b"<html>\n<title> - FISCAL YEAR 2020 BUDGET REQUEST FOR U.S. CYBER COMMAND AND OPERATIONS IN CYBERSPACE</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                         [H.A.S.C. No. 116-14]\n\n                                HEARING\n\n                                   ON\n\n                   NATIONAL DEFENSE AUTHORIZATION ACT\n                        FOR FISCAL YEAR 2020\n\n                                  AND\n\n              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS\n\n                               BEFORE THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n                               __________\n\n       SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND\n                          CAPABILITIES HEARING\n\n                                   ON\n\n                    FISCAL YEAR 2020 BUDGET REQUEST\n                       FOR U.S. CYBER COMMAND AND\n                        OPERATIONS IN CYBERSPACE\n                               __________\n\n                              HEARING HELD\n                             MARCH 13, 2019\n                                     \n                  [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n                              ___________\n\n                    U.S. GOVERNMENT PUBLISHING OFFICE\n                    \n36-300                    WASHINGTON : 2019                                        \n  \n\n\n   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES\n\n               JAMES R. LANGEVIN, Rhode Island, Chairman\n\nRICK LARSEN, Washington              ELISE M. STEFANIK, New York\nJIM COOPER, Tennessee                SAM GRAVES, Missouri\nTULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana\nANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas\nRO KHANNA, California                AUSTIN SCOTT, Georgia\nWILLIAM R. KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee\nANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin\nCHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida\nJASON CROW, Colorado, Vice Chair     DON BACON, Nebraska\nELISSA SLOTKIN, Michigan             JIM BANKS, Indiana\nLORI TRAHAN, Massachusetts\n                Josh Stiefel, Professional Staff Member\n                Peter Villano, Professional Staff Member\n                         Caroline Kehrli, Clerk\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Chairman, Subcommittee on Intelligence and Emerging Threats and \n  Capabilities...................................................     1\nStefanik, Hon. Elise M., a Representative from New York, Ranking \n  Member, Subcommittee on Intelligence and Emerging Threats and \n  Capabilities...................................................     3\n\n                               WITNESSES\n\nNakasone, GEN Paul M., USA, Commander, U.S. Cyber Command, and \n  Director, National Security Agency.............................     8\nRapuano, Kenneth P., Assistant Secretary of Defense for Homeland \n  Defense and Global Security, and Principal Cyber Advisor, U.S. \n  Department of Defense..........................................     6\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Langevin, Hon. James R.......................................    33\n    Nakasone, GEN Paul M.........................................    50\n    Rapuano, Kenneth P...........................................    36\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    Ms. Stefanik.................................................    69\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Larsen...................................................    73\n\n\n \n                FISCAL YEAR 2020 BUDGET REQUEST\n                   FOR U.S. CYBER COMMAND AND\n                    OPERATIONS IN CYBERSPACE\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n     Subcommittee on Intelligence and Emerging Threats and \n                                              Capabilities,\n                         Washington, DC, Wednesday, March 13, 2019.\n    The subcommittee met, pursuant to call, at 2:19 p.m., in \nroom 2118, Rayburn House Office Building, Hon. James R. \nLangevin (chairman of the subcommittee) presiding.\n\n OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE \n FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND \n               EMERGING THREATS AND CAPABILITIES\n\n    Mr. Langevin. The subcommittee will come to order.\n    I want to welcome everyone to today's hearing on the fiscal \nyear 2020 budget request for the military operations in \ncyberspace. I was unavoidably detained, so I apologize to \neveryone for making you wait, but I am glad we could get this \nunderway.\n    Technology and the internet have fundamentally changed how \ncitizens, the Nation, the military, and our adversaries in the \nworld operate. We have more access to information and lower \nbarriers to conduct commerce. We collectively benefit from the \nopportunities afforded by the technology that we incorporate \ninto our lives. However, the connections that we rely on also \ncreate vulnerabilities and new potential avenues for our \nadversaries to exploit at our Nation's expense.\n    Cyber, as we understand it in government, will always be \nsomething that creates risk to go along with its great promise. \nThe issues that stem from our increasing dependence on \ntechnology will never be purely military or solely for the \nmilitary to solve. Technology has increased the \ninterconnectedness of our society, and the problems that have \ncome with it will only be solved with interconnected, \ninterdisciplinary approaches.\n    The Department [of Defense] will have to work in new ways \nwith stakeholders from agencies as varied as the Department of \nCommerce and the Department of Education and with \nnongovernmental stakeholders such as private industry and \nacademia.\n    The executive branch will have to work diligently to \naddress and solve the cyber challenges facing the Nation. Yet \nthis administration has taken actions that call into question \nthe seriousness with which it views this emerging domain. Most \nnotably, the administration eliminated the cybersecurity \ncoordinator position at the National Security Council.\n    Relatedly, there are several documents pertaining to cyber \nthat Congress has repeatedly requested from the administration \nand has yet to receive. This includes recent guidance \npertaining to operations in cyberspace. Such documents are \nimportant to creating a congressional framework for oversight. \nWithholding these critical documents from Congress impacts our \nability to appropriately support the command and may have far-\nreaching consequences for the National Defense Authorization \nAct.\n    At the Cabinet level, the Department of Defense, the U.S. \nCyber Command have no shortage of challenges in front of them, \nissues that often develop and change as fast as the \ntechnological landscape. Today we will hear about some of those \nchallenges, including personnel recruitment and retention as \nwell as efforts to protect critical infrastructure in tandem \nwith domestically oriented departments and agencies.\n    The Cyber Mission Force achieved full operational \ncapability [FOC] last year. This was a notable event, but it \nwould be a mistake to assume that FOC is synonymous with \nreadiness. We must begin to examine the differing standards by \nwhich the services are training the teams and whether CYBERCOM \n[U.S. Cyber Command] is adequately fulfilling its mandate to \nset training standards and ensure compliance.\n    Readiness is especially important in the context of the \ncurrent strategic landscape, which has evolved significantly \nover the last year. In the fall, the DOD [Department of \nDefense] released a new cyber strategy that articulated the \nintent to defend forward and operate across the full spectrum \nof conflict through persistent engagement.\n    DOD also completed the inaugural Cyber Posture Review. \nUnder the auspices of new guidance from the administration and \nthe new DOD strategy, CYBERCOM played a crucial role in \ndefending the 2018 elections from interference.\n    The military's actions in cyberspace were also enabled by \nmultiple provisions in the fiscal year 2019 National Defense \nAuthorization Act [NDAA]. This includes the provision to \nrecognize the activities conducted in cyberspace as traditional \nmilitary activities.\n    The fiscal year 2019 NDAA also allowed the National Command \nAuthority to take direct and proportional action in cyberspace \nagainst Russia, China, North Korea, and Iran upon determination \nof a cyberattack against the homeland or U.S. citizens.\n    Congress and this subcommittee will continue to support \nmilitary operations and provide the legal authority to enable \nCYBERCOM success against adversaries in cyberspace. However, we \nwill also remain judicious in our oversight responsibilities to \nensure that the Department operates in a manner that enhances \nstability in cyberspace and that is consistent with both \ncongressional intent and American values.\n    So I commend CYBERCOM for its efforts during the 2018 \nelections. However, as a Nation, we can never rest on our \nlaurels. We need to examine the strategic impacts that CYBERCOM \noperations and other whole-of-government efforts had on an \nactor seeking to interfere in our elections. Much like the \ntraditional battlefield, we must measure the impact of our \noperations to assess our warfighting effectiveness toward the \nlarger objectives and ensure that our strategic vision reflects \nthe realities of our engagement in cyberspace.\n    CYBERCOM's ability to execute its operations is closely \ntied to and enabled by its partnership with the National \nSecurity Agency [NSA]. These organizations will always have a \nrobust partnership given the dynamism of cyberspace and NSA's \ndeep expertise and enabling role in military cyberspace \noperations.\n    At this time, there is still one individual that leads both \nof these organizations. This arrangement is quite unique within \nthe national security establishment and the intelligence \ncommunity. However, this arrangement allows for the CMF [Cyber \nMission Force] to mature, enables better synchronization of \ncyberspace operations, and permits proper consideration of the \nintelligence and military objectives in the domain.\n    Before any significant changes are implemented in the dual-\nhat arrangement, this subcommittee expects a robust \nunderstanding of how and why it is necessary to split the \nleadership function of NSA Director and CYBERCOM commander. I \nbelieve it would be premature to split these organizations in \nthe immediate future.\n    CYBERCOM is a maturing organization, and I am proud of the \nwork that we have done on the subcommittee to support its \nmaturation. I have often said that we will never again see \nmodern warfare without a cyber component, so CYBERCOM's \ncontinued development will remain an urgent priority.\n    But it is therefore important that we build for the long \nterm with this sustainable, scalable approach to integrating \nCYBERCOM into DOD operations and into our whole-of-government \napproach to protecting our Nation's cyberspace. This is no \nsmall task, especially given the newness of this domain. But \nworking together with full transparency, I am confident that we \ncan head off any problems early and ensure that we reap the \nbenefits of a free, open, interoperable, and secure internet.\n    Before I close, I want to just introduce our two witnesses, \nwhich I will do in just a minute. But before I do that, I am \ngoing to turn it over to the ranking member for her comments.\n    [The prepared statement of Mr. Langevin can be found in the \nAppendix on page 33.]