[Senate Hearing 115-418]
[From the U.S. Government Publishing Office]
S. Hrg. 115-418
FOREIGN CYBER THREATS TO THE
UNITED STATES
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
JANUARY 5, 2017
__________
Printed for the use of the Committee on Armed Services
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.Govinfo.gov/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
33-940 PDF WASHINGTON : 2019
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON ARMED SERVICES
JOHN McCAIN, Arizona, Chairman
JAMES M. INHOFE, Oklahoma JACK REED, Rhode Island
ROGER F. WICKER, Mississippi BILL NELSON, Florida
DEB FISCHER, Nebraska CLAIRE McCASKILL, Missouri
TOM COTTON, Arkansas JEANNE SHAHEEN, New Hampshire
MIKE ROUNDS, South Dakota KIRSTEN E. GILLIBRAND, New York
JONI ERNST, Iowa RICHARD BLUMENTHAL, Connecticut
THOM TILLIS, North Carolina JOE DONNELLY, Indiana
DAN SULLIVAN, Alaska MAZIE K. HIRONO, Hawaii
DAVID PERDUE, Georgia TIM KAINE, Virginia
TED CRUZ, Texas ANGUS S. KING, JR., Maine
LINDSEY GRAHAM, South Carolina MARTIN HEINRICH, New Mexico
BEN SASSE, Nebraska ELIZABETH WARREN, Massachusetts
LUTHER STRANGE, Alabama GARY C. PETERS, Michigan
Christian D. Brose, Staff Director
Elizabeth L. King, Minority Staff Director
(ii)
C O N T E N T S
_________________________________________________________________
January 5, 2017
Page
Foreign Cyber Threats to the United States....................... 1
Lettre, Honorable Marcel J., II, Under Secretary of Defense for 5
Intelligence.
Clapper, Honorable James R., Jr., Director of National 7
Intelligence.
Rogers, Admiral Michael S., USN, Commander, United States Cyber 10
Command; Director, National Security Agency; Chief, Central
Security Services.
Questions for the Record......................................... 52
(iii)
FOREIGN CYBER THREATS TO THE
UNITED STATES
----------
THURSDAY, JANUARY 5, 2017
U.S. Senate,
Committee on Armed Services,
Washington, DC.
The committee met, pursuant to notice, at 9:29 a.m. in Room
SD-G50, Dirksen Senate Office Building, Senator John McCain
(chairman) presiding.
Committee members present: Senators McCain, Inhofe, Wicker,
Fischer, Cotton, Rounds, Ernst, Tillis, Sullivan, Graham, Cruz,
Reed, Nelson, McCaskill, Shaheen, Gillibrand, Blumenthal,
Donnelly, Hirono, Kaine, King, and Heinrich.
Other Senators Present: Senators Purdue, Warren, Peters,
and Sasse.
OPENING STATEMENT OF SENATOR JOHN McCAIN, CHAIRMAN
Chairman McCain. Well, good morning, everyone.
Before we begin, I want to welcome all our members back to
the committee and extend a special welcome to the new members
joining us. On the Republican side, we are joined by Senator
Purdue and Senator Sasse. On the Democrat side, we are joined
by Senator Warren and Senator Peters.
It is a special privilege to serve on this committee, most
of all because it affords us the opportunity to spend so much
time in the company of heroes, the men and women who serve and
sacrifice on our behalf every day. I hope you will come to
cherish your service on this committee as much as I have over
the years, and I look forward to working with each of you.
The committee meets this morning for the first in a series
of hearings on cybersecurity to receive the testimony on
foreign cyber threats to the United States. I would like to
welcome our witnesses this morning: James Clapper, Director of
National Intelligence; Marcel Lettre, Under Secretary of
Defense for Intelligence; and Admiral Mike Rogers, Commander of
U.S. Cyber Command, Director of the National Security Agency,
and Chief of the Central Security Service.
This hearing is about the range of cybersecurity challenges
confronting our Nation, threats from countries like Russia,
China, and North Korea and Iran, as well as non-state actors
from terrorist groups to transnational criminal organizations.
In recent years, we have seen a growing series of cyber attacks
by multiple actors, attacks that have targeted our citizens,
businesses, military, and government. But there is no escaping
the fact that this committee meets today for the first time in
this new Congress in the aftermath of an unprecedented attack
on our democracy.
At the President's direction, Director Clapper is leading a
comprehensive review of Russian interference in our recent
election with the goal of informing the American people as much
as possible about what happened. I am confident that Director
Clapper will conduct this review with the same integrity and
professionalism that has characterized his nearly half a
century of government and Military Service. I am equally
confident in the dedicated members of our intelligence
community.
The goal of this review, as I understand it, is not to
question the outcome of the presidential election. Nor should
it be. As both President Obama and President-elect Trump have
said, our Nation must move forward. But we must do so with full
knowledge of the facts. I trust Director Clapper will brief the
Congress on his review when it is completed. This is not the
time or place to preview its findings.
That said, we know a lot already. In October, our
intelligence agencies concluded unanimously that, quote, the
Russian Government directed compromises of emails from United
States persons and institutions, including from United States
political organizations. They also assessed that, quote,
disclosures of alleged hacked emails were consistent with the
methods and motivations of Russian-directed efforts and that
these thefts and disclosures were intended to interfere with
the United States election process.
Since then, our intelligence community has released
additional information concerning these Russian activities,
including a joint analysis report that provided technical
details regarding the tools and infrastructure used by the
Russian civilian and military intelligence services to attack
the United States.
Every American should be alarmed by Russia's attacks on our
Nation. There is no national security interest more vital to
the United States of America than the ability to hold free and
fair elections without foreign interference. That is why
Congress must set partisanship aside, follow the facts, and
work together to devise comprehensive solutions to deter,
defend against and, when necessary, respond to foreign cyber
attacks.
As we do, we must recognize that the recent Russian attacks
are one part of a much bigger cyber problem. Russian cyber
attacks have targeted the White House, the Joint Staff, the
State Department, our critical infrastructure. Chinese cyber
attacks have reportedly targeted NASA, the Departments of State
and Commerce, congressional offices, military labs, the Naval
War College, and United States businesses, including major
defense contractors. Most recently, China compromised over 20
million background investigations at the Office of Personnel
Management. Iran has used cyber tools in recent years to attack
the United States Navy, United States partners in the Middle
East, major financial institutions, and a dam just 25 miles
north of New York City. Of course, North Korea was responsible
for the massive cyber attack on Sony Pictures in 2014.
What seems clear is that our adversaries have reached a
common conclusion: that the reward for attacking America in
cyberspace outweighs the risk. For years, cyber attacks on our
Nation have been met with indecision and inaction. Our Nation
has no policy and thus no strategy for cyber deterrence. This
appearance of weakness has been provocative to our adversaries
who have attacked us again and again with growing severity.
Unless we demonstrate that the costs of attacking the United
States outweigh the perceived benefits, these cyber attacks
will only grow.
This is also true beyond the cyber domain. It should not
surprise us that Vladimir Putin would think he could launch
increasingly severe cyber attacks against our Nation when he
has paid little price for invading Ukraine, annexing Crimea,
subverting democratic values and institutions across Europe,
and of course, helping Bashar Assad slaughter civilians in
Syria for more than a year with impunity. The same is true for
China, Iran, North Korea, and any other adversary that has
recently felt emboldened to challenge the world order. Put
simply, we cannot achieve cyber deterrence without restoring
the credibility of United States deterrence more broadly.
To do so, we must first have a policy, which means finally
resolving the long list of basic cyber questions that we as a
Nation have yet to answer. What constitutes an act of war or
aggression in cyberspace that would merit a military response,
be it by cyber or other means? What is our theory of cyber
deterrence, and what is our strategy to implement it? Is our
Government organized appropriately to handle this threat, or
are we so stove-piped that we cannot deal with it effectively?
Who is accountable for this problem, and do they have
sufficient authorities to deliver results? Are we in the
Congress just as stove-piped on cyber as the executive branch
such that our oversight actually reinforces problems rather
than helping to resolve them? Do we need to change how we are
organized?
This committee intends to hold a series of hearings in the
months ahead to explore these and other questions. We look
forward to hearing the candid views of our distinguished
witnesses today who have thought about and worked on these
questions as much as anyone in our Nation.
Senator Reed?
STATEMENT OF SENATOR JACK REED
Senator Reed. Well, thank you very much, Mr. Chairman. I
want to commend you for your leadership in promptly scheduling
this hearing on foreign cyber threats.
I would also like to welcome our witnesses: Director
Clapper, Under Secretary Lettre, and Admiral Rogers. Thank you,
gentlemen, for your service and your dedication.
While I understand that our witnesses will be discussing
the cyber threats that many countries, including China and
India, pose to our Nation, I would like to focus for a few
minutes on the widely reported instances of Russian hacking and
disinformation that raised concerns regarding the election of
2016.
In addition to stealing information from the Democratic
National Committee and the Clinton campaign and cherry-picking
what information it leaked to the media, the Russian Government
also created and spread fake news and conspiracies across the
vast social media landscape. At the very least, the effect of
Russia's actions was to erode the faith of the American people
in our democratic institutions. These and other cyber tools
remain highly active and engaged in misinforming our political
dialogue even today.
There is still much we do not know, but Russia's
involvement in these intrusions does not appear to be in any
doubt. Russia's best cyber operators are judged to be as
elusive and hard to identify as any in the world. In this case,
however, detection and attribution were not so difficult, the
implication being that Putin may have wanted us to know what he
had done, seeking only a level of plausible deniability to
support an official rejection of culpability.
These Russian cyber attacks should be judged within the
larger context of Russia's rejection of the post-Cold War
international order and aggressive actions against its
neighbors. Russia's current leaders, and President Putin in
particularly, perceive the democratic movements in the former
Soviet states, the West's general support for human rights,
press freedoms, the rule of law and democracy, as well as NATO
and EU enlargement, as a threat to what they believe is
Russia's sphere of influence.
Putin's Russia makes no secret of the fact that it is
determined to aggressively halt and counter what it
characterizes as Western encroachment on its vital interests.
The invasion of Georgia, the annexation of Crimea, the
aggression against Ukraine featuring sophisticated hybrid
warfare techniques, the continuing military buildup despite a
declining economy, saber-rattling in the Baltics and Baltic
Sea, the authoritarian onslaught against the press, NGOs, and
what remains of the Russian democratic opposition, the
unwavering campaign for national sovereignty over the Internet,
and the creation of an ``iron information curtain'' like
China's Great Firewall and its aggressive interference in
Western political processes all are of one piece. Russia's
efforts to undermine democracy at home and abroad and
destabilize the countries on its border cannot be ignored or
traded away in exchange for the appearance of comity.
Furthermore, what Russia did to the United States in 2016,
it has already done and continues to do in Europe. This
challenge to the progress of democratic values since the end of
the Cold War must not be tolerated.
Despite the indifference of some to this matter, our Nation
needs to know in detail what the intelligence community has
concluded was an assault by senior officials of a foreign
government on our electoral process.
Our electoral process is the bedrock of our system of
government. An effort to manipulate it, especially by a regime
with values and interests so antithetical to our own, is a
challenge to the Nation's security which much be met with
bipartisan and universal condemnation, consequences, and
correction.
I believe the most appropriate means to conduct an inquiry
is the creation of a special select committee in the Senate,
since this issue and the solutions to the problems it has
exposed spill across the jurisdictional divides of the standing
committees on Armed Services, Intelligence, Foreign Relations,
Homeland Security, and Judiciary. Failing that, our committee
must take on as much of this task as we can, and I again
commend the chairman for his commitment to do so.
Therefore, I am pleased and grateful that his efforts will
be extended, the energy will be invested on the matters that
are so critical to the American people. I also want to applaud
President Obama's initial steps publicized last week to respond
to Russia's hostile actions.
General Clapper, Under Secretary Lettre, Admiral Rogers, we
appreciate your urgent efforts to discover what happened and
why and to make these facts known to the President, the
President-elect, Congress, and the American people. Although
your investigation and report to President Obama is not yet
public, we hope you will be able to convey and explain what has
been accomplished so far, including the steps already announced
by the President.
In addition, I am sure we will have many questions about
how we are organized in the cyber domain and what changes you
have recommended going forward, subjects that President Obama
referenced in his signing statement of the National Defense
Authorization Act for Fiscal Year 2017.
These are difficult issues, but they are of vital
importance to our Nation, our security, and our democracy. Mr.
Chairman, I look forward to working with you in a bipartisan
manner to conduct a thorough and thoughtful inquiry and to do
more to address the cyber threats our Nation faces more broadly
by state and non-state actors. Thank you very much.
Chairman McCain. Welcome to the witnesses, and Mr.
Secretary, we will begin with you for any opening statements or
comment you might have.
STATEMENT OF HONORABLE MARCEL J. LETTRE II, UNDER SECRETARY OF
DEFENSE FOR INTELLIGENCE
Mr. Lettre. Thank you, Chairman, Ranking Member Reed,
members of the committee. I appreciate the opportunity to be
here today. I will shortly turn the microphone over to Director
Clapper for some comments, followed by Admiral Rogers. As this
is my last appearance before this committee before stepping
down from 8 years of Pentagon service in a few weeks, I want
to----
Chairman McCain. I am sure you will regret not having that
opportunity again.
[Laughter.]
Mr. Lettre. It will be nice to be skiing a little bit in
February. That is for sure.
But having said that, since I am just a few weeks from
stepping down, I do want to thank this committee for its
partnership and I want to thank Director Clapper and Admiral
Rogers for the privilege of being able to serve together with
them in the leadership of the U.S. intelligence community. To
the men and women of the U.S. intelligence community, civilian
and military, thousands of whom are deployed today around the
world advancing U.S. interests and protecting America, I do
admire your integrity. I admire your service. It has been an
honor to serve with you over the last many years.
In the interest of time, I will briefly note the Department
of Defense's views on cyber in three core themes: first, the
threats we must address; second, what we are doing to address
them now; and third, the difficult but urgent work we know
still lies ahead.
First, the threats. As you know, the Department of
Defense's leadership believes we confront no fewer than five
immediate but also distinct and evolving challenges across all
operating domains. We are countering the prospect of Russian
aggression and coercion, especially in Europe, something we
unfortunately we have had to energetically renew our focus on
in the last several years.
We are also managing historic change in perhaps the most
consequential region for America's future, the Asia-Pacific,
and watching for risks associated with China's destabilizing
actions in the region.
We are checking Iranian aggression and malign influence
across the Middle East.
We are strengthening our deterrent and defense forces in
the face of North Korea's continued nuclear and missile
provocations.
We are countering terrorism with the aim of accelerating
the lasting defeat of ISIL [Islamic State of Iraq and the
Levant] and al Qaeda.
These are what many in the Department of Defense have
termed the Four Plus One, four state-based challenges and an
ongoing condition of battling terrorism.
As our joint written statement for the record has detailed,
each of these security challenges, China, Russia, Iran, North
Korea, and global terrorist groups such as ISIL, presents a
significant cyber threat dimension to the United States
military. Cyber is an operating domain that is real, complex,
dynamic, contested, and must be addressed.
Second, what we are doing about it. The Department of
Defense has for several years pursued a comprehensive strategy
for maintaining the necessary strategic dominance in this
domain. Secretary of Defense Ash Carter has pressed for DOD
[Department of Defense] to change, to adapt, and to innovate
not only to meet today's challenges but also to ensure that we
effectively defend against cyber threats well into an uncertain
future.
We have built and continue to build the means and methods
that will strengthen our relative position against each of
these dimensions of the cyber threat. The Government cyber
policies, reflected in presidential policy directives and
executive orders, provide guidance on the absolute necessity of
a whole-of-government approach critical to protecting our
Nation.
The Department has developed, refined, and published its
cyber strategy which clearly lays out three key DOD cyber
missions: defending DOD networks, providing cyber options for
our military commanders, and when called upon by our Nation's
leaders, defending the Nation against cyber attacks of
significant consequence.
As the Director and Admiral Rogers will note, since 2009,
the Department has matured Cyber Command to ensure clear
command responsibility and authority and growing capabilities
essential to our unity of effort for cyber operations.
We also continue to mature our cyber mission forces which
this fall achieved initial operating capability, or IOC,
status. This force is providing military capability to execute
our three missions in cyberspace. We are building new
capabilities and new tools for the cyber mission force to use.
Third, what remains to be done. As much as we have done, we
recognize there is much more to do. Let me mention just a
couple of those most important tasks here.
First, we need to continue to develop and refine our
national cyber policy framework, which includes the evolution
of all dimensions of our deterrence posture: the ability to
deny the adversary's objectives, to impose costs, and to ensure
that we have a resilient infrastructure to execute a multi-
domain mission. This refinement in evolution in our deterrent
thinking and capability will further empower decision-making at
net speed.
Second, within the Department, Cyber Command has matured
and is doing more to protect the Nation and support global
operations than ever before, and we need to continue, in fact,
accelerate this maturation. Accordingly, the Secretary of
Defense supports the elevation of Cyber Command to a unified
combatant command and supports ending the dual hat arrangement
for the leadership of NSA [National Security Administration]
and Cyber Command and doing so through a deliberate conditions-
based approach while continuing to leverage the shared
capabilities and synergies.
Finally, we must redouble our efforts to deepen
partnerships between government and the private sector and
between the U.S. Government and our allies. We must continue to
seek help from American industry, the source of much of the
world's greatest technology talent, in innovating to find cyber
defense solutions, build resiliency into our critical
infrastructure systems, and strengthen our deterrence. With our
international allies and partners, we must work together to
promote stability in cyberspace, universal recognition that
existing international law applies in cyberspace, and the
adoption of voluntary peacetime norms of responsible state
behavior.
Mr. Chairman, thanks. I look forward to your questions. I
will now pass the baton to Director Clapper. Thank you.
Chairman McCain. General Clapper?
STATEMENT OF HONORABLE JAMES R. CLAPPER, JR., DIRECTOR OF
NATIONAL INTELLIGENCE
Director Clapper. Chairman McCain, Ranking Member Reed, and
distinguished members of the committee, first thanks very much
for your opening statements. Obviously, we are here today to
talk about cyber threats that face our Nation, and I will offer
some brief valedictory recommendations and a few parting
observations. I certainly want to take note of and thank the
members of the committee who are engaged on this issue and have
spoken to it publicly.
I know there is a great interest in the issue of Russian
interference in our electoral process based on the many
classified briefings the intelligence community has already
provided on this topic to the Congress. Secretary of Homeland
Security Jeh Johnson and I have issued statements about it. The
joint analysis report that you alluded to publicly issued by
the Department of Homeland Security and the Federal Bureau of
Investigation provided details on the tools and infrastructure
used by the Russian intelligence services to compromise
infrastructure associated with the election, as well as a range
of United States Government political and private sector
entities, as you described.
As you also noted, the President tasked the intelligence
community to prepare a comprehensive report on Russian
interference in our election. We plan to brief the Congress and
release an unclassified version of this report to the public
early next week with due deference to the protection of highly
sensitive and fragile sources and methods. But until then, we
are really not prepared to discuss this beyond standing by our
earlier statements. We are prepared to talk about other aspects
of the Russian cyber threat.
We also see cyber threats challenging public trust and
confidence in information services and institutions. Russia has
clearly assumed an even more aggressive cyber posture by
increasing cyber espionage operations, leaking data stolen from
these operations, and targeting critical infrastructure
systems.
