[Senate Hearing 115-181]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-181

                CYBER STRATEGY, POLICY AND ORGANIZATION

=======================================================================

                                HEARINGS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                        MARCH 2 AND MAY 11, 2017

                               __________

         Printed for the use of the Committee on Armed Services
         
 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]        


       Available via the World Wide Web: http://www.Govinfo.gov/
       
       
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
28-907 PDF                  WASHINGTON : 2019                     
          
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected]. 

                      COMMITTEE ON ARMED SERVICES

 
 JOHN McCAIN, Arizona, Chairman
                         
 JAMES M. INHOFE, Oklahoma		JACK REED, Rhode Island
 ROGER F. WICKER, Mississippi		BILL NELSON, Florida
 DEB FISCHER, Nebraska			CLAIRE McCASKILL, Missouri
 TOM COTTON, Arkansas			JEANNE SHAHEEN, New Hampshire
 MIKE ROUNDS, South Dakota		KIRSTEN E. GILLIBRAND, New York
 JONI ERNST, Iowa			RICHARD BLUMENTHAL, Connecticut
 THOM TILLIS, North Carolina		JOE DONNELLY, Indiana
 DAN SULLIVAN, Alaska			MAZIE K. HIRONO, Hawaii
 DAVID PERDUE, Georgia			TIM KAINE, Virginia
 TED CRUZ, Texas				ANGUS S. KING, JR., Maine
 LINDSEY GRAHAM, South Carolina		MARTIN HEINRICH, New Mexico
 BEN SASSE, Nebraska			ELIZABETH WARREN, Massachusetts
 LUTHER STRANGE, Alabama              	GARY C. PETERS, Michigan
                                      
                                  
                                      
                Christian D. Brose, Staff Director
             Elizabeth L. King, Minority Staff Director
 
                                  (ii)
 
 
                             C O N T E N T S

_________________________________________________________________

                             March 2, 2017

                                                                   Page

Cyber Strategy and Policy........................................     1

Alexander, General Keith B., USA, Retired, CEO and President,         4
  Ironnet Cybersecurity.
Fields, Dr. Craig I., Chairman, Defense Science Board............     9
Miller, Honorable James N., Member, Defense Science Board and        12
  Former Under Secretary of Defense for Policy.
Waxman, Matthew C., Liviu Librescu Professor of Law, Columbia        18
  University Law School.

                              May 11, 2017

Cyber Policy, Strategy, and Organization.........................    47

Clapper, Honorable James R., Jr., Senior Fellow at the Belfer        50
  Center for Science and International Affairs and Former 
  Director of National Intelligence.
Stavridis, Admiral James G., USN, Retired, Dean of the Fletcher      53
  School of Law and Diplomacy at Tufts University and Former 
  Commander, United States European Command.
Hayden, General Michael V., USAF, Retired, Principal, The            59
  Chertoff Group and Former Director, Central Intelligence 
  Agency.

                                 (iii)

 
                       CYBER STRATEGY AND POLICY

                              ----------                              


                        THURSDAY, MARCH 2, 2017

                                       U.S. Senate,
                               Committee on Armed Services,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 9:40 a.m. in Room 
SH-216, Hart Senate Office Building, Senator John McCain 
(chairman) presiding.
    Committee members present: Senators McCain, Inhofe, Wicker, 
Fischer, Rounds, Ernst, Perdue, Sasse, Strange, Reed, Nelson, 
McCaskill, Shaheen, Gillibrand, Blumenthal, Donnelly, Hirono, 
Kaine, King, Heinrich, Warren, and Peters.

       OPENING STATEMENT OF SENATOR JOHN McCAIN, CHAIRMAN

    Chairman McCain. Our first panel of witnesses is Keith 
Alexander, CEO and President of IronNet Cybersecurity; Dr. 
Craig Fields, Chairman of the Defense Science Board; Dr. Jim 
Miller, former Under Secretary of Defense for Policy; and 
Matthew Waxman, Professor of Law at Columbia University Law 
School.
    Threats to the United States in cyberspace continue to grow 
in scope and severity, but our nation remains woefully 
unprepared to address these threats, which will be a defining 
feature of 21st century warfare.
    This committee has not been shy about expressing its 
displeasure over the lack of policy and strategy for deterring, 
defending against, and responding to cyber attacks. Treating 
every attack on a case-by-case basis, as we have done over the 
last eight years, has bred indecision and inaction. The 
appearance of weakness has emboldened our adversaries, who 
believe they can attack the United States in cyberspace with 
impunity.
    I have yet to find any serious person who believes we have 
a strategic advantage over our adversaries in cyberspace. In 
fact, many of our civilian and military leaders have explicitly 
warned the opposite. In short, this committee is well aware 
that bold action is required, and we will continue to apply the 
appropriate pressure to ensure that the new administration 
develops a cyber strategy that represents a clean break from 
the past.
    Such a strategy must address the key gaps in our cyber, 
legal, strategic, and policy frameworks. That's the topic of 
today's hearing, which is part of this committee's focused 
oversight on cyber strategy and policy. Each of our witnesses 
brings a unique perspective to these issues.
    General Alexander recently served on the Presidential 
Commission on Enhancing National Cyber Security. Given his 
extensive experience as Director of the National Security 
Agency and the first commander of the United States Cyber 
Command, we welcome his insights and guidance as we seek to 
ensure that our policies, capabilities, and the organization of 
the Federal Government are commensurate with the cyber 
challenges we face.
    Dr. Fields and Dr. Miller have been involved with the 
Defense Science Board's Task Force on Cyber Deterrence, which 
was established in October of 2014 to evaluate the requirements 
for effective deterrence of cyber attacks. We're pleased that 
the Defense Science Board has completed its evaluation, and we 
urge the new administration to immediately focus its attention 
on deterrence in cyberspace, which requires a comprehensive 
strategy for imposing costs on those seeking to attack our 
country.
    Cyber also involves complex but highly consequential legal 
questions, which is why I'm pleased that we have Mr. Waxman 
with us to shed some light on these challenges. For example, 
understanding what constitutes an act of war in cyberspace is a 
central question for any cyber policy or strategy, but it is 
one we as a government have failed to answer.
    As cyber threats have evolved rapidly, our legal frameworks 
have failed to catch up, and this is just one of a long list of 
basic cyber questions we as a nation have yet to answer. What 
is our theory of cyber deterrence, and what is our strategy to 
implement it? Is our government organized appropriately to 
handle this threat, or are we so stovepiped that we cannot deal 
with it effectively? Who is accountable for this problem, and 
do they have sufficient authorities to deliver results? Are we 
in the Congress just as stovepiped on cyber as the executive 
branch such that our oversight actually reinforces problems 
rather than helping to resolve them? Do we need to change how 
we are organized?
    Meanwhile, our adversaries are not waiting for us to get 
our act together. They're defining the norms of behavior in 
cyberspace while reaction in the United States is in a reactive 
crouch. We have to turn this around and ensure cyber norms 
reflect the values of a free and open society and do not 
undermine our national security.
    Cyber may be one of the most consequential national 
security challenges in a generation, and it will not grow 
easier with time. Our adversaries now believe that the reward 
for attacking the United States in cyberspace outweighs the 
risk. Until that changes, until we develop a policy and 
strategy for cyber deterrence, until we demonstrate that an 
attack on the United States has consequences, cyber attacks 
will grow more frequent and more severe. This is the urgent 
task before us, and that's why this series of hearings is so 
critical.
    I thank each of our witnesses for appearing today, and I 
look forward to their testimony.
    Senator Reed?

                 STATEMENT OF SENATOR JACK REED

    Senator Reed. Thank you very much, Mr. Chairman. I want to 
thank you for holding this very timely and incredibly important 
hearing.
    I want to welcome our distinguished panelists. Gentlemen, 
your service to the nation is deeply appreciated.
    I think the Chairman realized that General Alexander and I 
were both going to be here, so he called for reinforcements 
from the Naval Academy. We have midshipmen, but we can handle 
it.
    As the Chairman has indicated, this is an incredibly 
complex and diverse set of issues, each of which might merit a 
separate hearing. Indeed, I would concede in the future we have 
additional hearings on these topics. But we're asking for 
comments on the President's Commission on Enhancing National 
Cyber Security. Secretary Carter's Multiple Defense Science 
Board studies on cyber resilience and deterrence, and Professor 
Waxman's research on the international law aspects are part of 
this very complicated issue.
    Each of these important projects seek to help the United 
States define a coherent and effective cyber policy and 
strategy. Your presence today will help us put these pieces 
together in a much more effective and thoughtful way. Thank 
you.
    Professor Waxman rightly observes that international law 
governing actions in cyberspace is an important guide to 
behavior in international law and has inherent ambiguities and 
develops slowly in new areas like cyber. However, Professor 
Waxman nevertheless urges that U.S. policy draw sharper red 
lines than exist today, a recommendation clearly in line with 
the views of our other witnesses who emphasize the urgency of 
improving our deterrence and defensive capabilities.
    One important element of Professor Waxman's statement is 
the principle of sovereignty in international law. In the 
physical world, international law does not allow the aircraft 
to transit through our nation's airspace without permission, 
nor is it permissible to take military actions in a territory 
of non-belligerence. By analogy, would this mean that it would 
be legal to send a cyber weapon to a distant target through 
networks of other sovereign nations without their permission? 
Would it be illegal to take down a Syrian jihadist website 
hosted on a server that is in South Africa without the host 
nation's permission?
    This committee has been asking these questions at least 
since General Alexander was nominated to lead the newly-
established Cyber Command seven years ago. I would be 
interested in hearing each of the witnesses' views on these 
critical issues and more.
    The Defense Science Board Task Force on Cyber Deterrence 
that Dr. Miller co-chaired makes a noteworthy recommendation 
directly pertinent to cyber attacks, such as the Russian 
intervention in our election last year. This task force report 
recommends that a key component of cyber deterrence is a 
development by the United States of capabilities to conduct 
what I will call information operations against the most valued 
assets or relationships of the leadership of a country that 
conducts a cyber attack on us. The report specifically cites 
Russia, Iran, North Korea, and China.
    Dr. Miller, I'm interested in concrete examples of these 
most valued assets or relationships and what might be done to 
hold them at risk and what goal that accomplishes.
    The recommendation to develop a capability to conduct 
information operations is an important one. However, I would 
note that we currently have very limited capabilities for 
mounting effective information operations that are sought and 
called for in this report. The report calls for assigning this 
responsibility to Cyber Command, but the cyber mission forces 
were built for a different role. They were built for defending 
networks against intrusion and for penetrating and disrupting 
others' networks, but not for conceiving and conducting 
operations involving content or cognitive manipulation.
    Other organizations are currently assigned the 
responsibility for information operations, but they have been 
focused on supporting military forces in combat at the 
operational and tactical levels, not on strategic objectives. I 
look forward to hearing our witnesses' perspectives on specific 
steps to achieve this important capability both within and 
across the government.
    Once again, Mr. Chairman, let me thank you for calling this 
incredibly important hearing. Thank you.
    Chairman McCain. Thank you.
    As the members know, there's a vote that will begin at 10 
o'clock. Usually we just kind of keep the hearing going, but I 
feel that this hearing is so important that maybe we'll wait 
until there's about 5 minutes left in the vote, in the first 
vote, take a brief recess, and come back after the second vote. 
I just think that the issue wants us to hear the full 
testimony.
    So we will begin with you, General Alexander. Welcome back. 
I know how much you look forward to appearing before us again.

STATEMENT OF GENERAL KEITH B. ALEXANDER, USA, RETIRED, CEO AND 
                PRESIDENT, IRONNET CYBERSECURITY

    General Alexander. Chairman McCain, Ranking Member Reed, 
members of the committee, it's an honor and privilege to be 
here. I provided a written statement and would ask that that be 
included in the record.
    I want to address some of the things, Chairman, that we saw 
on the President's Commission on Enhancing National Cyber 
Security, and give you my insights on the path ahead, and it 
will address some of the statements that both you and Ranking 
Member Reed made.
    First, I agree, our nation is woefully unprepared to handle 
cyber attacks in government and in the commercial sector, and 
this came out loud and clear in the Commission's hearing. 
There's a lack of policy, strategy, understanding of roles and 
responsibilities, and of rules of engagement. It requires a 
comprehensive architecture if we are to successfully defend 
this nation against a cyber attack. That architecture does not 
exist. While there are rules and laws in place that would allow 
it to exist, it doesn't exist today.
    So the honor of sitting on that Commission was to identify 
and address some of these problems and push them forward for 
the next president, now President Trump and this administration 
to take on.
    I want to give you some insights why I made those 
statements and what's in that commission report that we have.
    First, if you look at technology and the way technology is 
advancing, it's doubling every two years. The amount of unique 
information that's being created doubles every year, which 
means this year we'll create more unique information than the 
last 5,000 years combined.
    What that means for all of us is the rate of change in 
technology is going so fast that our IP and cyber personnel are 
having a very difficult time staying up. At the same time, as 
you identified, Chairman, the attacks are getting greater. If 
you think just 10 years ago the iPhone was created, and that's 
when the first nation-state attack occurred from Russia on 
Estonia, and then in 2008 from Russia on Georgia, and in 2008 
we saw the penetration into the Defense Department networks 
that led to the creation of Cyber Command. In 2012 we saw the 
destructive attack against Saudi Aramco, and that was followed 
by 350 disruptive attacks on Wall Street, and it's getting 
worse.
    Over the last three months we've seen destructive attacks 
on Saudi Arabia by Iran, and we are not prepared as a nation to 
handle those. Our industry and government are not working 
together. My experience in the last three years of being a 
civilian is that industry does want to work with government, 
but we haven't provided the relationships, and the roles and 
responsibilities of the different departments are not well 
understood. So I'll give you my insights of how those roles 
should be.
    First, we have to have a government-industry partnership. 
If we think about the attack on Sony, the question is should 
Sony have been allowed to attack back. The answer we would come 
up with is no, because if Sony attacks back and the North 
Korean government thought that was an attack by our government, 
and it started a land war on the Korean Peninsula, we would all 
say that's industry starting a war; that's a government role 
and responsibility.
    If it's the government's role and responsibility, how does 
the government do it, and who does it?
    Senator Reed brought up the forces that we put in Cyber 
Command. We developed those forces to defend this country and 
our networks and provide offensive capabilities. In the last 
hearing we had a year ago, one of the statements that we 
jointly made was we should rehearse that. We should practice 
between key industry sectors, the energy sector, the financial 
sector, health care, the Internet service providers, and 
government on how we're going to defend this nation, and we 
should just do that, and we have failed to do that. I think 
that's one of the things that this committee can help push.
    It's my opinion that the role and responsibility, as 
articulated in the Federal Roles and Responsibilities in 
Cyberspace, for defending this nation rests with the Defense 
Department. It's stated there. It's clearly to defend this 
country. Yet, when we talk to all of the departments about 
roles and responsibilities, it was clear that that was mixed up 
because we talked about different levels of roles and 
responsibilities, whether it was incident response, the role 
that DHS [Department of Homeland Security] would have, by 
defending the nation.
    So we have to have, in my opinion, exercises and training 
where we bring the government, Congress, the administration, 
and industry together and practice this so we can all see how 
we're going to defend this country.
    I believe that in doing that, the technology exists. More 
importantly, it's been my experience that industry wants to 
work with government to help make this happen, and this is an 
opportunity for our government to stand together and do this.
    One of the comments that I heard during the commission was 
it's too hard, there's too much data, and I brought out--and 
you would have been proud of this, Chairman McCain. I brought 
out the Constitution that I've read multiple times, and I said, 
well, here it says for the common defense. It doesn't say for 
the common defense unless it's too hard. It says we created 
this government, us, for the common defense of this nation, and 
we aren't doing that job.
    That doesn't mean that we pay for industry doing their 
part. I think industry is more than willing to pay their part. 
But we in the government must help industry do it, especially 
when a nation-state attacks us.
    So I think there is a way to overcome the lack of a 
strategy by creating a framework, setting up those roles and 
responsibilities, and the rules of engagement, and we ought to 
get on with it.
    Thank you very much, Mr. Chairman.
    [The prepared statement of General Alexander follows:]

     Prepared Statement by General (Retired) Keith B. Alexander \1\
---------------------------------------------------------------------------
    \1\ GEN (Retired) Keith Alexander is the former Commander, United 
States Cyber Command and Director, National Security Agency. Currently, 
he is the President and CEO of IronNet Cybersecurity and recently 
completed service as a member of the President's Commission on 
Enhancing National Cybersecurity.
---------------------------------------------------------------------------
    Chairman McCain, Ranking Member Reed, Members of the Committee: 
thank you for inviting me to discuss cyber strategy and policy with you 
today, and specifically for asking this panel to engage in a dialogue 
with this Committee about how we might provide for the common defense 
of the nation in cyberspace. I plan to speak candidly about these 
issues, including the current organizational construct for 
cybersecurity within the federal government, the need for joint cyber 
defense capabilities and operations between the public and private 
sector, and the insights and recommendations of the Commission for 
Enhancing National Cybersecurity, of which I was a member.
    Before I begin my testimony, I want to note the leadership, Mr. 
Chairman, that you and the Ranking Member are demonstrating by taking 
the time to look at how we might architect the federal government to 
deal with the reality of the threats that our nation faces in this 
rapidly-evolving, technology-driven, highly-networked global 
environment. The series of hearings focused on the future of warfare, 
global cyber threats, and cyber strategy and policy that you and the 
Ranking Member continue to chair will help ensure the security of our 
nation and allies for many decades going forward.
    Mr. Chairman, we must fundamentally rethink our nation's 
architecture for cyber defense. We must recast the way we think of the 
respective roles and responsibilities of the government and private 
entities, bringing a new jointness to our work in cyber defense. We 
must develop a cadre of trained professionals that provides the public 
and private sectors a collective technical edge.
    Overall, Mr. Chairman, I am concerned that as a nation, we have not 
made the key decisions necessary to put in place the foundational 
capabilities, provide the right authorities, and assign the critical 
responsibilities that are necessary to properly protect our nation in 
this new domain. I believe the cybersecurity Executive Order will be a 
key step in addressing some of these issues. In addition, I think it is 
critical that Congress, the White House, and the private sector work 
closely together to address the critical gaps that we face today.
    For over 200 years, our Constitution has made clear that one of the 
core goals of the federal government is to provide ``for the common 
defense.'' \2\ Today, that common defense and the needed partnership 
between public and private sector is clearly lacking.
---------------------------------------------------------------------------
    \2\ U.S. Const., preamble (emphasis added).
---------------------------------------------------------------------------
    During my almost 40 years of service, it was an honor and privilege 
to work side-by-side with those who worked tirelessly to defend our 
nation. We worked hard to put in place the capabilities and to build 
the forces and structures needed to provide for the physical defense of 
our nation--both within our borders and abroad--and to do the same in 
cyberspace. Within the Department of Defense (DOD) alone, we 
fundamentally re-architected the way that the National Security Agency 
operated and created a key component of our nation's cyber defense, the 
U.S. Cyber Command.
    In 2012, then-Secretary of Defense Leon Panetta made clear that the 
policy of the U.S. Government was that ``the Department [of Defense] 
has a responsibility not only to defend DOD's networks, but also to be 
prepared to defend the nation and our national interests against an 
attack in or through cyberspace.'' \3\ At that time, it was clear that 
in order to make our overall national cyber architecture truly 
defensible, we needed to establish a shared understanding of our 
respective roles and responsibilities, first within the government, 
then between the government and the private sector.
---------------------------------------------------------------------------
    \3\ See Department of Defense, Remarks by Secretary Panetta on 
Cybersecurity to the Business Executives for National Security, New 
York City (Oct. 11, 2012), available online at .
---------------------------------------------------------------------------
    Initially, we worked closely with our colleagues in other agencies 
across the government to put in place a workable structure for sharing 
authorities and assigning responsibilities at the national level. 
Indeed, by one count, it took 75 drafts to obtain an agreement on a 
single slide regarding the national division of responsibilities for 
cybersecurity. \4\
---------------------------------------------------------------------------
    \4\ See Department of Defense Information Operations Center for 
Research and Army Reserve Cyber Operations Group, Cyber Endeavor 2014: 
Final Report--When the Lights Go Out, at 5 (June 26, 2014), available 
online at  (``The need to define these 
partnerships and relationships [] led the Government and U.S. Federal 
Cybersecurity Operations Team to define their national roles and 
relationships as highlighted in Figure 1, which is commonly referred to 
as the `Bubble Chart.' There were seventy-five (75) versions made of 
this chart before all parties agreed on how this works, and it was 
powerful and important just to get an agreement.'')
---------------------------------------------------------------------------
    At the end of that process, we assigned the responsibilities as 
follows: The Justice Department would, among other things, 
``[i]nvestigate, attribute, disrupt, and prosecute cyber crimes; [l]ead 
domestic national security operations; [and] [c]onduct domestic 
collection, analysis, and dissemination of cyber threat intelligence;'' 
Department of Homeland Security (DHS) would, among other things 
``[c]oordinate the national protection, prevention, mitigation of, and 
recovery from cyber incidents; [d]isseminate domestic cyber threat and 
vulnerability analysis; [and] [p]rotect critical infrastructure;'' and 
DOD would ``[d]efend the nation from attack; [g]ather foreign threat 
intelligence and determine attribution; [and] [s]ecure national 
security and military systems.'' \5\ Moreover, the ``bubble chart,'' as 
this document was called, assigned the following lead roles: DOJ: 
investigation and enforcement; DHS: protection; and DOD: national 
defense. \6\
---------------------------------------------------------------------------
    \5\ See id. at 6, Fig. 1.
    \6\ See id.
---------------------------------------------------------------------------
    The position that DOD has the lead for national defense in 
cyberspace has been reiterated in both the 2014 Quadrennial Defense 
Review as well as the 2015 DOD Cyber Strategy, the latter of which also 
highlights the critical role that private sector entities must take in 
protecting themselves against threats in cyberspace. \7\ While it may 
be clear that as a policy matter that DOD has the responsibility for 
defending the nation from nation-state attacks, the reality is that 
today U.S. Cyber Command lacks the clear authorities and rules of 
engagement to make this policy effective, even though it continues to 
build the forces and capabilities necessary to do so. It is critical 
that we work together, as a nation, to provide these authorities and 
rules of engagement now, when things are relatively calm, rather than 
seeking to identify and create them during a crisis. Mr. Chairman, I 
know that you and the Ranking Member have both taken the lead on 
working this effort, and I stand ready to assist you as needed.
---------------------------------------------------------------------------
    \7\ See Department of Defense, 2014 Quadrennial Defense Review at 
14-15, available online at  (``The Department of Defense will 
deter, and when approved by the President and directed by the Secretary 
of Defense, will disrupt and deny adversary cyberspace operations that 
threaten U.S. interests. To do so, we must be able to defend the 
integrity of our own networks, protect our key systems and networks, 
conduct effective cyber operations overseas when directed, and defend 
the Nation from an imminent, destructive cyberattack on vital U.S. 
interests.''); Department of Defense, 2015 Department of Defense Cyber 
Strategy at 5 (Apr. 15, 2015), available online at  (``If directed by the 
President or the Secretary of Defense, the U.S. military may conduct 
cyber operations to counter an imminent or on-going attack against the 
U.S. Homeland or U.S. interests in cyberspace. The purpose of such a 
defensive measure is to blunt an attack and prevent the destruction of 
property or the loss of life . . . .As a matter of principle, the 
United States will seek to exhaust all network defense and law 
enforcement options to mitigate any potential cyber risk to the U.S. 
Homeland or U.S. interests before conducting a cyberspace operation. 
The United States government has a limited and specific role to play in 
defending the nation against cyberattacks of significant consequence. 
The private sector owns and operates over ninety percent of all of the 
networks and infrastructure of cyberspace and is thus the first line of 
defense. One of the most important steps for improving the United 
States' overall cybersecurity posture is for companies to prioritize 
the networks and data that they must protect and to invest in improving 
their own cybersecurity. While the U.S. Government must prepare to 
defend the country against the most dangerous attacks, the majority of 
intrusions can be stopped through relatively basic cybersecurity 
investments that companies can and must make themselves.'')
---------------------------------------------------------------------------
    While the primary responsibility of government is to defend the 
nation, the private sector also shares responsibility in creating the 
partnership necessary to make the defense of our nation possible. 
Neither the government nor the private sector can capably protect their 
systems and networks without extensive and close cooperation. The 
private sector controls most of the real estate in cyberspace, 
particularly when it comes to critical infrastructure and key 
resources, \8\ and the notion that government might have control over, 
or even a constant, active defensive presence on these private systems 
and networks, is simply not something that our nation seeks today. 
Thus, given our current cyber architecture, if we are to create a truly 
defensible cyber environment, the government and the private sector 
must work closely together.
---------------------------------------------------------------------------
    \8\ See, e.g., Office of the Director of National Intelligence, 
Office of the Program Manager-Information Sharing Environment, Critical 
Infrastructure and Key Resources, available online at  
(``The private sector owns and operates an estimated 85 percent of 
infrastructure and resources critical to our Nation's physical and 
economic security.'').
---------------------------------------------------------------------------
    Consequently, the most important thing the government can do is to 
build connectivity and interoperability with the private sector. This 
is not simply connectivity and interoperability on a technology level, 
but on a policy and governance level. To that end, the Commission 
recommended the creation of a National Cybersecurity Public-Private 
Partnership (NCP3). \9\ This entity, as set forth in Commission's 
report, would serve the President directly, reporting through the 
National Security Advisor and would function as ``a forum for 
addressing cybersecurity issues through a high-level, joint public-
private collaboration.'' \10\ Part of the NCP3's key function would be 
to ``identify clear roles and responsibilities for the private and 
public sectors in defending the nation in cyberspace,'' including 
addressing critical issues like ``attribution, sharing of classified 
information . . . [and] an approach--including recommendations on the 
authorities and rules of engagement needed--to enable cooperative 
efforts between the government and private sector to protect the 
nation, including cooperative operations, training, and exercises.''
---------------------------------------------------------------------------
    \9\ Id. at 14 (action item 1.2.1)
    \10\ Id. at 14-15.
---------------------------------------------------------------------------
    In line with this recommendation, the Commission also recommended 
that ``[t]he private sector and Administration [] launch a joint 
cybersecurity operation program for the public and private sectors to 
collaborate on cybersecurity activities in order to identify, protect 
from, detect, respond to, and recover from cyber incidents affecting 
critical infrastructure.'' \11\ Empowering such joint efforts is 
critical to ensuring our long-term national security in cyberspace. As 
the Commission indicated, ``[k]ey aspects of any collaborative 
defensive effort between the government and private sector [will] 
include coordinated protection and detection approaches to ensure 
resilience; fully integrated response, recovery, and plans; a series of 
annual cooperative training programs and exercises coordinated with key 
agencies and industry; and the development of interoperable systems.'' 
\12\ Having such mechanisms in place well ahead of crisis is critical 
so that public and private sector entities can jointly train and 
exercise these rules of engagement and mitigate any potential spillover 
effects on ongoing business or government activities. Implementing 
these two Commission recommendations are amongst the most important 
things we might do as a nation in the near-term.
---------------------------------------------------------------------------
    \11\ Id. at 15 (action item 1.2.2.)
    \12\ Id.
---------------------------------------------------------------------------
    Finally, it is critical that the collaboration between the 
government and private sector is a two-way partnership. The government 
can and must do more when it comes to partnering with the private 
sector, building trust, and sharing threat information--yes, even 
highly classified threat information--at network speed and in a form 
that can be actioned rapidly. Building out a cross-cutting information 
sharing capability allows the government and private sector to develop 
a common operating picture, analogous to the air traffic control 
picture. As the air traffic control picture ensures our aviation safety 
and synchronizes government and civil aviation, the cyber common 
operational picture can be used to synchronize a common cyber defense 
for our nation, drive decision-making, and enable rapid response across 
our entire national cyber infrastructure. This would provide a critical 
defensive capability for the nation.
    The cyber legislation enacted by Congress last year is a step in 
the right direction; however, it lacks key features to truly encourage 
robust sharing, including placing overbearing requirements on the 
private sector, overly limiting liability protections, restricting how 
information might effectively be shared with the government, and 
keeping the specter of potential government regulation looming in the 
background. \13\ Moreover, while the government has placed this 
responsibility with DHS today, \14\ it is important to recognize the 
perception in industry is that DHS faces significant challenges in this 
area, in particular that it simply lacks the technical capabilities 
necessary to succeed. \15\ More can be done here, and I stand ready to 
work with this Committee and others in Congress and the Administration 
as we seek a path forward on this important issue. As with the 
recommendations of the Commission above, I believe that implementing 
robust, real-time threat information sharing across the private sector 
and with the government would be a game-changer when it comes to cyber 
defense.
---------------------------------------------------------------------------
    \13\ See, e.g., Jamil N. Jaffer, Carrots and Sticks in Cyberspace: 
Addressing Key Issues in the Cybersecurity Information Sharing Act of 
2015,_S. Car. L. Rev._(forthcoming 2017).
    \14\ See, e.g., Executive Order 13691, Promoting Private Sector 
Cybersecurity Information Sharing (Feb. 13, 2015), available online at 
 (``The 
National Cybersecurity and Communications Integration Center (NCCIC), 
established under section 226(b) of the Homeland Security Act of 2002. 
. . shall engage in continuous, collaborative, and inclusive 
coordination with ISAOs on the sharing of information related to 
cybersecurity risks and incidents.'').
    \15\ See Commission on Enhancing National Cybersecurity, Testimony 
of Greg Rattray, Director of Global Cyber Partnerships & Government 
Strategy, J.P. Morgan Chase (May 16, 2016) (describing DHS's six 
information sharing initiatives, as ``too broad and [simply] not 
meet[ing] the need[] to enhance cyber defense''); Testimony of Mark 
Gordon, n. 13 supra (arguing that while tactically accelerating 
automating and systemizing threat indicator content with the government 
is a big vision, it is not a reality today); see also Jaffer, n. 14 
supra, at_(``DHS is generally seen as facing major challenges in 
capability in the cyber area and a number of other agencies, from DOD/
NSA to FBI, are seen by industry as more capable, reliable, or 
secure.'').
---------------------------------------------------------------------------
    In sum, Mr. Chairman, I think much remains to be done to fully put 
our nation on a path to real security in cyberspace, and I am strongly 
hopeful for our future. With your leadership and that of the Ranking 
Member, working together collaboratively across the aisle and with the 
White House and key players in the private sector, we can achieve real 
successes in securing our nation in cyberspace.
    Thank you for the opportunity to appear before this committee.

