<html>
<title></title>
<body><pre>[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                         [H.A.S.C. No. 116-43]

              SECURING THE NATION'S INTERNET ARCHITECTURE

                               __________

                             JOINT HEARING

                               BEFORE THE

   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        MEETING JOINTLY WITH THE

                   SUBCOMMITTEE ON NATIONAL SECURITY

                                 OF THE

                   COMMITTEE ON OVERSIGHT AND REFORM

                          [Serial No. 116-57]

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD

                           SEPTEMBER 10, 2019

                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
40-505 PDF                  WASHINGTON : 2020

--------------------------------------------------------------------------------------


                      COMMITTEE ON ARMED SERVICES
   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES

               JAMES R. LANGEVIN, Rhode Island, Chairman

RICK LARSEN, Washington              ELISE M. STEFANIK, New York
JIM COOPER, Tennessee                SAM GRAVES, Missouri
TULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana
ANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas
RO KHANNA, California                AUSTIN SCOTT, Georgia
WILLIAM R. KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee
ANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin
CHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida
JASON CROW, Colorado, Vice Chair     DON BACON, Nebraska
ELISSA SLOTKIN, Michigan             JIM BANKS, Indiana
LORI TRAHAN, Massachusetts
                Josh Stiefel, Professional Staff Member
                Peter Villano, Professional Staff Member
                         Caroline Kehrli, Clerk

                                 ------

                   COMMITTEE ON OVERSIGHT AND REFORM
                   SUBCOMMITTEE ON NATIONAL SECURITY

               STEPHEN F. LYNCH, Massachusetts, Chairman

JIM COOPER, Tennessee                JODY B. HICE, Georgia, Ranking
PETER WELCH, Vermont                     Minority Member
HARLEY ROUDA, California             PAUL A. GOSAR, Arizona
DEBBIE WASSERMAN SCHULTZ, Florida    VIRGINIA FOXX, North Carolina
ROBIN L. KELLY, Illinois             MARK MEADOWS, North Carolina
MARK DeSAULNIER, California          MICHAEL CLOUD, Texas
STACEY E. PLASKETT, Virgin Islands   MARK E. GREEN, Tennessee
BRENDA L. LAWRENCE, Michigan         CLAY HIGGINS, Louisiana
    Dave Rapallo, Staff Director, Committee on Oversight and Reform
     Dan Rebnord, Staff Director, Subcommittee on National Security
                          Amy Stratton, Clerk

                            C O N T E N T S

                              ----------

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Hice, Hon. Jody B., a Representative from Georgia, Ranking
  Member, Subcommittee on National Security, Committee on
  Oversight and Reform
Langevin, Hon. James R., a Representative from Rhode Island,
  Chairman, Subcommittee on Intelligence and Emerging Threats and
  Capabilities, Committee on Armed Services
Lynch, Hon. Stephen F., a Representative from Massachusetts,
  Chairman, Subcommittee on National Security, Committee on
  Oversight and Reform
Stefanik, Hon. Elise M., a Representative from New York, Ranking
  Member, Subcommittee on Intelligence and Emerging Threats and
  Capabilities, Committee on Armed Services

                               WITNESSES

Manfra, Jeanette, Assistant Director for Cybersecurity,
  Cybersecurity and Infrastructure Security Agency, U.S.
  Department of Homeland Security
Rinaldo, Diane, Acting Assistant Secretary for Communications and
  Information, and Administrator, National Telecommunications and
  Information Administration, U.S. Department of Commerce
Wilson, B. Edwin, Deputy Assistant Secretary of Defense for Cyber
  Policy, Office of the Under Secretary of Defense for Policy,
  U.S. Department of Defense

                                APPENDIX

Prepared Statements:

    Langevin, Hon. James R.
    Manfra, Jeanette
    Rinaldo, Diane
    Wilson, B. Edwin

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Waltz

Questions Submitted by Members Post Hearing:

    Ms. Houlahan
    Mr. Kim
    Ms. Stefanik


              SECURING THE NATION'S INTERNET ARCHITECTURE

                              ----------

        House of Representatives, Committee on Armed
            Services, Subcommittee on Intelligence and
            Emerging Threats and Capabilities, Meeting
            Jointly with the Committee on Oversight and
            Reform, Subcommittee on National Security,
            Washington, DC, Tuesday, September 10, 2019.

    The subcommittees met, pursuant to call, at 2:01 p.m., in
room 2118, Rayburn House Office Building, Hon. James R.
Langevin (chairman of the Subcommittee on Intelligence and
Emerging Threats and Capabilities) presiding.

 OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE
 FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND
 EMERGING THREATS AND CAPABILITIES, COMMITTEE ON ARMED SERVICES

    Mr. Langevin. The subcommittee will come to order.
    So, good afternoon, everyone. I am pleased to welcome
everyone here today to the joint hearing with the Committee on
Oversight and Reform Subcommittee on National Security about
the security of the Nation's internet architecture.
I am
particularly thankful to my good friend Congressman Lynch from
Massachusetts, my neighbor in New England, and his staff for
working so diligently in making today possible, along with the
ranking members of both subcommittees.
    Today we are here to conduct what I believe is much-needed
oversight regarding the security of the internet's underlying
architecture, namely, the components, physical sites, and the
assets that are necessary for the internet to operate.
    Defending the United States assets in this global
telecommunications network requires a whole-of-government
approach, and I am concerned that the government is not
approaching the subject in a cohesive or comprehensive manner,
creating significant risk for the Nation.
    Both the Oversight subcommittee and the Armed Services
subcommittee are seeking a better understanding of the
policies, regulations, and guidelines and interagency
agreements that govern the protection of this critical
infrastructure. To the extent that there are gaps, we are also
interested in learning whether legislative solutions may be
needed.
    Most people think of the internet as the sites they visit,
the applications they use, and the emails they send. In other
words, the people's understanding of what the internet is, is
very much tied to how they engage with it. However, this leaves
out an entire architecture that enables the flow of information
around the world and into people's palms. This architecture
includes the high-capacity cables buried under the ground and
laid below the sea, the cable landing stations that connect the
cables from continent to continent, and the internet exchange
points, or IXPs, that serve as a clearinghouse for data between
internet service providers and content delivery networks. These
are all examples of physical sites and tangible items that are
required for the internet to operate effectively.
    While these physical sites are critical components of the
cyber landscape, they are generally viewed as distinct from the
network's protocols and software that are more familiar to
people's understanding of the internet. However, they are just
as important to internet operations. After all, unplugging a
network cable is just as effective as a denial-of-service
attack, maybe even more so.
    From the government's perspective, attacking the subject of
internet architecture security is difficult, due to the
departments' and agencies' overlapping jurisdictions,
responsibilities, and capabilities. And I am concerned that the
executive branch has fragmented internet architecture security
among multiple departments as opposed to conceptualizing the
internet as a single ecosystem with departments working
collaboratively.
    For example, the Department of Homeland Security serves as
the government lead for all critical infrastructure, and as the
sector-specific agency for the telecommunications sector.
Meanwhile, the Department of Commerce's National
Telecommunications and Information Administration, or NTIA, is
principally responsible for advising the President on
telecommunications and information policy issues, and develops
national policies on internet use and cybersecurity.
    Separately, the Department of Defense is broadly
responsible for defense of the Nation. Independent regulatory
agencies, like the Federal Communications Commission, also have
important responsibilities for ensuring security. To top it all
off, many of these exchange points are connected to
international providers.
    So I have no doubt that these agencies work together
broadly. However, I am very worried that by carving out
discrete lanes in the road, there are seams left unaddressed in
the middle, and I am concerned that internet architecture
security is one of those seam issues.
    Holistic internet architecture security has been generally
neglected, I believe, with organizations remaining firmly in
their lanes rather than approaching the problem collectively.
So, for example, the Department of Homeland Security serves as
the government lead for--so, in any event, separately, the
Department of Defense--and DOD [Department of Defense] is
broadly responsible for defense of the Nation.
    Our Nation's newest cybersecurity organization, the
Cybersecurity and Infrastructure Security Agency, has
recognized the inherent challenges in using the critical sector
framework, particularly with respect to interdependencies
between sectors.
    The National Risk Management Center's National Critical
Functions Set explicitly recognizes internet architecture
functions, such as ``Operate Core Network'' and ``Provide
Internet Routing, Access, and Connection Services.'' I am
hopeful that this new framing will help stimulate more cross-
agency and cross-sector discussion, interaction, and policy
development.
    So the purpose of today's hearing is to better understand
how the interagency is approaching internet architecture
security, including with respect to engagement with the private
sector. In particular, I will be interested in hearing from the
witnesses how their agencies deal with the fact that internet
architecture security is not purely a cyber problem and it is
not a purely physical problem. In order to effectively reduce
our risks, DOD will have to engage actively and eagerly non-
security-centric agencies such as NTIA and regulatory bodies
such as the Federal Communications Commission, and vice versa.
    Our country's cyber experts will have to sit down with
specialists in physical security and electrical distribution
professionals, because at the end of the day, it won't matter
if these sites and systems are taken offline by cyberattack,
sabotage, or natural disaster.
    There is no greater sign of how cross-cutting this issue is
than the fact that the IETC [Intelligence and Emerging Threats
and Capabilities] Subcommittee is joined today by the Oversight
Committee's National Security Subcommittee. Even within the
House of Representatives, we are inclined to handle things
within caucuses or within committees; but in recognition of the
problem's scale, we are here today tackling this issue
together, because that is exactly what it will take at the end
of the day.
    So, with that, and before turning to the Ranking Member
Stefanik and then to Chairman Lynch and Ranking Member Hice,
let me take a minute just to introduce today's witnesses.
    Ms. Jeanette Manfra serves as the inaugural Assistant
Director for Cybersecurity with the Department of Homeland
Security's Cybersecurity and Infrastructure Security Agency
[CISA]. Ms. Manfra served as Assistant Secretary with the
Office of Cybersecurity Communications at CISA's predecessor
organization, the National Protection and Programs Directorate,
before assuming her current role. Ms. Manfra has held numerous
other roles within DHS [Department of Homeland Security], and
she has also served on the National Security Council staff.
Before joining DHS, Ms. Manfra served in the U.S. Army as a
communications specialist and as a military intelligence
officer. I have known Jeanette now for several years, and I
have great confidence in her and Director Krebs' leadership at
CISA.
    Joining us also today we have Deputy Assistant Secretary of
Defense for Cyber Policy, Mr. Ed Wilson. In his capacity as the
director of--in his capacity, he supports the Secretary of
Defense and other senior leaders by formulating, recommending,
integrating, and implementing policies and strategies to
improve DOD's ability to operate in cyberspace. Prior to this
duty, General Wilson retired from the United States Air Force
after serving on Active Duty for over 32 years, to include the
triple-hatted role of Commander, 24th Air Force; Commander, Air
Forces Cyber; and Commander, Joint Force Headquarters-Cyber.
Welcome, and General, thanks for your service.
    And finally, Ms. Diane Rinaldo is the Acting Assistant
Secretary for Communications and Information for the Department
of Commerce and the Administrator of the National
Telecommunications and Information Administration. Ms. Rinaldo
also serves as the Deputy Assistant Secretary for
Communications and Information. I have closely tracked several
of NTIA's cybersecurity initiatives, including on cybersecurity
vulnerabilities, disclosure and software component
transparency, and I appreciate her continued support in that
agency for multi-stakeholder processes to improve internet
security. I will also note that Ms. Rinaldo is a proud veteran
of the House Permanent Select Committee on Intelligence, where
she and I worked before, where she served as the lead committee
staffer on our information-sharing legislation, the
Cybersecurity Act of 2015.
    So I welcome all of our witnesses today. And, with that, I
want to turn to Ranking Member Stefanik for any comments that
she may have.
    [The prepared statement of Mr. Langevin can be found in the
Appendix on page 43.]

STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW
YORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING
     THREATS AND CAPABILITIES, COMMITTEE ON ARMED SERVICES

    Ms. Stefanik. Thank you, Jim. I want to start by thanking
both Chairman Langevin and Chairman Lynch for holding such an
important and cross-cutting hearing. I am also pleased to be
here with my fellow ranking member, Mr. Hice.
    We are fortunate that we are joined by such an excellent
interagency panel of witnesses to guide us today. Ms. Manfra,
it is great to see you again before this committee. When last
we spoke, it was regarding election security, and I am pleased
that today's hearing will span many of the other important
missions of your organization, the CISA.
    Ms. Rinaldo, given the important role that NTIA plays, we
are fortunate to have you here as well. And since, as the
chairman mentioned, you are a former professional staff member
from HPSCI [House Permanent Select Committee on Intelligence],
we can say welcome back to the House.
    And, Mr. Wilson, it is always great to see you back before
the subcommittee. We look forward to hearing how the Department
of Defense supports these agencies and our broader national
security objectives.
    As we look to further improve the security of our Nation's
internet architecture, we should remind ourselves of the
urgency of this task. First, the physical enormity of the topic
and related challenges are worth mentioning. The world's
internet architecture and, by extension, our domestic
infrastructure is highly integrated with varying levels of
resiliency and redundancy. In some cases, there are
international norms, although laws and policies often vary by
country and by sector.
There are many points of failure in this
physical internet, and it remains so contested and complex that
even risk managers lack full awareness on how to identify and
mitigate threats or weaknesses.
    Second, our own intelligence community provides sobering
assessments on adversarial use and exploitation of the
internet. The DNI [Director of National Intelligence], in the
most recent Worldwide Threat Assessment, has noted that, quote,
``Our adversaries and strategic competitors will increasingly
use cyber capabilities, including cyber espionage, attack, and
influence, to seek political, economic, and military advantage
over the United States and its allies and partners,'' end
quote.
    And the physical internet architecture we will talk about
today is the highway upon which these adversaries travel. So
what is crystal clear, going into today's hearing, is that our
adversaries understand our vulnerabilities and will not
hesitate to exploit these weaknesses to further their strategic
and economic objectives.
    We are no longer peerless and security is not assured. In
fact, we see these same adversaries, most notably China and
Russia, adapting to and learning from our own weaknesses by
building what amounts to their own state-controlled internet
architecture to monitor, control, and influence their own
populations. These very same controls will make it harder for
us to preserve and protect geopolitical, offensive, and
strategic options for our Nation and our economy.
    As I have said many times before, cyber threats from state
and non-state adversaries are real, pervasive, and growing.
They leverage and integrate cyber information and
communications technologies for geopolitical and economic gain
in a seamless way. Yet while these adversaries continue to use
the internet as a means to achieve strategic objectives, I
remain concerned that we as a Nation do not yet have a holistic
strategy in place to mitigate, deter, or oppose their advances.
This is particularly true regarding the security of our
physical internet architecture, the topic for today's timely
hearing.
    Although not the lead agency on this topic, I am pleased
that the Department of Defense is represented at the table
today, since they play such an important role in this area, not
the least of which may be providing expertise to other agencies
during sensitive national emergencies.
    We all know that DOD research played a central role in the
development of today's internet through the creation of ARPANET
[Advanced Research Projects Agency Network]. And today, the
Defense Advanced Research Projects Agency, or DARPA, continues
to advance our national security through projects related to
the resiliency of our Nation's internet architecture, and
various other sectors, such as the electrical grid, through
their Information Innovation Office.
    In the oversight we have conducted on the Armed Services
Committee, I feel confident saying that we have improved our
military cyberspace and information warfare capabilities, and
also improved our resilience in many areas. And while a great
deal of broader interagency cooperation and coordination has
taken place over the past few years, much work remains to
secure our Nation's internet architecture and related sectors,
to ensure we remain fast, agile, and resilient even during
times of crisis.
    And although today's panel is comprised of government
experts, we should not forget about the important role that the
private sector and defense innovation and industrial bases
play, so that we develop a truly whole-of-nation strategy to
understand and mitigate these vulnerabilities. Only then will
our Nation be prepared for the 21st century challenges we face.
    Our witnesses, again, are very well-qualified to help us
navigate these multidimensional problems, and I thank them for
being here today.
    Thank you, again, to the chairman. And, with that, I yield
back.
    Mr. Langevin. I thank the ranking member.
    And now, I would like to recognize and turn to my partner,
my colleague, the chairman of the Government Oversight and
Reform's Subcommittee on National Security, Mr. Lynch.

