[Senate Hearing 115-298]
[From the U.S. Government Publishing Office]
S. Hrg. 115-298
CYBER THREATS FACING AMERICA: AN OVERVIEW OF THE CYBERSECURITY THREAT
LANDSCAPE
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
MAY 10, 2017
__________
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
27-390 PDF WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming             GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota            MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana                KAMALA D. HARRIS, California
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Colleen Berny, Professional Staff Member
Margaret E. Daum, Minority Staff Director
Julie Klein, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Bonni Dinerstein, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Johnson.............................................. 1
Senator McCaskill............................................ 2
Senator Lankford............................................. 15
Senator Daines............................................... 18
Prepared statements:
Senator Johnson.............................................. 31
Senator McCaskill............................................ 32
WITNESSES
Wednesday, May 10, 2017
Jeffrey E. Greene, Senior Director, Global Government Affairs and
Policy, Symantec Corporation................................... 4
Steven R. Chabinsky, Global Chair of Data, Privacy, and Cyber
Security, White and Case LLP................................... 6
Brandon Valeriano, Ph.D., Donald Bren Chair of Armed Politics,
Marine Corps University, and Adjunct Fellow, Niskanen Center... 8
Kevin Keeney, Captain, Missouri National Guard, and Director,
Cyber Incident Response Team, Monsanto Company................. 10
Alphabetical List of Witnesses
Chabinsky, Steven R:
Testimony.................................................... 6
Prepared statement........................................... 42
Greene, Jeffrey E.:
Testimony.................................................... 4
Prepared statement........................................... 34
Keeney, Kevin:
Testimony.................................................... 10
Prepared statement........................................... 69
Valeriano, Brandon Ph.D.:
Testimony.................................................... 8
Prepared statement........................................... 58
APPENDIX
Center for Strategic and International Studies report submitted
by Senator Johnson............................................. 73
EPIC statement for the Record.................................... 97
Kaspersky Lab statement for the Record........................... 99
Responses to post-hearing questions for the Record
Mr. Greene................................................... 106
Mr. Chabinsky................................................ 115
Mr. Valeriano................................................ 124
Mr. Keeney................................................... 133
CYBER THREATS FACING AMERICA: AN
OVERVIEW OF THE CYBERSECURITY THREAT LANDSCAPE
----------
WEDNESDAY, MAY 10, 2017
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:06 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson,
Chairman of the Committee, presiding.
Present: Senators Johnson, Lankford, Daines, McCaskill,
Carper, Tester, Heitkamp, Peters, and Hassan.
OPENING STATEMENT OF CHAIRMAN JOHNSON
Chairman Johnson. Good morning. This hearing will come to
order. I apologize for my tardiness. I thought the vote was
actually scheduled for 10.
I want to welcome the witnesses. I want to thank you for
your thoughtful testimony. I think this will be an excellent
hearing based on reading the testimony.
This Committee has four primary goals: border security, we
have held, I think, 23 or 24 hearings on it now; cybersecurity,
the subject of this Committee hearing; protecting our critical
infrastructure, which has a lot of cybersecurity components to
that as well, and combating Islamist terror, any type of
extreme violent behavior, also definitely has a cyber component
to it as well.
So, this is going to continue to be a focus. I really do
appreciate the way we are going to discuss this today. Again,
based on the testimony, it is going to be a very good
presentation of a variety of views in terms of what we need to
do.
What I am hoping to certainly get out of this is what we
have gotten out of some earlier hearings. We held a hearing on
agents on the front line trying to secure our border and
enforce our immigration laws, and out of that hearing, I think,
we developed a consensus and a process for trying to give those
agencies the authority to fix their personnel issues so they
can actually hire the people and treat them with parity.
Last week we had a hearing on the Government Accountability
Office (GAO) duplication, and I think we also developed a
consensus that we need to take GAO's recommendation to actually
produce legislation to force the agencies to actually implement
their recommendations.
What I am hoping we get out of this hearing, because I
think this is really the crux of what we need to do in
government, is we have to figure out how we can employ, engage,
utilize the absolute best and brightest minds when it comes to
dealing with this enormously difficult, enormously complex
issue of how do we protect the Internet, the Internet of Things
(IOT), our cyber assets from the relentless and incredibly
destructive attacks that are just ongoing virtually every
second of the day.
It was General Keith Alexander, the former National
Security Agency (NSA) Director, who said that cyber attacks
represent the greatest transfer of wealth in history. I have a
report here, I guess by the Center for Strategic and
International Studies.\1\ They did an estimate. Somewhere
between $375 and $575 billion per year is what they are
estimating is the global economic cost of all these cyber
attacks.
---------------------------------------------------------------------------
\1\ The report referenced by Senator Johnson appears in the
Appendix on page 73.
---------------------------------------------------------------------------
Again, this is an important hearing. It is just going to be
one in a series as we try and grapple with this. But, again,
what I am hoping is we all recognize we have to figure out how
to break through the bureaucratic rules, our pay scales, or how
do we engage the private sector so we literally do have the
best and brightest.
And, by the way, we have some really fabulous patriots who
are working at way below what they can make in the marketplace
already working in different agencies here addressing this. We
just need to make sure we get as many bright minds as possible
working on such a difficult issue.
I do ask unanimous consent that my written statement be
entered in the record.\2\ Without objection, so ordered.
---------------------------------------------------------------------------
\2\ The prepared statement of Senator Johnson appears in the
Appendix on page 31.
---------------------------------------------------------------------------
Chairman Johnson. And, with that, I will turn it over to
Senator McCaskill.
OPENING STATEMENT OF SENATOR MCCASKILL\3\
Senator McCaskill. Thank you, Chairman Johnson.
---------------------------------------------------------------------------
\3\ The prepared statement of Senator McCaskill appears in the
Appendix on page 32.
---------------------------------------------------------------------------
This hearing is an important opportunity for us to focus on
the threats we face and to begin talking about how to address
our Nation's cybersecurity needs.
We have critical vulnerabilities in cybersecurity, and they
impact our Nation and countries around the globe. The Federal
Government, States, and the private sector have all experienced
cyber breaches with devastating outcomes.
Just last week, a candidate in the French Presidential race
had electronic messages and documents from his campaign hacked
and posted online in an attack that looks remarkably similar to
the attack on the Democratic National Committee (DNC) just
prior to the party's summer convention, nominating convention,
and prior to the Presidential elections.
The perpetrators of these types of attacks are trying to
undermine our democracy by tarnishing particular candidates. In
this instance, those attacks were, in fact, carried out by
Russia to influence voters and portray our electoral system as
flawed.
Make no mistake about it: Russia is trying to break the
backbone of democracies across the world. We need to figure out
how to protect our governments and our institutions and our
elections from further cyber attacks, and we need to do it now.
One of the problems we face as a Nation is we do not have
all the trained, qualified professionals we need to adequately
address these threats. Right now, the demand for cyber
professionals is far greater than the supply, both in
government and in the private sector.
We are also missing leadership on cybersecurity. Today
scores of senior cyber-related positions in agencies throughout
the government remain unfilled. We are waiting for nominees to
be announced for two of the top cyber-related jobs at the
Department of Homeland Security (DHS): Under Secretary at the
National Protection and Programs Directorate (NPPD) and Deputy
Under Secretary for Cybersecurity and Communications. There are
essential cyber-related positions at the Department of Defense
(DOD), Judiciary, State, and Commerce that are still awaiting
nominations from the White House as well.
Right now, we are needlessly fighting with one hand tied
behind our back. I implore the President to fill these
positions with qualified nominees as quickly as possible.
Cybersecurity is an area that demands bipartisan solutions.
To begin with, we need to ensure our government is properly
organized to protect the country against cyber threats. Mr.
Chairman, I am pleased that our staffs have begun discussions
with our House colleagues on elevating cybersecurity within the
Department of Homeland Security. Despite the significant role
the Department plays in the Nation's cybersecurity efforts,
cyber appears to be a secondary function within DHS. That needs
to change, which is why I am excited that our bipartisan and
bicameral staffs are discussing legislation that aims to
appropriately elevate and operationalize DHS' cyber mission.
Federal efforts alone cannot guarantee cybersecurity.
States and the private sector are presenting pioneering
solutions to confront serious threats. The private sector owns
and operates the majority of the critical infrastructure in
this country and serves as our engine of innovation.
I look forward to hearing the testimony from our witnesses
from the private sector who spend every day working hard to
understand the nature of the threat. I take great pride that
the citizens of Missouri have vital roles in defending our
country from cyber attacks. Mr. Kevin Keeney is here today, and
he is an excellent example of a State tapping into existing
resources to amplify its talent pool and protect its
infrastructure. He has been integral in developing the Missouri
National Guard's cyber architecture, which is playing a key
role in training units throughout the country to safeguard
their systems. It is probably not a surprise that in his
civilian life he is the director of cyber incident response at
a Fortune 200 company. He is well aware of the threats we face
and has firsthand experience defending against them. The
citizen warriors in the National Guard are one important step
toward solving the Nation's growing cyber workforce problems,
and I am pleased to welcome him.
Mr. Chairman, I also want to bring your attention to an
emergency meeting on a troubling development in the
investigation of an act of cyber warfare by Russia against our
country that will occur at 10:30. I will certainly remain here
at the hearing for the testimony, remain to question the
witnesses, but I wanted to explain to you why many of my
colleagues will be leaving the hearing in order to attend this
emergency meeting.
Chairman Johnson. I understand. I appreciate it.
It is the tradition of this Committee to swear in
witnesses, so if you will all rise and raise your right hand.
