[Senate Hearing 115-298]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 115-298
 
 CYBER THREATS FACING AMERICA: AN OVERVIEW OF THE CYBERSECURITY THREAT 
                               LANDSCAPE

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS


                             FIRST SESSION

                               __________

                              MAY 10, 2017

                               __________

        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
                  U.S. GOVERNMENT PUBLISHING OFFICE
                   
 27-390 PDF             WASHINGTON : 2018               
        
        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS       

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming             GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota            MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana                KAMALA D. HARRIS, California

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
                Colleen Berny, Professional Staff Member
               Margaret E. Daum, Minority Staff Director
            Julie Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                    Bonni Dinerstein, Hearing Clerk
                    

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator McCaskill............................................     2
    Senator Lankford.............................................    15
    Senator Daines...............................................    18
Prepared statements:
    Senator Johnson..............................................    31
    Senator McCaskill............................................    32

                               WITNESSES
                        Wednesday, May 10, 2017

Jeffrey E. Greene, Senior Director, Global Government Affairs and 
  Policy, Symantec Corporation...................................     4
Steven R. Chabinsky, Global Chair of Data, Privacy, and Cyber 
  Security, White and Case LLP...................................     6
Brandon Valeriano, Ph.D., Donald Bren Chair of Armed Politics, 
  Marine Corps University, and Adjunct Fellow, Niskanen Center...     8
Kevin Keeney, Captain, Missouri National Guard, and Director, 
  Cyber Incident Response Team, Monsanto Company.................    10

                     Alphabetical List of Witnesses

Chabinsky, Steven R:
    Testimony....................................................     6
    Prepared statement...........................................    42
Greene, Jeffrey E.:
    Testimony....................................................     4
    Prepared statement...........................................    34
Keeney, Kevin:
    Testimony....................................................    10
    Prepared statement...........................................    69
Valeriano, Brandon Ph.D.:
    Testimony....................................................     8
    Prepared statement...........................................    58

                                APPENDIX

Center for Strategic and International Studies report submitted 
  by Senator Johnson.............................................    73
EPIC statement for the Record....................................    97
Kaspersky Lab statement for the Record...........................    99
Responses to post-hearing questions for the Record
    Mr. Greene...................................................   106
    Mr. Chabinsky................................................   115
    Mr. Valeriano................................................   124
    Mr. Keeney...................................................   133


                    CYBER THREATS FACING AMERICA: AN
             OVERVIEW OF THE CYBERSECURITY THREAT LANDSCAPE

                              ----------                              


                        WEDNESDAY, MAY 10, 2017

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:06 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, Lankford, Daines, McCaskill, 
Carper, Tester, Heitkamp, Peters, and Hassan.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning. This hearing will come to 
order. I apologize for my tardiness. I thought the vote was 
actually scheduled for 10.
    I want to welcome the witnesses. I want to thank you for 
your thoughtful testimony. I think this will be an excellent 
hearing based on reading the testimony.
    This Committee has four primary goals: border security, we 
have held, I think, 23 or 24 hearings on it now; cybersecurity, 
the subject of this Committee hearing; protecting our critical 
infrastructure, which has a lot of cybersecurity components to 
that as well, and combating Islamist terror, any type of 
extreme violent behavior, also definitely has a cyber component 
to it as well.
    So, this is going to continue to be a focus. I really do 
appreciate the way we are going to discuss this today. Again, 
based on the testimony, it is going to be a very good 
presentation of a variety of views in terms of what we need to 
do.
    What I am hoping to certainly get out of this is what we 
have gotten out of some earlier hearings. We held a hearing on 
agents on the front line trying to secure our border and 
enforce our immigration laws, and out of that hearing, I think, 
we developed a consensus and a process for trying to give those 
agencies the authority to fix their personnel issues so they 
can actually hire the people and treat them with parity.
    Last week we had a hearing on the Government Accountability 
Office (GAO) duplication, and I think we also developed a 
consensus that we need to take GAO's recommendation to actually 
produce legislation to force the agencies to actually implement 
their recommendations.
    What I am hoping we get out of this hearing, because I 
think this is really the crux of what we need to do in 
government, is we have to figure out how we can employ, engage, 
utilize the absolute best and brightest minds when it comes to 
dealing with this enormously difficult, enormously complex 
issue of how do we protect the Internet, the Internet of Things 
(IOT), our cyber assets from the relentless and incredibly 
destructive attacks that are just ongoing virtually every 
second of the day.
    It was General Keith Alexander, the former National 
Security Agency (NSA) Director, who said that cyber attacks 
represent the greatest transfer of wealth in history. I have a 
report here, I guess by the Center for Strategic and 
International Studies.\1\ They did an estimate. Somewhere 
between $375 and $575 billion per year is what they are 
estimating is the global economic cost of all these cyber 
attacks.
---------------------------------------------------------------------------
    \1\ The report referenced by Senator Johnson appears in the 
Appendix on page 73.
---------------------------------------------------------------------------
    Again, this is an important hearing. It is just going to be 
one in a series as we try and grapple with this. But, again, 
what I am hoping is we all recognize we have to figure out how 
to break through the bureaucratic rules, our pay scales, or how 
do we engage the private sector so we literally do have the 
best and brightest.
    And, by the way, we have some really fabulous patriots who 
are working at way below what they can make in the marketplace 
already working in different agencies here addressing this. We 
just need to make sure we get as many bright minds as possible 
working on such a difficult issue.
    I do ask unanimous consent that my written statement be 
entered in the record.\2\ Without objection, so ordered.
---------------------------------------------------------------------------
    \2\ The prepared statement of Senator Johnson appears in the 
Appendix on page 31.
---------------------------------------------------------------------------
    Chairman Johnson. And, with that, I will turn it over to 
Senator McCaskill.

           OPENING STATEMENT OF SENATOR MCCASKILL\3\

    Senator McCaskill. Thank you, Chairman Johnson.
---------------------------------------------------------------------------
    \3\ The prepared statement of Senator McCaskill appears in the 
Appendix on page 32.
---------------------------------------------------------------------------
    This hearing is an important opportunity for us to focus on 
the threats we face and to begin talking about how to address 
our Nation's cybersecurity needs.
    We have critical vulnerabilities in cybersecurity, and they 
impact our Nation and countries around the globe. The Federal 
Government, States, and the private sector have all experienced 
cyber breaches with devastating outcomes.
    Just last week, a candidate in the French Presidential race 
had electronic messages and documents from his campaign hacked 
and posted online in an attack that looks remarkably similar to 
the attack on the Democratic National Committee (DNC) just 
prior to the party's summer convention, nominating convention, 
and prior to the Presidential elections.
    The perpetrators of these types of attacks are trying to 
undermine our democracy by tarnishing particular candidates. In 
this instance, those attacks were, in fact, carried out by 
Russia to influence voters and portray our electoral system as 
flawed.
    Make no mistake about it: Russia is trying to break the 
backbone of democracies across the world. We need to figure out 
how to protect our governments and our institutions and our 
elections from further cyber attacks, and we need to do it now.
    One of the problems we face as a Nation is we do not have 
all the trained, qualified professionals we need to adequately 
address these threats. Right now, the demand for cyber 
professionals is far greater than the supply, both in 
government and in the private sector.
    We are also missing leadership on cybersecurity. Today 
scores of senior cyber-related positions in agencies throughout 
the government remain unfilled. We are waiting for nominees to 
be announced for two of the top cyber-related jobs at the 
Department of Homeland Security (DHS): Under Secretary at the 
National Protection and Programs Directorate (NPPD) and Deputy 
Under Secretary for Cybersecurity and Communications. There are 
essential cyber-related positions at the Department of Defense 
(DOD), Judiciary, State, and Commerce that are still awaiting 
nominations from the White House as well.
    Right now, we are needlessly fighting with one hand tied 
behind our back. I implore the President to fill these 
positions with qualified nominees as quickly as possible.
    Cybersecurity is an area that demands bipartisan solutions. 
To begin with, we need to ensure our government is properly 
organized to protect the country against cyber threats. Mr. 
Chairman, I am pleased that our staffs have begun discussions 
with our House colleagues on elevating cybersecurity within the 
Department of Homeland Security. Despite the significant role 
the Department plays in the Nation's cybersecurity efforts, 
cyber appears to be a secondary function within DHS. That needs 
to change, which is why I am excited that our bipartisan and 
bicameral staffs are discussing legislation that aims to 
appropriately elevate and operationalize DHS' cyber mission.
    Federal efforts alone cannot guarantee cybersecurity. 
States and the private sector are presenting pioneering 
solutions to confront serious threats. The private sector owns 
and operates the majority of the critical infrastructure in 
this country and serves as our engine of innovation.
    I look forward to hearing the testimony from our witnesses 
from the private sector who spend every day working hard to 
understand the nature of the threat. I take great pride that 
the citizens of Missouri have vital roles in defending our 
country from cyber attacks. Mr. Kevin Keeney is here today, and 
he is an excellent example of a State tapping into existing 
resources to amplify its talent pool and protect its 
infrastructure. He has been integral in developing the Missouri 
National Guard's cyber architecture, which is playing a key 
role in training units throughout the country to safeguard 
their systems. It is probably not a surprise that in his 
civilian life he is the director of cyber incident response at 
a Fortune 200 company. He is well aware of the threats we face 
and has firsthand experience defending against them. The 
citizen warriors in the National Guard are one important step 
toward solving the Nation's growing cyber workforce problems, 
and I am pleased to welcome him.
    Mr. Chairman, I also want to bring your attention to an 
emergency meeting on a troubling development in the 
investigation of an act of cyber warfare by Russia against our 
country that will occur at 10:30. I will certainly remain here 
at the hearing for the testimony, remain to question the 
witnesses, but I wanted to explain to you why many of my 
colleagues will be leaving the hearing in order to attend this 
emergency meeting.
    Chairman Johnson. I understand. I appreciate it.
    It is the tradition of this Committee to swear in 
witnesses, so if you will all rise and raise your right hand. 
Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you God?
    Mr. Greene. I do.
    Mr. Chabinsky. I do.
    Mr. Valeriano. I do.
    Captain Keeney. I do.
    Chairman Johnson. Please be seated.
    Our first witness is Jeffrey Greene. Mr. Greene currently 
serves as senior director of Global Government Affairs and 
Policy at Symantec Corporation. He is a member of the National 
Institute of Standards and Technology's (NIST) Internet 
Security and Privacy Advisory Board (ISPAB), and served as a 
guest researcher on President Obama's Commission on Enhancing 
National Cybersecurity. Mr. Greene.