China continues to succeed in conducting cyber espionage
against the United States Government, our allies, and United
States companies. The intelligence community and the security
experts, however, have observed some reduction in cyber
activities from China against United States companies since the
bilateral September 2015 commitment to refrain from espionage
for commercial gain.
Iran and North Korea continue to improve their capabilities
to launch disruptive or destructive cyber attacks to support
their political objectives.
Non-state actors, notably terrorist groups most especially
including ISIL, also continue to use the Internet to organize,
recruit, spread propaganda, raise funds, collect intelligence,
inspire action by disciples, and coordinate operations. In this
regard, I want to foot stomp a few points that I have made here
before.
Rapidly advancing commercial encryption capabilities have
had profound effects on our ability to detect terrorists and
their activities. We need to strengthen the partnership between
government and industry and find the right balance to enable
the intelligence community and law enforcement both to operate,
as well as to continue to respect the rights to privacy.
Cyber operations can also be a means to change, manipulate,
or falsify electronic data or information to compromise its
integrity. Cyberspace can be an echo chamber in which
information, ideas, or beliefs, true or false, get amplified or
reinforced through constant repetition. All these types of
cyber operations have the power to chip away at public trust
and confidence in our information, services, and institutions.
By way of some observations and recommendations, both the
Government and the private sector have done a lot to improve
cybersecurity, and our collective security is better but it is
still not good enough. Our Federal partners are stepping up
their efforts with the private sector but sharing what they
have remains uneven. I think the private sector needs to up its
game on cybersecurity and not just wait for the Government to
provide perfect warning or a magic solution.
We need to influence international behavior in cyberspace.
This means pursuing more global diplomatic efforts to
promulgate norms of behavior in peacetime and to explore
setting limits on cyber operations against certain targets.
When something major happens in cyberspace, our automatic
default policy position should not be exclusively to counter
cyber with cyber. We should consider all instruments of
national power. In most cases to date, non-cyber tools have
been more effective at changing our adversaries' cyber
behavior. When we do choose to act, we need to model the rules
we want others to follow since our actions set precedents.
We also need to be prepared for adversary retaliation,
which may not be as surgical, either due to our adversary's
skill or the inherent difficulty in calibrating effect and
impact of cyber tools. That is why using cyber to counter cyber
attacks risks unintended consequences.
We currently cannot put a lot of stock, at least in my
mind, in cyber deterrence. Unlike nuclear weapons, cyber
capabilities are difficult to see and evaluate and are
ephemeral. It is accordingly very hard to create the substance
and psychology of deterrence in my view.
We also have to take some steps now to invest in the
future. We need to rebuild trusted working relationships with
industry and the private sector on specific issues like
encryption and the roles and responsibilities for government,
users, and industry.
I believe we need to separate NSA and CYBERCOM [Cyber
Command]. We should discontinue the temporary dual hat
arrangement, which I helped design when I was Under Secretary
of Defense for Intelligence 7 years ago. This is not purely a
military issue. I do not believe it is in the NSA's or the IC's
[intelligence community] long-term best interest to continue
the dual hat setup.
Third, we must hire, train, and retain enough cyber talent
and appropriately fuse cyber as a whole-of-IC workforce.
Clearly cyber will be a challenge for the U.S., the
intelligence community, and our national security for the
foreseeable future, and we need to be prepared for that.
Adversaries are pushing the envelope since this is a tool that
does not cost much and sometimes is hard to attribute.
I certainly appreciate, as we all do, the committee's
interest in this difficult and important challenge.
I will wrap up by saying after 53 years in the intelligence
business in one capacity or another, happily I have just got 15
days left.
[Laughter.]
Director Clapper. I will miss being involved in the
intelligence mission, and I will certainly miss the talented
and dedicated patriots who are in the United States
intelligence community. I am very proud of the community of
professionals I have represented here for the last 6-\1/2\
years who do not get much public recognition and who like it
that way. They have always supported me and I am confident they
will do no less for my successor, whoever that turns out to be.
With that, let me stop and pass to Admiral Rogers.
Chairman McCain. Thank you, General.
Admiral Rogers?
STATEMENT OF ADMIRAL MICHAEL S. ROGERS, USN, COMMANDER, UNITED
STATES CYBER COMMAND; DIRECTOR, NATIONAL SECURITY AGENCY;
CHIEF, CENTRAL SECURITY SERVICES
Admiral Rogers. Chairman McCain, Ranking Member Reed,
members of the committee, good morning and thank you for the
opportunity to appear before the committee today on behalf of
the United States Cyber Command and the National Security
Agency.
I am honored to appear beside Director Clapper and Under
Secretary Lettre and I applaud them both for their many years
of public service. It has been a true honor, gentlemen.
When we last met in September, I discussed the changing
cyber threat environment, and today I look forward to further
discussing this complex issue. Of course, some aspects of what
we do must remain classified to protect our Nation's security.
Today I will limit my discussion to those in the public domain.
We have seen over the course of the last year how this
cyber threat environment is constantly evolving. We have all
come to take for granted the interconnectivity that is being
built into every facet of our lives. It creates opportunities
and vulnerabilities. Those who would seek to harm our fellow
Americans and our Nation utilize the same Internet, the same
communications devices, and the same social media platforms
that we, our families and our friends here and around the world
use. We must keep pace with such changes in order to provide
policymakers and our operational commanders the intelligence
and cyber capabilities they need to keep us safe. That means
understanding our adversaries to the best of our ability and
understanding what they mean to do and why. We are watching
sophisticated adversaries involved in criminal behavior,
terrorism planning, malicious cyber activities, and even
outright cyber attacks. While this is a global problem, we have
also recently witnessed the use of these tactics here at home.
The statement for the record that we have provided jointly
to this committee covers the threat picture worldwide, but I
know this hearing today will inevitably focus on reports of
interference in our recent elections. I echo Director Clapper
in saying that we will await the findings of the just-completed
intelligence review ordered by the President and defer our
comments on its specifics until after that review is shared
with our leaders and congressional overseers.
I do want to add, however, that over this last year, NSA
and Cyber Command have worked extensively with our broader
government partners to detect and monitor Russian cyber
activity. The hacking of organizations and systems belonging to
our election process is of great concern, and we will continue
to focus strongly on this activity.
For NSA's part, we focus on the foreign threat actor in
foreign spaces, but we share our information as readily as
possible with the rest of our partners in the Department of
Defense, the intelligence community, and Federal law
enforcement, as well as others within the U.S. Government and
the private sector.
As you know, Russian cyber groups have a history of
aggressively hacking into other countries' government
infrastructure and even election systems. As I have indicated,
this will remain a top priority for NSA and U.S. Cyber Command.
In this changing threat environment, I would like to take
this opportunity to emphasize the importance of improving
cybersecurity and working related issues across public and
private sectors. We continue to engage with our partners around
the world on what is acceptable and unacceptable behavior in
cyberspace, and we clearly are not where we want to be, nor
where we need to be in this regard.
We continue to make investments in technologies and
capabilities to improve detection of malicious cyber activities
and make it more difficult for malicious cyber actors intending
to do us harm. Combating cyber threats take more than
technology. It takes talented, motivated people, and we are
investing more than ever in the recruitment and retention of a
skilled workforce that is knowledgeable, passionate, and
dedicated to protecting the Nation for the safety of our
citizens and of our friends and allies around the world.
Innovation is one of the key tenets of NSA and Cyber
Command and we need to invigorate the cyber workforce that
think creatively about challenges that do not ascribe to
traditional understandings of borders and boundaries. This
remains a key driver and a key challenge as we look to the
future.
Cyber Command is well along in building our cyber mission
force, deploying teams to defend the vital networks that
support DOD operations, to support combatant commanders in
their missions worldwide, and to bolster DOD's capacity and
capabilities to defend the Nation against cyber attacks of
significant consequence.
The organizations I lead, the U.S. Cyber Command and the
National Security Agency, have provided intelligence, expert
advice, and tailored options to the Nation's decision-makers in
response to recent events. Much of their activity can only be
discussed in classified channels, but I must say I am proud of
what both organizations have accomplished and will accomplish,
even as we acknowledge we have to do more.
I look forward to your questions.
Finally, on one personal note, I apologize to all of you. I
have an ongoing back issue, and if I have to stand up in the
course of this time period, please do not take that as a sign
of disrespect in any way. I guess I am just getting older.
That is all I have for you, sir.
Chairman McCain. I know how you feel.
[Laughter.]
[The joint prepared statement of Director Clapper, Mr.
Lettre, and Admiral Rogers follows:]
Joint Prepared Statement by The Honorable James R. Clapper, The
Honorable Marcel Lettre and Admiral Michael S. Rogers
introduction
Chairman McCain, Vice Chairman Reed, and Members of the Committee
thank you for the invitation to offer the testimony of the Department
of Defense and the Intelligence Community on cyber threats to U.S.
national security. Our statement reflects the collective insights of
the Intelligence Community's extraordinary men and women whom we are
privileged to lead. We in the Intelligence Community are committed
every day to provide the nuanced, multidisciplinary intelligence that
policymakers, warfighters, and domestic law enforcement personnel need
to protect American lives and America's interests anywhere in the
world.
The order of the topics presented in this statement does not
necessarily indicate the relative importance or magnitude of the threat
in the view of the Intelligence Community.
Information available as of 1 January 2017 was used in the
preparation of this assessment.
joint statement for the record
Information and communication technologies play an increasing role
in the security of the United States. Cyberspace is both a resource on
which our continued security and prosperity depends, and a globally
contested medium within which threats manifest themselves. As their
cyber capabilities grow, our adversaries are demonstrating a
willingness to use cyberspace as a platform for espionage, attack, and
influence. Foreign Intelligence Entities continue to quietly exploit
our nation's public and private sectors in the pursuit of policy and
military insights sensitive research, intellectual property, trade
secrets, and personally identifiable information.
Cyber threats have already challenged public trust and confidence
in global institutions, governance, and norms, while imposing costs on
the global economy. These threats pose an increasing risk to public
safety, as cyber technologies are integrated with critical
infrastructure in key sectors. Adversaries also continue to use cyber
operations to undermine U.S. military and commercial advantage by
hacking into U.S. defense industry and commercial enterprises. The
breadth of cyber threats posed to U.S. national and economic security
has become increasingly diverse, sophisticated, and serious, leading to
physical, security, economic, and psychological consequences.
Despite ever-improving cyber defenses, nearly all information,
communication networks, and systems will be at risk for years to come
from remote hacking to establish persistent covert access, supply chain
operations that insert compromised hardware or software, malicious
actions by trusted insiders, and mistakes by system users. In short,
the cyber threat cannot be eliminated. Rather, cyber risk must be
managed in the context of overall business and operational risk. At
present, however, the risk calculus some private and public sector
entities employ does not adequately account for foreign cyber threats
or systemic interdependencies between different critical infrastructure
sectors.
We assess that some countries might be willing to explore limits on
cyber operations against certain targets, although few are likely to
support total bans on the development of offensive capabilities. Many
countries view cyber capabilities as a useful foreign policy tool that
also is integral to their domestic security, and will continue
developing these capabilities. Some also remain undeterred from
conducting reconnaissance, espionage, and even preparation for attacks
in cyberspace.
physical consequences
Our adversaries have capabilities to hold at risk U.S. critical
infrastructure as well as the broader ecosystem of connected consumer
and industrial devices known as the ``Internet of Things.'' Security
researchers continue to discover vulnerabilities in consumer products
including automobiles and medical devices. Examples of cyber incidents
with real world consequences include a cyber attack on a Ukrainian
power network in 2015 that caused power outages for several hours and a
``ransomware''--software designed to block a user's access to data
sometimes by encrypting it--infection that forced a hospital in the
United Kingdom in late 2016 to cancel scheduled medical procedures,
divert trauma patients to other hospitals, and impact access to
essential services such as blood transfusions. If adversaries achieve
the ability to create significant physical effects inside the United
States via cyber means, this would provide them new avenues for
coercion and deterrence.
commercial and security consequences
Our adversaries continue to use cyber operations to undermine U.S.
military and commercial advantage by hacking into U.S. defense industry
and commercial enterprises in the pursuit of scientific, technical, and
business information. Examples include theft of data on the F-35 Joint
Strike Fighter, the F-22 Raptor fighter jet, and the MV-22 Osprey. This
espionage reduces our adversaries' costs and accelerates their weapon
systems development programs, enables reverse-engineering and
countermeasures development, and undermines U.S. military,
technological, and commercial advantage. In addition, adversaries often
target personal accounts of government and industry officials as well
as their close associates to enable cyber operations.
psychological consequences
The impact of cyber threats extends beyond the physical, security
and commercial realms. Online information operations and manipulation
from both states and non-state actors can distort the perceptions of
the targeted victim and other audiences through the anonymous delivery
of manipulative content that seeks to gain influence or foment
confusion and distrust. Information taken through cyber espionage can
be leaked intact or selectively altered in content. For example,
Russian actors have seeded falsified information into social media and
news feeds and websites in order to sow doubt and confusion, erode
faith in democratic institutions, and attempt to weaken Western
governments by portraying them as inherently corrupt and dysfunctional.
cyber policy, diplomacy, and warfare
Foreign Cyber Policies. National and domestic security interests
are an important component of global Internet policy, as is a robust
and stable global digital economy and the free flow of information
online. As foreign countries seek to balance security, economic growth,
and interoperability objectives, many are implementing new laws and
technical changes to monitor and control access to information within
and across their borders and to control user access through means such
as restrictions on encryption and steps to reduce anonymity online.
However, these states will probably not significantly erode the
overall global connectivity of the Internet. Furthermore, some state
information control efforts will almost certainly be challenged by a
broad coalition of states and non-state cyber stakeholders, including
innovative technologists, industry leaders, privacy advocates, hackers,
and others with an interest in opposing censorship or government
control of cyberspace.
Diplomacy. In 2015, following a China-United States bilateral joint
statement on this issue, G-20 leaders affirmed that that no country
should conduct or support cyber-enabled theft of intellectual property
with the intent of providing competitive advantages to companies or
commercial sectors. U.S. diplomatic efforts continue to focus on the
promotion of a strategic framework of international cyber stability
during peacetime and during armed conflict that is built on three
pillars: global affirmation of the applicability of existing
international law to State activity in cyberspace; the development of
international consensus on certain additional voluntary, nonbinding
norms of responsible State behavior in cyberspace during peacetime; and
the development and implementation of practical confidence-building
measures to facilitate inter-State cooperation on cyber-related
matters. The promotion of this framework is complicated by efforts to
build and enhance international cooperation to address shared threats.
These efforts also are hampered by the lack of consensus over key
concepts such as what constitutes an armed attack, act of aggression,
or the use of force in cyberspace. Furthermore, countries do not widely
agree on how such principles of international law as proportionality of
response or even the application of sovereignty apply in cyberspace.
Cyber Warfare. As of late 2016 more than 30 nations are developing
offensive cyber attack capabilities. The proliferation of cyber
capabilities coupled with new war-fighting technologies will increase
the incidence of standoff and remote operations, especially in the
initial phases of conflict. Cyber attacks against critical
infrastructure and information networks also will give actors a means
of bypassing traditional defense measures and minimizing the advantage
of geography to impose costs directly on their targets from a distance.
Russian officials, for example, have noted publicly that initial
attacks in future wars might be made through information networks in
order to destroy critically important infrastructure, undermine an
enemy's political will, and disrupt military command and control.
Adversaries equipped with similar offensive cyber capabilities could be
prone to preemptive attack and rapid escalation in a future crisis,
because both sides would have an incentive to strike first. Cyber
attacks against private sector networks and infrastructure could
provoke a cyber-response by the intended target, raising the
possibility of corporate and other non-state actor involvement in
future cyber conflict and blurring the distinction between state and
non-state action. Protecting critical infrastructure, such as crucial
energy, financial, manufacturing, transportation, communication, and
health systems, will become an increasingly complex national security
challenge.
cyber threat actors
Russia. Russia is a full-scope cyber actor that poses a major
threat to U.S. Government, military, diplomatic, commercial, and
critical infrastructure and key resource networks because of its highly
advanced offensive cyber program and sophisticated tactics, techniques,
and procedures. In recent years, we have observed the Kremlin assume a
more aggressive cyber posture. Russian cyber operations targeted
government organizations, critical infrastructure, think tanks,
universities, political organizations, and corporations often using
spearphishing campaigns. In foreign countries, Russian actors conducted
damaging and/or disruptive cyberattacks, including attacks on critical
infrastructure networks. In some cases Russian intelligence actors have
masqueraded as third parties, hiding behind false online personas
designed to cause the victim to misattribute the source of the attack.
We assess that only Russia's senior-most officials could have
authorized the recent election-focused data thefts and disclosures,
based on the scope and sensitivity of the targets. Russia also has used
cyber tactics and techniques to seek to influence public opinion across
Europe and Eurasia. Looking forward, Russian cyber operations will
likely target the United States to gather intelligence, support Russian
decisionmaking, conduct influence operations to support Russian
military and political objectives, and prepare the cyber environment
for future contingencies.
China. Beijing continues to conduct cyber espionage against the
United States Government, our allies and U.S. companies. Since the
China-United States cyber commitments in September 2015, private-sector
security experts continue to detect cyber activity from China, although
at reduced levels and without confirmation that stolen data was used
for commercial gain. Beijing has also selectively used cyber attacks
against foreign targets that it probably believes threaten Chinese
domestic stability or regime legitimacy. China continues to integrate
and streamline its cyber operations and capabilities into a dedicated
cyber element that will be increasingly difficult to detect or counter.
Iran. Tehran continues to leverage cyber espionage, propaganda, and
attacks to support its security priorities, influence events and
perceptions, and counter threats--including against United States
allies in the Middle East. Iran has also used its cyber capabilities
directly against the United States, as in distributed denial of service
attacks in targeting the United States financial sector in 2012-13.
North Korea. Pyongyang remains capable of launching disruptive or
destructive cyber attacks to support its political objectives, as
demonstrated by its destructive attack against Sony Pictures
Entertainment in 2014. South Korean officials have also concluded that
North Korea was probably responsible for the 2014 compromise,
exfiltration, and disclosure of data from a South Korean nuclear plant,
and for numerous denial of service and data deletion attacks.
Terrorists. Terrorists groups--to include al Qaeda, Hizballah,
HAMAS, and the Islamic State of Iraq and the Levant (ISIL)--continue to
use the Internet to collect intelligence, coordinate operations, raise
funds, spread propaganda, and incite action. Groups such as the Taliban
also use Internet-based technology for similar purposes. While not as
sophisticated as some state actors, Hizballah and HAMAS will continue
to build on their cyber successes inside and outside the Middle East.
ISIL personnel will continue to seek opportunities to target and
release sensitive information about United States citizens in an effort
to spur ``lone-wolf' attacks as demonstrated in their 2015 operations
that disclosed potential targeting information about U.S. military
personnel.
