[Senate Hearing 115-40, Part 2]
[From the U.S. Government Publishing Office]
S. Hrg. 115-40, Pt. 2
DISINFORMATION: A PRIMER IN RUSSIAN ACTIVE
MEASURES AND INFLUENCE CAMPAIGNS
PANEL II
=======================================================================
HEARING
BEFORE THE
SELECT COMMITTEE ON INTELLIGENCE
OF THE
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
THURSDAY, MARCH 30, 2017
__________
Printed for the use of the Select Committee on Intelligence
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.fdsys.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
25-998 PDF WASHINGTON : 2017
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong., 2d Sess.]
RICHARD BURR, North Carolina, Chairman
MARK R. WARNER, Virginia, Vice Chairman
JAMES E. RISCH, Idaho DIANNE FEINSTEIN, California
MARCO RUBIO, Florida RON WYDEN, Oregon
SUSAN COLLINS, Maine MARTIN HEINRICH, New Mexico
ROY BLUNT, Missouri ANGUS KING, Maine
JAMES LANKFORD, Oklahoma JOE MANCHIN, West Virginia
TOM COTTON, Arkansas KAMALA HARRIS, California
JOHN CORNYN, Texas
MITCH McCONNELL, Kentucky, Ex Officio
CHUCK SCHUMER, New York, Ex Officio
JOHN McCAIN, Arizona, Ex Officio
JACK REED, Rhode Island, Ex Officio
----------
Chris Joyner, Staff Director
Michael Casey, Minority Staff Director
Kelsey Stroud Bailey, Chief Clerk
CONTENTS
----------
MARCH 30, 2017
OPENING STATEMENTS
Burr, Hon. Richard, Chairman, a U.S. Senator from North Carolina. 1
Warner, Hon. Mark R., Vice Chairman, a U.S. Senator from Virginia 2
WITNESSES
Mandia, Kevin, Chief Executive Officer, FireEye, Inc............. 2
Prepared statement........................................... 6
Alexander, General (Ret.) Keith B., President and Chief Executive
Officer, Ironnet Cyberspace.................................... 13
Prepared statement........................................... 15
Rid, Thomas, Ph.D., Professor of Security Studies, King's
College, London................................................ 19
Prepared statement........................................... 22
SUPPLEMENTAL MATERIAL
Prepared statement of Senator Burr............................... 68
DISINFORMATION: A PRIMER IN RUSSIAN
ACTIVE MEASURES AND INFLUENCE CAMPAIGNS
PANEL II
----------
THURSDAY, MARCH 30, 2017
U.S. Senate,
Select Committee on Intelligence,
Washington, DC.
The Committee met, pursuant to notice, at 2:05 p.m. in Room
SD-106, Dirksen Senate Office Building, Hon. Richard Burr
(Chairman of the Committee) presiding.
Committee Members Present: Senators Burr, Warner, Risch,
Rubio, Blunt, Lankford, Cotton, Cornyn, Feinstein, Wyden,
Heinrich, King, Manchin, Harris, and Reed.
OPENING STATEMENT OF HON. RICHARD BURR, CHAIRMAN, A U.S.
SENATOR FROM NORTH CAROLINA
Chairman Burr. I'd like to call this hearing to order. This
morning the committee examined the history and characteristics
of the Russian active measures campaign as it led up to this,
our second panel, which will examine the role cyber operations
play in support of these activities.
I'd like to welcome our witnesses: Mr. Kevin Mandia, Chief
Executive Officer of FireEye, a global cyber security company.
Prior to founding the cyber security company Mandiant, which
was acquired by FireEye in 2013, Mr. Mandia served in the
United States Air Force as a computer security officer and
later as a special agent in the Air Force Office of Special
Investigations, where he worked as a cyber crime investigator.
Mr. Mandia, I thank you for being here today and, more
importantly, thank you for your service.
General Keith Alexander is the CEO and President of IronNet
Cybersecurity, another global cyber security firm on the
forefront of our Nation's commercial efforts to mitigate cyber
security threats. Prior to founding IronNet, General Alexander
served for 40 years in our armed forces, culminating with his
tenure as the Director of the National Security Agency from
2005 to 2014 and concurrent service as Director of U.S. Cyber
Command from 2010 to 2014.
General, thank you for being here today and, more
importantly, for your service to the country.
Also, Dr. Thomas Rid is a Professor of Security Studies at
Kings College, London. He has studied and written extensively
on cyber security issues. He has worked at Hebrew University in
Jerusalem, John Hopkins School for Advanced International
Studies, and the Rand Corporation.
Dr. Rid, thank you as well for your expertise and we look
forward to your testimony, as well as we do the other two
witnesses.
I'd like to note for the public and for my fellow members
that the level of cyber expertise in front of us is truly
remarkable. These witnesses will be able to provide at an
unclassified level some extremely useful texture and detail to
the discussion that we began this morning, and I feel certain--
and I say this to all three of you--that the committee in a
closed setting might want to reach out to you as we begin to
dig a little deeper, so that we can get your thoughts and tap
into your expertise in a setting that might be able to explore
a little further than the open setting of this hearing.
So once again I'll say to members that for this hearing we
will be recognized by order of seniority for five-minute
rounds. I would note for members that we are targeted to have a
vote somewhere between 4:00 and 4:30. It would be my hope that
we could wrap up prior to that vote and not hold our witnesses
open, and that way we would conclude Senate business for the
week with that vote.
Vice Chairman.
OPENING STATEMENT OF HON. MARK R. WARNER, VICE CHAIRMAN, A U.S.
SENATOR FROM VIRGINIA
Vice Chairman Warner. Thank you, Mr. Chairman. I don't have
any statement other than one to welcome all the witnesses and
to point out that before Mr. Mandia's company was acquired by a
California company he was based in Alexandria, Virginia, where
he did great, great work. And we'd be happy to have you bring
your company back, with all due deference to Senator Harris,
back to Virginia.
Senator Harris. Stay in the sunshine.
Chairman Burr. With that, Kevin, I'm going to recognize you
to start, and recognize there's a big difference between the
tech company you ran and the tech company he claims that he
ran.
[Laughter.]
STATEMENT OF KEVIN MANDIA, CHIEF EXECUTIVE OFFICER, FIREEYE,
INC.
Mr. Mandia. Thank you. I'd like to start by thanking the
Chairman, thanking the Vice Chairman, and the whole Senate
Intelligence Committee for this opportunity to share some of
the experiences and observables I've had in cyberspace over the
last 22 years. What I'm going to speak about today is the cyber
capabilities and techniques attributed to Russian hackers,
specifically the threat group that we refer to as APT28. I want
to talk also about recommendations to prevent or mitigate the
impact of these efforts to compromise.
Before I answer your questions, I want to give you a little
bit of my background or the background of our company so you
understand the context of my narrative. As I sit here right
now, we have hundreds of employees responding to computer
security breaches. We think it's critical to own that moment of
responding to a breach, collecting the trace evidence, and
analyzing that evidence.
So as I give you my narrative today, it's based on really
three things. It's based on: one, what we are learning as we
respond to hundreds of breaches a year. We're cataloguing that
trace evidence and we're putting it into a linked database.
Then we have over 150 threat analysts worldwide who speak 32
languages. They're in 32 countries, and they're trying to marry
up what we're seeing in cyberspace to what we're seeing in the
geopolitical world out there today.
Then the third source of my dialogue, the third source of
evidence, is in fact we have 5,000-plus customers who are
relying on our technology to protect them on a daily basis.
Let me first speak to the methodologies being used by APT
Group 28. We attribute many intrusions to these folks. You
might have heard about the Worldwide Antidoping Agency, the DNC
breach, the DCC breach, the Ukrainian Central Election
Commission, TV5Monde, and I can keep going on. I believe the
Doctor will mention some more of these victims.
But all the breaches that we attribute to APT28 in the last
two years involved the theft of internal data as well as the
leaking of this data by some other party, potentially APT28,
potentially some other arm of the organization, into the
public.
During the course of our APT28 investigations, we've had a
significant amount of evidence. We've looked at 550 or more
pieces of custom malware. A lot of people will think, well,
what's that mean? We don't see this malware publicly available.
It's not available to any of you to download and use tomorrow.
It's being crafted by somebody in a building somewhere. It's
being shared by people in a closed loop and it's not widespread
or available to anybody.
We've identified over 500 domains or IP addresses used by
this group when they attack. To put that in perspective, almost
every modern nation that develops an operational capability in
cyberspace, the first thing they need to do is get an
infrastructure they use to then attack the real site of their
attacks, the real intent, the real target. So there's a huge
infrastructure of compromised machines or false fronts or
organizations that are used for these attacks, and we found
over 500 of those.
We've analyzed over 70 lure documents written in many
different languages. These are the documents that you receive
during a spear phishing and they're armed documents if you open
up and peruse them. What's interesting is when you assess the
lure documents they're related to the subjects and interests of
the people who are receiving these documents. So a lot of work
is going into the backdrop or the background of the people that
are being spear phished.
I can go on and on. I've got 40, 50 more pages of what they
do. But I'll focus on a couple things that also help us
attribute APT28's activities to the Russian government. In 2015
alone, we saw APT28 leverage five zero-days, at least based on
our observables. A zero-day is an attack that does not have a
patch available for it. It will work if received and you
execute the file.
The best way to liken the value of a zero-day is, the
minute it's used and it's been weaponized, its value goes down
incredibly fast. So when you see these things, they're mostly
in the--they're mostly in the toolbox of a nation-state at this
point. Over the last ten years, the security industry has done
a great job making the cost of zero-days go up and to the
right, and we're seeing APT28 deploy zero-days as needed.
They're also extremely hard to detect once they're in your
network, because they rely on the tools your system
administrators rely on. So they're pretty--I always say they
turn to ghosts almost. The minute they're in, you're likelihood
of detecting them if you don't detect the initial breach goes
down exponentially. So they have zero-day capability. They
operate using your tools and they operate very hard to detect.
I want to share with you three observations that I saw
emerge in 2014 that I did not see prior to responding to these
state actors. I had the privilege of responding to them when I
was in the Air Force, probably a different group, but a group
that we attributed to the Russian government. Every time I
responded to them on the front lines, if they knew we were
watching them they would evaporate. We never got to observe the
tools, tactics, and procedures of Russian state-sponsored
intrusions in the late 1990s and early 2000s. They didn't let
us do it.
For some reason, in August of 2014 we were responding to a
breach at a government organization and during our response our
front-line responder said: They know we're there, they know
we're observing them, and they're still doing their activities.
So I actually flew in, sat on the front lines. It's the first I
have seen it.
To me that was big news because I had a 20-year run from
1993 to about 2014 where they never changed the rules of
engagement. I'd say they changed in August or September 2014.
The second thing they did, they started operating at a
scale and scope where you could easily detect them. We were
observing and orienting on them. They were letting us do it,
but their scale and scope became widely known to many security
organizations, and we all started working together to get
better visibility and fidelity into their tools, tactics, and
procedures.
Lastly, something that I wouldn't have predicted, but we
also witnessed for the first time in 2014, is a group that we'd
attribute to the Russian government compromising organizations
and then suddenly the documents were being leaked out in a
public forum through hacktivist personas, which we have not
seen.
