[Senate Hearing 115-716]
[From the U.S. Government Publishing Office]
S. Hrg. 115-716
STATE-SPONSORED CYBERSPACE THREATS:
RECENT INCIDENTS AND U.S. POLICY RESPONSE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON EAST ASIA, THE
PACIFIC, AND INTERNATIONAL
CYBER SECURITY POLICY
OF THE
COMMITTEE ON FOREIGN RELATIONS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
JUNE 13, 2017
__________
Printed for the use of the Committee on Foreign Relations
Available via the World Wide Web:
http://www.govinfo.gov
___________
U.S. GOVERNMENT PUBLISHING OFFICE
38-379 PDF WASHINGTON : 2019
COMMITTEE ON FOREIGN RELATIONS
BOB CORKER, Tennessee, Chairman
JAMES E. RISCH, Idaho                BENJAMIN L. CARDIN, Maryland
MARCO RUBIO, Florida                 ROBERT MENENDEZ, New Jersey
RON JOHNSON, Wisconsin               JEANNE SHAHEEN, New Hampshire
JEFF FLAKE, Arizona                  CHRISTOPHER A. COONS, Delaware
CORY GARDNER, Colorado               TOM UDALL, New Mexico
TODD YOUNG, Indiana                  CHRISTOPHER MURPHY, Connecticut
JOHN BARRASSO, Wyoming               TIM KAINE, Virginia
JOHNNY ISAKSON, Georgia              EDWARD J. MARKEY, Massachusetts
ROB PORTMAN, Ohio                    JEFF MERKLEY, Oregon
RAND PAUL, Kentucky                  CORY A. BOOKER, New Jersey
Todd Womack, Staff Director
Jessica Lewis, Democratic Staff Director
John Dutton, Chief Clerk
SUBCOMMITTEE ON EAST ASIA, THE PACIFIC,
AND INTERNATIONAL CYBERSECURITY POLICY
CORY GARDNER, Colorado, Chairman
JAMES E. RISCH, Idaho                EDWARD J. MARKEY, Massachusetts
MARCO RUBIO, Florida                 JEFF MERKLEY, Oregon
JOHN BARRASSO, Wyoming               CHRISTOPHER MURPHY, Connecticut
JOHNNY ISAKSON, Georgia              TIM KAINE, Virginia
C O N T E N T S
----------
Page
Gardner, Hon. Cory, U.S. Senator from Colorado................... 1
Markey, Hon. Edward J., U.S. Senator from Massachusetts.......... 2
Merkley, Hon. Jeff, U.S. Senator from Oregon..................... 3
Ravich, Dr. Samantha, Senior Advisor, Foundation For Defense of
Democracies, Washington, DC.................................... 4
Prepared statement........................................... 25
Rosenbach, Hon. Eric, Co-Director, Belfer Center for Science and
International Affairs, Harvard University, Cambridge, MA....... 6
Prepared statement........................................... 8
STATE-SPONSORED CYBERSPACE
THREATS: RECENT INCIDENTS
AND U.S. POLICY RESPONSE
----------
TUESDAY, JUNE 13, 2017
U.S. Senate,
Subcommittee on East Asia, The Pacific,
and International Cybersecurity,
Committee on Foreign Relations,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:50 p.m. in
Room SD-419, Dirksen Senate Office Building, Hon. Cory Gardner,
chairman of the subcommittee, presiding.
Present: Senators Gardner [presiding], Markey, Merkley, and
Kaine.
OPENING STATEMENT OF HON. CORY GARDNER,
U.S. SENATOR FROM COLORADO
Senator Gardner. Well, thank you. I will call this hearing
to order.
Thank you all for being here and welcome to the third
hearing in the East Asia, The Pacific, and International
Cybersecurity Policy Subcommittee meeting in the 115th
Congress.
Today's topic is state-sponsored threats in cyberspace,
which has emerged as one of the primary national security
challenges for the United States Government, the primary risk
to the U.S. economy in the private sector, and the primary
threat to our Nation's critical infrastructure.
Simply put, our national and economic security depends on
both securing our networks and effectively deterring our
adversaries who are getting stronger, not weaker, by the day.
According to the 2017 Worldwide Threat Assessment of the
United States intelligence community, ``our adversaries are
becoming more adept at using cyberspace to threaten our
interests and advance their own, and despite improving cyber
defenses, nearly all communication networks and systems will be
at risk for years.''
The report specifically mentions China, Russia, Iran, and
North Korea as the four cyber actors of greatest concern. These
countries have developed asymmetric cyber capabilities that can
cause significant damage to the United States and American
interests with little public awareness of the immense
consequences.
Yesterday, the ``Washington Post'' reported hackers, allied
with the Russian Government, have devised a cyber weapon that
has the potential to be the most disruptive yet against
electric systems that Americans depend on for daily life. This
is the same group that attacked Ukraine's electric grid in
2015, leaving 225,000 people without power. Last month, the so-
called WannaCry ransomware affected over 200,000 users in 151
countries, allegedly by exploiting certain machines with an
unpatched software flaw.
Our policies have not effectively kept up with the threat.
The U.S. international strategy for cyberspace is now over 6
years old, and so in technology terms, it is a fossil.
Our efforts to develop effective global cyber norms and the
components that are necessary for global partnerships have also
sputtered. As the 2017 Worldwide Threat Assessment stated,
although efforts are ongoing to gain adherence to certain
voluntary, non-binding norms of responsible state behavior in
cyberspace, they have not gained universal acceptance, and
efforts to promote them are increasingly polarized. The good
actors are being outpaced by the dark arts of cyber.
Our diplomatic and economic response has been similarly
lacking. Despite the bevy of executive orders and legal
authorities available for successive administrations to punish
state-sponsored actors, only a handful of North Korean actors
were designated after the Sony attack in 2014.
Last year, Senator Menendez and I led the passage of the
North Korea Sanctions and Policy Enhancement Act, the first
legislation to mandate sanctions on malicious cyber actors
working on behalf of that regime regardless of where they are
based. Not one--not one--has been designated to date under this
legislation.
Cyber attackers do not sleep. They do not sleep at the
switch. They reprogram it. We must choose to either use all
instruments of national power, including diplomacy, economic
sanctions, and offensive capabilities to deter the malicious
cyber actors or cede the field to our adversaries and face
catastrophic consequences.
I look forward to hearing from our distinguished witnesses
today on ways that we can strengthen U.S. policy to address
these grave threats.
With that, I will turn it over to our ranking member,
Senator Markey from Massachusetts.
STATEMENT OF HON. EDWARD J. MARKEY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Markey. Thank you, Mr. Chairman, very much. And
thank you for convening what I believe is going to be one of
the most important hearings that is conducted here in
Washington this week.
As you mentioned, the recent WannaCry ransomware attack has
yet again highlighted the vulnerability of digital devices to
exploitation and disruption by malicious actors. Today's era is
known as the IOT, the Internet of Things. But IOT can also
stand for Internet of Threats.
And 24 years ago in April of 1993, I, as the chairman of
the Telecommunications Committee in the House of
Representatives, conducted a hearing in 1993, during which a
group of specialists from Sun Microsystems demonstrated in real
time how simple tools could be used to steal data from personal
electronic devices. That hearing showed that the architecture
of the Internet was created for ease of access, not for
security. And as Secretary Rosenbach notes in his testimony
today, heavy U.S. reliance on digital devices and
communications means that these security gaps could have an
outsized impact on U.S. national security and economic
prosperity. That hearing in 1993 also demonstrated, as they
pointed out, how there could be a cracking into the Kremlin or
to the Pentagon or to our South Pacific fleet.
So these are not new issues. These are issues that we just
decided not to fully deal with in terms of what the implications
are for our Nation.
And just yesterday, the ``Washington Post'' reported that
Russian hackers have developed a cyber weapon that can attack
our electricity systems. They were already successful in
disrupting an energy system in the Ukraine, making it that much
more important that we double down on protections to have our
grid at home be protected.