\n\nSTATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW \nYORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING \n                    THREATS AND CAPABILITIES\n\n    Ms. Stefanik. Thank you, Chairman Langevin. Welcome to our \nwitnesses. Secretary Rapuano, welcome back to the committee. \nAnd General Nakasone, welcome to your first posture hearing \nsince assuming command in May of last year.\n    It is fitting that we begin our fiscal year 2020 posture \nhearing series with cyber policy and U.S. Cyber Command, given \nthe importance of this topic to our overall national security \nand, indeed, our society as a whole.\n    The Director of National Intelligence [DNI] in his most \nrecent Worldwide Threat Assessment stated, quote, ``At present, \nChina and Russia pose the greatest espionage and cyber attack \nthreats, but we anticipate that all our adversaries and \nstrategic competitors will increasingly build and integrate \ncyber espionage, attack, and influence campaigns into their \nefforts to influence U.S. policies and advance their own \nnational security interests,'' end quote.\n    In our oversight role as a subcommittee, we have seen China \nand Russia aggressively leverage and integrate cyber \ninformation and communication technologies in a seamless way, \nwhile also utilizing top-down, government-driven agendas and \nstrategies. As I have said before, dictators have that \nadvantage, and their use of technologies and information is as \nmuch about exerting control over their own populations as it is \nconfronting free societies like ours.\n    Since our last Cyber Command posture hearing and over the \ncourse of the last year, a lot has happened. Given this, I \nconsider us to be at a major inflection point. We have seen \nCyber Command fully elevated as a functional combatant command, \nand the force has achieved full operational capability, or FOC.\n    Recent changes to Presidential cyber policies and \nstrategies, as well as authorities granted in the NDAA, have \nfocused the mission set, yielded impressive operational \nresults, and postured our Nation for strategic challenges \nahead. And while we have seen these successes, the DNI's recent \ntestimony reminds us that our adversaries are not giving us any \nroom to breathe.\n    Case in point: While many of our recent operational \nsuccesses have been related to securing our 2018 midterm \nelections, I can assure you that the adversarial influence \ncampaign for the 2020 elections is already underway.\n    Further, while most of our cyber forces are fully capable \non paper, they are not fully ready in practice. Standards and \ncapabilities have yet to be defined and understood across each \nof the services. Relationships and responsibilities are still \nbeing worked out between Cyber Command, regional combatant \ncommanders, and each of the services.\n    In short, we continue to mature, and the road ahead to true \ncyber readiness remains long. I am confident that our witnesses \nbefore us today fully understand these challenges and I look \nforward to our dialogue.\n    It is worth noting that our military cyber forces are only \nas good as the technology they depend on, and if we don't \nconcurrently modernize our information and communication \ntechnologies across the Department, we will continue along with \none hand tied behind our back.\n    And when I think about the promise of emerging and \nrevolutionary technologies such as artificial intelligence, 5G, \nhigh-performing computing, and even quantum computing, my \nenthusiasm is unfortunately dampened when I am reminded of our \nAchilles' heel that is the Department's outdated and vulnerable \nIT [information technology] infrastructure.\n    So in our conversation today and moving forward, as we \nbuild the National Defense Authorization Act for fiscal year \n2020, we must continually keep in mind that IT modernization, \ncybersecurity, and information assurance are primary \nprerequisites for the future of warfare, where information and \ndata are strategic resources to be fully protected, preserved, \nand enabled.\n    The Department can and must do better in this area. As \nbefore, I trust each of our witnesses here today understand \nthese challenges.\n    Lastly, I would be remiss if I didn't mention the \nimportance of congressional oversight of current operations, \nincluding cyber operations. Now, more than ever, it is critical \nthat the DOD communicates with this committee early and often \non all aspects of cyber operations and related intelligence \nactivities.\n    This will ensure that we, as your principal oversight \ncommittee, remain fully and currently informed so that we can \nresource you properly and provide relevant authorities that \nallow us to stay well ahead of our adversaries in cyberspace \nand information warfare.\n    I look forward to talking about that in our closed \nclassified session. We have a lot to talk about. So again, \nthank you, and I yield back to Chairman Langevin.\n    Mr. Langevin. I want to thank the ranking member.\n    I want to now welcome our witnesses here today, starting \nwith Mr. Kenneth Rapuano, who serves as both the Assistant \nSecretary of Defense for Homeland Defense and Global Security \nand as the Principal Cyber Advisor to the Secretary of Defense.\n    Prior to returning to government service, Mr. Rapuano \nworked for the federally funded research and development \ncorporations, focusing on issues related to homeland security, \ncounterterrorism, and countering weapons of mass destruction.\n    Mr. Rapuano served as the Deputy Homeland Security Advisor \nin the George W. Bush administration. He served 21 years in \nActive Duty and the Reserves as a Marine Corps infantry and \nintelligence officer, and we want to welcome Mr. Rapuano here \ntoday.\n    Also, General Paul Nakasone serves in three capacities \ncurrently: Commander of U.S. Cyber Command, Director of the \nNational Security Agency, and the Chief of the Central Security \nService.\n    Before his current role, he commanded U.S. Army Cyber \nCommand and has served as a career intelligence officer through \nhis 32 years in uniform. This is General Nakasone's first \nappearance before the subcommittee since assuming command of \nCYBERCOM.\n    General Nakasone, it is a pleasure to welcome you here \ntoday.\n    And I thank both of you for your service to the country and \nthank you again for being here today.\n    As a reminder, after this open session, we are going to \nmove into room 2216 for a closed, member-only session.\n    So with that, before opening statements, though, I do have \nto note that Secretary Rapuano's statement was delivered only \nthis morning. That is more than 40 hours past the committee \nrules deadline and only 6 hours before the start of this \nhearing. Getting the testimony that late does the subcommittee \na disservice, and really it does the Department a disservice.\n    I know that there are many hoops that you have to go \nthrough before the statement in the interagency is approved, \nbut that is way past the time that is acceptable, especially \ngiven the importance of today's topic and the subcommittee's \ncontinued interest in advancing our Nation's cyber \ncapabilities.\n    So although I am going to allow for the reading of the \nstatement today, in the future I expect full compliance with \nthe committee rules, as outlined by the staff and as outlined \nin your official invitation letters.\n    So with that, we will now hear from our witnesses and then \nwe are going to move to the question-and-answer period.\n    Secretary Rapuano, we will start with you.\n\nSTATEMENT OF KENNETH P. RAPUANO, ASSISTANT SECRETARY OF DEFENSE \n FOR HOMELAND DEFENSE AND GLOBAL SECURITY, AND PRINCIPAL CYBER \n                 ADVISOR, DEPARTMENT OF DEFENSE\n\n    Secretary Rapuano. Thank you, Chairman Langevin, Ranking \nMember Stefanik, and members of the committee. I am pleased to \nbe here with General Nakasone, Commander of U.S. Cyber Command, \nto report on the significant progress the Department of Defense \nhas made over the last year in regard to cyber strategy and \noperations.\n    Over the last year, the Department published a new, more \nproactive strategy for cyberspace and is moving forward with \nimplementation of that strategy, using the first-ever Cyber \nPosture Review and the elevation of U.S. Cyber Command.\n    Our new approach has been enabled by the issuance of new \nPresidential guidance on cyberspace authorities and \nlegislation. We leveraged all of these tools last year as we \nworked with our partners to ensure the security of the 2018 \nU.S. midterm elections.\n    The DOD Cyber Strategy makes clear that the ongoing \ncampaigns of malicious cyber activity conducted by states like \nChina and Russia are a strategic threat. Our competitors are \nconducting long-term, strategically focused campaigns in and \nthrough cyberspace that include stealing sensitive Department \nof Defense information to undermine our military advantages and \nplace our critical infrastructure at risk.\n    For this reason, DOD Cyber Strategy embraces a proactive \nand assertive approach during day-to-day competition to deter, \ndisrupt, and defeat these threats. Our systems must be cyber-\nhardened, resilient, and secure. We must defend national \ncritical infrastructure from attacks, a new area of emphasis \nfor the Department of Defense, and secure Department of Defense \ninformation wherever it resides.\n    This strategy prioritizes expanding cyber cooperation with \nour interagency, industry, and international partners to \nadvance our mutual interests. The Defense Cyber Strategy \nmandates that the Department of Defense cyberspace forces must \nbe defending forward, disrupting threats at the source before \nthey reach U.S. networks. The Department must routinely operate \nin non-U.S. networks in order to observe threats as they are \nforming and have the ability to disrupt them.\n    This is critical to increasing military readiness. We \ncannot be fully prepared to take effective action in a \npotential conflict unless we have already developed the tools, \naccesses, and experience through our actions day to day.\n    We have worked in partnership with Congress to ensure that \nthe authorities and policies currently in place governing \ncyberspace operations enable our strategic approach to \ncompeting and prevailing in this domain.\n    Several changes during 2018 have been particularly \nimpactful. This includes the President's approval of an updated \npolicy on U.S. cyber operations.\n    The 2019 NDAA affirms the President's authority to counter \nactive, systemic, and ongoing campaigns in cyberspace by our \nadversaries against the government and people of the United \nStates, as well as clarifies that certain cyber operations and \nactivities are traditional military activities. Thank you very \nmuch for your support.\n    We have also focused on how our cyber forces operate in the \nhomeland. For example, we are currently reissuing a memorandum \ndetailing how National Guard personnel can use certain DOD \ninformation, networks, software, and hardware for cyberspace op \n[operation] activities in State status.\n    We have also devoted focused attention during the last year \nto building and enhancing our relationships with other U.S. \nGovernment department and agencies, industry, and our allies \nand partners. Last year, the Department signed a joint \nmemorandum of understanding with the Department of Homeland \nSecurity detailing how our two departments can cooperate in \norder to secure and defend the homeland from cyber threats.\n    The theft of sensitive DOD information from our defense \nindustrial base [DIB] is something that puts our future \nmilitary technological advantage at risk. DOD is intensifying \nits efforts with industry and across the U.S. Government to \nimplement cybersecurity protections and to share cyber threat \ninformation with our DIB partners.