[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                                     
 
                         [H.A.S.C. No. 115-97]

                                HEARING

                                   ON

                   NATIONAL DEFENSE AUTHORIZATION ACT

                          FOR FISCAL YEAR 2019

                                  AND

              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING

                                   ON

                     A REVIEW AND ASSESSMENT OF THE

                     DEPARTMENT OF DEFENSE BUDGET,

                     STRATEGY, POLICY, AND PROGRAMS

    FOR CYBER OPERATIONS AND U.S. CYBER COMMAND FOR FISCAL YEAR 2019

                               __________

                              HEARING HELD
                             APRIL 11, 2018
                                     

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]





                            _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
30-571                  WASHINGTON : 2019      



                                     
  


           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                ELISE M. STEFANIK, New York, Chairwoman

BILL SHUSTER, Pennsylvania           JAMES R. LANGEVIN, Rhode Island
BRAD R. WENSTRUP, Ohio               RICK LARSEN, Washington
RALPH LEE ABRAHAM, Louisiana         JIM COOPER, Tennessee
LIZ CHENEY, Wyoming, Vice Chair      JACKIE SPEIER, California
JOE WILSON, South Carolina           MARC A. VEASEY, Texas
FRANK A. LoBIONDO, New Jersey        TULSI GABBARD, Hawaii
DOUG LAMBORN, Colorado               BETO O'ROURKE, Texas
AUSTIN SCOTT, Georgia                STEPHANIE N. MURPHY, Florida
JODY B. HICE, Georgia
                Pete Villano, Professional Staff Member
              Lindsay Kavanaugh, Professional Staff Member
                          Neve Schadler, Clerk
                          
                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Ranking Member, Subcommittee on Emerging Threats and 
  Capabilities...................................................     2
Stefanik, Hon. Elise M., a Representative from New York, 
  Chairwoman, Subcommittee on Emerging Threats and Capabilities..     1

                               WITNESSES

Rapuano, Kenneth P., Assistant Secretary of Defense for Homeland 
  Defense and Global Security, U.S. Department of Defense........     7
Rogers, ADM Michael S., USN, Commander, U.S. Cyber Command, and 
  Director, National Security Agency.............................     4

                                APPENDIX

Prepared Statements:

    Rapuano, Kenneth P...........................................    46
    Rogers, ADM Michael S........................................    27
    Stefanik, Hon. Elise M.......................................    25

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Langevin.................................................    67
    Mrs. Murphy..................................................    68
    Ms. Stefanik.................................................    67

Questions Submitted by Members Post Hearing:

    [There were no Questions submitted post hearing.]
A REVIEW AND ASSESSMENT OF THE DEPARTMENT OF DEFENSE BUDGET, STRATEGY, 
 POLICY, AND PROGRAMS FOR CYBER OPERATIONS AND U.S. CYBER COMMAND FOR 
                            FISCAL YEAR 2019

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
         Subcommittee on Emerging Threats and Capabilities,
                         Washington, DC, Wednesday, April 11, 2018.
    The subcommittee met, pursuant to call, at 3:30 p.m., in 
room 2212, Rayburn House Office Building, Hon. Elise M. 
Stefanik (chairwoman of the subcommittee) presiding.

 OPENING STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE 
FROM NEW YORK, CHAIRWOMAN, SUBCOMMITTEE ON EMERGING THREATS AND 
                          CAPABILITIES

    Ms. Stefanik. The subcommittee will come to order.
    Welcome, everyone, to today's hearing of the Emerging 
Threats and Capabilities Subcommittee on the posture of cyber 
operations and U.S. Cyber Command [CYBERCOM] for fiscal year 
[FY] 2019.
    This hearing is the second of three cyber events today. 
This morning, we heard from former Secretaries of Homeland 
Security Chertoff and Johnson, as well as former CYBERCOM 
Commander Keith Alexander.
    Adversaries such as China and Russia aggressively leverage 
and integrate cyber information and communications technologies 
for geopolitical and economic gain, and they do so in a 
seamless way. Dictatorships have those advantages, and their 
control over these technologies and information is as much 
about exerting control over their own populations as it is 
confronting free societies such as ours.
    As discussed in the Worldwide Threat Assessment for 2018 
from the Director of National Intelligence [DNI], Iran and 
North Korea also continue to increase their offensive cyber 
capabilities and techniques. Over the last few years, both of 
these nations are believed to be behind cyber attacks that 
demonstrate not only a capability to deploy a variety of 
techniques and tools, but also a willingness to use cyber 
attacks as a means to achieve their national objectives.
    Needless to say, cyber threats today from state and non-
state adversaries are real, pervasive, and growing. Cyberspace 
and the information domain writ large remains contested and 
under continual stress. We are no longer peerless, and cyber 
superiority is not assured.
    Yet, while these adversaries continue to use cyber as a 
means to achieve strategic objectives, I remain concerned that 
we, as a government, do not have a strategy in place to 
mitigate, deter, or oppose their advances. It is safe to say 
that we have improved our military cyberspace and cyber warfare 
capabilities and also improved our resilience in many areas, 
but I am sure not the same can be said of the rest of our 
government--most notably, the protection of our critical 
infrastructure that preserves our economic security and ensures 
our way of life.
    Further work is needed to build interagency partnerships to 
ensure a whole-of-government approach to countering the growing 
cyber threat. The Department of Defense [DOD] plays an 
important role in this area, certainly when considering a 
significant cyber incident that may require their expertise 
during a time-sensitive emergency.
    From where I sit, a great deal of work remains to be done 
to improve our ability to defend, fight, and win in this 
critical domain, and also to improve and align our decision-
making processes and operational authorities so that we are 
fast, agile, and relevant. Only then will our Nation be 
prepared for the 21st-century challenges we face.
    Our witnesses today are very well-qualified to help us 
navigate these multidimensional challenges. Appearing before 
our subcommittee, we have Admiral Mike Rogers, Commander of 
U.S. Cyber Command and Director of the NSA [National Security 
Agency], and the Honorable Kenneth Rapuano, Assistant Secretary 
of Defense for Homeland Defense and Global Security and 
Principal Cyber Advisor for the Secretary of Defense.
    Thank you both for being here today.
    Admiral Rogers, this will be your last appearance before 
this subcommittee, and I want to extend my sincerest thanks and 
appreciation for your decades of service to our country and for 
the relationship that you have built with so many of our 
members on the House Armed Services Committee [HASC]. We wish 
you great success in your next chapter and wish your family 
well. Thank you again for your service.
    I would now like to recognize my friend and the ranking 
member, Jim Langevin, for his opening remarks.
    [The prepared statement of Ms. Stefanik can be found in the 
Appendix on page 25.]

