[Senate Hearing 115-862]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 115-862
 
  THE DEPARTMENT OF DEFENSE'S ROLE IN PROTECTING DEMOCRATIC ELECTIONS

=======================================================================

                                HEARING

                               before the

                     SUBCOMMITTEE ON CYBERSECURITY

                                 of the

                      COMMITTEE ON ARMED SERVICES
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 13, 2018

                               __________

         Printed for the use of the Committee on Armed Services
         
         
         


                 Available via: http://www.govinfo.gov
                 
                 
                 
                            ______                       


             U.S. GOVERNMENT PUBLISHING OFFICE 
44-117 PDF            WASHINGTON : 2021                 


                      COMMITTEE ON ARMED SERVICES

  JOHN McCAIN, Arizona, Chairman   JACK REED, Rhode Island
JAMES M. INHOFE, Oklahoma          BILL NELSON, Florida
ROGER F. WICKER, Mississippi       CLAIRE McCASKILL, Missouri
DEB FISCHER, Nebraska              JEANNE SHAHEEN, New Hampshire
TOM COTTON, Arkansas               KIRSTEN E. GILLIBRAND, New York
MIKE ROUNDS, South Dakota          RICHARD BLUMENTHAL, Connecticut
JONI ERNST, Iowa                   JOE DONNELLY, Indiana
THOM TILLIS, North Carolina        MAZIE K. HIRONO, Hawaii
DAN SULLIVAN, Alaska               TIM KAINE, Virginia
DAVID PERDUE, Georgia              ANGUS S. KING, JR., Maine
TED CRUZ, Texas                    MARTIN HEINRICH, New Mexico
LINDSEY GRAHAM, South Carolina     ELIZABETH WARREN, Massachusetts
BEN SASSE, Nebraska                GARY C. PETERS, Michigan
TIM SCOTT, South Carolina            
                                
                                     
                 Christian D. Brose, Staff Director
                  Elizabeth L. King, Minority Staff 
                               Director
                               
                     Subcommittee on Cybersecurity

MIKE ROUNDS, South Dakota,       BILL NELSON, Florida
             Chairman            CLAIRE McCASKILL, Missouri
DEB FISCHER, Nebraska            KIRSTEN E. GILLIBRAND, New York
DAVID PERDUE, Georgia            RICHARD BLUMENTHAL, Connecticut
LINDSEY GRAHAM, South Carolina
BEN SASSE, Nebraska  



  


                         C O N T E N T S
                         
                         
                           February 13, 2018

The Department of Defense's Role in Protecting Democratic
  Elections.

Butler, Robert J., Cofounder and Managing Director, Cyber
  Strategies, LLC.
Conley, Heather A., Director, Europe Program, Center for
  Strategic and International Studies.
Harknett, Dr. Richard J., Professor of Political Science and Head
  of Political Science Department, University of Cincinnati.
Sulmeyer, Dr. Michael L., Director, Cyber Security Project, Belfer
  Center for Science and International Affairs, Harvard
  University.

APPENDIX A
  The State and Local Election Cybersecurity Playbook
  Election Cyber Incident Communications Coordination Guide
  Election Cyber Incident Communications Plan Template



  THE DEPARTMENT OF DEFENSE'S ROLE IN PROTECTING DEMOCRATIC ELECTIONS

                              ----------                              


                       TUESDAY, FEBRUARY 13, 2018

                      United States Senate,
                     Subcommittee on Cybersecurity,
                               Committee on Armed Services,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:34 p.m. in 
Room SR-222, Russell Senate Office Building, Senator Mike 
Rounds (Chairman of the Subcommittee) presiding.
    Subcommittee Members present: Senators Rounds, Fischer, 
Sasse, Nelson, McCaskill, Gillibrand, and Blumenthal.

            OPENING STATEMENT OF SENATOR MIKE ROUNDS

    Senator Rounds. Good afternoon.
    The Cybersecurity Subcommittee meets this afternoon to 
receive testimony on the Department of Defense's (DOD) role in 
protecting the U.S. election process.
    The witnesses are Mr. Bob Butler, Co-founder and Managing 
Director of Cyber Strategies, LLC; Adjunct Senior Fellow at the 
Center for a New American Security; Senior Vice President of 
Critical Infrastructure Protection Operations for AECOM; Ms. 
Heather Conley, the Senior Vice President for Europe, Eurasia, 
and the Arctic and Director of the Europe Program at the Center 
for Strategic and International Studies; Dr. Richard Harknett, 
head of political science at the University of Cincinnati and a 
former scholar in residence at U.S. Cyber Command and the 
National Security Agency; and Dr. Michael Sulmeyer, the 
Director of the Cyber Security Project at the Harvard Kennedy 
School.
    At the conclusion of Ranking Member Nelson's comments, we 
will ask our witnesses to make their opening remarks. After 
that, we will have a round of questions and answers.
    There is no dispute about what Russia did during the 2016 
election cycle. There is clear evidence that Russia attempted 
to undermine our democratic process through the hacking of 
independent political entities, manipulation of social media, 
and use of propaganda venues such as Russia Today. Evidence to 
date indicates that no polls or State election systems were 
manipulated to change the outcome of the vote. However, there 
was evidence of Russian probing of certain election systems in 
21 states.
    The Department of Defense has a critical role to play in 
challenging and influencing the mindset of our cyber 
adversaries and defending the homeland from attacks, attacks 
that could include cyber attacks by other nations against our 
election infrastructure. We look forward to the Department 
approaching these issues with a heightened sense of urgency.
    The threat is not going away. Just a couple of weeks ago, 
the Director of the Central Intelligence Agency warned that 
Russia will seek to influence the upcoming midterm elections. 
The White House National Security Advisor stated that they will 
seek to influence the Mexican presidential campaign as well. 
This is all in addition to Russian attempts to influence the 
elections in France and Germany last year.
    Each of us on this panel has been quite vocal about the 
need for a strategy that seizes the strategic high ground in 
cyberspace. Whether you call it deterrence or something else, 
we need a strategy that moves out of the trenches and imposes 
costs on our adversaries. The lack of consequences for the 
countless attacks over the past decade has emboldened our 
adversaries and left us vulnerable to emboldened behavior. The 
attacks we experienced during the 2016 election are just the 
latest rung on that escalation ladder. As long as our 
adversaries feel that they can act with impunity, they will 
press further.
    Our witnesses offer unique perspectives on the challenges 
we face. We look to them to help us understand why our posture 
of restraint has not worked, if we can reverse the damage already 
done, and what it will take to develop and implement a strategy 
that limits our exposure and imposes costs on malicious 
behavior.
    We invited Dr. Richard Harknett to explain his theory of 
cyber persistence, specifically on how our failure to tailor 
our strategies to the uniqueness of the cyber domain limits our 
ability to confront challenges we face. Our adversaries 
actively exploit us because they see great benefit and little 
consequence in doing so. I agree with Dr. Harknett that the 
Cold War models of deterrence will not work and look forward to 
hearing what he believes it will take to influence the mindset 
of our adversaries.
    In addition to his writings on cyber deterrence and 
election attacks, Dr. Michael Sulmeyer has focused a great deal 
of his research on the organizational challenges we face as a 
government. We understand that Dr. Sulmeyer is working on a 
paper addressing some of the challenges we examined during our 
full committee hearings in October on the whole-of-government 
approach to cybersecurity. We look forward to hearing more from 
Dr. Sulmeyer on the gaps and the seams he sees in our 
organizational model and what lessons we can learn from 
analyzing like the British.
    Ms. Heather Conley provides an expertise in Russian 
politics and foreign policy. Russia has yet to face serious 
consequences in the cyber or other domains for its 2016 
elections interference. We look forward to Ms. Conley's 
testimony on how the United States can tailor and implement 
these penalties and how the Department can best deter or 
dissuade further Russian election meddling.
    We also look forward to the testimony of Mr. Bob Butler who 
brings extensive cyber experience in both the Department of 
Defense and the private sector. Mr. Butler has been involved in 
numerous studies on the cyber deterrence, including the recent 
Defense Science Board Task Force on Cyber Deterrence.
    Let me close by thanking our witnesses for their 
willingness to appear today before our subcommittee.
    Senator Nelson?

                STATEMENT OF SENATOR BILL NELSON

    Senator Nelson. Thank you, Mr. Chairman.
    First of all, I want to make sure that, since this is a 
hearing on elections, everybody understands that this Senator 
feels that this is about the foundation of our democracy and 
that we as a government ought to be doing more to defend 
ourselves.
    The second thing I want to make sure everybody understands 
is that this is not a partisan issue. This can happen to either 
party or the non-party candidates as well. It ought to be all 
hands on deck.
    The chairman and I in public and in closed meetings because 
of the clearance level--we have been quite disturbed about 
wondering if we are doing as much as we should as a government 
to protect ourselves. So in a recent closed hearing of this 
subcommittee, the Department of Defense demonstrated that it is 
not taking appropriate steps to defend against and deter this 
threat to our democracy.
    So, Mr. Chairman, I join you in welcoming these witnesses 
and hope that some practical suggestions are going to come out. 
Now, I want to mention just a few things.
    First, the Department has cyber forces designed and trained 
to thwart attacks on our country through cyberspace, and that 
is why we created the Cyber Command's National Mission Teams. 
Members of this subcommittee, Senator Blumenthal, Senator 
Shaheen--we all wrote to the Secretary of Defense last week 
that they, the Department, ought to be assigned to identify 
Russian operators responsible for the hacking, stealing 
information, planting misinformation, and spreading it through 
all the botnets and fake accounts on social media. They ought 
to do that. The Cyber Command knows who that is.
    Then we ought to use our cyber forces to disrupt this 
activity. We are not.
    We should also be informing the social media companies of 
Russia's fake accounts and other activities that violate those 
companies' terms of service so that they can be shut down.
    Second I would ask us to look at that as the Department's 
own Defense Science Board Task Force on Cyber Deterrence 
concluded last year--we ought to show Mr. Putin that two can 
play in this game. We ought to consider information operations 
of our own to deter Mr. Putin like exposing his wealth and that 
of his oligarchs.
    Third, I would suggest the Department should ensure that 
its active and reserve component cyber units are prepared to 
assist the Department of Homeland Security and the governors to 
defend our election infrastructure, not just after the attack 
but proactively before and during the Russian attacks.
    Fourth, I would suggest that the Department must integrate 
capabilities and planning into cyber warfare and information 
warfare to conduct information warfare through cyberspace as 
last year's defense bill mandated. Our adversaries recognize 
the importance of this kind of integration, but today cyber 
warfare and information warfare are separated in the Department 
of Defense and involve multiple organizations.
    Fifth, I would recommend, as one of our witnesses I think 
will testify today, the Department must help develop an 
effective whole-of-government response to Russia's strategic 
influence operation through things like a joint interagency 
task force and a fusion center. Our colleagues on the Foreign 
Relations Committee have proposed something similar. The threat 
is not going away. It is likely to intensify. As our 
intelligence community has been warning and as DNI [Director of 
National Intelligence] Coats has just testified to the Senate 
Intelligence Committee, that threat is not going away.
    So the 2018 elections are upon us. We cannot sit idly by 
and watch this happen again.
    Thank you, Mr. Chairman.
    Senator Rounds. Thank you.
    Welcome to all of our panelists here today, our witnesses. 
We would ask that, first of all, you limit your opening remarks 
to 5 minutes, but your entire statements will be made a part of 
the record. We would like to begin with Mr. Butler.