  TESTIMONY OF JEFFREY E. GREENE,\1\ SENIOR DIRECTOR, GLOBAL 
      GOVERNMENT AFFAIRS AND POLICY, SYMANTEC CORPORATION

    Mr. Greene. Thank you, Chairman. Thank you, Ranking Member 
McCaskill. I appreciate the opportunity to be here today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Greene appears in the Appendix on 
page 34.
---------------------------------------------------------------------------
    Understanding the current threat environment is essential 
if we are going to craft good policy and develop good defenses, 
and I am pleased to see that the Committee is continuing its 
focus on this issue.
    2016 was a year that we saw new levels of cyber attacks. It 
was a year marked by multi-million dollar virtual bank heists, 
explosive growth of ransomware, attacks on the power grid in 
the Ukraine, exposure of over 1.1 billion identities through 
data breach, and massive denial-of-service attacks launched 
from compromised Internet of Things devices. And, of course, 
there was the operation to influence our Presidential election.
    But, perhaps the most striking feature of 2016 is that 
instead of using valuable zero-day and sophisticated malware, 
attackers increasingly attempted to hide in plain sight. We 
call this ``living off the land,'' illicitly using legitimate 
network administration tools and software features.
    In 2016, the world of cyber espionage shifted dramatically 
toward overt activity. In addition to the attacks in the 
Ukraine and our election, we saw an attack on the World Anti-
Doping Agency and destructive, widespread attacks on computers 
in Saudi Arabia.
    Interestingly, this shift coincided with a decline in 
economic espionage. After the 2015 agreement between the United 
States and China not to conduct economic espionage, detections 
of malware linked to suspected Chinese groups dropped 
considerably. Notably, though, we did see some of these groups 
appear to shift their focus to what were more political 
targets.
    In the financial realm, at least two outfits targeted the 
Society for Worldwide Interbank Financial Telecommunications 
(SWIFT) network. In one instance, North Korea-based attack 
groups stole $81 million from Bangladesh's central bank after 
stealing their SWIFT credentials. And, they would have made off 
with more but for a typographical error. It is important to 
note that SWIFT itself was not compromised. It was the theft of 
credentials that allowed this theft.
    Business email compromise (BEC) scams also skyrocketed. 
These are also known as ``Chief Executive Officer (CEO) fraud'' 
or ``whaling,'' and these scams are a low-tech form of fraud 
where criminals will send spoofed emails to an organization's 
financial staff, directing them to make large wire transfers or 
other fund transfers.
    During the first half of 2016, we saw more than 400 
businesses targeted every day in these types of scams, and just 
last week, the Federal Bureau of Investigation (FBI) put out an 
alert that said that over $5 billion has been lost to this type 
of scam over the past 4 years.
    Ransomware also continued its explosive growth. In 2016, we 
saw three times as many new malware families as we had in the 
previous 2 years. And, the average ransom tripled from $294 to 
$1,077.
    2016 also saw the first major incident originating from IOT 
devices. The Mirai botnet was made up of compromised routers, 
digital video recorders, and security cameras, and it was used 
to carry out the largest denial-of-service attacks we have ever 
seen. In October, it took down some of the world's most popular 
websites and applications. Weak security, particularly in the 
form of hard-coded and default passwords, made these devices 
easy pickings for attackers.
    There was some good news, though. In December of last year, 
three Romanian nationals who ran the Bayrob gang were arrested 
and extradited to the United States and are currently awaiting 
trial. This was the culmination of an 8-year investigation, and 
we are proud to have assisted throughout that.
    Security starts with basic measures such as strong 
passwords and up-to-date patch management. But, while these 
steps may stop some older, simpler exploits, they will be 
little more than a speed bump for even a moderately 
sophisticated attack and will do little to slow a determined, 
targeted attacker.
    Effective protection requires a modern security suite that 
is being fully utilized. This includes multifactor 
authentication, advanced exploit detection and prevention 
technologies, encryption, and data loss prevention tools. IOT 
presents its own challenges, and while the tools to secure 
these devices are available, too often manufacturers are not 
building them in. The Chairman mentioned earlier that attacks 
are happening every second. By our statistics, we are seeing 
our IOT honeypots attacked on average every 2 minutes, and 
based on what I have seen from some of our competitors and 
friends in the security community, that may actually be longer 
than the average.
    For these types of devices, we developed Norton Core, which 
is a home router specifically designed to secure these devices 
from attacks.
    Good security is not going to happen by accident. It 
requires planning and continued attention. But, criminals are 
always evolving. The shifting tactics demonstrate the 
resourcefulness of the criminals, but they also show that 
improved defenses and a concerted effort to address 
vulnerabilities can make a difference. The attacks are evolving 
and developing new ways to go after us, but that evolution does 
come at a financial cost to the attacker. So, we need to keep 
in mind that we need to go after the business model of the 
attackers, not just the technological.
    Thank you again for the opportunity to testify, and I am 
happy to answer any questions.
    Chairman Johnson. Thank you, Mr. Greene.
    Our next witness is Steven Chabinsky. Mr. Chabinsky 
currently serves as Global Chair of Data, Privacy, and Cyber 
Security at White & Case LLP. He formerly served as Deputy 
Assistant Director of the FBI's Cyber Division and as a senior 
cyber adviser to the Director of National Intelligence. He was 
also a member of President Obama's Commission on Enhancing 
National Cybersecurity. Mr. Chabinsky.

  TESTIMONY OF STEVEN R. CHABINSKY,\1\ GLOBAL CHAIR OF DATA, 
         PRIVACY, AND CYBER SECURITY, WHITE & CASE LLP

    Mr. Chabinsky. Good morning, Chairman Johnson, Ranking 
Member McCaskill, and distinguished Members of the Committee. 
My name is Steven Chabinsky, and it is my privilege to appear 
before you today to discuss cyber threats facing America.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Chabinsky appears in the Appendix 
on page 42.
---------------------------------------------------------------------------
    Let me begin by stating what by now seems clear. The cyber 
threat is real and growing, as is the risk to our national 
security, our finances, our energy sector, our automobiles, our 
biomedical implants, and our health records. These and more all 
appear to be at growing risk. In short, the problem is getting 
worse, and we are losing. I believe we are following a failed 
strategy that can and must be changed. But, before I describe 
what it would take to solve this problem, let me describe what 
we are up against.
    First, when it comes to organized cyber crime, some groups 
exhibit a level of skill and logistics that appear to be taken 
straight from a Hollywood script. Consider the international 
crime group from a few years ago that hacked into a credit card 
processor's network. They found the databases containing 
prepaid debit cards, changed security protocols, increased 
account balances, eliminated account withdrawal limits, and 
distributed card numbers to members in 24 countries throughout 
the world. Within 10 hours, they conducted 36,000 automated 
teller machine (ATM) transactions and stole $40 million.
    Second, Internet attacks are becoming more destructive. In 
addition to ransomware, one of the more troubling episodes we 
witnessed recently was the rise of botnets formed out of 
compromised IOT devices. Just last October, we witnessed a 
distributed denial-of-service attack against a single company 
that had the domino effect of taking dozens of popular websites 
offline, all based on hacked IOT devices. A friend of mine told 
me her grandfather apologizes if he helped bring down the 
Internet.
    Third, we continue to expect the private sector to defend 
itself against foreign military and intelligence services that 
want to steal their intellectual property (IP). Just 2 weeks 
ago, the Department of Homeland Security warned of an emerging, 
sophisticated campaign, almost certainly foreign State-
sponsored, that is targeting a wide range of sectors, including 
information technology (IT), energy, health care, 
communications, and manufacturing.
    Last, our military dominance is at risk. Countries that 
could not overpower us with traditional weapons now can reach 
us through the Internet. During times of conflict or simply as 
a matter of sabotage, enemies can target our critical 
infrastructure, which is comprised in no small part of 
antiquated, hard-to-defend control systems.
    All of this leads us to observe that things are bad and 
getting worse. Still, our downward spiral is not inevitable. We 
can improve our security considerably. But, there is a catch. 
Doing so will require that we reconsider and change the 
fundamental nature of our efforts.
    Most important, we have to stop thinking that cybersecurity 
is a problem that users can fix. We are not going to get 
ourselves out of this mess by having every consumer, every 
business owner, and every operator of critical infrastructure 
practice good cyber hygiene, or even by having them adopt the 
NIST Cybersecurity Framework.
    Instead, the burden for cybersecurity must be moved as far 
away as possible from the end user. That will require a 180-
degree shift from what we are doing now.
    We must adopt higher-level international solutions that 
include greater threat deterrence, the design of more secure 
products and protocols, and a safer Internet ecosystem. Put 
differently, we must resolve cybersecurity problems primarily 
at their source rather than at their destination.
    By way of analogy, when faced with the Flint, Michigan, 
water crisis, a Federal State of emergency was declared, and 
solutions are being put in place to repair and upgrade the 
city's water system and to replace the pipes. Nobody could 
imagine opting instead for establishing NIST guidelines that 
would require every home and every business operating in Flint 
to purchase their own state-of-the-art water filtration system 
and to hire the experts needed to continuously monitor and 
upgrade those systems.
    Financially incentivizing the companies that can add 
security higher up in the Internet stack should be considered a 
budget priority with perhaps as much as 10 percent of our 
roughly $600 billion defense budget being set aside for the 
advancement of higher-level cybersecurity solutions.
    We should explore other financial models as well. Is it not 
odd that we have a Connect America Fund that brings broadband 
to rural markets, but we do not have a Protect America Fund to 
bring cybersecurity to the entire Nation?
    I have elaborated upon each of these ideas, as well as a 
number of others, in my written testimony. I would like to 
thank you again for this opportunity, and I look forward to 
answering any questions you may have.
    Chairman Johnson. Thank you, Mr. Chabinsky.
    Our next witness is Dr. Brandon Valeriano. Dr. Valeriano is 
the Donald Bren Chair of Armed Politics at the Marine Corps 
University and an adjunct fellow at the Niskanen Center. Dr. 
Valeriano has published numerous books and journals on 
cybersecurity. He also serves as the area editor for 
international relations and strategy for the Journal of 
Cybersecurity. Dr. Valeriano.

