<html>
<title> - [H.A.S.C. No. 115-97] HEARING ON NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2019 AND OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS BEFORE THE COMMITTEE ON ARMED SERVICES HOUSE OF REPRESENTATIVES ONE HUNDRED FIFTEENTH CONGRESS SECOND SESSION</title>
<body><pre>[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                         [H.A.S.C. No. 115-97]

                                HEARING

                                   ON

                   NATIONAL DEFENSE AUTHORIZATION ACT

                          FOR FISCAL YEAR 2019

                                  AND

              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING

                                   ON

                     A REVIEW AND ASSESSMENT OF THE

                     DEPARTMENT OF DEFENSE BUDGET,

                     STRATEGY, POLICY, AND PROGRAMS

    FOR CYBER OPERATIONS AND U.S. CYBER COMMAND FOR FISCAL YEAR 2019

                               __________

                              HEARING HELD
                             APRIL 11, 2018

                            _________

                U.S. GOVERNMENT PUBLISHING OFFICE

30-571                  WASHINGTON : 2019


           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                ELISE M.
STEFANIK, New York, Chairwoman

BILL SHUSTER, Pennsylvania           JAMES R. LANGEVIN, Rhode Island
BRAD R. WENSTRUP, Ohio               RICK LARSEN, Washington
RALPH LEE ABRAHAM, Louisiana         JIM COOPER, Tennessee
LIZ CHENEY, Wyoming, Vice Chair      JACKIE SPEIER, California
JOE WILSON, South Carolina           MARC A. VEASEY, Texas
FRANK A. LoBIONDO, New Jersey        TULSI GABBARD, Hawaii
DOUG LAMBORN, Colorado               BETO O'ROURKE, Texas
AUSTIN SCOTT, Georgia                STEPHANIE N. MURPHY, Florida
JODY B. HICE, Georgia
                Pete Villano, Professional Staff Member
              Lindsay Kavanaugh, Professional Staff Member
                          Neve Schadler, Clerk

                            C O N T E N T S

                              ----------
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island,
  Ranking Member, Subcommittee on Emerging Threats and
  Capabilities...................................................     2
Stefanik, Hon. Elise M., a Representative from New York,
  Chairwoman, Subcommittee on Emerging Threats and Capabilities..     1

                               WITNESSES

Rapuano, Kenneth P., Assistant Secretary of Defense for Homeland
  Defense and Global Security, U.S. Department of Defense........     7
Rogers, ADM Michael S., USN, Commander, U.S. Cyber Command, and
  Director, National Security Agency.............................     4

                                APPENDIX

Prepared Statements:

    Rapuano, Kenneth P...........................................    46
    Rogers, ADM Michael S........................................    27
    Stefanik, Hon. Elise M.......................................
25

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Langevin.................................................    67
    Mrs. Murphy..................................................    68
    Ms. Stefanik.................................................    67

Questions Submitted by Members Post Hearing:

    [There were no Questions submitted post hearing.]
A REVIEW AND ASSESSMENT OF THE DEPARTMENT OF DEFENSE BUDGET, STRATEGY,
 POLICY, AND PROGRAMS FOR CYBER OPERATIONS AND U.S. CYBER COMMAND FOR
                            FISCAL YEAR 2019

                              ----------

                  House of Representatives,
                       Committee on Armed Services,
         Subcommittee on Emerging Threats and Capabilities,
                         Washington, DC, Wednesday, April 11, 2018.
    The subcommittee met, pursuant to call, at 3:30 p.m., in
room 2212, Rayburn House Office Building, Hon. Elise M.
Stefanik (chairwoman of the subcommittee) presiding.

 OPENING STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE
FROM NEW YORK, CHAIRWOMAN, SUBCOMMITTEE ON EMERGING THREATS AND
                          CAPABILITIES

    Ms. Stefanik. The subcommittee will come to order.
    Welcome, everyone, to today's hearing of the Emerging
Threats and Capabilities Subcommittee on the posture of cyber
operations and U.S. Cyber Command [CYBERCOM] for fiscal year
[FY] 2019.
    This hearing is the second of three cyber events today.
This morning, we heard from former Secretaries of Homeland
Security Chertoff and Johnson, as well as former CYBERCOM
Commander Keith Alexander.
    Adversaries such as China and Russia aggressively leverage
and integrate cyber information and communications technologies
for geopolitical and economic gain, and they do so in a
seamless way.
Dictatorships have those advantages, and their
control over these technologies and information is as much
about exerting control over their own populations as it is
confronting free societies such as ours.
    As discussed in the Worldwide Threat Assessment for 2018
from the Director of National Intelligence [DNI], Iran and
North Korea also continue to increase their offensive cyber
capabilities and techniques. Over the last few years, both of
these nations are believed to be behind cyber attacks that
demonstrate not only a capability to deploy a variety of
techniques and tools, but also a willingness to use cyber
attacks as a means to achieve their national objectives.
    Needless to say, cyber threats today from state and non-
state adversaries are real, pervasive, and growing. Cyberspace
and the information domain writ large remains contested and
under continual stress. We are no longer peerless, and cyber
superiority is not assured.
    Yet, while these adversaries continue to use cyber as a
means to achieve strategic objectives, I remain concerned that
we, as a government, do not have a strategy in place to
mitigate, deter, or oppose their advances. It is safe to say
that we have improved our military cyberspace and cyber warfare
capabilities and also improved our resilience in many areas,
but I am sure not the same can be said of the rest of our
government--most notably, the protection of our critical
infrastructure that preserves our economic security and ensures
our way of life.
    Further work is needed to build interagency partnerships to
ensure a whole-of-government approach to countering the growing
cyber threat.
The Department of Defense [DOD] plays an
important role in this area, certainly when considering a
significant cyber incident that may require their expertise
during a time-sensitive emergency.
    From where I sit, a great deal of work remains to be done
to improve our ability to defend, fight, and win in this
critical domain, and also to improve and align our decision-
making processes and operational authorities so that we are
fast, agile, and relevant. Only then will our Nation be
prepared for the 21st-century challenges we face.
    Our witnesses today are very well-qualified to help us
navigate these multidimensional challenges. Appearing before
our subcommittee, we have Admiral Mike Rogers, Commander of
U.S. Cyber Command and Director of the NSA [National Security
Agency], and the Honorable Kenneth Rapuano, Assistant Secretary
of Defense for Homeland Defense and Global Security and
Principal Cyber Advisor for the Secretary of Defense.
    Thank you both for being here today.
    Admiral Rogers, this will be your last appearance before
this subcommittee, and I want to extend my sincerest thanks and
appreciation for your decades of service to our country and for
the relationship that you have built with so many of our
members on the House Armed Services Committee [HASC]. We wish
you great success in your next chapter and wish your family
well. Thank you again for your service.
    I would now like to recognize my friend and the ranking
member, Jim Langevin, for his opening remarks.
    [The prepared statement of Ms. Stefanik can be found in the
Appendix on page 25.]