STATEMENT OF ROBERT J. BUTLER, COFOUNDER AND MANAGING DIRECTOR, 
                     CYBER STRATEGIES, LLC

    Mr. Butler. Thank you, Mr. Chairman, Ranking Member Nelson, 
and distinguished members of the Cyber Subcommittee. It is a 
privilege to be here. Thank you for the invitation.
    My views really represent my views and not that of any 
particular organization. I will just quickly hit the highlights 
of my written statement. They track very closely with a lot of 
the opening comments. My comments are really focused around my 
assessment of the threat in the electoral processes after 
interviewing a few different States; secondly, recommendations 
for the Federal Government partnered with a whole-of-America 
campaign; and then thirdly, what this subcommittee can do going 
forward.
    I have been watching the Russian influence operations 
threat for some time in uniform and out of uniform. Our ability 
to counter Russian influence operations is not only a function 
of what we know about the threat but our willingness and our 
ability to address that threat through hardening resilience and 
other countermeasures.
    As I have looked at the election infrastructure in a few 
different States, we have learned from 2016, and our known 
vulnerabilities have been remediated. Whether you look at the 
voting registration systems in the election infrastructure 
proper, we are making progress there. However, the States do 
not know how to address the disinformation campaign. That is a 
struggle and the threat still remains very, very high.
    From my perspective looking at this particular threat, what 
we are talking about today is one line of operation within what 
I think has to be addressed through a National Security 
Council-led task force, a whole-of-America campaign not too 
much dissimilar from the NCTC [National Counterterrorism 
Center], but with a strong, empowered private sector element. 
Again, I go back to the idea of a whole-of-America process.
    Two key components inside of this. One is the idea of 
having an element that is focused on strengthening States' 
election infrastructure and hardening American citizens, 
deterrence by denial some would say. A second component focused 
on cost imposition from botnet disruptions to other kinds of 
sanctioning activities, importantly reinforced multilaterally. 
I am a big proponent of an International Cyber Stability Board, 
a coalition of the willing, working to ensure the most 
effective way of doing cost imposition. Those two components 
then supported by an integrated fusion center that provides 
situational awareness, combines the best of intelligence both 
in the commercial and from the national security community with 
law enforcement and active defense actions, focused on a 
campaign that is centralized in its planning but decentralized 
in its execution.
    From my perspective, it really requires both cultural and 
legislative enablers. Culturally the President must lead, must 
rally the nation. There are opportunities already this week 
that can be used to help with that. The infrastructure proposal 
is a great example. I do not see anything about resilience in 
the infrastructure proposal. We should have a way of 
incorporating, especially as we are building new 
infrastructure, methods and strategies and incentives for 
strengthening the infrastructure here in this country.
    Additionally, we need to leverage the best of U.S. 
competencies across America. Defense is excellent at campaign 
planning and exercise. U.S. intelligence agencies, combined 
with web-scale companies, do a great job in intelligence 
generation and fusion. Web-scale companies are very good and 
growing in their ability to rapidly identify disinformation 
campaigns and response, and we will need some help from the 
legislative side.
    Specifically for DOD [Department of Defense], five 
recommendations that track very closely with what Senator 
Nelson was talking about. I think to jump start this NSC 
[National Security Council]-sponsored task force, we should 
coordinate with the Secretary of Defense to immediately stand 
up a JIATF, a joint interagency task force. Inside of that, 
again empowered private sector players. We typically do not 
think about that, but this really is something where we need to 
work together in a public-private partnership. We need to make 
arrangements with State and local officials through DHS 
[Department of Homeland Security] and the National Guard 
Bureau.
    The second recommendation really is to the NGB and working 
with the National Guard Bureau to really not only inventory 
what we have from a cyber and IO perspective. We have cyber 
units. We have information operations units. But to begin to scale 
them to help the States and to help us as we think about 
incident response in general. I think they could be aligned 
with FEMA [Federal Emergency Management Agency] regions. I 
think they could be aligned in a lot of different ways, but we 
need to first get organized.
    The third is to actually have a session where we discuss 
courses of action. It would have to be a closed session. But I 
think that is where the request for authorities, new 
authorities, requests for new resources come out. It really 
gets at the point of not only looking at offensive actions but 
defensively what we are in store for as we begin to move 
offensively and what we are going to do from a continuity of 
government, continuity of business perspective.
    The last two relate to Senator Nelson's comments with 
regard to the DSB [Defense Science Board] task force. I think 
we should continue to push with the NDAA [National Defense 
Authorization Act] and operationalizing the rest of the Cyber 
Deterrence Task Force recommendations. I would advocate that 
this committee should have its own campaign of exercises to 
help it understand where the adversary is going and to be able 
to advance ideas with regard to looking at threat and 
countermeasures.
    I stand ready to answer any questions that you have.
    [The prepared statement of Mr. Butler follows:]

                 Prepared Statement by Robert J. Butler
    Mr. Chairman, Ranking Member Nelson, and distinguished members of 
the Cyber Subcommittee, thank you for inviting me to speak on the topic 
of countering Russian influence in the United States elections 
infrastructure. I would like to begin by noting that my opinions are 
mine and do not reflect the views of any organization.
    For more than 37 years, my work life has been about Information 
Technology (IT) and its application across Defense and other sectors. 
Along the way, I was afforded the opportunity to help guide the 
evolution of information warfare; information and cyberspace strategy 
and operations within the Department of Defense (DOD); and the United 
States Government (USG) as a planner and commander. My work in DOD 
included the stand-up of information operations (IO) organizations, 
development of IO campaign plans, and serving as the DOD lead in the 
first USG negotiation with the Russians on cyber arms control in 1998. 
I was also privileged to serve as the Director of Intelligence at U.S. 
Transportation Command (TRANSCOM) during Operations Enduring and Iraqi 
Freedom. I culminated my military career by commanding the intelligence 
operations organization that is now commonly referred to as NSA-Texas.
    After retirement from the United States Air Force (USAF), I served 
as the senior civilian executive for DOD's premiere joint information 
operations command before joining a U.S.-based global IT services firm 
as its Director of its Military Intelligence Programs. Returning to 
Government service in 2009, I served as the first Deputy Assistant 
Secretary of Defense (DASD) for Space and Cyber Policy. During my time 
as a DASD, I witnessed and was alarmed at the expansion of the cyber 
threat around the globe--specifically, China's rampant on-line theft of 
United States intellectual property and Russia's continued disruptive 
cyber-attacks in the Ukraine and other parts of the world.
    Since leaving government service in 2011, I have spent most of my 
time in the private sector. As a corporate Chief Security Officer and 
now as an AECOM \1\ security executive, I had the opportunity to build 
and implement enterprise security programs to counter foreign 
threats. Additionally, I have served and continue to serve as a 
consultant to various Defense Science Board (DSB) task forces including 
the recent cyber deterrence task force. It is from this experience 
base, I address you today. I've organized my remarks around three 
topics: 1) my assessment of the Russian threat, specifically to our 
electoral process; 2) my recommendations for what the federal--
including DOD--and state governments, along with United States industry 
should do to further counter Russian or any other foreign government 
influence; and 3) my suggestions for how this committee could help in 
this national security work. While my testimony focuses on enhancing 
the resilience of the U.S. electoral process, I have also made some 
suggestions regarding the resilience of critical infrastructures more 
generally as the threats and responses overlap.
---------------------------------------------------------------------------
    \1\ AECOM is an American multinational engineering firm that 
provides design, consulting, construction, and management services to a 
wide range of clients. AECOM has approximately 87,500 employees, and is 
number 156 on the 2016 Fortune 500 list. (2018, January 01). About 
AECOM. Retrieved February 06, 2018, from http://www.aecom.com/about-aecom/
---------------------------------------------------------------------------
              The Russian Threat and Our Election Process.
    Our ability to counter Russian influence operations is a function 
of what we know about the Russian threat and our ability to address 
that threat through hardening, resilience, and other countermeasures. 
The National Security Strategy (NSS) and the National Defense Strategy 
(NDS) identify Russia as ``attempting to erode American security and 
prosperity'' including ``using information tools in an attempt to 
undermine the legitimacy of democracies.'' \2\ As reported by our 
intelligence agencies, the Russian Federation has been engaged in a 
campaign aimed at interference with our 2016 presidential election 
process. Russian intelligence obtained and maintained access to 
elements of multiple United States state or local electoral boards. 
Russia's influence campaign has been multi-faceted and has included 
Russian Government cyber and media activities along with the use of 
third party intermediaries and social media ``trolls.'' \3\ 
Importantly, we have no indication that this Russian influence campaign 
against democratic elections has stopped. In fact, Russian Government 
interference in European national elections leads us to a very 
different judgment, namely that this type of Russian aggression is 
growing. \4\ NATO assessments about Russia's capabilities and intent 
confirm this assessment. \5\ CIA Director Pompeo has stated that Russia 
can be expected to meddle in the 2018 elections. \6\
---------------------------------------------------------------------------
    \2\ Trump, D. (2017, December). National Security Strategy. 
https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf 
pp. 2, 14.
    \3\ Director of National Intelligence. (2016, January). Background 
to ``Assessing Russian Activities and Intentions in Recent U.S. 
Elections''. https://www.dni.gov/files/documents/ICA--2017--01.pdf
    \4\ Greenberg, A. (2017, June 02). NSA Director Confirms That 
Russia Really Did Hack the French Election. Retrieved February 06, 
2018, from https://www.wired.com/2017/05/nsa-director-confirms-russia-hacked-french-election-infrastructure/
    \5\ Giles, K. (2016, November). Handbook of Russian Information 
Warfare. https://krypt3ia.files.wordpress.com/2016/12/fm--9.pdf
    \6\ Cohen, Z. (2018, January 31). CIA director Pompeo met top 
Russian spies. Retrieved February 06, 2018, from 
https://www.cnn.com/2018/01/30/politics/cia-director-pompeo-russia-spies/index.html
---------------------------------------------------------------------------
    A key focus of the Russian influence actions has been against the 
election infrastructure in our states. The threat to state electoral 
systems is dependent on the state election infrastructure architecture. 
Some states have highly automated infrastructure while others continue 
to employ paper ballot systems. In the latter case, digital 
interactions still exist with web interfaces for voter registration and 
election day voter verification along with the use of digital ballot 
counting machines which scan paper ballot and store results.
    Based on my conversations with Government representatives from 
geographically dispersed states, the integrity and quality of election 
infrastructure has improved since 2016. States have reviewed the 
exposure and configuration of their end-to-end voting system, and known 
areas of technical and procedural weaknesses have been remediated. \7\ 
Nonetheless, the threat to electoral processes remains high. For one, 
it is difficult to identify and nullify disinformation campaigns that 
are portrayed as news coverage.
---------------------------------------------------------------------------
    \7\ Department of Homeland Security. (2018, January). National 
Cyber Incident Coordination Center. 
https://www.dhs.gov/national-cybersecurity-and-communications-integration-center
---------------------------------------------------------------------------
 Recommendations to Counter Russian Influence in Our Election Process.
    America has been and will continue to be involved in a campaign of 
continuous engagement and pressure from the Kremlin to weaken United 
States and allied critical infrastructure and democratic processes. To 
counter, we need a ``whole of America'' campaign approach aimed 
directly at preventing Russian or any other foreign government 
interference. This campaign must be led by a National Security Council 
(NSC)-sanctioned task force (not too dissimilar to the National 
Counter-Terrorism Center) with membership from empowered government 
agencies and industry representatives. One line of operation in this 
campaign is countering Russian interference to influence our electoral 
process.
    This standing national task force needs to have two synchronized 
components--one focused on continuous strengthening of the states' 
election infrastructure as well as ``hardening'' American citizens to 
Russian media and other cyber-enabled influence operations. 
Importantly, these activities should include a partnership with 
industry to regularly red team state election infrastructure; share 
relevant intel with state election and cybersecurity officials; bar 
Russian or other foreign online election material (just as we bar 
foreign election contributions;) continuously identify fake and harmful 
messages; and quickly disseminate the truth about USG actions. As a 
starting point, this USG-industry partnership could build off the 
actions already underway to counter on-line terrorist propaganda. \8\
---------------------------------------------------------------------------
    \8\ Robertson, A. (2017, June 26). Facebook, Microsoft, Twitter, 
and YouTube launch anti-terrorism partnership. Retrieved February 06, 
2018, from https://www.theverge.com/2017/6/26/15875102/facebook-microsoft-twitter-youtube-global-internet-forum-counter-terrorism.
---------------------------------------------------------------------------
    The second component of this task force should be focused to 
directly impose cost on the Russian Federation, including activities 
ranging from cyber-enabled social media operations and botnet 
disruptions to sanctions and other enforcement actions.
    Importantly, these cost imposition measures, when and where 
possible, need to be multilateral in nature, involving other allied 
nations and coordinated with appropriate private sector organizations. 
\9\ The formation of an International Cyber Stability Board (ICSB) of 
allied nations and industry partners could support rapid coordination 
and enforcement of actions across Internet infrastructure. The NSC 
staff should lead in the development of the ICSB.
---------------------------------------------------------------------------
    \9\ Frank Kramer, Bob Butler, and Catherine Lotrionte. (2017, 
November 06). Raising the Drawbridge with an ``International Cyber 
Stability Board''. Retrieved February 06, 2018, from 
https://www.thecipherbrief.com/raising-drawbridge-international-cyber-stability-board.
---------------------------------------------------------------------------
    The two components should be supported by an integrated fusion 
center that enables continuous situational awareness and engagement 
through human capital intelligence, intelligence at large, law 
enforcement, and active defense actions. Although centrally planned, 
execution of action must be decentralized to support persistent and 
agile engagement against Russian ``trolls,'' bots, and other surrogates 
of the Russian Government.
    To enable this type of organization and ensure its success will 
require both cultural and legislative changes. The President needs to 
rally the U.S. Government and U.S. industry. Infrastructure resilience 
and countermeasures need to be part of the President's ``call to 
action'' this year. Additionally, we need to leverage the best U.S. 
organizational core competencies to include the following:
      Defense for campaign planning and exercise,
      U.S. Intelligence Agencies and industry for rapid intelligence 
        generation and fusion,
      Webscale companies for rapid identification of disinformation 
        campaigns and response,
      Congress for potentially changing laws like the Computer Fraud 
        and Abuse Act (CFAA) and enabling Government and industry to 
        work together to actively defend this nation. \10\
---------------------------------------------------------------------------
    \10\ McCain, U. S. (2017, October). Press Releases. Retrieved 
February 06, 2018, from https://www.mccain.senate.gov/public/index.cfm/
2017/10/mccain-klobuchar-warner-introduce-legislation-to-protect-
integrity-of-u-s-elections-provide-transparency-of-political-ads-on-
digital-platforms. https://tomgraves.house.gov/uploadedfiles/
discussion_draft_active_cyber_defense_certainty_act_
2.0_rep._tom_graves_ga-14.pdf.; https://cchs.gwu.edu/sites/
cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf. and 
https://www.mccain.senate.gov/public/index.cfm/2017/10/mccain-
klobuchar-warner-introduce-legislation-to-protect-integrity-of-u-s-
elections-provide-transparency-of-political-ads-on-digital-platforms.
---------------------------------------------------------------------------
    On the international front, it is critical to align our efforts 
with our allies and identify appropriate ``red lines'' for actions. For 
example, these would include attempts to hack or disrupt our electrical 
grid and voting machines. \11\
---------------------------------------------------------------------------
    \11\ Miller, J. (2018, January). Navigating Dangerous Pathways. 
Retrieved February 06, 2018, from https://www.cnas.org/publications/
reports/navigating-dangerous-pathways?utm_medium =email&utm 
_campaign=Project Pathways 3 Report Release&utm_content=Project 
Pathways 3 Report 
Release%2BCID_2bd61d40546a491ed2980e0568645014&utm_source=Campaign 
Monitor &utm_term=Navigating Dangerous Pathways A Pragmatic Approach to 
United States-Russian Relations and Strategic Stability
---------------------------------------------------------------------------
             Proposals for the Cyber Subcommittee and SASC
    To ``jump start'' the stand-up of an NSC-sponsored national task 
force, the SASC should coordinate with the Secretary of Defense in 
immediately establishing a joint interagency task force to begin and 
accelerate counter-Russian influence campaign planning. Key private 
sector elements from the Defense Industrial Base and webscale companies 
should be included as needed. Also, appropriate working arrangements 
with state and local officials through the Department of Homeland 
Security (DHS) and the National Guard Bureau (NGB) should be created. 
The SASC through its oversight jurisdiction should then monitor the 
progress of the task force.
    To further support the stand-up of the new national task force for 
countering Russian or other foreign government influence, I recommend 
the SASC direct the NGB, in conjunction with U.S. Cyber Command 
(CYBERCOM), to inventory and certify all cyber capable National Guard 
assets that could augment state resiliency and federal efforts. Working 
with other committees, the SASC should then develop a statute to grow 
ten NGB ``cross-state mutual assistance'' teams as certified active 
defense teams to work alongside Federal Emergency Management Agency 
(FEMA) regional leads, other government and industry partners at the 
state and federal level.
    The SASC should direct the Defense Leadership Team to develop 
Defense-Defense Industrial Base Courses of Action (COA) to support the 
new national task force, and to provide in a closed session a summary 
of these COAs along with new resources and authority requests to the 
Committee. Related to this point, the SASC should work with the DOD and 
other Committees to update all statutes for enabling Defense counter-
influence actions at home and abroad.
    To deter further adversary action, we must harden our critical 
infrastructure. This includes the election infrastructure, but also all 
infrastructure which ensures national security, public safety and 
democratic processes. From a defense standpoint, this starts with the 
resilience of our nuclear strike capabilities, non-nuclear capabilities 
such as conventional strike, missile defense and offensive cyber. 
Specific recommendations are included in the 2017 DSB report on Cyber 
Deterrence. \12\ The SASC should continue to act to operationalize 
these recommendations as part of developing the next National Defense 
Authorization Act.
---------------------------------------------------------------------------
    \12\ Defense Science Board. (2017, February). Task Force on Cyber 
Deterrence. https://www.acq.osd.mil/dsb/reports/2010s/DSB-
CyberDeterrenceReport_02-28-17_Final.pdf.
---------------------------------------------------------------------------
    Finally, the Committee should set up its own campaign of ``table 
top'' exercises that would help members to better understand different 
adversary scenarios which could involve defense capabilities and 
highlight the need to the Committee for other Congressional actions in 
countering Russian influence.
    Thank you again for the opportunity to share these thoughts. I 
stand ready to help the Committee as we seek to better protect and grow 
our nation.

