[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                    U.S. CYBERSECURITY PREPAREDNESS
                      AND H.R. 7331, THE NATIONAL
                           CYBER DIRECTOR ACT

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                          OVERSIGHT AND REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 15, 2020

                               __________

                           Serial No. 116-102

                               __________

      Printed for the use of the Committee on Oversight and Reform
      
      
[GRAPHIC NOT AVAILABL IN TIFF FORMAT]      


                       Available on: govinfo.gov,
                         oversight.house.gov or
                             docs.house.gov
                             
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
40-844 PDF                  WASHINGTON : 2020                     
          
--------------------------------------------------------------------------------------                           
                             
                             
                   COMMITTEE ON OVERSIGHT AND REFORM

                CAROLYN B. MALONEY, New York, Chairwoman

Eleanor Holmes Norton, District of   James Comer, Kentucky, Ranking 
    Columbia                             Minority Member
Wm. Lacy Clay, Missouri              Paul A. Gosar, Arizona
Stephen F. Lynch, Massachusetts      Virginia Foxx, North Carolina
Jim Cooper, Tennessee                Thomas Massie, Kentucky
Gerald E. Connolly, Virginia         Jody B. Hice, Georgia
Raja Krishnamoorthi, Illinois        Glenn Grothman, Wisconsin
Jamie Raskin, Maryland               Gary Palmer, Alabama
Harley Rouda, California             James Comer, Kentucky
Ro Khanna, California                Michael Cloud, Texas
Kweisi Mfume, Maryland               Bob Gibbs, Ohio
Debbie Wasserman Schultz, Florida    Clay Higgins, Louisiana
John P. Sarbanes, Maryland           Ralph Norman, South Carolina
Peter Welch, Vermont                 Chip Roy, Texas
Jackie Speier, California            Carol D. Miller, West Virginia
Robin L. Kelly, Illinois             Mark E. Green, Tennessee
Mark DeSaulnier, California          Kelly Armstrong, North Dakota
Brenda L. Lawrence, Michigan         W. Gregory Steube, Florida
Stacey E. Plaskett, Virgin Islands   Fred Keller, Pennsylvania
Jimmy Gomez, California
Alexandria Ocasio-Cortez, New York
Ayanna Pressley, Massachusetts
Rashida Tlaib, Michigan
Katie Porter, California

                     David Rapallo, Staff Director
                       Emily Burns, Chief Counsel
                    Mark Stephenson,  Chief Counsel
                          Amy Stratton, Clerk

                      Contact Number: 202-225-5051

               Christopher Hixon, Minority Staff Director
                                 ------                                
                        
                        C  O  N  T  E  N  T  S

                              ----------                              
                                                                   Page
Hearing held on July 15, 2020....................................     1

                               Witnesses

Panel 1
The Honorable James R. Langevin, Member of Congress, 
  Commissioner, U.S. Cyberspace Solarium Commission
    Oral Statement...............................................     7
The Honorable Mike Gallagher, Member of Congress, Co-Chair, U.S. 
  Cyberspace Solarium Commission
    Oral Statement...............................................     9
Panel 2
The Honorable Michael J. Rogers, David Abshire Chair, Center for 
  the Study of the Presidency, and Former Congress and Chairman, 
  House Permanent Select Committee on Intelligence (2011-2015)
    Oral Statement...............................................    18
J. Michael Daniel, President and Chief Executive Officer, Cyber 
  Threat Alliance,White House Cybersecurity Coordinator (2012-
  2017)
    Oral Statement...............................................    21
Amit Yoran, Chairman and Chief Executive Officer, TenableFounding 
  Director, U.S. Computer Emergency Readiness Team (US-CERT) 
  (2003-2004)
    Oral Statement...............................................    22
Suzanne Spaulding, Senior Adviser, Homeland Security, 
  International Security Program,Center for Strategic & 
  International Studies, Commissioner, U.S. Cyberspace Solarium 
  Commission
    Oral Statement...............................................    24
Jamil N. JafferFounder & Executive Director, National Security 
  InstituteGeorge Mason University
    Oral Statement...............................................    28

Written opening statements and witnesses' written statements are 
  available at the U.S. House of Representatives Repository: 
  docs.house.gov.
                           INDEX OF DOCUMENTS

                              ----------                              

The documents entered into the record are available at: 
  docs.house.gov.

  * Letter of Endorsement of National Cybersecurity Director by 
  US Chamber of Commerce; submitted by Rep. James R. Langevin.

  * Questions for the Record: to Mr. Daniel; submitted by 
  Chairwoman Maloney.

  * Questions for the Record: to Mr. Jaffer; submitted by 
  Chairwoman Maloney.

  * Questions for the Record: to Mr. Rogers; submitted by 
  Chairwoman Maloney.

  * Questions for the Record: to Ms. Spaulding; submitted by 
  Chairwoman Maloney.

  * Questions for the Record: to Mr. Yoran; submitted by 
  Chairwoman Maloney.

  * Questions for the Record: to Mr. Daniel; submitted by Ranking 
  Member Comer.

  * Questions for the Record: to Mr. Jaffers; submitted by 
  Ranking Member Comer.

  * Questions for the Record: to Mr. Rogers; submitted by Ranking 
  Member Comer.

  * Questions for the Record: to Ms. Spaulding; submitted by 
  Ranking Member Comer.

  * Questions for the Record: to Mr. Yoran; submitted by Ranking 
  Member Comer.
.................................................................

 
                    U.S. CYBERSECURITY PREPAREDNESS
                      AND H.R. 7331, THE NATIONAL
                           CYBER DIRECTOR ACT

                              ----------                              


                        Wednesday, July 15, 2020

                  House of Representatives,
                 Committee on Oversight and Reform,
                                                    Washington, DC.

    The committee met, pursuant to notice, at 12:16 p.m., via 
WebEx, Hon. Carolyn B. Maloney [chairwoman of the committee] 
presiding.
    Present: Representatives Maloney, Norton, Lynch, Connolly, 
Raskin, Rouda, Khanna, Mfume, Sarbanes, Welch, Speier, 
DeSaulnier, Tlaib, Porter, Comer, Jordan, Gosar, Massie, 
Grothman, Cloud, and Keller.
    Chairwoman Maloney. Good afternoon. The committee will come 
to order. Without objection, the chair is authorized to declare 
a recess of the committee at any time.
    I recognize myself for an opening statement.
    Ladies and gentlemen, thank you all for being here today. 
As our Nation reckons with the monumental human and economic 
toll of the coronavirus crisis, we must look critically at the 
warnings we had and the decisions made about them.
    The most recent Worldwide Threat Assessment of the U.S. 
Intelligence Community, released in January 2019, warned, and I 
quote, ``The United States and the world will remain vulnerable 
to the next flu pandemic or large-scale outbreak of a 
contagious disease that could lead to massive rates of death 
and disability, severely affect the world economy, strain 
international resources, and increase calls on the United 
States for support.''
    We must ask ourselves what other warnings are going 
unheeded, and what can we do right now to protect the American 
people from other catastrophic threats? Before the unthinkable 
happens in the future, how can we exercise strategic, decisive 
foresight to the best of our ability today to ensure we are a 
nation prepared tomorrow?
    That same Worldwide Threat Assessment lists cyber attacks 
as a top global threat, with China, Russia, Iran, and North 
Korea waging a silent war capable of shutting down critical 
infrastructure, breaching sensitive information systems, and 
jeopardizing critical sectors in America and globally.
    The report states, and I quote, ``Our adversaries and 
strategic competitors will increasingly use cyber 
capabilities--including cyber espionage, attack, and 
influence--to seek political, economic, and military advantage 
over the United States and its allies and partners.''
    Cyber-attacks are a critical, complex, prevalent, and 
growing threat to the Nation's safety and economic security, 
touching nearly every aspect of our lives. This assessment was 
upheld by recent findings from the U.S. Cyberspace Solarium 
Commission, which was established by the 2019 National Defense 
Authorization Act to review the state of our cybersecurity 
posture and develop bipartisan solutions for defending America 
against cyber-attacks.
    This commission of congressional, executive branch, and 
private sector cybersecurity leaders sounded the alarm that, in 
addition to millions of intrusions that disrupt operations in 
America on a daily basis, we remain vulnerable to catastrophic 
attacks on critical infrastructure and economic systems that 
could cause widespread damage and death.
    A number of the commission's recommendations fall within 
the legislative jurisdiction of this committee. This includes 
one that has sparked a high level of interest on both sides of 
the aisle, the recommendation for a centralized cybersecurity 
position at the White House to develop and streamline the 
Federal Government's strategy, coordination, and response to 
cyber-attacks.
    This role was first formalized during the George W. Bush 
Administration and then elevated and expanded during the Obama 
Administration. But in 2018, then-National Security Adviser 
John Bolton eliminated the role, reportedly to cut ``another 
layer of bureaucracy.''
    The move generated widespread bipartisan concern. In 2019, 
the United States was rated as the fifth most cyber-secure 
nation in the world. In 2020, it dropped to the seventeenth.
    Today, we will review H.R. 7331, which would implement the 
commission's recommendation to establish a National Cyber 
Director in the Executive Office of the President. This new 
position would restore that cyber coordination and planning 
function to the White House. In addition, for the first time, 
it would be backed with resources and statutory authority to 
lead strategic planning efforts, review cybersecurity budgets, 
and coordinate national incident response.
    A challenge as complex and pervasive as cybersecurity 
requires that our Government be strategic, organized, and 
ready. Democrats and Republicans agree we need a National 
Cybersecurity Director to ensure we are fully prepared for, and 
coordinated in, our response to cyber-attacks as our Nation 
fights this silent war. Our mission today is to gain a detailed 
understanding of the threats we face and to thoroughly examine 
H.R. 7331 as the vehicle for preparing our country against 
those threats.
    I now recognize the distinguished ranking member for his 
opening statement. Representative Comer?
    Mr. Comer. Thank you, Chairwoman Maloney, for holding this 
hearing to address our Nation's cybersecurity posture and to 
explore the merits of U.S. Cyberspace Solarium Commission's 
recommendations to establish a National Cyber Director office 
within the Executive Office of the President.
    The Federal cyber domain, we can all agree, is dynamic and 
dispersed, with varying jurisdictions and expertise across the 
Federal Government. These agencies are organized to combat 
cyber-crime, defend against national security intrusions, and 
support the security needs of the private sector's critical 
industries and commercial interests.
    Our Nation has continuously become more and more reliant on 
technology over the last three decades. Our reliance on 
technology and interconnected information systems is more 
important than ever, with the pandemic forcing organizations to 
quickly build out remote operations and our Nation's work force 
pivoting to a work from home posture. Increasingly, foreign 
state actors, extremist groups, domestic agitators, and 
criminal enterprises all have a vested interest in exploiting 
U.S. networks.
    The remote operations of the pandemic have created new 
cyber vulnerabilities for these malicious actors to take 
advantage of. These are the same actors who also target our 
private sector partners and state and local institutions. 
Breaches in Federal and commercial networks by foreign 
governments have exposed sensitive intelligence data, 
proprietary military designs, and Government personnel data.
    Because of cybersecurity risks, we must all do our part to 
maintain a safe and secure national cyber infrastructure, and 
by continuing to foster relationships across the private sector 
and our state and local partners, we can share vital cyber 
threat information that helps secure our critical 
infrastructure.
    We will hear today from notable subject matter experts who 
have deep experience navigating the Nation's cybersecurity 
environment. They also have experience with efforts to combat 
damaging cyber-attacks from foreign adversaries like China. 
Historically, China has hacked into the FDIC, stolen valuable 
U.S. R&D, and paid our university professors to improperly 
share valuable intellectual property. I would welcome the 
opportunity to work with the majority to hold China accountable 
for these bad acts, as well as their deceptive tactics over the 
course of this pandemic. That would be a great hearing, Madam 
Chairman.
    Today, however, we look forward to evaluating the proposal 
to establish a National Cyber Director to oversee the 
cybersecurity policy, planning, and operations of the Federal 
Government. In evaluating this legislative proposal, we have a 
duty to the American people to be a good steward of taxpayer 
dollars and not create more bureaucracy. Establishing a clear 
and convincing rationale for establishing such a critical 
position requires the kind of due diligence and thoughtful 
assessment that our committee's hearing processes afford. The 
current and projected cybersecurity landscape is complicated 
with many actors and operations that must work in harmony.
    While there have been more than several high-profile 
cybersecurity incidents over the past decade, I must note that 
recent attempts at targeting our Nation's coronavirus 
biomedical research activities and use of remote work platforms 
have been taken very seriously by Homeland Security and law 
enforcement officials within the Trump administration. The 
administration has done what is expected of cybersecurity 
professionals. It has prioritized defending against potentially 
harmful cyber incidents wherever and whenever threats are 
found.
    I think we all want our Nation's cybersecurity to be 
effective, both defensively and offensively. To this end, it is 
imperative that Congress and this committee fully evaluate the 
reasons why the commission recommended the statutory creation 
of the National Cyber Director.
    The main questions I have toward this goal are, ``Is it 
necessary to create another Federal office to have someone 
truly in charge, and if so, will that official, in fact, have 
the authority to make the decisions that need to be made? Will 
everyone else fall in line and work in harmony?
    We know that multiple Federal agencies have a piece of the 
cybersecurity pie. So, by authorizing a new oversight and 
coordinating official, are we legitimately creating a system 
that will be more prepared to face growing cyber threats? Will 
the National Cyber Director utilize the existing cyber 
leadership and expertise in our Government, or do we risk 
making that bureaucratic pie bigger and creating duplicating 
functions? Will a National Cyber Director add value to this 
Nation's cybersecurity infrastructure, or should we align and 
support systems already in place?
    I look forward to hearing about tangible examples of how 
this National Cyber Director would actually respond to a cyber 
incident and how that might be better than the system already 
in place. In a fluid environment, when response time and 
expertise are paramount, we cannot afford to introduce 
inefficiencies or bureaucratic hurdles to the Government's 
ability to respond to a national cybersecurity incident in real 
time.
    Madam Chairwoman, I think we agree our Nation's 
cybersecurity enterprise deserves a supported public policy 
that will not hinder dynamic, focused, and strategic planning 
and operation. I am pleased to be working with you on this 
issue, but again, I want to ensure that we are not fostering 
redundant efforts across the Federal cyber sector. In 
establishing a Senate-confirmed cybersecurity leader, we need 
to be comfortable in limiting Presidential prerogative to 
implement preferred policies on behalf of the American people.
    Again, I appreciate this opportunity to review this 
recommendation and hear from these expert witnesses. I yield 
back.
    Chairwoman Maloney. Thank you, Mr. Comer.
    I now recognize the distinguished chairman of the 
Subcommittee on National Security, Mr. Lynch, for an opening 
statement.
    Mr. Lynch. Now thank you, Madam Chair, and thank you for 
convening today's important hearing on H.R. 7331, which allows 
for the creation of a National Cyber Director, which is an idea 
that is not only reasonable, but necessary and long overdue 
given the world in which we live.
    I am well aware of the lengthy review and study that Mr. 
Langevin has engaged in over the years on this issue. He has 
been nothing short of relentless in his mission, and I thank 
him and our friend and colleague Mr. Gallagher for their 
bipartisan commitment to defending our Nation's cybersecurity 
and for their testimony before our committee.
    I also want to take a minute just to thank Mr. Katko, Mr. 
Ruppersberger, and Mr. Hurd, who are also original co-sponsors 
of H.R. 7331.
    Now for years, foreign policy and national security experts 
have considered cyber to be the battlefield of the future. And 
for anyone paying attention, that future is already here. Back 
in 2014, hackers, likely affiliated with the Chinese 
government, breached the information system of the Office of 
Personnel Management, compromising the personal data of at 
least 22 million people, including, most notably, Federal 
employees who had either applied for or received security 
clearances for access to classified information.
    We are also well aware of Russia's sweeping and systemic 
efforts in 2016 to interfere in the Presidential election by 
hacking the computer network of the Democratic National 
Committee and attempting to penetrate the election 
infrastructure in all 50 states.
    To speak to some of Mr. Comer's concerns, most recently our 
National Security Subcommittee staff, which I chair, we held a 
briefing with the Federal Bureau of Investigation and the 
Cybersecurity Infrastructure Security Agency to discuss the 
latest uptick in cyber-attacks during the coronavirus pandemic 
against the Federal Government agencies, research and academic 
institutions, and even private citizens. During the briefing, 
our committee was told that every institution or agency 
conducting coronavirus vaccine research is a target for--is a 
current target for foreign cyber attackers.
    As our intelligence agencies warned before 9/11, the system 
is blinking red. Yet only two years ago, then-National Security 
Adviser John Bolton dismantled the national cyber coordinator 
position at the National Security Council, leaving the U.S. 
cybersecurity policy rudderless and disjointed.
    The need for greater leadership, strategic planning, and 
policy coordination to ensure the security of our Nation in the 
cyber domain could not be more urgent or important. So, I am 
pleased to support H.R. 7331, which will allow for the creation 
of a National Cyber Director, and I would encourage all of my 
colleagues to do the same.
    Again, I want to thank the chairwoman for her willingness 
to hold this hearing today, and I want to thank all of our 
witnesses for testifying. I look forward to the discussion and 
for building even greater bipartisanship and consensus around 
the importance of H.R. 7331.
    Last, I am also currently in a markup over in T&I--I am at 
the Capitol today--where I have an amendment pending. So, I am 
going to have to jump out and then jump back in. I apologize 
for that, but that is our schedule. I yield back. Thank you, 
Madam Chair.
    Chairwoman Maloney. Thank you, Mr. Lynch. I now recognize 
Mr. Grothman for an opening statement.
    Mr. Grothman. OK. Can you hear me?
    Chairwoman Maloney. Yes. We can hear you.
    Mr. Grothman. Good. I appreciate this opportunity in my 
role--first of all, it is good to see we got our witness on 
here from Wisconsin. So, I thank you for bringing him in. I 
appreciate this opportunity in my role as ranking member of the 
National Security Subcommittee on Oversight to address an issue 
with major national security ramifications.
    As Ranking Member Comer addressed in the opening comments, 
our Nation's adversaries will stop at nothing to steal our 
secrets, commercial expertise, and sensitive information held 
on a sprawling computer network connecting both public and 
private sector organizations. Chief among these cyber offenders 
is the Chinese government.
    Unfortunately, despite a desire to play by the rules in 
international commerce, as President Trump says, we have been 
treated unfairly by the Chinese. Oftentimes, this well-
intentioned global posture costs the United States our valuable 
intellectual property, which flows out of our Nation's research 
institutions into Chinese hands. The hearing today will help us 
determine whether our Federal Government needs support in 
defending against these high-stakes malicious cyber attacks and 
continual intrusions.
    One of the proposals by the Cyberspace Solarium Commission 
was the formation of a new National Cyber Director office and a 
Senate-confirmed official inside the White House. While I 
appreciate the commission's desire to ensure that the Federal 
Government's cybersecurity infrastructure includes a one-stop 
shop for cyber guidelines, I wonder whether we might be too 
quick to create yet another new bureaucracy by not carefully 
considering potential downsides to this reform.
    We must keep in mind the Trump administration's success in 
protecting our last mid-term elections from disruptive cyber 
incidents, and the administration's strong stance against those 
who wish to take advantage of international attempts to exploit 
the technology challenges presented by the pandemic. Would we 
be doing a disservice to various agencies which already 
effectively coordinate cybersecurity responses for our Nation?
    I want to keep an open mind on the merits of any proposal 
to improve our national cybersecurity, and I appreciate today's 
witnesses and the time and attention they have each dedicated 
to protecting our Nation's information and critical 
infrastructures.
    I look forward to the witnesses' testimony and their 
perspectives on whether the creation of a National Cyber 
Director will add value to the current multi-agency cyber 
framework to properly de-conflict and coordinate effective 
responses to cyber attacks against our Government and private 
sector.
    Thank you, Chairwoman Maloney and my counterpart on the 
National Security Subcommittee, Chairman Lynch, and Ranking 
Member Comer, for all of your interest in these pressing 
issues. I look forward to working with each of you to ensure 
that we strengthen America's cybersecurity against all types of 
threats and any foes from abroad who wish to do Americans harm. 
I yield back.
    Chairwoman Maloney. Thank you, Mr. Grothman.
    I will now introduce our first panel of witnesses 
consisting of our colleagues here in the House of 
Representatives who served on the U.S. Cyberspace Solarium 
Commission--Congressman Jim Langevin of Rhode Island, 
commissioner of the Cyberspace Solarium Commission and chairman 
of the Emerging Threats and Capabilities Subcommittee of the 
House Armed Services Committee, who has been championing this 
effort for many, many years, and Congressman Mike Gallagher of 
Wisconsin, co-chair of the commission and a proud new father of 
Grace Ellen Gallagher. Congratulations on truly life's greatest 
experience of becoming a father, and it is the best job in the 
world. So, we are very pleased to have you both here today.
    With that, Mr. Langevin, you are now recognized to provide 
your testimony.

   STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE IN 
CONGRESS FROM THE STATE OF RHODE ISLAND AND COMMISSIONER, U.S. 
                 CYBERSPACE SOLARIUM COMMISSION

    Mr. Langevin. Very good. Well, thank you, and good 
afternoon, Chairwoman Maloney, Ranking Member Comer, and 
distinguished members of the committee. It is always humbling 
to sit on this side of the table, the witness table, even when 
it is virtual. I want to begin my remarks by thanking all of 
you for the important work that you do. I particularly want to 
thank Chairwoman Maloney for convening this hearing and for her 
partnership in raising the issue of creating a National Cyber 
Director.
    I join you today as a representative of the Cyberspace 
Solarium Commission. I am proud to be joined by my colleague, 
Congressman Mike Gallagher, one of the co-chairs of the 
Solarium Commission.
    I also want to congratulate him on being the newest father 
in the House to his daughter Grace. Congratulations, Mike. I 
know you are coming off paternity leave to be here for this 
hearing, so thanks, and I commend you for your work.
    In the 2019 National Defense Authorization Act, Congress 
charged the Solarium Commission with developing a consensus on 
a strategic approach to defending the United States in 
cyberspace against cyber attacks of significant consequence. In 
our first meeting, however, outside experts on congressional 
commissions told us that we were attempting the impossible. We 
were trying to have a 9/11 Commission-level of impact without 
the precipitating event of a September 11.
    Well, Madam Chair, I reject that cynical view. I believe 
that if we come together in a nonpartisan fashion to implement 
the Solarium Commission recommendations, we can alter the trend 
that sees our cyber risk grow year after year. We can push back 
on our adversaries, who see the cyber domain as the ultimate 
realm for asymmetric operations in the gray zone short of war. 
We can seize the initiative and ensure that we are not left to 
wonder the day after an attack what more could we have done.
    So, that is how I view the work of the Cyberspace Solarium 
Commission. That is the urgency I bring to the table. And more 
so than any of the other 82 recommendations the Solarium 
Commission proposes, the National Cyber Director is essential 
to seizing the initiative from our adversaries.
    It is essential because cybersecurity permeates every 
aspect of our society and every aspect of our Government. Every 
department and agency, from the Department of Agriculture to 
the Department of Veterans Affairs, relies on secure 
information technology to conduct business, yet very few of 
them have cybersecurity as part of their mission, nor is it 
their primary focus.
    Because cybersecurity is difficult to measure, we end up 
with misaligned incentives. People skimp on cybersecurity 
because they would rather invest in operationally relevant 
programs in their department. We need a strong leader in the 
White House to defeat the inertia that pushes investments in 
cybersecurity down the road or until a devastating breach 
occurs. We also need as strong cyber leader in the White House 
to coordinate strategy.
    Beyond Government systems, our national and economic 
security rely on critical infrastructure, most of which is 
owned and operated by the private sector. Where once we could 
rely on two oceans and friendly neighbors to insulate us, today 
our banks, hospitals, and power plants are on the front lines 
of shadow campaigns to undermine our way of life. Only within 
the White House can we break down agency silos to ensure that 
we have a ``whole of nation'' effort to protect our networks.
    Finally, Madam Chair, we need a National Cyber Director in 
the White House to coordinate incident response. We are living 
through a public health crisis right now, the likes of which we 
have not seen in over a century. When our adversaries strike us 
in cyberspace, we must be prepared to defend early, to stamp 
out the infections from computer viruses, to quarantine 
affected networks, and to inoculate uninfected machines by 
patching them. This is only possible with a National Cyber 
Director.
    This idea, of course, is not new. I worked on it with the 
CSIS Commission for the 44th Presidency in 2008. But as my 
friend Mr. Gallagher has taken great pains to describe at 
length, the Solarium process pioneered by President Eisenhower 
has a way of refining one's thinking. We debated the proposal 
for a National Cyber Director extensively, and we were very 
deliberate in our decision-making.
    We chose an office in the White House because only the 
White House can truly reach across departments and agencies to 
manage a risk so pervasive as cyber. We chose a Senate-
confirmed position because congressional oversight and buy-in 
is critical to the success of the office. We chose to preserve 
a coordinative rather than operational bend to the role because 
our cyber defenders need strategic guidance, not tactical 
advice.
    Madam Chair, just to conclude, there are some who argue 
that the National Cyber Director is congressional overreach. 
There are those who say that the President is the ultimate 
arbiter of the Executive Office of the President and that 
Congress has no business interfering in these Article II 
affairs. Those people, respectfully, disregard history, as 
Congress has helped to guide White House structure in the past 
when the moment demanded it, such as when Congress created the 
Office of Science and Technology Policy or the U.S. Trade 
Representative. But more concerning to me, these people 
implicitly endorse the status quo, and that scares me.
    It scares me because every day I wake up and see our 
adversaries making gains in cyberspace. I saw it under 
President Bush, I saw it under President Obama, and I see it 
today under President Trump. I see our adversaries stealing our 
intellectual property, shaping norms that suit their interest 
on the international stage, striking out at our partners and 
allies, and attempting to undermine our elections.
    Madam Chair, it is time we seize the initiative. It is time 
we set the agenda, pushing back on our competitors and shaping 
their behavior by improving our resilience and in strengthening 
the cyber ecosystem. It is time we empower the National Cyber 
Director at the White House.
    Madam Chair, with that, serving on the Cyber Solarium 
Commission with Mr. Gallagher has been one of the most 
rewarding experiences of my life. His leadership and that of 
Senator King, the contributions of our fellow commissioners, 
and the enormous dedication of our immensely talented staff are 
all reflected in the bill that we are discussing today. It is 
an honor to have the opportunity to present it before you, and 
I look forward to answering any questions that you may have.
    Chairwoman Maloney. Thank you so much, Congressman 
Langevin, and thank you for your leadership and passion for the 
security of our Nation. I now recognize Mr. Gallagher.