\n    The Department continues to work to strengthen the capacity \nof our international allies and partners to increase DOD's \nability to leverage its partners' unique skills, resources, \ncapabilities, and perspectives to enhance our cybersecurity \nposture.\n    We advocate for our allies and partners to secure their \ntelecom networks and supply chains. We are also pressing our \nglobal partners to hold states that are acting irresponsibly in \ncyberspace accountable for their actions.\n    The Cyber Posture Review [CPR] identified gaps between \nwhere we are today and where we need to go to achieve our \nstrategic objectives and drove the development of actionable \nlines of effort that are guiding the work of our Principal \nCyber Advisor [PCA] team.\n    For example, the CPR made it clear that when it comes to \ncybersecurity we need to more effectively prioritize how we are \nspending money, allocating resources, and how we recruit and \nretain the most qualified people.\n    Our PCA team has also worked with the DOD Chief Information \nOfficer to identify the top 10 areas where we face the greatest \nrisk. We are currently working through pilot programs to \ncomplete and implement solutions for these challenges.\n    Another new Department initiative is the Protecting \nCritical Technology Task Force, established last year to \nintegrate and accelerate the disparate DOD technology \nprotection activities occurring across the Department and \ndevelop new, innovative solutions for currently unaddressed \nproblems.\n    In conclusion, our new strategy has provided us with a \nroadmap for achieving our objectives in cyberspace, which we \nare rapidly implementing. We have expanded authorities that \nenable our mission to defend forward, and we are doubling down \non collaborating with other departments and agencies, industry, \nand international partners and allies.\n    I look forward to working with you and our critical \nstakeholders to ensure that the United States military will \ncontinue to compete, deter, and win in cyberspace.\n    Thank you.\n    [The prepared statement of Secretary Rapuano can be found \nin the Appendix on page 36.]\n    Mr. Langevin. Thank you, Mr. Secretary.\n    General Nakasone, the floor is yours.\n\n STATEMENT OF GEN PAUL M. NAKASONE, USA, COMMANDER, U.S. CYBER \n        COMMAND, AND DIRECTOR, NATIONAL SECURITY AGENCY\n\n    General Nakasone. Chairman Langevin, Ranking Member \nStefanik, and distinguished members of the committee, thank you \nfor your enduring support and the opportunity to testify today \nabout the hardworking men and women of the United States Cyber \nCommand. I am honored to lead them. I am also honored to sit \nalongside Assistant Secretary of Defense Rapuano.\n    As the commander of U.S. Cyber Command, I am responsible \nfor conducting full-spectrum cyberspace operations supporting \nthree mission areas: defend the Nation against cyber threats, \ndefend the Department of Defense information networks, and \nenable our joint force commanders in pursuit of their mission \nobjectives.\n    In the cyber domain, we are in constant contact with our \nadversaries, who continue to increase in sophistication and \nremain a threat to our national security interests and economic \nwellbeing.\n    The National Security Strategy highlighted the return of \ngreat power competition. Beyond the near-peer competitors of \nChina and Russia, rogue regimes like Iran and North Korea \ncontinue to grow their capabilities. Using aggressive methods, \nadversaries have until recently acted with little concern for \nconsequences.\n    The DOD Cyber Strategy identifies the need to defend \nforward during day-to-day competition with our adversaries. \nThis strategy aims to maintain our superiority in cyberspace \nthrough protection of our critical infrastructure and networks. \nAt U.S. Cyber Command, we implement the DOD strategy by \nadopting an approach of persistent engagement, persistent \npresence, and persistent innovation.\n    This past year witnessed the elevation of U.S. Cyber \nCommand to combatant command status, the opening of our \nIntegrated Cyber Center, and our shift from building the force \nto the readiness of the force.\n    The defense of the 2018 midterm elections posed a \nsignificant strategic challenge to our Nation. Ensuring a safe \nand secure election was our number one priority and drove me to \nestablish a joint U.S. Cyber Command-National Security Agency \neffort called the Russia Small Group.\n    The Russia Small Group tested our new operational approach. \nWith direction from the President and the Secretary of Defense, \nthe Russia Small Group enabled partnerships and action across \nthe government to counter a strategic threat.\n    Our response demonstrated the value of a tight-knit \nrelationship between U.S. Cyber Command and the National \nSecurity Agency, bringing together intelligence, cyber \ncapabilities, interagency partnerships, and our willingness to \nact.\n    Through persistent engagement, we enabled critical \ninteragency partners to act with unparalleled coordination and \ncooperation. Through persistent presence, U.S. Cyber Command \nand NSA contested adversarial actions, improving early warning \nand threat identification in support of DHS [Department of \nHomeland Security] and the Federal Bureau of Investigation.\n    Beyond the interagency, we partnered and engaged with \nallies in public and private sectors to build resiliency. For \nthe first time, we sent our cyber warriors abroad to secure \nnetworks outside of the DOD Information Network. Our operations \nallowed us to identify and counter threats as they emerged to \nsecure our own elections and prevent similar threats \ninterfering in those of our partners and allies.\n    The Russia Small Group effort demonstrated that persistent \nengagement, persistent presence, and persistent innovation \nenables success. Effective cyber defense requires a whole-of-\nnation effort. Our actions are impacting our adversaries. Our \nshift in approach allows us to sustain key competitive \nadvantages while increasing our cyber capabilities.\n    As we review lessons learned from securing the 2018 midterm \nelections, we are now focused on potential threats we could \nface in 2020.\n    Looking forward, we need to continue to build a warrior \nethos, similar to other warfighting domains. Cyber warriors are \nand will continue to be in constant contact with our \nadversaries. There are no operational pauses or sanctuaries. We \nmust ensure sufficient capacity and capability, people, \ntechnology, and infrastructure, which we are decisively focused \non now.\n    Through persistent presence, we are building a team of \npartners that enable us and them to act more effectively. The \ncomplex and rapid pace of change in this environment requires \nus to leverage cyber expertise broadly across public and \nprivate sectors, academia, and industry. Therefore, we aspire \nto increase our effectiveness and capabilities through \npersistent innovation across these partnerships.\n    Cyber defense is a team effort. Critical teammates such as \nthe National Guard and Reserve are integral parts of our cyber \nforce. They provide strategic depth and provide the Nation a \nreserve capacity of capable cyber warriors.\n    Finally, improving readiness is my key focus area. I \ncontinue to work with the services and the Department to \naccurately measure and maintain readiness, manning, training, \nequipping, and an ability to perform the mission.\n    After a year of change and progress, we see 2019 as the \nyear of opportunity. We have much work ahead of us as CYBERCOM \nmatures. I assure you that our people merit the trust you have \nplaced in them and that, with your support, they will \naccomplish a task that our Nation expects.\n    Thank you again for inviting me here on behalf of U.S. \nCyber Command and for your continued support. I look forward to \nyour questions.\n    [The prepared statement of General Nakasone can be found in \nthe Appendix on page 50.]\n    Mr. Langevin. Thank you, General.\n    I want to thank both General Nakasone and Secretary Rapuano \nfor your testimony.\n    We are going to now go to questions, myself and then the \nranking member, and then we will go to members in the order of \ntheir appearance according to seniority.\n    General, let me start with you. You assessed one year ago \nto the Senate Armed Services Committee that the Cyber Mission \nForce and all of its--133 of its teams would be fully \noperationally capable by June of 2018. Yet, given the different \ntraining regimes, the services, there are differences among the \nteams themselves.\n    So I just wanted to say, how do you set performance metrics \nfor the 133 teams within the Cyber Mission Force, and how does \nCyber Command assess and measure the readiness of all of its \nteams?\n    General Nakasone. Chairman, with regards to readiness, we \ntake a look at two factors: first of all, a measure of \nquantity, and, secondly, a measure of quality.\n    The measure of quantity is very familiar to all of the \nmilitary services. It is the manning, the training, the \nequipping of a force. It is very easy to calculate it. It is \none that our services excel at.\n    One of the things that we have done at U.S. Cyber Command \nis establish a joint training standard. That is very important \nto get at the point of your question with regards to leveling \nthe playing field. One joint standard is important for all our \nteams to be able to operate under. So whether or not it is a \nMarine team, an Army team, an Air Force team, that same \ntraining standard has been established by U.S. Cyber Command.\n    I mentioned the quantity aspect. Let me now shift to the \nquality aspect of how we measure readiness. We can have all the \nteams that are fully manned, fully equipped, and fully trained, \nbut if you don't have the access, if you don't have the \nauthorities, if you don't have the intelligence, if you don't \nhave the platform, if you don't have the capabilities to \naccomplish your mission, that is something in cyberspace that \nputs you uniquely in a very, very difficult position.\n    So I see that measurement of both quality and quantity as \nsomething we will continue to work towards at U.S. Cyber \nCommand.\n    Mr. Langevin. So let me ask this other follow-up question. \nSo how do you ensure that the teams also are continuously \ntrained and then certified and recertified and prepared for the \nmissions at the individual and the team levels? Since we can't, \nyou know, believe that, you know, it is one and done once it is \ncertified, but, again, the recertification process.\n    General Nakasone. Chairman, I think you are speaking of \ncollective training, as we take a look at how our teams are \nable to perform together. We evaluate that through a number of \ndifferent mannerisms.\n    First of all, the ability to do a real-world mission, being \nable to evaluate what they are doing on a daily basis. Also \nwithin exercise. We have a series of exercises that are set up \nwhere we are able to measure the training standard of that \nteam. And then finally, we set parameters in terms of ensuring \neach team has annual evaluations by third parties. This is \nsomething that we have instituted over the past several months. \nI think it is very effective in terms of being able to take a \nsnapshot in time.\n    However, with that being said, let me make sure that I \nreiterate, the teams that we have today are operating every \nsingle day against our adversaries. They are very, very capable \npeople, and we will continue to measure their capability. But \none of the benefits of working at U.S. Cyber Command is there \nis never a lack of training opportunities. It is real world \nevery single day.\n    Mr. Langevin. Thank you. And again to you, General, in your \nprepared testimony, you noted the incalculable value of the \nCYBERCOM-NSA relationship when discussing Joint Task Force \nAres.