    Senator Rounds. Thank you, Mr. Butler.
    Ms. Conley?

   STATEMENT OF HEATHER A. CONLEY, DIRECTOR, EUROPE PROGRAM, 
         CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES

    Ms. Conley. Thank you so much, Chairman Rounds, Ranking 
Member Senator Nelson, and esteemed colleagues. Thank you for 
this very timely opportunity to speak to you this afternoon and 
what a timely moment as United States intelligence agencies 
have now assessed that Russia will continue to make bold and 
more disruptive cyber operations focused on the midterm 
elections. CIA [Central Intelligence Agency] Director Mike 
Pompeo also stated publicly that he fully expects that Russia 
will attempt to disrupt the United States midterm elections. So 
we know they are doing it and will do it, but we as a nation 
are not prepared to effectively combat what I believe is an 
intensifying disinformation operation and influence operation.
    I am a bit of a contrarian on this panel. I am not a 
cybersecurity expert. But what I am most concerned about is 
that we have 9 months, and the American people are not educated 
as to what is going to happen to them. That is where I think 
our focus must lie. I am less concerned about the mindset of 
President Putin. I know his mindset. I am more concerned about 
the mindset of the American people as we head towards this 
election.
    You asked us what role DOD could play to protect the U.S. 
elections. I think simply DOD, working with Congress, has got 
to demand a whole-of-government strategy to fight against this 
enduring disinformation and influence operation. We do not have 
a national strategy. Unfortunately, modernizing our nuclear 
forces will not stop a Russian influence operation. That is 
where we are missing a grave threat that exists in the American 
people's palm of their hand and on their computer screens. It 
is vital that we start talking publicly about this threat and 
educating the American people on a bipartisan basis.
    Tragically the Russian campaign has already deeply 
polarized our country, which only serves the Kremlin's 
interests. As one of the most trusted institutions in the 
United States, the Department of Defense must leverage that 
trust with the American people to mitigate Russian influence. 
Simply put, the Department of Defense has to model the 
bipartisan and fact-based action, behavior, and awareness that 
will help reduce societal division. This is about leadership. 
It is about protecting the United States, and as far as I can 
see, that is in the Department of Defense's job description.
    So a good place to begin is using DOD's extensive employee 
and military networks to provide timely policy guidance and 
statements about the threat the Russian influence operation 
poses to election security. Secretary Mattis and General 
Dunford should provide extensive public outreach to the defense 
community about the threat and how to counter it. Perhaps they 
should think about forming public service announcements. 
European governments have been very effective in warning their 
publics about the danger of Russian disinformation. France and 
Germany were very strong on that, but you have to put the 
message out and we have not.
    I offered one suggestion in my written testimony to look at 
how we could leverage the National Guard Bureau, working 
closely with State and local leaders in cooperation with the 
Department of Homeland Security, to enhance cybersecurity 
awareness and be able to detect patterns of influence, for 
example, if hacked emails surface online in conjunction with 
the false rumors about potential electoral candidates. We need 
to start talking about this.
    Another instrument is the State Partnership Program. The 
National Guard has partnered with the Lithuanian military, the 
Estonian military. They can bring back to their States 
information about how Russian influence works.
    We are speaking today about protecting the homeland from 
continuous disinformation attacks, which alter how the average 
American thinks about their system of governance and their 
government. What the American people may end up thinking is 
that everyone is lying, everything is fake, and there is 
nothing that can be trusted. Then even the most trusted of 
American institutions, the Defense Department, the Justice 
Department, the FBI [Federal Bureau of Investigation], the 
Department of Homeland Security, the Office of the President, 
will mean very little to the American people. This is exactly 
how you break the internal coherence of the enemy's system 
according to Russian military doctrine. Unfortunately today we 
are doing most of this to ourselves without assistance from the 
Kremlin.
    This is a matter of urgency. We have 9 months. We need to 
educate the American people in addition to enhancing, of 
course, our cybersecurity protections. But as the French 
disinformation attacks showed, what many of the organizations 
that looked like that disinformation was coming from--it was 
coming from American organizations. This is designed to be 
hidden. It adapts. We have to educate the American people about 
what they are going to confront on the November elections.
    Thank you.
    [The prepared statement of Ms. Conley follows:]