In fact, just a few Congresses ago, Congressman Fred Upton
and I were able to pass a bill through the House of
Representatives, which was called the GRID Act, that mandated
an upgrading in the overall protections against cyber attacks
which could occur in our country. But that was in 2010. It came
over here to the Senate, and unfortunately it died. But those
hearings--that record all was established because the National
Security Agency, because the intelligence agencies had come to
Fred and I asking us to do something because they felt the
threat was real.
So this is something that is possible. It already happened
in the Ukraine. It is something that keeps national security
people up at night worrying about how vulnerable our own
national electricity system could be and other parts of our
system as well. That is why this hearing is so important.
Thank you, Mr. Chairman.
Senator Gardner. Thank you, Senator Markey.
Senator Merkley, thanks for joining us. Anything that you
would like to say off the bat here as we begin?
STATEMENT OF HON. JEFF MERKLEY,
U.S. SENATOR FROM OREGON
Senator Merkley. It is extremely important, both as it
relates to the security of our infrastructure, certainly the
security of our elections, the security of our financial
systems. We have seen attacks in each area, and I am looking
forward to the testimony of our experts.
Senator Gardner. Thank you, Senator Merkley. Thanks for
joining us today.
We will turn to the testimony now. Our first witness is Dr.
Samantha Ravich who currently serves as a Senior Advisor to the
Foundation for the Defense of Democracies, or FDD, as well as
the principal investigator on cyber-enabled Economic Warfare
Project at FDD's Center for Sanctions and Illicit Finance. Dr.
Ravich is the former Deputy National Security Advisor for Vice
President Cheney and served in the White House for over 5
years. Following her time at the White House, Dr. Ravich was
the co-chair of the congressionally mandated National
Commission for Review of Research and Development Programs in
the United States intelligence community. Welcome, Dr. Ravich.
Our second witness today is the Honorable Eric Rosenbach,
who serves as Co-Director of the Belfer Center for Science and
International Affairs at the Harvard Kennedy School. Mr.
Rosenbach formerly served as chief of staff to Secretary of
Defense Ash Carter and also as Assistant Secretary of Defense
responsible for leading all aspects of the Department's cyber
strategy, policy, and operations. He also served here in the
Senate as national security advisor for then Senator Chuck
Hagel and as a professional staff member on the Senate Select
Committee on Intelligence. Welcome, Mr. Rosenbach.
And Dr. Ravich, thank you very much for being here, and we
will go ahead and proceed with your testimony.
STATEMENT OF DR. SAMANTHA RAVICH, SENIOR ADVISOR, FOUNDATION
FOR DEFENSE OF DEMOCRACIES, WASHINGTON, DC
Dr. Ravich. Thank you. Chairman Gardner, Ranking Member
Markey, distinguished members of the subcommittee, thank you
for inviting me to participate in this important hearing.
My testimony today focuses on an area that I believe is
woefully underappreciated, yet cannot be more important for our
country, and that is the use of cyber means by adversarial
states to purposefully undermine our economy in order to weaken
us militarily and politically.
It is my contention that the threats are real, the warfare
is ongoing, and that the U.S. Government is inadequately
structured to properly and comprehensively detect, evaluate,
and address cyber-enabled economic threats. The U.S. Government
has made great strides in organizing itself to protect and
defend the .gov and .mil realms, but our Nation's greatest
vulnerability may lie with adversarial attacks on the U.S.
private sector.
It is true that the business of America is business, and
the business of America is at risk of being hollowed out from
the inside by everything from theft of intellectual property to
the malicious infection of the supply chain to the degradation
of confidence in our commerce, banking, and transportation
sectors.
But it is not the pure cyber criminal that should keep this
committee up at night. Rather, it is the hostile state actor
who recognizes that while it may not be able to compete
directly with America's strength of arms, it holds a
significant asymmetric advantage in attacking our economic
wherewithal and, by so doing, weaken us militarily or
politically. We call this purposeful strategy cyber-enabled
economic warfare.
Two of the most active players in this field are the
Chinese and the North Koreans. For decades, China has been
engaged in a massive, prolonged campaign of intellectual
property theft against U.S. firms, costing potentially hundreds
of billions of dollars and more than 2 million jobs. China's IP
theft campaign constitutes a large, if not the largest, part of
what appears to be Beijing's overall cyber-enabled economic
warfare strategy against the U.S. and the West more generally,
which they themselves have described as, ``a form of non-
military warfare which is just as terribly destructive as a
bloody war but in which no blood is actually shed.''
Recently Beijing punished a private South Korean company in
part by denial of service attacks for participating in the
THAAD deployment. The revenue loss was marginal, but the move
has prompted deep concerns in Seoul. South Korea exported over
$120 billion to China last year, about a quarter of the
country's total exports, and is particularly vulnerable to
Chinese coercion. A possible result, South Korean President
Moon has suspended further deployment of THAAD.
However, Washington and its allies have been slow to
comprehend the threat from China primarily because they view
each cyber-enabled economic attack individually as separate
incidents instead of collectively as elements in an overall
coordinated campaign.
And North Korea. South Korean police cyber investigators
stated in 2016 that North Korea had operationalized a long-term
plan involving the seeding of malicious code at over 160 South
Korean private firms and government agencies, ``aimed to cause
confusion on a national scale by launching a simultaneous
attack.''
As well, North Korean hackers most likely initiated the
WannaCry ransomware attack. The monetary haul from the scheme
was minimal, leading some analysts to question if the effort
was a test for a larger attack. Similar assessments have been
made about the 2016 cyber bank heist on the New York Fed tied
to a North Korean cyber group. While some have remarked that it
appears that the North Koreans may now be robbing banks, it is
more chilling to consider that the North Koreans now may be
targeting our banking sector.
With a GDP per capita of barely $1,000, North Korea has an
obvious need to rob banks. But Kim Jong-un is not simply a
Korean Willie Sutton. In a military confrontation with the U.S.
and South Korea, Kim would look to any capability that could
help even out the overwhelming military advantage of the
allies. Attacking our economies, which he has already proven he
can and will do, may be the quickest way to gain battlefield
advantage since it could potentially cause panic in our markets
and on our streets.
Without a concerted effort, the United States' economy will
become increasingly vulnerable to hostile adversaries seeking
to undermine our military and political strength. The U.S.
Government must immediately undertake a number of actions to
prevail in this new battlespace, including sustained attention
in understanding the capabilities and intentions of adversarial
leadership with a long-term strategy to deter and defeat them.
But the U.S. cannot go it alone in its endeavors to
safeguard the networks and systems upon which our economy
depends and which we must take steps to formalize the cyber
partnerships that already exist with the other free market
democracies that are leaders in cyber science and technology,
specifically with the UK and Israel.
I have included additional recommendations and policy
prescriptions in my written testimony. I thank you for the
opportunity to testify, and I look forward to your questions.
[Dr. Ravich's prepared statement is located at the end of
this hearing transcript, beginning on page 25.]
Senator Gardner. Thank you, Dr. Ravich, and thank you for
being very prompt. Thank you.
Mr. Rosenbach?
STATEMENT OF HON. ERIC ROSENBACH, CO-DIRECTOR, BELFER CENTER
FOR SCIENCE AND INTERNATIONAL AFFAIRS, HARVARD UNIVERSITY,
CAMBRIDGE, MASSACHUSETTS
Mr. Rosenbach. Mr. Chairman, before I started, I wanted to
let you know something I hope does not get me in trouble with
Senator Markey. I was born and raised in Colorado, a die-hard
Denver Broncos fan. So despite the fact I live in Cambridge,
Massachusetts, I am going to fly a big Denver Broncos flag out
there all the time.
Senator Gardner. Did you go to school at the University of
Colorado, the hub of the West?
Mr. Rosenbach. I grew up in Colorado Springs and
Breckenridge. So not in college, but still cheering for the
Orange Crush. Sorry, Senator.
Chairman Gardner, Ranking Member Markey, and Senator
Merkley, thank you very much for the invitation and thank you
for calling this important hearing today.