Criminals. Cybercrime remains a persistent and prevalent malicious
activity in cyberspace. Criminals develop and use sophisticated cyber
tools for a variety of purposes including theft, extortion, and
facilitation of other criminal activity. ``Ransomware has become a
particularly popular and effective tool for extortion, one for which
few options for recovery or remediation are available if the victim has
not previously backed up the affected data. In 2016, criminals
employing ransomware targeted the medical sector, disrupting patient
care and undermining public confidence in medical institutions. Some
criminals use markets conducted on the so-called dark web to sell or
lease malware to anyone willing to pay, including state and non-state
actors.
responses
Perhaps the most significant counterintelligence threat to our
nation, both currently and in the future, involves the rapid
development and proliferation of disruptive, advanced technologies that
provide adversaries with capabilities that even just a few years ago
were not considered plausible. Sophisticated technical collection
through a variety of means is available to more adversaries than ever
before and can occur virtually anywhere and involve telephones,
computers, Internet, cell phones, wired and wireless networks, as well
as conversations and activities in offices, homes, vehicles, and public
spaces. Disruptive technology is being built and fielded at an
unprecedented rate, and we are already dealing with the consequences of
a hyperconnected world. The complexity of technological advances, both
in the tools themselves and the methods used to compromise them,
necessitates a much greater technical and cyber literacy than what was
required of us even five years ago.
As we face this ever-changing cyber threat environment, the
Intelligence Community and U.S. Cyber Command have been hardening
internal U.S. Government systems, increasing knowledge and awareness
among industry and the community, and engaging more closely with a host
of partners to share best practices and threat information. The
National Security Agency, in particular, has taken aggressive measures
to hire and retain the cybersecurity talent needed to operate in this
challenging environment. In addition, Cyber Command leverages the
capacity and capabilities of 133 Cyber Mission Force teams that are
responsible for synchronizing and executing cyber operations to support
combatant command operations, and for the defense and security of
service component and Department of Defense Information Networks. Cyber
Command has established close working relationships with both
international and interagency partners and stands ready to support a
whole of nation response. The National Counterintelligence and Security
Center's (NCSC) innovative public awareness campaign has resulted in
placing numerous short informative videos on its public-facing website
concerning cyber and associated threats, which are of immediate,
practical use to federal, industry and community partners alike. NCSC
also established a National Counterintelligence Task Force for Critical
Infrastructure to coordinate counterintelligence efforts to mitigate
this threat.
While many government organizations can make a unique contribution
to securing our networks and the nation, no one agency has the
capability to do so alone. The security of systems and networks is not
the responsibility of one person or one agency or one industry, but
rather requires a whole of nation response and a culture of
cybersecurity among all users of the information space across private
and public sectors.
The Intelligence Community and U.S. Cyber Command have been working
to provide the Secretary of Defense and DOD policymakers with effective
options for operational cyber responses to threats to U.S. interests.
This remains a work in progress, and we welcome the assistance of this
Committee in ensuring that we have the resources and authorities to
succeed in this mission.
conclusion
In summary, the breadth of cyber threats to U.S. national and
economic security has become increasingly diverse, sophisticated, and
dangerous. Over the next five years, technological change will only
accelerate the intersection of cyber and physical devices, creating new
risks. Adversaries are likely to further explore cyber-enabled
psychological operations and may look to steal or manipulate data to
gain strategic advantage or undermine confidence. The Intelligence
Community has been vigilant in the detecting and sharing of cyber
threat information with partners such as U.S. Cyber Command, as well as
our nation's network protection organizations such as the Department of
Homeland Security, and will continue to do so for the safety of our
nation.
Chairman McCain. Director, I just have to--General Clapper,
I just have to mention the name, Mr. Assange, has popped up,
and I believe that he is the one who is responsible for
publishing names of individuals that work for us that put their
lives in direct danger. Is that correct?
Director Clapper. Yes, he has.
Chairman McCain. Do you think that there is any credibility
we should attach to this individual given his record of----
Director Clapper. Not in my view.
Chairman McCain. Not in your view.
Admiral Rogers?
Admiral Rogers. I second those comments.
Chairman McCain. Thank you.
For the record, on October 7th, the Homeland Security and
Office of the Director of National Intelligence--their
assessment was that the United States intelligence community is
confident that the Russian Government directed the recent
compromise of emails from United States persons and
institutions, including from United States political
organizations. It goes on to say these thefts and disclosures
are intended to interfere with the United States election
process. Quote, such activity is not new to Moscow. Russians
have used similar tactics and techniques across Europe and
Eurasia. Quote, based on the scope and sensitivity of these
efforts, only Russia's senior most officials could have
authorized these activities.
General Clapper, those are still operable and correct
statements?
Director Clapper. Yes, Chairman McCain, they are. As I
indicated in my statement, we stand actually more resolutely on
the strength of that statement that we made on the 7th of
October.
Chairman McCain. I thank you.
Really what we are talking about is if they succeeded in
changing the results of an election, which none of us believe
they were, that would have to constitute an attack on the
United States of America because of the effects if they had
succeeded. Would you agree with that?
Director Clapper. First, we cannot say--they did not change
any vote tallies or anything of that sort. We had no way of
gauging the impact that--certainly the intelligence community
cannot gauge the impact it had on choices the electorate made.
There is no way for us to gauge that.
Whether or not that constitutes an act of war I think is a
very heavy policy call that I do not believe the intelligence
community should make. But it certainly would carry in my view
great gravity.
Chairman McCain. Thank you.
Admiral Rogers, have you seen this problem in your position
getting worse or better? In other words, it is my information
that their techniques have improved, their capabilities
improved. The degree of success has improved. Is that your
assessment?
Admiral Rogers. I have publicly said before that the
Russians are a peer competitor in cyber. If you look broadly
beyond the Russians to cyber at large, the level of capability
of nation states and actors around the world continues to
increase. I cannot think of a single significant actor out
there who is either decreasing their level of investment,
getting worse in their tradecraft or capability, or in any way
backing away from significant investments in cyber.
Chairman McCain. With all due respect to you, Mr.
Secretary, I have not seen a policy. In other words, I do not
think any of our intelligence people know what to do if there
is an attack besides report it. I do not think that any of our
people know, if they see an attack coming, what specific
actions should be taken. Maybe I am missing something, but I
have asked time after time, what do you do in the case of an
attack? There has not been an answer. There has not been an
answer. I believe that unless we have specific instructions to
these wonderful men and women who are doing all this work, then
we are going to be bystanders and observers. I am glad to hear
you respond to that.
Mr. Lettre. Mr. Chairman, you are right that we have a lot
more work to do to put the right deterrence and response
framework in place on cyber. This is somewhat of a new domain
of operations and in some cases warfare. In my personal
opinion, the next administration would be well served to focus
very early on those questions of continuing to develop our
overarching policy, a comprehensive approach, and an
increasingly robust and refined deterrence framework.
Chairman McCain. I thank you.
Finally, Director and Admiral, would it make your job
easier if you did not have to report to seven different
committees?
Director Clapper. Chairman McCain, my hands have been
slapped before when I ventured into the delicate area of
congressional jurisdiction. In the remaining 15 days that I am
in office, I do not think I am going to speak to that.
Afterwards that might be different.
Chairman McCain. Well, we will look forward to calling you
back.
[Laughter.]
Chairman McCain. Admiral Rogers?
Admiral Rogers. Can I second the comments of the Director
of National Intelligence?
Chairman McCain. But it does make it difficult, does it
not? It is not exactly stove-piping, but overlapping
jurisdictions I think makes your job a little harder, does it
not, I mean in all candor, Admiral?
Admiral Rogers. The way I would phrase is I think clearly
an integrated approach is a key component of our ability to
move ahead here. I would say that in the Government, in the
private sector, there is no particular one slice where that is
not applicable.
Chairman McCain. Thank you.
Senator Reed?
Senator Reed. Well, thank you very much, Mr. Chairman.
General Clapper, you responded to the chairman that in
October you and the Director of Homeland Security concluded
that the Russian Government intervened in the election. Admiral
Rogers also seconded that view. That is also today the view,
for the record, of the FBI [Federal Bureau of Investigations]
and the Central Intelligence Agency [CIA], in fact, all the
intelligence community. Is that correct?
Director Clapper. Yes. The forthcoming report is done
essentially by those three agencies, CIA, FBI, and NSA.
Senator Reed. The same conclusion with respect to the
involvement of high-level Russian authorities is shared by all
these agencies?
Director Clapper. Yes.
Senator Reed. The chairman just noticed the legislative
compartmentalization. Is that reflected also in terms of
operations, in terms of, for example, Admiral Rogers, if you
through NSA or through your sources detect something that is
obviously a disruption, something that is patently wrong, you
can communicate to the FBI or law enforcement, but there is no
mechanism to make things happen administratively. Is that fair?
Admiral Rogers. There is certainly a process, and in fact,
there have been several instances that I can think of in the
last 18 months where we have run through that exact same
scenario. Intelligence, as it does in many other areas, other
domains, will detect incoming activity of concern. We, NSA,
will partner with FBI, the Department of Homeland Security,
U.S. Cyber Command to ensure the broader government, the
Department of Defense and FBI in its relationship with the
private sector.
But the biggest frustration to me is speed, speed, speed.
We have got to get faster. We have got to be more agile. For me
at least within my span of control, I am constantly asking the
team what can we do to be faster and more agile. How do we
organize ourselves? What is the construct that makes the most
sense? We cannot be bound by history and tradition here, so to
speak. We have to be willing to look at alternatives.
Senator Reed. Thank you.
General Clapper, one of the aspects of this Russian hacking
was not just disseminating information that they had exploited
from computers, but also the allegations of fake news sites,
fake news stories that were propagated. Is that accurate, or is
that one aspect of this problem?
Director Clapper. Yes. Without getting too far in front of
the headlights of our rollout next week to the Congress, this
was a multifaceted campaign. The hacking was only one part of
it, and it also entailed classical propaganda, disinformation,
fake news.
Senator Reed. Does that continue?
Director Clapper. Yes.
Senator Reed. The Russians particularly are very astute at
covering up their tracks. It appears that they were not quite
as diligent or--let me ask a question.
Do you believe that they made little attempts to cover up
what they were doing as a way to make a point politically?
Director Clapper. Well, again, without preempting the
report, that is classical tradecraft that the Russians have
long used. Particularly when they are promulgating so-called
disinformation, they will often try to hide the source of that
or mask it to deliberately mask the source.
Senator Reed. Let me just ask one more time. In this
situation, though, were there attempts to mask their
involvement, very elaborate and very, very sophisticated, or
was it just enough to have plausible deniability?
Director Clapper. Sir, I would rather not get into that.
That kind of edges into the sources and methods and I would
rather not speak to that publicly.
Senator Reed. Fair enough.
These activities are ongoing now in Europe as Europe
prepares for elections. Is that a fair assumption?
Director Clapper. It is.
Senator Reed. Thank you.
Yesterday, the ``Wall Street Journal'' indicated that the
President-elect is considering changes to the intelligence
community. Have you at all, as the experts in this field, been
engaged in any of these discussions, deliberations, advice?
Director Clapper. No, we have not.
Senator Reed. Thank you, Mr. Chairman.
Chairman McCain. Senator Inhofe?
Senator Inhofe. Thank you, Mr. Chairman.
I heard this morning that a lot of the news media was
characterizing this as a hearing on Russian hacking, and
actually it is on foreign cyber threats to the United States. I
am trying to cover a couple of the other ones.
First of all, I received something this morning, Director
Clapper, that I was very glad to read. I have often said that
the threats we are facing today are greater. I look wistfully
back at the days of the Cold War. Your statement that was in
print this morning said sometimes all of this makes me long for
the Cold War when the world essentially had two large mutually
exclusive--and so forth.
I think it is important that we talk about this because the
general public is not aware of the nature of the threats that
are out there that have not been out there before.
Admiral--no. Director Clapper, we have had a lot of most
damaging cyber attacks perpetrated against the American people.
When the chairman gave his opening statement, he singled out
three or four of them. One of them was the OPM [Office of
Personnel Management] incident. That was 2014 and 2015, Office
of Personnel Management. It was a breach and threat to personal
information, birthdates, home addresses, Social Security
numbers of over 22 million individuals.
I would like to ask you what action was taken after that
and what kind of effect that might have had on the behavior of
the Chinese.
Director Clapper. Well, the major action that we took, of
course, was remediation in terms of advising people of what the
potential risks were. And, of course, there was a lot of work
done. NSA was deeply involved in this in enhancing or improving
the cybersecurity posture of OPM, and Admiral Rogers might
speak to that.
I would say that this was espionage. It was not an attack
per se. And, of course, I am always a bit reticent about people
who live in glass houses should not throw publicly too many
rocks. There is I think a difference between an act of
espionage, which we conduct as well and other nations do,
versus an attack.
Mike, do you want to comment?
Admiral Rogers. Just as a broader point, I think the OPM
issue highlights that massive data concentrations increasingly
have value all of their own. What do I mean by that? I can
remember 10 years ago earlier in my time in cyber thinking to
myself large databases like OPM are so large. The ability of an
intruder, an external actor to actually access, fully extract,
and bore their way through millions upon millions of records
would be difficult. But with the power of big data analytics,
large data concentrations now become increasingly attractive
targets because the ability to mine that data for insights,
which is what we think drove this action in the first place,
becomes more and more easily done.
Senator Inhofe. Okay. I appreciate that very much.
In your joint statement--by the way, I like the idea of
joint statements. It makes our questioning a lot easier.
You talk about the--you end up stating through one of your
paragraphs, in short, cyber threat cannot be eliminated.
Rather, cyber threat must be managed. It is interesting that in
the Edison Electric Institute--it is a publication. I think it
just came in this morning--they say exactly the same thing.
This seems to be one of the rare cases where we have government
and industry working together. Their statement was the electric
power industry recognizes it cannot protect all assets from all
threats and instead must manage risk.
Now, they go on to describe working together with
government, and they say the industry's security strategy is
constantly evolved and are closely coordinated with the Federal
Government through a partnership called the Electricity
Subsector Coordinating Council, ESCC. Can you comment? Are we
looking at getting some success out of that?
Director Clapper. I think it is emblematic of a lot of work
that the intelligence community has done, the Department of
Homeland Security in engaging with each of the, I think, 16 key
infrastructure sectors in this country and providing--what we
have embarked on is providing them, tailored to each one of
those sectors, intelligence estimates of what the threats and
vulnerabilities are in order to help them take measures to
enhance their cybersecurity.
I think the major point here is that if there is any
connection whatsoever with the Internet, there is an inherent
security vulnerability, and we have to manage the risk that is
generated accordingly with full knowledge of that fact. If
there is an Internet connection, there is always going to be a
vulnerability.
Mike?
Admiral Rogers. I would echo that. I think part of our
challenge is our defensive strategy must be two-pronged. We
have to spend time making it difficult for people to gain
access, but we must acknowledge that despite our best efforts,
there is a probability that they are still going to get in.
What do you do? As a guy who defends networks on the Cyber
Command side, I would tell you it is a whole different process,
methodology, prioritization, and risk approach in dealing with
someone who is already in your network versus trying to keep
them out in the first place. We have to do both.
Senator Inhofe. I appreciate that. My time has expired. I
have one last question just for the record. You cannot answer
it at this time.
But a year ago--it is a year and 2 months ago I think it
was, Admiral Rogers--you made the statement before this
committee that, quote, we have peer competitors in cyberspace
and some of them have already hinted that they hold the power
to cripple our infrastructure and set back our standard of
living if they choose. I would like for the record if you could
just kind of outline which of our peer competitors might be the
closest to choosing to use their power.
Admiral Rogers. As I have publicly said before, the
Russians are the peer competitor to us. But I look at other
nations. You look at China, for example, and the level of
capability and investment they are making. I am watching their
abilities rise significantly. Iran, North Korea, currently at a
moderate level. But clearly the level of investment, the
capability we are seeing, and their willingness to employ cyber
in some very aggressive ways that would be way beyond our
normal risk calculus is of concern.
Senator Inhofe. Thank you, Mr. Chairman.
Chairman McCain. Senator Nelson?
Senator Nelson. I think it is the general assumption that
you all have said that our systems can be invaded that has the
American people, we as policymakers concerned, but the average
American concerned that there is no privacy anymore.
General, do you think in the report next week that you all
will ascribe a motivation to Putin for the election attempt?
Director Clapper. Yes, we will ascribe a motivation. I
would rather not, again, preempt the report.
Senator Nelson. Understood.
Well, then will you discuss after the report what is
sufficient in the future to impose enough cost to make them
stop this kind of activity?
Director Clapper. No. If we are going to speak to that,
that would be separate from the report. What the report will
include, per the President's tasking, was a section contributed
by the Department of Homeland Security and NIST [National
Institute of Standards and Technology], I believe, on best
practices for defending, but it does not speak to that, which
is really out of our lane. That is a policy call.
Senator Nelson. We are now talking about deterrence, and as
one of you said in your testimony, it is not like the nuclear
standoff of mutually assured destruction because we do not have
a particular deterrence now. Would you discuss that?
Director Clapper. The point I was trying to make is that in
the case of nuclear deterrence, there are instruments you can
see, feel, touch, measure, weaponry. We have had a
demonstration a long time ago of the impact of nuclear
weaponry. That is what creates both the physical substance of
deterrence, as well as the psychology. The problem with the
cyber domain--it does not have those physical dimensions that
you can measure, see, feel, and touch as we do with nuclear
deterrence.
Senator Nelson. Let me give you an example. Help us
understand had the supposed invasion into the Vermont utility
been in fact an invasion by a foreign power and ascribed to
that was shutting it down, if that had been the case, what
would be some of the options we would do.
Director Clapper. Well, again, this would be a--as I
understand it, by the way, it was not. But had it been from the
malware planted by a foreign power, I think that is something
that would be very situational dependent as to what to do about
it. As I indicated in my remarks, perhaps a cyber reaction to a
cyber act may not be the best course of action. Some other form
of national power. Sanctions is what we have traditionally
used.
As I also indicated, the problem, at least for me, is-- and
I will ask others to speak if they want to--if you do retaliate
in a cyber context, not knowing exactly what counter-
retaliation you will get back. We go through all kinds of
exquisite thought processes on deciding how to react. We try to
be very surgical, very precise. We try to gauge what the second
order or unintended consequences might be. I do not think
others are similarly disposed to consider such precision and
such exactness when they respond. There is always that issue of
counter-retaliation, ergo my brief mention that it is in my
view best to consider all instruments of national power.
Senator Nelson. I think that is what is concerning us.
Could we, the United States--do we have the ability that we
could make it so tough on North Korea with a cyber attack that
it would deter them from some of their strange behavior?
Director Clapper. Not necessarily via a direct cyber
reaction, given the difficulty of gaining access to their cyber
networks.
Chairman McCain. Senator Wicker?
Senator Wicker. Thank you.
Director Clapper, you are pretty far along on the report
that will be released next week, obviously. How far along are
you? What do you lack and how will this be released? Will it be
in a classified format? Will you be willing to testify in an
opening hearing like this, or will we need to go down the SCIF
to hear this?
Director Clapper. What is planned is a series of briefings
in the Congress. I think I have four more hearings to do, first
with our oversight committees, which will be closed hearings I
believe. Then there will be all-House, all-Senate hearings I
believe next week as we roll out a version of the report----
Senator Wicker. Those will be classified.
Director Clapper.--followed by an unclassified version.
Senator Wicker. I see. The public will not hear sources and
methods, but you think it will be fairly convincing without
going beyond what----
Director Clapper. I assure you that I intend to push the
envelope as much as I can particularly on the unclassified
version because I think the public should know as much about
this as possible. This is why I felt very strongly about the
statement we made in October. We will be as forthcoming as we
can, but there are some sensitive and fragile sources and
methods here, which is one reason why we are reticent to talk
about it in this setting.