TESTIMONY OF BRANDON VALERIANO, PH.D.,\1\ DONALD BREN CHAIR OF 
 ARMED POLITICS, MARINE CORPS UNIVERSITY, AND ADJUNCT FELLOW, 
                        NISKANEN CENTER

    Mr. Valeriano. Yes, thank you to the Chairman and the 
Members of the Committee for allowing me to offer this 
testimony today. I offer an empirical perspective of the macro 
dynamics of the cybersecurity field. The cyber challenge is 
neither new nor is it revolutionary. Instead, it is a 
continuation of international rivalries and grievances, but now 
also fought in cyberspace at a low level of intensity.
---------------------------------------------------------------------------
    \1\ The prepared statement of Dr. Valeriano appears in the Appendix 
on page 58.
---------------------------------------------------------------------------
    But, understanding active cyber operations in their proper 
context, which is as methods of coercion, we can seek to 
understand how the international cyber threat landscape works, 
what challenges will continue to proliferate, and how to fight 
back by establishing resiliency in cyberspace. Yet only by 
understanding the macro picture of the cybersecurity landscape 
can we articulate policy goals to move forward to meet the 
challenge. While dangerous, the cyber threat landscape exhibits 
genuine stability, aided by complexity and restraint which 
leads to careful action in cyberspace. This relative stability 
and restraint, however, is often in danger of being upset 
without maintenance and attention.
    The universe of cyber threats is pretty clear. Of course, 
there are States; then there are non-state actors and proxies; 
and then there are cyber criminals. Each of these actors has 
distinct motivations, abilities, and limitations. It makes 
little analytical sense to lump them together as one unified 
cyber threat actor.
    For States, the cyber strategies are a new way of 
communicating threats and undertaking aggressive operations. 
Yet there are no new digital avenues of conflict. We have yet 
to witness a cyber conflict where the genesis all occurred 
solely in cyberspace.
    Cyber methods are typically used as methods of coercion. 
States use cyber tools to create leverage against the 
opposition and change strategic calculations, therefore 
influencing behavior.
    Within coercion, there are three types of cyber operations:
    There are cyber disruption operations, which are short-term 
harassment operations meant to influence the opposition, but at 
the same time expend minimal effort and require few resources 
beyond coordination.
    Espionage operations are long-term activities meant to 
manipulate information. The goal is to either take, steal, or 
alter information the target has in order to alter the 
bargaining situation between two parties.
    Last, we have degrade operations which seek to damage the 
opposition's ability to maintain control of operations, destroy 
opposition targets, and sabotage procedures. Degrade operations 
seek to punch at the heart of the target and escalate costs in 
order to provoke a change in behavior. But, they are also the 
costliest, most time-intensive, and riskiest operations we have 
seen.
    In terms of cyber threat actors, of course, the most 
prominent is Russia. Yet Russia has demonstrated no great 
sophistication in cyber operations. As opposed to the media 
coverage, it is often shocking how low tech their techniques 
are. However, their evident willingness to conduct political 
espionage and utilize information warfare tactics is a 
troubling aspect of Russian behavior.
    In many ways, it seems that Russia is trying to remain 
relevant on the international scene by sending cheap signals 
when they have few capabilities to challenge the dominant 
powers conventionally.
    It must be remembered that the Russian influence operations 
have been attempted in Ukraine in 2014, the United States in 
2016, and France in 2017, with no discernible effect on actual 
election outcomes. Each time they have failed and provoked a 
reaction that both hardens the target and alerts the next 
target of the likely incoming attacks.
    China, on the other hand, focuses mainly on cyber 
espionage. China has entered into a cycle of probe, 
penetration, and retrenchment with the United States. Every few 
years the United States launches a successful counterespionage 
operation that either halts China or forces them to reset their 
efforts. Yet China does maintain the ability to contest 
international decisions and actions that they feel go against 
their interests. They have launched cyber actions directed 
against missiles in South Korea and other actors in the South 
China Sea.
    Finally, we have Iran. Iran is thought to be a serious and 
sophisticated cyber actor, but evidence suggests the opposite 
of this conclusion. Past attacks did not meet objectives. They 
have failed to ever target the United States directly except 
for financial institutions. And, their attacks are built on 
past malware. The main danger from Iran though is the high 
probability that it will use proxy actors to attack Western 
targets.
    Now, thinking about moving forward and restoring 
resilience. That digital violence is rare between States might 
suggest that we have gotten this era of cyber conflict wrong.
    Moving forward, we need a holistic view of the cyber 
challenge. It cannot be studied purely as a technical domain, 
but also we need to include international conflict, the 
motivations of criminals, which would be sociology, the 
psychological impact of threats, the ethics of cyber action, 
legality, the dynamics of coercion in security frameworks, and 
also now the biological implications of digital connectivity.
    The manipulation of information is the most dangerous 
aspect of cyber conflict, and it introduces a new style of 
political warfare. But, we should not be shocked or 
unprepared to meet this challenge.
    The problem is active measures to defend the Nation and go 
on aggressive attacks are often ineffective and 
counterproductive. There is very little utility in using cyber 
operations to compel the opposition to behave as expected or 
desired because these strategies fail more often than not.
    Yet we also must strive not to normalize malicious cyber 
actions. Being hacked is not the price of running a government 
in the modern international system. It is a perverse outcome of 
building a structure and system that has little concern for 
security.
    Now, I know I am running out of time, so let me conclude. 
In short, the geopolitics matter. Intention and willingness 
matter in addition to capabilities. What we observe in 
cyberspace should not be shocking or confusing because cyber 
conflict is generally an extension of typical international 
interests.
    Thank you.
    Chairman Johnson. Thank you, Doctor.
    Our final witness is Captain Kevin Keeney. He serves as 
Captain in the Missouri National Guard--thank you for your 
service--where he leads--is it just ``M-O-CYBER?''
    Captain Keeney. MOCYBER, Sir.
    Senator McCaskill. We call it ``ROCK.'' [Laughter.]
    Chairman Johnson. An umbrella entity for multiple cyber 
teams. He is also director of the Cyber Incident Response Team 
(CIRT) at Monsanto, a sustainable agricultural company. Captain 
Keeney.

TESTIMONY OF KEVIN KEENEY,\1\ CAPTAIN, MISSOURI NATIONAL GUARD, 
 AND DIRECTOR, CYBER INCIDENT RESPONSE TEAM, MONSANTO COMPANY 
             (TESTIFYING IN HIS PERSONAL CAPACITY)

