defending the dot-gov \nnetwork, although they don't have the policy or budgetary \nauthority to reach government to actually compel departments \nand agencies yet to do what needs to be done. 
That's why I have \nlong advocated for the bill I put in, the Executive Cyberspace \nAuthorities Act, to have someone with that kind of policy and \nbudgetary authority.\n    But yet most of the damage can still be done in the dot-com \nworld, particularly in critical infrastructure, and no one \nreally is in charge there, and no one has the authority, and I \ndon't know the American people, you know, would accept--and I \ndon't think they would accept having NSA or Cyber Command \nsitting on the network internally to defend in the dot-com \nworld.\n    So, what is the best way forward to in fact defend the \ncountry? And, General Alexander, you and I have talked about \nthis--you know, right now--and you have often referred to it \nas, you know, ``We are still playing clean-up on aisle 9.''\n    I am interested further in your thoughts about the idea of \ndeterrence in cyberspace. The new U.S. CYBERCOM Command vision \ntalks about defending forward as far as possible before \nadversaries penetrate our defenses. And this sounds somewhat \nlike the old adage of the best defense is a good offense.\n    And so do you agree with this posture? And if we see things \nin cyber that--whether it's a nation-state or criminal \nenterprise about to do something--is it best that NSA or U.S. \nCyber Command inform private industry about--about the \nimpending damage that could be inflicted and let them defend or \nfix the problem? Should NSA or U.S. Cyber Command take the \naction to stop it, or turn it off, as you say?\n    What is the best way forward to handle these challenges?\n    General Alexander. So first, I think the--in setting the \ndefensive infrastructure, the first thing we need to do--and \nDHS would have the lead on--set the standards of what industry \nhas to do. Here's how you lock your doors, here's how you \nencrypt your stuff. And set standards, and Congress can set \nincentives for small, midsize, large companies to do that. 
Then \nif they are attacked by something that exceeds those standards, \nthey should have some form of protection.\n    And part of that standard should include sharing \ninformation under law--CISA-level information, not personally \nidentifiable, but threat intelligence, cyber intelligence \ninformation at network speed with the government so the \ngovernment can do what you suggest.\n    And it falls then on the government--whose role is it? If \nit's criminal, it's going to go to FBI. If it's a nation-state, \nand an attack that's going to hurt our country, that's where \nyou want Cyber Command and NSA to be actively involved. And if \nit's foreign coming in, you want NSA's intelligence to help \ninform law enforcement and the defense on how to defend that \ngovernment.\n    So I think the key thing that you can help do here is help \nindustry set standards, give them the incentive to do that, and \nthe liability protection if they meet those. Because the \nlawsuits are way out--way out of bounds, and companies that are \nbeing attacked by nation-states don't have the ability to \ndefend. Sir.\n    Mr. Johnson. So in the Cyber Security Act of 2015, Congress \nestablished limits on criminal and civil liability for those \nwho share cyber threat indicators with the Department of \nHomeland Security. So that's a good thing.\n    The problem we have is--and we set up, on my watch, \nautomated information sharing with the private sector--and \nKeith is right, there's a lot that private sector can benefit \nfrom if we at the national level are able to share the threat \nstreams that we see, but there's also a lot that the government \ncan learn from the private sector. Things that are happening \nwithin the private sector that the government doesn't \nnecessarily know about right away.\n    I have been disappointed that not more entities in the \nprivate sector are willing to share information----\n    Mr. Langevin. I agree.\n    Mr. Johnson [continuing]. 
With the Department of Homeland \nSecurity because they are concerned that it will go public, it \nwill be compromised in some way, and that's a--that's a real \nproblem, that's a real dilemma. There are many, including \npeople in Congress, who believe that there ought to be \nmandatory disclosure by Federal agencies in certain \ncircumstances if we know about something.\n    And that, frankly, compromises DHS's ability to encourage \nthe private sector to come to us and work with us.\n    Mr. Langevin. Well, my time expired, but thank you all for \nyour testimony here today, and your answers, and I yield back.\n    The Chairman. Ms. Stefanik.\n    Ms. Stefanik. Thank you, Mr. Chairman. I have three \nquestions, and I am hoping to get through all three, so I will \nstart with you, General Alexander.\n    You helped build Cyber Command. What steps do we need to \ntake in this year's NDAA process to mature Cyber Command? And \nthen, look forward 5 years. What does Cyber Command need to \nlook like 5 years from now?\n    General Alexander. I think first the unified command is the \nright next step, getting to a unified command. I think the \nrules of engagement discussion that we have is the second thing \nthat I would push at. The third is with government as a whole, \nincluding Cyber Command, how do we defend the country?\n    How do we, as a government, work together to defend this \nNation? And bring it out and have a public discourse on how we \nare going to do that. Don't go into the tools and all that, but \ntalk about why the information that's being shared is necessary \nto defend this country.\n    Ms. Stefanik. Thank you for that. My second question has to \ndo with emerging technologies. When we consider what the world \nof cyber looks like, quite soon I think of threats like AI \n[artificial intelligence] and quantum computing. What--how do \nthese technologies play into the future of cyber warfare, and \nwe need to be thinking about as policy makers? 
I will start \nwith you, Mr. Chertoff.\n    Mr. Chertoff. Well, I think on--on AI, as with most \ntechnologies, there's an upside and a downside. There's no \nquestion from a threat standpoint the ability of an adversary \nto automate the ability to test and try to break into a \nnetwork, or even to use that for kinetic purposes, increases \nthe threat.\n    But the good news is I think, particularly if you use \nbehavioral analytics, AI can be a good way of defending the \nnetwork in depth, which is what we need to do.\n    Quantum computing, I think it raises some issues about \nencryption. And encryption is a major security tool. There's a \nview, however, that quantum computing can eventually make it \nvery easy to penetrate encryption. It may also be the case, \nthough, that it may be a tool to actually enhance encryption.\n    So in both of these cases I think we have to watch \ncarefully to make sure that, to the extent the threat is \nincreasing, we are using these technologies to increase our \nresistance.\n    Ms. Stefanik. General Alexander, I will go to you next, but \nI want to also add an additional question related--are we \nunderinvesting in these spaces?\n    General Alexander. No, I was going to hit just on that, Ms. \nStefanik. I think first we have to lead globally in quantum \ncomputing and AI. The country that is the leader in those two \ntechnologies will be the future superpower. That needs to be \nus. And so we aren't investing enough, and this is a huge area.\n    And there are some great experts in government at \nclassified levels in both, and I would encourage you to get \nwith those.\n    I think in quantum computing what Secretary Chertoff said \nis exactly right, both good and bad. AI the same thing, and you \nhave seen Elon Musk and Gates go at this, both pro and con. I \nthink the good part of it, it will help us solve cancer and \nother things, and I think there's tremendous good. 
The bad \nparts, it means your decision cycle is going to be extremely \nfast in cyber and the attacks are going to grow, so we have to \nbe ready.\n    Ms. Stefanik. Mr. Johnson.\n    Mr. Johnson. I agree with what Keith just said. I think \nthat we need to invest in cyber talent in the Federal \nworkforce. All of our best talent in the DHS, the people that \ncan actually explain this to me, get stolen into the private \nsector because they are able to pay multiples of what we pay in \nthe Federal Government.\n    Congress has done some things to enhance our ability to \nhire cyber talent, but I think that's definitely a work in \nprogress.\n    Ms. Stefanik. Thank you. And my last question I will try to \nget through quickly, each of you have testified to the \nimportance of improving interagency coordination and \ninformation sharing. I want to drill down into the specifics. \nWhat specific actions can we take from the HASC [House Armed \nServices Committee] perspective to improve this interagency \ncollaboration and ensure that we are improving our readiness?\n    Mr. Chertoff. So one suggestion--and actually back in 2008, \nGeneral Alexander and I talked about this--would actually be to \ncreate--to co-locate representatives of the three major \ngovernment agencies in a setting that would allow them to have \na common operating picture in real time about what is going on.\n    General Alexander. We actually built an integrated cyber \ncenter up at Fort Meade, where you would see the center of some \nof that, and so I would encourage that, to build that common \noperating picture so that you can see the attacks, and each \npart of government could coordinate what their response would \nbe. Right.\n    Mr. Johnson. DHS has actually built an integrated cyber \ncenter, too, called the NCCIC, the National Cyber \nCommunications Integration Center. And it's an interagency \noperation, and I think we need to bolster that and improve upon \nthat.\n    Ms. Stefanik. 