In conclusion, today and into the foreseeable future it is
our view that the United States is going to continue to see
these things happen. While many organizations are actively
trying to counter these attacks, there is such an asymmetry
between offense and defense in cyberspace that it's really hard
for any organization to modernize and prevent these intrusions
from occurring when you have a state-sponsored attacker.
Therefore, we need to explore ways both within and outside
of the cyber domain to help deter these attacks.
Lastly, I always say if I had five minutes to talk to the
Senate, what would I say? Well, here it is. I think we have to
first start with we've got to get attribution right. We've got
to know who's hacking us so we can establish a deterrent, and
this gives us a great opportunity to make sure we have the
tools necessary and the international cooperation necessary to
have attribution. When you have attribution right, then you can
consider the proportional response and the other tools at your
disposal as diplomats to make sure we have the deterrence we
need.
Thank you very much for this opportunity.
[The prepared statement of Mr. Mandia follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. Thank you.
General, welcome.
STATEMENT OF GENERAL (Ret.) KEITH B. ALEXANDER, PRESIDENT AND
CHIEF EXECUTIVE OFFICER, IRONNET CYBERSPACE
General Alexander. Chairman, Ranking Member, distinguished
members of the committee: It's an honor to be here, I think. I
want to pick up from where Kevin left off. I want to raise it
up a strategic level.
I had the opportunity this morning to see on the news you
and the Ranking Member talk about approaching this in a
bipartisan way, approaching the solution in a bipartisan way.
When you look at the problem and what we're facing, it's not a
Republican problem, it's not a Democratic problem. This is an
American problem and we all have to come together to solve it.
I think that's very important.
If we step back and look at this, I want to cover several
key areas to give my perspective on what's going on. First with
respect to technology, communications is doubling every year.
We're getting more devices attached to the network. This
network is growing like crazy, and so are the vulnerabilities.
Our wealth, our future, our country is stored in these devices.
We've got to figure out how to secure them.
With those vulnerabilities, we've seen since 2007 attacks
on countries like Estonia, Georgia, Ukraine, Saudi Arabia--a
whole series of attacks, and then Crimea and others, and then
the attacks on the power grid in the Ukraine. What's clear is
this network and these tools have gone from interesting
exploitation for governments and crime to elements of national
power.
I think from my perspective, when we consider that this is
now an element of national power, we have to step back and say:
What's their objective? Sun-Tzu said: ``Know yourself and know
your enemy and you'll be successful in a thousand campaigns.''
What's Russia trying to do and why are they trying to do it?
From my perspective as I look at it from my background,
it's clear it's not just trying to go after the Democratic
National Convention or others. This is widespread and a
campaign that they're looking at doing that will drive wedges
between our own political parties and between our country and
NATO and within NATO and within the European Union.
Why? I believe when you look at Russia and if you were to
play out on a map what's happened over the last 25 or 30 years,
they see the fall of the Soviet Union and the impacts on their
near border and all these as impacts on them.
I bring all this up because one of the questions that's out
in the press is: Do we engage the Russians or do we not? Every
administration that I'm familiar with, including the Obama
administration, started out with: We're going to engage them.
In fact it was called ``the reset button.'' While that didn't
go far, I believe this Administration should do the same.
When I look at what's going on here, there's another
opportunity that we have. When you look at the characteristics
of leaders in this Administration, we have people with great
business experience--the President and the Secretary of State--
and great national security experience. In addressing the
problem that we're now dealing with, this is a new area. We're
seeing cyber as an element of national power. How do we now
engage Russia and other countries and set the right framework?
I believe we have to engage and confront: engage them in
those areas that we can, set up the right path, reach out, and
cool this down, I really do. We've got to fix that.
At the same time, we've got to let them know what things
they can't do and why they cannot do those--set those
standards. I think what this group can do and what you are
doing, Chairman and Vice Chairman, is make this a bipartisan
approach: solve this for the good of the Nation.
We look at cyber security and what Kevin gave you in terms
of what industry sees and what government sees. Over the last
decade, we have jointly worked on coming up with cyber
legislation, how industry and government works together. If
we're going to address attribution and other issues, we also
have to set up the way for our industry and sectors to work
with the government so that that attribution of things that the
government knows and those things that industry knows can be
used for the common good.
It's interesting that sitting in the presidential
commission, one of the things that came out when we looked at
what's going on was, what's our strategy? At times people
looked at this as it's a government issue and it's an industry
issue. It's not. This is something that we need to look at as a
common issue. ``For the common defense,'' it's in the preamble
to the Constitution and it's something that we should all look
at. Then we should see, how do we extend that to our allies?
So I would step back and encourage, encourage you to step
back and look at the strategy: What's Russia trying to do and
why are they trying to do it, and how do we engage them? At the
same time, we need to address our cyber security issues and go
fix those and get on with that.
Thank you very much, Mr. Chairman.
[The prepared statement of General Alexander follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. Thank you, General.
Mr. Rid.
STATEMENT OF THOMAS RID, Ph.D., PROFESSOR OF SECURITY STUDIES,
KING'S COLLEGE, LONDON
Dr. Rid. Chairman Burr, Vice Chairman Warner, members of
the committee: Thank you for giving me the opportunity to speak
today about active measures.
Understanding cyber operations in the 21st century is
impossible without first understanding intelligence operations
in the 20th century. Attributing and countering disinformation
today is therefore also impossible without first understanding
how the United States and its allies attributed and countered
hundreds of active measures throughout the Cold War.
Nobody summarized this dark art of disinformation better
than Colonel Rolf Wagenbreth from the Stasi, who headed the
Department X there. He said, and I quote: ``A powerful
adversary can only be defeated through a sophisticated,
methodical, careful, and shrewd effort to exploit even the
smallest cracks within our enemies and within their elites.''
The tried and tested way of active measures is to use an
adversary's existing weaknesses against himself, to drive
wedges into preexisting cracks. The more polarized a society,
the more vulnerable it is; and America in 2016, of course, was
highly polarized, with lots of cracks to drive wedges into. But
not all wedges; improved high-tech wedges that allowed the
Kremlin's operatives to attack their target faster, more
reactively, and at a far larger scale than ever before.
But the Russian operatives also left behind more clues and
more traces than ever before, and assessing these clues and
operations requires context. First, in the past 60 years--and
we talked about this already this morning--active measures
became the norm. The Cold War likely saw more than 10,000
active measures across the world. This is a remarkable figure.
The lull in the 1990s and the 2000s I think was an exception.
Second, in the past 20 years aggressive Russian digital
espionage campaigns--Kevin Mandia mentioned one of them--became
the norm as well. The first major state-on-state campaign was
called Moonlight Maze, and it started in 1996. In 2000 a shift
in tactics became apparent, especially in Moscow's military
intelligence agency, GRU. A once careful, risk-averse, and
shrewd and stealthy espionage actor became more careless, risk-
taking, and error-prone. One particularly revealing slip-up
resulted in a highly granular view of just one slice of GRU
targeting between March 2015 and May 2016 in the lead-up to the
election. That slice contained more than 19,000 malicious links
targeting nearly 7,000 individuals across the world, really.
Third, in the past two years now, coming closer to the
present, Russian intelligence operations began to combine those
two things, hacking and leaking. By early 2015, military
intelligence was targeting defense and diplomatic entities at
high tempo. Among the targets were the private accounts, for
example, of the current Chairman of the Joint Chiefs of Staff,
General Dunford, or current Assistant Secretary of the Air
Force Daniel Ginsberg, or the current U.S. Ambassador to Russia
John Tefft, and his predecessor Michael McFaul; a large number
of diplomatic and military officials in Ukraine, Georgia,
Turkey, Saudi Arabia, Afghanistan, and many countries bordering
Russia, especially their defense attaches.
All, I add, are legitimate and predictable targets for a
military intelligence agency. Russia intelligence, curiously,
also targeted inside Russia, critics inside Russia, for
example, the hacker group Shaltay Boltai. In early 2015, GRU
breached successfully not just the German Parliament, but also
the Italian military and the Saudi foreign ministry.
Between June 15 and November 16, at least six different
front organizations appeared, very much Cold War style, to
spread some of the stolen information to the public in a
targeted way.
Finally, in the past year the timeline here in the U.S.
election campaign began to align. Between March 10th and April
7, GRU targeted at least 109 full-time Clinton campaign
staffers. These are only full-time core staffers, not their
volunteers. These are not even counted here. Russian
intelligence targeted Clinton's senior advisor Jake Sullivan in
at least 14 different attempts beginning on 19 March. GRU
targeted even Secretary Clinton's personal email account, but
the data show that she did not fall for the trick and didn't
actually reveal her password.
Military intelligence agency GRU also targeted DNC staffers
between March 15 and April 11, the timing lines up nearly
perfectly. About one week later, after the events that I just
mentioned, the DCLeaks website was registered, getting ready to
spread these data publicly. The overlap between individuals
hacked by GRU and leaked on DCLeaks is nearly perfect. Out of
13 named leak victims, the available forensic evidence
identifies 12 as targeted by GRU, with the exception of George
Soros, by the way.
But a narrow technical analysis would miss the main
political and ethical challenge. Soviet bloc disinformation
specialists preferred the art of exploiting what was then
called ``unwitting agents.'' There is no contradiction in their
reading between being an honest American patriot and at the
same time furthering the cause of Russia. In the peace movement
in the 1980s we saw that people were genuinely protesting, say,
the NATO double track decision, but at the same time advancing
Russian goals. There is no contradiction.
Three types of unwitting agents--and I would like to close
with that--stand out: WikiLeaks; Twitter, the company itself,
and I'm happy to expand later; and over-eager journalists
aggressively covering the political leaks while neglecting or
ignoring their provenance.
In 1965 the KGB's grandmaster of dezinformatsiya, General
Ivan Agayants, inspected his active measures outpost in Prague,
a particularly effective and aggressive one, and he said,
quote: ``Sometimes I am amazed how easy it is to play these
games. If they did not have press freedom, we would have to
invent it for them.''
Later the Czech operative that he was speaking with in that
very moment defected to the United States and testified in
Congress, and I quote him to close. He said: ``The press should
be more cautious with anonymous leaks. Anonymity is a signal
indicating that the Big Russian Bear might be involved.''
Thank you.
[The prepared statement of Dr. Rid follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. I want to thank all three of you for your
testimony. I think it's safe to say that this is probably a
foundational hearing for our investigation, to have three
people with the knowledge that you do. I hope when you do get
that second call or third call that you'll sit down with us as
we have peeled back the onion and a little bit and we have
technical questions. But we've got some technical expertise on
the committee. You can look at a lot of gray hair and realize
that my technology capabilities are very shallow and that many
of us struggle to understand not just what they can do, but
even the lingo that's used, the dark side of the web, the open
side of the web. These things are amazing and would be shocking
to most people.
I'm going to turn to the Vice Chairman for his questions.
Vice Chairman Warner. Thank you, Mr. Chairman. Let me echo
what you said. I think we've got an incredible panel of
experts, and you're here because of that expertise.
I've got three questions that I'd like to try to get
through, the first one hopefully fairly quickly. Based upon
your expertise and knowledge, do you have, any of you, have any
doubt that it was Russia and Russian agents that perpetrated
during the 2016 presidential campaign the hacks of the DNC and
the Podesta emails and the misinformation and disinformation
campaign that took place during the election? A short answer
will do. Do any of you have any doubt that it was Russia?
