[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                         [H.A.S.C. No. 116-14]

                                HEARING

                                   ON

                   NATIONAL DEFENSE AUTHORIZATION ACT
                        FOR FISCAL YEAR 2020

                                  AND

              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION
                               __________

       SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND
                          CAPABILITIES HEARING

                                   ON

                    FISCAL YEAR 2020 BUDGET REQUEST
                       FOR U.S. CYBER COMMAND AND
                        OPERATIONS IN CYBERSPACE
                               __________

                              HEARING HELD
                             MARCH 13, 2019
                                     

                              ___________

                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
36-300                    WASHINGTON : 2019                                        
  


   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES

               JAMES R. LANGEVIN, Rhode Island, Chairman

RICK LARSEN, Washington              ELISE M. STEFANIK, New York
JIM COOPER, Tennessee                SAM GRAVES, Missouri
TULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana
ANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas
RO KHANNA, California                AUSTIN SCOTT, Georgia
WILLIAM R. KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee
ANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin
CHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida
JASON CROW, Colorado, Vice Chair     DON BACON, Nebraska
ELISSA SLOTKIN, Michigan             JIM BANKS, Indiana
LORI TRAHAN, Massachusetts
                Josh Stiefel, Professional Staff Member
                Peter Villano, Professional Staff Member
                         Caroline Kehrli, Clerk


                            C O N T E N T S

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Chairman, Subcommittee on Intelligence and Emerging Threats and 
  Capabilities
Stefanik, Hon. Elise M., a Representative from New York, Ranking 
  Member, Subcommittee on Intelligence and Emerging Threats and 
  Capabilities

                               WITNESSES

Nakasone, GEN Paul M., USA, Commander, U.S. Cyber Command, and 
  Director, National Security Agency
Rapuano, Kenneth P., Assistant Secretary of Defense for Homeland 
  Defense and Global Security, and Principal Cyber Advisor, U.S. 
  Department of Defense

                                APPENDIX

Prepared Statements:

    Langevin, Hon. James R.
    Nakasone, GEN Paul M.
    Rapuano, Kenneth P.

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Ms. Stefanik

Questions Submitted by Members Post Hearing:

    Mr. Larsen


 
                FISCAL YEAR 2020 BUDGET REQUEST
                   FOR U.S. CYBER COMMAND AND
                    OPERATIONS IN CYBERSPACE

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
     Subcommittee on Intelligence and Emerging Threats and 
                                              Capabilities,
                         Washington, DC, Wednesday, March 13, 2019.
    The subcommittee met, pursuant to call, at 2:19 p.m., in 
room 2118, Rayburn House Office Building, Hon. James R. 
Langevin (chairman of the subcommittee) presiding.

 OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE 
 FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND 
               EMERGING THREATS AND CAPABILITIES

    Mr. Langevin. The subcommittee will come to order.
    I want to welcome everyone to today's hearing on the fiscal 
year 2020 budget request for the military operations in 
cyberspace. I was unavoidably detained, so I apologize to 
everyone for making you wait, but I am glad we could get this 
underway.
    Technology and the internet have fundamentally changed how 
citizens, the Nation, the military, and our adversaries in the 
world operate. We have more access to information and lower 
barriers to conduct commerce. We collectively benefit from the 
opportunities afforded by the technology that we incorporate 
into our lives. However, the connections that we rely on also 
create vulnerabilities and new potential avenues for our 
adversaries to exploit at our Nation's expense.
    Cyber, as we understand it in government, will always be 
something that creates risk to go along with its great promise. 
The issues that stem from our increasing dependence on 
technology will never be purely military or solely for the 
military to solve. Technology has increased the 
interconnectedness of our society, and the problems that have 
come with it will only be solved with interconnected, 
interdisciplinary approaches.
    The Department [of Defense] will have to work in new ways 
with stakeholders from agencies as varied as the Department of 
Commerce and the Department of Education and with 
nongovernmental stakeholders such as private industry and 
academia.
    The executive branch will have to work diligently to 
address and solve the cyber challenges facing the Nation. Yet 
this administration has taken actions that call into question 
the seriousness with which it views this emerging domain. Most 
notably, the administration eliminated the cybersecurity 
coordinator position at the National Security Council.
    Relatedly, there are several documents pertaining to cyber 
that Congress has repeatedly requested from the administration 
and has yet to receive. This includes recent guidance 
pertaining to operations in cyberspace. Such documents are 
important to creating a congressional framework for oversight. 
Withholding these critical documents from Congress impacts our 
ability to appropriately support the command and may have far-
reaching consequences for the National Defense Authorization 
Act.
    At the Cabinet level, the Department of Defense, the U.S. 
Cyber Command have no shortage of challenges in front of them, 
issues that often develop and change as fast as the 
technological landscape. Today we will hear about some of those 
challenges, including personnel recruitment and retention as 
well as efforts to protect critical infrastructure in tandem 
with domestically oriented departments and agencies.
    The Cyber Mission Force achieved full operational 
capability [FOC] last year. This was a notable event, but it 
would be a mistake to assume that FOC is synonymous with 
readiness. We must begin to examine the differing standards by 
which the services are training the teams and whether CYBERCOM 
[U.S. Cyber Command] is adequately fulfilling its mandate to 
set training standards and ensure compliance.
    Readiness is especially important in the context of the 
current strategic landscape, which has evolved significantly 
over the last year. In the fall, the DOD [Department of 
Defense] released a new cyber strategy that articulated the 
intent to defend forward and operate across the full spectrum 
of conflict through persistent engagement.
    DOD also completed the inaugural Cyber Posture Review. 
Under the auspices of new guidance from the administration and 
the new DOD strategy, CYBERCOM played a crucial role in 
defending the 2018 elections from interference.
    The military's actions in cyberspace were also enabled by 
multiple provisions in the fiscal year 2019 National Defense 
Authorization Act [NDAA]. This includes the provision to 
recognize the activities conducted in cyberspace as traditional 
military activities.
    The fiscal year 2019 NDAA also allowed the National Command 
Authority to take direct and proportional action in cyberspace 
against Russia, China, North Korea, and Iran upon determination 
of a cyberattack against the homeland or U.S. citizens.
    Congress and this subcommittee will continue to support 
military operations and provide the legal authority to enable 
CYBERCOM success against adversaries in cyberspace. However, we 
will also remain judicious in our oversight responsibilities to 
ensure that the Department operates in a manner that enhances 
stability in cyberspace and that is consistent with both 
congressional intent and American values.
    So I commend CYBERCOM for its efforts during the 2018 
elections. However, as a Nation, we can never rest on our 
laurels. We need to examine the strategic impacts that CYBERCOM 
operations and other whole-of-government efforts had on an 
actor seeking to interfere in our elections. Much like the 
traditional battlefield, we must measure the impact of our 
operations to assess our warfighting effectiveness toward the 
larger objectives and ensure that our strategic vision reflects 
the realities of our engagement in cyberspace.
    CYBERCOM's ability to execute its operations is closely 
tied to and enabled by its partnership with the National 
Security Agency [NSA]. These organizations will always have a 
robust partnership given the dynamism of cyberspace and NSA's 
deep expertise and enabling role in military cyberspace 
operations.
    At this time, there is still one individual that leads both 
of these organizations. This arrangement is quite unique within 
the national security establishment and the intelligence 
community. However, this arrangement allows for the CMF [Cyber 
Mission Force] to mature, enables better synchronization of 
cyberspace operations, and permits proper consideration of the 
intelligence and military objectives in the domain.
    Before any significant changes are implemented in the dual-
hat arrangement, this subcommittee expects a robust 
understanding of how and why it is necessary to split the 
leadership function of NSA Director and CYBERCOM commander. I 
believe it would be premature to split these organizations in 
the immediate future.
    CYBERCOM is a maturing organization, and I am proud of the 
work that we have done on the subcommittee to support its 
maturation. I have often said that we will never again see 
modern warfare without a cyber component, so CYBERCOM's 
continued development will remain an urgent priority.
    But it is therefore important that we build for the long 
term with this sustainable, scalable approach to integrating 
CYBERCOM into DOD operations and into our whole-of-government 
approach to protecting our Nation's cyberspace. This is no 
small task, especially given the newness of this domain. But 
working together with full transparency, I am confident that we 
can head off any problems early and ensure that we reap the 
benefits of a free, open, interoperable, and secure internet.
    Before I close, I want to just introduce our two witnesses, 
which I will do in just a minute. But before I do that, I am 
going to turn it over to the ranking member for her comments.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 33.]

STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW 
YORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING 
                    THREATS AND CAPABILITIES

    Ms. Stefanik. Thank you, Chairman Langevin. Welcome to our 
witnesses. Secretary Rapuano, welcome back to the committee. 
And General Nakasone, welcome to your first posture hearing 
since assuming command in May of last year.
    It is fitting that we begin our fiscal year 2020 posture 
hearing series with cyber policy and U.S. Cyber Command, given 
the importance of this topic to our overall national security 
and, indeed, our society as a whole.
    The Director of National Intelligence [DNI] in his most 
recent Worldwide Threat Assessment stated, quote, ``At present, 
China and Russia pose the greatest espionage and cyber attack 
threats, but we anticipate that all our adversaries and 
strategic competitors will increasingly build and integrate 
cyber espionage, attack, and influence campaigns into their 
efforts to influence U.S. policies and advance their own 
national security interests,'' end quote.
    In our oversight role as a subcommittee, we have seen China 
and Russia aggressively leverage and integrate cyber 
information and communication technologies in a seamless way, 
while also utilizing top-down, government-driven agendas and 
strategies. As I have said before, dictators have that 
advantage, and their use of technologies and information is as 
much about exerting control over their own populations as it is 
confronting free societies like ours.
    Since our last Cyber Command posture hearing and over the 
course of the last year, a lot has happened. Given this, I 
consider us to be at a major inflection point. We have seen 
Cyber Command fully elevated as a functional combatant command, 
and the force has achieved full operational capability, or FOC.
    Recent changes to Presidential cyber policies and 
strategies, as well as authorities granted in the NDAA, have 
focused the mission set, yielded impressive operational 
results, and postured our Nation for strategic challenges 
ahead. And while we have seen these successes, the DNI's recent 
testimony reminds us that our adversaries are not giving us any 
room to breathe.
    Case in point: While many of our recent operational 
successes have been related to securing our 2018 midterm 
elections, I can assure you that the adversarial influence 
campaign for the 2020 elections is already underway.
    Further, while most of our cyber forces are fully capable 
on paper, they are not fully ready in practice. Standards and 
capabilities have yet to be defined and understood across each 
of the services. Relationships and responsibilities are still 
being worked out between Cyber Command, regional combatant 
commanders, and each of the services.
    In short, we continue to mature, and the road ahead to true 
cyber readiness remains long. I am confident that our witnesses 
before us today fully understand these challenges and I look 
forward to our dialogue.
    It is worth noting that our military cyber forces are only 
as good as the technology they depend on, and if we don't 
concurrently modernize our information and communication 
technologies across the Department, we will continue along with 
one hand tied behind our back.
    And when I think about the promise of emerging and 
revolutionary technologies such as artificial intelligence, 5G, 
high-performing computing, and even quantum computing, my 
enthusiasm is unfortunately dampened when I am reminded of our 
Achilles' heel that is the Department's outdated and vulnerable 
IT [information technology] infrastructure.
    So in our conversation today and moving forward, as we 
build the National Defense Authorization Act for fiscal year 
2020, we must continually keep in mind that IT modernization, 
cybersecurity, and information assurance are primary 
prerequisites for the future of warfare, where information and 
data are strategic resources to be fully protected, preserved, 
and enabled.
    The Department can and must do better in this area. As 
before, I trust each of our witnesses here today understands 
these challenges.
    Lastly, I would be remiss if I didn't mention the 
importance of congressional oversight of current operations, 
including cyber operations. Now, more than ever, it is critical 
that the DOD communicates with this committee early and often 
on all aspects of cyber operations and related intelligence 
activities.
    This will ensure that we, as your principal oversight 
committee, remain fully and currently informed so that we can 
resource you properly and provide relevant authorities that 
allow us to stay well ahead of our adversaries in cyberspace 
and information warfare.
    I look forward to talking about that in our closed 
classified session. We have a lot to talk about. So again, 
thank you, and I yield back to Chairman Langevin.
    Mr. Langevin. I want to thank the ranking member.
    I want to now welcome our witnesses here today, starting 
with Mr. Kenneth Rapuano, who serves as both the Assistant 
Secretary of Defense for Homeland Defense and Global Security 
and as the Principal Cyber Advisor to the Secretary of Defense.
    Prior to returning to government service, Mr. Rapuano 
worked for the federally funded research and development 
corporations, focusing on issues related to homeland security, 
counterterrorism, and countering weapons of mass destruction.
    Mr. Rapuano served as the Deputy Homeland Security Advisor 
in the George W. Bush administration. He served 21 years in 
Active Duty and the Reserves as a Marine Corps infantry and 
intelligence officer, and we want to welcome Mr. Rapuano here 
today.
    Also, General Paul Nakasone serves in three capacities 
currently: Commander of U.S. Cyber Command, Director of the 
National Security Agency, and the Chief of the Central Security 
Service.
    Before his current role, he commanded U.S. Army Cyber 
Command and has served as a career intelligence officer through 
his 32 years in uniform. This is General Nakasone's first 
appearance before the subcommittee since assuming command of 
CYBERCOM.
    General Nakasone, it is a pleasure to welcome you here 
today.
    And I thank both of you for your service to the country and 
thank you again for being here today.
    As a reminder, after this open session, we are going to 
move into room 2216 for a closed, member-only session.
    So with that, before opening statements, though, I do have 
to note that Secretary Rapuano's statement was delivered only 
this morning. That is more than 40 hours past the committee 
rules deadline and only 6 hours before the start of this 
hearing. Getting the testimony that late does the subcommittee 
a disservice, and really it does the Department a disservice.
    I know that there are many hoops that you have to go 
through before the statement in the interagency is approved, 
but that is way past the time that is acceptable, especially 
given the importance of today's topic and the subcommittee's 
continued interest in advancing our Nation's cyber 
capabilities.
    So although I am going to allow for the reading of the 
statement today, in the future I expect full compliance with 
the committee rules, as outlined by the staff and as outlined 
in your official invitation letters.
    So with that, we will now hear from our witnesses and then 
we are going to move to the question-and-answer period.
    Secretary Rapuano, we will start with you.

STATEMENT OF KENNETH P. RAPUANO, ASSISTANT SECRETARY OF DEFENSE 
 FOR HOMELAND DEFENSE AND GLOBAL SECURITY, AND PRINCIPAL CYBER 
                 ADVISOR, DEPARTMENT OF DEFENSE

    Secretary Rapuano. Thank you, Chairman Langevin, Ranking 
Member Stefanik, and members of the committee. I am pleased to 
be here with General Nakasone, Commander of U.S. Cyber Command, 
to report on the significant progress the Department of Defense 
has made over the last year in regard to cyber strategy and 
operations.
    Over the last year, the Department published a new, more 
proactive strategy for cyberspace and is moving forward with 
implementation of that strategy, using the first-ever Cyber 
Posture Review and the elevation of U.S. Cyber Command.
    Our new approach has been enabled by the issuance of new 
Presidential guidance on cyberspace authorities and 
legislation. We leveraged all of these tools last year as we 
worked with our partners to ensure the security of the 2018 
U.S. midterm elections.
    The DOD Cyber Strategy makes clear that the ongoing 
campaigns of malicious cyber activity conducted by states like 
China and Russia are a strategic threat. Our competitors are 
conducting long-term, strategically focused campaigns in and 
through cyberspace that include stealing sensitive Department 
of Defense information to undermine our military advantages and 
place our critical infrastructure at risk.
    For this reason, DOD Cyber Strategy embraces a proactive 
and assertive approach during day-to-day competition to deter, 
disrupt, and defeat these threats. Our systems must be cyber-
hardened, resilient, and secure. We must defend national 
critical infrastructure from attacks, a new area of emphasis 
for the Department of Defense, and secure Department of Defense 
information wherever it resides.
    This strategy prioritizes expanding cyber cooperation with 
our interagency, industry, and international partners to 
advance our mutual interests. The Defense Cyber Strategy 
mandates that the Department of Defense cyberspace forces must 
be defending forward, disrupting threats at the source before 
they reach U.S. networks. The Department must routinely operate 
in non-U.S. networks in order to observe threats as they are 
forming and have the ability to disrupt them.
    This is critical to increasing military readiness. We 
cannot be fully prepared to take effective action in a 
potential conflict unless we have already developed the tools, 
accesses, and experience through our actions day to day.
    We have worked in partnership with Congress to ensure that 
the authorities and policies currently in place governing 
cyberspace operations enable our strategic approach to 
competing and prevailing in this domain.
    Several changes during 2018 have been particularly 
impactful. This includes the President's approval of an updated 
policy on U.S. cyber operations.
    The 2019 NDAA affirms the President's authority to counter 
active, systemic, and ongoing campaigns in cyberspace by our 
adversaries against the government and people of the United 
States, as well as clarifies that certain cyber operations and 
activities are traditional military activities. Thank you very 
much for your support.
    We have also focused on how our cyber forces operate in the 
homeland. For example, we are currently reissuing a memorandum 
detailing how National Guard personnel can use certain DOD 
information, networks, software, and hardware for cyberspace op 
[operation] activities in State status.
    We have also devoted focused attention during the last year 
to building and enhancing our relationships with other U.S. 
Government departments and agencies, industry, and our allies 
and partners. Last year, the Department signed a joint 
memorandum of understanding with the Department of Homeland 
Security detailing how our two departments can cooperate in 
order to secure and defend the homeland from cyber threats.
    The theft of sensitive DOD information from our defense 
industrial base [DIB] is something that puts our future 
military technological advantage at risk. DOD is intensifying 
its efforts with industry and across the U.S. Government to 
implement cybersecurity protections and to share cyber threat 
information with our DIB partners.
    The Department continues to work to strengthen the capacity 
of our international allies and partners to increase DOD's 
ability to leverage its partners' unique skills, resources, 
capabilities, and perspectives to enhance our cybersecurity 
posture.
    We advocate for our allies and partners to secure their 
telecom networks and supply chains. We are also pressing our 
global partners to hold states that are acting irresponsibly in 
cyberspace accountable for their actions.
    The Cyber Posture Review [CPR] identified gaps between 
where we are today and where we need to go to achieve our 
strategic objectives and drove the development of actionable 
lines of effort that are guiding the work of our Principal 
Cyber Advisor [PCA] team.
    For example, the CPR made it clear that when it comes to 
cybersecurity we need to more effectively prioritize how we are 
spending money, allocating resources, and how we recruit and 
retain the most qualified people.
    Our PCA team has also worked with the DOD Chief Information 
Officer to identify the top 10 areas where we face the greatest 
risk. We are currently working through pilot programs to 
complete and implement solutions for these challenges.
    Another new Department initiative is the Protecting 
Critical Technology Task Force, established last year to 
integrate and accelerate the disparate DOD technology 
protection activities occurring across the Department and 
develop new, innovative solutions for currently unaddressed 
problems.
    In conclusion, our new strategy has provided us with a 
roadmap for achieving our objectives in cyberspace, which we 
are rapidly implementing. We have expanded authorities that 
enable our mission to defend forward, and we are doubling down 
on collaborating with other departments and agencies, industry, 
and international partners and allies.
    I look forward to working with you and our critical 
stakeholders to ensure that the United States military will 
continue to compete, deter, and win in cyberspace.
    Thank you.
    [The prepared statement of Secretary Rapuano can be found 
in the Appendix on page 36.]
    Mr. Langevin. Thank you, Mr. Secretary.
    General Nakasone, the floor is yours.