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM 
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS 
                        AND CAPABILITIES

    Mr. Langevin. Thank you, Chairwoman Stefanik.
    And thank you to both of our witnesses for being here 
today. I look forward to your testimony. I have certainly been 
studying cybersecurity issues now for over a decade, and I have 
to say, I still learn something every day as the domain and the 
actors in it continue to evolve.
    Secretary Rapuano, it is good to see you once again. We 
certainly appreciated your testimony on countering weapons of 
mass destruction a few weeks ago, and I certainly look forward 
to today's testimony that you will provide on cyber.
    And, Admiral Rogers, it is a pleasure to have you back 
before us again today, and I want to thank you for your service 
to the Nation. It has been many years that you and I have had 
the opportunity to interact, whether it is here on the HASC or 
in my years on the HPSCI [House Permanent Select Committee on 
Intelligence], and it has been an honor to work with you. And I 
am just grateful for everything that you have done and all your 
contributions to better protecting our Nation's cyberspace. I 
certainly wish you and your family well as you start the next 
chapter as well.
    2018 is poised to be a notable year for U.S. Cyber Command. 
Following the legislative action out of this subcommittee over 
the past several years, CYBERCOM will be elevated to a new 
unified combatant command [COCOM] after confirmation of the 
next commander.
    Additionally, a cyber posture review is being conducted for 
the first time, and a legislative framework is in place for 
notification of sensitive cyber operations. Cyber evaluations 
of major defense systems continue to be conducted to mitigate 
known vulnerabilities posing operational or other risk.
    Furthermore, cyber activities supporting named and 
contingency operations overseas have also matured, allowing the 
Department to leverage lessons learned when it comes to 
tactics, techniques, and procedures, as well as command and 
control of our forces.
    All teams of the Cyber Mission Force [CMF] are expected to 
achieve full operational capability [FOC] by the end of the 
year.
    These are all excellent steps forward, toward maintaining 
our superiority in an ever-changing domain, but, though 
progress has been made, of course, these efforts and 
achievements do not mean we have reached the finish line. 
Instead, I would argue that we have just begun the race.
    In addition to reaching FOC, we must ensure that the CMF 
has the right people, continuous training and education, and 
the best capabilities in our toolbox to perform against any 
threats that may confront us. We must be able to measure the 
readiness of these teams, define the requirements against which 
they are being or may be employed, and the frameworks in place 
to rapidly employ them and enable them to respond, when 
appropriate, based on clear legal policy and operational 
authorities.
    Existing frameworks are too ambiguous to effectively, 
clearly, concisely, and consistently employ the CMF against all 
mission sets. Effective and comprehensive policies to deter and 
respond to adversarial actors, as well as efforts to shape 
international norms of state behavior, particularly regarding 
use of military cyber capabilities outside of a combat zone, 
are progressing more slowly than desired.
    As I said at the outset, this domain continues to evolve 
quickly, and it is simply not good enough to just keep up with 
our adversaries. Instead, we must set the pace. However, we 
must not compromise our morals and values when employing cyber 
forces, for those qualities are what set us apart from those 
who seek to do us harm.
    We must also avoid a cyber cold war of sustained activities 
carried out by proxies or below the level of armed conflict. 
Instead, the U.S. must continue leading in crafting of sound 
domestic and international policies and laws for cyberspace and 
cyber warfare, working with our allies to assert and enforce 
rules of the road, rather than letting malicious actors do it 
for us.
    With that, I would like to once again thank our witnesses 
for being here.
    Take care, Admiral Rogers. I thank you again for your 
service and wish you well.
    And, again, thank you for being here today to discuss such 
an important aspect of our military's capabilities. I strongly 
believe that each and every conflict we face in the future will 
contain some element of cyber, and, as such, we must be 
prepared for all activities in the cyber domain.
    With that, I want to thank you all again, and Madam Chair, 
I yield back.
    Ms. Stefanik. Thank you, Jim.
    I would also like to remind members that immediately 
following this open hearing the subcommittee will reconvene 
right next door--oh, upstairs for a closed, classified 
roundtable with our witnesses.
    Before we move to our opening statements, I ask unanimous 
consent that non-subcommittee members be allowed to participate 
in today's briefing after all subcommittee members have had the 
opportunity to ask questions. Is there objection?
    Without objection, non-subcommittee members will be 
recognized at the appropriate time for 5 minutes.
    Welcome again to our witnesses.
    Admiral Rogers, the floor is yours.

STATEMENT OF ADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. CYBER 
        COMMAND, AND DIRECTOR, NATIONAL SECURITY AGENCY