Mr. Mandia. I think basically, from the observables we get
at the victim sites you can't always connect the dots. We can't
show you a picture of a building. We can't give you a list of
names of people who did it. We have to look at a lot of other
factors, some of which is incredible amounts of detail.
But we've got ten years of observation here. We've seen
similar behaviors in the past. My best answer is it absolutely
stretches credulity to think they were not involved.
Vice Chairman Warner. General Alexander.
General Alexander. I believe they were involved.
Vice Chairman Warner. Dr. Rid.
Dr. Rid. I believe they were involved as well.
Vice Chairman Warner. Thank you.
It has been reported that some of the techniques--and I say
to my good friend Richard Burr, I used to be technologically
savvy up until about year 2000, 2001, which still puts me a
decade ahead of some of my colleagues.
But it's been reported in the press and elsewhere that by
using internet trolls and then the botnets and that exponential
ability then to kind of flood the zone that in the
misinformation and disinformation campaign they were, the
Russians, were able to flood the zone, actually not in a broad-
based, across the whole country, but literally target it down
to precinct levels in certain states.
Is that capable to do, if you could have the botnet network
that would in effect put out misinformation or disinformation
and then all of the other accessory sites that would then gang
up on that and target that down to a geographic location?
General Alexander. I think it's technically possible. I
don't know that you have--that I have enough information to say
that was done at each one of those locations. But I think it's
technically possible. If you put enough people on it, yes, you
could do that.
Vice Chairman Warner. Dr. Rid or Mr. Mandia.
Dr. Rid. It's very technically possible. May I just make an
important distinction here between a ``botnet,'' which is
usually remotely controlling somebody's computing resources and
machine, and ``bots,'' that is fake Twitter accounts that are
automated.
Vice Chairman Warner. But they both have the effect.
Somebody's campaign--somebody's computer that is accessed or
fake Twitter accounts, bots, they still have the same effect of
pushing a news story higher on a news feed, for example, a
Twitter news feed or a Facebook news feed?
Dr. Rid. That is mostly done by bots within social media
networks, that can be any social media network. Botnets are
usually used for different purposes.
Vice Chairman Warner. Kevin, do you want to?
Mr. Mandia. Yes. Peeling back the question, there's a
couple things. I think you can always try to get public
perception to go certain ways based on the results of Google
searches and things like that, and you can automate ways to up-
level people's attention to things, with all the social media.
The good news is during the election a lot of states had
the foresight to, let's do shields up and let's be very
diligent, let's watch all the cyber traffic we can. And we
didn't see any evidence, at least in the DDOS side or
distributed denial of service attacks or attacks--we didn't see
anything that harmed the actual election process.
Vice Chairman Warner. That was not the--but the question of
targeting in.
So here's the last question. I've heard and it's been
reported that part of the misinformation-disinformation
campaign that was launched was launched in three key states--
Wisconsin, Michigan, and Pennsylvania--and it was launched,
interestingly enough, not to reinforce Trump voters to go out,
but actually targeted at potential Clinton voters with
misinformation in the last week where they were not suddenly
reading, if they got their news from Facebook or Twitter,
Clinton and Trump back and forth, but stories about Clinton
being sick and other things.
I guess my final point here is--and this may be beyond
anybody's expertise, but my understanding is the Russians,
although very good at some of this technology piece, they might
not have been so good at being able to target to a precinct
level American political turnout; that that would mean they
might be actually receiving some information or alliance from
some American political expertise to be able to figure out
where to focus these efforts.
Dr. Rid. I haven't seen a detailed analysis of the
precinct-level targeting that would be good enough to
substantiate this assumption. But this relates to a more
fundamental problem. One different, separate entire group of
actors and some completely legitimate within the campaign were
taking advantage of social media. So it's really difficult to
distinguish for researchers after the fact what actually is a
fake account and what is a real account.
Ultimately, we need the cooperation of some of the social
media companies to give us heuristics and visibility into the
data that only they have.
General Alexander. I would take it a step higher, that,
Senator, I think what they were trying to do is to drive a
wedge within the Democratic Party between the Clinton group and
the Sanders group, and then within our Nation between
Republicans and Democrats. I think what that does is it drives
us further apart, that's in their best interest. And we see
that elsewhere.
I'm not sure I could zone it down to a specific precinct,
but I think what we would expect is for them to create
divisions within the whole framework and destroy our unity. And
you can see, actually, if you look back over the last year, we
didn't need a lot of help in some of those areas.
So now the question is, and where I think you have the
opportunity, is how do we build that back?
Chairman Burr. Let me say before I recognize Senator Rubio,
I want to clarify what I said about Senator Warner's business.
My reference meant that it was about 14 years ago, 15 years
ago. And I think it was you, General Alexander, that came in
front of the committee and said: In the future, people won't
file technological patents because technology will change so
quickly that you won't have a year and a half's time to go
through the patent approval process before your technology is
obsolete.
I think we have reached that point of technological
explosion, that what we're talking about today we could have a
hearing six months from now and probably talk about something
different.
Vice Chairman Warner. But I would say that the cell phones
that I was involved with in the early 1980s have become a bit
ubiquitous.
Chairman Burr. Well, we all wish we had flip phones again,
I can tell you that.
[Laughter.]
Senator Rubio.
Senator Rubio. Thank you, Mr. Chairman, and to the Ranking
Member.
Before I get to my question, Mr. Chairman, in the first
panel one of the individuals that appeared before us mentioned
me in connection with efforts in the 2016 presidential primary.
I am not prepared to comment on that and any information on
that issue hopefully will be reflected in our report, if any.
I do think it is appropriate, however, to divulge to the
committee, since a lot of this has taken a partisan tone, not
in the committee but in the broader perspective, the following
facts. In July of 2016, shortly after I announced that I would
seek reelection to the United States Senate, former members of
my presidential campaign team who had access to the internal
information of my presidential campaign were targeted by IP
addresses with an unknown location within Russia. That effort
was unsuccessful.
I'd also inform the committee that within the last 24
hours, at 10:45 a.m. yesterday, a second attempt was made,
again against former members of my presidential campaign team
who had access to our internal information, again targeted from
an IP address from an unknown location in Russia. That effort
was also unsuccessful.
My question to all the panelists: I have heard a lot on the
radio and on television an advertisement for a firm in the
United States actively marketed in Best Buy and other places by
the name of Kaspersky Labs. There have been open source reports
which I can cite that basically say that Kaspersky Labs has a
long history connecting them with the KGB's successor, the
Russian security services. I have a Bloomberg article here and
others.
I would ask the panelists: In your capacity as experts in
information technology, would any of you ever put Kaspersky
Labs on any device that you use, and do you think any of us
here in this room should ever put Kaspersky Labs products on
any of our devices or computers or IT material?
Mr. Mandia. I think the way I'd address that is, generally
people's products are better based on where they're most
located and what attacks they defend against. For example, you
think about Symantec or McAfee or my company and other
companies. We are prominently used in the U.S., so we get to
see the best attacks from China and cyber espionage campaigns
in Russia. In the Middle East, it's already in massive
escalation mode and we're all prominent there.
I think what we're starting to see is an alignment where
Japan will let a U.S. company secure Japan, South Korea will
let a U.S. company defend South Korea, the Middle East will let
a U.S. company defend it, but you almost see lines being drawn.
There's no doubt the efficacy of Kaspersky's products. They
probably get to see different things than we see, being this
relevant here.
Senator Rubio. My question was not about whether it's an
effective tool. My question about it is whether you would ever
put it on your computer.
Mr. Mandia. My answer indirectly would be there would be
better software probably available to you than Kaspersky to
defend you here.
General Alexander. I'll answer by, no, I wouldn't, and I
wouldn't recommend that you do it either. There's better
capabilities here that you can use, FireEye, for example, and
I'm being credited now with that--no. There are other U.S.
firms that answer and solve problems that will face you for the
issues that you described earlier, Senator, that I think would
be better at blocking them.
Dr. Rid. I would, yes. I would also use a competing product
at the same time. Always a bit of redundancy never harms.
But it's important to say that Kaspersky is not an arm of
the Russian government if we look at the publicly available
evidence. Kaspersky has published information about Russian
cyber attack, cyber intrusion campaigns, digital espionage,
about several different Russian campaigns. Name any American
company that publishes information about American digital
espionage?
Senator Rubio. My second question to the panel in the time
that I have remaining is: My concern in our debate here is that
we're so focused on the hacking and the emails that we've
lost--and I think others have used this terminology--we've
focused on the trees and have lost sight of the forest.
The hacking is a tactic to gather information, for the
broader goal of introducing information into the political
environment, into the public discourse, to achieve an aim and a
goal. It is the combination of information leaked to the media,
which of course is always very interested in salacious things,
as is their right in a free society. The public wants to read
about that, too, sometimes.
But it's also part of this other effort of misinformation,
fake news, and the like. Would you not advise this panel to
look simply beyond the emails--that's an important part--to the
broader effort in which the emails in the strategic placement
of information in the press is one aspect of a much broader
campaign?
General Alexander. Senator, that was part of my point about
bringing this up to a strategic level and saying that what's
Russia trying to accomplish with respect to NATO, the European
Union, and the U.S., and driving a wedge between those and
creating tensions between those countries and ours.
If you were to go back and look at what's happened to
Russia over the last 30 years and then play that forward and
see what they're now doing, you can see a logic to their
strategy. I think that's something that we now need to address.
I do think we ought to address this with the Russians and get
the Administration to do that. It's not something that we want
to go to war on. It's something that we want to resolve by
engagement and confrontation.
Dr. Rid. How are active measures today different from in
the Cold War? This is in answer to your question. In the Cold
War, active measures were really artisanal--very quiet,
craftsmanship, a lot of hard work, forging letters, doing
research. It was a real undertaking. Today they're not
artisanal; they're outsourced, outsourced in part to the
victim, and especially to journalists, American journalists.
They add the value to these active measures.
This is important because if we look at the operations in
hindsight they appear a lot more sophisticated than they
actually were. So we run the risk of overestimating Russian
capabilities here.
Chairman Burr. Senator Feinstein.
Senator Feinstein. Thank you very much, Mr. Chairman.
Kevin Mandia, it's good to see you again. I want you to
know how much your nation report was appreciated. You spoke
before this committee and I think everybody very much
appreciated it and I think it had some good results. So thank
you very much.
General Alexander, this is the first time I've seen you out
of uniform. Civilian clothing is becoming. I'd like to
personally welcome you.
I don't know our third gentleman, but I want to address
this to General Alexander. You were Cyber Command for a number
of years. You spoke about the fact that the time has come for
us to get tough. We have talked about that before. We have
WikiLeaks and stream after stream after stream of release of
classified information, which has done substantial harm to this
Nation.
Yet we do nothing. And everybody says, well, we'd like to
do something, but we don't quite know what it is. I never
thought we would be in a situation where a country like Russia
would use this kind of active measure in a presidential
campaign. The size of this, the enormity of it, is just
eclipsing everything else in my mind.
Yet there is no response. As you have left now and you've
put the Cyber Command on your desk, what would you do? What
would you recommend to this government?
General Alexander. I think there are two broad objectives
we ought to do. We ought to fix the defense between the public
and private sector, between government and industry.
Senator Feinstein. You've said that.
General Alexander. We have to fix that, because much of
what we're seeing is impacting the commercial--or the private
sector. Yet the government can't really see that. So the
government's not going to be able to help out and the ability
to take actions to actively mitigate it therefore are
nonexistent or after the fact.