    Chairman McCain. Thank you for your testimony.
    Dr. Fields?

  STATEMENT OF DR. CRAIG I. FIELDS, CHAIRMAN, DEFENSE SCIENCE 
                             BOARD

    Dr. Fields. Good morning, Chairman McCain, Ranking Member 
Reed, members of the committee. Jim, thank you for the 
microphone.
    Dr. Miller. It's a technology issue.
    Dr. Fields. It's a technology issue.
    We're here to talk about cyber deterrence. Jim and I have 
divided the presentation into two parts, and we ask that our 
written testimony be entered into the record.
    What I want to do is to start by giving you a little view 
of the landscape of the Defense Science Board's study on cyber 
more generally, because there are actually a lot of pieces of 
the puzzle, and then offer to you eight principles that cyber 
has to comply with if we're going to be effective. These 
principles do not dictate the details of what to do in any 
circumstance, but they're like laws of physics; you have to 
comply. Then I'm going to turn it over to Jim and he's going to 
give you the main points, given time constraints, of our cyber 
deterrence task force. Then, of course, we'll enter into 
discussion later.
    Again, in the interest of time, I'll be incredibly brief.
    What is the DSB [Defense Science Board] going to do? Our 
study of cyber resilience, the main finding that's germane 
being that it's simply not possible to defend against a high-
level threat. We can defend against mid- and low-level threats, 
but the high-level threats, like we could have from China or 
Russia, we have to deter. That's not a statement of criticism 
of our capabilities. That's true basically of any country 
because the means of deterring of defense are just not up to 
the means of offense at this point in time.
    Cyber and cloud computing. How can DOD [Department of 
Defense] take advantage of the benefits of cloud computing 
without the risks?
    Cyber defense management, some actionable recommendations 
for the Defense Department on how to basically optimally use 
financial resources, what are the most important things to do, 
what are the best practices in order to do cyber defense.
    Cyber corruption of the supply chain. We get an awful lot 
of our micro-electronics from foreign sources. Sometimes what's 
inside is not what we think is inside. What do we do about 
that?
    Cyber offense as a strategic capability. Right now we have 
good capabilities, but they're used episodically. How can we 
provide the President and the Congress with more of a strategic 
foundation so that when the unexpected arises, we're ready?
    Acquisition of software. Parallel to a previous comment on 
micro-electronics, what we get is not always what we expect to 
get. How can we mitigate the risk?
    Twenty-first century multi-domain. How do we harmonize 
kinetics, electronic warfare in cyber, in training, in 
authority, et cetera?
    Then today's study, cyber deterrence. In addition, every 
one of our studies nowadays has a cyber component, be it 
unmanned vehicles or survival logistics or electronic warfare. 
I could go through a long list; I'm not going to. It pervades 
everything.
    Just to give you a taste of the main features of what we've 
been doing, all of these studies contain what we call 
actionable recommendations for the Defense Department, and we 
think they're actually doable, versus just sort of high-level 
aspirations.
    Part two, fundamental principles. These are the eight 
principles that I think we should all pay attention to as we 
address the issue of cyber deterrence.
    Number one, you don't deter countries; you deter people. So 
you have to identify whose behavior you want to change, who you 
want to be deterred. If you can't do that, you can't get there. 
Trying to deter a mid- or low-level person, punishing a low-
level person really doesn't work. You have to get to decision-
makers, and they have to be deterred.
    Number two and implied by the first, deterrence of an 
individual is a matter of an exercise of psychology, not of 
physics. Physics is a lot easier. Psychology is hard, 
especially when it crosses countries, is situationally 
dependent, and so on. But if we don't accept the fact that 
we're going to have to make judgments about what will deter 
individuals and it's a matter of psychology, we can't really 
make progress.
    Number three, we should assume that people act on what they 
think is their self-interest, which is to say if we want to 
deter someone, we have to make their expected cost greater than 
their expected benefit. We can do that by reducing their 
expected benefit. We can do that by increasing their expected 
cost. There are notions and ideas for doing both, but that's 
the way you have to think about it. It has to be in scale. If 
the expected benefit is high, then if we want to deter we have 
to raise the expected cost considerably.
    Number four and related, cyber deterrence does not have to 
be like for like. If you want to deter the use of cyber, you 
don't have to use cyber. You can use economic means or any 
number of other means. While we should act prudently, we should 
think broadly.
    Number five, and again implied above, is U.S. responses to 
cyber attacks do not have to impose only a similar level of 
cost on an adversary. It can be greater. We have to obey the 
law. Mr. Waxman will address that, and I don't want to practice 
law without a license here. But we should be, again, flexible 
in our thinking even if we're prudent in our actions.
    Number six, escalation. Escalation is always a concern, and 
it should be a concern. What we're typically facing is this: 
anything we do to deter contains some possibility of 
escalation. But not deterring carries a certainty of 
escalation. A possibility versus a certainty. But in other 
terms, we can have a certainty of a death of a thousand cuts or 
the possibility of escalation if we try to deter. So if we want 
to avoid all possibility of escalation, you can't deter. We 
have to accept the realities.
    Some people think we live in a glass house and other 
countries don't. That's another whole discussion. That's just 
not true. Everybody, all major countries live in a glass house 
nowadays.
    Seventh is chronology. It's a lot more effective to take 
deterring action quickly after something happens that you don't 
want to happen rather than waiting days, weeks, months, years. 
Chronology counts. That means you have to be prepared. The 
intelligence community has to collect the information in order 
to take action. CYBERCOM and other organizations have to be 
prepared to take action based on and using that information. 
The executive branch has to be able to orchestrate if it goes 
across various departments.
    Number eight and last, credibility is critical. If no one 
believes that we're going to actually do what we say, then it 
doesn't matter what our capabilities are, it doesn't deter. 
Stating a red line and then letting people cross it with no 
consequence cuts down on our credibility. There may be good 
reasons for doing it, but that's a consequence. It cuts down on 
our credibility and hence our ability to deter, because the 
fact is we don't want conflict, we don't want war, we want a 
deterrent.
    So again, these eight principles that I commend to you are 
not specific to this case or that. But as we plan for 
individual cases, I think we have to obey these as what 
citizens call boundary conditions. If we don't comply with 
these rules, we're not going to deter.
    So at this point, I'll turn things over to Jim to talk 
about some of the specifics of our cyber deterrence task force.
    Chairman McCain. Thank you.
    Dr. Miller, welcome back.

STATEMENT OF HONORABLE JAMES N. MILLER, MEMBER, DEFENSE SCIENCE 
     BOARD AND FORMER UNDER SECRETARY OF DEFENSE FOR POLICY

    Dr. Miller. Thank you, Chairman McCain, Ranking Member 
Reed, members of the committee. It is an honor to be here 
again.
    I'd like to start also by thanking Dr. Fields for allowing 
me to be the policy wonk among a number of technical gurus on 
the Defense Science Board. It's been a pleasure.
    Finally I want to thank our task force members who are not 
here, and particularly my co-chair, Jim Gosler.
    Our study on cyber deterrence with the Defense Science 
Board focused on the United States ability to deter cyber 
attacks such as Iran's distributed denial of service attacks 
that were conducted on Wall Street, as General Alexander 
mentioned, in 2012 to 2013; North Korea's cyber attack on Sony 
Pictures in 2014. We also covered what we described as costly 
cyber intrusions, such as the Chinese theft of intellectual 
property over the course of at least 10 years, and also the 
Russian hack of United States institutions which were intended 
to affect voter confidence and ultimately to affect the outcome 
of the recent United States presidential election.
    In looking at the problem set, we found it useful to 
distinguish between three different sets of cyber challenges. 
The first is that major powers, Russia and China specifically, 
have a significant and growing ability to hold United States 
critical infrastructure at risk through cyber attack, and also 
a growing capability to hold at risk the United States 
military, and so to potentially undermine United States 
military responses. As Dr. Fields indicated, for at least the 
next decade the offensive cyber capabilities of these major 
powers are likely to far exceed the United States' ability to 
defend our critical infrastructure. At the same time, the 
United States military has a critical dependence on information 
technology, and these actors are pursuing the capability 
through cyber to thwart our military responses.
    This emerging situation has the potential to place the 
United States in an untenable strategic position.
    The second category of problem we looked at comes from 
regional powers such as Iran and North Korea. They have a 
growing potential to use either indigenous or purchased cyber 
tools to conduct catastrophic or significant attacks on United 
States critical infrastructure. For this problem set, the 
United States response capabilities need to be part of the tool 
kit, but they need to be added to what we do on cyber defenses 
and cyber resilience. It's no more palatable to allow the 
United States to be vulnerable to a catastrophic cyber attack 
by an Iran or a North Korea than it is to allow us to be 
vulnerable to a catastrophic nuclear attack by those actors.
    Third, and the problem set with which we've had the most 
direct and immediate experience, is that a range of state and 
non-state actors have the capacity for persistent cyber attacks 
and costly cyber intrusions against the United States, some of 
which individually may be relatively inconsequential or only be 
one element of a broader campaign but which cumulatively 
subjects the nation, as Dr. Fields noted, to a death of a 
thousand hacks.
    To address these three problem sets, the task force 
recommends three groups of initiatives. First, and consistent 
with what Chairman McCain said at the outset, the 
recommendation is that the United States Government plan and 
conduct tailored deterrence campaigns. A campaign approach is 
required to avoid piecemeal responses to cyber attacks and 
intrusions, and a tailored approach is needed to deal with both 
the range of actors and the range of potential scenarios that 
we may face. Clearly, for cyber deterrence, one size cannot fit 
all.
    More specifically in this category, the task force 
recommended the following: update a declaratory policy that 
makes clear that the United States will respond to cyber 
attacks. The question is not whether; the question will only be 
how. Second, cyber deterrence campaign plans focused on the 
leadership of each potential adversary. Third----
    Chairman McCain. Excuse me. I don't mean to interrupt. Your 
first point, we haven't done that.
    Dr. Miller. That's correct, sir.
    Chairman McCain. Okay.
    Dr. Miller. The third element of this first section, 
adversary-specific playbooks are response options for cyber 
attacks to include both cyber and non-cyber, military and non-
military responses. We can speak to why we need all those in 
the discussion if you'd like.
    Fourth in this category, specific offensive cyber 
capabilities to support these playbook options, because one of 
the capabilities we certainly want in response to offensive 
cyber is offensive cyber. These capabilities need to be built 
out in a way that does not require burning intelligence axes 
when we exercise them.
    Finally in this category, we recommend an offensive cyber 
capability Tiger Team be established consistent with Congress' 
direction for the Department to build Tiger Teams, and this one 
would look to develop options for accelerating acquisition, in 
particular offensive cyber capabilities.
    The second broad category of recommendations was that the 
Defense Department develop what we described as a cyber 
resilient thin line of key United States strike systems. To 
credibly be able to impose unacceptable costs in response to 
cyber attack by major powers, Russia and China, the United 
States needs key strike systems--cyber, nuclear, and non-
nuclear strike--to be able to function even after the most 
advanced cyber attack, and this is not a simple task. The task 
force made some specific recommendations and examples of long 
link strike systems to include--that's included in the prepared 
statement.
    In support of this thin line cyber secure force, the task 
force recommended three actions in particular. First, an 
independent strategic cyber security program housed at NSA 
[National Security Agency] to perform top-tier cyber red 
teaming on the thin line of cyber long-range strike and nuclear 
deterrence systems. The model is similar to what we have with 
the SSBN [Submersible Ship Ballistic Nuclear] security program, 
which I know the committee is familiar with, looking at not 
just what could be done today but what could be done in future 
that has significant consequence.
    A second component is a new best-of-breed cyber resilience 
program to identify the best security concepts in government 
and, importantly, in the private sector as well, and to bring 
them to bear in a systematic way.
    Third, an annual assessment of the cyber resilience of the 
U.S. nuclear deterrent, similar to what's done currently for 
the nuclear deterrent more broadly. This would be conducted by 
the commander of the Strategic Command, and the certification 
would go to the Secretary of Defense, to the President, and to 
the Congress.
    The third broad category of recommendation the task force 
made, and the final category, is that the Department needs to 
continue to pursue and in some cases increase its efforts on 
foundational capabilities. That includes cyber attribution. It 
includes continued overall enhancement of the cyber resilience 
of the joint force. We put this as a lower priority than the 
so-called thin line capabilities, but it's important as well.
    A third element here is continued and more aggressive 
pursuit of innovative technologies that can help reduce the 
vulnerability of U.S. critical infrastructure.
    Fourth in this category is U.S. leadership, and define 
appropriate extended deterrence postures, and working with our 
allies and partners.
    Finally, and last but certainly not least, is sustained and 
enhanced recruitment, training, and retention of a top-notch 
cyber cadre.
    At the end of the day, from all the importance of 
technology in this area, the most important strategic advantage 
of the United States in cyber, as in other domains, is the 
incredible capabilities of our military, of our civilians, and 
of our private sector. DOD [Department of Defense] has taken 
some important steps to move forward on recommendations of this 
report over the course of its conduct, in parallel with its 
establishing its 133 cyber mission force teams. The 
recommendations which I've just described are intended to build 
on what the Department is doing to expand it and to accelerate 
it.
    Again, thank you for the opportunity to testify today.
    [The joint prepared statement of Dr. Fields and Dr. Miller 
follows:]

    Joint Prepared Statement by Dr. Craig Fields and Dr. Jim Miller
                              introduction
    Chairman McCain, Ranking Member Reed, Members of the Committee. We 
are here today to discuss cyber deterrence.
    By ``cyber deterrence'' we mean how to deter major cyber attacks on 
the United States, largely by foreign states, particularly great 
powers, but someday perhaps by capable non-states.
    We want to begin by briefly introducing the Defense Science Board 
(DSB) and telling you about DSB's substantial agenda of studies 
regarding cyber. Then I have some fundamental principles to offer 
regarding how to be successful with cyber deterrence.
    We will then turn to Jim Miller, co-chair with Jim Gosler of DSB's 
recent comprehensive study of cyber deterrence. He will present the 
major findings and recommendations of that investigation.
    We would also like to underscore that the findings we reference are 
the Defense Science Board's and do not necessarily represent the 
perspectives, policies, or positions of the Department of Defense.
                         defense science board
    For 60 years the Defense Science Board (DSB) has tackled highly 
unstructured, irksome and consequential problems for the Secretary of 
Defense that involve science and technology. And, inevitably, also 
strategy, tactics, management, rules of engagement and operational 
concepts as related to science and technology.
    The members of DSB are senior executives from defense and 
commercial industry; retired flag officers; former senior officials 
from the Department of Defense, Department of State and the 
Intelligence Community; University professors, e.g. from MIT; CEOs of 
Federally Funded Research and Development Centers; National Laboratory 
Directors; and many members of the National Academy of Science and the 
National Academy of Engineering.
    All with a strong background in science and technology; and with 
knowledge of DOD and national security matters.
                 defense science board studies on cyber
    DSB's first study on cyber dates from 1967, and to my knowledge 
that work was the first major investigation of the cyber threat with 
recommendations regarding how to mitigate and manage the threat.
    Much more recently DSB has conducted a series of studies that in 
union provide a comprehensive set of findings and recommendations for 
the Department of Defense.
    Cyber Resilience--recommendations for defense against low- and 
medium-level threats, and the recognition that we cannot adequately 
defend against high-level threats. Those must be deterred.
    Cyber and Cloud Computing--How can DOD realize the tremendous 
benefits of economy of scale of cloud computing, while mitigating the 
risks of such shared and remote computing?
    Cyber Defense Management--Insofar as cyber defense can be 
expensive--noting that lack of cyber defense can be considerably more 
expensive!--how should DOD optimally allocate its resources to provide 
the best protection?
    Cyber Corruption of the Supply Chain--How can DOD mitigate the risk 
of malicious insertions in the microelectronics it buys?
    Cyber Offense as a Strategic Capability--What does DOD have to do 
to ensure that the President has strategic options at hand to use 
prudently as unpredicted needs arise?
    Acquisition of Software--In general how can DOD acquire software 
better, and in particular how can DOD mitigate the risk of cyber 
intrusion into our software?
    Twenty-first Century Multi-Domain Integration--harmonizing cyber, 
kinetics and EW in all domains, in terms of capabilities, planning, 
training, C3 and so on
    Cyber Deterrence--What needs to be done to effectively deter major 
cyber attacks on the United States?
    In addition, cyber considerations play a role in almost all DSB 
studies. Most DOD systems contain computing, and most computing is 
vulnerable to cyber.
    Thus, cyber considerations play a role in many DSB studies, 
including: information operations in gray zone conflicts; unmanned 
undersea vehicles; autonomous systems; countering autonomous systems; 
survivable logistics; electronic warfare (EW); ballistic and cruise 
missile defense; MILSAT and tactical communications; resilience of 
space capabilities; air dominance; and more.
            some fundamental principles of cyber deterrence
    I would like to offer eight (8) fundamental principles that apply 
to cyber deterrence. The principles do NOT dictate exactly what to do 
in particular circumstances, but what to do in particular circumstances 
should conform to the principles.
    First, we must deter specific people, specific individuals, the 
decision makers of foreign states, not countries. They decide whether 
or not to unleash a cyber attack on the United States. Trying to deter 
lower level individuals, e.g. 22-year-old hackers, mid-career civil 
servants, lower level military officers who are ``following orders'' is 
not effective.
    Second, deterrence of an individual is an exercise in psychology, 
not physics. Physics is easier. It is an exercise in cross-cultural 
psychology, to make it more difficult. It is an exercise in situation-
dependent psychology to make it more difficult still. Finally it is an 
exercise in psychology done from a distance insofar as the U.S. 
Government personnel charged with deterrence will likely have never met 
the individual we want to deter, or certainly have not spent sufficient 
time with them to develop deep understanding. That's the way it is. The 
implication is that we have to do the best we can, meaning be sure that 
the U.S. Government personnel charged with cyber deterrence have access 
to the very best analysis regarding the individuals we want to deter.
    Third, to deter a leader who might decide to order a cyber attack 
on the U.S. we need to hold at risk what they hold dear. We have to 
make their expected cost greater than their expected benefit. Where 
feasible at reasonable cost we should also decrease their expected 
benefit of a cyber attack on the U.S., e.g. with defense, protection, 
resilience or reconstitution of our critical infrastructure, but for 
the most capable adversaries, e.g. great powers, that is difficult.
    Fourth, cyber deterrence does not have to be `like for like', `tit 
for tat'. Cyber does not have to be deterred with cyber. Deterrence 
could involve economic sanctions or other means.
    Fifth, and related, U.S. responses to cyber attack do not have to 
aim to impose (only) a similar level of costs on the adversary as it 
imposed on the United States. While a response must meet legal 
requirements such as proportionality (avoiding unnecessary civilian 
loss of life or hardship), it must also be effective. That means 
imposing sufficient costs to deter future such attacks.
    Sixth, escalation is always a concern and should always be a 
concern. All deterrence is accompanied by the possibility of 
escalation. But lack of deterrence is accompanied by the certainty of 
escalation. We are often faced with the alternatives of a certainty of 
`a death of a thousand cuts' if we take no deterring action or the 
possibility of escalation if we take deterring action. There is no 
perfect solution but there is a constructive approach, namely to employ 
approaches to deterrence that are graded--do a little, see what 
happens, do a little more . . . --and reversible.
    Seventh, chronology. It is considerably more effective to take 
deterring action sooner rather than later. Being prepared to act sooner 
carries some operational implications. Long in advance the Intelligence 
Community has to be tasked to collect the underlying information 
required to compose strategy, tactics and operational plans for 
deterring specific individuals. Long in advance the organizations that 
would be tasked with affecting deterrence, e.g. DOD, Treasury, need to 
have capabilities prepared and in place and compose the aforementioned 
strategy, tactics and operational concepts. And all this has to be 
orchestrated across various organs of the Executive Branch with 
effective communication with the appropriate elements of the Congress.
    Eighth, credibility is a necessary enabler of deterrence. If the 
leader we want to deter does not believe we will act it is difficult to 
deter. Announcing `red lines' and then overlooking offenses is not 
constructive.
    To repeat, these eight principles do not dictate specific deterring 
actions for particular circumstances, but if we want to be effective in 
deterring major cyber attacks on the U.S. we should comply with the 
principles.
            defense science board study of cyber deterrence
    The DSB Cyber Deterrence Task Force was asked to consider the 
requirements for deterring cyber attacks against the United States and 
U.S. allies/partners, and to identify critical capabilities (cyber and 
non-cyber) needed to support deterrence, warfighting, and escalation 
control against highly cyber-capable adversaries. In conducting its 
work, the fifteen task force members received more than forty briefings 
from government, the national laboratories, academia, and the private 
sector.
Three Key Cyber Deterrence Challenges
    The task force determined that the United States faces three 
distinct sets of cyber deterrence challenges.
    First, major powers (Russia and China) have a significant and 
growing ability to hold United States critical infrastructure at risk 
via cyber attack--and to simultaneously use cyber to undermine U.S. 
military responses. The unfortunate reality is that for at least the 
next decade, the offensive cyber capabilities of these major powers are 
likely to far exceed the United States' ability to defend essential 
critical infrastructure. At the same time, they recognize that the U.S. 
military itself has an extensive dependence on information technology, 
and they are pursuing the capability to use cyber to thwart U.S. 
military responses. This emerging situation threatens to place the 
United States in an untenable strategic position.
    Second, regional powers (such as Iran and North Korea) have a 
growing potential to use indigenous or purchased cyber tools to conduct 
catastrophic attacks on United States critical infrastructure. The U.S. 
Government must work with the private sector to intensify efforts to 
defend and boost the cyber resilience of U.S. critical infrastructure 
in order to avoid allowing extensive vulnerability to these nations. 
The United States would have a range of options to respond to any 
attack (cyber or other) by such nations. But these response 
capabilities must be additive to our defenses. It is no more palatable 
to allow the United States to be held hostage to catastrophic attack 
via cyber weapons by such actors than via nuclear weapons.
    Third, a range of state and non-state actors have the capacity for 
persistent cyber attacks and costly cyber intrusions against the United 
States, which individually may be inconsequential (or be only one 
element of a broader campaign) but which cumulatively subject the 
Nation to a ``death by 1,000 hacks.''
    To address these three challenges, bolstering the U.S. cyber 
deterrence posture must be an urgent priority. The task force 
recommended that the Department of Defense and broader U.S. Government 
pursue three broad sets of initiatives.

    1. Plan and Conduct Tailored Deterrence Campaigns
    The United States cyber deterrence posture must be ``tailored'' to 
cope with the range of potential attacks that could be conducted by 
each potential adversary--including Russia, China, Iran, North Korea, 
and non-state actors including ISIS. And it must do so in contexts 
ranging from peacetime to ``gray zone'' conflicts to crisis to war. 
Clearly, for United States cyber deterrence (as with deterrence more 
broadly), one size will not fit all.
    This requires, and the task force recommended:
      Updated declaratory policy that makes clear the United 
States will respond to all cyber attacks; the question will not be 
whether but how.
      Cyber deterrence campaign plans focused on the leadership 
of each potential adversary.
      Adversary-specific ``playbooks'' of response options to 
cyber attacks on the United States or its interests, ranging from low 
level hacks to major attacks, including cyber and non-cyber military 
responses, and potential non-military responses.
      Specific offensive cyber capabilities to support approved 
``playbook'' options by holding at risk what is valued by adversary 
leaders; this should include capabilities that do not require 
``burning'' intelligence accesses (sources and methods) when exercised.
      An offensive cyber capability tiger team to develop 
options to accelerate acquisition of offensive cyber capabilities to 
support deterrence, such as additional acquisition authorities for 
USCYBERCOM, and establishment of a small elite rapid acquisition 
organization.
    The intention is not to create a ``cookbook'' approach to cyber 
deterrence. Rather it is to establish a clear policy and planning 
framework, to help drive prioritized cyber offensive capability 
development, and ultimately to give a range of good cyber and non-cyber 
options to support deterrence of--and as necessary response to--cyber 
attack.