Thank you, my time is about to expire. I \nappreciate the answers.\n    The Chairman. Mr. Larsen.\n    Mr. Larsen. Thank you, Mr. Chairman. I would like to yield \nmy time to Mr. Khanna.\n    Mr. Khanna. Thank you, Mr. Larsen. Thank you, Mr. Chairman. \nThank you to our witnesses for your service to our country.\n    Secretary Johnson, I was very impressed by footnote 5 in \nyour testimony, where you talk about the definition of cyber \nwarfare. And you explain your view that we should have a \nlimited definition of cyber warfare. One could imagine the \nRussians creating cyber dislocation in Latvia, and the last \nthing we would want is to be bound, under NATO, to go to war \nover that.\n    And I was surprised reading it that you wrote that we don't \nhave a definition of cyber warfare in the government, and I \nwould be curious about your thoughts of what Congress or the \ngovernment should do so we have a clearly defined standard for \ncyber warfare.\n    Mr. Johnson. You are correct. We spent, in the Department \nof Defense, as some members of this committee will know, \nliterally decades writing a law of war manual that I think \nstarted in the 1970s. And it was finally published in 2013 or \n2014. And it barely touches upon cyber, because cyber didn't \nexist when we began writing it.\n    And so beyond answering the question, may a cyberattack \nconstitute an act of war? There is a lot more that needs to be \nfilled in in the blanks. You know, what constitutes a \ncyberattack? What are the implications of that? What are the \nacceptable parameters for how we respond? What are the limits \non the private sector in their responses?\n    But the basic legal question is one I was interested in, \nand I basically defer to those who have already written on \nthis, which is what I said in my statement. That you have to \nlook at the kinetic effects rather than the kinetic means. 
And \nI caution against reaching for something that's too creative \nand too expansive, because it would have implications globally. \nAnd so it's sort of like be careful what you ask for.\n    But I think there's a lot more work that needs to be done, \nlimited simply to cyber--if you will, cyber warfare, what \nconstitutes a cyberattack, and what their--what are the \nacceptable protocols. And there are aspects of the existing \nlaws of armed conflict that we can borrow from. Necessity, \nproportionality, distinction in a cyber response; I think there \nare elements of law of war principles that are useful in \ndeveloping this, but it's something we have to undertake to do.\n    Mr. Khanna. Well, I appreciate it. I certainly learned a \nlot, and I hope you will use your expertise to help guide this \ncommittee, Congress, and the Executive Branch as we try to \ndefine that, so that we don't find ourselves in a war, \nescalating because of too creative or expansive a definition.\n    I was also struck, where you talked about the coordination \nin the private sector with cybersecurity. I mean, it's always \nstruck me that we don't have companies having their own armies. \nThat thought would be absurd. And yet, we have all of these \ncompanies having their own cybersecurity operations.\n    And the question, to any of the witnesses, is what can we \ndo to make that less of a burden, so that if you are a small \nbusiness or you are a company, you don't have to have your own \narmy to protect your cybersecurity? Is there a role for the \nFederal Government to do this, like we have an Army, and an Air \nForce, and a Navy to protect our Nation?\n    Mr. Johnson. Well, it's the basic response of the national \ngovernment to defend the Nation against an attack. 
And on the \ncivilian side, law enforcement, the Department of Homeland \nSecurity can share information, encourage best practices, but \nat the end of the day, whether you are the CEO [chief executive \nofficer] of a large public company or you are the manager of \nyour own business, you have to be responsible for the security \nof your own systems. And there are a lot of outside experts \nthat can help with that in the private sector.\n    This inevitably has to be a public-private endeavor, \nbecause of the nature of cybersecurity.\n    Mr. Chertoff. Yes, I would add to that, that I think for \nthe smaller enterprises, there are now managed security \nservices that can actually do that as an outsourced function. \nAnd one of the benefits they have is if they are working with a \nlot of different companies, they are seeing a lot of activity \nover the landscape, and that actually makes them better.\n    General Alexander. And I agree with that approach. I think \nthe key is, and this is where Congress could help, if you set \nstandards through DHS that industry meets, and you are \nprotecting against what I will call a reasonable threshold of \nattacks, and then somebody comes in with a nation-state-like \nattack, just as in the physical world, you have all your bank \nguards, you have all these folks working it, and if the--a \nmotorized rifle regiment comes in and wipes them out, you would \nsay, well, shoot, you should have had air defense systems.\n    And the reality is when it gets to nation-state level, you \nhave to have nation-state response. I think getting there means \neverybody gets to a certain standard, and then shares at \nnetwork speed across government so the government agencies can \ndo their specified roles.\n    Mr. Khanna. That's very thoughtful. I really appreciate the \ntestimony of the witnesses on this issue.\n    The Chairman. Mr. Banks.\n    Mr. Banks. Thank you, Mr. Chairman. 
Gentlemen, in my State \nwe have already seen the consequences of cyberattacks. This \npast January, a criminal hacking group was paid $55,000 in \nBitcoin as ransom to regain access to a hospital computer \nsystem at Hancock Regional Hospital in Greenfield, Indiana. \nThis came at a time during flu season, when the systems and the \ninformation they contain was critical to providing health care.\n    With--while this was a criminal action by one group \ntargeting a single hospital, the effects of a state actor using \ncyberattacks on the public health system or other critical \ninfrastructure would be disastrous, given the systematic \nvulnerabilities.\n    So my first question, for all three of you, is since much \nof the Nation's critical infrastructure is privately owned, \nwhat if--what efforts need to be taken now to better secure \ncyberspace activities essential to their daily operations? And \nwe can start with you, Mr. Chertoff.\n    Mr. Chertoff. Well, you know, I think this is--again, \nthere's not a magic bullet answer to this. And the analogy I \noften use is the public health analogy. You know, how do we \nprotect ourselves against disease and illness? It requires some \nthings the government does in terms of formulating vaccines, \nbut it requires us to take certain steps.\n    So in the case you are talking about, look, a lot of these \nransomware attacks occur because somebody downloads something \nthey shouldn't, or because you haven't patched or updated. And \nthose are things which are on the responsibility of the private \nsector actor to do.\n    Then there are other elements, you know, particularly when \nyou are dealing with a nation-state, where our ability to \nperceive that something is being readied for an attack could \narguably call for us to act preemptively. 
Certainly, if there \nwas the possible consequence of loss of life.\n    So I think this is--there's not going to be a single step, \nit's about raising the level of cyber hygiene for the owners or \noperators of the critical infrastructure. It's about backup for \nthe critical data. It's about training people about the silly \nthings they ought not to be doing. And then when you do see a \nnation-state fixing to do something, then there's a--I think \nroom to have a discussion about do we act to blunt that away \nbefore it hits us at home?\n    Mr. Banks. General.\n    General Alexander. So I agree. I think setting the \nstandards, getting everybody to build and work at those \nstandards, and then sharing information across the government \nis the way to do this. Ransomware, the year of ransomware, of \n2016, 2017, it's going to continue. They are making money on \nit.\n    And so the issue for the government will be how do we \nrespond, between law enforcement, intel, and defense? And then \nwhat can we do in hygiene to help defend against that?\n    And I think that's where the common operating pictures of \nwhat you are doing for incident response and helping critical \ninfrastructure, and what you are doing to defend the Nation \nneed to be merged.\n    Mr. Johnson. I agree with everything that's been said. I \nwould add to that that there are lots of people who are part of \ncritical infrastructure who don't know that they are part of \ncritical infrastructure. For example, arguably election \ninfrastructure, before I made it explicit, was already part of \ncritical infrastructure, because it's part of government \ninfrastructure.\n    And so a beginning point is to educate those in critical \ninfrastructure that they have a heightened duty, and, \ntherefore, need a heightened awareness.\n    Mr. Banks. 