Senator Wicker. You have said that, and I expect you will
be challenged with some very talented questioners up and down
the dais here today on that.
I would have to support what Senator Nelson has said. As
regrettable and reprehensible as the hacking of political
parties is, I do think Senator Nelson has touched on really the
larger issue which really is the subject matter of this hearing
and that is what the real threats are. It concerns me that we
really do not know what the deterrence ought to be. I wonder at
what level are conversations taking place within the
administration or within the intelligence community about what
is appropriate in terms of a response. You mentioned countering
cyber with cyber is not necessarily the number one solution.
Secretary Lettre mentioned that we should impose costs, and
perhaps after you answer, I can ask him to expound on that
also.
Director Clapper. Well, we have had many discussions in the
White House situation room at Deputies Committee, Principals
Committee, and NSC [National Security Council] meetings about
what to do when we have these attacks. I think the Sony attack
by the North Koreans is a case in point. There you get into the
complexities of if you launch a counter cyber attack--I want to
be careful here, but you have to use some other nation's
infrastructure in order to mount that attack. That gets into,
as I have learned, complex legal issues involving international
law. The judgment was to impose some other costs other than a
direct cyber retaliation.
Senator Wicker. Did you recommend the President's
sanctions? Were his actions in response to the Russian hacking
part of your recommendation, or did that come from someone
else?
Director Clapper. Well, without going into internal
decision-making, I think that was a consensus interagency view.
Senator Wicker. Secretary Lettre, what about imposing
costs? What did you mean by that?
Mr. Lettre. Well, as part of an approach to deterrence that
takes each case as it comes up case by case, we need to look at
ways to respond--first deter and then respond to attacks at a
time and a place of our choosing that favors advantages that we
have as we use all of the instruments available. We look to
deny objectives and then impose costs, as you indicated,
Senator.
Imposing costs really can come from things like were
announced last week with the sanctions that were applied in the
case of the Russian hacking situation, but they can go more
broadly than that. From the military's perspective, we are
concerned not just about Russia's cyber hacking, but also about
a range of aggressive actions by Russia across multiple regions
of the globe. We look to impose costs on Russia by a range of
measures across multiple regions in partnership with our allies
through NATO [North Atlantic Treaty Organization], where we
can, to push back on Russian actions and deter future
aggressive actions. That is a bit of what we mean by imposing
costs here.
Senator Wicker. Thank you.
Chairman McCain. It seems that every attack is handled on a
case-by-case basis, and that is not a strategy.
Senator McCaskill?
Senator McCaskill. Thank you.
I know this will probably confuse you a little bit, General
Clapper, but review again how long you have been working in
intelligence.
Director Clapper. I started in 1963.
Senator McCaskill. You enlisted in 1963. Correct?
Director Clapper. No. I enlisted in the Marine Corps in
1961.
Senator McCaskill. Then transferred to the Air Force?
Director Clapper. Right.
Senator McCaskill. You flew support for combat missions in
Vietnam?
Director Clapper. I did two tours in Southeast Asia, one in
Vietnam in 1965 and 1966, and then I was stationed in Thailand
flying the reconnaissance missions over Laos and Cambodia in
1970 and 1971.
Senator McCaskill. Would you say that your experience in
the military and especially your service for the Government has
always been for either political party and apolitical in terms
of your mission and your job?
Director Clapper. Absolutely. I have served--I toiled in
the trenches in intelligence for every President since
President Kennedy. I have served as a political appointee in
both Republican and Democratic administrations. I am
apolitical.
Senator McCaskill. By the way, without getting into
classified information, there are thousands of men and women
who are working in the intelligence community right now,
General Clapper. Correct?
Director Clapper. Absolutely.
Senator McCaskill. Would you say that their experience in
many instances mirrors yours, in terms of military experience,
many of them being either Active military or retired military?
Director Clapper. Yes. A large part of the intelligence
community workforce are military, and of course, there are many
former military, either those who completed full careers or
those who served enlistments briefly and then came to the
intelligence community as civilians.
Senator McCaskill. Would you think it any less important
that we maintain the intelligence community as a foundational,
apolitical bloc of our country in terms of its protection?
Director Clapper. I could not feel stronger about exactly
that. I think it is hugely important that the intelligence
community conduct itself and be seen as independent, providing
unvarnished, untainted, objective, accurate, and timely and
relevant intelligence support to all policymakers, commanders,
diplomats, et cetera.
Senator McCaskill. Do, in fact, members of the intelligence
community engage in life-threatening and very dangerous
missions every day, particularly as it relates to the war on
terror?
Director Clapper. You only need to walk into the lobby of
CIA and look at the stars on the wall or the front lobby of
NSA, and the number of intelligence people that have paid the
ultimate price in the service of their country.
Senator McCaskill. Let us talk about who benefits from a
President-elect trashing the intelligence community. Who
benefits from that, Director Clapper? The American people, them
losing confidence in the intelligence community and the work of
the intelligence community? Who actually is the benefactor of
someone who is about to become commander-in-chief trashing the
intelligence community?
Director Clapper. I think there is an important distinction
here between healthy skepticism, which policymakers, to include
policymaker number one, should always have for intelligence,
but I think there is a difference between skepticism and
disparagement.
Senator McCaskill. I assume the biggest benefactors of the
American people having less confidence in the intelligence
community are in fact the actors you have named today, Iran,
North Korea, China, Russia, and ISIS.
Director Clapper. The intelligence community is not
perfect. We are an organization of human beings, and we are
prone sometimes to make errors. I do not think the intelligence
community gets the credit it is due for what it does day in and
day out to keep this Nation safe and secure in the number of
plots, just one example, terrorist plots that have been
thwarted, both those focused on this country and other
countries.
Senator McCaskill. I want to thank the chairman and I want
to thank Senator Graham and others. There have been others I
can count on maybe a little bit more than one hand who have
stood up in a nonpolitical way to defend the intelligence
community over the last few weeks. The notion that the soon-
elected leader of this country would put Julian Assange on a
pedestal compared to the men and women of the intelligence
community and the military that is so deeply embedded in the
intelligence community--I think it should bring about a hue and
cry no matter whether you are a Republican or a Democrat. There
should be howls. Mark my word. If the roles were reversed,
there would be howls from the Republican side of the aisle.
Thank you, Mr. Chairman.
Chairman McCain. Thank you for that nonpartisan comment.
[Laughter.]
Chairman McCain. Director Clapper, how would you describe
Mr. Assange?
Director Clapper. How would I describe?
Chairman McCain. Mr. Assange.
Director Clapper. Well, he is holed up in the Ecuadorian
embassy in London because he is under indictment I believe by
the Swedish Government for a sexual crime. He has, in the
interests of ostensibly openness and transparency exposed in
his prior exposures, put people at risk by his doing that. I do
not think those of us in the intelligence community have a
whole lot of respect for him.
Chairman McCain. Admiral?
Admiral Rogers. I would echo those comments.
Chairman McCain. Thank you.
Senator Fischer?
Senator Fischer. Thank you, Mr. Chairman.
Thank you, gentlemen, for being here today and I do thank
you for your service.
Gentlemen, as you all know, about a year ago, Congress
passed the Cybersecurity Information Sharing Act. Director
Clapper, could you comment on what steps have been taken to
implement the act in particular to provide cyber threat
information in the possession of the Federal Government to non-
government entities?
Director Clapper. There has been a lot of work done--and
this is principally through both the FBI and Department of
Homeland Security--to share more broadly with the private
sector. Prior to the enactment of this act, I think this has
been a theme that we have all worked hard. Certainly one of the
reasons for the creation of the Office of Director of National
Intelligence was to assume a domestic role as well and to
promote sharing as much as we can. I think a lot of improvement
has been made, as I look back over the last 15 years, but there
is more work to do.
We have done a lot of work with, for example, fusion
centers, the 76 or so fusion centers that exist throughout the
country, to convey more information to them. I have a network
of 12 domestic DNI [Director of National Intelligence] reps,
Director of National Intelligence representatives, which are
FBI special agents in charge. We work through them, those
instrumentalities, on a regional basis to convey more
information particularly on cyber threats to State and local
officials, as well as the private sector.
Senator Fischer. Thank you, sir.
Admiral Rogers, what is your assessment of the current
state of information sharing between the Government and the
private sector, especially regarding cybersecurity threats?
More importantly, what is the appropriate level of expectation
to have with respect to that information sharing?
Admiral Rogers. In some ways I would characterize it as
uneven. Some sector relationships, as you heard General Clapper
talk about, the 16 sectors within the critical infrastructure
of our Nation--in some sectors, the relationship is very
mature. Information tends to flow very regularly. Other
sectors, it is not quite as mature. I think the positive side
is, with the legislation, we have now developed a framework for
how we do it. I still am concerned on the Government side. I
will only speak for NSA and Cyber Command. On the Government
side, I am not entirely comfortable that the products that I am
generating are optimized to achieve outcomes for our private
counterparts. I am always trying to remind our team our success
needs to be defined by the customer, not what we think is the
right format or the right things to share.
Senator Fischer. Do you think there is any additional
legislation that is going to be required? I guess I am asking,
what do you need? Do you think there are proper authorities
that are currently in place, or do we need new legislation? Or
do you guys just need to improve on your execution of it?
Admiral Rogers. Probably all of the above, to be very
honest.
I look at what are the changes that we are going to need
collectively to create the workforce of the future. I work
within the DOD in an intel framework. But I would argue this is
kind of universal. It does not matter where you are working.
Where does the structure--what is the recruitment and the
benefit process that we need to retain and attract a workforce?
I am curious with the new administration coming in their
broad view of roles and responsibilities--are they comfortable
with the current structure? Will their view be that we need to
fundamentally relook at something different? I would be the
first to acknowledge, as I previously said this morning, we
have got to get faster. We have got to get faster.
Senator Fischer. You know, you have talked about case by
case and the ad hoc nature of our policies when it comes to
cyberspace before this committee many, many times, and that has
been an issue that this committee and the ETC [Emerging Threats
and Capabilities] Subcommittee in particular has tried to
address by requiring strategies so that we can deter these
hostile actors and delegations of authority, a definition of
what an act of war in cyberspace is. You know, we can go on and
on. The chairman just mentioned we do not have a strategy. Some
of us just do not feel there is a strategy that is laid out
there.
When you talk about speed and dealing with cyber attacks, I
assume you are just referring to our agencies in responding to
attack that is directly upon us. Do you think there needs to be
any kind of consensus-building on the international stage with
our allies in order to increase speed, or would that delay it
even more trying to run this through channels in trying to
respond quickly? Do we reach out to allies, or do we perform
our first duty in protecting this country?
Admiral Rogers. We routinely do that now. You clearly have
highlighted it is a bit of a double-edged sword. But it goes to
the point from my perspective, cyber just does not recognize
many of these boundaries. When you are trying to deal with an
incident, is this something that is really truly totally
domestic, or has it originated from somewhere external to our
Nation? What kind of infrastructure did it pass through? There
is a whole lot of complexity to this. I apologize. It is not a
simple binary choice there, even as I acknowledge there are
tradeoffs.
Senator Fischer. Thank you.
Thank you, Mr. Chair.
Chairman McCain. Senator Blumenthal?
Senator Blumenthal. Thanks, Mr. Chairman.
I want to join Senator McCaskill in expressing my
appreciation for the service of our intelligence community and
to you, Mr. Chairman, for your very strong and courageous
statements in support of the work of this committee to give
credit and credibility to that intelligence community and to
your statements also about the importance of cyber warfare. It
is not the first time we have been here on this topic, and you
have been resolute and steadfast in seeking to elevate public
awareness and public consciousness about the importance of
cyber attacks on this country and the threat of cyber warfare.
I want to explore a little bit why these very demeaning and
dismissive comments about our intelligence community are so
dangerous to our Nation. Is it not true, Mr. Clapper, that
public support for robust responses to cyber attacks on our
Nation depends on the credibility of our intelligence community
and dismissing the conclusions, very credible and significant
conclusions, about the Russian attack undermines public support
for actions that the President must take to deter and punish
these kinds of actions?
Director Clapper. I do think that public trust and
confidence in the intelligence community is crucial, both in
this country and I think the dependence that other countries,
other nations, have on the U.S. intelligence community. I have
received many expressions of concern from foreign counterparts
about the disparagement of the U.S. intelligence community or,
I should say, what has been interpreted as disparagement of the
intelligence community.
Senator Blumenthal. Well, there is no question about the
disparagement. There is no question about the dismissing and
demeaning of the intelligence community, entirely unmerited.
Would you agree, in light of your saying that you are even more
resolute now in your conclusion about Russian involvement in
this hacking, that comparing it to the judgment made about
weapons of mass destruction in the Iraq situation is totally a
red herring, totally wrong?
Director Clapper. Yes, I agree with that.
My fingerprints were on that national intelligence
estimate. I was in the community then. That was 13 years ago.
We have done many, many things to improve our processes,
particularly with respect to national intelligence estimates,
in order to prevent that from happening again.
Whatever else you want to say about the intelligence
community, it is a learning organization, and we do try to
learn lessons. It is a very difficult business and getting
harder all the time. There will be mistakes. But what we do try
to do, as we did after the NIE [National Intelligence Estimate]
from October 2002 on weapons of mass destruction in Iraq, was
to learn from that, profit, and make change. Our posture,
particularly with respect to a very important document, the
apex of our product line, national intelligence estimates, it
is the difference of night and day.
Senator Blumenthal. I appreciate the extraordinary humility
of that statement, especially in light of the excellence and
expertise that your organization and you personally have
brought to this very, very difficult endeavor to provide--and I
am quoting you I think--unvarnished, untainted, timely,
accurate information to the most critical national security
decisions that this Nation makes. I want to express my
appreciation for it and say that I think some of the
disparagement has been a terrible disservice to our Nation and
to the very brave and courageous men and women who put their
lives at risk so that this Nation can be better informed in
using our military and other force. I hope that we will see a
change.
I also join the chairman in saying that we need better
policies on what constitutes a cyber attack on this Nation and
provide a more robust response, for example, against the
Russians not necessarily in cyber but to impose stronger
sanctions on their oil exports, on their use of foreign
exchange. The response to cyber attacks need not be one in the
cyber domain and in fact might be even more effective if it
hits their economy and their pocketbook and their livelihoods.
Mr. Under Secretary, I appreciate your comments in that
regard. I do not know whether you want to comment in response
to what I have said. I am out of time. Maybe we can get that in
writing.
Director Clapper. Senator Blumenthal, I do want to thank
you--on behalf all the women and men of the intelligence
community, I want to thank you for that.
Senator Blumenthal. Thank you.
Chairman McCain. Senator Cotton?
Senator Cotton. Thank you all for appearing before us.
Mr. Secretary, Director Clapper, since this is your final
appearance, I know you hope, thank you very much for your many
years of service, Director Clapper, particularly you.
I will add my voice to Senators Blumenthal and McCaskill in
my admiration for the men and women in our intelligence
agencies. I have had a chance as a member of the Intelligence
Committee to meet them here at hearings and at their
headquarters around the world. They do not get the credit they
often deserve. The troops that we help provide for in this
committee usually do because they wear uniforms and they are
known in public, but intelligence officers do not wear uniforms
and they are frequently undercover. I want to express my
admiration and deepest respect and gratitude for what they do.
We have heard a lot of imprecise language here today--and
it has been in the media as well--phrases like ``hacked the
election,'' ``undermine democracy,'' ``intervened in
election.'' I want to be more precise here. Director Clapper,
let us go to the October 7th statement. That says, quote, the
recent compromises of emails from United States persons and
institutions, including from United States political
organizations, were instructed by the Russian Government. Are
we talking there specifically about the hack of the DNC
[Democratic National Committee] and the hack of John Podesta's
emails?
Director Clapper. Yes.
Senator Cotton. Are we talking about anything else?
Director Clapper. That was essentially at the time what we
were talking about.
Senator Cotton. At the time then--it says that the recent
disclosures through websites like DCLeaks and WikiLeaks are
consistent with the methods and motivations of Russian-directed
efforts. DNC emails were leaked first, I believe, in July. Is
that what the statement is talking about there?
Director Clapper. I believe so.
Senator Cotton. Mr. Podesta's emails I believe were not
leaked until that very day on October 7th. Was the statement
referring to that yet, or was that not intended to be included?
Director Clapper. I would have to research the exact
chronology of when John Podesta's emails were compromised. But
I think, though, that bears on my statement that our assessment
now is that is even more resolute than it was with that
statement on the 7th of October.
Senator Cotton. Thank you.
Admiral Rogers, in November at the Wall Street Journal
Forum, you stated, quote, this was a conscious effort by a
nation state to attempt to achieve a specific effect. End
quote. By that, did you also refer to the hack of the DNC, the
hack of John Podesta's email and the leaks of those emails?
Admiral Rogers. Yes.
Senator Cotton. Did you refer to anything else besides
those two things?
Admiral Rogers. To be honest, I do not remember the
specifics of that one particular 30-minute engagement, but
clearly what you outlined was part of my thought process.
Senator Cotton. Okay.
Then further on in that statement, Director Clapper, the
intelligence community says, quote, it would be extremely
difficult for someone, including a nation state actor, to alter
actual ballot counts or election results by cyber attack or
intrusion. End quote. You stated that earlier today as well,
that we have no evidence that vote tallies were altered or
manipulated in any way.
Director Clapper. That is correct.
Senator Cotton. That is what happened. Let us discuss why.
Director Clapper, in response to Senator Nelson, you stated
that the report soon to be released will discuss the motive.
Would you care to give any kind of preview today?
Director Clapper. I would rather not.
Senator Cotton. I did not think so.
Director Clapper. There is actually more than one motive.
That will be described in the report.
Senator Cotton. In your 53 years of intelligence, is
ascertaining the motives, plans, and intentions of foreign
leaders among the hardest tasks that we ask our intelligence
services to perform?
Director Clapper. It always has been.
Senator Cotton. There is a widespread assumption--this has
been expressed by Secretary Clinton herself since the
election--that Vladimir Putin favored Donald Trump in this
election. Donald Trump has proposed to increase our defense
budget to accelerate nuclear modernization and to accelerate
ballistic missile defenses and to expand and accelerate oil and
gas production which would obviously harm Russia's economy.
Hillary Clinton opposed or at least was not as enthusiastic
about all those measures.
Would each of those put the United States in a strong
strategic position against Russia?
Director Clapper. Well, certainly anything we do to enhance
our military capabilities, absolutely.
Senator Cotton. There is some contrary evidence, despite
what the media speculates, that perhaps Donald Trump is not the
best candidate for Russia.
Okay. That is what happened. That is why it happened, or at
least a preview that we are going to know why it happened. Let
us move on to the impact.
Director Clapper, you said to Senator McCain earlier,
quote, the intelligence community cannot gauge the impact, end
quote, on the election. Is that because that kind of electoral
analysis is not a task that is within the traditional
responsibility and skill sets of intelligence services?
Director Clapper. That is correct.
Senator Cotton. That is something that is more suited for
someone Shawn Hannity or Michael Barone or Nate Silver,
election analysts that have written extensively on the
election.
Director Clapper. Well, it certainly is not the purview of
the U.S. intelligence community.
Senator Cotton. Thank you.
Chairman McCain. Senator Heinrich?
Senator Heinrich. Thank you, Chairman.