As technology advances and we become more connected, we
increasingly live in a digital glass house that must be much
better protected. I like to use the glass house analogy because
it helps to illustrate two important points.
First, that cyber warfare is truly asymmetric: a small
nation with an offensive cyber capability can have an outsized
effect on a larger power. For example, the U.S., a
technological and economic powerhouse, is significantly more
vulnerable to cyber attack than North Korea, as we just heard
from Dr. Ravich, a nation where most citizens do not even have an
Internet connection. We should, therefore, think very carefully
about the implications of a possible North Korean cyber attack
against the United States, something that I unfortunately
believe is likely to happen within the next year if current
trends continue.
Second, democracies' transparent, open societies also make
them vulnerable to foreign information operations. This
vulnerability is exacerbated by high levels of Internet
accessibility and the rapid pace and breadth of information
sharing. In contrast, authoritarian societies like China,
Russia, and North Korea often control the media, censor
domestic online activity, and shield their nations to some
degree from outside information and cyber operations through
the use of national-level firewalls like the Great Firewall of
China, for example.
Unfortunately, no nation, including the United States, has
responded to Russia's recent potent hybrid of cyber and
information attacks in a way that is visible and forceful
enough to deter future attacks. The fragility of our national
security posture, combined with our adversaries' perception
that Russia's recent actions achieved unprecedented success,
increases the likelihood that the U.S. and our allies will
experience more serious attacks like this in the coming years.
Thus, the U.S. needs to bolster its deterrence posture by
both raising the costs and decreasing the benefits to hostile
actors of engaging in this conduct.
In 2015, the Department of Defense articulated for the
first time our strategy on deterrence in cyberspace. In short,
the strategy said that deterrence is partially a function of
perception. We said that deterrence works by convincing a
potential adversary that it will suffer unacceptable costs if
it conducts an attack against the United States and by
decreasing the likelihood that the potential adversary's attack
will succeed. And this is all based on their perception of
that.
In terms of increasing the costs of an attack, the U.S. and
international community should be less circumspect about
employing all available foreign policy tools, particularly
those outside of the cyber domain. Given the glass house effect
that I previously described, we should be careful about
responding to cyber attacks with military options. However, we
should be prepared to use our superior cyber capabilities
strategically and creatively to demonstrate our willingness to
act in the face of serious provocations.
Additionally, the U.S. must increase the costs of cyber and
information operations by using foreign policy tools outside
the military domain such as: 1) attributing publicly cyber and
information attacks as soon as we have confidence in their
origins and not waiting for months or longer; 2) pushing for
sustained multilateral economic sanctions against states that
use cyber and information weapons; 3) reinventing our
capabilities with respect to information operations and our
strategy for countering them; and 4) taking a leading role in
building international capacity to disrupt the proliferation of
black market destructive malware.
As I mentioned, reducing the benefits that adversaries
derive from cyber and information operations is another key
aspect of bolstering our deterrence posture. To do this, the
administration, Congress, and the private sector should work
together to: first, pass legislation that the government and
the private sector can share threat information, including with
State election bodies and campaigns to facilitate that; two,
legislate mandatory compliance of the new Cybersecurity
Framework, something that I know you have done some work on;
three, pursue aggressive steps to mitigate the effect of
information operations on the platforms of leading tech
companies, including Facebook, Twitter, and Google; and four,
incentivize private sector investment in cloud-based security,
blockchain-enabled transactions, and quantum computing.
In the interest of time, I will submit the rest of my
testimony for the record.
But I would like to say that the strength of the American
tech sector has driven the American economy for almost 2
decades, driven our democracy. It is very important that we
protect that center of gravity by bolstering our deterrence
posture and doing some of the things that I spoke about and
some of the things also that Dr. Ravich just mentioned as well.
Thank you very much.
[Mr. Rosenbach's prepared statement follows:]
Prepared Statement of Hon. Eric Rosenbach
``Living in a Glass House: The United States Must Better Defend Against
Cyber and Information Attacks''
Chairman Gardner, Ranking Member Markey and other distinguished
members of the Committee, thank you for calling today's hearing on
cybersecurity and for the invitation to testify.
As technology advances and we become more connected, we
increasingly live in a digital ``glass house'' that must be much better
protected. I like to use the glass house analogy because it helps
illustrate two important points.
First, that cyber warfare is truly asymmetric: a small nation with
an offensive cyber capability can have an outsized effect on a larger
power. For example, the U.S.--a technological and economic powerhouse--
is significantly more vulnerable to cyberattack than North Korea, a
nation where most citizens do not even have an internet connection. We
should therefore think very carefully about the implications of a
possible North Korean cyberattack on the United States, something that
I believe is likely to happen within the next year if current trends
continue.
Second, that democracies' transparent, open societies also make
them vulnerable to foreign information operations. This vulnerability
is exacerbated by high levels of internet accessibility and the rapid
pace and breadth of information sharing. In contrast, authoritarian
societies like China, Russia and North Korea often control the media,
censor domestic online activity and shield their nations (to some
degree) from outside information and cyber operations through the use
of national-level firewalls, such as the Great Firewall of
China.
Unfortunately, no nation, including the United States, has
responded to Russia's recent potent hybrid of cyber and information
attacks in a way that is visible and forceful enough to deter future
attacks. The fragility of our national cybersecurity posture, combined
with our adversaries' perception that Russia's recent actions achieved
unprecedented success, increases the likelihood that the U.S. and our
allies will experience more serious attacks in the coming years.
Thus, the U.S. needs to bolster its deterrence posture by both
raising the costs and decreasing the benefits to hostile actors of
engaging in this conduct.
In 2015, the Department of Defense articulated for the first time
our strategy on deterrence in cyberspace. In sum, the strategy
articulated that deterrence is partially a function of perception. As
the DoD strategy explains, deterrence works by ``convincing a potential
adversary that it will suffer unacceptable costs if it conducts an
attack on the United States, and by decreasing the likelihood that a
potential adversary's attack will succeed.'' \1\
---------------------------------------------------------------------------
\1\ The Department of Defense Cyber Strategy, April 2015, p.11.
---------------------------------------------------------------------------
In terms of increasing the costs of an attack, the U.S. and
international community should be less circumspect about employing all
available foreign policy tools, particularly those outside of the cyber
domain. Given the ``glass house effect'' that I previously described,
we should be careful about responding to cyberattacks with military
options since the U.S. has more to lose from an escalation in cyber-
initiated conflict. We should, however, be prepared to use our superior
cyber capability strategically and creatively in order to demonstrate our
willingness to act in the face of serious provocations.
Additionally, the U.S. must increase the costs of cyber and
information operations by using foreign policy tools outside the
military domain, such as: 1) attributing publicly cyber and information
attacks as soon as we have confidence in the origins; 2) pushing for
sustained multilateral economic sanctions against states that use cyber
and information weapons; 3) reinventing our capabilities with respect
to information operations and our strategy for countering them; and 4)
taking a leading role in building international capacity to disrupt the
proliferation of black-market destructive malware.\2\
---------------------------------------------------------------------------
\2\ By disrupting the black market for destructive malware and
other exploits, the international community would increase the costs
associated with conducting cyber and information attacks. This is a
difficult challenge, but the Proliferation Security Initiative for
weapons of mass destruction--a global initiative supported by over 100
countries--provides an analogous model for action.
---------------------------------------------------------------------------
As I mentioned, reducing the benefits that adversaries derive from
cyber and information operations is a key aspect of bolstering our
deterrence posture. To do this, the administration, Congress and
private sector should work together to: 1) pass legislation that
improves the ability for the government and private sector to share
cyber threat information, including with state election bodies and
campaigns; 2) legislate mandatory compliance with the NIST's
Cybersecurity Framework for critical infrastructure providers; 3)
pursue more aggressive steps to mitigate the effect of information
operations on the platforms of leading tech companies, including
Facebook, Twitter and Google; and 4) incentivize investment in cloud-
based security, blockchain-enabled transactions and quantum computing.