    Captain Keeney. Chairman Johnson, Ranking Member McCaskill, 
and distinguished Members of the Committee, thank you for 
inviting me here today. To respect everyone's time, I will keep 
my opening comments brief. My hope is to leave as much time as 
possible to answer the Committee's questions in a meaningful 
way.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Keeney appears in the Appendix on 
page 69.
---------------------------------------------------------------------------
    The cyber threat landscape is not defined by segmented 
military, government, and commercial networks. It is all one 
Internet. As Americans, we are extremely connected and impacted 
by the Internet and its security every day of our lives. 
Whether you know it or not, I would like to share two examples 
that the Committee may or may not be aware of that I hope to 
demonstrate how our current approach to deal with the cyber 
threat landscape is not broad enough.
    U.S. Transcom provides logistics and projects the U.S. 
military's power around the world to conduct full-spectrum 
military operations, to include things like humanitarian 
relief. These fine men and women must leverage private 
companies to achieve the mission and, thus, must leave the 
protective enclaves of the military network to do so. This 
leaves the military reliant on others for its security.
    Is it right for these companies to need to defend 
themselves against nation-state actors and larger entities that 
have much broader capabilities themselves because they are 
providing a service to the U.S. Government? This needs to 
change. The U.S. Government has a role here as well.
    Homeland Security might be the answer, but they lack the 
authorities or capabilities to address a nation-state that 
might try to conduct espionage on the movement of military 
personnel and supplies. The active military might be the 
answer, but they lack authorities on their standing how to 
fully interact with commercial companies providing logistics to 
the U.S. military that they are reliant upon to conduct 
military missions around the world.
    My second example is in corporate America. They create 
amazing intellectual property that solves the problems and 
fulfills the needs and wants of the global market. In doing so, 
they operate on the Internet and are exposed to predatory 
nation-states who wish to steal this intellectual property and 
profit from it without having to make the large investments in 
research that are needed to create it.
    Senator Johnson, you kind of stole one of my lines here 
because as General Alexander said in 2012, it is the greatest 
transfer of wealth in history; the U.S. Government has a role 
here, too.
    The point I am trying to make here to the Committee is that 
we need a whole-of-nation response to properly deal with this 
threat landscape that we have been living with for quite some 
time, much to the delight of our adversaries.
    While trying to be brief, which is not easy in these 
complex topics, I hope these examples serve to demonstrate the 
seams that exist in our current approach. We have organized 
ourselves in a way that provides opportunities to criminals, 
hacktivists, nation-states, and generally malicious actors.
    In closing, cyber threats facing America are many and 
cannot effectively be dealt with Committee by Committee. It is 
my hope that the Senate will work to address the cybersecurity 
threat landscape as a whole body, combining for the defense of 
the military, government, and commercial networks, like the 
Internet works, not how we have organized ourselves.
    Thank you for the time today, and I look forward to your 
questions.
    Chairman Johnson. Thank you, Captain Keeney.
    We are going to turn it over to Senator McCaskill for her 
questioning first.
    Senator McCaskill. Thank you so much, Mr. Chairman. I 
appreciate your consideration.
    Let us start, Captain, with telling the Committee about the 
cyber kits that you have made, and I think that the part that 
the Chairman and Senator Lankford will be most interested in is 
that you have done this with zero--count it, zero--additional 
public money, zero additional Federal dollars. It is very 
impressive. And, would you explain what these kits are and how 
you are sharing this across the country with other units?
    Captain Keeney. Absolutely. I would be glad to. It is an 
honor to serve with the men and women that have created this 
capability on their own time.
    I will tell you it was born out of an exercise in which I 
first met General Alexander, actually, in 2012. Cyber Guard was 
the exercise, and we were National Guardsmen responding to 
critical infrastructure key resources, and we brought our 
little cyber kit in there, and we jumped in the mud with the 
adversary. And guess what? We got bruised up, because getting 
in the network which the adversary has already compromised 
creates some real problems.
    So, we went home, put our thinking caps on, like Guardsmen 
do, and we tried to figure out a way that we could interact 
with the adversary in a safe manner or passively, yet identify 
their attacks. That was born out of an open-source project 
known as ``ROCK,'' for network security monitoring (NSM). This 
project has taken off like a rocketship. It is now by my 
estimation, through talking with various team members, used by 
40 different government entities--military, Federal agencies, 
research entities--and it is also being used in the commercial 
market.
    I think it is pretty successful. As a matter of fact, I am 
collaborating with some folks from the Wisconsin Guard that I 
met last week at Cyber Shield for them to start leveraging the 
capability in their National Guard.
    I hope I have answered your question.
    Senator McCaskill. Well, you have, and I think it is really 
important that, I think this is one example of where the 
National Guard does not get all of the love it deserves because 
you have a very big and important job in an environment at a 
company that is constantly under attack by not just hacktivists 
but also nation-states. And, we know that if we just look at 
the F-35 and what China is fielding right now, those 
similarities are not accidental. They are, in fact, a product 
of cyber warfare. So, I am really proud of what you all have 
done.
    I think your recommendation is very interesting, and I 
would like to spend the rest of our time today talking about 
your recommendation. What you are saying is we should have a 
new uniform service that is U.S. Cyber that brings everything 
under one roof. Why don't you talk about that a moment and 
talk about why you think it is important to separate U.S. Cyber 
from the rest of the military and the rest of the civilian 
workforce.
    Captain Keeney. OK. Pretty complex topic. Obviously, 
creation of an entire new uniform service is nothing that we 
are going to solve here today in this room exactly, but I would 
like to share some thoughts on the problems I have seen.
    I do not mean to speak disparagingly, but there is a little 
bit of rice bowl fighting amongst the services for cyber----
    Senator McCaskill. Horrible turf wars everywhere, 
especially on cyber.
    Captain Keeney. Absolutely, because it is the cool new 
thing and everybody wants a piece of the action.
    Senator McCaskill. Right.
    Captain Keeney. In particular, I see pretty hard lines 
drawn between the active duty and the National Guard and 
Reserve component. I find that very interesting because many of 
the folks on the active duty that I have the opportunity to 
train, they are wonderful. But, they are also a lot younger and 
a lot less experienced than the folks that I have worked with 
in the National Guard due to their experience in industry for 
10, 15, or 20 years, and they are still wearing the uniform. 
The things they bring to that cyber fight are rather unique. 
But, I digress. I am bragging on my boys in the National Guard, 
obviously.
    But, U.S. Cyber I think would enable us to consolidate 
training, the training that is being repeated across the 
different services. How about studying how to fight this threat 
and adversary through university programs that are not looking 
at it through the lens of the Navy, the Army, or the Air Force, 
but holistically, how do we fight this as a Nation?
    And, I think there are opportunities. If we made a force 
that was made of active component and Reserve component and 
leveraged the titles available to each of those components, 
what I mean by that is, for example, Title 32 and Title 18 
authorities that people in uniform, in the National Guard, can 
partner with law enforcement and with the Governors of their 
States and interact with that critical infrastructure or just 
businesses in corporate life.
    We are not structured that way today. We look at that as 
that is a Homeland Security issue, but I would question how 
much that is actually happening in corporate America and what 
does that collaboration look like between companies and 
Homeland Security, even though that is their role, as I 
understand it.
    Senator McCaskill. Do you interact with Homeland Security 
in your role at Monsanto?
    Captain Keeney. I do not. Now, we do interact with the FBI 
when we have an investigation.
    Senator McCaskill. Right.
    But, there is not an ongoing communication or integration 
in terms of critical infrastructure?
    Captain Keeney. We do subscribe to some of the government's 
threat feeds through Homeland Security, but, honestly, I think 
that the corporate solutions have far surpassed that with 
companies like Symantec, CrowdStrike, many others. This sharing 
that we are all talking about, they have an entire ecosystem 
and a business model built around it that is lightning fast, 
that shares information across all sectors.
    Senator McCaskill. So, you are envisioning 50 percent 
active, 50 percent Reserve, and what about qualifications? I 
mean, one of the things I learned when I visited your unit--by 
the way, if you go visit their unit, you do not get a coin. You 
get a rock, which I thought was very cool. What I learned was 
that there was somebody who was very talented in the unit that 
almost was not allowed to continue because of a pull-up 
requirement.
    Captain Keeney. Yes, he had to meet physical fitness 
requirements of the Army, yet this soldier in my unit is a 
multi-millionaire, owns multiple businesses, is extremely 
successful, and as I joke around with him, he can bend time 
and space on a keyboard. And, he is an E5 sergeant, makes--by 
the way, he travels from another State and probably at the cost 
to himself. Like many of the members of my unit travel from all 
over the country to come to Missouri and work on ROCK and 
innovative projects like that. To think that we would kick him 
out of the military and not have him as--when we are all 
talking about the critical shortage of resources and human 
capital, it just does not make sense. We need to change how we 
are approaching the skills gap and how we are recruiting and 
retaining talent. And, I do not know if we can do that inside 
the existing military construct.
    Senator McCaskill. The mental stamina is important, but 
there is no reason--as you said in your written testimony for 
this Committee, there is no reason a double amputee could not 
perform at the highest standard in a unit that was, in fact, 
dedicated to U.S. Cyber.
    Captain Keeney. Absolutely. And, what purpose it would give 
that individual to continue to their country in that way.
    Senator McCaskill. One of the problems we have with this 
area is that we are trying to approach this like we have 
approached every other problem. We had a cyber hearing in Armed 
Services yesterday, and my staff did a chart of the Cyber 