    Admiral Rogers. Thank you, Chairwoman Stefanik, Ranking 
Member Langevin, and distinguished members of the committee. 
Thank you for your enduring support and the opportunity to talk 
to you today about the hardworking men and women of United 
States Cyber Command.
    On behalf of those hardworking men and women, I am here to 
discuss the command's posture and describe how we prepare for 
and execute operations in the cyberspace domain to support the 
Nation's defense against increasingly sophisticated and capable 
adversaries.
    The cyberspace domain that existed when we first 
established Cyber Command 8 years ago has evolved dramatically. 
Today, we face threats that have increased in sophistication, 
magnitude, intensity, velocity, and volume, threatening our 
vital national security interests and economic well-being.
    Russia and China, which we see as peer or near-peer 
competitors respectively in cyberspace, remain our greatest 
concern. But rogue nations like Iran and North Korea have 
growing capabilities and are using aggressive methods to 
conduct malicious cyberspace activities. Further, several 
states have mounted sustained campaigns against our cleared 
defense contractors to identify and steal key enabling 
technologies, capabilities, platforms, and systems.
    Our adversaries have grown more emboldened, conducting 
increasingly aggressive activities to extend their influence, 
with limited fear of consequences. We must change our 
approaches and responses here if we are to change that dynamic.
    While the domain has evolved, Cyber Command's three mission 
areas endure. Our first priority is the defense of the 
Department of Defense Information Networks, or DODIN. Second, 
we support other joint force commanders through the application 
of offensive cyber capabilities. And, finally, when directed to 
do so by the President or the Secretary of Defense, we defend 
critical U.S. infrastructure against a range of significant 
cyber consequences in support of the Department of Homeland 
Security [DHS] and others.
    In concert with the National Defense Strategy, we are 
charting a path to achieve and sustain cyberspace superiority 
to deliver strategic and operational advantage and generate 
increased options for combatant commanders and policymakers. 
Without cyberspace superiority on today's battlefield, risk to 
mission increases across all domains and endangers our 
security.
    Since my last update, Cyber Command has achieved a number 
of significant milestones.
    First, Joint Force Headquarters DODIN, our subordinate 
headquarters responsible for securing, operating, and defending 
the Department's complex IT [information technology] 
infrastructure, has achieved full operational capability.
    Secondly, Joint Task Force-Ares [JTF], our warfighting 
construct focused on the fight against ISIS [Islamic State of 
Iraq and Syria], has successfully integrated cyberspace 
operations into the broader military campaign to defeat ISIS. 
And we will continue to pursue ISIS in support of the Nation's 
objectives.
    Third, we have enhanced our training in cyber operations to 
prepare the battle space against our key adversaries.
    This year will bring several additional accomplishments.
    Cyber Command will be elevated to a unified combatant 
command. As a combatant command, we will have the unique 
responsibilities of being a joint force provider and a joint 
force trainer, responsible for providing mission-ready 
cyberspace operations forces to other combatant commanders and 
ensuring that joint cyber forces are trained to a high standard 
and remain interoperable.
    In addition, this month, we will start moving in several 
hundred people into our new, state-of-the-art integrated cyber 
center and joint operations center at Fort Meade. This will be 
our first fully integrated operations center that enhances a 
whole-of-government coordination and improves planning and 
operations against a range of growing cyber threats.
    And within this dynamic domain, it is imperative to 
continually evolve our training and our tools for our 
operators. We have recently delivered the first of several 
foundational toolkits, enabling the Cyber Mission Force to work 
against adversary networks while reducing risk of exposure, as 
well as equipping JTF-Ares with capabilities to disrupt ISIS's 
use of the internet.
    Innovation and rapid development demand competition and the 
ability to leverage all partners, including that of small 
businesses in the private sector. We intend to create an 
unclassified collaboration venue where businesses and academia 
can help tackle tough problems with us without needing to jump 
through clearance hurdles, which are often very difficult for 
some of them.
    Of course, all of our tools require a talented and 
sophisticated workforce to operate them. The Cyber Excepted 
Service, which Congress has helped create, will help us 
recruit, manage, and retain cyber expertise in a highly 
competitive talent market.
    Our success also hinges and remains entwined with continued 
integration of the Reserve and National Guard. In our 
headquarters, for example, we currently employ more than 300 
full-time and part-time reservists. And, in addition, Reserve 
and National Guard members are mobilized every day to lead and 
execute cyberspace operations.
    Perhaps most significantly, in the coming year, we are 
nearing completion of the build-out of our Cyber Mission Force, 
with all of our teams on a glide path to reach full operational 
capability by the end of fiscal year 2018. And, in fact, we 
will achieve this goal ahead of time.
    And as the teams reach FOC, our focus is on shifting from 
beyond the build, i.e., creating this force, to ensuring that 
this force is ready to perform their mission and is optimized 
to sustain mission outcomes year after year after year.
    Now, I fully realize that cybersecurity is a national 
security issue that requires a whole-of-nation approach that 
brings together not only government departments like the DOD 
and other agencies, but also the private sector and our 
international partners. And over the last year, we have also 
increased our interaction with critical infrastructure elements 
within the private sector and the broader set of U.S. 
Government partners supporting them.
    And, as you know, I serve as both Commander of United 
States Cyber Command and the Director of the National Security 
Agency. This dual-hat appointment underpins the close 
partnership between these two organizations. The fiscal year 
2017 National Defense Authorization Act [NDAA] includes a 
provision that describes the conditions for any potential split 
of this dual-hat arrangement. And the Department is working its 
way through this question. And, ultimately, the Secretary, in 
conjunction with the Director of National Intelligence, will 
provide a recommendation as to the way ahead here to the 
President.
    All of us are proud of the roles we play in our Nation's 
cyber efforts and are motivated to accomplish our assigned 
missions, overseen by the Congress, particularly this 
committee.
    And, finally, as you have already mentioned, after serving 
for over 4 years as the Commander of United States Cyber 
Command, and after nearly 37 years of service in uniform, I am 
set to retire later this spring. And, as I do so, I am grateful 
for the committee and its past and continued support and its 
confidence in me and in the Cyber Command team.
    And I look forward to answering your questions. Thank you 
very much.
    [The prepared statement of Admiral Rogers can be found in 
the Appendix on page 27.]
    Ms. Stefanik. Thank you.
    Assistant Secretary Rapuano.

STATEMENT OF KENNETH P. RAPUANO, ASSISTANT SECRETARY OF DEFENSE 
 FOR HOMELAND DEFENSE AND GLOBAL SECURITY, U.S. DEPARTMENT OF 
                            DEFENSE