   STATEMENT OF HON. STEPHEN F. LYNCH, A REPRESENTATIVE FROM
  MASSACHUSETTS, CHAIRMAN, SUBCOMMITTEE ON NATIONAL SECURITY,
               COMMITTEE ON OVERSIGHT AND REFORM

    Mr. Lynch. Thank you very much, Mr. Chairman.
    Good afternoon to our distinguished panel of witnesses.
Thank you for your willingness to help the subcommittees with
our work.
    Before I begin, I would like to first personally thank my
good friend Chairman Jim Langevin and his staff, as well as
Ranking Members Stefanik and Hice and their staff, for their
cooperation and willingness to collaborate with us on this very
important hearing.
    Mr. Langevin, in particular, has been a strong and longtime
advocate for improving the infrastructure of our country in
this measure, and ensuring that necessary cybersecurity
safeguards are in place to protect the United States against
the multitude of threats that we face each and every day. He
has made this issue a priority and it is one that I share, as
chairman of the House Oversight Subcommittee on National
Security.
    Today's hearing will examine how Federal departments and
agencies work together to protect the critical architecture
upon which U.S. internet and telecommunications systems depend.
By working together on the issue, we hope that our
subcommittees will better understand and be better positioned
to identify and fill gaps and vulnerabilities across the
various Federal agencies and private sector for the purpose of
protecting our Nation's internet infrastructure.
    Uninterrupted and secure access to the internet is critical
to daily life in the 21st century. Our constituents rely on the
internet to search for jobs, access bank accounts, read the
news, and communicate with family. Companies in every industry,
from Midwest manufacturers to the financial sector in New York,
need the internet to participate in the national and
international economy. The U.S. military requires reliable and
secure access to the internet to conduct overseas operations,
and it is also tasked with protecting our networks from cyber
intrusions by foreign actors.
    Improving secure and reliable access to the internet is
also vital to economic development and promoting livelihoods in
less-developed countries or areas. In fact, our committee, I
just came back from last weekend, in a congressional delegation
to Jakarta, where I met with young entrepreneurs from the
Indonesian financial technology sector, who all highlighted the
need and importance of expanding internet connectivity across
Indonesia, more than 7,000 islands, to bring additional
customers into the digital financial market, and to bank the
unbanked.
    Given our growing dependence on the internet, even
temporary disruptions, regardless of whether they are
intentional or accidental, can have serious and cascading
effects across industries and among our Nation's critical
infrastructure sectors. Yet no single U.S. Government entity is
responsible for securing the internet and its underlying
architecture. Instead, we have multiple departments and
agencies, which have various jurisdictional roles, including
the Department of Homeland Security, the Department of Defense,
the Department of Commerce, from which we are fortunate to have
representatives before us today, in addition to the White
House, the Department of Energy, the Department of Justice, the
Federal Communications Commission, which all have a role to
play in securing this infrastructure.
    Adding to the complexity of this task is the fact that the
physical components of our Nation's telecommunications
infrastructure, such as fiberoptic cables and data centers and
internet exchange points, are largely owned by the private
sector. This means that coordination and communication within
the Federal Government, and across the public and private
sectors, are all crucial to the internet security.
    The challenge we therefore face is that when everyone is in
charge, then nobody is in charge. And while internet activity
appears to move seamlessly across digital pathways, this
movement is cemented in real physical architecture and
infrastructure. The security, which has often been taken for
granted, in physical fiber cables buried under our streets and
under international waters, carries this traffic from point A
to point B. Data centers and internet exchange points serve to
store and transfer this traffic from network to network.
    All of these physical assets can be damaged by natural
disasters, human-caused accidents, or intentional attacks by
sophisticated malign actors. As Ranking Member Stefanik has
noted and as former Director of National Intelligence Dan Coats
highlighted in his 2019 Worldwide Threat Assessment, we know
that our adversaries are already probing U.S. electric utility
grids, election systems, pipelines, and financial networks for
any signs of weakness.
China, Russia, Iran, and North Korea are
all increasingly using cyber operations to steal data,
disseminate misinformation, and I quote, ``to disrupt critical
infrastructure,'' close quote.
    Russia, Director Coats said, and I quote, ``is mapping out
critical infrastructure with the long-term goal of being able
to cause substantial damage,'' close quote. Multiple open
source reports in recent years have also noted increased
foreign military activity around undersea data cables, raising
concerns that hostile actors could be looking for ways to
interfere with this critical infrastructure.
    To our witnesses, I realize that some of today's questions
may drift into topics not suitable for an unclassified hearing.
With that in mind, I just ask that you do your best to answer
members' questions as candidly as possible, but you should not
disclose any classified or sensitive security information.
Instead, please let us know that you would prefer not to
respond for national security reasons in an unclassified
setting, and we can move on to the next question. We will,
however, reserve the right to request that that information be
disclosed in a more appropriate setting at a later date.
    So, Mr. Chairman, I want to thank you, again, for your
courtesy in holding this important hearing with me, and with
that, I yield back.
    Mr. Langevin. Thank you, Chairman Lynch. And I appreciate
your dedication to national security issues. It has been great
partnering with you on this topic and look forward to others as
well.
    With that, I would like to recognize Ranking Member Hice
for comments.

STATEMENT OF HON. JODY B. HICE, A REPRESENTATIVE FROM GEORGIA,
RANKING MEMBER, SUBCOMMITTEE ON NATIONAL SECURITY, COMMITTEE ON
                      OVERSIGHT AND REFORM

    Mr. Hice. Thank you very much, Mr. Chairman, and I would
like to thank you and Ranking Member Stefanik for hosting this.
And always an honor to work with Chairman Lynch. We appreciate
you having us here today, as members of the Subcommittee on
National Security as part of the Committee on Oversight and
Reform. We appreciate you having us here, and for having this
important hearing.
    You know, I sometimes have been, with this hearing,
somewhat struck by the reactions of different people to this
topic. Some may look at this as not among the most flashy
topics, but it has got to be among the most important. And more
and more, whether we realize it or not, our lives are happening
on the internet. Whether it be in commerce or energy or health
care or national security, our lives are impacted greatly by
the topic and the discussion today. And that is why it is
imperative for us to be able to come together and to have a
heart-to-heart, honest, open discussion as to what is involved
in keeping our Nation's infrastructure safe and secure.
    And so I want to sincerely say thank you to each of our
witnesses for your role and for you being a part of this
hearing today, and I look forward to hearing how you are
engaging the various stakeholders, whether they be in
government or in the private sector. I want to personally
better understand how we are taking a whole-of-government
approach to this issue, and if we are not, then I want us to
talk about how we get there.
    I am also curious to know how each of your components are
working together. And there are a lot of seats, if you will, at
the internet architecture table, if we can put it that way. And
if there are too many seats, we need to know about that; if
there need to be fewer seats, we need to know about that.
    The internet, for a lot of people, is an unknown territory,
but for those of us here in Congress, this is certainly an area
that we need to dig deeper into, and make sure that we are
secure. And, you know, this is not something that we can say
this is in the future. This is where we are currently living.
And so, we have got to address this straight up. And so, I
deeply thank you for being here. I look forward to our
discussion today.
    And, again, many thanks to you, Mr. Chairman. And with
that, I yield back.
    Mr. Langevin. Thank you, Ranking Member Hice.
    With that, the chair now recognizes Ms. Manfra, Director
Manfra, for her opening statement for 5 minutes. Ms. Manfra,
the floor is yours.