So along those same lines, one of the difficult \nissues, culturally, for hospitals and other private sector \nentities is information sharing with the government about their \nsystematic vulnerabilities. What--what can we or should we do \nto improve the culture of information sharing between the \nprivate sector and the government that would involve critical \ninfrastructure? And, Mr. Johnson, we can start with you.\n    Mr. Johnson. We have already done a fair amount. Congress \nhas already done a fair amount, as I mentioned earlier, by \nenacting limits on criminal and civil liability for those who \nshare cyber threat indicators. DHS has established automated \ninformation sharing that has a privacy scrub that goes with it.\n    And I think it's really a matter of raising the levels of \ntrust and lowering the barriers of suspicion that exist right \nnow. And there's a lot more work that needs to be done there, \nbecause not enough in the private sector, in critical \ninfrastructure, have the type of partnership that I think they \nneed to have with DHS to effectively deal with this issue.\n    General Alexander. I think for most hospitals--there's two \nhundred and some in New York City alone, they should outsource \nit and get a comprehensive solution across all of them. Their \nfocus is on saving people. And if they are spending a lot of \ntime trying to defend their networks and keep their equipment \nup, then they are not doing this. I think we have to look at it \nmore like that. Secretary Chertoff brought up part of that, and \nI believe that's the correct way to go do it.\n    Mr. Chertoff. I would simply add to that, I think we need \nto educate hospitals and medical facilities that they are in \nfact critical infrastructure, and they are in fact targets. 
We \nhave information sharing and analysis organizations that are \nplatforms for sharing.\n    One other thing that I would say--and I have talked to \npeople in the medical community on this--as we multiply smart \nmedical devices that are connected to the internet, we have to \nbe very careful we are not creating serious vulnerabilities \nthat would lead to a loss of life. So pacemakers or various \nkinds of injection pumps, if they were wirelessly connected can \nbe very beneficial, but the devices could also be an attack \nvector and we need to look to the FDA [Food and Drug \nAdministration] as well as the industry to focus on that.\n    Mr. Banks. Thank you. My time is expired.\n    The Chairman. Mr. Veasey.\n    Mr. Veasey. Thank you, Mr. Chairman. General Alexander \nmentioned something earlier, but I think that anyone can answer \nthis. And I wanted to know, do you think that we should be \nlooking at bolstering the military and State Department when it \ncomes to dealing with this issue?\n    And the reason why I mention that is because it seems to me \nthat if attacks on small to midsize allies are occurring, that \nthey may--that that also may be an issue of governance that \nthey have within their countries by not being able to manage \nall of this. And just wanted to know if you had any thoughts on \nthat.\n    General Alexander. I do think alliances are going to be \nextremely important in cyber. And it's important for two \nreasons. One, to get the norms and the group together, and \nsecond, we learn a lot by seeing where others are attacking. \nMost attacks that hit our country are tested elsewhere. The \nmore partners we have, the smarter we will be in defending \nourselves.\n    Mr. Veasey. And also, General Alexander, I wanted to ask \nyou, because small and midsize allies in certain countries that \nwe are trying to give assistance to, they have had trouble \nmanaging their natural resources. 
How--how do you help \ncountries like that manage something as sophisticated as cyber, \nyou know, defense? Like, how do you empower them to do that \nwhen they have had trouble just managing just basic needs of \nrunning a country, you know, previous to all the cyber issues \nthat we had?\n    General Alexander. So that's more difficult. I think there \nare some countries that you can help right off the bat, and I \nencourage our government to work with those that they can help \nprotect. You can see a live fire, in terms of cyber going on in \nthe Middle East. Partnering with the Middle East to help solve \nthat is going to be extremely important. The same in Asia; we \nare seeing a lot of attacks. And in Eastern Europe.\n    Each of those have different groups. I was in a discussion \nwith some of the folks from NATO a couple days ago. Doing a \ncommon defense with NATO and helping them set a standard would \nlighten our load, increase what they could do, and bring that \ncollective body together as well.\n    Mr. Veasey. And Secretary Johnson, I wanted to ask you, you \nsaid in your comments earlier that you think that there \nshould--if you had your way, that you would have, in businesses \nand governmental entities, have some sort of minimal standards \nwhen it comes to protecting their cyber.\n    I wanted to ask you about the cost to that. Do you think \nthat, in order for smaller or midsized businesses, and even \nsmaller municipalities, to be able to really put the \nprotections in place that they need--like, how much money would \nsomething like that run a smaller entity?\n    That could certainly be maybe a softer target, it wouldn't \nbe as large of a target as a large city, but could certainly be \na softer target. Like, what sort of resources would they need \nto bring to the table in order to meet those minimal standards?\n    Mr. Johnson. 
Well it depends on the nature of a business \nand the nature of the information it possesses and how it \nconducts business. Without a doubt, encouraging companies, \neither legislatively or otherwise, to embrace best practices \nprobably means embracing a certain level of technology.\n    But we are all as strong as our weakest link. And so if you \nhave a company in a supply chain that invest millions and \nmillions of dollars in their own cybersecurity, but they do \nbusiness with a supplier that doesn't, then the big supplier up \nthe chain is at risk because they are doing business with \nsomebody who doesn't see this as an issue.\n    But in my engagements in the private sector, I would \nencourage CEOs to view cybersecurity in the same way they would \nview physical security, the care and custody of their \ncustomers' intellectual property, and so forth, so that we \ndon't view this as simply a side issue that's going to require \nsome money.\n    It's a basic issue of security. As someone mentioned \nearlier, in many cases it implicates a fiduciary duty that \nsomeone may have. And so, sure, is it going to be an \ninvestment? Absolutely. But if you want to be the best at \nsomething, you have got to make investments in technology.\n    Mr. Veasey. Right. And it would be interesting--my time is \nabout to expire, and I will just add this at the end--you know, \nit would be interesting to get your comments on, like, as a--\nsay a company that supplies a defense contract or a small, you \nknow, midsize company that is a supplier--for them to be able \nto meet those same requirements could be much more onerous than \nthe defense contractor, for instance. So, just something to \nthink about.\n    Mr. Chairman, I yield back my time. Thank you.\n    The Chairman. Mr. Hice.\n    Mr. Hice. Thank you, Mr. Chairman. 
General Alexander, you \nare--you have made a recommendation to bring the responsibility \nfor private sector outreach and the defense community under a \nsingle authority. Can you elaborate further on that, and why \nthat's important?\n    General Alexander. Well, I think having unity of effort is \nvery important. And right now, everybody's really busy. And I \nlook at how hard Homeland Security, with all the things that \nthey are doing, Defense Department with what they are doing--\nwhen I was asked earlier by one of the members why aren't we \nmaking more progress, and the answer is everybody's busy \nhandling a lot of things. Do you appoint somebody and hold them \naccountable for moving this, and going back to Homeland \nSecurity, and the Defense Department, and Justice to get it \ndone?\n    I think the answer is yes. And where and how you place that \nentity is where I would get the Secretaries of Defense, \nHomeland Security, and Department of Justice together and say, \niron it out. I think with Secretary Gates, Secretary Chertoff, \nin their seats back then, another couple of years and I think \nthat would have been solved. And now I think what we need to do \nis look at that and say, how do you do that?\n    Because there are specific missions. You don't want the \nDefense Department going out and trying to police up all the \nincident response. You don't want them setting standards and \nlooking--that's Homeland Security, and they have that, and they \nshould do that. You want the Defense Department to defend the \ncountry. But both of those require for you to see this, and \nhave this entire spectrum of cybersecurity visible to all the \nactors. It's not there. And we need to fix that.\n    Mr. Hice. I would like to hear the opinion from the other \ngentlemen. Mr. Chertoff.\n    Mr. Chertoff. I mean, I agree with General Alexander. I do \nthink that there are distinct roles and responsibilities. 