\n    Last Wednesday, Defense One ran a story that you \nrecommended to then-Secretary Mattis in August 2018 that NSA \nand CYBERCOM be split in 2020. Can you comment on the veracity \nof the story? And if the story is accurate, can you please \nexplain your recommendations?\n    General Nakasone. Chairman, a year ago, when I testified \nfor my confirmation hearings, one of the points that I made in \nboth the Senate Armed Services Committee and the Senate Select \nCommittee on Intelligence was that in my first 90 days as both \nthe commander and the director, I would conduct an assessment \nof the dual hat and provide those recommendations to the \nSecretary of Defense and the Chairman of the Joint Chiefs. I \ncompleted that assessment in August. The assessment was \nclassified, and it was provided to the Secretary and the \nChairman.\n    I am familiar with the article. I will tell you that the \narticle is not accurate and that, you know, the topics and the \nactual facts behind that are classified. And so if I could save \nthat, perhaps, for closed testimony.\n    Mr. Langevin. Fair enough. Thank you. We will follow up on \nthat then, sure, in the closed session.\n    To Mr. Rapuano, can you describe DOD and specifically \nCYBERCOM's support to homeland defense, specifically as it \nrelates to the defending-forward concept in the strategy? How \nis the Department supporting DHS efforts in coordinating with \nFBI [Federal Bureau of Investigation]?\n    And how does the Department coordinate with the \nCybersecurity and Infrastructure Security Agency at DHS, which \nhas the lead role in protecting civilian government and \ncritical infrastructure?\n    You know, I think it is important for people to understand, \nwe talk about defending forward and being more proactive, who \nhas responsibility for what though. You know, what is critical \ninfrastructure supposed to do on their own? What is DHS--what \nis their responsibility? And then also what is DOD, CYBERCOM, \nNSA's responsibility in all of this, and how does it fit \ntogether seamlessly?\n    Secretary Rapuano. Thank you, Chairman Langevin.\n    I would start by saying, of course, that the one mission \nthat only DOD has the authority capabilities, including the \nbreadth and scope, to conduct is warfighting overseas, \naddressing adversaries overseas and threats overseas.\n    That said, we have a renewed focus on supporting our fellow \nagencies domestically. We really start that in a tri-approach.\n    First is sharing intelligence and warning, and we do that \nwith the Department of Homeland Security and the FBI. And they \nprovide that information, DHS, to State and local governments; \nand the FBI, to commercial and other entities.\n    We defend forward in terms of identifying the source of \nmalevolent cyber activities that are threatening U.S. critical \ninfrastructure or other equities, including malign-influence-\ntype activities that were a significant concern during the \nrecent elections process.\n    We also have the defense support to civil authorities. As I \nnoted in my statement, we have a memorandum of understanding \nwith DHS to facilitate and expedite our defense support to \ncivil authorities, including DHS but other agencies as well, \nwhen they have needs that go beyond what their capacity is to \nrespond to a particular circumstance or threat associated with \ncyber.\n    So we are working closely with them. I met with their \nleadership this week. We meet routinely now to discuss how we \nmove forward, to discuss priorities. We are adding details in \nterms of how we can facilitate and expedite different levels of \nsupport, how we can develop and maintain real-time, full-time \nconnectivity with the Department. We have detailees who perform \nthose kind of roles, and we are looking to instantiate it in \nthe longer-term context.\n    Mr. Langevin. Thank you, Secretary.\n    The Chair now recognizes the ranking member for questions.\n    Ms. Stefanik. Thank you.\n    Secretary Rapuano, you mentioned that the new cyber \nstrategy highlights defend forward and persistent presence as \nmajor aspects of our new posture. And your statement also \noutlined some of the steps we are taking to shift to this \nfooting.\n    But from a policy perspective and with respect to \nescalation dynamics, have we thought about potentially when and \nif this more forward and persistent posture could be \ninterpreted as escalatory in nature by our adversaries and \nperhaps preemptively trigger escalation or retribution?\n    Secretary Rapuano. Absolutely. Escalation is a significant \nconcern with all military operations.\n    In what we call activities in the gray zone or below the \nspectrum of armed conflict, cyber is an especially attractive \ntool to our adversaries. And we have noted China and Russia as \nsignificant concerns in that context, and we see them applying \nasymmetric warfare below the spectrum of conflict against us.\n    We have come to the conclusion--and that is what informed \nthe strategy--that continuing to not respond to those behaviors \nand those threats that will manifest in a cumulative context--\nno one of these activities has clearly crossed that line in \nwhich a kinetic or military strike would be a response. So if \nwe ignore them, they will continue them, and they will \nundermine our security in a strategic way.\n    We have a process that is very risk-based in terms of \ninforming the risk-benefit assessment associated with how we \ntarget malevolent activities, how we achieve access. It is a \nprocess mentioned that was enshrined in the Presidential \nmemorandum providing policy guidance to the process that takes \nplace.\n    The first requirement is a Presidential determination for \ncertain types of operations. That then goes into a coordination \nprocess in terms of engaging on the development of the concept \nof operations, particularly with those agencies with the most \nequities involved. And then, ultimately, there is a \ndeconfliction execution process in terms of, if there are \nconflicts between key equities or elements or there are \nconcerns, for example, about the potential for unintended \nescalation, those issues are addressed.\n    So we do have a very thoughtful process but also a process \ndesigned to operate with the speed of relevance.\n    Ms. Stefanik. Thank you.\n    General Nakasone, what exactly does our cyber posture look \nlike when we defend forward with persistent engagement? Does \nthis simply mean that we are positioned to conduct more \noffensive operations or positioned to conduct more collection \nactivities?\n    And when you answer that, can you also touch upon the \ninteragency aspects and how we work with our international \npartners?\n    General Nakasone. Ranking Member Stefanik, if you think \nabout persistent engagement, I would offer two different \ncomponents that are very, very important, that are foundational \nto persistent engagement.\n    First of all is the idea of enabling. How do we enable our \npartners? That partner could be Department of Homeland \nSecurity, the Federal Bureau of Investigation. It could be \nanother service. It could be another member of our interagency. \nIt could be an allied partner.\n    A big portion of what we do in persistent engagement, as \nAssistant Secretary of Defense Rapuano said, is providing \ninformation or intelligence. If I might give you an example. \nDuring the security of the midterm elections, U.S. Cyber \nCommand, working in partnership with the National Security \nAgency, provided indicators of compromise to the Federal Bureau \nof Investigation and the Department of Homeland Security. That \nis an example of enablement.\n    The other foundational concept of persistent engagement is \nto act. Just as the Secretary mentioned, act is everything from \nunderstanding what our adversaries are doing within their \nnetworks; providing early warning; ensuring that we understand \nthe malware, the infrastructure, the other capabilities that an \nadversary might be accumulating to perhaps conduct an action \nagainst the United States.\n    But it is also the idea of sending teams forward. So we \nsent defensive teams forward in November to three different \nEuropean countries. That is acting outside of our borders that \nimpose cost against our adversaries.\n    Those are the two fundamental components of persistent \nengagement: enabling and acting.\n    Ms. Stefanik. My final question is for you, General \nNakasone. You have been given flexible acquisition authorities \nthat, frankly, the command has yet to fully use or mature into. \nSo my question is to figure out if this unique acquisition \nauthority for your command is even still needed, certainly \nsince over the years we have worked to give the services more \nflexible acquisition authorities.\n    Can you provide this committee with an update on why you \nthink you need this unique acquisition authority and what the \ncurrent state of implementation is? And then specifically, how \nwould you define cyber-peculiar acquisitions, as it is called \nin the law?\n    General Nakasone. If I might start with the question of a \nquick status update.\n    So this year, in fiscal year 2019, I believe the amount was \n$75 million for acquisition. And we have executed right now \nabout $44 million of that. We would anticipate by the end of \nthe fiscal year to execute about $60 million to $65 million. \nThat is not $75 million, and I obviously accept the fact that \nwe are short of that.\n    But what did we invest it in? And I think it is important \nthat we outline this. One, we invested it in tools, significant \ntools for how we operate with our teams. Secondly, big data \nanalysis. Thirdly, an opportunity for our developers to operate \noff-site at a facility to look at new networks, new \ncapabilities, new infrastructures. It was done rapidly. It was \ndone, I think, obviously, very effectively and certainly within \nthe law.\n    We are not to the point yet where I am satisfied with \nregards to operating at the amount that has been authorized for \nus, but we will get there. And I think the important piece is, \nwhen I think of why it is so important to us, our adversaries \nare rapidly changing. And we see that every single day as we \noperate against them. The authorities that you have granted our \ncommand to be able to do this is a first start for us to be \nable to operate at their speed.\n    The last thing I would say is, we have 10 openings that, \nyou know, are foundational for what we do for that acquisition \nauthority. We have filled six of them. We will fill the final \nfour by the end of the year, and I think this will be extremely \nhelpful for us to be able to execute the moneys.\n    Thank you.\n    Ms. Stefanik. And just to follow up, how do you define \ncyber-peculiar? Because that is how it is written.\n    General Nakasone. So if I might take that for the record, \nRanking Member, just to make sure that I have that fully \naccurate.\n    [The information referred to can be found in the Appendix \non page 69.]\n    Ms. Stefanik. Thank you. I yield back.\n    Mr. Langevin. I thank the ranking member.\n    Mr. Brown is now recognized for 5 minutes.\n    Mr. Brown. Thank you, Mr. Chairman.\n    In the most recently enacted Defense Authorization Act, we, \nthe Congress, directed the Department to study the feasibility \nand advisability of the establishment of Reserve Component \ncyber civil support teams to be assigned to each State due to \nthe lapse in appropriation associated with the 35-day recent \ngovernment shutdown. The Department did request an extension to \nsubmitting that report to Congress.\n    Can you give us a status, and not just, you know, when you \nanticipate to submit that to Congress, but give us a little \nflavor on, you know, what kind of either conclusions, findings, \nor recommendations might be in that report?