 STATEMENT OF GEN PAUL M. NAKASONE, USA, COMMANDER, U.S. CYBER 
        COMMAND, AND DIRECTOR, NATIONAL SECURITY AGENCY

    General Nakasone. Chairman Langevin, Ranking Member 
Stefanik, and distinguished members of the committee, thank you 
for your enduring support and the opportunity to testify today 
about the hardworking men and women of the United States Cyber 
Command. I am honored to lead them. I am also honored to sit 
alongside Assistant Secretary of Defense Rapuano.
    As the commander of U.S. Cyber Command, I am responsible 
for conducting full-spectrum cyberspace operations supporting 
three mission areas: defend the Nation against cyber threats, 
defend the Department of Defense information networks, and 
enable our joint force commanders in pursuit of their mission 
objectives.
    In the cyber domain, we are in constant contact with our 
adversaries, who continue to increase in sophistication and 
remain a threat to our national security interests and economic 
wellbeing.
    The National Security Strategy highlighted the return of 
great power competition. Beyond the near-peer competitors of 
China and Russia, rogue regimes like Iran and North Korea 
continue to grow their capabilities. Using aggressive methods, 
adversaries have until recently acted with little concern for 
consequences.
    The DOD Cyber Strategy identifies the need to defend 
forward during day-to-day competition with our adversaries. 
This strategy aims to maintain our superiority in cyberspace 
through protection of our critical infrastructure and networks. 
At U.S. Cyber Command, we implement the DOD strategy by 
adopting an approach of persistent engagement, persistent 
presence, and persistent innovation.
    This past year witnessed the elevation of U.S. Cyber 
Command to combatant command status, the opening of our 
Integrated Cyber Center, and our shift from building the force 
to the readiness of the force.
    The defense of the 2018 midterm elections posed a 
significant strategic challenge to our Nation. Ensuring a safe 
and secure election was our number one priority and drove me to 
establish a joint U.S. Cyber Command-National Security Agency 
effort called the Russia Small Group.
    The Russia Small Group tested our new operational approach. 
With direction from the President and the Secretary of Defense, 
the Russia Small Group enabled partnerships and action across 
the government to counter a strategic threat.
    Our response demonstrated the value of a tight-knit 
relationship between U.S. Cyber Command and the National 
Security Agency, bringing together intelligence, cyber 
capabilities, interagency partnerships, and our willingness to 
act.
    Through persistent engagement, we enabled critical 
interagency partners to act with unparalleled coordination and 
cooperation. Through persistent presence, U.S. Cyber Command 
and NSA contested adversarial actions, improving early warning 
and threat identification in support of DHS [Department of 
Homeland Security] and the Federal Bureau of Investigation.
    Beyond the interagency, we partnered and engaged with 
allies in public and private sectors to build resiliency. For 
the first time, we sent our cyber warriors abroad to secure 
networks outside of the DOD Information Network. Our operations 
allowed us to identify and counter threats as they emerged to 
secure our own elections and prevent similar threats 
interfering in those of our partners and allies.
    The Russia Small Group effort demonstrated that persistent 
engagement, persistent presence, and persistent innovation 
enable success. Effective cyber defense requires a 
whole-of-nation effort. Our actions are impacting our adversaries. Our 
shift in approach allows us to sustain key competitive 
advantages while increasing our cyber capabilities.
    As we review lessons learned from securing the 2018 midterm 
elections, we are now focused on potential threats we could 
face in 2020.
    Looking forward, we need to continue to build a warrior 
ethos, similar to other warfighting domains. Cyber warriors are 
and will continue to be in constant contact with our 
adversaries. There are no operational pauses or sanctuaries. We 
must ensure sufficient capacity and capability, people, 
technology, and infrastructure, which we are decisively focused 
on now.
    Through persistent presence, we are building a team of 
partners that enable us and them to act more effectively. The 
complex and rapid pace of change in this environment requires 
us to leverage cyber expertise broadly across public and 
private sectors, academia, and industry. Therefore, we aspire 
to increase our effectiveness and capabilities through 
persistent innovation across these partnerships.
    Cyber defense is a team effort. Critical teammates such as 
the National Guard and Reserve are integral parts of our cyber 
force. They provide strategic depth and provide the Nation a 
reserve capacity of capable cyber warriors.
    Finally, improving readiness is my key focus area. I 
continue to work with the services and the Department to 
accurately measure and maintain readiness, manning, training, 
equipping, and an ability to perform the mission.
    After a year of change and progress, we see 2019 as the 
year of opportunity. We have much work ahead of us as CYBERCOM 
matures. I assure you that our people merit the trust you have 
placed in them and that, with your support, they will 
accomplish a task that our Nation expects.
    Thank you again for inviting me here on behalf of U.S. 
Cyber Command and for your continued support. I look forward to 
your questions.
    [The prepared statement of General Nakasone can be found in 
the Appendix on page 50.]
    Mr. Langevin. Thank you, General.
    I want to thank both General Nakasone and Secretary Rapuano 
for your testimony.
    We are going to now go to questions, myself and then the 
ranking member, and then we will go to members in the order of 
their appearance according to seniority.
    General, let me start with you. You assessed one year ago 
to the Senate Armed Services Committee that the Cyber Mission 
Force and all of its--133 of its teams would be fully 
operationally capable by June of 2018. Yet, given the different 
training regimes, the services, there are differences among the 
teams themselves.
    So I just wanted to say, how do you set performance metrics 
for the 133 teams within the Cyber Mission Force, and how does 
Cyber Command assess and measure the readiness of all of its 
teams?
    General Nakasone. Chairman, with regards to readiness, we 
take a look at two factors: first of all, a measure of 
quantity, and, secondly, a measure of quality.
    The measure of quantity is very familiar to all of the 
military services. It is the manning, the training, the 
equipping of a force. It is very easy to calculate it. It is 
one that our services excel at.
    One of the things that we have done at U.S. Cyber Command 
is establish a joint training standard. That is very important 
to get at the point of your question with regards to leveling 
the playing field. One joint standard is important for all our 
teams to be able to operate under. So whether or not it is a 
Marine team, an Army team, an Air Force team, that same 
training standard has been established by U.S. Cyber Command.
    I mentioned the quantity aspect. Let me now shift to the 
quality aspect of how we measure readiness. We can have all the 
teams that are fully manned, fully equipped, and fully trained, 
but if you don't have the access, if you don't have the 
authorities, if you don't have the intelligence, if you don't 
have the platform, if you don't have the capabilities to 
accomplish your mission, that is something in cyberspace that 
puts you uniquely in a very, very difficult position.
    So I see that measurement of both quality and quantity as 
something we will continue to work towards at U.S. Cyber 
Command.
    Mr. Langevin. So let me ask this other follow-up question. 
So how do you ensure that the teams also are continuously 
trained and then certified and recertified and prepared for the 
missions at the individual and the team levels? Since we can't, 
you know, believe that, you know, it is one and done once it is 
certified, but, again, the recertification process.
    General Nakasone. Chairman, I think you are speaking of 
collective training, as we take a look at how our teams are 
able to perform together. We evaluate that through a number of 
different mannerisms.
    First of all, the ability to do a real-world mission, being 
able to evaluate what they are doing on a daily basis. Also 
within exercise. We have a series of exercises that are set up 
where we are able to measure the training standard of that 
team. And then finally, we set parameters in terms of ensuring 
each team has annual evaluations by third parties. This is 
something that we have instituted over the past several months. 
I think it is very effective in terms of being able to take a 
snapshot in time.
    However, with that being said, let me make sure that I 
reiterate, the teams that we have today are operating every 
single day against our adversaries. They are very, very capable 
people, and we will continue to measure their capability. But 
one of the benefits of working at U.S. Cyber Command is there 
is never a lack of training opportunities. It is real world 
every single day.
    Mr. Langevin. Thank you. And again to you, General, in your 
prepared testimony, you noted the incalculable value of the 
CYBERCOM-NSA relationship when discussing Joint Task Force 
Ares.
    Last Wednesday, Defense One ran a story that you 
recommended to then-Secretary Mattis in August 2018 that NSA 
and CYBERCOM be split in 2020. Can you comment on the veracity 
of the story? And if the story is accurate, can you please 
explain your recommendations?
    General Nakasone. Chairman, a year ago, when I testified 
for my confirmation hearings, one of the points that I made in 
both the Senate Armed Services Committee and the Senate Select 
Committee on Intelligence was that in my first 90 days as both 
the commander and the director, I would conduct an assessment 
of the dual hat and provide those recommendations to the 
Secretary of Defense and the Chairman of the Joint Chiefs. I 
completed that assessment in August. The assessment was 
classified, and it was provided to the Secretary and the 
Chairman.
    I am familiar with the article. I will tell you that the 
article is not accurate and that, you know, the topics and the 
actual facts behind that are classified. And so if I could save 
that, perhaps, for closed testimony.
    Mr. Langevin. Fair enough. Thank you. We will follow up on 
that then, sure, in the closed session.
    To Mr. Rapuano, can you describe DOD and specifically 
CYBERCOM's support to homeland defense, specifically as it 
relates to the defending-forward concept in the strategy? How 
is the Department supporting DHS efforts in coordinating with 
FBI [Federal Bureau of Investigation]?
    And how does the Department coordinate with the 
Cybersecurity and Infrastructure Security Agency at DHS, which 
has the lead role in protecting civilian government and 
critical infrastructure?
    You know, I think it is important for people to understand, 
we talk about defending forward and being more proactive, who 
has responsibility for what though. You know, what is critical 
infrastructure supposed to do on their own? What is DHS--what 
is their responsibility? And then also what is DOD, CYBERCOM, 
NSA's responsibility in all of this, and how does it fit 
together seamlessly?
    Secretary Rapuano. Thank you, Chairman Langevin.
    I would start by saying, of course, that the one mission 
that only DOD has the authority, capabilities, including the 
breadth and scope, to conduct is warfighting overseas, 
addressing adversaries overseas and threats overseas.
    That said, we have a renewed focus on supporting our fellow 
agencies domestically. We really start that in a tri-approach.
    First is sharing intelligence and warning, and we do that 
with the Department of Homeland Security and the FBI. And they 
provide that information, DHS, to State and local governments; 
and the FBI, to commercial and other entities.
    We defend forward in terms of identifying the source of 
malevolent cyber activities that are threatening U.S. critical 
infrastructure or other equities, including malign-influence-
type activities that were a significant concern during the 
recent elections process.
    We also have the defense support to civil authorities. As I 
noted in my statement, we have a memorandum of understanding 