                Prepared Statement by Heather A. Conley
    Mr. Chairman, Ranking Member Nelson and distinguished members of 
the Cybersecurity Subcommittee of the Senate Armed Services Committee, 
thank you for the invitation to speak before this important 
subcommittee on a topic that is of utmost importance to the future of 
the United States and its national security: The essential need to 
ensure that the American people have complete trust and confidence in 
the fairness and accuracy of U.S. elections, be they at the local, 
state or federal level.
    I am a professional outlier on this panel for I am not a cyber 
security expert, but I have spent the last several years at CSIS 
studying and understanding how malign Russian influence works in 
Europe, which we have described in detail in our seminal report, The 
Kremlin Playbook. \1\ We have studied in detail how Russian economic 
influence has worked in five European countries (Latvia, Hungary, 
Slovakia, Bulgaria and Serbia) over a ten-year period to understand how 
Russia infiltrates a democracy and erodes confidence and credibility in 
how that democracy works. We have extended our research to include six 
more European countries (Italy, Austria, the Netherlands, Romania, the 
Czech Republic and Montenegro) which will culminate in a new report, 
The Kremlin Playbook 2, in early 2019. The Central and Eastern European 
region has constituted an extensive Russian laboratory for a variety of 
influence operations for nearly two decades. European Governments and 
citizens have been exposed to a full spectrum of Russian influence 
tactics that have collapsed weakened governments as well as 
systemically important financial institutions. Russian influence has 
fomented societal unrest and altered Western-oriented government 
policies.
---------------------------------------------------------------------------
    \1\ Heather A. Conley and Ruslan Stefanov, The Kremlin Playbook, 
Center for Strategic and International Studies, October 2016, https://
www.csis.org/analysis/kremlin-playbook.
---------------------------------------------------------------------------
    Having said this, I believe Russian influence is less about 
physical cyber security (although cyberattacks are a useful tool) and 
more about (dis)information and influence superiority, which is how the 
Kremlin believes it will maintain its global preeminence as it 
addresses slow and long-term decline. According to the Czech Security 
Information Service, it is the Kremlin's goal to convince the average 
citizen that ``everyone is lying,'' which in turn will ``weaken 
society's will to resist'' Russian interests. \2\
---------------------------------------------------------------------------
    \2\ Jakub Janda, ``How Czech President Milos Zeman Became Putin's 
Man,'' Observer, January 26, 2018, http://observer.com/2018/01/how-
czech-president-milos-zeman-became-vladimir-putins-man/.
---------------------------------------------------------------------------
    Therefore, one of our first lines of defense is to develop a much 
deeper understanding of and a body of research into how Russia 
practices its influence operations as well as to study how European 
countries defend themselves against these ongoing operations. Europe 
has been at this longer than we have. Our knowledge has atrophied. Our 
defense and intelligence officials must have the closest possible 
relationship with our European partners to develop effective and 
sustainable countermeasures against Russian influence.
    Secondly, it needs to be understood that Russian influence does not 
simply occur in and around a national election; it is a continuous and 
holistic series of operations that are designed to break the ``internal 
coherence of the enemy system.'' \3\ It is true that elections are the 
most visible opportunity to harm a democracy when it is at its most 
vulnerable. We can observe that Russian influence operations and cyber 
infiltration may accelerate approximately two years prior to an 
election but this does not mean that Russian operations cease after an 
election. If anything, they simply adapt their methods to the outcome 
and alter their strategies to continue to degrade confidence in 
democratic institutions. Sustained Russian influence operations focus 
on those issues that are deeply divisive within a society, such as 
issues related to migration or questions of history or national, racial 
or religious identity. Today's Russian influence operations, just as 
their predecessor, Soviet active measures, exploit the weaknesses that 
are present within a society but they benefit from increasingly 
sophisticated means amid increasingly confused Western societies that 
are overwhelmed daily by a growing amount of information.
---------------------------------------------------------------------------
    \3\ Dimitry Adamsky, ``Cross-Domain Coercion: The Current Russian 
Art of Strategy,'' Proliferation Paper no. 54, Institut Francais des 
Relations Internationales, November 30, 2015, https://www.ifri.org/en/
publications/enotes/proliferation-papers/cross-domain-coercion-current-
russian-art-strategy.
---------------------------------------------------------------------------
    My contribution to this important discussion is to offer you what I 
believe European countries have done successfully to combat malign 
Russian influence and disinformation as well as increase cyber-
protection. But before doing this, I will address the questions posed 
to all the witnesses today.
    I do not believe the Department of Defense has a leading role to 
play in the cyber protection of U.S. elections. This is the purview of 
the Department of Homeland Security, which has struggled to develop 
effective policies to protect critical election infrastructure as 
distrust between the Federal Government and state as well as local 
election officials has grown. However, I believe the Department of 
Defense can play a role that is highly complementary to the work of the 
Department of Homeland Security by rebuilding trust between state and 
federal officials, and building knowledge and awareness of the ever-
present threat. This will not be easy. State and local election 
officials are unable to receive classified intelligence briefings. 
Candidates for office may not have received cybersecurity training or 
know whom to contact should they become the victim of illicit hacking 
or an influence operation.
    We can learn from the French Government about how to combine 
military and civilian efforts to prevent cyber-destabilization. This 
month the French Ministry of Defense released its Military Planning 
Law, which prioritizes cyber risks and seeks to increase cooperation 
with telecommunication companies to enable them to scan networks for 
technical clues of ongoing or future cyberattacks. The civilian French 
Network and Information Security Agency (ANSSI) will provide a list of 
risk indicators to the Defense Ministry. These risk indicators only 
focus on technical aspects of security breaches and not on content 
(which is important to ensure First Amendment protections in the United 
States). The goal is to enhance early detection. A French white paper 
was released in conjunction with the planning law which outlined and 
defined the possible cyberattacks that France could suffer and 
identifies cyber-protection as a strategic priority. \4\ The strategic 
review of France's cyber defense sets out six main goals: prevention, 
anticipation, protection, detection, attribution, and reaction. \5\ The 
ANSSI provides cybersecurity awareness-raising seminars to politicians 
and parties. Could DOD produce something similar in cooperation with 
DHS?
---------------------------------------------------------------------------
    \4\ Martin Untersinger, ``Cybersecurite: le gouvernement veut 
mettre les telecoms a la contribution pour detecter les attaques,'' Le 
Monde, February 8, 2018, http://www.lemonde.fr/pixels/article/2018/02/
08/cybersecurite-le-gouvernement-veut-mettre-les-telecoms-a-
contribution-pour-detecter-les-attaques_5253808_4408996.html.
    \5\ Olivier Berger, ``Revue strategique de cyberdefense : l'Etat et 
les operateurs pourront collaborer pour traquer les attaques 
informatiques,'' La Voix du Nord, February 8, 2018, http://
defense.blogs.lavoixdunord.fr/archive/2018/02/08/l-etat-et-les-
operateurs-pourront-collaborer-pour-traquer-le-15570.html
---------------------------------------------------------------------------
    While there is a role for the Defense Department to play in 
deploying offensive cyber capabilities should there be an attributable 
Russian attack on the United States election process, it would have to 
be part of a whole-of-government policy and strategy toward Russian 
influence operations, which at present the United States Government 
does not have--but urgently needs. Perhaps a more credible policy of 
deterrence would be for the United States Government to notify the 
Kremlin that future attributable attacks against United States 
elections would force the United States to seek to block Russia's 
access to the Society for Worldwide Interbank Financial 
Telecommunications (SWIFT). Although the Russian Government has 
developed an alternative system that may mitigate financial disruption 
internally, it could certainly hamper access to international bank 
accounts from the Kremlin's very wealthy inner circle--which may have 
more immediate impact.
    There are two additional areas that the Defense Department could 
explore to enhance disinformation awareness and cyber-protection prior 
to the 2018 mid-term and 2020 presidential elections. First, it could 
use its extensive employee and military network to provide timely 
policy guidance and statements about the threat that Russian influence 
operations pose to election security. Secretary Mattis and General 
Dunford should provide extensive public outreach to the defense 
community about the nature of the threat and how best to counter it to 
sensitize the DOD community to the threat of Russian influence and 
misinformation operations in a public service announcement format. 
Another idea would be to consider engaging the National Guard Bureau to 
help develop and facilitate training of state and local election 
officials to enhance cybersecurity awareness and to be able to detect 
patterns of influence (for example, hacked e-mails surfacing online in 
conjunction with the spread of false rumors about candidates) in 
partnership with the Department of Homeland Security. Those National 
Guard units that have participated in the State Partnership Program 
(SPP) have served and developed relationships with European partners, 
and could also be particularly helpful in sharing information about 
Russian influence operations (United States forces serving in these 
countries have been the recipients of Russian misinformation campaigns) 
through the State Adjutant Generals who are very well regarded among 
state and local officials. State Partnership Programs particularly well 
placed for this would be the Pennsylvania National Guard (Lithuania), 
the Maryland National Guard (Estonia), the Texas National Guard (the 
Czech Republic) and the Michigan National Guard (Latvia). \6\
---------------------------------------------------------------------------
    \6\ See more at ``State Partnership Program,'' National Guard, 
http://www.nationalguard.mil/Leadership/Joint-Staff/J-5/International-
Affairs-Division/State-Partnership-Program/.
---------------------------------------------------------------------------
    Simply put, the Defense Department must model the bipartisan and 
fact-based actions, behavior and awareness that will reduce societal 
division and help bridge the state and federal divide. As one of the 
most trusted institutions in the United States, the Defense Department 
must leverage that trust to mitigate malign Russian influence.
    Turning now to the European laboratory of Russian cyber-
destabilization, there are several important lessons that the 2017 
European election cycle has taught us (and that Europeans have 
learned):
      The necessity of having a paper ballot either as the 
ballot of record or as a back-up to an electronic ballot. The Dutch and 
German national elections use paper ballots. The German Government has 
also focused on protecting the software that tallies the election 
results to ensure that these systems are not vulnerable to cyberattack.
      A unified and all-political party message on what is at 
stake as well as how to detect and understand Russian influence. The 
French and German Governments were particularly effective at early 
notification regarding the likelihood of Russian influence and 
announcing when data breaches occurred. There was sufficient trust in 
the institutions and their leaders to ensure that a majority of the 
public took heed of the warning, which reduced the impact of the 
Russian misinformation campaign.
      French and German media organizations set up fact-
checking teams and social media platforms that cooperated with 
authorities to protect sensitive accounts. The French polling 
commission went so far as to warn against illegitimate polls coming 
from Kremlin-affiliated outlets that did not fit legal criteria for 
accurate polling. \7\
---------------------------------------------------------------------------
    \7\ Laura Daniels, ``How Russia hacked the French election,'' 
Politico, April 23, 2017, https://www.politico.eu/article/france-
election-2017-russia-hacked-cyberattacks/.
---------------------------------------------------------------------------
      In Sweden, ahead of the September 2018 elections, the 
Government plans to create a new agency to enhance the public's 
``psychological defense'' against influence by identifying, analyzing 
and reacting to Russian influence attempts; this would also take place 
through increased funding for the Swedish intelligence services, and 
cyber-defense. \8\ In January 2018, the Swedish head of security 
services (Sapo) warned against increased foreign influence operations 
ahead of the election, citing as examples forged letters of arms deals 
with Ukraine or fake reports that Muslims had vandalized a church. \9\
---------------------------------------------------------------------------
    \8\ Andrew Rettman and Lisbeth Kirk, ``Sweden raises alarm on 
election meddling,'' January 15, 2018, https://euobserver.com/foreign/
140542.
    \9\ Gordon Corera, ``Swedish security chief warning on fake news,'' 
January 4, 2018, http://www.bbc.com/news/world-europe0-42285332.
---------------------------------------------------------------------------
      Swedish Prime Minister Lofven plans to convene political 
parties to share protection and resilience strategies throughout the 
election process. The media would also take part in some of these 
meetings to bolster awareness of foreign influence.
      The chief of Sapo has increased information-sharing with 
European partners, and with other security services to better protect 
the election process; he argued that despite being a security service, 
openness was important to inform the public on the threat. \10\
---------------------------------------------------------------------------
    \10\ Ibid.
---------------------------------------------------------------------------
      The Swedish Government is also discussing the inclusion 
of critical thinking skills in primary school curricula, teaching 
children how to spot fake news. Swedish Government authorities have 
initiated a series of public news literacy activities to help the 
Swedish public discern how truthful and fact-based the information they 
receive is. \11\
---------------------------------------------------------------------------
    \11\ ``A practical approach on how to cope with disinformation,'' 
Government of Sweden, October 6, 2017, http://www.government.se/
articles/2017/10/a-practical-approach-on-how-to-cope-with-
disinformation/.
---------------------------------------------------------------------------
    The U.S. Government has taken none of these positive, proactive 
steps--to my knowledge. The most proactive work being done in this 
space is taking place in U.S. think-tanks and universities through 
independent funding.
    If we understood 2016 and 2017 to be exceptional years for all-
encompassing Russian influence operations, we must reckon with the fact 
that 2018 has already witnessed significant Russian influence 
activities, particularly around the Czech presidential elections. 
There, in a close second-round election, the opponent (a former 
president of the Czech Academy of Sciences) of the preferred Russian 
candidate (outgoing president Milos Zeman) received an onslaught of 
disinformation during the second and final round of the campaign, from 
being called a pedophile to a Communist secret police agent who stole 
intellectual property. Milos Zeman won 51.4 percent to 48.6 percent. 
\12\
---------------------------------------------------------------------------
    \12\ Marc Santora, ``Czech Republic Re-elects Milos Zeman, Populist 
Leader and Foe of Migrants,'' The New York Times, January 27, 2018, 
https://www.nytimes.com/2018/01/27/world/europe/czech-election-milos-
zeman.html.
---------------------------------------------------------------------------
    We watch with particular concern the upcoming Italian 
parliamentarian elections (March 4), Montenegro's presidential 
elections (April 15), Latvian parliamentary elections (September/
October), Swedish parliamentary elections (September 8), and Moldovan 
elections (to be held before April 2019), where Russia has long-
standing investments and would potentially seek to influence the 
outcome of elections in support of the Kremlin's interests. The very 
same methods that are being deployed to undermine the credibility of 
these elections are being actively pursued in the United States. This 
has been recently acknowledged by CIA Director Mike Pompeo. \13\ So 
perhaps the most immediate and important step the Department of Defense 
could take--in concert with Congress--is to demand a whole-of-
government approach to minimize the impact of Russian influence 
operations in the United States. A disjointed approach by the United 
States Government and the daily undermining of the legitimacy of United 
States intelligence and law enforcement agencies does the Kremlin's 
work far better (and cheaper) than any Russian influence operation 
could.
---------------------------------------------------------------------------
    \13\ Scott Neuman, ``CIA Director Has `Every Expectation' Russia 
Will Try To Influence Midterm Elections,'' NPR, January 30, 2018, 
https://www.npr.org/sections/thetwo-way/2018/01/30/581767028/cia-
director-has-every-expectation-russia-will-try-to-influence-mid-term-
electio.

    Senator Rounds. Thank you, Ms. Conley.
    Dr. Harknett?

 STATEMENT OF DR. RICHARD J. HARKNETT, PROFESSOR OF POLITICAL 
SCIENCE AND HEAD OF POLITICAL SCIENCE DEPARTMENT, UNIVERSITY OF 
                           CINCINNATI

    Dr. Harknett. Chairman Rounds, Ranking Member Nelson, 
distinguished members, thank you for this opportunity to speak 
to you about this critical issue today.
    We have a big picture problem. Throughout international 
political history, states have at times misaligned their 
security approaches to the strategic realities in which they 
tried to secure themselves.
    In 1914, every general staff in Europe thought that 
security rested on the offense, and they found out 
devastatingly in World War I that they were tragically wrong.
    France in the 1930s said, okay, we learned from the last 
war. It is a defense-dominant environment. We are going to rest 
our security on the most technologically advanced defensive 
works in history. But again, the fundamentals had changed and 
the Germans simply went around the Maginot Line.
    Senators, with all due respect, I do not want to be France 
in the 1930s, but I think we are coming dangerously close to 
that myopia and the misalignment of strategy that follows from 
it. Our adversaries are working through a new seam in 
international politics. Cyberspace is that seam. Its unique 
characteristics have created a strategic environment in which 
our national sources of power can be exposed without having to 
violate traditional territorial integrity through war.
    What we have been witnessing are not hacks. They are not 
thefts. It is not even simple espionage. What we must accept is 
the fact that we are facing comprehensive strategic campaigns 
that undermine our national sources of power, be they economic, 
social, political, or military. Therefore, I agree we must 
develop a counter strategic campaign to protect those sources 
that has as its overall objective a more secure, stable, 
interoperable, and global cyberspace.
    With regard to the integrity of our elections, we have 
effectively left civilians, whose main focus is not security, 
on the front lines. That is not a recipe for success.
    Specific to the Department of Defense's role in producing 
greater security in, through, and from cyberspace, we must 
adopt a seamless strategy of what I call cyber persistence, in 
which our objective is to seize and maintain the initiative. We 
must defend forward as close to adversary capacity and planning 
as possible so that we can watch and inform ourselves, disrupt 
and disable if necessary.
    Our immediate objective must be to, first, erode the 
confidence adversaries now have in their ability to achieve and 
enable objectives. They are very confident.
    Second, we have to erode their confidence in their own 
capabilities.
    Third, we must erode those capabilities themselves.
    We are well past the post on this. We need a comprehensive, 
seamless, integrated strategy that pulls to get a greater 
resiliency, forward defense, and when necessary, countering and 
testing cyber activity to reverse current behavior. We are not 
at step one. We are well past that. We actually have to reverse 
behavior.
    Our security will rest on our ability to simultaneously 
anticipate how adversaries will exploit our vulnerabilities and 
how we can exploit theirs.
    Cyberspace is an interconnected domain of constant contact 
that creates a strategic imperative for us to persist. This is 
a wrestling match in which we have to grapple with who actually 
has the initiative, being one step ahead in both knowledge and 
in action. If we do not adjust to this reality, our national 
sources of power will remain exposed and more of those who wish 
to contest our power will pour into this seam.
    I, therefore, argue that we must make three critical 
adjustments.
    The first is we have to adjust our overall strategic 
perspective. War and territorial aggression, which can 
effectively be deterred, are not the only pathways for 
undermining our national sources of power. In fact, because we 
have this effective strategic deterrent, we should expect our 
adversaries to move into this new seam of strategic behavior 
below the threshold of war.
    Second, we must move our cyber capabilities out of their 
garrisons and adopt a security strategy that matches the 
operational environment of cyberspace. We must meet the 
challenge of an interconnected domain with a distinct strategy 
that continuously seeks tactical, operational, and strategic 
initiative.
    Third, we must make the fundamental alterations to 
capabilities development, operational tempo, decision-making 
processes, and most importantly, as Bob referred to, overall 
authorities that will enable our forces to be successful. We 
cannot succeed using authorities that assume territoriality and 
segmentation in an environment of interconnectedness, constant 
contact, and initiative persistence. We cannot secure an 
environment of constant action through inaction. Strategic 
effect in cyberspace comes from the use of capabilities and 
having the initiative over one's adversaries. It is time for us 
to seize that initiative.
    I look forward to explaining in more detail how we can 
pursue security through persistence during our Q and A. Thank 
you, Mr. Chairman.
    [The prepared statement of Dr. Harknett follows:]

          Prepared Statement by Professor Richard J. Harknett
  ``Department of Defense's Role in Protecting Democratic Elections''
    The Subcommittee is concerned that, in the lead-up to the 2018 and 
2020 elections, the Department and Government as a whole have not 
sufficiently deterred future interference, leaving our democratic 
institutions at risk to foreign intrusion.
    The Subcommittee is correct in its concern. The likelihood of 
foreign intrusion (not just Russia, but other revisionist actors as 
well) is high due to the nature of this domain. Cyberspace is an 
interconnected domain and yet all our approaches rest on a principle of 
segmentation, instead of seeking synergies of expertise. Our 
adversaries have figured this out. Cyberspace is a new Seam in 
international power competition in which strategic effect can be 
produced below the threshold of war and the reach of traditional 
deterrence strategies. We should assume as a starting point that 
adversaries will engage in cyber operations against our national 
sources of power, including economic wealth and social-political 
cohesion. If we do not actively engage these strategic cyber campaigns, 
we will suffer. We need a new strategy that rests on a seamless 
operational environment of 1) integrated resiliency, 2) forward 
defense, 3) contesting adversaries' capabilities and 4) countering 
their campaigns. Through this new strategy, we can actively erode the 
confidence that our adversaries have in achieving their objectives and 
in their capabilities. Over time this may produce a deterrent effect, 
but that can only be achieved through persistent efforts to seize the 
cyber initiative away from our adversaries. \1\
---------------------------------------------------------------------------
    \1\ For more on persistence, see M. Fischerkeller and R. Harknett, 
``Deterrence is Not a Credible Strategy for Cyberspace,'' Orbis 63 1 
(Summer 2017): 381-393.
---------------------------------------------------------------------------
    In traditional great power politics, national sources of power were 
vulnerable only through direct violation of the territory upon which 
they centered. Thus, we came to equate strategic effects with war, and 
to narrow the central role of the state to promoting territoriality 
(its sovereign territorial integrity). The interconnected nature of 
cyberspace, however, means that now our national sources of power are 
vulnerable to manipulation without direct assault across territory. 
Strategic effects can occur without war through this new seam--and we 
should expect adversaries to explore it. We must contest this effort 
and seize back the initiative. In order for this to occur and 
positively affect the electoral cycle, we must position the Department 
to contribute to the defense of electoral integrity, protecting the 
vote and the voter. Electoral integrity cannot be protected by leaving 
civilians alone on the front lines.