     STATEMENT OF JEANETTE MANFRA, ASSISTANT DIRECTOR FOR
   CYBERSECURITY, CYBERSECURITY AND INFRASTRUCTURE SECURITY
          AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Manfra. Thank you, sir. Chairman Langevin, Chairman
Lynch, Ranking Member Stefanik, Ranking Member Hice, and
members of the subcommittees, thank you for today's opportunity
to discuss this very important issue around securing our
Nation's internet architecture, and, specifically, our role,
the Cybersecurity and Infrastructure Security Agency, or CISA,
role in securing that.
    Safeguarding and securing cyberspace has long been a core
Homeland Security mission. In today's globally interconnected
world, our critical infrastructure and American way of life
face a wide array of serious risks. Nation-state adversaries
and competitors seek to advance their objectives through
various hybrid tactics, including subtle actions that
significantly weaken the foundations of U.S. power, degrade
society's functions, and increase adversaries' ability to hold
our critical infrastructure at risk.
    As network devices further weave into our lives and
businesses, their vulnerabilities provide additional attack
vectors. Global supply chains introduce risks of malicious
activity in software and hardware. Many of these risks are
complex and dispersed geographically and across stakeholders.
    To meet this urgent national security need, Congress
established CISA last year. CISA is the Nation's risk adviser,
and we are uniquely positioned to serve this role. By statute,
and at the President's direction, we lead the Nation's risk
management efforts by bringing together diverse stakeholders to
collaboratively identify risks, prioritize them, develop
solutions, and drive those solutions, to ensure the stability
of our most crucial systems.
    An important note is that we don't just think about threat
or vulnerability or consequence; we think about them all
together and how they interact in order to establish risk. And
so, we try to understand things, how could an adversary
actually accomplish something, can they have an actual
consequence. So when I talk about risk management, that is how
we frame it.
    So, as the Nation's risk adviser, we must also unify two
strategic goals across all of our mission space. We must
simultaneously mobilize strong public-private partnerships to
defend against the most urgent threats and hazards, while not
losing sight of the need to build a more secure tomorrow. Our
foremost responsibility is to safeguard the American people,
and we prioritize our efforts at all levels to focus on the
greatest risks facing the homeland. In order to successfully
accomplish this, we must be able to understand and manage this
risk holistically. And, again, that means we must understand
both threat and vulnerability and the consequence, and we must
also understand how that manifests across the country.
    This is why we established the National Risk Management
Center. CISA, while often referred to as a cyber agency, is
more than just cyber. In fact, we have a long history in
thinking about infrastructure security holistically, both
against natural and man-made hazards. By establishing the
National Risk Management Center within CISA, this brings
together all our different disciplines to better understand
what is the risk to the Nation as a whole.
    Our first important step was to reframe the conversation.
Instead of thinking about industry-specific activities, but to
think about cross-cutting functions, because in the end,
adversaries are interested in causing consequences to the
functioning of our society, or holding those at risk.
Therefore, we worked across multiple sectors of the economy and
government partners to establish the first set of national
critical functions in early April of this year. These national
critical functions support the operations of nearly all
businesses, public safety organizations, and government, and
are so vital that their disruption, corruption, or dysfunction
would have a debilitating effect on our Nation.
    The global internet architecture includes an array of
components that enable these national critical functions. Going
forward, we will prioritize our efforts and resources, both
within CISA and across the government, to ensure we are
reducing risk to these functions and bringing the full power of
the U.S. Government to bear to do so.
    At CISA, our vision is to fully realize this national
effort that I just described. This means breaking down the old
organizational and institutional divides that impede our
ability to provide for our collective defense in cyberspace.
Our adversaries are targeting systems that are across sector,
and the growing interdependencies demand an integrated
approach.
To achieve this integrated approach, we are working \nand we will continue to work with numerous stakeholders, \nincluding my colleagues joining me today.\n    Specifically, we have been working with the National \nTelecommunications and Information Administration, or NTIA, for \nmany years on multiple internet governance issues from Domain \nName System, or DNS, issues to participating in our multi-\nstakeholder process to publish a report on botnets.\n    We also have expanded our partnership with DOD. Almost a \nyear ago, DHS and DOD finalized an agreement which reflects the \ncommitment of both departments to this important issue. This \nagreement clarifies roles and responsibilities to enhance U.S. \nGovernment readiness to respond to cyber threats, and \nestablishes coordinated lines of efforts to secure, protect, \nand defend the homeland.\n    Today's national security challenges require innovation in \ngovernment as well as in the economy and throughout the world, \nand I am proud to be working with two partners who share that \ndesire for innovation and partnership.\n    The heart of CISA's purpose is to mobilize a collective \ndefense of our Nation's critical infrastructure, and we cannot \ndo this alone. My colleagues on this panel represent some of \nthose critical partnerships in order to achieve this goal.\n    Tomorrow is the anniversary of the September 11th attacks \non our country. As we learned from that event 18 years ago, \ninformation and Federal operations must not be siloed. We see \nthese same lessons amplified and complicated by the global, \nborderless, interconnected nature of cyberspace, where \nstrategic threats can manifest in the homeland without advance \nwarning.\n    I thank you again for starting this important conversation \nand holding this hearing, and I look forward to further \ndiscussing our efforts. Thank you, and I look forward to your \nquestions.\n    [The prepared statement of Ms. 
Manfra can be found in the \nAppendix on page 46.]\n    Mr. Langevin. Thank you, Director Manfra.\n    Administrator Rinaldo, you are recognized next.\n\n  STATEMENT OF DIANE RINALDO, ACTING ASSISTANT SECRETARY FOR \n  COMMUNICATIONS AND INFORMATION, AND ADMINISTRATOR, NATIONAL \n    TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION, U.S. \n                     DEPARTMENT OF COMMERCE\n\n    Ms. Rinaldo. Chairman Langevin, Chairman Lynch, Ranking \nMember Stefanik, Ranking Member Hice, and members of the \ncommittee, thank you for the opportunity to testify today on \nthe role of the U.S. Government in securing the Nation's \ninternet architecture.\n    The National Telecommunications and Information \nAdministration in the Department of Commerce is responsible for \nadvising the President on telecommunications and information. \nNTIA collaborates with other Commerce bureaus and executive \nbranch agencies to advocate for domestic and international \npolicies that preserve the open internet and advance the key \nU.S. interests.\n    NTIA is involved in a host of policy issues that affect the \nsecurity of critical elements of our Nation's \ntelecommunications infrastructure. Our support includes working \nwith our interagency partners to enhance the security of our \nNation's telecommunications supply chain. We are supporting the \nSecretary of Commerce on the implementation of the Executive \norder on securing the information and communications technology \nand services supply chain.\n    NTIA is the lead executive branch expert agency on issues \nrelating to the Domain Name System, a critical component of the \ninternet architecture. The DNS functions similar to an address \nbook for the internet by allowing users to identify websites, \nmail servers, and other internet destination using easy-to-\nunderstand names.\n    NTIA supports a multi-stakeholder approach to the \ncoordination of the DNS to ensure long-term viability of the \ninternet. 
NTIA collaborates across the government on numerous \nefforts related to the security of the Nation's internet \narchitecture.\n    We have been working closely with the National Security \nCouncil and the interagency colleagues on implementing the \nNational Cyber Strategy. In that effort, we share our \nactivities across the interagency and look for synergies to \nmaximize the impact of the strategy. NTIA will continue to \nparticipate in these efforts.\n    One significant example of NTIA's contribution to the \nprotection of the internet infrastructure is our work with NIST \n[National Institute of Standards and Technology] and DHS on the \nBotnet Report, delivered to the President in May of 2018. \nBotnet attacks can have large and damaging effects, and they \nput the broader network at risk.\n    Botnets now capitalize on the sheer number of Internet of \nThings connections and devices. We have seen attacks that have \ntopped a terabyte per second. Dealing with an attack of this \nmagnitude can take time, which is a major concern when dealing \nwith critical infrastructure.\n    The Botnet Report outlines a positive vision for the \nfuture, cemented by six principal themes and five complementary \ngoals that would improve the resilience of the internet \necosystem. The Departments of Commerce and Homeland Security \ndeveloped the report through an open and transparent process \nfor the specific purpose of identifying stakeholder actions as \nopposed to government regulation.\n    We are tracking progress through a document known as the \nBotnet Road Map. More than half of the identified tasks are \nalready in progress or completed. At the end of this year, the \nDepartments of Commerce and Homeland will provide a status \nupdate to the President that reviews progress, tracks the \nimpact of the road map, and sets further priorities.\n    NTIA's cybersecurity multi-stakeholder processes also \ncontribute to the security of the Nation's internet \narchitecture. 
Most recently, we have been working on a software \ncomponent bill of materials. Most modern software is not \nwritten completely from scratch, but includes existing \ncomponents from the open source and commercial software world, \nwhich can be challenging to track. Our ultimate objective is to \nfoster a more resilient ecosystem through industry-led, market-\nbased cybersecurity solutions.\n    Over the past three decades, the internet has been \ntransformational for the American economy. America's \nestablished leadership in technology has resulted in millions \nof jobs and remarkable prosperity. Because of this, we must \nwork harder than ever to ensure that the infrastructure \nsupporting the internet is secure. NTIA is committed to \ncoordinating across the Federal Government and engaging with \nthe private sector to ensure the United States can continue to \nharness the economic benefits of this vital part of the economy \nfor American businesses and for American workers.\n    Thank you for this opportunity to testify, and I look \nforward to your questions.\n    [The prepared statement of Ms. Rinaldo can be found in the \nAppendix on page 54.]\n    Mr. Langevin. Thank you, Ms. Rinaldo.\n    Mr. Wilson, you are now recognized for 5 minutes.\n\n  STATEMENT OF B. EDWIN WILSON, DEPUTY ASSISTANT SECRETARY OF \n  DEFENSE FOR CYBER POLICY, OFFICE OF THE UNDER SECRETARY OF \n         DEFENSE FOR POLICY, U.S. DEPARTMENT OF DEFENSE\n\n    Mr. Wilson. Chairman Langevin, Chairwoman Stefanik, Ranking \nMember Hice, and Ranking Member Stefanik, my apologies, \nChairman Lynch, and the members of the subcommittee, thank you \nfor the opportunity to testify before you today.\n    Mr. Langevin. Can you pull the mic a little closer to you, \nGeneral?\n    Mr. Wilson. Absolutely. Is that better, sir?\n    Mr. Lynch. You might want to turn it on.\n    Mr. Langevin. Is it on?\n    Mr. Wilson. I have got a green light. 
My apologies.\n    Chairman Langevin, Chairman Lynch, Ranking Member Stefanik, \nRanking Member Hice, it is really an honor to be here before \nyou and the subcommittee members. It is good to be back in this \nChamber, as well, testifying again. I look forward to \ndiscussing the role of the U.S. Government in securing the \nNation's internet architecture alongside my counterparts from \nthe Department of Homeland Security and Department of Commerce. \nIt is a critically important topic. We understand the sense of \nurgency behind this.\n    First, on behalf of Secretary Esper, thank you for the \ntremendous support that Congress has given the Department of \nDefense in our effort to improve our overall defense posture \nrelated to cyber threats. We have made significant progress, \nbut with your support we continue to make significant progress \nto deter, disrupt, and defeat strategic malicious cyber threats \ndirected at our national interests. Despite this progress, we \nunderstand there is much more that needs to be done. And, with \nthat, we have been very, very focused on the progress ahead.\n    As the 2018 National Defense Strategy and the 2018 DOD \nCyber Strategy make clear, the U.S. homeland is no longer a \nsanctuary from cyber threats. Our strategic competitors, such \nas China and Russia, are conducting persistent cyber-enabled \ncampaigns to erode U.S. military advantage, threaten our \nNation's critical infrastructure, and reduce our economic \nprosperity, which includes threats to our telecommunications \nand information technology sectors.\n    These campaigns are being conducted below the threshold of \narmed conflict, but collectively pose long-term strategic risk \nto the Nation, our allies, and our partners. In response, the \nDepartment adopted a proactive posture to compete with and \ncounter determined and rapidly maturing cyber adversaries. Our \nobjective is to prevent or mitigate significant threats before \nthey reach U.S. soil. 
We refer to this strategy as defending \nforward. It is the core of our DOD Cyber Strategy.\n    This approach is focused on enabling our interagency, \nindustry, and international partners to strengthen their \nresilience, close vulnerabilities, and defend critical networks \nand systems, while simultaneously imposing costs on adversary \nmalicious cyber actors when called upon. Towards this end, the \nDepartment is continually working with our partners, both \ndomestically and internationally, to strengthen the resilience \nof networks and systems that contribute to current and future \nmilitary advantages.\n    The Department previously focused its defensive efforts \nalmost exclusively on military platforms, systems, and \nnetworks. However, the evolving cyber threat [and] increasingly \nproactive activities of key competitors have demonstrated \nvulnerabilities that extend beyond our DOD systems and \nnetworks. The vulnerability of critical infrastructure to \ncyberattacks means that adversaries could disrupt military \ncommand and control, banking and financial operations, the \ntransportation sector, the energy sector, various means of \ncommunication, and a variety of other sectors. As a result, \nsupporting U.S. Government efforts in securing and defending \nthe Nation's critical infrastructure is a key priority under \nour DOD Cyber Strategy.\n    Partnerships are an essential element of our National \nDefense Strategy. We understand that our interagency, \ninternational, and industry partners are vital to ensuring that \nDOD can operate and project power in a contested cyber \nenvironment. DOD's role in defending the homeland is outwardly \nfocused, like it is in any other domain of operations, focused \non strategic threats and supports our interagency partners, \nincluding the Department of Homeland Security and the other \nsector-specific agencies.\n    The U.S. 
Government has a limited and specific role to play \nin defending against attacks on our Nation's internet \narchitecture, including through our trusted relationships with \nindustry. As we all recognize, security was not a primary \nconsideration when the internet was designed and fielded. \nAlthough computers and network technologies underpin U.S. \nmilitary warfighting superiority by enabling the joint force to \ngain the information advantage, strike at long distances, and \nexercise global command and control, the private sector was and \noperates now well over 90 percent of the interdependent \nnetworks of information technology infrastructure across the \ncyberspace domain. At the same time, the Nation's \ntelecommunications infrastructure is primarily owned by \ncommercial entities.\n    Our adversaries target our Nation's weakest links, and \nvulnerabilities are consistently found across the full scope of \nthe internet ecosystem, be it government or industry.\n    The Department, which views the challenges it faces in \nperformance of its critical missions principally through a \nnational security lens, is nonetheless highly dependent on \nprivately owned infrastructure, decisions concerning which are \nregularly guided by ordinary business or economic \nconsiderations. 
Recognizing this inherent tension, defending \nnational critical infrastructure, including the Nation's \ninternet architecture, from significant foreign malicious cyber \nactivity has become an area of interest and emphasis for the \nDepartment.\n    A large-scale disruption or degradation of national \ncritical infrastructure would constitute a national security \nconcern, as would threats to the DOD critical technology \ninformation, other controlled unclassified information, \nprocesses stored on non-DOD-owned systems and networks, which \ndemands a close cooperation alongside our partners.\n    This reinvigorated partnership alongside the FBI [Federal \nBureau of Investigation], intelligence community, was \ninstrumental to the whole-of-government efforts to protect and \ndefend the 2018 U.S. midterm elections from foreign \ninterference. We continue to leverage the lessons from this \nexperience and these activities to help shape and further \nimprove how we secure 2020 elections and other ongoing efforts \nrelated to protecting and defending the Nation's critical \ninfrastructure.\n    Again, thank you for the opportunity to appear before you \ntoday and for the continued support you and your staffs provide \nas we address these challenges. I look forward to your \nquestions.\n    [The prepared statement of Mr. Wilson can be found in the \nAppendix on page 61.]\n    Mr. Langevin. Thank you, Mr. Wilson.\n    We are going to go and do questions at this point. Members \nare recognized for 5 minutes. Before we go to that, though, I \njust want to mention that we are expecting votes in just a few \nminutes, so we will get through as many of the questions as \npossible. 
So if we can all stick to as close to 5 minutes in \nquestions and answers, that will move things along.\n    So, with that, I want to begin for all of our witnesses the \nquestion: What role does the National Security Council and the \nWhite House play in facilitating and coordinating amongst all \nthe Federal agencies, and can you describe efforts led by the \nWhite House to address internet architecture security? Ms. \nManfra, if we could start with you.\n    Ms. Manfra. Thank you for the question, sir. Well, the \nNational Security Council, as a policy coordination body, \nfocuses on, from the cyber perspective, but also on the \nresilience side, areas that we need to either identify or \nimplement policies as an interagency body.\n    They coordinated the National Cyber Strategy, which was \nreleased some time ago. And in focusing specifically on, as an \nexample, things like the DNS ecosystem, supply chain for our \nICT [information and communication technologies] ecosystem, and \nas well as other threats that may come up, coordinating both \nthe policy and any kind of response that we may need to do, \neither urgently or in the long term.\n    Mr. Langevin. Ms. Rinaldo or Mr. Wilson, can you comment on \nany aspects of interactions with the White House on \ncoordination?\n    Ms. Rinaldo. Yes. As Ms. Manfra said, the White House \nroutinely convenes meetings to bring us together to talk about \nissues as the cyber strategy, supply chain, as well as other \nissues that come up, as needed. It is an opportunity to bring \nnot only my two fellow witnesses to the table, as well as other \nparts of the government that may have equities in these \nprocesses as well.\n    So they are fairly routine, and with the cyber strategy we \nhave due out, so we regularly meet to see where we are on the \nprocess of implementing that.\n    Mr. Langevin. Thank you.\n    Mr. Wilson.\n    Mr. Wilson. 
And I would just add, in the series of sessions \nthat we do do across the interagency led by the NSC [National \nSecurity Council] team----\n    Mr. Langevin. Can you pull that microphone a little closer?\n    Mr. Wilson. Can do. I am going to put on my command voice \nand project, if that is okay then. My apologies.\n    As we do, we look at a lot at the threat, we bring in \nespecially the intelligence community to understand the threat, \nas well as a series of functional reviews that we do with \nrecommendations that follow. And that could be the report that \nwas referenced earlier about the botnet. It could be work that \nis going on regarding ransomware across the interagency.\n    Sometimes it will start domestically, but then we will \nbring in a larger team if we see some initial work at the \ndirection of the NSC team. And so, depending on the topic, \nthere is usually a series, but many times, we are organized to \nbe able to address specific threats and understand that threat \nso that we have the right actions.\n    Mr. Langevin. Ms. Manfra, what is the role of law \nenforcement agencies, such as the FBI and CISA's own Federal \nProtective Service [FPS], in protective or defensive functions \nsuch as hardening cable landing stations and IXPs that are \nowned and operated by the private sector?\n    Ms. Manfra. Sir, we have a very close partnership with the \nFBI in particular, specifically on some of these issues. 
The \nFBI is able to kind of cross both on the intelligence side as \nwell as law enforcement authority, both to take actions, you \nknow, legal actions, if needed, through the justice process \nagainst those who may not be following legal laws related to \nhow they are deploying their systems as well as conducting \ninvestigations that we may be gathering from intelligence \nsources, so working domestically to further investigation to \ndetermine is there an issue.\n    Other law enforcement entities are not as involved on the \ninternet architecture issue itself, though they have the \nability to collect information, or if they have a related case, \nto share that information.\n    FPS is primarily focused on physical protection of \ngovernment buildings, and we have worked with them on ensuring \nthat building owners are thinking holistically about cyber and \nphysical threats to their buildings, but not particularly \nrelevant, probably, to the internet architecture conversation.\n    Mr. Langevin. I think that is--again, the whole purpose of \nthis hearing is so we get a better understanding of what we \nneed to continue to focus on, in terms of hardening these \nsites.\n    Let me just----\n    Mr. Wilson. Chairman Langevin, if I could maybe just add \non, the DOD has a very active role alongside DHS as well, both \ndomestically and internationally. 