Command within the military, and then did a chart with NPPD at 
Homeland, and I got to tell you, it is worse than spaghetti. It 
is so confusing and so disparate, and there is no wonder that 
we are having all these turf wars.
    So, I think, even though this is a bold idea--and a lot of 
people around here would just go, ``Well, we cannot do that,'' 
and there is probably going to be significant pushback from the 
military--I think this is a really good idea, and I think it is 
time we think outside the box. And, I appreciate you bringing 
it to us today.
    Captain Keeney. I think the U.S. Army pushed back pretty 
hard. They did not want to lose a thing called the U.S. Army 
Air Corps, and the creation of the U.S. Air Force, thanks to 
Billy Mitchell, it worked out pretty nicely for us.
    Senator McCaskill. It sure did, so that is a great example 
that we need to think boldly and be aggressive here. I do think 
in the long run it is going to save us resources, too, and up 
our capability, especially in terms of interaction with the 
private sector. So, I really thank you, Captain, for being here 
today.
    Captain Keeney. Thank you, ma'am.
    Chairman Johnson. Thank you, Senator McCaskill.
    We will turn it over to Senator Lankford, but I just want 
to quick follow up because the question I have in terms of what 
you do, what threats are you addressing in your exercises? Is 
it strictly threats against the military? Is it against the 
homeland? What are you exercising?
    Captain Keeney. So, I would say it depends on which 
exercise you go to, the focus of that exercise. Cyber Shield is 
the exercise the National Guard Bureau hosted last week in 
Utah. It was definitely focused and had a leaning toward 
protecting critical infrastructure and key resources inside a 
State and leveraging Title 32 ability for a Governor to say, 
hey, in a State of emergency, go help these guys, they have not 
delivered water in a week, or something, and they need help.
    Senator McCaskill. Or there is no light.
    Captain Keeney. Right, or there is no lights or whatever. 
So, those scenarios are being built for sure, but there is not 
a whole lot of personnel, manning, training, funding, all of 
that, because--and the buildup of the cyber mission force that 
General Alexander kind of kicked off--I think it is 5,000 to 
6,000 personnel--it does not include those elements at all.
    Chairman Johnson. But, again, your exercise is primarily 
about critical infrastructure in your States as opposed to 
exercises in terms of military assets.
    Captain Keeney. Absolutely, which is a great step in the 
right direction.
    Chairman Johnson. Again, that is really what we are 
concerned about here in the Committee.
    Captain Keeney. Sure.
    Chairman Johnson. I will turn it over to Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Mr. Chairman.
    Mr. Greene, let me ask you about the threats and the 
quantity of threats worldwide at this point. Give me a best 
guess here, cyber criminals versus State actors versus folks 
that are just hacktivists that are trying to just cause mayhem 
in a certain area. Give me a percentage of the threat.
    Mr. Greene. Well, it depends upon the sector being 
attacked. I do not mean to lawyer the answer. One of the other 
issues you run into is there are not clear lines. A lot of 
times you will have a nation-state either acting as a so-called 
hacktivist or using hacktivists without knowledge. I would say 
that on the financial fraud, until this year, it was 99 percent 
criminals. This year was the first year we saw a major nation-
state engage in major bank fraud, the North Korea attacks on 
Bangladesh and elsewhere. So, the pure dollars is probably 
still low. As I said, the FBI put the BEC scam at $5 billion 
over 4 years. The Lazarus Group took, I believe, $81 million 
from Bangladesh.
    In cyber espionage, I am purely guessing. A guesstimate, I 
would say you are looking at the majority of it, if not more, 
being nation-state, or certainly appearing to come from nation-
state regions. The issue there you have sometimes, though, is 
something could look like a nation-state, but you do not know 
whether someone is doing it as part of their day job or is 
taking the skills they learned in their day job and are using 
it at night and selling it on the black market.
    Is there a third component I missed?
    Senator Lankford. No. That is fine. That gives me a good 
balance there. How many of those are outside of the United 
States when we deal with cyber criminals? Obviously, all 
nation-states are outside the United States. But, the actual 
individual on the keyboard is outside the United States?
    Mr. Greene. The percentage of--the large criminal groups 
are typically based outside of the United States. Their 
infrastructure, though, is global, so you will see a lot of 
attacks. The actual launch point will come from inside the 
United States. I believe that still the majority of the launch 
points come from an actual computer in the United States. But, 
the major gangs that we see, Bayrob that I mentioned, which was 
taken down in Romania, there was an Estonian group a few years 
ago, you see a lot--the overall majority of that activity is 
not U.S.-based in terms of the top leadership at this point.
    Senator Lankford. OK. So, let me broaden this out to a 
broader conversation as well. We have talked for years about 
having a cyber doctrine, a clear set of lines and boundaries 
where the United States would be able to announce worldwide 
here are the boundaries for what we would accept or what we 
would not accept, and here are the responses that we would 
have. That has been discussed but has not been implemented.
    So, my question of any of you is: What are the major 
features of that cyber doctrine that we need to make sure that 
they are there from your perspective so we can actually work 
toward getting this implemented? And, as we deal with nation-
states and we deal with international actors, what are the 
pressure points to be able to apply to people, to be able to 
make sure there is actual enforcement? Anybody can jump in.
    Mr. Chabinsky. I will take a shot at this, Senator 
Lankford. In my time with the intelligence community (IC), I 
found that the aspect that was lacking most was what I would 
refer to as ``options analysis,'' meaning that the intelligence 
community did then and does now quite well a review of the 
threat itself and, in fact, even within incidents, the ever-
increasing ability to find attribution. And, then, we would 
write it all up as an incident report and hand it to the 
President of the United States, essentially saying this is what 
happened. And, what was clearly missing was, well, what can we 
do about it? What are the options?
    No one in the private sector ever would provide their boss 
with a copy of a problem without some reasonable basis of what 
the options are, but the intelligence community to this day is 
not set up with a group of career intelligence analysts across 
what I would call the Diplomatic, Information, Military, 
Economic, and Law Enforcement (DIME/LE) options--all elements 
of national power as can be provided by the government or the 
private sector or the government and the private sector working 
in concert.
    So, we do not know what works, and we do not know how that 
applies to specific criminal groups or specific nation-states. 
As a result, to answer the question becomes hard because we 
have not created the intelligence that would allow us to 
understand what our options are.
    Senator Lankford. Great, but when I move back to this 
intelligence, it really provides us information for 
policymakers to be able to make the decisions. I think my 
question for you is: Who is helping develop that list of 
options that you are articulating to say this is the boundary? 
It is one thing to be able to know where it is coming from. It 
is another thing to be able to know what is a reasonable, 
effective deterrent.
    Mr. Chabinsky. So, clearly, when it comes to critical 
infrastructure, there has been a large series of normative 
discussions internationally about taking down destructive 
attacks on the energy grid, on the financial services grid, as 
these types of boundaries, but less understood on what the 
boundaries are or what we would do about it. And, I am not 
aware of groups that are exploring those types of options.
    Senator Lankford. OK.
    Mr. Valeriano. I think this is the next step. We need to 
have a comprehensive list of all cyber incidents, and that 
could be something the DHS or another organization could start. 
There has been talk, but we have not actually done that, and 
that is the problem. We do not have a basis of evidence. We do 
a lot of speculation, and we cannot make policy based on 
speculation.
    There is only one real line that we need to institute, and 
that line is violence; that line is destruction. Anything more 
than that will limit our own ability to respond and act. So, 
that is a problem with setting up lines in cyberspace. The 
clear thing is to stop any attack on critical infrastructure--
anything that can cause death and destruction, if we have not 
seen it yet, and hopefully we never will see.
    Mr. Greene. If I could answer, I think one important point, 
there has been a lot of literature written about could we have 
cyber norms, and the argument against it frequently is, well, 
we will not have compliance, how will we know? I think we need 
to have the conversation going in, understanding that there 
will not be perfect compliance. It is impossible. President 
Reagan said, ``Trust, but verify,'' in a different context. We 
need to understand that we need to do it as best we can. An 80-
percent solution would be better than where we are today. So, I 
think one of the things that has stopped a lot of the 
conversations is this debate over can we come up with perfect 
norms, and the answer is no. But, that does not mean we do not 
try.
    Senator Lankford. Right. Well, this continues to 
accelerate, and I know I am running out of time. I will honor 
that as well. But, this continues to accelerate. I was with one 
of our universities doing research on cyber activity where they 
have developed the capability, which many others have--and they 
are studying the opportunities there--of pulling up next to a 
vehicle, hacking into their Bluetooth from the vehicle, and 
taking control of the vehicle. That is something that most 
Americans do not consider, that there is the possibility that 
someone could get close to them and be able to do that. But, 
they are trying to evaluate not only how easily can it be done, 
how many things can you operate once you are in the system, 
whether it is a heart monitor that is connected, whether it is 
the Internet of Things, whether it is operating systems, 
whether it is a small manufacturer that bought a piece of 
equipment but then has not upgraded the software in years, and 
the vulnerabilities are there. We are exceptionally vulnerable 
in our system. And, I do agree that one of the prime things we 
have to move is in actual deterrence, that if someone reaches 
it and uses that, what is the consequence of it? And, that 
helps provide us the next step of what needs to be done, and I 
would hope we could work with this Administration to help 
actually get that close and so that worldwide there is a 
relationship internationally, if you hack into our systems and 
if you steal our information or if you destroy systems, here 
are the boundaries and here is what our response is.
    I yield back.
    Chairman Johnson. Senator Lankford, I will turn it over to 
Senator Daines. And, I will turn it back to you if you want to 
stick around. I am here for the duration, anyway. Senator 
Daines.