If you think about Sony as an example and imagine that as
the attack coming in, the government couldn't see that at
network speed and so the government came in and did incident
response. Everything could happen to Sony. What you really want
the government to do is just stop a nation-state like North
Korea or Russia from attacking us. But the government can't do
that if it can't see it.
So we have to put this together. We have to come up with a
way of sharing threat intelligence information at network speed
and practicing what our government and industry do together and
work that with our allies. I believe we can do this and protect
civil liberties and privacy. I think we often combine those
two, but we can actually separate and show that you can do
both.
Senator Feinstein. How?
General Alexander. Well, for first, the information that
we're talking about here doesn't involve our personally
identifiable information. Think of this as looking at airplane
traffic over the country. When you see radars looking at those
airplanes that are going by--think of those as pieces of
information--they aren't reading everybody in the airplane.
They're seeing an airplane and they're passing it on to another
controller, who sees a comprehensive picture.
What we see is what radar sees today. So we don't
actually--we're not talking about reading threat information.
We want to know what's that packet of information doing, why is
it coming here, and can I or should I share the fact that a
threat is coming to us.
Senator Feinstein. I understand what you're saying. But
what I'm asking you for is different. It is your expertise
based on this, based on the fact that the Russian government,
including two intelligence services, made a major cyber attack
on a presidential election in this country, with a view of
influencing the outcome.
What would you recommend?
General Alexander. The first step was fix the defense,
because if you take offense and you don't have a defense then
the second step of going after the power or other sectors puts
us at greater risk. So from a National Security Council
perspective, what I would expect any administration to do is to
look at the consequences of the actions that they take.
So when I said engage and confront, in this regard what I
would do, what I would recommend, is first and foremost a quiet
engagement with the Russian government about what we know and
why we know it, without giving away our secrets, and say,
that's got to stop. We need an engagement here.
If we're going to confront them, it would be: We know
you're doing this right now; stop that. We had a channel in the
Cold War for doing it. We need a channel to get that and build
back the ability to stop things, from my perspective.
I would be against using cyber only as a tool against
Russia when we have these vulnerabilities we haven't addressed
here in our own country. I think it would be a mistake until we
fix that. So that's why I say we have to do both.
I actually--and it was interesting. We were talking
beforehand, and Thomas can add to this. One of the things that
as you look at this--I don't believe Russia understood the
impact their decisions would have in this area. It's far
exceeded it. With all the discussion going on in our country
today, I am sure that people in Russia are saying: Oops, we
overdid this.
Now is the time for us to say: not only did you overdo it,
we need to set a framework for how we're going to work in the
future, and we need to set that now. That can only be done by
engaging them face to face, and I think that's what has to be
done.
Senator Feinstein. Thank you. Very helpful.
Thank you, Mr. Chairman.
Chairman Burr. Senator Blunt.
Senator Blunt. Let's start with General Alexander. I asked
a question this morning, which was, after all the discussion of
the long history of Russian involvement in European elections,
of things that have happened for a long time and really in a
significant way in the last 15 years, why do you think that we
were not better prepared for this?
General Alexander, you just said that we needed to have a
defense. Why wouldn't we have had a defense? What was this
about this particular thing that had been so anticipated that
the intelligence community, the U.S. Government, even the
media, appears not to have had the defense you just mentioned
we should have now?
General Alexander. Senator, this has been a great
discussion that you and the other House of Congress have talked
about, and that's how do we put together our country's cyber
legislation? Right now we do not have a way for industry and
government to work together. So if you think about the DNC or
the RNC or the electricity sector and others, when they're
being attacked the ability for the government to see and do
something on that doesn't exist.
Everybody recognizes that we need to do it. We talk about
it. In fact, we had at the Armed Services Committee a
discussion on it. But we haven't taken the steps to bind that
together. We allow it, but we haven't created it.
I believe that's the most important thing that we could do
on that one vector that Senator Feinstein brought up: fix the
defense. The reason is the government's not tracking the RNC
and the DNC. Now, industry sees it, and Kevin brought out some
key points of what was going on and what they were seeing from
an industry perspective. But the reality is we haven't brought
these two great capabilities together.
The other part, it's my personal experience the government
can help on attribution several times greater than what we see
in industry. If you put those two together, we could act a lot
better.
Senator Blunt. Let's go to Mr. Rid. Mr. Rid, should we
have--was there nothing we could have done here? Were we not
paying the level of attention that we should have paid? Or is
it just we just aren't ready because our structure doesn't
allow us to anticipate what we know was happening in elections
all over the world before 2015 and 2016 here? Particularly in
Europe. Maybe ``all over the world'' might be a stretch, but
all over Europe, not a stretch.
Dr. Rid. There's a lot we can do in order to increase
defenses here, as well as to minimize the effect of active
measures that are already taking place. Let me name an example.
Let's make this concrete. You as members of the legislative
body are--and the same is true in Europe--the soft underbelly
of the government of the wider administration and government,
because--this is true for all parliaments--the IT security is
notoriously bad.
The chip card that many of your staff members carry around
their neck, the CAC card, as it's called, here in Congress, if
my information is correct, doesn't actually have the proper
chip. It has a picture of a chip. Try feeling. Try to feel the
chip with your fingernail. There is no chip. It's only to
prevent chip environment if you meet with other parts of the
Executive Branch. That tells you that there's a very serious IT
security problem. It should be mandatory--and potentially this
is something you would think about as we move forward--it
should be mandatory for all campaigns, just like you have to
disclose financial records, it should be mandatory by default
to have two-factor authentication. So not just a password, but
actually a second thing, like a number that is generated by an
app or a specific key.
Senator Blunt. Thank you.
We had somebody this morning say it should be mandatory for
the State Department to have a program to every day say what
was true and what wasn't true. There are certain levels beyond
what you can require people to do that really don't make that
kind of sense.
Mr. Mandia--and I don't mean your comment didn't, but there
are practical levels now. I also say the ``soft underbelly'' is
one of the nicer things the Legislative Branch would be called
these days. But your thoughts on why we didn't see this coming?
The earlier panel had a more robust sense of where we should
have been understanding what was going on than this one.
Mr. Mandia. There's probably a lot of ways to answer that.
I'll answer it this way. When it comes to cyber security, first
off, I don't want to destroy anybody's hopes. When we say fix
the problem, we've known about cancer for 4,000 years; we
haven't cured it yet. The reality is this: when we fix the
problem here, we're still going to have incidents, we're still
going to have something of impact and consequence.
My experience is this: People get serious about cyber
security when they have two things: either, A, a compliance
driver and they take it seriously; or, B, they have the ``oh,
crap'' moment, quite frankly, and they've been breached.
We published reports, my company did, in 2014 that had a
lot of the allusions to what just happened. But sometimes you
have to have it happen before you recognize that, wow, that was
really on the table. I doubt it'll happen again, but now we're
having the dialogue to make sure that it doesn't.
Senator Blunt. Thank you, Chairman.
Chairman Burr. Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman. I think it's been a
very good panel.
I want to talk about one of our most significant
vulnerabilities as it relates to cyber security. I have been
working for some time now with Congressman Ted Lieu of
California, who is a real expert in this field. One of the
things that I'm particularly troubled by is our vulnerabilities
in what's called ``SS7,'' Signaling System 7. This essentially
allows cellular networks to be able to talk to one another. We
seem to have some very significant vulnerabilities that could
allow a foreign actor, Russians and a variety of other
interests hostile to our country, to hack, tap, or track an
American's mobile phone. The hackers could be just about
anybody, but certainly a foreign government, and the victim
could be just about any American.
I think, Dr. Rid--and I welcome anyone who'd like to talk.
But I think, Dr. Rid, you've done some serious analysis of
these vulnerabilities in SS7 and I would be interested in
hearing, A, how serious you think this is, and, B, what do you
think our government ought to do about it, particularly in
connection to the topic at hand, which is dealing with these
Russian hacks?
Dr. Rid. Thank you for this very specific question,
although I have to say that I'm not an SS7 expert and I don't
want to pretend to be one here. But the technology that you're
referring to is certainly a weak point and can easily be
exploited, ultimately because it is a trust-based system, a
trust-based protocol. And if you have a landscape of a lot of
mobile phone providers, it's relatively easy to undermine, that
some one entity essentially undermines, can essentially exploit
the trust here.
There are ways to remedy the problem, but I will just add
one observation, that if--and I think many people in Congress
will be doing this already--if you use an encrypted app for
your communications, then you will most likely defeat some of
that vulnerability there.
Senator Wyden. I hope that's the case. I think the
Congressman and I have been concerned that that may not be
enough, because largely what has happened thus far is there
have been self-regulatory approaches and that and other
approaches weren't pursued. So we're going to continue this
discussion. As I understood it, you had talked to some of our
folks. You may not think yourself--you may not consider
yourself an expert, but our folks thought you were very
knowledgeable.
Dr. Rid. Well, may I respond?
Senator Wyden. Sure.
Dr. Rid. I think we're looking in multiple ways at market
failures here. So two-factor authentication, which I mentioned,
we're looking at a market failure there because it's still an
opt-in situation. If you have an opt-in situation, most people
will not opt in and hence remain vulnerable.
The market, when we look at active measures--and this is
one of the most fundamental ethical dilemmas here. The market
favors disinformation today, and I can go into specifics on how
we can remedy this if you like.
Senator Wyden. Well, the Congressman and I feel that we
ought to get the FCC, the Federal Communications Commission,
off the dime, too, because it is clear that they have been
slow-walking the various kinds of approaches that could provide
an added measure of security.
Let me ask one other question and any of you three can get
into it. In January the IC assessment, the intelligence
community assessment, said that Russian intelligence accessed
elements of multiple State or local electoral boards. So I
asked the FBI Director then what exactly had been compromised
and what was the nature and the extent of the compromise.
Director Comey responded that the Russians had attacked
State voter registration databases and taken data from those
databases. Can you add anything else to that? Any of you three
are welcome to do it, because that sounds to me like pretty
alarming stuff. The FBI Director in January--and I wish I'd had
more time to get into it with him--essentially said that this
was a problem, and I would be curious whether you knew anything
more about this topic.
We can just go right down.
General Alexander. I don't. I have talked to some of the--
one of the Secretaries of State on just this and the issue that
you brought up, the polling data, the registration data, is
something that's at risk and something that the states are
looking at. So I do think that's important.
Senator Wyden. Great.
Thank you, Mr. Chairman.
Chairman Burr. Senator Cornyn.
Senator Cornyn. Thank you for being here and testifying.
I think maybe we assume that people know more about what
we're talking about than maybe they actually do. So I'd like to
kind of get basic maybe for my benefit and maybe some other
people will learn some things as well. But I think we've
referred to something that's called spear phishing. So I'd like
to have one of you explain what that is.
Let me just tell you, by the way, that occasionally my junk
email box on my personal email, I'll get emails that purport to
be from the FBI Director or the Army Chief of Staff, Mark
Milley, my friend from Fort Hood who's now the Army Chief of
Staff, or maybe from Apple, telling me that I need to reset my
password, or from Google saying I need to execute some sort of
maneuver.
Then there's a link for me to click on. Is that what is
commonly known as spear phishing, and once you click on that
link then they basically could take over your machine?