The \nkey is to have clarity about who supports and who's being \nsupported in each of those roles.\n    Mr. Hice. Okay.\n    Mr. Johnson. I agree with that, yes, sir.\n    Mr. Hice. So all three of you agree that there ought to be \na single authority, however that's decided, then? Now, when I \nwalked in a little while ago, Secretary Johnson, you were \ntouching on this, so I would like to--I will just go to General \nAlexander--regarding how to improve the ability to recruit and \nretain our cyber experts. Do you have any thoughts on that?\n    General Alexander. Yes. What we did, Congressman, at Cyber \nCommand--we are not going to keep all these guys for a long \ntime, but if you can get them to commit for 6 years, and get \nthem in training for a year, this would be great for our \ncountry both in the military, in government, and then in \nindustry.\n    So I think what the government can do is help train and \neducate a large population, not just for the Defense \nDepartment, but also for Homeland Security. And part of that \ntraining could be we will provide your training, you commit to \na period of time in government.\n    And, you know, I really believe that young people should \nserve in government. I really do. And so this is a way to \nincentivize it, and you give them a future, and you help our \ncountry. That's what I would do. There are many young folks out \nthere that can't afford college, but they are built for cyber. \nAnd we ought to latch on to them.\n    Mr. Hice. So what timeframe do you think they ought to be \nable to make a commitment?\n    General Alexander. 
Well, I would go for 6 years, with one \nof those or one and a half being a commitment for education, \nand I would advance the education, similar to what the Defense \nDepartment does for the joint cyber ops [operations] center--\nschool, but I would do that a little bit longer with some of \nthe defense and all that, and I would mix them all together.\n    And the reason is you want the people that work in \ngovernment to work together.\n    Mr. Hice. Okay.\n    General Alexander. And so the military and civilian.\n    Mr. Hice. I see some head-nodding.\n    Mr. Johnson. I would concur with what he said. My message, \nwhen I was in office, to young people continually was if you \nwant to--if you want to go work for The City Group, or Goldman \nSachs, or J.P. Morgan Chase in cyber, come serve your country \nfor a few years and get that benefit of those insights.\n    And then the struggle becomes they all are drawn to the, \nyou know, perceived ``cool'' agencies, like NSA, and so we have \nto encourage them to want to work in the civilian agencies as \nwell.\n    Mr. Hice. Okay. Last question. Is the--in your opinion, is \nthe Cyber Mission Force adequately sized for the challenges it \nfaces? General.\n    General Alexander. I think it is right now.\n    Mr. Hice. Okay.\n    General Alexander. What I would encourage is a set of \nexercises with that force with the rest of government, and \nperhaps key players from industry and Congress, to look at that \nand see the challenges. I think the teams and the construct of \nthe teams were right. We have based those on other teams that \nwere very successful for our country. So I think it was the \nright thing.\n    We were encouraged initially to cut it back. And I said, \nbut this is what it takes. And we--40 teams of a certain type \noffensive, 68 defensive teams that would work with--DHS and \nothers, and the 25 analytic teams. I still think that's right.\n    Mr. Hice. Thank you. Thank you, Mr. 
Chairman, I yield.\n    The Chairman. Mr. Garamendi.\n    Mr. Garamendi. First of all, Mr. Chairman, thank you for \nsetting up this hearing. It's extremely important and the three \ngentlemen that are testifying have a wealth of wisdom.\n    If I might, recently the Department of Homeland Security \nissued a--an alert that Russia had hacked into critical \ncivilian infrastructure, gaining access to our power grids, \npower plants, and other industrial plants, and in some \ninstances, gaining operational control.\n    Is this an act of war? I think that word was used by the \nDepartment of Homeland Security. If yes, what is the \nappropriate response?\n    Mr. Johnson. Congressman, I would characterize what is in \nthat statement as a very significant threat to our Nation and \nour national security, but I would not characterize it, in and \nof itself, as an act of war.\n    Mr. Chertoff. I agree with that. I mean I think that--and \nit's often difficult to tell when you find malware in a \nnetwork, what the purpose of it is. And often it has multiple \npurposes.\n    You know the--it could be at one level, reconnaissance. It \ncould be deterrence in the sense of a way of signaling to the \nU.S., look what we can do and, therefore, if you mess with us \nwe are going to do this. Or it could be prepositioning \nsomething for an attack, or all three of those.\n    But I would agree with Secretary Johnson that positioning \nis not the same thing as actually carrying out an act of war. \nNow, if you shut the lights off and there was a serious loss of \nlife, then we are getting into territory----\n    Mr. Garamendi. Well, they did shut down a reservoir, if I \nrecall correctly.\n    Let me just move on. So, it's not an act of war. That \nbrings us to the rules of engagement, doesn't it, and to the \ndefinition thereof. 
We are not going to get to that today, but \nboth of you--all of you have said this is critically important.\n    General Alexander, you have danced around this issue of \nbeing able to comprehend when an attack is underway, and to be \nable to act. You haven't been specific about that. If you would \ntake a moment or two to discuss that, and then my final \nquestion is, we have an annual exercise with CYBERCOM working \nwith DHS and so forth.\n    Let me just--I am going to hold General Alexander my \nquestion. Do you all want to stay with this other question I \nhad.\n    So that annual exercise would seem to be exactly what this \nRussian intervention--we won't call it an act of war, but \nintervention into our critical grids, was designed to deal \nwith.\n    So what comes of this? Should we not be using the \ntechniques that come from that annual exercise to deal with \nthis Russian hacking into these grids?\n    General Alexander. Sir, I think the issue for them hacking \ninto this grid is they are trying to gain insights into the \noperations of our network for future use. I agree with what \nSecretary Chertoff said. I don't think this is an act of war. I \nthink it's an act of intelligence gathering and positioning for \nfuture conflict.\n    What it does show you is that we have to have visibility of \nthose types of attacks. So you asked specifically, what does \nthat mean? And I will give you an example.\n    If you look at what happened to Saudi Aramco, the \ndestructive attack into Saudi Aramco with a wiper virus \nactually went on for about 2 months. No one had insights into \nthat because nobody's looking at Saudi Aramco. And our \ngovernment cannot see today actively what is going against our \nenergy sector.\n    The energy sector actually has been the great--the best to \nwork with in this area. They are pushing to really step that \nup. 
I think their--their strategic infrastructure, coordinating \ncouncil and things that they put forward is exactly right. But \nit needs to go to the next step. How do you get that data up to \ngovernment so you can build that picture so you can see Russia \ncoming in?\n    And the answer is you don't see that. NSA doesn't see it, \nCYBERCOM doesn't see it, DHS doesn't see it. So what happens is \nthey are getting hit, they are--they don't have the ability to \nshare it. They don't know they are getting hit or they would \nhave stopped it. So our common operating picture, it's like \nit's free for them to get in. We have to build the system up \nand make that visible.\n    Mr. Garamendi. We are going to write the National Defense \nAuthorization Act in the next 2 months. What should be written \ninto that to deal with this precise problem?\n    General Alexander. Well, I think it's to build a common \noperating picture and sharing. I would emphasize that the CISA \nAct of 2015 and take it to the next step and say--and encourage \ncompanies and government to work together and to train and \npractice so that--I would look at this as strategic \ninfrastructure coordinating council and encourage councils like \nthat, where you bring industry into government to share this \ninformation is exactly right.\n    That puts CEOs in the seat.\n    Mr. Garamendi. You used the word encourage.\n    General Alexander. Strongly. I don't know what you can do \nwith industry, but you know----\n    Mr. Garamendi. Encourage them hard.\n    General Alexander. I think--I don't know that you need to \nmandate it, because I do believe they are sitting forward. They \nwant help. They want the government to help them. They know \nthey can't defend against a nation-state. And they know that--\nespecially in the energy sector, they are critical to the \nfuture of this country.\n    Mr. Garamendi. I am well over my time. 