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS
                        AND CAPABILITIES

    Mr. Langevin. Thank you, Chairwoman Stefanik.
    And thank you to both of our witnesses for being here
today. I look forward to your testimony.
I have certainly been
studying cybersecurity issues now for over a decade, and I have
to say, I still learn something every day as the domain and the
actors in it continue to evolve.
    Secretary Rapuano, it is good to see you once again. We
certainly appreciated your testimony on countering weapons of
mass destruction a few weeks ago, and I certainly look forward
to today's testimony that you will provide on cyber.
    And, Admiral Rogers, it is a pleasure to have you back
before us again today, and I want to thank you for your service
to the Nation. It has been many years that you and I have had
the opportunity to interact, whether it is here on the HASC or
in my years on the HPSCI [House Permanent Select Committee on
Intelligence], and it has been an honor to work with you. And I
am just grateful for everything that you have done and all your
contributions to better protecting our Nation's cyberspace. I
certainly wish you and your family well as you start the next
chapter as well.
    2018 is poised to be a notable year for U.S. Cyber Command.
Following the legislative action out of this subcommittee over
the past several years, CYBERCOM will be elevated to a new
unified combatant command [COCOM] after confirmation of the
next commander.
    Additionally, a cyber posture review is being conducted for
the first time, and a legislative framework is in place for
notification of sensitive cyber operations.
Cyber evaluations
of major defense systems continue to be conducted to mitigate
known vulnerabilities posing operational or other risk.
    Furthermore, cyber activities supporting named and
contingency operations overseas have also matured, allowing the
Department to leverage lessons learned when it comes to
tactics, techniques, and procedures, as well as command and
control of our forces.
    All teams of the Cyber Mission Force [CMF] are expected to
achieve full operational capability [FOC] by the end of the
year.
    These are all excellent steps forward, toward maintaining
our superiority in an ever-changing domain, but, though
progress has been made, of course, these efforts and
achievements do not mean we have reached the finish line.
Instead, I would argue that we have just begun the race.
    In addition to reaching FOC, we must ensure that the CMF
has the right people, continuous training and education, and
the best capabilities in our toolbox to perform against any
threats that may confront us. We must be able to measure the
readiness of these teams, define the requirements against which
they are being or may be employed, and the frameworks in place
to rapidly employ them and enable them to respond, when
appropriate, based on clear legal policy and operational
authorities.
    Existing frameworks are too ambiguous to effectively,
clearly, concisely, and consistently employ the CMF against all
mission sets. Effective and comprehensive policies to deter and
respond to adversarial actors, as well as efforts to shape
international norms of state behavior, particularly regarding
use of military cyber capabilities outside of a combat zone,
are progressing more slowly than desired.
    As I said at the outset, this domain continues to evolve
quickly, and it is simply not good enough to just keep up with
our adversaries. Instead, we must set the pace.
However, we
must not compromise our morals and values when employing cyber
forces, for those qualities are what set us apart from those
who seek to do us harm.
    We must also avoid a cyber cold war of sustained activities
carried out by proxies or below the level of armed conflict.
Instead, the U.S. must continue leading in crafting of sound
domestic and international policies and laws for cyberspace and
cyber warfare, working with our allies to assert and enforce
rules of the road, rather than letting malicious actors do it
for us.
    With that, I would like to once again thank our witnesses
for being here.
    Take care, Admiral Rogers. I thank you again for your
service and wish you well.
    And, again, thank you for being here today to discuss such
an important aspect of our military's capabilities. I strongly
believe that each and every conflict we face in the future will
contain some element of cyber, and, as such, we must be
prepared for all activities in the cyber domain.
    With that, I want to thank you all again, and Madam Chair,
I yield back.
    Ms. Stefanik. Thank you, Jim.
    I would also like to remind members that immediately
following this open hearing the subcommittee will reconvene
right next door--oh, upstairs for a closed, classified
roundtable with our witnesses.
    Before we move to our opening statements, I ask unanimous
consent that non-subcommittee members be allowed to participate
in today's briefing after all subcommittee members have had the
opportunity to ask questions. Is there objection?
    Without objection, non-subcommittee members will be
recognized at the appropriate time for 5 minutes.
    Welcome again to our witnesses.
    Admiral Rogers, the floor is yours.