Mr. Mandia. Yes, you've basically got that right. Looking
back at 2015 and 2016, we did nearly 1,000 investigations into
computer intrusions, and we have a skewed vantage point because
no one hires us to respond to an intrusion when they're five
minutes behind the hack. They hire us when the hack and the
breach is already at a scale and scope where they need help.
In 91 percent of those breaches, victim zero was in fact
spear phishing, meaning that's how the Russian groups, the
Chinese cyber espionage campaigns, and every capable hacking
threat actor is breaking in. It is in fact a link that
purports--it's a link or an attacked document that comes to
you. It looks like it's coming from someone that knows you and
it's got something relevant attached or the link is to
something you consider relevant to what you do for a living.
That's what we were talking about earlier, is that's how we
kind of know what the Russians were targeting, is they're doing
very specific spear phishes to very specific people. But that
is the number one way human trust is being exploited and that's
how folks are breaking in.
Senator Cornyn. Would you be surprised if a member of
Congress was being targeted by a Russian or a foreign
government spear phishing?
Mr. Mandia. I would not be, and I would expect every one of
you is targeted on a near-daily basis.
Senator Cornyn. General Alexander, you were going to say
something?
General Alexander. Yes, I was going to add to what Kevin
said. They're going to do research on you, know who your
friends are, so they know you with Mark Milley from Texas, they
know key things about you. Perhaps you golf and you have a
friend that golfs, and they're going to send you something:
Hey, how about this golfing thing? Click here or do this. And
that's how they do it.
Spear phishing is targeted on an individual. They do
research and understand more about you to go after you as a
person.
Senator Cornyn. Well, Dr. Rid, you talked about the poor IT
and cyber hygiene in the government space. I think some of this
could be as simple as updating your antivirus software,
scanning your machine periodically, and the like. But let me
just mention the specific hack of the OPM, the Office of
Personnel Management. I mentioned it at an earlier panel. 21
million Americans had their personal information stolen in
government custody.
So even though they may have considered it private
information, they were forced to give it to the government for
security clearance or some other purpose, and now some foreign
state actor through a cyber hack has access to 21 million
private records, including more than 5 million sets of
fingerprints.
Is that the kind of information that cyber actors, either
criminals or espionage agents, foreign governments, would use
to further collect espionage or to steal or to implant
ransomware or something in a machine or in a business and then
shake them down for money?
Dr. Rid. Yes, absolutely. The more information, the more
confidential information also, you have, the easier it is to
craft a spear phishing, a targeted email, a deceptive email, a
forged email so to speak. In my written testimony I included a
number of samples, a number of exhibits----
Senator Cornyn. I saw that.
Dr. Rid [continuing]. Including John Podesta's.
Senator Cornyn. Thank you. Thank you for doing that.
Well, we don't have control over everybody's private
computer or what kind of software they use. But we do have
something to say, I think, about what the United States
Government does. And I think one of the things we need to be
attentive to is to make sure that the United States Government
networks are adequately protected.
I know, General Alexander, you had something to do about
that at the NSA. But you didn't have the ability to protect all
of this other information.
Let me just ask--I just have a couple of seconds and since
you're here, General Alexander, we're going to have to take up
the reauthorization of the Foreign Intelligence Surveillance
Act, particularly Section 702. I just would like to ask you,
since we have you here, a little bit about its importance to
detecting and countering foreign cyber activity. And if you
would also include in your answer the privacy protections that
are a very, very important part of that and oversight that you
got to see first-hand in your capacity as head of NSA and Cyber
Command.
General Alexander. I think that's the most important
program that's out there, especially in counterterrorism. I can
give you a real quick example. Najibullah Zazi in Denver was
detected by that specific authorization. NSA saw that, provided
it to the FBI, and Nazibullah Zazi was the individual in 2009
who was driving across the country to New York City when they
arrested the individual in New York City based off of the other
program and they found several backpacks in various states of
readiness to attack the New York City subway--done by that
program.
I think that's the most effective counterterrorism program
we have, and I think it will be also effective in some areas
for cyber security, although I don't have any examples off the
top of my head here.
Senator Cornyn. Could you conclude your answer and talk a
little about minimization and other privacy protections,
because I think that's important to the American people, to
know that we're very vigilant and diligent in that area as
well?
General Alexander. Yes. It's interesting because we did a
series of presidential review groups on NSA after the Snowden
leaks about these programs. At the time one of the board
members of the ACLU, Geoffrey Stone, was on that panel. I was
kind of skeptical about this individual being on there, and I'm
sure he looked at me somewhat askance.
After five weeks of sitting down with our people and going
through every one of those, he came up to me and he said: Your
people have the greatest integrity of any agencies I've seen.
And I said: Don't tell me; tell the American people; tell
Congress; tell the people of NSA and tell the White House. And
he did.
So there are some key statements by Geoffrey Stone that
show that we can protect civil liberties and privacy. I think
it's important to see some of his statements there, because
what it did is--he also asked me to write an op-ed. So imagine
an Army officer and a board member of the ACLU writing an op-ed
on reauthorizing the metadata program, with some changes. And
we did.
The reason--I asked him: Why are you doing that? And he
said: The reason that I'm doing this is that if we don't have
programs like this and we're attacked, we won't have civil
liberties and privacy, and the mechanisms and the capabilities
you have here to protect it are overseen by Congress, overseen
by the courts, and overseen by the Administration. Everything
has 100 percent review on it. And I think that's the best way
to do it.
You know, he is right. If we do get another attack, they're
going to ask Congress, they're going to ask the Administration,
why we didn't stop those. I think this is exactly why we have
to move down. I do think we have to be more transparent. I
think as we bring cyber security in here, having a discussion
like this open hearing about how we can protect these is
absolutely critical for our country.
I have some statements, but I think your folks can pull
those off the web, from Geoffrey Stone, with a ``G''. Thank
you.
Chairman Burr. Senator Heinrich.
Senator Heinrich. Let me start by saying that I guess I can
take some comfort now knowing that Senator Rubio and Senator
Cornyn and quite a few of us have had these sort of
sophisticated targeting examples where you end up having to
make sure that everything's in place, that your devices were
not penetrated. I've certainly had staff targeted. I've had
family members who have received these very sophisticated spear
phishing and other kinds of approaches. Sometimes you know
where the IP address is coming from because your provider
literally tells you: Oh, by the way, if you didn't try to reset
your account from Russia yesterday at 3:22 p.m., let us know.
And having been through that a few times, one of the things
that I've certainly shared with my colleagues--and you
mentioned this, Dr. Rid, is the importance of two-step
authentication. I think it just can't be oversold to the
public. Do you want to say just a couple more words about that
and why that's so important?
Dr. Rid. Had John Podesta had two-factor authentication the
last month of the campaign, the last month of the campaign
would have looked very different. I think that says it all.
Senator Heinrich. That says it all. Yes, I could not agree
more.
Given what we saw in 2016 and how easy it is to sometimes
drive these wedges within our own society, what should we be
expecting in 2018 and how should we be preparing for that?
That's open-ended for any of the three of you if you want to
share your thoughts.
Mr. Mandia. It took about 18 years for me even to figure
out as I responded to breaches they reflected geopolitical
conditions, but they actually do. What I think we're going to
observe in 2017 and 2018, the attacks will always exploit human
trust. There will be clever ways to do it. There are ways to
get around two-factor authentication, which we've seen Russians
use as well as the Chinese government use.
I think it's going to be more what's fair game to
espionage. I think that governments are going to start working
on defining what are the industries that are fair game, what
are the activities that are fair game and what aren't, because,
quite frankly, every nation can get sucker-punched in cyber
space, because we're exploiting human trust.
Senator Heinrich. How do you send those signals about what
is over the line and what the consequences of crossing that
line might be?
Mr. Mandia. Well, that's why we have diplomats. I think
we're going to have doctrine. We're going to have things that
we publish. We're going to have to let people know what we
think are the right activities and are the wrong activities.
The private sector will participate. Governments will
participate. We'll get alignment with some nations and
misalignment with others, and we'll adapt to that.
General Alexander. Could I add to that?
Senator Heinrich. Go ahead, General.
General Alexander. I believe that one of the things that
you could do and encourage is with the states setting up an
exercise program between the State governments and the Federal
Government about how you're actually going to improve the
security of that and what they need to do, set the standards.
So I'd go beyond the National Institute of Standards and
Technology. How do we know we're protecting voter registration
databases, and what are the standards that we're holding them
to and who's watching that, and setting the controls in place.
I think that the states would greatly appreciate, so what are
you going to do when we're being pummeled by a persistent? Now
the government, the Federal Government, needs to step in.
That's part of Senator Feinstein's question: How do you? Well,
we haven't practiced that. We should practice that.
Senator Heinrich. Dr. Rid.
Dr. Rid. A very concrete suggestion that I think would
actually make a difference. How many of the social media
interactions, especially Twitter interactions, during the
campaign of the most important Twitter accounts were created by
bots?
Senator Heinrich. Yes.
Dr. Rid. Were created by automated scripts and not humans?
The answer to that question--we don't know the answer to that
question because Twitter and other social media networks have
not provided the data. You could write a letter to these
companies and ask them to provide the heuristics, to provide
the data: How much of a problem is our bots?
Senator Heinrich. That actually, that's very much in line
with my next question that I was going to direct to you, which
is: In addition to looking at the data, are there things that
we should be doing working in concert with those social media
companies to dampen the effectiveness of this feedback loop in
the media cycle that is being exploited?
Dr. Rid. Absolutely. You could, for instance, ask social
media companies to provide detailed data, including a
methodology of how they arrived at those data. It's very
difficult for outsiders to get to the answer to these
questions: How much of a problem are bots? I think it is a very
significant problem.
When you sign up for a new Twitter account today, you can
say--you know, the new accounts all have an egg face. You can
say: I don't want any eggs, people who never change their
account picture. No eggs is a good thing. You can say, I don't
want eggs, but you can't say, I don't want bots. Bots are more
of a problem than eggs, I believe.
So we should be in a position to, by default, move into an
environment where we switch out abuse and bots out of our
vision, if you like, as users.
Senator Heinrich. Very helpful. Thank you all very much.
Chairman Burr. Senator Collins.
Senator Collins. Thank you, Mr. Chairman.
General Alexander, first of all, it's nice to see you once
again. Section 501 of the fiscal year 2017 intelligence
authorization bill, which, regrettably, has not yet become law,
requires the President to establish an interagency committee to
counter active measures by Russia, including efforts to
influence people and governments through covert and overt
broadcasting.
The purpose of this committee would be to expose
falsehoods, agents of influence, corruption, human rights
abuses carried out by the Russian Federation or its proxies.
Like the U.S. Information Agency, there once was an Active
Measures Working Group that worked to counter covert
disinformation from the Soviet Union, and that was disbanded.
Is this a recommendation, as we search for ways to counter
the Russian attempts to spread propaganda, outright lies,
influence our people--is this a recommendation that you believe
should be implemented?
General Alexander. I do. I think I would look at giving the
Administration a suite of capabilities from diplomatic through
cyber to what you just said, active measures, what we can do to
expose that. I think we also need to give them the freedom to
determine what's shared and what's not shared in terms of
protecting the Nation in that regard, sharing it all with
Congress of course, but how you publicize that if you know
something is going on and you've got it through other means.