    Secretary Rapuano. Thank you, Chairman Stefanik, Ranking 
Member Langevin, and members of the committee. It is an honor 
to appear before you alongside Admiral Rogers, Commander of 
U.S. Cyber Command, to discuss the Department of Defense's 
priorities in cyberspace.
    In these roles, I oversee the development and 
implementation of the Department's cyber strategy and policy 
with regard to cyberspace, leading the Department's interagency 
cyber coordination efforts, advising the Secretary and the 
Deputy Secretary on cyberspace activities, and ensuring that 
the Department's cyber forces and capabilities are integrated 
across the joint force to support the missions assigned by the 
President and the Secretary of Defense.
    The Department's primary mission is to defend the United 
States and its interests. My focus from the outset has been on 
ensuring we are organizing, resourcing, and posturing ourselves 
to be ready to fight in and through cyberspace in a conflict 
with great-power competitors.
    To that end, we have prioritized the three themes of the 
2018 National Defense Strategy: increasing lethality, 
strengthening alliances, and reforming the Department's 
practices.
    The Department is pushing hard to ensure that we can deter 
aggression and out-think, out-maneuver, out-partner, and out-
innovate our competitors and adversaries in cyberspace.
    2018 will be a landmark year when U.S. Cyber Command will 
elevate to a unified combatant command, welcome a new 
commander, and complete the force-generation phase of the Cyber 
Mission Force.
    DOD's cyber forces are uniquely responsible for executing 
both offensive and defensive cyber operations, but national 
cybersecurity is inherently a team sport. Individuals, 
corporations, and organizations that own and operate critical 
networks must take appropriate steps to implement best 
practices in configuring connected devices and systems to 
mitigate known vulnerabilities, to harden the most critical 
networks' systems and information, and to implement basic cyber 
hygiene and security measurers.
    Cybersecurity experts estimate that some 90 percent of 
cyber attacks could be defeated by better implementation of 
better cyber hygiene practices and best-practice sharing. 
Therefore, an essential element of cyber deterrence must be to 
minimize vulnerabilities that potential adversaries can exploit 
with significant effects.
    Through basic cyber hygiene and information sharing across 
the government and private sector, we can drastically decrease 
the opportunities for our adversaries to hold us at risk, and 
the amount of time and resources we must spend responding to 
malicious cyber activity directed against us.
    We can then devote more capacity to developing and 
maintaining capabilities to hold our adversaries at risk. The 
Department is focused on preparations to defend the United 
States by halting or degrading strategic cyber attacks using 
cyber effects operations. We also seek to leverage the 
Department's extensive information collection mechanisms to 
provide timely indicators and warnings to public and private 
owners and operators.
    If a cyber attack of significant consequence should occur, 
the Department of Homeland Security and the Department of 
Justice, with other departments and agencies in support, would 
take the lead in responding to, recovering from, and 
investigating the different elements of a significant cyber 
incident.
    The DOD stands ready to provide additional support to DHS 
and other Federal agencies upon request. The technical skills 
possessed by the Cyber Mission Force can augment our 
interagency partners when the magnitude of a cyber event calls 
for a collaborative government response. We are currently 
working with the Department of Homeland Security to determine 
the most effective and efficient ways for DOD to enhance our 
support to these efforts.
    We must always keep in mind that the capabilities of the 
Cyber Mission Force were developed and optimized for DOD's 
warfighting mission. Offensive operations are the means by 
which the military seizes and retains the initiative while 
maintaining freedom of action and achieving decisive results.
    If and when the Nation faces a large-scale cyber attack, 
DOD cyber resources will be focused on and most effectively 
employed in our adversaries' networks--detecting, preventing, 
preempting, degrading, or defeating malicious cyber activities 
at their source, as well as holding at risk other critical 
equities and capabilities of the adversary.
    DOD cyber forces must also protect our networks and weapons 
systems against malicious cyber activity. The Department 
conducts network defensive operations every day in order to 
enhance our cyber resiliency. Defending DOD systems also 
requires identifying and mitigating our own vulnerabilities. We 
are moving forward to assess and redress major weapons 
platforms and critical infrastructure vulnerabilities, as 
mandated by the NDAAs for fiscal years 2016 and 2017.
    As outlined in the National Defense Strategy, the 
Department's weight of effort must be directed toward 
preparedness for war. At all times we must be ready to respond 
with both cyber and non-cyber capabilities to malicious cyber 
activity that results in loss of life, major damage to 
property, serious adverse foreign policy consequences, or 
serious economic impact to the United States.
    DOD must be prepared to compete and win in conflict below 
the threshold of conventional war as well. This is commonly 
referred to as the gray zone.
    Our adversaries are adept at calibrating their actions in 
both the physical and cyber domains so that no single event 
rises to the level that would merit a significant United States 
response. However, the cumulative effect of these actions can 
be significant.
    The Department's cyber forces must be prepared to respond 
to malicious cyber activity in the gray zone by preempting 
imminent malicious cyber operations, disrupting ongoing 
malicious cyber activities, supporting other agencies with our 
technical skills and capacity, and working with and through our 
allies and partners to apply diplomatic and economic pressure 
on these actors.
    I am grateful for the support we have received from 
Congress. The hiring authorities you have provided us have been 
critical to creating the Cyber Excepted Service. And your 
generous resourcing of DOD cyber activities has allowed us to 
stand up the Cyber Mission Force and put U.S. Cyber Command on 
the path to elevation.
    The President's request for FY 2019 helps us sustain that 
momentum and continue to strengthen DOD's ability to operate in 
and through cyberspace. The request includes $8.6 billion for 
cyber-related activities and represents an increase of roughly 
$600 million over the FY 2018 budget request.
    In closing, I would like to thank the subcommittee members 
for your time and your assistance working alongside us to 
develop the cyber force the Nation needs. The people in our 
cyber community are the best in the world, and I am honored to 
serve with them.
    The Department is committed to approaching the development 
of our cyber capabilities with the sense of urgency warranted 
by the gravity of threats we face. Our strong relationship with 
Congress has been a critical component of our success and will 
remain vital as we continue our work to ensure that the 
Department's cyber forces are prepared to compete, deter, and 
win against any opponent.
    I look forward to your questions.
    [The prepared statement of Secretary Rapuano can be found 
in the Appendix on page 46.]
    Ms. Stefanik. Thank you for those opening remarks.
    I am going to stick to the 5 minutes aggressively to make 
sure we can get through all of our questions, but I gave you 
guys some flexibility.
    So my first question is: This morning, we heard from former 
Secretaries Chertoff and Jeh Johnson, as well as General 
Alexander, former Commander of CYBERCOM, about the importance 
of continuing to improve interagency collaboration.
    And, Assistant Secretary Rapuano, you just referenced in 
your opening statement how we are currently working with DHS to 
determine the best way forward, in terms of what DOD's role is.
    What steps specifically are being taken by Cyber Command 
and DOD to build this more integrated, whole-of-government 
approach? So not broadly that we are working on it, but what 
are the specific steps?
    I will start with you, Assistant Secretary.
    Secretary Rapuano. Thank you.
    First, I think it is useful to quickly just review our 
current activities in terms of working the interagency process.
    We chair three of the six Federal centers associated with 
cyber and cybersecurity. I won't walk through them all, but the 
Defense Cyber Crime Center; the Cyber Command Joint Ops 
[Operations] Center, the JOC; and the National Operations 
Center that is run by NSA. And in all three of those centers, 
we are engaging with them on a routine basis, all of the key 
players in the interagency, as well as industry with some of 
them, to understand both the threats and the areas for 
collaboration and cooperation.
    We are also part of the NCCIC [National Cybersecurity and 
Communications Integration Center], which the DHS runs at DHS, 
in terms of coordinating interagency with critical 
infrastructure and other industry on response to specific cyber 
threats.
    So we have a very solid foundation in terms of relationship 
and understanding. The issue really is what specific types of 