And so we work with industry \npartners, but domestically, especially with DHS, to understand \nwhat information flows are moving through, so from a command \nand control perspective or communications flow to our forces to \ndo assessments, and to understand that we have enough capacity \nand diversity of undersea cable, you know, capability to be \nable to execute our DOD missions.\n    To go into more detail, I probably need to go into a \nclassified session, but just to make you aware that we have a \nvery active relationship alongside our interagency partners, \nvery tied to our mission and execution of the DOD missions \naround the world. So it is more of an international \nperspective.\n    Mr. Langevin. Thank you.\n    I believe my time is expired, so I am going to stop there. \nWe are going to have some follow-up questions I would like to \nsubmit for the record, and I ask you to respond to those. And, \nwith that, I believe votes have been called.\n    I am going to yield to Ranking Member Stefanik and, \nhopefully, we can get through her questions.\n    Ms. Stefanik. Great.\n    Given the complexities of the ecosystem that we are talking \nabout today, I want to focus on supply chain security and \nintegrity, which many of you referenced in your opening \nstatement. I would like to understand in more detail, given how \ncomplex the global telecommunications supply chain already is, \ncombined with emerging technologies like 5G, Internet of \nThings, even cloud computing, how are you specifically \nimproving our supply chain security? Ms. Rinaldo, I will start \nwith you. That is question one.\n    The second one is, are there any specific technologies you \nare more concerned about than others in securing our supply \nchain; and specifically, what collaboration needs to happen \nwith industry and the private sector? So, Ms. Rinaldo, I will \nstart with you.\n    Ms. Rinaldo. Great, thank you. 
As you may know, on May 15th \nof this year, the President issued Executive Order 13873, \nsecuring the information and communications technology and \nservices supply chain, which gives the Secretary of Commerce \nIEEPA [International Emergency Economic Powers Act] authority, \nemergency powers to act on national security concerns with the \nimplementation of infrastructure into our telecommunications \nnetworks.\n    This is something that NTIA is working with the Secretary's \noffice on. We are currently developing the interim-final rule \nof the regulations on how this process will work out. We \nbelieve that we are on track to have that delivered to the \nPresident the middle of October.\n    But as well, through our multi-stakeholder processes, which \nwe are probably most known for, is an opportunity for us to \nmeet with technologists, policy makers, academia, civil society \nto talk about these important issues. The thing that I really \nlove about NTIA is that we are able to pull back to the 50,000-\nfoot level and look, and then hone in on certain issues and go \ndown and tackle certain concerns or issues. And this is the \nformat that we use.\n    So we talk about vulnerabilities. We are currently working \non the software bill of materials specific to supply chain. We \ndefinitely have concerns moving forward, especially as we move \nto fifth-generation technologies. And I think it really gives \nus an opportunity, as we talked about, is it, you know, baked \nin or bolted on, that it gives us the opportunity to bake in \nsecurity as we move forward.\n    Ms. Stefanik. Ms. Manfra.\n    Ms. Manfra. Yes, ma'am. I will just touch high level, and \nthen we can--always happy to come back and go in more depth. 
\nThere is a lot to talk about on supply chain.\n    As Diane noted, around the Executive order, that is a key \ncomponent of the administration's approach, we at CISA have \nalso stood up an ICT Supply Chain Task Force, which is mostly \nmade up of private sector, but also colleagues across the \ngovernment, to focus on what are the most important things that \nwe can actually make progress on, what are the tangible things \nwe can do. And they have been working along a few of those \nlines, particularly around procurement, government procurement, \nwhich, to segue into what we are doing for government \nprocurement, following up on the law that was passed last \nDecember around Federal acquisition security and supply chain \nchaired by Grant [Schneider], but an interagency body to look \nat how do we reform and modernize our Federal procurement \nsystem to ensure that we are taking mission risk, I will call \nit, into account when we are procuring and maintaining IT \n[information technology] products and services.\n    So those are some of the things that we are doing. Specific \ntechnology, I would say it is not necessarily a specific type \nof technology that is concerning. What we have, really, from a \nDHS perspective is we really think of it as a framework that \nstarted with our experience in Kaspersky, but that you have to \nreally look at where is this product or data being held, what \nare the laws of the country that mandate how that data or \nproducts are treated, but you also have to look at what is the \nlevel of access that that piece of software, or that piece of \nhardware, that somebody would be able to gain access to. And at \nvarious pieces of software, you have tremendous access into a \ncomputer.\n    So that, combined with a country's laws that we have \nconcern about that would compel access, those things together \nare what would cause us concern. 
So we are looking at a lot of
things and across the government is how do we understand things
like foreign ownership and controlling influence? How do we
understand what that means to risk? But looking at it through
that framework. And then, of course, what would always be the
consequence, that somebody who had that access and those laws,
is there any sort of significant consequence? So it is less
about the technology and more about the context that that
technology lives.
    Ms. Stefanik. My time is expired. Mr. Wilson, I will take
yours for the record since we have expired.
    I yield back.
    [The information referred to was not available at the time
of printing.]
    Mr. Langevin. I thank the ranking member. So votes have
been called. We are going to recess at this point. We will
return right after. There are three votes, so hopefully we will
get through those quickly and we will come right back, and then
Chairman Lynch will be up next for questions.
    The committee stands in recess.
    [Recess.]
    Mr. Langevin. The subcommittee will come to order. I will
next recognize the chairman of the Oversight and Reform
Committee, National Security, Mr. Lynch.
    Mr. Lynch. Thank you, Mr. Chairman. Again, I really
appreciate your willingness to come here and help us grapple
with these problems. Recently, I have had groups ask to meet
with me about the need for more funding from the government for
infrastructure security. And when you sort of look at the
landscape here, you know, you have Facebook and Apple and
Google and other private sector players that have a major role
here, and that have an intense investment, I think, in
maintaining security themselves.
    Do you think there is a significant role here to play in
funding the necessary improvements to our infrastructure on the
part of, you know, internet companies, including mobile banking
and others, much the same way that, you know, we have a gas tax
for the users of our roads and highways that goes into the
transportation trust fund and helps with an enormous part of
the funding for that infrastructure?
    Have you thought about this from a funding side in terms of
how we have to continually maintain the integrity of the
internet architecture, and in a way of doing that over the long
term? So I would offer it to the three of you, if you have
thought about this aspect of it. Ms. Manfra.
    Ms. Manfra. Yes, sir, I can start. Yes, the funding
question is something we grapple with in a lot of areas. I will
say, when you are talking about those companies that provide
the internet architecture, the ecosystem that we are talking
about, as you noted, they have a lot of economic incentives to
have a secure and reliable infrastructure. So I don't know that
we have considered sort of funding those organizations. They
are also doing very well, as I understand it, and have a fair
amount of funding. There are other elements when you get into
State and local organizations and others that I think is a
separate conversation.
    I will say when we think about how the government could
provide resources in this space in either complementing private
sector investment or driving change, it would be in the area of
standards and research and development. In how do we think
about--what sort of--there are some standards bodies, there
could potentially be new standards bodies, or existing ones
that evolve, to think about things like 5G, and as our, kind
of, overall internet architecture evolves, the government
thinking about how do we participate in that process either
through resourcing or participation.
    And, importantly, I think in research and development, how
do we think of new ways to build more resilient infrastructure,
both resilient from a physical perspective and a cyber. So
those would be the areas that we have most thought about the
funding.
    Mr. Lynch. Thank you. Ms. Rinaldo.
    Ms. Rinaldo. When you look at the ecosystem as a whole,
most private companies underpin the internet architecture. So
what added benefit can government bring them to help move the
ball? At NTIA, we currently work with the private sector
through our webinars. We have a broadband group that actually
reaches out to rural areas to talk to local providers on how
can we help them improve their security and their resiliency.
    We work through the American Broadband Initiative, which
the President initiated last year. We lead that on behalf of
the government, to, again, have these conversations on how can
we as a government help improve security and resiliency? And
one of the things that we hear back is information sharing,
something as--Chairman Langevin, we talked about just before
the hearing that I have been working on for a very long time.
What information can we pass as a government to local
providers, to vendor manufacturers, to ensure that they are
getting the quality of information to help them protect their
products that are being implemented throughout the supply
chain?
    Mr. Lynch. Thank you. Mr. Wilson.
    Mr. Wilson. I would just echo. I think when we look from a
DOD perspective, we look for the nexus when it revolves around
national security. And so, we are very active in standards
boards, not just domestically, but globally, associated with
the internet. In addition, we look at capability that could be
brought to bear from a DOD perspective.
    We are very active in the research and development, it was
highlighted in the introductory comments, the defense--the
DARPA team. Also, our service laboratories, and I would also
have to tip my hat to the Department of Energy lab environment.
They do some great work in this arena. There is a lot of
partnering that goes on to bring innovation to the game--to
this table in terms of solutions. To be really a catalyst for
change. And there is several different----
    Mr. Lynch. What about cost sharing, that is what I am
asking. From the private sector, you know, they are the major
beneficiaries, these private companies that are, you know,
hugely successful.
    Mr. Wilson. Uh-huh. So in the Department of Defense, we use
a vehicle such as cooperative research and development
agreements with industry partners, really a sharing of either
personnel in intellectual property as well as resources. So we
may have a range in the Department of Defense where we can do,
you know, experimentation, et cetera. So we use several
different vehicles along those lines to be able to get after
high-priority requirements.
    Again, we look for the national security nexus when it
comes to research and development standards, et cetera.
    Mr. Lynch. Okay. Thank you very much, Mr. Chairman. I yield
back.
    Mr. Langevin. Thank you very much. And Mr. Hice--
Representative Hice is now recognized.
    Mr. Hice. Thank you very much, Mr. Chairman. Mr. Wilson,
while you were talking, we will just keep going here. About
this time last year, the Department of Defense released a cyber
strategy where it was highlighted the need to conduct
cyberspace operations. It is very intriguing to me, and
specifically to determine and to make sure that we are able to
maintain our U.S. military advantage, and at the same time, to
defend our national interest.
    And in an interesting quote, and also, quote: To prepare
military and cyber capabilities to be used in the event of a
crisis or conflict. Those three areas are extremely important
to me, and I know in my own district, Fort Gordon, the Cyber
Center of Excellence resides there and they are very much
involved in all three of these areas.
    Obviously, without going into classified information, but
would you be able to share some of the specific actions that
the Department has taken in light of that cyber strategy to--
just some insight on how things are going to protect our
infrastructure?
    Mr. Wilson. Absolutely. So in August of last year, the
Secretary signed, Secretary Mattis at the time, signed out the
DOD Cyber Strategy. Some very core missions. Number one being
the ability to operate DOD joint force. So kinetic forces
alongside all the other forces in a cyber contested
environment, to be able to build resiliency into our joint
force. That was priority one from Secretary Mattis'
perspective.
    In addition, we wanted to be able to bring cyber effects
operations, defensive and offensive, alongside our normal
kinetic operations. And so, we have been hard at work at doing
that. We have worked with Congress, with authorities, to be
able to execute in that arena. We usually are pretty--we do
some really good work in the area of hostilities in competition
with the revisionist powers we have seen, that they are
operating below our normal traditional response mechanisms. And
so, we have been very focused on that, so the strategy
addresses that.
    Down at Fort Gordon, they are doing some great work,
Lieutenant General Fogarty and team, in terms of--that is the
ARCYBER, the Army Cyber team. They are focused right now in
CENTCOM [U.S. Central Command] theater, AFRICOM theater, the
Africa Command, doing some fantastic work.
    When it comes to critical infrastructure, there was a
recognition that the Department of Defense had a role. And I
think if you had asked us maybe 2 or 3 years ago, it wasn't as
clear. We brought a strategy forward called the ``defend
forward.'' We focus in the Department, just like we do in any
other domain of operations, on external threats to the Nation,
and so in cyberspace we do the same things. We focus on those
external threats. We want to be able to see those threats,
understand those threats, see indications and warnings if there
is attack on critical infrastructure for the Nation, or DOD
forces or allies. And we want to be postured and prepared to be
able to respond to those attacks; preferably in a preemptive
fashion, if needed, versus waiting to take a strike and then
have to be----
    Mr. Hice. Would you believe--how are we doing is kind of
what I want to know. Are we prepared offensively? Are we
prepared defensively? Are we prepared in the event of a crisis
here? I mean, where are we on these three areas? On a scale of
1 to 10, I mean, are we----
    Mr. Wilson. So it depends on which category, and it is best
done in a classified setting, but maybe I can put a backdrop
behind it. We are making tremendous progress. Over the last
year, we have executed operations which we have briefed in the
Armed Services updates, and we are getting ready to do one here
shortly, across different--several different mission types. And
so, that is going very well on the offensive side.
    On the defensive side, we are building tremendous
resiliency in the force; we have a long way to go. So, if you
are talking about the network, we have tremendous activity
going on end point security zero trust environment, and the
team is doing really good work. We also have activity going on
associated with weapons systems to make them more resilient.
And then we are beginning to look at defensive cyber effects
operations broadly to be able to mitigate risk to the best of
our ability.
    Mr. Hice. Okay. Well, Mr. Chairman, I don't have time to
get into the next question, so I will go ahead and yield back.
Thank you.
    Mr. Langevin. Thank you. Mr. Kim, I recognize you for 5
minutes.
    Mr. Kim. Thank you, Mr. Chairman. I thank you so much for
being here and being able to have an interagency discussion
about this. I would like to just hone in on just some of my
understandings about some vulnerabilities and try to get a
better sense of how different agencies and departments are
honed in on this.
    A concern that we have is certainly about the different
nodes in which the information is coming to us through internet
exchange points. We have one in New Jersey and we understand
some of the vulnerabilities that come with that. When
information is being transmitted through, let's say, the
undersea cables, through the internet exchange points, I, from
my understanding, is that the undersea cables is something
under the jurisdiction of DOD. The internet exchange points are
ones under the jurisdiction and oversight of DHS.
    So I guess my understanding is how do we structure the
preparations or the coordination that is involved in that to
try to understand if we were to have any disruptions along
those points that we can understand what role different
agencies and departments play? Are there particular exercises
that are being done? Are there other ways that we can
understand who all is engaged, because from what I understand,
it's lots of different departments and agencies and offices
that are involved in that type of process.
    So if you don't mind, I would love to just hear from across
the board what we can be doing on that front, and who are the
main actors that need to be at that table?
    Ms. Manfra. Thank you for the question, sir. I don't know
that I would use the term ``jurisdiction.'' You know, we
don't--I wouldn't say we have jurisdiction over internet
exchange points, and I would defer to DOD, but I don't think
they have jurisdiction over undersea cables. What it is more
is, we have some interagency bodies, such as Team Telecom and
things like CFIUS [Committee on Foreign Investment in the
United States], other sort of bodies where we work together,
our three agencies plus others, to understand the risk and make
decisions, and are able to intervene, if necessary, in market
decisions in those particular cases.
    In other areas where there is not a specific investment or
acquisition happening, we continue to work together. You know,
once you start getting further beyond the borders of U.S.
waters, obviously, there are others who start to have insight,
but we recognize the connectedness of that. So specifically on
undersea cables, we worked with the DNI, 2 years ago, issued a
report on threats to undersea cables, working very closely with
the DOD, DNI, and others to both better understand the threat,
but then on the DHS side, given sort of our authorities and the
public private partnerships, what can we do to counter that
threat, build more resilience, and, of course, DOD has
capabilities to use those tools as well as NTIA.
    So it is not so much that here is clear jurisdiction and it
ends at this part of the internet architecture, and then the
next person picks it up. It is really largely private sector
led in all cases, and what we have are different tools to
analyze and make assessments and take action if we have some
concerns. Is there potential--more tools and better
cooperation? Absolutely, we can always continue to improve the
coordination, and that is why I think we have got those
national critical functions focused on, you know, how is the
stability of the internet overall? How are we focusing on that?
What are those different mechanisms and those tools and those
partners? That is how I would--I hope that is helpful.
    Mr. Kim. No, that is helpful. Any of the other witnesses
want to jump in on this? Mr. Wilson.
    Mr. Wilson. From a DOD perspective, what we really focus
and understand, try to understand the threat. So we work with
the intelligence community, and then our own insights. Also, we
do assessments so that we understand our reliance on cable
landing sites or any type of infrastructure. And then we
constantly are planning and coming up with contingencies. So
based on that reliance, we want to understand if that is lost,
in whatever fashion, however complex that looks like, our
ability to roll off and conduct operations maybe in a minimized
fashion with high-priority taskings. So that is a natural
rhythm that we move through in our war plan and OPLAN
[operations plan] activities. In addition, in our Tier 1
exercises, we do exercise in the loss of critical
infrastructure, which might include cable landing sites or
other undersea cables; that is a normal battle rhythm of
activity that we look at.
    Just, I would point to maybe day-to-day. We do have--there
is just, you know, anchor drags and cable losses, and so just
naturally, we see in a day-to-day fashion the loss of
capability, whether it is natural disasters or man-made
calamities out there under the sea, we see that happen on
occasion on a very routine basis. And so we are constantly
having to already do this for a living, if you will, to
maintain mission.
    Mr. Kim. Yeah.
    Mr. Wilson. So we gain a lot of insight, and we do a lot of
after-actions and lessons learned, based on those experiences.
And so a pretty deep well of knowledge there and we share and
work hand in hand with DHS. We have natural rhythms. They see
our tasking orders, we share that from a cyber perspective.
    Mr. Kim. Well, thank you for your insights. Mr. Chairman, I
yield back.
    Mr. Langevin. Thank you, Mr. Kim. Mr. Banks is recognized.
    Mr. Banks. Thank you, Mr. Chairman. I think we all agree as
the DOD moves toward an increasingly internet-integrated
warfighting posture, it is critically important to identify
vulnerabilities in software and hardware within the DOD
network.
    Mr. Wilson, as identified in DOD's 2019 Digital
Modernization Strategy, DOD utilizes 10,000 operational IT
systems. I am concerned about the number of access points
within the DOD network. Does DOD have a complete inventory of
all items that can access the network?
    Mr. Wilson. Today, the answer would be we do not. We are
driving very, very diligently to have insight and to be able to
see. We have several modernization efforts and several
initiatives underway, end point security and visibility being
the number one. So that we have visibility to all those end
points. Ten thousand end points, sir, would probably be a low
estimate.
    So when you just look at end users out there, given we have
several million people inside the Department of Defense, that
number is much higher than that. And so, we need to be able to
have visibility to be able to mitigate risk. And so step one
has been insight, and end point security initiative that has
been underway. We are really driving hard. We are getting
tremendous traction alongside the services and our Fourth
Estate in the DOD enterprise.
    In addition, we have an initiative underway called Zero
Trust where we are driving, so that we validate and limit the
movement so if something is exploited inside the network, that
we contain that to the best of our ability. So Admiral Norton
and the DISA [Defense Information Systems Agency] team are hard