with DHS to facilitate and expedite our defense support to 
civil authorities, including DHS but other agencies as well, 
when they have needs that go beyond what their capacity is to 
respond to a particular circumstance or threat associated with 
cyber.
    So we are working closely with them. I met with their 
leadership this week. We meet routinely now to discuss how we 
move forward, to discuss priorities. We are adding details in 
terms of how we can facilitate and expedite different levels of 
support, how we can develop and maintain real-time, full-time 
connectivity with the Department. We have detailees who perform 
those kind of roles, and we are looking to instantiate it in 
the longer-term context.
    Mr. Langevin. Thank you, Secretary.
    The Chair now recognizes the ranking member for questions.
    Ms. Stefanik. Thank you.
    Secretary Rapuano, you mentioned that the new cyber 
strategy highlights defend forward and persistent presence as 
major aspects of our new posture. And your statement also 
outlined some of the steps we are taking to shift to this 
footing.
    But from a policy perspective and with respect to 
escalation dynamics, have we thought about potentially when and 
if this more forward and persistent posture could be 
interpreted as escalatory in nature by our adversaries and 
perhaps preemptively trigger escalation or retribution?
    Secretary Rapuano. Absolutely. Escalation is a significant 
concern with all military operations.
    In what we call activities in the gray zone or below the 
spectrum of armed conflict, cyber is an especially attractive 
tool to our adversaries. And we have noted China and Russia as 
significant concerns in that context, and we see them applying 
asymmetric warfare below the spectrum of conflict against us.
    We have come to the conclusion--and that is what informed 
the strategy--that continuing to not respond to those behaviors 
and those threats that will manifest in a cumulative context--
no one of these activities has clearly crossed that line in 
which a kinetic or military strike would be a response. So if 
we ignore them, they will continue them, and they will 
undermine our security in a strategic way.
    We have a process that is very risk-based in terms of 
informing the risk-benefit assessment associated with how we 
target malevolent activities, how we achieve access. It is a 
process mentioned that was enshrined in the Presidential 
memorandum providing policy guidance to the process that takes 
place.
    The first requirement is a Presidential determination for 
certain types of operations. That then goes into a coordination 
process in terms of engaging on the development of the concept 
of operations, particularly with those agencies with the most 
equities involved. And then, ultimately, there is a 
deconfliction execution process in terms of, if there are 
conflicts between key equities or elements or there are 
concerns, for example, about the potential for unintended 
escalation, those issues are addressed.
    So we do have a very thoughtful process but also a process 
designed to operate with the speed of relevance.
    Ms. Stefanik. Thank you.
    General Nakasone, what exactly does our cyber posture look 
like when we defend forward with persistent engagement? Does 
this simply mean that we are positioned to conduct more 
offensive operations or positioned to conduct more collection 
activities?
    And when you answer that, can you also touch upon the 
interagency aspects and how we work with our international 
partners?
    General Nakasone. Ranking Member Stefanik, if you think 
about persistent engagement, I would offer two different 
components that are very, very important, that are foundational 
to persistent engagement.
    First of all is the idea of enabling. How do we enable our 
partners? That partner could be Department of Homeland 
Security, the Federal Bureau of Investigation. It could be 
another service. It could be another member of our interagency. 
It could be an allied partner.
    A big portion of what we do in persistent engagement, as 
Assistant Secretary of Defense Rapuano said, is providing 
information or intelligence. If I might give you an example. 
During the security of the midterm elections, U.S. Cyber 
Command, working in partnership with the National Security 
Agency, provided indicators of compromise to the Federal Bureau 
of Investigation and the Department of Homeland Security. That 
is an example of enablement.
    The other foundational concept of persistent engagement is 
to act. Just as the Secretary mentioned, act is everything from 
understanding what our adversaries are doing within their 
networks; providing early warning; ensuring that we understand 
the malware, the infrastructure, the other capabilities that an 
adversary might be accumulating to perhaps conduct an action 
against the United States.
    But it is also the idea of sending teams forward. So we 
sent defensive teams forward in November to three different 
European countries. That is acting outside of our borders that 
impose cost against our adversaries.
    Those are the two fundamental components of persistent 
engagement: enabling and acting.
    Ms. Stefanik. My final question is for you, General 
Nakasone. You have been given flexible acquisition authorities 
that, frankly, the command has yet to fully use or mature into. 
So my question is to figure out if this unique acquisition 
authority for your command is even still needed, certainly 
since over the years we have worked to give the services more 
flexible acquisition authorities.
    Can you provide this committee with an update on why you 
think you need this unique acquisition authority and what the 
current state of implementation is? And then specifically, how 
would you define cyber-peculiar acquisitions, as it is called 
in the law?
    General Nakasone. If I might start with the question of a 
quick status update.
    So this year, in fiscal year 2019, I believe the amount was 
$75 million for acquisition. And we have executed right now 
about $44 million of that. We would anticipate by the end of 
the fiscal year to execute about $60 million to $65 million. 
That is not $75 million, and I obviously accept the fact that 
we are short of that.
    But what did we invest it in? And I think it is important 
that we outline this. One, we invested it in tools, significant 
tools for how we operate with our teams. Secondly, big data 
analysis. Thirdly, an opportunity for our developers to operate 
off-site at a facility to look at new networks, new 
capabilities, new infrastructures. It was done rapidly. It was 
done, I think, obviously, very effectively and certainly within 
the law.
    We are not to the point yet where I am satisfied with 
regards to operating at the amount that has been authorized for 
us, but we will get there. And I think the important piece is, 
when I think of why it is so important to us, our adversaries 
are rapidly changing. And we see that every single day as we 
operate against them. The authorities that you have granted our 
command to be able to do this is a first start for us to be 
able to operate at their speed.
    The last thing I would say is, we have 10 openings that, 
you know, are foundational for what we do for that acquisition 
authority. We have filled six of them. We will fill the final 
four by the end of the year, and I think this will be extremely 
helpful for us to be able to execute the moneys.
    Thank you.
    Ms. Stefanik. And just to follow up, how do you define 
cyber-peculiar? Because that is how it is written.
    General Nakasone. So if I might take that for the record, 
Ranking Member, just to make sure that I have that fully 
accurate.
    [The information referred to can be found in the Appendix 
on page 69.]
    Ms. Stefanik. Thank you. I yield back.
    Mr. Langevin. I thank the ranking member.
    Mr. Brown is now recognized for 5 minutes.
    Mr. Brown. Thank you, Mr. Chairman.
    In the most recently enacted Defense Authorization Act, we, 
the Congress, directed the Department to study the feasibility 
and advisability of the establishment of Reserve Component 
cyber civil support teams to be assigned to each State due to 
the lapse in appropriation associated with the 35-day recent 
government shutdown. The Department did request an extension to 
submitting that report to Congress.
    Can you give us a status, and not just, you know, when you 
anticipate to submit that to Congress, but give us a little 
flavor on, you know, what kind of either conclusions, findings, 
or recommendations might be in that report?
    Secretary Rapuano. Certainly, Congressman.
    The Department traditionally has not assigned unique 
specialty areas to the National Guard, like cyber, but we have 
been exploring whether and where--really where the National 
Guard can best support DOD missions, specifically things like 
defense critical infrastructure, infrastructure for which we 
are dependent on for power projection as well as weapons 
systems.
    The defense industrial base is another area that is 
critical to us, and we are at risk, as I noted in my statement, 
of losing our asymmetric superiority to others who are stealing 
our technology.
    So those are areas that we are very focused on and believe 
there is a potential role for the National Guard. And we 
actually have a cyber mission assurance team that is looking at 
the potential role there.
    In response to your question about the 2019 NDAA 1653 
tasker, we have a report that is in drafting process right now. 
We will get it to you all by the end of April. I really can't 
go into details on it, but it is really looking about the trade 
space and the return on investment from a total force 
perspective and how and where those roles would be most 
consistent with the other priorities of the Department.
    Mr. Brown. Thank you.
    Question regarding the cyber workforce. Everyone is 
competing for a limited pool of highly skilled and highly 
talented, technically trained personnel. What thoughts do you 
have about the role of AI [artificial intelligence] in reducing 
the demand signal for a cyber workforce?
    Secretary Rapuano. Well, we are looking at all the tools 
available out there, you know, in terms of where do we need to 
buy either tools or capabilities, where do we need to hire 
people for that human potential component of it. It is well-
recognized that hiring in the cyber field is very challenging 
just based on the very high demand signal, so we have a number 
of programs; CES [Cyber Excepted Service] is prime amongst them 
in terms of a new tool.
    AI we are looking at very hard in terms of where we can 
leverage AI and other advanced capabilities, analytic 
capabilities to perform some of those activities.
    I might turn it over to General Nakasone. I know his team 
looks at this very closely too.
    General Nakasone. So, Congressman, I think that AI and 
machine learning certainly has a place as we take a look at 
some of the activities that we do day in and day out within our 
force.
    But I would offer, the people that make AI go, the people 
that ensure that our algorithms are right for machine learning, 
they are the folks that I am most focused on. Because I would 
call them--they are the 10X or the 20X folks that do their 
mission 10 times or 20 times better than anyone else. That is 
the competition that we are in today.
    So I would just offer--I give great kudos to the services 
for recruiting a great base of folks, and that is both military 
and civilian. I think we do a good job of training them; it is 
getting better. The hard part and the one that we work at every 
single day is the retention part. That is the one that is most 
impactful for us.
    Mr. Brown. And you mentioned the CES, Cyber Excepted 
Service. Can you tell us a little bit about your experience 
with that? And is it working? Is it effective? Tell us about 
that.
    General Nakasone. Cyber Excepted Service, which just came 
on board roughly over the past year, we at U.S. Cyber Command 
were the first phase of that.
    I can give you the metrics of now we are looking at a drop 
of 60 percent with regards to the hiring capabilities and the 
timeline to hire someone. So we have metrics that show us 111 
days before CES. Now it is at about 44 days.
    We have done over 21 different fairs. We have interviewed 
over 2,700 people. We have, you know, provided over 90 
acceptances for job applications.
    My perspective, early phase, I am a supporter of it, and I 
look forward to continuing to utilize it.