STATEMENT OF ADM MICHAEL S. ROGERS, USN, COMMANDER, U.S. CYBER
        COMMAND, AND DIRECTOR, NATIONAL SECURITY AGENCY

    Admiral Rogers.
Thank you, Chairwoman Stefanik, Ranking
Member Langevin, and distinguished members of the committee.
Thank you for your enduring support and the opportunity to talk
to you today about the hardworking men and women of United
States Cyber Command.
    On behalf of those hardworking men and women, I am here to
discuss the command's posture and describe how we prepare for
and execute operations in the cyberspace domain to support the
Nation's defense against increasingly sophisticated and capable
adversaries.
    The cyberspace domain that existed when we first
established Cyber Command 8 years ago has evolved dramatically.
Today, we face threats that have increased in sophistication,
magnitude, intensity, velocity, and volume, threatening our
vital national security interests and economic well-being.
    Russia and China, which we see as peer or near-peer
competitors respectively in cyberspace, remain our greatest
concern. But rogue nations like Iran and North Korea have
growing capabilities and are using aggressive methods to
conduct malicious cyberspace activities. Further, several
states have mounted sustained campaigns against our cleared
defense contractors to identify and steal key enabling
technologies, capabilities, platforms, and systems.
    Our adversaries have grown more emboldened, conducting
increasingly aggressive activities to extend their influence,
with limited fear of consequences. We must change our
approaches and responses here if we are to change that dynamic.
    While the domain has evolved, Cyber Command's three mission
areas endure. Our first priority is the defense of the
Department of Defense Information Networks, or DODIN. Second,
we support other joint force commanders through the application
of offensive cyber capabilities. And, finally, when directed to
do so by the President or the Secretary of Defense, we defend
critical U.S.
infrastructure against a range of significant
cyber consequences in support of the Department of Homeland
Security [DHS] and others.
    In concert with the National Defense Strategy, we are
charting a path to achieve and sustain cyberspace superiority
to deliver strategic and operational advantage and generate
increased options for combatant commanders and policymakers.
Without cyberspace superiority on today's battlefield, risk to
mission increases across all domains and endangers our
security.
    Since my last update, Cyber Command has achieved a number
of significant milestones.
    First, Joint Force Headquarters DODIN, our subordinate
headquarters responsible for securing, operating, and defending
the Department's complex IT [information technology]
infrastructure, has achieved full operational capability.
    Secondly, Joint Task Force-Ares [JTF], our warfighting
construct focused on the fight against ISIS [Islamic State of
Iraq and Syria], has successfully integrated cyberspace
operations into the broader military campaign to defeat ISIS.
And we will continue to pursue ISIS in support of the Nation's
objectives.
    Third, we have enhanced our training in cyber operations to
prepare the battle space against our key adversaries.
    This year will bring several additional accomplishments.
    Cyber Command will be elevated to a unified combatant
command. As a combatant command, we will have the unique
responsibilities of being a joint force provider and a joint
force trainer, responsible for providing mission-ready
cyberspace operations forces to other combatant commanders and
ensuring that joint cyber forces are trained to a high standard
and remain interoperable.
    In addition, this month, we will start moving in several
hundred people into our new, state-of-the-art integrated cyber
center and joint operations center at Fort Meade.
This will be
our first fully integrated operations center that enhances a
whole-of-government coordination and improves planning and
operations against a range of growing cyber threats.
    And within this dynamic domain, it is imperative to
continually evolve our training and our tools for our
operators. We have recently delivered the first of several
foundational toolkits, enabling the Cyber Mission Force to work
against adversary networks while reducing risk of exposure, as
well as equipping JTF-Ares with capabilities to disrupt ISIS's
use of the internet.
    Innovation and rapid development demand competition and the
ability to leverage all partners, including that of small
businesses in the private sector. We intend to create an
unclassified collaboration venue where businesses and academia
can help tackle tough problems with us without needing to jump
through clearance hurdles, which are often very difficult for
some of them.
    Of course, all of our tools require a talented and
sophisticated workforce to operate them. The Cyber Excepted
Service, which Congress has helped create, will help us
recruit, manage, and retain cyber expertise in a highly
competitive talent market.
    Our success also hinges and remains entwined with continued
integration of the Reserve and National Guard. In our
headquarters, for example, we currently employ more than 300
full-time and part-time reservists. And, in addition, Reserve
and National Guard members are mobilized every day to lead and
execute cyberspace operations.
    Perhaps most significantly, in the coming year, we are
nearing completion of the build-out of our Cyber Mission Force,
with all of our teams on a glide path to reach full operational
capability by the end of fiscal year 2018.
And, in fact, we
will achieve this goal ahead of time.
    And as the teams reach FOC, our focus is on shifting from
beyond the build, i.e., creating this force, to ensuring that
this force is ready to perform their mission and is optimized
to sustain mission outcomes year after year after year.
    Now, I fully realize that cybersecurity is a national
security issue that requires a whole-of-nation approach that
brings together not only government departments like the DOD
and other agencies, but also the private sector and our
international partners. And over the last year, we have also
increased our interaction with critical infrastructure elements
within the private sector and the broader set of U.S.
Government partners supporting them.
    And, as you know, I serve as both Commander of United
States Cyber Command and the Director of the National Security
Agency. This dual-hat appointment underpins the close
partnership between these two organizations. The fiscal year
2017 National Defense Authorization Act [NDAA] includes a
provision that describes the conditions for any potential split
of this dual-hat arrangement. And the Department is working its
way through this question. And, ultimately, the Secretary, in
conjunction with the Director of National Intelligence, will
provide a recommendation as to the way ahead here to the
President.
    All of us are proud of the roles we play in our Nation's
cyber efforts and are motivated to accomplish our assigned
missions, overseen by the Congress, particularly this
committee.
    And, finally, as you have already mentioned, after serving
for over 4 years as the Commander of United States Cyber
Command, and after nearly 37 years of service in uniform, I am
set to retire later this spring.
And, as I do so, I am grateful
for the committee and its past and continued support and its
confidence in me and in the Cyber Command team.
    And I look forward to answering your questions. Thank you
very much.
    [The prepared statement of Admiral Rogers can be found in
the Appendix on page 27.]
    Ms. Stefanik. Thank you.
    Assistant Secretary Rapuano.

STATEMENT OF KENNETH P. RAPUANO, ASSISTANT SECRETARY OF DEFENSE
 FOR HOMELAND DEFENSE AND GLOBAL SECURITY, U.S. DEPARTMENT OF
                            DEFENSE