STATEMENT OF HON. MIKE GALLAGHER, A REPRESENTATIVE IN CONGRESS 
   FROM THE STATE OF WISCONSIN AND CO-CHAIR, U.S. CYBERSPACE 
                      SOLARIUM COMMISSION

    Mr. Gallagher. Thank you, Chairwoman Maloney and the rest 
of the committee, and thank you for the kind words about my 
newborn daughter. If I pass out during this hearing, it is not 
only because I am nervous to be on the wrong side of the 
hearing here as a Member, but because I haven't had much sleep 
in the last two weeks. But we are truly blessed, and I 
appreciate the kind words.
    As Dwight Eisenhower said, ``We do not keep security 
establishments merely to defend property or territory or rights 
abroad or at sea. We keep the security forces to defend a way 
of life.''
    And right now, emerging technology empowered by stronger 
and more capable digital networks is being infused into every 
part of our Government, economy, and our way of life. How we 
navigate the resulting opportunities and challenges will 
determine the effectiveness of our Nation to deal with future 
cyber-driven or cyber-enabled contingencies. For the past 20 
years, commissions, initiative studies, and even four 
Presidential administrations have been challenged to define and 
establish an effective national-level model for coordinating 
cyber strategy, policy, and operations.
    I believe it is imperative that the executive branch have a 
strong, stable, and expert-led cyber office and leader within 
the White House. Whether to create the position of a National 
Cyber Director, however, and what that position would entail 
was one of the most spirited and important debates we had over 
the course of the commission.
    My colleague Jim Langevin was absolutely incredible in his 
thought leadership and his dedication to the integrity of the 
Cyberspace Solarium Commission process, and I learned a ton 
from him throughout. And due to Jim's leadership, we really 
considered, one, how to address the gap in national leadership 
and coordination and consistent prioritization; two, whether to 
recommend Senate confirmation; and three, the size, structure, 
and scope of authorities for the coordinator and leadership 
office.
    Ultimately, we decided that the Federal Government would be 
better equipped by strengthening existing department and agency 
efforts in cybersecurity, including the Cybersecurity and 
Infrastructure Security Agency, rather than the creation of a 
new department, as many advocated for. Therefore, without a new 
agency, the commission deemed the institutionalization of a 
cyber coordinator position in the White House within the 
Executive Office of the President to be essential to give the 
position a high enough level of prominence to effectively 
coordinate national strategy and provide much-needed leadership 
internationally, with state, local, tribal, and territorial 
governments, and with the private sector.
    And in recognition of that need for better collaboration, 
the Chamber of Commerce recently endorsed the National Cyber 
Director Act, our bipartisan legislation that Representative 
Langevin has led.
    The commission spent an enormous amount of time weighing 
the pros and cons of this position and in contemplating the 
stature of the position. We determined that requiring it to be 
Senate-confirmed, similar to the way in which the U.S. Trade 
Representative is Senate-confirmed, would not only signal that 
Congress is committed to cyber issues but also afford us, as 
legislators, a level of access to that conversation, but also 
the person that occupies that position a level of political 
support that bipartisan endorsement would bring while 
maintaining the discretion of the President in selecting that 
candidate.
    Making the role Senate-confirmed, in other words, would 
provide greater permanence by institutionalizing the position's 
existence and ensuring the role would endure throughout 
Presidential transitions and not just be dependent on the whim 
of a particular President or a particular National Security 
Adviser.
    I understand there are those, particularly my Republican 
colleagues, who may be skeptical that this is an added layer of 
bureaucracy. I just would say to you that I came into this 
discussion with that as my ideological prior. But unless you 
believe that the status quo is, indeed, getting the job done, 
unless you believe that we are, at present, well-structured to 
avoid a cyber 9/11, as my colleague referred to, then you have 
to consider how we can make a meaningful reform of the status 
quo.
    Indeed, rather than creating an entirely new agency, which 
would take years to create, which would be much more complex 
and would further muddy the bureaucratic waters, I view the 
creation of a single focal point in the White House, a single 
person--or to quote my co-chair Angus King, a single throat to 
choke--someone who is responsible for this effort, to be the 
least bureaucratic, the least onerous, and the most efficient 
of all possible options. It also gives Congress a greater 
window into this discussion, as I alluded to.
    I believe, in closing, that we in Congress must 
sufficiently enable the Federal Government to create a cohesive 
national strategy and defense in the cyber domain, as we do in 
all other domains of battle, and we must do so today. So, I 
urge you to support the commission's recommendation on the 
creation of a National Cyber Director so that, in Ike's words, 
``When we fight, we will fight in all elements as one single, 
concentrated effort.''
    With that, I will close my comments. I thank you for your 
time and consideration.

    Chairwoman Maloney. Thank you, Mr. Gallagher. This is truly 
a bipartisan goal to protect our country.
    We will be limiting questions for the first panel. I now 
recognize myself for five minutes for questions, and Mr. 
Gallagher, I want to start with you.
    The current coronavirus crisis has created a systemic shock 
that has exposed a number of critical ways in which our country 
failed to prepare for what many would call the ``inevitable.'' 
In our increasingly connected and technology-driven world, many 
experts warn that a large-scale cyber-attack is also 
inevitable.
    The Solarium Commission recently released a white paper 
examining cybersecurity in the context of the pandemic, and Mr. 
Gallagher, your white paper lays out some interesting parallels 
between lessons learned during the coronavirus pandemic and how 
these lessons can inform our preparation for significant cyber-
attacks. Can you share some of these parallels and your 
recommendations with us?
    Thank you.
    Mr. Gallagher. Absolutely. You know, obviously, they are 
not perfectly analogous events, but I would highlight a few 
similarities. There are really three stand out in my mind that 
we analyzed in our white paper, our pandemic annex. First, both 
the pandemic and a significant cyber-attack can be global in 
nature, requiring that nations simultaneously look inward to 
manage a crisis as well as work across borders to contain its 
spread. Both are difficult to contain across borders as well.
    Second, I would argue that both the coronavirus pandemic 
and a significant cyber-attack require a whole of nation 
response effort and are likely to challenge existing incident 
management doctrine and coordinating mechanisms, as we are 
discovering right now with every state, every county, every 
city government, and a bunch of nonprofits having to figure out 
how they can all work together in order to slow the spread of 
the disease.
    And finally, and perhaps most importantly, I would argue 
the similarity is that prevention is far cheaper and pre-
established relationships far more effective than a strategy 
based solely on detection and response. That is why if you read 
not only our pandemic annex but our broader Cyberspace Solarium 
report, which we had the unfortunate timing of releasing on 
March 12, 2020, the last week we were in session in the House 
before shutting down, you will see that a lot of what we are 
trying to do is to get left of boom, for lack of a better term, 
figuring out how we can force the Federal Government--in 
partnership with Congress, in partnership with state 
governments, tribal governments, territorial governments--to 
think through the unthinkable. Think through how we can rapidly 
restore our economy in the event of a cyber-attack, to be able 
to come back stronger and strike back against our enemies and, 
therefore, restore deterrence.
    So, you know, I will be cautious about extending the 
similarities between the pandemic and a cyber-attack too far, 
but those three stand out in my mind.
    Chairwoman Maloney. Well, thank you. Thank you very much.
    Mr. Langevin, the commission recommends establishing a 
National Cyber Director to coordinate the Federal Government's 
incident response activities. Can you share examples of how the 
coronavirus pandemic and shifts to remote services have led to 
additional cybersecurity challenges?
    Mr. Langevin. Sure. Thank you for the question, Madam 
Chair.
    Certainly, the pandemic influence has shown the challenges 
of needing a coordinated response, and when you have a diffused 
response and many people in charge--for example, just so you 
can get to the states as we have--it makes it more challenging 
to have a cohesive direction in which to go. So, we want to 
make sure that with respect to a cyber incident that we are 
both having someone that thinks about this in terms of pre-
planning, so looking at the most vulnerable areas, say, of 
potential cyber-attacks on critical infrastructure, which is 
owned and operated in the private sector, and figuring out how 
we can make our cyber networks more resilient and how we would 
get them back up and running more quickly.
    But in the actual incident, if it were to occur, that you 
have a single point of contact that is both the principal 
adviser to the President, he or she is the coordinator to bring 
the interagency together, or the National Security Council 
together, or the Economic Security Council together to lay out 
options for response and have a more coordinated, cohesive, and 
effective response.
    Chairwoman Maloney. Thank you. How would establishing this 
role have made a difference in our response to the COVID-19 
pandemic?
    Mr. Langevin. Well, I think it is probably more analogous 
to how we would, say, respond to a cyber-attack or intrusions 
on our elections, but certainly, there are elements of cyber 
response to COVID. For example, what we know of the Chinese and 
other entities trying to steal intellectual property for the 
development of a coronavirus vaccine or therapeutics. We would 
have a much more focal point in which the Cyber Director would, 
again, be able to coordinate the relevant departments and 
agencies or private sector entities to effectively coordinate 
the response that needs to be taken to protect those networks 
and prevent intellectual property, hopefully, from occurring in 
the first place.
    Chairwoman Maloney. Thank you.
    Now for both of you, is it your opinion that establishing a 
National Cyber Director is an essential step in ensuring the 
U.S. is in the best position to prevent and, if necessary, 
respond to a crisis induced by a significant cyber-attack?
    Mr. Langevin. I certainly feel that that is the most 
effective way to both prevent and also respond to a cyber 
incident of significant consequence. We thought this through 
very clearly, and as my colleague pointed out, of the various 
ways we could have gone having this at an existing department, 
existing agency, or having the authority in a new cybersecurity 
agency, or having it in the Senate-confirmed Executive Office 
of the President position, we felt this was the best way to go 
of the various options we would have recommended.
    Again, it doesn't create an excessive new bureaucracy. I 
believe it is very streamlined, very focused. It gives 
strategic guidance and both advice to the President, but it is 
going to--the coordinating authority to make sure all the oars 
are pulling in the same direction in the event of a cyber 
incident.
    Chairwoman Maloney. Well, thank you.
    Mr. Gallagher. I would second----
    Chairwoman Maloney. Mr. Gallagher, do you want to add to 
that?
    Mr. Gallagher. Well, I just would second Jim's remarks and 
say I think of it as a necessary, but insufficient 
recommendation. It is part of a broader suite of 
recommendations. I think, if you read our final report, what 
you see is a genuine attempt from commissioners on both sides 
of the aisle to elevate and empower existing agencies rather 
than create a bunch of overlapping new bureaucratic structures.
    And I do want to commend the work of a lot of great leaders 
we have at the NSA, at CISA, who have really learned a lot of 
lessons in the last four years and come a long way. We are not 
saying they haven't done good work. We view this as a way to 
better empower them and build upon the lessons of the last few 
years.
    Chairwoman Maloney. Well, I agree with the commission and 
my bipartisan colleagues in Congress that we need a centralized 
cybersecurity position at the White House to develop and 
streamline the Federal Government's strategy, coordination, and 
response to cyber threats and strengthen all activities that 
are taking place now. I thank you all for your hard work and 
your testimony today.
    I now recognize the distinguished ranking member for five 
minutes for questions. Representative Comer?
    Mr. Comer. Thank you, Chairwoman. I had a very good 
conversation with Jim yesterday about this legislation, and I 
am going to direct my questions to my good friend Mike 
Gallagher. Will the National Cyber Director legislation create 
budgetary hurdles in how it works with the Office of Management 
and Budget, OMB, that might artificially constrain a 
President's cyber policy decisions?
    Mr. Gallagher. We examined that in depth. Ultimately, I 
don't think so. We are giving--in our construct, giving the 
National Cyber Director budget certification authority, which 
effectively means he has the ability to look at various 
executive branch agencies when it comes to cyber elements 
within their budget and flag effectively for the President 
something of concern, but the President still retains the 
ultimate authority to adjudicate that dispute.
    If, for example, there was a disagreement between OMB and 
the National Cyber Director, just as there is often a 
disagreement within different executive branch agencies, the 
President, and working through his National Security Adviser, 
can adjudicate those disputes, and he can choose whether or not 
to follow the advice of the National Cyber Director. So, while 
the National Cyber Director would have that budget 
certification authority, he can't go in and mess the entire 
process up, for lack of a better way to describe it.
    Mr. Comer. OK. I have heard different people describe what 
they view this might entail, but would the new office comprise 
a large new staff? I have heard between 75 and 100 new 
staffers. Obviously, that would create a new bureaucracy, and 
we are always careful about creating new bureaucracies.
    So, what is the prediction of a budget? How much will this 
cost? How many staffers are we talking about here?
    Mr. Gallagher. I would say, as we estimate, 75 is about 
right, and I understand your concern. That is not nothing. That 
would replace about the 15 that are there right now.
    I just would say if you look right now at the, let us say, 
the comparison of people and resources we devote for its 
offensive operations with NSA and Cyber Command versus what 
CISA has to do defensive operations, you will see a dramatic 
imbalance in terms of the personnel that we have, thousands of 
personnel difference. So, even though we would be adding 
anywhere between 75 to 100, that would be a small step toward 
perhaps correcting that imbalance, giving the White House 
better purview into defensive operation.
    What the budgetary impact of that would be, we think it 
would be in the low, you know, about $10 million to $15 
million, but some of that depends on whether these people are 
detailees from other agencies. But I am not suggesting it is 
nothing. It is a growing of an office within the organization, 
but that is also consistent with precedent for other Senate-
confirmed offices within the Executive Office of the President.
    Mr. Comer. And I certainly understand the concern and 
appreciate the effort here to alleviate that, but if this is 
staffed by career officials or detailees from other agencies, 
why won't it become another bastion for employees who refuse to 
honor the policy prerogatives of an incumbent President, 
something that this President has been battling, as you know, 
for the last 3 1/2 years?
    Mr. Gallagher. Well, I don't doubt that that is a problem 
within the executive branch, and having worked in the executive 
branch, I think there is always a tendency, you know, for--if 
you are a bureaucrat, you sort of believe in the status quo. 
The old saying goes, ``Where you stand depends on where you 
sit.''
    But at the end of the day, that is a broader cultural issue 
where everybody that works in the executive branch, whether 
they are wearing a uniform or they are a civilian, needs to 
understand that they work for the President, regardless of that 
President's party. So, I don't think this would solve that 
problem necessarily, but I don't think it would make it 
dramatically worse.
    Mr. Comer. Just out of curiosity, have you had any 
conversations with anyone in the White House to gauge their 
level of support or opposition for this proposal?
    Mr. Gallagher. I have had conversations with the White 
House.
    Mr. Comer. OK. Well, good deal. Well, my time is about to 
expire, and I have the utmost respect for you, Representative 
Gallagher. You and Will Hurd on our side certainly are the 
foremost experts on cybersecurity. I appreciate what you are 
doing here and look forward to further conversations. With 
that, Madam Chairman, I yield back.
    Chairwoman Maloney. I understand that--right now? Thank 
you, Mr. Comer.
    I understand Representative Chairman Lynch is at another 
meeting. So, I now recognize the distinguished ranking member 
for the Subcommittee on National Security, Mr. Grothman, for 
his questions.