Do you swear that the testimony you will give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you God?
Mr. Greene. I do.
Mr. Chabinsky. I do.
Mr. Valeriano. I do.
Captain Keeney. I do.
Chairman Johnson. Please be seated.
Our first witness is Jeffrey Greene. Mr. Greene currently
serves as senior director of Global Government Affairs and
Policy at Symantec Corporation. He is a member of the National
Institute of Standards and Technology's (NIST) Internet
Security and Privacy Advisory Board (ISPAB), and served as a
guest researcher on President Obama's Commission on Enhancing
National Cybersecurity. Mr. Greene.
TESTIMONY OF JEFFREY E. GREENE,\1\ SENIOR DIRECTOR, GLOBAL
GOVERNMENT AFFAIRS AND POLICY, SYMANTEC CORPORATION
Mr. Greene. Thank you, Chairman. Thank you, Ranking Member
McCaskill. I appreciate the opportunity to be here today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Greene appears in the Appendix on
page 34.
---------------------------------------------------------------------------
Understanding the current threat environment is essential
if we are going to craft good policy and develop good defenses,
and I am pleased to see that the Committee is continuing its
focus on this issue.
2016 was a year that we saw new levels of cyber attacks. It
was a year marked by multi-million dollar virtual bank heists,
explosive growth of ransomware, attacks on the power grid in
the Ukraine, exposure of over 1.1 billion identities through
data breach, and massive denial-of-service attacks launched
from compromised Internet of Things devices. And, of course,
there was the operation to influence our Presidential election.
But, perhaps the most striking feature of 2016 is that
instead of using valuable zero-day and sophisticated malware,
attackers increasingly attempted to hide in plain sight. We
call this ``living off the land,'' illicitly using legitimate
network administration tools and software features.
In 2016, the world of cyber espionage shifted dramatically
toward overt activity. In addition to the attacks in the
Ukraine and our election, we saw an attack on the World Anti-Doping
Agency and destructive, widespread attacks on computers
in Saudi Arabia.
Interestingly, this shift coincided with a decline in
economic espionage. After the 2015 agreement between the United
States and China not to conduct economic espionage, detections
of malware linked to suspected Chinese groups dropped
considerably. Notably, though, we did see some of these groups
appear to shift their focus to what were more political
targets.
In the financial realm, at least two outfits targeted the
Society for Worldwide Interbank Financial Telecommunications
(SWIFT) network. In one instance, North Korea-based attack
groups stole $81 million from Bangladesh's central bank after
stealing their SWIFT credentials. And, they would have made off
with more but for a typographical error. It is important to
note that SWIFT itself was not compromised. It was the theft of
credentials that allowed this theft.
Business email compromise (BEC) scams also skyrocketed.
These are also known as ``Chief Executive Officer (CEO) fraud''
or ``whaling,'' and these scams are a low-tech form of fraud
where criminals will send spoofed emails to an organization's
financial staff, directing them to make large wire transfers or
other fund transfers.
During the first half of 2016, we saw more than 400
businesses targeted every day in these types of scams, and just
last week, the Federal Bureau of Investigation (FBI) put out an
alert that said that over $5 billion has been lost to this type
of scam over the past 4 years.
Ransomware also continued its explosive growth. In 2016, we
saw three times as many new malware families as we had in the
previous 2 years. And, the average ransom tripled from $294 to
$1,077.
2016 was also the first major incident originating from IOT
devices. The Mirai botnet was made up of compromised routers,
digital video recorders, and security cameras, and it was used
to carry out the largest denial-of-service attacks we have ever
seen. In October, it took down some of the world's most popular
websites and applications. Weak security, particularly in the
form of hard-coded and default passwords, made these devices
easy pickings for attackers.
There was some good news, though. In December of last year,
three Romanian nationals who ran the Bayrob gang were arrested
and extradited to the United States and are currently awaiting
trial. This was the culmination of an 8-year investigation, and
we are proud to have assisted throughout that.
Security starts with basic measures such as strong
passwords and up-to-date patch management. But, while these
steps may stop some older, simpler exploits, they will be
little more than a speed bump for even a moderately
sophisticated attack and will do little to slow a determined,
targeted attacker.
Effective protection requires a modern security suite that
is being fully utilized. This includes multifactor
authentication, advanced exploit detection and prevention
technologies, encryption, and data loss prevention tools. IOT
presents its own challenges, and while the tools to secure
these devices are available, too often manufacturers are not
building them in. The Chairman mentioned earlier that attacks
are happening every second. By our statistics, we are seeing
our IOT honeypots attacked on average every 2 minutes, and
based on what I have seen from some of our competitors and
friends in the security community, that may actually be longer
than the average.
For these types of devices, we developed Norton Core, which
is a home router specifically designed to secure these devices
from attacks.
Good security is not going to happen by accident. It
requires planning and continued attention. But, criminals are
always evolving. The shifting tactics demonstrate the
resourcefulness of the criminals, but they also show that
improved defenses and a concerted effort to address
vulnerabilities can make a difference. The attacks are evolving
and developing new ways to go after us, but that evolution does
come at a financial cost to the attacker. So, we need to keep
in mind that we need to go after the business model of the
attackers, not just the technological.
Thank you again for the opportunity to testify, and I am
happy to answer any questions.
Chairman Johnson. Thank you, Mr. Greene.
Our next witness is Steven Chabinsky. Mr. Chabinsky
currently serves as Global Chair of Data, Privacy, and Cyber
Security at White & Case LLP. He formerly served as Deputy
Assistant Director of the FBI's Cyber Division and as a senior
cyber adviser to the Director of National Intelligence. He was
also a member of President Obama's Commission on Enhancing
National Cybersecurity. Mr. Chabinsky.
TESTIMONY OF STEVEN R. CHABINSKY,\1\ GLOBAL CHAIR OF DATA,
PRIVACY, AND CYBER SECURITY, WHITE & CASE LLP
Mr. Chabinsky. Good morning, Chairman Johnson, Ranking
Member McCaskill, and distinguished Members of the Committee.
My name is Steven Chabinsky, and it is my privilege to appear
before you today to discuss cyber threats facing America.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Chabinsky appears in the Appendix
on page 42.
---------------------------------------------------------------------------
Let me begin by stating what by now seems clear. The cyber
threat is real and growing, as is the risk to our national
security, our finances, our energy sector, our automobiles, our
biomedical implants, and our health records. These and more all
appear to be at growing risk. In short, the problem is getting
worse, and we are losing. I believe we are following a failed
strategy that can and must be changed. But, before I describe
what it would take to solve this problem, let me describe what
we are up against.
First, when it comes to organized cyber crime, some groups
exhibit a level of skill and logistics that appear to be taken
straight from a Hollywood script. Consider the international
crime group from a few years ago that hacked into a credit card
processor's network. They found the databases containing
prepaid debit cards, changed security protocols, increased
account balances, eliminated account withdrawal limits, and
distributed card numbers to members in 24 countries throughout
the world. Within 10 hours, they conducted 36,000 automated
teller machine (ATM) transactions and stole $40 million.
Second, Internet attacks are becoming more destructive. In
addition to ransomware, one of the more troubling episodes we
witnessed recently was the rise of botnets formed out of
compromised IOT devices. Just last October, we witnessed a
distributed denial-of-service attack against a single company
that had the domino effect of taking dozens of popular websites
offline, all based on hacked IOT devices. A friend of mine told
me her grandfather apologizes if he helped bring down the
Internet.
Third, we continue to expect the private sector to defend
itself against foreign military and intelligence services that
want to steal their intellectual property (IP). Just 2 weeks
ago, the Department of Homeland Security warned of an emerging,
sophisticated campaign, almost certainly foreign State-sponsored,
that is targeting a wide range of sectors, including
information technology (IT), energy, health care,
communications, and manufacturing.
Last, our military dominance is at risk. Countries that
could not overpower us with traditional weapons now can reach
us through the Internet. During times of conflict or simply as
a matter of sabotage, enemies can target our critical
infrastructure, which is comprised in no small part of
antiquated, hard-to-defend control systems.
All of this leads us to observe that things are bad and
getting worse. Still, our downward spiral is not inevitable. We
can improve our security considerably. But, there is a catch.
Doing so will require that we reconsider and change the
fundamental nature of our efforts.
Most important, we have to stop thinking that cybersecurity
is a problem that users can fix. We are not going to get
ourselves out of this mess by having every consumer, every
business owner, and every operator of critical infrastructure
practice good cyber hygiene, or even by having them adopt the
NIST Cybersecurity Framework.
Instead, the burden for cybersecurity must be moved as far
away as possible from the end user. That will require a
180-degree shift from what we are doing now.
We must adopt higher-level international solutions that
include greater threat deterrence, the design of more secure
products and protocols, and a safer Internet ecosystem. Put
differently, we must resolve cybersecurity problems primarily
at their source rather than at their destination.
By way of analogy, when faced with the Flint, Michigan,
water crisis, a Federal State of emergency was declared, and
solutions are being put in place to repair and upgrade the
city's water system and to replace the pipes. Nobody could
imagine opting instead for establishing NIST guidelines that
would require every home and every business operating in Flint
to purchase their own state-of-the-art water filtration system
and to hire the experts needed to continuously monitor and
upgrade those systems.
Financially incentivizing the companies that can add
security higher up in the Internet stack should be considered a
budget priority with perhaps as much as 10 percent of our
roughly $600 billion defense budget being set aside for the
advancement of higher-level cybersecurity solutions.