Are the roles and expectations of the Department clearly defined with 
respect to protecting U.S. elections process from foreign influence in 
the cyber domain?
    They currently are not sufficiently defined nor enabled. Most 
importantly, we must move away from 1) our ``doctrine of restraint'' 
\2\ that forces us to defend in our own space after the first breach is 
detected, and 2) away from the tendency to view every intrusion as a law 
enforcement problem first. Cyberspace is an interconnected domain of 
constant contact, which creates a structural imperative to persist. 
Persistence in resiliency, forward defense and countering is necessary 
because the analytical categories of offense and defense do not 
actually hold in this space--it is too fluid and dynamic. As former 
Deputy Director of the National Security Agency Chris Inglis put it: 
``It's almost impossible to achieve a static advantage in cyberspace--
whether that's a competitive [offensive] advantage or a security 
[defensive] advantage--when things change every minute of every hour of 
every day. And it's not just the technology that changes; it's the 
employment of that technology; the operations and practices.'' \3\
---------------------------------------------------------------------------
    \2\ Department of Defense, DOD Cyber Strategy (2015).
    \3\ Chris Inglis as quoted in Amber Corrin, ``Is Government on the 
wrong road with cybersecurity?'', FCW: The Business of Federal Technology 
(May 21, 2013), https://fcw.com/articles/2013/05/21/csis-cybersecurity.aspx.
---------------------------------------------------------------------------
    Our protection posture must be moved as close to the sources of 
adversarial action and capability as possible so that we can watch, 
react, disable, and disrupt at a speed of relevance (defined as one 
step ahead of the adversary). We forward deploy in terrestrial space, 
where actual time and distance still matter for defense, so why do we 
hesitate to do so in the one domain where time and distance are crushed 
and cannot be leveraged for defense? Garrisoning our cyber forces has 
created a great disadvantage for us and invites opportunity for our 
adversaries. DOD is not on the front lines, which because of 
interconnectedness, are everywhere. We need to secure through a 
persistent pursuit of the initiative if we are to manage this new seam 
in international power competition.

How can the Department use its national mission teams' offensive 
capabilities to improve deterrence?
    National Mission Teams (NMTs) can eventually produce a deterrence 
effect, but not by relying on deterrence strategy. Cyber strategic 
effects do not come from mere possession and the threat of employment, 
but from actual use. It is critical to differentiate between deterrence 
strategy and deterrence effects in answering this question because they 
get conflated too often. We can achieve a deterrent effect through 
other means than a deterrence strategy. Deterrence strategy rests on 
the prospective threat of punishment or denial to convince someone not 
to take an action. This dynamic cannot work in a strategic environment 
of constant action. Cyberspace is a strategic environment of initiative 
persistence (one can always find the willingness and capacity to get 
one step ahead). Our NMTs must be charged with eroding adversary 
confidence and deployed capability, not sit idle as prospective threats 
to impose costs in the face of cyber operations below the level of war. 
Cyberspace operations should be treated as a necessary national 
security activity and as a traditional military activity. Persistent 
erosion of confidence and capability will shape adversaries' behavior, 
over time, toward more stable norms. If we make the strategic effects 
sought by adversaries inconsequential, their penchant for attack may 
diminish--then we may get a deterrent effect (i.e., adversaries may 
determine it is not worth it to confront us). But we will not get there 
without allowing our NMTs to hunt, disrupt, disable cyber activities, 
and thereby seize the initiative back from our adversaries. We must 
understand this cyber persistent space not as an unstable escalatory 
environment, but rather as a fluid environment in which the initiative 
is always in play and we must seek initiative control.

Is the Department's conception and implementation of deterrence 
sufficient?
    The Department's Cold War conception of deterrence does not map to 
the realities of this new strategic environment. Deterrence is an 
approach to security, not the approach. We cannot rely on a strategy in 
which the measure of effectiveness is the absence of action if we hope 
to manage an environment of constant action. The cost-benefit calculus 
an adversary may hold within cyberspace is never stable enough for us 
to be certain that our static deterrent threats are credibly 
influencing adversaries. There are always new and cost-effective 
opportunities for them to explore. They can constantly manipulate the 
data, networks, tools, and vulnerabilities that are coming on-line 
daily thanks to the efforts of malware developers and the innovations 
of the market. The cyber terrain to secure and the means to traverse 
that terrain are always changing. There is too much incentive and 
potential for adversaries to refrain from persisting in cyber 
activities below the level of war.
    In short, deterrence is a strategy reinforced by segmentation 
(borders/thresholds), sovereignty, relative certainty, and 
territoriality. Cyberspace by contrast is defined by none of those 
conditions; it is defined instead by its interconnectedness, constant 
contact, relative anonymity, and a lack of territoriality. Just as 
nuclear weapons precluded defense and necessitated deterrence, 
cyberspace below the threshold of war precludes deterrence and 
necessitates persistence. We must understand this space as a wrestling 
match in which we are in constant contact with the adversary and we are 
grappling to sustain the initiative through both our knowledge of what 
the adversary is likely to do and through our action anticipating what 
they wish to do.

How should our posture be improved to combat the threat of future 
Russian interference?
    First, we need to build a posture focused not just on Russia, but 
on revisionist actors across the globe. We need to focus on the effects 
on our national sources of power we wish to prevent. To achieve this 
outcome, we need an alignment of forces, capabilities development, 
operational tempo, and, critically, new authorities and decision-making 
processes that allow the Department to gain tactical, operational, and 
strategic initiative, continuously. We must operate in cyberspace 
globally and continuously, seamlessly shifting between defensive and 
offensive tactics to create an operational advantage--i.e., cyber 
initiative. By understanding our own vulnerability surface better than 
our enemies do, we can through resiliency and defending forward render 
much of their activity inconsequential. This can in turn help free our 
forces to focus on the truly consequential potential of strategic 
action below war, to disrupt and disable their cyber activities, 
creating enough tactical friction in our adversary's operations to 
shift their focus toward their own vulnerabilities and defending their 
own networks. This can produce a strategic effect for us.
    This will also require a new alignment with the private sector that 
makes a clear demarcation around protecting human speech. Bots cannot 
be afforded First Amendment rights. Trending on social media must 
reflect human majoritarian aggregation, and automated manipulation of 
that speech needs to be examined in our public policy. The Department 
should be enabled to disrupt foreign attempts at technical 
manipulation. 2016 was the Stone Age relative to the sophistication of 
cyber activities we are likely to see. Before the next presidential 
election, for instance, we will lose the capacity for audio-visual 
authentication due to Artificial Intelligence manipulation. We need 
policy changes to make the Department's capabilities more relevant to 
the private sector's defense.

What can the Department do to close the gaps--across the Federal 
Government and between state and local governments--that inhibit the 
protection of election infrastructure?
    First, it is critical to recognize that there are gaps and that our 
adversaries are likely to engage in operations that exacerbate them. 
These gaps exist in the authorities, roles and responsibilities that we 
have put in place for protecting the voting infrastructure, and exist 
in the absence of a plan for protecting the information space so that 
the competition of election campaigns can be conducted fairly by 
Americans. Based on open source reporting, most State election boards 
have not prioritized security and we 
have not aligned with the private sector social media platforms to 
produce a coherent plan of how Department resources could contribute to 
the nation's defense. Our current policy framework essentially rests on 
a reactive context. The Defense Support to Civil Authorities has not 
been construed in a proactive and on-going context of defense, which is 
what is needed to map to the realities of cyberspace. We cannot succeed 
with an emergency management/disaster relief/crisis framework that 
places us on the back foot and relegates action to `cleaning up on 
aisle nine.' We need to consider authorities that allow DOD, DHS, and 
our intelligence community to employ a coordinated strategy of cyber 
persistence as described above. If one considers the approaches 
emerging among all of our allies, particularly the British, Germans, 
Australians and Israelis, they are all moving toward increased policy 
and organizational coordination and synergy. They understand that the 
answer to the challenge of interconnectedness is not segmentation of 
roles, responsibilities, and authorities but synergies across pockets 
of expertise. The policy framing question you should ask yourselves in 
every discussion you have is whether the policy under question advances 
synergy or segmentation. If it is the latter it should be rejected; if 
it is the former it should be explored. Right now our approach to 
defending our electoral integrity rests on the principle of high 
segmentation. That will expose us to clever adversaries moving forward.

    Senator Rounds. Thank you, Dr. Harknett.
    Dr. Sulmeyer?

STATEMENT OF DR. MICHAEL L. SULMEYER, DIRECTOR, CYBER SECURITY 
 PROJECT, BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS, 
                       HARVARD UNIVERSITY

    Dr. Sulmeyer. Thank you, Chairman Rounds, Ranking Member 
Nelson, and distinguished members of the subcommittee. It is an 
honor to be with you today.
    Before I get to the military's role, however, I would like 
to note that I am part of a team at the Kennedy School's Belfer 
Center that released a report a couple hours ago. It is a 
playbook for State and local election administrators, and it 
has got steps they can take to improve the cybersecurity of 
systems that they administer. It is based on field research by 
a wonderful research team. Many, many students contributed. I 
am very lucky to have one of the wonderful students here with 
us today. Corina Faist has flown down to join us.
    So regardless of the role of the Department of Defense, 
these defensive improvements are essential. I want to make sure 
I hit that right up front. Those recommendations that we put 
out today complement our last playbook for political campaigns 
to also improve their cybersecurity. It is essential that we 
make our elections harder to hack and that we improve 
resiliency in case critical systems are compromised. But we 
should also consider how best to counter threats abroad before 
they hit us at home.
    So let me transition to how I see some potential roles for 
the military outside of the United States to protect our 
elections. There are two necessary conditions of posture that I 
see as critical: reconnaissance posture and force posture.
    First, reconnaissance posture. Our cyber mission forces 
should constantly conduct reconnaissance missions abroad to 
discover election-related threats to the United States and 
provide indicators and warnings to our forces and decision-
makers. There will never be sufficient resources to address all 
threats equally, so prioritizing threats to our democratic 
processes is critical. Otherwise, we cannot hope to disrupt 
these threats.
    On force posture, our forces must be sufficiently ready to 
strike, strike against targets abroad that threaten our 
elections. Readiness is a critical issue for our armed forces 
today, and I would encourage Senators on this subcommittee to 
ensure they are asking tough questions about the readiness of 
our cyber forces just as they would about any other part of our 
military.
    If the military's reconnaissance and forces are postured to 
focus on threats to our elections from abroad, there are four 
objectives that I think our forces should be prepared to 
pursue. It should go without saying that undertaking these 
actions should be consistent with international law and other 
relevant U.S. commitments.
    Those objectives are: first, preventing attacks from 
materializing; second, preempting imminent attacks; third, 
halting attacks in progress; and fourth, retaliating, if 
necessary, after an attack.
    On the fourth, let me just note I would emphasize that this 
retaliation needs to be timely. It has got to be timely since 
the more time that elapses after an adversary's initial attack, 
the harder it will be to message and communicate that our 
action is a direct response.
    Across those objectives, proper training, thorough 
rehearsals, and coordination with other parts of our government 
are essential. Bringing military capabilities to bear inside or 
outside of cyberspace is always a serious matter, so it is 
critical to ensure that rules of engagement and questions about 
authorities are settled well in advance of any order to strike. 
Here, I would note that some of our closest allies like the 
United Kingdom and Israel have undertaken some national-level 
organizational reforms to streamline responsibilities for cyber 
issues. We may at some point want to consider something similar 
here.
    One of the best cyber-related investments the Nation has 
made is in the national mission force, an elite group of 
network operators at Cyber Command. They defend the nation from 
an attack of significant consequence in cyberspace. I think it 
is very much worth considering what role the NMF [National 
Mission Force] can play to accomplish the objectives I 
described just now.
    I might note for Senators that I have not discussed 
deterrence much so far. I very much support calls to deter our 
adversaries from meddling in elections. Do not get me wrong. 
However, I would not want to bet the cybersecurity of U.S. 
elections on a policy of deterrence if I did not have to. 
Sometimes, like the prospect of defending against thousands of 
nuclear-tipped missiles, deterrence is the least bad option. 
That is not the case in cybersecurity. We have other options, 
like the ones I described just now, and we should employ them 
alongside strong policies of deterrence.
    Finally, I would just note that information derived abroad 
from reconnaissance should be shared with relevant parties at 
the State and local level. I want to commend the Department of 
Homeland Security for working hard to promote information 
sharing over the last few years.
    I would also like to encourage more thinking, especially 
among my colleagues in academia, to help Congress protect 
itself since Congress is so critical as a part of our 
democratic process, not just work accounts but also campaign 
accounts, personal accounts. These cannot be left vulnerable.
    That concludes my prepared testimony. I look forward to 
taking your questions.
    [The prepared statement of Dr. Sulmeyer follows:]