    Secretary Rapuano. Thank you, Chairman Stefanik, Ranking
Member Langevin, and members of the committee. It is an honor
to appear before you alongside Admiral Rogers, Commander of
U.S. Cyber Command, to discuss the Department of Defense's
priorities in cyberspace.
    In these roles, I oversee the development and
implementation of the Department's cyber strategy and policy
with regard to cyberspace, leading the Department's interagency
cyber coordination efforts, advising the Secretary and the
Deputy Secretary on cyberspace activities, and ensuring that
the Department's cyber forces and capabilities are integrated
across the joint force to support the missions assigned by the
President and the Secretary of Defense.
    The Department's primary mission is to defend the United
States and its interests.
My focus from the outset has been on
ensuring we are organizing, resourcing, and posturing ourselves
to be ready to fight in and through cyberspace in a conflict
with great-power competitors.
    To that end, we have prioritized the three themes of the
2018 National Defense Strategy: increasing lethality,
strengthening alliances, and reforming the Department's
practices.
    The Department is pushing hard to ensure that we can deter
aggression and out-think, out-maneuver, out-partner, and out-
innovate our competitors and adversaries in cyberspace.
    2018 will be a landmark year when U.S. Cyber Command will
elevate to a unified combatant command, welcome a new
commander, and complete the force-generation phase of the Cyber
Mission Force.
    DOD's cyber forces are uniquely responsible for executing
both offensive and defensive cyber operations, but national
cybersecurity is inherently a team sport. Individuals,
corporations, and organizations that own and operate critical
networks must take appropriate steps to implement best
practices in configuring connected devices and systems to
mitigate known vulnerabilities, to harden the most critical
networks' systems and information, and to implement basic cyber
hygiene and security measures.
    Cybersecurity experts estimate that some 90 percent of
cyber attacks could be defeated by better implementation of
better cyber hygiene practices and best-practice sharing.
Therefore, an essential element of cyber deterrence must be to
minimize vulnerabilities that potential adversaries can exploit
with significant effects.
    Through basic cyber hygiene and information sharing across
the government and private sector, we can drastically decrease
the opportunities for our adversaries to hold us at risk, and
the amount of time and resources we must spend responding to
malicious cyber activity directed against us.
    We can then devote more capacity to developing and
maintaining capabilities to hold our adversaries at risk. The
Department is focused on preparations to defend the United
States by halting or degrading strategic cyber attacks using
cyber effects operations. We also seek to leverage the
Department's extensive information collection mechanisms to
provide timely indicators and warnings to public and private
owners and operators.
    If a cyber attack of significant consequence should occur,
the Department of Homeland Security and the Department of
Justice, with other departments and agencies in support, would
take the lead in responding to, recovering from, and
investigating the different elements of a significant cyber
incident.
    The DOD stands ready to provide additional support to DHS
and other Federal agencies upon request. The technical skills
possessed by the Cyber Mission Force can augment our
interagency partners when the magnitude of a cyber event calls
for a collaborative government response. We are currently
working with the Department of Homeland Security to determine
the most effective and efficient ways for DOD to enhance our
support to these efforts.
    We must always keep in mind that the capabilities of the
Cyber Mission Force were developed and optimized for DOD's
warfighting mission.
Offensive operations are the means by
which the military seizes and retains the initiative while
maintaining freedom of action and achieving decisive results.
    If and when the Nation faces a large-scale cyber attack,
DOD cyber resources will be focused on and most effectively
employed in our adversaries' networks--detecting, preventing,
preempting, degrading, or defeating malicious cyber activities
at their source, as well as holding at risk other critical
equities and capabilities of the adversary.
    DOD cyber forces must also protect our networks and weapons
systems against malicious cyber activity. The Department
conducts network defensive operations every day in order to
enhance our cyber resiliency. Defending DOD systems also
requires identifying and mitigating our own vulnerabilities. We
are moving forward to assess and redress major weapons
platforms and critical infrastructure vulnerabilities, as
mandated by the NDAAs for fiscal years 2016 and 2017.
    As outlined in the National Defense Strategy, the
Department's weight of effort must be directed toward
preparedness for war. At all times we must be ready to respond
with both cyber and non-cyber capabilities to malicious cyber
activity that results in loss of life, major damage to
property, serious adverse foreign policy consequences, or
serious economic impact to the United States.
    DOD must be prepared to compete and win in conflict below
the threshold of conventional war as well. This is commonly
referred to as the gray zone.
    Our adversaries are adept at calibrating their actions in
both the physical and cyber domains so that no single event
rises to the level that would merit a significant United States
response.
However, the cumulative effect of these actions can
be significant.
    The Department's cyber forces must be prepared to respond
to malicious cyber activity in the gray zone by preempting
imminent malicious cyber operations, disrupting ongoing
malicious cyber activities, supporting other agencies with our
technical skills and capacity, and working with and through our
allies and partners to apply diplomatic and economic pressure
on these actors.
    I am grateful for the support we have received from
Congress. The hiring authorities you have provided us have been
critical to creating the Cyber Excepted Service. And your
generous resourcing of DOD cyber activities has allowed us to
stand up the Cyber Mission Force and put U.S. Cyber Command on
the path to elevation.
    The President's request for FY 2019 helps us sustain that
momentum and continue to strengthen DOD's ability to operate in
and through cyberspace. The request includes $8.6 billion for
cyber-related activities and represents an increase of roughly
$600 million over the FY 2018 budget request.
    In closing, I would like to thank the subcommittee members
for your time and your assistance working alongside us to
develop the cyber force the Nation needs. The people in our
cyber community are the best in the world, and I am honored to
serve with them.
    The Department is committed to approaching the development
of our cyber capabilities with the sense of urgency warranted
by the gravity of threats we face. Our strong relationship with
Congress has been a critical component of our success and will
remain vital as we continue our work to ensure that the
Department's cyber forces are prepared to compete, deter, and
win against any opponent.
    I look forward to your questions.
    [The prepared statement of Secretary Rapuano can be found
in the Appendix on page 46.]
    Ms. Stefanik.
Thank you for those opening remarks.
    I am going to stick to the 5 minutes aggressively to make
sure we can get through all of our questions, but I gave you
guys some flexibility.
    So my first question is: This morning, we heard from former
Secretaries Chertoff and Jeh Johnson, as well as General
Alexander, former Commander of CYBERCOM, about the importance
of continuing to improve interagency collaboration.
    And, Assistant Secretary Rapuano, you just referenced in
your opening statement how we are currently working with DHS to
determine the best way forward, in terms of what DOD's role is.
    What steps specifically are being taken by Cyber Command
and DOD to build this more integrated, whole-of-government
approach? So not broadly that we are working on it, but what
are the specific steps?
    I will start with you, Assistant Secretary.
    Secretary Rapuano. Thank you.
    First, I think it is useful to quickly just review our
current activities in terms of working the interagency process.
    We chair three of the six Federal centers associated with
cyber and cybersecurity. I won't walk through them all, but the
Defense Cyber Crime Center; the Cyber Command Joint Ops
[Operations] Center, the JOC; and the National Operations
Center that is run by NSA. And in all three of those centers,
we are engaging with them on a routine basis, all of the key
players in the interagency, as well as industry with some of
them, to understand both the threats and the areas for
collaboration and cooperation.
    We are also part of the NCCIC [National Cybersecurity and
Communications Integration Center], which the DHS runs at DHS,
in terms of coordinating interagency with critical
infrastructure and other industry on response to specific cyber