We should explore other financial models as well. Is it not
odd that we have a Connect America Fund that brings broadband
to rural markets, but we do not have a Protect America Fund to
bring cybersecurity to the entire Nation.
I have elaborated upon each of these ideas, as well as a
number of others, in my written testimony. I would like to
thank you again for this opportunity, and I look forward to
answering any questions you may have.
Chairman Johnson. Thank you, Mr. Chabinsky.
Our next witness is Dr. Brandon Valeriano. Dr. Valeriano is
the Donald Bren Chair of Armed Politics at the Marine Corps
University and an adjunct fellow at the Niskanen Center. Dr.
Valeriano has published numerous books and journals on
cybersecurity. He also serves as the area editor for
international relations and strategy for the Journal of
Cybersecurity. Dr. Valeriano.
TESTIMONY OF BRANDON VALERIANO, PH.D.,\1\ DONALD BREN CHAIR OF
ARMED POLITICS, MARINE CORPS UNIVERSITY, AND ADJUNCT FELLOW,
NISKANEN CENTER
Mr. Valeriano. Yes, thank you to the Chairman and the
Members of the Committee for allowing me to offer this
testimony today. I offer an empirical perspective of the macro
dynamics of the cybersecurity field. The cyber challenge is
neither new nor is it revolutionary. Instead, it is a
continuation of international rivalries and grievances, but now
also fought in cyberspace at a low level of intensity.
---------------------------------------------------------------------------
\1\ The prepared statement of Dr. Valeriano appears in the Appendix
on page 58.
---------------------------------------------------------------------------
But, understanding active cyber operations in their proper
context, which is as methods of coercion, we can seek to
understand how the international cyber threat landscape works,
what challenges will continue to proliferate, and how to fight
back by establishing resiliency in cyberspace. Yet only by
understanding the macro picture of the cybersecurity landscape
can we articulate policy goals to move forward to meet the
challenge. While dangerous, the cyber threat landscape exhibits
genuine stability, aided by complexity and restraint which
leads to careful action in cyberspace. This relative stability
and restraint, however, is often in danger of being upset
without maintenance and attention.
The universe of cyber threats is pretty clear. Of course,
there are States; then there are non-state actors and proxies;
and then there are cyber criminals. Each of these actors has
distinct motivations, abilities, and limitations. It makes
little analytical sense to lump them together as one unified
cyber threat actor.
For States, the cyber strategies are a new way of
communicating threats and undertaking aggressive operations.
Yet there are no new digital avenues of conflict. We have yet
to witness a cyber conflict where the genesis all occurred
solely in cyberspace.
Cyber methods are typically used as methods of coercion.
States use cyber tools to create leverage against the
opposition and change strategic calculations, therefore
influencing behavior.
Within coercion, there are three types of cyber operations:
There are cyber disruption operations, which are short-term
harassment operations meant to influence the opposition, but at
the same time expend minimal effort and require few resources
beyond coordination.
Espionage operations are long-term activities meant to
manipulate information. The goal is either to take, steal, or
alter information the target has in order to alter the
bargaining situation between two parties.
Last, we have degrade operations which seek to damage the
opposition's ability to maintain control of operations, destroy
opposition targets, and sabotage procedures. Degrade operations
seek to punch at the heart of the target and escalate costs in
order to provoke a change in behavior. But, they are also the
costliest, most time-intensive, and riskiest operations we have
seen.
In terms of cyber threat actors, of course, the most
prominent is Russia. Yet Russia has demonstrated no great
sophistication in cyber operations. As opposed to the media
coverage, it is often shocking how low tech their techniques
are. However, their evident willingness to conduct political
espionage and utilize information warfare tactics is a
troubling aspect of Russian behavior.
In many ways, it seems that Russia is trying to remain
relevant on the international scene by sending cheap signals
when they have few capabilities to challenge the dominant
powers conventionally.
It must be remembered that the Russian influence operations
have been attempted in Ukraine in 2014, the United States in
2016, and France in 2017, with no discernible effect on actual
election outcomes. Each time they have failed and provoked a
reaction that both hardens the target but also alerts the next
target of the likely incoming attacks.
China, on the other hand, focuses mainly on cyber
espionage. China has entered into a cycle of probe,
penetration, and retrenchment with the United States. Every few
years the United States launches a successful counterespionage
operation that either halts China or forces them to reset their
efforts. Yet China does maintain the ability to contest
international decisions and actions that they feel go against
their interests. They have launched cyber actions directed
against missiles in South Korea and other actors in the South
China Sea.
Finally, we have Iran. Iran is thought to be a serious and
sophisticated cyber actor, but evidence suggests the opposite
of this conclusion. Past attacks did not meet objectives. They
have failed to ever target the United States directly except
for financial institutions. And, their attacks are built on
past malware. The main danger from Iran though is the high
probability that it will use proxy actors to attack Western
targets.
Now, thinking about moving forward and restoring
resilience. That digital violence is rare between States might
suggest that we have gotten this era of cyber conflict wrong.
Moving forward, we need a holistic view of the cyber
challenge. It cannot be studied purely as a technical domain,
but also we need to include international conflict, the
motivations of criminals, which would be sociology, the
psychological impact of threats, the ethics of cyber action,
legality, the dynamics of coercion in security frameworks, and
also now the biological implications of digital connectivity.
The manipulation of information is the most dangerous
aspect of cyber conflict, and it introduces a new style of
political warfare. But, we should not be shocked or
unprepared to meet this challenge.
The problem is active measures to defend the Nation and go
on aggressive attacks are often ineffective and
counterproductive. There is very little utility in using cyber
operations to compel the opposition to behave as expected or
desired because these strategies fail more often than not.
Yet we also must strive not to normalize malicious cyber
actions. Being hacked is not the price of running a government
in the modern international system. It is a perverse outcome of
building a structure and system that has little concern for
security.
Now, I know I am running out of time, so let me conclude.
In short, the geopolitics matter. Intention and willingness
matter in addition to capabilities. What we observe in
cyberspace should not be shocking or confusing because cyber
conflict is generally an extension of typical international
interests.
Thank you.
Chairman Johnson. Thank you, Doctor.
Our final witness is Captain Kevin Keeney. He serves as
Captain in the Missouri National Guard--thank you for your
service--where he leads--is it just ``M-O-CYBER?''
Captain Keeney. MOCYBER, Sir.
Senator McCaskill. We call it ``ROCK.'' [Laughter.]
Chairman Johnson. An umbrella entity for multiple cyber
teams. He is also director of the Cyber Incident Response Team
(CIRT) at Monsanto, a sustainable agricultural company. Captain
Keeney.
TESTIMONY OF KEVIN KEENEY,\1\ CAPTAIN, MISSOURI NATIONAL GUARD,
AND DIRECTOR, CYBER INCIDENT RESPONSE TEAM, MONSANTO COMPANY
(TESTIFYING IN HIS PERSONAL CAPACITY)
Captain Keeney. Chairman Johnson, Ranking Member McCaskill,
and distinguished Members of the Committee, thank you for
inviting me here today. To respect everyone's time, I will keep
my opening comments brief. My hope is to leave as much time as
possible to answer the Committee's questions in a meaningful
way.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Keeney appears in the Appendix on
page 69.
---------------------------------------------------------------------------
The cyber threat landscape is not defined by segmented
military, government, and commercial networks. It is all one
Internet. As Americans, we are extremely connected and impacted
by the Internet and its security every day of our lives.
Whether you know it or not, I would like to share two examples
that the Committee may or may not be aware of that I hope to
demonstrate how our current approach to deal with the cyber
threat landscape is not broad enough.
U.S. Transcom provides logistics and projects the U.S.
military's power around the world to conduct full-spectrum
military operations, to include things like humanitarian
relief. These fine men and women must leverage private
companies to achieve the mission and, thus, must leave the
protective enclaves of the military network to do so. This
leaves the military reliant on others for its security.
Is it right for these companies to need to defend
themselves against nation-state actors and larger entities that
have much broader capabilities themselves because they are
providing a service to the U.S. Government? This needs to
change. The U.S. Government has a role here as well.
Homeland Security might be the answer, but they lack the
authorities or capabilities to address a nation-state that
might try to conduct espionage on the movement of military
personnel and supplies. The active military might be the
answer, but they lack authorities on their standing how to
fully interact with commercial companies providing logistics to
the U.S. military that they are reliant upon to conduct
military missions around the world.
My second example is in corporate America. They create
amazing intellectual property that solves the problems and
fulfills the needs and wants of the global market. In doing so,
they operate on the Internet and are exposed to predatory
nation-states who wish to steal this intellectual property and
profit from it without having to make the large investments in
research that are needed to create it.
Senator Johnson, you kind of stole one of my lines here
because as General Alexander said in 2012, it is the greatest
transfer of wealth in history; the U.S. Government has a role
here, too.
The point I am trying to make here to the Committee is that
we need a whole-of-nation response to properly deal with this
threat landscape that we have been living with for quite some
time, much to the delight of our adversaries.
While trying to be brief, which is not easy in these
complex topics, I hope these examples serve to demonstrate the
seams that exist in our current approach. We have organized
ourselves in a way that provides opportunities to criminals,
hacktivists, nation-states, and generally malicious actors.
In closing, cyber threats facing America are many and
cannot effectively be dealt with Committee by Committee. It is
my hope that the Senate will work to address the cybersecurity
threat landscape as a whole body, combining for the defense of
the military, government, and commercial networks, like the
Internet works, not how we have organized ourselves.
Thank you for the time today, and I look forward to your
questions.
Chairman Johnson. Thank you, Captain Keeney.
We are going to turn it over to Senator McCaskill for her
questioning first.