Developing and employing operational cyber capabilities is an
important way to advance U.S. national interests. That said, we simply
must keep sensitive vulnerabilities and exploits secure. Allowing this
type of sensitive knowledge to get into the public domain damages
American tech firms and increases the likelihood that hostile actors
will conduct malicious actions against the U.S.
In sum, the strength of the tech sector and the internet has driven
American economic growth and strengthened our democracy for the past
two decades. The corollary of this success, though, is that the U.S. is
increasingly vulnerable to cyber and information attacks. In order to
maintain the ``center of gravity'' for the United States, we must
bolster America's cybersecurity posture and rethink our strategy for
countering foreign information operations.
Senator Gardner. Thank you, Mr. Rosenbach.
And we will proceed with questions.
I guess I would kind of lay out just a question about
process and the construct of our ability to deal with cyber
threats. You both mentioned various elements and various
dimensions of the cyber challenge we face. You talked about
cyber-enabled economic warfare. In your testimonies, you talked
about IP theft. You talked about theft of intellectual property
in the United States, which some estimate as high as $540
billion a year I believe is in your testimony. We have talked
about how North Korea has hacked Sony Pictures. We have talked
about the ransomware. And so there are so many different
elements of cyber policy.
We have different elements within the Federal Government to
respond to those. We have a tech czar at the White House. We
have a cyber position at the Department of State. We have
offices within the Pentagon.
As you look at the Federal Government, who is in charge of
our cyber policy? Either one of you.
Mr. Rosenbach. Senator, I think that is a great question.
And I have to be honest, when I look at the administration
right now, I am not as sure about that. There is still the
White House cyber coordinator, but I am not sure, even during
the Obama administration, that that position was empowered
enough to bring all of the people from around the government to
the table and to really drive some of the change that is
necessary to make a big difference.
I think when it comes down to it, there has to be
collaboration between all the departments and agencies. When I
first started in the Obama administration almost 8 years ago,
it was a mess in terms of figuring out even what the roles and
responsibilities were and the lanes and the roads were for
defending the country and working with the private sector. I
think that is more established now, but we still could use a
very strong leadership position there.
Senator Gardner. Dr. Ravich, who is in charge?
Dr. Ravich. Well, I have to agree with my co-panelist that
for the entire apparatus there currently is not an empowered
either an individual or an agency to do what I think is
necessary which, borrowing a phrase from the military, is a bit
of an OODA loop. I mean, how are we going to understand the
threat that is out there so that we make sure that as we are
putting in the right--either on the defense or an offense, it
is having the effect that we want.
Right now, still cyber war is not run by computers. It is
run by the man behind the man behind the computer. These are
decisions being made on the adversarial state level by
leadership and people empowered by the leadership in
adversarial states. It does not just all of a sudden happen.
So the first of the OODA loop, observe. Do we really
know who is in charge of making these decisions in a Russia, in
a China, in Pyongyang, in a Tehran so that we can exploit
fissures and vulnerabilities to go after the people that are
making those decisions and then funneling it down to the
operators and being able to see the effects? I do not see this
loop.
Senator Gardner. And I think that is a significant problem
that we face because we do not know who is in charge, and that
is a big challenge because in your testimony I think you lay
out as the U.S. economy grows and as an economy anywhere on the
globe becomes more sophisticated, then they are more vulnerable
and more susceptible to cyber attacks. And as the asymmetric
ability of North Korea or Iran rises, it is pretty doggone
important that we have somebody that we can turn to and say you
are in charge of this government's cyber policy.
One of the things that I have supported and others on the
committee have supported is the creation of a select committee
on cybersecurity that would take the ranking member and the
chair of each committee that has jurisdiction over
cybersecurity, put them on one committee so that they can have
a whole-of-government view because this is a complex issue.
This is not just about weapons systems that the Defense
Department Science Board noted that the nation's weapons
systems are at risk from the malicious insertion of defects or
malware. It is not just about that. It is not just about North
Korea's Sony attacks. It is about changing decimal points at
hospitals that could result in deaths. It is about a whole-of-
government view, and we need to know who is in charge.
So with that being said, a scale of preparedness. Where on
the scale of preparedness, 0 to 100, where is the United States
Government in preparedness against some kind of major cyber
event?
Dr. Ravich. Well, given what I wrote in my testimony and
what I said, that the U.S. Government looks after .mil and .gov
and .com is essentially on your own, right there you are
starting from less than 50 percent or more because who is
watching out for the very lifeblood of our country? We would
not be the number one military if we were not the number one
economy. So I think right there you are starting out and you
have the beginning of your answer.
Senator Gardner. Mr. Rosenbach, just to maybe ask a
different question to you. You talked about raising costs and
decreasing benefits for the acts of a cyber hack. Did we make
the costs sufficient enough on North Korea in relation to Sony?
Did we make it sufficient enough in Iran after a variety of
hacks of electric facilities in this country? Did we make it
sufficient toward Russia? And I have an amendment to the
sanctions bill that would require cyber sanctions on Iran. Just
briefly if you could hit that and then we will turn to Senator
Markey.
Mr. Rosenbach. Yes, sir. I think in the case of the North
Korean cyber attacks against Sony that the response was strong
enough and was quite good because it then mitigated attacks
from North Korea down the road.
That said, I do not think the response in the case of the
recent Russian cyber and information operations against the
United States was strong enough at all, which leaves,
unfortunately, I think the perception that other adversaries
will try to take advantage of our system to do something
similar down the road.
Senator Gardner. We are going to work on this week. So
thank you.
Senator Markey?
Senator Markey. Thank you, Mr. Chairman, very much.
Turning to those Russian elections--the Russian
interference in our elections, it does not have to be complex.
It can be a relatively simple spear phishing attack, and that
can ultimately have very important consequences within our
country and just luring someone into giving over their
credentials to an attacker. And by the way, the same thing
could happen in China, lure people in in utilities to give over
information that can be valuable then for the subsequent, much
more devastating attack.
So when you were answering the questions of the chairman
about the vulnerability of our government, when you look at the
utility sector, Mr. Rosenbach, do they take it seriously enough
yet? Do they actually want to spend the money in order to
ensure that they have got state-of-the-art protections which
are built in? Are they just willing to run kind of the risk
that maybe they will be lucky and it will never hit them but
they never had to spend the money in order to protect against
an attack, which we know that Russia already launched against
Ukraine successfully and that they or the North Koreans or
other could launch against us? So does the utility industry
take it seriously enough?
Mr. Rosenbach. Senator, it is definitely on their radar.
They have dedicated efforts. All of the utility companies look
at this, but they do not take it seriously enough. And that is
the right way to ask the question I think.
Senator Markey. Why is that?
Mr. Rosenbach. I think when it comes down to it, some of
this stuff can be expensive and it can be complicated. And
normally you are not forced to do things unless you have to or
there is a return to your bottom line. Cybersecurity is a cost
center. In some domains--banks, for example--they are willing
to spend the extra money because they see that it is a good
investment. I am not sure it is the same in the utility sector.
Senator Markey. Joe Tucci is a friend of mine. He is the
CEO of EMC. He was until Dell purchased EMC. But that is the
largest company in Massachusetts. But within that company is a
subgroup called RSA, which is kind of state-of-the-art cyber
protections. And I asked Mr. Tucci. I said why do companies not
buy the state-of-the-art from RSA? He said, well, they do not
want to spend the money. And I said, well, what if they did
spend the money? Well, he said, then they would be protected
because we are constantly upgrading, but they do not want to
spend the money. And then I continued to pursue it because it
goes to government contractors or to private sector companies
as well, just trying to probe why they will not spend the
money. And as you said, it is a cost center. They do not want
to spend it, but it causes inevitably kind of a catastrophic
event.
So can you get into that mentality a little bit more and
what your recommendations would be to us in order to make sure
that we prepare our country properly for the inevitable, which
is that cyber is going to become the tool which is used in so
many more instances than conventional weapons because they do
not potentially cause fatalities, but the disruptions could be
catastrophic?