    2. Create a Cyber-Resilient ``Thin Line'' of Key U.S. Strike 
Systems
    In order to support deterrence, the United States must be able to 
credibly threaten to impose unacceptable costs in response to even the 
most sophisticated large-scale cyber attacks. Meeting this requirement 
will require the Department of Defense to devote urgent and sustained 
attention to boosting the cyber resilience of select U.S. strike 
systems (cyber, nuclear, and non-nuclear) including their supporting 
critical infrastructures. In effect, DOD must create a second-strike 
cyber resilient ``Thin Line'' element of U.S. military forces to 
underwrite deterrence of major attacks by major powers.
    This requires a ``thin line'' cyber secure force comprised of 
select elements of offensive cyber capabilities, select non-nuclear 
long-range strike systems, and all nuclear-capable systems. The 
Department should further enhance investments to protect and make 
resilient these capabilities. Examples of long-range non-nuclear strike 
systems that should be made highly resilient to cyber (and other non-
nuclear attack) on an urgent basis include:
      A substantial number of general purpose attack submarines 
(SSNs) and guided missile submarines (SSGNs) armed with long-range 
strike systems (for example Tomahawk Land Attack Missiles (TLAMs));
      Heavy bombers armed with non-nuclear munitions capable of 
holding at risk a range of targets in standoff or penetrating mode (for 
example, extended range Joint Air to Surface Standoff Missiles (JASSM-
ER) and Massive Ordnance Penetrators (MOPs));
      Supporting Command, Control, Communications and 
Intelligence, Surveillance and Reconnaissance (C3ISR) essential to 
support mission planning and execution; and
      Critical infrastructure essential to support platforms, 
munitions, C3ISR, logistical support, and personnel.
    In support of this ``thin line'' cyber secure force, the task force 
recommended:
      An independent Strategic Cyber Security Program (SCSP) 
housed at the National Security Agency (NSA) to perform top tier cyber 
red teaming on selected offensive cyber, long-range strike, and nuclear 
deterrent systems. SCSP should look at current systems as well as 
future acquisitions before DOD invests in or employs new capabilities. 
The Navy's long-standing SSBN Security Program provides a useful model.
      A new ``best of breed'' cyber resilience program to 
identify the best available or emerging security concepts for critical 
information systems, drawing best practices and innovative ideas from 
across DOD and industry. This program should devise a broad portfolio 
of options to dramatically enhance cyber resilience of critical strike 
systems, ranging from emerging new technologies to the use of ``retro-
tech'' such as electro-mechanical switches.
      An annual assessment of the cyber resilience of the U.S. 
nuclear deterrent, conducted by the Commander of U.S. Strategic 
Command, and provided to the Secretary of Defense, President, and 
Congressional leadership. including all essential nuclear ``Thin Line'' 
components (e.g., nuclear C3, platforms, delivery systems, and 
warheads). Commander USSTRATCOM should state his degree of confidence 
in the mission assurance of the nuclear deterrent against a top tier 
cyber threat.

    3. Pursue Foundational Capabilities
    In addition to the measures outlined above, the Department of 
Defense and the broader U.S. Government must continue to innovate in 
order to improve the posture of the United States regarding several 
foundational capabilities:
      Cyber attribution;
      Continued enhancement of cyber resilience of the joint 
force--though to a lesser level and as a lower priority than for 
selected long-range strike systems as discussed above;
      Offensive and Defensive Cyber Security S&T: U.S. research 
in both of these areas need to inform the other;
      Innovative technologies that can enhance the cyber 
security of the most vital U.S. critical infrastructure;
      U.S. leadership in providing appropriate cyber ``extended 
deterrence'' to allies and partners; and over time perhaps most 
importantly,
      The sustained recruitment, training, and retention of a 
top-notch cyber cadre.
    Over the last several years, the Department of Defense has begun 
taking important steps to strengthen its cyber capabilities, including 
for example the establishment and initial operating capability of 133 
cyber mission force teams. If implemented and sustained over time, the 
task force recommendations (outlined in this statement and described in 
much greater detail in the DSB report) will build from this prior work, 
and help guide the urgent actions needed to bolster deterrence of cyber 
attacks on the United States and our allies and partners.

    Chairman McCain. Thank you.
    Mr. Waxman?

  STATEMENT OF MATTHEW C. WAXMAN, LIVIU LIBRESCU PROFESSOR OF 
              LAW, COLUMBIA UNIVERSITY LAW SCHOOL

    Mr. Waxman. Chairman McCain, Ranking Member Reed----
    Chairman McCain. I apologize. I think we've only got 5 
minutes left, so we'll take a brief recess. We have two votes, 
so it will probably be about 15 minutes, and we'll resume. 
Thank you.
    [Recess.]
    Chairman McCain. We'll resume the hearing. I'm sure that 
other members will be coming back shortly, but we don't want to 
take too much time, and we want to resume with you, Mr. Waxman. 
Thank you.
    Mr. Waxman. Thank you, Chairman McCain, Ranking Member 
Reed, committee members. I appreciate the opportunity to 
address some international law questions relevant to U.S. cyber 
strategy. These include when a cyber attack amounts to an act 
of war, as well as the international legal principle of 
sovereignty and how it could apply to cyber activities. I also 
have a written statement that I hope can be made part of the 
record.
    These are important questions because they affect how the 
United States may defend itself and what kinds of cyber actions 
the United States may take. They're difficult questions because 
they involve applying longstanding international rules 
developed in some cases over centuries to new and rapidly 
changing technologies and forms of warfare.
    To state up-front my main point, international law in this 
area is not settled. There is, however, ample room within 
existing international law, including the U.N. Charter's 
thresholds, to support a strong cyber strategy and powerful 
deterrent. The United States should continue to exercise 
leadership in advancing interpretations that support its 
interests, including operational needs, bearing in mind that we 
also seek to constrain the behaviors of others.
    It's important that the U.S. Government continue to refine 
and promote diplomatically its legal positions on these issues. 
Aside from the American commitment to the rule of law and 
treaty obligations, established rules help to influence 
opinions abroad, and they therefore raise or lower the cost of 
actions. Agreements on them internally within the government 
can speed decision-making, and agreements on them with allies 
can provide a basis for joint action.
    With those objectives in mind, I'll turn first to the 
question whether a cyber attack could amount to an act of war. 
When should a cyber attack be treated legally the same way we 
would, say, a ballistic missile attack versus an act of 
espionage, or should cyber attacks be treated altogether 
differently with entirely new rules?
    Different legal categories of hostile acts correspond to 
different legal options for countering them. The term ``act of 
war'' retains political meaning, but as a technical legal 
matter this term has been replaced by provisions of the United 
Nations Charter. Created after World War II, that central 
treaty prohibits the use of ``force by states against each 
other,'' and it affirms that states have a right of self-
defense against ``armed attacks.''
    Historically, those provisions were interpreted to apply to 
acts of physical or kinetic violence, but questions arise today 
as to how they might apply to grave harms that can be inflicted 
through hacking and malicious code. Even if the cyber attack 
does not rise to those U.N. Charter thresholds--take, for 
example, the hack of a government system that results in large 
theft of sensitive data--the United States would still have a 
broad menu of options for responding to them; and even cyber 
attacks that do not amount to force or armed attack may still 
violate other international law rules.
    However, a cyber attack that crosses the force or armed 
attack threshold would trigger legally an even wider set of 
responsive options, notably including military force or cyber 
actions that would otherwise be prohibited. In recent years the 
United States Government has taken the public position that 
some cyber attacks could cross the U.N. Charter's legal 
thresholds of force or armed attack. It is said that these 
determinations should consider many factors, including the 
nature and magnitude of injury to people and property.
    So at least for cases of cyber attacks that directly cause 
the sort of damage normally caused by, for example, a bomb or 
missile, the U.S. Government has declared it appropriate to 
treat them legally as one would an act of kinetic violence. 
Publicly, the United States Government usually provides only 
quite extreme scenarios, such as inducing a nuclear meltdown or 
causing aircraft to crash by interfering with control systems.
    This approach to applying by analogy well-established 
international legal rules and traditional thresholds to new 
technologies is not the only reasonable interpretation, but it 
is sensible and can accommodate a strong cyber strategy. It is 
likely better than alternatives such as declaring the U.N. 
Charter rules irrelevant or trying to negotiate new cyber rules 
from scratch.
    However, the United States Government's approach to date 
leaves a lot of gray areas. It leaves open how to treat some 
cyber attacks that do not directly and immediately cause 
physical injuries or destruction but that still cause massive 
harm. Take, for instance, a major outage of banking and 
financial services, or that weaken our defensive capabilities 
such as disrupting the functionality of military early warning 
systems. More clarity on this issue is important.
    Although the act of war or armed attack question usually 
attracts more attention, I want to raise another important 
international law issue, and that's the meaning of sovereignty 
in cyber. This could have significant impact on offensive and 
defensive options, and I'm glad that Ranking Member Reed 
mentioned this.
    Sovereignty is a well-established principle in 
international law. In general, it protects each state's 
authority and independence within its own territory. But 
sovereignty is not absolute, and its precise meaning is fuzzy. 
Because of the global interconnectedness of digital systems, 
including the fact that much data is stored abroad and 
constantly moving across territorial borders, questions could 
arise as to whether cyber activities, including U.S. offensive 
cyber actions or defensive cyber measures that occur in or 
transit third countries without their consent, might violate 
their sovereignty.
    Now, as a policy matter, we have a strong interest in 
limiting infiltration and manipulation of our own digital 
systems, and it may usually be wise to seek consent from states 
that host digital systems that might be affected or used in 
cyber operations. However, it is my view that there is not 
enough evidence of consistent and general practice among 
states, or a sense of binding legal obligation among them, to 
conclude that the principle of sovereignty would prohibit cyber 
operations just because, for example, some cyber activities 
take place within another state or even have some effects on 
its cyber infrastructure without consent, especially when the 
effects are minimal.
    I thank you very much for the opportunity to address the 
committee, and I look forward to your questions.
    [The prepared statement of Mr. Waxman follows:]

                Prepared Statement by Matthew C. Waxman
    Chairman McCain, Ranking Member Reed, members of the committee, and 
staff. I appreciate the opportunity to address this critical topic.
    In discussing cyber policy and deterrence, I have been asked 
specifically to address some of the international law questions most 
relevant to cyber threats and U.S. strategy. These include whether and 
when a cyber-attack amounts to an ``act of war,'' or, more precisely, 
an ``armed attack'' triggering a right of self-defense. I would also 
like to raise the issue of how the international legal principle of 
``sovereignty'' could apply to cyber activities, including to the 
United States' own cyber-operations.
    These are important questions because they affect how the United 
States may defend itself against cyber-attacks and what kinds of cyber-
actions the United States may itself take. They are difficult questions 
because they involve international rules, developed in some cases over 
centuries, to deal with new and rapidly changing technologies and forms 
of warfare.
    To state up-front my main points: International law in this area is 
not settled. There is, however, ample room within existing 
international law to support a strong cyber strategy, including a 
powerful deterrent. The answers to many international law questions 
discussed below depend on specific, case-by-case facts, and are likely 
to be highly contested for a long time to come. This means that the 
United States should continue to exercise leadership in advancing 
interpretations that support its strategic interests, including its own 
operational needs, bearing in mind that we also seek rules that will 
effectively constrain the behaviors of others. \1\
---------------------------------------------------------------------------
    \1\ This testimony draws heavily on two previous articles: Matthew 
C. Waxman, ``Cyber-Attacks and the Use of Force: Back to the Future of 
Article 2(4),'' Yale Journal of International Law, Vol. 36 (2011) 
(available at http://digitalcommons.law.yale.edu/cgi/
viewcontent.cgi?article= 1403&context=yjil); and Matthew C. Waxman, 
``Self-Defensive Force Against Cyber Attacks: Legal, Strategic and 
Political Dimensions,'' International Law Studies, Vol. 89 (2013) 
(available at http://stockton.usnwc.edu/ils/vol89/iss1/19/).
---------------------------------------------------------------------------
    Before turning to some specific questions, let me say a few words 
about why international law matters here, and why it is important that 
the U.S. Government continues to refine, explain and promote 
diplomatically its legal positions on these issues. Besides American 
commitment to rule of law and treaty obligations, international law is 
relevant to U.S. cyber strategy in several ways. Established rules and 
obligations help influence opinions and shape reactions among audiences 
abroad, and they therefore raise or lower the costs of actions. They 
may be useful in setting, communicating and reinforcing ``red lines,'' 
as well as for preserving international stability, especially during 
crises. Agreement on them internally within the government can speed 
decision-making. And agreement on them with allies can provide a basis 
for cooperation and joint action.
    In approaching these legal questions, the U.S. Government also must 
think through what legal rules or interpretations it seeks to defend 
itself as well as how those legal rules might limit its authority to 
carry out its own cyber-operations. And, of course, the same rules and 
interpretations advanced by the United States may be used by other 
states to help justify their own actions.
    With those objectives in mind, I will turn to some specific 
international legal questions.
    First, it is sometimes asked whether a cyber-attack could amount to 
an ``act of war.'' More broadly, how are cyber-attacks classified or 
categorized under international law? When should a cyber-attack be 
treated legally the same way we would treat a ballistic missile attack, 
for example, versus an act of espionage, or an act of economic 
competition? Or should actions carried out in cyberspace be treated 
altogether differently, with entirely new rules? One reason this 
matters is that certain broad categories of hostile actions are 
prohibited under well-established international law. Another reason is 
that how a hostile action is categorized under international law is 
relevant to what types and levels of defensive responses are permitted. 
That is, different legal categories of hostile acts correspond to 
different legal options for countering them.
    The term ``act of war'' retains political meaning, usually to 
signify the hostile intent and magnitude of threat posed by an 
adversary's actions. As a technical legal matter, this term has been 
replaced by provisions of the United Nations Charter. That central, 
global treaty created after World War II prohibits the use of ``force'' 
by states against each other, and it affirms that states have a right 
of self-defense against ``armed attacks.'' \2\ Historically, those 
provisions had generally been interpreted to apply to acts of physical 
violence. Questions arise today, though, as to how these provisions 
should be interpreted to account for the grave harms that can be 
inflicted through hacking and malicious code, rather than bombs and 
bullets.
---------------------------------------------------------------------------
    \2\ Most international lawyers agree that the right of self-defense 
includes right to use force in anticipatory self-defense to prevent an 
imminent attack, and this should be true in cyber as well, though 
determining the ``imminence'' of an attack is likely to be especially 
challenging.
---------------------------------------------------------------------------
    A more legally precise way to frame the ``act of war'' question, 
then, is whether a cyber-attack could violate the UN Charter's 
prohibitions of force or could amount to an armed attack. \3\ Even if a 
cyber-attack does not rise to those thresholds--take, for example, a 
hack of government systems that results in the theft of large amounts 
of sensitive data--the United States would still have a broad menu of 
options for responding to them. And even cyber-attacks that do not 
amount to force or armed attack may nevertheless violate other 
international law rules, some of which I discuss below. \4\ However, a 
cyber-attack that does cross the force or armed attack threshold would 
trigger legally an even wider set of responsive options, which notably 
could include military force or cyber-actions that would themselves 
otherwise constitute prohibited force.
---------------------------------------------------------------------------
    \3\ With regard to conventional military force, the United States 
has in the past taken the position that there is no gap between a use 
of ``force'' and an ``armed attack.'' Many international lawyers 
disagree, however, and treat armed attack as a higher threshold. I have 
noted in the past that the application of these rules to cyber-attacks 
may require some rethinking of this issue. Matthew C. Waxman, ``Cyber-
Attacks and the Use of Force: Back to the Future of Article 2(4),'' 
Yale Journal of International Law, Vol. 36 (2011), pp. 438-440.
    \4\ Some cyber-attacks that do not fall within these categories 
may, for example, still violate other international legal principles 
(such as the principle of ``sovereignty,'' discussed below); specific 
provisions of other bodies of international law, such as space law; or 
a state's domestic law. As a general matter, states may respond to 
violations of international law that do not constitute an armed attack 
with ``countermeasures.'' Countermeasures are defensive actions that 
would otherwise be illegal but are intended to bring a violator into 
compliance with international law. And even unfriendly actions that are 
within the bounds of international law, such as spying, may be 
addressed with ``retorsion,'' or unfriendly but legal acts. Examples of 
retorsion would be expelling diplomats or economic sanctions in 
response to a hack. While I do not endorse all of its interpretations, 
an important survey of many of these issues is contained the recently-
published Tallinn Manual 2.0 on the International Law Applicable to 
Cyber Operations (2017).
---------------------------------------------------------------------------
    Similar questions arise in interpreting mutual defense treaties, 
such as the North Atlantic Treaty, to account for cyber-threats. Those 
commitments include collective responses to ``attacks,'' which 
historically meant kinetic military attacks but might be invoked in 
response to attacks carried out in cyberspace. \5\
---------------------------------------------------------------------------
    \5\ NATO has declared collectively that its defense commitments 
extend to cyberspace, though questions of attack thresholds remain. See 
NATO, ``Cyber Defence'' (last updated Feb. 17, 2017), available at 
http://www.nato.int/cps/en/natohq/topics_78170.htm.
---------------------------------------------------------------------------
    In recent years the United States government has definitively taken 
the public position that some cyber-attacks, even though carried out 
through digital means rather than kinetic violence, could cross the UN 
Charter's legal thresholds of ``force'' or ``armed attack.'' \6\ In 
taking that position, it has said that these determinations, in a given 
case, should consider many factors including the nature and magnitude 
of injury to people and the damage to property. Other relevant factors 
include the context in which the event occurs, who perpetrated it (or 
is believed to have perpetrated it) and with what intent, and the 
specific target or location of the attack. At least for cases of cyber-
attacks that directly cause the sort of injury or damage normally 
caused by, for example, a bomb or missile, the U.S. Government has 
declared it appropriate to treat them legally as one would an act of 
kinetic violence. In explaining publicly this position, the United 
States usually provides only quite extreme scenarios, such as inducing 
a nuclear meltdown or causing aircraft to crash by interfering with 
control systems.
---------------------------------------------------------------------------
    \6\ This general position has been declared in a number of 
statements and official documents, including: Department of Defense Law 
of War Manual (Dec. 2016 edition); Paper submitted by the United States 
to the 2014-15 UN Group of Governmental Experts (Oct. 2014); Harold 
Hongju Koh, Legal Adviser, Department of State, International Law in 
Cyberspace: Remarks as Prepared for Delivery to the USCYBERCOM Inter-
Agency Legal Conference (Sept. 18, 2012).
    That position has developed over time and across presidential 
administrations, though it remains contested and leaves open many 
questions. See Jack Goldsmith, ``How Cyber Changes the Laws of War,'' 
European Journal of International Law, vol. 24 (2013), pp. 133-135. In 
testifying before the Senate Committee considering his 2010 nomination 
to head the new Pentagon Cyber Command, Lieutenant General Keith 
Alexander explained that ``[t]here is no international consensus on a 
precise definition of a use of force, in or out of cyberspace.'' He 
went on to suggest, however, that ``[i]f the President determines a 
cyber event does meet the threshold of a use of force/armed attack, he 
may determine that the activity is of such scope, duration, or 
intensity that it warrants exercising our right to self-defense and/or 
the initiation of hostilities as an appropriate response.'' Advance 
Questions for Lieutenant General Keith Alexander, USA Nominee for 
Commander, United States Cyber Command: Before the Senate Armed 
Services Committee (Apr. 15, 2010). A 1999 Defense Department 
Assessment of International Legal Issues in Information Operations 
that, taking account of their consequences, some cyber-attacks could 
constitute armed attacks giving rise to the right of military self-
defense.
---------------------------------------------------------------------------
    This approach to applying by analogy well-established international 
legal rules to new technologies is not the only reasonable 
interpretation, but it is generally sensible and can accommodate a 
strong cyber strategy. It is likely better than alternatives such as 
declaring the UN Charter rules irrelevant to cyber or trying to 
negotiate new international legal rules from scratch.
    However, the U.S. Government's approach to date in interpreting the 
UN Charter for cyber-attacks, at least as explained publicly, may seem 
unsatisfactory to policymakers and planners. It leaves a lot of gray 
areas (though even in the more familiar world of physical armed force 
there are many legal gray areas). It is difficult to draw clear legal 
lines in advance when the formula calls for weighing many factors. And 
it leaves open how to treat legally some cyber-attacks that do not 
directly and immediately cause physical injuries or destruction but 
that nevertheless cause massive harm--take, for instance, a major 
outage of banking and financial services--or that weaken our defense 
capability--such as disrupting the functionality of military early 
warning systems.
    In terms of policy, it may therefore be useful to draw sharper 
``red lines'' than the United States has done to date--though because 
of ambiguities it would be difficult to use international legal 
boundaries alone as the basis for clear and general line-drawing. The 
United States has been pushing for, and should push for, certain norms 
of expected behavior in cyberspace (which may not be formally 
required), and similarly it should continue to discuss or negotiate 
with rivals some specific mutual restraints on cyber-attacks on 
particular types of targets, along with confidence-building measures.
    In terms of international law, however, I do not expect that 
precise answers to these questions about ``force'' and ``armed attack'' 
will, or can, all get worked out quickly. The scenarios for cyber-
attacks are very diverse and the processes by which international law 
develops--much of it through the actions and arguments, counter-actions 
and counter-arguments of states--are slow. \7\
---------------------------------------------------------------------------
    \7\ As I have previously written:
       [I]ncremental legal development through State practice will be 
especially difficult to assess because of several features of cyber 
attacks. Actions and counteractions with respect to cyber attacks will 
lack the transparency of most other forms of conflict, sometimes for 
technical reasons but sometimes for political and strategic reasons. It 
will be difficult to develop consensus understandings even of the fact 
patterns on which States' legal claims and counterclaims are based, 
assuming those claims are leveled publicly at all, when so many of the 
key facts will be contested, secret, or difficult to observe or 
measure. Furthermore, the likely infrequency of ``naked'' cases of 
cyber attacks--outside the context of other threats or ongoing 
hostilities--means that there will be few opportunities to develop and 
assess State practice and reactions to them in ways that establish 
widely applicable precedent.
       Matthew C. Waxman, ``Self-Defensive Force Against Cyber Attacks: 
Legal, Strategic and Political Dimensions,'' International Law Studies, 
Vol. 89 (2013), p. 121.
---------------------------------------------------------------------------
    Although the ``act of war'' or, more precisely, ``armed attack'' 
question usually attracts more attention, I want to raise for your 
consideration another relevant international law issue: the meaning of 
state ``sovereignty'' in the cyber context. \8\ The United States cares 
deeply about preserving its own sovereignty. I would emphasize also, 
though, that the meaning of that concept in the cyber context--or how 
the U.S. Government interprets the principle of sovereignty as it 
applies to digital information and infrastructure--could have 
significant impact on the offensive and defensive operational options 
available to the United States. \9\
---------------------------------------------------------------------------
    \8\ Some of these issues are discussed in Brian J. Egan, Legal 
Adviser, Department of State, Remarks on International Law and 
Stability in Cyberspace, Berkeley Law School (Nov. 10, 2016).
    \9\ Very similar issues arise with respect to the international 
legal principle of ``neutrality'' during armed conflicts.
---------------------------------------------------------------------------
    ``Sovereignty'' is a well-established principle of international 
law. In general, it protects each state's authority and independence 
within its own territory (and a closely related concept in 
international law is the principle of ``non-intervention). \10\ But 
sovereignty is not absolute and its precise meaning is fuzzy--even in 
physical space, let alone cyberspace. Questions could arise as to 
whether cyber-activities, including U.S. offensive cyber-actions or 
defensive cyber-measures, that occur in or transit third-countries 
without their consent might violate their sovereignty. Because of the 
global interconnectedness of digital systems, including the fact that 
much data is stored abroad and constantly moving across territorial 
borders, the answer to such questions could have far-reaching 
implications for cyber-operations.
---------------------------------------------------------------------------
    \10\ For a discussion of these principles and some possible 
interpretations (among many) for cyber-operations, see the Tallinn 
Manual 2.0 on the International Law Applicable to Cyber Operations 
(2017), pp. 11-27, 312-325.
---------------------------------------------------------------------------
    I am mindful, as a policy matter, that we have a strong interest in 
limiting infiltration and manipulation of our own digital systems. 
However, it is my view that there is not enough evidence of consistent 
and general practice among states, or a sense of binding legal 
obligation among states, to conclude that the principle of sovereignty 
would prohibit cyber-operations just because, for example, some cyber-
activities take place within another state, or even have some effects 
on its cyber-infrastructure, without consent. It may usually be wise to 
seek that consent from states that ``host'' digital systems that might 
be affected or used in cyber-operations, but I am skeptical of legal 
interpretations of sovereignty that impose extremely strict 
requirements to obtain it, especially when the effects are minimal.
    This is not the setting to discuss operational issues in detail. I 
expect, though, that such questions about how sovereignty principles 
apply to cyber-operations, like questions ``force'' and ``armed 
attack'' thresholds, will remain the focus of intense discussion within 
the U.S. Government and with allies and partners abroad.

                                        * * *

    I will conclude by reiterating that existing international law, 
although not yet settled, is adequate to support a strong cyber-defense 
strategy, including a powerful deterrent. The answers to many 
international law questions, such as those I have discussed, depend on 
specific, case-by-case facts, and are likely to be highly contested for 
a long time to come. This means that the United States should continue 
to exercise leadership in advancing interpretations that support its 
strategic interests, including its own operational needs, bearing in 
mind that we also seek rules that will effectively constrain the 
behaviors of others.