Senator McCaskill. Thank you so much, Mr. Chairman. I
appreciate your consideration.
Let us start, Captain, with telling the Committee about the
cyber kits that you have made, and I think that the part that
the Chairman and Senator Lankford will be most interested in is
that you have done this with zero--count it, zero--additional
public money, zero additional Federal dollars. It is very
impressive. And, would you explain what these kits are and how
you are sharing this across the country with other units?
Captain Keeney. Absolutely. I would be glad to. It is an
honor to serve with the men and women that have created this
capability on their own time.
I will tell you it was born out of an exercise in which I
first met General Alexander, actually, in 2012. Cyber Guard was
the exercise, and we were National Guardsmen responding to
critical infrastructure key resources, and we brought our
little cyber kit in there, and we jumped in the mud with the
adversary. And guess what? We got bruised up, because getting
in the network which the adversary has already compromised
creates some real problems.
So, we went home, put our thinking caps on, like Guardsmen
do, and we tried to figure out a way that we could interact
with the adversary in a safe manner or passively, yet identify
their attacks. That was born out of an open-source project
known as ``ROCK,'' for network security monitoring (NSM). This
project has taken off like a rocketship. It is now, by my
estimation, through talking with various team members, used by
40 different government
entities--military, Federal agencies, research entities--and it
is also being used in the commercial market.
I think it is pretty successful. As a matter of fact, I am
collaborating with some folks from the Wisconsin Guard that I
met last week at Cyber Shield for them to start leveraging the
capability in their National Guard.
I hope I have answered your question.
Senator McCaskill. Well, you have, and I think it is really
important that, I think this is one example of where the
National Guard does not get all of the love it deserves because
you have a very big and important job in an environment at a
company that is constantly under attack by not just hacktivists
but also nation-states. And, we know that if we just look at
the F-35 and what China is fielding right now, those
similarities are not accidental. They are, in fact, a product
of cyber warfare. So, I am really proud of what you all have
done.
I think your recommendation is very interesting, and I
would like to spend the rest of our time today talking about
your recommendation. What you are saying is we should have a
new uniform service that is U.S. Cyber that brings everything
under one roof. Why don't you talk about that a moment and
talk about why you think it is important to separate U.S. Cyber
from the rest of the military and the rest of the civilian
workforce.
Captain Keeney. OK. Pretty complex topic. Obviously,
creation of an entire new uniform service is nothing that we
are going to solve here today in this room exactly, but I would
like to share some thoughts on the problems I have seen.
I do not mean to speak disparagingly, but there is a little
bit of rice bowl fighting amongst the services for cyber----
Senator McCaskill. Horrible turf wars everywhere,
especially on cyber.
Captain Keeney. Absolutely, because it is the cool new
thing and everybody wants a piece of the action.
Senator McCaskill. Right.
Captain Keeney. In particular, I see pretty hard lines
drawn between the active duty and the National Guard and
Reserve component. I find that very interesting because many of
the folks on the active duty that I have the opportunity to
train, they are wonderful. But, they are also a lot younger and
a lot less experienced than the folks that I have worked with
in the National Guard due to their experience in industry for
10, 15, or 20 years, and they are still wearing the uniform.
The things they bring to that cyber fight are rather unique.
But, I digress. I am bragging on my boys in the National Guard,
obviously.
But, U.S. Cyber I think would enable us to consolidate
training, the training that is being repeated across the
different services. How about studying how to fight this threat
and adversary through university programs that are not looking
at it through the lens of the Navy, the Army, or the Air Force,
but holistically, how do we fight this as a Nation?
And, I think there are opportunities. If we made a force
that was made of active component and Reserve component and
leveraged the titles available to each of those components,
what I mean by that is, for example, Title 32 and Title 18
authorities that people in uniform, in the National Guard, can
partner with law enforcement and with the Governors of their
States and interact with that critical infrastructure or just
businesses in corporate life.
We are not structured that way today. We look at that as
that is a Homeland Security issue, but I would question how
much that is actually happening in corporate America and what
does that collaboration look like between companies and
Homeland Security, even though that is their role, as I
understand it.
Senator McCaskill. Do you interact with Homeland Security
in your role at Monsanto?
Captain Keeney. I do not. Now, we do interact with the FBI
when we have an investigation.
Senator McCaskill. Right.
But, there is not an ongoing communication or integration
in terms of critical infrastructure?
Captain Keeney. We do subscribe to some of the government's
threat feeds through Homeland Security, but, honestly, I think
that the corporate solutions have far surpassed that with
companies like Symantec, CrowdStrike, many others. This sharing
that we are all talking about, they have an entire ecosystem
and a business model built around it that is lightning fast,
that shares information across all sectors.
Senator McCaskill. So, you are envisioning 50 percent
active, 50 percent Reserve, and what about qualifications? I
mean, one of the things I learned when I visited your unit--by
the way, if you go visit their unit, you do not get a coin. You
get a rock, which I thought was very cool. What I learned was
that there was somebody who was very talented in the unit that
almost was not allowed to continue because of a pull-up
requirement.
Captain Keeney. Yes, he had to meet physical fitness
requirements of the Army, yet this soldier in my unit is a
multi-millionaire, owns multiple businesses, is extremely
successful, and as I joke around with him, he can bend time
and space on a keyboard. And, he is an E5 sergeant, makes--by
the way, he travels from another State and probably at the cost
to himself. Like many of the members of my unit travel from all
over the country to come to Missouri and work on ROCK and
innovative projects like that. To think that we would kick him
out of the military and not have him as--when we are all
talking about the critical shortage of resources and human
capital, it just does not make sense. We need to change how we
are approaching the skills gap and how we are recruiting and
retaining talent. And, I do not know if we can do that inside
the existing military construct.
Senator McCaskill. The mental stamina is important, but
there is no reason--as you said in your written testimony for
this Committee, there is no reason a double amputee could not
perform at the highest standard in a unit that was, in fact,
dedicated to U.S. Cyber.
Captain Keeney. Absolutely. And, what purpose it would give
that individual to continue to their country in that way.
Senator McCaskill. One of the problems we have with this
area is that we are trying to approach this like we have
approached every other problem. We had a cyber hearing in Armed
Services yesterday, and my staff did a chart of the Cyber
Command within the military, and then did a chart with NPPD at
Homeland, and I got to tell you, it is worse than spaghetti. It
is so confusing and so disparate, and there is no wonder that
we are having all these turf wars.
So, I think, even though this is a bold idea--and a lot of
people around here would just go, ``Well, we cannot do that,''
and there is probably going to be significant pushback from the
military--I think this is a really good idea, and I think it is
time we think outside the box. And, I appreciate you bringing
it to us today.
Captain Keeney. I think the U.S. Army pushed back pretty
hard. They did not want to lose a thing called the U.S. Army
Air Corps, and the creation of the U.S. Air Force, thanks to
Billy Mitchell, it worked out pretty nicely for us.
Senator McCaskill. It sure did, so that is a great example
that we need to think boldly and be aggressive here. I do think
in the long run it is going to save us resources, too, and up
our capability, especially in terms of interaction with the
private sector. So, I really thank you, Captain, for being here
today.
Captain Keeney. Thank you, ma'am.
Chairman Johnson. Thank you, Senator McCaskill.
We will turn it over to Senator Lankford, but I just want
to quick follow up because the question I have in terms of what
you do, what threats are you addressing in your exercises? Is
it strictly threats against the military? Is it against the
homeland? What are you exercising?
Captain Keeney. So, I would say it depends on which
exercise you go to, the focus of that exercise. Cyber Shield is
the exercise the National Guard Bureau hosted last week in
Utah. It was definitely focused and had a leaning toward
protecting critical infrastructure and key resources inside a
State and leveraging Title 32 ability for a Governor to say,
hey, in a State of emergency, go help these guys, they have not
delivered water in a week, or something, and they need help.
Senator McCaskill. Or there is no light.
Captain Keeney. Right, or there is no lights or whatever.
So, those scenarios are being built for sure, but there is not
a whole lot of personnel, manning, training, funding, all of
that, because--and the buildup of the cyber mission force that
General Alexander kind of kicked off--I think it is 5,000 to
6,000 personnel--it does not include those elements at all.
Chairman Johnson. But, again, your exercise is primarily
about critical infrastructure in your States as opposed to
exercises in terms of military assets.
Captain Keeney. Absolutely, which is a great step in the
right direction.
Chairman Johnson. Again, that is really what we are
concerned about here in the Committee.
Captain Keeney. Sure.
Chairman Johnson. I will turn it over to Senator Lankford.
OPENING STATEMENT OF SENATOR LANKFORD
Senator Lankford. Thank you, Mr. Chairman.
Mr. Greene, let me ask you about the threats and the
quantity of threats worldwide at this point. Give me a best
guess here, cyber criminals versus State actors versus folks
that are just hacktivists that are trying to just cause mayhem
in a certain area. Give me a percentage of the threat.
Mr. Greene. Well, it depends upon the sector being
attacked. I do not mean to lawyer the answer. One of the other
issues you run into is there are not clear lines. A lot of
times you will have a nation-state either acting as a so-called
hacktivist or using hacktivists without knowledge. I would say
that on the financial fraud, until this year, it was 99 percent
criminals. This year was the first year we saw a major nation-
state engage in major bank fraud, the North Korea attacks on
Bangladesh and elsewhere. So, the pure dollars is probably
still low. As I said, the FBI put the BEC scam at $5 billion
over 4 years. The Lazarus Group took, I believe, $81 million
from Bangladesh.