\n    Secretary Rapuano. Certainly, Congressman.\n    The Department traditionally has not assigned unique \nspecialty areas to the National Guard, like cyber, but we have \nbeen exploring whether and where--really where the National \nGuard can best support DOD missions, specifically things like \ndefense critical infrastructure, infrastructure for which we \nare dependent on for power projection as well as weapons \nsystems.\n    The defense industrial base is another area that is \ncritical to us, and we are at risk, as I noted in my statement, \nof losing our asymmetric superiority to others who are stealing \nour technology.\n    So those are areas that we are very focused on and believe \nthere is a potential role for the National Guard. And we \nactually have a cyber mission assurance team that is looking at \nthe potential role there.\n    In response to your question about the 2019 NDAA 1653 \ntasker, we have a report that is in drafting process right now. \nWe will get it to you all by the end of April. I really can't \ngo into details on it, but it is really looking about the trade \nspace and the return on investment from a total force \nperspective and how and where those roles would be most \nconsistent with the other priorities of the Department.\n    Mr. Brown. Thank you.\n    Question regarding the cyber workforce. Everyone is \ncompeting for a limited pool of highly skilled and highly \ntalented, technically trained personnel. What thoughts do you \nhave about the role of AI [artificial intelligence] in reducing \nthe demand signal for a cyber workforce?\n    Secretary Rapuano. Well, we are looking at all the tools \navailable out there, you know, in terms of where do we need to \nbuy either tools or capabilities, where do we need to hire \npeople for that human potential component of it. It is well-\nrecognized that hiring in the cyber field is very challenging \njust based on the very high demand signal, so we have a number \nof programs; CES [Cyber Excepted Service] is prime amongst them \nin terms of a new tool.\n    AI we are looking at very hard in terms of where we can \nleverage AI and other advanced capabilities, analytic \ncapabilities to perform some of those activities.\n    I might turn it over to General Nakasone. I know his team \nlooks at this very closely too.\n    General Nakasone. So, Congressman, I think that AI and \nmachine learning certainly has a place as we take a look at \nsome of the activities that we do day in and day out within our \nforce.\n    But I would offer, the people that make AI go, the people \nthat ensure that our algorithms are right for machine learning, \nthey are the folks that I am most focused on. Because I would \ncall them--they are the 10X or the 20X folks that do their \nmission 10 times or 20 times better than anyone else. That is \nthe competition that we are in today.\n    So I would just offer--I give great kudos to the services \nfor recruiting a great base of folks, and that is both military \nand civilian. I think we do a good job of training them; it is \ngetting better. The hard part and the one that we work at every \nsingle day is the retention part. That is the one that is most \nimpactful for us.\n    Mr. Brown. And you mentioned the CES, Cyber Excepted \nService. Can you tell us a little bit about your experience \nwith that? And is it working? Is it effective? Tell us about \nthat.\n    General Nakasone. Cyber Excepted Service, which just came \non board roughly over the past year, we at U.S. Cyber Command \nwere the first phase of that.\n    I can give you the metrics of now we are looking at a drop \nof 60 percent with regards to the hiring capabilities and the \ntimeline to hire someone. So we have metrics that show us 111 \ndays before CES. Now it is at about 44 days.\n    We have done over 21 different fairs. We have interviewed \nover 2,700 people. We have, you know, provided over 90 \nacceptances for job applications.\n    My perspective, early phase, I am a supporter of it, and I \nlook forward to continuing to utilize it.\n    Mr. Brown. Great. And I hope the University of Maryland at \nCollege Park is giving you a talent pool to work with.\n    I yield back, Mr. Chairman.\n    Mr. Langevin. Thank you, Mr. Brown.\n    You know, on the topic of the workforce and training, we \nrecently had testimony in reference to the Cyber Excepted \nService as a whole, and it is underresourced at this time. And \nI think it is important for it to have full support and full \nresourcing.\n    Can you comment on that, Secretary?\n    Secretary Rapuano. Yes, I can. I share your concern, Mr. \nChairman. I have engaged with Dana Deasy, our CIO [Chief \nInformation Officer], as well as the Under Secretary for \nPersonnel and Readiness. This is a priority. The challenge with \nthe Department is we have a lot of priorities, but everyone \nacknowledges there is no higher priority than this.\n    So we are looking at additional resources that we can get. \nWe have already put essentially two more people onto it, \nbecause we had a couple of them taken for another priority \ngroup, and that has been addressed. But we need to supplement \nthem going forward, and we believe we have a path to resources \nto do that in a relatively near term.\n    Mr. Langevin. Okay. Thank you. I think that has to be a \nhigh priority, and certainly more support for the Cyber \nExcepted Service is going to have the support of this \nsubcommittee and the committee as a whole.\n    Secretary Rapuano. Thank you. It very much is.\n    Mr. Langevin. Thank you.\n    Mr. Waltz is now recognized for 5 minutes.\n    Mr. Waltz. Thank you, Mr. Chairman.\n    I am also interested, very interested, with my colleague \nMr. Brown in the Guard and Reserve and the role that they can \nplay, and I would be very interested in seeing that report. I \nhave had the same conversations with General Kadavy, the head \nof the Army Guard. I mean, it seemed, you know, that the \nchallenge is with recruiting, the challenge is with keeping up \nwith the civilian sector and the pace of technology and who \nbridges those two worlds.\n    One of the questions I have asked him is, when you are \nrecruiting your cyber force into the Guard and Reserve, are you \ntaking, you know, the civilian occupation into account? Are we \nrecruiting people who are truck drivers during the day and then \ninto the cyber force, or people who are actually in the IT \nsector in Silicon Valley, in that space, so that you can \nleverage those two and build upon those two?\n    And it is not clear to me. I would be interested if the \nreport addresses that, if that is taken into account in the \nrecruiting on the front end, particularly for the Guard so that \nyou can build those going forward.\n    Do you have any additional comments on where that is going?\n    So, I mean, just to be candid, talking to the Guard about \ncounting tanks, counting aircraft, parity in fielding, that is \nimportant. They need to be interoperable with the force. But \nwhere they can uniquely, you know, take this leading role--and \nleveraging those civilian sector skills, I think, is something \nwe should take a hard look at.\n    Secretary Rapuano. Yes. While I cannot speak to the details \nof how the National Guard right now is conducting their \nrecruiting, I am familiar enough with their process to know \nthat they do look at what are those specialty areas that the \nindividual is being recruited for and what skills do they bring \nin addition to the basic elements of education.\n    Mr. Waltz. Okay.\n    Secretary Rapuano. So that is something. And then, again, \nit will be based on how the specialties develop and evolve and \npotentially expand.\n    Mr. Waltz. Thank you. I am eager to see the report.\n    General Nakasone, can you just talk to me about plans or \nwhat is in place or what is coming down the pipe to just kind \nof share and collaborate cyber threats ostensibly at network \nspeed, ostensibly at cloud scale with the top U.S. companies, \nwith industry, I mean, so we can leverage the full resources of \nthe U.S. Government and respond to our critical infrastructure?\n    Have we thought about--or is there--and forgive my \nignorance, if there is a cybersecurity cooperative agreement \nwith industry to detect, respond, mitigate cyber threats? I \nknow DHS has theirs, but I keep hearing consistently, frankly, \nthat it is not being utilized to its full extent and, frankly, \nnot useful to industry. I didn't know the relationship with \nyour command and industry.\n    General Nakasone. Congressman, we have been working closely \nwithin the Department on an initiative called the Pathfinder \nprogram. The Pathfinder program--and this is an outgrowth from \nthe Secretary of Defense and the Secretary of Homeland \nSecurity's memorandum of agreement to work together to look at \njoint ways that we can address the critical infrastructure \nsectors.\n    As you are aware, 17 different critical infrastructure \nsectors. We have started with the first one to look at, working \nvery, very closely with the financial industry, working closely \nwith the Department of Treasury, and the Department of Homeland \nSecurity, how do we share data, how do we share it rapidly. One \nof the things that we have done over the past several months is \nhad four different means of sharing data.\n    But it is more than just sharing data, because we are not \ngoing to get out of this issue with just sharing. It is also \nour technical experts talking to their technical experts, \ntalking to the Department of Homeland Security.\n    It shows great promise. And as they move on from the \nfinancial industry, I think that energy and other industries \nright behind it will be the beneficiaries of this.\n    Mr. Waltz. Along those lines, how are the delays in moving \nand DOD moving into the cloud architecture, how is that \naffecting your warfighting mission?\n    General Nakasone. So it hasn't affected my warfighting \nmission. I would offer that our ability to share right now is \nat a level that certainly is able for me to accomplish what I \nneed to be able to do.\n    I think, to your point, though, how do we increase our \nlethality in the future as a force, I think this is one of the \nareas that we are working towards. As the Department moves to \nits investment in the cloud experience, this is one of the \nthings we are working very, very closely with the Department, \nNSA, and Cyber Command to ensure that we are well-postured for \nit.\n    Mr. Waltz. Thank you. Then a final question, just in the \ninterest of time, and maybe we will take this for the closed \nsession, but I would be very interested.\n    Data is the new gold, new oil, whatever you want to call \nit, the coin of the realm. And back to your issue of \ncollaborating, particularly with sensitive data, with an eye \ntowards AI and 5G, because we can't really get to one without \nthe other.\n    But I will yield my time and look forward to the closed \nsession. Thank you.\n    Mr. Langevin. Thank you, Mr. Waltz.\n    Mr. Kim is now recognized for 5 minutes.\n    Mr. Kim. Thank you, Chairman.\n    Thank you so much for coming and speaking with us today.\n    I actually just wanted to take a step back for a second \nhere and just get some of your thoughts and advice here.\n    The issue of cyber threats is pervasive in my district. It \nis something that people worry about constantly, especially \ngiven the news and given all the talks about Russia and China. \nAnd I will tell you that these concerns are ones that I hear at \ntown halls, and they come up in a lot of different meetings. I \nthink there is a lot of confusion about what it is that we are \ndoing and what the capabilities are on the other side.