    Chairman McCain. Thank you. Mr. Waxman, frankly, you raise 
more questions than answers. For example, if an enemy or an 
adversary is capable of changing the outcome of an election, 
that's a blow at the fundamentals of that country's ability to 
govern, right?
    Mr. Waxman. Senator, I would call that----
    Chairman McCain. If you destroy the election system of a 
democracy, if you destroy it, then you have basically dealt an 
incredible blow to that country which is probably far more 
severe than shutting down an electrical grid.
    Mr. Waxman. So, Senator, I would certainly call that a very 
hostile act that demands a strong response. It's certainly a 
threat to our democracy. Legally, though, I would not regard 
that as an armed attack that would justify a military response.
    Chairman McCain. I wouldn't call it an armed attack, but I 
would call it an attack that has more severe effects than 
possibly shutting down an electrical grid.
    Mr. Waxman. That's correct, Senator. I think there are 
certain categories of activity that can have tremendous effects 
on states' core interests. At least traditionally, at least 
traditionally, international law has recognized only certain 
categories as justifying armed force in response.
    Chairman McCain. Well, I thank you, but this is really--you 
raise several fundamental questions that have to be resolved by 
the Congress and the American people.
    What is an attack? If so, what response is proportionate? 
Should we always play defense? Should we, if we see an attack 
coming, should we attack first? Obviously, when we get into 
some of these issues concerning how we monitor possible acts of 
terrorism, we have this collision between the right to privacy 
and, of course, the public interest. But I'm sure this will be 
a discussion that we'll need to have with a bunch of the other 
lawyers on this committee.
    So, as I understand it, General Alexander and Dr. Fields 
and Dr. Miller, we have four agencies that are responsible 
against cyber attacks, the FBI [Federal Bureau of 
Investigation], Homeland Security, Intelligence, and Department 
of Defense. They're the ones that are in the lead for defending 
the Homeland, military computer networks, employing military 
cyber capabilities.
    It seems to me that there seem to be four different islands 
here. General Alexander, with your background, first of all, do 
you agree that the status quo isn't working? Second of all, 
what's the answer? What is the solution to what is clearly, it 
seems to me, a stovepiped scenario? We know that stovepipes 
don't work very well.
    General Alexander. Chairman McCain, I agree, it's not 
working. There are four stovepipes, and it doesn't make sense. 
If we were running this like a business, we'd put them 
together.
    The issue now gets to both the issue that you and Ranking 
Member Reed brought up. We now have all these committees in 
Congress looking at all these, and it's messed up.
    So the answer lies in a couple of areas, and I would 
recommend a discussion with former Secretary Gates because he 
and I had this, and I'll give you the gist of what we talked 
about, which was bring it together. We were looking at how 
you'd bring together at least Homeland Security, the law 
enforcement, and you already had the intel community and 
Defense Department together under one framework. I think that's 
where we need to go.
    Before we do that, I would highly recommend that we get 
those four groups together and practice. Do a couple of 
exercises with Congress and with the Government, and 
potentially with industry, and show how this would and should 
work. I think we've got to lay that out like we do with any 
other operation. We haven't done that.
    So what you have is people acting independently. With those 
schemes, we will never defend this country. More importantly, 
when industry looks at our government, they are, quite frankly, 
dismayed. We are all over the map, and no one can answer who is 
responsible. So you have to bring it together.
    Chairman McCain. Are you sure industry is that interested 
in cooperating?
    General Alexander. Absolutely. My experience--especially 
those who own critical infrastructure understand that they 
cannot defend that without government support. Working 
together, they see an opportunity.
    Chairman McCain. Dr. Fields?
    Dr. Fields. The situation is a little more complicated 
because if you want to look at both defense and deterrence, you 
have to bring in other organs of the executive branch, like 
Treasury, a very effective part in this respect.
    I don't see duplication of effort; I see gaps in effort, 
because we don't have an orchestra conductor to ensure that we 
don't have those gaps. Finding that orchestra conductor is not 
something that is easy. When we talked about it in the board we 
said, well, maybe the National Security Council, the National 
Security Advisor can play the role. We haven't had complete 
comfort with that as a solution.
    Is that a fair statement, Jim?
    Dr. Miller. That's very fair.
    Dr. Fields. So it is an unsolved problem. It's an unsolved 
problem because I actually think we do need a campaign strategy 
to make this a continuous process. This is not inflation 
exercises. The exercises are in service of high performance in 
executing the campaign.
    Chairman McCain. We should start with a policy.
    Dr. Fields. We need a policy, and we need a strategy to 
execute consistent with that policy, and we need a--again, I'm 
going to use the term ``orchestra conductor''--a more elegant 
term can no doubt be found--in order to make sure the gaps are 
filled. That, to me, is a much larger issue than some other 
issues in terms of is intelligence collecting the right stuff 
at the right time, do we have an adequate number of cyber 
offense folks, so on and so forth. There's a long list of 
execution issues. But unless we have the policy and the 
orchestra conductor and the strategy, we will never go where 
you want to go.
    Chairman McCain. Well, maybe for the record you can give 
us, all three of you, and you also, Mr. Waxman, who that 
conductor should be, who should be the members of the 
orchestra, and how legislatively we should act in order to make 
all that possible.
    Dr. Miller, real quick.
    Dr. Miller. Thank you, Chairman. I agree with your premise, 
and I agree with both General Alexander and Dr. Fields 
regarding the nature of the solution. I'm not convinced that a 
massive reorganization is appropriate, certainly at this point 
in time, and I'd be looking toward an integrating body.
    One option I believe should be considered is to build out 
from the so-called CTIIC, the Cyber Threat Intelligence 
Integration Center, which currently has an intelligence 
integration mission, and look to build at least toward a 
national counter-terrorism center model, if not towards a joint 
interagency task force model. If you had a so-called JIATF 
[Joint Interagency Task Force], it could have a civilian at the 
head, a military deputy, it could have different structures. 
But that would then bring a core team together that would be 
responsible for executing strategy following the policy, but to 
develop specific options in advance to conduct the planning and 
to be prepared to orchestrate responses of the nation in 
support of that strategy and policy.
    Chairman McCain. Thank you.
    Senator Reed?
    Senator Reed. Well, thank you very much, Mr. Chairman.
    Thank you, General, for your testimony. My sense from the 
testimony and your very astute comments is there is an 
interactive arrangement between strategy and exercises. You 
have to have a strategy to sort of get the exercise, but the 
exercise shows you how good or bad your strategy is.
    One of the things I share with General Alexander's concern 
is we're not really exercising with the commercial world and 
the governmental world. We do it ad hoc. We have overlaps in 
logistics, but we have to know what some commercial companies 
can do, but then we have huge gulfs. Again, just quickly, your 
comments about how to act, because I think in terms of getting 
something done quickly, testing even a bad strategy or even an 
incoherent strategy but just going out to see where the holes 
are is better than, frankly, theorizing.
    So, General Alexander, your comments. Then, Dr. Fields, I 
have a couple of other questions.
    General Alexander. Yes. So, Senator, I believe that the 
strategy we should put in place is the government is 
responsible for defending the nation, and how are we going to 
do it, and that covers the full spectrum, whether it is our 
electoral system or the power grid or government; how do we do 
it?
    Today, we take the approach that it's not doable. But let's 
put down a strategy that shows how we could do it, and then 
test that in this exercise program. That's what I think we 
should do. Then we'll get the organizational structure that 
supports it.
    Senator Reed. Again, we're getting to the point of if it's 
voluntary, some people might come and some people might not. To 
be effective, it's going to have to be comprehensive, and 
there's going to have to be a certain inducement, either an 
incentive or a disincentive.
    Dr. Fields, your comments quickly.
    Dr. Fields. What he said is just right. Strategy creation, 
exercise. Exercises go hand in hand, writing a strategy. 
Exercises without a strategy won't be good enough. I would add 
to that that we want an exercise program which consists of do 
an exercise, fix what's wrong, do an exercise, fix what's 
wrong. Too often it's open loop and not closed loop. But in any 
case, we're not doing it. The sooner we do it, the better.
    Senator Reed. Dr. Miller, do you have a comment?
    Dr. Miller. Senator Reed, I agree with General Alexander 
and Dr. Fields, and I would add two points. First is the task 
force recommendations on campaign, finding and developing an 
effective tool kit of potential responses, a so-called playbook 
of potential responses. That would be an important mechanism 
for getting below the level of strategy to planning, and to get 
to actual responses, as well as to prioritize where additional 
investments should be made in resilience.
    Second, the type of systematic approach to exercises would 
also serve to demonstrate our resilience and to show gaps. But 
over time we'd demonstrate our resilience and begin to show the 
nation's willingness to respond, as well, to attacks.
    Senator Reed. Mr. Waxman, sort of a variation on that, 
because you've been talking in the context of international 
law, and these aspects can be incorporated also into exercises 
as to what do we have to stop or where do we have to refine the 
law, and use that as the basis. Is that accurate?
    Mr. Waxman. That is accurate. I would echo the points that 
were just made and say this is an area where because of some 
ambiguities and gray areas of unsettled law, it's very 
important that lawyers be working hand in hand with the 
policymakers, the strategists, and the operators. This is not 
an area where you want to say lawyers, you go off into a room, 
figure it out, and then come back and tell us where the limits 
are.
    The fact that there is some unsettled gray area in the law 
here, on the one hand, makes it difficult to know where the 
boundaries are, but it's also an opportunity if we think about 
this strategically. We want the lawyers to be consulting with 
the policymakers on where they want to go and asking questions 
together, like what does a particular interpretation get us 
that we wouldn't otherwise be able to do; how might this limit 
us in other areas, let's say if we're engaging in offensive 
cyber operations; would this open the door to unintended 
consequences. So I think they need to be linked up.
    Senator Reed. Just a final question. I have a couple of 
seconds left.
    Dr. Fields, you talked about deterrence, and one of the 
things that impressed me was that nowadays it's more of a 
psychological dimension than a physical destruction dimension, 
which leads to the target at the focus. You're really talking 
about individuals in the case of hypothetically between Russia 
and the United States, and conversely in terms of Russia and 
the United States from their direction, our president. Is that 
a fair estimate of where the new deterrence is headed?
    Dr. Fields. The principle actually is quite old. In fact, 
it may be as old as mankind. You change the behavior of people, 
and that's what we're trying to do with deterrence, unless you 
decide something different, something we want.
    Senator Reed. [Presiding] On behalf of Chairman McCain, I 
recognize Senator Inhofe.
    Senator Inhofe. Thank you. First of all, let me say to you, 
General Alexander, that it was back in 2001 that we talked 
about involving the university. The University of Tulsa has 
become quite a leader in this area. Have you had a chance to 
see some of the progress since you left this job?
    General Alexander. Yes. The last I saw, Senator, was what 
they were doing in industrial control systems. I think that's 
really good, and I think the capabilities and the students they 
provide back to the government is great. So I do think pushing 
with universities education, just as you brought up, is 
something that we have to do.
    Senator Inhofe. Okay. The Chairman talked about the 
stovepipes. I want to go back and just repeat a couple of 
things here. The FBI has involvement in this thing, the 
Homeland Security, the Intelligence Committee, Department of 
Defense, and it's kind of in this chart all of you have seen. 
It's a little bit convoluted for those of us who are not as 
familiar with it as you folks are.
    Do each of you agree that the current structure should 
require some fundamental change?
    Dr. Miller. Senator, I do.
    Dr. Fields. I echo Jim's comments of a moment ago, namely 
reorganizing. Rewiring is not the solution; too disruptive. A 
fundamental change in how it works, absolutely.
    General Alexander. I have the chart, and I'll tell you that 
first, when we talk to the different agencies, they don't 
understand their roles and responsibilities. So when you ask 
them who is defending what, you get a different response. So 
even though this is the federal cyber security ops team, and 
this was put out by the White House to the commission, when we 
asked the individuals, they couldn't do it.
    The second part that you asked is, yes, I do think, 
Senator, that it needs to be brought together. That's the 
strategy we should put in place, how do we defend this country, 
and then let's walk through it, with the exercising continually 
evolving.
    Senator Inhofe. Yes, but the reason I--last week Senator 
Rounds and I were in Israel, and we were talking to the head of 
Israel's national cyber directorate, Dr. Evatar Mitana. He said 
Israel has been one of the first countries to prepare for cyber 
security challenges using three primary processes: providing 
education and information on all cyber-related issues through 
business and industry leaders; establishing the Israeli 
National Cyber Authority; and pursuing the development of cyber 
technology throughout the country, including academic and 
educational institutions.
    He also said during the meeting that Israel has unified all 
cyber operations under one doctrine, one strategy, and a single 
point of accountability.
    I would ask, are there some lessons we could learn? 
Generally, we're pretty turf oriented in this country. But do 
his comments make any sense to you as to how they're doing it?
    Dr. Miller. Senator, your comments make a lot of sense. A 
common approach to engaging industry with information and a 
systematic effort to do that would be very valuable. I second 
General Alexander's earlier comments that in my experience 
sometimes industry is unsure with whom to engage, and the 
people on the government side are sometimes unsure who has that 
responsibility as well.
    Then fundamentally as you look at going from not just 
strategy but to the ability to implement strategy, having a 
single point of accountability and responsibility below the 
level of the national security advisor or a deputy security 
advisor who ought to be focused on policy and strategy, that 
does make a lot of sense to me, and I think that's why the task 
force makes sense as a model to look at.
    Senator Inhofe. I agree, and I appreciate that.
    General Alexander, they told us that you are going to be 
speaking over there in June. You might get with them and go 
over this. There are always other ideas out there. Does that 
sound like a pretty good idea?
    General Alexander. Will do, Senator.
    Senator Inhofe. Okay. One thing, one issue, and you brought 
this up, Dr. Miller, in your statement you said, ``the 
declaratory policy that makes clear the United States will 
respond to all cyber attacks. The question will not be whether 
but how.'' Of course, you brought up something, Dr. Fields. In 
your eighth point you said, ``Credibility is a necessary 
enabler of deterrence. If a leader we want to deter does not 
believe we will act, it is difficult to deter. Announcing red 
lines and then overlooking offenses is not constructive.''
    I think that that has happened. How do you reestablish 
credibility, assuming that some of it has been lost?
    Dr. Fields. You reestablish credibility not by making a 
declaration alone but by acting. We have so many cyber 
intrusions going on every day that there's plenty of 
opportunity to act.
    Senator Inhofe. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCain. [Presiding] Senator Shaheen?
    Senator Shaheen. Thank you, Mr. Chairman.
    Thank you gentlemen for being here today.
    I would like to pick up on Senator McCain's point about the 
Russian hacking into our electoral system because, Mr. Waxman, 
I do believe that that's a strategy that Russia is using, just 
as they're using military conflict, propaganda to undermine 
Western democracy. So I think we should think about whether 
it's an act of war or not.
    I was in Poland with Senator Durbin last week, and one of 
the things that we heard from some of the civil society leaders 
in Poland was they were asking about the hacking of our 
electoral system, and they said if the United States isn't 
going to take any action in response to that Russian intrusion 
against your elections, then how can we think that the United 
States is going to take any action to protect us against 
Russia?
    So, Drs. Field and Miller, given your credibility is a 
necessary enabler of deterrence, and if a leader we want to 
deter does not believe we will act, then it's difficult to 
deter, what kind of message does it send to Vladimir Putin and 
to the rest of the world if we don't take action in response to 
Russian hacking in our elections? I'm happy to have anybody 
answer that, or General Alexander.
    Dr. Fields. I don't feel qualified to observe whether or 
not hacking into our election is an act of war or isn't an act 
of war.
    Senator Shaheen. I'm not asking you to determine on act of 
war. I'm asking what message it sends to others who are looking 
at the United States' response to that hacking.
    Dr. Fields. I think the question that I'm worried about is 
what do we want to do so that it doesn't happen in 2018 and 
doesn't happen in 2020. Taking no action guarantees escalation. 
Taking action has the possibility of escalation but also the 
possibility of deterrence. There are many possible actions we 
can take, not for this hearing, unclassified, but we have to do 
it.
    Senator Shaheen. General Alexander?
    General Alexander. Senator, I think we have to do two 
things. One, I do think we have to push back overtly so that 
the rest of the world knows that, but we also need to fix our 
defense. It's wide open, and what happened, and what's been 
happening, people can get in and take what they want. Without 
any defensive architecture or framework, that's where we are. 
So we ought to do both. We ought to push back, but we also 
ought to fix our defense, come up with a comprehensive 
strategy. We can defend this country in cyberspace. We're not 
doing it, and that's what I think we need to do.
    Senator Shaheen. Well, I certainly agree with that. That 
makes sense.
    To your point about cooperating with the private sector, 
the Department of Defense has issued regulations that require 
all DOD contractors, including small businesses, to comply with 
a series of cyber security requirements by December 31st of 
this year. As part of this rulemaking process, the Small 
Business Administration--I sit on the Small Business Committee, 
so that's why this has come to my attention--their Office of 
Advocacy has claimed that DOD underestimated the number of 
small businesses that are going to be affected by the rule, the 
costs of the rule, and the ability of small businesses to 
comply. In the final rule issued last October, DOD claimed it 
was not feasible to implement recommendations from the Office 
of Advocacy to provide some financial help to small business 
and some guidance, and they admitted that the cost of complying 
with the rule was unknown.
    Now, this week I had a small business contractor from New 
Hampshire in my office who was very concerned about how to 
comply with these requirements, and not even having information 
about what they needed to do to comply.
    So I guess my question for you, General Alexander, is 
should DOD be doing more to work with small businesses, and do 
you have any recommendations if the commission looked at this, 
and does it have any recommendations on how to help small 
businesses comply?
    General Alexander. So there are actually two sets of issues 
that you bring up. First, it is really difficult to comply with 
these types of standards. One is the international standard 
27,001, one is the NIST [National Institute of Standards and 
Technology] framework. As you look at it, how do companies 
certify that they've met all of those? That's a year-long 
process. It's very expensive, and you need a lot of people to 
do it. So a small business that has five people, it's going to 
be difficult.
    So I think we have to set up realistic expectations. How do 
they do that, or could they sub to a contractor who has that 
authority? The answer is I think you can get there. We are 
actually going through that in my company, so I can tell you 
how hard it is. We're doing it, and we have some people with 
perhaps some security background. So when we look at it, it's 
very difficult.
    The second part, think about all the industrial control 
systems out there. The standards on those are even worse. If 
you look at the threats that hit the Eastern seaboard last 
fall, it was caused by, in large part, by printers and by 
cameras and other things that had been coopted to help in the 
distributed service attacks. There is no way that we can today 
ensure that those are protected. So the IT [Information 
Technology] portion of the commission, what we've laid out 
there is you need to come up with some way of measuring how 
companies do that, first in the United States and then 
globally.
    Senator Shaheen. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCain. Thank you.
    Senator Fischer?
    Senator Fischer. Thank you, Mr. Chairman.
    Dr. Miller and Dr. Fields, the Defense Science Board 
recently released a final report on cyber deterrence and 
included a recommendation that the commander of CYBERCOM should 
develop scalable and strategic offensive cyber capabilities in 
order to deter cyber attacks against our critical 
infrastructure here in this country. Can you elaborate on this 
and what types of capabilities the DSB believes are needed, and 
tell us what the basis was for that recommendation?
    Dr. Miller. Senator, the basis for the recommendation was 
that although the United States should have the available 
option of not just cyber but other responses, whether 
diplomatic, economic and so forth, that one of the most 
credible potential responses in offensive cyber in use against 
us is to use offensive cyber back against the state that 
undertook the attack. Following what Dr. Fields talked about, 
what we want to do in developing that portfolio of options to 
go against Russia or China or North Korea or Iran in particular 
is to look at the leadership values and to look across a range 
of potential targets that would hold at risk what they value. 
Then the value of having this, the campaign funding that we 
talked about, is to have a sense of what level of response and 
what specific types of targets might be most appropriate for a 
given scenario, and there's a risk of both doing too little, 
responding too weakly, and there's a risk of responding too 
strongly in the sense that in some instances you may want to 
reserve something to deter additional attacks.
    So that's the fundamental structure of it, and as you look 
at those strategic options, the final point is to differentiate 
between those cyber actions by the military that are intended 
to have tactical or operational level effects on the 
battlefield and those that are intended to have psychological 
effects on the leadership of our potential adversaries.
    Senator Fischer. As you said in your opening, you're 
weighing the cost and the benefit, the increase and the 
decrease, on each of these; correct?
    Dr. Miller. Yes, ma'am. In fact, when we look at the 
offense, we're looking to increase the cost of a potential 
adversary using cyber attack or these costly cyber intrusions 
against us and our allies and partners.
    Senator Fischer. Another recommendation in the final report 
focused on acquisition of these offensive cyber capabilities. 
Specifically, it called for improved and accelerated 
acquisition authorities for CYBERCOM and also the establishment 
of a special organization for rapid acquisition.
    In the fiscal year 2016 [NDAA National Defense 
Authorization Act], the Emerging Threats and Capabilities 
Subcommittee, which I chaired at that time with Senator Nelson, 
included language that provided the commander of CYBERCOM some 
acquisition authority. In the fiscal year 2017 bill, it greatly 
expanded the commander's role in the requirement to process. I 
know some of the changes are still waiting to be implemented, 
but can you talk about how this dovetails with what the DSB was 
thinking, and are there other areas where further congressional 
action would be helpful?
    Dr. Miller. I'm glad to respond first and then turn it to 
my colleagues. In my view, it does dovetail very nicely with 
the prior congressional action. The recommendation we had was 
to establish a small team that had not just support but direct 
access to the senior leadership that would then look at how the 
efforts to date are going with respect to CYBERCOM acquisition 
authorities, to look at something like a rapid acquisition 
team. It could be embedded within CYBERCOM. It could be 
embedded beside it, in principle. What other steps should be 
taken, because although rapid acquisition is important in 
general, if you look at cyber tools and moving potential 
targets that we face, it is particularly important to be able 
to do that more quickly than we have to date.
    Dr. Fields. I want to be sure that the committee is 
calibrated properly on the speed that Jim is talking about. 
We're used to, in acquisitions, a system that responds in 
years. For this we need days and weeks, maybe less. It's a 
rapid-fire exchange. If we can't respond, we lose.
    Senator Fischer. Thank you, sir.
    Thank you, Mr. Chairman.
    Chairman McCain. Thank you.
    Senator Kaine?
    Senator Kaine. Thank you, Mr. Chairman.
    Thank you to the witnesses.
    General Alexander, in your testimony you have a quote: ``We 
must fundamentally rethink our nation's architecture for cyber 
defense,'' and all of the testimony today is a tribute to that. 
I want to switch gears to a closely related topic, which is 
information warfare. That's often closely connected with cyber 
attacks. So much of cyber attacks is to suck out personal 
information, and then with that personal information you can 
target false information to people, and it's part of a 
propaganda campaign.
    Last week, Russia's defense minister appeared in their 
parliament and bragged about the Russian military's new 
information warfare and propaganda efforts. We had testimony 
here from Director Clapper in January, and he said, quote, ``We 
need a U.S. information agency on steroids to fight this 
information war a lot more aggressively than we're doing right 
now, one that deals with the totality of the information in all 
forms, to include social media.'' ISIL [Islamic State of Iraq 
and the Levant] is also using social media platforms to do this 
kind of thing.
    Do you agree with Director Clapper's assessment, and what 
role do you think the public and private sector should play in 
an effort to counter information warfare connected to these 
cyber attacks?
    General Alexander. Senator, thanks. That's a great 
question. I'm not fully aware of all of Director Clapper's 
comments, but I do believe that we have to have some way of 
looking at how countries are pushing at us using information 
warfare and what we do on that. It gets to some really tough 
issues that have to be integrated across the entire government.
    As a consequence, some of the comments that we made earlier 
about an organized and central framework for this is what we're 
going to need to do. One of the questions that you put out to 
all of us was is there an organizational structure that needs 
to occur, and I think that's part of what needs to be tested in 
a strategy that we put out there.
    I think the government needs to say here's how we're going 
to defend this country from these types of attacks, whether 
it's information warfare or destroying data or stealing data, 
and we ought to then go through and see what the roles and 
responsibilities of each organization are. If it's a nation-
state and there is a possibility or probability that it will 
lead to war, then it's my belief it should be the Defense 
Department. If it's a law enforcement, then FBI/Justice. When I 
dealt with Director Mueller, we had a great partnership. We 
worked together eight years, and we had a great division of 
effort there. There were no seams between us.
    We can get there and do this, but there's no architecture 
today, Senator, and that's what I think we need to do.
    Senator Kaine. Other thoughts?
    Dr. Miller. Senator, I'd like to add that from my 
perspective--this is not reflecting the Defense Science Board--
from my perspective, because we are in a competition between 
models of government as well with respect to Russia and China, 
it seems pretty obvious to us and our allies and partners and 
most of the globe which is the preferred model. But we need to 
build on our strengths, and that includes a free press.
    So I would suggest that a fundamental goal should be to 
knock down fake news. As we think about that, we think largely 
of rhetorical steps, but cyber is a tool to knock down fake 
news and to take down fake websites and so forth. Having a set 
of rules of engagement and policies associated with that I 
believe could be valuable as well. I just want to emphasize the 
point that the last thing that any of us I know would want is 
something that would be portrayed or have any sniff of the type 
of propaganda that we're seeing from some of these other 
actors.
    Senator Kaine. Yes, we want to counter it but counter it in 
accord with our values, not contrary to our values.
    Dr. Fields. You were correct in noting that information 
ops, influence ops of the sort you're talking about, go beyond 
cyber and not only include cyber. Some examples: a foreign 
power buying a television station so it can make its point of 
view known because television is so influential; making 
campaign contributions through cutouts to particular political 
candidates. It's widespread.
    Last summer we spent a great deal of time on this, and we 
had 80 people working 9 months to come up with a set of 
actionable recommendations of how to both conduct and counter 
such operations. It starts with good intelligence collections, 
and know they're happening, and it goes beyond that into both 
defense and deterrence.
    So again, this is something that we can do. We just aren't 
doing it.
    Senator Kaine. Great. Let me just ask one other question 
quickly, workforce. The DOD used to have a scholarship for 
service program for cyber students. It helped about 600 
students learn cyber skills and then work at the DOD in cyber 
fields. That program within DOD was scrapped in 2013 during a 
period of the sequester and budgetary confusion.
    There is a similar program, a kind of ROTC [Reserve 
Officers' Training Corps] type program that is done through the 
National Science Foundation called Cyber Corps. But are 
programs like this necessary to try to bring in the talent that 
we need to ultimately fill the structure that we hope we might 
create that would be effective?
    General Alexander. I believe so, and I would take one step 
further. I think we should really push science and technology 
and engineering and math for the ROTC and the military 
academies as a strong, fundamental thing that students should 
understand, because as future leaders they're going to be 
expected to help guide their people to this, and if they don't 
understand it, they're not going to be able to do that.
    Dr. Fields. I would just add that there isn't a 
comprehensive program of the sort you're talking about and 
there should be. There are activities. DARPA [Defense Advanced 
Research Projects Agency] was very, very active in trying to 
engage young people, holding contests, and it's really very 
effective, if not comprehensive.
    Senator Kaine. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCain. Thank you.
    Senator Rounds?
    Senator Rounds. Thank you, Mr. Chairman.
    Mr. Waxman, I find it fascinating the discussion on 
sovereignty and the challenges that that would have for our 
country when we're talking about other players, whether they be 
first-tier competitors or non-country actors, non-national 
actors. They don't seem to have much concern about whether or 
not they move through the cyber world in the sovereignty area 
of other countries, or at least those areas that may very well 
come through lines that are in other countries.
    TALLINN 2.0--and you and I have discussed earlier that 
TALLINN 2.0 has not been released, and the discussion there has 
to do with sovereignty, and some of our allies may very well 
have a different point of view of what sovereignty should be 
considered with regard to cyber security.
    Could you share with us a little bit the challenges that we 
have if we don't come up with an appropriate determination for 
what sovereignty really means and the impact it has on our 
ability to come back in and respond to an attack?
    Mr. Waxman. Sure, Senator. I do worry about some overly-
restrictive interpretations of sovereignty. As I said in my 
opening statement, I'm concerned that some interpretations of 
sovereignty would go too far in limiting both our offensive 
cyber as well as our defensive cyber operations, especially if 
they involve cyber activities with relatively small effects on 
unconsenting third countries.
    As you said, recently published is a book, an effort called 
TALLINN 2.0. This was something that was conducted under the 
auspices of NATO's Center of Excellence for cyber issues, and 
it's an impressive and very important product for surveying the 
many international law issues that come up. I don't agree with 
all of its conclusions, though, and in particular I worry that 
it's an example of overly-restrictive interpretations of 
sovereignty that could needlessly and perhaps dangerously 
restrict our operational flexibility.
    Senator Rounds. Thank you.
    Any other thoughts or comments on that particular issue 
among the rest of the members?
    Dr. Miller. I don't want to give you a legal opinion 
because I'm not a lawyer, but I will say that some policy steps 
can be taken that can reduce that. For example, if we work with 
our allies and partners to have reciprocal arrangements where 
if we see something on their networks that's a threat we will 
take care of it, understanding that the presumption would be 
that there is no or minimal side effects associated with it, 
this could allow faster action, at least within that federation 
of allies and partners. I think there are a number of other 
steps that we should be looking at, and it reinforces Mr. 
Waxman's earlier point that the lawyers and policy people have 
to work closely together, and to do so in real time, the real 
world, and working through real problems.
    Senator Rounds. Thank you.
    Dr. Fields. Just to add that the Internet knows no bounds. 
If there is a communication, one communication might go through 
many countries, and we might not even know what countries it 
goes through. That's an issue, and also that our adversaries 
are mindful of our concerns on this matter and have the 
opportunity to locate their facilities in places where we don't 
want to go because of our concerns with sovereignty. That's 
using the cracks, the seams that we attend to is not really 
helpful for us. Intentionally or not, that's what they're 
doing, and in most cases intentionally.
    General Alexander. Senator, I would take one step further 
and say, for example, ISIS [Islamic State in Iraq and Syria] 
and other terrorism on the network, we shouldn't allow it, and 
we should work with our allies. If they have anything on that 
network, we should all work to take it down and identify where 
it is and tell those countries to take it down.
    There are things like that that are criminal in nature that 
we ought to all push for. The Internet isn't a free way for 
them to go out and recruit and train people and get funding. We 
ought to shut that down, and we ought to look at what are the 
other core values that we share with countries in this area 
that we could do. You've got those on child pornography and 
other areas. So we ought to just put that out there and do it.
    Senator Rounds. The supply chain for civilian and military 
technology is largely shared and increasingly produced 
offshore, particularly in the realm of microcontroller 
enterprise management software. This marks the first time in 
history that a critical weapons system is potentially dependent 
on commercially produced components which are produced 
overseas, perhaps by one of our allies and which, if subject to 
tampering, could create a cyber vulnerability for one of our 
weapons systems.
    My question is, what is your policy recommendation for 
securing the IT supply chain that originates in foreign 
countries to include our allies? One small part of it, but I 
think an important part of it.
    Dr. Fields. We have a very large study with a dozen 
recommendations for specific things the Department can do in 
order to mitigate the risk. Bringing all microelectronics back 
on shore is not going to happen. Mitigating the risk can 
happen. I can't do justice to that report in minus 21 seconds, 
but there are really things we can do. It's not impossible. The 
options are available.
    Senator Rounds. Mr. Chairman, thank you.
    Chairman McCain. Senator King?
    Senator King. Thank you, Mr. Chairman. I think this may be 
the most important hearing that we've had since I've been here, 
and I want to put a fine point on that. To me, the most 
chilling finding of the board was--and this is a direct quote--
``The unfortunate reality is that for at least the next decade, 
the offensive cyber capabilities of our most capable 
adversaries are likely to far exceed the United States' ability 
to defend key critical infrastructure.'' That is a powerful 
statement, and it seems to me that what we are observing here 
is a fundamental change in the nature of warfare that's 
occurring right before our eyes.
    The historical example I think of is the Battle of 
Agincourt in October of 1415, when a ragtag British army of 
7,000 soundly defeated a French army estimated between 20,000 
and 30,000. The British lost 600. The French lost 7,000. The 
difference was technology, the long bow. That is what changed 
the course of history, and it was because the mightiest army in 
the world, the French, did not wake up to the change in 
technology represented by the long bow.
    We're the mightiest military in the world right now, but 
for the cost of one F-35 the Russians can hire 5,000 hackers, 
and we are seeing this happen. What bothers me, Mr. Chairman, 
if there is an attack--and I don't think it's if, I think it's 
when--and we go home, and I go home to Maine and say, well, we 
couldn't really defend ourselves because we had four committees 
that couldn't get the jurisdiction together, I don't think 
anybody in Maine is going to buy that.
    So we've got to get this right. If you're right, that 
technically we can't defend ourselves, then deterrence is the 
only answer. So I have several questions on that.
    One is you list your eight principles of deterrence, which 
I think are very important. One that's not there, I think 
number 9 is whatever we have for deterrence has to be public. 
It's not deterrence unless the other side knows what's there.
    Do you concur that there has to be some, maybe not all the 
technical things that we have, but people to be deterred have 
to know there's a threat they're going to be whacked with if 
they come against us?
    Dr. Fields. My list is much longer, but I tried to keep it 
to 5 minutes. So your addition is a good one, but there are 
several others as well. What you say is absolutely correct.
    Senator King. Well, I think we've got to have the capacity 
to deter.
    The other question, and this gets back to my comment about 
congressional jurisdiction and committees, does this need 
congressional action, or is this something the executive has 
responsibility for because of their being the Commander in 
Chief? Is this something that can be done within the 
organization of the executive branch, or is there legislation 
necessary? If there is, tell us what it is so we can move on 
it.
    General Alexander?
    General Alexander. If I could, I think, Senator, that, one, 
if we go the path we're on right now, we will be behind in 10 
years. But I do believe there is a solution out there where 
government and industry could work together and provide a much 
better defensible----
    Senator King. Much better, but do you think it's capable to 
defend entirely? I don't think that's possible technologically.
    General Alexander. Well, you see, I think what we should do 
is say how do we want to do that, and then put together a 
framework to do it, and test it. But right now what we've done, 
in my opinion, is we've said it's too hard, and I actually 
believe it can be done.
    Now, will it be perfect in the first five years? Probably 
not. But I think we could set together a framework to defend 
this nation where industry and government work together.
    Senator King. Well, I don't think we have five years. This 
is the longest windup for a punch in the history of the world.
    General Alexander. Right, so we ought to get on with it. 
What we've done since 7 years ago when I went before this 
committee--thank you--and you guys confirmed me despite all 
that, at that time we talked about defending this country. 
Here's how I think we should do it. Put together a framework, 
but also have the rules of engagement so when somebody comes at 
us, we go back at them.
    Senator King. That gets to my point about it has to be 
public. People have to know what the rules are.
    General Alexander. That's right, exactly, and we don't have 
those, so we ought to create it. I think it's a combination 
between the administration and Congress, because there is going 
to have to be some reorganization that will come out of this 
strategy and training. But we ought to do it. We've spent--year 
after year we come back and have the same meeting, and we're 
not getting progress. We need to get this fixed.
    Senator King. I agree. Thank you.
    Dr. Miller. Chairman, can I add very quickly, Mr. Chairman? 
There's no question there's an important role for Congress. 
We're seeing some of it today, but funding, organizational 
change, policy issues and so on.
    I want to emphasize that it's fundamentally important to 
improve the defense and resilience of our critical 
infrastructure. It was the judgment of the task force that even 
with substantial efforts there, we are not going to be able to 
prevent the most capable actors, by which I specifically mean 
China and Russia, from being able to----
    Senator King. That was the sentence I read.
    Dr. Miller.--get in to produce significant, if not 
catastrophic, effects. But we can raise the level of difficulty 
for them so it's more challenging for them. That will give 
better indicators, a better chance to interdict, as General 
Alexander talked about, and fundamentally so that we don't 
allow us to get into the same position with respect to an Iran 
or a North Korea or a terrorist group, which is completely 
untenable.
    Chairman McCain. But doesn't this go back to what won the 
Cold War? Peace through strength. If they commit one of these, 
a price, that they would pay for it, that it would be 
unacceptable. Rather than trying to devise--General Alexander 
said 5 years or so to construct the defenses. In the meantime, 
the response will be such that it will cost them a hell of a 
lot more than anything they might gain. Does that make any 
sense?
    General Alexander. Absolutely. What we do right now is 
there are no rules of engagement and there is no integrated 
infrastructure between industry and the government. Both of 
those are things that could and should be done in parallel.
    Chairman McCain. But as all the witnesses have said, we 
don't want to create another bureaucracy, right?
    Senator Wicker?
    Senator Wicker. Mr. Chairman, if Senator King wants to 
quote a few lines from the St. Crispin's Day speech, I'll yield 
him two minutes.
    [Laughter.]
    Senator King. ``Oh, ye brothers, ye band of brothers, ye 
precious few.''
    Senator Wicker. But this is a different bunch we're talking 
about in this day and age.
    Gentlemen, in the paper from Dr. Fields and Dr. Miller, we 
have three cyber deterrence challenges--Russia, China, regional 
powers, Iran and North Korea, and then the non-state actors. I 
don't want to ask you to reiterate things that have already 
been said, but I did check with staff and I understand we 
haven't really had much of a talk about the non-state actors.
    Senator King mentioned to defend versus deter, and 
particularly with regard to the non-state actors, a deterrence 
against them would have to look far different from a deterrence 
against a nation-state. So would anyone like to help us out on 
that?
    Dr. Fields. To date, non-state actors haven't demonstrated 
the cyber power that the major state actors have demonstrated. 
That won't last forever, but it's the case today.
    So today, a reasonable approach to non-state actors is, in 
fact, a defense strategy with a little bit of deterrence. At 
the point where we have to deal with deterrence as their power 
grows, their capability in cyber grows, the same principles 
apply but all the details would be completely different.
    We have to identify them, we have to identify what they 
hold dear, we have to understand what the leaders hold dear, 
all the things we said earlier. We're not at that point yet, 
but inevitably we will be.
    Dr. Miller. I'll just add very briefly that as we think 
about non-state actors, we want to differentiate between two 
broad groups. One is a set of criminal activists and so on, 
that we would expect that would be subject to cost-benefit 
calculations, and if we have credible threats, to impose costs 
on them, that we can be successful with a deterrence strategy. 
It doesn't mean stopping all criminal hacking and so forth, but 
being able to impose costs, and that should be a fundamental 
part of the strategy.
    As we think about terrorists groups, any groups that are 
willing to not just cause the loss of life but have its members 
lose their lives, whether through suicide bombings and so on, 
we really do need to focus on deterrence by denial and a 
defensive posture. As we think about that defensive posture, 
it's not just rope-a-dope. It's also the ability to preempt, as 
we do for other terrorist threats.
    Senator Wicker. Deterrence by denial.
    Dr. Miller. By denial it means that we're looking to reduce 
any benefits that they would gain, and in the case of 
terrorists in particular, to prevent them from the ability to 
conduct an attack, deny them either the ability to conduct the 
attack through preemption or prevention, and then reduce the 
benefits, in a sense, and the reduction of benefits from their 
perspective comes by hardening our infrastructure.
    Senator Wicker. Yes, sir, General Alexander.
    General Alexander. Senator, you bring out a good point that 
binds together what Senator King and the Chairman brought up, 
which is non-nation-state actors, we should be elevating the 
defense so they can't get in and cause it, cause a problem for 
us, and we can do that and should be building that.
    On nation-state, just as the Chairman said, we go back to 
them and say if you do A, we're going to do B, and let them 
know it, and then do that. I think that's how we get through 
the next few years while we continue to evolve our defense. But 
there is a way to do this, and I think we can do both.
    Senator Wicker. We haven't really sent very good signals 
the last few years about consequences and crossing lines.
    Thank you, Mr. Chairman.
    Chairman McCain. Senator Warren?
    Senator Warren. Thank you, Mr. Chairman.
    Thank you all for being here today.
    I want to follow up on this question about the distinction 
between cyber defense, stopping a hacker before they can do 
damage, and cyber deterrence, as Chairman McCain was talking 
about, preventing a hacker from ever making the calculation 
that it's worthwhile to try to attack the system in the first 
place.
    I go back to what Chairman McCain and Senator Shaheen were 
talking about, the information gathered by CIA [Central 
Intelligence Agency], the FBI, NSA. The Director of National 
Intelligence recently assessed with high confidence that the 
Russian government conducted an influence campaign aimed at the 
U.S. presidential election which included both propaganda and 
covert cyber activity, and I think most senators would agree 
that is completely unacceptable in the United States.
    So for 70 years the U.S. has had a policy of nuclear 
deterrence that has been a bedrock of our security. Given what 
happened last year, it seems clear that we need cyber 
deterrence, not just defense but deterrence as well. I know 
that, Dr. Miller and Dr. Fields, you've issued a report on 
this. We want to talk about the organization of how that would 
work, but I want to ask a different question, and that is 
substantively, what should the United States do to deter these 
types of attacks in the future? At least describe somewhat the 
range of options that are available to us for deterrence, not 
defense but deterrence.
    Dr. Miller?
    Dr. Miller. Thank you, Senator. I'll defer coverage of some 
of the key elements. I'll just emphasize three of them in 
particular.
    First, in order to avoid being reactive, you've got to do 
prior strategy and planning, and that includes communication to 
our potential adversaries that there will be a response to any 
cyber attack, or what we call costly cyber intrusions, 
supporting information operations and so on. That planning 
process needs to be in a campaign construct so it's not just 
one-off and so on, and it means that that plan is being 
executed every day. You're looking to influence the perception 
of the leadership of these countries about the viability of any 
such actions.
    To reiterate earlier points, as we think about Russia we 
need to think not only about the 2018 elections here but about 
our allies' elections that are coming up in Europe in the 
coming year.
    So first is a campaign planning construct.
    Senator Warren. Okay. So I'm hearing you say be sure that 
they know what we're going to do. I'm not sure I'm hearing what 
the range of options are for us to do.
    Dr. Miller. So then the range of options. For years we've 
said that we will not limit ourselves to cyber responses, to 
cyber reactions, and that's fine. Fundamentally, our 
recommendation for declaratory policy and for real action is 
that the United States Government, the President can say if we 
are attacked with cyber, we will respond.
    So what is the range? The response is going to depend both 
on who is attacking and what is their purpose. One thing you 
want to do is deny their benefits. In the case of Russian 
hacking of various accounts to try to influence our election 
and to try to denigrate our model of governance, prevention, 
including in my view getting that information out earlier, 
would have been very helpful.
    Then the specific responses would be looking at what 
imposes costs on President Vladimir Putin and his inner circle 
that would cause them to not just pause and reconsider but to 
not conduct this type of activity in the future. It will not 
have zero escalation risk, as Dr. Fields talked about before. 
So it includes offensive cyber, it includes more significant 
diplomatic and economic steps.
    Senator Warren. Dr. Fields, do you want to add something 
here?
    Dr. Fields. I do, two things. Number one, we're not quite 
answering your question----
    Senator Warren. Yes, that's right.
    Dr. Fields.--because we'd like to do so in closed session.
    Senator Warren. All right. Fair enough.
    Dr. Fields. We can in closed session.
    Number two is in terms of this defense/deterrence issue, 
which I consider we need both, the fact is that today, 2017, 
the techniques that the best cyber offense people can use trump 
the techniques that the best cyber defense people can use. That 
may not be true five years from now because the defense 
capabilities are improving, but so are offense capabilities.
    Senator Warren. But doesn't that argue, then, even more 
strongly for a deterrence strategy?
    Dr. Fields. Absolutely.
    Senator Warren. Rather than relying exclusively on a 
defense strategy, and not confusing a defense strategy with a 
deterrent strategy, as I heard it discussed earlier?
    Dr. Fields. That's why we did our study, and you'll notice 
that the study actually included some defense elements as well, 
but those would be for certain cases, for certain actors, and 
really at a lower level. The top level should be deterrence.
    Senator Warren. I appreciate that, and I recognize I'm over 
my time. It sounds like Mr. Waxman would like to add, but 
that's up to the Chairman.
    Mr. Waxman. Thank you, Mr. Chairman, because this actually 
goes back to your question before about Russia. I was cautious 
in how I would classify the Russian action as a matter of 
international law because political interference is not an 
uncommon thing in international affairs.
    However, the fact that I'm cautious in how I'd classify it 
does not mean we need to sit back and take it. There are a menu 
of options that ought to be part of our policy in deterring 
these kinds of actions, including sanctions, including engaging 
in our own cyber operations, diplomatic steps, intelligence 
operations, law enforcement operations in certain 
circumstances, and even taking some military steps to apply 
pressure, such as moving forces, conducting exercises, 
providing more military assistance to our allies.
    Senator Warren. All right. That's very helpful.
    I just want to say on this, nuclear deterrence works in 
part because we all knew it was out there. When we can't 
describe even in the most general terms what will happen if you 
engage in a cyber attack against us, and indeed it's clear that 
we have been the victims of a cyber attack by the Russians, and 
we can't describe any kind of response to that, it seems to me 
that deterrence at that moment melts away to nothing. So I'm 
glad to take this into another setting to hear more about it, 
but there has to be some kind of response that is publicly 
known.
    Thank you, Mr. Chairman.
    Senator Peters. Thank you, Mr. Chairman.
    Thank you to our panelists for a fascinating hearing here.
    In 2016 the NDAA, specifically section 1647, Congress 
provided funding enabling the DOD to accelerate cyber mission 
assurance efforts relating to major weapons systems and 
platforms. These cyber assessments, of course, are critical to 
ensuring that key DOD systems are free of adversary threats and 
resilient to cyber attack, particularly in contested 
environments. But in parallel, I do have a concern, and 
actually echoing the concern that Senator Rounds mentioned in 
his questions.
    We have a limited understanding of supply chain risk in the 
defense industrial base. As all of you know, these risks could 
include counterfeit components that end up in war-fighting 
platforms; or worse, undetectable hardware or software 
modifications that are perpetrated by a very sophisticated 
adversary.
    I know, Dr. Fields, you began to answer the question and 
didn't have sufficient time. I'd like to give you some time now 
to tell us exactly what we should be doing.
    Dr. Fields. As I said, there's a pretty long list of things 
to do, and I'll give you some examples, concrete examples 
without naming names.
    If you find something that's wrong with one of your 
systems, you should have a database of knowing where all of the 
other systems are so that you can actually stop using them and 
repair them. You should know where that component is in other 
systems. You should check in advance the supplier that's 
providing it to see what else they have provided. Everything 
I'm saying and would say if we had much more time, that's just 
common sense. It takes a lot of work to do it, and we're 
starting to do it. It would be wrong to say DOD is not starting 
to do it, but there's also a long way to go.
    Senator Peters. Sometimes you don't find out something is 
wrong with a system until it's too late.
    Dr. Fields. That's also the case.
    Senator Peters. So how do we deal with that?
    Dr. Fields. There are going to be such cases. In fact, we 
can build systems, although we don't always do so, that are 
more fault tolerant, because many of the things that are put 
into microelectronics are very similar to what happens when a 
mistake is just an accidental mistake, and we do work hard to 
design systems that compensate for accidental mistakes.
    So again, we can do better. I know I'm not giving you a 
very complete answer because it would take another hour. But 
there is actually a whole action list of things to do that the 
Department has started to do.
    Senator Peters. I'd like to spend more time with you. So 
maybe offline we'll be able to spend that hour talking more in-
depth about this, because I think it's a significant issue that 
was brought to my attention by some other suppliers that have 
issues, or concerns I should say, related to that.
    Being proactive--this is a question really for General 
Alexander--do you believe that the Department's cyber 
protection teams have the background information necessary to 
assess which systems, components, software, and organizational 
processes may have exploitable supply chain vulnerabilities?
    General Alexander. I think that's going to be a continuous 
work in progress, Senator. I think getting the information, 
because these systems are changing every couple of years, the 
technology that's going in, especially in the IT area, that's 
something that they have to be on top of. You bring out a good 
point. The cyber protection teams have to work with the 
customers they're supporting, and if we look at where we put 
them, that may include industry as well, and parts of critical 
infrastructure.
    That's a big set of technology area that these teams have 
to be up on, and so constant training. Are they there today? I 
doubt it. I think they're working towards that.
    Senator Peters. All right. Thank you.
    The next question relates to the U.S. semiconductor 
industry which, as all of you know, is facing some major 
challenges here. In addition to confronting the fundamental 
technological changes that are moving the industry, there's 
also been a very concerted push by the Chinese to reshape that 
market in their favor using industrial policies that are backed 
by hundreds of billions of directed government funds. With 
semiconductor technology critical to defense systems and 
overall military strength, China's industrial policies I think 
pose some real threats for semiconductor innovation in the U.S. 
national security interest.
    I know that we have a range of tools to deal with this, 
including the CFIUS [Committee on Foreign Investment in the 
U.S.] committee, but while the overall number of CFIUS reviews 
has risen steadily since 2008, the increase, as you know, is 
disproportionately small when compared to the ratio of 
completed transactions.
    So, to the panel, if CFIUS is unable to slow China's 
advance, what are the implications for United States 
technological superiority, in your mind?
    Dr. Fields. My colleagues turned to me. We've done several 
studies on this over the years, we being the Defense Science 
Board, and I'm sorry to say that we've come up with no solution 
that I'll call a good solution. We have solutions for some 
things; not for this. In some areas we can continue to stay 
ahead. I'll call those areas software and some aspects of 
manufacturing. But this has proven to be a tough nut to crack. 
So I can offer you nothing that I have confidence in.
    Senator Peters. A tough nut to crack, but one that we have 
to crack.
    Dr. Fields. Yes.
    Senator Peters. Thank you very much, appreciate it.
    Chairman McCain. Mr. Waxman, during the debate on how we 
would combat terrorist attacks in the United States, we got 
heavily into this issue as to when government should intervene, 
and yet we should also respect the fundamental right of 
Americans to privacy. Do you see that issue looming here as we 
try to counteract or improve our ability to address the issue 
of cyber?
    Mr. Waxman. Yes, Senator, I absolutely do. I think where 
I've seen it certainly very present is in legislative 
discussions about improving information sharing between the 
private sector and the government. I think pretty much 
everybody agrees that that's critical to improving our cyber 
defenses, but I think the public and certainly segments of the 
public are very wary of sharing information with the 
government. Companies in some cases are leery of giving 
information to the government because they fear criticism on 
the civil liberties front.
    Chairman McCain. So we're really going to have to wrestle 
with that issue when we heed the recommendation of this 
committee of a much closer relationship between industry and 
government.
    Mr. Waxman. Yes, Senator.
    Chairman McCain. It's not easy.
    Mr. Waxman. No, Senator.
    Chairman McCain. But given the fact that you're a great 
lawyer, you're going to give us the answer. Is that right?
    Mr. Waxman. I hope so, Senator. I also think this is one 
reason why issues of cyber security, surveillance, other 
intelligence activities are interconnected. Certainly a big 
issue here is improving trust that the public has in 
intelligence agencies, and anything that we can do to build and 
improve that trust will pay dividends when trying to come up 
with solutions on cyber security.
    Chairman McCain. Well, General Alexander, on your watch, 
you gave us a lot of confidence, and we are very glad that you 
are back here before the committee, and we will continue to 
call on you for your unique experience and knowledge.
    I want to thank you, Dr. Fields and Dr. Miller. It's great 
to see you again.
    This is going to be not the beginning but sort of the 
beginning of a series of hearings that this committee has to 
have. We understand a lot of the conventional weapons and 
strategic weapons. I don't think amongst this committee or 
amongst the American people the dimensions of this challenge 
are fully understood. Until we fully understand the dimensions 
of the challenge, then I'm not sure we're able to address it 
adequately from a legislative standpoint. I think we would all 
agree that first we have to have a policy, and then we have to 
have a strategy, and unfortunately we have not achieved that 
first wicket in this process that we're going through.
    I'm especially grateful that you're here today because 
right now, besides funding, this is the highest priority that 
this committee should have, and I think if you're looking at 
vulnerabilities that this nation has, that that's an 
appropriate priority.
    Senator Reed?
    Senator Reed. Mr. Chairman, I concur entirely. I thank you 
again for hosting this hearing. I think it's our mutual desire 
and wish that these hearings lead to prompt remedial action, 
and I know with the Chairman's leadership that will happen. 
Thank you.
    Chairman McCain. I thank the witnesses.
    General, I promise we won't make you come here very often.
    Thanks again.
    [Whereupon, at 12:03 p.m., the committee was adjourned.]