In cyber espionage, I am purely guessing. A guesstimate, I
would say you are looking at the majority of it, if not more,
being nation-state, or certainly appearing to come from nation-
state regions. The issue there you have sometimes, though, is
something could look like a nation-state, but you do not know
whether someone is doing it as part of their day job or is
taking the skills they learned in their day job and are using
it at night and selling it on the black market.
Is there a third component I missed?
Senator Lankford. No. That is fine. That gives me a good
balance there. How many of those are outside of the United
States when we deal with cyber criminals? Obviously, all
nation-states are outside the United States. But, the actual
individual on the keyboard is outside the United States?
Mr. Greene. The percentage of--the large criminal groups
are typically based outside of the United States. Their
infrastructure, though, is global, so you will see a lot of
attacks. The actual launch point will come from inside the
United States. I believe that still the majority of the launch
points come from an actual computer in the United States. But,
the major gangs that we see, Bayrob that I mentioned, which was
taken down in Romania, there was an Estonian group a few years
ago, you see a lot--the overall majority of that activity is
not U.S.-based in terms of the top leadership at this point.
Senator Lankford. OK. So, let me broaden this out to a
broader conversation as well. We have talked for years about
having a cyber doctrine, a clear set of lines and boundaries
where the United States would be able to announce worldwide
here are the boundaries for what we would accept or what we
would not accept, and here are the responses that we would
have. That has been discussed but has not been implemented.
So, my question of any of you is: What are the major
features of that cyber doctrine that we need to make sure that
they are there from your perspective so we can actually work
toward getting this implemented? And, as we deal with nation-
states and we deal with international actors, what are the
pressure points to be able to apply to people, to be able to
make sure there is actual enforcement? Anybody can jump in.
Mr. Chabinsky. I will take a shot at this, Senator
Lankford. In my time with the intelligence community (IC), I
found that the aspect that was lacking most was what I would
refer to as ``options analysis,'' meaning that the intelligence
community did then and does now quite well a review of the
threat itself and, in fact, even within incidents, the ever-
increasing ability to find attribution. And, then, we would
write it all up as an incident report and hand it to the
President of the United States, essentially saying this is what
happened. And, what was clearly missing was, well, what can we
do about it? What are the options?
No one in the private sector ever would provide their boss
with a copy of a problem without some reasonable basis of what
the options are, but the intelligence community to this day is
not set up with a group of career intelligence analysts across
what I would call the Diplomatic, Information, Military,
Economic, and Law Enforcement (DIME/LE) options--all elements
of national power as can be provided by the government or the
private sector or the government and the private sector working
in concert.
So, we do not know what works, and we do not know how that
applies to specific criminal groups or specific nation-states.
As a result, to answer the question becomes hard because we
have not created the intelligence that would allow us to
understand what our options are.
Senator Lankford. Great, but when I move back to this
intelligence, it really provides us information for
policymakers to be able to make the decisions. I think my
question for you is: Who is helping develop that list of
options that you are articulating to say this is the boundary?
It is one thing to be able to know where it is coming from. It
is another thing to be able to know what is a reasonable,
effective deterrent.
Mr. Chabinsky. So, clearly, when it comes to critical
infrastructure, there has been a large series of normative
discussions internationally about taking down destructive
attacks on the energy grid, on the financial services grid, as
these types of boundaries, but less understood on what the
boundaries are or what we would do about it. And, I am not
aware of groups that are exploring those types of options.
Senator Lankford. OK.
Mr. Valeriano. I think this is the next step. We need to
have a comprehensive list of all cyber incidents, and that
could be something the DHS or another organization could start.
There has been talk, but we have not actually done that, and
that is the problem. We do not have a basis of evidence. We do
a lot of speculation, and we cannot make policy based on
speculation.
There is only one real line that we need to institute, and
that line is violence; that line is destruction. Anything more
than that will limit our own ability to respond and act. So,
that is a problem with setting up lines in cyberspace. The
clear thing is to stop any attack on critical infrastructure--
anything that can cause death and destruction, if we have not
seen it yet, and hopefully we never will see.
Mr. Greene. If I could answer, I think one important point,
there has been a lot of literature written about could we have
cyber norms, and the argument against it frequently is, well,
we will not have compliance, how will we know? I think we need
to have the conversation going in, understanding that there
will not be perfect compliance. It is impossible. President
Reagan said, ``Trust, but verify,'' in a different context. We
need to understand that we need to do it as best we can. An 80-
percent solution would be better than where we are today. So, I
think one of the things that has stopped a lot of the
conversations is this debate over can we come up with perfect
norms, and the answer is no. But, that does not mean we do not
try.
Senator Lankford. Right. Well, this continues to
accelerate, and I know I am running out of time. I will honor
that as well. But, this continues to accelerate. I was with one
of our universities doing research on cyber activity where they
have developed the capability, which many others have--and they
are studying the opportunities there--of pulling up next to a
vehicle, hacking into their Bluetooth from the vehicle, and
taking control of the vehicle. That is something that most
Americans do not consider, that there is the possibility that
someone could get close to them and be able to do that. But,
they are trying to evaluate not only how easily can it be done,
how many things can you operate once you are in the system,
whether it is a heart monitor that is connected, whether it is
the Internet of Things, whether it is operating systems,
whether it is a small manufacturer that bought a piece of
equipment but then has not upgraded the software in years, and
the vulnerabilities are there. We are exceptionally vulnerable
in our system. And, I do agree that one of the prime things we
have to move is in actual deterrence, that if someone reaches
it and uses that, what is the consequence of it? And, that
helps provide us the next step of what needs to be done, and I
would hope we could work with this Administration to help
actually get that close and so that worldwide there is a
relationship internationally, if you hack into our systems and
if you steal our information or if you destroy systems, here
are the boundaries and here is what our response is.
I yield back.
Chairman Johnson. Senator Lankford, I will turn it over to
Senator Daines. And, I will turn it back to you if you want to
stick around. I am here for the duration, anyway. Senator
Daines.
OPENING STATEMENT OF SENATOR DAINES
Senator Daines. Thank you, Mr. Chairman. And, thank you for
your testimony today on this critical area of national
security.
My observation has been that over several years
policymakers have lamented this growing problem, yet there have
been few meaningful solutions beyond saddling businesses with
more regulations.
Mr. Chabinsky, I appreciate your comment around it is kind
of, I think, embedded in the culture of this town, and that is,
we will answer the question, ``So what?'' but not the question,
``Now what?'' in terms of optionality and action plans.
I spent 12 years in the cloud computing industry before
coming to Congress. I do understand how important it is for
businesses to guard sensitive data. Our hosting operations were
targeted. Our business model was selling to Fortune 500s and
large public institutions. I do understand how important it is
to guard that data and the responsibility you have to your
customers to protect it. Securing sensitive information is an
important part of the conversation, but there is more to be
done. I do believe that as lawmakers we need to widen our
aperture a bit, and I do appreciate being here today and you
all being here.
I venture a guess that many here would not dispute that the
private sector rapidly outpaces the Federal Government in its
ability to adapt and respond to rising trends in cyber crime.
In fact, that is why just back in February I introduced the
Support for Rapid Innovation Act of 2017, which allows DHS to
foster and enable progress rather than impeding it by setting
static requirements. This bill would promote deployment of more
secure information systems, better detection and discovery of
malicious code, faster recovery.
Mr. Keeney, you are the director of a Cyber Incident
Response Team for a publicly traded company. Where could you
use more help from the Federal Government? And, conversely,
where does government interference simply get in the way?
Captain Keeney. So, speaking from my opinion, I would say
that the way the government could help most corporate America
is to do the things that corporate America cannot do for
itself. So, U.S. law does not allow for corporate America to
strike back against an adversary that continues to bloody their
nose and do damage to their shareholders, which are likely
American citizens.
The U.S. Government, when they do targeted offensive cyber
operations, they are generally in response to traditional
military operations. But, I do not hear much or see much about
offensive operations being done as a counterpoint, as somebody
crossed a red line, you are not going to steal intellectual
property of a company valued at $1 billion or some number, some
threshold; every situation is different. But, the U.S.
Government can do those things because U.S. law does not allow
those corporations to do it for themselves.
If a tanker ship full of goods sailed out of the port in
Delaware and in the middle of the Atlantic got sunk by a
nation-state adversary, what would be the response of the U.S.
Government? I think it would be pretty clear. We would go after
quite quickly whatever nation-state did that. Why is it any
different in cyber?
I hope, Senator, I have answered your question on the front
half of what I think the government can do. It is mainly the
things that we cannot do for ourselves.
Senator Daines. Yes, I think that is kind of along the line
where Senator Lankford was headed here in terms of kind of
rules of engagement in defining a doctrine as it relates to
cyber. I was an advocate and supported, as we debated last
year, elevating cyber to its own combatant command, Cyber
Command, to try to focus efforts here and get ahead of this.
I joined our cloud computing company in 2000, a few years
after it started up. We grew the company, took it public. It
was acquired by a large corporation. But, back then, it was
trying to let bankers understand the fact that basically our
asset here was IP. You cannot come and count and measure the
asset. We always said if our cloud computing company ever went
out of business, all that was left was cubicles and some
computers. So, it is all in the power of the electrons. That is
the power, the IP. And, when you have whether it is a nation-
state, some bad actor out there destroy electrons in this case,
or code, from a cyber attack, that really is not any different.
You used a good analogy there of destroying a physical asset.
When you start thinking that way, that is helpful feedback for
us here, how we can help the private sector.