Mr. Rosenbach. Senator, like I mentioned in my opening
comments, a starting point is to make the NIST framework
mandatory for critical infrastructure and the energy sector in
particular. And remember, the private sector, the energy sector
works with NIST on this to come up with the framework. It is
not as if it is legislated in law that you need to have three
firewalls and your network needs to be architected in that
way. When you read the ``Washington Post'' article from
yesterday and you see what happened in Ukraine, you better take
the warning because, if you do not both play defense and then
have a strong deterrence posture, something bad is going to
happen and we will regret we did not do more.
Senator Markey. And then you turn to the industry and you
say to the industry, let us have standards. And they go, yes,
but voluntary standards. Please do not make it mandatory. That
would be like financially catastrophic for us. But we agree
with you. It could be catastrophic if there is an attack on the
electric grid.
So how do we deal with that issue if we know what the
threat is, we know it happened in Ukraine, we know it could
apply just as easily to the electric grid of the United States,
and we have an industry that wants voluntary, not mandatory
protections which are built into the system?
Mr. Rosenbach. Sir, I think you need to legislate on it.
You know, there have been various bills that incorporate both
information sharing and some sort of standard for
infrastructure protection. Do it in certain sectors. Make sure
that it is not overly burdensome, that it is done in
conjunction with the private sector. I also believe that it is
a little counterintuitive but that it would do something to
spur the economy and the tech sector because there would end up
being more demand for that. And in the end, it would be two net
positives rather than something that would be an overly
burdensome regulatory regime.
Senator Markey. And I agree with you.
Do you agree with Mr. Rosenbach, Dr. Ravich?
Dr. Ravich. I do. But I think this also points to an area
where government-funded research and development is needed,
whether we are talking about new advances in SCADA legacy
systems or the truly long tail R&D that the private sector has
a hard time making a case for up front with its investors
because when they are going to get the returns from it is a
little unknown are perfect areas for serious cyber R&D that I
believe the U.S. Government should be on the forefront of
promoting with, I would add, two of our closer friends and
allies that are the other two most technologically savvy
countries in the world, the UK and Israel. We should be
thinking about working closer with those two nations in some
form of cyber co-op with a structured R&D agenda as potentially
the first thing that we go ahead on, things that the private
sector may not put their money to do but is necessary for the
security of our economies and our systems.
Senator Markey. Senator Merkley and I were in--Senator
Gardner--we were in Israel last year, and that is one of the
points that the prime minister was making to us, that they are
really focusing upon cybersecurity. It is a big, new industry
for them. And so when I got back up to Boston, I asked one of
the cyber company CEOs about Israel. And he said, oh, they are
the best. They are state-of-the-art. We bought five of their
companies this year.
So you are right. There is a close working
interrelationship, and it would get better if there is a
mandate that especially the critical infrastructure in our
country had to be protected. You would not have to worry. It
would get developed and the costs would go down. The technology
would become more ubiquitous, but until that signal is sent, I
think we are going to just see a constant repetition syndrome
of a cycle where the same thing happens. Everyone responds.
They are actually shocked. They hope that the issue goes away.
And then we wait for the very next thing to occur but in a
slightly different setting.
Thank you, Mr. Chairman.
Senator Gardner. Thank you, Senator Markey.
Senator Merkley?
Senator Merkley. Well, thank you, Mr. Chair.
And thank you both for your testimony.
Dr. Ravich, I was fascinated by your story about South
Korea and China. If I understand right--is it pronounced Lotte?
Dr. Ravich. Lotte.
Senator Merkley. The Lotte Company. That, of course, makes
me want to go out and buy some coffee.
But the Lotte Company sold its golf course to the
Government of South Korea so that they could put up the THAAD,
the terminal high altitude area defense anti-missile system.
And then the Chinese said, well, we will make an example out of
them. They shuttered their stores, a traditional type of
response. They then took down the Lotte website with a denial
of service attack, so a cyber attack. And then the Chinese
retailers dropped Lotte products from their sites. And all of
this just as there was a new prime minister in South Korea--a
new president who then sent an emissary to President Xi of
China. And in short order, Lotte was unblocked and South Korea
suspended the THAAD program.
Is it your understanding that really the suspension of the
THAAD program came directly as a response to the Chinese cyber
attack on South Korea?
Dr. Ravich. Well, I do not know if it was a direct result
or it is part of a larger pattern of Chinese coercion against
the South Koreans in this context. When China looks at all of
the different muscles that it can flex when it has that type of
trading arrangement with the South Koreans and know that the
South Koreans have that much product that they are selling into
China, China holds a lot of cards. And this was clearly a shot
across the bow in Seoul. You do this. These are the types of
effects you are going to feel. The DDoS attack was a small
attack monetarily-wise but clearly these things are all part of
a pattern. I do not think it goes too far to say that this was
something that the Chinese lifted when the South Koreans----
Senator Merkley. Have we seen China enact similar patterns
of retaliation against companies that are engaged in things it
does not like? Or is this kind of a new test?
Dr. Ravich. No. We see pattern--I see Eric shaking his head
yes--after pattern. There was an example in Vietnam not too
long ago, actually after the Hague decision for the Philippines
and against China. It appears that China wanted to send a
specific message to Vietnam. Don't you get any ideas in those
territorial waters. And there were certain trade actions taken
against Vietnam.
Senator Merkley. I wanted to turn to North Korea because
here in the United States, we have the NSA full of some of the
brightest computer minds to be found certainly throughout our
country and probably beyond. And I think about so here is North
Korea that does not have a lot of contact with the outside
world. What is our assessment on how they developed such
enormous capability? Are they benefiting from cyber expertise
being shared from the Chinese? Or have they simply made this
such a priority for their country that they are harvesting
every great mathematical computer code mind to go to work on
this project?
Dr. Ravich. So the answer is certainly the latter, but how
they effect that--they have made this a clear priority. They
know that this is one of their greatest asymmetric strengths to
be able to go after the economy in South Korea.
But the North Korean scientists do travel the world. They
do go to conferences. They do have access to journals and
online resources. They are not growing up in a bubble, so to
speak. They are learning from potentially other hostile state
and non-state actors.
Senator Merkley. Here is a question then. So we have seen
North Korea with the WannaCry ransomware attack, the Sony
attack, the DarkSeoul attack, the Bangladesh account, attempted
$1 billion heist. And I am sure there is a much longer list
than that. So why is North Korea not concerned about extensive
retaliation? And is it because in part that their own economy
is not computerized in a way that makes it very vulnerable to
such retaliation?
Dr. Ravich. I think they have learned a valuable lesson
over the last 20 years, that they can get away with a lot
without facing any punishment that they feel the pain. Even
with the sanctions regime they keep getting layered and layered
over them, they continue with their nuclear missile programs.
The elite still get to live like elites. The burden falls on
the average person. So they continue to do what they want to do
when they want to do it, and they have not had enough of a
persuasion to change their pathway.
Senator Merkley. So in conventional warfare, one thing that
deters folks is if I attack them, they will attack back. So my
time is running out, so I will just ask you two pieces of this
question.
Should we send a message that we are going to respond
ferociously if we are attacked in a cyber manner, if attacked
by North Korea again?
And second of all, should we take sanctions against their
computer scientists traveling the world and attending
conferences, if you will, a privilege that you have noted that
they still enjoy?
Dr. Ravich. Taking the second part first, absolutely. It
gets to understanding who is in the command and control
apparatus of North Korea's cyber and who is operationalizing
it. And absolutely that should be clearly on the docket.
On the first, we do need and will need to respond more
forcefully but we better ensure that our castle walls are
strong enough, and that is of great concern.
Senator Merkley. Which they are not even close.
Thank you.
Senator Gardner. Senator Kaine?
Senator Kaine. Thank you, Mr. Chair.
And thanks to the witnesses.