threats.
    So we have a very solid foundation in terms of relationship
and understanding.
The issue really is what specific types of \ncapabilities and what thresholds of capacity other agencies \nwould need in different types of circumstances. And then we \nneed to assess that against what our warfighting requirements \nare and how do we do that balance.\n    Ms. Stefanik. Admiral Rogers.\n    Admiral Rogers. So, in addition to the individuals \nintegrated from DHS, FBI [Federal Bureau of Investigation], and \nother partners within my ops structure and my integration in \ntheir ops structure, if you will, a series of specific \nexercises.\n    We do two major exercises with our DHS and interagency \nteammates twice a year--I am sorry. It is two exercises occur, \ntwo times total for the year. In addition, a series of tabletop \nexercises. You look at some of the things we have planned in \nthe next 90 days, for example, we are going to be doing some \nelection interaction at a tabletop kind of level with our DHS \npartners.\n    The area that I have--you know, I am leaving, as you are \naware. The area that I have talked to the team about I really \nwant us to get into next is: Let's get down to the actual \ncenter and sector level, because that is where it comes to the \nday-to-day execution. Guys, if we want to get to speed, we want \nto get to agility--because, as operational commander, those are \nbig to me. I want to get to speed, and I want to get to agility \nto actually execute. Let's look at what we can do to actually \nperhaps integrate at that level.\n    So that is kind of a future focus for us, as I am moving \nforward.\n    Ms. Stefanik. And I want to build on that. One of the \nstatements this morning was that the lack of a common operating \npicture impedes our ability to have this comprehensive cyber \nstrategy. What do we do to address this lack of a coherent \noperating picture?\n    Admiral Rogers. For me--I apologize, Ken--first, it is a \ncommon operating picture of what? You want an operating picture \nof critical infrastructure? 
You want an operating picture of \nall of private infrastructure?\n    Ms. Stefanik. Well, that is part of the question, is----\n    Admiral Rogers. Right.\n    Ms. Stefanik [continuing]. What is the role of Cyber \nCommand to drive those conversations? What is that interagency \nprocess? I think we need to have the answer to all of those.\n    Admiral Rogers. So, for me, my input would be, the mission \nset that I am directly responsible for within the broader DOD \neffort is the critical infrastructure piece. So I am really \ninterested--so how do we get to an integrated, real-time \npicture that enables us to have an accurate sense of what is \ngoing on that enables decision making and helps to speed that \ndecision making?\n    So that would be my recommendation for a kind of first \nfocus, even though, as I acknowledge, that is not going to be \nDOD's lead here. We are in a support team role. But I like to \nthink we need to be part of this discussion and we can help.\n    Ms. Stefanik. So how do we spur that, though? I think the \nstatus quo is unsustainable. Obviously, we need to spur that \ninteragency integration.\n    Secretary Rapuano. I appreciate that you are familiar with \nthe National Cyber Incident Response Framework, but that really \ndoes drive how we organize and operate within the Federal \nGovernment in terms of our engagement with industry and other \nplayers.\n    And in the DHS role, in terms of the asset response piece, \nthe FBI has the threat response piece, and then we have the \nDNI, who has the intelligence integration function.\n    Ms. Stefanik. Okay. I am going to have to take the rest for \nthe record.\n    Mr. Langevin.\n    [The information referred to can be found in the Appendix \non page 67.]\n    Mr. Langevin. Thank you, Elise.\n    And I want to again thank our witnesses for being here \ntoday.\n    Secretary Rapuano, as I mentioned in my opening statement, \nI believe that U.S. 
policy on title 10 cyber operations needs \nto be advanced both domestically and internationally in order \nto effectively employ the force, deter adversarial actors, \nrespond to adversarial cyber actors, and shape international \nnorms for the military use of cyber capabilities.\n    So what actions are the Department and the administration \ntaking to advance the understanding of and the gaps in existing \nlaws, authorities, and policies relating to cyber operations to \ndevelop standard frameworks and guidance?\n    Secretary Rapuano. Thank you for the question, Congressman.\n    As you all appreciate, the challenge associated with \ndefining traditional military activities in the cyber domain \nis, typically, that is done by looking back historically at \nwhat are traditional types of military operations.\n    In a domain that is so novel in many respects and for which \nwe do not have the empirical data and experience associated \nwith military operations per se, particularly outside zones of \nconflict, there are some relatively ambiguous areas associated \nwith, well, what constitutes traditional military activities.\n    This is something that we are looking at within the \nadministration, and we have had a number of discussions with \nMembers and your staffs. So that is an area that we are looking \nat, in terms of understanding what the trades are and what the \nimplications are of changing the current definition if that \nwere deemed to be warranted.\n    Mr. Langevin. Okay. That is certainly something the \ncommittee is going to continue to provide rigorous oversight on \nand work with you as we develop.\n    So how do you intend to ``defend forward,'' in quotes, as \nis outlined in the new command vision? Do you envision this \ndefensive posture as using CYBERCOM capabilities and \nintelligence to provide targeted assistance to national assets, \nincluding, for example, critical infrastructure? 
Or would this \ninvolve title 10 activities being used to disrupt platforms \npotentially before an operation actually begins?\n    Secretary Rapuano. So, defending forward, in the DOD \ncontext, is really looking at the source of the cyber attacks \nor otherwise malevolent activities. And it is looking at how we \ncan get at it, how we can uproot it, and also how we can hold \nother equities valued by the adversary perpetrating the act at \nrisk.\n    And, with that, I will just turn it to Admiral Rogers.\n    Admiral Rogers. So the vision you outline is--my goal as a \ncommander is to try to get ahead of problem sets before they \noccur. Therefore, I am interested in asking myself within the \nauthorities granted to me and within the broad legal framework \nthat we use for the application of DOD capabilities, how can we \nattempt to forestall activity before it even happens? Failing \nthat, how can we very quickly stop that activity before it has \nthe time or the ability to generate significant impact, if you \nwill, against our critical infrastructure?\n    And so our strategy is about, how do you tie--or vision is, \nhow do you tie together the power of intelligence and the \ninsights that generates with the operational capability that \nDOD has invested in the Cyber Command structure in its mission \nforce teams?\n    And so that is our vision for the future. This capability \nthat we have invested, that we have built, how do we use it in \na way that attempts to forestall the opponent's ability to gain \nadvantage in the first place? And, failing that, how do we stop \nthat activity before they are able to have significant impact?\n    Mr. Langevin. I think it is important to be forward-\nleaning. I like kind of the shift in focus. 
And I think the \nAmerican people, quite frankly, expect that we will be more \nforward-leaning.\n    Admiral Rogers and Secretary Rapuano, leveraging the \nlessons that we have learned to date is important to achieving \nsuccess in the cyber domain, especially since we are learning \nas we go. We benefit, obviously, from every success and every \nfailure.\n    How are our lessons learned from CYBERCOM's mission and \noperations being leveraged and instituted? And how is readiness \nbeing defined for the CMF? And how is this readiness being \nmeasured? How are training and recertification processes co-\nevolving with the threat and the technology landscape?\n    We will probably run out of time, but I would like that for \nthe record.\n    Admiral Rogers. Yes, Sir. So, a lot in that question. Very \nquickly, it doesn't matter if it is something we do \noffensively, if it is something we do defensively; every time, \npart of our mission structure is post-event debrief, analysis, \nlessons learned, and then how do we tie this into what we are \ndoing next. So there is a cumulative impact there which, as a \ncommander, I really like. You learn----\n    Ms. Stefanik. We will have to take the rest for the record.\n    [The information referred to can be found in the Appendix \non page 67.]\n    Admiral Rogers. Okay. Got it.\n    Ms. Stefanik. We have to move along.\n    Ms. Cheney.\n    Ms. Cheney. Thank you, Madam Chairwoman.\n    And thanks, Admiral Rogers and Secretary Rapuano.\n    I am concerned, as is the subcommittee and the entire \ncommittee, about the lack of any cyber strategy. 