capabilities and what thresholds of capacity other agencies 
would need in different types of circumstances. And then we 
need to assess that against what our warfighting requirements 
are and how do we do that balance.
    Ms. Stefanik. Admiral Rogers.
    Admiral Rogers. So, in addition to the individuals 
integrated from DHS, FBI [Federal Bureau of Investigation], and 
other partners within my ops structure and my integration in 
their ops structure, if you will, a series of specific 
exercises.
    We do two major exercises with our DHS and interagency 
teammates twice a year--I am sorry. It is two exercises occur, 
two times total for the year. In addition, a series of tabletop 
exercises. You look at some of the things we have planned in 
the next 90 days, for example, we are going to be doing some 
election interaction at a tabletop kind of level with our DHS 
partners.
    The area that I have--you know, I am leaving, as you are 
aware. The area that I have talked to the team about I really 
want us to get into next is: Let's get down to the actual 
center and sector level, because that is where it comes to the 
day-to-day execution. Guys, if we want to get to speed, we want 
to get to agility--because, as operational commander, those are 
big to me. I want to get to speed, and I want to get to agility 
to actually execute. Let's look at what we can do to actually 
perhaps integrate at that level.
    So that is kind of a future focus for us, as I am moving 
forward.
    Ms. Stefanik. And I want to build on that. One of the 
statements this morning was that the lack of a common operating 
picture impedes our ability to have this comprehensive cyber 
strategy. What do we do to address this lack of a coherent 
operating picture?
    Admiral Rogers. For me--I apologize, Ken--first, it is a 
common operating picture of what? You want an operating picture 
of critical infrastructure? You want an operating picture of 
all of private infrastructure?
    Ms. Stefanik. Well, that is part of the question, is----
    Admiral Rogers. Right.
    Ms. Stefanik [continuing]. What is the role of Cyber 
Command to drive those conversations? What is that interagency 
process? I think we need to have the answer to all of those.
    Admiral Rogers. So, for me, my input would be, the mission 
set that I am directly responsible for within the broader DOD 
effort is the critical infrastructure piece. So I am really 
interested--so how do we get to an integrated, real-time 
picture that enables us to have an accurate sense of what is 
going on that enables decision making and helps to speed that 
decision making?
    So that would be my recommendation for a kind of first 
focus, even though, as I acknowledge, that is not going to be 
DOD's lead here. We are in a support team role. But I like to 
think we need to be part of this discussion and we can help.
    Ms. Stefanik. So how do we spur that, though? I think the 
status quo is unsustainable. Obviously, we need to spur that 
interagency integration.
    Secretary Rapuano. I appreciate that you are familiar with 
the National Cyber Incident Response Framework, but that really 
does drive how we organize and operate within the Federal 
Government in terms of our engagement with industry and other 
players.
    And in the DHS role, in terms of the asset response piece, 
the FBI has the threat response piece, and then we have the 
DNI, who has the intelligence integration function.
    Ms. Stefanik. Okay. I am going to have to take the rest for 
the record.
    Mr. Langevin.
    [The information referred to can be found in the Appendix 
on page 67.]
    Mr. Langevin. Thank you, Elise.
    And I want to again thank our witnesses for being here 
today.
    Secretary Rapuano, as I mentioned in my opening statement, 
I believe that U.S. policy on title 10 cyber operations needs 
to be advanced both domestically and internationally in order 
to effectively employ the force, deter adversarial actors, 
respond to adversarial cyber actors, and shape international 
norms for the military use of cyber capabilities.
    So what actions are the Department and the administration 
taking to advance the understanding of and the gaps in existing 
laws, authorities, and policies relating to cyber operations to 
develop standard frameworks and guidance?
    Secretary Rapuano. Thank you for the question, Congressman.
    As you all appreciate, the challenge associated with 
defining traditional military activities in the cyber domain 
is, typically, that is done by looking back historically at 
what are traditional types of military operations.
    In a domain that is so novel in many respects and for which 
we do not have the empirical data and experience associated 
with military operations per se, particularly outside zones of 
conflict, there are some relatively ambiguous areas associated 
with, well, what constitutes traditional military activities.
    This is something that we are looking at within the 
administration, and we have had a number of discussions with 
Members and your staffs. So that is an area that we are looking 
at, in terms of understanding what the trades are and what the 
implications are of changing the current definition if that 
were deemed to be warranted.
    Mr. Langevin. Okay. That is certainly something the 
committee is going to continue to provide rigorous oversight on 
and work with you as we develop.
    So how do you intend to ``defend forward,'' in quotes, as 
is outlined in the new command vision? Do you envision this 
defensive posture as using CYBERCOM capabilities and 
intelligence to provide targeted assistance to national assets, 
including, for example, critical infrastructure? Or would this 
involve title 10 activities being used to disrupt platforms 
potentially before an operation actually begins?
    Secretary Rapuano. So, defending forward, in the DOD 
context, is really looking at the source of the cyber attacks 
or otherwise malevolent activities. And it is looking at how we 
can get at it, how we can uproot it, and also how we can hold 
other equities valued by the adversary perpetrating the act at 
risk.
    And, with that, I will just turn it to Admiral Rogers.
    Admiral Rogers. So the vision you outline is--my goal as a 
commander is to try to get ahead of problem sets before they 
occur. Therefore, I am interested in asking myself within the 
authorities granted to me and within the broad legal framework 
that we use for the application of DOD capabilities, how can we 
attempt to forestall activity before it even happens? Failing 
that, how can we very quickly stop that activity before it has 
the time or the ability to generate significant impact, if you 
will, against our critical infrastructure?
    And so our strategy is about, how do you tie--or vision is, 
how do you tie together the power of intelligence and the 
insights that generates with the operational capability that 
DOD has invested in the Cyber Command structure in its mission 
force teams?
    And so that is our vision for the future. This capability 
that we have invested, that we have built, how do we use it in 
a way that attempts to forestall the opponent's ability to gain 
advantage in the first place? And, failing that, how do we stop 
that activity before they are able to have significant impact?
    Mr. Langevin. I think it is important to be forward-
leaning. I like kind of the shift in focus. And I think the 
American people, quite frankly, expect that we will be more 
forward-leaning.
    Admiral Rogers and Secretary Rapuano, leveraging the 
lessons that we have learned to date is important to achieving 
success in the cyber domain, especially since we are learning 
as we go. We benefit, obviously, from every success and every 
failure.
    How are our lessons learned from CYBERCOM's mission and 
operations being leveraged and instituted? And how is readiness 
being defined for the CMF? And how is this readiness being 
measured? How are training and recertification processes co-
evolving with the threat and the technology landscape?
    We will probably run out of time, but I would like that for 
the record.
    Admiral Rogers. Yes, Sir. So, a lot in that question. Very 
quickly, it doesn't matter if it is something we do 
offensively, if it is something we do defensively; every time, 
part of our mission structure is post-event debrief, analysis, 
lessons learned, and then how do we tie this into what we are 
doing next. So there is a cumulative impact there which, as a 
commander, I really like. You learn----
    Ms. Stefanik. We will have to take the rest for the record.
    [The information referred to can be found in the Appendix 
on page 67.]
    Admiral Rogers. Okay. Got it.
    Ms. Stefanik. We have to move along.
    Ms. Cheney.
    Ms. Cheney. Thank you, Madam Chairwoman.
    And thanks, Admiral Rogers and Secretary Rapuano.
    I am concerned, as is the subcommittee and the entire 
committee, about the lack of any cyber strategy. We haven't 
seen anything from the administration, despite the fact that we 
made requests for it in the NDAA last year.
    And I wonder if you could shed some light on why that is, 
why there is no strategy, number one, and, number two, how we 
can be in a position, in light of the threats we are facing, in 
light of the action that we are seeing, the active measures by 
our adversaries, to be engaged in any sort of effort to defend 
or to act offensively without understanding what the overall 
mission and goals and objectives are in the absence of a 