    Mr. Brown. Great. And I hope the University of Maryland at 
College Park is giving you a talent pool to work with.
    I yield back, Mr. Chairman.
    Mr. Langevin. Thank you, Mr. Brown.
    You know, on the topic of the workforce and training, we 
recently had testimony in reference to the Cyber Excepted 
Service as a whole, and it is underresourced at this time. And 
I think it is important for it to have full support and full 
resourcing.
    Can you comment on that, Secretary?
    Secretary Rapuano. Yes, I can. I share your concern, Mr. 
Chairman. I have engaged with Dana Deasy, our CIO [Chief 
Information Officer], as well as the Under Secretary for 
Personnel and Readiness. This is a priority. The challenge with 
the Department is we have a lot of priorities, but everyone 
acknowledges there is no higher priority than this.
    So we are looking at additional resources that we can get. 
We have already put essentially two more people onto it, 
because we had a couple of them taken for another priority 
group, and that has been addressed. But we need to supplement 
them going forward, and we believe we have a path to resources 
to do that in a relatively near term.
    Mr. Langevin. Okay. Thank you. I think that has to be a 
high priority, and certainly more support for the Cyber 
Excepted Service is going to have the support of this 
subcommittee and the committee as a whole.
    Secretary Rapuano. Thank you. It very much is.
    Mr. Langevin. Thank you.
    Mr. Waltz is now recognized for 5 minutes.
    Mr. Waltz. Thank you, Mr. Chairman.
    I am also interested, very interested, with my colleague 
Mr. Brown in the Guard and Reserve and the role that they can 
play, and I would be very interested in seeing that report. I 
have had the same conversations with General Kadavy, the head 
of the Army Guard. I mean, it seemed, you know, that the 
challenge is with recruiting, the challenge is with keeping up 
with the civilian sector and the pace of technology and who 
bridges those two worlds.
    One of the questions I have asked him is, when you are 
recruiting your cyber force into the Guard and Reserve, are you 
taking, you know, the civilian occupation into account? Are we 
recruiting people who are truck drivers during the day and then 
into the cyber force, or people who are actually in the IT 
sector in Silicon Valley, in that space, so that you can 
leverage those two and build upon those two?
    And it is not clear to me. I would be interested if the 
report addresses that, if that is taken into account in the 
recruiting on the front end, particularly for the Guard so that 
you can build those going forward.
    Do you have any additional comments on where that is going?
    So, I mean, just to be candid, talking to the Guard about 
counting tanks, counting aircraft, parity in fielding, that is 
important. They need to be interoperable with the force. But 
where they can uniquely, you know, take this leading role--and 
leveraging those civilian sector skills, I think, is something 
we should take a hard look at.
    Secretary Rapuano. Yes. While I cannot speak to the details 
of how the National Guard right now is conducting their 
recruiting, I am familiar enough with their process to know 
that they do look at what are those specialty areas that the 
individual is being recruited for and what skills do they bring 
in addition to the basic elements of education.
    Mr. Waltz. Okay.
    Secretary Rapuano. So that is something. And then, again, 
it will be based on how the specialties develop and evolve and 
potentially expand.
    Mr. Waltz. Thank you. I am eager to see the report.
    General Nakasone, can you just talk to me about plans or 
what is in place or what is coming down the pipe to just kind 
of share and collaborate cyber threats ostensibly at network 
speed, ostensibly at cloud scale with the top U.S. companies, 
with industry, I mean, so we can leverage the full resources of 
the U.S. Government and respond to our critical infrastructure?
    Have we thought about--or is there--and forgive my 
ignorance, if there is a cybersecurity cooperative agreement 
with industry to detect, respond, mitigate cyber threats? I 
know DHS has theirs, but I keep hearing consistently, frankly, 
that it is not being utilized to its full extent and, frankly, 
not useful to industry. I didn't know the relationship with 
your command and industry.
    General Nakasone. Congressman, we have been working closely 
within the Department on an initiative called the Pathfinder 
program. The Pathfinder program--and this is an outgrowth from 
the Secretary of Defense and the Secretary of Homeland 
Security's memorandum of agreement to work together to look at 
joint ways that we can address the critical infrastructure 
sectors.
    As you are aware, 17 different critical infrastructure 
sectors. We have started with the first one to look at, working 
very, very closely with the financial industry, working closely 
with the Department of Treasury, and the Department of Homeland 
Security, how do we share data, how do we share it rapidly. One 
of the things that we have done over the past several months is 
had four different means of sharing data.
    But it is more than just sharing data, because we are not 
going to get out of this issue with just sharing. It is also 
our technical experts talking to their technical experts, 
talking to the Department of Homeland Security.
    It shows great promise. And as they move on from the 
financial industry, I think that energy and other industries 
right behind it will be the beneficiaries of this.
    Mr. Waltz. Along those lines, how are the delays in moving 
and DOD moving into the cloud architecture, how is that 
affecting your warfighting mission?
    General Nakasone. So it hasn't affected my warfighting 
mission. I would offer that our ability to share right now is 
at a level that certainly is able for me to accomplish what I 
need to be able to do.
    I think, to your point, though, how do we increase our 
lethality in the future as a force, I think this is one of the 
areas that we are working towards. As the Department moves to 
its investment in the cloud experience, this is one of the 
things we are working very, very closely with the Department, 
NSA, and Cyber Command to ensure that we are well-postured for 
it.
    Mr. Waltz. Thank you. Then a final question, just in the 
interest of time, and maybe we will take this for the closed 
session, but I would be very interested.
    Data is the new gold, new oil, whatever you want to call 
it, the coin of the realm. And back to your issue of 
collaborating, particularly with sensitive data, with an eye 
towards AI and 5G, because we can't really get to one without 
the other.
    But I will yield my time and look forward to the closed 
session. Thank you.
    Mr. Langevin. Thank you, Mr. Waltz.
    Mr. Kim is now recognized for 5 minutes.
    Mr. Kim. Thank you, Chairman.
    Thank you so much for coming and speaking with us today.
    I actually just wanted to take a step back for a second 
here and just get some of your thoughts and advice here.
    The issue of cyber threats is pervasive in my district. It 
is something that people worry about constantly, especially 
given the news and given all the talks about Russia and China. 
And I will tell you that these concerns are ones that I hear at 
town halls, and they come up in a lot of different meetings. I 
think there is a lot of confusion about what it is that we are 
doing and what the capabilities are on the other side.
    So I would start this by urging the two of you to think 
about ways that we can invest in lifting up some of that veil, 
making sure that--I understand the difficulties and the 
sensitivities of the work you are doing. But as a new command, 
I think it is important for the American people to understand 
what it is that you are working towards, what it is that we are 
trying to do, and what it is that we are trying to defend 
against.
    Because this is a different type of threat than the 
American people in my district, in Burlington County and Ocean 
County, to understand compared to conventional, traditional.
    With that, I want you to just imagine yourself with me in 
my district at a town hall when I get these questions. I would 
like to hear from you what you would say in response to someone 
who is saying, are we getting outgunned by China and Russia? 
Where are our capabilities and our personnel and our resources 
compared to these near-peers?
    When we are talking and looking at our cyber budget, how 
does that stack up with how our competitors are spending and 
moving forward in this? How would you respond to someone in 
that way without having to get into the classified material?
    Secretary Rapuano. I will start, and then I can hand it 
over to General Nakasone.
    I think when you look at the United States and you look at 
it, certainly, from a Department of Defense perspective, we 
operate around the world. We have to have systems that can 
communicate and engage around the world. So that presents a lot 
of surface for adversaries in terms of who are looking to 
target us.
    We have an open system in terms of the internet. You may 
have heard that China has the Great Firewall of China. So we 
prize free communication of information. So an open internet is 
something that is consistent with the way that we have operated 
in the world from early on, and we would like to maintain that.
    So it is not an apple-for-apple in terms of our 
vulnerabilities and adversary vulnerabilities is something that 
I would offer.
    We have just increased, as you know from the budget, the 
budget for cyber, $9.6 billion and 10 percent increase over 
last year. So that is in recognition of the importance of this 
area, the evolution of the threat, which we see. We believe 
that we are developing the critical capabilities necessary to 
address the threat, but, as you know, it is a very complex and 
diverse threat. So walking through each of those areas can take 
a little bit of effort.
    But I would just say that I think that, with the advent of 
this strategy and authorities from a national defense 
perspective, we have made tremendous progress. We are making 
the necessary investment to keep up with the threat and be able 
to prevail, if necessary, in all warfighting domains, including 
cyber.
    General Nakasone.
    General Nakasone. Congressman, I think I would begin, if I 
had an opportunity to speak at your town hall, by saying the 
National Security Strategy identifies our threats very well. We 
talk about, you know, strategic and great power competition in 
the realm of both China and Russia. They are near-peer 
competitors. They have been able over the past 17 to 20 years 
to shrink the gap.
    And then there are rogue nation-states, such as Iran and 
North Korea, that continue to conduct malfeasance in the 
domain.
    But with that being said, there is still a gap between 
those actors and ourselves. And while I obviously hear a number 
of the different challenges that we have, I would also offer to 
your town hall that there are some strengths that are 
endemically part of the United States.
    First of all, partnerships. We have a series of 
partnerships--partnerships with other allied countries, 
partnerships with academia, partnerships with industry--that I 
think are second to none.
    Secondly, innovation. When we think about innovation, where 
do we think about? We think about Silicon Valley. We think 
about Austin. We think about Boston. We think about sectors 
within the United States. That is very, very important because 
we are in, obviously, a domain that is rapidly changing.
    The other piece I would say is we are well-resourced. Thank 
you very much for, obviously, the resourcing that you have done 
for our efforts over this budget. I think that is tremendously 
powerful for us.
    And the last thing is that we are also a country--and I 
would say, certainly within the Department of Defense, that we 
learn our lessons. And so we have learned our lessons. And I 
think that over the past several months we have been able to, 
obviously, apply those lessons in a manner that has addressed 
some of the actions of our adversaries.
    Mr. Kim. Well, I look forward to working with all of you on 
how it is we can better explain this to the American people. 
Thank you.
    I will yield back.
    Mr. Langevin. Thank you, Mr. Kim.
    Before we go to Mr. Bacon, Mr. Secretary, you mentioned the 
$9.6 billion cyber budget request. And can you tell me what 
does the $9.6 cyber budget encompass? Is it IT as well as 