We haven't \nseen anything from the administration, despite the fact that we \nmade requests for it in the NDAA last year.\n    And I wonder if you could shed some light on why that is, \nwhy there is no strategy, number one, and, number two, how we \ncan be in a position, in light of the threats we are facing, in \nlight of the action that we are seeing, the active measures by \nour adversaries, to be engaged in any sort of effort to defend \nor to act offensively without understanding what the overall \nmission and goals and objectives are in the absence of a \nstrategy.\n    And I guess I would go to you first, Secretary Rapuano.\n    Secretary Rapuano. Thank you.\n    I think one of the reasons is it is very hard. There are a \nlot of evolving dynamics at play. And we still have a \nrelatively new administration. And there are competing views as \nto what the right trade space is associated with a variety of \nequities and risks.\n    That said, it is at the White House, the national cyber \nstrategy, and I understand that it should be forthcoming in the \nnear future.\n    We are looking to then enhance our cyber posture approach, \nwhich we will be providing by August, to sync with that \nnational strategy. DOD is one key member of the whole of \ngovernment, and we want to make sure that we are very \nthoughtful in terms of very synthesized integration with the \nnational approach.\n    Admiral Rogers. And I would only add, I don't think you \nshould feel for 1 minute that that means the DOD, for example, \nhas stood pat and done nothing. We have got a National Security \nStrategy and a National Defense Strategy in which cyber is a \ncomponent. 
As the operational commander, I have tried to take \nthat broad, strategic vision, and, as Representative Langevin \nhas articulated, I have laid out in writing to my team, here is \nkind of the vision I think that we need to be building to that \nreflects that broader strategic underpinning, even as I \nacknowledge we have not yet completed a specific cyber \nstrategy, although that work is, we think, getting close.\n    So I would only--please don't think that we are just \nstanding still, waiting for someone to tell us, you know, what \nwe----\n    Ms. Cheney. No, I appreciate that. I was not under any \nillusions that you were just standing still, and appreciate \nvery much the work you have done. We want to be helpful, but I \nthink it is also absolutely incumbent upon this administration, \nin light of this threat, to provide some guidance.\n    And precisely, Secretary Rapuano, as you said, it is hard, \nbut it is hard because we are in a whole new world, and our \nadversaries, in fact, are moving forward, and the lack of \nability for us, on our part, to say, look, this is what we have \nto deal with, this is how we are going to operate, this is what \nwe have to guard against.\n    And, frankly, both in a public and classified setting, \nbeing able to say to our adversaries, these are the kinds of \nthings that will result in a response from us, and laying that \nout so we have a much more effective deterrent policy in place \nis something that I think we as a subcommittee have got \ntremendous oversight obligations in looking at it.\n    And the administration itself--now we have seen significant \nturnover at the NSC [National Security Council]. I see just \nnews reports now that Nadia Schadlow has resigned. Obviously, \nMr. Bossert has moved on. 
We can't let those add to the amount \nof time that is going to be dedicated now or taken up in \nputting the strategy together.\n    So it is something we will continue to work on in a way so \nwe can ensure that the Nation is, in fact, got a strategy in \nplace to deal with one of the most important and dangerous \nthreats we face.\n    And I will yield back the balance of my time.\n    Ms. Stefanik. Mr. Larsen.\n    Mr. Larsen. Thank you, Madam Chair. I will yield my time to \nRepresentative Murphy.\n    Ms. Stefanik. Mrs. Murphy, you are recognized.\n    Mrs. Murphy. Thank you, Admiral Rogers and Mr. Rapuano, for \nbeing here.\n    I am encouraged that the Department is making progress on \nfielding the Persistent Cyber Training Environment [PCTE], \nwhich is, as you know, the training platform that allows cyber \nforces to train in simulated network environments.\n    I represent Orlando, which is home to Army's Program \nExecutive Office for Simulation, Training, and Instrumentation, \nor PEO STRI. PEO STRI was tapped to develop and acquire the \nPCTE which will also incorporate the work of the National Cyber \nRange in Orlando.\n    In your view, what do you think the value of a Persistent \nCyber Training Environment is for readiness? What kinds of \nindividual and collective training objectives do you think you \ncan support? And then, as you look into the future, what sorts \nof capabilities and infrastructure do you foresee these PCTEs \nrequiring?\n    Admiral Rogers. So, for me, Cyber Command, we are the ones \nwho articulated the operational requirement, because my vision, \nour vision, if you will, is I want to be able to, wherever our \ncyber forces are garrisoned or stationed--we started early on \nin this process large exercises, brought together literally a \nthousand individuals, teams from across our force. 
Those are \nall good things.\n    But when I said to myself, look at the time it takes to \nbuild this network, the money it costs to do this, while this \nshould be a component of our training strategy, this does not \nscale for a day-to-day effort. And we need a day-to-day \ncapability that you can train in garrison where, defensively, I \ncan create, I can mirror my own networks, I can simulate an \nopposing force attempting to penetrate the network, and I can \nuse my defensive techniques to train against it.\n    Likewise, I can use this, I want to build this over time so \nI can bring my allies into this so it is not just us, it is our \nbroader international partners, because if it is expensive for \nus, imagine what it is with some of the work we are doing with \nnations spread around the world in cyber right now, trying to \nget them to bring their entire team structure to the United \nStates.\n    This is also good for me because I want to be able to \ncreate network structures that, from an offensive standpoint, I \ncan model. So how am I going to penetrate this? What actions \nmight the defensive team take?\n    I can use offensive and defensive capability together in \nhead-to-head scenarios where, quite frankly, they are each \ntrying to get the better of the other. Never underestimate the \npositive impact of competition and a little head-to-head \ncontest to keep teams motivated.\n    So those are all examples of why I think PCTE is so \nimportant for us because that goes to the ability to retain \nreadiness and the ability to be ready now, not, well, if you \ngive me 3 months, if you give me 4 months, whatever. We can't \nwork that way.\n    Mrs. Murphy. And you just mentioned the idea of integrating \nallies and partners into, you know, training together. 
Where do \nyou think there are some opportunities for enhanced training \nand security cooperation activities in this space?\n    And then, do you have some examples of allies and partners \nwhere this is already happening that are maybe benchmarks or \nbest practices for how we can move forward?\n    Admiral Rogers. So I haven't--most of our international \npartners, quite frankly, are in the same place we are. They see \na need; they see a requirement. They don't yet have in place \nthe long-term solution that they would like.\n    There's three or four off the top of my head where I have \nactually sat down with them and said, ``Hey, walk me through \nyour system. Can I see what you do?''\n    We participate in some foreign exercises as well. It isn't \njust everybody comes to us. I want to learn from others. We \nparticipate in foreign cyber exercises.\n    But I think the ability, particularly for our key--the Five \nEyes \\1\\ and a handful of other nations, where we are just part \nof an ongoing coalition in cyber, if you will, focused on both \nthe defensive side and in some cases the offensive side, the \nability to put together an integrated training structure where, \nagain, I can have their units in garrison, we can model the \nexact terrain that we think we are going to be dealing with \nlive, that is going to be so impactful for our ability to \nactually execute mission.\n---------------------------------------------------------------------------\n    \\1\\ An intelligence alliance comprising Australia, Canada, New \nZealand, the United Kingdom, and the United States.\n---------------------------------------------------------------------------\n    Mrs. Murphy. Yeah. And do you envision that, as you run \nthese exercises and identify vulnerabilities, whether it is in \nplatforms that are ours or allies and partners and their \nnetworks, that you will be able to----\n    Admiral Rogers. Right, that I would turn them around?\n    Mrs. 