    [Pause.]
    Mr. Grothman. Can you hear me? Can you hear me now? Can you 
hear me?
    Mr. Gallagher. Yes, loud and clear.
    Mr. Grothman. OK. OK, did the Solarium Commission take a 
position on whether our Nation's cybersecurity posture has 
improved over the years? Are things getting better or worse, I 
guess?
    Mr. Gallagher. I will offer my view. I think after a year 
of extensive conversations with General Nakasone, Chris Krebs, 
and a lot of talented people in DOD, many of whom participate 
in the commission, I think we have gotten a lot better. And a 
lot of that is due to legislation that we have passed in 
Congress. On the Armed Services Committee, we have effectively 
devolved greater authority down to lower levels so that people 
can operate in cyber with the speed and agility that is 
necessary to have an effect.
    I think if you look at sort of lessons learned from 2016, 
there was a concerted effort in 2018 to protect our democracy. 
So, I have actually been very impressed with the work of 
General Nakasone and a lot of other dedicated cyber warriors in 
this space.
    Mr. Grothman. OK----
    Mr. Langevin. Now if I could add, and I would agree with 
my--again, as the chairman of the Intelligence, Emerging 
Threats, and Capabilities Subcommittee, I oversee both NSA and 
U.S. Cyber Command. I see the extraordinary work that General 
Nakasone and his team are doing at U.S. Cyber Command. Also 
sitting on the Homeland Security Committee and on the 
subcommittee that helps to oversee CISA, we are getting better 
and better and more effectively organized to combat this 
growing threat.
    So, we have gotten better, and I support, for example, the 
administration's new guidance on cyber, NSPM-13, so we are more 
forward leaning. So, defending forward, if you will. I think we 
were probably too reserved in past years, and now under the 
current construct, we are more forward leaning. So, as Chris 
Engels liked to say, it is defending early, or you could say it 
is often said defending forward. But I think it is the right 
strategy.
    But our enemies and adversaries are getting more and more 
effective and more successful and sophisticated in their 
ability to carry out cyber-attacks of significant consequence. 
So, we need to continue to evolve, and that is why this new 
added position is helping us to get even better. Going from the 
category of, say, good, better, best----
    Mr. Grothman. We are moving to get better even faster. Is 
that what you are saying?
    Mr. Langevin. Yes.
    Mr. Grothman. We are only going to get better faster. Do we 
have a data bank of breaches or incidents that we feel we are 
going to try to prevent in the future? I mean, can you like 
rattle off the top 5 problems we have had in the last three 
years, say?
    Mr. Langevin. Well, just by way of example, and this is an 
example that I use pretty frequently, we are trying to prevent 
the next OPM breach, for example. The breach that occurred at 
the Office of Personnel Management happened because there was a 
Department of----
    Mr. Grothman. That is one. Why don't you rattle off like 
the three or four worst breaches in the last, say, four years 
that you feel concerned about?
    Mr. Langevin. Well, there was the WannaCry incident that 
occurred, the Sony breach that occurred that North Korea 
carried out. Of course, the WannaCry was probably one of the 
most costly cyber incidents that occurred in world history, and 
it cost FedEx and Merck and Maersk billions of dollars in lost 
revenue when their computers were wiped out or damaged. So, the 
amount of intellectual property theft that has occurred over 
the years, it has cost U.S. jobs and economic competitiveness 
to the tune of hundreds of billions, if not trillions, of 
dollars.
    So, the list goes on and on, not to mention, of course, the 
amount of personal private information that has been stolen. We 
are getting better at responding to and protecting against 
these things, but we are not----
    Mr. Grothman. Well, why don't you just forward to me, you 
know, six or seven ones that we are trying to prevent in the 
future.
    I missed something. One of you guys talked about John 
Bolton dismantling some agency or commission or whatever. Could 
you go over that a little bit?
    Mr. Langevin. Yes, if I could jump in on that? I know Mike 
is going to want to comment. But under every administration, we 
were making forward progress on cybersecurity. John Bolton was 
the first person really in an administration to take us 
backward when he eliminated the cybersecurity coordinator 
position.
    Now that wasn't Senate-confirmed, didn't have policy or 
budgetary authority, but at least it was there. In fact, one of 
the people on the second panel, Michael Daniel, was the 
cybersecurity coordinator under President Obama. Rob Joyce 
under the Trump administration----
    Mr. Grothman. It just hits me as odd. I wonder what his 
logic was. Why did he do that?
    Mr. Langevin. I think he sold the President a bill of goods 
by eliminating the position. I think he did a disservice to the 
President.
    Mr. Gallagher. I think he might argue he is streamlining 
the overall NSC process, and indeed, his predecessor--or his 
successor has tried to continue that process. I think what we 
are arguing is that even that status quo ante with a cyber 
coordinator was not sufficient really to get the overall 
interagency, interdisciplinary oversight you need of cyber, as 
well as develop long-term expertise.
    Again, to go back to the Senate-confirmed bit, you know, we 
want this person to not only have the ear of the President, but 
be, you know, a single bellybutton that we, as legislators, can 
push to get answers when it comes to Congress.
    As for your earlier question, Glenn, I will send you on--
throughout our report, we really go through all of the major 
infiltrations attributed to China, Russia, North Korea, and 
Iran, as well as non-state actors, and lay it out. And just one 
that always comes to mind for me as a defense guy, basically, 
from 2006 to 2018 something called Advanced Persistent Threat 
10, when China was conducting systematic cyber espionage 
campaigns, stealing IP and compromising computer systems 
containing personal information from over 100,000 U.S. Navy 
personnel.
    So, in addition to OPM--and I have the letter I received 
from OPM framed somewhere here in my basement, saying my 
records have been hacked--there has been a lot of these little 
attempts to exfiltrate data directly from our military and 
compromise the data of military personnel.
    Mr. Grothman. I don't even know, Mike, if someone tries to 
do that, do we find out right away? Or might all sorts of 
things be going on, and we have no idea it happened?
    Mr. Gallagher. It just depends. I mean, certainly there has 
been lag time in detection for some of the major breaches we 
have had. Again, I would say that we have gotten better in 
detecting how this happens. We are going to have testimony from 
a variety of true experts in this space, like our former 
colleague Mike Rogers, who can speak to that.
    So, I think we are getting better at rapid detection, rapid 
attribution, and a better process for response. But as Jim 
rightly pointed out, the threats are getting better as well and 
better at anonymizing the origin of the threat.
    Mr. Grothman. Thank you.
    Chairwoman Maloney. Thank you very much to my esteemed 
colleagues for their tireless work on the commission and for 
sharing their work with us today.
    Would either Mr. Langevin or Mr. Gallagher like to stay for 
panel two? You have been generous with your time, but we would 
be very happy to waive you in. Would you like to stay?
    Mr. Langevin. Yes, I would like to stay for a bit, Madam 
Chair[SA1]. And if I could ask unanimous consent that a letter 
of endorsement of the National Cyber Director by the U.S. 
Chamber of Commerce be added into the record? Could I ask 
unanimous consent to do that?
    Chairwoman Maloney. Absolutely. Absolutely. So ruled.
    Mr. Gallagher. I, too, have the T&I markup going on right 
now. So, I may have to go in and out, as well as many diapers 
that I have to change upstairs. So, if you will indulge me with 
that, I may not be able to attend the whole second session.
    Chairwoman Maloney. Thank you. So, without objection, the 
gentleman from Rhode Island will be permitted to join the 
committee for this hearing on the virtual dais and question the 
second panel.
    Now I would like to introduce our second panel. The 
Honorable--what? And the gentleman from Wisconsin. OK.
    I will now introduce our second panel. The Honorable Mike 
Rogers, former Member of Congress, chairman of the House 
Permanent Select Committee on Intelligence from 2011 to 2015.
    Michael Daniel, president and CEO of the Cyber Threat 
Alliance and former cybersecurity coordinator for President 
Obama from 2012 to 2017.
    Amit Yoran, chairman and CEO of Tenable; founding director, 
U.S. Computer Emergency Readiness Team.
    Suzanne Spaulding, Senior Adviser for Homeland Security at 
the International Security Program at the Center for Strategic 
and International Studies; commissioner, U.S. Cyberspace 
Solarium Commission.
    Jamil Jaffer, founder and executive director of George 
Mason University's National Security Institute.
    The witnesses will be unmuted so we can swear them in now.
    So, please raise your right hand. Do you swear or affirm 
that the testimony you are about to give is the truth, the 
whole truth, and nothing but the truth, so help you God?
    [Response.]
    Chairwoman Maloney. Let the record show that the witnesses 
answered in the affirmative. Thank you, and without objection, 
your written statements will be made part of the record.
    With that, Chairman Rogers, it is nice to see you again. 
You are recognized to provide your testimony.

   STATEMENT OF HON. MICHAEL J. ROGERS, DAVID ABSHIRE CHAIR, 
    CENTER FOR THE STUDY OF THE PRESIDENCY; FORMER REP. AND 
   CHAIRMAN, HOUSE PERMANENT SELECT COMMITTEE ON INTELLIGENCE