Mr. Rosenbach, in your written testimony, you quote from a
Department of Defense document, a cyber strategy document,
dated 2015. And the quote is about deterrence, and it says it
works by ``convincing a potential adversary that it will suffer
unacceptable costs if it conducts an attack on the United
States and by decreasing the likelihood of a potential
adversary's attack will succeed.''
Reporting today suggests that as part of the growing facts
that are available about the Russian cyber attack on the
election, that 39 State boards of elections were hacked in some
way by the Russians. So clearly we did not convince a potential
adversary that it will suffer unacceptable consequences.
Have you delved into why we did not? I think the testimony
is that President Obama in September told Vladimir Putin to,
quote, knock it off, and then there was even a use of the red
phone right before the election to reach out and say, hey, we
know what you are doing. Why was more not done and why was more
not done publicly to discuss the fact of this Russian incursion
into our elections?
Mr. Rosenbach. Senator, that is a really hard question for
me because I was so involved in all of the deliberations about
that. And so I would just say this that I personally believe
that we should have done much more, that we should have done
much more sooner to send a signal that this is not something
that would be acceptable to the United States, recognizing that
an attack on our democracy in the way that it happened is
probably the most serious attack on a vital U.S. national
interest. It is hard for me to imagine that we should not have
been more muscular in our response.
But I will have to tell you at the time that this was going
on, there were different ideas about what the outcomes might be
and that sometimes influences foreign policy decisions as well.
Senator Kaine. And regardless of the outcomes, an attack is
an attack, and the integrity of the system is something we
should protect one way or other. Correct?
Mr. Rosenbach. Yes, sir. I think the thing I am most
concerned about now is even after the fact, we still have not
responded to the Russians in a way that the rest of the world
sees that you cannot get away with doing this to the United
States. So I am concerned now that in the next election--the
North Koreans--they definitely watch that. So do the Iranians.
Senator Kaine. Would you not think the rest of the world
would also potentially draw the message, wow, if the U.S. would
not act vigorously to defend itself, what is the likelihood
that they would defend us against an attack?
Mr. Rosenbach. Yes, sir. Absolutely. I think that is a
great point. And this is not a political thing. I know there is
a lot of stuff going on associated with issues political right
now. But we, as a country, need to rise above the political
fear about it and do something about cyber and information
attacks against the democracy, or otherwise in the years to
come, it is just going to get worse.
Senator Kaine. I mean, I will just say kind of to my
surprise in the aftermath of the election, I was amazed how
much of it was known by folks with the administration and how
little was done. Calculations, as you say. I know a lot more
after November 8, but I was amazed how much of that was known
long before November 8 with little action.
And I contrast it--and I am not sure it is a completely
fair comparison but with the French experience. So when they
were aware that there was a Russian effort to suck data and
emails away from candidates, they made that very public. And
then when there started to be the dumping of such data, they
also made that very public. They made a very different
calculation than we did. And that may be the ability to take
advantage of learning. And a Sony attack is early, then
involvement in a Brexit vote, and then involvement in the U.S.
election. And by now there is an opportunity, wow, this is
really happening. We better talk about it. But they really made
a different calculation as a nation, not any particular party.
As a nation, they made the calculation Russia is doing this. We
are going to call them out on it on the actual attack and
taking of data and emails, and then as soon as they start to
dump them, we are also going to call them out on it, which led
voters to at least maybe have a little sense of skepticism
about what they might hear. That is not the only way to respond
to an attack, but being transparent to the public about what is
going on, that would seem to be in accord with our own values
as well. Would you not agree?
Mr. Rosenbach. I really strongly agree, Senator. I think
the way the French handled it was very sophisticated. They did
have the huge advantage of seeing that it was probably coming
because of things that the Russians had done. However, they
were not afraid to go out there. And then they also did things
that were kind of creative with information ops themselves.
Those are things that we should learn from and that we should
watch out for with our allies. Again, the point here is we need
to think about this domain in a more creative way and realize
that it has grave consequences for the country if we are not
going to be tough and think about it in a sophisticated way
like other foreign policy issues.
Senator Kaine. And, Mr. Chair, if I could just say one
thing. It is not really a question. But I really appreciated
that aspect of Dr. Ravich's testimony because it kind of
challenged my own thinking. I am on the Armed Services
Committee too and in Foreign Relations. Virtually everything we
talk about, military operation, we talk about our allies, what
are we going to do together with our allies. But often when we
have cyber discussions, we have cyber discussions, you know,
just what should the U.S. do, and we do not talk about it so
much with respect to allies other than intelligence sharing.
But in terms of what we might do together with allies, we talk
about that in other realms of defense, not in cyber defense.
And your notion of cyber co-ops and why are we not doing more
with the UK and Israel kind of reminds us, oh, yes, if this is
a domain of warfare, we should be thinking about alliances just
as we do whether we are talking about training exercises,
European Reassurance Initiative, and others. And I really
appreciated that aspect of your testimony.
Thank you, Mr. Chair.
Senator Gardner. Please go ahead.
Senator Markey. Mr. Vice President--Senator, do not believe
the fake news. [Laughter.]
Senator Markey. I think the warning that you are giving us
just by sitting here is something that we have to heed, and the
consequences can be historic if you ignore the lessons of this
last election and what happened in these other places. Such
things can turn the whole arc of history. So thank you for
being here. Thank you for your leadership on the issue.
Senator Gardner. Thank you, Senator Kaine.
And if you do not mind, we will just go back and forth with
continued conversation, if that is all right with you if you do
not have anything else going on right now.
We started this conversation off--I think there are a lot
of things that we could follow up on. You know, South Korea and
China. I think it is unacceptable. What China has done to South
Korea is basically a schoolyard bully when it comes to
retaliating against South Korea's decision that they would make
for its self-protection and the placement of THAAD. That is an
alliance decision. Obviously, we continue to work to strengthen
that alliance with South Korea and the United States. But that
was an important decision that we have to make sure remains
part of that alliance framework.
By the way, China has cost South Korea in South Korean
estimates $7 billion in economic damage as a result of their
retaliation over South Korea's self-defense efforts.
Going back to the question that we talked about, who is in
charge, the cyber coordinator at the State Department, the
Defense Department offices, the White House offices--you know,
China has a cyber administration. President Xi placed himself
on the cyber committee, this super cyber committee. Other
countries may be doing other things. Is there a different
construct that we should be looking at? Do we need a cyber
administration? I do not want to create bureaucracy for the
sake of creating a bureaucracy. Do we need an envoy,
ambassador-level position at the State Department? How do we
get to the point where we have somebody that is the
identifiable lead when it comes to a whole-of-government cyber
policy?
Dr. Ravich. Well, one thing that you might want to
consider--harkening back to the Eisenhower administration and
their Solarium Project with how do we actually prevail in a
battlespace that is going to last into the future and looking
at the hard choices of containment, of deterrence, you know,
the big muscle movements of a government, how do we do
targeting, and who is part of it. These were taken on very
specifically and focused.
So right now, in answer to your question, I do not think
there is any place in the U.S. Government that could undertake
a Solarium Project, drawing in the right people to be able to
do it. Whether that first sits on the outside, and the
knowledge gained from that exercise is then imported onto a
functioning process on the inside, or whether those things
happen simultaneously needs to be kind of parsed out. But it is
needed and it is needed immediately.
Senator Gardner. Mr. Rosenbach?
Mr. Rosenbach. You know, I honestly think that we are at
the point now where most of the known answers are there and
available, and the biggest problem is implementation and
finding people to get stuff done, particularly in the
government. So I like the idea that there could be a very
senior person in the White House driving this in the
interagency, interacting with the private sector, doing some
things internationally, but it would have to be someone who has
gravitas, has clout, and also who has the backing of the
President.
Senator Gardner. Can a coordinator do this, or does it need
to be a cabinet-level official?
Mr. Rosenbach. I would say the coordinator, as it has
been in this iteration--Rob Joyce is a great guy, very smart,
very capable, but he does not have the stature and the backing
probably to really move things, I think similar to Michael
Daniels. It is not a political thing. I think it needs to be
something that it is a more senior-level position, and it
cannot be within one of the departments I do not think.