              OPENING STATEMENT OF SENATOR DAINES

    Senator Daines. Thank you, Mr. Chairman. And, thank you for 
your testimony today on this critical area of national 
security.
    My observation has been that over several years 
policymakers have lamented this growing problem, yet there have 
been few meaningful solutions beyond saddling businesses with 
more regulations.
    Mr. Chabinsky, I appreciate your comment around it is kind 
of, I think, embedded in the culture of this town, and that is, 
we will answer the question, ``So what?'' but not the question, 
``Now what?'' in terms of optionality and action plans.
    I spent 12 years in the cloud computing industry before 
coming to Congress. I do understand how important it is for 
businesses to guard sensitive data. Our hosting operations were 
targeted. Our business model was selling to Fortune 500's and 
large public institutions. I do understand how important it is 
to guard that data and the responsibility you have to your 
customers to protect it. Securing sensitive information is an 
important part of the conversation, but there is more to be 
done. I do believe that as lawmakers we need to widen our 
aperture a bit, and I do appreciate being here today and you 
all being here.
    I venture a guess that many here would not dispute that the 
private sector rapidly outpaces the Federal Government in its 
ability to adapt and respond to rising trends in cyber crime. 
In fact, that is why just back in February I introduced the 
Support for Rapid Innovation Act of 2017, which allows DHS to 
foster and enable progress rather than impeding it by setting 
static requirements. This bill would promote deployment of more 
secure information systems, better detection and discovery of 
malicious code, faster recovery.
    Mr. Keeney, you are the director of a Cyber Incident 
Response Team for a publicly traded company. Where could you 
use more help from the Federal Government? And, conversely, 
where does government interference simply get in the way?
    Captain Keeney. So, speaking from my opinion, I would say 
that the way the government could help most corporate America 
is to do the things that corporate America cannot do for 
itself. So, U.S. law does not allow for corporate America to 
strike back against an adversary that continues to bloody their 
nose and do damage to their shareholders, which are likely 
American citizens.
    The U.S. Government, when they do targeted offensive cyber 
operations, they are generally in response to traditional 
military operations. But, I do not hear much or see much about 
offensive operations being done as a counterpoint, as somebody 
crossed a red line, you are not going to steal intellectual 
property of a company valued at $1 billion or some number, some 
threshold; every situation is different. But, the U.S. 
Government can do those things because U.S. law does not allow 
those corporations to do it for themselves.
    If a tanker ship full of goods sailed out of the port in 
Delaware and in the middle of the Atlantic got sunk by a 
nation-state adversary, what would be the response of the U.S. 
Government? I think it would be pretty clear. We would go after 
quite quickly whatever nation-state did that. Why is it any 
different in cyber?
    I hope, Senator, I have answered your question on the front 
half of what I think the government can do. It is mainly the 
things that we cannot do for ourselves.
    Senator Daines. Yes, I think that is kind of along the line 
where Senator Lankford was headed here in terms of kind of 
rules of engagement in defining a doctrine as it relates to 
cyber. I was an advocate and supported, as we debated last 
year, elevating cyber to its own combatant command, Cyber 
Command, to try to focus efforts here and get ahead of this.
    I joined our cloud computing company in 2000, a few years 
after it started up. We grew the company, took it public. It 
was acquired by a large corporation. But, back then, it was 
trying to let bankers understand the fact that basically our 
asset here was IP. You cannot come and count and measure the 
asset. We always said if our cloud computing company ever went 
out of business, all that was left was cubicles and some 
computers. So, it is all in the power of the electrons. That is 
the power, the IP. And, when you have whether it is a nation-
state, some bad actor out there destroy electrons in this case, 
or code, from a cyber attack, that really is not any different. 
You used a good analogy there of destroying a physical asset. 
When you start thinking that way, that is helpful feedback for 
us here, how we can help the private sector.
    Let me shift gears here and talk about another subject: 
attribution. It concerns me that policy discussions on cyber 
too often default to mitigation and recovery. If we compare 
cyber crime with a physical robbery, we are focused entirely on 
building a bigger, better fence. Physical security around a 
house or a building works not because the barrier is 
impenetrable, but because there are consequences for getting 
caught. We use floodlights for deterrence, cameras to identify 
criminals. We provide information to the police, and that leads 
to an arrest. Right now, there are few, I would argue no, 
consequences for cyber criminals.
    Mr. Chabinsky, I refuse to accept that attribution is an 
unsolvable problem or something that can only exist in the 
shadows of the intelligence community. Given your experience 
with the FBI's Cyber Division, how can we hold these hackers 
accountable?
    Mr. Chabinsky. Senator Daines, let me start by saying when 
I was growing up, I used to be impressed when I saw that there 
were Members who were medical doctors, and I am still impressed 
by that, but I do not know how useful that is for 
representation. I am far more impressed now when there are 
Members who have a technical background, and so it is really 
quite important for our Nation that you are representing us, 
and I appreciate your service.
    If I could agree more than 100 percent, we have completely 
looked at this topic in a way that would never be acceptable in 
any other context by going and blaming the victims. Time and 
again, we see after an intrusion that the CEO is called to 
testify, even before committees in this institution, of how 
this could happen and what they are going to do about it. But, 
what we do not see is the FBI call to ask what are we doing to 
catch the bad guys and when is this ever going to end.
    Attribution is not as large a problem as one might expect 
when you have attackers who are working over time, whether they 
are criminal actors or nation-states, it is actually quite 
difficult to keep anonymity for any meaningful length of time.
    There is this phrase in the security community that the 
defender has to get it right all the time, but the attacker 
only has to get it right.
    Well, with respect to attribution, as far as the bad guy is 
concerned, it is just the opposite. You have to have your 
tradecraft right 100 percent of the time, and losing it just 
once leads to attribution. And, the headlines will show that we 
are much more confident with attribution. What we are not 
confident yet with--and this is what Senator Lankford was 
saying--is what are we going to do about it. And, that is where 
the government--again, with Captain Keeney to my left leading 
the charge, that is where the government needs to come in. We 
have spent even on the government side tens of billions of 
dollars on information security to patch systems, billions of 
dollars, but our funding for law enforcement is perhaps in the 
millions. The FBI, with over 14,000 special agents, has a few 
hundred special agents that are involved in this type of 
investigation and attribution and then penalty.
    There is just no doubt that businesses cannot defend 
against the types of organized criminals and intelligence 
services we have. Until we realize that it is not the 
government's role to help the private sector better protect 
itself by giving them guidelines and giving them information 
about patches, but to get out there and get rid of the threat, 
we really are going to see this rise to unsustainable levels.
    Senator Daines. Well, Mr. Chabinsky, you asked if you could 
agree with me more than 100 percent. I would ask the same of 
you, actually. [Laughter.]
    It is interesting, you have lawmakers who want to run to 
say how can we better protect the private sector as it relates 
to technically. There would be a few things there, but 
generally it is tap it light. Every private sector 
organization, one of the greatest fears you have is making the 
front page of the Wall Street Journal because you just 
compromised the information of your customers. That is built 
in--that is why in the C-suite now, of course, the Chief 
Information Officers (CIOs) and Chief Technology Officers 
(CTOs) are certainly sitting right by the CEO because of the 
risk and the downside consequences of that kind of a 
compromise.
    But, I think you have provided some guidance and some 
clarity here around what real help might look like and what the 
Federal Government's role ought to be focused on, and I thank 
you for those comments.
    Mr. Chabinsky. Thank you, Senator Daines.
    Chairman Johnson. Thank you, Senator Daines.
    Let me follow up on that thread of questioning, because we 
are still asking the question: What can you do about it? And, 
that is fine to set up a cyber force, fund more law 
enforcement. Once they have the resources, what will they do 
about it? It is nice to hear that we are better at attributing 
these things, which is part of the problem, but you have that 
same problem in kinetic warfare as well, potentially. Who 
perpetrated this attack?
    Once we have attributed it, and let us say there is a state 
actor, I want to know your suggestion. Here is your chance. 
What will we do about it? I will start with you, Mr. Chabinsky.
    Mr. Chabinsky. Thank you, Senator Johnson. I think as 
earlier testimony from Mr. Greene supports, when we decided to 
make a full effort to address Chinese cyber espionage, economic 
espionage, it, in fact, was quite successful. But, it took 
everybody realizing that they had to stop telling people to 
patch their systems and live with Chinese economic espionage. 
It became a central focus of Congress as well as the last 
Administration. At every single high-level meeting with Chinese 
officials, this topic was addressed, and it ended up resulting 
in an agreement that, by and large, has been effective for what 
it was hoping to achieve.
    Chairman Johnson. You are saying publicly exposing, public 
pressure, sanctions potentially on the actors, those types of 
things, is what would be your first line of response?
    Mr. Chabinsky. Every nation-state responds differently; 
there are different carrots and sticks for different nations. 
Sometimes you can do things positively. We have also seen on 
the criminal front enormously successful international 
takedowns of organized crime groups, but they are too few and 
far between because they are underfunded.
    Chairman Johnson. Well, but also protected by rogue regimes 
as well, right? They are outside the long arm of the law if 
they are potentially in Russia, potentially in China. What 
about North Korea? What do you do about North Korea?
    Mr. Chabinsky. To some extent, but I do not need to remind 
the Senator that we are the United States of America.
    Chairman Johnson. I understand.
    Mr. Chabinsky. And, if we are going to be here hand-
wringing that we have no influence internationally against 
rogue nation regimes, then we might as well hang it up and call 
it a day as a country. OK? We have enormous elements of 
national power. It is time to get serious and create a 
strategy----
    Chairman Johnson. I was not hand-wringing----
    Mr. Chabinsky. I know the good Senator was not. And so, I 
believe that we have the capabilities. We just have not been 
funding any thought leadership in those areas to figure out 
what to do about it.
    Chairman Johnson. Dr. Valeriano, what are your thoughts on 
this?
    Mr. Valeriano. There is a reason we have not seen much 
escalation in the cyber domain, and that is because everyone is 
vulnerable. Asking for more escalation, asking for responses, 
looking for conventional or even cyber responses to cyber 
violations is a dangerous step that we have not taken yet, 
other nations have not taken yet, and there is a reason why, 
because we are all vulnerable.
    So, what we are asking for here is dangerous, and that is 
why we have instituted a system of norms that seems to have 
worked so far. And, what we have done to reply in terms of 
sanctions or diplomacy has generally kept a lid on the cyber 
escalation so far. And, the worry is if we go further, what 
will happen next?
    Chairman Johnson. So, you are agreeing with Mr. Chabinsky 
on this one? Because I think in testimony you were pushing 
deterrence, and you were saying it is impossible.
    Mr. Valeriano. It is more that I just do not believe in the 
word ``deterrence'' in cyberspace because of the way that term, 
what it really means, it does not fit. But, we do need 
responses. It is just these responses need to be managed, and 
they need to fit into the international context as they operate 
now.
    Chairman Johnson. Mr. Greene, do you want to chime in on 
this one?
    Mr. Greene. On the criminal front?
    Chairman Johnson. I mean, the response. So, again, just to 
summarize what I am hearing, on the one hand, to respond 
offensively with other cyber attacks we are saying is pretty 
dangerous. We are all vulnerable. We are going to ramp it up. 
So, what has been effective is raising the issue, having 