    Mr. Rogers. Thank you, Madam Chair. It's good to see so 
many colleagues I had the privilege to work with and some new 
ones as well and to be on a panel of very distinguished experts 
in the field of cybersecurity and actually how we approach it.
    This has been a very long journey for me, Madam Chair, to 
get to where I would sit in front of the committee and say I 
support a Cyber Director, as Congressman Langevin and my good 
friend Congressman Ruppersberger both have reminded me over the 
years how I was just wrong about this. Matter of fact, they've 
invited me to dinner under the--under the understanding that 
they want to watch me eat crow, as I testify today in my 
support, my wholehearted support for the National Cyber 
Director bill that you propose today.
    I'll tell you why. I looked at it certainly when I was 
chairman, prior to being chairman on the Intelligence 
Committee, and now subsequently, in my private sector life 
doing both policy work with the center and the study of the 
presidency looking at all the machinations of how we can combat 
this threat. And in the private sector, I am part of several 
small cybersecurity startup companies that have had the 
opportunity to view how the Government is doing some of these 
things and offer products out into the commercial market to 
help defend our private sector from aggressive cybersecurity 
threats.
    All of those things have led me to really change my mind. I 
looked back and have a lot of the same arguments. If it was--
and if Congressman Langevin and Dutch Ruppersberger and myself 
and Representative Comer sitting in a meeting probably in 2008, 
I think it would have been two people on one side of the table 
and two people on the other. I was worried about this 
expansion. So, there was a lot of talk at that time about an 
agency or a czar, and I just didn't think we should go there, 
and we've had lots and lots of discussions.
    What I find this bill does that I think was different than 
previous discussions is that it doesn't expand government, 
which I'm really concerned about, it focuses government. And if 
we need anything now in the cyberspace, we need focus on what 
our Government is doing, and does it have the right resources?
    You know, we've taken some important steps in the past in 
Congress. The Federal Information Security Management Act of 
2002 kind of got it started. There was a modernization in 2014. 
But here is the problem.
    Imagine if you take the quarterback and not let that 
quarterback train with the football team all year until the 
first game you put him out on the field. We're going to have 
problems. This is exactly how we have set up our ability to 
monitor, to oversee the large enterprise which is the Federal 
Government.
    If you think about it, I know there's been a lot of talk 
about incidents, and we certainly need to be prepared there. 
And certainly, the NSA has that ticket. But think of these 
agencies--I'm just going to read off three of them. I went 
online on the Inspector General reports, and there are hundreds 
and hundreds and hundreds of these agencies, by the way, who 
are getting paid auditors to come in and do their basically 
review of their cybersecurity programs, if they're meeting 
Federal guidelines.
    We think of the big ones, but we don't think of the Farm 
Credit Administration, or we don't think of the Committee for 
Purchase from People Who Are Blind or Severely Disabled. And 
think of the information that those organizations have that are 
pretty sensitive information, the Pension Benefit Guaranty 
Corporation. So, when you look at this whole--and I have dozens 
of these. I could go through them for an hour.
    On all of the agencies who are absolutely under siege 
today, think of it. Billions of times a day, somebody is 
getting up in the morning with a sole purpose and job to try to 
penetrate the U.S. Government at any level. That happens every 
single day. Every agency I mentioned plus the hundreds others 
are under siege from cyber either espionage or destruction of 
data.
    That's happening, and it's happening in a pretty big and 
significant way. And we're going to need to do something, and 
so we're looking at it from the wrong end. And I want to tell 
you two reasons why here, and my testimony highlights some of 
the threats that we've been dealing with. But I just want to 
give you an example of why I thought, all right, we have to 
change the way we're thinking. We can't continue to do it the 
same way and expect a different outcome here.
    There was an OIG inspection of a particular agency of which 
we would all be concerned about if that data were exposed. And 
what they found is they found about 25 serious changes that 
needed to be made. This was in 2019. And here is the 
conclusion. So, remember, outside firm hired to come in and say 
these are the things you're doing wrong. We'll be back next 
year to see if you've corrected them.
    Next year, right? A year in cyberspace is a lifetime. A 
quarterly report is a lifetime. That means we've got lots of 
exposure there.
    And this was the one that got me. Here is one of their 
recommendations. If this agency continues a delay in corrective 
actions, a material weakness in information technology security 
control may be reported in 2020. That tells me we are not 
prepared for the threat that is knocking on our door today.
    And part of the reason is they have to coordinate through a 
whole series of bodies. Let me just give you a little bit. It's 
OMB. They have to do with DHS. They have to coordinate with all 
of these different agencies to come up with what the guidelines 
are to move out.
    All of those agencies are under their own attacks, by the 
way. They all have their own cyber operations, by the way. And 
there is no person, no organization set over top of it to say 
I'm going to be either the cavalry to help you in your 
deficiencies, or I'm going to help you find out what's wrong 
and how we fix it in a short order.
    Nothing is steering that. So, yep, we're going to need--
we're going to need help on the fact that we are going to have 
incidents, that we are one keystroke away from an incident that 
has major consequences in the United States. Why? Because we 
just under siege.
    The Chinese has been highlighted in intellectual property 
theft and now disruption. They're changing their policy. They'd 
like to disrupt things. Remember, if American people stop 
trusting their institutions to the point where it's not 
governable, guess what? Bad guys win. China wins. Russia wins. 
Iran wins. North Korea wins. And they all know it.
    Matter of fact, I just want to read you this quick quote, 
if I may, Madam Chair. And this was done by General Gerasimov 
of Russia. ``A perfectly thriving state can in a matter of 
months, even days, be transformed into an arena of fierce armed 
conflict, become a victim of foreign intervention, and sink 
into a web of chaos, humanitarian catastrophe, and civil war. 
The role of nonmilitary means of achieving political and 
strategic goals has grown.'' And he's talking about 
cybersecurity and cyber influence operations and disruption 
cyber activities for the public to lose trust.
    ``And in many cases, these tools have exceeded the power 
and force of weapons in their effectiveness.'' That was 2013.
    Fast forward, what's happened since 2013? We've watched the 
Russians engage in aggressive information operations, including 
the attempts to penetrate networks of which our concern to 
disrupt things. And public reports show that the electric grid 
was attempted to be penetrated. There are reports that they 
tried to penetrate our stock market.
    Why? Disruption leads to chaos, leads to distrust in 
American institutions. This is as serious a problem as we can 
get.
    And that conclusion that I came to, and I'm going to have 
to eat crow with my good friends Mr. Langevin and Mr. 
Ruppersberger, is that if we don't have something--and I don't 
agree with a big agency. If we don't have something that 
doesn't expand Government but focuses our cybersecurity 
efforts, we are going to be in for a long run.
    We've had these conversations. We've admired the problem. 
We've worshipped the problem. Now we have to do something about 
it.
    I think that this agency will help all of the agencies get 
to where they need to go, and that's why I'm before the 
committee today, offering my support for this legislation.
    Chairwoman Maloney. Thank you so much, Chairman Rogers. 
That was a very, very powerful and moving presentation.
    And Mr. Daniel, you are now recognized.

 STATEMENT OF J. MICHAEL DANIEL, PRESIDENT AND CHIEF EXECUTIVE 
      OFFICER, CYBER THREAT ALLIANCE; FORMER WHITE HOUSE 
                   CYBERSECURITY COORDINATOR

    Mr. Daniel. Thank you. Good afternoon.
    Thank you, Chairwoman Maloney, Ranking Member Comer, and 
other distinguished members of the committee, for the 
opportunity to testify before you today on the topic of this 
legislation and the National Cyber Director.
    I'm also happy to be on the panel with people that I 
consider friends and colleagues, all of whom we've worked 
together and have known each other for many years.
    As you might imagine, I think about this issue a lot. I 
served for 4 1/2 years as the special assistant to the 
President and cybersecurity coordinator on President Obama's 
National Security Council staff. And since then, I've served as 
the president and CEO of the Cyber Threat Alliance, which is a 
nonprofit threat and talent sharing organization.
    And cybersecurity is a tough issue for almost any 
organization to manage, and that is certainly true for the 
Federal Government. Yet as our digital dependence continues to 
increase, something we've actually talked about this morning--
this afternoon already, the imperative for the Federal 
Government to get better at managing cybersecurity also 
increases. The rapid shift of certain economic activities 
online as a result of the pandemic has only heightened this 
need.
    One aspect that makes cybersecurity particularly tough for 
the Federal Government is that it doesn't fit neatly into one 
bureaucratic bucket. Cybersecurity is a national security, 
economic security, commercial, intelligence, law enforcement, 
public safety, military, foreign policy issue all rolled into 
one.
    Yet at the same time, cybersecurity is highly 
interdependent. Just like the Internet, all of those aspects 
that I just mentioned are all connected, and they all affect 
each other. And they affect each other in some unanticipated 
ways many times, and that means all of these disparate pieces 
have to coordinate and work together in order for the whole to 
be effective and not undermine each other.
    And we've actually--to some of the questions and commentary 
from the first panel, we have made excellent progress over the 
last few years--actually, over the last two decades--in laying 
the foundation for better cybersecurity. We've put in place 
better policies. We've enacted laws that have been mentioned, 
including like the Cybersecurity Information Sharing Act from 
2015.
    We've put in place organizational structures like CISA at 
the Department of Homeland Security and U.S. Cyber Command. But 
we still face certain structural impediments to improving our 
cybersecurity, and these include cybersecurity's cross-cutting 
nature, the lack of incentives for coordination across 
agencies, and the need for incident response coordination, as 
well as the issue's complexity and its effect on major policy 
decisions.
    So, after wrestling with these issues for several years, I 
have come to the conclusion that we need a strong position 
along the lines of a National Cyber Director like the Solarium 
Commission recommends and like the bill that Representative 
Langevin is sponsoring. And I don't come to this conclusion 
lightly.
    Prior to serving as the cybersecurity coordinator, I spent 
17 1/2 years at the Office of Management and Budget, and I have 
a career OMBer's natural skepticism for creating new entities 
in the Federal Government. But in this case, I think it's 
really the only viable approach that we have. In particular, an 
EOP-level organization is really the only one that's going to 
be able to overcome a very significant factor in the Federal 
bureaucracy, and that's the ``You're not the boss of me'' 
problem. And that is just rampant among the Federal agencies, 
and only something centered at the White House can overcome 
that.
    That said, I would urge Congress to think through the scope 
and authorities for this position very carefully. It would be 
very easy to get something--to get it wrong and to end up with 
something that does take up bureaucratic bandwidth and does not 
focus things like Congressman Rogers recommended.
    Most importantly, this position has to cover all of the 
aspects of cybersecurity and not just some of them. It has to 
have oversight of law enforcement, military, and intelligence-
related offensive and defensive cyber activities, in addition 
to network defense. We cannot exclude those positions and 
expect the position to be a success.
    It has to tightly integrate with the OMB budget process and 
the NSC policy process, or even in the EOP, it won't be 
effective. It has to have a big enough office to get the job 
done, but not so big that it is tempted to become operational. 
And it needs to have a clear relationship with the Federal CIO 
and the Federal CISO.
    At the end of the day, we need a position like the National 
Cybersecurity Director. Cybersecurity is not just a technical 
problem. It's also an organizational problem. So, as a result, 
we're going to need to take some additional organizational 
steps to address it. We've taken the first few steps along that 
path, and now it's time to create a position that can bring it 
all together.
    Thank you for giving me the opportunity to testify for you 
today, and I'm looking forward to your questions.
    Thank you very much.
    Chairwoman Maloney. Thank you. And now, Mr. Yoran, you are 
now recognized.

STATEMENT OF AMIT YORAN, CHAIRMAN AND CHIEF EXECUTIVE OFFICER, 
 TENABLE, FOUNDING DIRECTOR, U.S. COMPUTER EMERGENCY READINESS 
                              TEAM

    Mr. Yoran. Chairwoman Maloney, Ranking Member Comer, 
members of the committee, thank you for the opportunity to 
testify today.
    I'd like to thank Representatives Langevin and Gallagher 
for their leadership on the Cyberspace Solarium Commission, the 
development of the commission's report, and for introducing 
H.R. 7331.
    I'd also like to thank Chairwoman Maloney for serving as 
cosponsor on the bill.
    I'm Amit Yoran, chairman and CEO of Tenable, the world's 
leading provider of vulnerability management technologies. 
Tenable empowers organizations of all sizes to understand and 
reduce their cyber risk. Our solutions serve just about every 
department and agency in the Federal Government and many state 
and local governments.
    Our customers include over 50 percent of the Fortune 500 
and over 25 percent of the Global 2000 and tens of thousands of 
mid-sized companies in every major industry. Simply put, we're 
instrumental to helping the Nation and organizations around the 
world quantify and understand and reduce their cyber risk.
    In H.R. 7331, the committee has the opportunity to 
significantly improve the Nation's cyber preparedness. The 
creation of the Office of the National Cyber Director within 
the Executive Office of the President is a critical step 
forward. My support for this office centers on the need for 
stronger enterprise risk management practices across the 
Federal Government and across the Nation.
    A whole of nation risk requires a whole of nation response, 
and indeed, a new, expanded attack surface stretches across the 
entire nation. This includes every aspect of government as well 
as private industry. None are immune from the threat of cyber-
attacks that imperil our national security, Government 
services, and the critical functions that citizens rely on.
    An accountable executive at the White House would also be 
helpful in coordinating a whole of government understanding of 
cyber risk and efforts to proactively reduce cyber risk and 
coordinate responses when needed. A National Cyber Director is 
needed to ensure that Government holds itself and industry 
accountable for baseline standards of care with regard to 
cybersecurity.
    Today, there remains a lackadaisical approach toward 
understanding cyber risk and proactively maintaining good cyber 
hygiene, resulting in the vast super majority of today's 
breaches and associated losses. This is negligent behavior 
through learned helplessness on the part of individuals, 
Federal Government agencies, and private industry.
    Many of the needed authorities have been outlined in the 
proposed legislation. In my written testimony, I recommend 
augmenting the National Cyber Director's authorities under 7331 
to include establishing a national encryption policy that 
balances the needs of law enforcement with those of 
cybersecurity and public safety; overseeing the vulnerabilities 
equities process; coordinating with regulatory agencies to set 
policies and practices which can improve understanding of cyber 
risk, increase transparency, and implement plans to adequately 
manage risk; focus efforts on cyber work force development 
initiatives, with emphasis on greater inclusiveness; and 
develop and maintain an international cyber strategy for the 
Nation and lead international cyber engagement efforts.
    It would be difficult to overstate the cyber risk that we 
face today. Governments and businesses utilize cloud computing, 
Internet of Things, and operational technologies. While these 
technologies optimize production, drive innovation, and 
increase sustainability, they also expand the overall 
cybersecurity attack surface and need to be an integral part of 
our risk management practices.
    These risk management practices must include services and 
industries essential to our public safety and well-being, such 
as power, water, transportation, and healthcare, as well as our 
industrial production. The risk is more than a technical one. 
It's political, it's social, it's physical, and it's economic.
    Cybersecurity can existentially threaten our way of life. 
There are important steps that we can take to improve our 
cybersecurity posture in advance of a national crisis, and 
those steps include the creation of an Office of the National 
Cyber Director at the White House.
    I'd like to thank Chairwoman Maloney, Ranking Member Comer, 
and members of the committee for their attention to this 
important topic, and I'll be happy to respond to your 
questions.
    Chairwoman Maloney. Thank you. Ms. Spaulding, you are now 
recognized.