strategy.
    And I guess I would go to you first, Secretary Rapuano.
    Secretary Rapuano. Thank you.
    I think one of the reasons is it is very hard. There are a 
lot of evolving dynamics at play. And we still have a 
relatively new administration. And there are competing views as 
to what the right trade space is associated with a variety of 
equities and risks.
    That said, it is at the White House, the national cyber 
strategy, and I understand that it should be forthcoming in the 
near future.
    We are looking to then enhance our cyber posture approach, 
which we will be providing by August, to sync with that 
national strategy. DOD is one key member of the whole of 
government, and we want to make sure that we are very 
thoughtful in terms of very synthesized integration with the 
national approach.
    Admiral Rogers. And I would only add, I don't think you 
should feel for 1 minute that that means the DOD, for example, 
has stood pat and done nothing. We have got a National Security 
Strategy and a National Defense Strategy in which cyber is a 
component. As the operational commander, I have tried to take 
that broad, strategic vision, and, as Representative Langevin 
has articulated, I have laid out in writing to my team, here is 
kind of the vision I think that we need to be building to that 
reflects that broader strategic underpinning, even as I 
acknowledge we have not yet completed a specific cyber 
strategy, although that work is, we think, getting close.
    So I would only--please don't think that we are just 
standing still, waiting for someone to tell us, you know, what 
we----
    Ms. Cheney. No, I appreciate that. I was not under any 
illusions that you were just standing still, and appreciate 
very much the work you have done. We want to be helpful, but I 
think it is also absolutely incumbent upon this administration, 
in light of this threat, to provide some guidance.
    And precisely, Secretary Rapuano, as you said, it is hard, 
but it is hard because we are in a whole new world, and our 
adversaries, in fact, are moving forward, and the lack of 
ability for us, on our part, to say, look, this is what we have 
to deal with, this is how we are going to operate, this is what 
we have to guard against.
    And, frankly, both in a public and classified setting, 
being able to say to our adversaries, these are the kinds of 
things that will result in a response from us, and laying that 
out so we have a much more effective deterrent policy in place 
is something that I think we as a subcommittee have got 
tremendous oversight obligations in looking at it.
    And the administration itself--now we have seen significant 
turnover at the NSC [National Security Council]. I see just 
news reports now that Nadia Schadlow has resigned. Obviously, 
Mr. Bossert has moved on. We can't let those add to the amount 
of time that is going to be dedicated now or taken up in 
putting the strategy together.
    So it is something we will continue to work on in a way so 
we can ensure that the Nation is, in fact, got a strategy in 
place to deal with one of the most important and dangerous 
threats we face.
    And I will yield back the balance of my time.
    Ms. Stefanik. Mr. Larsen.
    Mr. Larsen. Thank you, Madam Chair. I will yield my time to 
Representative Murphy.
    Ms. Stefanik. Mrs. Murphy, you are recognized.
    Mrs. Murphy. Thank you, Admiral Rogers and Mr. Rapuano, for 
being here.
    I am encouraged that the Department is making progress on 
fielding the Persistent Cyber Training Environment [PCTE], 
which is, as you know, the training platform that allows cyber 
forces to train in simulated network environments.
    I represent Orlando, which is home to Army's Program 
Executive Office for Simulation, Training, and Instrumentation, 
or PEO STRI. PEO STRI was tapped to develop and acquire the 
PCTE which will also incorporate the work of the National Cyber 
Range in Orlando.
    In your view, what do you think the value of a Persistent 
Cyber Training Environment is for readiness? What kinds of 
individual and collective training objectives do you think you 
can support? And then, as you look into the future, what sorts 
of capabilities and infrastructure do you foresee these PCTEs 
requiring?
    Admiral Rogers. So, for me, Cyber Command, we are the ones 
who articulated the operational requirement, because my vision, 
our vision, if you will, is I want to be able to, wherever our 
cyber forces are garrisoned or stationed--we started early on 
in this process large exercises, brought together literally a 
thousand individuals, teams from across our force. Those are 
all good things.
    But when I said to myself, look at the time it takes to 
build this network, the money it costs to do this, while this 
should be a component of our training strategy, this does not 
scale for a day-to-day effort. And we need a day-to-day 
capability that you can train in garrison where, defensively, I 
can create, I can mirror my own networks, I can simulate an 
opposing force attempting to penetrate the network, and I can 
use my defensive techniques to train against it.
    Likewise, I can use this, I want to build this over time so 
I can bring my allies into this so it is not just us, it is our 
broader international partners, because if it is expensive for 
us, imagine what it is with some of the work we are doing with 
nations spread around the world in cyber right now, trying to 
get them to bring their entire team structure to the United 
States.
    This is also good for me because I want to be able to 
create network structures that, from an offensive standpoint, I 
can model. So how am I going to penetrate this? What actions 
might the defensive team take?
    I can use offensive and defensive capability together in 
head-to-head scenarios where, quite frankly, they are each 
trying to get the better of the other. Never underestimate the 
positive impact of competition and a little head-to-head 
contest to keep teams motivated.
    So those are all examples of why I think PCTE is so 
important for us because that goes to the ability to retain 
readiness and the ability to be ready now, not, well, if you 
give me 3 months, if you give me 4 months, whatever. We can't 
work that way.
    Mrs. Murphy. And you just mentioned the idea of integrating 
allies and partners into, you know, training together. Where do 
you think there are some opportunities for enhanced training 
and security cooperation activities in this space?
    And then, do you have some examples of allies and partners 
where this is already happening that are maybe benchmarks or 
best practices for how we can move forward?
    Admiral Rogers. So I haven't--most of our international 
partners, quite frankly, are in the same place we are. They see 
a need; they see a requirement. They don't yet have in place 
the long-term solution that they would like.
    There's three or four off the top of my head where I have 
actually sat down with them and said, ``Hey, walk me through 
your system. Can I see what you do?''
    We participate in some foreign exercises as well. It isn't 
just everybody comes to us. I want to learn from others. We 
participate in foreign cyber exercises.
    But I think the ability, particularly for our key--the Five 
Eyes \1\ and a handful of other nations, where we are just part 
of an ongoing coalition in cyber, if you will, focused on both 
the defensive side and in some cases the offensive side, the 
ability to put together an integrated training structure where, 
again, I can have their units in garrison, we can model the 
exact terrain that we think we are going to be dealing with 
live, that is going to be so impactful for our ability to 
actually execute mission.
---------------------------------------------------------------------------
    \1\ An intelligence alliance comprising Australia, Canada, New 
Zealand, the United Kingdom, and the United States.
---------------------------------------------------------------------------
    Mrs. Murphy. Yeah. And do you envision that, as you run 
these exercises and identify vulnerabilities, whether it is in 
platforms that are ours or allies and partners and their 
networks, that you will be able to----
    Admiral Rogers. Right, that I would turn them around?
    Mrs. Murphy [continuing]. Turn it around and get it to 
the----
    Admiral Rogers. Yes, ma'am.
    Mrs. Murphy [continuing]. Folks who are building that so 
that they can address them?
    Admiral Rogers. Yep. That is part of the idea here.
    Mrs. Murphy. Great.
    And then you have stated in your testimony that CYBERCOM is 
working to synchronize cyber planning and operations across the 
entire joint force and that CYBERCOM is helping the combatant 
commands improve command and control by establishing integrated 
planning elements----
    Admiral Rogers. Right.
    Mrs. Murphy [continuing]. At each COCOM.
    Can you provide a little more detail on exactly how 
CYBERCOM is standing up--is it CO-IPEs [Cyber Operations-
Integrated Planning Elements]?
    Admiral Rogers. CO-IPEs, yes, ma'am.
    Mrs. Murphy [continuing]. At each COCOM?
    Admiral Rogers. So there`s nine other COCOMs besides us. We 
become the 10th one effective with the new commander being 
confirmed and assuming the duties.
    I thought one of the biggest shortfalls we had was--I 
thought we did a great job with the Cyber Mission Force in 
creating a higher headquarters in the form of Cyber Command. 
But if you truly want to integrate cyber into the breadth of 