Murphy [continuing]. Turn it around and get it to \nthe----\n    Admiral Rogers. Yes, ma'am.\n    Mrs. Murphy [continuing]. Folks who are building that so \nthat they can address them?\n    Admiral Rogers. Yep. That is part of the idea here.\n    Mrs. Murphy. Great.\n    And then you have stated in your testimony that CYBERCOM is \nworking to synchronize cyber planning and operations across the \nentire joint force and that CYBERCOM is helping the combatant \ncommands improve command and control by establishing integrated \nplanning elements----\n    Admiral Rogers. Right.\n    Mrs. Murphy [continuing]. At each COCOM.\n    Can you provide a little more detail on exactly how \nCYBERCOM is standing up--is it CO-IPEs [Cyber Operations-\nIntegrated Planning Elements]?\n    Admiral Rogers. CO-IPEs, yes, ma'am.\n    Mrs. Murphy [continuing]. At each COCOM?\n    Admiral Rogers. So there's nine other COCOMs besides us. We \nbecome the 10th one effective with the new commander being \nconfirmed and assuming the duties.\n    I thought one of the biggest shortfalls we had was--I \nthought we did a great job with the Cyber Mission Force in \ncreating a higher headquarters in the form of Cyber Command. \nBut if you truly want to integrate cyber into the breadth of \noperations across this Department, then you have to integrate \nthis capability at all the COCOMs. And so we----\n    Ms. Stefanik. Admiral Rogers, we will have to take the rest \nfor the record. It was a good question.\n    [The information referred to can be found in the Appendix \non page 68.]\n    Mrs. Murphy. Thank you.\n    Ms. Stefanik. Mr. Scott.\n    Mr. Scott. Thank you, Madam Chair.\n    Admiral, you mentioned authorities a little earlier. What \nwould CYBERCOM require to move from a defensive support posture \nto an active deterrence posture, where you were actually \nhunting and denying malicious operators before they inflicted \ndamage?\n    Admiral Rogers. 
So, for right now, if you look at day-to-\nday authority that is currently granted to the commander of \nCyber Command, on the defensive side, I feel very good that I \nhave the authorities that I need to defend the DODIN, the DOD \nnetworks.\n    But one of the questions I think we need to ask ourselves \nis, for example, with the defense industrial base, or if DOD's \nrole is going to be to partner in defending critical \ninfrastructure, what level of ability to operate outside the \nDODIN would be appropriate for the Cyber Mission Force. I think \nthat is a good conversation for us to have. Because, right \nnow--again, not a criticism; an observation. Right now, you \nknow, the current construct, I don't operate outside the DODIN. \nSo I would suggest we ought to take a look at that.\n    On the offensive side, I feel very comfortable about \nthe authorities that we have currently put in place to apply \ncyber in areas of designated hostility--the Syrias, the Iraqs, \nthe Afghanistans of the world. And we are doing operations \nthere almost every day.\n    The area where I think we still need to get to a little \nmore speed and agility--and, as Mr. Rapuano has indicated, it \nis an area that is currently under review right now; we are \nworking our way through--is what is the level of comfort in \napplying those capabilities outside of designated areas of \nhostility and how could we potentially speed that up.\n    I don't believe that anybody should grant Cyber Command or \nAdmiral Rogers a blank ticket to do whatever they want. That is \nnot appropriate. The part I am trying to figure out is what is \nan appropriate balance to ensure that the broader set of \nstakeholders here have a voice in what we do but, at the same \ntime, we empower our capabilities with speed and agility to \nactually have meaningful impact. And I think that is what we \nare trying to work our way through right now.\n    Mr. Scott. 
And so that brings me to the next question, \nwhich deals with the Guard as they establish cyber units. I \nknow you said you had 300 full- and part-time working with you \nright now at U.S. CYBERCOM. These units, I mean, they will not \nonly be supportive of their home States, but I assume that we \nwould want them to have the authority to be supportive of other \nStates as well.\n    Admiral Rogers. A lot of it depends--so, first of all, I am \nthe son of a Guardsman, so I grew up--my father was in the \nIllinois Guard for 27 years, so, as a kid--you know, so I feel \nvery strongly about the value of the Guard. I have lived this \npersonally, and I saw the difference my father made when he \nserved.\n    The challenge, I think, is: How do we view this as an \nintegrated whole? So one of the points I make to the Guard and \nI make to the Governors when they ask me this question: \nRemember, we are all competing for the same manpower pool, if \nyou will. There are only so many people out there with the \nrequisite skills and kind of background. So be leery of doing \nsolution sets where we try to replicate, for example, 50 \ndifferent independent capabilities across every single State. \nIt is, how do we synchronize this?\n    The other point I try to make is: Remember, cyber doesn't \nrecognize geography. So I am a resident of the State of \nIllinois. And if you are trying to protect infrastructure in \nIllinois, the challenge might be that much of that \ninfrastructure physically doesn't even reside in Illinois. It \nis the way that the digital backbone has been built.\n    So title 32 and the Guard's employment outside of title 10 \nis all based on legal authority that also has a key geography \ncomponent. You are acting in a title 32 capacity within your \nState. 
What do we do when the cyber infrastructure that you are \ntrying to defend or impact doesn't reside in that physical \nlocation?\n    So my only argument is: We need to work our way through \nthis, and we need to think more broadly and in a more \nintegrated approach. So I don't think it is only Guard and \nReserve. Likewise, I don't think it is only Active. We have to \nget across the spectrum. And we have to ask ourselves, whatever \nwe create, how do we do it in a way that maximizes its ability \nto be employed in potentially multiple different scenarios, not \njust a scenario, if that makes sense.\n    Mr. Scott. Absolutely. It is complex.\n    And the city of Atlanta, as you know, was subject to a \nransomware attack. And, you know, I can see that--I mean, I \nthink the SamSam ransomware has been around for 8 years now. I \nmean, I can see this as we talk about infrastructure; it is not \njust going to be attacks on DOD and on U.S. Government \noperations. It is going to be attacking State operations and \ncity operations.\n    And I, quite honestly, don't care where the person comes \nfrom that stops the attack, nor do I think any other government \nofficial would. And just, we will need help with how we draft \nthat language for you.\n    And, with that, I yield the remainder of my time.\n    Ms. Stefanik. Mrs. Murphy.\n    Mrs. Murphy. Thank you, Madam Chair.\n    I just wanted to use the rest of my time to let you finish \nthat question. Because you were talking about, you know, that \nit needs to be integrated into the COCOMs.\n    Admiral Rogers. Right.\n    Mrs. Murphy. But, as you finish that, also, if you can talk \nto me a little bit about how J5 will integrate with these CO-\nIPEs and whether or not you have both the manpower and the \ncapacity to and a solid handle on the CYBERCOM plans in order \nto make sure that they are synchronized.\n    Admiral Rogers. 
Right.\n    So one component was we have to get knowledge and \nexperience at the COCOM level on how you plan and execute cyber \noperations.\n    Secondly, that capability has to be able to be integrated \nnot just within that particular COCOM--Honolulu, Stuttgart, \nTampa, fill in the blank--but it has also got to tie back to \nCyber Command so that we have one integrated approach to how we \nare doing business here, particularly since the majority, all \nof the offensive capability within the Department, for example, \nremains under my, Cyber Command's operational control. We apply \nit in support of the other combatant commanders. So we have got \nto tie this together.\n    We are starting the build in 2018. It is going to be finished \nby 2023, so it is a 5-year build-out. We will have IOC [initial \noperational capability] at all nine projected by the end of \n2019, so by the end of the next fiscal year. That gets an \ninitial operating capability to all of the other nine combatant \ncommanders. And then we will flesh it out over the course of \nthe next 3 years.\n    A couple of COCOMs are a little further than others, and we \nare using as kind of a test case then. I would highlight--and \nno disrespect to any, but I would highlight PACOM [U.S. Pacific \nCommand] and CENTCOM [U.S. Central Command], probably the two \nwhere, at the moment, we have started to get the initial \ninvestments, and because of some of the broader activity in \ntheir theaters that are of high interest, that are bringing our \ncyber capability to bear, along with a lot of other \ncapabilities, we have kind of decided to use them as a bit of a \ntest case, if you will.\n    Mrs. Murphy. Uh-huh. Great.\n    And, I guess, are you going to be also providing the \ntraining and resources to help people have the cyber fluency to \nbe able to engage even if that is not their primary mission?\n    Admiral Rogers. Right. 