at work on that alongside the service components. And so, it
has been a high-priority task. The deputy is taking reviews on
all of these initiatives plus more on a very routine basis, so
the sense of urgency is high on this one.
    Mr. Banks. Good. Ms. Manfra, you testified that the CISA
works across government and industry to ensure the national
security and the emergency preparedness community has access to
priority telecommunications and restoration. Are government
agencies able to keep up with industry in issuing security
updates?
    Ms. Manfra. I think much of what we use is industry
products. So it is more about ensuring the behavior that people
are actually, if you are referring to patching and those sorts
of things. We have had a lot of work that we have done around
this to focus behavior on those types of things. Are they
patching vulnerabilities that are identified? And we have
actually made a tremendous amount of progress.
    I think we--I think we are able to keep up with them. In
some cases, we are actually leading industry. There is work
that we have done under one of our directives to improve web
and email security, and the government went from least secure
by an independent auditor to actually leading all industries in
the security of our websites.
    So I think that there is--and I think that is what we need
to be doing. We should be not just talking about it, but
actually leading and putting these things in place. But it is a
mix of behavior and resource. Sometimes there is technical
challenges and we work with agencies in particular to assist
them on that.
    But if that is getting at your question.
    Mr. Banks. Yes. Mr. Wilson, back to you. How does the role
of the CIO [Chief Information Officer] coordinate with the DISA
regarding the responsibility of the DOD IT security?
    Mr. Wilson. So the DOD CIO, by statute, has responsibility
for the standards and technology and the fielding of
capability. DISA is their operations arm. And so, DISA has
purview, and there is two roles, organizing, training, and
equipping alongside the services, all of our IT fielding.
    In addition, the DISA commander, Admiral Norton, also wears
what we call the Joint Force Headquarters commander hat for the
DODIN, the DOD Information Network. So in that role, she is
able to direct activity in terms of orders out to the DOD at
large. And so that kind of is the arm that is able to execute
operationally day to day to mitigate risk. If there is an
incident, to be able to harness the power of the Department at
large and be able to mitigate that risk, to be able to drive
initiatives like the Zero Trust activity that I just
highlighted.
    So DOD CIO is responsible statutorily for the Department in
terms of standards and compliance. And then the operation arm
is DISA that reports up through the DOD CIO.
    Mr. Banks. Okay. Thank you very much. I yield back.
    Mr. Langevin. Thank you. Mr. Higgins is now recognized.
    Mr. Higgins. Thank you, Mr. Chairman. Ladies and gentlemen,
thank you for being here this afternoon. I have two questions.
One is very basic and the other is rather not. So let's handle
the basic question first. How do you ladies and gentlemen feel
about securing our undersea submarine cables that transmit most
of our signals? How do you feel about that? Where are we right
there?
    Ms. Manfra. Well, sir, I would argue that----
    Mr. Higgins. It has been identified as an area of potential
threat.
    Ms. Manfra. Yes.
    Mr. Higgins. And this could disrupt internet services
globally, and have serious economic impact, and perhaps
military implications, communications, et cetera. So without
getting into the weeds or revealing anything that shouldn't be
spoken of, what is your opinion? Is there more that should be
done and could be done?
    Ms. Manfra. Yes, sir. This is a high priority for us, both
my agency and those here, as well as others that aren't
represented, and we are very focused on this. And, yes, there
is absolutely more that we will do and can do--is the short
answer.
    Mr. Higgins. You concur, sir?
    Mr. Wilson. Yes. For the Department of Defense, it is core
to what we do. And so I would just kind of maybe walk back
through. One, we want to understand the threat against undersea
cables in particular, because we are relying on them. Any time
that the DOD is relying on any kind of capability, we want to
understand the threat to it, where the vulnerabilities are, and
then----
    Mr. Higgins. Those threats and vulnerabilities, in your
opinion, are being addressed?
    Mr. Wilson. We understand the threat, and we understand the
vulnerabilities. So the next is, how do you mitigate those
risks? For us in the military, that would be an operations--the
execution of our operations day to day. So we have a very
robust effort that we continually look and assess undersea
cables, because it is the crux of and we rely on it for a lot of
our communications----
    Mr. Higgins. So in the interest of time, and thank you for
answering, please, just all of you, stay in very efficient
communications with both of these committees, whereby we can
give you anything you need because it would be a disaster for
the world if those things got hit.
    So let's move to my question that is actually my concern. I
am concerned about national security issues regarding
protection from emerging technologies sponsored by nation-
states with global aspirations and strategies like China.
Specifically, I am talking about quantum computing. We have a
responsibility to protect the people's treasure, and, of
course, we have a responsibility to provide national security.
    But are we talking about investing money on protecting ones
and zeros, long streams of ones and zeros, when China could be
on the verge of using entangled photons to communicate. They
recently had this public data and satellite transmission to two
separate land stations 1,200 miles apart, and achieved quantum
entanglement successfully.
    A professor from LSU [Louisiana State University] in my
home State of Louisiana, a physics professor that spends a
large part of the year at the University in Shanghai, the
Science and Technology of China university, stated that he
believes China will go dark in 2 to 3 years, meaning we won't
be able to--we won't be able to understand and read their
communications. So if they reach a point through quantum
computing before we do, because we are spending money on VHS
tapes while the world moved to DVD, if they reach a point of
quantum entanglement and quantum computing efficiently and we
can't read them, then how would we know that they are reading
us? Remainder of my time, please, whoever feels qualified to
answer that question.
    Ms. Manfra. Sir, first, I would offer that I think us and
potentially some other agencies would be happy to come in and
have a longer conversation about this, both quantum computing
and other emerging technologies are definitely top of mind, not
just our agencies, but many others. And I would argue that the
U.S. Government is investing a lot in ensuring that we continue
to maintain leadership in this space. And while, yes, we
absolutely have to----
    Mr. Higgins. So we can look forward to a SCIF [Sensitive
Compartmented Information Facility] briefing on this?
    Ms. Manfra. Yes, sir, we will----
    Mr. Higgins. I would ask the chairman to consider that.
    Mr. Langevin. Okay.
    Mr. Wilson. And I would just add. I think quantum computing
is at the core. Digital modernization at large, 5G, quantum
computing, AI [artificial intelligence], large data or big data
analytics, et cetera, are all converging. And so, in the
Department of Defense, we see that as opportunity to field the
right kinds of capability, both for productivity, but for
effectiveness--mission effectiveness, but we also are looking
at it through the lens of risk. So how do we mitigate that risk
alongside our interagency partners?
    We have the challenge of low-end and high-end conflict. And
so, we have a reliance and we are becoming more reliant on
those capabilities, so it is of utter importance. But we would
love to join----
    Mr. Higgins. Thank you. So we look forward to a more
extensive briefing in a secure setting. Thank you, Mr.
Chairman.
    Mr. Langevin. I thank the gentleman. Ms. Wasserman Schultz.
    Ms. Wasserman Schultz. Thank you, Mr. Chairman. Ms. Manfra,
earlier this year CISA released a list of 56 national critical
functions. You defined these as functions, quote, ``so vital to
the United States that their disruption, corruption, or
dysfunction would have a debilitating effect on security,
national economic security, and national public health and
safety.'' Is that correct?
    Ms. Manfra. Yes, ma'am.
    Ms. Wasserman Schultz. As it pertains to internet
architecture, how does the identification of these 56 critical
functions alter CISA's approach to protecting our Nation's
internet infrastructure?
    Ms. Manfra. Thank you for the question, ma'am. What it does
is more holistically defines what functions we are concerned
about. So, previously, while it is important to continue to
have these sector-specific approaches, but when we are talking
to the IT community and the communications community, we felt
it was important to narrow in a little bit more on what
specifically. So are we talking about routing and addressing.
Are we talking about the internet exchange point conversation
and physical infrastructure that supports the internet.
    So we felt it was important to start to disentangle so it
is not just all, here is an IT and communications broad
structure. Industry already thought this way. It was really us
sort of catching up. And we will now shift how we prioritize
our resources and our engagements to ensure that we have the
right people in the room and we are taking the right actions
against those critical functions.
    Ms. Wasserman Schultz. Thank you. And how does this change
CISA's outreach and coordination with the private sector and
with your partners at other agencies?
    Ms. Manfra. What it really means is we were going to ensure
that the right players are in the room. We have great
partnerships with the IT and communications industries, but as
we started to think about a functional approach, which is,
frankly, the way the adversaries are thinking about it, we
recognize that not all of the correct players were in those
conversations.
    So, we want to ensure that the owners and the operators,
the providers of services, are also a part of whether it is
just information sharing back and forth so they can give us
information about what may be going on, or we can provide them
information. But also, they are part of this broader policy
conversation when we are thinking about risks and what we want
to do about it.
    Ms. Wasserman Schultz. Thank you. That list of national
critical functions includes providing internet-based content
information and communications services, and it also includes
conducting elections. Is that correct?
    Ms. Manfra. Yes, ma'am.
    Ms. Wasserman Schultz. Of course, our internet architecture
is connected to election security in many places across the
country. So let me start by asking you a question that I have
asked CISA Director Krebs multiple times since May of this
year.
    Russia intentionally influenced our 2016 elections and is
expected to try again in 2020. Has the President received a
comprehensive briefing from CISA on potential Russian influence
in the 2020 elections?
    Ms. Manfra. My understanding is the President has received
briefings and continues to receive briefings on threats.
    Ms. Wasserman Schultz. No, no, I am asking you, has he
received a comprehensive briefing from CISA on potential
Russian influence in the 2020 elections?
    Ms. Manfra. He has not directly received a briefing from
us, but he has received comprehensive briefings that we have
informed.
    Ms. Wasserman Schultz. Okay. That is new information
because as that--since the last time I spoke with Director
Krebs where he said no, or he was not aware that--small
briefings here and there, that is different than a
comprehensive briefing, specifically given to the President of
the United States, on Russia's desire and intention to
influence the 2020 election. So since the last time I asked
him, that comprehensive briefing for the President of the
United States has taken place?
    Ms. Manfra. Ma'am, to be honest, I am not in the meetings
where the President receives these, but I do understand that
the President has received multiple briefings on----
    Ms. Wasserman Schultz. Okay. So essentially, you are giving
me the same answer that Director Krebs--he has not, to your
knowledge, had a comprehensive briefing from CISA on this risk?
    Ms. Manfra. We have not directly provided him with
briefing.
    Ms. Wasserman Schultz. Okay. Okay. Are there plans to brief
the President on this critical issue in a comprehensive way
from CISA?
    Ms. Manfra. I would have to defer to others on that.
    Ms. Wasserman Schultz. And, lastly, are you familiar with
the Quadrennial Homeland Security Review?
    Ms. Manfra. Yes, ma'am.
    Ms. Wasserman Schultz. That is a critical document that is
used for assessing the Department's overall security strategy
and what it views as the most pressing threats to U.S.
security, including threats to critical infrastructure.
Congress mandates that DHS produce this review every 4 years.
Can you tell me the last time DHS submitted a Quadrennial
Homeland Security Review to Congress?
    Ms. Manfra. Off the top of my head, I can't remember the
exact year.
    Ms. Wasserman Schultz. It is 2013 or 2014.
    Ms. Manfra. Okay.
    Ms. Wasserman Schultz. And the most recent version of this
document was due to Congress in December 2017, but more than 20
months later, DHS has not submitted this critical document.
What is the status of the now long overdue 2018 Quadrennial
Homeland Security Review?
    Ms. Manfra. Ma'am, I have to get back to you on that.
    Ms. Wasserman Schultz. Okay. If you could. The bottom line,
Mr. Chairman, is not having an up-to-date Quadrennial Homeland
Security Review makes it more difficult for Congress to
evaluate DHS's strategy and coordinate with Federal agencies,
which you very effectively answered on homeland security
priorities, including our internet architecture.
    So I would ask that you take it back to your bosses that it
is time to comply with the law. And if you actually take this
issue seriously, making sure that this report is issued in a
timely fashion is essential. Thank you, I yield back.
    Mr. Langevin. I thank the gentlelady. And Mr. Waltz is
recognized for 5 minutes.
    Mr. Waltz. Thank you, Mr. Chairman. Ms. Manfra, obviously,
DHS defends the homeland and defends our critical
infrastructure here, including our internet infrastructure. And
Mr. Wilson, DOD, in a number of briefings, has described its
posture now as defending forward in both classified and
unclassified briefings, and I have received a number of
briefings on what those activities have entailed, particularly
as it pertained to 2018 and our elections there.
    Is there any discussion in the Department--in the Defense
Department, in particular amongst the interagency of moving to
a deterrent strategy, rather than a purely defensive strategy,
whether we are defending forward or defending the homeland.
What I mean by that is, you know, to use as an analogy,
terrorism.
    We cannot bat 1,000, so to speak, using a baseball analogy.
At some point, we have to alter our adversary's decision
dynamic, and I think some members have described it as perhaps
blinking the lights in the Kremlin or holding their assets at
risk. What is the Department, from a policy standpoint, are
they moving that direction? Have you made a decision not to
move that direction, and we take a purely defensive posture? We
could talk across a number of domains, obviously, where we have
a deterrent strategy to stop and try and alter the behavior
rather than simply defend against it. Does that make sense? And
I would welcome your thoughts.
    Mr. Wilson. Absolutely, sir. So last year, as part of our
cyber posture review, we delivered a report to Congress, really
hit two pieces. That was in early September. One was a holistic
assessment of our ability to execute the missions as
articulated in our DOD Cyber Strategy. So we did a gap
assessment that is a classified report that we can make
available.
    In addition, we were asked to do some work on deterrence.
Specifically, deterrence in cyberspace. And so a couple of the
key takeaways: One, we believe that deterrence comes in a few
flavors, it is not just consequences. We think the first step
is deterrence by denial. So we want to deny adversaries the
benefit of what they are trying to achieve through a cyber
effects operation, or any other type of activity directed at
the U.S., our allies, or the Nation at large. And so, that is
where you see the partnership between DHS and the other
departments and agencies of the U.S. Government, where we have
stepped in and began to assist, enable, support the resiliency
of our critical infrastructure segments. Not just focused on
DOD systems, networks, weapon systems, et cetera. So our focus
is much broader because we do rely and we see the importance of
denying an adversary the benefit.
    In addition, we look very hard at the ability, if called
upon, to deliver consequences, not just kinetically, or in all
the other domains of operation that the Department has, but
also in the domain of cyberspace. And so, a lot of assistance
from Congress with regards to some clarity on authorities. We
have also in the strategy tried to articulate our role uniquely
focused against external threats. And, in addition, the NSC
team in the White House has led us and the interagency through
a process with a new National Security Presidential Memorandum
13, which focuses on the decision process for either offensive
or defensive cyber effects operations. The details of that we
would have to go into a classified session, but that has been
in play and I think just----
    Mr. Waltz. I would like to follow up and better understand
that. And then also, better understand how that has been
communicated to our adversaries, because obviously deterrence
is only effective if they understand the consequences.
    Mr. Wilson. Absolutely. So strategy, a clarity of
authorities, and then the process for making decisions have
been very key in the consequences part. In addition, we look at
deterrence, really what I would describe as entanglement. So
how do we entangle ourselves, or use and leverage one of our
strengths as a Nation in the international arena?
    So how do we bring alongside our close partners and operate
together, and make the complexity of a targeting problem for an
adversary more difficult. And then, lastly, how do we
strategically communicate any actions we are taking across as a
whole of government, not just the----
    Mr. Waltz. Just in the interest of time, I will take that
for follow-up. Thank you and we will reach out to your staff.
Very quickly. Who has--I know there was a question earlier, and
I apologize if I am repeating it, on undersea cables. Who has
authority on--or who has responsibility for defending undersea
cables that directly affect the United States, its ability to
communicate in our economy and international waters? It is just
not clear to me, and if anyone wants to send that for the
record, in the interest of time, Mr. Chairman, I believe my
time is expired, I would appreciate it.
    Ms. Manfra. I think it would probably be best if we
followed up with more details.
    Mr. Waltz. Thank you.
    [The information referred to can be found in the Appendix
on page 73.]
    Mr. Langevin. Ms. Stefanik.
    Ms. Stefanik. Thank you, Chairman Langevin. Mr. Wilson, my
question is for you. With respect to helping secure our
Nation's infrastructure and even responding to an incident or
an attack upon our critical infrastructure, can you clarify the
role that U.S. Cyber Command and U.S. Northern Command plays
and the relationship between the two? What role does DISA play
here? And are there clear chains of command so that these
organizations and commands understand their particular role?
\nWho is responsible for what? And then, how do they interface \nwith DHS?\n    Mr. Wilson. So if there is an attack on the Nation that \ninvolves kind of a multi-domain attack, so kinetic strikes \nagainst the Nation, NORTHCOM [U.S. Northern Command] has the \npoint. They have the lead for the defense of the Nation. So \nfrom a supporting/supported relationship, NORTHCOM is point. If \nthere are activities that would require a cyber effects \noperations, or any type of response, Cyber Command would be in \nsupport of NORTHCOM in those instances.\n    If there is a unique, and it is a fairly contained, but \nvery focused on a cyber security threat or activity, then there \nis a decision to be made, and in most cases, then we would look \nto Cyber Command to be the lead, and they would be the \nsupported command, because it would be really contained within \ntheir purview, in direct coordination with and lots of \ncommunication and coordination so we are all on the same sheet \nof music.\n    So that activity, we have exercised that on many occasions, \nand that is maturing. I think if you had asked just a few years \nago, that was a bit cloudy. I think we are doing great work in \nthat front. Our Tier 1 exercises is beginning to really mature \nthose relationships and the command and control activity that \ngoes alongside those.\n    DHS is alongside in anything domestically along with FBI \nrepresentation, and so, when required, if it is a domestic \nincident, there would be support either provided to DHS as part \nof our normal defense support to civil authorities, or DSCA \nroles, there is a mechanism to put that in play, and then we \nwould institute that.\n    Ms. Stefanik. Let me ask a more specific--let me use a more \nspecific example. As we are heading towards 2020, obviously one \nof the focuses of every Member of Congress is making sure that \nwe have secure resilient elections. 
And we are well-positioned \nto ensure that the lessons learned from 2016 in terms of our \nvulnerabilities that we are being offensive in terms of \nprotecting our elections infrastructure.\n    So in that case, you know, let's say there are cyber \neffects, how does that responsibility--can you go through that \ndecision-making process for that particular example. So online \nelection system as part of a critical infrastructure, who is \nresponsible for what?\n    Mr. Wilson. So we look at it through three really lines of \neffort, or lines of operation. The first is associated with \nelection security infrastructure. So, in support of the DHS \nteam, because they have purview, and so whether that is \ninformation, intelligence information sharing, activity \ndirected at helping to secure, share any threats, any \nindicators of compromise, to make sure that the robust defenses \nthat are in place to secure elections infrastructure. So that \nis kind of job one, if you will, for elections support.\n    The second line of effort we have within the DOD, and \nGeneral Nakasone is at the helm here, is associated with \ndisinformation, or malign influence. And so, FBI has point with \nregards to disinformation associated with elections or any \nother activity in the United States as a law enforcement \nactivity. And, so, likewise, the combined team of U.S. Cyber \nCommand and NSA [National Security Agency] would provide \nsupport to the FBI in the form of information sharing, any \nintelligence indicators we may have alongside the intelligence \ncommunity. 