I will yield back, \nbut I would love to have you gentlemen help us write that \nencouragement.\n    The Chairman. Ms. Hartzler.\n    Mrs. Hartzler. Thank you, gentlemen. I appreciate your \nexpertise and insights on this really critical issue. The \nMissouri National Guard was the first State to fully staff a \nNational Guard computer network defense team to respond to \ncyber threats and attacks. And this unit, located at Jefferson \nBarracks in St. Louis, is consistently sought out to train both \nNational Guard forces across the country as well as Active \nDuty.\n    These National Guard members are in a unique position \nbecause they can utilize their civilian roles, training, and \nexpertise into their military cybersecurity roles. And I think \nwe can all agree that the private sector moves faster with \ntechnological innovation so by using citizen soldiers, we can \nleverage new ways of thinking into the military. So what do you \nthink should be the force structure of Active Duty, Reserve, \nand National Guard cyber warriors? I am not sure who wants to \nstart off.\n    General Alexander. So actually, you have hit on it. When--\nat Cyber Command, we encouraged, and we had several States set \nup National Guard with cyber forces--Delaware, Mississippi, \nWashington, and others for just that reason. I think that is an \nexceptional way and you hit all the key points. There are great \npeople in the commercial sector who want to help the government \nbut they don't want to sacrifice the--the pay.\n    So they can do both and they do--and there are great people \nthere. I think that's exactly the way to go. The issue that \nwill come up is now how do we bring those all together for the \ncommon defense, as things go from peacetime to crisis to war, \nsomething that we need to look at.\n    Mrs. Hartzler. And I think you mentioned as well that they \nare--you support training them and then having a 6-year \nrequirement. 
In a way, this kind of fulfills that a little bit. \nWe train you and then you can go out in the private sector, but \nthen come in on the weekends and you bring your expertise and \nto address things and be called up when needed. Secretary \nChertoff.\n    Mr. Chertoff. Yes. I was going to say, I think that it is a \nlittle bit like the ROTC [Reserve Officer Training Corps]. I \nthink that's a great idea. I mean, these days, we are looking \nto train people for the 21st century skills. If you bring them \nin and you train and they make a commitment to serve Active for \na period of time and then they work in the National Guard, \nthat's a win-win for everybody.\n    There are two other advantages. One is the relationships \nthat are built wind up, you know, going on beyond the actual \nterm of service. And one of the things I learned in law \nenforcement was a lot of the sharing and a lot of the \ncoordination comes from personal relationships. And secondly, \nin terms of a common language and a common approach, it gives \nyou a baseline commonality.\n    So I mean, I--if you were going to do something relatively \ndramatic, I think having an ROTC-type program to train and get \nservice in this area would actually be a real benefit.\n    Mrs. Hartzler. Makes sense. When I visited this unit, even \nthough it's not in my district, I was so impressed. Several of \nthem said we are in charge of security for Fortune 500 \ncompanies. And we see things during the week. And we are saying \noh my goodness, we need to come--when we come back on--on our \nActive Duty assignment and apply those things to protect our \nNation. So it makes sense to me. Mr. Johnson, did you--were you \nwanting to add something there?\n    Mr. Johnson. No, I endorse everything that's been said.\n    Mrs. Hartzler. Oh, good. I wanted to go back, General \nAlexander, to something you said that piqued my attention in \nyour testimony. 
And then just recently, as you were talking \nabout integration of infrastructure. And I understand this \nisn't quite the same. But there's a lot of discussion about the \nDOD's contract and building the cloud and whether it should be \none cloud or whether there should be multiple clouds that we \nwould use. Do you have an opinion on that?\n    General Alexander. Well, I think in any instance, a cloud \nprovider is going to have multiple instances. And so I would \nlook for multiple instances for resilience. And no matter which \none you choose and how you choose it, that means you don't put \nall your eggs in one facility. So when you think about the \ncloud, they build up a huge set of capabilities in a facility \nand then they build multiple facilities to give you that \nresilience.\n    I would look at the facilities, the resilience. And there \nare tremendous companies out there doing cloud capabilities and \nthat's growing. I think that's part of the future, especially \nfor mobile communication.\n    Mrs. Hartzler. Okay. And the last question. Switching gears \na little bit. What are we doing to mitigate the exfiltration of \nmassive amounts of unclassified data from our cleared defense \ncontractors? And is it working? And what would you do \ndifferently to protect this data? Who's going to take that?\n    General Alexander. Well, I worked with the defense \nindustrial base [DIB]. And great people. I would pull them \ntogether into an integrated infrastructure, call it a DIB \ninfrastructure that works together so you can see what nations \nare going after defense information or related information, \nencourage those. We actually ran that. 
When you were the \ngeneral counsel, we would call the defense industrial base \nworking group.\n    We didn't go into it to that level, but I would build that \nup analogous to the way we recommended doing the same thing for \nsmall and midsize agencies, I would do that and offer that the \nDIB as part of the way of them bringing in. So beyond FedRAMP \n[Federal Risk and Authorization Management Program], which is \nthe standards that they have to achieve in cybersecurity, I \nwould go for a collective security approach.\n    Mrs. Hartzler. Thank you. Yield back.\n    The Chairman. Mr. Gallego.\n    Mr. Gallego. Thank you, Mr. Chair. Kind of attaching some \nquestions onto my good friend from Missouri, you know, and \ntalking to some of my friends, we have to--we have a dearth of \nactual capable cyber warriors. And I had some friends that I \nserved with in the war that actually came out and created and \nwent through all these different programs to actually retrain \nthem to being quote, unquote ``cyber warriors.'' I have heard \ncriticisms from colleges and universities that these programs \nare too staid and too static to adequately train students for \nthe real world threats that are always changing.\n    So do you, one, see the quality and quantity of \ncybersecurity graduates as a problem? Number two, if so, what \ncan be done to improve the dynamism and efficacy of \ncybersecurity education currently right now through our public \nand private schools or any other methods. We need to start from \nleft to right.\n    Mr. Johnson. Well, I have to say I have been impressed \nrecently when I've visited colleges and universities at the \nlevel of interest in a cybersecurity education. And very often \nthere's also an interest in serving in national security in \ncybersecurity. 
It doesn't surprise me that you have heard \nsome of the concerns that have been expressed because really of \nthe newness of the topic.\n    And so there probably needs to be a concerted effort at who \nare the educators because this is rather new generation \nphenomenon, so a lot of interesting stuff----\n    Mr. Gallego. And who is going to be providing the \ncurriculum also. I know the educators are important, but also \nsometimes the educators are behind the eight ball when it comes \nto curriculum.\n    Mr. Johnson. Correct. Right. I agree with that.\n    General Alexander. So let me just add. DHS and NSA actually \nhave a joint venture to work with colleges to set up a level of \ncurriculum. So I think that's a great starting point. More \nimportantly, look at the change in technology. It's doubling \nevery 2 years. That means half of what kids learn in their \nfreshman year is outdated by their junior year.\n    So we are training people for technology that doesn't \nexist, hence the problem that you bring up. Using applications \nthat haven't been created. And so what that means is we now \nneed to teach people how to learn, not just what to learn. And \nthat's got to be part of this whole process and that's what I \nthink you are actually getting to.\n    Mr. Chertoff. I would agree to that. I think a critical \npoint is what you are doing is training people how to train \nthemselves and that way can be a continuous process because \nit's not going to be like most subjects where you learn it and \nthen it remains current. It's going to change very very \nquickly.\n    Mr. Gallego. In many of the universities that I visited or \neven community colleges there is usually like a corporate \nadvisory board just basically that meets with the professors \nand with the educators who create a curriculum that is always \nstaying up to date with whatever changes. 