                CYBER POLICY, STRATEGY, AND ORGANIZATION

                              ----------                              


                         THURSDAY, MAY 11, 2017

                                       U.S. Senate,
                               Committee on Armed Services,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 9:30 a.m. in Room 
SD-G50, Dirksen Senate Office Building, Senator John McCain 
(chairman of the committee) presiding.
    Committee members present: Senators McCain, Wicker, 
Fischer, Cotton, Rounds, Ernst, Tillis, Perdue, Sasse, Reed, 
Nelson, Shaheen, Gillibrand, Blumenthal, Donnelly, Hirono, 
King, Warren, and Peters.

       OPENING STATEMENT OF SENATOR JOHN McCAIN, CHAIRMAN

    Chairman McCain. Well, good morning. The committee meets 
today to receive testimony on cyber policy, strategy, and 
organization, of which there is very little.
    We are fortunate to be joined this morning by an expert 
panel of witnesses: General Jim Clapper, who enjoys nothing 
more than testifying before Congress and is making his second 
appearance on the Hill this week. I hope you are scheduled for 
a couple more next week. Anyway, General Clapper, there is a 
reason why you are in demand and that is because of the 
incredible esteem in which you are held by Members of Congress. 
I know that this is not your favorite activity, but I would 
argue that this issue deserves your input and your knowledge 
and background.
    Jim Stavridis, who is the Dean of the Fletcher School of 
Law and Diplomacy at Tufts University and former Commander of 
U.S. European Command, in which he did an outstanding job. It 
is not his first appearance before this committee.
    Michael Hayden, Principal at The Chertoff Group and former 
Director of the Central Intelligence Agency and the National 
Security Agency. Again, a man of great credentials.
    As Admiral Rogers told this committee earlier this week--
and I quote--we face a growing variety of advanced threats in 
cyberspace from actors who are operating with evermore 
sophistication, speed, and precision. Those are the words of 
Admiral Rogers.
    As with every cyber hearing this committee has held in 
recent years, we heard how the lack of a strategy and policy 
continues to undermine the development of a meaningful 
deterrence in cyberspace. The threat is growing. Yet, we remain 
stuck in a defensive crouch, forced to handle every event on a 
case-by-case basis and woefully unprepared to address these 
threats.
    Our hearing today brings together some of our Nation's most 
experienced and thoughtful national security leaders to help us 
better understand our cyber deficiencies but, even more 
importantly, to better understand how we can begin addressing 
these deficiencies.
    A long list of fundamental policy questions remains 
unanswered.
    What is our theory of cyber deterrence, and what is our 
strategy to implement it?
    What is an act of war in cyberspace?
    What are the rules of engagement for responding when 
attacked?
    Who is accountable for this problem, and do they have 
sufficient authorities to deliver results?
    Does over-classification undermine our ability to talk 
openly and honestly about cyber deterrence?
    How should we address issues of sovereignty that may or may 
not apply to data as it moves from country to country?
    What about cyber collateral damage?
    Organizational questions are equally unresolved.
    Should we have a cyber service?
    What is the long-term relationship between Cyber Command 
and NSA [National Security Agency]?
    How should we organize our efforts in the interagency?
    Who are our cyber first responders?
    No matter how well organized and prepared the Department of 
Defense may be, glaring gaps in our national cyber policy, 
strategy, and organization undermine our ability to defend the 
homeland and deter those seeking to undermine our national 
security in cyberspace.
    While we remain stuck, others have made considerable 
progress in policy formulation and organizational alignment. 
For example, the United Kingdom recently established its 
National Cyber Security Centre, a centralized organization that 
brings the disparate organizations across the British 
Government under one roof sitting side by side with industry. I 
look to the views of our witnesses as to whether we should 
consider a similar organization in the United States.
    Another model worth consideration is an organization akin 
to the U.S. Coast Guard with its flexible mix of law 
enforcement and military authorities.
    Today we lack true cyber first responders. Neither the 
Department of Homeland Security nor the Department of Defense 
know who should arrive first on the scene to stabilize and 
assess a major cyber attack. We should consider developing a 
Coast Guard-like hybrid organization that can defend our 
territorial cyber boundaries, be our first responders, and if 
necessary, gracefully transition and support DOD [Department of 
Defense], DHS [Department of Homeland Security], or FBI 
[Federal Bureau of Investigation], depending on the situation.
    Each of our witnesses have written or spoken extensively on 
how cyber has and will continue to shape our national security. 
We look forward to hearing more from each of you about the 
actions we can and should take to defend our Nation in 
cyberspace.
    Senator Reed?

                 STATEMENT OF SENATOR JACK REED

    Senator Reed. Thank you very much, Mr. Chairman. I want to 
join you in welcoming our distinguished witnesses and in 
holding this important hearing.
    General Clapper, General Hayden, Admiral Stavridis all have 
significant experience and expertise in cyber from their 
service in the military, the intelligence community, the 
private sector, and academia. We thank you all, gentlemen, for 
your service to the Nation.
    Russia's campaign last year to influence our election 
undermined faith in our democracy, and the objective truth of 
the news has been matched or surpassed by its years' long 
efforts to undermine democracy and the free press in Europe, 
the NATO [North Atlantic Treaty Organization] alliance, and 
European unity in general. Russia's ambitious and aggressive 
use of information as a weapon adds a whole new dimension and 
urgency to the task of confronting and deterring hostile 
actions through cyberspace.
    We heard testimony 2 days ago from Admiral Rogers that the 
Russians are still actively trying to influence our domestic 
politics and are very likely to attack our midterm 
congressional elections next year. There is not a moment to 
lose in addressing this challenge to our national security.
    However, as Admiral Rogers also acknowledged earlier this 
week, Cyber Command's Cyber Mission Forces are neither trained 
nor tasked to operate in this cognitive dimension of 
information warfare.
    By the same token, the elements within the Defense 
Department that are responsible for information operations have 
no cyberspace responsibilities or expertise.
    This disconnect is replicated across the other disciplines 
that make up the totality of information warfare and across 
multiple organizations in the Defense Department and the 
interagency process.
    Additionally, I would like our witnesses to consider the 
advice of the Defense Science Board task force on cyber 
deterrence. Prominent former officials such as former Under 
Secretary of Defense for Policy Dr. James Miller served on this 
task force and have testified to this committee twice this 
year. They advocate rapidly developing the ability to conduct 
operations through cyberspace to threaten, quote, what key 
leaders on the other side value the most, close quote, which in 
the case of Russia could include their own financial wellbeing 
and status in order to deter influence operations and cyber 
attacks against us.
    The threats that we face call for leadership and action. To 
date, however, despite the many large-scale and impactful cyber 
events of recent years, the executive branch has not acted to 
create an effective, whole-of-government capability to defend 
against and ultimately deter damaging cyber attacks. Congress, 
challenged by the overlap of committee jurisdictions and 
concerns of numerous outside stakeholders, has also been unable 
to design and impose the comprehensive solutions that this 
problem requires.
    However, it is imperative that there be a renewed effort. 
We must fashion an effective, integrated, and coordinated 
capability to detect and counter the kind of influence 
operations that Russia now routinely and continuously conducts. 
Likewise, we must act to ensure that our military and the 
government as a whole has a strategy and capability to deter 
such actions through the demonstrated ability conduct our own 
operations of this type. We must also act to bolster the 
resilience of our society in the face of attempts to manipulate 
our perceptions and our decision-making.
    I know that each of you think deeply about and have 
recommendations to address these critical issues. I look 
forward to your testimony and discussion of these urgent 
matters.
    Thank you very much.
    Chairman McCain. General Clapper?