Since this will likely be the last hearing that some of you
will attend in front of this committee, I just want to thank
you all for your service and thank all the men and women who
work for you. I want to say a special note of gratitude to
Director Clapper for 50 years of incredible service to this
country.
I think what makes America great has been our ability to
elect leaders through a fair, through a peaceful and a
transparent process without fear of rigging or interference in
elections. Unfortunately, in this past election, we know that
interference occurred. When I say ``interference,'' I want to
be specific. It is not about someone physically stuffing ballot
boxes or someone hacking our electronic voting machines to give
one candidate more votes than the other. It is about
selectively and deliberately releasing damaging information in
hopes of furthering one's strategic objectives, in this case,
Russia's strategic objectives.
I believe this is going to happen again unless there is a
price to be paid. This interference impacts the foundation of
our democracy, our elections, which is why I welcomed the
sanctions against Russia announced by the President and why I
believe we need to be evaluating additional Russian sanctions.
It is simply too important for both parties and for the future
of our country.
Secretary Lettre, given the need for deterrence in this
atmosphere which, as you said, is not always achieved by a
cyber response, how important are tools like sanctions to
imposing the kind of clear costs that you articulated?
Mr. Lettre. Sanctions are a very useful tool in that
toolkit. I think in the case of the current situation that we
find ourselves in, it would be prudent to continue to look at
other options to impose more sanctions on Russian actors as the
facts continue to develop.
Senator Heinrich. I would agree with that estimate and I
hope that folks on both sides of the aisle will be looking at
those additional tools.
For any of you who want to answer this, I would like to
know how has the President-elect's at least inferred dismissive
attitude towards the intelligence community broadly impacted
morale in your agencies?
Director Clapper. Well, I have not done a climate survey,
but I hardly think it helps it.
Senator Heinrich. Does anyone want to add to that?
Admiral Rogers. I do not want to lose good, motivated
people who want to help serve this Nation because they feel
they are not generating value to help that Nation. I am the
first to acknowledge there is room for a wide range of opinions
of the results we generate. We do not question that for one
minute, and every intelligence professional knows that. I have
had plenty of times in my career when I have presented my
intelligence analysis to commanders and policymakers, and they
have just looked at me and said, hey, Mike, thanks but that is
not the way I see it or you are going to have to sell me on
this. That does not bother any of us. What we do I think is
relevant, and we realize that what we do is in no small part
driven in part by the confidence of our leaders in what we do.
Without that confidence, I just do not want a situation where
our workforce decides to walk because I think that really is
not a good place for us to be.
Senator Heinrich. I think many of us could not agree more.
If the underlying facts that the intelligence community brings
us are incorrect, we should call that out. I just have not seen
any evidence indicating that in this case. Oftentimes we come
to different strategic or policy points of view based on that
information, but that is an entirely different thing.
Director Clapper, I want to go to a little bit more of not
just the classified information, but the relevance of publicly
available information of the whole picture of Russia's
activities within the context of this election. Can you talk a
little bit about the activities of the Russian Government's
English language propaganda outlets, RT [Russian International
Television], Sputnik, as well as the fake news activity we saw,
as well as the social media and how those paint a complete
picture that is supplemental to what we saw with the hacking in
this case?
Director Clapper. I appreciate your raising that because
while there has been a lot of focus on the hacking, this was
actually part of a multi-faceted campaign that the Russians
mounted. And, of course, RT, which is heavily supported, funded
by the Russian Government, was very, very active in promoting a
particular point of view, disparaging our system, our alleged
hypocrisy about human rights, et cetera, et cetera. Whatever
crack, fissure they could find in our tapestry, if you will,
they would exploit it. All of these other modes, whether it was
RT, use of social media, fake news--they exercised all of those
capabilities in addition to the hacking. And, of course, the
totality of that I think, regardless of what the impact was
which we cannot gauge, just the totality of that effort not
only as DNI but as a citizen I think is of grave concern.
Senator Heinrich. Thank you, Mr. Chair.
Chairman McCain. Senator Ernst?
Senator Ernst. Thank you, Mr. Chair.
Gentlemen, thank you very much. I also want to thank you
and the men and women that work diligently in the intelligence
community for the work that they do for the United States of
America.
Admiral Rogers, you have stated twice now--you have really
stressed this point--that you must be faster and more agile in
your responses. Our discussion this morning will go back to a
discussion that we had in September of this last year in front
of this body because I believe it is important that you
understand the capabilities that exist out there and are
readily available to the United States Cyber Command.
This past September, I asked you about a Government
Accountability Office report that stated the Department of
Defense does not have visibility of all National Guard units'
cyber capabilities because the Department has not maintained a
database that identifies the National Guard units' cyber-
related emergency response capabilities, as required by law.
I was a bit alarmed when you stated that you have not seen
the report. It was a report that took about a year to compile
and was presented to both this committee and the House Armed
Services Committee. Four months later, I still have not
received an answer from you, my questions for the record. All
of this morning, all of the GAO [Government Accountability
Office] recommendations are still open from this report.
It has been 4 months and I would just like an update on
that, if you have been able to read the report and where is the
Department at in regards to tracking National Guard cyber
capabilities?
Admiral Rogers. Yes, ma'am. First, we did not get your
question until December, but I acknowledge that you have
formally asked us this.
First, as U.S. Cyber Command, I am the operational
commander. Manning, training, and equipping is a function of
services and the Department. For me in my role, I track the
operational readiness levels of all National Guard and Reserve
units that are allocated to the mission force. I bore into them
in the exact same way I do the active side.
In terms of more broadly, how is the Department tracking
the set of skills that are available both in the Reserve
component, I would argue it is the same challenges that are in
the Active component. How do you take advantage of the breadth
of capability that is broader than just a particular military
occupational specialty, for example? I am the first to
acknowledge, after talking to my teammates at OSD and the
services, I do not think we have a good answer for you. I will
have something in writing for you within the next week or so
because I do acknowledge that we need to do that.
Senator Ernst. I do appreciate that because how long has
the United States been experiencing attacks from entities
outside of the United States.
Admiral Rogers. You could argue we have been in this cyber
dynamic for over a decade. It has gotten worse.
Senator Ernst. A decade. We have taken the steps of
developing Cyber Command and the capabilities that exist both
in our Reserves, National Guard, and the Active component
units. To become faster and more agile, we need to know what
those capabilities are. If you have a solution to that on how
we can track those capabilities, we need to figure that out.
Many of these units have the capability of defending networks
and yet we are not utilizing those capabilities. We do not know
where they exist, to be honest.
Admiral Rogers. Please do not take from my comment that we
do not believe that the role of the Guard and Reserve is not
important. If you look in the last 12 months, we have got two
cyber protection teams from the Guard that have been mobilized.
We have brought online in the Guard and the Reserve national
mission teams for the first time within the last year. I mean,
it is great to see how the Guard and Reserve are developing
more and more capability. That is a real strength for us.
Senator Ernst. Absolutely, and I think we will continue to
see those develop even more in the future, but we need to be
able to utilize those capabilities that exist out there.
You know that many of our best soldiers in the National
Guard and Reserve come from the private sector. I know this
from some of my own guardsmen that work full-time in computer
technology and cyber technology. You stated in September, you
were trying to figure out how better to leverage the National
Guard. Do you have a response for that? Have you thought of
ways that we might be able to use those Guard units more
readily?
Admiral Rogers. This is a topic that in fact I just was
talking to General Lengyel, the Director of the Guard Bureau, a
few weeks ago to say, hey, look, this is something in 2017 I
want us to sit down. I think there is a couple of specific
mission areas where the capabilities of the Guard and Reserve
are really well optimized because I would be the first to admit
the answer cannot be every time we will just throw the Active
component at this. I do not think that is an optimal approach
for us to do in business.
You will see this play out for us in 2017. We got to work
through the title 32 versus title 10 issue, what role, what is
the right way to do this.
Senator Ernst. Absolutely.
Admiral Rogers. Do we put it within the defense support to
civil authority construct? I would like that because it is a
framework that we already have. I am a big fan of let us not
reinvent the wheel when it comes to cyber, how do we take
advantage of processes and the structures and authorities that
are already in place. That is one thing you will see some
specific changes on within the Department. We are working
through that right now on the policy side.
Senator Ernst. Very good. Well, I appreciate it. I know my
time is expiring. I look forward to working with you on that,
Admiral Rogers.
Chairman McCain. Senator Donnelly?
Senator Donnelly. Thank you, Mr. Chairman.
I want to thank all of you for all your efforts today, for
the amazing careers you have had.
Mr. Chairman, thank you for holding this hearing. I think
it is critically important to our Nation. I want to be clear
that the purpose of today's hearing is not to debate the
validity of the election, but to discuss foreign attempts to
use cyber attacks to attack our country, including the recent
Russian actions intended to influence our elections. I
appreciate the bipartisan effort to get our people the answers
they deserve.
I am grateful for the amazing efforts that our intelligence
agencies put forth every single day, that every day lives are
on the line to make sure that we are safe and to make sure that
all Americans have a chance to take care of their families and
go to sleep at night and not have to worry while your people
are on the front lines all around the world. I can tell you on
behalf all Hoosiers that when it comes down to a choice between
your people, our intelligence agencies, and Julian Assange, we
are on your team every time. I actually find it stunning that
there is even a discussion in our country about the credibility
of our intelligence agencies versus Mr. Assange. It is
astounding to me that we would even make that comparison when
you see the stars in the CIA headquarters of all the people who
have lost their lives and all who have lost their lives in our
agencies to keep us safe.
Director Clapper, how would you describe your confidence in
attributing these attacks to the Russian Government as opposed
to someone in their basement?
Director Clapper. It is very high.
Senator Donnelly. The Government has named those
responsible for the DNC hacks as APT-28 and APT-29, part of the
Russian intelligence services, the GRU and the FSB [Federal
Security Service]. Are all these actors targeted by these two
entities known to the public, sir?
Director Clapper. I am sorry, sir. The question again? Were
all what?
Senator Donnelly. All the actors targeted by these two
entities, the GRU, the FSB, APT-28, 29--do we know everybody?
Have you told us who is involved, or are there more that you
cannot discuss at this time?
Director Clapper. Right. I do not think I can discuss that
in this forum.
Senator Donnelly. Okay.
How far up the chain, in what you can tell us, does this go
in regards to the Russians? At what level were the instructions
to take these actions given?
Director Clapper. Again, sir, I cannot speak to that in
this setting.
Senator Donnelly. Thank you.
Do you think we are communicating clearly to our
adversaries in a language that they will understand that the
costs will outweigh any gains they get if they try this again?
Not only you, Director, but the others, and how do we best send
that message, do you think?
Director Clapper. Well, certainly the sanctions that have
been imposed, the expulsion of the 35 intelligence operatives,
the closure of the two facilities which were used for
intelligence purposes, and the other sanctions that were
levied, I think does convey a message. It is open to debate
whether more should be done. I am a big fan of sanctions
against the Russians, but that is just me.
Senator Donnelly. Admiral, what would you say, sir?
Admiral Rogers. I would agree. I mean, the challenge here
is, look, I do not think it is in the best interest of any of
our nations to be in this confrontational approach to doing
business, and we have got to figure out how do we articulate
what is acceptable, what is no acceptable in a way that enables
us to move forward in a productive relationship. That is not
unique to the Russians. I would argue that that is a challenge
for us with a whole host of actors out there. This has just, in
some ways, been the poster child for this challenge of late.
Director Clapper. I would add to that, if I may, that it
certainly would be a good thing if we could find areas where
our interests converge. I am speaking of ours and the Russians.
We have done that in the past. Just to foot stomp Admiral
Rogers' point. But I think there is a threshold of behavior
that is just unacceptable, and somehow that has to be conveyed.
Senator Donnelly. Well, I am out of time, but on behalf of
all the American people, we want to thank you. You have
dedicated your lives to keeping us safe, and we are incredibly
grateful for it.
Thank you, Mr. Chairman.
Chairman McCain. Senator Sullivan?
Senator Sullivan. Thank you, Mr. Chairman. Thank you and
the ranking member for holding this hearing.
I also want to thank you, General Clapper, Mr. Secretary,
for your service, as this might be your last hearing, and the
men and women you lead.
You described in your testimony the increasing attacks we
are seeing not just from Russia but China and other actors,
Iran, North Korea, their increasing capabilities. The
chairman's opening statement pretty much stated that it is his
view--and I certainly share the view--that we are being hit
repeatedly because the benefits outweigh the costs for those
who are taking these actions against us. Do you agree with
that?
Director Clapper. I do and I think we all do. For
adversaries like--I will just name--North Korea and Iran, it is
relatively low-cost acts that can cause havoc. What I think we
have seen over time is that they keep pushing the envelope
because as their capabilities improve and they are willing to
exercise those capabilities.
Senator Sullivan. If that is the case--I was glad that I
think there is some consensus here. You are talking about
retaliating, upping the costs with all instruments of power,
Mr. Secretary, you mentioned at the time of our choosing, in
the realm of our choosing. But it does not seem to be
happening. It does not seem to be happening because the attacks
continue.
Let me just give an example. Let us say Iran conducted--and
you mentioned that they are being more aggressive more risky
than North Korea--some kind of cyber attack. If we did
something maybe without announcing it, like the President
announced the Russian counteraction, but let us say we did not
announce it and let us say we did something where we
essentially collapsed their financial system or something
pretty dramatic. We let them know we did it, but we do not have
to publicize it. Do you think that is the kind of action that
would say, hey, do not do this or we are going to come back and
retaliate at our time, our choosing, and crush you? How come we
have not done that yet, and do you think if we did something
like that with the Iranians or the North Koreans, would that
deter them in the future, Mr. Secretary?
Mr. Lettre. Senator, I think you are getting right at the
question of what do we mean by a proportional response in some
instances.
Senator Sullivan. Or asymmetric. You are talking about
asymmetric responses, which I fully agree with.
Mr. Lettre. That is right. Or in instances that are
significantly serious and grave, whether a more than a
proportional response is required to really set that deterrence
framework in place.
Senator Sullivan. But is the key question not right now--it
came from the chairman's opening statement, which I think you
agreed with--is that nobody seems to be intimidated by us right
now.
Let me give another example. Senator Inhofe asked a
question early on about China. China hacked allegedly--maybe
you can confirm that--government-led--22 million files, a lot
of the SF-86 files that you use for background clearances. They
have mine I was informed by the Government. Very sensitive
information, as you know, that they could use against
intelligence operatives and military members. Senator Inhofe
asked the question, what did we do? The answer that I heard
from all of you was, well, we try to protect people like me
and, I am sure, others whose sensitive intel information and
background information was compromised. But I did not hear any
claim of a retaliation on a huge hack--huge. 22 million
American Federal, military, intel workers got hacked by the
Chinese.
The President signed this statement with President Xi
Jinping, the United States-China Security Agreement, but
obviously, General Clapper, from your testimony the Chinese
have not abided by that. Have they?
Director Clapper. They have.
Senator Sullivan. I am sorry. I thought you said in your
testimony today that they continue to conduct cyber attacks.
Director Clapper. They continue to conduct cyber espionage.
They have curtailed--as best we can tell, there has been a
reduction, and I think the private sector would agree with
this. There has been some reduction in their cyber activity.
The agreement simply called for stopping such exfiltration for
commercial gain.
Senator Sullivan. Let me just ask a final question. Did we
retaliate and up the costs against China after an enormous
cyber attack against our Nation?
Director Clapper. We did not retaliate against an act of
espionage any more than other countries necessarily have
retaliated against us for when we conduct espionage.
Senator Sullivan. But is that answer not part of the
problem that we are showing that we are not going to make it
costly for them to come in and steal the files of 22 million
Americans, including many intel officers?
Director Clapper. Well, as I say, people who live in glass
houses need to think about throwing rocks because this was an
act of espionage. We and other nations conduct similar acts of
espionage. If we are going to punish each other for acts of
espionage, that is a different policy issue.
Chairman McCain. Senator King?
Senator King. Thank you, Mr. Chairman. Your opening
statements are always erudite and thoughtful, but I thought
today's was particularly so. You touched on all the important
points that have really formed the basis for this hearing. I
want to thank you for that.
Director Clapper, I think it is important to put some
context around some of these discussions. One of the most
important things to me is that your public statement in
October, along with Jeh Johnson, was prior to the election, and
you were simply telling facts that you had observed. In my
experience of reading intelligence community communications, it
is one of the more unequivocal that I have seen. You have
stated here you have high confidence in those conclusions that
the Russians were behind it, that it was intended to interfere
with our elections, and that approval went to the highest
levels of the Russian Government. Have you learned anything
subsequently that you can tell us here today to contradict
those findings that you publicly stated last October?
Director Clapper. No. In fact, if anything, what we have
since learned just reinforces that statement of the 7th of
October.
Senator King. There was no political intention. You were
simply reporting facts as you saw them. I presume that is
correct. Your history is one of being nonpolitical.
Director Clapper. Absolutely. I felt particularly strongly,
as did Secretary Johnson, that we owed it to the American
electorate to let them know what we knew.
Senator King. Now, people in Maine are skeptical and they
want to have evidence and proof. I am hearing from people,
prove it. The problem, as I understand it, is the desire to
provide evidence that is convincing that your conclusions are
correct versus the danger of compromising national security on
sources and methods. Can you sort of articulate that? Because I
think that is an important point.
Director Clapper. We have invested billions, and we put
people's lives at risk to glean such information. If we were to
fulsomely expose it in such a way that would be completely
persuasive to everyone, then we can just kiss that off because
we will lose it, and then that will endanger our--imperil our
ability to provide such intelligence in the future. That is the
dilemma that we have in intelligence. We want to be as
forthcoming and transparent as possible, but we feel very, very
strongly, as we do in this case, about protecting very fragile
and sensitive sources and methods.
Senator King. Let us again turn to a question of context.
What we saw in this country this fall and going back actually
almost a year was an example of a Russian strategy that has
been playing out in Europe for some time that includes not just
hacking, as you said, but disinformation, propaganda.
I heard just from a senior commander--I took a break here
from the hearing--in Europe that Russia is actually buying
commercial TV stations in western Europe at this point. This is
a comprehensive strategy that we have seen playing out in
eastern Europe, and also there was a report this morning that
they are funding one of the candidates for the presidency of
France in the election this May.
Director Clapper. Well, the Russians have a long history of
interfering in elections, theirs and other people's. There is a
long history in this country of disinformation. This goes back
to the 1960s, you know, the heyday of the Cold War--funding
that they would share or provide to candidates they supported,
the use of disinformation. But I do not think that we have ever
encountered a more aggressive or direct campaign to interfere
in our election process than we have seen in this case.
Senator King. There are so many more channels of
disinformation today than there were in the past.
One final point.
Director Clapper. That is exactly right, and that is a very
key point about the--of course, the cyber dimension and social
media and all these other modes of communication that did not
exist in the Cold War.
Senator King. One final point. We had a meeting with the
committee with a group of representatives from the Baltic
States, and I know the chairman was just in the Baltic States.
They are just deluged with this. I mean, they have been warning
us about this for years, about the messing around with
elections. I said, so what do you do? How do you defend
yourself? They said, well, we are trying to defend ourselves in
various ways, but the best defense is for our public to know
what is going on so they can take it with a grain of salt. I
thought that was a very interesting observation because their
people now say, oh, yeah, that is just the Russians.