Not to just \nobviously, cybersecurity or technology, but whatever field that \nthey are working on.\n    What is our equivalent in our government to that? Is there \na working group of both national leaders, defense leaders, as \nwell as private sector leaders that are helping--who are \nhelping our educators, whether it's community colleges or \nuniversities, keep up to date the curriculum? I know we kind of \nhit on that, but is there an actual formalized structure for \nthis kind of interaction?\n    General Alexander. So they actually do that between DHS and \nNSA, and now Cyber Command. They update that curriculum all the \ntime and it's on the web so you can actually go to the \ninformation assurance director dot-gov I think is the IAD \n[Information Assurance Directorate]. And I think DHS has the \nsame one. And it lays out all the standards and they update \nthat continuously.\n    Mr. Gallego. And then is the private sector at all involved \nin this curriculum--making of this curriculum?\n    General Alexander. Well to the extent that they reach out, \nbut they aren't part of the accreditation process.\n    Mr. Gallego. Right.\n    General Alexander. I believe they provide input from both \nDHS and NSA.\n    Mr. Gallego. Understood. Thank you. I yield back.\n    The Chairman. Mr. Bacon.\n    Mr. Bacon. Thank you, Mr. Chairman and I want to thank all \nthree for your service and your leadership. Appreciate you \nbeing here. I have a few questions for General Alexander, and \nif time permits, one for the whole panel.\n    First of all, for General Alexander, right now we have one \nfour-star for NSA, Cyber Command, and the two deputies, the \nthree-stars, sort of run those organizations. 
But that provides \nus cohesion, unity of command, but yet I know there's proposals \nto provide two different four-stars, one for each NSA and Cyber \nCommand.\n    And I fear that that will pull those teams apart, because I \nknow and you know--I am a cyber and SIGINT [signals \nintelligence] guy by trade as well--that our intelligence seems \nto be closely linked with our offensive and defensive \ncapabilities. I would like to know, where do you fall on this, \nand where are we at with this discussion?\n    General Alexander. Well, I--I actually believe you have to \nhave unity of command. If the decision is made that it's too \nbig for one person, and then you put two four-stars, you then \nhave to put somebody over top of both of them.\n    Mr. Bacon. Absolutely.\n    General Alexander. Between them and the Secretary [of \nDefense] and the DNI, and so that creates additional \ninfrastructure.\n    So before we do that, I would encourage us to look at how \nwe are going to fight in cyberspace, and the roles and missions \nof both NSA for reconnaissance and Cyber Command for military \nactions. And NSA may have responsibility in covert actions----\n    Mr. Bacon. Yes.\n    General Alexander. So you have this nesting. I think I \nwould look towards unifying versus diversifying those \ncapabilities.\n    Mr. Bacon. My experience is the same. I just know there's \nproposals here to do that, to separate it, and I think it would \nbe damaging to the cyber mission, because the intelligence \nportions of this are so closely linked to our offensive and \ndefensive, you can't have two four-stars with two different \npriorities and keep those teams cohesive. So I just wanted to \nmake that point, and I appreciate that you feel the same way.\n    On the cyber mission teams, are we fully operational, or \ninitial operational? Where are we at?\n    General Alexander. Well, so I am a bit dated. I have talked \nto Admiral Rogers, and they have made great progress. 
My \nunderstanding is they are, in most of them, fully operational-\ncapable, but I am not sure how many of the 40 are at the level \nand where they have tested them.\n    So I know we were making progress 4 years ago. I have not \nkept up specifically on that. I do think this will get back \nto--now we have another group that we are going to be training, \nand always going through, so I don't know the answer to that.\n    Mr. Bacon. Okay, thank you. One more question, and then I \nhave got one for the panel. I think you talked about the right \nto self defense? Let me just play on that a little bit. I \nthink, if we are only defensive--if we play defensive only, it \ndoesn't serve deterrence well, and I think it makes us more of \na punching bag.\n    I think we do need to have some--to practice some of our \noffensive muscles, mainly to serve as deterrence and make \nattacks on us less often. Are we doing enough in the offensive \nrealm to show, hey, when you attack us, you are vulnerable for \na counterstrike?\n    Where do you all--and I'll open it up for anybody, if you \nfeel like we are in this--in the right spot here.\n    Mr. Johnson. Congressman, as long as our intelligence \nchiefs tell us that certain nation-states are continuing to \nengage in bad behavior against us in cyberspace, then we--then \nthe answer is no, we are not doing enough, obviously.\n    And nation-states, whether they are communist regimes, \ndictatorships, monarchies, all behave a certain way. They all \ndecline to engage in behavior that is cost-prohibitive if there \nis a sufficient deterrent in place.\n    And to go back to what you said earlier, I believe that \ncomponents of an effective defense can also include offense.\n    Mr. Bacon. All right. Yes, go ahead, sir.\n    Mr. Chertoff. Yes, I would, I would agree. I would say \nthere are two elements in deterrence. Deterrence by denial, \nwhich means we raise the barrier to doing something, and \ndeterrence by response. 
We have done some things, particularly \nlately, that are a little more responsive, but as we see bad \nbehavior we may need to dial that up a little bit.\n    And the one thing I want to just be careful about is not to \ntreat the issues about information operations as the same thing \nas cyberattacks----\n    Mr. Bacon. Right.\n    Mr. Chertoff. Because that raises a whole set of \ncomplicated issues.\n    Mr. Bacon. Intelligence versus offensive is----\n    Mr. Chertoff. Correct.\n    Mr. Bacon. Totally two different things, and reconnaissance \nhas a long history of being not a combat operation, so I \ntotally agree. And it's my feeling, too, that we are not \nshowing enough teeth or offensive muscle and it doesn't serve \ndeterrence well. It makes us more vulnerable to the other \nnations' attacks. One last question. And this gets to some of \nthe earlier questions on the energy grid.\n    I am deeply alarmed by it. I think we are vulnerable to the \nnext December 7th not being airplanes and torpedoes, but \nrolling blackouts and--and havoc in our society. Are we doing \nenough to build resilience in the defensive realm to protect \nour energy grid? And I realize that is more of a homeland \nsecurity perspective.\n    Mr. Johnson. I have been impressed that certainly larger \nentities and public utilities recognize their vulnerabilities \nand the risk and are doing a fair amount. Again, I come back to \nthe importance of information sharing about threat streams. And \nno matter how sophisticated you are, you can always benefit \nfrom more information, the larger picture at work.\n    And that's where I think we need to continue to focus and \nwhere I think Congress should continue to encourage the private \nand public sectors to work together and share information.\n    Mr. Gaetz. Thank you, Mr. Secretary. I am out of time, so I \nyield back. Thank you.\n    The Chairman. Mr. Panetta.\n    Mr. Panetta. Thank you, Mr. 
Chairman and thanks to the \nthree gentlemen who are here today. I appreciate you being here \nas well as, of course, your stellar service, so thank you very \nmuch. Clearly cyberattacks are one of the main tools of what \nhas been termed lately as guerrilla geopolitics, and what are \nbeing used more and more by the revisionist powers that we are \nhearing about.\n    You today have done a good job saying what is not an act of \nwar. And Mr. Chertoff, you started to get to the point in--in \nMr. Garamendi's questioning about shutting off the lights, \nsignificant loss of life. Could the three of you please give me \nfurther examples--in your opinion, obviously, of what you would \nfeel would qualify as an act of war using this tool?\n    Mr. Johnson. Congressman, any cyberattack that has kinetic \neffects--physical destruction, death, physical injury--in my \njudgment would constitute an act of war.\n    Mr. Chertoff. I agree with and I--what I would emphasize is \nthis. It's effects based. It's not based on the particular \ntool. Whether you are dropping a bomb or you are--you are \nsending something over a network, if you are killing people, \nthat's an act of war.\n    Mr. Johnson. For example, we look at chemical weapons and \nwe measure the impact by the effects that chemical weapons \nhave, then we see the images. So I think you have to focus on \nthe effects.\n    Mr. Panetta. Understood.\n    General Alexander. I would add in intent. So there I \nbelieve you are going to see some countries who push out \nsomething--and we have seen this already here in our country, \nwhere the attack was going against a different--but the malware \nhit our country and hit some of our industry. The intent wasn't \nto hit us. It was the collateral damage, not an act of war, but \nsomething that they should be held accountable for. 