                 Prepared Statement by Michael Sulmeyer
    Chairman Rounds, Ranking Member Nelson, and distinguished members 
of the committee, it is an honor to be with you today. The need to 
protect the foundations of our democratic system is of vital 
importance, and there are several potential roles the military can 
play.
    I am proud to be part of a team at the Belfer Center that is 
releasing a new report in the coming days: a playbook for state and 
local election administrators with steps they can take to improve the 
cybersecurity of the systems they administer. Regardless of what roles 
the Department of Defense assumes, these defensive improvements we 
recommend are essential. These 10 recommendations reflect months of 
fieldwork by the research team, including several exceptionally 
talented students. They are:
      Create a proactive security culture,
      Treat elections as an interconnected system,
      Have a paper vote record,
      Use audits to show transparency and maintain trust in the 
elections process,
      Implement strong passwords and two-factor authentication,
      Control and actively manage access,
      Prioritize and isolate sensitive data and systems,
      Monitor, log, and backup data,
      Require vendors to make security a priority, and
      Build public trust and prepare for information 
operations.
    These recommendations complement our last playbook, which contained 
recommendations for political campaigns to improve their cybersecurity. 
Both reports can be downloaded from our website, belfercenter.org. It 
is essential that we make our elections harder to hack and to improve 
resiliency in case critical systems are compromised. Bolstering federal 
capacity to provide the kinds of support that state and local 
administrators request should be a priority.
    In addition to improving defenses and becoming more resilient, we 
should also consider how best to counter threats abroad before they hit 
us at home. To that end, let me transition to how I see some potential 
roles for the military in protecting our elections. I will focus my 
remarks on roles that the military could play outside of the United 
States.
    There are two necessary conditions of posture that I see as 
critical:
    1.  Reconnaissance Posture: Our cyber mission forces should be 
constantly conducting reconnaissance missions abroad to discover 
election-related threats to the United States and provide indicators 
and warnings to our forces and decision-makers. There will never be 
sufficient resources to prioritize all threats equally, so prioritizing 
threats to our elections and our democratic processes is crucial. If we 
do not prioritize collecting information abroad about election-related 
threats, then we cannot hope to disrupt them.
    2.  Force Posture: Our cyber mission forces must be sufficiently 
ready to strike against targets abroad identified by reconnaissance as 
threats to our election. Readiness is a critical issue for our armed 
forces today, and I would encourage the Senators on this committee to 
ensure they are asking tough questions about the readiness of our cyber 
mission forces just as they would about any other area of our military. 
Our forces must be ready to create different effects against a range of 
targets. Sometimes, they will not have much notice, so developing 
tactics that can be employed on the fly is important.
    If the military's reconnaissance and forces are postured to focus 
on threats to our elections from abroad, there are four objectives that 
our forces should be prepared to pursue. It should go without saying 
that undertaking these actions would need to be consistent with 
international law and other relevant U.S. commitments.
    1.  Preventing Attacks from Materializing: Based on election-
focused reconnaissance, U.S. cyber mission forces should develop 
options to disrupt the activities of those planning to meddle in our 
elections, and those who are in the early steps of doing so. Because 
these would be actions conducted by U.S. forces with a relatively long 
lead time, scenario-based plans should be developed and socialized with 
decision-makers so they are aware of the viability, risks, and benefits 
of different options.
    2.  Preempting Imminent Attacks: Reconnaissance abroad may provide 
indicators and warnings of an imminent cyber attack against election-
related infrastructure, campaigns, and media and social media 
platforms. Our forces can prepare to neuter those attacks before they 
commence. Such actions would need to be undertaken rapidly as 
opportunities to strike may be fleeting, so developing options in 
advance to deliver effects promptly when so ordered is essential.
    3.  Halting Attacks in Progress: There may be situations when an 
adversary has already established access to a system, is in the process 
of denying access to data by legitimate users in the United States, or 
is already conducting operations to inject misinformation or steal 
information. In these cases, our cyber forces should provide options to 
decision-makers to disable these attacks by taking actions outside of 
the United States at the source of an attack.
    4.  Retaliating after Attacks: If the United States suffers an 
attack on its election infrastructure and democratic processes, 
policymakers may request options to respond in a timely manner. I would 
place emphasis on timely retaliation, since the more time that elapses 
after the adversary's initial attack, the harder it will be to 
communicate that our action is a direct response to that attack.
    Across all of these objectives, proper training, thorough 
rehearsals, and coordination with other parts of our government are 
essential. Bringing military capabilities to bear, inside or outside of 
cyberspace, is always a serious matter, so making sure that rules of 
engagement and questions about authorities are settled in advance of 
any order to strike is critical. Here, I would note that some of our 
closest allies like the United Kingdom and Israel have undertaken some 
national-level organizational reforms to streamline responsibilities 
for cyber issues. We may at some point want to consider something 
similar.
    I always appreciated how the Armed Services Committee has been a 
champion of supporting the Department of Defense's cyber mission force. 
Through the last several National Defense Authorization Acts, this 
committee, and its counterpart in the House of Representatives, has 
empowered Cyber Command with unique authorities and has engaged in 
necessary civilian oversight. One of the best cyber-related investments 
the nation has made is in the National Mission Force, an elite group of 
network operators under the command of the Commander of U.S. Cyber 
Command. According to the 2015 DOD Cyber Strategy, their mission is to 
defend the nation from a cyber attack of significant consequence. I 
think it is very much worth considering what role the National Mission 
Force could play to accomplish the objectives I described.
    Senators might note that I have not discussed deterrence in this 
testimony. I very much support calls to deter adversaries from meddling 
in our elections. However, I would not want to bet the cybersecurity of 
U.S. elections on a policy of deterrence if I did not have to. 
Sometimes, like the prospect of defending against thousands of nuclear-
tipped missiles, deterrence is the least bad option. That is not the 
case in cybersecurity. We have other options, like the ones I described 
previously, and we should employ them alongside deterrence.
    Let me conclude with one final proposal for the military: when 
possible, relevant information derived from the reconnaissance it 
conducts should be shared with relevant parties at home. At times, some 
of this information may be useful to officials at the state and local 
level. I want to commend the Department of Homeland Security for 
working hard to promote information sharing over the last several 
years, and more recently to provide clearances to state officials so 
they have greater access to important information.
    That concludes my prepared testimony. I look forward to taking your 
questions.