Senator Gardner. President Xi, of course, came to
Washington last year, and the Obama administration and
President Xi came to some kind of an agreement as it relates to
China's cyber efforts against the United States. This is an
outgrowth of the OPM breach. Is China living up to its end of
the bargain from the conversations it had here in Washington
last year?
Dr. Ravich. It seems that there was a dip at first, but the
anecdotes that are coming in because--Eric and I were talking
about this--the lack of a comprehensive database on cyber
incidents against our private sector is not there. It looks
like business as usual, meaning the wholesale theft of IP on
the private sector side. I will let others talk about the
infiltration on the government side of the house. There is a
little bit of we do not know what we do not know, but again,
anecdotally, it looks like they are back to business.
Senator Gardner. Mr. Rosenbach?
Mr. Rosenbach. I hate to sound cynical but Chris Painter
and I were the two representatives to go and negotiate with the
Chinese on issues like this back in the day. And they would
tell us every single time that we met with them that they were
not doing economic espionage, that it was not the Chinese.
There was no way to know that. So I do not want to sound
cynical, but I believe they are now just better at doing what
they were doing before and they found new ways and that their
leadership told them don't you dare get caught again.
Senator Gardner. So a quick question for the two of you.
And you may not feel like you can answer this question. I do
not know. But I had a meeting with the CEO of a major tech
company in the United States, and he brought up five points:
multi-factor authentication, strong encryption of data, micro-
segmentation, consistent and automatic patches and upgrades,
and consistent education and testing of the workforce. Pretty
simple and basic hygiene points. And his point was that these
five things, had they been implemented, would have prevented
the OPM breach, would have prevented the Sony breach, would
have prevented the ransomware spread.
Do you feel comfortable in answering that question? Is that
true? Is that something as simple as requiring vendors to do
this kind of thing? Would that solve a significant portion of
this threat?
Dr. Ravich. I think it solves a portion of it, but I think
what the answer to you completely misses is that state
adversaries, very, very aggressive, very technologically
sophisticated state adversaries, are looking to hollow out
portions of our economy. And while the five steps will go very
nicely to locking doors, maybe getting a guard dog if the state
actor wants to get in there, it is not going to suffice. And
the action has to be taken against the state actor themselves
to push back on them.
Senator Gardner. Mr. Rosenbach, just a last question and
then I will turn it over to Senator Markey.
Do we have a nuclear deterrent in cyber?
Mr. Rosenbach. We do, of course. So just like in any other
domain, if there were a cyber attack against the United States
that resulted in death or significant destruction, the nuclear
option would be on the table.
Senator Gardner. I do not mean an actual use of a nuclear
bomb. I mean is there a sort of theoretical digital version of
a nuclear deterrent within the cyber realm should somebody do
something so bad to the United States that we can send
something back as a so-called cyber umbrella. And I think Dr.
Ravich has written about this.
Mr. Rosenbach. I do not think from everything I have done
that I have ever seen the cyber nuke, so to speak. And the
issue is it takes a lot of preparatory work to get everything
in place to be able to take something down. But it would be
great if there were such a thing, and you would have to use it
in conjunction with other military options I believe.
Dr. Ravich. No, but these are the kind of policy options
that we definitely do need to develop, along with a very clear
declaratory policy. Where are we in terms of if a country takes
an action or allows for an action to be taken from their
domain? Right? It kind of harkens back to the declaratory
policy that was created after 9/11. You sponsor terrorism, you
actually do it, or you allow others to use your territory to do
it. I do not think that either we or our adversaries understand
our declaratory policy. I think we need to work on that. I
think we need to have one. And again, it goes to not just the
adversary themselves but if they are sponsoring proxies, we see
it the same way as if they did it themselves to us.
Senator Gardner. Thank you and I apologize.
Senator Markey?
Senator Markey. I think it is very important.
Like Stuxnet, we probably have some capacity which has been
developed that we could paradox the Russians' or any other
country's electrical grid system if they really wanted us to
have to prove to them that we could reciprocate. Do you not
think, Dr. Ravich?
Dr. Ravich. Could we? Would we?
Senator Markey. What Senator Gardner was asking is if we
get attacked, can we attack back. You knock down our
electricity system. Can we knock down their electricity system?
Dr. Ravich. I assume, but do not know, that we have those
capabilities.
Senator Markey. Thank you.
Do you agree with that, Mr. Rosenbach?
Mr. Rosenbach. I think this is a really important question.
So the worst case would be that someone thought the United
States was an emperor that had no clothes when it came to cyber
capability. And so when I was overseeing cyber things at the
Department of Defense, I was very worried that we did not have
enough capability and often would talk bigger than what the
capability warranted. So I think it is a really important
question that you all are asking to push the country to
have that type of real capability that you could use quickly
and is not wrapped in all kinds of bureaucracy.
Senator Markey. So in the spy versus spy world that we
live, the fact that the National Security Agency lost control
of powerful cyber weapons to the group known as Shadow Brokers
raises questions about our own government, about our own NSA.
Who do you think Shadow Brokers are?
Mr. Rosenbach. You know, Senator, I have read a lot of
intelligence on this topic, so I just cannot talk about that.
Senator Markey. How about you, Dr. Ravich?
Dr. Ravich. Kind of the same. I am not comfortable talking
about the----
Senator Markey. So we probably need a discussion about
that. If there is some group out there that can crack into the
NSA and steal our cyber weapons and then we cannot talk about
who they are, it is hard to have a public policy response in
terms of what our paradox of them would be, you know, what we
would be trying to create as public policy. So that is a
conundrum for us.
Mr. Rosenbach. There is one thing that is important I was
not able to say orally but is in my statement is that if we are
going to build these type of cyber weapons, it is very, very
important that we take care of them. So I was an Army officer.
When you are in the Army, if you have an accidental discharge
even with a single round, there is accountability for that. The
company commander will be relieved. I am not sure we have that
same kind of accountability right now.
Senator Markey. So you are saying that these are powerful
cyber weapons, and they were not properly protected by the NSA.
That is what you are saying. You used the metaphor for your
gun.
Mr. Rosenbach. I will use a metaphor because I cannot
comment specifically----
Senator Markey. I understand.
Mr. Rosenbach. There are ongoing legal things, but I think
you all understand.
Senator Markey. Yes.
So if the United States is going to develop capabilities
that allow our military and intelligence community to penetrate
widely-used commercial software like Microsoft Windows, then we
need to be far more vigilant to ensure that these tools are not
stolen, much like we take steps, as you said, to make sure that
other weapons arsenals are safe from theft and misuse, and we
have to do the same for these tools. In fact, I do not think it
overstates the severity of the risk we face to suggest that it
is time for the intelligence community to develop features akin
to the permissive action links that ensure that our nuclear
weapons cannot be used except when authorized by the President.
Do you agree with that, Mr. Rosenbach?
Mr. Rosenbach. I think that is a very interesting idea and
something that is technically completely possible. And I only
wonder why we have not done it already.
Senator Markey. Dr. Ravich, do you agree with that?
Dr. Ravich. I do agree with it with the proviso that--there
is a disconnect that has developed between the operators and
senior policymakers in the last administration and this
administration in terms of the operators not being able to
fully, adequately, comprehensively explain what they need to do
and the ramifications of it, leaving the policymakers to say do
not do anything. There is a dangerous kind of gap in
understanding that has arisen I believe leading us to not take
actions when we could for fear from the senior leadership that
it will have unintended consequences which many times it will
not.
Senator Markey. So do you have any other ideas for us in
terms of tools that the NSA and other law enforcement agencies
should adopt in order to ensure that tools such as those used
in WannaCry are not stolen and misused by bad actors? Any other
suggestions?
Mr. Rosenbach. Senator, this is less specific to the U.S.