\n    So I would start this by urging the two of you to think \nabout ways that we can invest in lifting up some of that veil, \nmaking sure that--I understand the difficulties and the \nsensitivities of the work you are doing. But as a new command, \nI think it is important for the American people to understand \nwhat it is that you are working towards, what it is that we are \ntrying to do, and what it is that we are trying to defend \nagainst.\n    Because this is a different type of threat than the \nAmerican people in my district, in Burlington County and Ocean \nCounty, to understand compared to conventional, traditional.\n    With that, I want you to just imagine yourself with me in \nmy district at a town hall when I get these questions. I would \nlike to hear from you what you would say in response to someone \nwho is saying, are we getting outgunned by China and Russia? \nWhere are our capabilities and our personnel and our resources \ncompared to these near-peers?\n    When we are talking and looking at our cyber budget, how \ndoes that stack up with how our competitors are spending and \nmoving forward in this? How would you respond to someone in \nthat way without having to get into the classified material?\n    Secretary Rapuano. I will start, and then I can hand it \nover to General Nakasone.\n    I think when you look at the United States and you look at \nit, certainly, from a Department of Defense perspective, we \noperate around the world. We have to have systems that can \ncommunicate and engage around the world. So that presents a lot \nof surface for adversaries in terms of who are looking to \ntarget us.\n    We have an open system in terms of the internet. You may \nhave heard that China has the Great Firewall of China. So we \nprize free communication of information. So an open internet is \nsomething that is consistent with the way that we have operated \nin the world from early on, and we would like to maintain that.\n    So it is not an apple-for-apple in terms of our \nvulnerabilities and adversary vulnerabilities is something that \nI would offer.\n    We have just increased, as you know from the budget, the \nbudget for cyber, $9.6 billion and 10 percent increase over \nlast year. So that is in recognition of the importance of this \narea, the evolution of the threat, which we see. We believe \nthat we are developing the critical capabilities necessary to \naddress the threat, but, as you know, it is a very complex and \ndiverse threat. So walking through each of those areas can take \na little bit of effort.\n    But I would just say that I think that, with the advent of \nthis strategy and authorities from a national defense \nperspective, we have made tremendous progress. We are making \nthe necessary investment to keep up with the threat and be able \nto prevail, if necessary, in all warfighting domains, including \ncyber.\n    General Nakasone.\n    General Nakasone. Congressman, I think I would begin, if I \nhad an opportunity to speak at your town hall, by saying the \nNational Security Strategy identifies our threats very well. We \ntalk about, you know, strategic and great power competition in \nthe realm of both China and Russia. They are near-peer \ncompetitors. They have been able over the past 17 to 20 years \nto shrink the gap.\n    And then there are rogue nation-states, such as Iran and \nNorth Korea, that continue to conduct malfeasance in the \ndomain.\n    But with that being said, there is still a gap between \nthose actors and ourselves. And while I obviously hear a number \nof the different challenges that we have, I would also offer to \nyour town hall that there are some strengths that are \nendemically part of the United States.\n    First of all, partnerships. We have a series of \npartnerships--partnerships with other allied countries, \npartnerships with academia, partnerships with industry--that I \nthink are second to none.\n    Secondly, innovation. When we think about innovation, where \ndo we think about? We think about Silicon Valley. We think \nabout Austin. We think about Boston. We think about sectors \nwithin the United States. That is very, very important because \nwe are in, obviously, a domain that is rapidly changing.\n    The other piece I would say is we are well-resourced. Thank \nyou very much for, obviously, the resourcing that you have done \nfor our efforts over this budget. I think that is tremendously \npowerful for us.\n    And the last thing is that we are also a country--and I \nwould say, certainly within the Department of Defense, that we \nlearn our lessons. And so we have learned our lessons. And I \nthink that over the past several months we have been able to, \nobviously, apply those lessons in a manner that has addressed \nsome of the actions of our adversaries.\n    Mr. Kim. Well, I look forward to working with all of you on \nhow it is we can better explain this to the American people. \nThank you.\n    I will yield back.\n    Mr. Langevin. Thank you, Mr. Kim.\n    Before we go to Mr. Bacon, Mr. Secretary, you mentioned the \n$9.6 billion cyber budget request. And can you tell me what \ndoes the $9.6 cyber budget encompass? Is it IT as well as \nmilitary cyber operations? And what is the totality of the \nbudget for CMF and operations?\n    Secretary Rapuano. So I will leave CMF to General Nakasone, \nbut just in terms of the broad brush of the budget, it really \nstarts with cybersecurity. So that is both hardware and \nsoftware. We have to reduce the risk to DOD information \nsystems.\n    Then it really gets to cyber operations. General Nakasone \nmentioned the tools, the training, all of the elements \nnecessary for us to conduct cyber operations effectively.\n    And the third is the R&D [research and development] across \nall of these areas that we must continue to support so we can \nout-innovate our adversaries.\n    Mr. Langevin. So give me, the committee, just kind of an \nunderstanding between those three categories, which--the \nvarious--the percentages, if you will, what is going to----\n    Secretary Rapuano. Well, I mean, I think General Nakasone \nhas more details on the splits.\n    General Nakasone. Within that, Chairman, of the $9.6 \nbillion, $532 million to the headquarters of U.S. Cyber \nCommand. That is roughly 6 percent of the budget. And then $1.9 \nbillion for a build an infrastructure. That is infrastructure \nacross all of our four different locations that we have our \nteams. That will be--roughly 87 percent of that will go to the \nservices, and the rest, about $200 million of that will stay \nwithin U.S. Cyber Command.\n    Mr. Langevin. All right. That is helpful. Thank you.\n    Mr. Bacon, you are now recognized for 5 minutes.\n    Mr. Bacon. Thank you, Mr. Chairman.\n    And appreciate both of you being here and appreciate your \nleadership on cyber.\n    A couple questions for General Nakasone.\n    I read that you were recommending the NSA and Cyber split \nsometime in 2020. Is that indeed your position?\n    General Nakasone. Congressman, I had seen the article that \nwas written. That is not accurate.\n    And last year about this time, during my confirmation \ntestimony, I had indicated I would do a 90-day assessment. I \ndid that assessment, provided it to the Secretary of Defense \nand the Chairman. The assessment is classified, so we can talk \nabout it later in closed session.\n    But, again, to your point, that was not accurate. And, \nagain, the final decision, obviously, rests with----\n    Mr. Bacon. Right.\n    General Nakasone [continuing]. Not with me, so----\n    Mr. Bacon. But maybe is it fair enough to say that you \nnow--you would say your position is to keep them together then, \nthe two commands, under one four-star?\n    General Nakasone. So again, I think on this topic, \nCongressman, it is much more accurate for me to be able to talk \nin closed session----\n    Mr. Bacon. Okay.\n    General Nakasone [continuing]. Just to bring out the facts.\n    Mr. Bacon. Just my view on it, without probing for your \nposition, I just don't see how you can have them separate. I \nhave worked in this community a little bit, with my 30 years in \nthe Air Force, and our cyber teams are a good mix of \nintelligence and cyber folks that will probe or defend.\n    And it seems to me, from a cyber perspective, it is a \nsymbiotic relationship with NSA. You can't do the two separate. \nI would be a little afraid, if you had two four-star generals, \none in charge of the intelligence force and one in charge of \nthe cyber portion, you could be pulling that team apart in two \ndifferent directions.\n    And so I have always been a proponent that you need a \nunified leadership under one four-star and have the two three-\nstars guiding the two different ships.\n    But it just doesn't make sense to me from my experience in \nthere. So I hope, at least my view or at least my \nrecommendation would lean towards how we have it. I think we \nhave it right.\n    How many cyber teams do we have?\n    General Nakasone. We have 133, Congressman.\n    Mr. Bacon. And is there a requirement for more, or is it \nabout right?\n    General Nakasone. So right now what we are doing is, \nthrough a series of both exercises and real world, looking at \nour force in total. My anticipation is after we have taken a \nthorough look at that we will make some recommendations. But \nright now 133 is what we have, and we are able to do our \nmissions with them.\n    Mr. Bacon. And all 133 are FOC, or fully operational?\n    General Nakasone. Right. They are fully operational.\n    Mr. Bacon. I have done exercises in the past in the Air \nForce, and we would do a full planning where you have your air \ntargeting order or air tasking order and you build this whole \nplan, and then everybody leaves the room and cyber will come in \nand say, here are some other options.\n    Are we doing a better job now integrating cyber into the \nCOCOM [combatant command] planning, where it is really baked in \nfrom the start, not an add-on after the fact?\n    General Nakasone. While I hate to speak for my fellow COCOM \ncommanders, I would say yes.\n    Mr. Bacon. I hope so.\n    General Nakasone. A couple things that have enabled us: \nfirst of all, the ability to put cyber operational integrated \nplanning elements--those are planning elements that are well-\nversed in cyber--at each of the combatant commands. That has \nhelped.\n    Secondly, that we have had a lot of operational experience \nin places like Afghanistan, Iraq, other places around the world \nwhere we have been able to do this. And even with the midterm \nelections, working with U.S. European Command, General \nScaparrotti and myself, learned a tremendous amount of lessons \nin the way we need to do this.\n    Mr. Bacon. Well, I am glad to hear that. I am glad we are \nevolving to where it is baked in from the beginning. Because I \nhave been there where you do all your combat planning or this \nor that in space, and then everybody leaves, and it's like, \nokay, now what do I do with cyber? It should be integrated in \nfrom the beginning.\n    One last question. You know, there is a lot of convergence \nbetween cyber and electronic warfare [EW]. How much do you \nthink cyber should be involved with electronic warfare? Is that \na totally separate science, from your perspective?\n    General Nakasone. So from my perspective, having worked \nthis both as the Army service commander and now as the \ncommander of U.S. Cyber Command, these are non-kinetic \ncapabilities. And being able to synchronize non-kinetic \ncapabilities, whether or not it is EW or cyber or information \noperations, bringing that closer together provides tremendous \namount of capability for our commanders. And so that is why \nthat close working relationship, I think, is very important.\n    Mr. Bacon. So you would say the cyber role with EW would be \nmore of a planning--to use an EW weapon versus a cyber weapon, \nbut Cyber Command within itself would not have the EW weapons \nsystem. Do I have that right?