reports, saying that we have this little directorate in a 
particular nation-state exposing that, putting diplomatic 
pressure on it, seems to have provided some measure of success. 
What else can we do? Or what is your reaction to--I think I 
summarized that properly.
    Mr. Greene. We are not going to arrest our way out of this 
problem, but we can help it, and I go back to when I talked 
about how we address security generally, there is no 100-
percent solution. There might be 5, 6, 7, or 10-percent 
solutions. The arrest of the three Romanians who were 
extradited had a deterrent impact on other criminals. 
Indictment alone, even if we cannot reach out and touch them, 
if you have an international indictment, international scope, 
you limit the ability of a criminal to travel, to use their 
funds. It has an impact.
    Chairman Johnson. To travel, to use their funds, transfer 
those around the world.
    Put them in a safer place.
    Mr. Greene. I suspect that the Chinese military folks who 
were indicted 2 or 3 years ago probably did not like seeing 
their faces on FBI wanted posters, the same with the seven 
Iranians who were indicted. But, it does, as Mr. Chabinsky 
said, come back to resources. The FBI is doing what it can. 
They have some really great people, and they partner really 
well with the private sector. But, we can amp up that 
deterrence if we have more folks working it.
    Chairman Johnson. Let us make the analogy to criminal 
statutes. You have a very well defined crime. We all know 
exactly what it is. I am not going to use an analogy, but you 
can think of your own. And, then, you have very well defined 
penalties in law.
    We do not have that for cyber criminals--I mean, we do but 
we do not. Correct? For example, cyber warfare, what is the 
definition really of cyber warfare? And, I think, Doctor, you 
were talking about if it crossed the threshold of violence, I 
think that is what you said.
    Mr. Valeriano. Yes, war denotes violence.
    Chairman Johnson. And, that could be violence against 
things as well as people, correct?
    Mr. Valeriano. Not necessarily.
    Chairman Johnson. You would confine it to people?
    Mr. Valeriano. Yes.
    Chairman Johnson. So, you would not consider it warfare 
then when, for example, we believe North Korea destroyed how 
many computers at Sony? If a bomb were dropped and thousands of 
computers were destroyed at a company, would we not consider 
that warfare?
    Mr. Valeriano. Conventionally, in academic discourse, it is 
a thousand battle deaths. That is what warfare----
    Chairman Johnson. Pardon?
    Mr. Valeriano. A thousand battle deaths is what warfare is 
in terms of figuring out what it is and what it is not.
    Chairman Johnson. OK.
    Mr. Valeriano. And, that is how we have always defined it, 
and that is how we continue to define it. And, I do not see any 
need to change it with cyber warfare.
    Chairman Johnson. So, would you say that we have defined 
cyber crime, cyber warfare, well enough?
    Mr. Valeriano. I think so. I think we use the term ``war'' 
too much. You could maybe call this ``political warfare,'' 
``gamesmanship,'' things like that. But, it is not war.
    Chairman Johnson. But, it would if they started attacking 
critical infrastructure----
    Mr. Valeriano. Yes.
    Chairman Johnson [continuing]. And lives were----
    Mr. Valeriano. And, the reason you do not want to call it 
``war'' is because that demands a response. And, it is not 
clear we can respond at this point, so we want to save it for 
those real instances where we have to respond.
    Chairman Johnson. Can you guys comment on what the doctor 
just said there? We will start with you, Captain.
    Captain Keeney. I would like to tie together a few of these 
things that we have been talking about over the last couple 
minutes.
    So, from an attribution perspective, I think pretty 
recently CrowdStrike did some attribution of--it is a public 
company, not a U.S. intelligence agency, so, therefore, anyone 
who pays for their subscription gets this information, right?
    On Ukraine in specific, there was an application that the 
Russians were using that soldiers in the Ukrainian military had 
on their smartphones, which then led the Russian military to be 
able to target those soldiers in the Ukrainian military who 
were using artillery pieces. How interesting.
    Well, guess what? In the battle, warfare, they were able to 
target the high-end artillery pieces with 80 percent success in 
destruction and like 50 percent in the lower-end pieces of 
artillery. So, that is great. That is what I would call hybrid 
warfare. So, it is the mixing of both of these domains.
    So, then how do we respond to that? I believe that is the 
question we are kind of talking about. I think we have to 
define: Did they cross a red line? If they did, is their intel 
gain lost? Do we need to attack back or not? Do we lose 
something if we do? The whole impacts of DIME obviously have to 
be assessed.
    Then we target it, and that targeting could then pick an 
effect. It could be cyber in nature; it could be physical 
destruction in nature; it could be political in nature. And, 
then, we deliver the effect, especially if they cross a red 
line. And, we should not reveal what those are to our adversary 
either, which we have done in the past.
    Chairman Johnson. I would argue in that case you are 
already in a kinetic war. I think we already define that as 
war, and we just assume that the armies are going to be using 
whatever cyber assets they have to conduct that war. I think 
really what is more troubling is outside of kinetic war, you 
are just sitting here minding your own business, and all of a 
sudden there is an attack, whether it is a denial-of-service 
attack or----
    Captain Keeney. I could give you a very relevant example 
from corporate America. So, if China has been stealing our 
intellectual property and doing things like that pretty in the 
open and hacking, and we had a pretty good response through 
political means to change that, what I think would happen--what 
I think has happened is our adversaries changed their tactics. 
The war is still ongoing. They are just not using overt hacking 
techniques. Instead, they have moved to human intelligence 
collection operations inside of corporate America. I know this 
to be true.
    Chairman Johnson. Well, there is a reason their fighter jet 
looks a lot like ours.
    Captain Keeney. Exactly.
    Chairman Johnson. Doctor, you were going to say something?
    Mr. Valeriano. I would just add that changing the tactics 
means that what we are doing actually is working, and if they 
are reverting to conventional intelligence means, that actually 
is a very useful result.
    The other thing about the CrowdStrike issue and Ukraine is 
that was retracted by CrowdStrike, and they said that they 
overestimated the impact of these attacks on the artillery 
pieces. So, we are not even sure we have very good examples of 
active cyber warfare.
    Chairman Johnson. Well, let us put the kinetic part of that 
Ukrainian conflict aside and just open source, the attack on 
the electrical grid twice now. Pretty sophisticated cyber 
attack. That is what I am talking about. That type of thing is 
really coming close to maybe what you want to define as cyber 
warfare, but I think most people would probably consider it to 
be so.
    Mr. Valeriano. It does seem to be, though, basically probes 
and testing how far they can go. And, the solution was very 
conventional in that they just flipped the switch and turned 
things back on.
    Chairman Johnson. Well, they had breakers. They could do 
that. I am not sure--as I understand the American--and I am no 
electrical engineer here, sorry. I am an accountant. But, at 
least I am an accountant, OK? I am a business guy. We would 
have a much more difficult time. We are probably more 
vulnerable because of the advancement of our technology. That 
is part of the problem. With the Internet of Things, all the 
explosive devices, we have become more and more dependent on 
our electrical grid, more and more dependent on the Internet, 
and as a result, we are far more vulnerable, which I guess 
would indicate to me we better start defining these things. We 
probably ought to start laying out some pretty strong lines and 
be very predictable. You cross this, and this is something that 
we would define as war, and, then, of course, policymakers, 
Presidents, Congress, would have to decide what the response 
would be.
    Does anybody want to argue against that point?
    Mr. Valeriano. No, and I would just add that we should not 
blame the victim, but we also have to look to the victim and 
see what they are doing, and that is clear from your example.
    Chairman Johnson. Sure. But, again, I think Mr. Chabinsky's 
point is very appropriate, that analogy, in terms of blaming 
the end user and Flint. Would we really expect every household 
to put in a filtration system? Does it not make a lot more 
sense at the source? And, that would really get me into my next 
line of questioning, the personnel issue.
    I want to visit your--whatever you call it, the ROCK or 
MOCYBER. I think it is a really intriguing process because I 
think that is what we need to do, is we need to figure out how 
do we tap into the brilliant minds in the private sector across 
the board, not just as it relates to this. I mean, you take a 
look at our IT resources here in the Federal Government. They 
are just antiquated. We are still using floppy disks 
apparently. Some of these are just legacy systems that are 
ridiculous, but we have layer upon layer of procurement 
policies that make it almost impossible to update and 
modernize. We cannot afford to let the bureaucratic sclerosis 
prevent us from really addressing these cyber threats.
    So, how do we do that? I mean, we have one example of how 
we did it with the Missouri National Guard. Can you just kind 
of speak to that? Mr. Chabinsky, you are at the ready there.
    Mr. Chabinsky. Thank you, Chairman Johnson. First, I would 
say we have to really figure out what we want our people to do. 
I think that the workforce development issue runs the risk of 
training a lot of science, technology, engineering and 
mathematics (STEM) minds and taking them away from innovation 
and curing the problems, the bigger problems of----
    Chairman Johnson. Well, I would rather have them in the 
private sector, but we have to figure out how to tap into----
    Mr. Chabinsky. But, what I am suggesting is that I do not 
want to have to have them at all. In other words, if we solve 
this problem correctly, we do not need more and more people to 
solve the problem. So, if we can get this up to a higher level, 
the first question is: What is our strategy, and what people we 
need--the fewer amount of people that are needed to execute on 
a strategy that will reach the greatest goal?
    Chairman Johnson. Just to clarify, what you are saying is 
what you would like to see is in the private sector, every time 
you design a new device, that source is where you build the 
protection, the defense so it cannot be----
    Mr. Chabinsky. So a four-part plan. One is threat 
deterrence. The other is at the Internet ecosystem itself where 
there is much greater visibility on where botnets are, where 
the command and control is and the ability to take those down. 
And, then, at the device level, making sure that the market 
works better through more transparency and what the security 
is. And, finally, better metrics that are designed to show is 
what we are doing actually working against the threat.
    In each of those instances, what is clearly not needed are 
more people on the ground in every agency and every business 
that are running cybersecurity. You might only need 1,000 
people at the Internet ecosystem level. You might end up 
needing 40,000 people for workforce development at the business 
level.
    Chairman Johnson. Again, I get your point, but how do you 
organize and how do you direct those 1,000 people?
    Mr. Chabinsky. So, one area that we had recommended on the 
Commission for Enhancing National Cybersecurity is that we 
should consider apprenticeships, because the pace of this 
problem is moving so quickly, and going through school and 
building up debt and then getting out only to find out that 
what you learned 4 years ago has no practical application to 
the current threat just is not working for us. In some parts of 
Europe, including the United Kingdom (U.K.), there are 
apprenticeships where the Federal Government actually helps 
sponsor what the credentialing would be, where a company brings 
people in, it is on-the-job training, they are getting paid for 
doing it, and we could have a better workforce immediately. So, 
that would be one example of a way to get more people into this 
battle.
    Chairman Johnson. So, where would those apprenticeships--in 
which companies?
    Mr. Chabinsky. Well, currently----
    Chairman Johnson. Service providers or----
    Mr. Chabinsky. Everywhere, unfortunately, now, because it 
is needed everywhere. One day I would like to have a strategy 
that would focus them up to higher levels.
    Chairman Johnson. Does anybody else want to speak to what 
Mr. Chabinsky is saying? We will start with you Mr. Greene.
    Mr. Greene. Two points. On the apprenticeship point, we 
have a program similar to that in our company, Symantec Career 
Connection, where we work with high school and college-level 
students to get them on-the-job training, help place them when 
they get out, tend to serve military and underserved 
communities.
    The second point, though, is identifying what resources you 
have is really important. We just finished internal cyber war 