So part of this is we will help \ndevelop the training standards for every one of the billets.\n    This is also a good example of how, once--with each service \nhaving created a core cyber competency, one of my visions is, \nso you could do one tour at a combatant commander, you could do \nanother tour in one of our mission teams, you could do another \ntour at Cyber Command, you could do another tour in ASD \n[Assistant Secretary of Defense] in Cyber Policy, you could go \nto the Joint Staff and do cyber work.\n    Mrs. Murphy. Uh-huh.\n    Admiral Rogers. One of the values of this \nprofessionalization that, as a Department, we have put in place \nnow is that we will get recurring benefit by moving people so \nwe don't have to train every--so it is the first time you have \never done this; we don't want to go through that every time. \nThere is always a first time, but I don't want to have to do \nthat every time, if I can avoid it.\n    Mrs. Murphy. Great. Thank you very much.\n    And I yield back.\n    Ms. Stefanik. Mr. Garamendi.\n    Mr. Garamendi. I will pass.\n    Ms. Stefanik. That concludes the open portion of this \nsession. We are now going to move to 2337.\n    I also want to just let the members know we are going to \nhave a quarterly cyber briefing. 
So if there are questions you \nhave that we didn't get to today, that will be scheduled in the \ncoming weeks.\n    So, with that, this is gaveled out, and we will hustle \nupstairs.\n    [Whereupon, at 4:23 p.m., the subcommittee proceeded in \nclosed session.]\n\n\n\n      \n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             April 11, 2018\n\n=======================================================================\n\n      \n\n\n\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             April 11, 2018\n\n=======================================================================\n\n      \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  \n\n\n      \n=======================================================================\n\n\n              WITNESS RESPONSES TO QUESTIONS ASKED DURING\n\n                              THE HEARING\n\n                             April 11, 2018\n\n=======================================================================\n\n      \n\n            RESPONSES TO QUESTIONS SUBMITTED BY MS. STEFANIK\n\n    Admiral Rogers. [The information is for official use only and \nretained in the committee files.]   [See page 11.]\n    Secretary Rapuano. A common operating picture requires the Federal \ngovernment and the private sector to share information rapidly. This \nmeans improving processes so that DOD and the intelligence community \n(IC) can push information to the Department of Homeland Security (DHS) \nand out to private sector critical infrastructure partners, but also so \nthat those partners can share more threat data from their networks with \nthe Federal government. This information could be critical in helping \nDOD conduct its mission to defend the homeland. 
By understanding the \nthreats facing critical infrastructure, we can better prioritize DOD's \noperational activities. This is a collective responsibility to which \nboth the public and private sectors must contribute.\n    My staff and I work in close collaboration with the National \nSecurity Council staff and our interagency partners at the State \nDepartment, DHS, the Federal Bureau of Investigation (FBI), and other \ndepartments and agencies to ensure that the Federal Government has the \nnecessary policies in place and is taking appropriate actions to \naddress critical issues and potential threats in cyberspace. Beyond \ncontractual relationships, and both the mandatory and voluntary \ninformation-sharing programs DOD has with the Defense Industrial Base, \nDOD works closely with DHS and the FBI to address threats to critical \ninfrastructure.   [See page 11.]\n                                 ______\n                                 \n            RESPONSES TO QUESTIONS SUBMITTED BY MR. LANGEVIN\n    Admiral Rogers. [The information is for official use only and \nretained in the committee files.]   [See page 12.]\n    Secretary Rapuano. USCYBERCOM incorporates lessons learned into its \nmission planning and operations by instituting a real-time review and \nfeedback mechanism during its operations as well as conducting larger \nscale after-action sessions to identify strategic issues. All \nindividual operations are planned, reviewed, and approved prior to \nexecution by independent, senior-level technical advisors who provide \nguidance and modifications based on their experience and extensive \nknowledge.\n    Once an operation is complete, the same individuals review and \ncritique whether the operation was conducted according to plan and if \nany unanticipated challenges arose during execution. 
If a mistake \noccurs during the course of the operation, the senior technical \nadvisors have the opportunity to determine whether the operator \nrequires additional training or whether the mistake was due to a simple \nerror. USCYBERCOM personnel also often conduct ``hot washes'' \n(debriefing meetings) on their strategic operations with senior leaders \nto identify the lessons learned and to propose recommendations for \nimproving future operations. These recommendations can include resource \nshortfalls, process requirements, and decision-making efficiencies to \nbe gained.\n    Lessons learned from operational employment of the Cyber Mission \nForce (CMF) are being routinely captured and integrated into ever-\nevolving curriculum. The Department of the Army, for example, is \ncomparatively in the best position to ensure that it is able to \nleverage and institute ``lessons learned'' from real-world Cyberspace \nOperations and evolve curriculum, training, and recertification \nprocesses rapidly. The Army's decision to have its institutional CMF \nworkforce collocated with a majority of its operational CMF workforce \ngives the Army a significant advantage in accessing, educating, \ntraining, developing, employing, and retaining this workforce.\n    The decision to establish the U.S. Army Cyber School at Fort \nGordon, Georgia, was made, in part, to co-locate the institutional and \nthe operational force. 
Benefits of this colocation include, but are not \nlimited to, gaining synergy across both workforces through shared \nexperiences, the ability to take lessons learned and turn them rapidly \ninto appropriate adjustments to the curriculum, an ability to ``re-\nfresh'' instructors while they are still serving in instructor billets, \nan ability rapidly to establish critical training that is more \nimmediately available to a large portion of the operational force, and \nan ability to extend the ``Schoolhouse'' learning environment by \nintroducing students to the operational environment while they are \nstill in training. Additionally, as the U.S. Army Cyber School began \nconstructing curriculum specifically to meet the needs of its CMF, it \nturned to cloud-hosted storage and synchronization solutions that allow \nqualified members of the CMF to ``crowdsource'' on the curricula for \nboth rapid creation and continual maintenance. To date, more than 100 \ncontributors have worked to provide almost 7,000 updates to courseware \nthrough their chosen distributed version-control system.\n    During the establishment of the Joint Cyber Mission Force, the \ninitial emphasis was simply on building the 133 teams across the \nMilitary Services and thus the Initial Operating Capability (IOC) and \nthen Full Operating Capability (FOC) of the Joint Cyber Mission Force. \nReporting by the units focused on rudimentary reporting of total \npersonnel assigned to the teams against a percentage of personnel \nassigned to key work roles and their associated levels of training and \ncertification.\n    These teams are trained to deter and defeat strategic threats to \nU.S. interests and infrastructure, ensure DOD mission assurance, and \nachieve Joint Force Commander objectives. 
Accordingly, as we move \nforward, DOD recognizes the need to work with USCYBERCOM and the \nMilitary Services to effect joint standard reporting requirements and \nstandards for both ``Capacity'' and ``Capabilities.'' As the Department \nresources and equips these teams with cutting-edge cyber tools, \naccesses, and platforms to protect against sophisticated cyberattacks \nand to ensure deterrence and military advantage in and through \ncyberspace, enhanced CMF Readiness reporting that assesses ``Capacity'' \nreadiness across the Military Services to a common joint standard by \nmeasuring not only Personnel and Training, but also Equipment and \nSupplies and Condition of Equipment, will result in more deliberate and \nobjective measures of force readiness. In addition, the Department \nneeds to work with USCYBERCOM and the Military Services to effect \n``capabilities-based'' reporting against Mission-Essential Tasks that \nreflect fundamentals based on unit design and organization.   [See page \n12.]\n                                 ______\n                                 \n             RESPONSE TO QUESTION SUBMITTED BY MRS. MURPHY\n    Admiral Rogers. [The information is for official use only and \nretained in the committee files.]   [See page 16.]\n\n                                  <all>\n</pre></body></html>\n"