military cyber operations? And what is the totality of the 
budget for CMF and operations?
    Secretary Rapuano. So I will leave CMF to General Nakasone, 
but just in terms of the broad brush of the budget, it really 
starts with cybersecurity. So that is both hardware and 
software. We have to reduce the risk to DOD information 
systems.
    Then it really gets to cyber operations. General Nakasone 
mentioned the tools, the training, all of the elements 
necessary for us to conduct cyber operations effectively.
    And the third is the R&D [research and development] across 
all of these areas that we must continue to support so we can 
out-innovate our adversaries.
    Mr. Langevin. So give me, the committee, just kind of an 
understanding between those three categories, which--the 
various--the percentages, if you will, what is going to----
    Secretary Rapuano. Well, I mean, I think General Nakasone 
has more details on the splits.
    General Nakasone. Within that, Chairman, of the $9.6 
billion, $532 million to the headquarters of U.S. Cyber 
Command. That is roughly 6 percent of the budget. And then $1.9 
billion for a build an infrastructure. That is infrastructure 
across all of our four different locations that we have our 
teams. That will be--roughly 87 percent of that will go to the 
services, and the rest, about $200 million of that will stay 
within U.S. Cyber Command.
    Mr. Langevin. All right. That is helpful. Thank you.
    Mr. Bacon, you are now recognized for 5 minutes.
    Mr. Bacon. Thank you, Mr. Chairman.
    And appreciate both of you being here and appreciate your 
leadership on cyber.
    A couple questions for General Nakasone.
    I read that you were recommending the NSA and Cyber split 
sometime in 2020. Is that indeed your position?
    General Nakasone. Congressman, I had seen the article that 
was written. That is not accurate.
    And last year about this time, during my confirmation 
testimony, I had indicated I would do a 90-day assessment. I 
did that assessment, provided it to the Secretary of Defense 
and the Chairman. The assessment is classified, so we can talk 
about it later in closed session.
    But, again, to your point, that was not accurate. And, 
again, the final decision, obviously, rests with----
    Mr. Bacon. Right.
    General Nakasone [continuing]. Not with me, so----
    Mr. Bacon. But maybe is it fair enough to say that you 
now--you would say your position is to keep them together then, 
the two commands, under one four-star?
    General Nakasone. So again, I think on this topic, 
Congressman, it is much more accurate for me to be able to talk 
in closed session----
    Mr. Bacon. Okay.
    General Nakasone [continuing]. Just to bring out the facts.
    Mr. Bacon. Just my view on it, without probing for your 
position, I just don't see how you can have them separate. I 
have worked in this community a little bit, with my 30 years in 
the Air Force, and our cyber teams are a good mix of 
intelligence and cyber folks that will probe or defend.
    And it seems to me, from a cyber perspective, it is a 
symbiotic relationship with NSA. You can't do the two separate. 
I would be a little afraid, if you had two four-star generals, 
one in charge of the intelligence force and one in charge of 
the cyber portion, you could be pulling that team apart in two 
different directions.
    And so I have always been a proponent that you need a 
unified leadership under one four-star and have the two three-
stars guiding the two different ships.
    But it just doesn't make sense to me from my experience in 
there. So I hope, at least my view or at least my 
recommendation would lean towards how we have it. I think we 
have it right.
    How many cyber teams do we have?
    General Nakasone. We have 133, Congressman.
    Mr. Bacon. And is there a requirement for more, or is it 
about right?
    General Nakasone. So right now what we are doing is, 
through a series of both exercises and real world, looking at 
our force in total. My anticipation is after we have taken a 
thorough look at that we will make some recommendations. But 
right now 133 is what we have, and we are able to do our 
missions with them.
    Mr. Bacon. And all 133 are FOC, or fully operational?
    General Nakasone. Right. They are fully operational.
    Mr. Bacon. I have done exercises in the past in the Air 
Force, and we would do a full planning where you have your air 
targeting order or air tasking order and you build this whole 
plan, and then everybody leaves the room and cyber will come in 
and say, here are some other options.
    Are we doing a better job now integrating cyber into the 
COCOM [combatant command] planning, where it is really baked in 
from the start, not an add-on after the fact?
    General Nakasone. While I hate to speak for my fellow COCOM 
commanders, I would say yes.
    Mr. Bacon. I hope so.
    General Nakasone. A couple things that have enabled us: 
first of all, the ability to put cyber operational integrated 
planning elements--those are planning elements that are well-
versed in cyber--at each of the combatant commands. That has 
helped.
    Secondly, that we have had a lot of operational experience 
in places like Afghanistan, Iraq, other places around the world 
where we have been able to do this. And even with the midterm 
elections, working with U.S. European Command, General 
Scaparrotti and myself, learned a tremendous amount of lessons 
in the way we need to do this.
    Mr. Bacon. Well, I am glad to hear that. I am glad we are 
evolving to where it is baked in from the beginning. Because I 
have been there where you do all your combat planning or this 
or that in space, and then everybody leaves, and it's like, 
okay, now what do I do with cyber? It should be integrated in 
from the beginning.
    One last question. You know, there is a lot of convergence 
between cyber and electronic warfare [EW]. How much do you 
think cyber should be involved with electronic warfare? Is that 
a totally separate science, from your perspective?
    General Nakasone. So from my perspective, having worked 
this both as the Army service commander and now as the 
commander of U.S. Cyber Command, these are non-kinetic 
capabilities. And being able to synchronize non-kinetic 
capabilities, whether or not it is EW or cyber or information 
operations, bringing that closer together provides tremendous 
amount of capability for our commanders. And so that is why 
that close working relationship, I think, is very important.
    Mr. Bacon. So you would say the cyber role with EW would be 
more of a planning--to use an EW weapon versus a cyber weapon, 
but Cyber Command within itself would not have the EW weapons 
system. Do I have that right?
    General Nakasone. Yeah, so how we organize it, I think that 
is still to be determined. But in terms of the planning 
capability and synchronizing that, I definitely see that this 
is one where we would provide a synchronized look and say, hey, 
this is an opportunity for our combat commanders to leverage.
    Mr. Bacon. And from my background, the NSA has a great team 
working on the EW side, or at least on the ELINT [electronic 
intelligence], and we couldn't do it without you.
    Sir, with that, I will yield back, Mr. Chairman.
    General Nakasone. So, Congressman, I would just offer that 
I agree with that.
    Mr. Bacon. Okay. Good. You get to take praise both ways.
    General Nakasone. It goes both ways.
    Mr. Langevin. On the EW issue, General, let me ask this. I 
know that after--I think it was Secretary Ash Carter that stood 
up the EW EXCOM [Electronic Warfare Executive Committee]. And 
what interaction do you all have with that body as they avail 
you with our EW capability? Do either one want to comment on 
that?
    General Nakasone. So I am not familiar with the EW EXCOM. 
That may have been renamed. There is a working body right now 
that discusses electronic warfare at the Vice Chairman level 
with the Deputy Secretary that normally we have, but I think it 
is the same purpose, and, again, the idea of how do we bring 
this together in a more compactful manner.
    Mr. Langevin. Okay. Thank you. Thank you.
    And on Mr. Bacon's comment on the splitting of dual hats--
see, bipartisanship isn't dead--I think you and I are 
definitely in sync on that one. So thanks for your comments on 
that.
    Ms. Houlahan is recognized for 5 minutes.
    Ms. Houlahan. Thank you, Chairman.
    And thank you very much for your testimony today, 
gentlemen.
    And, General, thank you for allowing us all to come as 
freshmen and tour your amazingly powerful facility.
    My questions, I have two, a fairly unrelated one. The first 
one is to General Nakasone.
    The President's budget does call for a pretty big 
investment in developing what he is terming a Space Force. 
Obviously, the space domain is very important for cyber 
operations.
    And I was hoping--and this relates, I think, to 
Representative Bacon's comments and questioning--if you could 
talk a little bit about the relationship between CYBERCOM and 
the Air Force currently as it relates to the space domain and 
satellites in particular.
    And help me assess whether or not the creation of a Space 
Force would either complicate CYBERCOM's work, help CYBERCOM's 
work, be redundant to CYBERCOM's work. How do you see that 
unfolding?
    General Nakasone. So we have worked very closely with the 
Air Force on the development of our cyber capabilities, to the 
first part of your question. In fact, roughly 39 of our 133 
teams are from the U.S. Air Force. So we have a very strong 
working relationship with the Air Force and a very, very good 
joint force headquarters in Lackland Air Force Base in Texas 
that we have been reliant upon for many missions.
    In terms of space, we at U.S. Cyber Command are in close 
partnership with not only the Air Force but U.S. Space Command, 
working with General Raymond, in terms of how do we ensure a 
couple of things: first of all, the defense of his networks. So 
working between U.S. Cyber Command, the National Security 
Agency, USSPACECOM, how do we ensure the criticality of his 
communications?
    Secondly, what are the options for full-spectrum operations 
that we might be able to conduct from space that impact cyber? 
We are very, very excited about the possibility of the, you 
know, instantiation of U.S. Space Command. Being the newest kid 
on the block, I think that they would obviously provide, as the 
Department and the administration have indicated, a great 
capability.
    We see the importance of space every single day, not only 
for our intelligence gathering, but also for looking at 
possible options as we look at adversaries for the future.
    Ms. Houlahan. So do you have any reticence at all in terms 
of the interaction of what would be a new force? Or are you 
looking forward to that opportunity to integrate with something 
like that?
    General Nakasone. Really looking forward to integrating 
with it. I think they are a great capability. We see the 
importance of space, whether or not we are on the defensive 
side or the offensive side. And this is one of the areas that 
we think is going to create capability.
    Ms. Houlahan. Thank you so much for the answer to that 
question.
    My second one, fairly unrelated, has to do with memory 
chips and the fact that we only manufacture about 20 percent of 
the world's memory chips.
    And I am wondering if you could comment, either one of you, 
on whether or not you feel as though we need to have organic 
capability of doing that domestically, whether for defense or 
civilian purposes, and how you think we as a Congress might be 
helpful in helping that, if you, in fact, believe that we 
should be more independent in that area.
    Secretary Rapuano. I will just give a high level on that.
    We are very concerned about supply-chain security, 
particularly for sensitive systems or systems that may provide 
access to adversaries. So we are looking at the entire supply 
chain to understand where and what systems might be most 
vulnerable and how we can improve the surety associated with 
these chips and other elements.
    Ms. Houlahan. Sir, do you have any other----
    General Nakasone. Yeah. So I think that the Secretary has 
characterized it well, in terms of, one of the areas that we have 
to ensure--and this is the world in which we live, where they 
are being made today--is we have to have verification.
    And the way that we do that verification, whether or not it 
is appropriately written into our contracts or whether or not 
it is being conducted, you know, periodically to ensure the 