operations across this Department, then you have to integrate 
this capability at all the COCOMs. And so we----
    Ms. Stefanik. Admiral Rogers, we will have to take the rest 
for the record. It was a good question.
    [The information referred to can be found in the Appendix 
on page 68.]
    Mrs. Murphy. Thank you.
    Ms. Stefanik. Mr. Scott.
    Mr. Scott. Thank you, Madam Chair.
    Admiral, you mentioned authorities a little earlier. What 
would CYBERCOM require to move from a defensive support posture 
to an active deterrence posture, where you were actually 
hunting and denying malicious operators before they inflicted 
damage?
    Admiral Rogers. So, for right now, if you look at day-to-
day authority that is currently granted to the commander of 
Cyber Command, on the defensive side, I feel very good that I 
have the authorities that I need to defend the DODIN, the DOD 
networks.
    But one of the questions I think we need to ask ourselves 
is, for example, with the defense industrial base, or if DOD's 
role is going to be to partner in defending critical 
infrastructure, what level of ability to operate outside the 
DODIN would be appropriate for the Cyber Mission Force. I think 
that is a good conversation for us to have. Because, right 
now--again, not a criticism; an observation. Right now, you 
know, the current construct, I don't operate outside the DODIN. 
So I would suggest we ought to take a look at that.
    On the offensive side, I very feel very comfortable about 
the authorities that we have currently put in place to apply 
cyber in areas of designated hostility--the Syrias, the Iraqs, 
the Afghanistans of the world. And we are doing operations 
there almost every day.
    The area where I think we still need to get to a little 
more speed and agility--and, as Mr. Rapuano has indicated, it 
is an area that is currently under review right now; we are 
working our way through--is what is the level of comfort in 
applying those capabilities outside of designated areas of 
hostility and how could we potentially speed that up.
    I don't believe that anybody should grant Cyber Command or 
Admiral Rogers a blank ticket to do whatever they want. That is 
not appropriate. The part I am trying to figure out is what is 
an appropriate balance to ensure that the broader set of 
stakeholders here have a voice in what we do but, at the same 
time, we empower our capabilities with speed and agility to 
actually have meaningful impact. And I think that is what we 
are trying to work our way through right now.
    Mr. Scott. And so that brings me to the next question, 
which deals with the Guard as they establish cyber units. I 
know you said you had 300 full- and part-time working with you 
right now at U.S. CYBERCOM. These units, I mean, they will not 
only be supportive of their home States, but I assume that we 
would want them to have the authority to be supportive of other 
States as well.
    Admiral Rogers. A lot of it depends--so, first of all, I am 
the son of a Guardsman, so I grew up--my father was in the 
Illinois Guard for 27 years, so, as a kid--you know, so I feel 
very strongly about the value of the Guard. I have lived this 
personally, and I saw the difference my father made when he 
served.
    The challenge, I think, is: How do we view this as an 
integrated whole? So one of the points I make to the Guard and 
I make to the Governors when they ask me this question: 
Remember, we are all competing for the same manpower pool, if 
you will. There are only so many people out there with the 
requisite skills and kind of background. So be leery of doing 
solution sets where we try to replicate, for example, 50 
different independent capabilities across every single State. 
It is, how do we synchronize this?
    The other point I try to make is: Remember, cyber doesn't 
recognize geography. So I am a resident of the State of 
Illinois. And if you are trying to protect infrastructure in 
Illinois, the challenge might be that much of that 
infrastructure physically doesn't even reside in Illinois. It 
is the way that the digital backbone has been built.
    So title 32 and the Guard's employment outside of title 10 
is all based on legal authority that also has a key geography 
component. You are acting in a title 32 capacity within your 
State. What do we do when the cyber infrastructure that you are 
trying to defend or impact doesn't reside in that physical 
location?
    So my only argument is: We need to work our way through 
this, and we need to think more broadly and in a more 
integrated approach. So I don't think it is only Guard and 
Reserve. Likewise, I don't think it is only Active. We have to 
get across the spectrum. And we have to ask ourselves, whatever 
we create, how do we do it in a way that maximizes its ability 
to be employed in potentially multiple different scenarios, not 
just a scenario, if that makes sense.
    Mr. Scott. Absolutely. It is complex.
    And the city of Atlanta, as you know, was subject to a 
ransomware attack. And, you know, I can see that--I mean, I 
think the SamSam ransomware has been around for 8 years now. I 
mean, I can see this as we talk about infrastructure; it is not 
just going to be attacks on DOD and on U.S. Government 
operations. It is going to be attacking State operations and 
city operations.
    And I, quite honestly, don't care where the person comes 
from that stops the attack, nor do I think any other government 
official would. And just, we will need help with how we draft 
that language for you.
    And, with that, I yield the remainder of my time.
    Ms. Stefanik. Mrs. Murphy.
    Mrs. Murphy. Thank you, Madam Chair.
    I just wanted to use the rest of my time to let you finish 
that question. Because you were talking about, you know, that 
it needs to be integrated into the COCOMs.
    Admiral Rogers. Right.
    Mrs. Murphy. But, as you finish that, also, if you can talk 
to me a little bit about how J5 will integrate with these CO-
IPEs and whether or not you have both the manpower and the 
capacity to and a solid handle on the CYBERCOM plans in order 
to make sure that they are synchronized.
    Admiral Rogers. Right.
    So one component was we have to get knowledge and 
experience at the COCOM level on how you plan and execute cyber 
operations.
    Secondly, that capability has to be able to be integrated 
not just within that particular COCOM--Honolulu, Stuttgart, 
Tampa, fill in the blank--but it has also got to tie back to 
Cyber Command so that we have one integrated approach to how we 
are doing business here, particularly since the majority, all 
of the offensive capability within the Department, for example, 
remains under my, Cyber Command's operational control. We apply 
it in support of the other combatant commanders. So we have got 
to tie this together.
    We are starting the build in 2018. It is going be finished 
by 2023, so it is a 5-year build-out. We will have IOC [initial 
operational capability] at all nine projected by the end of 
2019, so by the end of the next fiscal year. That gets an 
initial operating capability to all of the other nine combatant 
commanders. And then we will flesh it out over the course of 
the next 3 years.
    A couple of COCOMs are a little further than others, and we 
are using as kind of a test case then. I would highlight--and 
no disrespect to any, but I would highlight PACOM [U.S. Pacific 
Command] and CENTCOM [U.S. Central Command], probably the two 
where, at the moment, we have started to get the initial 
investments, and because of some of the broader activity in 
their theaters that are of high interest, that are bringing our 
cyber capability to bear, along with a lot of other 
capabilities, we have kind of decided to use them as a bit of a 
test case, if you will.
    Mrs. Murphy. Uh-huh. Great.
    And, I guess, are you going to be also providing the 
training and resources to help people have the cyber fluency to 
be able to engage even if that is not their primary mission?
    Admiral Rogers. Right. So part of this is we will help 
develop the training standards for every one of the billets.
    This is also a good example of how, once--with each service 
having created a core cyber competency, one of my visions is, 
so you could do one tour at a combatant commander, you could do 
another tour in one of our mission teams, you could do another 
tour at Cyber Command, you could do another tour in ASD 
[Assistant Secretary of Defense] in Cyber Policy, you could go 
to the Joint Staff and do cyber work.
    Mrs. Murphy. Uh-huh.
    Admiral Rogers. One of the values of this 
professionalization that, as a Department, we have put in place 
now is that we will get recurring benefit by moving people so 
we don't have to train every--so it is the first time you have 
ever done this; we don't want to go through that every time. 
There is always a first time, but I don't want to have to do 
that every time, if I can avoid it.
    Mrs. Murphy. Great. Thank you very much.
    And I yield back.
    Ms. Stefanik. Mr. Garamendi.
    Mr. Garamendi. I will pass.
    Ms. Stefanik. That concludes the open portion of this 
session. We are now going to move to 2337.
    I also want to just let the members know we are going to 
have a quarterly cyber briefing. So if there are questions you 
have that we didn't get to today, that will be scheduled in the 
coming weeks.
    So, with that, this is gaveled out, and we will hustle 
upstairs.
    [Whereupon, at 4:23 p.m., the subcommittee proceeded in 
closed session.]