   STATEMENT OF SUZANNE SPAULDING, SENIOR ADVISER, HOMELAND 
SECURITY, INTERNATIONAL SECURITY PROGRAM, CENTER FOR STRATEGIC 
   AND INTERNATIONAL STUDIES, COMMISSIONER, U.S. CYBERSPACE 
                      SOLARIUM COMMISSION

    Ms. Spaulding. Thank you, Chairwoman Maloney, Ranking 
Member Comer, and members of the committee. Thank you for this 
opportunity to be here today to testify in support of the 
Cyberspace Solarium Commission's recommendation to establish a 
National Cyber Director.
    It's really an honor to be here with my fellow 
distinguished witnesses and former colleagues, and it was a 
particular honor to serve on the commission alongside 
Representative Gallagher, Representative Langevin, and the 
other commissioners and inspiring to see the bipartisan and 
really nonpartisan approach that all of the commissioners 
brought to the work of the commission. And this recommendation 
is no exception.
    As has been noted, the commission considered alternative 
approaches to address what we all agreed was an urgent need for 
stronger coordination across the many entities engaged in 
cybersecurity for better integration of effort and for more 
robust strategic planning and prioritization to guide those 
efforts.
    The first panel addressed the alternatives that we 
considered. So, I won't go through all of them again, but I did 
want to emphasize the arguments against the alternative of 
pulling the various cyber entities out of the departments and 
agencies where they currently reside and putting them together 
in a new Department of Cybersecurity. I am strongly opposed to 
the creation of such a department because it would not solve 
our key coordination challenges and would cause huge disruption 
with little to no gain.
    The most important and challenging coordination issues in 
the interagency in my experience arise between DOD elements, 
including NSA; law enforcement, especially the FBI; and DHS. 
DOD and the IC are not going to relinquish their cyber 
activities to a new department. Nor is FBI going to turn over 
its law enforcement activity. Thus, the new department would 
still face those key coordination challenges.
    A National Cyber Director, on the other hand, could and 
must be empowered to address these key coordination challenges, 
with the backing of the President. To do this, the NCD must 
have the authority to convene and get information from law 
enforcement, the military, and the intelligence community, as 
well as DHS and the sector-specific agencies, about their 
operational plans and strategies.
    Another important reason I have opposed a new cybersecurity 
department is the risk that it would become singularly focused 
on technology. I watched this happen with our WMD efforts in 
the 1990's when I was at the Central Intelligence Agency, where 
folks working nuclear nonproliferation, for example, focused 
entirely on the technical aspects and failed to adequately 
integrate the regional experts and those studying the 
leadership and political dynamics within the various countries.
    I see these same tendencies in cyber. We tend to turn to 
technical experts, and they, not surprisingly, focus on the 
technical aspects, even though we know that understanding and 
mitigating cyber risks requires a much broader approach that 
fully recognizes the human element, integrates cyber and 
physical risks, including knowledge of the operational 
environment--whether it's financial services, electricity, or 
election infrastructure--and that incorporates knowledge of 
each of our adversaries and what drives them.
    I've always warned that a new cyber department would be 
staffed by technical experts and too focused on technical 
aspects. This could happen to the Office of the National Cyber 
Director as well, and it is something we must guard against. 
But sitting within the White House structure, having 
responsibility for interagency coordination, and working 
closely with the other elements like the NSC and the Council of 
Economic Advisers should help guard against that tendency.
    Another of the key recommendations from the commission is 
strengthening and reinforcing the great work that is being done 
by the group I used to lead at DHS now called Cybersecurity and 
Infrastructure Security Agency, or CISA. But at present, one of 
CISA's greatest barriers to effective operations is that 
numerous Federal departments and agencies often compete for 
resources and authorities. The NCD can support and enable CISA 
by pushing to a decision those ongoing battles that cloud the 
Federal Government in cybersecurity.
    The NCD is not intended to direct or manage day-to-day 
implementation of strategy by any Federal agency, but 
responsible for overall integration and execution of defensive 
strategy across the executive branch through strategic policy 
operations and budget. A National Cyber Director should do only 
what the agency and department leads cannot do themselves, de-
conflict and align cyber missions with national priorities, 
ensure visibility across the interagency on operational 
activities, and help push the process to active--into actual 
decisions.
    The NCD will fail if it adds further stovepiping and 
bureaucracy to our Nation's efforts to reduce cyber risks. 
Instead, the NCD needs to help empower, prioritize, and provide 
much-needed support for existing cyber entities within the U.S. 
Government.
    Thank you very much, and I look forward to your questions.
    Chairwoman Maloney. Thank you. Mr. Jaffer, you are now 
recognized. What?
    Voice. Go to questions.
    Chairwoman Maloney. Go to questions?
    Voice. Yes.
    Chairwoman Maloney. OK. I now recognize myself for five 
minutes for questions.
    Thank you very much to all of the panelists for your 
testimony, and I want to dig a little deeper into the 2017 
malware attack executed by North Korea. This attack disabled 
hundreds of thousands of computers in hospitals, schools, 
businesses, and homes in more than 150 countries. It even shut 
down a portion of Britain's National Health Service for a week.
    So, Chairman Rogers, can you describe the potential effect 
a cyber-attack on critical infrastructure like this could have 
in the United States?
    Mr. Rogers [continuing]. Fortunate it was North Korea. It 
was a ransomware-based attack that in some ways didn't even 
have a way to pay back the--pay the ransom. So, it was probably 
the least-capable actor, even at a high end, that was able to 
infect these systems.
    And it was--it had a global-wide impact, and sometimes 
surgeries were turned off because they couldn't actually access 
the right and appropriate records for the surgeons to do a 
surgery. So, you can imagine it had both health impacts of that 
sort, financial impacts, and as you said, schools. It was 
really, really dangerous, and it was very widespread. And part 
of it was they couldn't control it. It kind of fed on itself 
and spread without them directing it, which is a whole problem 
of probably not a top-tier nation-state actor.
    They've gotten better since then. That's the scary part. 
So, I would say that when you look at what the threats are, we 
know where our biggest adversaries are coming. So, China uses 
all of its state power to do and set themselves up for 
influence around the world. They use diplomacy.
    And if you look at the fact that they've confiscated masks 
from rightful contract owners that they were going to be 
delivered to, gave them to entities in China so they could 
deliver them in a way to try to get credit for their influence 
operations. They use military, defense, and intelligence cyber 
operations. They use cyber operations for espionage.
    I would look at all the ways they're coming at us. What we 
know is they'd love to get access to people's data from a 
nation-state perspective, but also cyber criminals, organized 
cyber criminals and others who would love to get the data that 
the U.S. Government collects from U.S. citizens. Everything 
from food stamp participation--think of all the information you 
have to give in order to get that program and qualify for that 
program. It's sitting in a repository at the Federal 
Government. That's valuable to a cyber thief.
    So, I would look at this. I mean, that was a massive attack 
by a nation-state, but we have all of these other attacks 
underneath it. And again, that's my argument for the Cyber 
Director is you want somebody not just to incident respond, you 
want somebody for pre-crisis.
    How do you help these agencies? Not hurt them, not hit with 
a club when they're not doing it right. But help them through 
what they need to look like in their cyber shops and the kind 
of tools that we do, and by the way, can we do this with a 
collective defense mentality so that when one gets attacked, 
everybody knows what that threat is moving forward?
    That's the way I would look at this. Let's try to be pre-
crisis. And having that Director whose sole job every day is to 
get up and she needs to think through all of those problems, my 
argument would be we're going to be better off.
    Because there is lots of talent. I think Mr. Gallagher and 
Mr. Langevin highlighted it, lots of great talent out there. We 
need to now coordinate it. Remember, not expanding it in 
Government, but focus it on the problem that helps us the most.
    Chairwoman Maloney. Mr. Yoran, I was shocked by the 
statistic from Tenable's 2019 report that 90 percent of 
critical infrastructure operators witnessed at least one 
damaging cyber-attack in the past two years. I understand that 
much of our Nation's critical infrastructure is managed by an 
array of different companies that are responsible for different 
parts of the process.
    Mr. Yoran, what would happen if one of these companies was 
compromised? Can you talk about these attacks and enlighten us 
more?
    Mr. Yoran. Yes, I think the effects of the attack can 
vary--of these attacks vary greatly. In many cases, outage can 
certainly ensue. In other cases, it's more of a preparation 
where systems are being compromised, information is being 
stolen, but the adversary has no desire to create an outage, 
unless perhaps it's during time of crisis.
    So, I think the impacts here could vary greatly, and it's 
one of the reasons why we need a systemic understanding of risk 
and why a National Cyber Director needs to work closely with 
the regulatory agencies that do exist to make sure that we're 
implementing a standard of care that makes sense, that we don't 
see the continued sort of negligent behavior where enterprises 
are not maintaining good hygiene of their systems. They're not 
providing patches and updates and doing the maintenance that's 
required to keep them in a secure state.
    And this sort of poor hygiene results in a vast super 
majority of the breaches, including the ones that were cited 
earlier perpetrated by North Korea and a lot of the damaging 
ones that we've read about in many of these high-profile cases.
    Chairwoman Maloney. Do you believe that this bill, H.R. 
7331, would help the Federal Government address these concerns 
more effectively?
    Mr. Yoran. I think there's no question in my mind, having 
done cybersecurity now for over 25 years and having spent time 
in multiple departments of the Federal Government, as well as 
serving with cybersecurity products to private sector and now 
also helping the Federal Government with technologies to 
protect itself. A role like this would help provide a 
coordinating capability and bring the maximum understanding and 
appropriate resources to bear in a coordinated fashion as the 
Federal Government.
    So, I think it was either Representative Langevin or 
Gallagher who said, you know, the preparation work that we do 
now can have a significant impact on the crisis that we face or 
how we deal with the crisis we might face down the road. So, I 
think the creation of the office and this role are absolutely 
critical steps forward.
    Chairwoman Maloney. Thank you.
    I now want to call on Jamil Jaffer--who disappeared for a 
while, but he is back with us--for his testimony. Mr. Jaffer?

 STATEMENT OF JAMIL N. JAFFER, FOUNDER AND EXECUTIVE DIRECTOR, 
      NATIONAL SECURITY INSTITUTE, GEORGE MASON UNIVERSITY