Let me shift gears here and talk about another subject:
attribution. It concerns me that policy discussions on cyber
too often default to mitigation and recovery. If we compare
cyber crime with a physical robbery, we are focused entirely on
building a bigger, better fence. Physical security around a
house or a building works not because the barrier is
impenetrable, but because there are consequences for getting
caught. We use floodlights for deterrence, cameras to identify
criminals. We provide information to the police, and that leads
to an arrest. Right now, there are few, I would argue no,
consequences for cyber criminals.
Mr. Chabinsky, I refuse to accept that attribution is an
unsolvable problem or something that can only exist in the
shadows of the intelligence community. Given your experience
with the FBI's Cyber Division, how can we hold these hackers
accountable?
Mr. Chabinsky. Senator Daines, let me start by saying when
I was growing up, I used to be impressed when I saw that there
were Members who were medical doctors, and I am still impressed
by that, but I do not know how useful that is for
representation. I am far more impressed now when there are
Members who have a technical background, and so it is really
quite important for our Nation that you are representing us,
and I appreciate your service.
If I could agree more than 100 percent, we have completely
looked at this topic in a way that would never be acceptable in
any other context by going and blaming the victims. Time and
again, we see after an intrusion that the CEO is called to
testify, even before committees in this institution, of how
this could happen and what they are going to do about it. But,
what we do not see is the FBI call to ask what are we doing to
catch the bad guys and when is this ever going to end.
Attribution is not as large a problem as one might expect
when you have attackers who are working over time, whether they
are criminal actors or nation-states, it is actually quite
difficult to keep anonymity for any meaningful length of time.
There is this phrase in the security community that the
defender has to get it right all the time, but the attacker
only has to get it right.
Well, with respect to attribution, as far as the bad guy is
concerned, it is just the opposite. You have to have your
tradecraft right 100 percent of the time, and losing it just
once leads to attribution. And, the headlines will show that we
are much more confident with attribution. What we are not
confident yet with--and this is what Senator Lankford was
saying--is what are we going to do about it. And, that is where
the government--again, with Captain Keeney to my left leading
the charge, that is where the government needs to come in. We
have spent even on the government side tens of billions of
dollars on information security to patch systems, billions of
dollars, but our funding for law enforcement is perhaps in the
millions. The FBI, with over 14,000 special agents, has a few
hundred special agents that are involved in this type of
investigation and attribution and then penalty.
There is just no doubt that businesses cannot defend
against the types of organized criminals and intelligence
services we have. Until we realize that it is not the
government's role to help the private sector better protect
itself by giving them guidelines and giving them information
about patches, but to get out there and get rid of the threat,
we really are going to see this rise to unsustainable levels.
Senator Daines. Well, Mr. Chabinsky, you asked if you could
agree with me more than 100 percent. I would ask the same of
you, actually. [Laughter.]
It is interesting, you have lawmakers who want to run to
say how can we better protect the private sector as it relates
to technically. There would be a few things there, but
generally it is tap it light. Every private sector
organization, one of the greatest fears you have is making the
front page of the Wall Street Journal because you just
compromised the information of your customers. That is built
in--that is why in the C-suite now, of course, the Chief
Information Officers (CIOs) and Chief Technology Officers
(CTOs) are certainly sitting right by the CEO because of the
risk and the downside consequences of that kind of a
compromise.
But, I think you have provided some guidance and some
clarity here around what real help might look like and what the
Federal Government's role ought to be focused on, and I thank
you for those comments.
Mr. Chabinsky. Thank you, Senator Daines.
Chairman Johnson. Thank you, Senator Daines.
Let me follow up on that thread of questioning, because we
are still asking the question: What can you do about it? And,
that is fine to set up a cyber force, fund more law
enforcement. Once they have the resources, what will they do
about it? It is nice to hear that we are better at attributing
these things, which is part of the problem, but you have that
same problem in kinetic warfare as well, potentially. Who
perpetrated this attack?
Once we have attributed it, and let us say there is a state
actor, I want to know your suggestion. Here is your chance.
What will we do about it? I will start with you, Mr. Chabinsky.
Mr. Chabinsky. Thank you, Senator Johnson. I think as
earlier testimony from Mr. Greene supports, when we decided to
make a full effort to address Chinese cyber espionage, economic
espionage, it, in fact, was quite successful. But, it took
everybody realizing that they had to stop telling people to
patch their systems and live with Chinese economic espionage.
It became a central focus of Congress as well as the last
Administration. At every single high-level meeting with Chinese
officials, this topic was addressed, and it ended up resulting
in an agreement that, by and large, has been effective for what
it was hoping to achieve.
Chairman Johnson. You are saying publicly exposing, public
pressure, sanctions potentially on the actors, those types of
things, is what would be your first line of response?
Mr. Chabinsky. Every nation-state responds differently;
there are different carrots and sticks for different nations.
Sometimes you can do things positively. We have also seen on
the criminal front enormously successful international
takedowns of organized crime groups, but they are too few and
far between because they are underfunded.
Chairman Johnson. Well, but also protected by rogue regimes
as well, right? They are outside the long arm of the law if
they are potentially in Russia, potentially in China. What
about North Korea? What do you do about North Korea?
Mr. Chabinsky. To some extent, but I do not need to remind
the Senator that we are the United States of America.
Chairman Johnson. I understand.
Mr. Chabinsky. And, if we are going to be here hand-
wringing that we have no influence internationally against
rogue nation regimes, then we might as well hang it up and call
it a day as a country. OK? We have enormous elements of
national power. It is time to get serious and create a
strategy----
Chairman Johnson. I was not hand-wringing----
Mr. Chabinsky. I know the good Senator was not. And so, I
believe that we have the capabilities. We just have not been
funding any thought leadership in those areas to figure out
what to do about it.
Chairman Johnson. Dr. Valeriano, what are your thoughts on
this?
Mr. Valeriano. There is a reason we have not seen much
escalation in the cyber domain, and that is because everyone is
vulnerable. Asking for more escalation, asking for responses,
looking for conventional or even cyber responses to cyber
violations is a dangerous step that we have not taken yet,
other nations have not taken yet, and there is a reason why,
because we are all vulnerable.
So, what we are asking for here is dangerous, and that is
why we have instituted a system of norms that seems to have
worked so far. And, what we have done to reply in terms of
sanctions or diplomacy has generally kept a lid on the cyber
escalation so far. And, the worry is if we go further, what
will happen next?
Chairman Johnson. So, you are agreeing with Mr. Chabinsky
on this one? Because I think in testimony you were pushing
deterrence, and you were saying it is impossible.
Mr. Valeriano. It is more that I just do not believe in the
word ``deterrence'' in cyberspace because of the way that term,
what it really means, it does not fit. But, we do need
responses. It is just these responses need to be managed, and
they need to fit into the international context as they operate
now.
Chairman Johnson. Mr. Greene, do you want to chime in on
this one?
Mr. Greene. On the criminal front?
Chairman Johnson. I mean, the response. So, again, just to
summarize what I am hearing, on the one hand, to respond
offensively with other cyber attacks we are saying is pretty
dangerous. We are all vulnerable. We are going to ramp it up.
So, what has been effective is raising the issue, having
reports, saying that we have this little directorate in a
particular nation-state exposing that, putting diplomatic
pressure on it, seems to have provided some measure of success.
What else can we do? Or what is your reaction to--I think I
summarized that properly.
Mr. Greene. We are not going to arrest our way out of this
problem, but we can help it, and I go back to when I talked
about how we address security generally, there is no 100-
percent solution. There might be 5, 6, 7, or 10-percent
solutions. The arrest of the three Romanians who were
extradited had a deterrent impact on other criminals.
Indictment alone, even if we cannot reach out and touch them,
if you have an international indictment, international scope,
you limit the ability of a criminal to travel, to use their
funds. It has an impact.
Chairman Johnson. To travel, to use their funds, transfer
those around the world.
Put them in a safer place.
Mr. Greene. I suspect that the Chinese military folks who
were indicted 2 or 3 years ago probably did not like seeing
their faces on FBI wanted posters, the same with the seven
Iranians who were indicted. But, it does, as Mr. Chabinsky
said, come back to resources. The FBI is doing what it can.
They have some really great people, and they partner really
well with the private sector. But, we can amp up that
deterrence if we have more folks working it.
Chairman Johnson. Let us make the analogy to criminal
statutes. You have a very well defined crime. We all know
exactly what it is. I am not going to use an analogy, but you
can think of your own. And, then, you have very well defined
penalties in law.
We do not have that for cyber criminals--I mean, we do but
we do not. Correct? For example, cyber warfare, what is the
definition really of cyber warfare? And, I think, Doctor, you
were talking about if it crossed the threshold of violence, I
think that is what you said.
Mr. Valeriano. Yes, war denotes violence.
Chairman Johnson. And, that could be violence against
things as well as people, correct?
Mr. Valeriano. Not necessarily.
Chairman Johnson. You would confine it to people?
Mr. Valeriano. Yes.
Chairman Johnson. So, you would not consider it warfare
then when, for example, we believe North Korea destroyed how
many computers at Sony? If a bomb were dropped and thousands of
computers were destroyed at a company, would we not consider
that warfare?
Mr. Valeriano. Conventionally, in academic discourse, it is
a thousand battle deaths. That is what warfare----
Chairman Johnson. Pardon?
Mr. Valeriano. A thousand battle deaths is what warfare is
in terms of figuring out what it is and what it is not.
Chairman Johnson. OK.
Mr. Valeriano. And, that is how we have always defined it,
and that is how we continue to define it. And, I do not see any
need to change it with cyber warfare.
Chairman Johnson. So, would you say that we have defined
cyber crime, cyber warfare, well enough?