STATEMENT OF HONORABLE JAMES R. CLAPPER, JR., SENIOR FELLOW AT 
  THE BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS AND 
            FORMER DIRECTOR OF NATIONAL INTELLIGENCE

    Mr. Clapper. Chairman McCain and Ranking Member Reed and 
members of the committee, first I think I want to commend you 
for your sustained interest in this subject of cyber and 
cybersecurity and what we as a Nation should be doing about it.
    It is certainly an honor to be on the same panel with the 
likes of Jim Stavridis and Mike Hayden, both old colleagues and 
friends.
    I had some introductory comments about the threat, but I do 
not think I will dwell on that in the interest of time.
    Chairman McCain. Before you leave the threat, though, 
General, would you say the threat is worsening, the same----
    Mr. Clapper. I do. Since you have asked me, one of the 
themes that I have talked about in my former capacity at 
worldwide threat hearings, to include the last one we had here, 
was the fact that we in the past have taken some comfort in the 
fact that the entities which can do us the most harm, meaning 
Russia and China, probably have perhaps lesser intent, and then 
the entities which have more nefarious intent, meaning 
terrorists, criminals, et cetera, have lesser capability. The 
problem is that gap between the two is closing. The terrorists, 
criminals, et cetera, hacktivists are going to exploit the 
technology. That comfort that we may have taken in the past I 
do not think is something we should count on. So that is an 
overall comment about the threat. So the short answer to your 
question is yes.
    The other comment I would make is I think what to do about 
all this transcends the Department of Defense and the 
intelligence community. We have a huge education challenge 
getting both institutions and individuals to practice common 
sense cybersecurity, sort of like the same way that we 
habitually lock our doors and windows, brush our teeth, or 
hopefully wear seat belts. There is not that mindset certainly 
at the individual level or the institutional level.
    In response to your request for thoughts on policy, 
strategy, and organization, I want to offer one overarching 
thought. To me, the first order of business is defense and 
resilience. We got to focus on this because without it, we will 
never be in a position to launch a counter-attack even if we 
can quickly and accurately attribute who attacked us which, by 
the way, is not in itself a trivial task. We are always going 
to doubt our ability to withstand a counter-retaliation. I saw 
examples of this during my time as DNI [Director of National 
Intelligence].
    One case in point. When the Iranians launched a series of 
denial of service attacks against our financial sector--I think 
it was in 2013 or so--the initial interagency impulse was to 
counter-attack but in a measured, precise way. What restrained 
us was lack of confidence in our ability to absorb a counter-
retaliation. We could not be sure it would be similarly 
measured and proportional and legalistic, which is the way we 
do it, or what the second order or third order or unintended 
effects might be.
    So we have to recognize and accept that it is inevitable 
that we are going to be attacked, and the real issue is how 
resilient can we be to recover. In the absence of that 
resilience and the confidence it gives us, it will continue to 
inhibit our responses.
    This imperative on defense and resilience applies not just 
to the Federal Government at large and to DOD and the 
intelligence community but applies equally to people sitting in 
the White House situation room or board rooms. So defense and 
resilience must, in my view, be the pillars of whatever 
policies and strategy that we adapt. That to me is the very 
foundation for deterrence.
    A related point--and I have said this before--is I think 
accordingly we should use all the tools potentially available 
to us, diplomacy, economic sanctions, and other forms of 
military power, when we consider responses to cyber threats. 
Just because someone attacks us using cyber should not 
automatically mean that we should respond the same way. In 
fact, if the adversary chose cyber because it asymmetrically 
favored them, responding in kind means we are sort of letting 
them define the terms of the engagement and fighting on their 
terms. Of course, intelligence, by the way--I would mention 
this--has a crucial role to play in identifying ways to 
leverage a cyber adversary.
    With respect to the current posture of the U.S. Government, 
I would say--my mild understatement--it is not very good. 
Still, many organizations across the government have old, hard 
to defend IT [Information Technology] architectures, and 
certainly the OPM [Office of Personnel Management] breach got 
everybody's attention but it is probably the tip of the 
iceberg.
    One trade publication recently reported that 34 percent of 
U.S. Government agencies surveyed experienced data breaches in 
the past year, and 65 percent reported experiencing a data 
breach at some time in their history. These agencies cited old 
systems, lack of funding, and staffing shortages as the cause.
    The Trump administration, I understand, is preparing a new 
executive order on strengthening the cybersecurity of federal 
networks and critical infrastructure. It emphasizes 
accountability, managing the government IT architecture as a 
federated enterprise, and all that. What I expect is, though, 
that the accompanying authorities and resources will not match 
these bold goals.
    This leads me to another crucial point. Even if the 
agencies in the government complied with this forthcoming 
executive order, both the spirit and substantively, we will 
still have no recognized standardized way to measure whether we 
are more secure or not. To me, this is a major deficiency that 
must be addressed. The term ``cyber metrics'' applies to at 
least six different dimensions of cyber. Do we measure 
compliance with standards or how much we are spending or what 
functions we are performing or how we gauge the threat or 
calculate risk or measure return on investment? There is no 
consensus on any of these six ways or some combination thereof 
to measure whether we are actually improving cybersecurity.
    On organizational things, you asked about the suitability 
of the Federal Government's organizational structure. Here I 
will probably, I am sure, present a contrarian view to my 
colleagues.
    As a general comment, the older I have gotten, the less 
appealing reorganizations are to me. I say this both as a 
victim and an instigator of reorganizations. Big ones are 
hugely disruptive and distracting and take years to gel. The 
way the government is organized now can work provided that each 
component has the authorities clearly defined and the resources 
to perform its mission. So I do not have any big, lofty ideas 
on reorganizing the government's approach to cyber.
    I do, however, have two related organizational comments 
that are maybe less lofty but to me important.
    First, I feel compelled to repeat something I said last 
January when I appeared here on the 5th of January, and that is 
my strong conviction about separating Cyber Command and NSA. If 
you invite me here to speak about cyber, I am always going to 
bring that up. NSA is a crucial component of the intelligence 
community, and I do not believe it is healthy for it to be 
essentially subordinated to a sub-unified command of DOD.
    I was the Under Secretary of Defense for Intelligence when 
we came up with this arrangement and had a lot to do with it. I 
believed in it at the time. But it was never intended to be 
permanent. This was 7 or 8 years ago.
    So I would urge the establishment of a date certain to 
separate and then work to make it happen. NSA will always have 
to provide support to the Command, but I believe an 
intelligence agency director should be focused full-time on the 
mission of their agencies. Again, I repeat NSA is a crucial 
part of the intelligence community.
    The Commander of CYBERCOM [Cyber Command] and Director of 
NSA are each a full-time job. If CYBERCOM is elevated to 
unified command status, which I believe it should be, then 
separation is even more urgent. As the late Johnnie Cochran 
might say, if you elevate, you must separate.
    Second, I do not support establishing a separate cyber 
service in the military, just as I am not a fan of having a 
separate space service. I think such proposals, if implemented, 
would create even more stovepipes, complicate personnel 
management, and I think make career progression for the people 
in it harder.
    Finally, I have three brief comments on cyber issues in the 
intelligence community which maybe are a self-criticism.
    First, the intelligence community needs to strengthen how 
it reports cyber intelligence to users with differing 
perspectives and needs. This means providing reporting to 
policymakers that is timely and relevant but not head-hurting 
technical and importantly identifies the so-what implications 
for action. Intelligence needs to move from reporting cyber 
anecdotes to a systematic framework that focuses on trends and 
the big picture.
    Secondly, the IC needs to improve its support to state, 
local, tribal and private sector entities. This requires a 
better understanding of them and what their needs are. There 
are probably three kinds of customers for cyber intelligence, 
policymakers, line or core business people, and IT staffs, 
which are kind of like the military categories of strategic, 
operational, and tactical. I think it would be useful if the IC 
kind of thought about how they relate to the various customer 
sets using that analogy.
    Third, an always hardy perennial recommendation for the 
intelligence community is to enhance information sharing. This 
gets to your point about classification. Yes, we over-classify. 
No question about it. All I ask, though, is that when we look 
into this, we do consider the equities from the standpoint of 
the intelligence community. If we are going to declassify, 
transparency is always a double-edged sword. It is good but 
adversaries go to school on that transparency.
    The other point I would make here is that information 
sharing has got to be a two-way street. The private sector is 
often the first to know of a cyber attack, and so rapid sharing 
must work both ways. Companies cannot depend on the government 
to provide just-in-time warning that its intellectual property 
clock is about to be cleaned. There are some understandable 
inhibitions on both sides that prevent this, but we must do 
better.
    So with that, I will turn to, I guess, Admiral Stavridis. 
Thank you.

STATEMENT OF ADMIRAL JAMES G. STAVRIDIS, USN, RETIRED, DEAN OF 
                 THE FLETCHER SCHOOL OF LAW AND
  DIPLOMACY AT TUFTS UNIVERSITY AND FORMER COMMANDER, UNITED 
                    STATES EUROPEAN COMMAND

    Mr. Stavridis. Good morning. Chairman McCain, Ranking 
Member Reed, members of the committee, again thank you for 
asking me to come down and speak.
    I think we are facing potentially the most disruptive force 
in this cyber world, and we have a gaping vulnerability in my 
view.
    I do want to mention that in the course of the panel, I 
think we are probably not going to agree on everything, but you 
will be pleased to know we coordinated our hairlines for 
disagreeing.
    [Laughter.]
    Chairman McCain. I know how you feel.
    [Laughter.]
    Mr. Stavridis. You look like a potential donor to me, 
Senator.
    [Laughter.]
    Mr. Clapper. Grass does not grow on a busy street. Or as my 
wife is quick to remind, nor out of a concrete block either.
    [Laughter.]
    Mr. Stavridis. So I will talk very briefly about kind of 
three threat vectors. One is pretty obvious. It is national 
security. This is what General Clapper has outlined for us. I 
think the commercial sector is second, and then thirdly we 
should recall there is a very personal vector to cybersecurity 
that potentially influences each of us as you think about what 
that super computer you are carrying around in your pocketbook 
or purse say about you. So those three vectors I think are 
merging in a dangerous way today.
    There are 7 billion people on the planet, probably 20 
billion devices connected to the Internet of Things. Fairly 
recently we just saw an attack that turned the Internet of 
Things into an Internet of Botnets, creating real havoc in a 
variety of crucial commercial sites. We have seen hundreds of 
millions of accounts hacked, most recently Yahoo. We have seen 
multiple actual thefts occur, $87 million from the Federal 
Reserve Bank trying to get money from Bangladesh to the 
Philippine Islands.
    On the national security perspective, we see attacks, I 
would argue, from North Korea, Russia, certainly brushing up 
against attacks from China. Iran I would categorize an attack. 
These vulnerabilities come together in two fundamental points. 
We are deeply challenged. As both the chairman and the ranking 
member have said, and as General Clapper has said, we are not 
particularly well organized. Yet, we as the United States have 
the largest threat surface of any nation in the world.
    So what do we do about it? I will launch a few ideas. All 
of these ought to be considered as modest proposals at this 
time. These are things we should think about doing and have 
more conversation about.
    One I would say I am firmly in favor of--and I am going to 
agree with General Clapper on this one--I do believe that the 
NSA and Cyber Command should be separated. I have been speaking 
and writing about this for several years. To me, the jobs are 
too big. The missions are different. The span of control is a 
deep concern and rising. I think Cyber Command should be 
elevated to being a full combatant command and, as the General 
says, separated, and I think probably two fundamentally 
different leaders are needed at those two commands.
    Secondly, the idea of a cyber force. Here I am going to 
disagree with General Clapper. I think we should take a serious 
look at it. What I try and do at times is reach back into 
history, and I am mindful that I am flanked by two Air Force 
generals. If we were having this hearing about 100 years ago, 
the Army and the Navy would be adamantly saying, hey, we do not 
need an Air Force. Why do we want that? We can handle that. 
Yet, today I do not think we could imagine our military 
functioning without all that the Air Force brings to the table. 
I think cyber is kind of like that, and I think in 100 years we 
will look back and say, boy, were we really having a debate 
about whether or not to have some kind of cyber force?
    So I would say let us take a serious look at this, whether 
it is a separate force in the same model as the Army, the Navy, 
the Air Force, the Marine Corps, perhaps not. A Coast Guard 
model I think is a very intriguing way to think about this. But 
I think at a minimum this would be something the Congress would 
be interested in hearing more views about and recognize, again, 
looking to the history of the creation of the U.S. Air Force, 
you are going to get enormous pushback from the Department, 
from the individual services. I know Admiral Mike Rogers was 
just up testifying, disagreeing with the idea as well. Fair 
enough. Let us bring that debate on.
    A second idea I think that is worth thinking about at least 
is being more demonstrative of our offensive cyber 
capabilities. I think that would help create more deterrence if 
we did so.
    I agree with General Clapper. We do not need to reach into 
the cyber toolkit every time we are cyber attacked. But I think 
in our zeal, appropriate enough, to try and protect the nature 
of our cyber tools and our sources and our capability, we can 
lead some to underestimate our ability to retaliate. Eventually 
we are going to have to build a deterrent regime of some kind. 
We ought to be having a coherent conversation about levels of 
classification and how we would want to do demonstrations.
    Fourth I would say doctrine. This is always kind of the 
military bugbear in me. But what is the definition of a cyber 
attack? I think it is time we really grappled with that, and on 
a spectrum that runs from nuisance defacing of websites to 
kinetic demonstrations that actually kill people and destroy 
massive amounts of material and equipment, somewhere on that 
spectrum lies what we ought to think about as a cyber attack. I 
would argue what North Korea did to Sony Pictures, an American 
corporation, which included kinetic damage and a high degree of 
business and economic damage does, in fact, verge into an 
attack, not as was categorized at the time as cyber vandalism.
    Sixth--and then I will kind of stop there because you asked 
specifically about this--organizing the government. Taking 
Director Clapper's views about skepticism of both 
reorganizations and creation of new bureaucracies, I will put 
it this way. I think there needs to be a voice in the cabinet 
that focuses on cyber. Now, you could take the Director of 
National Intelligence and make that the Director of National 
Intelligence and Cybersecurity, for example. You could have a 
new department. We have a Department of Agriculture, a 
Department of the Interior. These are important organizations, 
but they reflect where we were as a Nation 150 years ago. The 
idea of having a dedicated voice in the cabinet talking about 
cyber has appeal to me.
    I will conclude by saying I had a wonderful career in the 
military. Now I am an educator. I am the Dean of the Fletcher 
School of Law and Diplomacy at Tufts University. I have come to 
value education even more.
    I will close with something the Director said at the 
beginning. 65-70 percent of the cyber intrusions and attacks 
occur because of bad cyber hygiene, which is bad cyber 
education. The more we emphasize science, technology, 
engineering, math, computer science, coding, the more we have 
an informed population, the better protected we will be. That 
may be the most important thing we can do of all.
    Thank you for listening to a few ideas. I will close by 
saying, because I have two Air Force generals with me, in the 
world of cyber, we are kind of on the beach at Kitty Hawk. We 
have got some work to do ahead of us. Thank you very much.
    [The prepared statement of Mr. Stavridis follows:]

             Prepared Statement by Admiral James Stavridis
    Thank you for the invitation to appear before you today to discuss 
the most disruptive force facing America's military and society today: 
the rapid emergence of cyberspace as an operational domain for armed 
conflict, as well as a gaping vulnerability in our commercial, 
financial, and infrastructure systems. I commend the members of this 
Committee for their continued commitment to advancing America's defense 
interests in cyberspace, and I ask that my remarks, which were provided 
to the committee previously, be entered into the record.
    I am honored to appear with two Air Force Generals whom I have 
known and deeply admired for decades. You may also note this is a panel 
that may not always agree on our views and but we have managed to 
coordinate our hairlines.
    Cyberspace is indeed a new domain of warfare but it is one unlike 
sea, air, and land in that it is not physically traversable by our 
sailors, airmen, and soldiers. The digital battle space of the twenty-
first century is not marked by geographic landmarks or public 
infrastructure, but rather operating systems, routers, switches, and 
servers--most of which are designed, manufactured, owned and operated 
by both American and international companies and citizens, i.e. the 
private sector. As a nation we are under-educated in these systems, and 
few could actually explain how an email gets from their iPhone 7 to 
their grandmother's iPad. Yet these systems are highly at risk at every 
level, from our national security--proven by well-documented attacks 
from Iran, North Korea, China, and Russia; in our commercial sector, 
with cyber crime rising rapidly and approaching perhaps hundreds of 
billions of dollars globally on an annual basis; and indeed in the most 
intimate details of our personal lives, which are far-too-often carried 
unprotected in the super computers we casually carry in our pockets and 
purses. Of all the threats our nation faces, only cyber cuts across so 
many dimensions.
    There are 7 billion people on the planet, but perhaps 20 billion 
(or more) devices connected to the Internet. As we saw during the 
recent attack on Dyn, the internet of things became a ``botnet of 
things'' creating significant commercial havoc and threatening consumer 
confidence in the security and reliability of commoditized online 
services. There are 23 victims of malicious cyber activity per second 
according to a 2016 report from Norton, and many studies suggest that 
damage to our national economy approaches $200 billion per year. We 
have seen North Korea, China, Iran, and Russia--among other nations--
attempt to penetrate of cyber defenses and conduct a wide variety of 
espionage, commercial damage, data manipulation, and kinetic 
destruction to infrastructure. The Department of Justice has brought 
indictments against agents from all of those nations
    Because we are under-educated and lightly protected, offensive 
cyber actors, comparatively large in numbers and concealed by the 
identity-obfuscating properties of cyberspace, enjoy a significant 
advantage over the defense, which, in the United States, is necessarily 
constrained in its maneuverability to protect our citizens' privacy and 
civil liberties.
    Today, therefore, I would like to preface my opening comments by 
declaring two seemingly obvious but fundamental truisms that I would 
suggest inform the Department of Defense's and the Nation's cyber 
policies and strategies in this decade and beyond.
    First, the United States military is today deeply challenged in 
preventing destructive cyber attacks against the nation from capable 
adversaries, to include state and non-state actors. While we have made 
progress, we have not trained, equipped, and organized ourselves to be 
safe in cyber space.
    Second, and closely related, the United States is undoubtedly most 
visible, exposed and lucrative target Nation in this new military 
domain and therefore subject to disruptive and destructive attacks from 
not just well resourced nation-states and sophisticated criminals, but 
also jihadist and other terrorist organizations.
    Given these basic facts, the Department's cyber posture must shift 
from one that is primarily focused on mitigating and defending from 
malicious cyber activity to one that also aims to deter state and non-
state adversaries and belligerents in cyberspace while reducing the 
threat from lower level actors. Raising the barriers to entry for bad 
actors will require a stronger and more robust military capability; 
better organization within the US government at the cabinet and agency 
level; higher levels of societal education about the risks and concerns 
we face; better technology and equipment; and a vastly improved level 
of private-pubic cooperation. Overall, we must make it harder, 
costlier, and more time intensive for our adversaries to effectively 
operate in cyberspace.
    Creating real deterrence in cyberspace against opposing national 
actors will be challenging. If we can agree that deterrence is the 
combination of both capability and credibility, it is clear that we 
have work to do on both fronts.
    In terms of capability, we have extraordinary offensive and 
defensive cyber tools, but we must continue to improve as our opponents 
are doing so rapidly. I would argue that it is also time to strongly 
consider whether or not we want to create a dedicated cyber force.
    While the individual services today--Army, Navy, Marine Corps, Air 
Force and Coast Guard--are working hard, they are like five horses who 
can often pull in slightly different directions. Unfortunately the 
current distributed force structure across each of the services not 
only breeds redundancies, threatens unity of command, and fosters 
unproductive competition within the Department, but it also dilutes the 
increasingly rare and therefore precious core competencies of our cyber 
planners, operators, trainers, and commanders.
    United States Cyber Command declared Full Operational Capability 
(FOC) in 2010 and seven years later, despite the valiant and well-
intentioned efforts of Admiral Mike Rogers and his predecessor, General 
Keith Alexander, the Cyber Mission Force has demonstrated to be a less 
than formidable and sustainable model. Most recently, of the 126 airmen 
who completed their first tour with the Cyber Mission Force, zero were 
retained for a second tour. In other words, all 126 airmen were 
assigned to other Air Force missions with no cyber nexus whatsoever. In 
this regard, establishing an independent cyber force would constitute a 
show of force--sending a message to our allies and adversaries alike 
that the United States is committed to recruiting, retaining, and 
training cyber warriors not just for a single tour but for a career--
one that is in some ways traditional to military life and in other ways 
wildly different and perhaps more representative of life at a Silicon 
Valley start-up.
    From an historical perspective, we have stood at this moment 
before, roughly a hundred years ago, as we contemplated another new 
medium in which combat would occur: the air. The Navy and Army fought 
the idea of an Air Force for decades until forced to concede after 
Congressional action. Today, and I think my esteemed panelists would 
agree, we cannot imagine our joint warfighting capability without a US 
Air Force. It is time we at least began a conversation about a US Cyber 
Force. The idea will be vehemently opposed by the services, just as the 
Army and Navy fought the idea of an Air Force. But sooner or later, 
common sense tells us we will end up with a specialized force in this 
zone of combat.
    I will also observe that many of these same arguments would apply 
to both Space warfare specifically and Information Dominance broadly. 
It is certainly worth exploring whether a Cyber force, a Space force, 
or a broad Information Dominance force makes the most sense. Chairman 
Rogers in the House gave a powerful and sensible speech on the space 
aspects of this. Since we are looking today at Cyber, I will keep my 
arguments focused on a cyber force; but I freely admit this is a 
broader question that encompasses space and information dominance 
together.
    A good model to consider as a ``starter step'' for a cyber force 
would be to fully make Cyber Command independent and then use the 
Special Forces model--a defined budget, specialized operators form the 
services (think SEALS, Rangers, Green Berets, PJs, and Recon Marines), 
but a defined career path in Cyber much as a Navy SEAL largely has a 
defined operational career path in the Special Forces. Over time, we 
may want to shift beyond this to a full blown individual service.
    This could start relatively small, with numbers in the 5-10,000 
range, a lean administrative structure, and connectivity to the larger 
services.
    The Congress may want to task the Department of Defense with 
studying the idea and reporting on the options worth considering. The 
administrative path of Goldwater-Nichols may be instructive.
    While standing-up a U.S. Cyber Force would constitute a major step 
towards establishing a credible deterrent, it is not sufficient by 
itself. In addition to signaling our long-term commitment to defending 
our interests in cyberspace, we must also signal both the capability 
and the will to project cyber force across the globe. For this to 
happen, we must satisfy two conditions.
    First, we must somewhat lift the veil off of military cyber 
operations. I have no doubt that the United States' Armed Forces boasts 
some of the most advanced, if not the most advanced, cyber capabilities 
in the world. But if we refuse to demonstrate or even acknowledge this 
capability we are only encouraging aggression from other, less capable 
actors against our highly vulnerable infrastructure. In a world in 
which the number of networked devices exceeds the world's population by 
more than three fold, we simply cannot afford to confine cyber 
operations to the covert toolkit. To the contrary, cyber operations are 
a legitimate means of projecting national power, especially when 
proportionately supplemented by kinetic force, and we should advertise 
them accordingly.
    In addition to shedding light on our non-kinetic military 
capabilities, we must convince the world that we, despite living in a 
glass house, are not afraid to throw stones. Interestingly, the United 
States' unwillingness to operate offensively in cyberspace is driven 
less by a fear of retaliation and more by a fear of compromising our 
Intelligence Community's sensitive tradecraft. The diminished stature 
of United States Cyber Command as a Sub-Unified Combatant Command 
(COCOM) under United States Strategic Command, combined with its 
institutional, leadership, and technical ties to the National Security 
Agency (NSA), has limited our Armed Forces' cyber freedom of maneuver 
in support of military objectives.
    We should also increase our work with allies, many of whom are 
quite adept in this sphere. In addition to NATO partners like the UK, 
France, Germany, and Estonia, other nations with significant ability 
include Israel, Japan, South Korea, Singapore, Sweden, Australia, and 
others. Cyber security is a team sport not only in the interagency, but 
within our international alliances and coalitions.
    Related to this, the Department must embrace and employ an agile 
software development lifecycle and mindset that accommodates 
development sprints and high rates of failure. These methodologies, 
tested and proven in the private sector, will enable our cyber warriors 
to keep pace with what is certain to be a more fluid and dynamic 
operational tempo than ever before.
    It is also imperative that the Department establish a solid 
doctrinal foundation. The policies governing how our military operates 
in cyberspace will likely change many times over in the next decade, 
but we must quickly establish a common vernacular--not just within the 
Pentagon but across the national security apparatus and the government 
as a whole. For starters, we must not diminish the many forms of cyber 
aggression our governments, companies, and citizens are experiencing. 
Consider, for example, the Sony hack in 2014 reportedly attributed to 
North Korean and dubbed an act of ``cyber vandalism'' by former 
President Obama. ``Cyber vandalism'' is defacing a webpage over an 
ideological difference; the Sony hack could certainly be considered as 
an act of war--in addition to millions of dollars of kinetic damage to 
Sony's hardware, a high level of business value was destroyed. While no 
one died, the damage was significant. We, of all Nations, cannot afford 
to understate or diminish the significance of force projection in 
cyberspace. We need to create a ``definition of a cyber attack,'' which 
differentiates among surveillance, espionage, commercial interference, 
data modification and manipulation, data destruction, infrastructure 
attack on critical infrastructure, kinetic damage, and loss of human 
life.
    We should be thinking more holistically about how the US government 
conducts cyber security and the role of the Department of Defense in 
that mission. Today, cyber security falls under a plethora of different 
cabinet departments--DHS, DOJ (FBI), DOD (NSA), and DNI. There are six 
different cyber security centers run by the US Government. We have a 
Secretary of Agriculture and a Secretary of the Interior in the 
Cabinet, but not a single voice for Cyber. There are a number of ways 
to address this, from a Department of Cyber that fuses all of those 
functions and centers (much like the British have done with the 
creation of their National Cybersecurity Centre NCSC, embedded in GCHQ) 
to giving a unifying voice to one Cabinet Secretary (perhaps the DNI 
becomes the DNIC, Director of National Intelligence and Cyber 
Security). Many of these ideas were explored by the Commission on 
Enhancing National Cybersecurity, led by fomer National Security 
Adviser Tom Donilon--I endorse many of its findings. As a side note, I 
think it is also time to strongly consider splitting the positions of 
US Cyber Command (a military warfighting Combatant Command) and the 
Director of the National Security Agency (fundamentally an intelligence 
gathering operation, although also invested with cyber activities both 
offensive and defensive). The span of control and differing missions 
makes continuing to merge those in one person--even one as good as the 
two officers with me today or Admiral Mike Rogers--less than optimal. 
Bottom line--we are not organized to seamlessly defend or fight in 
cyberspace as a nation and have a great deal of work to do, both as a 
nation and within the Department of Defense.
    Finally, as an educator myself these days, I cannot resist making a 
comment about the role of education in increasing our national security 
and indeed our own efficiency within the Department of Defense. We have 
to improve all level of Science, Technology, Engineering, and Math in 
our educational system, of course; but there needs to be particular 
emphasis on the practical skills of cyber as well as understanding how 
to defend ourselves individual. Over 70% of all hacks, intrusions, 
cyber crimes, and so forth result from simple failures in cyber 
hygiene. This is true for society at large and the Department of 
Defense. More emphasis on this aspect is like ``soft power'' in the 
context of national strategy--it is preventative, cheap, and has 
enormous ancillary benefits. While not specifically under the purview 
of this Committee, it is something the Congress can be influential in 
pushing and would go far toward helping with the overall mission of 
cyber security.
    In so many ways, in the world of cyber security we are still ``on 
the beach'' at Kitty Hawk to use an aviation analogy. Or to shift to a 
maritime one, we are sailing in very choppy seas. The Congress can play 
an important role, as it has historically, in helping the Department of 
Defense and the rest of the Federal Government to improve all elements 
of our security.
    Again, thank you for asking me to come and testify. I am happy to 
answer any questions the Committee may have.