games that we do every year, and part of that is to motivate 
the workforce, to have something everyone enjoys working on, 
but also we identify skills in people that we may not know they 
have, they may not know they have. We come out of that with a 
better knowledge of what our workforce can do and how best to 
use the skills that they have.
    So, there are ways that you can do it. I think that there 
are probably folks within agencies, companies, whatever, who 
can do a lot more than they are. It is easier to take someone 
who knows a network, teach them how to secure it, than to bring 
in someone who does not know that network, has a school book 
knowledge of security, and have them learn both things at once. 
So, we need to make better use of the resources that companies 
and government already have.
    Chairman Johnson. By the way, I am all for efficiency and 
doing things smart. So, in addition to the apprenticeship, are 
you pretty well buying into what Mr. Chabinsky is saying here 
in terms of the approach, invest it at the source as opposed to 
the end user?
    Mr. Greene. Yes, I think----
    Chairman Johnson. That is the right direction?
    Mr. Greene. Yes.
    Chairman Johnson. Doctor, do you have an opinion on that?
    Mr. Valeriano. Well, I think what we have here is education 
in universities, and we are not leveraging the power of our 
universities so far. We have NSA accreditation on different 
levels, but that is about it, and it is not really used to 
great effectiveness. We have not seen great programs built. We 
have seen a lot of money go to private universities, but it has 
not been used very well. We need to expand diversity. We need 
to expand access. We need to do this throughout the United 
States, and we have not done that so far.
    Chairman Johnson. By the way, last week we had the 
Chancellor of UW-Madison talking about 42 percent of researcher 
time on Federal grants in research universities is spent 
complying with Federal regulations, pushing paperwork. So, no 
kidding we are not very effective at this.
    Captain, do you want to comment on this part of the 
discussion?
    Captain Keeney. Yes, it reminds me of a book I read 
recently about the history of the American Telephone and 
Telegraph Company (AT&T) and Bell Labs and how Bell Labs grew 
into AT&T and created satellite and fiber optics and all the 
things that we take advantage of today. They got so big and so 
dominant that we had to break them up into smaller pieces, 
right?
    Chairman Johnson. And, they got more competitive.
    Captain Keeney. All that kind of stuff, right?
    Chairman Johnson. By the way, I like small business myself. 
That is where I come from. I like competition.
    Captain Keeney. Sure. Me, too.
    I have owned a couple along the way. But, my point there is 
in reading that book, one of the things that stuck out to me 
and I think is relevant to this conversation is the people that 
made the biggest leaps were not the engineers; they were not 
the guys that studied and got a degree in physics. They were 
important to solve technical problems, but it was the 
innovators in the early days of Bell Labs, the guys and gals 
who thought outside the box, who just wanted to tactically 
solve problems, who then went to an engineer who was certified 
and trained in all those things, and said, ``I need to solve 
this piece of the puzzle,'' but they were able to innovate. 
And, I think in the cyberspace, by apprenticeship programs and 
getting younger minds engaged and not having to go get $100,000 
in debt and take 6 years to get through a program before we get 
them applied to the problem, I am always impressed by young 
people when you just give them a problem to solve.
    Chairman Johnson. By the way, it is interesting you just 
mentioned this. I just pulled up a quote I sent myself, George 
Bernard Shaw: ``The reasonable man adapts himself to the world; 
the unreasonable one persists in trying to adapt the world to 
himself. Therefore, all progress depends on the unreasonable 
man.''
    Kind of adapting to what you are talking about is you do 
need people thinking outside the box, looking at this, and it 
is not necessarily coming from computer scientists, though. It 
might come from somebody--and that is why the more people you 
have looking--I would say it is smaller innovative companies is 
I think where the solution lies, as opposed to some massive 
Federal bureaucracy trying to really dictate this, which is one 
of the parts you pointed out, too, is let us address this from 
the standpoint as it is as opposed to the way we have 
constructed our bureaucracy. Is that a valid point?
    Mr. Chabinsky. And, Chairman Johnson, if I could just pull 
a thread on what Captain Keeney said, he said that the young 
minds were brought problems to solve. We have an enormous 
capacity in the cybersecurity world never to define what the 
actual problem is that we are looking to solve. And so, we have 
a lot of information sharing where people are just throwing 
things at each other, but there is really no goal at the end of 
it all. And, we somehow think that it will all magically come 
together to solve the cybersecurity problem. Why do we not 
define first what are the five largest cybersecurity problems 
our Nation is facing, then figure out who are the--but, let us 
figure out who the fewest number of companies, who the fewest 
people are to create the solutions for the top problems to 
inure to the benefit of the most.
    Chairman Johnson. So let me just, a little off topic, but 
my perspective, coming from the private sector, in Washington, 
D.C., is everything is tactical. My problem-solving process in 
the private sector starts with laying out reality, strengths, 
weaknesses, opportunities and threats (SWOT) analysis, root 
cause analysis based on that reality. And, by the way, we are 
trying to lay out that reality here. That is what these 
hearings are about. You establish goals. Once you agree on what 
the goals are, then you start developing the strategies, and 
the tactics are there to support the strategies. But, if you 
are at the tactical level, they are not tied to a strategy. 
They are divorced--if they are not directed toward a goal--they 
are divorced from reality. I think I just described the Federal 
Government versus the private sector.
    So, we need to lay out the reality, and the problem we have 
in cyber is it is very complex, and we do not have very many 
members with Senator Daines' experience on this. I was at an 
American Enterprise Institute (AEI) conference, and we were 
talking about the whole encryption issues. And, one of the 
points I made is on this island we are primarily Gilligans; not 
too many professors here.
    So, it is a real challenge, the complexity of this, and you 
just have people that do not--there are very few professors. 
So, it starts with that knowledge.
    But, let me close this out because I have to close this 
hearing in 6 minutes. What would you say are the top 
priorities, what are the things that, this dysfunctional place 
needs to do to start addressing this more effectively? And, I 
will start with you, Mr. Greene. Then we will just go right 
down the aisle. Give us the number one thing we have to do, or 
number two. And, I will just tell you, in the first 4 years 
where everybody was saying, ``Hey, you got to do 
cybersecurity.'' It was always, ``You have to start sharing 
information more effectively.'' And, we kind of did that a 
little bit, but we have just barely scratched the surface on 
what we need to do. Mr. Greene.
    Mr. Greene. The thing that worries me the most long term on 
a national scale is the explosive growth--and we are still at 
the lip of the curve--of connected devices. And, the point you 
made about Ukraine getting the power grid back online because 
they could go flip a breaker, we need to start building systems 
that--assessing how critical they are, if they are truly 
critical, either not connecting them--that has to be an option; 
it is not considered today--or making sure we have some manual 
way to fix it if we are talking truly critical. So, securing 
those critical devices that are going to be connected.
    The other half of that piece is shifting the market 
incentives. Right now, there is all the incentive to be first 
to market. There is no incentive to be secure to market. Most 
of the incentives should be functionality, speed getting to 
market, but we need to build in in the design phase at least 
the thought to the security piece. So, if we can introduce the 
concept of secure to market, either through empowering 
consumers, understanding what they are doing, how the 
government purchases, but we need to focus on that as we 
connect everything.
    Chairman Johnson. In Israel, they have the cyber director 
now reporting right to the Prime Minister, and they have the 
three R's: two of them are resiliency, building it so it is 
resilient, but then be able to recover. That is what you were 
just talking about. Mr. Chabinsky.
    Mr. Chabinsky. Mr. Chairman, I would recommend that the 
United States take immediate international leadership to create 
what I would call a ``moon shot,'' which would be to rid the 
entire international community of all major botnets within 2 
years. If you look at what botnets generate, it includes 
economic espionage with command and control. It includes 
financial theft with the command and control of credential-
stealing malware. And, it obviously includes attacks through 
distributed denial of service (DDOSs) of our energy grid and 
other critical infrastructure.
    I believe that that is possible. I believe that it would be 
an effective way of building international communities as well 
as determining the vast different roles of governments and the 
private sector. And, I think that if we were able to achieve 
that, not only would we resolve an enormous amount of problems 
before they ever reach our financial sector, our power grid, 
or, companies; but it also would end up building the type of 
thought processes that could tackle a lot of the other problems 
we are seeing. And, I would look forward to working with the 
Chairman to scope that measure out.
    Chairman Johnson. OK. I like the idea. Doctor.
    Mr. Valeriano. Of course, the challenge is critical 
infrastructure, including things like cars, because you should 
not be able to drive a car and hack into it. That is just 
absurd. We did the same thing with airplanes. We were 
connecting entertainment systems to navigation systems.
    But, to me the second challenge is about individual 
reaction, and we have not done a whole-nation kind of plan to 
figure out what to do next. We did that during nuclear war. We 
had a bunch of options about what we would do to solve the 
problem. We have not reassured the civilian population about 
what will happen if there are cyber attacks. We have not talked 
about what we have done to protect the civilian population. We 
are always talking about cyber Pearl Harbor. We are not talking 
about the daily battles. And, because of this, people overreact 
too much to the cyber threat, and they perform badly when 
challenged with even simple things like emails and clicking on 
Twitter links.
    So, we have not even begun to study the psychology of the 
user of the Internet. What is this doing to our biology? What 
is this doing to our stress levels? And, I think that is a 
clear challenge that we have not even begun to start to talk 
about right now.
    Chairman Johnson. OK. Captain?
    Captain Keeney. Senator, I would say my advice would be to 
expand the role of the military, both active, Reserve. Another 
idea came to me----
    Chairman Johnson. You know that will face some resistance.
    Captain Keeney. Yes. Also, another interesting one would be 
State militias. Not every State has them, but many do, and 
these State militias could be an ability to bypass the 
traditional military basic training, all those sorts of 
requirements that a lot of people in private industry do not 
want to partake in for some reason. They are scared of push-
ups, or pull-ups or whatever it is. But, leveraging the State 
militias may be another way the Federal Government could help 
fund some State initiatives to get more cyber hands on the rope 
helping at the State and local level is an idea.
    And, then, I was thinking about certifying in some way, 
like the Underwriters Laboratories (UL), when you buy some 
piece of electric, it has UL certification. I am sure this is 
not my idea and many others have thought of it, but maybe that 
is a way we could begin to address this. If I buy the Internet-
connected light bulb thing I have on my bedroom lamp and I tell 
Alexa to turn it on and off, if that in some way was able to be 
updated and was resilient, if there was a new exploit than when 
I bought it, I would have more confidence in it. That is maybe 
an approach at the consumer IOT level.
    Chairman Johnson. We might be able to pass by unanimous 
consent (UC), if you are good enough with a keyboard, we will 
waive the push-up requirement. [Laughter.]
    Listen, this has been, I think, very informative. I want to 
continue to work with you gentlemen. We want to work with the 
private sector to figure out exactly what we need to do here, 
because this is, I think you all recognize--which is why you 
are involved in this sector--incredibly important. So, thank 
you for your testimony. I appreciate your answers to our 
questions.
    The hearing record will remain open for 15 days until May 
25th at 5 p.m. for submission of statements and questions for 
the record. This hearing is adjourned.
    [Whereupon, at 11:29 a.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------  
                              