\n    General Nakasone. Yeah, so how we organize it, I think that \nis still to be determined. But in terms of the planning \ncapability and synchronizing that, I definitely see that this \nis one where we would provide a synchronized look and say, hey, \nthis is an opportunity for our combat commanders to leverage.\n    Mr. Bacon. And from my background, the NSA has a great team \nworking on the EW side, or at least on the ELINT [electronic \nintelligence], and we couldn't do it without you.\n    Sir, with that, I will yield back, Mr. Chairman.\n    General Nakasone. So, Congressman, I would just offer that \nI agree with that.\n    Mr. Bacon. Okay. Good. You get to take praise both ways.\n    General Nakasone. It goes both ways.\n    Mr. Langevin. On the EW issue, General, let me ask this. I \nknow that after--I think it was Secretary Ash Carter that stood \nup the EW EXCOM [Electronic Warfare Executive Committee]. And \nwhat interaction do you all have with that body as they avail \nyou with our EW capability? Do either one want to comment on \nthat?\n    General Nakasone. So I am not familiar with the EW EXCOM. \nThat may have been renamed. There is a working body right now \nthat discusses electronic warfare at the Vice Chairman level \nwith the Deputy Secretary that normally we have, but I think it \nis the same purpose, and, again, the idea of how do we bring \nthis together in a more compactful manner.\n    Mr. Langevin. Okay. Thank you. Thank you.\n    And on Mr. Bacon's comment on the splitting of dual hats--\nsee, bipartisanship isn't dead--I think you and I are \ndefinitely in sync on that one. So thanks for your comments on \nthat.\n    Ms. Houlahan is recognized for 5 minutes.\n    Ms. Houlahan. Thank you, Chairman.\n    And thank you very much for your testimony today, \ngentlemen.\n    And, General, thank you for allowing us all to come as \nfreshmen and tour your amazingly powerful facility.\n    My questions, I have two, a fairly unrelated one. The first \none is to General Nakasone.\n    The President's budget does call for a pretty big \ninvestment in developing what he is terming a Space Force. \nObviously, the space domain is very important for cyber \noperations.\n    And I was hoping--and this relates, I think, to \nRepresentative Bacon's comments and questioning--if you could \ntalk a little bit about the relationship between CYBERCOM and \nthe Air Force currently as it relates to the space domain and \nsatellites in particular.\n    And help me assess whether or not the creation of a Space \nForce would either complicate CYBERCOM's work, help CYBERCOM's \nwork, be redundant to CYBERCOM's work. How do you see that \nunfolding?\n    General Nakasone. So we have worked very closely with the \nAir Force on the development of our cyber capabilities, to the \nfirst part of your question. In fact, roughly 39 of our 133 \nteams are from the U.S. Air Force. So we have a very strong \nworking relationship with the Air Force and a very, very good \njoint force headquarters in Lackland Air Force Base in Texas \nthat we have been reliant upon for many missions.\n    In terms of space, we at U.S. Cyber Command are in close \npartnership with not only the Air Force but U.S. Space Command, \nworking with General Raymond, in terms of how do we ensure a \ncouple of things: first of all, the defense of his networks. So \nworking between U.S. Cyber Command, the National Security \nAgency, USSPACECOM, how do we ensure the criticality of his \ncommunications?\n    Secondly, what are the options for full-spectrum operations \nthat we might be able to conduct from space that impact cyber? \nWe are very, very excited about the possibility of the, you \nknow, instantiation of U.S. Space Command. Being the newest kid \non the block, I think that they would obviously provide, as the \nDepartment and the administration have indicated, a great \ncapability.\n    We see the importance of space every single day, not only \nfor our intelligence gathering, but also for looking at \npossible options as we look at adversaries for the future.\n    Ms. Houlahan. So do you have any reticence at all in terms \nof the interaction of what would be a new force? Or are you \nlooking forward to that opportunity to integrate with something \nlike that?\n    General Nakasone. Really looking forward to integrating \nwith it. I think they are a great capability. We see the \nimportance of space, whether or not we are on the defensive \nside or the offensive side. And this is one of the areas that \nwe think is going to create capability.\n    Ms. Houlahan. Thank you so much for the answer to that \nquestion.\n    My second one, fairly unrelated, has to do with memory \nchips and the fact that we only manufacture about 20 percent of \nthe world's memory chips.\n    And I am wondering if you could comment, either one of you, \non whether or not you feel as though we need to have organic \ncapability of doing that domestically, whether for defense or \ncivilian purposes, and how you think we as a Congress might be \nhelpful in helping that, if you, in fact, believe that we \nshould be more independent in that area.\n    Secretary Rapuano. I will just give a high level on that.\n    We are very concerned about supply-chain security, \nparticularly for sensitive systems or systems that may provide \naccess to adversaries. So we are looking at the entire supply \nchain to understand where and what systems might be most \nvulnerable and how we can improve the surety associated with \nthese chips and other elements.\n    Ms. Houlahan. Sir, do you have any other----\n    General Nakasone. Yeah. So I think that the Secretary has \ncharacterized it well, in terms of, one the areas that we have \nto ensure--and this is the world in which we live, where they \nare being made today--is we have to have verification.\n    And the way that we do that verification, whether or not it \nis appropriately written into our contracts or whether or not \nit is being conducted, you know, periodically to ensure the \nveracity of these chips and their assurance that they will be, \nobviously, effective in their doing is really important to us.\n    Ms. Houlahan. Can you comment--I have another 49 seconds or \nso--on anything that we as a Congress can be doing to be \nhelpful to begin the process of allowing us to be a little bit \nmore independent in that area?\n    Secretary Rapuano. Well, I would just say that we are \nworking very closely with industry, as well as with the \ncrosscutting teams associated with the assessment, the \nvulnerability assessment, to inform what the most effective \napproach is going to be to ensuring the surety of, first, \nnational defense systems, but it expands more widely to that.\n    So there are locations in the United States where secure \nchips are built, but it is not at the scale that would cover \nall the needs, if there are concerns of a range of systems that \ncould be entry points. So I don't know that we are at the point \nright now, but we may be coming to that point going forward.\n    Ms. Houlahan. Thank you very much, gentlemen.\n    I yield back.\n    Mr. Langevin. The Chair recognizes Mrs. Trahan.\n    Mrs. Trahan. Thank you, Mr. Chairman.\n    So recognizing that scaling is--I mean, that that is a \nchallenge no matter what industry you are in, in terms of the \nCyber Mission Force, the 4,400 people, 133 teams, can you just \ngive us a sense of how this team needs to grow in the next 2 to \n3 years not just to meet the threat or catch up but, you know, \nto lead on cybersecurity?\n    General Nakasone. Congresswoman, I think the piece I would \noffer is--so we have 133 teams on the Active side. The piece \nthat we are focusing now is the growth on the Reserve and the \nNational Guard side.\n    So the Army is going to build 21 additional teams. They are \ndefensive teams. They will be built, all of the National Guard \nteams done by 2022 and all of the Army Reserve teams done by \n2024. Twenty-one more teams is a tremendous amount of capacity \nthat brings to us. I think it is the strategic depth that we as \na Nation need.\n    To your point, then, one of the areas that we are starting \nto think through is, how do we effectively use that new \ncapacity that is going to come on board in the next couple \nyears? That is what we are starting to assess now, to the point \nof, are there critical infrastructure partnerships that we \nshould start forming now with the teams that are coming on? Are \nthere other mission sets that make a lot of sense for this new \ncapacity?\n    So we are excited about that. The Army has moved out on \nthat, and they are ahead of schedule in building those teams.\n    Mrs. Trahan. Great.\n    So you had mentioned, General Nakasone, that the biggest \nchallenge is retention. Can you comment on the challenges or, \nyou know, the root cause of retaining our talent?\n    General Nakasone. I think that if you think about the \ntalent that I was describing, the people that really are, you \nknow, 10 or 20 times better than their peers, the first \nchallenge is that they are looking for great missions that they \ncan work. And that is one of the things that we think we offer, \nmany times. I mean, it is hard to imagine places that you could \ngo to do the things that we do in our mission force at the \nNational Security Agency.\n    But that is only so far. And I think that the other piece \nof it is that we realize that there may be folks that want to \ncome into the Army, whether or not it is as a military or \ncivilian member, that only want to stay for 5 or 6 years. Not \neveryone is like yourself, in terms of staying 20 or 25 or 30, \nI guess now, years.\n    Mrs. Trahan. I just got here. I just got here.\n    General Nakasone. Myself, I should say.\n    But that is a little bit of change in our thinking. And so \nwe have to change, too, and say, if they are only going to be \nhere 5 or 6 years, how do we effectively use them? Because \nthose 5 or 6 years, they can be really, really impactful for \nthe Nation.\n    Mrs. Trahan. Sure. And, you know, optimizing around that, \nonce you know what your churn rate is, I think is important.\n    And so I guess my follow-on question--I came from business \noperations, so you will have to forgive me. But if retention is \nan issue and we know that folks are going to churn after 5 \nyears, is the Guard enough to fill the pipeline, given, you \nknow, the cost of training and onboarding and, you know, the \ncurrent churn rate or even your projected churn rate? Is that \nenough?\n    And I guess where I am going--you can answer that question, \nbut I will just give you my end question. Is there anything \nthat Congress can be doing to address cybersecurity education, \nworkforce development, those challenges with filling your \npipeline beyond, you know, what we are thinking about today?\n    General Nakasone. I think the last point that you made with \nregards to building a supply base is really important.\n    So when we look to recruit, we are looking for, you know, a \npopulation that is science, technology, engineering, \nmathematics enabled. And so, as we think about this as a \nNation, we think about it, obviously, in the Department of \nDefense as, how do we engender that type of support within our \nyoung people?\n    I know at the National Security Agency we are working \nthrough a series of different camps that we sponsor from K-12. \nLast year, we touched 13,000 young people and 3,000 teachers, \nfor a fairly small investment. That is the kind of, I guess, \npopulation that we are trying to develop so not only that the \nDepartment can recruit from but, obviously, our Nation can as \nwell.\n    Mrs. Trahan. Thank you.\n    Did you have anything to comment, Mr. Secretary?