veracity of these chips and their assurance that they will be, 
obviously, effective in their doing is really important to us.
    Ms. Houlahan. Can you comment--I have another 49 seconds or 
so--on anything that we as a Congress can be doing to be 
helpful to begin the process of allowing us to be a little bit 
more independent in that area?
    Secretary Rapuano. Well, I would just say that we are 
working very closely with industry, as well as with the 
crosscutting teams associated with the assessment, the 
vulnerability assessment, to inform what the most effective 
approach is going to be to ensuring the surety of, first, 
national defense systems, but it expands more widely to that.
    So there are locations in the United States where secure 
chips are built, but it is not at the scale that would cover 
all the needs, if there are concerns of a range of systems that 
could be entry points. So I don't know that we are at the point 
right now, but we may be coming to that point going forward.
    Ms. Houlahan. Thank you very much, gentlemen.
    I yield back.
    Mr. Langevin. The Chair recognizes Mrs. Trahan.
    Mrs. Trahan. Thank you, Mr. Chairman.
    So recognizing that scaling is--I mean, that that is a 
challenge no matter what industry you are in, in terms of the 
Cyber Mission Force, the 4,400 people, 133 teams, can you just 
give us a sense of how this team needs to grow in the next 2 to 
3 years not just to meet the threat or catch up but, you know, 
to lead on cybersecurity?
    General Nakasone. Congresswoman, I think the piece I would 
offer is--so we have 133 teams on the Active side. The piece 
that we are focusing now is the growth on the Reserve and the 
National Guard side.
    So the Army is going to build 21 additional teams. They are 
defensive teams. They will be built, all of the National Guard 
teams done by 2022 and all of the Army Reserve teams done by 
2024. Twenty-one more teams is a tremendous amount of capacity 
that brings to us. I think it is the strategic depth that we as 
a Nation need.
    To your point, then, one of the areas that we are starting 
to think through is, how do we effectively use that new 
capacity that is going to come on board in the next couple 
years? That is what we are starting to assess now, to the point 
of, are there critical infrastructure partnerships that we 
should start forming now with the teams that are coming on? Are 
there other mission sets that make a lot of sense for this new 
capacity?
    So we are excited about that. The Army has moved out on 
that, and they are ahead of schedule in building those teams.
    Mrs. Trahan. Great.
    So you had mentioned, General Nakasone, that the biggest 
challenge is retention. Can you comment on the challenges or, 
you know, the root cause of retaining our talent?
    General Nakasone. I think that if you think about the 
talent that I was describing, the people that really are, you 
know, 10 or 20 times better than their peers, the first 
challenge is that they are looking for great missions that they 
can work. And that is one of the things that we think we offer, 
many times. I mean, it is hard to imagine places that you could 
go to do the things that we do in our mission force at the 
National Security Agency.
    But that is only so far. And I think that the other piece 
of it is that we realize that there may be folks that want to 
come into the Army, whether or not it is as a military or 
civilian member, that only want to stay for 5 or 6 years. Not 
everyone is like yourself, in terms of staying 20 or 25 or 30, 
I guess now, years.
    Mrs. Trahan. I just got here. I just got here.
    General Nakasone. Myself, I should say.
    But that is a little bit of change in our thinking. And so 
we have to change, too, and say, if they are only going to be 
here 5 or 6 years, how do we effectively use them? Because 
those 5 or 6 years, they can be really, really impactful for 
the Nation.
    Mrs. Trahan. Sure. And, you know, optimizing around that, 
once you know what your churn rate is, I think is important.
    And so I guess my follow-on question--I came from business 
operations, so you will have to forgive me. But if retention is 
an issue and we know that folks are going to churn after 5 
years, is the Guard enough to fill the pipeline, given, you 
know, the cost of training and onboarding and, you know, the 
current churn rate or even your projected churn rate? Is that 
enough?
    And I guess where I am going--you can answer that question, 
but I will just give you my end question. Is there anything 
that Congress can be doing to address cybersecurity education, 
workforce development, those challenges with filling your 
pipeline beyond, you know, what we are thinking about today?
    General Nakasone. I think the last point that you made with 
regards to building a supply base is really important.
    So when we look to recruit, we are looking for, you know, a 
population that is science, technology, engineering, 
mathematics enabled. And so, as we think about this as a 
Nation, we think about it, obviously, in the Department of 
Defense as, how do we engender that type of support within our 
young people?
    I know at the National Security Agency we are working 
through a series of different camps that we sponsor from K-12. 
Last year, we touched 13,000 young people and 3,000 teachers, 
for a fairly small investment. That is the kind of, I guess, 
population that we are trying to develop so not only that the 
Department can recruit from but, obviously, our Nation can as 
well.
    Mrs. Trahan. Thank you.
    Did you have anything to comment, Mr. Secretary?
    Secretary Rapuano. I was just going to note that--and this 
is certainly embodied in Cyber Excepted Service, which we very 
much appreciate from Congress--but it is a soup-to-nuts in 
terms of, as General Nakasone mentioned, how and where do we 
best recruit? How do we develop an understanding amongst this 
talent pool about what we offer within the Department of 
Defense? And then it is, how do we ensure that they are getting 
professional development, horizontally and vertically?
    And, ultimately, as all very capable people who are driven, 
they want to understand and they want to have offered to them 
ability to advance. So how are we ensuring that we are doing 
that so we are able to keep the best and the brightest? We know 
that a number of them will rotate out, but we want to build a 
certain percentage that are going to stay over the longer term.
    Mrs. Trahan. Yep. I couldn't agree more. I mean, look, this 
is an enormous opportunity for our economy while also, you 
know, securing our country. So thinking through and co-
producing programs beyond K-12 to get people the credentials 
that they need to serve, I think, is a noble partnership on our 
behalf.
    Thank you. I yield back.
    Mr. Langevin. Thank you, Mrs. Trahan.
    I just wanted to mention, General Nakasone, you had 
mentioned the collaboration and synchronization with the Space 
Force. But now, obviously, that also could mean that you are 
going to be competing with their people, talent, and dollars 
for resources as well. So another challenge you are going to 
have to deal with.
    Ms. Slotkin is recognized for 5 minutes.
    Ms. Slotkin. Thank you. I apologize for being late. We had 
another subcommittee hearing right in the middle.
    My question actually goes back to something that 
Congressman Kim was talking about. I am a former Pentagon 
Assistant Secretary, and I cannot explain to people in public 
what we are doing to push back. And all of the people that come 
to my--you know, on cyberattacks. I am sorry. Let me finish my 
sentence.
    People will ask me, from the small township officials to 
the average person who has had their credit card data taken by 
a corporation, ``It feels like we are being smacked in the face 
every single day. You know, Elissa, you are from the Pentagon. 
What are we doing to actually fight back?''
    And it is concerning to me that I can't tell them--I don't 
want to tell them anything classified, but I want to be able to 
say, we are not just sitting down and taking it, and here are 
some things I can say in an unclassified basis.
    And then, secondly, just help me understand, you know, if 
you grow up in the defense world, you grew up with a model of 
deterrence, right? Conventionally, nuclear weapons. We need to 
maintain a strong deterrent. And I would love your help in 
understanding how we are doing that in the cyber realm. What 
are we doing to deter what feels like constant attacks on us in 
a way that, again, reassures me and others who are concerned 
that there is some price to pay for the constant barrage that 
we are receiving?
    Secretary Rapuano. I will take your second question and 
have General Nakasone take your first.
    Deterrence is really about denying benefits and imposing 
consequences on adversaries in a way that is predictable enough 
for them that it dissuades or deters them from continuing them.
    Historically, we have not done that in cyberspace. And that 
really is the paradigm shift that is really laid out in our 
strategy.
    The third component of that is strategic messaging. How do 
we ensure that we, in concert with allies and partners, the 
rest of the international community that also abhors this kind 
of malevolent cyber activities, how do we galvanize this, in 
some sense or sometimes silent majority, to really focus on 
those actors who are creating the most problems?
    So that is really what defending forward is all about. That 
is what persistent engagement at the combatant-command level is 
all about. It is the engagement, and it is about addressing the 
source of these threats.
    General Nakasone. Congresswoman, to your first point, I 
would turn back to, again, the recent elections, and what did 
we as a government do to ensure safe and secure elections. I 
think that, you know, the model of bringing together, whether 
or not it was the Department of Defense, the Federal Bureau of 
Investigation, Department of Justice, Department of Homeland 
Security, throughout the summer, very, very public appearances 
in terms of we are going to ensure a safe and secure election.
    So we did work very, very closely with the Department of 
Homeland Security to protect our election infrastructure. We 
did work very, very closely with the Federal Bureau of 
Investigation to stop influence operations from other non-
nation-states and nation-states from impacting our people. And 
we did, you know, obviously, conduct actions to ensure that any 
adversary that was attempting to interfere with our democratic 
processes, that we would address.
    That is different than what we had done in the past, as the 
Secretary had mentioned. And I think that that is a very, very 
good model of where we need to move forward. Because we have to 
make sure that obviously our adversaries and certainly the 
American people understand that this is something that is 
obviously worth defending.
    Ms. Slotkin. So just so I understand, you think that our 
response to attempts to meddle in our elections, that response 
provided some pain or put some pain on those who were trying to 
meddle, and therefore they won't do it again?
    General Nakasone. So I certainly can't assert they won't do 
it again. But they should certainly know, after what has 
occurred, that we are not going to stand back and be responsive 
in our approach, that we are going to defend, obviously, one of 
the most important things that we have in our Nation, which is 
our democratic processes.
    Ms. Slotkin. Thank you. I yield back.
    Mr. Langevin. Thank you for the line of questioning.
    And whether it is election operations or other things in 
the gray zone conflict, I think it is important that we meet 
them at every challenge. And I think we are going to see more 
and more of this conflict in the gray zone below the threshold 
of armed conflict. And I think we ignore those activities, I 
think, at our detriment.
    And so, you know, we have to run the board and confront 
them everywhere. Anytime that our enemies or adversaries do 
something that goes unanswered, I think it just emboldens them 
further, in my opinion. So I think that is all part of the 
whole concept that we have now undertaken of defending forward. 
It is confronting them when and where we have to meet them.
    Unless Mr. Cooper or Mr. Conaway have questions, we are 
going to now go to the closed session. So the committee stands 
in recess until the closed session begins.
    Thank you.
    [Whereupon, at 3:45 p.m., the subcommittee proceeded in 
closed session.]