Mr. Valeriano. I think so. I think we use the term ``war''
too much. You could maybe call this ``political warfare,''
``gamesmanship,'' things like that. But, it is not war.
Chairman Johnson. But, it would if they started attacking
critical infrastructure----
Mr. Valeriano. Yes.
Chairman Johnson [continuing]. And lives were----
Mr. Valeriano. And, the reason you do not want to call it
``war'' is because that demands a response. And, it is not
clear we can respond at this point, so we want to save it for
those real instances where we have to respond.
Chairman Johnson. Can you guys comment on what the doctor
just said there? We will start with you, Captain.
Captain Keeney. I would like to tie together a few of these
things that we have been talking about over the last couple
minutes.
So, from an attribution perspective, I think pretty
recently CrowdStrike did some attribution of--it is a public
company, not a U.S. intelligence agency, so, therefore, anyone
who pays for their subscription gets this information, right?
On Ukraine in specific, there was an application that the
Russians were using that soldiers in the Ukrainian military had
on their smartphones, which then led the Russian military to be
able to target those soldiers in the Ukrainian military who
were using artillery pieces. How interesting.
Well, guess what? In the battle, warfare, they were able to
target the high-end artillery pieces with 80 percent success in
destruction and like 50 percent in the lower-end pieces of
artillery. So, that is great. That is what I would call hybrid
warfare. So, it is the mixing of both of these domains.
So, then how do we respond to that? I believe that is the
question we are kind of talking about. I think we have to
define, Did they cross a red line? If they did, is their intel
gain lost? Do we need to attack back or not? Do we lose
something if we do? The whole impacts of DIME obviously have to
be assessed.
Then we target it, and that targeting could then pick an
effect. It could be cyber in nature; it could be physical
destruction in nature; it could be political in nature. And,
then, we deliver the effect, especially if they cross a red
line. And, we should not reveal what those are to our adversary
either, which we have done in the past.
Chairman Johnson. I would argue in that case you are
already in a kinetic war. I think we already define that as
war, and we just assume that the armies are going to be using
whatever cyber assets they have to conduct that war. I think
really what is more troubling is outside of kinetic war, you
are just sitting here minding your own business, and all of a
sudden there is an attack, whether it is a denial-of-service
attack or----
Captain Keeney. I could give you a very relevant example
from corporate America. So, if China has been stealing our
intellectual property and doing things like that pretty in the
open and hacking, and we had a pretty good response through
political means to change that, what I think would happen--what
I think has happened is our adversaries changed their tactics.
The war is still ongoing. They are just not using overt hacking
techniques. Instead, they have moved to human intelligence
collection operations inside of corporate America. I know this
to be true.
Chairman Johnson. Well, there is a reason their fighter jet
looks a lot like ours.
Captain Keeney. Exactly.
Chairman Johnson. Doctor, you were going to say something?
Mr. Valeriano. I would just add that changing the tactics
means that what we are doing actually is working, and if they
are reverting to conventional intelligence means, that actually
is a very useful result.
The other thing about the CrowdStrike issue and Ukraine is
that was retracted by CrowdStrike, and they said that they
overestimated the impact of these attacks on the artillery
pieces. So, we are not even sure we have very good examples of
active cyber warfare.
Chairman Johnson. Well, let us put the kinetic part of that
Ukrainian conflict aside and just open source, the attack on
the electrical grid twice now. Pretty sophisticated cyber
attack. That is what I am talking about. That type of thing is
really coming close to maybe what you want to define as cyber
warfare, but I think most people would probably consider it to
be so.
Mr. Valeriano. It does seem to be, though, basically probes
and testing how far they can go. And, the solution was very
conventional in that they just flipped the switch and turned
things back on.
Chairman Johnson. Well, they had breakers. They could do
that. I am not sure--as I understand the American--and I am no
electrical engineer here, sorry. I am an accountant. But, at
least I am an accountant, OK? I am a business guy. We would
have a much more difficult time. We are probably more
vulnerable because of the advancement of our technology. That
is part of the problem. With the Internet of Things, all the
explosive devices, we have become more and more dependent on
our electrical grid, more and more dependent on the Internet,
and as a result, we are far more vulnerable, which I guess
would indicate to me we better start defining these things. We
probably ought to start laying out some pretty strong lines and
be very predictable. You cross this and, this is something that
we would define as war, and, then, of course, policymakers,
Presidents, Congress, would have to decide what the response
would be.
Does anybody want to argue against that point?
Mr. Valeriano. No, and I would just add that we should not
blame the victim, but we also have to look to the victim and
see what they are doing, and that is clear from your example.
Chairman Johnson. Sure. But, again, I think Mr. Chabinsky's
point is very appropriate, that analogy, in terms of blaming
the end user and Flint. Would we really expect every household
to put in a filtration system? Does it not make a lot more
sense at the source? And, that would really get me into my next
line of questioning, the personnel issue.
I want to visit your--whatever you call it, the ROCK or
MOCYBER. I think it is a really intriguing process because I
think that is what we need to do, is we need to figure out how
do we tap into the brilliant minds in the private sector across
the board, not just as it relates to this. I mean, you take a
look at our IT resources here in the Federal Government. They
are just antiquated. We are still using floppy disks
apparently. Some of these are just legacy systems that are
ridiculous, but we have layer upon layer of procurement
policies that make it almost impossible to update and
modernize. We cannot afford to let the bureaucratic sclerosis
prevent us from really addressing these cyber threats.
So, how do we do that? I mean, we have one example of how
we did it with the Missouri National Guard. Can you just kind
of speak to that? Mr. Chabinsky, you are at the ready there.
Mr. Chabinsky. Thank you, Chairman Johnson. First, I would
say we have to really figure out what we want our people to do.
I think that the workforce development issue runs the risk of
training a lot of science, technology, engineering and
mathematics (STEM) minds and taking them away from innovation
and curing the problems, the bigger problems of----
Chairman Johnson. Well, I would rather have them in the
private sector, but we have to figure out how to tap into----
Mr. Chabinsky. But, what I am suggesting is that I do not
want to have to have them at all. In other words, if we solve
this problem correctly, we do not need more and more people to
solve the problem. So, if we can get this up to a higher level,
the first question is: What is our strategy, and what people we
need--the fewer amount of people that are needed to execute on
a strategy that will reach the greatest goal?
Chairman Johnson. Just to clarify, what you are saying is
what you would like to see is in the private sector, every time
you design a new device, that source is where you build the
protection, the defense so it cannot be----
Mr. Chabinsky. So a four-part plan. One is threat
deterrence. The other is at the Internet ecosystem itself where
there is much greater visibility on where botnets are, where
the command and control is and the ability to take those down.
And, then, at the device level, making sure that the market
works better through more transparency and what the security
is. And, finally, better metrics that are designed to show is
what we are doing actually working against the threat.
In each of those instances, what is clearly not needed are
more people on the ground in every agency and every business
that are running cybersecurity. You might only need 1,000
people at the Internet ecosystem level. You might end up
needing 40,000 people for workforce development at the business
level.
Chairman Johnson. Again, I get your point, but how do you
organize and how do you direct those 1,000 people?
Mr. Chabinsky. So, one area that we had recommended on the
Commission for Enhancing National Cybersecurity is that we
should consider apprenticeships, because the pace of this
problem is moving so quickly, and going through school and
building up debt and then getting out only to find out that
what you learned 4 years ago has no practical application to
the current threat just is not working for us. In some parts of
Europe, including the United Kingdom (U.K.), there are
apprenticeships where the Federal Government actually helps
sponsor what the credentialing would be, where a company brings
people in, it is on-the-job training, they are getting paid for
doing it, and we could have a better workforce immediately. So,
that would be one example of a way to get more people into this
battle.
Chairman Johnson. So, where would those apprenticeships--in
which companies?
Mr. Chabinsky. Well, currently----
Chairman Johnson. Service providers or----
Mr. Chabinsky. Everywhere, unfortunately, now, because it
is needed everywhere. One day I would like to have a strategy
that would focus them up to higher levels.
Chairman Johnson. Does anybody else want to speak to what
Mr. Chabinsky is saying? We will start with you Mr. Greene.
Mr. Greene. Two points. On the apprenticeship point, we
have a program similar to that in our company, Symantec Career
Connection, where we work with high school and college-level
students to get them on-the-job training, help place them when
they get out, tend to serve military and underserved
communities.
The second point, though, is identifying what resources you
have is really important. We just finished internal cyber war
games that we do every year, and part of that is to motivate
the workforce, to have something everyone enjoys working on,
but also we identify skills in people that we may not know they
have, they may not know they have. We come out of that with a
better knowledge of what our workforce can do and how best to
use the skills that they have.
So, there are ways that you can do it. I think that there
are probably folks within agencies, companies, whatever, who
can do a lot more than they are. It is easier to take someone
who knows a network, teach them how to secure it, than to bring
in someone who does not know that network, has a school book
knowledge of security, and have them learn both things at once.
So, we need to make better use of the resources that companies
and government already have.
Chairman Johnson. By the way, I am all for efficiency and
doing things smart. So, in addition to the apprenticeship, are
you pretty well buying into what Mr. Chabinsky is saying here
in terms of the approach, invest it at the source as opposed to
the end user?
Mr. Greene. Yes, I think----
Chairman Johnson. That is the right direction?
Mr. Greene. Yes.
Chairman Johnson. Doctor, do you have an opinion on that?