    Mr. Jaffer. Ms. Chairwoman, thank you so much for the 
opportunity, and apologies for the technical difficulties.
    Chairwoman Maloney, Ranking Member Comer, members of the 
committee, thank you for inviting me here today to discuss our 
Nation's cybersecurity preparedness and the proposed 
legislation to establish a new Cyber Director.
    As the members of this committee all too well know, the 
cyber threats facing the United States, including our public 
and private sector, are, in a word, massive. It is no 
overstatement to say that for all practical intents and 
purposes, we are at war in cyberspace. And unfortunately, as a 
Nation, we remain woefully underprepared to deal with this 
serious and ongoing conflict.
    Now lawyers may quibble with whether we're actually at war, 
and they may point out that the United States nor any of our 
enemies actually declare that we're at war, but the fact is 
that for the better part of a decade, our Nation has been 
involved in a consistent and ongoing series of conflicts in 
cyberspace, albeit fairly low level. And regardless of whether 
we call this a war or not, there can be no question that it's 
had a huge impact on our Nation and its allies.
    Cyber-enabled economic warfare conducted by China, 
primarily focused on the U.S. private sector, drains private 
companies of billions of dollars a year, with total damages 
ranging into the trillions. Former NSA Director General Keith 
Alexander says that this activity represents the greatest 
transfer of wealth in human history.
    Chairman Rogers on this panel nearly a decade ago called 
attention to this economic threat posed by China and referred 
to the fact that we were actually in an economic cyber war 
nearly 10 years ago. And that there are two types of companies 
in this country, those that have been hacked and know it, and 
those that have been hacked and simply don't know it yet.
    We have also seen countries like North Korea and Iran 
engage in the destruction of data and bricking of computer 
systems here in the United States in the last half decade. We 
know that the DNI has told us that Iran is actively preparing 
for cyber-attacks against the U.S. and our allies. We've seen 
the highly corrosive effects of Russia's ongoing active 
measures campaign on the American body politic, undermining our 
elected officials, our rule of law institutions, including the 
Justice Department, the FBI, and the intelligence community.
    And to be sure, while we played a role in some of this, the 
Russians have paid very little price for this, and the Chinese 
and Russians both know this. We've already seen them mucking 
around with more covert operations on the COVID virus and the 
killing of George Floyd.
    Now we may see these same players become more active in the 
upcoming election cycle. In fact, as Chairwoman Maloney noted 
over three years ago, cybersecurity poses a greater and greater 
risk to the safety and soundness of our financial system. We 
know what a serious threat cyber poses to our economy and to 
our people, and with the current coronavirus situation and the 
new work from home environment with over 300 million workers 
around the globe working from home, including 90 percent of 
banking and insurance employees, these efforts represent a 
uniquely challenging threat to our economy and to our way of 
life.
    So, then the question becomes what should we do about it, 
and how much of a role can creating a new Cyber Director at the 
White House play in this process? While I completely agree with 
all the members of my panel as well as Congressman Gallagher 
and Congressman Langevin, who I've had the pleasure to work 
with in the past, that having a key strategic leader at the 
White House is critically important, I'm skeptical of the need 
for a large office of 75 people, fully one-third of the size of 
the existing entire National Security Council, and the need to 
have that individual Senate-confirmed.
    We know that almost any White House, whether Republican or 
Democrat, this administration or another, regardless of what 
you think about this administration, will be opposed to the 
creation of a new, yet one more Senate-confirmed individual in 
the White House office.
    Indeed, there are other alternatives for the committee to 
consider, right? The committee may consider creating a position 
in the White House office, but not making it Senate-confirmed. 
They may consider creating an office that is smaller and more 
leadership oriented, a 5-to 10-to 15-person office.
    The committee could work with the President to ensure that 
that person has the rank and stature of a Deputy Assistant to 
the President and is able to effectively work through the 
National Security Adviser, has full responsibility for the full 
range of issues in this space to ensure that we have unity of 
effort.
    There is no doubt with all the cooks in the kitchen from 
DHS, CISA, to NSA, to U.S. Cyber Command, to the FBI, better 
coordination, more aggressive coordination with the White House 
is necessary. The only question for the committee to consider 
is whether that requires Senate confirmation and a 75-person 
office. On that note, I am somewhat skeptical, but I recognize 
that there is a lot of--a lot of my friends and colleagues, my 
former boss Chairman Rogers, who support this, and I have a lot 
of respect for that position.
    With that, thank you, Ms. Chairwoman. Again, apologies for 
the technical difficulties earlier, and I yield back the 
balance.
    Chairwoman Maloney. Thank you. Thank you for your 
testimony.
    And I would like to ask you about the 2017 Russian cyber-
attack known as NotPetya. It froze computer systems around the 
world in exchange for ransom. And in Ukraine, the attacks hit 
hospitals, power companies, airports, banks, and practically 
every Federal agency. The U.S. was not immune. This attack hit 
FedEx and the drug company Merck, costing each more than $300 
million in lost business and clean-up.
    So, Mr. Jaffer, how great is the risk of a large-scale 
ransom attack hitting the United States today?
    Mr. Jaffer. Chairwoman Maloney, I think it's a huge issue. 
What you see there in that case was a very carefully crafted 
attack by Russia against Ukraine. So, a sophisticated actor.
    What happened was we had collateral damage, right? These 
American companies, $10 billion worldwide, the most destructive 
attack in the history of humankind. And as you mentioned, over 
five international companies, mostly in the West, who suffered 
between $250 million to $350 million of damage.
    What that demonstrates is that even if you think as a 
company you're not likely to be affected by a nation-state 
attack, the reality is you may very well be because you may be 
collateral damage in an attack by a sophisticated attacker 
against another nation-state as was the case of NotPetya, 
Russia against Ukraine.
    Chairwoman Maloney. Thank you. OK, thank you. And a 
centralized cybersecurity coordinator at the White House seems 
essential to ensure the swiftness and agility needed to respond 
to cyber-attacks.
    I now recognize the Ranking Member Comer for his questions.
    Mr. Comer. Thank you, Chairwoman.
    My first question would be for Mr. Daniel. Could you walk 
me through how a major cyber incident currently proceeds 
through the Federal Government and how it might change with the 
advent of a National Cyber Director?
    Mr. Daniel. Sure. I think that right now, it really depends 
on who first becomes aware of that incident, right? It depends 
on if that incident is actually disclosed by a private sector 
entity and how it comes in, whether they disclose it to CISA or 
to the FBI or to the NSA.
    But then at some point, if it gets big enough, that those 
entities would eventually probably share that information with 
some of the other elements of the U.S. Government. And then the 
Government would need to do an assessment on how--whether that 
incident actually represents something that is more systemic. 
In other words, is it going to turn into a WannaCry or a 
NotPetya, where it is going to proliferate across more of the 
economy, or is it more limited?
    And then the Government would need to do an assessment on, 
you know, whether or not a response is warranted, based on that 
incident. I think in that case, that's where you would want--
when you start to look at how the U.S. Government responds, 
that's where you really want that coordination, that intense 
level of coordination to actually come together.
    Just because an attack comes through cyberspace does not 
mean that the only response needs to be back at the adversary 
through cyberspace. You might want to use other policy tools 
and means to respond, and that's why that coordination factor 
across all the different elements of national power is so 
important.
    Mr. Comer. OK. My next question will be for Mr. Jaffer. 
Earlier this month, in a joint public service announcement by 
the FBI and DHS's Cybersecurity and Infrastructure Security 
Agency, the FBI reported it is investigating--and I quote--
``targeting and compromise of U.S. organizations conducting 
COVID-19-related research, PRC-affiliated cyber actors, and 
nontraditional collectors.''
    So, in other words, there is reason to believe China is 
attempting to exploit the recent pandemic to hack into U.S. 
businesses conducting research on the very virus originating in 
its own country. So, Mr. Jaffer, could you please explain some 
of the methods China is using to try to steal our Nation's 
critical research into this virus or, if you have no insight 
into current methods, the various ways China accomplishes its 
many cyber intrusions?
    Mr. Jaffer. Thank you, Ranking Member Comer.
    You know, the Chinese have been engaged in this effort to 
steal American intellectual property for the better part of a 
decade and a half. We didn't talk about it publicly for a long 
time, and it was only until Chairman Rogers and General 
Alexander came out and started talking about what was happening 
with China that the public became really aware of it.
    And it's only in recent weeks and months that we've really 
become aware of our supply chain dependence upon China when it 
comes to things like PPE and pharmaceuticals. We now realize 
that that has also expanded well beyond the semi-conductors, 
quantum, and the like. So, what China is doing is they have 
literally built their economy on the backs of American 
innovation, on the backs of American R&D.
    You wonder why a Huawei router often looks like a Cisco 
router? It's because, sir, it essentially is a Cisco router. 
They stole intellectual property, re-purposed it in China, and 
then sold it as a good.
    Now they've built on that for sure. They are trying to do 
the same thing in the COVID arena. They're trying to get out 
ahead of this, trying to have the vaccine first, and 
essentially grow their economy on the backs of our challenges, 
and they're going to steal our intellectual property to do 
that. We simply cannot allow that to happen.
    This has been a national-level issue. The President has 
been very aggressive in pursuing China on this front. We ought 
not let a trade deal get in the way of ensuring that we hold 
the line and stop the Chinese from conducting this continuing 
effort of economic espionage that has allowed them to build 
their economy on the backs of American R&D.
    Mr. Comer. Madam Chair, we had this hearing, and it has 
become--you know, it has always been clear that cybersecurity 
is a huge threat to the United States. We talk about China 
being one of the worst actors with respect to cybersecurity 
threats and cybersecurity violations. You look more at China, 
and you see they've been stealing our patents for years, our 
intellectual property.
    Who knows what all they've done with respect to COVID-19? I 
think we would like to get to know that. I know the Select 
Committee is delving into that supposedly.
    We spend a lot of time in this committee investigating 
Russia. I believe that the American people, the American 
taxpayers would be better served if we spent a little bit of 
time investigating China. So, in closing, I would really 
encourage you to consider devoting a little bit of time on this 
committee to investigating China, whether it be COVID-19, 
whether it be our intellectual property or our patents, whether 
it be cybersecurity hacks, threats, things of that nature.
    So, that is my encouragement to you as we proceed and 
hopefully work together in a bipartisan way. But I want to 
thank all the witnesses for being here today, and I look 
forward to further discussion on this proposal. With that, I 
yield back.
    Voice. Thank you, Mr. Comer.
    Next we will go to Ms. Norton. Ms. Norton, you are unmuted.
    Ms. Norton. I want to thank the chair. Can you hear me and 
see me? I want to thank the chair for this really important and 
timely hearing.
    Because I represent the Nation's capital, I have a special 
interest in this hearing. We are, of course, like most big 
cities, but we are not just any big city. And my question goes 
to what has already happened to some big cities.
    I don't know who is going to answer this. Perhaps starting 
with Mr. Rogers, I am not certain. But we have already seen 
that another big city, New Orleans, has actually had its--
ransomware shut down altogether, grounding all their operations 
to a halt. Imagine if that happened to the capital of the 
United States.
    So, I must ask if we are fortified here in, for that 
matter, the Nation's capital and in other cities against 
similar shutdowns of all operations, blacking out the city 
altogether? So, I would--any number of you are likely to be 
qualified to answer this question, but I would begin with Mr. 
Rogers.
    Mr. Rogers. Thank you, Congresswoman. I appreciate the 
question.
    You know, we've seen this ransomware activity for multiple 
years now, and it became more aggressive and more aggressive, 
meaning that it was spreading amongst organized crime, 
international organized crime groups and others seeking to gain 
revenue from this, including, by the way, the North Koreans, 
who used ransomware attacks to gain revenue for the government.
    Early on, I hate to say about my brethren in the FBI, their 
early recommendations to some of these companies were you 
probably should just pay it because we don't have any way to 
intercede in the interim to do anything about it. So, you had 
major hospital organizations, the Los Angeles hospital system 
comes to mind on one of the early, early cases, where they 
ended up, you know, distastefully to have to pay for this.
    So, it is a real threat. And this is one of the problems 
with cyber protection writ large. We have to remember that the 
NSA doesn't protect the private sector in the country. It's a 
common myth that they're protecting everybody. They're not. 
They're protecting the Government, and then they're doing 
collection activities targeted at our overseas adversaries 
trying to do something bad to the United States.
    So, we have this really uneven ability to stop this in 
cities across America. And candidly, Congresswoman, I think 
most cities in America are not prepared for this, and they have 
old systems. They have legacy systems. They haven't spent the 
money to upgrade their systems and then provide a level of 
protection that would keep that data safe.
    That's why people are going to cities because they believe 
that they're the most vulnerable. And again, remember it's not 
the NSA's job to protect New Orleans or Detroit, Michigan. 
That's not what they do. So, it is really up to the private 
sector and those cities trying to develop systems that they can 
put in place, private systems much like the companies I'm 
involved with who are looking at collective defense and other 
things to try to protect it.
    This is why, in my mind, a coordinated effort out of the 
White House with all of our agencies in the right direction and 
maybe even helps the Department of Homeland Security get the 
word out to these cities the problems that they really have. 
So, we are a long way, I guess is the short answer to this. 
We're a long way from those cities being protected.
    And as more international organized crime organizations 
take on nation-state quality tradecraft, meaning you say the 
Russian tradecraft depended on the method used, the more 
susceptible we are. And we're seeing that. We're seeing that 
leaching of nation-state quality in the tradecraft in 
cyberspace leach into these organizations.
    I argue we're up for a really bumpy road coming up in cyber 
the next few years outside of the U.S. Government across both 
private sector and local and state governments.
    Ms. Norton. I guess New Orleans did pay off. I mean, it is 
really unnerving to hear you say at the moment the 
vulnerability is so great that you pay off----
    Mr. Rogers. Exactly. And we all know what happens, Madam--
Madam Congresswoman. When you pay it, guess what? More people 
are deciding they want to get into the business and try and 
extract you from your money, and that's the problem we're 
running into.
    Ms. Norton. Exactly. That makes us all now vulnerable to 
paying up.
    Mr. Rogers. Yes.
    Ms. Norton. In the time I have remaining, I really can't 
help but ask about the election. We have already had perhaps 
most of our primaries, and I am wondering if any of you, 
perhaps beginning with you, Mr. Rogers, have seen any 
interference, any evidence of interference with our elections? 
I mean, we have seen it with financial institutions worldwide. 
How about interference with our elections such as, for example, 
any alteration in election results would occur?
    Mr. Rogers. I can tell you in my work in some of the 
private work that I do, including being vice chairman of Mitre 
Corporation, we haven't seen any, you know, flip one vote to 
another vote. Have not seen that.
    We have, in fact, writ large--let's talk about writ large--
seen going into 2018 that our adversaries, nation-state 
adversaries tried to influence elections by creating chaos, and 
I think we need to be really careful about saying Republican 
versus Democrat. What they're trying to do is create chaos. 
They don't care.
    They don't like Democrat Americans any more than they like 
Republican Americans. They don't like either one. So, they're 
trying to create this chaos in these elections.
    General Nakasone and his team I thought did a phenomenal 
job in 2018 kind of playing that whack-a-mole game to push them 
back, but we know it's a tactic of which they will use because 
they've announced that they, the Russians, the Chinese have 