    Senator Rounds. Thank you, Dr. Sulmeyer.
    First of all, let me thank all of you for some great 
insight, and I look forward to your thoughts in terms of the 
questions that we ask.
    What I would like to do is to do what we call 5-minute 
rounds here. We will alternate back and forth. Then after we 
have done that once through, if we have time, I would go back 
through and do a second round depending upon the amount of time 
that we have and whether or not other members come.
    Let me begin with mine. I am going to start with Dr. 
Harknett. You have written that restraint and reactive postures 
are not sustainable, that the United States needs a strategy 
that capitalizes on the unique attributes of the cyber domain. 
You have called for a strategy of cyber persistence where we 
are constantly engaged with our adversaries seeking to 
frustrate, confuse, and challenge.
    How would your strategy calling for persistent engagement 
apply in the Russian meddling with our election as an example? 
Should this involve us contesting the malicious behavior at its 
source? What do you believe are the consequences of our failure 
to respond in cyberspace to the Russian election interference? 
Because, number one, we have got to be able to provide 
attribution to where it is coming from, and hopefully we have 
got that completed. But give me your thoughts on it. What would 
you say would be an example of persistent engagement with 
regard to what they have done already and what we expect them 
to do?
    Dr. Harknett. Thank you, Senator.
    So let us think about the Internet Research Agency. Right? 
I mean, we know about this center in St. Petersburg. We know 
that it controls a series of automated bots that are driving 
particularly well conceived information operations that are 
meant to be divisive. I do not know why we are according or why 
we should accord First Amendment rights to bots. It is not a 
free speech issue. If we have evidence of foreign manipulation, 
technical manipulation, of the social media space, that is not 
what the American people, from an educated standpoint, actually 
understand is coming at them. They think that this is a 
majoritarian aggregator trending. It is telling me, hey, this 
is where everybody is going. But if that trend is being driven 
by automated foreign intrusion, that is not an issue over free 
speech. That is an issue of direct foreign manipulation.
    I agree with Dr. Sulmeyer. We need to have the 
reconnaissance, to your point about attribution. That is what 
persistence enables you to do, to start to get better at 
attribution. But we need to be able to move at the speed of 
relevance. So if in fact those bots are hitting us in a 
particular trend that is meant to be divisive, we should be 
able to have the capacity to at least disrupt if not disable 
that capacity.
    So we do know where some of these capacities lie. By being 
persistent in our reconnaissance, we will get a better 
understanding of what our vulnerability surface is. We have to 
think about it that way. We tend to think about an attack 
surface. That is from their perspective. We have to get a 
better handle on what our vulnerability surface is. By being 
able to understand where our vulnerabilities are and anticipate 
where their capabilities map to that, again, a product of being 
persistent in this space, we can start to take those 
capabilities away.
    Senator Rounds. Dr. Sulmeyer, do you agree with that?
    Dr. Sulmeyer. I do. I agree with the vast majority of what 
my colleague, Dr. Harknett, just said.
    For me, even just to get a little more specific, the kinds 
of options that I would want to be seeing presented need to 
allow decision-makers some flexibility from lower-level actions 
like denying troll farm access to compromised infrastructure, 
to deleting some accounts, to erasing some systems if it comes 
to it. It is too important to take options off the table ahead 
of time. So as long as the option space is kept open, we can do 
it persistently or less persistently, but a wide range of 
options.
    Senator Rounds. Mr. Butler, your thoughts?
    Mr. Butler. I agree with both Michael and Richard on this. 
I would say that we need to be asymmetrical in our response. So 
I am a big believer in botnet disruptions and taking down bot 
infrastructure, as we just saw with Levashov, but we need to do 
that in a continuous way and that is a symmetrical response.
    I think if you look at the Internet Research Agency in St. 
Petersburg, they are coupled to the Kremlin. You need to have 
an information operations counter-influence campaign where you 
begin to cut the funding and cut the support enablers behind 
that infrastructure. So we need to think about things 
differently. It should not be cyber on cyber, social media on 
social media. It has got to be a broader campaign.
    Senator Rounds. Ms. Conley?
    Ms. Conley. Yes. I will agree with absolutely the 
asymmetrical response. While trying to bring down the 
infrastructure of those bots, what they are doing, though, 
Russia exploits the weaknesses that it finds. So it is 
amplifying the weaknesses and divisions that are already 
appearing on social media. So how do we try to reduce the 
weaknesses?
    This, again, gets back to the critical importance of 
exactly what this committee represents, the bipartisanship, 
fact-based, and getting to communities through a variety of 
methods to help inform the American people so when they see a 
trending site, let us look at that. What is underneath that? 
The only way we can really stop this from changing hearts and 
minds among the American people is helping them discern what is 
coming. We can do everything we can technologically to 
eliminate it. But the other part is just missing. We are not 
educating.
    On the asymmetrical sanctions, my frustration--and I am 
sure many on this committee as well----
    Senator Rounds. I am going to ask you to shorten it up 
because my time has expired.
    Ms. Conley. Absolutely, sorry about that. Is to think about 
ways that we can focus on the Kremlin, on financial sanctions, 
on sanctioning the inner circle as ones attributable back to 
that, so not just in the cyber domain, focusing on financial 
sanctions and individual sanctions. That could be very powerful 
as well.
    Senator Rounds. Thank you.
    Senator Nelson?
    Senator Nelson. So all of you sound like that you just do 
not think enough has been done and that we are not ready. Dr. 
Harknett, you have said that 2016 was the Stone Age compared to 
what is going to happen. So do you want to trace what you think 
will happen?
    Dr. Harknett. Well, one of the things, back to the 
chairman's question about whether the lingering effects, is 
again we have got adversaries who are confident. There are 
other actors aside from Russia out there as well that are going 
to look at this space and say, hey, this is a space that I can 
play in and I can work in. Until we start to reverse that 
confidence, we are going to see greater experimentation.
    Technologically, I will give you one example, Senator. My 
concern with regard to leveraging artificial intelligence and 
machine learning. I mean, this will be a step function, thus my 
Stone Age allusion, from where we are. We are going to--within 
the next 16 months, I am going to be able to take you and put 
you in a video in which you are saying something that you never 
said in a place that you have never been, and you are not going 
to be able to authenticate that you were not doing--that you 
had not done that and not been there. Just think about that as 
a tool for an adversary who wants to engage in disruptive 
social cohesion types of information campaigns.
    Senator Nelson. Right.
    Dr. Harknett. That is around the corner.
    Senator Nelson. So, Ms. Conley, given that, you have 
already said that you do not think we have taken any positive 
proactive steps. Why do you think that is the case?
    Ms. Conley. I think the executive branch refuses to 
recognize the threat. It refuses to put forward a national 
whole-of-government, whole-of-society strategy and bring all 
the agencies and tools of influence to bear on this. We have to 
think of this as a direct threat to the national security of 
this country. It has to receive the priority.
    Also, to focus on what Dr. Harknett said, this is 
adaptation. If we are preparing for what Russia did in 2016, it 
will be very different in November. It will be very different 
in 2020. It will look more American. It will look less Russian. 
This is adaptation. We are already fighting the last war. We 
are not ahead of the new one, which is why I think education is 
so critical, that absent a U.S. Government approach, we are all 
going to have to do our part in our communities to inform the 
American people about the threat. It is unfortunate we cannot 
pull together and do this in a unified way.
    Senator Nelson. So if we cannot get the Government to move, 
are there any private initiatives that would help?
    Ms. Conley. What I am seeing is some very effective news 
literacy campaigns. I think, again, news sources, social media 
are doing fact checking. The pressure that Congress has brought 
to bear on the social media companies is changing their 
perspective. But, again, we are so late to need. This has been 
ongoing. This campaign is only intensifying, and we are just 
getting our arms wrapped around this. So this is where every 
Member of Congress has to return to their home district and 
talk about this in very clear ways.
    Senator Nelson. Amen to that.
    Dr. Harknett, on the example that you gave of the next 
level of technology, of which something can be created that 
looks real, acts real, feels real, et cetera, if Cyber Command 
were to adopt your thinking, knowing what the threat is even 
greater in the future, what would you suggest that they change 
the way that they are doing their operations?
    Dr. Harknett. I think it is very important to expand this 
notion of defending forward, this notion that we need to be as 
close to the source of adversarial capability and 
decision-making as possible. This is not a space in which time and 
geography is leveragable for defense. So when we think about 
the notion of front lines, the front lines are everywhere. 
Right now, our general approach has been to defend at our 
borders, at our network, which actually means that we start 
defending after the first breach, and we are already playing 
catch-up.
    So I concur with the notion of adaptability here. It is all 
about anticipation. So when Bob Butler talks about asymmetric, 
that is what I would talk about in terms of being able to be 
one step ahead. We have to be able to anticipate the 
exploitation of our vulnerabilities. You need to be able to be 
defending as far forward as possible. In terrestrial space, we 
defend forward. We are not defending forward in cyberspace 
right now.
    Senator Nelson. Thank you.
    Senator Rounds. Senator Gillibrand?
    Senator Gillibrand. Thank you, Mr. Chairman and Mr. Ranking 
Member, for having this hearing.
    Thanks to all of you for your testimony. I agreed with a 
lot of it.
    So to Professor Harknett, I appreciate your effort to 
redefine cyberspace and the challenges we face in operating 
within it. Were Russia to have bombed one of our States rather 
than attacked our election infrastructure, we would treat it 
just like an attack, as you said. But because of the way in 
which we set up our cyber capabilities, which we have done for 
good reasons, including privacy and States rights, it seems to 
me that the DOD is hamstrung in trying to properly respond to 
an attack on our democracy.
    I have asked this in many settings, and every single time 
they said it is not our job.
    So you argue that we need to consider authorities that 
allow DOD, DHS, and our intelligence community to employ a 
coordinated strategy of cyber persistence and recommend looking 
at approaches emerging among all of our allies. Can you expand 
on what kind of authorities we should be considering and what 
we might learn from our allies?
    I ask this because I have put this question to the 
Department of Defense in every setting we have had, any 
conversation about cyber, and every response is we do not have 
the authorities and the States rights issue. It is not our job. 
I cannot, for the life of me, understand why they do not see it 
as their job because if another country bombed any one of our 
States, then that is a declaration of war and we would have 
responded from the military. We are not doing that in this 
regard, and it seems really off-putting to me. Their response 
is often, that is Homeland Security's job. They can call us if 
they need us, but they have not. I understand why that is 
probably not the case because a lot of secretaries of state in 
a lot of States think it is their job, not anyone else's job, 
and they do not want to relinquish that control.
    So I would like your suggestions on how to write the 
authorities that you think are necessary, but also I have 
really tried to push National Guard as a possible place where 
this can be done because the National Guard already serves the 
States. They are already under control of the governors. So why 
not amplify what we are already doing with our National Guard 
and Reserve to give them the expertise in cyber but actually 
delegate this mission specifically to them in conjunction with 
all the other assets in the military?
    So to all of you, you can answer this question. You start, 
Dr. Harknett, since you addressed it a little bit in your 
opening remarks about what authorities can we give. How can the 
National Guard be useful, and how do we get this done? Because 
it is frustrating to me that we are not doing it.
    Then just a third thing to add to your answer. I do have a 
bill with Lindsey Graham to do a 9/11 deep dive style analysis 
of the cyber threat to our electoral infrastructure. It is a 
bipartisan bill. You know, whether we ever get a vote on it, I 
will never know, but that would be a great first step in my 
mind to at least just get a report and say these are the 10 
things you need to do to harden our infrastructure. So maybe 
comment on those three ideas.
    Dr. Harknett. Thank you, Senator.
    You mentioned our allies, and I think Michael had some work 
that he has been doing as well analyzing them. I think if you 
look at the UK [United Kingdom], for example, you look at the 
Israelis, you look at the Australians, their first default in 
cyberspace is to ask how do we find synergy, not segmentation. 
Our entire approach to this space has been starting with who 
has divided roles and responsibilities. So I think we can learn 
something from our allies right now in terms of their 
orientation to trying to find synergy rather than segmentation. 
That should be our first policy framework question.
    But in terms of authorities, I think there is a false 
debate, say, for example, between 10 and 50. So when I argue 
for a seamless notion, I am suggesting that we understand title 
10 and title 50 as actually mutually reinforcing, not defined 
as, again, segmentating. They segment in Congress in terms of 
oversight, and I get that, but they do not segment in 
operational space. We should actually understand and 
reinterpret, I would argue, those authorities to emphasize 
where a synergy and where there is seamless reinforcement 
rather than looking at those authorities as something that 
divides and puts us into different lanes.
    In terms of the National Guard, I think the cyber 
protection teams and force type of an approach would be 
appropriate. We need to get at this, Senator. So if that is the 
best mechanism, there is expertise at that level.
    Ms. Butler has talked about leveraging our private sector. 
Through National Guard, as well as Reserve, we have a capacity. 
If you look at the Brits, they are looking at cyber civilian 
reserve force. I think that is another interesting way of 
thinking about this.
    So ultimately if we need to do a deep dive, I think we do. 
Right? I think we have authorities that are structured for a 
terrestrial space that do not map to the realities of this 
human-made interconnected space. Authorities are what we should 
do last. We should figure out what our mission is. We should 
develop the organizations to pursue those missions, and then we 
should authorize them to do it.
    I would submit to you that one of the major problems that 
we have faced is we have been continually trying to shoehorn 
our cyber forces into existing authorities and working 
backwards from the way we should be working.
    Senator Gillibrand. Ms. Conley?
    Ms. Conley. Senator, I think the National Guard is an area 
that we absolutely should explore, and I mentioned it in my 
written as well as far as education, bringing together DHS, 
DOD, working with community leaders at the State and local 
level.
    On the 9/11 Commission style, cyber is a critical pillar of 
this, but it transcends it as well. We need to look at Russian 
economic influence. We have to look at a whole range not just 
of Russia as the adversary but other adversaries that will use 
cyber disinformation and economic. So please broaden that out. 
They will find any seam, State, federal, First Amendment, 
privacy. That is where they will be, and that is why we cannot 
get locked into those seams.
    Mr. Butler. Senator, I take it from two different angles. 
One is clean-sheet everything. What do you want to do? Let us 
refocus the authorities. Catherine Lotrionte's work here in 
looking at countermeasures is a great example of that. Her 
legal interpretation of the Tallinn Manual is very different 
than what most people are saying these days.
    The other thing is I am involved in exercises where I am 
blending physical and cyber together and looking at what we can 
do with physical authorities in cyberspace. So I am working 
with the Army Cyber Institute on an activity where we have a 
natural hazard and a nation state actor is manipulating inside 
of it. How do you get a rolling start? You can use our 
authorities. The military has the ability to use an immediate 
response authority to create a rolling start. We need to 
leverage. We need to reinterpret and leverage these kinds of 
things as we go forward.
    A part of that is the National Guard Bureau. We have 
unevenness within the stand-up of our National Guard activities 
both in the air and now with the Army. We have both cyber and 
information operations. I think we could create pockets of 
talent. I mean, Washington State has a phenomenal industrial 
control system security unit. Maryland has a fantastic unit 
where they leverage a lot of NSA [National Security 
Administration] expertise. We have got units spread around the 
country. We need to create a construct of cyber mutual 
assistance across boundaries, across State borders. Again, I 
think we can do that. We have just got to sit down and plan 
together a campaign in that regard.
    Senator Rounds. While the Senator's time has expired, if 
you could expedite your answer, we will let you finish up as 
well, sir.
    Dr. Sulmeyer. I will go real quick. I support all the 
goodness just said.
    Abroad, I do not believe the kinds of activities I 
described earlier need new authorities.
    On the deep dive, I would say great. The Belfer Center's 
work over the last year has tried to get a start on that. So we 
hope we can be of support.
    On coms and education, there is a part of me that wonders 
if that by saying "cyber," the response is help desk. By not 
describing it in a way about warfare and propaganda and foreign 
influence, we do a disservice to the real problem.
    Thank you.
    Senator Rounds. Senator Blumenthal?
    Senator Blumenthal. Thank you, Mr. Chairman.
    I want to thank all of you for being here. I am very 
familiar with the work done by the Belfer Center in particular, 
and thank you all for the work that is done by each of your 
organizations.
    I want to first tell you--you probably already know--that 
the immediacy and urgency of this task was reinforced this 
morning before the Senate Intelligence Committee where Dan 
Coats, the Director of National Intelligence, said, "There 
should be no doubt that Russia perceives its past efforts as 
successful and views the 2018 midterm elections as a potential 
target for Russian influence operations." That statement would 
be beyond conventional wisdom. It would be unnecessary to state 
because it is the consensus of our intelligence community. It 
has been broadly accepted by everyone except the President of 
the United States. In my view that is the elephant in this 
room, that the President refuses to acknowledge this threat to 
our national security.
    So I put that on the record simply because we can propose 
all the great ideas in the world. Some very good ideas, as a 
matter of fact, came from a report done by the Senate Foreign 
Relations Committee. It is a minority report by my colleague, 
then-Ranking Member Senator Cardin, called, "Putin's 
Asymmetric Assault on Democracy and Russia and Europe 
Implications for United States National Security." It makes 
some very good proposals.
    I would be interested to see the Belfer Center's release 
today, and in fact, without even having seen it, Mr. Chairman, 