So we are one of many that would be supporting.\n    FBI does the vast majority of outreach to, like, social \nmedia to give them heads up that there is issues, that there is \na threat associated with, you know, a malign actor, Russia or \nwhoever, using social media to spread disinformation or try to \nsway the public as part of the elections, or just day to day.\n    And then, the last would be if we are called upon as a \nDepartment of Defense to deliver consequences in any form, \nwhether it be cyber effects operations or anything else, then \nthat is wholly within the Department of Defense, and we have \nthe procedures, ma'am, as you have been briefed on with regards \nto the process for approval on those as part of the NSPM-13 \n[National Security Presidential Memorandum-13] process.\n    And so, we have executed some of those in the past, as you \nhave been briefed, I can't get into details in this forum. So \nwe are postured to be able to execute those types of operations \nin the future from an offensive or defensive activity. At \ntimes, we may partner with international partners, like we did \nduring the 2018 election, and close partners and providing \nsupport in that arena, in what we would describe as hunt \nforward as part of our defend forward construct.\n    Those are the structures we have used that was very \nsuccessful. We have gone in and looked at the after-actions and \nare tuning that, but we are well underway with all three of \nthose lines of efforts for the 2020 elections.\n    Ms. Stefanik. Yeah, I think fine-tuning that is going to \ncontinue to be important, because as you laid out, the \ninfrastructure, the disinformation, and the third bucket, you \nhave a lot of agencies who are in the mix, whether it is U.S. 
\nCyber Command, NSA, DHS, FBI, so making sure that there is--\nDOD--there is a holistic approach and an understanding of who \nis responsible, because oftentimes, the attacks, and we saw \nthis in 2016, it was multifaceted, it checked multiple boxes.\n    And thanks for the leniency. I yield back.\n    Mr. Langevin. Excellent points. And it is one thing when we \nknow the bad actor or what is coming; for example, we need to \nbe prepared for the upcoming 2020 elections. And just as in \n2018, we had a whole-of-government, whole-of-nation approach, \nwe will do that again, I am confident, in 2020. The American \npeople should know that.\n    It is the things that we can't anticipate coming up that--\nthis is well-harmonized and the left hand knows what the right \nhand is doing. So it is going to be well thought-out, and it \nbecomes muscle memory going forward.\n    Thank you, Ranking Member. Chairman Lynch is now recognized \nfor 5 minutes.\n    Mr. Lynch. Thank you very much. So we have about 2,600 \ninternet companies, and I think there are no less than 90 \nundersea fiber cables that feed both the United States and its \nterritories. The trend has been that those cables are clustered \non a select number of landing stations. Is that clustering \neffect, even though it creates redundancy, I guess, because you \ngot all these cables, which is good, the redundancy is good, \nbut the vulnerability that that prevents is--excuse me, that \nthat presents, is that a problem for us? Ms. Manfra.\n    Ms. Manfra. I would say----\n    Mr. Lynch. And by the way, the maps that show the cable are \nall publicly available, so I am not giving up any----\n    Ms. Manfra. No, you are not, sir.\n    Mr. Lynch [continuing]. National secrets there.\n    Ms. Manfra. Most of what we actually see in the risks for \nsome of the co-location and consolidation comes from natural \nhazards or accidents.\n    Mr. Lynch. Okay.\n    Ms. Manfra. 
And now that does also mean that other threats \ncould potentially take advantage of that, and we have done--\nusually we are working jointly with the FBI, working to, you \nknow, understand, do physical security assessments of those \ncable landing stations, helping the owners of those--of that \nparticular infrastructure, improve both their physical security \nand the resilience, as well as----\n    Mr. Lynch. Okay.\n    Ms. Manfra [continuing]. Kind of how it gets passed from \nthe cable landing station into sort of the rest of the internet \necosystem. So there is some--there is definitely concern around \nsome of that consolidation, but it usually manifests itself \nwhen you have, say, a hurricane or something like that. So they \nhave already built a lot of resilience into that to combat some \nof these natural disasters.\n    Mr. Lynch. Okay. Let me just rephrase the question a little \nbit more generally. Do you repeatedly and continuously monitor \nand do threat assessments on individual aspects of our internet \narchitecture?\n    Ms. Manfra. Yes, sir, we do.\n    Mr. Lynch. Once a year? Is that what we do it?\n    Ms. Manfra. It depends. We do probably--I don't know that \nwe would do any of them once a year. Many of these would be \nassessments that, ideally, they could use for multiple years, \nand would offer multiyear approaches to improving some of the \nsecurity. But in some of the areas where we have maybe \nidentified some weaknesses, or perhaps we have some threat \nintelligence that they may be a target, we do prioritize \nengagement, and we will continue to elevate the prioritization \nof those. I think this is really in the last few years that we \nhave started to prioritize this.\n    Mr. Lynch. Speaking very generally, what keeps you up at \nnight? What do you worry about most when we look at the whole, \nyou know, the scheme of our internet architecture? 
What do you \nthink--and, again, being sensitive to the nature of the \nquestion, what do you think we should be doing to, you know, \nbetter protect ourselves?\n    Ms. Manfra. When it comes to internet architecture, I think \nincreased visibility, and working with those companies and \nensuring resilience. There is a lot of talk about security, but \nI think resilience in this space, and it is already something \nthat the community understands.\n    So having a lack of resilience, and whether that is through \nmarket pressures or others, would be a concern in that somebody \ncould take advantage of that, and you would have single points \nof failure. I am not saying that we have that now, but that we \nwould get to a point where we did, and the adversary would be \nable to have real, you know, catastrophic consequences as a \nresult.\n    Mr. Lynch. So the redundancy aspect of it, in many cases.\n    Ms. Manfra. Oftentimes, resiliency through redundancy. \nThere are other mechanisms for resiliency, but yes, redundancy, \nI think, is important.\n    Mr. Lynch. Okay. Thank you very much.\n    I will yield back.\n    Mr. Langevin. Thank you.\n    And on that point on the redundancy and the resiliency, \nobviously, things happen. There are physical failures. We \ntalked about the anchor drags, and so, it is not the first time \nthat a node has been damaged. And how quickly, give us a sense \nof how that can be reconstituted, or you have that resiliency, \nso you have another way of performing the same function through \nsome other mechanism. And with that, also, how many points of \nfailure then become on the scale of more catastrophic or \nserious, where resiliency is harder, and it takes longer?\n    Ms. Manfra. I will take a stab at that, and then I can--so, \nit is hard to provide sort of one answer to that, because I \nthink it depends on which part of it you are talking about. 
\nWhen you are talking about submarine cables, cable landing \nstations, internet exchange points, that part, you know, that \nis a knowable universe of who owns that; and so, it means it is \nalso a little bit, I think, simpler, in terms of who we are \nengaging with and how we improve the security and the \nresilience.\n    You know, I think we have identified some really good best \npractices. And, honestly, industry has really led largely \nthrough telecommunications companies needing to build \nresilience in hurricanes, or whatever. So they have created \nmutual assistance agreements, essentially, in terms of when you \nare thinking about roaming. And if one company can't handle a \ncustomer set, because their infrastructure has gone down, they \nhave agreements in place. And they have been doing this for a \nwhile. I think that is starting to evolve in broader than just \nthese TELCOs [telephone companies], and that is something that \nwe definitely welcome and want to encourage.\n    You also have to think about as the market is sort of--\nthere are new players now coming into the market that didn't \ntypically have cable landing stations or submarine cables. So \nhow do we kind of think about these different market players, \nwhether that is providing mutual assistance or the government \nensuring that we prioritize?\n    We learned about this, whether it was, you know, Puerto \nRico, Virgin Islands, some of these significant events in the \nCaribbean that had impact to critical nodes of our \ncommunications infrastructure. How do we ensure that working \nwith FEMA [Federal Emergency Management Agency], that we are \nprioritizing the restoration of those services or we are \nhelping industry prioritize the restoration of those services?\n    Ms. Rinaldo. 
I think we often hear that the internet was \nnot built with security in mind, but it was built upon to be \nresilient, and it is very resilient.\n    You know, a couple of things: With a routing cable, if \nthere is a glitch, it can reroute traffic. It does reroute \ntraffic. For the DNS system, DNS--NTIA represents the United \nStates at ICANN [Internet Corporation for Assigned Names and \nNumbers] on these issues. We lead the DNS Interagency Working \nGroup. There are the authoritative root servers, but there are \nalso more than 1,000 root server instances, or anycasts, that \nare distributed all throughout the world. And this is done for \nsecurity, for stability. It is done for the consumer.\n    So there are many instances that resiliency has been built \ninto the system, and even to this day, we keep building and \nmaking sure that the system remains and is stable, because it \nis such a driver of our economic lives in this country as well \nas how we operate.\n    Mr. Langevin. Mr. Wilson, do you have anything to add on \nthat?\n    Mr. Wilson. Chairman Langevin, I would just add that, you \nknow, just based on experience, the answer is it depends, in \nterms of a cable outage. If there is a cable outage at sea and \nyou are, you know, a 2-day steam out to, you know, fix that \ncable, the diversity and the resiliency of the architecture can \nwork around that.\n    As cables converge and if there is an incident like in a \nharbor or something, that may have more consequential outcomes. \nHowever, it is closer, so the remedy is typically quicker. In a \nlot of cases, it is just a physical restoration of services.\n    So the answer is, it depends. It can be very quick, a \nmatter of hours. It can be several days, if not more, depending \non the location and the type of fix action that is required. \nBut I would just echo that these systems are built with \nresiliency.\n    Chairman Lynch, to your question, what is the threat? 
I \nthink it would be the miscalculation of an adversary that is \ntrying to seek or take--seek an outcome. It miscalculates with \nregards to how they go about doing it, the WannaCry-like \nincident that maybe has much more implications, worldwide or \nglobally, than what an actor would have anticipated. That is \nwhat, I guess, keeps me up in the middle of the night.\n    Mr. Langevin. So I want to just go back to the role of \nCYBERCOM and NORTHCOM in defending physical sites that are part \nof the internet architecture ecosystem. Do you have that worked \nout? And we have kind of touched upon that, but who has primary \nresponsibility in defending those sites?\n    Mr. Wilson. So for the Department of Defense, we have very \ngood knowledge about which systems we rely on. We have good \nplans in terms of mitigation with regards to moving to \nsecondary or tertiary capability, whether that is cable systems \nor whatever portion of the architecture.\n    When it comes to defending--most of these are owned and \noperated by commercial vendors, in terms of these heavy-haul \nsystems that we are talking about. So defending is a bit of a \ndifferent question. It is the resiliency that is built in. But \nwe understand our reliance, and if we need to take action to, \nif it is not happening naturally, is to be able to bring online \nother systems.\n    Many times for the Department, that may be prioritization \nof mission. In other words, we may have to go without that \nbroadband or that very large bandwidth support in terms of \ncomms. We may have to go to a much more minimized posture. We \nunderstand how to do that, and we have moved to that \ncontingency action, set of actions. That is part of how we do \nbusiness day in and day out.\n    Mr. Langevin. Thank you.\n    I guess the last question that I will have is for Ms. \nRinaldo. 
Given NTIA's role in international standards bodies, \ncan you speak to how this issue is viewed by other countries \nand your international counterparts?\n    Ms. Rinaldo. Thank you for the question. Yes. We represent \nthe United States at ICANN, as well as we are very active in \nstandards bodies 3GPP [Third Generation Partnership Project], \nIETF [Internet Engineering Task Force], as well as others, ITU \n[International Telecommunication Union], which is the \ntelecommunications arm for the U.N. [United Nations]. We have \ngreat allies around the world. We coordinate with them often. \nWe coordinate with them through different conferences as well \nas bilats throughout the course of the year. We want to make \nsure that as we face threats to our infrastructure, threats to \nthe networks, that we are speaking with one voice and making \nsure that we are pushing back.\n    There are more of us than them, so we want to make sure \nthat we continue these conversations, so when foreign \nadversaries do pose threats, that we keep having those lines of \ncommunication open. And these fora that do occur around the \nworld, it is an amazing opportunity to not only exchange notes, \nbut to further deepen those bonds.\n    Mr. Langevin. Thank you.\n    With that, Mr. Higgins is now recognized for 5 minutes.\n    Mr. Higgins. Thank you, Mr. Chairman.\n    Mr. Wilson, if a United States Navy ship is fired upon by \nan identified approaching vessel, an aggressor, do we return \nfire?\n    Mr. Wilson. There are standard rules of engagement \nregarding----\n    Mr. Higgins. Yes, sir.\n    Mr. Wilson. Absolutely.\n    Mr. Higgins. If a soldier in a theater of engagement is \nfired upon by an identified aggressor, do we return fire?\n    Mr. Wilson. Yes.\n    Mr. Higgins. Ms. Manfra, do you see the comparison? 
So \nplease explain to America what the difference of our policy is \nwhen we come under cyberattack, our policy regarding preemptive \nattack, or our policy regarding return fire. If the aggressor \ncan be identified, there is a growing consensus on the part of \nthat group that if we can identify these guys, why don't we \nstrike back?\n    Ms. Manfra. Well, sir, I think the Department of Defense is \ndoing a lot of work to be well-postured and to do just that. I \nthink it is important, though, to not conflate every cyber \nincident as having the same consequences, shooting on one of \nour sailors or soldiers.\n    Mr. Higgins. Why not? If we come under cyber fire, why \nwould we not return cyber fire?\n    Ms. Manfra. I would say two things: Cyber fire, it could \noften just be a--it could be a data breach. I would argue that \nthat is not an act of war. That is why we focus so much on the \nconsequences.\n    Mr. Higgins. Well, let's talk about that with America for a \nmoment.\n    Ms. Manfra. Okay, sir.\n    Mr. Higgins. If a database--let's refer to it as that--\ncomes under missile attack, is that an act of war? If it is \ndestroyed by a missile that is an act of war, but if it is \ndestroyed by cyber, that is not? These are legitimate \nquestions.\n    Ms. Manfra. A very legitimate question, sir, and one that a \nlot of people are thinking very hard about. I just--I would \nsay----\n    Mr. Higgins. Let me compare it to sniper fire.\n    Ms. Manfra. From my perspective, sir----\n    Mr. Higgins. Like returning sniper fire, very targeted \nreturn fire.\n    Ms. Manfra. We have a long history of defining what it \nmeans to escalate and to have an act of war. And the digital, \nsort of, modernization of our economy has forced us to think \ndifferently about that. I don't want to suggest that we are not \nreturning fire when we are attacked. 
I only mean to suggest \nthat it is important to understand what the consequences are \nthat they are achieving and that we use the right tools.\n    It is not always necessary to return a cyber fire, as you \nsaid, sir, with a cyber gun. There are many other tools that \nthe government has and does use, but I think one of the things \nthat I am proudest of is the work that we are doing with DOD to \nensure that both of us are postured and positioned to not only \ndefend what we can domestically, but so that DOD is better \npostured to take such actions.\n    Mr. Higgins. Very well. That was an intelligent answer. Let \nme just close by saying that America is not accustomed to \nhiding when we come under fire. And Americans watching right \nnow, they think we are returning fire, and we are largely not, \nnot to the standards that it is common knowledge that if a Navy \nship comes under fire, that other ship is about to get \nsomething back.\n    Ms. Manfra. Yes, sir.\n    Mr. Higgins. If a soldier comes under fire, we are going to \nreturn that with superior fire and training. But cyberattack is \nlegitimate, is dangerous. It threatens our commerce, our \nindustry, our grid, our internet infrastructure, our military, \nour financial institutions. It is certainly a legitimate \nthreat. We are talking about it today. And America expects us \nto return fire.\n    Ladies and gentlemen, sir, thank you for being here today.\n    Mr. Chairman, I yield.\n    Mr. Langevin. I thank the gentleman.\n    I want to thank all of our witnesses for your testimony \ntoday. Members may have additional questions, and we would ask \nthat you be responsive in answering those questions and \nsubmitting them to the committee.\n    Again, I want to thank you for the important topics we have \ndiscussed today. The answers--obviously, this is going to be an \nongoing dialogue. It is something we have to pay continued \nattention to. 
I also just want to thank Chairman Lynch and \nRanking Member Stefanik and Ranking Member Hice for their \nparticipation and support of this hearing.\n    I yield to Mr. Lynch for any final comments that he would \nlike to make before we adjourn.\n    Mr. Lynch. I think these witnesses have suffered enough. I \nthink we should probably let them go.\n    Mr. Langevin. Very good. I thank you all for being here and \nwhat you do on behalf of the country.\n    This meeting stands adjourned.\n    [Whereupon, at 4:42 p.m., the subcommittees were \nadjourned.]\n\n     \n=======================================================================\n\n                            A P P E N D I X\n\n                           September 10, 2019\n\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                           September 10, 2019\n\n=======================================================================\n\n      \n      \n    [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] \n      \n=======================================================================\n\n\n              WITNESS RESPONSES TO QUESTIONS ASKED DURING\n\n                              THE HEARING\n\n                           September 10, 2019\n\n=======================================================================\n\n      \n\n              RESPONSE TO QUESTION SUBMITTED BY MR. WALTZ\n\n    Ms. Manfra. The majority of submarine cables are privately owned by \na mix of domestic and foreign entities. The protection of these cables \nis a complex question, considering they travel through domestic and \ninternational waters, some of which are contested areas. While the U.S. 
\nand its allies have significant interest in ensuring the safety and \ncontinued functionality of submarine cables, it will require a \n``concerted effort'' from the United States and its allies to ensure \nthe confidentiality, integrity, and availability of the data that \ntraverses subsea systems, in addition to the physical security of the \ncable and cable landing station. While DHS is the communications \nsector-specific agency per PPD-21, the current responsibility for \ndefending undersea cables landing in the United States involves a \n``whole of government'' approach, which includes the Navy in our \nExclusive Economic Zone (EEZ) and the Coast Guard within our 12 mile \nnautical sovereignty zone. Team Telecom--primarily made up of executive \nbranch agencies DOD, DHS, and DOJ--acts as an advisory committee to the \nFCC in matters related to foreign investment into US domestic \ncommunications infrastructure. Letters of Assurance (LOAs) and Network \nSecurity Agreements (NSAs) are memorandums of understanding between the \nUSG and the cable owners/operators that govern the location of assets, \ntypes of principal equipment, physical access controls, and other \nrelevant factors surrounding the functionality and protection of \nundersea cable systems. DOD, DHS, and DOJ enforce Team Telecom \nagreements through periodic compliance and mitigation visits to cable \nlanding sites, network operations centers, and other relevant \ninfrastructure. The Department of Justice and Federal Bureau of \nInvestigation investigate and prosecute criminal acts and espionage-\nrelated activities. These activities are informed by reporting from the \nintelligence community and various other federal agencies.   
[See page \n30.]\n\n     \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                           September 10, 2019\n\n=======================================================================\n\n      \n\n                  QUESTIONS SUBMITTED BY MS. STEFANIK\n\n    Ms. Stefanik. As you think about our vulnerabilities, are insider \nthreats an area of concern with respect to our Nation's internet \narchitecture, from either within government or even industry and the \nprivate sector? How do you monitor for insider threats? Are there \npolicies in place that allow you to have a dialogue and understand \ninsider threats from within industry and the private sector, or is this \ndifficult given privacy issues?\n    Ms. Manfra. Malicious insiders pose a serious threat to \norganizations in the public and private sectors, including those that \nown, operate and support our internet architecture. Insiders' \nauthorized access and detailed knowledge of critical assets offer them \nopportunities to compromise information, sabotage infrastructure, or \ninflict harm upon co-workers. While insider threats will always remain \na concern, it is possible to significantly limit the amount of damage a \nbad insider can do by properly implementing hardware, software, and \nprocedural controls to sensitive networks. To help counter this threat, \nthe Cybersecurity and Infrastructure Security Agency (CISA) strongly \nadvocates for an engaged workforce, one that is trained to recognize \nand report suspicious behavior or activity and can help defend against \ninsider threats. Personnel security, as well as technical and \nprocedural countermeasures, can also assist in detecting suspicious \nbehavior and minimizing the risk that insider threats present. In \naddition to free educational materials, CISA's Protective Security \nAdvisors work with organizations throughout the U.S. 