      
=======================================================================




                            A P P E N D I X

                             April 11, 2018

=======================================================================

      



      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             April 11, 2018

=======================================================================

      
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  


      
=======================================================================


              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                             April 11, 2018

=======================================================================

      

            RESPONSES TO QUESTIONS SUBMITTED BY MS. STEFANIK

    Admiral Rogers. [The information is for official use only and 
retained in the committee files.]   [See page 11.]
    Secretary Rapuano. A common operating picture requires the Federal 
government and the private sector to share information rapidly. This 
means improving processes so that DOD and the intelligence community 
(IC) can push information to the Department of Homeland Security (DHS) 
and out to private sector critical infrastructure partners, but also so 
that those partners can share more threat data from their networks with 
the Federal government. This information could be critical in helping 
DOD conduct its mission to defend the homeland. By understanding the 
threats facing critical infrastructure, we can better prioritize DOD's 
operational activities. This is a collective responsibility to which 
both the public and private sectors must contribute.
    My staff and I work in close collaboration with the National 
Security Council staff and our interagency partners at the State 
Department, DHS, the Federal Bureau of Investigation (FBI), and other 
departments and agencies to ensure that the Federal Government has the 
necessary policies in place and is taking appropriate actions to 
address critical issues and potential threats in cyberspace. Beyond 
contractual relationships, and both the mandatory and voluntary 
information-sharing programs DOD has with the Defense Industrial Base, 
DOD works closely with DHS and the FBI to address threats to critical 
infrastructure.   [See page 11.]
                                 ______
                                 
            RESPONSES TO QUESTIONS SUBMITTED BY MR. LANGEVIN
    Admiral Rogers. [The information is for official use only and 
retained in the committee files.]   [See page 12.]
    Secretary Rapuano. USCYBERCOM incorporates lessons learned into its 
mission planning and operations by instituting a real-time review and 
feedback mechanism during its operations as well as conducting larger 
scale after-action sessions to identify strategic issues. All 
individual operations are planned, reviewed, and approved prior to 
execution by independent, senior-level technical advisors who provide 
guidance and modifications based on their experience and extensive 
knowledge.
    Once an operation is complete, the same individuals review and 
critique whether the operation was conducted according to plan and if 
any unanticipated challenges arose during execution. If a mistake 
occurs during the course of the operation, the senior technical 
advisors have the opportunity to determine whether the operator 
requires additional training or whether the mistake was due to a simple 
error. USCYBERCOM personnel also often conduct ``hot washes'' 
(debriefing meetings) on their strategic operations with senior leaders 
to identify the lessons learned and to propose recommendations for 
improving future operations. These recommendations can include resource 
shortfalls, process requirements, and decision-making efficiencies to 
be gained.
    Lessons learned from operational employment of the Cyber Mission 
Force (CMF) are being routinely captured and integrated into ever-
evolving curriculum. The Department of the Army, for example, is 
comparatively in the best position to ensure that it is able to 
leverage and institute ``lessons learned'' from real-world Cyberspace 
Operations and evolve curriculum, training, and recertification 
processes rapidly. The Army's decision to have its institutional CMF 
workforce collocated with a majority of its operational CMF workforce 
gives the Army a significant advantage in accessing, educating, 
training, developing, employing, and retaining this workforce.
    The decision to establish the U.S. Army Cyber School at Fort 
Gordon, Georgia, was made, in part, to co-locate the institutional and 
the operational force. Benefits of this colocation include, but are not 
limited to, gaining synergy across both workforces through shared 
experiences, the ability to take lessons learned and turn them rapidly 
into appropriate adjustments to the curriculum, an ability to ``re-
fresh'' instructors while they are still serving in instructor billets, 
an ability rapidly to establish critical training that is more 
immediately available to a large portion of the operational force, and 
an ability to extend the ``Schoolhouse'' learning environment by 
introducing students to the operational environment while they are 
still in training. Additionally, as the U.S. Army Cyber School began 
constructing curriculum specifically to meet the needs of its CMF, it 
turned to cloud-hosted storage and synchronization solutions that allow 
qualified members of the CMF to ``crowdsource'' on the curricula for 
both rapid creation and continual maintenance. To date, more than 100 
contributors have worked to provide almost 7,000 updates to courseware 
through their chosen distributed version-control system.
    During the establishment of the Joint Cyber Mission Force, the 
initial emphasis was simply on building the 133 teams across the 
Military Services and thus the Initial Operating Capability (IOC) and 
then Full Operating Capability (FOC) of the Joint Cyber Mission Force. 
Reporting by the units focused on rudimentary reporting of total 
personnel assigned to the teams against a percentage of personnel 
assigned to key work roles and their associated levels of training and 
certification.
    These teams are trained to deter and defeat strategic threats to 
U.S. interests and infrastructure, ensure DOD mission assurance, and 
achieve Joint Force Commander objectives. Accordingly, as we move 
forward, DOD recognizes the need to work with USCYBERCOM and the 
Military Services to effect joint standard reporting requirements and 
standards for both ``Capacity'' and ``Capabilities.'' As the Department 
resources and equips these teams with cutting-edge cyber tools, 
accesses, and platforms to protect against sophisticated cyberattacks 
and to ensure deterrence and military advantage in and through 
cyberspace, enhanced CMF Readiness reporting that assesses ``Capacity'' 
readiness across the Military Services to a common joint standard by 
measuring not only Personnel and Training, but also Equipment and 
Supplies and Condition of Equipment, will result in more deliberate and 
objective measures of force readiness. In addition, the Department 
needs to work with USCYBERCOM and the Military Services to effect 
``capabilities-based'' reporting against Mission-Essential Tasks that 
reflect fundamentals based on unit design and organization.   [See page 
12.]
                                 ______
                                 
             RESPONSE TO QUESTION SUBMITTED BY MRS. MURPHY
    Admiral Rogers. [The information is for official use only and 
retained in the committee files.]   [See page 16.]