    Chairman McCain. General Hayden?

         STATEMENT OF GENERAL MICHAEL V. HAYDEN, USAF,
  RETIRED, PRINCIPAL, THE CHERTOFF GROUP AND FORMER DIRECTOR, 
                  CENTRAL INTELLIGENCE AGENCY

    Mr. Hayden. Thank you, Mr. Chairman, Senator Reed. Let me, 
first of all, violently agree with the diagnosis that both of 
you laid out in your opening comments. I think you have got the 
symptoms we are trying to treat here exactly right.
    I first encountered this cyber thing more than 20 years 
ago. I was pulled out of Bosnia, a war that was essentially 
medieval in its conduct and in its causes, and parachuted into 
San Antonio, Texas at the Air Intelligence Agency, which was 
actually on the cutting edge of thinking about cyber then. I 
still remember the introduction I got from my staff. They never 
quite said what I am going to tell you now, but if I boiled it 
down, it was, General, we are glad you are here. Take out a 
clean sheet of paper and a number 2 pencil and write this down. 
Land, sea, air, space, cyber. It is a domain. It is a theater. 
It is a location. It is not bandwidth. It is not a budget line 
item. It is a place where we are going to go and operate. By 
the way, I think that is exactly right and it is now American 
military doctrine.
    I think what we are debating for the next 20 years is what 
of our life experience and lessons in these domains transfer or 
do not transfer into this new cyber domain. So, Senator, you 
mentioned questions of sovereignty or what is an act of war, 
what is legitimate state espionage, what are the principles of 
deterrence. I could go on. But there is really no consensus yet 
even within the armed forces as to what experience here still 
applies up here.
    I think one of the reasons we lack consensus is as a 
Nation, not just as a military, we lack policy because we lack 
consensus. We lack consensus because we have not had that adult 
discussion that we need to have, and we have not had the adult 
discussion because frankly I do not think we have a common view 
of the reality, a common view of the battlespace. That is 
inhibited, as has already been mentioned by both of you and by 
General Clapper, by the lack of knowledge, information in this 
space, over-classification. Before I focus exclusively on the 
government, let me include industry in that as well because 
they keep the ball on their hip a lot of times too for their 
own purposes. I do think we need to have far more openness as 
to what goes on, what our capabilities are, what the threats 
are, and frankly, exactly what happened.
    General Clapper just mentioned the Iranian attacks against 
the banking system in New York, massive denial of service 
attacks, but something our government will not go out of its 
way to actually say has happened with the clarity that Jim had 
just used.
    Part of the over-classification problem--and General 
Clapper and I probably share guilt here--is that our cyber 
thinking in the armed forces and in the government is rooted in 
the American intelligence community. If this had been developed 
at another part of our structures, I think a lot less of this 
would be on the other side of the door and a lot more would be 
open. Of course, without consensus on policy and these basic 
foundational definitions, the organizational structures that 
should follow that is always in flux, always subject to debate.
    I was, to be fair, present at the creation when we decided 
to put a Title 10 warfighting function at Fort Meade. It was 
not quite Cyber Command then. It was Joint Functional Component 
Command Net Warfare, but I am the first Director of NSA who 
actually had Title 10 warfighting abilities and authorities 
under Strategic Command.
    Even when we did that--and I still recall briefing the 
Chairman of the Joint Chiefs of Staff and he turned to me--it 
was General Dick Myers, whom I had known for a long time--and 
said, Mike, is this going to solve this. My response was, oh, 
no, sir, not at all, but we will be back to you in a couple 
years messing this up at a much higher level than we are 
currently. That has been the evolution. As we develop 
technology, a trained workforce, a deeper understanding, the 
structures will change as our understanding changes.
    Let me join consensus here. I think there is a point in 
time--and I do not think it is very far away--where the 
structures have to adjust to changing capacities and Cyber 
Command and NSA have to be separated. That is not a panacea. It 
is not the philosopher's stone. It is not going to turn digital 
lead into digital gold for us, but I think it is a powerful 
step forward.
    Senator McCain, I was really intrigued by your comment 
about perhaps the U.S. Coast Guard is a workable model. I 
actually joined an effort by the American Enterprise Institute 
about a year and a half ago that actually tried to seek how 
should we organize as a government not just as the armed forces 
to deal with the cyber domain. The Coast Guard model really 
does offer some interesting examples. It is an educational 
organization. It is dedicated to public safety. It is a first 
responder. It conducts search and rescue. It is a law 
enforcement element of our government and in extremis, we can 
use it as a combat arm of the American Government. Obviously, 
it does not transfer perfectly, but I do think there is some 
really interesting parallels here that we could profit from as 
we try to move forward and create a whole-of-government 
response.
    Again, one more time, let me join consensus. The Coast 
Guard is an intriguing model because it straddles government 
and private sector. We really do have to do that in terms of 
cybersecurity. So any model that allows us to put our arms 
around the private sector where, frankly, I think most of these 
battles will be won or lost, is one that we should pursue.
    I look forward to your questions and learning a great deal 
from my colleagues here.
    Chairman McCain. Do you think the private sector is eager 
to cooperate?
    Mr. Hayden. The private sector gets it as victim. This is 
life experience. I am out of government 8 years now. When I 
first started talking with them, we were a nuisance talking 
about cybersecurity. They now know that cybersecurity is not a 
subtraction from the bottom line, but it is integral to the top 
line. That part they get.
    What they have not yet embraced is that they could enter 
into a deeper relationship with the government that would not 
inhibit either their financial or their cybersecurity success. 
The burden of proof might be a bit more on us than on them.
    Chairman McCain. I get the impression that a lot of these 
particularly major Silicon Valley corporations would like to 
stay as far away as possible from the Federal Government.
    Mr. Hayden. Senator, we are probably still feeling the 
after-effects, the second and third order effects, of the 
Snowden revelations and so on. I would have agreed with you 
more strongly 2 or 2 and a half years ago, but in my recent 
dialogue with them, I do see a shift. Let me give you an 
example.
    I will be a little oblique here. Vault 7, which was 
allegedly an awful lot of CIA [Central Intelligence Agency] 
cyber tools going public. We have not seen Silicon Valley 
rending their garments in outrage about this. I think their 
response to this has been far more mature, far more 
understanding of the appropriate role of government than we saw 
2 or 3 years ago.
    Chairman McCain. Thank you.
    I take it our witnesses agree that until our adversaries 
believe the consequences of an attack in cyberspace will 
outweigh the benefits, behaviors will not change.
    Mr. Stavridis. Yes, sir.
    Mr. Clapper. Yes, sir.
    Mr. Hayden. Yes, sir.
    Chairman McCain. Every event is being handled on a case-by-
case basis. Is that appropriate or sustainable?
    Mr. Clapper. That is true, but I think that is a swing at 
me from the prior administration. Every case is a little 
different, at least for the cases we encounter. It would be 
nice to have a broad policy, though, that you could start with, 
which we really do not have.
    Mr. Hayden. Let me go deeper than Jim. In the Bush 
administration, we could not do a cyber thing without having a 
meeting in the situation room.
    Chairman McCain. What are the impediments? There is a 
common refrain here, constant refrain, we do not have a 
strategy, we do not have a policy, therefore, we have huge 
problems. What is the impediments here? What is keeping us 
from--the last administration and then the administration 
before that were all good people. They all understood the 
threat, but yet, we have not developed a policy or a coherent 
strategy. Is it a lack of leadership? Is it a lack of focus? Is 
it a lack of evolving technologies? What is the problem here? I 
am not sure we can solve it without defining the problem.
    Mr. Clapper. I will take a try at that, although I do not 
think it will be satisfactory to you, Senator McCain, is what I 
tried to get at in my statement about lack of confidence in our 
ability to absorb a counter-retaliation. That is why to me, if 
you are going have a serious discussion about deterrence, the 
fundamental underpinning of deterrence has got to be defense 
and resilience. Unless we are confident that we can withstand a 
counter-retaliatory action, which may not be as measured and 
precise as we might employ, having a serious discussion and 
writing things down in the absence of that is pretty hard.
    The other thing I ran into, not to sound like an excuse 
here, but are legalities. I think Jim mentioned the Sony 
attack. Of course, putting aside the issue of whether that 
impacted the national security of not, the First Amendment I 
guess, so if we consider only using the single domain of cyber 
to retaliate, then the issue comes up, well, we have to execute 
and attack through someone else's infrastructure in order to 
get ultimately at the target. Is that an act of war against 
that intermediary or not? Lawyers have a field day with that 
kind of an issue.
    So in the end, in the case of Sony, we ended up not doing 
anything in the cyber domain but using other tools, sanctions 
against North Koreans, which for me were ceremonially 
satisfying but really did not have a lot of impact.
    So those are the complexities. It sounds legalistic and 
bureaucratic, but to me, those are the kinds of things that 
have inhibited us.
    But the main point I would make is that unless we have 
confidence in our ability to absorb an attack and be resilient, 
it is always going to inhibit a single domain response, that is 
in cyber. That is why I mentioned using all the other tools.
    Mr. Stavridis. Senator, if I could, Chairman McCain. I 
think those are salient points.
    I would add back to this theme of education. For the Senate 
Armed Services Committee, the question becomes are those in the 
military under the purview of this committee receiving enough 
computer science. Are each of the academies training to this, 
the ROTC [Reserve Officers' Training Corps] programs? Over 
time, I think some of these problems will be solved simply by 
demographics, as younger people who are digital natives come 
into positions of authority. But I think that is part of the 
problem we are trying to solve here.
    Mr. Hayden. Senator, I would just add one thought. I 
totally agree with Jim's analysis about our defense. We self-
deter because we do not understand how well we could deal with 
the second and third steps.
    But with regard to what is legal, what fits policy, the 
problem is we do not have any case law. We do not have any 
generalized recognition of what constitutes accepted 
international practice.
    One way to create accepted international practice is to 
practice. We actually have the opportunity to establish case 
law. We have the opportunity to begin to set out what is 
accepted international practice. I would suggest a country like 
ours with checks and balances and transparency would be doing 
the world a service by creating an accepted regime in this 
domain by prudently using some of the capacities we have.
    Chairman McCain. Well, I thank the witnesses.
    On the issue of the cyber corps, or whatever you want to 
call it, I do not know if we ought to establish that. But right 
now I do not see a clear career pattern and a path to success 
for these very valuable individuals who have these special 
talents, maybe not to be a fighter pilot or a tank commander, 
but to be able to engage in this hand-to-hand combat that we 
are involved in. Again, I am not sure whether it is a cyber 
corps, but we better establish a path and incentives for people 
to engage in countering what we all agree is a major threat to 
American security.
    Senator Reed?
    Senator Reed. Well, thank you very much, Mr. Chairman.
    Thank you, gentlemen, for your excellent testimony.
    Just a quick follow-up, General Hayden. We can make some 
law by doing things that are accepted either explicitly or 
implicitly by the intelligence community. We also can sit down 
and try to essentially do an agreement. We did it with the 
financial world after World War II with Bretton Woods. I do not 
sense any effort anywhere to try to do that. Am I missing 
something?
    Mr. Hayden. There has been an effort. Actually Michele 
Markoff at the State Department, who takes the Acela up to New 
York routinely and tries to use the U.N. to transfer the 
accepted laws of armed conflict here and transfer them up here 
into the cyber domain--and she has been somewhat successful.
    Beyond that, though, Senator, I think the real issue we 
have is there is a big chunk of the world--and some of it 
comprises our friends--a big chunk of the world who consider 
cybersecurity preventing that for which we think we have the 
Internet in the first place, which is the free flow of 
information. Their definition of cybersecurity is control of 
data entering into their sovereign space where ours is quite 
different. We run headlong into this lack of consensus. Hence, 
my approach to begin to create a normative regime established 
in essence by practice by a prudent, law-abiding nation.
    Senator Reed. With respect to a normative regime, as I 
indicated in my opening statement, the task force on cyber 
deterrence suggested that we develop the ability to hold at 
risk key aspects of potential opponents or adversaries, 
including in some cases the individual wealth or the individual 
status of potential opponents.
    Is that something that is in this concept of trying to 
establishing the rules of the road, General Clapper?
    Mr. Clapper. Well, I think what you are getting at--at 
least it conjures up in my mind, Senator Reed--is the notion of 
using sanctions, economic sanctions, to leverage identified 
cyber opponents.
    Senator Reed. I think you could almost go further than that 
of using as cyber operations to literally go after the 
resources and the finances of individuals.
    Mr. Clapper. Sure, I think that would be useful to have in 
the toolkit.
    Senator Reed. Again, going back to the point that General 
Hayden made, if we have it in the toolkit, we never use it, it 
is not seen as deterrence. Do we have to use it at some point?
    Mr. Clapper. Well, yes. Of course, you kind to come to 
think about why does the nuclear deterrent work. It has so 
far--knock on wood--for 70 years. But that really is not a very 
good comparison when you think about it because they are 
different, and there are only nine countries that have that. 
The fact that we have not, no one has used nuclear weapons 70 
years in itself--and the problem with cyber it is so 
ubiquitous, it pervades so many aspects, and there are so many 
things that go into the cyber world that do not merit--you 
know, they are annoyances, and they do not merit certainly a 
nation state response. So those comparisons to me are not very 
satisfactory.
    Senator Reed. Admiral Stavridis, your comment.
    Mr. Stavridis. Just to pick it up, as I was saying 
earlier--and I think this is where General Hayden and I are on 
the same page--using an appropriate, demonstrative, offensive 
capability can have a wonderfully clarifying effect on the 
minds of your enemies. I think it is time to lift the veil a 
little bit. Finances are one thing, I think absolutely. I think 
another is military forces, not the nuclear forces, though, 
should be off the table, but showing that we have real 
capability against nation state actors I think it is time to 
strongly consider some form of that. Again, as General Hayden 
says, it builds a regime in international law that I think 
would be salutary.
    Senator Reed. Just a final point. I think your comments 
clearly reveal that we have significant vulnerabilities, 
particularly on our civilian sector. We have done a lot more 
for the military, but we could do much more. But when we come 
to the civilian sector, it is quite vulnerable--our critical 
infrastructure.
    It seems to me there are a couple of paths to pursue. One 
would be pass laws, regulations, require them to do this or 
that. Second is to use the insurance market perhaps to get them 
to include in their operating costs the costs of protection. 
One element is insurance--we have the terrorism reinsurance 
initiative, which is essentially designed for structures that 
might be destroyed. But I think we are getting to a point in 
the world where the structures are less vulnerable in some 
respects than the electronic infrastructure. But, again--
quickly because my time has expired--are there any thoughts?
    Mr. Clapper. If I could just foot stomp something that 
Admiral Stavridis said, which is the huge importance of 
education. At my headquarters, just ODNI, Office of the 
Director of National Intelligence--and you know, this is 
composed of intelligence professionals that understand the 
threat. Yet, the only way we could improve their sensitivity to 
spear phishing, you know, a fairly common thing out there, is 
to test and then throw up the results on the screen once a week 
at the staff meeting, embarrass the senior leaders about your 
folks need to be better educated, and we just keep testing and 
the grade scores would go up. Well, we do not do that. To me, 
it is just fundamentally important that institutionally and 
individually, there needs to be better recognition and better 
education about the threat.
    Mr. Hayden. Senator Reed, can I just double down on the 
cyber insurance question?
    Senator Reed. With the chairman's permission.
    Mr. Hayden. That unleashes a business case for businesses 
to actually increase their cybersecurity without the negative 
effects of a compliance mindset coming out of government 
regulations. So anything the Congress could do to make that 
more possible, whether it is second insurer or other aspects of 
the insurance industry, I think would be a real plus.
    Senator Reed. Thank you.
    Mr. Stavridis. I agree with that, and I want to be on 
record as such. Thank you.
    Senator Reed. Thank you.
    Chairman McCain. Senator Wicker?
    Senator Wicker. Admiral Stavridis, give us an example 
scenario of how we would demonstrate openly our offensive cyber 
capability.
    Mr. Stavridis. Following an intrusive attack into our 
electoral process, bank accounts disappear from leading Russian 
oligarchs who are connected closely to the regime, sort of 
level C; government officials, many of whom are moving money 
offshore in Russia, level B; or go after Vladimir Putin, level 
A. You want to think very carefully as you go up that ladder of 
escalation, just like you do with traditional----
    Senator Wicker. Go after Vladimir Putin specifically how?
    Mr. Stavridis. Two ways. By attacking his accounts and 
diminishing them or by simply revealing them to his people. You 
are currently seeing Prime Minister Medvedev under enormous 
political pressure in Russia, a whole series of demonstrations 
around the country tied to revelations about his offshore 
financing, his yachts, his multiple luxury goods. That kind of 
reveal I think would have a salutary effect.
    Senator Wicker. General Hayden, are you wanting to jump in 
there?
    Mr. Hayden. Yes, just very briefly. Jim wrote about this 
right after the attacks became public, and one of the other 
ideas I think that was contained in his original article is so 
you have the Russians attacking the foundations of American 
democracy. So we return the favor. We use cyber tools to attack 
the foundations of Russian autocracy, which is the ability of 
the Russian surveillance state to track its own citizens. So 
pushing in a covert way tools into the Russian cyberspace that 
make it more difficult, anonymizing tools to make it more 
difficult for their security services to follow their own 
citizens demonstrates the cost to Putin of his fooling with our 
processes.
    Senator Wicker. General Clapper, what might the counter-
response be?
    Mr. Clapper. Well, you preempted me, Senator. I am all for 
doing this, but there needs to be also due consideration for 
what the potential counter-retaliation might be. Of course, 
while we think in terms of very specific attacks, Putin's bank 
account or the oligarchs' around him, they may not react in 
kind. That is not to say not to do it. It is just that we need 
to consider what the potential domain or expanse of--what the 
space would be that they might retaliate against us. Ergo, my 
point about resilience.
    Senator Wicker. For instance, how might they?
    Mr. Clapper. Well, they could go after our critical 
infrastructure, for example, unrelated to the fairly narrow 
attack we might mount using Admiral Stavridis' example. That is 
not to say that, well, let us go after President Trump's bank 
account or something. That would be pretty big. It may not be a 
good example. But anyway, we cannot----
    Senator Wicker. Or General Clapper's bank account.
    Mr. Clapper. Well, that will be trivial.
    All I am trying to say is we cannot count on an equal or 
symmetrical counter-retaliation if we retaliate. That is not to 
say we should not think about it and consider it. All I am 
asking or plugging for is that we also consider about what the 
total space might be for a response.
    Senator Wicker. General Clapper, you felt that the response 
in the example of North Korea was unsatisfactory. What might we 
have done other than sanctions, which you viewed as ceremonial, 
that might actually have helped the situation?
    Mr. Clapper. Our leverage, U.S. direct leverage, over North 
Korea is kind of limited. You know, we are pretty much out of 
Schlitz on direct binary sanctions. Of course, what we have 
tried to do is to influence the Chinese, who do have some 
leverage over the North Koreans. What we wanted to do, of 
course, was to counter-attack. We knew what it was because it 
was attributed exactly. But then you run into the complication 
of you have to go through another country's infrastructure to 
get to the target. We were inhibited from doing that primarily 
from the standpoint of--again, this gets back to the definition 
of what is an act of war. Would that have been an act of war 
against a third country?
    Senator Wicker. Quickly. We have talked about state actors 
and then non-state actors. How expensive is it to be in this 
business, if you are a non-state actor?
    Mr. Clapper. How expensive is it?
    Senator Wicker. Yes.
    Mr. Clapper. Not very. Not very. If you want to roam around 
the dark Web and acquire tools and capabilities, it is not all 
that expensive.
    Senator Wicker. So how expensive would it be for our 
government to gear up significantly in this regard?
    Mr. Clapper. To gear up for an attack?
    Senator Wicker. Well, to be more of a major player and to 
get organized and do what has been recommended at this table.
    Mr. Clapper. Well, I do not know. I cannot answer the 
question, how much it would cost. I just would again foot 
stomp. I am sorry to sound like a broken record, but to me I do 
not think it is within the realm of possibility to completely 
foreclose a counter-attack. If we attack, we are going to be 
counter-attacked I would guess, and we need to be prepared for 
that eventuality. I guess what it does say, if we have money to 
invest, we need to think about defense first before we get off 
on all of the offensive tools which we are going to be 
inhibited from using unless we are confident in our resilience.
    Senator Wicker. Thank you, gentlemen.
    Chairman McCain. Senator Shaheen?
    Senator Shaheen. Thank you, Mr. Chairman.
    Thank you all very much for being here.
    I just want to follow up a little bit on the whole issue of 
sanctions because, as you said, General Clapper, you felt the 
sanctions against North Korea were not very satisfying. That is 
kind of how I felt about the sanctions that we did against 
Russia after the elections. They were not very satisfying.
    On the other hand, there is a much more comprehensive 
sanctions bill that is sponsored by Senator McCain and has 
bipartisan cosponsors that would go after the energy sector, 
for example, and some of the financing in Russia. Do you think 
that would be a better way to hold Russia accountable for what 
they did?
    Mr. Clapper. Well, it would certainly convey a message to 
them, no question about it. But again, what will they do in 
response? I am all for sanctions----
    Senator Shaheen. Well, it is not a cyber response.
    Mr. Clapper. The sanctions that we have imposed 
particularly after Ukraine were effective. They probably 
lowered the GDP [Gross Domestic Product] of Russia 2 or 3 
percent. But, of course, the major problem Russia has is the 
price of oil going up and down. That is really what affects 
them.
    But I think we could do and could have done more targeted 
sanctioning against certain figures in Russia. I do think 
kicking out 35 intelligence operatives and closing the two 
dachas was a great first step.
    Senator Shaheen. I agree.
    Mr. Clapper. But I would have like to have seen more.
    Senator Shaheen. But I understood you all to say that if we 
do not take action in response to what has happened, whether it 
is Russia or North Korea, that we will continue to see these 
kinds of intrusions.
    Mr. Clapper. Absolutely. That has been the pattern. You 
know, there has been an insidious increase. As adversaries, 
whether a nation state or a non-nation state, they are 
encouraged to push the envelope, and how much can we get away 
with? If there is no reaction, they will keep pushing that 
envelope.
    Mr. Stavridis. I will just add a way to think about this is 
the old saying if you live in a glass house, you should not 
throw stones. I do not agree with that in this case. We do live 
in a glass house. I think we need to throw a few stones, or we 
are going to see more and more of this and it will ratchet up 
over time.
    As to the point about being unable to go after somebody 
because it goes through another nation's server setup, I take 
the point. I would counter by saying we fly Tomahawk missiles 
over other countries' airspace pretty consistently when we want 
to go after a target. So while I understand the legality piece 
of that, I think tactically that is not an insurmountable 
barrier.
    Mr. Clapper. We do not do that over China or Russia.
    Mr. Hayden. That was one of the issues I was suggesting of 
what down here applies up here. So I can offer just an 
hypothesis. Does a server in Malaysia enjoy as much Malaysian 
sovereignty as the building it which that server is located? 
The fact of the matter is I have seen very good legal minds 
take that on, and the answer is, no, it does not because it 
exists up here. In addition to its physical location, it also 
exists up here in this global commons, as if it were in space 
or at sea.
    Senator Shaheen. Well, I think it is no doubt that our 
legal framework has not caught up with our technological 
framework.
    I would go to your point, Admiral Stavridis, about 
education. I think one of the challenges is that this a topic 
that is so foreign to so many people that they do not have any 
idea how to address it. I mean, witness the audience at the 
hearing today. I think that is an example of that.
    One of the things that struck me reading about the hack 
into Macron and the French elections was how simple the 
response of the Macron campaign was to what Russia was doing. 
They only had 15 people, and what they figured out was if they 
put out a lot of decoys basically with a lot of information, 
that it would really blunt that attack. I think part of our 
education effort needs to be to explain to people that this is 
not as complicated as it seems and in terms of personal 
security hygiene.
    But could government, knowing that the aversion to 
regulation that we have--would it not be possible for us to 
require any system that could be hacked that is sold to the 
government to have certain security requirements that would 
make it difficult to hack? Is that an option that we should be 
thinking about?
    Mr. Hayden. Absolutely, ma'am. What that does because the 
government is such a big consumer, the water level of security 
in the country then goes up.
    Mr. Clapper. To be religious about somehow mandating 
staying up with patches. Whenever there are changes, make sure 
that those are updated and somehow making that mandatory.
    Senator Shaheen. Let me just ask a final question, if I 
could, Mr. Chairman, and that is, what is the current or 
potential cyber threat to this country that you all are most 
concerned about?
    Mr. Hayden. I will jump in first. There is always a 
possibility of the apocalyptic attack, turning out all the 
lights east of the Mississippi. That is not where I focus. I 
cannot say that is zero. So, ma'am, if I draw a chart here in 
the ether between us as to how bad could it be, Hayden, and 
this arm is, yeah, but how likely is it, where I end up with is 
kind of Sony North America plus what the North Koreans did 
against Sony North America, perhaps enriched by new technology 
and more aggressiveness in the 2 years. So that is kind of my 
circle as most likely, most dangerous right now, which if done 
in sequence over multiple firms, I mean, that is a foreign 
government attacking a North American firm to coerce its 
behavior. Wow.
    Mr. Stavridis. I am just going to add to that. Even though 
I agree completely with the General that the likelihood is low, 
I think the grid is very vulnerable. I think that is worth 
spending more time to my other General's point about resilience 
because that is really the dark end of the spectrum, as General 
Hayden says.
    Mr. Clapper. I think your question was most likely. I worry 
about the worst case, which is an attack on our infrastructure. 
I think the Russians particularly have reconnoitered it and 
probably at a time of their choosing, which I do not think 
right now is likely, but I think if they wanted to, they could 
do great harm.
    Senator Shaheen. Thank you all very much.
    Thank you, Mr. Chairman.
    Chairman McCain. Senator Fischer?
    Senator Fischer. Thank you, Mr. Chairman.
    Thank you, gentlemen, for being here today.
    As the chairman said at the beginning of this hearing, many 
of us on this committee have talked for years about the need 
for a strategy and policy and a definition of terms basically. 
I think, Admiral, we continue to struggle in defining some key 
terms when it comes to cybersecurity. In your statement, you 
mentioned establishing a solid doctrinal foundation, a common 
vernacular for cybersecurity policy throughout our government.
    General Hayden, you spoke about we have the opportunity 
before us right now where we can establish some case law 
internationally, a normative regime.
    On an international stage, what are the consequences for 
our reluctance to move forward in establishing those terms, and 
how do you view the leadership of the United States in this 
process? I would ask you all to comment on that please.
    Mr. Hayden. We suffer from a lack of internal consensus, 
and therefore it is hard for us to begin to build outward from 
that. If you are asking so if we were to go do that, how would 
we do that, my instincts are you begin within the Five Eyes 
community, likeminded English speaking democracies. You develop 
a consensus there, build out to maybe the G-7 countries who 
have real skin in the game in terms of cybersecurity, and then 
maybe out to the G-20. If you get broad normative consensus, 
not treaty consensus, in those groupings, then I think you have 
established international norms.
    Keith Alexander, my successor at Fort Meade, had a 
wonderful question to a group once. Is there anyone in this 
room who knows a redeeming social value for a botnet? Of 
course, the answer is no. I mean, we can establish normative 
behavior that if you have a botnet on your network, it is kind 
of like you have biological weapons. There is no good reason 
for you to allow that to continue. Again, it requires consensus 