I think those things you'd want the Administration to at
least be reasonable about, but I do think these are the kinds
of things that should be put on the table. I would have to go
back and look at all the tools that you're going to give them
and say, does that meet the objectives of engaging Russia and
confronting them when they cross the line on something? I think
in this case this is something that would give them a tool, if
they've crossed that line, to say, stop, here's what we know
and here's the consequences.
Senator Collins. Because one of the aspects of this
investigation that I found troubling that we've already learned
is how weak our response is when we have a disinformation
campaign. It seems to me that this working group could be
useful. I realize it's a delicate issue in some ways because
you don't want to sweep up legitimate--you don't want to be
trying to set the rules for journalists, for example.
But that brings me to another issue for Professor Rid. That
is, in your testimony you talked about how Russian
disinformation specialized the act--specialists, I'm sorry,
perfected the act of exploiting the unwitting agent. I assume
by that you mean that individuals or entities who don't know or
realize that they are being used by the Russians, but
nevertheless are.
In your testimony you use examples of Twitter and
journalists who cover political leaks without describing the
origins of those leaks as examples of unwitting agents that
were involved in the Russian influence campaign in 2016. You
also list WikiLeaks. I would put WikiLeaks in a different
category personally.
But what can we do about the unwitting agent? I mean the
truly unwitting agent.
Dr. Rid. Yes, I agree, in the case of WikiLeaks it's
unclear whether they are unwitting indeed or just witting, so
to speak.
Senator Collins. Right.
Dr. Rid. But I think we are trained, the Western mind, if
you like, is trained to think in contradictions. It's either
this or that. But here I think we're looking at a situation--
and this has been a pattern throughout the Cold War--where
active measures operators recognize that unwitting agents--this
could be journalists, politicians even; members of Parliament
in the past have been the case--just because they're genuinely
so passionate and engaged and activist in their outlook further
the Russian cause.
So we have to recognize that this will continue to be a
problem. We cannot simply get rid of that problem. It is
something--for instance, we have documents from the Cold War
time where disinformation active measures operators say they
actually want conflict between the unwitting agent and the
actual adversary, say WikiLeaks and the U.S. Government,
conflict is good. So that's how far you can take. If the goal
is driving wedges, then the unwitting agent is a trump card in
your sleeve.
Senator Collins. Thank you, Mr. Chairman.
Chairman Burr. Senator King.
Senator King. Following up on that, it seems to me that the
unwitting agent is a key part of this entire process,
particularly where you're talking about disinformation. I think
you make the point in your prepared statement that anonymity,
anonymous leaks, there should be more work on where did it come
from. Is that correct?
Dr. Rid. Yes, absolutely. WikiLeaks was purpose-built to
hide the source. That is the goal of the entire platform. Of
course, I think--and I do take Julian Assange seriously when
initially at least, historically, he was just an activist.
Senator King. He was a clearinghouse, but now he's a
selective leaker.
Dr. Rid. That seems to be the case, yes.
Senator King. General Alexander, we've been talking about
this for at least four years. One of the problems--and you
talked about this with Senator Collins--this country has no
strategy or doctrine around cyber attacks; isn't that correct?
And isn't that part of the problem? We need to have a doctrine
and our adversaries need to know what it is.
General Alexander. Absolutely, Senator, and I would add
rules of engagement. We don't have--the consequence is if there
were a massive attack we'd have to go back and get authority to
act, where if it were missiles coming in we already have rules
of engagement. So I think we need to step that up as well.
Senator King. Ironically, part of that is transparency,
because if we have a capability that would act as a deterrent
but our adversaries don't know we have it, it doesn't act as a
deterrent. Is that correct?
General Alexander. That's correct. In fact, if I could,
just to add something, because Thomas brought out another
issue. I think it would be good also for the American people to
release perhaps collectively the number of vulnerabilities our
government has pushed out to industry, that has been identified
by government, because often that's opaque. So what you
wouldn't see is how much of that is actually being pushed to
industry and how that's cleared. But you could get a collective
summary from the departments and agencies that have pushed
those out and see what's being shared. I think that's a good
thing and it's a good way to start that dialogue.
Senator King. That's a positive development, but I still
believe that we need to develop a deterrence 2.0 to deal with
the nature of the threats. And it doesn't have to be cyber for
cyber. It could be sanctions or other. But there needs to be a
certain response, a defined response and a timely response.
Otherwise it's not going to have the deterrent effect.
General Alexander. That's right, and we have to get the
roles and responsibilities of the different agencies. Who's
actually going to conduct that response? I think that has to be
set straight and clear. We discussed that in the other hearing,
but I think that's something that also means that if we had to
react we wouldn't have the right people set up to react.
Senator King. Mr. Mandia, one of the things--and I think
this has been touched upon in the hearing--is the question of
the vulnerability of our State election systems. We know that
the Russians were poking around, if you will, in our State
election systems. I learned recently that more than 30 states
now allow internet voting and 5 have gone completely paperless.
Doesn't this create a significant vulnerability?
Mr. Mandia. It also creates an opportunity to do things
even better. At the end of the day, when we look at--I go right
to Estonia and what they do in their election process. I'm not
totally intimate with it, but they have an identity management
that's far better than our State, for our Nation.
When you have anonymity, it's really, really hard to secure
the internet. Obviously, we're going to always have attacks on
these areas. But what we're seeing is every election year--and
I've responded to breaches every election year since 2004--both
sides get targeted, things happen. We are still going up and to
the right. I'm confident a modern nation--and probably others
could speak better to this--would reserve the tool of tweaking
electoral votes or ballots to the last resort. I've never seen
evidence of that and I think we'll always have a natural risk
profile to show great diligence in how we secure the election
process and go forward.
Senator King. My understanding of the intelligence is that
it doesn't appear that they changed votes or vote tallies in
this election.
Mr. Mandia. No.
Senator King. But they weren't going into those State
election systems just for recreation. There was some purpose. I
think one question, which I think any of you could answer, but
you can answer: 2016 wasn't a one-off. This is a continuing
ongoing and certainly future threat, is it not?
Mr. Mandia. I think so. I think right now when you look at
intelligence, it's been totally redefined by the internet.
People are searching YouTube every day to see what operations
are going on by ISIS. So the intelligence collection that we
have today has never existed in the past. It's just that during
this election we saw Russia break rules of engagement they had
traditionally followed in that they added collections with
computer intrusion, stealing documents and leaking them. But
yes, I think this is a tool everybody's going to use.
Senator King. Dr. Rid, do you want to respond?
Dr. Rid. The great active measures campaign of 2016 will be
studied in intelligence schools for decades to come, not just
in Russia, of course, but in other countries as well.
Senator King. So not only will it be studied; it will be
attempts made to replicate it.
Dr. Rid. That we can only assume, but it will certainly be
studied.
Senator King. Thank you.
Thank you, Mr. Chairman.
Chairman Burr. Senator Lankford.
Senator Lankford. Thank you, Mr. Chairman.
Let me ask you a question, Mr. Mandia. Your company has
gone through an extensive amount of background to be able to
look at the DNC hack and the exfiltration of their data. I want
to repeat again what you have said orally and what is in your
statement. Any other details that you can give us. You felt
that this was Russian intelligence. You have answered that yes.
But much of what you have put in your written statement seems
to be a circumstantial look at it, that you were basically
eliminating other things.
So let me ask you a question. Is this a process of
elimination much like a doctor doing a diagnosis, saying it's
not this, this, this, and it must be this? Or do you think
there's something that zeroes in and says, no, that's really it
and here's the evidence that links it?
Mr. Mandia. I think that the intelligence available to the
private sector is different for attribution than it is in the
government. We can only take it so far. We're not going to fly
people into Moscow and troll the streets trying to find a
building. We have to do it by process of elimination. We have
to do it by just deduction. But at the same timeframe, we hope
the level of exactitude needed will come from the intelligence
communities.
But we've done this with China. China, we just got lucky.
Their operational security broke down so we could get an exact
building and some people. Russia's operational security on the
internet is better than that.
Senator Lankford. So let me ask: There has been
conversation about Guccifer 2 being linked to the Russian
government. Do you have any evidence of that or anything that
would lead you to conclude that is true or lead you to at least
disagree with the intelligence community on that?
Mr. Mandia. I think it would be hard to think of any
other--here's what we do know. I would attribute the Russian
government to the breaches. We cannot connect all the dots from
the breach, at least with the observables available to my
company and our investigators. We can't go from breach and
leaked data to suddenly Guccifer 2.0. We just don't have the
means to do that.
Senator Lankford. But you think they're consistent?
Mr. Mandia. I think it's remarkably consistent. APT28
intrusions are occurring and it's APT28 stolen data that's
being leaked by DCLeaks, Guccifer, Anonymous Poland, and a
bunch of other what we call fake personas or false personas.
Senator Lankford. Great, fair enough. So how confident are
you that there's not any false flag operations that are
involved in this?
Mr. Mandia. We've observed this since 2007. I'm confident
that APT28, the hacking group, is in fact sponsored by the
government, the Russian government.
Senator Lankford. Fair enough. So let me ask you a question
and it's the ongoing dialogue that we have here all the time.
How do you define any difference in what's thrown around
commonly as ``We've had a cyber attack'' or, as has been used
in this conversation, ``They've crossed the line''? We continue
to talk about things like cyber doctrine, giving clear
boundaries. We don't have any of those things. This has been an
ongoing conversation for a while about who would set them, how
they would be set. But at some point we have to have a clearer,
a clear statement of what is crossing the line.
Earlier you made a statement it would depend on the State,
it would depend on the situation and such. Can you give me an
example--obviously, this is an example.
Mr. Mandia. Right.
Senator Lankford. So other than this one, but give me an
example of what it means to have a cyber attack that we can
communicate to the American people, this is not just a nuisance
hacker stealing information, this is an attack from a foreign
government on our sovereignty?
Mr. Mandia. First off, I go back to somebody made a comment
once: It's hard to define pornography, but we know it when we
see it. The reality is it's hard to delineate the cyber attack.
I'll give you an example, though. I received a phone call once
from one of our intrusion responders saying: We think North
Korea hacked Sony Pictures. We went on site, we did the work,
and we were as shocked as everyone that we even attributed it
at, via our means, to most likely North Korea.
Then you start wondering, what levers do we have on North
Korea to change their behaviors? That's why I think, A,
attribution's critical. Got to know who did it. But I think the
response will probably depend on our relations with those
nations and their cooperation.
Senator Lankford. Talking to the difficulty of identifying
who did it, as far as linking places when you get a chance to
bounce and to be able to hide it different ways, is that
becoming more difficult or easier based on the tools that we
have or based on the tools that they have to be able to hide
their location?
Mr. Mandia. In the private sector, it's becoming more
difficult for us to do attribution categorically. We used to
have--we respond to hundreds of intrusions a year. By the end
of 2010, six years of doing this, we only had 40 buckets of
evidence. Every time we responded to a breach to figure out
what happened and what to do about it, the trace evidence of
what happened, cleanly into 40 buckets. Now we're into the
thousands.
The TTPs and the malware's change, the infrastructure's
changing. I would say actors are getting smarter about
remaining anonymous in their attacks.
Senator Lankford. Mr. Rid, quickly I want to be able to ask
you a question because you were alluding to this earlier. A
matter of an attack is not just a matter of going and deleting
files or creating chaos. It could be manipulating an existing
file where you lose trust for it or adding a file that was
never there, and suddenly there's something appearing on your
computer that you never put there, someone else added to you.