Mr. Valeriano. Well, I think what we have here is education
in universities, and we are not leveraging the power of our
universities so far. We have NSA accreditation on different
levels, but that is about it, and it is not really used to
great effectiveness. We have not seen great programs built. We
have seen a lot of money go to private universities, but it has
not been used very well. We need to expand diversity. We need
to expand access. We need to do this throughout the United
States, and we have not done that so far.
Chairman Johnson. By the way, last week we had the
Chancellor of UW-Madison talking about 42 percent of researcher
time on Federal grants in research universities is spent
complying with Federal regulations, pushing paperwork. So, no
kidding we are not very effective at this.
Captain, do you want to comment on this part of the
discussion?
Captain Keeney. Yes, it reminds me of a book I read
recently about the history of the American Telephone and
Telegraph Company (AT&T) and Bell Labs and how Bell Labs grew
into AT&T and created satellite and fiber optics and all the
things that we take advantage of today. They got so big and so
dominant that we had to break them up into smaller pieces,
right?
Chairman Johnson. And, they got more competitive.
Captain Keeney. All that kind of stuff, right?
Chairman Johnson. By the way, I like small business myself.
That is where I come from. I like competition.
Captain Keeney. Sure. Me, too.
I have owned a couple along the way. But, my point there is
in reading that book, one of the things that stuck out to me
and I think is relevant to this conversation is the people that
made the biggest leaps were not the engineers; they were not
the guys that studied and got a degree in physics. They were
important to solve technical problems, but it was the
innovators in the early days of Bell Labs, the guys and gals
who thought outside the box, who just wanted to tactically
solve problems, who then went to an engineer who was certified
and trained in all those things, and said, ``I need to solve
this piece of the puzzle,'' but they were able to innovate.
And, I think in the cyberspace, by apprenticeship programs and
getting younger minds engaged and not having to go get $100,000
in debt and take 6 years to get through a program before we get
them applied to the problem, I am always impressed by young
people when you just give them a problem to solve.
Chairman Johnson. By the way, it is interesting you just
mentioned this. I just pulled up a quote I sent myself, George
Bernard Shaw: ``The reasonable man adapts himself to the world;
the unreasonable one persists in trying to adapt the world to
himself. Therefore, all progress depends on the unreasonable
man.''
Kind of adapting to what you are talking about is you do
need people thinking outside the box, looking at this, and it
is not necessarily coming from computer scientists, though. It
might come from somebody--and that is why the more people you
have looking--I would say it is smaller innovative companies is
I think where the solution lies, as opposed to some massive
Federal bureaucracy trying to really dictate this, which is one
of the parts you pointed out, too, is let us address this from
the standpoint as it is as opposed to the way we have
constructed our bureaucracy. Is that a valid point?
Mr. Chabinsky. And, Chairman Johnson, if I could just pull
a thread on what Captain Keeney said, he said that the young
minds were brought problems to solve. We have an enormous
capacity in the cybersecurity world never to define what the
actual problem is that we are looking to solve. And so, we have
a lot of information sharing where people are just throwing
things at each other, but there is really no goal at the end of
it all. And, we somehow think that it will all magically come
together to solve the cybersecurity problem. Why do we not
define first what are the five largest cybersecurity problems
our Nation is facing, then figure out who are the--but, let us
figure out who the fewest number of companies, who the fewest
people are to create the solutions for the top problems to
inure to the benefit of the most.
Chairman Johnson. So let me just, a little off topic, but
my perspective, coming from the private sector, in Washington,
D.C., is everything is tactical. My problem-solving process in
the private sector starts with laying out reality, strengths,
weaknesses, opportunities and threats (SWOT) analysis, root
cause analysis based on that reality. And, by the way, we are
trying to lay out that reality here. That is what these
hearings are about. You establish goals. Once you agree on what
the goals are, then you start developing the strategies, and
the tactics are there to support the strategies. But, if you
are at the tactical level, they are not tied to a strategy.
They are divorced--if they are not directed toward a goal--they
are divorced from reality. I think I just described the Federal
Government versus the private sector.
So, we need to lay out the reality, and the problem we have
in cyber is it is very complex, and we do not have very many
members with Senator Daines' experience on this. I was at an
American Enterprise Institute (AEI) conference, and we were
talking about the whole encryption issues. And, one of the
points I made is on this island we are primarily Gilligans; not
too many professors here.
So, it is a real challenge, the complexity of this, and you
just have people that do not--there are very few professors.
So, it starts with that knowledge.
But, let me close this out because I have to close this
hearing in 6 minutes. What would you say are the top
priorities, what are the things that, this dysfunctional place
needs to do to start addressing this more effectively? And, I
will start with you, Mr. Greene. Then we will just go right
down the aisle. Give us the number one thing we have to do, or
number two. And, I will just tell you, in the first 4 years
where everybody was saying, ``Hey, you got to do
cybersecurity.'' It was always, ``You have to start sharing
information more effectively.'' And, we kind of did that a
little bit, but we have just barely scratched the surface on
what we need to do. Mr. Greene.
Mr. Greene. The thing that worries me the most long term on
a national scale is the explosive growth--and we are still at
the lip of the curve--of connected devices. And, the point you
made about Ukraine getting the power grid back online because
they could go flip a breaker, we need to start building systems
that--assessing how critical they are, if they are truly
critical, either not connecting them--that has to be an option;
it is not considered today--or making sure we have some manual
way to fix it if we are talking truly critical. So, securing
those critical devices that are going to be connected.
The other half of that piece is shifting the market
incentives. Right now, there is all the incentive to be first
to market. There is no incentive to be secure to market. Most
of the incentives should be functionality, speed getting to
market, but we need to build in in the design phase at least
the thought to the security piece. So, if we can introduce the
concept of secure to market, either through empowering
consumers, understanding what they are doing, how the
government purchases, but we need to focus on that as we
connect everything.
Chairman Johnson. In Israel, they have the cyber director
now reporting right to the Prime Minister, and they have the
three R's: two of them are resiliency, building it so it is
resilient, but then be able to recover. That is what you were
just talking about. Mr. Chabinsky.
Mr. Chabinsky. Mr. Chairman, I would recommend that the
United States take immediate international leadership to create
what I would call a ``moon shot,'' which would be to rid the
entire international community of all major botnets within 2
years. If you look at what botnets generate, it includes
economic espionage with command and control. It includes
financial theft with the command and control of credential-
stealing malware. And, it obviously includes attacks through
distributed denial of service (DDOSs) of our energy grid and
other critical infrastructure.
I believe that that is possible. I believe that it would be
an effective way of building international communities as well
as determining the vast different roles of governments and the
private sector. And, I think that if we were able to achieve
that, not only would we resolve an enormous amount of problems
before they ever reach our financial sector, our power grid,
or companies; but it also would end up building the type of
thought processes that could tackle a lot of the other problems
we are seeing. And, I would look forward to working with the
Chairman to scope that measure out.
Chairman Johnson. OK. I like the idea. Doctor.
Mr. Valeriano. Of course, the challenge is critical
infrastructure, including things like cars, because you should
not be able to drive a car and hack into it. That is just
absurd. We did the same thing with airplanes. We were
connecting entertainment systems to navigation systems.
But, to me the second challenge is about individual
reaction, and we have not done a whole-nation kind of plan to
figure out what to do next. We did that during nuclear war. We
had a bunch of options about what we would do to solve the
problem. We have not reassured the civilian population about
what will happen if there are cyber attacks. We have not talked
about what we have done to protect the civilian population. We
are always talking about cyber Pearl Harbor. We are not talking
about the daily battles. And, because of this, people overreact
too much to the cyber threat, and they perform badly when
challenged with even simple things like emails and clicking on
Twitter links.
So, we have not even begun to study the psychology of the
user of the Internet. What is this doing to our biology? What
is this doing to our stress levels? And, I think that is a
clear challenge that we have not even begun to start to talk
about right now.
Chairman Johnson. OK. Captain?
Captain Keeney. Senator, I would say my advice would be to
expand the role of the military, both active, Reserve. Another
idea came to me----
Chairman Johnson. You know that will face some resistance.
Captain Keeney. Yes. Also, another interesting one would be
State militias. Not every State has them, but many do, and
these State militias could be an ability to bypass the
traditional military basic training, all those sorts of
requirements that a lot of people in private industry do not
want to partake in for some reason. They are scared of push-
ups, or pull-ups or whatever it is. But, leverage the State
militias may be another way the Federal Government could help
fund some State initiatives to get more cyber hands on the rope
helping at the State and local idea is an idea.
And, then, I was thinking about certifying in some way,
like the Underwriters Laboratories (UL), when you buy some
piece of electric, it has UL certification. I am sure this is
not my idea and many others have thought of it, but maybe that
is a way we could begin to address this. If I buy the Internet-
connected light bulb thing I have on my bedroom lamp and I tell
Alexa to turn it on and off, if that in some way was able to be
updated and was resilient, if there was a new exploit than when
I bought it, I would have more confidence in it. That is maybe
an approach at the consumer IOT level.
Chairman Johnson. We might be able to pass by unanimous
consent (UC), if you are good enough with a keyboard, we will
waive the push-up requirement. [Laughter.]
Listen, this has been, I think, very informative. I want to
continue to work with you gentlemen. We want to work with the
private sector to figure out exactly what we need to do here,
because this is, I think you all recognize--which is why you
are involved in this sector--incredibly important. So, thank
you for your testimony. I appreciate your answers to our
questions.
The hearing record will remain open for 15 days until May
25th at 5 p.m. for submission of statements and questions for
the record. This hearing is adjourned.
[Whereupon, at 11:29 a.m., the Committee was adjourned.]
A P P E N D I X
----------