I do think \nso.\n    If they have the intent to do us harm and they have the \nkinetic effects to go with it, I believe that's an act of war.\n    Mr. Panetta. And if the means were solely done through \ncyber, should the response be solely done through cyber?\n    Mr. Johnson. As a legal matter, the answer is not \nnecessarily. There--there is no legal requirement for a \nresponse in kind.\n    General Alexander. Yes. And I--I agree. I think you want to \nhold all the elements of power and give the administration the \nauthority to use them all.\n    Mr. Chertoff. I also agree.\n    Mr. Panetta. Good. Good. And are--I would imagine the three \nof you are familiar with the Tallinn Manual 2.0. Would you feel \nthat this is--that basically that the principles that are \narticulated in this under international law, are they \neffective?\n    Mr. Chertoff. It depends what you mean by effective. I \nthink that international law and law of armed conflict ought to \napply against cyber as well as kinetic. Whether people are \nobserving them is a different issue. Where the challenge \nbecomes, it's easier to mask what you are doing in cyberspace, \ngenerally, than what you are doing in the physical space.\n    So you get a lot of denial and deniability, which is why \nultimately, enforcing the rules comes back to the level of \ncertainty you need to have with attribution. The value of this, \nthough, is--particularly with respect to our allies--and I have \nhad discussions with them about this. If they agree with us \nthat there's a violation of international law by what another \ncountry does, then they are prepared to take countermeasures \nthat would be more vigorous than if they viewed it as not being \na violation of law of armed conflict.\n    Mr. Panetta. Would you agree? Great. And Mr. Johnson.\n    Mr. Johnson. The one legal issue that I think deserves a \nlot of attention in this area are the principles around \nneutrality. 
We talked about this earlier and Mike talked about \nthis earlier, where there's a nation-state that is doing \nsomething directed at us, originating from a neutral country. \nAnd the current principles, frankly, are insufficient to deal \nwith this problem.\n    And it's something that we confronted time and again at \nDOD, and I am acquainted with at DHS. And so I think that more \nthinking needs to be put into what do you deal with when an \nattack is originating from or working its way through a neutral \ncountry. How do you deal with that?\n    Mr. Panetta. Got it. Got it. Gentlemen, thank you. I yield \nback. Mr. Chairman, thank you.\n    Ms. Stefanik. Mr. Carbajal.\n    Mr. Carbajal. Thank you, Madam Chair. Enemies that wish to \ndestabilize our democracy have found a new frontier that I \nbelieve we are not adequately prepared for. And as you have \ntouched on in your testimony. Today, I am interested in the \nrole of the National Guard in response to a potential \ncyberattack. As a military asset with dual State and Federal \nroles, I believe they have a critical role to play in \nprotecting our Nation's critical infrastructure.\n    If a cyberattack were to shut down critical infrastructure \nsectors such as the electrical grid, water, banking or \ntransportation systems in California, an interagency response \nwould be necessary. Law enforcement, first responders, owners \nof infrastructure sectors, the National Guard, and other \nFederal and State entities must have an integrated response and \nknow how to work together. This requires us to train in a more \nintegrated environment.\n    In this regard, I believe there is a significant training \ngap. Currently, there are no local programs in place that I am \naware of for cyber network defense teams to receive continuous \ntraining to defend the Department of Defense information \nnetworks while exercising their defense capabilities in a State \nenvironment. 
Army cyber protection teams currently report to \nFort Meade to receive training in their title 10 mission.\n    But they still lack training relative to defending critical \ninfrastructure. In California, the National Guard has embarked \non a collaborative multiagency cybersecurity training effort \nthat provides an environment specifically created for \nintegrated training, allowing them to exercise their defense \ncapabilities in both a Federal and State environment. Now, I \nknow you have touched on this already, but I am hoping that you \ncould elaborate on it a little bit more.\n    What are your thoughts on the need to expand integrated \ntraining efforts, including interagency cyber training \nfacilities?\n    General Alexander. So I think we absolutely need to do it. \nAnd you bring out some good points in terms of what are the \nroles and responsibilities at the State level, what are the \nroles and responsibility at the Federal level, and how do you \nconnect those two? And then how do you build both the bridges \nto the private sector? And all of that has to work seamlessly \ntogether.\n    I think it's about training. I think, first and foremost, \nwe have to come up with a vision of how we are going to defend \nthis country in cyberspace and get everybody to agree. That's \npart of that common operating picture.\n    With that picture, then, the second question that you just \nposed is, so, what is the role of State and National Guard and \nother forces in helping to accomplish that mission? How far can \nthey go? Because what you don't want is States that \nindependently attack back, you want them to defend. Or if they \nare going to attack, to be part of the Federal--the national \nresponse, not individual.\n    So we have to ensure that all that is bound together. And \nthat is a tremendous training requirement, from my perspective.\n    Mr. Johnson. I agree with everything General Alexander \nsaid.\n    Mr. Chertoff. I would add one thing. 
I would like the \ntraining to include not only defending, but the ability to \nrecover when something goes down, as we do in the area of \ntraining the National Guard when we have a natural disaster.\n    Mr. Carbajal. Thank you. And a follow-up question. I know \nthis has been touched on as well today. Cybersecurity is such \nof a--a complicated issue. And you touched on earlier about \nthreats emanating from neutral areas, or neutral countries.\n    How--how difficult is it to pinpoint the origination of the \nattack? Is it 100 percent of the time, we ultimately get to \nthat source? Or sometimes we never get to that source? What is \nthe percentage success rate, that we are aware, in pinpointing \nthe actual threats? Because that leads to attacking, or \ncounterattacking, somebody who may or may not be the original \nsource.\n    Mr. Johnson. In my observation, it's often the case that we \ncan identify where the attack is originating from, what \nplatform, but then the challenge becomes: Who's pulling the \nstrings? Who's ultimately responsible, and who's ultimately \norchestrating the attack? And I am sure the other two witnesses \nwill have views on that as well.\n    General Alexander. I actually agree, and Secretary Chertoff \nbrought some of those same points out earlier, that you can see \nwhere it starts from, so it might start in Russia, but Russia \ncould say--Russian government could say, ``That's not us, \nthat's a hacker, he is outside.''\n    Having said that, the problem that our companies would have \nin the National Guard and others is they can see the last point \ncoming to them. What they can't do is see all the other points \nleading back to Russia. That's where your national intelligence \nsystem has to work, and it goes back to Mr. Bacon's question. \nYou need to have the ability to see that whole threat and then \nrespond, title 10 and title 50, integrated.\n    And so I think that's going to be the key for our country.\n    Mr. Carbajal. 
Thank you very much. I yield back, Mr. Chair.\n    Ms. Stefanik. Thank you. That concludes our member \nquestions. I want to thank the three witnesses here today for \nsharing your policy expertise and your recommendations as we \nmove forward.\n    Just as an announcement, the Emerging Threats and \nCapabilities Subcommittee, which I chair, is having our cyber \nposture hearing at 3:30 p.m. with Admiral Rogers and Assistant \nSecretary Ken Rapuano to continue this conversation.\n    Thank you very much for your service to our Nation, and \nthis hearing is adjourned.\n    [Whereupon, at 11:55 a.m., the subcommittee was adjourned.]\n\n     \n=======================================================================\n\n                            A P P E N D I X\n\n                             April 11, 2018\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             April 11, 2018\n\n=======================================================================\n\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             April 11, 2018\n\n=======================================================================\n\n      \n\n                    QUESTIONS SUBMITTED BY MS. ROSEN\n\n    Ms. Rosen. As we form public-private partnerships between DOD and \nindustry, I'm worried about protecting the integrity of systems and the \nintegrity of user data. As DOD moves to the cloud, what are the \nimplications regarding public-private partnerships? How do we ensure \nthat we have parallels and redundancies to protect systems and users? \nWho owns the proprietary information? If not the U.S. Government, how \ndo we ensure that the owner will do their due diligence in safeguarding \nsystems and user information? 