So the threats of the attack that is out there, what could
that look like?
Dr. Rid. We have concrete examples. A recent one is a
critic of President Putin in London was hacked and allegedly--
and I think the evidence is quite good--illegal child abuse
imagery was uploaded to his computer as an active measure to
undermine his--to make him into a criminal in the U.K.
Senator Lankford. So they added child pornography onto his
computer?
Dr. Rid. You can just download something, as in the case of
the DNC hack, where they uploaded something.
Senator Lankford. Thank you.
Chairman Burr. Senator Manchin.
Senator Manchin. Thank you, Mr. Chairman.
Thank you all for your testimony today and helping us as
much as you possibly can. We appreciate that. Let me ask this
question. Could Russia have made a difference in the outcome if
they wanted to? Did they get to the level that they could have
gone further, but stopped and we fell into the trap?
Mr. Mandia.
Mr. Mandia. In regards to the computers----
Senator Manchin. Basically, I'm understanding they were
more aggressive than they've ever been and they got more
involved than they ever got. Could they have done more and just
stopped and we fell into the trap?
Mr. Mandia. I don't know if we fell into the trap. I don't
know what you mean by that.
Senator Manchin. The trap is basically what we're doing
right now.
Mr. Mandia. Could be. I can tell you this: I believe we
probably know 90 percent of their cyber capability, maybe even
only 80. They probably reserve their upper echelon for maybe--
--
Senator Manchin. Could they have basically changed the
outcome of the election?
Mr. Mandia. I have no idea. I don't know.
Chairman Burr. You don't know if they're capable of doing
that?
Mr. Mandia. I think--when I think of changing the outcome
of an election, I'm an engineer; I think ones and zeroes kind
of. I would say, could they have altered the votes? I think we
would have seen that. I think we'll see the shot across the bow
on some of the most severe attacks, things where we have lots
of observation. I think we'd catch the shot across the bow.
Senator Manchin. Let me ask this question for anybody who
wants to answer. How intense has their involvement been in
other countries that we know in the past? Is it to the level
they've gotten to with the United States in this past 2016
election? Are they that involved in France, Belgium, Germany?
Dr. Rid.
Dr. Rid. It depends on how far you want to go back in
history. The Stasi, we know that for a fact, affected the
outcome of one vote of no confidence in the Bundestag, which
kept Chancellor Brandt in power. So we have many, many
historical precedents of elections.
Senator Manchin. How about in France going right now?
Dr. Rid. Right now. We currently do not have a single
example in Europe to my knowledge where a hack and a leak were
combined in the way it would happen in the United States.
Senator Manchin. But their involvement in the election has
shown a desire to get people that are more friendly toward the
Russians?
Dr. Rid. Yes. I mean, I'm not saying there's nothing going
on. In fact, there are active measures under way. But they are
of a different kind, it seems at this stage at least, than what
we saw in 2016 here. They're more old-school, more forgeries,
like the Lisa case that Senator Rubio mentioned earlier.
Senator Manchin. From the technology end of it, from the
cyber end of it, do we have the ability to stop? And you're
saying, what can we use? Is there going to be cyber warfare
back to them? Is there something that we can do to a Russia
that would stop this behavior or they would be concerned about
we could intervene or interfere with their system?
Mr. Mandia. I think General Alexander should comment on
that, but I can tell you, at least on defense in the private
sector, probably the best analogy I can give you is a hockey
analogy. It's like going up against Gretzky on a penalty shot
when the Russian government targets your organization. They
have a good chance of putting the puck in the net.
General Alexander. There's a couple of things, Senator,
that I think we need to do. We talked about fix the defense. I
think what we're doing right now with this committee and others
is we have highlighted that we know they did this. They know
that we know, and now the issue is they've been put on notice
and now it's over to our government on the path forward.
We have an opportunity to engage and confront them on
different issues. I think that in and of itself was something
that perhaps they miscalculated. Now what we need to do is fix
the defense and see what other actions we should take to defend
our infrastructure, including the electoral infrastructure.
Senator Manchin. General, when Putin puts his statement out
that he put out today claiming no responsibility, no knowledge
whatsoever, and we know and the whole world should know--we've
made it official. He seems to have a very high rating in
Russia, so I don't think they're going to believe us. Do we
have the ability to show from a technical aspect what was done?
General Alexander. I think one of the benefits of his
actual active campaign is it's had a great impact on his
popularity in Russia. He's taken us on in these areas. I think
saying ``It wasn't us'' is something that he would say ad
infinitum. We saw this across the board, Thomas brought out,
all the way back from Moonlight Maze and before Russian
involvement, and they said it wasn't them. We knew it was.
Senator Manchin. Do any one of you three have what you
would recommend as the greatest retaliation for Russia for this
type of activity? Let's start right down the line if you will,
Dr. Rid. What would you recommend? How would we retaliate,
basically, to make sure that we harm them or hurt them to the
point they will not continue this type of behavior?
Dr. Rid. That's a tough question.
Senator Manchin. Militarily? Electronically?
Dr. Rid. Certainly not militarily as there would be an
escalation that is entirely inappropriate.
Senator Manchin. Economically?
Dr. Rid. In I believe it was the DHS publication at the end
of December, 29th, the then-Obama government pointed out, the
Administration pointed out, RT as a major outlet of Russian
active measures. At this stage RT has a license in the United
States.
General Alexander. I think we should step back, Senator,
and say what is our objective with Russia? This was a single
event. I think we should have--this is where the Administration
from Secretary of State, Secretary of Defense, and others
should get together--and we should give them the opportunity
and time to do this--and say, what's our strategy going to be
with Russia, which includes what you're asking? Because I don't
think we want to do it tit for tat on these things and just
retaliate.
What we really want to do is, how do we get an engagement
with Russia that puts us and the world in a better place? I
think it's part engagement and saying, here's what we want to
do, we know this, and we've got to figure out how to stop, and
here's what's going to happen if we don't, and put those on the
table. But I think that needs to be done more in private than
in public if we're going to have a chance of success.
You know, it's in our interests to address these problems
now, when you look at what's going on in the Middle East,
what's going on in Eastern Europe, and all the other problems
we have. We've got to solve some of these by allowing the
Administration to engage in that area. So I would push it over
to the Administration. They have good people in this area.
Senator Manchin. My time--go ahead.
Mr. Mandia. Yes, sir. A lot of comments here. I've got a
very simple--there's a carrot or a stick. There's either money
or the 82nd Airborne. I'd agree with everything the General
said--not time for that.
I would caution the response if it's just in cyber space,
the asymmetry. If all our tools work against them and all their
tools worked against us in cyber space, Russia wins. So I don't
think--there's too much asymmetry in cyber, based on our
economy relying on it, our communications relying on it, our
free press even. They can do an invasion on the privacy of
everybody in this room. We can't really reciprocate that, hack
Putin's email and post it and get the same results.
So I would just advise cyber-on-cyber just feels like we're
in the glass house throwing rocks at a mud hut. We're not going
to pan out very well there.
Senator Manchin. Thank you.
Chairman Burr. Senator Harris.
Senator Harris. Mr. Mandia, one main reason that we're
doing this public hearing is so that the American public can
actually understand what happened. So if we can just take a
step back, because this is a fairly complex issue, and
particularly when we start talking about bots and all these
other things. Some people wonder, is it just a short form for a
robot?
Let me ask you--Americans, I think many whom I've spoken
with can't help but feel that they have been played if they
made their decision in this election based on fake news. How
can they know that they are receiving fake news? How can they
detect it so that they can ultimately make decisions like who
will be their President based on accurate information?
Mr. Mandia. That goes beyond my expertise as a cyber
security individual. I can just say as a lay person everybody's
got to take everything they hear and vet it against multiple
sources. But I simply don't have the right tools to be an
expert on how do you determine fake from non-fake news.
Senator Harris. Do any of you feel experienced enough to
answer that question?
Dr. Rid. It's a simple answer. If it's in The New York
Times or the Washington Post, it's not fake news. I mean, we
have to believe in the center, so to speak. If we don't, if we
can't trust the mainstream media any more, then we've lost.
General Alexander. Could I add to that?
Senator Harris. Yes, please.
General Alexander. I think part of it is we at times
sensationalize and inflame, not inform. How do we get a more
informed set of reports out to the American people on some of
these issues? That's something I don't have an answer to, but
that's part of the problem. We've got to figure out how to
address that as we go into this next age of having all the
information available at an instant.
We saw the attack on the White House, the theoretical
attack about a year ago. It turned out to be fake news. I think
we've got to take another few steps on that. That's where the
news agencies, social media, and governments have to work
together to help get the facts out there. Just the facts,
ma'am.
Senator Harris. So tell me--I'm going to direct it--I'll
start with Mr. Mandia, but whoever can answer this question if
you feel you have an answer. How can we tell if Fox manipulated
a Google search to elevate the placement of fake news in the
2016 elections, and what partnerships might we take with Google
or any other search engine to avoid that happening in the
future?
Mr. Mandia. I think that's a great question. I think Google
probably has the answer. Here's the reality even that's going
to be difficult for them. There's a lot of ways. What you're
describing is what we used to call astroturfing. It's the way
to manipulate public opinion just based on the number of hits
and influences behind that. It depends on the platform. It's
actually a complex challenge for us to pierce anonymity behind,
is that a bot or a human, because bots keep getting smarter,
replicating us.
General Alexander. I would just add, I think Google has
some great folks in this area, and that may be something that
you get the folks at Google, Facebook, Twitter together along
with some of the other social media and ask them that question:
How can we jointly solve some of these issues? I think it's a
great question and one that they would take on.
Dr. Rid. Social media companies are--the market assesses
social media companies on the basis of active users, the active
user base. Now, if a certain amount of the active users are
simply bots. There's a commercial interest in not revealing the
fact that a tenth, a third of your user base actually is
machines.
Senator Harris. Thank you.
General Alexander, as a former General--I asked this
question of the earlier panel. We invest in our military and
our soldiers as part of our defense system and rightly. But
Russia seems to be investing a great amount in its cyber
security as a tool of warfare. What would you recommend we do
in terms of the United States Government to meet those
challenges in terms of how we're investing in infrastructure to
be able to combat, both on the point of deterrence, but also
resilience; after we do detect, when and if we do detect that
we've been hacked, how we can step back up and pick back up as
quickly as possible; and then obviously what we need to do in
terms of any sort of retaliation?
General Alexander. I think there are several key points
that we have to do. One is we have to fix the relationship
between industry and the government for sharing information so
that they can be protected. We have to set up the rules of
engagement and the rules of what each of the departments are
going to do and they have to understand and agree to those. We
have to rehearse that within the government and between
government and industry.
Senator Harris. I only have a few seconds left, so I'd like
you to direct your response--and I appreciate the points you
made earlier on this, on this point. But we have a budget
coming up. What would you advocate in terms of the budget that
is going to be before us to vote on? It's called a skinny
budget. There's a whole lot of discussion about where the
limited resources and dollars are going to go. On this point,
what would you advise us in terms of how we distribute those
limited resources to meet these challenges, the challenges in
terms of the Russian government and the finding by the FBI,
NSA, and CIA that they hacked our systems?