That is why I think public hearings like this and the
public discussion of this issue is so important because we are
not going to be able to prevent this altogether. But we need to
have our people understand when they are being manipulated.
Would you agree with that conclusion?
Director Clapper. Absolutely. That is why I felt so
strongly about the statement in October.
Senator King. Thank you.
Thank you, Mr. Chairman.
Chairman McCain. Just to follow up, General Clapper. During
the Cold War we had a strategy and we had Radio Free Europe. We
had Voice of America. Senator Graham, who will be speaking
next, will attest that in our recent trip they do not have a
strategy. They do not have a counter-propaganda--the United
States of America I am talking about. We have got to develop
that strategy even if it encompasses the Internet and social
media. But they are doing pretty significant stuff particularly
in the Baltics and Eastern Europe. Would you agree, Senator
Graham?
Senator Graham. Yes. I appreciate being before the
committee. Thank you.
[Laughter.]
Senator Graham. Yes, I would.
Would you agree with me that Radio Free Europe is outdated?
Director Clapper. I am frankly not up on----
Senator Graham. Well, it says ``radio,'' and a lot of
people do not listen to the radio like they used to.
Director Clapper. Well, actually radio is a very popular
mode in many parts of the world.
Senator Graham. Radio is big in your world?
Director Clapper. In my world?
Senator Graham. Yes.
Director Clapper. Not so much.
Senator Graham. Yes. I do not listen to the radio much
either.
The bottom line is you are going to be challenged tomorrow
by the President-elect. Are you okay with being challenged?
Director Clapper. Absolutely.
Senator Graham. Do you both welcome it?
Director Clapper. We do.
Senator Graham. Do you think it is appropriate?
Director Clapper. We do.
Senator Graham. Are you ready for the task?
Director Clapper. I think so.
Senator Graham. Good.
Is there a difference between espionage and interfering in
an election?
Director Clapper. Yes. Espionage implies, to me at least, a
passive collection, and this was much more activist.
Senator Graham. When it comes to espionage, we better be
careful about throwing rocks. When it comes to interfering in
our election, we better be ready to throw rocks. Do you agree
with that?
Director Clapper. That is a good metaphor.
Senator Graham. I think what Obama did was throw a pebble.
I am ready to throw a rock.
Would I be justified as a United States Senator taking your
information about Russia's involvement in our election and what
they are doing throughout the world and be more aggressive than
President Obama if I chose to?
Director Clapper. That is your choice, Senator.
Senator Graham. Do you think he was justified in imposing
new sanctions based on what Russia did?
Director Clapper. I do.
Senator Graham. To those of you who want to throw rocks,
you are going to get a chance here soon, and if we do not throw
rocks, we are going to make a huge mistake.
Admiral Rogers, is this going to stop until we make the
cost higher?
Admiral Rogers. We have got to change the dynamic here
because we are on the wrong end of the cost equation.
Senator Graham. Yes. You got that right.
Could it be Republicans' next election?
Admiral Rogers. This is not about parties per se.
Senator Graham. Yes. It is not like we are so much better
at cybersecurity than Democrats.
Admiral Rogers. Right.
Senator Graham. Now, I do not know what Putin was up to,
but I do not remember anything about Trump in the election.
Now, if Trump goes after the Iranians, which I hope he
will, are they capable of doing this?
Admiral Rogers. They clearly have a range of cyber
capability and they have been willing to go offensively. We
have seen in the United States in the one dam.
Senator Graham. If Trump takes on China, which I hope he
will, are they capable of doing this?
Admiral Rogers. Yes.
Senator Graham. We got a chance as a Nation to lay down a
marker for all would-be adversaries. Do you agree with that?
Admiral Rogers. Yes, and I would be the first to
acknowledge we need to think about this broadly.
Senator Graham. We should take that opportunity before it
is too late.
Admiral Rogers. Yes, sir.
Senator Graham. Do you agree with me that the foundation of
democracy is political parties, and when one political party is
compromised, all of us are compromised?
Admiral Rogers. Yes, sir.
Senator Graham. All right.
Now, as to what to do, you say you think this was approved
at the highest level of government in Russia, generally
speaking. Is that right?
Director Clapper. That is what we said.
Senator Graham. Who is the highest level of government?
Director Clapper. Well, the highest is President Putin.
Senator Graham. Do you think a lot happens in Russia big
that he does not know about?
Director Clapper. Not very many.
Senator Graham. Yes. I do not think so.
Director Clapper. Certainly none that are politically
sensitive in another country.
Senator Graham. Okay.
Now, as we go forward and try to deter this behavior, we
are going to need your support now and in the future. I want to
let the President-elect know that it is okay to challenge the
intel. You are absolutely right to want to do so. But what I do
not want you to do is undermine those who are serving our
Nation in this arena until you are absolutely sure they need to
be undermined. I think they need to be uplifted, not
undermined.
North Korea. Let me give you an example of real world stuff
that he is going to have to deal with Trump. Do you believe
that North Korea is trying to develop an ICBM [Intercontinental
Ballistic Missile] to hit the United States or that could be
used to hit the United States?
Director Clapper. That could be, yes.
Senator Graham. Do you agree with that, Admiral Rogers?
Admiral Rogers. Yes.
Senator Graham. When the North Korean leader says that they
are close to getting an ICBM, he is probably in the realm of
truth?
Admiral Rogers. He is certainly working aggressively to do
that.
Senator Graham. If the President of the United States says
it will not happen, he is going to have to come to you all to
figure out how far along they are because you would be his
source for how far along they are. Is that right?
Director Clapper. I hope we would be the source.
Senator Graham. Yes. I hope he would talk to you too. Here
is what I hope he realizes, that if he has to take action
against North Korea, which he may have to do, I intend to
support him, but he needs to explain to the American people
why. One of the explanations he will give is based on what I
was told by the people who are in the fight. Let me tell you
this. You do not wear uniforms, but you are in the fight. We
are in a fight for our lives.
I just got back from the Baltics, Ukraine, and Georgia. If
you think it is bad here, you ought to go there.
Ladies and gentlemen, it is time now not to throw pebbles
but to throw rocks. I wish we were not here. If it were up to
me, we would all live in peace, but Putin is up to no good and
he better be stopped. Mr. President-elect, when you listen to
these people, you can be skeptical but understand they are the
best among us and they are trying to protect us.
Thank you all.
Chairman McCain. Would you have any response to that
diatribe?
[Laughter.]
Director Clapper. Senator Graham and I have had our innings
before, but I find myself in complete agreement with what he
just said and I appreciate it.
Chairman McCain. Thank you.
Director Clapper. Chairman McCain, if I might just pick up
on a comment of yours and that has to do with the information
fight, if you will. This is strictly personal opinion, not
company policy. But I do think that we could do with having a
USIA [United States Information Agency] on steroids, United
States Information Agency, to fight this information war a lot
more aggressively than I think we are doing right now.
Chairman McCain. You know, I agree, General, and I think
one of the areas where we are lacking and lagging more than any
other area is social media. We know these young people in the
Baltics are the same as young people here. They get their
information off the Internet, and we have really lagged behind
there.
Senator Gillibrand?
Senator Gillibrand. Thank you, Mr. Chairman and Mr. Ranking
Member, for hosting this very important hearing.
I want to follow on some of the questioning that Senator
Ernst started concerning the National Guard and cyber. I have
been pushing DOD to use the Guard for years and appreciate that
this is beginning to happen. Members of the Guard bring unique
skills and capabilities, and we should be leveraging them.
Admiral Rogers, I look forward to working with you on how
best to do this. Can you tell me whether there has been
movement on the Army National Guard cyber protection teams
being included in the cyber mission forces?
Admiral Rogers. Yes. We brought two online that have been
activated in the last year, two additional that are coming
online in 2017, the first of which just came online. Yes,
ma'am.
Senator Gillibrand. How much more is left to be done?
Admiral Rogers. The Guard and Reserve are bringing on an
additional 21 teams. Those will not be directly affiliated with
the mission force. But one of the things I think we are going
to find over time, the only way to generate more capacity in a
resource-constrained world is to view this as an entire pie,
not just, well, here is one sliced off area, the mission force,
and here is a separate area, the Guard and Reserve. I think
what we are going to be driven to is we are going to have to
look at this as much more integrated whole.
Senator Gillibrand. I do too because at the end of the day,
our Guard and Reserve--they have day jobs and they may be
working at Google and Microsoft and Facebook and all these
technology companies and have extraordinary skills. As a way to
tap into the best of the best, I think we should look at people
who already have these skills who are already committed to
serving our Nation as best we can. I appreciate your work.
Admiral Rogers. If I could, one area that I would be
interested in your help in--for many employers in the Guard and
Reserve--and I say this as the son of guardsman when I was a
kid growing up--they often--sometimes--tend to view that
service as something that you do overseas. Hey, I am willing to
let you go because you are going to Afghanistan, you are going
to Iraq. In the world of cyber, we are operating globally from
a garrison, pick the location----
Senator Gillibrand. From any location in the world.
Admiral Rogers. Anywhere.
This just came up. General Lengyel and I were just talking
about this yesterday, as a matter of fact. I said one of the
things we need to do is educate employers about what is the
nature of this dynamic, and it is every bit as relevant as we
are sending somebody to Afghanistan or Iraq.
Senator Gillibrand. I think that is right.
On a separate topic but related, I have long been
advocating for aggressive development of the manpower that we
need to support our cybersecurity mission. In particular, I
continue to believe that we have to not only develop the
capability in our military and the interest in cyber among
young Americans, but that the military must be creative when
thinking about recruitment and retention of cyber warriors.
How would you assess our current recruitment and retention
of cyber warriors? What challenges do you foresee in the
future, and what recommendations do you have to address them?
Because, obviously, we are competing with some of the most
dynamic, innovative companies in the world, but we need them to
be our cyber defense and our cyber warriors.
Admiral Rogers. Knock on wood. In the military aspect, we
are exceeding both our recruiting and retention expectations. I
worry about how long can we sustain that over time in the
current model. My immediate concern is a little less on the
uniform side in part because if money was a primary driver for
them, they would not have come to us in the first place.
On the civilian side, however, that is probably my more
immediate concern. I am finding it more challenging. We are
able to recruit well. Retaining them over time--I am really
running into this on the NSA side right now. How do you retain
high-end, very exquisite civilian talent for extended periods
of time?
Senator Gillibrand. Well, I would be delighted to work with
you over the next year on that.
Director Clapper, I was very interested in your opening
remarks and the initial conversation you were having about the
Russian hack onto the DNC and to various personnels' emails and
the question of whether it was a declaration of war. Given that
that is such a serious statement, I want to ask you, do you
think we should take things like the Democratic or Republican
Party infrastructure and consider them to be critical
infrastructure? Should we actually be looking at our
infrastructure differently because of this recent event?
Director Clapper. That has been a subject of discussion
about whether, you know, our political infrastructure should be
considered critical infrastructure. I know Secretary Johnson
has had a discussion with State officials about that, and there
is some pushback on doing that. It is a policy call. Whatever
additional protections that such a declaration would afford, I
think that would be a good thing. But whether or not we should
do that is really not a call for the intelligence community to
make.
Senator Gillibrand. Well, I hope it is one that the members
here on this committee will discuss because if it does result
in such a grave intrusion, maybe it should be critical
infrastructure. Certainly politics and political parties are
not set up that way, and so it would be quite a significant
change.
Thank you.
Chairman McCain. Director Clapper has to leave in about 20
minutes. We will enforce the time.
Senator Tillis?
Senator Tillis. Thank you, Mr. Chair.
Gentlemen, thank you all for your service. I for one have
high confidence in the community that you represent, and I hope
that they recognize that I speak for most of the Senators here
that share the same view.
Director Clapper, I am going to spend most my time probably
reflecting on some of the comments that you have made. The
glass house comment is something I think is very important.
There has been research done by a professor up at Carnegie-
Mellon that has estimated that the United States has been
involved in one way or another in 81 different elections since
World War II. That does not include coups or regime changes.
Tangible evidence where we have tried to effect an outcome to
our purpose. Russia has done it some 36 times. In fact, when
Russia apparently was trying to influence our election, we had
the Israelis accusing us of trying to influence their election.
I am not here to talk about that, but I am here to say that we
live in a big glass house and there are a lot of rocks to
throw. I think that is consistent with what you said on other
matters.
I want to get back to the purpose of the meeting, the
foreign cyber threats. I think, Admiral Rogers and Director
Clapper, you all have this very difficult thing to communicate
to policy people who many not have subject-matter expertise in
this space. For example, Director Clapper, you were saying that
one of the problems with the counterattack--I think it was you.
It could have been Admiral Rogers--is that you may have to use
an asset that is actually a presence on some other nation where
that nation may or may not know that we have a presence there.
In fact, we have presences across cyberspace that are not known
that as a part of a counterattack, the counterattack could be
nothing more than exposing our presences because we know a lot
of our adversaries may or may not be aware of presences that we
have out there in appropriate locations. Is that correct?
Director Clapper. Yes, and I think you have succinctly
illustrated the complexities that you run into here.
Senator Tillis. That is why as thrilling as somebody who
has written the precursors to phishing code before and stolen
passwords as a part of ethical hack testings--I was paid to do
this. That underscores the need for us to really be educated
about the nature of this battle space and how more often than
not, it is probably more prudent to seek a response that is not
a cyber response given the fluid nature.
We are in an environment now where we see a threat and we
build a weapon system. It is on the water. It is on the air. It
is on the ground. Then we kind of counter that threat and we
come up with war plans to use that capability.
In cyberspace, major weapon systems get created in 24-hour
cycles. You have no earthly idea whether or not you have a
defensive capability against them. If you all of a sudden think
let us go declare war in cyberspace, be careful what you ask
for because collectively there are 30 nations right now that
have some level of cyber capability. There are four or five of
them that are near peer to the United States. There are two or
three that I think are very threatening and in some cases
probably have superior capabilities to us in terms of
presences, maybe not as sophisticated but potentially in a
cyber context more lethal.
I think there are a lot of questions. One of the beauties
of being a freshman--I guess now I am not a freshman--being at
the end of the dais, all the good questions have been asked.
But one of the things that I would suggest that we do is we as
members really get educated on the nature of this threat and
the manner in which we go about fighting it and understanding
that the iterative nature of weapons creations on the Internet
are unlike anything we have seen in record human history for
warfare, and we need to understand that.
We also need to understand what the rules of engagement are
going to be and how future AUMFs actually include a specific
treatment for behaviors that are considered acts of war and
then a whole litany of things that we should do for appropriate
responses so that we can begin to make more tangible the
consequences of inappropriate behavior in cyberspace.
That is not so much a diatribe, but it probably is a
speech, Mr. Chair.
The last thing I will leave you with is, Admiral Rogers, I
would like for my office to get with you and continue to talk
about how we get these bright people, retained and recruited,
to stay up to speed with developing these threats. We need to
understand that they are secret to creating these weapon
systems to counter the malicious acts like Russia, China, Iran,
and a number of other nations are trying to develop against us.
Thank you.
Chairman McCain. Senator Hirono?
Senator Hirono. Thank you, Mr. Chairman.
Thank you, gentlemen, for your service.
I think it is clear that we have tremendous concerns about
the Russian hacking in our elections, and I think it is more
than ironic that we have a President-elect who kept talking
about our elections being rigged, which I would consider trying
to interfere with our elections to be a part of a rigged kind
of an election. At the same time, he denied Russia's activities
in this regard.
Some of this was already touched on regarding the
President-elect's attitudes toward the intelligence community,
the impact on morale. Going forward, as we are challenged by
the need to have more cyber-aware or skilled cyber workforce,
if this attitude toward the intelligence community does not
change on the part of decision-makers, including the President,
would you agree that it would make it that much harder,
Director Clapper and Admiral Rogers, to attract the kind of
cyber-experienced workforce that we need to protect our
country?
Director Clapper. Well, it could. I do not know that we
could say some of these statements have had any impact on
recruiting. It could.
Senator Hirono. Or retention.
Director Clapper. I think it could.
On retention, I think just maybe to embellish what Admiral
Rogers was saying, I do think that consideration needs to be
given to having more flexibility and more latitude on
compensation for our high-end cyber specialists who are lured
away by industry that are paying huge salaries. That is not why
you are in the Government, not why you serve in the
intelligence community, not obviously for money. But I do think
in those highly technical, high-end skill sets that we badly
need in the Government in the intelligence community, that it
would be helpful to have more latitude on compensation.
Admiral Rogers. I would agree, Senator.
Senator Hirono. Very briefly.
Admiral Rogers. Both of these individuals know within the
last 24 hours, which I said using my authority as the Director
of NSA, I am going to authorize the following increased
compensations for the high-end cyber part of our workforce
because I am just watching the loss.
Senator Hirono. Yes, of course. It is not just compensation
that attracts people to what we are doing in our intelligence
community because service to the country is a very important
motivation. And, of course, I would think that morale would be
very much attendant to that.
There was some discussion about what would constitute, in
the cyber arena, an act of war. Director Clapper, I note in
your testimony that I think this is one of the reasons that we
want to develop international norms in this arena. Who should
be the key players in developing agreeing to these
international norms in the cyber arena? If the big players are
United States, China, Russia, if we do not have those players
at the table to come up with these international norms, how
realistic is it to develop and----
Director Clapper. Well, that is exactly the challenge.
Those are the key nation states that we would need to engage.
There has been work done under the auspices of the United
Nations to attempt to come up with cyber norms, but I think we
are a ways away from those having impact.
Senator Hirono. Would you agree, Admiral Rogers?
Admiral Rogers. Yes, ma'am.
Senator Hirono. Turning to the awareness of the public as
to the extent of the threat, a 2016 opinion piece by two
members of the 9/11 Commission--basically they said that the
most important thing government and leaders in the private
sector can do is to clearly explain how severe this threat is
and what the stakes are for the country.
Director Clapper, do you think that the general public
understands the severity of the cyber threat and the stakes for
the country? What should Americans keep in mind with regard to
this threat? What can ordinary Americans do to contend with
this threat?
Director Clapper. I think there is always room for more
education, and certainly we have a role to play in the
intelligence community in sharing as much information as we can
on threats posed by both nation states, as well as non-nation
states.
I think there are simple things that Americans can do to
protect themselves. You know, be aware of the threat posed by
spear phishing, for example, which is a very common tactic that
is used yet today. We have a challenge in the Government
getting our people to respond appropriately to cyber threats.
This is one case where communicate, communicate, communicate is
the watchword.
Chairman McCain. Senator Cruz?
Senator Cruz. Thank you, Mr. Chairman.
Gentlemen, thank you for being here. Thank you for your
service to our Nation.
The topic of this hearing, cybersecurity, cyber attack, is
a growing threat to this country and one that I think will only
become greater in the years ahead. We have seen in recent years
serious attacks from, among others, Russia, China, North Korea.
Indeed, it is with some irony--I spent a number of years in the
private sector, and to the best of my knowledge never had my
information hacked. Then all I had
to do was get elected to the United States Senate and the
Office of Personnel Management was promptly hacked and everyone
on this bench had our information stolen by a foreign assault.
My question, Admiral Rogers, starting with you is what do
you see as the greatest cybersecurity threats facing our
country, and what specifically should we be doing about it to
protect ourselves?
Admiral Rogers. A small question.
When I look at the challenges and the threats, it is, in no
particular order, significant extraction of information and
insight that is generating economic advantage for others, that
is eroding operational advantage at times for us as a Nation.