on our part and building out from that consensus to likeminded 
nations.
    Mr. Stavridis. I agree with all that. I will add to it. 
Over time when you really want to build that out, there is kind 
of a rough analogy, Senator, to what we did in the oceans in 
the creation of the Law of the Sea. You will recall before the 
1980s, some nations had 200-mile territorial seas. Others had 3 
nautical miles. Crazy claims were coming into place. The 
international community came together and created a Convention 
on the Law of the Sea. There is long back story about U.S. 
involvement there that we will not go into at this hearing. But 
the point is the international community eventually is going to 
grapple with this in some form or another.
    The botnets are like pirates at sea. Nobody wants them. 
There are real demand signals emerging for more organization. 
We do not want to outsource this to the United Nations. We do 
want to build it from the inside out.
    Senator Fischer. So you agree with General Hayden when he 
said it is up to us, that we have to establish it first.
    Mr. Stavridis. Emphatically.
    Senator Fischer. Before you speak, General Clapper, in the 
NDAA [National Defense Authorization Act] we have included some 
things on cyber mostly to train, equip a force. But do you 
think this burden lies on us here in Congress, or does it take 
leadership from an administration willing to step up?
    Mr. Stavridis. I take the easy way out. It is both. You 
have to have a driver at the other end of Pennsylvania Avenue, 
but you have a role, obviously, in the ultimate disposition, as 
well as at times driving the other end.
    Senator Fischer. And defining it? Thank you.
    General Clapper?
    Mr. Clapper. I was just going to strongly endorse the Air 
Force guy, but I think the Law of the Sea is a great metaphor. 
I would also point out that took years and years, decades, 
hundreds of years to evolve. But there is a pretty 
sophisticated set of laws that seafaring nations generally 
abide by, and I think that is not a bad basis for thinking 
about the cyber domain.
    So could we prevail upon countries to not attack civilian 
targets, for example, which would be to everyone's mutual 
advantage?
    I think the United States must take the leadership here if 
for no other reason than the dominance of the United States in 
the technology and as much of the world's infrastructure that 
originates here or passes through this country. The obvious 
international leader here has got to be the United States.
    Senator Fischer. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCain. Senator King?
    Senator King. Thank you, Mr. Chair.
    First, I want to say this is one of the most informative 
and interesting and important hearings that I have attended in 
this or any other committee. I want to thank all three of you. 
It has been very provocative.
    On Senator Wicker's question about cost, remember he was 
saying what it will cost. Just a rough calculation, for the 
cost of one jet aircraft, the Russians can hire 4,000 hackers. 
I mean, what the Russians did in our elections was warfare on 
the cheap. I mean, it was very low cost and very disruptive. I 
think that is part of the new reality that we are facing here.
    I think Senator McCain asked a relevant question. We keep 
talking about a policy and a doctrine, and it never seems to 
happen. In my view, the major impediment is the structure which 
is so cumbersome and confusing and overlapping and dispersed 
that that produces cumbersome, overlapping, and dispersed 
policy. Structure is policy in my experience.
    I think this really has to start with the only centralized 
authority we have in this country and that is the President. It 
has got to start with the direction from the President that we 
are going to have a policy. We are going to call together the 
intelligence community, the defense community, Homeland 
Security, and we are going to develop a policy and a doctrine.
    I think the other piece that is very important that you 
have talked about is digital literacy. I think it needs to 
start in the third grade. Every American child at some point in 
their youth starts carrying around a computer, and they have 
got to be educated. In Maine, we have a very extensive--
computers in our schools. Every middle school student in Maine 
has a laptop--every seventh and eighth grader in the whole 
state. We call it digital literacy, digital citizenship. People 
need to understand how to block their doors.
    I was really struck, Admiral, by your statement that 65 or 
70 percent of the attacks are essentially preventable. That is 
really a huge--our education has not caught up with it. We 
teach kids how to do things in day-to-day life, but we got to 
teach them how to distinguish truth from fiction on the 
Internet. My wife has a sign in our kitchen that says, ``the 
problem with quotes on the Internet is it is difficult to 
determine if they are authentic,''--Abraham Lincoln. We have 
got to be teaching those things.
    Deterrence. I completely agree. We are all aging ourselves, 
but the relevant case to me is Dr. Strangelove. If you have the 
ultimate deterrent device but do not tell anybody, it is not 
deterrence. It does not work. Dmitri, why did you not tell us? 
Well, we were going to wait until May Day or something like 
that.
    Then finally, there is a question in here somewhere. 
General Hayden, I think we have really got to be thinking hard 
about how we integrate with the private sector. Around here we 
always talk about whole-of-government. This has to be whole-of-
society. The business community is very suspicious of 
government. They are worried about regulation. They do not want 
the Federal Government telling them what they got to do in 
their networks.
    Give me some thoughts about how we can bridge that gap 
because if we do not, it is the private sector, it is the grid, 
the financial system. That is where the bombs are going to 
fall, in effect. That is why there has got to be more 
communication and cooperation, it seems to me, or it is just 
not going to work.
    Mr. Hayden. Two very quick thoughts, Senator.
    One, back to Senator Reed's comment about insurance. That 
is a far more attractive approach to the business community for 
the government to assist, support, unleash business to have 
better security through a return-on-investment model. That is 
one.
    Second, back to my hand puppet here, all of our cultural 
habits in the executive branch and in the Congress are that the 
government has primary responsibility, the government is in the 
lead in terms of providing safety in physical space. Therefore, 
the private sector is always subordinated to the government. 
That is our habit of thought. The government tells the private 
sector what it is it has to do. That may not actually be a 
suitable model for this. This is a place where the private 
sector might actually have a larger chunk of the responsibility 
for security----
    Senator King. In my experience, the private sector 
overestimates their invulnerability. If you ask any utility in 
the country, they will tell you we have got it covered. We are 
okay.
    Mr. Hayden. Perhaps because I am consulting with them and 
they want help, I see a different picture that they do 
recognize the issue.
    For example, we talk about classification. We just got to 
get better at metering out formally classified information to 
the private sector. Yes, I get that. But you realize that is 
embracing the old model where the government is in control of 
what information is shared. I think, given enough time, I can 
think of seven or eight examples where it is not about making 
the old model, government is on lead, but we will cooperate 
more with you, work better. But perhaps changing the paradigm 
that in all but the most extreme cases, we are going to win or 
lose a cyber engagement based upon the private sector's 
performance. So now it is about liberating, unleashing, 
removing liability, and a whole bunch of other things that 
would make the private sector more self-reliant and frankly 
probably a better partner with the government.
    Senator King. I think one thing that the government can 
do--and General Clapper mentioned this in his agency--is red 
teaming the dickens out of this, in other words, trying to 
break in and showing people where the problems are, whether it 
is within government or within the private sector.
    Mr. Clapper. Two other points just to reinforce what Mike 
just said is, first of all, the private sector could well be 
the first line, you know, the DEW [Distant Early Warning] line, 
to use a Cold War--a distant early warning line could come from 
the private sector that would know about an attack, 
particularly the beginning phases, before the government might.
    The other thing is the government cannot fully understand 
what is really important to the private sector segments. There 
has just got to be a better dialogue.
    Now, having said that, I have to plug the Department of 
Homeland Security because I do believe it should be the 
interface with the private sector, not the spy community 
directly. We need to support that, but there needs to be that 
buffer because there is concern, sensitivity, maybe some of it 
well justified, about the spy crowd doing that. But there needs 
to be a more robust partnership between what the government, 
which cannot necessarily dominate this--and I completely agree 
with what Mike said, that the paradigm here may be different.
    Senator King. Thank you.
    Thank you, Mr. Chairman.
    Chairman McCain. Senator Rounds?
    Senator Rounds. Thank you, Mr. Chairman.
    Gentlemen, first of all, let me begin just by saying thank 
you very much for your service to our country.
    I am just curious. If we had it to do over again and you 
could start right from 20 years ago and you were going to 
establish how we affected this domain, would you share with me, 
if you could begin at that time, what you would look at in 
terms of how we would establish this today? Where would we be 
today?
    Mr. Hayden. So I had something of this question when I got 
to NSA. That is 1999. I thought I was being overly dramatic by 
going to the private sector to do our IT system. So we actually 
went to the phones, the computers, the network that for me by 
2001 was actually being run by the private sector. My thought 
was that is good. That is an appropriate role. It would be 
inappropriate to more deeply involve the private sector in the 
mission aspects of what it was we did at NSA.
    I may have low balled that. That may have been a bad 
judgment. In other words, as we are breaking new trail here--I 
began this more than 20 years ago. So in the mid-1990s, we 
probably should have more aggressively pushed not to extract 
private sector technology--we did that all the time--but to 
engage the private sector, particularly in the defensive aspect 
of this, out of the gate, that this is going to be won or lost 
based on their performance.
    Mr. Stavridis. I would add I take General Clapper's point. 
I think we would probably have centralized this in one entity. 
DHS did not exist then, but let us hypothesize that it did. I 
think you would probably start off with a more centralized 
function in the government. I like General Hayden's points on 
private/public.
    As I mentioned in my initial thoughts, I would certainly 
consider building some kind of a cyber corps, a cyber service, 
a cyber first responder force. I would also add look at the 
very beginning at the international aspects of this. We are 
flying that airplane and trying to do significant 
reconstruction on it. If we could get the international 
community together. I think there are lessons in all of those 
for today as well, Senator.
    Mr. Clapper. Well, let me contradict what I said in my 
statement about if we could go back 20 years plus and start 
with a blank piece of paper, I think the notion of a cyber 
guard service, patterned somewhat after the Coast Guard--I am 
not even sure it needs to be a uniformed or could be a 
uniformed service. It may be better if it were not. I do not 
know. But that notion I think does have functional merit, and 
it would have been a lot easier had we grown that from the get-
go when all of this started. But as always, hindsight is 20/20.
    Mr. Hayden. Can I just add to that, Senator, very quickly? 
This is my talking about myself because I did this.
    We can be fairly accused of militarizing the cyber domain. 
It was our armed forces that went there first. As I said, it is 
a domain of operations rather than this global commons. What 
Jim just suggested if we had been smart enough in the 1990s to 
have begun this with the Coast Guard-ish model, we may actually 
be in a better place globally than we were by using the 
Department of Defense model.
    Mr. Stavridis. A lot of this is how you think about it. So 
General Hayden has been using his hand puppet all morning. I 
agree with that.
    I think another way to think about it is like an iceberg. 
The tip of the iceberg is really what the government can do. 
The mass of the iceberg here is really the private sector. If 
you hold that image in your mind 20 years ago, you would be in 
a very different place today.
    Mr. Clapper. 85 percent of the critical infrastructure in 
the United States is in the private sector.
    Senator Rounds. The Defense Science Board made it pretty 
clear that over the next 10 years, we are going to have to be 
able to deter those near-peer competitors because regardless of 
how hard we try, we can make it more expensive for them to get 
in. But we are not going to be able to necessarily stop them. 
Our defensive capabilities simply will not meet their offensive 
capabilities. There has to be a significant price to be paid 
for getting in. Agree or disagree?
    Mr. Clapper. For me, listening to what you just said, 
again, I am being a broken record here, but it emphasizes the 
importance of resilience in my mind.
    Mr. Hayden. I would just add do not confine your concept of 
defense as reducing vulnerabilities or defending at the 
perimeter. The best minds in this now in the private sector--it 
is presumption of breach. They are getting in. Get over it. 
Fight the fight. It is about discovery, recovery, response, 
resilience, not about the preventing penetration.
    Mr. Stavridis. If we can shift analogies yet again, think 
about it medically. If you go into a place with Ebola, today we 
go in with moon suits to try and protect our perimeter. The 
fight of the 21st century is inside the body. It is 
antibiotics. It is finding the immunotherapy. It is knowing 
that you are going to be infected. How are you going to deal 
with it medically in the aftermath?
    Senator Rounds. Thank you. My time has expired.
    Thank you, Mr. Chairman.
    Chairman McCain. Senator Peters?
    Senator Peters. Thank you, Mr. Chairman.
    Thank you, gentlemen, for very insightful testimony as 
always. I always appreciate your comments.
    I will just, before I ask a couple questions, pick up on a 
comment. Admiral, you mentioned the 65 and 70 percent of 
attacks with proper hygiene. As you were saying that, it 
reminded me of a recent trip I had to Microsoft with their 
cyber folks there and a statistic that was my main takeaway 
from it was that they said that if you buy a computer at your 
local store and plug it into the Internet and you do not put 
any kind of software protections against viruses, that that 
computer will be infected within 17 minutes, which is pretty 
frightening and should be a real clarion call to everyone why 
this hygiene is so important. In 17 minutes. Just doing your 
normal Internet stuff, in 17 minutes it will be infected. That 
is the magnitude of the threat that we face particularly in the 
civilian side as you mentioned.
    I want to continue to follow that line of thought because I 
think that is my major takeaway from this meeting as well. When 
you were asked, all three of you, the number one threat, each 
of those were in the civilian sector. They were critical 
infrastructure. It was the Sony attack. It was the grid. It was 
infrastructure generally.
    You also talked about the silos and the concerns. I know, 
General Clapper, you talked about concerns of silos if we have 
a different command as well.
    But I also appreciate your comments about how the 
Department of Homeland Security needs to be intricately 
involved in this whole aspect.
    So my question is, given the dual nature of how we deal 
with this threat with the FBI and Homeland Security, Department 
of Defense, what do we need to do to bring that collaboration 
together? Is that perhaps part of this new cyber command, 
however it may be constituted, to involve kind of a real 
paradigm shift when it comes to different agencies that have 
these different kinds of responsibilities? Would the FBI be 
part of it, for example? Or what are your thoughts about what 
that would look like to incorporate some of our homeland 
security elements? To all three of you actually.
    Mr. Clapper. Well, let me start. I guess I am the most 
recent graduate of the government. That is something actually 
we worked at pretty hard trying to graphically portray what the 
respective responsibilities are. I mean, the FBI, for example, 
hugely important. Of course, it all starts with attribution 
because then that determines the government response.
    So if it is a criminal hacktivist that is in the United 
States, the first question, where is this coming from. Is it 
coming from overseas? Is it coming from a nation state? Is it 
coming from a non-nation state entity overseas, or is it coming 
domestically? The way we are currently organized and the way 
our laws govern us, there is a division of effort here among 
those players.
    That is why the Department of Homeland Security I think is 
actually a very prominent player both for interface with the 
civilian sector and for resilience, you know, being the cyber 
FEMA [Federal Emergency Management Agency], if you will. When 
we have an attack--it is inevitable we are going to have them, 
and if it is of a sufficient magnitude, we have to have a 
mechanism for resilience, for recovery.
    I do think--that is why I alluded to this in my remarks--
that the setup we have today can be made to work provided 
people have the authorities that are supported by the Congress 
and the resources to discharge their respective 
responsibilities.
    Mr. Stavridis. I agree with that.
    Mr. Hayden. All true.
    A couple of additional thoughts. Number one, you got to man 
up. The Department of Homeland Security is notorious for having 
vacancies in senior leadership positions, particularly in the 
cyber aspects of it. So good talent there for extended periods 
of time.
    Second I think is to end any sense of competition between 
Homeland Security and NSA, to have Homeland Security and NSA 
totally agree that NSA can be the powerful back room, but the 
storefront always has to be the Department.
    Senator Peters. One follow-up, if I may, and I am running 
out of time. I think, General Hayden, you mentioned about the 
civilian sector is very engaged in this, and I agree. I am very 
involved in the area of self-driving vehicles coming from 
Michigan. This is transformative technology. Certainly they are 
very aware and are focused on cybersecurity in that area. It is 
bad enough when someone breaks into your bank account, steals 
your money. If they take over your automobile, that is an 
existential threat to you--and have formed ISACs [Information 
Sharing and Analysis Center] and other ways to cooperate.
    So your assessment of what you are seeing in the civilian 
sector with ISACs and other types of ideas that they are coming 
up with. What is your assessment of their effectiveness and how 
that might be able to be incorporated in this type of 
reorganization we are thinking about?
    Mr. Hayden. No. They are a good news story, but they are 
uneven. Across different industries, you get different degrees 
of commitment, largely based on sense of threat. I actually 
think that the power industry, financial services--they are 
ahead of the pack because they know the dangers out there. It 
is not surprising that you are seeing that kind of cooperation 
here. But that would be the word ``uneven'' today.
    Mr. Stavridis. I will give you one good one specifically is 
the banking sector. The eight largest banks in the United 
States have come together to form something called the FSARC 
[Financial Systemic Analysis & Resilience Center]. I will send 
something in for the record on that.
    Mr. Stavridis. But it is a good news story. Again, it goes 
to General Hayden's point about a sense of threat. They ought 
to feel threatened and they are working together to alleviate 
that threat.
    Mr. Clapper. I would just endorse that. The financial 
sector in this country has gotten religion about this for 
obvious reasons. That is a great model for this.
    Senator Peters. Thank you.
    Chairman McCain. Senator Nelson?
    Senator Nelson. Thank you, Mr. Chairman.
    Gentlemen, thank you for your public service.
    I get the impression from your testimony that we really 
have not responded in any way to give the deterrence that we 
want. So let us take a couple of examples: the intrusion into 
our election and now the French election and we expect the 
German election. Give me a scenario that you might think that 
we might respond so that anytime that the Russians are fooling 
around in the future in Ukraine, Syria, other elections, what 
would be a good deterrence.
    Mr. Clapper. Senator Nelson, I spoke briefly to this at my 
earlier hearing before Senator Graham's Judiciary Subcommittee. 
I think frankly--and I mentioned then, as much as I do not like 
doing hearings, that I thought it was a useful service for the 
public to have this discussion about the Russian interference, 
which in my mind far transcends leaks and unmaskings and all 
that. That is all internal stuff. But this assault on our 
democracy by the Russians I think is profound. The public has 
got to be educated and it starts with education, just as we 
were talking about with cyber.
    So I will again contradict myself about how the government 
is organized with respect to messaging or counter-messaging. I 
would vote for a USIA, a United States Information Agency, on 
steroids to do the counter-messaging for election interference 
or counter-message ISIS [Islamic State of Iraq and Syria] or 
any other message that is inimical to our interests and our 
values because our messaging right now is fragmented across the 
government. I have said this before, and the experience we had 
with this egregious interference in the most important process 
of our future of our democratic system has got to start with 
educating our public and doing the counter-messaging against 
those nefarious messages and the sources of them.
    I do think the French went to school on our experience. In 
the course of developing our intelligence community assessment, 
we shared with our friends and allies what we were 
experiencing. But that to me is a fundamental shortfall in the 
way we are organized now.
    Senator Nelson. Let us hope the Germans do as well.
    Mr. Hayden. Senator, I would do all that as part of a 
component of a broader response. Here, I would drop what you 
described not in the information warfare box or in the cyber 
box. I would drop this in the ``we got a problem with the 
Russians'' box. I would respond across the board.
    So in response to this, I would sell arms. I would give 
arms to the Ukrainians. I would do everything that Jim 
described in terms of cyber counterpunching. I think I would 
have the President fly up to Erie, get in a motorcade, stand on 
top of Marcellus shale and say this is going to Europe. This 
gas is going to wean our European friends off their dependence 
on Russian energy, and we are going to do that in 10 years.
    Senator Nelson. I happen to agree. I think we ought to make 
a bold display of our displeasure. Let us hope that because of 
our misfortune in our election that, again, it is arming the 
Germans, as it apparently has armed the French. Part of that 
was an education campaign, just what you said, General.
    All right. So the private sector, though. So, you know, 
they are really dragging their feet. We have not been able to 
get them to quickly share threat information with the 
government, and incentives are not working at the level that we 
need. So how do we need to change that private sector's 
thinking?
    Mr. Hayden. Very briefly. Number one, keep on doing what we 
are doing. Keep pressing ahead. Make ourselves a more welcoming 
and more generous partner in the dialogue, again, back to the 
paradigm where we are in charge of what is getting shared and 
they get whatever we decide, again, probably not the right 
model, far more cooperative.
    Mr. Stavridis. I would just add specifically the cyber 
insurance piece that we have talked about--that is a very 
practical piece of this. Doing a hearing like this--you 
probably are--with Eric Schmidt of Google, Dan Schulman of 
PayPal, Bill Gates of Microsoft, get those voices. You are 
probably already doing that.
    Mr. Clapper. I do want to mention, Senator Nelson, the 
pushback that Jeh Johnson, then Secretary of Homeland Security, 
got from state election officials when he attempted to engage 
with them particularly on the issue of including our voting 
apparatus at large as part of our critical infrastructure. So 
there is a lot of suspicion, whatever it is, pushback at the 
state level and local level about the Feds getting involved in 
things, just another manifestation of this reluctance on the 
part of the private sector to engage.
    Mr. Stavridis. Can I just pick up the last point about the 
states? We have not talked enough about the States and their 
role in all of this. I am joined today by Dave Weinstein, who 
is the head of cyber for the State of New Jersey. They have a 
hub and spoke relationship with the Federal Government. We need 
more of that to break down those stovepipes in this area like 
we try to do in law enforcement.
    Senator Nelson. Amen. Thank you.
    Chairman McCain. Senator Blumenthal?
    Senator Blumenthal. Thank you, Mr. Chairman. Thank you for 
having this hearing.
    This hearing illustrates for me one of the ironies of 
working here, which is that we are discussing one of the most 
important topics to our national defense with one of the most 
erudite, informative panels in my experience on this committee, 
and the room is empty.
    Mr. Stavridis. Hopefully, we are online somewhere.
    Senator Blumenthal. I am sure we are online somewhere, but 
it really illustrates I think the point that each of you has 
made about education and the focus that needs to be devoted to 
this topic. I was reminded--I do not know why exactly--as one 
of you was testifying of a book called ``Why England Slept,'' 
now a famous book because it is written by a former President, 
John F. Kennedy, about England's sleeping through the buildup 
in Germany and that buildup left it very far behind when it was 
directly and immediately threatened. I feel we are living 
through the same kind of era right now in cyber, and we will 
be, I fear, tragically awakened to our complacency at some 
point.
    General Clapper, you said in that Judiciary hearing--and 
you were very powerful on this topic of the assault on our 
democracy--that there needs to be--and I am quoting--I do think 
as well there needs to be more done in the way of sanctions to 
the Russians or any other government that attempts to interfere 
with our election process. End quote.
    I have cosponsored and helped to introduce two measures, 
Countering Russian Hostilities Act and Russia Sanctions Review 
Act, that seek to codify and impose greater sanctions on the 
Russians. I believe, as Senator Graham said at that hearing and 
both of us have said recently, that the Russians will continue 
to attack us--2018 is not very far away--as long as they are 
not made to pay a price or, as the chairman said, as long as 
the benefits outweigh the price that they pay. That is just the 
calculus for them, and they are going to continue to do it.
    But I also think that people who cooperate with them, aid 
and abet, collude also should be made to pay a price when they 
violate our laws. There is an ongoing investigation conducted 
by the FBI into not only the Russian interference with our 
election but also potential cooperation or collusion they 
receive from Americans, including members of the Trump 
campaign, Trump associates. Michael Flynn is subject to that 
investigation.
    Assuming that all of you agree that anybody in this country 
who cooperates or colludes with that kind of cyber attack, 
which I regard as an act of war on this country, I am wondering 
whether I could elicit from you support for appointment of a 
special prosecutor? I realize it may be somewhat outside the 
sphere directly of the technical issues that bring you here 
today, but I do think it is of paramount importance. You raised 
this issue by referring to domestic threats in the cyber 
sphere, General Clapper. You were on CNN [Cable News Network] 
this morning, General Hayden, talking about this topic exactly 
about your previous opposition to such special prosecutors but 
now perhaps you have a somewhat changed view because of the 
events of the last 48 hours and the need for what you called, 
quote, extraordinary structure to uncover the truth and impose 
accountability.
    So with that longwinded buildup--and I apologize for being 
so longwinded--let me ask you, General Clapper and the rest of 
the panel, maybe beginning with General Hayden.
    Mr. Hayden. I will go first because you are quoting me from 
a couple of hours ago in which I said I instinctively oppose--
these sorts of extraordinary structures go longer, deeper, 
broader than you want and they become destructive in their own 
right. But I have been disheartened by the events of the last 
48 to 72 hours. I am not yet decided, Senator, as I said on 
CNN, but I am very close to having--I have a far more open mind 
than I did before lunch 2 days ago, and we will see now whether 
the ordinary structures can give the Nation sufficient 
confidence that they will not be impeded, they will be 
enthused, and they will get to the truth and be able to tell us 
the truth.
    Mr. Clapper. I worry about multiple investigations in the 
Congress, which I think have the effect of dissipating energy. 
As a frequent witness to these many investigations, I am in the 
same place that Mike is where I have reached the point where I 
believe that we need to think about that.
    I have previously spoken in hearings that I thought 
probably the best hope in the Congress was the Senate 
Intelligence Committee, but in light of the events of the last 
day or so, I am moving toward that pendulum swinging more 
towards some kind of independent effort. Whether it is a 
commission or a special prosecutor, I do not know.
    What I do know is we have got to get rid of this cloud over 
this country. This is in the best interest of the President. It 
is in the best interest of the Republicans or Democrats. I do 
not care what the stripe is. But this is a profoundly serious 
thing for this country. We are in a bad place. I do not know 
what the solution is, whether it is some kind of independent 
body. Maybe that is where we need to go next.
    Senator Blumenthal. Admiral?
    Mr. Stavridis. I think this is beyond the scope of the 
executive branch. The events call for something outside the 
executive branch, much as an IG [inspector general] in the 
military sits outside a chain of command and can, therefore, 
effectively look. What that exact structure is I do not know, 
and I yield to the Congress to determine it. That is why we 
have a separation of powers in this Nation.
    Senator Blumenthal. I am way over my time, Mr. Chairman. I 
apologize.
    Chairman McCain. Well, it is an important question.
    Senator Blumenthal. Thank you.
    Chairman McCain. Could I just say to the witnesses this has 
been very important for this committee? We appreciate the 
gravity of the challenge, and you have certainly given us a lot 
of good advice and counsel.
    Could I finally say that there are very few benefits of 
being around a long time that I know of.
    We are about to adjourn, Senator Warren.
    There are very few benefits, but one of them is the great 
honor that I have had to know the three witnesses over the 
years. I appreciate their wisdom, their counsel, and their 
outstanding service to our Nation. I know you had other things 
to do besides coming here this morning, but I am speaking for 
the entire committee. I am very grateful.
    This hearing is adjourned.
    [Whereupon, at 11:12 a.m., the committee was adjourned.]

                                 [all]