Government and us taking care of our cyber arsenal, so to
speak. In particular, because you are the Foreign Relations
Committee, there is an analogy to the proliferation security
initiative where if you were to work on a bilateral basis on
building the capacity of nations to stop the proliferation of
destructive malware, I think that is something that can make a
difference. There is a little bit of deterrence aspect in that
as well because a lot of countries buy those type of
capabilities on the black market with bitcoin or straight out
cash. It is sometimes hard to develop. If we were able to do
something about that, I think it can make a difference.
Senator Markey. Thank you, Mr. Chairman.
Senator Gardner. Senator Kaine?
Senator Kaine. I will come back to Dr. Ravich on allies and
cyber co-ops. I think that is a fascinating part of your
testimony. And you are with the Foundation of Defense of
Democracies, and one of the analogous challenges we are
grappling with on the Armed Services--I am kind of interested
in putting it into this context--is the battle against ISIS.
So in the summer of 2014, ISIS had its biggest advance of
real estate. And the U.S. and the coalition effort to defeat
ISIS on the battlefield has been pretty successful, squeezing
them down, painful, slow, but they are losing. And they know it
and we know it, and they know that we know it. But ISIS now has
decided, okay, if we are losing space on the battlefield, then
what we probably should do is focus more on one-off attacks,
whether it is an airliner in the Sinai, a mausoleum in Tehran,
Manchester, London, San Bernardino. They are going to try to
inspire attacks.
You do not beat those attacks with a battalion. You beat
those attacks with intelligence sharing. So kind of again, this
is a kind of warfare where the quality of your alliances and
the quality of the information that you share is probably the
most important thing to defeat the attacks.
So now I am putting myself into the cyber realm. It may be
that, as we think about cyber defense, the quality of these
alliances will end up being very critically important to
whether we can defend our own democracies, protect our own
internal democracy.
How should we gauge the--it is one thing to judge the
capacity of another nation to be a battlefield, you know,
fighting force alongside with us, choose them to be a partner
because we trust their on-the-ground combat capacity. How about
gauging allies in the cyber realm for working cooperatively?
The one that I am thinking about is under P.M. Modi, they have
shed a little bit of the Congress' party nonalignment
philosophy and they do more military training exercises with
the United States than any other nation. And it is also a
nation with a strong technological capacity. Just to use them
as an example, analyzing India as a potential--this is the
region we are talking about analyzing India as a potential ally
in a cyber co-op arrangement as you describe in your testimony.
Dr. Ravich. It is very interesting. How we are thinking
about it is so the easiest hurdle to cooperate is probably on
the R&D agenda because sharing of intelligence gets a little
bit tricky, and different countries have different trust
levels. So the idea was, well, let us walk into this in a way
that we can actually good news, not a talk shop, but actually
create something. We all have comparative advantages. When I
started out looking at the United States, the Israelis, the UK,
we have different comparative advantages technologically to go
forward on that.
But then as you start to kind of broaden out, other
countries, while they may not be technological super stars,
have particular windows into a certain threat. Ukraine has a
window into a threat. They can understand a certain actor.
There are other countries in the world that are also good
friends or partners or allies with us on other things that have
a window into a threat. Do they share the similar goals with
us? So in terms of where India places, I think high and
evolving on the technology, certainly a window into a threat
from where they are, and certain shared goals going ahead.
Senator Kaine. And I guess another area of shared interest
you might want to look at is if they are facing a problem
similar to us. So there might be a threat like a country, but
there also could be is there a particular sector where you are
facing challenges and we are facing challenges in the same
sector. And that might suggest not cooperation on all of cyber
defense, but at least let us strengthen our utility sector or
our financial sector--those that are at risk--so that for
purposes of R&D or other things, we could focus on a sector and
make each of our nations stronger. So that would be probably
another area that we should look at.
Dr. Ravich. I agree.
Senator Kaine. Thank you. That is very helpful.
Senator Gardner. Thank you. And, Senator Kaine, thanks for
referring to India. I had hoped to use this committee to
adversely possess India as jurisdiction for the Indo-Pacific----
Senator Kaine. I am on the committee that oversees India. I
am always grasping. [Laughter.]
Senator Gardner. Thank you.
Senator Markey?
Senator Markey. Thank you, Mr. Chairman.
I want to follow up on Senator Kaine because following the
WannaCry attack, Microsoft's President, Brad Smith, called the
attack a wakeup call for the world's governments, and Smith
called for a digital Geneva Convention in which governments
would agree not to retain vulnerabilities for cyber weapons
development and would, instead, reveal those vulnerabilities to
software developers to protect consumers against attack. In
essence, Smith was calling for a kind of cyber arms control
comparable to the arms control regimes we have developed in the
nuclear weapons domain.
Of course, the analogy only goes so far. Nuclear weapons
are physical objects. Cyber weapons are digital objects which
can be hidden far more effectively. Cyber arms control would
face far greater difficulties when it comes to verification and
enforcement, but that does not mean that governments have no
interest in cooperating. For example, if a country's hospitals
are vulnerable to cyber attacks, that could impact global
health. If a country's airports are vulnerable, that could
impact travelers from beyond its borders. And if a country's
stock market can be manipulated, that could affect the global
financial system.
Can you both discuss your thoughts on global cooperation
intended to improve cybersecurity? What are the limits of cyber
arms control? And are there remaining opportunities for
international cooperation that we have not fully explored?
Dr. Ravich. I have reservations about a push towards
broader cyber norms and these large-scale elements that you are
discussing that they can rapidly turn into a lot of wonderful
language with lofty goals but crumble because of two things:
one, because too many people are in it with too many different
visions of what they want to do and capabilities to actually do
them; and the second being that somebody opens the door to
hostile adversaries being part of the discussion.
So I kind of fall back on some of the earlier discussions.
Let us start with a small group of likeminded countries that
can actually put real technology to starting to solve some of
these problems and have the wherewithal and the will to take
actions when needed, show great results in that front and then
slowly open up to who else do we want to protect under our
cyber umbrella.
Senator Markey. Thank you.
Senator Gardner. Thanks, Senator.
Mr. Rosenbach. You remember how President Reagan said trust
but verify when he was talking about arms control? I think that
trust part with the Russians right now in particular would be
very difficult when it comes to cyber arms control.
So I think it is an interesting idea. Personally I think we
should go for more practical projects, for example, like trying
to stop proliferation working together and doing that with the
private sector as well. Down the road, I think it is an
interesting idea but I am not sure, in particular from the
Department of Defense perspective, where I used to sit, that
that is something we would be that supportive of.
Senator Markey. Thank you, Mr. Rosenbach. And I appreciate
this Russia-U.S. tension. It is not quite Broncos-Patriots, but
I appreciate your living in Cambridge in the era of Tom Brady
in football. So thank you both for your testimony.
Senator Gardner. Yes. And thank you both for being here.
And I think one of the things the Senate should look at
soon is the PATCH Act. It is legislation that would address
some of the efforts and vulnerabilities that we have seen. If
the U.S. Government knows of a patch and it is not a national
security issue, then we ought to be making sure that that patch
is available and out there. So there are a number of ways that
we can work to make sure that we address some of these issues.
I think it is interesting questions that we have to continue to
build upon, understanding how our global alliances work when it
comes to issues of cyber, understanding who is in charge, and
understanding that perhaps Russia and China are not going to--
will not hold the same kind of interest that we do as it
relates to these issues. And so how do we move forward with
common interests around the globe to develop the kinds of norms
that we need to and not wait to convince people who we may not
be able to convince.
So I want to thank all of you, thanks to both of you for
your testimony today. Very interesting and actionable. Thanks
to all the Senators who attended today's hearing. And the
witnesses, again thank you.
For the information of the members, the record will remain
open until the close of business on Thursday, including for
members to submit questions for the record.
This is your homework assignment. I would just ask kindly
that the dog not eat your homework, and you return the homework
as quickly as possible. I ask the witnesses to respond as
promptly as possible, and your responses will be made a part of
the record.
And again, with the thanks of the committee, the hearing is
now adjourned.
[Whereupon, at 4:00 p.m., the hearing was adjourned.]
Prepared Statement of Samantha F. Ravich, Ph.D.