I ask that it be made part of our record.
    Senator Rounds. Without objection.
    [The information referred to in Appendix A.]
    Senator Blumenthal. But I think we need to make progress on 
gaining acceptance at the highest levels of the United States 
Government--let me put it as diplomatically as possible--for 
the proposition that Russia attacked our democracy. In my view 
it committed an act of war. They are going to do it again 
unless they are made to pay a price for it, and that includes 
enforcing sanctions passed overwhelmingly by this body 98 to 2, 
still unenforced. So the talk about retaliatory measures in 
real time, Dr. Sulmeyer, I think is very well taken. But why 
should the Russians take us seriously when the President denies 
the plain reality of their attacking our country and the 
sanctions that would make them pay a price are still 
unenforced?
    All of that said, I want to raise another topic, which I 
think so far has been untouched, the social media sites, 
Facebook, Google. Let me ask each of you if you could comment 
on what their responsibilities are and how they are meeting 
them in this disinformation, propaganda campaign using bots and 
fake accounts which have been appearing on those sites. Mr. 
Butler?
    Mr. Butler. I think, Senator, the response--and I have 
talked with a couple of the web-scale companies about this--is 
aligning with what we have already seen in the counterterrorism 
fight. In that space what you see is them actively, proactively 
looking for disinformation, in the case of terrorism, of 
course, looking for recruitment. I think the challenge is 
guidance with regard to counter-narratives or alternative 
narratives in that space. That needs to be done with others. 
But I think that is where we need to head. They have the 
ability based on their reach and their fusion engines to really 
help us move much more quickly into active defense in this 
space and not just to do it from a cyber perspective but from a 
counter-influence perspective which I think is so critical.
    Senator Blumenthal. Thank you.
    Ms. Conley?
    Ms. Conley. Thank you, Senator.
    I would just note that building the awareness of what 
Congress has already done to force the social media companies 
to really take a very deep look at this has been very helpful.
    I would suggest to you that I think Russia will adapt their 
tools, that this will look more and more American, which will 
get more and more into First Amendment issues because that is a 
weakness to exploit here.
    So what I would commend, in the interest of being ahead of 
the curve and not behind it, is we start looking at how social 
media engines can start detecting what looks like it is 
American origin but it in fact is not. So that would be the 
next step I would recommend.
    Senator Blumenthal. Thank you.
    Dr. Harknett. I think we have to move away from a 
partnership model, to be perfectly honest with you. We have 
been talking about a public-private partnership for 25 years. I 
published about this 25 years ago. The problem is that 
partnerships require shared interest in the beginning of the 
morning. The private sector has a very specific interest: 
profit making. The state has a very specific interest: security 
providing. We should recognize and grant that they have a 
different interest.
    We need to move us to an alignment model. How do we 
structure incentives within the marketplace for them to achieve 
their primary objective, which is profit making, while 
producing an effect that the state requires, which is enhanced 
security?
    Until we actually start to think about how can we shape and 
incentivize that behavior and recognize that we actually have 
very different interests in this space--I mean, that is Strava 
fitness band company a few weeks ago produced a heat map that 
exposes all of our forward-deployed troops. I would submit to 
you that nobody at their board meeting, when they came up with 
this really great idea of releasing that heat map--and they 
said, look, our stuff is in the real dark places, and they 
thought that was really cool. Ten years ago, the intelligence 
capacity that a state would have had to have found all of our 
forward-deployed troops--think about that. This was produced by 
a fitness company.
    There are non-security seeking, security relevant actors in 
this space. That is the way we have got to think about them. 
Let us meet them on their grounds and start to get them to 
align towards the security needs that we have.
    Senator Blumenthal. Thank you.
    Dr. Sulmeyer. Briefly I would just note the interests are 
not aligned, and that is really the most essential part and to 
not treat them all the same. Not all the companies have gone 
through the same amount of self-reflection. Some have not; some 
have. We should be honest about that.
    Finally I do not think we should limit this to social media 
companies. There is a lot of companies up and down the stack, a 
lot of different types of people on the Internet who have an 
interest in this type of work.
    Senator Blumenthal. Thank you all.
    I apologize, Mr. Chairman. I have gone over my time.
    Senator Rounds. What I would like to do is another round. 
Okay? Let us do it this way. Let us do one more round so that 
everyone has an opportunity. We will make it 5 minutes. I would 
simply say that for those of us up on this end--and I went over 
as well--let us phrase it so that when we hit the 5 minutes, 
whoever is final speaking on it will have their--that will be 
the last one and we will move from there.
    So with that, let me just begin with this very quickly. 
Right now, we are looking at changing our hats, our dual hats. 
Right now, within the cyber community, we have a dual-hatted 
individual for both title 10 and title 50 operations and so 
forth. We are looking at separating those into separate items: 
title 10 one side, title 50 on the other. The cybersecurity 
side would be separated out from the NSA side and so forth. We 
had a lot of discussions over it. We were concerned at first 
that they were going to go very, very rapidly. Now there is the 
discussion about whether or not moving in this particular way 
is quick enough.
    I just want to know your thoughts about whether or not we 
are actually approaching the challenges that are facing us in 
the right way with regard to the organization of government as 
a whole. Can I just very quickly go across and just ask each of 
your thoughts about whether or not we are moving in the right 
direction as to how we are arranging so that we can respond to 
these types of threats? I will begin with Mr. Butler.
    Mr. Butler. Thank you, Senator.
    Let me start with the CYBERCOM/NSA issue. My sense is we 
are at a point where we have got enough of the infrastructure 
developed to really work within Cyber Command, that we are not 
as dependent as we once were on the National Security Agency.
    I think the other part of this is as we move forward with 
the kinds of influence strategies that we are talking about, we 
need to have a way of checking and understanding whether it is 
working. We need an activity that understands this space that 
can help Cyber Command make adjustments along the way.
    So I support the split and support where we are trying to 
go as we move forward. As we take a look at those two elements 
and we put it into a larger DOD IC [Intelligence Community] and 
whole-of-government, whole-of-America construct, I go back to 
what I put in my written statement. I think from my 
perspective, having been through this both in uniform and doing 
information operations campaign planning and where we are 
today, we need to get the best of America into this space. 
There is a role for DHS. The FBI is very engaged. There is a 
role for the Department of Defense that goes beyond the 
National Guard Bureau that ties in with the intelligence 
community. There is a role for trusted private sector partners 
in this space. As a matter of fact, you cannot scale without 
it. So I think we have to align.
    Senator Rounds. Thank you.
    Ms. Conley?
    Ms. Conley. The organizational structure gets to the reason 
why we needed a comprehensive 9/11-type commission because we 
are horribly structured for this particular challenge. It falls 
within the streams of law enforcement, intelligence, defense, 
education, awareness, and that is why we need a deeper dive to 
get to a reconfiguration. Just as we did after 9/11 with the 
DNI and DHS, we restructured ourselves. We need to do that 
again.
    Senator Rounds. Thank you.
    Dr. Harknett?
    Dr. Harknett. I fully concur that we should do that deep 
dive, and I would urge us to reconsider the split of the dual 
hat. I know that that is not the current view. This notion of 
my litmus test. Are you producing more synergy or are you 
producing more segmentation? There is not one of our allies 
that is moving in that direction.
    Senator Rounds. Let me just ask one question on that very 
quickly because one of the items was is that we know that on 
the title 50 side, on the NSA side, they love to be deeply 
embedded and they do not want to be seen. There is a real 
concern out there that if they actually actively and more 
persistent that they are constantly being seen, that that 
interrupts their capabilities to be the intelligence gatherers 
that they are. How do we then allow for that constant and 
persistent activity if they have the same concern about they 
would really rather not be seen? They just simply want to be 
the deep ears for us.
    Dr. Harknett. So I think having the dual hat enables that 
kind of determination to be made. The sensitivity of both when 
and where we are going to make certain tradeoffs and where that 
seamless between intelligence and----
    Senator Rounds. But it is not working today. Is it?
    Dr. Harknett. No. I think it can. I think it can, sir.
    Senator Rounds. But we do not have evidence.
    Dr. Harknett. But if you look at our adversaries, why are 
they not worried about burning capabilities? Why are they not 
worried about--we have had a high-end right kind of focus to 
all of this both in the recon phase and in the force phase that 
I think has actually been distorting of this space.
    Senator Rounds. I am going to move over very quickly 
because Dr. Sulmeyer has been shorted each time around here.
    Dr. Sulmeyer. You always pick on the Harvard guy.
    [Laughter.]
    Dr. Sulmeyer. I think we are back to different interests. 
The two different institutions have matured and now they have 
different missions, different jobs to do. The current 
structure, what you can say for it, is very efficient 
decision-making because it is one person who makes the decision. I think 
it is time, though, for two different and for an adjudication 
to be made for which priorities are going to take precedence 
each time.
    Senator Rounds. Thank you.
    Senator Nelson?
    Senator Nelson. But until we evolve into that new 
structure, we are stuck with what we have. We set up these 
Cyber Command national mission teams to disrupt the Russian 
troll farms, the botnets, the hackers, all engaged in attacks 
on our democracy, re the elections. We can identify them, the 
infrastructure they use. We can identify their plans, their 
operations. We can do everything that we can to stop these 
activities, but if you do not do anything, it is not going to 
happen. Until the existing structure that we have--the 
Secretary of Defense walks into the room and says, boss, and 
his boss is the commander-in-chief--until he says, boss, we 
have got to act, nothing is going to get done.
    So are we describing a situation that we are defenseless in 
this 2018 election?
    Mr. Butler. My sense, sir, is no. My recommendation is, in 
the homeland defense mission of the Department of Defense, we 
should stand up a JIATF [Joint Interagency Task Force] and move 
forward as we begin to move to another level, which would be a 
national security task force. But in the interim, this 
committee has jurisdiction. The Secretary has prerogatives to 
set up a JIATF in support of homeland defense. This is a 
homeland defense issue.
    Dr. Harknett. I would just add one. I think it is a defend 
the nation issue.
    Senator Nelson. I think you are right. I think this is as 
clear an attack on the country as if you lobbed a missile or if 
you lobbed an artillery shell.
    Senator Blumenthal wanted to ask the question. One of you 
had stated that it is going to morph into where the attacks are 
going to look more American. Would you expand on that, please?
    Ms. Conley. Senator, that was me.
    It is in part from some of the lessons we learned from the 
French presidential election. The last cyber attack, which 
happened within the last 24 hours of the campaign--it was a 
combination of both hacked emails from Macron's campaign, as 
well as made-up messages, and it was all mixed in between. What 
we understand--and I do not have access to classified briefings 
from our French colleagues--where the source came from looked 
like it was coming from the United States, from United States 
organizations. Some of this is tied into adaptation where they 
do not want it to look like a Russian bot. They do not want it 
to look Russian. They wanted to originate from other sources to 
confuse and make attribution questionable in those last few 
moments.
    So my intuition tells me that more and more of these 
attacks will look like they are coming from America. It will 
obscure attribution, and then people will say this is their 
First Amendment right to say these things and put forward 
these--that is the problem.
    Senator Nelson. How did the French counter that?
    Ms. Conley. Well, very gratefully, the French have a very 
unique--they have a blackout period 24 hours before an 
election. It is a reflection period. Because the French 
Government and intelligence agencies had made very clear 
repeatedly and publicly that this was likely to happen, French 
media were very responsible. They could not fact check the 
material in time. The reflection period would not move forward. 
In fact, that last major attack was really thwarted because 
both of a law but also a lot of French proactive steps to 
inform their public that this could happen.
    Senator Nelson. That was in the last 24 hours before the 
French election.
    Ms. Conley. So what had happened, it was the presidential 
election debate between Marine Le Pen and Emmanuel Macron. It 
was the Wednesday before the election on Sunday. In that 
debate, she began to hint that there may be some information 
about potentially Mr. Macron's overseas bank accounts and sort 
of hinted at this. Then about 24 hours later, the document 
release happened. So one could speculate that there was some 
coordination. But because it hit so late, it really did not 
have the impact. But, again, responsible media, Government 
warnings, and the reflection period all prevented something 
that, if it would have happened 72 hours before, may have had a 
different impact on that election.
    Senator Rounds. Senator Gillibrand?
    Senator Gillibrand. Thank you.
    Just following up on a couple things. You said the Belfer 
Center already has done a deep dive on how we were hacked and 
ways to prevent it. Is that true?
    Dr. Sulmeyer. Senator, the two reports are about the 
practices that campaigns and State and local officials can take 
based on field research about what they found as vulnerable and 
techniques that were effective in the past, so ways to shore up 
those defenses. It is not going to be that kind of a deep dive 
like you are----
    Senator Gillibrand. Have you distributed that to the 50 
States?
    Dr. Sulmeyer. I believe so, yes.
    Senator Gillibrand. Have you gotten comments or any 
response back?
    Dr. Sulmeyer. It went live today.
    Senator Gillibrand. So I would like to request that you 
brief this committee on what the responses are to each of those 
efforts to outreach the different States and a copy of the 
report for all committee members so that we have our own first 
draft of what our 9/11 deep dive might ultimately look like 
because this has to be done. It is striking to me that there is 
no sense of urgency by this administration. It is absolutely 
crazy as far as I am concerned. I want to work towards 
elevating this issue, and your work will help us do that.
    Dr. Harknett, you mentioned in your comments that bots do 
not have free speech rights. I could not agree with you more. 
So what kind of legislation do you think we could write or 
could be written to say we expect these platforms, whether it 
is Facebook or Twitter or Instagram or any other online 
community, to not sell its technology to fake entities who are 
posing as real people? The reason I say that is it is simple 
fraud, as far as I am concerned, because you are doing it for 
the purpose of changing someone's mind, distracting them, 
giving them false information. I believe it should be illegal 
under the same analysis that we have for fraud statutes. How 
would you go about trying to take away those free speech rights 
that are given to non-entities today?
    Dr. Harknett. Thank you, Senator.
    So I am not a lawyer, but I would build on what you just 
said. I think the notion of our default to fraud--so if in fact 
what you are trying to sell is trend, if that is the actual 
operative thing that you are trying to--then that actually 
should be capturing human behavior. We really have to think 
through--I mean, this is very tricky. But legislatively we have 
to separate out human behavior from automated behavior, and 
automated behavior can be classified as falsification of 
trending, if you wanted to capsulize it in that fashion. So I 
think the notion of understanding technical manipulation of the 
space is not smart marketing. It is manipulation and therefore 
should be out of bounds.
    Can I make one quick comment on your deep dive?
    Senator Gillibrand. Yes.
    Dr. Harknett. I would look as another example, Eisenhower's 
Solarium exercises back in the 1950s. President Eisenhower 
said, okay, what is going to be our macro level grand strategy? 
Set up three competing teams to come up with what those 
strategies should look like, and that is where containment and 
deterrence came from. It is an interesting alternative 
approach, but we get at the same sort of things that you are 
looking at.
    Senator Gillibrand. Like a national competition?
    Dr. Harknett. Well, he brought together three very specific 
groups of experts. They were given access to classified 
information, but they worked as independent teams. Then they 
were brought together to knock heads over what the best route 
to a grand strategy looks like.
    We do not have a cyber grand strategy, and we do not have a 
grand strategy for cyberspace. I can tell you the Chinese do. 
They have announced it. They are going to be the number one AI 
[Artificial Intelligence] country by 2030. We need to start to 
think in those kinds of grand strategic terms.
    Senator Gillibrand. Other thoughts?
    Mr. Butler. Yes. Senator, I would build on the Honest Ads 
Act. You have got elements in this particular legislation which 
gets to what we want online platforms to do. They can identify 
botnet infrastructure and are beginning to identify 
infrastructure that has origin in elements that are nefarious. 
I think I would add to that as one way of kind of tackling this 
issue.
    The second point. I do not want to disagree too strongly 
with my colleagues here, but I have worked in the private 
sector and I have worked on the public sector side. I know that 
there are models that can work to align incentives. The 
enduring security framework is a good example of that. We have 
had it work before. When you show private sector and national 
security government elements working together a threat of this 
magnitude and you provide some type of limited liability 
protection, you can get there. It took us a long time with 
Facebook, Twitter, and Microsoft to get to pulling terrorists' 
data offline, but they are doing it now. My sense is the sooner 
we get into this process with creating an alignment of not only 
incentives but understanding of the problem--and again, it is 
not with everyone. It is with folks who can do things on scale 
and really help us as a nation.
    Senator Gillibrand. Thank you.
    Thank you, Mr. Chairman.
    Senator Rounds. Thank you, Senator Gillibrand.
    First of all, let me just take this time to say thank you 
very much to all of our witnesses for your time. You spent an 
hour and a half with us today. It has been greatly appreciated. 
I would suspect that we will be speaking again in the future as 
we continue to learn more about the challenges and the threats 
that face our country. It is not going to get better. It is 
going to get worse. We all recognize that. Our challenge is to 
make sure that we have the right long-term strategies and that 
they are being properly implemented. As such, I think we have 
got a lot of work to do.
    With that, once again, thank you. Thank you for the 
participation of our members here today.
    At this time, this Subcommittee meeting is adjourned.
    [Whereupon, at 3:53 p.m., the Subcommittee adjourned.]



                     APPENDIX A

      
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]