General Alexander. I think we definitely need to continue
and increase the investment in what we have in our cyber
capabilities, the forces and the infrastructure and the tools
that we create. That's needed. I think we also have to look
at--and one of the members over here brought out--government.
Our IT in government is broke. We need to fix it, and we need
to look at how we secure it. OPM was a great example that they
used. I think that's something this Administration is already
looking at, but we need to help them get there and figure out
the best way to do that.
When you think about it, they don't have the IT resources
or the cyber security professionals to actually defend them.
The solution has got to look at what we do with the commercial
sector and how we add that to government. I think those are the
key things.
Senator Harris. I appreciate that. Thank you.
Chairman Burr. Do any other members seek additional
questions?
Vice Chair.
Vice Chairman Warner. I would just like to ask one quick
one. I think this line of questioning we've heard about how we
can react, very briefly because the Chairman hasn't asked his
questions yet. But I do wonder. We saw the example that
somebody did hack into former Prime Minister Medvedev's files,
which showed lots and lots of luxury properties all over the
world. In many ways that seemed to result in a series of
protests across Russia, where unfortunately protesters were
arrested.
But comment on that? Very briefly, since the Chairman
hasn't had his questions.
Dr. Rid. I'm not sure I understand the question properly.
Are you implying that----
Vice Chairman Warner. I'm inquiring whether the--I agree
with Kevin on the notion of simply tit-for-tat actions in cyber
because we're more technologically dependent. But there are
activities kind of around active measures where Prime Minister,
former President and now Prime Minister, Medvedev in Russia--
maybe I'm mispronouncing the name--suddenly all his extensive
property holdings became public, which caused great
consternation in Russia and a series of protests.
Dr. Rid. We know from publicly available information that
President Putin, Vladimir Putin, believes the Panama Papers
leak, which broke on the 3rd of April in 2016, so right in the
middle of the ramped-up targeting--targeting on their side
ramped up before Panama Papers broke as a story, but we have to
assume they knew about Panama Papers, that it was coming.
Putin seems to believe Panama Papers was an American active
measure against him. I don't think this was the case, but that
puts the entire operation into a slightly different light and
it's important to consider that.
Chairman Burr. Thank you, Vice Chairman.
Listen, we really are grateful to all three of you for
making yourselves available. Keith, you're a guy that the
committee has looked up to, not just because of the stars on
your shoulder, but it's the knowledge in your head and how you
have had a way for years to convey to the committee in a way
that we could understand what the threat was, what our
capabilities needed to be, the actions that we needed to take,
why we needed to take them, and the objective of the effort.
I think what concerns me is that this thing's speeding so
fast now, it's like you pulled the string on the top when we
were kids, and over time the top slowed down, and it looks like
now the top starts spinning faster and faster and faster once
you've pulled the string.
So I want you to understand that we're probably going to
invite you back in an informal setting, probably not a public
setting, where some of the things we got into today we couldn't
dig much deeper. And thank you for showing the constraint of
doing that. For that reason, I'm not going to include you in my
other two questions, because it might put you on the spot.
I'm going to turn first to Dr. Rid. Do we have any idea how
Russia transmitted emails to WikiLeaks? And if that's the
process that everybody assumes happened, then how could
WikiLeaks be, as you referred to, unwitting?
Dr. Rid. That's a good question. Guccifer 2.0, the front
that was created, tweeted that they gave emails to WikiLeaks.
WikiLeaks tweeted that they received something from Guccifer
2.0 before this was attributed to Russia. So that's the only
evidence that we have publicly and I think it's quite strong,
or it's certainly notable.
Is WikiLeaks an unwitting agent? In truth, we can't answer
the question because they haven't spoken on it. But we also
can't just assume that they're not an unwitting agent. But
ultimately it doesn't matter, because they are a very effective
unwitting agent.
Chairman Burr. Kevin, do the forensics that you're able to
have done suggest that WikiLeaks continues to hold additional
emails that have not been released?
Mr. Mandia. I can't answer that. I can tell you from all my
experience what we've seen publicly released is probably under
one percent of what we've attributed to the Russian government
stealing.
Chairman Burr. We're trying as a committee to come up to
speed on not just terminology, but what that terminology means.
So I'd like to give you an opportunity to walk us through how
you identify an actor like APT28?
Mr. Mandia. Yes, and here comes the details. First, for the
first time ever we started getting better software in place
beforehand so we'd see keystroke by keystroke what they're
doing. I think most Senators do not do command line execution,
but there's different commands you can type, there's different
letters that you type in different orders. You start getting to
know the attackers when you get that command-level access to
them.
Then it's the malware they've created, the IP addresses
they use, the infrastructure they use to attack, the people
that they actually target, the encryption algorithms they use,
the pass phrases they use when they encrypt things, and the
list goes on and on.
We tracked at one point--we created a scheme in about 2006
on how do you categorize the intelligence or the evidence, the
forensics, from an intrusion investigation, and we had over 650
categories. I can't go into all of them today, but trust me,
you observe a group for ten years or more; after a while, we
got the bucket right. APT28 to us is a bucket. Every time we
respond to them, there's enough criteria together that APT28 is
our APT28, APT29 is our APT29, APT1 was PLA Unit 61398.
The link is we couldn't take 28 and 29 and say GRU or FSB.
It just isn't available to us in the trace evidence when we
respond to intrusions. But it's time-stamps, compilations.
I'll give you one last example because this is
understandable. When you look at the malware that's been used
in these attacks and their compile times, 98 percent or higher
of it is compiled during business hours in Moscow or St.
Petersburg. That's a pretty good clue. And whoever's doing it
speaks Russian.
Chairman Burr. If you'd rather not answer this or don't
know the answer, punt it and I'll forget it. Had the DNC
decided to provide their system for FBI to do forensics on,
would we have gotten more information?
Mr. Mandia. I don't know. I can tell you--I can't speak
specifically to that one, but over the last five to six years
we respond to a lot of breaches now where the FBI is there, and
they are there. And they're not the ones traditionally doing
forensics. They are relying on a lot of the private sector
forensicators. That's a made-up word. But we're doing our
forensics. We're producing it. And the customers are choosing,
our clients are choosing, to share that with the FBI.
I think the group that responded to the DNC is highly
technical, highly capable. They got it right.
Chairman Burr. It was a diplomatic way of asking, do we
have different capabilities than the private sector. And you
said----
Mr. Mandia. Yes. We've had tremendous help. When we respond
and the FBI is in the room, it's fantastic help. Maybe they're
cleansing intel from another agency or not. But there's been
numerous cases where we're showing up and we know maybe three
things to look for, and the FBI says: here's another 80; go
look for those as well. So we are--and I've been doing this 20
years. It's more likely than not when we respond to intrusion
the FBI is actually there and responding with us.
Chairman Burr. I sort of leave this hearing not having
heard a word that I think we're going to use frequently based
upon what's going on, and that's ``dox.'' My understanding of
the term ``dox'' is it's the 21st century term for ``steal and
leak.'' Am I going to hear ``dox'' a lot in the future?
Mr. Mandia. It's an irritating word to hear, isn't it? But
at the end of the day, yes, you'll probably hear it. That's the
technique that, it looks like a state actor is using it. I can
tell you the first time we saw North Korea delete things in the
United States, that felt like it crossed a red line. Doxing
appears to be the thing that crossed the line with the Russian
activities.
Chairman Burr. Thomas.
Dr. Rid. One sentence on what Kevin just said about the FBI
there. Usually in an investigation of the kind he was
describing, you would make a so-called image of the computer
hard disk, and if the FBI has these images, which I understand
they may have, then you don't actually have to physically be
there. It's as good as being there physically.
But on the doxing observation, yes. Just to make another
observation that may be personal for many of you here in this
room, but the ethics rules in Congress may actually make
members of Congress and in the Senate more vulnerable, because
it forces you to use different devices, sometimes as many as
three devices, I understand, to make different calls and
different communications.
So even if the main work device is actually secured
properly, then it would push you down into a more vulnerable
area. That is a problem that possibly can also be fixed.
Chairman Burr. One last general statement, and I heed the
advice you gave, General, and you backed up, Thomas, and I
think, Kevin, you supported as well. Our response has to be
well thought through, and it's not just what we do in reaction
to, it's what we do as we set the course for some better
defensive mechanism in the future.
But you can't neglect the fact that Russia over a period of
time has done things outside of cyber--invasion of Ukraine,
Moldova, presence in Syria, presence in Egypt. It continues on.
We might look at this today in the rear view mirror and say:
Boy, they miscalculated. The only way they miscalculated is to
have taken our neglect of reaction to what they did as an
opportunity to push a little harder on the accelerator.
Not being critical, but we've done nothing to Russia when
they've made aggressive moves. And now all of a sudden this
happened at home. It happened with elections. When you look at
it from a standpoint of impact, I think the Ukrainian people
would tell me what happened to them is much worse, and if it
happened in the United States we would think that's much worse.
But the fact is that this is going to require a global
response, because the globe is just as exposed as the United
States. It was our election system in 2016. It is the French,
the Germans--I won't get into the long list of them. But we're
within 30 days of what is a primary election in France. It
could be that the Russians have now done enough to make sure
that a candidate that went to Russia recently and a socialist
make the runoff and they end up with a pro-Russian government
in France. They've won. That was their intent, I feel certain.
We're not sure what the effects are going to be in Germany,
but we've actually seen them build up a party in Germany, not
tear down but build up a party, and exploit things that were,
when you look back on them, fake news, not that we created, but
that was created within Germany, that never was news, but they
used it, they exploited it. And look at what it's turned into.
So we may have been the first victim, but we may not have
been victimized as much as others are going to be in the short
term, and we certainly should heed the warning and not be an
additional victim in 2018 or 2020.
Let me move to Senator King real quick.
Senator King. Just a follow-up question to Dr. Rid. Tell me
more about Guccifer 2.0. Is that a flesh-and-blood human being?
Is it an office? Second question: is there any doubt that
Guccifer 2.0 is an agent or somehow working for the Russian
government?
Dr. Rid. Guccifer 2.0 is--we know this from the evidence
that's available, not all of it public, but only private sector
sources and academic sources, I may say. Guccifer 2.0 is
certainly not just one individual, because in private
interactions with journalists we can literally see different
types of humans at play. Some use it consistently at a specific
time, lots of smileys and very informal. Others are more
formal. All communicating through the same channel.
On the links, Guccifer 2.0 to others, APT28, as I mentioned
and as I also lay out in my evidence in the written testimony,
hacked 12 of the targets that were leaked, doxed, on DCLeaks.
Guccifer 2.0 provided a password that was not publicly known,
provided a password to DCLeaks to the smoking gun, the outlet.
So that's a very strong forensic link there. The link I think--
the docs can be connected.
Senator King. But how about my second part of my question?
Is Guccifer 2.0 an agent of the Russian government in some way,
shape, or form?
Dr. Rid. If you mean by ``agent,'' an agency or sort of
organization, it could be a subcontractor, it could be a team
within an intelligence agency.
Senator King. Affiliated or associated with the Russian
government?
Dr. Rid. I am confident that the answer is yes.
Senator King. Thank you.
Thank you, Mr. Chairman.
Chairman Burr. I thank all the members, and I thank our
panel today. You have provided us some incredible insight and
knowledge. We're grateful to you.
This hearing is adjourned.
[Whereupon, at 4:02 p.m., the hearing was adjourned.]
Supplemental Material
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
[all]