What happens to data when businesses \nclose or technology is replaced? Is data destroyed when it's no longer \nused?\n    Mr. Chertoff. The vast majority of the DOD's work with industry \ncomes in the form of traditional procurements, which are subject to a \nmyriad of information security requirements that dictate how government \ndata is secured, handled, processed, retained, and managed within \nsystems provided by industry partners. These requirements are included \nin all DOD contracts and procurements and are also included in programs \nsuch as FedRAMP, which is designed to streamline certification of \ncommercial offerings for use in Federal IT environments. All of DOD's \nbaseline requirements are managed by the Defense Information Systems \nAgency (DISA) and some procurements may have additional requirements \ndictated by the individual service, command, or component within DOD. \nUnder these agreements, all government data remains the property of the \nU.S. government and is subject to the handling requirements set forth \nby DOD. This includes data retention and destruction policies, which \nproviders are contractually obligated to comply with. These \nrequirements may vary widely depending on the needs of the particular \ncomponent, the type of data, and the level of sensitivity. It is the \nresponsibility of DOD to ensure that its vendors meet these \nrequirements through code reviews, audits, and other means of \noversight. Failure to comply with these requirements can result in \ncivil and criminal penalties for both the vendor and its \nrepresentatives. At present, all these requirements also apply to \nvendors offering cloud services to DOD, though there are efforts \nunderway to streamline some of these requirements and adapt them to the \nrealities of cloud environments, which are free of many of the \nconstraints of traditional IT infrastructure. 
The largest ongoing DOD \nCloud procurement, the Joint Enterprise Defense Infrastructure Contract \n(JEDI), is subject to these requirements, though DOD has pledged to \nwork with the eventual awardee to identify erroneous requirements to \nspeed and streamline adoption. In my view, this is the correct course \nof action--Cloud environments offer new approaches to security that can \nenhance data security while allowing for a more flexible and efficient \ninfrastructure. These approaches, such as attribute-based security \ncontrols, are promising ways to enhance security and efficiency within \nits IT enterprise. DOD Cloud contracts also require some level of \nredundancy for cloud services, generally expressed with uptime \nrequirements (99.99999%, for example) and/or requirements regarding the \nnumber and location of data centers, remote storage sites, and hybrid-\ncloud technologies that can help to ensure the underlying system \nremains available. That said, many large Cloud providers have \nexperienced at least partial outages within their private-sector cloud \nenvironments, emphasizing the need for redundancy and resilience in any \ncloud offering that might underpin DOD operations. To that end, many \ncompanies in the private sector utilize what is referred to as a \n``multi-cloud'' environment, which leverages the cloud services of \nmultiple vendors to help ensure that the company's cloud-based IT \nenterprise remains available even when a single cloud vendor \nexperiences an outage. I think it is also worth noting that most major \ncloud vendors offer government-specific clouds separate from their \nprivate sector clouds. These environments are built on separate \ninfrastructure designed to ensure that sensitive government data is not \ncommingled with data from the private sector. 
In fact, several cloud \nproviders have built cloud computing offerings specific to various \nlevels of classified environments for DOD and the Intelligence \nCommunity and include additional safeguards and protections as required \nby those organizations for the storage and handling of classified \ninformation. Beyond traditional procurements, DOD utilizes pilot \nprograms, research agreements, and specialized programs such as Defense \nInnovation Unit Experimental (DIUx) to work with technology start-ups, \nlabs, academic institutions, and even established technology providers \nto identify and develop technologies that meet the unique needs of DOD \nand its components. Agreements with these entities can sometimes \nresemble traditional procurements, subjecting the partner to many of \nthe same IT security requirements. In instances where the intent is for \nthe partner to demonstrate and develop a particular technology these \nrequirements are generally less stringent, intended to allow the \npartner to first build-out and prove a technology before it is \nincorporated into the broader DOD environment and thus becomes subject \nto the department's stringent requirements. In such a development \nenvironment the data being leveraged is non-production data, that is, \ndata that is either scrubbed clean of any sensitive or identifying \ninformation or a dummy dataset that resembles an actual dataset but is \ncreated artificially for development purposes.\n    Ms. Rosen. As we form public-private partnerships between DOD and \nindustry, I'm worried about protecting the integrity of systems and the \nintegrity of user data. As DOD moves to the cloud, what are the \nimplications regarding public-private partnerships? How do we ensure \nthat we have parallels and redundancies to protect systems and users? \nWho owns the proprietary information? If not the U.S. 
Government, how \ndo we ensure that the owner will do their due diligence in safeguarding \nsystems and user information? What happens to data when businesses \nclose or technology is replaced? Is data destroyed when it's no longer \nused?\n    General Alexander. The questions you raise about the cloud and \nrelevant public-private partnerships are important ones. I am a strong \nbeliever in the notion that cloud-based systems are inherently more \nsecure and more survivable than classic on-premises systems. At the \nsame time, it is critically important that in implementing the move to \nthe cloud, the government puts in place provisions, in partnership with \nkey cloud providers, for ensuring redundancy of systems and the backup \nand availability of data, particularly for mission-critical systems. \nSimilarly, the government can and should expect cloud providers to \nprovide assurances regarding the safeguarding of systems, user \ninformation, and critical data; it should also make clear--in \ncontractually binding language--what it expects to be done when data is \nno longer being used, when businesses close or are acquired, or when \ndomestic firms come under significant foreign influence. If the \ngovernment is the buyer, it has every right to set clear and fair \nconditions on what it buys. These conditions should be vendor- and \ntechnology-neutral, but, if put in place should leverage the carrot of \nCongress's purchasing power. Either alone or accompanied by Congress's \nprovision of economic incentives to encourage the development of \ngovernment-level security, such conditions can incentivize the creation \nof a more robust cybersecurity environment generally. As a large \neconomic actor--and a key buyer of cybersecurity goods and services--\nthe government has outsized influence on vendors, influence that can \nreasonably be used to achieve such larger goals of creating a more \ncyber-secure environment for government and industry alike. 
A good \nexample of this recently was CIA's work with Amazon to create the \nsecure C2S cloud environment. The outgrowths of this capability are \nmaking public and private systems with highly sensitive data more \nsecure and resilient. Likewise, the government can and should work with \na broad array of vendors in order to find the most capable players in \nthis area and to align these capabilities with government needs on a \ngoing-forward basis. Pivoting to cloud makes good sense from a security \nand resilience perspective and the government should not step back from \nthis effort simply because of issues that can and should be reasonably \naddressed by industry as part of the government purchasing process.\n    Ms. Rosen. As we form public-private partnerships between DOD and \nindustry, I'm worried about protecting the integrity of systems and the \nintegrity of user data. As DOD moves to the cloud, what are the \nimplications regarding public-private partnerships? How do we ensure \nthat we have parallels and redundancies to protect systems and users? \nWho owns the proprietary information? If not the U.S. Government, how \ndo we ensure that the owner will do their due diligence in safeguarding \nsystems and user information? What happens to data when businesses \nclose or technology is replaced? Is data destroyed when it's no longer \nused?\n    Mr. Johnson. The following response is on my own behalf, and not on \nbehalf of my law firm or any of its clients. To formulate this \nresponse, I consulted cybersecurity experts I know and trust. As the \nQFR notes, DOD has determined to move toward a public cloud-based \nsolution for the storage of its data, classified and unclassified. DOD \nrecognizes that its thousands of current networks and data centers are \nnot a best practice, and are disadvantageous for DOD and the taxpayers. \nI appreciate DOD's cautious two-phase approach to the issue, beginning \nwith a tailored acquisition process. 
To be sure, there are both risks \nand opportunities for DOD associated with moving toward a public cloud. \nHowever, the risks can be minimized and opportunities maximized through \nthe careful negotiation of a contract with the cloud provider, and such \na contract should be designed to address many of the concerns reflected \nin the QFR. Contract provisions should include at least the following:\n    (1) enhancement of the cloud's security capabilities and the \nsharing of classified threat information with the appropriate personnel \nof the cloud provider; (2) appropriate protocols for incident \nnotification to DOD and response; (3) the ability of DOD to directly \ndetect and address any malicious activity around its stored data in the \ncloud; (4) appropriate redundancies to protect data systems and users; \n(5) an acknowledgement that DOD data remains the property of DOD; (6) a \nprovision to protect DOD data and interests in the event the cloud \nprovider closes or is replaced; and (7) adherence by the cloud provider \nto U.S. government and DOD standards for the retention and destruction \nof data.\n\n                                  [all]\n</pre></body></html>\n"