That is, as you have seen in this Russian piece, where not just
the extraction but then the use of this information adds a
whole other dimension. What concerns me beyond all that is what
happens as we start to move in an environment in which not only
is information being--I have heard some people use the phrase
``weaponized.'' What happens when now we see people suddenly
manipulating our networks so we cannot believe the data that we
are looking at. That would be a real fundamental game-changer
to me, and to me it is only a question of the ``when'' not the
``if'' this is going to happen. What happens when the non-state
actor decides that cyber offers an asymmetric advantage to
them? Because their sense of risk and their willingness to
destroy the status quo is significantly different and greater
than your typical nation state. Those are the kinds of long-
term things.
As we talked about more broadly today, we have got to get
better on the defensive side because part of deterrence is
making it harder for them to succeed. I acknowledge that. But a
defensive strategy alone is not going to work. It is a
resource-intensive approach to doing business, and it puts us
on the wrong end of the cost equation. That is a losing
strategy for us, but it is a component of a strategy. We have
got to ask ourselves how do we change this broader dynamic. To
go the point you have heard repeatedly today, how do we
convince nations and other actors out there that there is a
price to pay for this behavior, that in fact it is not in your
best interest.
Senator Cruz. What should that price be?
Admiral Rogers. It is a wide range of things. There is no
one silver bullet, which is another point I would make. If we
are looking for the perfect solution, there is not one. This
will be a variety of incremental solutions and efforts that are
going to play out over time. There is no one single approach
here.
Senator Cruz. Well, and your point about manipulating data,
about a month ago I chaired in a different committee a hearing
on artificial intelligence and our economy's growing reliance
on artificial intelligence. One of the things that the
witnesses testified there was concern on the cybersecurity side
of a hack that would modify the big data that is being relied
on for artificial intelligence to change the decision-making in
a way nobody is even aware it has been changed. I think that is
a threat I hope that you all are examining closely, and it is
the sort of threat that could have significant repercussions
without anyone even being aware it is happening.
Let me shift to a different topic. Director Clapper, you
have testified before this committee that Cuba is an
intelligence threat on par with Iran and listed below only
Russia and China. There are reports that Lourdes, the Russian-
operated signal intelligence base in Cuba, will be reopened.
Additionally, this past summer Russia and Nicaragua struck a
deal to increase military and intelligence cooperation,
resulting in an influx of Russian tanks into Managua and an
agreement to build an electronic intelligence base, which may
be disguised as a satellite navigation tracking station.
To the best of your knowledge, what is Russia's strategy in
the western hemisphere, and how concerned are you about the
Russians expanding their influence in Cuba and Nicaragua?
Director Clapper. Well, the Russians are bent on
establishing both a presence in the western hemisphere and they
are looking for opportunities to expand military cooperation,
sell equipment, airbases, as well as intelligence gathering
facilities. It is just another extension of their
aggressiveness in pursuing these interests.
With respect to Cuba, Cuba has always had long-standing,
very capable intelligence capabilities, and I do not see a
reduction of those capabilities.
Senator Cruz. Thank you.
Chairman McCain. Senator Kaine?
Senator Kaine. Thank you, Mr. Chair.
Thanks to the witnesses for today and for your service.
Mr. Chair, I appreciate you calling this hearing. I think
this hearing is a test of this body, the Article 1 branch of
Congress, this hearing and others to follow.
I was chairman of the Democratic National Committee for a
couple years, and we had a file cabinet in the basement that
had a plaque over it. It was a file cabinet that was rifled by
burglars in an invasion of the Democratic National Committee in
1972. It was a bungled effort to take some files and plant some
listening devices.
That small event led to one of the most searching and
momentous congressional inquiries in the history of this
country. It was not partisan. One of the leaders of the
congressional investigation was a great Virginian called Will
Butler, who was my father-in-law's law partner in Roanoke,
Virginia before he went to Congress, played a major role. It
was not an investigation driven because something affected the
election. The 1972 presidential election was the most one-sided
in the modern era. But it was a high moment for Congress
because Congress in a bipartisan way stood for the principle
that you could not undertake efforts to influence an American
presidential election and have there be no consequence.
The item that we will discuss and we will discuss more when
the hearing comes out is different. That was a burglary of a
party headquarters that was directed to some degree from the
Office of the President. But this is very serious. The combined
intelligence of this country has concluded that efforts were
undertaken to influence an election by an adversary, an
adversary that General Joe Dunford, the head of the Joint
Chiefs of Staff, said in testimony before this hearing, was in
his view the principal adversary of the United States at this
point.
In addition, the attack was not just on a party
headquarters. The October 7 letter that you have referred to
talked about attacks on individuals, current and former public
officials with significant positions, and also attacks on State
boards of elections. The letter of October 7 traced those
attacks to Russian entities, Russian companies, and did not
ascribe, at least in that letter, to that directed by the
Russian Government, but I am curious about what the full report
will show.
It is my hope that this Congress is willing to stand in a
bipartisan way for the integrity of the American electoral
process and will show the same backbone and determination to
get all the facts and get them on the table, as the Congress
did in 1974.
There was another congressional inquiry that was directed
after the attacks on 9/11, and there was a powerful phrase in
that report that I just want to read. The commission concluded,
quote, the most important failure was one of imagination. We do
not believe leaders understood the gravity of the threat. That
is something I think we will have to grapple with. Did we have
sufficient warning signs? I think we did. Having had sufficient
warning signs, why did we not take it more seriously? That
question is every bit as important as a question about what a
foreign government, an adversary, did and how we can stop it
from happening.
Three quick points.
One, is the report next week that is going to be issued not
solely going to be confined to issues of hacking but also get
into the dimension of this dissemination of fake news? Will
that be one of the subject matters covered?
Director Clapper. Without preempting the report, we will
describe the full range of activities that the Russians
undertook.
Senator Kaine. I think that is incredibly important.
I had a little role in this election. I was along for he
ride for 105 days and was the subject of a couple of fake news
stories. It was interesting. There were at least three that the
mainstream media did not cover because they were so incredible
that like why would they. But I looked at one of the stories
that had been shared 800,000 times. When I see an
administration who has put in place as the proposed national
security advisor someone who traffics in these fake news
stories and retweets them and shares them, who betrays a sense
of either gullibility or malice that would kind of be--these
are stories that most fourth graders would find incredible.
That a national security advisor would find them believable
enough to share them causes me great concern.
Second, go back to Joe Dunford. He talked about Russia as a
potential adversary because they have capacity and they have
intent. With respect to our cyber, I think we have capacity,
but I think what we have shown is we have not yet developed an
intent about how, when, why, whether we are going to use the
capacity we have. If we are going to shore up our cyber
defense, in one word do you think what we really need to shore
up is our capacity, or do we need to shore up our intent?
Director Clapper. As we look at foreign adversaries, that
is always the issue is capability and intent. Certainly in the
case of the Russians, they do pose an existential threat to the
United States. I agree with Chairman Dunford on that. It is
probably not our place, at least my place, in the intelligence
community to do an assessment of our intent. That is someone
else's place. It is not mine.
Chairman McCain. Senator Shaheen?
Senator Shaheen. Thank you, Mr. Chairman and Senator Reed,
for holding this hearing.
Thank you all very much for testifying this morning and for
your service to the country.
Dr. Robert Kagan testified before this committee last
December with respect to Russia. At that time, there was less
information known to the public about what had happened in
their interference in the elections.
But one of the things he pointed out was that Russia is
looking at interference in elections, whether that be cyber or
otherwise, the whole messaging piece that you discussed with
Senator Heinrich, as another strategy along with their military
action and economic and other diplomatic methods to undermine
Western values, our Euro-Atlantic alliance, and he very
democracies that make up that alliance. Is that something that
you agree with, Director Clapper?
Director Clapper. Yes. That is clearly a theme. It is
certainly something that the Russians are pushing in messaging
in Europe. They would very much like to drive wedges between us
and Western Europe, the alliances there, and between and among
the countries in Europe.
Senator Shaheen. I assume that there is agreement on the
panel. Does anybody disagree with that?
One of the things that I think has emerged, as I have
listened to this discussion, is that we do not have a strategy
to respond to that kind of an effort. We do not have a
strategy, it has been testified, with respect to cyber, but a
broader strategy around messaging around how to respond to that
kind of activity. Do you agree with that?
Director Clapper. I am speaking personally.
Senator Shaheen. Sure.
Director Clapper. This is not an institutional response. As
I commented earlier to Senator McCain, I do think we need a
U.S. Information Agency on steroids that deals with the
totality of the information realm and to mount in all forums
and to include the social media.
Senator Shaheen. I am sorry to interrupt, but can I just
ask why do you believe that has not happened. Director Clapper,
Admiral Rogers?
Director Clapper. For my part, I do not know why it has
not. I cannot answer that.
Senator Shaheen. Admiral Rogers?
Admiral Rogers. From my perspective, in part because I do
not think we have come yet to a full recognition of the idea
that we are going to have to try to do something fundamentally
different. I think we still continue to try to do some of the
same traditional things we have done and expecting to do the
same thing over and over again, yet achieve a different result.
Senator Shaheen. No. That is the definition of ``crazy.'' I
think we have determined that.
Secretary Lettre?
Mr. Lettre. I would just add that in this area, the
capability and intent framework is useful to think about. I
think it is only in the last few years that we have seen
adversaries with true intent to use propaganda and the ability
to reach out as terrorists are doing and try to incite and
match that up with the tremendous power that social media tools
allow to make that easy and simple and effective and broadly
applicable.
Senator Shaheen. Given that this is a strategy and given
that it is aimed not just at the United States particularly
with respect to interference in our elections but at Western
Europe and Eastern Europe for that matter, is there an effort
underway to work with our allies through NATO or otherwise? I
have been to the cybersecurity center in Estonia, but there did
not seem to be a NATO agreement that this was something that we
should be working on together to respond to. Is this an effort
that is underway?
Mr. Lettre. Just speaking from my lens on things, there is
a lot of interest in doing that and doing it more effectively
and more comprehensively, but we have not cracked the code on
doing it effectively yet. We need to keep the pressure on
ourselves and our NATO allies who are likeminded in this regard
to keep improving our approach.
Admiral Rogers. It has also got to be much broader than
just cyber.
Senator Shaheen. Thank you.
Director Clapper, my time is almost up, but before you go
since this is the last opportunity we will have to hear from
you, can I just ask you, do you think the DNI needs reform?
Director Clapper. Well, there is always room for
improvement. I would never say that this is the ultimate. I do
think it would be useful, though, if we are going to reform or
change the DNI or change CIA, that some attention be given to,
in our case, the legislative underpinnings that established the
DNI in the first place and then have added additional functions
and responsibilities over the years, that the Congress has
added, to our kit bag of duties. But to say that there is not
room for improvement, I would never suggest that.
Senator Shaheen. I appreciate that. I certainly agree with
you. I think that if there is going to be this kind of major
reform, hopefully both legislators and others who have been
engaged in the intelligence community will be part of that
effort.
Director Clapper. I certainly agree the Congress, no pun
intended, gets a vote here I think.
Senator Shaheen. Thank you.
Chairman McCain. I know that our time has expired, and I
apologize to our new members that you will not have time
because you have to go. But maybe, Director Clapper, since this
may be, hopefully, your last appearance, do you have any
reflections that you would like to provide us with,
particularly the role of Congress or the lack of the role of
Congress in your years of experience?
Director Clapper. I am going to have to be careful here.
Chairman McCain. I do not think you have to be.
[Laughter.]
Director Clapper. I was around in the intelligence
community when the oversight committees were first established
and have watched them and experienced them ever since. Congress
does have clearly an extremely important role to play when it
comes to oversight of intelligence activities, and unlike many
other endeavors of the Government, much of what we do,
virtually all of what we do is done in secrecy. The Congress
has a very important, a crucial responsibility on behalf of the
American people for overseeing what we do particularly in terms
of legality and protection of facilities and privacy.
At risk of delving into a sensitive area, though, I do
think there is a difference between oversight and
micromanagement.
Chairman McCain. Well, we thank you. We thank the
witnesses. This has been very helpful. Director Clapper, we
will be calling you again.
Director Clapper. Really?
[Laughter.]
Chairman McCain. This meeting is adjourned.
[Whereupon, at 12:09 p.m., the committee was adjourned.]
[Questions for the record with answers supplied follow:]
Questions Submitted by Senator James Inhofe
cyber deterrence
1. Senator Inhofe. Director Clapper, is it possible to deter
adversaries from attacking America in an environment where the
strategic capability and weapon system is available to anyone with
broadband internet access?
Director Clapper. [Deleted.]
2. Senator Inhofe. Director Clapper, do you believe that sanctions
like the ones levied against Russia in response to its election-related
cyber activities are the proper tool to discourage future such
behavior? What other tools would you recommend?
Director Clapper. [Deleted.]
3. Senator Inhofe. Director Clapper, do you believe that Obama
Administration's response to Russia's recent activities represents a
blueprint for effectively dealing with state-orchestrated malicious
cyber activity?
Director Clapper. [Deleted.]
china
4. Senator Inhofe. Director Clapper, do you believe China is
abiding by its commitment not to support cyber enabled theft of
intellectual property including trade secrets or other confidential
business information for commercial advantage? Are they still
conducting cyberattacks on the United States?
Director Clapper. [Deleted.]
telecom companies with ties to foreign governments
5. Senator Inhofe. Director Clapper, in 2012, the House
Intelligence Committee determined that China-based telecommunications
companies Huawei and ZTE posed potential dangers to national security
due to their entanglements with the Chinese Government. The same year,
Australia denied a $41-billion national broadband contract to Huawei
over similar concerns. However, Huawei is again trying to making
inroads in Australia, and is working in the state of Victoria on data
analysis and key utility systems. Do you believe significant
involvement by our close allies with companies like Huawei poses a
significant threat?
Director Clapper. [Deleted.]
__________
Questions Submitted by Senator David Perdue
threats to u.s. infrastructure and how to respond
6. Senator Perdue. Admiral Rogers, you have stated several times
that other nation states, such as Russia, China, Iran, and North Korea,
have the power to cripple our critical infrastructure. Could these
actors take down the U.S. power grid with their current capabilities
today?
Admiral Rogers. [Deleted.]
7. Senator Perdue. Admiral Rogers, do such actors have the power to
take down our banking and/or transportation infrastructure grids today?
Admiral Rogers. [Deleted.]
8. Senator Perdue. Admiral Rogers, if a state actor, or state-
sponsored actor, were to take down any of our critical infrastructure
(specifically, one of the 17 infrastructure subsecors designated as
``critical infrastructure subsectors'' by the Department of Homeland
Security), would you consider this an act of war?
Admiral Rogers. I defer to the Office of the Secretary of Defense,
as the determination of what constitutes an ``act of war'' is a policy
and legal decision. U.S. Cyber Command could respond to a Defense
Support to Civil Authorities (DSCA) request if the request is routed
through the Department of Homeland Security to the Secretary of
Defense, and subsequently approved by the Secretary of Defense.
9. Senator Perdue. Admiral Rogers, how would you recommend the U.S.
respond to such an attack?
Admiral Rogers. As commander of U.S. Cyber Command, I would present
our Nation's leaders with suitable options for the employment of
cyberspace capabilities in response to the incident, and to deter or
prevent further hostile acts. However, it is important to recognize
that a cyber attack does not necessarily require a cyber response.
Cyber is only one element of national power our leaders can consider
when developing a U.S. Government response to any type of attack on our
Nation.
10. Senator Perdue. Admiral Rogers, what are we prepared to do in
response to such an attack?
Admiral Rogers. Cyberspace response options, which vary by
adversary and must be addressed on a case-by-case basis, should include
whole-of-government considerations/response, and are subject to policy
considerations. It is important to recognize that a cyber attack does
not necessarily require a cyber response. Cyber is only one element of
national power our leaders can consider when developing a U.S.
Government response to any type of attack on our nation. U.S. Cyber
Command's efforts to develop a rapidly maturing Cyber Mission Force
(including those in the National Guard), coupled with strong
relationships with intelligence organizations, foreign partners,
allies, industry, academia, and joint partners, provide a resilient
foundation from which we are developing cyberspace options to defend
our networks, deter adversaries, and help defend the nation. U.S. Cyber
Command is actively developing additional capabilities and capacities,
aligned against our adversaries, so that when called upon by our
nation's leaders, we are ready to support with full-spectrum cyberspace
options.
definition of cyber ``act of war'' and international consensus
11. Senator Perdue. Director Clapper and Admiral Rogers, you raised
in your joint testimony that the key problem in dealing with cyber
issues with our adversaries is that there is not an international
consensus over key concpets regarding what constitutes an act of
aggression or use of force in cyberspace and what international laws
should govern this debate. What efforts are being undertaken to advance
a sense of consensus on how we define cyberattacks on the world stage?
Director Clapper. [Deleted.]
Admiral Rogers. [Deleted.]
12. Senator Perdue. Director Clapper and Admiral Rogers, how can we
better define the rules of the road for cyber internationally so we can
appropriately defend our NATO allies when necessary, and so that any
actions that we deem as appropriate countermeasures don't get blown out
of proportion and elicit unforeseen consequences?
Director Clapper. [Deleted.]
Admiral Rogers. [Deleted.]
13. Senator Perdue. Director Clapper, you said in your February
2016 threat assessment that you would continue to monitor compliance
with China's September 2015 commitment to refrain from conducting or
knowingly supporting cyber-enabled theft of intellectual property for
providing a completive advantage. Could you provide us with an update
on China's compliance with the September 2015 agreement?
Director Clapper. [Deleted.]
14. Senator Perdue. Director Clapper, does China continue to
sponsor hacking and cyber espionage for commercial gain?
Director Clapper. [Deleted.]
``dual hat'' issue
15. Senator Perdue. Admiral Rogers, in the president's signing
statement of the 2017 NDAA, President Obama expressed his displeasure
with the new limitations preventing the premature separation of Cyber
Command and NSA. Is it still your professional military advice that
maintaining the ``dual hat'' is in our best national security interest?
Admiral Rogers. My professional military advice is that separation
is the right step in the future, but it will take dedicated effort and
resources to ensure the long-term success of both organizations
following separation. Therefore, upon elevation of U.S. Cyber Command,
the Commander, USCYBERCOM, should provide the Secretary of Defense and
Chairman of the Joint Chiefs of Staff a vision and plan for potential
future separation. This vision and plan would define the required
resources and associated time table for separation.
16. Senator Perdue. Secretary Lettre and Admiral Rogers, the
President's statement suggests that the Department of Defense and the
Office of the Director of National Intelligence are taking steps to
begin the separation. Have you been asked to take any irreversible
steps that may undermine the law the President signed a few weeks ago
prohibiting the separation until a number of specific conditions have
been met?
Secretary Lettre. [Deleted.]
Admiral Rogers. No.
17. Senator Perdue. Admiral Rogers, how would you advise the next
administration to consider the ``dual hat'' issue?