to learn how they \nare prepared to deal with insider threats, and to help organizations \ndevelop capabilities to mitigate potential insider threats through in-\nperson training workshops. Voluntary information sharing and \ncollaboration with industry and private-sector organizations on the \nvalue of insider threat programs and mitigation techniques has been a \nvaluable tool in CISA's infrastructure security and cybersecurity \nmissions.\n    Ms. Stefanik. Given the private sector and industry own the \noverwhelming majority of communications infrastructure, how do you \nengage on a recurring basis with the private sector, especially major \ncarriers and telecommunications companies? What are the recurring \nthemes in these conversations? Are there policy differences, or \nspecific problems you are currently working through?\n    Ms. Manfra. Information and Communication Technology (ICT) Supply \nChain Risk Management Task Force\n    <bullet>  The Communications Sector co-chairs the ICT Supply Chain \nRisk Management Task Force (Task Force).\n    <bullet>  The Task Force was formed in 2018, with strategic \nmandates to provide a forum for the collaboration of private sector \nowners and operators of ICT critical infrastructure and to provide \nadvice and recommendations to the U.S. Department of Homeland Security \n(DHS) on means for assessing and managing risks associated with the ICT \nsupply chain.\n    <bullet>  The working groups have developed policy recommendations \nand guidance documents for the Federal Acquisition Security Council's \nconsideration. The Task Force has produced an Interim Report on its \nactivities for the first year and will begin its year-two activities in \nthe fall of 2019.\n\n    National Critical Functions\n    <bullet>  DHS, through the CISA National Risk Management Center \n(NRMC), released a set of National Critical Functions in April 2019. 
\nThe Communications Sector actively participated in this work effort and \nwill continue to be a key partner as CISA begins to build a risk \nregister that will add a more prioritized and strategic overlay to \nCISA's critical infrastructure protection efforts.\n\n    Tri-Sector Executive Working Group\n    <bullet>  Actively participates as a member of this Critical \nInfrastructure Partnership Advisory Council Working Group that was \nestablished by the NRMC to collaborate, to understand, prioritize, and \nmanage systemic risk, and plan for and respond to cross sector \nincidents. Specifically, the Communications Sector, along with the \nFinancial Services Sector and Electricity Sub-sector worked together to \n(1) better understand systemic risk that might impact all three \nsectors; (2) build cross-sector incident response playbooks; and (3) \ndirect the development of better intelligence collection requirements \nto these sectors.\n\n    National Security Telecommunications Advisory Committee\n    <bullet>  The President's National Security Telecommunications \nAdvisory Committee (NSTAC) provides industry-based analysis and \nrecommendations to the President and the Executive Branch regarding a \nwide range of policy and technical issues related to \ntelecommunications, information systems, information assurance, \ninfrastructure protection, and other national security and emergency \npreparedness (NS/EP) concerns.\n    <bullet>  President Ronald Reagan created the NSTAC when he signed \nExecutive Order (EO) 12382, President's National Security \nTelecommunications Advisory Committee. The NSTAC is composed of up to \n30 Presidentially-appointed senior executives, who represent various \nelements of the telecommunications and information technology \nindustries. 
The NSTAC meets quarterly to report its activities, while \nproviding recommendations to the President on policy and enhancements \nto NS/EP telecommunications.\n    <bullet>  The NSTAC recently completed a study of the technology \ncapabilities critical to NS/EP functions in the evolving ICT ecosystem. \nThe goal was to determine what Government measures and policy actions \ncould be taken to manage near-term risks, support innovation, and \nenhance vendor diversity in this industry. Specifically, the NSTAC \nanalyzed threats to supply chain security and resiliency that exist due \nto the diminishing number of trusted manufacturers producing ICT \ncomponents.\n    <bullet>  In September 2019, the NSTAC submitted its \nrecommendations in the NSTAC Report to the President on Advancing \nResiliency and Fostering Innovation in the ICT Ecosystem. In the \nreport, the NSTAC recommended that the President create a new role \nwithin the White House called the Senior Advisor to the President for \nICT Resiliency; and develop a national strategy on advancing resiliency \nand fostering innovation in the ICT ecosystem, empowering whole-of-\nnation resources to pursue a more fundamentally safe internet \nenvironment for critical services.\n    <bullet>  On October 17, 2019, the NSTAC kicked off its next study, \nexamining the importance of software-defined networking (SDN). This \nstudy will examine the importance of SDN; identify the challenges and \nopportunities related to SDN; and assess the utilization of SDN and \ncorresponding mitigation issues. 
The goal of the study is for the NSTAC \nto (1) develop a strategic plan and best practices for deploying SDN in \nFederal networks and critical infrastructure; and (2) provide the \nGovernment with a better understanding of how SDN can potentially \naddress security challenges including ICT supply chain risks.\n\n    Network Security Information Exchange\n    <bullet>  The Network Security Information Exchange (NSIE) is an \ninformation sharing forum charged with devising strategies for \nmitigating cyber threats to the Public Network (PN). The NSIE's primary \nobjective is to enhance the security of communications networks \nrequired for NS/EP.\n    <bullet>  CISA participates in bi-monthly joint NSIE meetings, \nwhich include membership across U.S. Government and industry. NSIE \nmembership also includes industry and Government participation from the \nFive Eyes. Industry participation includes major carriers and \ntelecommunications companies (i.e., NSTAC NSIE members, including AT&T, \nVerizon, etc.). CISA provides NSIE leadership in the form of the U.S. \nGovernment NSIE chair and program manager.\n    <bullet>  Joint NSIE meetings include a closed session, where NSIE \nmembers share information on emerging network security challenges, \nvulnerabilities, and mitigation strategies.\n    <bullet>  The NSIE periodically assesses risks to the PN from \nelectronic intrusions. In December 2014, the NSIE completed An \nAssessment of the Risk to the Cybersecurity of the Public Network, \nwhich focused on how changes in technology have affected the PN and \nrecommended effective mitigation strategies. NSIE members plan to \nupdate the risk assessment in 2020, and may examine new issues such as \nDNS encryption, log management, workforce training, 5G, and insider \nthreat. 
CISA will support development of the document.\n\n    National Security and Emergency Preparedness (NS/EP) Communications\n    <bullet>  The Department maintains a unique contractual \nrelationship with the private sector, through major carriers and \ntelecommunications companies to fulfill responsibilities of EO 13618, \nAssignment of National Security and Emergency Preparedness \nCommunications Functions.\n    <bullet>  CISA's Emergency Communications Division conducts a bi-\nmonthly Service Provider Council forum to address nonproprietary \ntelecommunications service matters dealing with NS/EP Communications \nrequirements for priority service capabilities within the carrier \nnetworks as they upgrade switching technologies to all internet \nprotocol based.\n    Ms. Stefanik. With regard to emerging technologies, specifically 5G \ntechnology, and the exponential increase in the number of connected \ndevices and services in the very near future, how exactly are you \nfactoring this technological evolution into your strategies and your \ncoordination with the private sector, to fully understand the impacts \nand risks?\n    Are there any policy limitations or laws limiting your approach? \nHow about the challenges with spectrum, the limited availability, and \nthe potential for dynamic spectrum sharing technologies to help manage \nthe on-ramp of things such as 5G?\n    Ms. Rinaldo. The National Telecommunications and Information \nAdministration (NTIA) is taking a multifaceted approach to address the \nchallenges of the proliferation of 5G. This starts with assessing how \nsuch technologies will alter the communications marketplace and the \nimpact they will have on numerous adjacent industries and applications. \nConsistent with the Administration's view that the private sector must \nlead in 5G development and deployment, NTIA works to support U.S. 
\ntechnological leadership by making sufficient spectrum available, \nfacilitating broadband deployment, ensuring U.S. networks are secure, \nsupporting industry in global technology standards development, and \npromoting needed research, development, testing and evaluation efforts. \nAccess to spectrum is critical to 5G. Although spectrum is a limited \nresource, NTIA has been very successful in its continuing collaboration \nwith the Federal Communications Commission to make additional spectrum \nbands available for commercial use while ensuring federal agencies have \nthe spectrum needed to perform their important missions. In some \ninstances, exclusive-use licenses are made available but, because of \nthe congested nature of the spectrum environment, increasingly most \nspectrum bands are shared, including between federal government and \nnon-federal government users. Traditional, static methods of sharing, \nprincipally by excluding new entrants from using specific frequencies \nor from operating in specific geographic areas, are starting to be \nreplaced by more dynamic sharing models, such as the newly launched \nCitizens Broadband Radio Service (CBRS) 3.5 GHz band. CBRS represents a \nsignificant advance in dynamic spectrum sharing and may prove \napplicable to future spectrum management frameworks.\n    Ms. Stefanik. As you think about our vulnerabilities, are insider \nthreats an area of concern with respect to our Nation's internet \narchitecture, from either within government or even industry and the \nprivate sector? How do you monitor for insider threats? Are there \npolicies in place that allow you to have a dialogue and understand \ninsider threats from within industry and the private sector, or is this \ndifficult given privacy issues?\n    Ms. Rinaldo. Every organization faces internal threats, including \nInternet infrastructure organizations. 
Identifying and responding to \nthese threats requires careful risk management practices, which can \ninclude practices ranging from controlling use of administrative \nprivileges, to data loss and theft prevention, to physical security of \nkey assets. A number of resources exist to help organizations assess \ninsider risks and develop an insider threat program, including those \npublished by the Cybersecurity and Infrastructure Security Agency, the \nNational Institute of Standards and Technology, and the SANS \nInstitute. For its part, NTIA participates in interagency discussions \nwith our federal partners, and works through a range of industry fora \nto help the private sector better address their cybersecurity risks, \nincluding insider threats.\n    Ms. Stefanik. Given the private sector and industry own the \noverwhelming majority of communications infrastructure, how do you \nengage on a recurring basis with the private sector, especially major \ncarriers and telecommunications companies? What are the recurring \nthemes in these conversations? Are there policy differences, or \nspecific problems you are currently working through?\n    Ms. Rinaldo. NTIA engages with the private sector, including major \ncarriers and telecommunications companies, in multiple ways. For \nexample, NTIA is an active participant in the Government Coordinating \nCouncils (GCC) for the Communications (CGCC) and Information Technology \n(ITGCC) sectors, and regularly attends both the ``joint'' and ``quad'' \nmeetings with private sector participants. These Department of Homeland \nSecurity and Sector-Specific Agency-led councils provide a useful forum \nfor bringing together government and private sector organizations. NTIA \nhas established its leading role in cybersecurity through use of the \nmultistakeholder process to convene stakeholders to address pressing \ncybersecurity concerns. 
These efforts have broad participation from \nindustry, academia, research institutions, and federal departments and \nagencies. Our multistakeholder process efforts have addressed a wide \nrange of topics, including software component transparency, Internet of \nThings (IoT) component upgrades and software patching, and coordinated \nvulnerability disclosure. NTIA's current multistakeholder process \nbrings together stakeholders who draft documents, approved by a \nconsensus of the stakeholders, on how to develop a ``software bill of \nmaterials'' that lists the components that make up software--a concept \nsimilar to a food ingredients list for products on grocery store \nshelves. The goal of the multistakeholder process is to increase \ntransparency around the use of third-party software components so that \nwhen vulnerabilities are detected, there is a way to quickly respond to \nand recover from risks.\n    Ms. Stefanik. As you think about our vulnerabilities, are insider \nthreats an area of concern with respect to our Nation's internet \narchitecture, from either within government or even industry and the \nprivate sector? How do you monitor for insider threats? Are there \npolicies in place that allow you to have a dialogue and understand \ninsider threats from within industry and the private sector, or is this \ndifficult given privacy issues?\n    Given DOD's connections to the Defense Industrial Base, what unique \nresponsibilities does the Department have as the lead for the DIB as a \ncritical sector?\n    Mr. Wilson. Insider threats to the Department, the Defense \nIndustrial Base (DIB), and Defense Critical Infrastructure are of great \nconcern to the Department. The Office of the Under Secretary of Defense \nfor Intelligence (USDI) is the overall lead for countering insider \nthreats in DOD. 
As the Sector Specific Agency (SSA) for the DIB, DOD \nfacilitates its DIB partners' efforts to improve the security and \nresilience of DIB networks and systems, in close coordination with the \nDepartment of Homeland Security (DHS), the Federal Bureau of \nInvestigation (FBI), and others. In addition, USDI and the Office of \nthe Chief Information Officer (CIO) have forged a partnership to secure \nnetworks within the perimeter to monitor for potential insider threats. \nThe National Industrial Security Program (NISP) is administered by the \nDefense Counterintelligence and Security Agency (DCSA) on behalf of the \nDepartment of Defense and 33 other Federal departments and agencies. \nUnder the NISP, cleared industrial facilities are required to have an \ninsider threat program consistent with E.O. 13587 and the National \nInsider Threat Policy and Minimum Standards for Executive Branch \nInsider Threat Programs. The intent is to ensure that insider threat \nprograms at commercial facilities are organized and run like those \nfound at Executive Branch departments and agencies. Many of the major \ndefense contractors have established corporate insider threat programs. \nThe Department remains committed to enabling robust security practices \nbeyond cleared facilities in partnership with the private sector. \nRecently, both the White House Office of Science and Technology Policy \n(OSTP) and the Under Secretary of Defense for Research and Engineering \nsent letters to the U.S. research community to increase awareness of \ninsider threats like foreign talent programs that seek to undermine, \nexploit, and erode our world class research enterprise. DOD shares \ninsider threat related data with industry partners, as permitted by \nlaw. 
Through a series of pathfinder initiatives, the Department is \nfocused on improving its collaboration with DHS, other SSAs, and \nappropriate private sector entities--including select critical \ninfrastructure partners--by sharing threat information, conducting \ncollaborative analysis of vulnerabilities and threats, and, when \nauthorized, mitigating those risks. These pathfinders, in turn, enable \nthe Department and its Federal partners to leverage private sector \nthreat information to support DOD's mission.\n    Ms. Stefanik. Given the private sector and industry own the \noverwhelming majority of communications infrastructure, how do you \nengage on a recurring basis with the private sector, especially major \ncarriers and telecommunications companies? What are the recurring \nthemes in these conversations? Are there policy differences, or \nspecific problems you are currently working through?\n    Who specifically in the Department of Defense does this outreach \nand maintains awareness?\n    Mr. Wilson. DHS serves as the SSA for the Communications and \nInformation Technology Sectors, and works closely with DOD, the \nDepartment of Justice (DOJ), the Department of Commerce, the Federal \nCommunications Commission (FCC), the General Services Administration, \nthe Intelligence Community, and the private sector to address both \nshort-term and longer-term challenges regarding risks to \ntelecommunications networks. Within DOD, the Office of the Chief \nInformation Officer is the lead for the Department's participation on \nTeam Telecom, an interagency working group of representatives from \nFederal government entities, including the DHS and DOJ co-chairs, \ncharged with ensuring the national security of our telecommunications \nnetworks and infrastructure. Team Telecom is involved in reviewing \nforeign acquisitions of U.S. 
communications infrastructure as well as \nevaluating FCC Section 214 license applications to operate or provide \ntelecommunications networks in the United States for national security, \npublic safety, and law enforcement concerns.\n                                 ______\n                                 \n                     QUESTIONS SUBMITTED BY MR. KIM\n    Mr. Kim. There was mention of individual agency exercises, but what \nabout real-world exercises between different agencies? Who do you think \nshould be invited to these exercises? And what are the roles for \nprivate companies and State and local governments? And who should be in \ncharge of running these?\n    Ms. Manfra. CISA conducts exercises with agencies to help increase \ncybersecurity preparedness and resilience. Some exercises are internal \nto a single agency, while others include multiple agencies or even \nprivate sector partners. One noteworthy effort is Cyber Storm, CISA's \nbiannual capstone cyber exercise. This includes multiple federal \nagencies, as well as state and international governments, and the \nprivate sector. The exercise engages players in the discovery of and \nresponse to a widespread cyber incident. Agencies walk through their \nplans and procedures to share information, coordinate with partners, \nand simulate response actions. Currently, approximately 150 \norganizations are slated to participate in Cyber Storm 2020. \nParticipants vary, based on the specific goal and objectives of the \nexercise. CISA usually recommends a cross-section of people who have a \nrole in cybersecurity. This can include senior leadership, \ncybersecurity or information technology (IT) security staff, incident \nresponse teams, analysts, legal, public affairs, human resources (HR), \nor the data or system owners. Private companies and state and local \ngovernments often participate in exercises as players. 
Cyber Storm is \none example of an exercise that engages all stakeholders in one \ncoordinated effort. CISA also conducts exercises for major events like \nthe Super Bowl, which bring together government and private sector to \ntalk about how they would share information or respond to a cyber \nincident that would have impacts across their organizations. CISA is \nwell-positioned to run these types of exercises for various reasons. \nFirst, we have responsibilities for federal cybersecurity and asset \nresponse, so the exercises' outputs inform potential plans and \nprocedures and help educate people on CISA's role. Second, CISA has \nexisting relationships across federal agencies, state and local \ngovernments, and the private sector, which enables us to engage a wide \nswath of stakeholders in exercises. Finally, CISA has analysts and \nsubject matter experts looking at cyber threats daily, who can feed \nthat information into exercises to ensure they address current and \nrealistic threats and vulnerabilities.\n    Mr. Kim. There was mention of individual agency exercises, but what \nabout real-world exercises between different agencies? Who do you think \nshould be invited to these exercises? And what are the roles for \nprivate companies and State and local governments? And who should be in \ncharge of running these?\n    Ms. Rinaldo. The Department of Commerce is a member of the Federal \nEmergency Management Agency's (FEMA) Exercise Implementation Committee \nand the National Security Council's (NSC) Exercise and Evaluation Sub-\nPolicy Coordinating Committee. NTIA participates in national level \nexercises, coordinated among Commerce agencies at the Department level. \nNTIA's level of participation is determined by the specifics of the \nexercise and its relevance to NTIA's statutory responsibilities. For \nexample, NTIA participates in the Eagle Horizon and CyberStorm \nexercises. 
Eagle Horizon is the mandatory, annual, integrated \ncontinuity exercise for all federal executive branch departments and \nagencies, as required by National Continuity Policy. CyberStorm is the \nDepartment of Homeland Security's biennial exercise series to \nstrengthen cyber preparedness in the public and private sectors. The \nDepartment also coordinates participation in senior official exercises \ndirected by the NSC. These exercises are held at the Assistant \nSecretary through Secretary level. In addition to NTIA's direct \nparticipation in national-level exercises, members of the First \nResponder Network Authority (FirstNet Authority) and FirstNet personnel \nfrom AT&T have engaged with state, local, and tribal entities through \ndemonstrations and independent exercise activities. Typically, FirstNet \nwill collaborate with a state or local entity to conduct the exercise. \nThis summer, FirstNet participated in FEMA's Shaken Fury exercise near \nMemphis, Tennessee, involving a series of tabletop, functional, and \nfull-scale exercises in partnership with the U.S. Department of Energy, \nU.S. Northern Command, state and local governments, and the private \nsector.\n    Mr. Kim. There was mention of individual agency exercises, but what \nabout real-world exercises between different agencies? Who do you think \nshould be invited to these exercises? And what are the roles for \nprivate companies and State and local governments? And who should be in \ncharge of running these?\n    Mr. Wilson. The Federal Emergency Management Agency (FEMA) is the \nlead for the National Exercise Program (NEP), which addresses National \nresponse across Federal, State, and local levels, and includes non-\ngovernmental organization, private sector, and private citizen \nparticipation, depending on the scenario. 