      
=======================================================================

                            A P P E N D I X

                             March 13, 2019

=======================================================================

    
=======================================================================

              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             March 13, 2019

=======================================================================

      
      
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

      
=======================================================================

              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                             March 13, 2019

=======================================================================
      

             RESPONSE TO QUESTION SUBMITTED BY MS. STEFANIK

    General Nakasone. Section 807 of the FY 2016 NDAA does not 
specifically define cyber-peculiar. However, the 2016 DOD 
implementation plan submitted pursuant to Section 807 of the FY 2016 
NDAA provides ``cyber operations-peculiar (CO-peculiar)'' and ``cyber 
capability-peculiar'' equipment, capabilities and services as 
``Equipment, materiel, supplies, non-materiel solutions, and services 
required for select joint CO-peculiar requirements or established DOD 
Agency-provided service or product.'' In the Report on USCYBERCOM 
Acquisition Authority submitted pursuant to the Joint Explanatory 
Statement accompanying Section 1635 of the FY19 National Defense 
Authorization Act, dated Oct 2018, USCYBERCOM defined cyber-peculiar 
capabilities and services as: Any acquisition effort that supports or 
facilitates any of the three Cyberspace Missions as defined in Joint 
Pub 3-12; Offensive Cyber Operations, Defensive Cyber Operations, or 
Department of Defense Information Network operation. These three 
mission types comprehensively cover the activities of the cyberspace 
forces.   [See page 14.]

      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                             March 13, 2019

=======================================================================
      

                   QUESTIONS SUBMITTED BY MR. LARSEN

    Mr. Larsen. Given adversary exfiltration of sensitive data from the 
DIB: How can the Department of Defense work to promote cybersecurity 
within the DIB? What tools exist to require robust cybersecurity as 
part of the contracting process? How does the Department help the DIB 
detect and report cyber incidents? What potential consequences exist 
for a contractor that fails to practice robust cybersecurity?
    Secretary Rapuano. The Department of Defense (DOD) promotes 
cybersecurity within the defense industrial base (DIB) through two 
primary means: a voluntary information sharing program with DIB 
entities and through requirements directed by the Defense Federal 
Acquisition Regulation Supplement (DFARS).
      Voluntary Information Sharing: DOD's DIB Cybersecurity 
(CS) Program enhances and supplements DIB participants' capabilities to 
safeguard DOD information that resides on or transits DIB unclassified 
networks or information systems. Under the DIB CS Program, DOD and DIB 
participants share unclassified and classified cyber threat information 
to bolster public and private cybersecurity postures and receive 
technical assistance from the DOD Cyber Crime Center (DC3) including 
analyst-to-analyst exchanges, mitigation and remediation strategies, 
and best practices.
      Mandatory Reporting Requirements: DFARS 252.204-7012 
directs contractors to rapidly report cyber incidents to DOD when 
incidents are discovered that affect a covered contractor information 
system or the covered defense information residing therein, or that 
affects the contractor's ability to perform the requirements of the 
contract that are designated as operationally critical support. When 
contractors discover malicious software in connection with a reported 
cyber incident, that malicious software must be submitted to DC3.
      Minimum Cybersecurity Standards: DFARS 252.204-7012 
requires contractors to safeguard covered defense information that 
resides on a contractor's internal unclassified information system by 
implementing the security requirements in National Institute of 
Standards and Technology (NIST) Special Publication 800-171 
``Protecting Controlled Unclassified Information in Nonfederal 
Information Systems and Organizations.'' Contractors that fail to 
implement DFARS 252.204-7012 requirements when applicable to contract 
performance may be subject to contractual, administrative, and civil 
remedies by DOD.