\n    Secretary Rapuano. I was just going to note that--and this \nis certainly embodied in Cyber Excepted Service, which we very \nmuch appreciate from Congress--but it is a soup-to-nuts in \nterms of, as General Nakasone mentioned, how and where do we \nbest recruit? How do we develop an understanding amongst this \ntalent pool about what we offer within the Department of \nDefense? And then it is, how do we ensure that they are getting \nprofessional development, horizontally and vertically?\n    And, ultimately, as all very capable people who are driven, \nthey want to understand and they want to have offered to them \nability to advance. So how are we ensuring that we are doing \nthat so we are able to keep the best and the brightest? We know \nthat a number of them will rotate out, but we want to build a \ncertain percentage that are going to stay over the longer term.\n    Mrs. Trahan. Yep. I couldn't agree more. I mean, look, this \nis an enormous opportunity for our economy while also, you \nknow, securing our country. So thinking through and co-\nproducing programs beyond K-12 to get people the credentials \nthat they need to serve, I think, is a noble partnership on our \nbehalf.\n    Thank you. I yield back.\n    Mr. Langevin. Thank you, Mrs. Trahan.\n    I just wanted to mention, General Nakasone, you had \nmentioned the collaboration and synchronization with the Space \nForce. But now, obviously, that also could mean that you are \ngoing to be competing with their people, talent, and dollars \nfor resources as well. So another challenge you are going to \nhave to deal with.\n    Ms. Slotkin is recognized for 5 minutes.\n    Ms. Slotkin. Thank you. I apologize for being late. We had \nanother subcommittee hearing right in the middle.\n    My question actually goes back to something that \nCongressman Kim was talking about. I am a former Pentagon \nAssistant Secretary, and I cannot explain to people in public \nwhat we are doing to push back. And all of the people that come \nto my--you know, on cyberattacks. I am sorry. Let me finish my \nsentence.\n    People will ask me, from the small township officials to \nthe average person who has had their credit card data taken by \na corporation, ``It feels like we are being smacked in the face \nevery single day. You know, Elissa, you are from the Pentagon. \nWhat are we doing to actually fight back?''\n    And it is concerning to me that I can't tell them--I don't \nwant to tell them anything classified, but I want to be able to \nsay, we are not just sitting down and taking it, and here are \nsome things I can say in an unclassified basis.\n    And then, secondly, just help me understand, you know, if \nyou grow up in the defense world, you grew up with a model of \ndeterrence, right? Conventionally, nuclear weapons. We need to \nmaintain a strong deterrent. And I would love your help in \nunderstanding how we are doing that in the cyber realm. What \nare we doing to deter what feels like constant attacks on us in \na way that, again, reassures me and others who are concerned \nthat there is some price to pay for the constant barrage that \nwe are receiving?\n    Secretary Rapuano. I will take your second question and \nhave General Nakasone take your first.\n    Deterrence is really about denying benefits and imposing \nconsequences on adversaries in a way that is predictable enough \nfor them that it dissuades or deters them from continuing them.\n    Historically, we have not done that in cyberspace. And that \nreally is the paradigm shift that is really laid out in our \nstrategy.\n    The third component of that is strategic messaging. How do \nwe ensure that we, in concert with allies and partners, the \nrest of the international community that also abhors this kind \nof malevolent cyber activities, how do we galvanize this, in \nsome sense or sometimes silent majority, to really focus on \nthose actors who are creating the most problems?\n    So that is really what defending forward is all about. That \nis what persistent engagement at the combatant-command level is \nall about. It is the engagement, and it is about addressing the \nsource of these threats.\n    General Nakasone. Congresswoman, to your first point, I \nwould turn back to, again, the recent elections, and what did \nwe as a government do to ensure safe and secure elections. I \nthink that, you know, the model of bringing together, whether \nor not it was the Department of Defense, the Federal Bureau of \nInvestigation, Department of Justice, Department of Homeland \nSecurity, throughout the summer, very, very public appearances \nin terms of we are going to ensure a safe and secure election.\n    So we did work very, very closely with the Department of \nHomeland Security to protect our election infrastructure. We \ndid work very, very closely with the Federal Bureau of \nInvestigation to stop influence operations from other non-\nnation-states and nation-states from impacting our people. And \nwe did, you know, obviously, conduct actions to ensure that any \nadversary that was attempting to interfere with our democratic \nprocesses, that we would address.\n    That is different than what we had done in the past, as the \nSecretary had mentioned. And I think that that is a very, very \ngood model of where we need to move forward. Because we have to \nmake sure that obviously our adversaries and certainly the \nAmerican people understand that this is something that is \nobviously worth defending.\n    Ms. Slotkin. So just so I understand, you think that our \nresponse to attempts to meddle in our elections, that response \nprovided some pain or put some pain on those who were trying to \nmeddle, and therefore they won't do it again?\n    General Nakasone. So I certainly can't assert they won't do \nit again. But they should certainly know, after what has \noccurred, that we are not going to stand back and be responsive \nin our approach, that we are going to defend, obviously, one of \nthe most important things that we have in our Nation, which is \nour democratic processes.\n    Ms. Slotkin. Thank you. I yield back.\n    Mr. Langevin. Thank you for the line of questioning.\n    And whether it is election operations or other things in \nthe gray zone conflict, I think it is important that we meet \nthem at every challenge. And I think we are going to see more \nand more of this conflict in the gray zone below the threshold \nof armed conflict. And I think we ignore those activities, I \nthink, at our detriment.\n    And so, you know, we have to run the board and confront \nthem everywhere. Anytime that our enemies or adversaries do \nsomething that goes unanswered, I think it just emboldens them \nfurther, in my opinion. So I think that is all part of the \nwhole concept that we have now undertaken of defending forward. \nIt is confronting them when and where we have to meet them.\n    Unless Mr. Cooper or Mr. Conaway have questions, we are \ngoing to now go to the closed session. So the committee stands \nin recess until the closed session begins.\n    Thank you.\n    [Whereupon, at 3:45 p.m., the subcommittee proceeded in \nclosed session.]\n\n\n      \n=======================================================================\n\n                            A P P E N D I X\n\n                             March 13, 2019\n\n=======================================================================\n\n    \n=======================================================================\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             March 13, 2019\n\n=======================================================================\n\n      \n      \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n      \n=======================================================================\n\n              WITNESS RESPONSES TO QUESTIONS ASKED DURING\n\n                              THE HEARING\n\n                             March 13, 2019\n\n=======================================================================\n      \n\n             RESPONSE TO QUESTION SUBMITTED BY MS. STEFANIK\n\n    General Nakasone. Section 807 of the FY 2016 NDAA does not \nspecifically define cyber-peculiar. However, the 2016 DOD \nimplementation plan submitted pursuant to Section 807 of the FY 2016 \nNDAA provides ``cyber operations-peculiar (CO-peculiar)'' and ``cyber \ncapability-peculiar'' equipment, capabilities and services as \n``Equipment, materiel, supplies, non-materiel solutions, and services \nrequired for select joint CO-peculiar requirements or established DOD \nAgency-provided service or product.'' In the Report on USCYBERCOM \nAcquisition Authority submitted pursuant to the Joint Explanatory \nStatement accompanying Section 1635 of the FY19 National Defense \nAuthorization Act, dated Oct 2018, USCYBERCOM defined cyber-peculiar \ncapabilities and services as: Any acquisition effort that supports or \nfacilitates any of the three Cyberspace Missions as defined in Joint \nPub 3-12; Offensive Cyber Operations, Defensive Cyber Operations, or \nDepartment of Defense Information Network operation. These three \nmission types comprehensively cover the activities of the cyberspace \nforces.   [See page 14.]\n\n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             March 13, 2019\n\n=======================================================================\n      \n\n                   QUESTIONS SUBMITTED BY MR. LARSEN\n\n    Mr. Larsen. Given adversary exfiltration of sensitive data from the \nDIB: How can the Department of Defense work to promote cybersecurity \nwithin the DIB? What tools exist to require robust cybersecurity as \npart of the contracting process? How does the Department help the DIB \ndetect and report cyber incidents? What potential consequences exist \nfor a contractor that fails to practice robust cybersecurity?\n    Secretary Rapuano. The Department of Defense (DOD) promotes \ncybersecurity within the defense industrial base (DIB) through two \nprimary means: a voluntary information sharing program with DIB \nentities and through requirements directed by the Defense Federal \nAcquisition Regulation Supplement (DFARS).\n    <bullet>  Voluntary Information Sharing: DOD's DIB Cybersecurity \n(CS) Program enhances and supplements DIB participants' capabilities to \nsafeguard DOD information that resides on or transits DIB unclassified \nnetworks or information systems. Under the DIB CS Program, DOD and DIB \nparticipants share unclassified and classified cyber threat information \nto bolster public and private cybersecurity postures and receive \ntechnical assistance from the DOD Cyber Crime Center (DC3) including \nanalyst-to-analyst exchanges, mitigation and remediation strategies, \nand best practices.\n    <bullet>  Mandatory Reporting Requirements: DFARS 252.204-7012 \ndirects contractors to rapidly report cyber incidents to DOD when \nincidents are discovered that affect a covered contractor information \nsystem or the covered defense information residing therein, or that \naffects the contractor's ability to perform the requirements of the \ncontract that are designated as operationally critical support. When \ncontractors discover malicious software in connection with a reported \ncyber incident, that malicious software must be submitted to DC3.\n    <bullet>  Minimum Cybersecurity Standards: DFARS 252.204-7012 \nrequires contractors to safeguard covered defense information that \nresides on a contractor's internal unclassified information system by \nimplementing the security requirements in National Institute of \nStandards and Technology (NIST) Special Publication 800-171 \n``Protecting Controlled Unclassified Information in Nonfederal \nInformation Systems and Organizations.'' Contractors that fail to \nimplement DFARS 252.204-7012 requirements when applicable to contract \nperformance may be subject to contractual, administrative, and civil \nremedies by DOD.\n\n                                  [all]\n</pre></body></html>\n"