NEP exercises are mandatory \nfor Executive Branch departments and agencies and are used to address \nmulti-agency coordination in the performance of National Essential \nFunctions. For example, in 2020, DOD will participate in the FEMA-led \nNational Level Exercise, which is focused on domestic cyber incidents \nand is intended to link together a broad range of interagency exercises \naround a common theme. Additionally, each Federal department and agency \nhosts exercises to inform their respective missions, learn lessons, and \nimprove mission readiness. The goals and objectives of an exercise \ndrive the scope, scenarios, and participation. Although some exercises \nare internally focused on an individual department or agency, others \ninclude broad interagency and other participation. DOD hosts a range of \ninternal and interagency exercises, and supports and participates in \nexercises hosted by DHS, the Department of Energy, the Intelligence \nCommunity, and others. In August 2019, DOD hosted a table-top exercise \nto improve DOD's ability to provide Defense Support of Civil \nAuthorities (DSCA) in response to a cyber incident. The exercise \nincluded representatives from DOD, other Federal departments and \nagencies, the energy sector, and State and local governments. U.S. \nNorthern Command (USNORTHCOM) hosted a table-top exercise in October \n2019 focused on improving DOD's operational coordination structure for \nDSCA responses to cyber incidents, with the goal of improving and \nstreamlining interagency integration in advance of a cyber incident. \nU.S. Cyber Command (USCYBERCOM) hosts the annual CYBER GUARD exercise, \nwhich focuses on refining DOD's readiness to respond to a domestic \ncyber incident. CYBER GUARD includes a wide range of participants from \nFederal departments and agencies and other entities.\n                                 ______\n                                 \n                  QUESTIONS SUBMITTED BY MS. HOULAHAN\n    Ms. 
Houlahan. I also serve on the Foreign Affairs Committee. I am \ncurious what collaboration has looked like and will look like for each \nof your respective agencies as the Department of State stands up the \nBureau of Cyberspace Security and Emerging Technologies and as other \nagencies consider creating similar teams? Further, do you see a need \nfor the Presidential Policy Directive 21 (PPD-21), which divvies up \nresponsibilities within the Federal Government for cyber, to be updated \nto reflect the emergence of these new departments?\n    Ms. Manfra. DHS collaborates and coordinates on international cyber \nengagements with the U.S. Departments of State, Defense, Justice, \nCommerce, and other federal agencies. At present, CISA and the U.S. \nDepartment of State's Office of the Coordinator for Cyber Issues \ncollaborate on a range of issues from cyber capacity building and \ncritical infrastructure protection, to cybersecurity awareness. As \nState stands up the Bureau of Cyberspace Security and Emerging \nTechnologies, DHS expects coordination to increase and for additional \npartnership with international counterparts on cybersecurity. This new \noffice at State will help enhance the outreach to international \npartners and be in direct support of what is already stated in \nPresidential Policy Directive 21 (PPD-21), which currently provides \nthat ``the Department of State, in coordination with DHS, Sector \nSpecific Agencies, and other Federal departments and agencies, shall \nengage foreign governments and international organizations to \nstrengthen the security and resilience of critical infrastructure \nlocated outside of the United States and to facilitate the overall \nexchange of best practices and lessons learned for promoting the \nsecurity and resilience of critical infrastructure on which the Nation \ndepends.'' As PPD-21 already provides for this role for the State \nDepartment, CISA does not see the need to update PPD-21.\n    Ms. Houlahan. 
I often ask our witnesses to speak on two workforce \nchallenges facing our government, as well as our society. First, do you \nfeel your organization has the necessary expertise to execute your \nmission? Is our workforce being adequately prepared to meet these \nemerging threats? Do you have any concerns that this pipeline is \nlacking? Finally, what sorts of challenges does your organization face \nwhen recruiting technical experts when competing with the private \nsector? What could we do to support these recruitment efforts?\n    Ms. Manfra. 1. The United States depends on the reliable \nfunctioning of critical infrastructure. Cybersecurity threats exploit \nthe increased complexity and connectivity of critical infrastructure, \npotentially placing the Nation's security, economy, and public safety \nand health at risk. Paramount to equipping the Federal Government and \nthe nation's critical infrastructure entities with cybersecurity \ninformation and assistance is a workforce with the right competencies, \nknowledge, skills, and abilities to underpin CISA's mission \ncapabilities, in support of the National Cybersecurity Strategy and \nRisk Management Framework. CISA recruits and builds these competencies \nthrough buying, building, and borrowing talent. CISA focuses on hiring \nthe best and brightest talent and augments its capability through \ncontractors. Training is paramount to mission success and CISA \ncontinues to cultivate and capitalize on opportunities to invest in its \nemployees and equip them with maturation of current skills, as well as \nexpand upon them. While CISA employs superior talent, expertise is not \na static endeavor; but rather, a continuous effort. Through training, \nCISA strives to prepare a cybersecurity workforce with the skills to be \nmore resilient and excel at mission capability requirements.\n    2. 
The President's Management Agenda laid out a long-term vision \nfor modernizing the Federal Government's key areas that will improve \nthe ability to deliver mission outcomes. To drive the management \npriorities, the Administration created Cross-Agency Priority (CAP) \nGoals, centered on ``Modernizing Government for the 21st century.'' One \nof the three CAP Goals calls for investing in people and creating the \n``Workforce for the 21st Century.'' This theme is carried throughout \nthe National Cybersecurity Strategy and the DHS Cybersecurity Strategy, \ncalling for the use of innovative solutions to ``keep pace with the \ncurrent pace of change.'' The systematic approach to meet CISA's \nworkforce needs incorporates the concepts of buying, building, and \nborrowing talent. DHS has largely been focused on buying talent through \nthe existing hiring system and the future enhanced Cyber Talent \nManagement System (CTMS). The DHS Office of the Chief Human Capital Officer \n(OCHCO) is leading the effort to prepare for the launch of the CTMS and \ncreate the DHS Cybersecurity Excepted Service. The effort will \nmodernize talent management to align to and keep pace with the \ncybersecurity work of the Department by taking a comprehensive approach \nto recruit and retain talent modeled after industry best practices. \nCompetition in the marketplace to recruit and retain cyber \nprofessionals continues to grow, along with the demand for cyber \ndefense experts to protect our nation's networks and information \nsystems. To overcome these challenges, the Administration has focused \non efforts under the Federal CAP Goal, Developing a Workforce for the \n21st Century, to improve service to America through enhanced alignment \nand strategic management of the Federal workforce. 
To further build \nupon the work already done and increase employee engagement, on May 2, \n2019, the Administration published the Executive Order on America's \nCybersecurity Workforce, with the direction to strengthen the \ncybersecurity capability of the Federal workforce through increased \nintegration and skills enhancement opportunities under a rotational \nprogram. The Federal Cybersecurity Rotation Program is a career \nbroadening opportunity for cybersecurity practitioners to expand their \ncybersecurity competencies, expand the depth of their Federal \ncybersecurity knowledge and experiences, and strengthen their skills. \nIt will allow current Federal employees to gain exposure to a range of \ncybersecurity functional areas to improve their cybersecurity \nperspective and learning agility through stretch assignments. The \nprogram will also expand upon the successful Federal Cybersecurity \nReskilling Academy, executed by OMB, OPM and the Department of \nEducation in FY 2019. DHS will develop non-cyber federal employees who \nare interested in a cyber career and have the necessary competencies by \nassessing their capability and aligning training and career broadening \nopportunities to develop them into cyber practitioners. Participants \nwill gain development and skill enhancement through required and \nblended learning approaches such as work role-specific tours, \nconferences, cohort networking and training events, leveraging web-\nbased virtual labs, and mentoring, in addition to the on-the-job \nexperience. CISA is working alongside the Department of Veterans \nAffairs and Department of Defense to create career pathways using the \nNIST NICE Cybersecurity Workforce Framework, which build upon the \nworkforce development programs suggested in the report's \nrecommendations. 
CISA looks to continue to build upon training and \neducation programs that transform, elevate, and sustain the learning \nenvironment to grow a dynamic and diverse cybersecurity workforce. \nFurther, CISA is working with the Department of Veterans Affairs, \nDepartment of Defense, and Office of Personnel Management to identify \nand leverage tools to assess aptitude and skills related to cyber \npositions. Many of these efforts, including the cataloguing of \ncybersecurity positions using the NIST framework, the rotational \nprogram, and the reskilling academy, are highlighted in the \nAdministration's Solving the Federal Cyber Workforce Shortage paper \nincluded in the June 2018 Delivering Government Solutions in the 21st \nCentury. In a field that experiences as much change as cybersecurity, \nupdating employee skills that will be critical as the threat landscape \nevolves is important. However, employee development can have a \nbeneficial effect on retention. Providing a well-defined career path, \nas well as associated trainings, that clearly map how a cybersecurity \nemployee can grow within the organization, may contribute to retention. \nIf provided a path to improve, acquire new skills, and progress along \nan exciting career path, whether it be technical or leadership in \nnature, employees will stay engaged and thus will be less likely to \nseparate. Support to publish these career pathways on the NIST NICE \nwebsite will benefit both the public and private sector. CISA believes \nit has exercised all available opportunities to recruit and retain \ntalent to the extent allowable. Finally, investment in the resources \nnecessary for the HR IT to recruit and serve existing employees is \ncritical to success. 
The current DHS HR IT solutions are predominantly \ndisjointed and some business processes are still paper-based, which \nadversely impacts the ability of DHS HR professionals to deliver high \nquality, effective services to the DHS workforce, including the \nrecruitment and hiring of highly skilled personnel to meet the DHS \nmission. The Administration has recognized this and has included an \nincrease of $10.5M in the DHS Management Directorate's Fiscal Year 2021 \nBudget to continue enhancements of the HR IT Portfolio and provide \nadvanced automation capabilities across the DHS HR community, DHS \nworkforce, and in some cases, family members of the DHS workforce. \nThese improvements will provide DHS employees with self-service \ncapabilities and will have profound effects on the DHS workforce and \nits readiness to support the DHS mission. This funding will support \nrecruitment requirements and allow for a top-notch customer service \norganization capable of supporting a workforce to be on par and \nconsistent with its private sector competition. CISA will work through \nthe budget process to support this critical investment moving forward.\n    Ms. Houlahan. Google has announced that they are considering making \na change to the DNS settings on their Chrome browser and Android \noperating system that would, reportedly, have the effect of displacing \nDNS services provided by ISPs and other third parties and making Google \nthe centralized encrypted DNS provider by default for most of the \nInternet. Is DHS/CISA aware of Google's plans? What are some of the \nimplications of Google's plan to centralize DNS data? Specifically, how \nwill Google's plan affect malware detection tools used to protect this \nnation's Critical Infrastructure?\n    Ms. Manfra. The characterization that Google will become ``the \ncentralized encrypted DNS provider by default for most of the \nInternet'' is incorrect. 
Google's plan, as shared in a September 10 \nblog post, is that the DNS settings for Chrome will be upgraded to a \nsecure connection, only if the current DNS provider offers a secure \nconnection. As Kenji Baheux, Chrome Product Manager, says in the post, \n``the DNS service will not change, only the protocol will. As a result, \nexisting content controls of your current DNS provider, including any \nexisting protections for children, will remain active.'' The post then \ndescribes in greater detail how this will occur and provides steps for \nusers who prefer an insecure connection to opt-out. Microsoft has also \nmade an announcement to offer DNS over HTTPS at the operating system \nlevel in a similar way Chrome does it within the browser. Mozilla \nFirefox is planning a change that would move users by default to a \nsingle, encrypted DNS provider, but Mozilla offered extensive \ndocumentation to continue supporting enterprise IT use cases; network-\nprovided DNS can still be made mandatory. While only a single DNS \nprovider is currently offered, Mozilla has made clear they are \n``working to build a larger ecosystem.'' CISA believes both approaches \nare thoughtful and helpful in driving users to more secure services. \nHowever, CISA also recognizes that the side effects of increased DNS-over-\nHTTPS (DOH) use can cause those enterprises that do not manage their \nassets effectively to lose visibility into DNS traffic leaving their \nendpoints. This also may inhibit CISA's ability to prevent malicious \ndomains from resolving in civilian executive branch networks using \nEINSTEIN 3 Accelerated intrusion prevention capabilities. Centralizing \nDNS resolution to any service operator could provide that entity with \nunique insights into the DNS behavior of users. It could also deprive \nenterprise network security operations, cybersecurity service \nproviders, and internet service providers of that same insight. 
\nHowever, as noted, enterprise policies can still be set on managed \ndevices to require the use of an enterprise's preferred DNS provider. \nAt the same time, CISA believes that Google and Mozilla's effort is \nintended to have positive security and privacy impacts for individual \nend users of their products, and to improve the performance of their \nsystems. Not all malware detection mechanisms rely on the analysis of \nDNS activity. CISA has always recommended that critical infrastructure \norganizations thoughtfully employ defense-in-depth strategies that \nallow for the detection and prevention of unauthorized access by \nmultiple means. However, in cases where DNS monitoring is used to \ndetect unauthorized activity on Android devices and the Chrome web \nbrowser in the business networks of critical infrastructure entities, \nGoogle's plan could create a blind spot for network security analysts \nwhere those devices are not configured to abide by enterprise policies.\n    Ms. Houlahan. The process of DNS resolution today is very \ndecentralized--it involves many DNS resolvers working in concert to \npower the Internet for this country and globally. What impact would \ncentralization of DNS resolution have in terms of our nation's \ncyber preparedness, resiliency, and security?\n    Ms. Manfra. CISA seeks to champion technologies that help secure \nDNS and does not intend to re-engineer the distributed architecture of \nDNS infrastructure. Our intent is to re-route federal DNS traffic from \nuntrusted service providers (some of which may be owned and operated by \nforeign entities) to a trusted, U.S.-owned recursive DNS service \nprovider. The CISA-provided service will still offer distributed and \nresilient infrastructure in order to support our nation's preparedness, \nresiliency, and security. The service will provide managed federal DNS \ninfrastructure that supports the latest DNS technologies (e.g. 
DNS over \nHTTPS and DNS over TLS), applies consistent protections and state of \nthe art threat feeds, and provides CISA with visibility into the \nfederal DNS traffic for analysis and feature enhancements.\n    Ms. Houlahan. I also serve on the Foreign Affairs Committee. I am \ncurious what collaboration has looked like and will look like for each \nof your respective agencies as the Department of State stands up the \nBureau of Cyberspace Security and Emerging Technologies and as other \nagencies consider creating similar teams? Further, do you see a need \nfor the Presidential Policy Directive 21 (PPD-21), which divvies up \nresponsibilities within the Federal Government for cyber, to be updated \nto reflect the emergence of these new departments?\n    Ms. Rinaldo. NTIA does not see a need to revise PPD-21 based on the \ncreation of new agencies. PPD-21 is flexible in that it assigns general \nresponsibilities primarily at the department level, and relevant new \nagencies would be tasked at the direction of their departmental \nleadership. NTIA collaborates regularly with departments and agencies \non cybersecurity issues. Newly established agencies' missions will be \nincorporated into the interagency policy process and work flow.\n    Ms. Houlahan. The process of DNS resolution today is very \ndecentralized--it involves many DNS resolvers working in concert to \npower the Internet for this country and globally. What impact would \ncentralization of DNS resolution have in terms of our nation's \ncyber preparedness, resiliency, and security?\n    Ms. Rinaldo. NTIA is actively monitoring recent protocol \ndevelopments and implementations to encrypt Domain Name System (DNS) \nqueries, such as DNS-over-Transport Layer Security and DNS-over-\nHypertext Transfer Protocol Secure. NTIA staff regularly consult with \nDNS technologists and experts to understand the impact that new DNS \nsecurity implementations may have on the Internet ecosystem. 
The \nInternet's decentralized architecture, including the DNS, Transmission \nControl Protocol/Internet Protocol, and physical infrastructure, has \nbeen one of its greatest strengths. It has contributed to innovations \nin connectivity and network performance, allowing companies to pursue \neconomies of scale in telecommunications, content delivery, Web \nservices, and other sectors and to offer greater connection speed and \nreliability for American consumers. The new protocol implementations \nrepresent a shift from current DNS resolution practice, but NTIA is \nclosely monitoring these developments and working to ensure that such \nimplementations do not introduce cyber threats to the Internet \necosystem or compromise its overall resiliency and security.\n    Ms. Houlahan. I also serve on the Foreign Affairs Committee. I am \ncurious what collaboration has looked like and will look like for each \nof your respective agencies as the Department of State stands up the \nBureau of Cyberspace Security and Emerging Technologies and as other \nagencies consider creating similar teams? Further, do you see a need \nfor the Presidential Policy Directive 21 (PPD-21), which divvies up \nresponsibilities within the Federal Government for cyber, to be updated \nto reflect the emergence of these new departments?\n    Mr. Wilson. DOD has been apprised of Department of State plans to \nreorganize internally. DOD does not anticipate a change in how DOD \ninteracts with the Department of State on cyberspace issues as a result \nof the reorganization. At this time, because broad department \nresponsibilities will not change as the result of internal departmental \norganizational changes, DOD does not anticipate a need to update PPD-\n21. 
Further, DOD encourages the critical infrastructure Sector Specific \nAgencies (SSAs) identified in PPD-21 to establish or bolster \ncybersecurity and cyber resilience measures to assure the protection \nand continued function of systems, capabilities, and assets for which \nthey are responsible. Through a series of pathfinder initiatives, DOD \nis focused on improving its collaboration with DHS, other SSAs, and \nappropriate private sector entities--including select critical \ninfrastructure partners--by sharing threat information, conducting \ncollaborative analysis of vulnerabilities and threats, and, when \nauthorized, mitigating those risks. These pathfinders, in turn, enable \nDOD and its Federal partners to leverage private-sector threat \ninformation to support DOD's mission.\n    Ms. Houlahan. In nuclear policy, the concept of deterrence is \nfounded in our understanding of our adversaries' nuclear capabilities \nand our adversaries' understanding of our own nuclear capabilities. It is \nmy understanding that we don't have as thorough an understanding of our \nadversaries' capabilities when it comes to cyber. What work is being \ndone to establish global nuclear norms? What steps are being taken to \nimprove our partners' cybersecurity capabilities, especially those \ncountries at most risk of cyber attack from our adversaries? Which \ndepartment or agency is leading that effort?\n    Mr. Wilson. The Department of Defense works closely with the \nDepartment of State to deter malicious cyber activity and foster \nstability in cyberspace in part through the identification and \npromotion of peacetime norms of responsible state behavior in \ncyberspace. The 2015 report of the United Nations Group of Government \nExperts (UN GGE) on Information and Communications Technologies in the \nContext of International Security was instrumental in promoting certain \ncyberspace norms, and the GGE process is scheduled to resume in \nDecember 2019. 
As the lead foreign affairs agency, the Department of \nState has the lead role in coordinating foreign assistance, including \ncyberspace-related capacity-building assistance for international \npartners. DOD works to build the cyber capacity of its international \npartners, and the 2018 DOD Cyber Strategy lists expanding DOD cyber \ncooperation with international partners as one of the Department's key \ncyberspace objectives. DOD recently issued DOD International Cyberspace \nSecurity Cooperation Guidance to DOD components to facilitate and \nprioritize cyberspace capacity-building with allies and partners.\n    Ms. Houlahan. The process of DNS resolution today is very \ndecentralized--it involves many DNS resolvers working in concert to \npower the Internet for this country and globally. What impact would \ncentralization of DNS resolution have in terms of our nation's \ncyber preparedness, resiliency, and security?\n    Mr. Wilson. Centralization of Domain Name System (DNS) resolution \noffers the idea of improved efficiency of system administration and has \nthe potential to reduce the costs for resources. However, the impact of \ncentralization of DNS resolution comes at the expense of security. \nFurther, having a national or international centralized DNS name space \nwould not be scalable. The DNS hierarchy was designed to be \ndistributed; this distribution provides technical diversity, \nresiliency, and stability.\n    DNS centralization would result in greater vulnerability to \nspecific targeted attacks and could increase the risk and threat \nlevels. Globally, any attempt by one country to centralize DNS of \nindependently managed country code domains and generic database Top \nLevel Domains would most likely not be approved by the multi-\nstakeholder Internet Governance organizations and model that governs \ntoday's Internet. 
To clarify, a centralized DNS created by the United \nStates would likely create opposition by foreign entities (e.g., \ncountries, corporations). This would likely culminate in the generation \nof a fragmented or splintered Internet.\n\n                                  [all]\n</pre></body></html>\n"