Admiral Rogers. I would advise the administration that elevation
and the dual-hat issue are separate and distinct. My professional
military advice is that separation is the right step in the future, but
it will take dedicated effort and resources to ensure the long-term
success of both organizations following separation. Additionally, I
recommend the elevation of U.S. Cyber Command to a combatant command
occur now. Upon the elevation of U.S. Cyber Command, the Commander, U.S
Cyber Command, should provide the Secretary of Defense and Chairman of
the Joint Chiefs of Staff a vision and plan for potential future
separation. This vision and plan would define the required resources
and associated time table for separation.
isis--disrupt v. destroy
18. Senator Perdue. Secretary Lettre and Admiral Rogers, according
to Secretary Carter, we are ``using cyber tools to disrupt ISIS's
ability to operate and communicate over the virtual battlefield.'' Why
are we only trying to ``disrupt'' ISIS's ability to operate and
communicate in cyberspace? Shouldn't we aspire to destroy ISIS's
ability to leverage cyberspace to its advantage?
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
19. Senator Perdue. Admiral Rogers, to what extent are overly
restrictive limitations or the lack of clear policy guidance from the
Obama Administration impeding your ability to utilize cyber on the
battlefield?
Admiral Rogers. Cyber has been successfully used on the battlefield
in support of and in executing primary military objectives; we are
getting better at delivering cyber effects to support our National
objectives every day. That said, it is a complex domain that requires a
better coordinated whole-of-government approach and allocation of
commensurate resources so that the speed at which cyber effects can be
delivered meet the timing and tempo required on the battlefield.
Currently, outside of existing authorities granted under the Countering
Adversary Use of the Internet (CAUI) EXORD, operations that will create
a cyber effect must be approved by the President (PPD-20).
20. Senator Perdue. Admiral Rogers, how could the military better
use the cyber tools at our disposal to target ISIL's ability to operate
and communicate over the virtual battlefield?
Admiral Rogers. [Deleted.]
cyber as a part of russian hybrid attacks and how to better aid
european allies
21. Senator Perdue. Director Clapper and Secretary Lettre, we're
seeing an intensification of so-called hybrid warfare by Russia not
only in the United States, but also against targets in Eastern Europe,
such as the use of a combination of cyberattacks, propaganda, and
little green men to destabilize and otherwise subvert Ukraine. Given
the fact that many of these actions can't be immediately confirmed as
attributed to Russia, what's the appropriate response of nation-states
to these types of actions?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
22. Senator Perdue. Director Clapper and Secretary Lettre, how do
you think Russia might further use cyber warfare going forward to
destabilize Ukraine or the Baltics, especially as a part of a broader
hybrid warfare effort?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
23. Senator Perdue. Secretary Lettre and Admiral Rogers, what are
we doing to assist states who may be vulnerable to future Russian
cyberattacks to help them build up their capabilities?
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
24. Senator Perdue. Director Clapper, Secretary Lettre and Admiral
Rogers, how concerned should we be in the United States about the
Russian capacity and capability in cyberspace?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
25. Senator Perdue. Director Clapper and Secretary Lettre, are we
prepared and postured to counter this threat?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
cyber policy deficiencies
26. Senator Perdue. Secretary Lettre and Admiral Rogers, some have
expressed concern that the dysfunction of the White House policy
process has greatly restricted the Department of Defense's ability to
provide capabilities that could address urgent warfighter needs. From a
warfighting standpoint, would you characterize the authorities
delegated to you as being expansive or limited?
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
27. Senator Perdue. Admiral Rogers, how does the delegation of
authority for Cyber Command compare to the authorities you are
delegated as NSA director in emergency situations?
Admiral Rogers. [Deleted.]
28. Senator Perdue. Admiral Rogers, how has the uncertainty
hampered your ability to meet the needs of the geographic combatant
commands?
Admiral Rogers. Uncertainty in the emerging cyberspace domain is a
challenge; however, close interagency coordination, information
sharing, and planning has delivered positive mission outcomes in
support of combatant commander objectives around the globe. As we do
so, our greatest challenge is our combatant commanders want more and
more as we bring forces online. I believe that is a testament to what
our men and women bring to the fight. What I hear from my fellow
operational commanders is ``could you do even more and could you do it
faster''?
iranian cyber threats
29. Senator Perdue. Director Clapper, Secretary Lettre and Admiral
Rogers, it now appears that Iran has ramped up its use of cyberattacks
(including on U.S. financial institutions) as well as cyber
reconnaissance efforts on diplomats and critical infrastructure. Do you
believe that the Iranian regime has control over the majority of cyber
operations that emanate from Iran? Are most cyberattacks coming from
Iran state-directed?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
30. Senator Perdue. Director Clapper, Secretary Lettre and Admiral
Rogers, could you discuss Iran's cyber capabilities and how they impact
our national security?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
north korea cyber threats
31. Senator Perdue. Director Clapper, Secretary Lettre and Admiral
Rogers, last year, South Korean officials uncovered a North Korean plot
for a massive cyberattack where North Korea hacked into more than
140,000 computers at 160 South Korean firms and government agencies.
Have you found proof of any similar threats or attacks on United States
companies and government agencies from North Korea?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
32. Senator Perdue. Director Clapper, Secretary Lettre and Admiral
Rogers, what could be done to deter North Korean cyberattacks against
the United States?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
adequate cyber force
33. Senator Perdue. Admiral Rogers, the Services are largely on
track to meet the September 2018 goal for the training of a 6,200-
person cyber force. However, the same cannot be said concerning the
development and procurement of basic tools and capabilities required
for both defensive and offensive cyber operations. Unless the services
begin to prioritize the development of these capabilities, we could be
heading down the path to a hollow cyber force. Do you agree that we are
currently on the path of creating a hollow cyber force?
Admiral Rogers. [Deleted.]
34. Senator Perdue. Admiral Rogers, are you aware that some
services failed to fund even the most basic tools like those necessary
for the cyber protection teams to assess and triage compromised
networks?
Admiral Rogers. No. Each of the Services has funded its Deployable
Mission Support System (DMSS) solution to support the Cyber Protection
Teams. I signed the DMSS System Requirements Document (SRD) on August
16, 2016. The Services participated in the year-long drafting of the
DMSS SRD and either had or were in the development of their material
solution for the DMSS during SRD development. All have procured and
provided--to some level--their DMSS. U.S. Cyber Command has funded and
is in the process of conducting a formal assessment of each Service
DMSS solution to ensure the CPTs have the minimum capability to execute
their mission. Additionally, U.S. Cyber Command is drafting a TASKORD
to each of the Service Cyber Components directing specific software
solutions to ensure standardization to meet basic CPT requirements.
35. Senator Perdue. Admiral Rogers, are the services committed to
requesting the resources needed to make our cyber forces effective? If
not, what do we need to do to ensure that we are resourcing
appropriately?
Admiral Rogers. Yes. From our perspective, each Service recognizes
the needs of our cyber forces and is committed to force readiness. Each
has brought capabilities to the fight for both offensive and defensive
purposes. That said, because each Service uses a unique model for
recruiting, organizing, manning, training, and equipping the Cyber
Mission Force, we have disparate models that do not facilitate a
uniform or holistic approach to force management across the DOD cyber
enterprise.
Additionally, the Services continue to support most U.S. Cyber
Command requests for joint capability development (manpower, tools, and
infrastructure) through appropriate DOD processes.
36. Senator Perdue. Admiral Rogers, do you have the hiring
authorities needed to compete for talent with the private sector and
retain them once trained?
Admiral Rogers. [Deleted.]
__________
Questions Submitted by Senator Ted Cruz
iran-north korea cooperation
37. Senator Cruz. Director Clapper, thank you for the response to
the October 19th, 2016 letter I sent you expressing concern over the
possible nuclear cooperation between Iran and North Korea. To follow up
on your response, it would be helpful if you could provide input to the
below questions in an unclassified format.
Director Clapper. [Deleted.]
38. Senator Cruz. Director Clapper, does the Intelligence Community
need any additional tools or policies to track Iranian and North Korean
illicit activity?
Director Clapper. [Deleted.]
39. Senator Cruz. Director Clapper, does the Intelligence Community
assess that there has been a change in the level of their collaboration
following Implementation Day of the JCPOA?
Director Clapper. [Deleted.]
40. Senator Cruz. Director Clapper, does the Intelligence Community
assess that China has increased their economic ties to North Korea,
freeing the latter from some of the effects of sanctions?
Director Clapper. [Deleted.]
china
41. Senator Cruz. Admiral Rogers, I am concerned about the
increased global reach of Chinese telecom companies that have
established infrastructure in Iran, North Korea, Sudan, Syria, and now
Cuba. United States intelligence agencies have linked these nominally
private entities to China's military and internal Pentagon reports
found that Chinese-manufactured electronics had been loaded with
malware. It is my understanding the NSA, along with the FBI, has begun
a formal review to assess the national security implications of a
potential U.S. partnership with such a company. Can you confirm this?
Admiral Rogers. [Deleted.]
42. Senator Cruz. Admiral Rogers, what is your assessment of the
national security risk that would result from United States firms
entering joint enterprises with such Chinese telecom companies?
Admiral Rogers. [Deleted.]
43. Senator Cruz. Director Clapper, when China's compliance with
the September 2015 cyber agreement came up in last week's hearing, you
testified that China continues ``to conduct cyber-espionage. They have
curtailed, as best we can tell. There has been a reduction and I think
the private sector would agree with this. There has been some reduction
in their cyber activity. The agreement simply called for stopping such
exfiltration for commercial gain.'' However, this reduction does not
remove concern that China still seeks to appropriate United States
intellectual property via cyber intrusions. According to a 2016
Department of State Overseas Security Advisory Council report,
cyberattacks from Chinese hackers have continued and outpaced other
nation-state actors in consistency, volume, and severity. Moreover,
private firm Crowdstrike found that China continued cyberattacks on
United States technology and pharmaceutical firms--suggesting a
motivation to appropriate U.S. intellectual property. Despite the
Intelligence Community's assessed curtailment of cyber-espionage by
China, do you share the report's opinion that China remains the most
active nation-state with respect to cyberattacks against American
business enterprises?
Director Clapper. [Deleted.]
44. Senator Cruz. Director Clapper, what level of confidence does
the Intelligence Community provide their assessment that the September
2015 agreement successfully curtailed Chinese hacking and by how much
has it been curtailed?
Director Clapper. [Deleted.]
45. Senator Cruz. Director Clapper, does the Intelligence Community
believe that the People's Republic of China has taken action against
any independent cyber attackers within China?
Director Clapper. [Deleted.]
north korea
46. Senator Cruz. Director Clapper, North Korea demonstrated its
cyber capabilities in the 2014 hack on Sony Pictures. In reviewing the
statutory criteria of international terrorism--`violent acts or acts
dangerous to human life that . . . [that] appear to be intended to
intimidate or coerce a civilian population'', it is my estimation that
the Sony hack clearly rose to the level of coercion. In threatening
Sony executives, North Korea effectively committed cyber terrorism
against the United States. In your professional opinion, is the Sony
hack justification for re-designating North Korea as a state sponsor of
terrorism?
Director Clapper. [Deleted.]
__________
Questions Submitted by Senator Richard Blumenthal
north korea
47. Senator Blumenthal. Director Clapper, Secretary Lettre and
Admiral Rogers, a recent report by the South Korean Defense Agency for
Technology and Quality claims that North Korea possesses the capability
to take down PACOM's network and inflict damage upon the United States
power grid. What is your assessment of this report and North Korea's
progress in development of its cyber capabilities and do you believe
that they have the capacity to disrupt PACOM or the United States power
system?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
cybercom
48. Senator Blumenthal. Admiral Rogers, what is the timeline for
elevating CYBERCOM to a fully operational combatant command?
Admiral Rogers. I have recommended to the Secretary of Defense and
the Chairman of the Joint Chiefs that Elevation of U.S. Cyber Command
can occur immediately upon the decision of the President.
__________
Questions Submitted by Senator Elizabeth Warren
u.s. tools for cyber response and strategic calculus
49. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, in public remarks at a conference on November 15, 2016, Admiral
Rogers described Russian-directed hacking to interfere with our
election as ``a conscious effort by a nation state to attempt to
achieve a specific effect.'' The Intelligence Community's January 6,
2017 declassified report, ``Assessing Russian Activities and Intentions
in Recent United States Elections,'' [hereinafter Intelligence
Community Assessment, or ICA] concluded with ``high confidence'' that
``Russian President Vladimir Putin ordered an influence campaign in
2016 aimed at the United States presidential election[,]'' that
``Russia's goals were to undermine public faith in the United States
democratic process,'' and that the Russian Government's ``influence
campaign [ . . . ] blends covert intelligence operations--such as cyber
activity--with overt efforts by Russian Government agencies, state-
funded media, third-party intermediaries, and paid social media users
or `trolls.' '' We have a diverse array of tools in our toolbox for
responding to a state-sponsored cyber-attack. The Administration
exercised some of these options on December 29, 2016--expelling spies
and sanctioning certain individuals and groups. When we respond to
cyberattacks with our own cyber-based countermeasures, what kind of
response do you generally believe is more effective: ``loud'' offensive
actions that plainly demonstrate the strength of our capabilities to
the enemy, or covert actions that might be incorrectly attributed or
otherwise misinterpreted but might have a greater effect over a longer
time? Please explain.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
qualification of a cyber-attack and protection of data integrity
50. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, during the Committee's hearing, Director Clapper suggested a
distinction between a cyber-attack and an act of cyber-espionage.
Appearing before the House Intelligence Committee on September 10,
2015, Director Clapper said the July 2015 data breach of the Office of
Personnel Management [hereinafter OPM] ``really wasn't [an attack]
since it was entirely passive and didn't result in [ . . . ]
destruction of data or manipulation of data. It was simply stolen.'' If
OPM employee information--or voter registration rosters in the recent
election--had been manipulated or corrupted in any way, would this have
constituted a cyber-attack, and what would be the threshold of intent
or harm to constitute a cyber-attack? Please explain and cite any
applicable legal authority or policy.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. Whether a particular cyber activity rises to the
level of an armed attack or a use of force under international law, or
otherwise constitutes an unlawful intervention, is determined on a
case-by-case basis by our Nation's leaders. I defer to the Office of
the Secretary of Defense response submitted below for what the
threshold of intent or harm is for an action to constitute a cyber
attack.
Yes. Generally, what constitutes a cyber attack is any malicious
cyber activity that disrupts, denies, degrades, manipulates, or
destroys computers, computer networks, the data stored on them, or the
virtual or physical services and infrastructure that they support.
However, in this scenario, after a determination is made that
malicious cyber activity constituted a''cyber attack'' on the United
States, there are a number of other factors that must be determined
including attribution, the severity and impact of what is being done
with the exfiltrated employee information, degree of information
manipulation or corruption, and intent. Each malicious cyber activity
will then be examined on a case-by-case basis and against a variety of
the aforementioned factors to determine the most appropriate response.
(whether the cyber activity constitutes an ``armed attack'' under the
law of armed conflict is a slightly different question, but would
similarly require a case-by-case determination in light of the scale
and effects)
51. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, the potential for data manipulation is a serious concern--both
for defense and civilian networks. The witnesses have previously
alluded to this point in public statements. For example, in public
remarks at a conference on November 19, 2015, Admiral Rogers shared
concerns about data manipulation stating ``what happens if what I'm
looking at does not reflect reality [ . . . and] leads me to make
decisions that exacerbate the problem I'm trying to deal with.'' Our
daily lives rely on confidence in the integrity of the data that is
used to keep our nation safe and our economy operating. In addition to
active cyber defense measures, such as firewalls, and offensive
deterrence measures, do we routinely create and monitor redundancies
for all critical data infrastructure such that, in the event of a
breach and manipulation, we are able to positively detect and correct
any distorted data? Please explain.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
norms of behavior in countering malicious cyber activity
52. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, would both state-sponsored and non-state actor-sponsored
malicious cyber-attacks on the United States constitute acts of war?
Please explain and cite any applicable authority.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
53. Senator Warren. Director Clapper and Admiral Rogers, during the
Committee's hearing, USDI Lettre made a passing reference to ``what do
we mean by a proportional response.'' When the United States decides to
execute countermeasures in response to malicious cyber activity that we
can confidently attribute to a particular state, what are the primary
considerations associated with a proportional response--the malicious
nature of the cyber-attack, the unique vulnerabilities of our
adversary, or other factors? Please explain and cite any applicable
authority.
Director Clapper. [Deleted.]
Admiral Rogers. [Deleted.]
54. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, what are the factors that determine whether malicious cyber
activity--state-sponsored or committed by a non-state actor--against
the United States requires a response? Please explain and cite any
applicable authority.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
55. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, how do you determine when and whether it is appropriate for the
United States Government to publicly attribute malicious cyber activity
directed against the United States? Please explain and cite any
applicable authority.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
56. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, how do you determine when and whether it is appropriate for the
United States Government to declassify information related to a
malicious cyber activity directed against the United States? Please
explain and cite any applicable authority.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. I concur with the response from Office of Secretary
of Defense and defer this question to the Director of National
Intelligence who is responsible for coordinating declassification
determinations in accordance with Executive Order 13526.
managing escalation in countering malicious cyber activity
57. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, how do we respond to a state-sponsored malicious cyber-attack
while maintaining escalation dominance--in other words, the ability of
the United States to limit the risk of unintended and prolonged
escalation and end a cyber-based conflict on our terms?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. The decision of how our Nation responds to a state-
sponsored malicious cyberattack is one made by our Nation's leaders.
They have all instruments of national power on the table, including
other military capabilities and a whole-of-government approach as well.
As a matter of long-standing policy, we don't define how we would
respond to an adversary in any domain. My duty is to provide the
Secretary and President with credible options in cyberspace that, along
with options in other domains, offer our leadership multiple courses of
action to control escalation. From my perspective, that is best done
with policies and authorities that enable our cyber mission forces to
conduct their missions when directed.
enhancing cyber security in our democracy
58. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, the United States has a highly-digitized, interconnected
economy that is more vulnerable to cyber intrusions because the
Government does not exercise authoritarian control over the Internet.
How do we fortify our own critical cyber-infrastructure against attacks
while maintaining the openness and transparency of our networks?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
59. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, private businesses and other companies are increasingly the
targets of state-sponsored cyber-attacks, and protecting the
information held by these companies and their customers is important to
our citizens' privacy, our economic security, and our national
security. Cybersecurity presents many challenges, including the
potential friction between information sharing among government
agencies and private companies to pre-empt cyber threats, and the
desire to secure communications and devices through encryption. Given
the greater vulnerability of our open and interconnected networks, are
you concerned that the sharing of cyber threat data among the
Government and the private sector could make our country more
vulnerable to theft and other malicious cyber activity--in addition to
endangering the privacy of our citizens' data? Please explain,
including relevant concerns under both voluntary and mandatory sharing
scenarios.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
60. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, would universal encryption--without any mandated backdoors--on
servers and devices help address the unintended consequences of well-
intentioned cyber threat information sharing?
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
russian malicious cyber activity against other nations' elections
61. Senator Warren. Director Clapper, Secretary Lettre and Admiral
Rogers, the Intelligence Community Assessment observed that Russia
``will apply lessons learned from its campaign aimed at the United
States presidential election to future influence efforts in the United
States and worldwide, including against U.S. allies and their election
processes.'' With elections scheduled this year in the Netherlands,
France, Germany, and elsewhere, what steps are your agencies currently
taking to help strengthen these and other allies' cyber defense
capabilities against Russian and other election-related state-sponsored
malicious cyber activity? Please explain.
Director Clapper. [Deleted.]
Secretary Lettre. [Deleted.]
Admiral Rogers. [Deleted.]
[all]