said, hey, this is very effective, very low consequences. So, 
we're going to kind of ramp up our engagement in trying to 
create this chaos going forward.
    It is something that I think we absolutely have to pay 
attention to. Remember, it's very cheap for them. They don't 
have to go out and buy a new carrier. They don't have to 
develop a naval fleet and then stock it with----
    Ms. Norton. Are states and cities--are states and cities 
aware enough so that when they see this, right now it is just 
interference. It has not had consequences. Are states equipped 
to fight back in November? We only have a couple of months to 
be tested.
    Mr. Rogers. Yes. I think it's difficult for states and 
local governments to do this. I do think we need to look--we 
need to ask ourselves what do we want our high-tier performing 
national, Federal agencies to do for us?
    I think this is where the National Security Agency and 
other high-level performers can be very helpful in trying to 
stop this across the United States, mainly because it is a very 
sophisticated nation-state actor activity. Now there are some 
other groups out there that are trying to get into this game 
that are just--that are worrisome. But I think we should employ 
all the tools that we have.
    And this is where I think congressional oversight is so 
important. Know what it is, talk to them about what they're 
doing, and then encourage them because it's not always going to 
go the way we want. But you have to encourage them to get out 
there and help push back on these activities.
    Chairwoman Maloney. The gentlewoman's time has expired.
    Mr. Yoran. Yes, just we've got a lot----
    Chairwoman Maloney. I now call on----
    Mr. Yoran. Sorry. I just wanted to followup on that. I 
think we have a lot of tools at our disposal. I would just be 
careful to try and solve all problems with the NSA. I know the 
Department of Homeland Security and CISA in particular, working 
with nonprofits like the Center for Internet Security, have 
done a tremendous job laying the groundwork for paving election 
security and election security response capabilities for the--
each of those jurisdictions.
    But there are other things. I mean, the state and local 
governments have very significantly limited expertise. They 
have limited resources, and those that have resource 
restrictions have been exacerbated by their response to corona 
and with a heightened threat provided. So, I think this is an 
area where even a modest amount of funding, additional 
coordination, and policy directed from the Federal Government 
can have a disproportionately huge impact on better protecting 
the Nation.
    Ms. Norton. Thank you very much.
    [Pause.]
    Ms. Norton. Madam Chair, I yield back.
    Chairwoman Maloney. Mr. Gosar?
    Mr. Gosar. Thank you, Madam----
    Chairwoman Maloney. Can staff tell me who I should call on 
if Mr. Gosar is not here?
    Mr. Gosar. I am here.
    Chairwoman Maloney. OK, good. Good. You are recognized.
    Mr. Gosar. Thank you, Chairwoman.
    I am going to go back to you, Mr. Jaffer. I want to have 
you walk through. You made some--gave us some ideas of maybe 
this wouldn't be appropriate at the Presidential level. Can you 
walk us through that a little bit more?
    Mr. Jaffer. Sure. So, Mr. Gosar, as you may know, there are 
four Senate-confirmed individuals today in the White House 
office--the Director of OMB, the U.S. Trade Rep, the head of 
the Office of National Drug Control Policy, and the head of the 
Office of Science and Technology Policy. Of those, two really 
focus on things that Congress and the President really share--
trade, on one hand, and the power of the purse, OMB, right?
    That's why those two have been very successful. The two 
that have been a lot less successful, ONDCP and OSTP, are 
largely less successful because they're not really a shared 
relationship. On this one, the challenge you have is that this 
is an area where the President feels strongly. This is a 
national security responsibility. Like this is like war-making 
in a lot of ways, right, and there are non-war making 
components.
    The idea that any President--Democrat, Republican, Trump or 
otherwise--would be willing to give up a significant portion of 
authority I think is going to be a challenge. I think you're 
going to face significant challenge with the White House.
    So, I think the better approach here is to find the path 
forward to work with the President, emphasize the importance. 
Look, the Congress did this here just in the last few years 
with the issue of interference in elections and the like, and 
they've prioritized it. They put statutory language in. They 
made it a responsibility of the National Security Council, and 
they required a coordinator to be appointed by the President.
    That's a good example of the way that Congress was able to 
work with the White House on solving these problems rather than 
trying to get a Senate-confirmed individual with a large 75-
person office.
    Mr. Gosar. Gotcha. So, Mike Rogers, you know, looking from 
the outside, you have been part of the matrix of Congress. Do 
you agree with anything that Mr. Jaffer has brought forward in 
that aspect?
    Mr. Rogers. I mean, I do. I had the same sensitivities 
about do we--do we really want to impose on a President some 
structure on national security within the National Security 
Council at the White House? And I wrestled with this a lot.
    The reason I think I have come full circle on this is 
because I have seen it from the private sector side as well as 
being chairman of Intel when, candidly, I thought, no, we can 
do this. And this really isn't a Republican or a Democrat 
thing. The Bush Administration had an effort at this. The Obama 
Administration had an effort at this. The Trump administration 
took a very different take on how they wanted to do it. And my 
argument is none of it really worked to our advantage.
    So, when you look at the series of challenges--and this is 
why. This is not, to me, some kind of semantic argument about 
should we or shouldn't we? Every major adversary--China, 
Russia, North Korea, Iran--there are others, but those are our 
main cyber adversaries--are ramping up the use of cyber because 
they know it has low consequence and high impact.
    And if you look at Kim Jong Un, who said the thing that's 
going to keep me in charge are nuclear weapons and 
cybersecurity, offensive cybersecurity. So, he's investing in 
it. We know that the Chinese are spending billions of dollars. 
Matter of fact, they've announced they're going to spend $1 
trillion to try to have a technological edge in quantum 
computing, 5G buildout, AI and AI research, including, by the 
way, cyber capability and data control.
    So, they're looking--they're moving away from building 
large defensive military posture, and don't get me wrong, I'm 
for that. But what they're doing is trying to spend it 
targeting us. And my concern is if we keep doing it the same 
way, we are going to keep having the same response. And the IG 
response that we have now is basically I caught you for the 
last 12 months doing something wrong. I'll come see you in the 
next 12 months to see if you get it right.
    That is not working. It will not work. We will get our 
lunch ate. I argue we are getting our lunch ate under that 
plan. Let's have some office that has that authority--and by 
the way, it takes it. You have some big personality DOD, NSA 
organizations. I'm not talking about the individual leaders. 
It's just they're big personalities to deal in this.
    Nobody wants to listen to anybody. You have to have a 
committee to settle on the way forward. I think you need 
somebody to say I'm here to help you. We're going to get that 
piece right. We're going to fix this piece. We're going to 
coordinate resources. I'm going to reach over to NSA talent and 
who knows? Department of Agriculture figured this out last 
week. We're going to--we're going to include all that to help 
all.
    We don't have that today in that really in that regard. And 
that, to me, has to change. If we could figure out another way, 
great, but I like this idea because it is a radical change and 
really puts it at the feet of an individual to fix this 
problem.
    Mr. Gosar. OK. Now I am going to finish with my last 
question to you. Then looking at the legislation as is, do you 
see any additions or subtractions to it that would keep it on a 
desired pathway, Mike?
    Mr. Rogers. I mean, and here is where I agree with Jamil. 
And he and I had these conversations often when we were working 
together in the Intelligence Committee. You want to make sure 
we're not propping a bureaucracy here. If everybody in this 
bureaucracy gets to say no and everybody gets to sign off, we 
lose. It has to be smaller and more agile. I would worry about 
the body count.
    Now maybe 75 is right. I don't know. Maybe it's 50. I don't 
know. But we need to make sure that it is agile enough in its 
strategic advice that it can actually do something. It needs to 
say, ``Department X, you haven't performed. Not that I'm going 
to beat you with a stick or have you hauled before Congress, 
I'm going to help you get where you want to go.'' That's what 
this needs to be.
    And you know, how it looks in text and legislation, as we 
all know, the devil is in those details. And I would flyspeck 
those to death. I'm for that. But if we don't do something 
pretty radical, we are already behind the eight ball.
    And I'm talking even offensive policy, defensive policy, 
and then all these agencies that nobody even knows are out 
there working that have all this sensitive data that nobody 
thinks that loves them are great targets for cybersecurity. So, 
all of that I think--that's why you need somebody to pay 
attention to it every single day.
    Mr. Gosar. Thank you, Chairwoman. I yield back.
    Chairwoman Maloney. The time of the gentleman has expired. 
Chairman Connolly? Chairman Connolly is recognized.
    Mr. Connolly. Thank you, Madam Chairwoman, and thank you to 
our panel. Fascinating conversation.
    And I don't know if Jim Langevin is still with us, but 
congratulations on the work of the Cyberspace Solarium 
Commission and this piece of legislation.
    I want to go to practicality. I have spent all 12 years of 
my life in Congress focused on Federal IT, modernizing Federal 
IT. And you know, we spend $96 billion a year on IT at least, 
80 percent of which is spent simply maintaining legacy systems, 
many of which cannot be encrypted. They can't be updated for 
21st century cyber protection.
    And I want to raise some concerns, and Mr. Daniel and Ms. 
Spaulding, you both kind of touched on it, as did Mr. Jaffer. 
Mr. Daniel, you were in the White House. We have a CIO in the 
White House. We have a CTO in the White House. We have a Chief 
Information Security Officer in the White House, and we have 
the Office of Science and Technology Adviser. All right?
    All four of those offices right now, their responsibility 
in some measure for IT investments in the Federal Government, 
they're trying to modernize and to protect in terms of cyber. 
How will the creation of a cyber czar work with those other 
offices, and what authority will he or she have to help 
upgrade?
    I mean, to upgrade a legacy system is going to cost at 
least billions of dollars multiple years. We have been trying 
for five years through the FITARA legislation that came out of 
our committee to exhort Federal agencies to make those 
investments. Will the cyber czar have superseding authority 
with respect to the kinds of investments that they make? Will 
he or she be required to coordinate with the CTO or the CIO, 
who are charged with setting certain sets of goals for the 
Federal Government that include cyber, but are not limited to 
cyber?
    And I say all of this supportive of the attempt in the 
legislation, but worried about its execution, worried about 
overlap and what could go wrong with this in terms of 
coordination. And maybe I could start with you, Mr. Daniel, 
given your experience. Presumably, those are real concerns. Do 
you share them, and what protections can we take in creating 
this position to avoid the inevitable conflict, bureaucratic 
conflict that could ensue?
    Mr. Daniel. Well, thank you, Congressman.
    I certainly agree that this position would need to work 
very closely with the Federal CIO and the Federal CISO, and the 
way that I look at it is that you would want to have this 
position work with--those offices are designed to focus 
exclusively on the security of Federal networks, and that would 
be one, one element of a National Cyber Director's portfolio.
    So, what you would want is you would want that position 
working very closely with those individuals to be able to 
highlight the threats to Federal networks across the broader 
policy space, to advocate on behalf of investments. Certainly 
one of the challenges that agencies have is that it is 
relatively easier to get operational money to keep the old 
stuff going, and it's much, much harder to get procurement 
money to actually upgrade things.
    So, there's a structural problem in the budget process for 
how we--how we go about funding, you know, upgrades in IT. And 
that creates an incentive for agencies to keep old stuff around 
forever, which is inherently harder to secure.
    What you would hope is that a National Cyber Director would 
also be able to help bring in expertise from the private sector 
to help the Federal Government do better. And then, last, to 
look at what are the structural changes we can make across the 
Federal Government? At some level, it's kind of ridiculous to 
expect the Denali Commission to really focus and be good at 
cybersecurity. We need to continue working on much more cross-
agency support for cybersecurity so that we're not expecting 
every agency to be really, really good at their cybersecurity 
and instead think about the--you know, the economic principle 
of comparative advantage.
    Mr. Connolly. Well, I certainly agree with you that we 
would hope and expect that they would work closely together. 
But we are addressing a bill here. We are codifying a position. 
And I want to do more than hope that they coordinate. I want to 
make sure we get it right so that this person, this position 
can hit the ground running with defined responsibilities.
    Because if we don't get this right, you're going to buildup 
bureaucratic resistance. So, instead of getting cooperation in 
cybersecurity, you actually get bureaucratic resistance. We 
certainly have seen that in CIOs. You mentioned bringing people 
in from the outside. We have done that with CIOs, and their 
lunch gets eaten.
    You know, the bureaucracy just gangs up on them because 
they are outsiders. They are alien. They are grafted on. They 
are presuming to tell me what to do, and as a result, they 
fail. Not all of them, but you know, I----
    Chairwoman Maloney. The gentleman's time has expired, but 
the gentleman----
    Mr. Connolly [continuing]. Just wanted to share that 
concern. Thank you, Madam Chairman.
    Chairwoman Maloney. OK. The gentleman's time has expired, 
but the witness can respond to your question.
    Mr. Daniel. Well, thank you. Yes, I mean, I certainly agree 
that, you know, requiring some coordination with the Federal 
CIO and the Federal CISO, whose job it is to focus on Federal 
agency cybersecurity, you know, could be useful because it's 
those individuals who should really focus specifically on that 
task. And that--again, this would just be one aspect of 
something that a National Cyber Director would have to be 
concerned about.
    Chairwoman Maloney. Thank you. Mr. Massie is now 
recognized.
    Mr. Massie. Thank you, Madam Chairwoman.
    My first question, which I think should be everybody's 
first question, is what is the budget for this proposed Office 
of the National Cyber Director? And the second part of that 
question is, in addition to the 75 employees that are 
anticipated, how many--what percent of the money is going to go 
to contractors?
    And anybody can answer that question, if there is an answer 
to it.
    Mr. Jaffer. Well, Mr. Massie, it's Jamil Jaffer.
    We don't know what the budget is. There's no authorization 
for appropriations in the bill, as far as I can tell, and we 
don't know what the committees will give it. That being said, 
the 75 FTE that are in there are a significant number. There is 
also authority to bring billets in from other parts of the 
Government, as well as to hire outside experts and the like. 
So, this number, 75, could actually grow beyond that.
    Now to be fair, the legislation does just say ``up to 75'' 
for the full-time equivalent, but there's a lot of other room 
in there. And depending on what the various committees of 
jurisdiction appropriate and authorize, that may make a big 
difference, sir.
    Mr. Massie. OK. That is a question I would like to get an 
answer to. Let me go on to my next question. This is for Ms. 
Spaulding.
    You were on the commission that recommended this position. 
Is that correct, Ms. Spaulding?
    Ms. Spaulding. That's correct, yes.
    Mr. Massie. OK. Was there an advocate for civil liberties 
and privacy on that commission, and if so, why is there not in 
this proposed legislation? I know you probably didn't write the 
legislation, but there is two Deputy Directors, but I don't see 
a Deputy Director for Civil Liberties or an advocate for 
privacy in here. Should there be one, and was that discussed in 
the commission?
    Ms. Spaulding. So, it's an excellent question, Congressman, 
and I have a long record of being an advocate for civil 
liberties and for privacy throughout my career. I think a 
number of us on the commission came to the table with those 
sensitivities and those equities very much in mind. There was 
no specific person designated for that, but a number of us, as 
I say, brought those sensitivities to the discussion.
    And I think, you know, certainly privacy is one of the 
values and interests that cybersecurity is very much intended 
to protect. So, I think in many respects privacy is very much 
built into the efforts to strengthen our cybersecurity. But 
there are times in which the way in which you approach security 
issues may have implications in other contexts for privacy and 
civil liberties, and I think your point is very well taken.
    And I think there ought to be an emphasis. I'm not sure a 
Director specifically for that, but certainly, when I was at 
the Department of Homeland Security as the Under Secretary for 
what is now CISA, I valued very highly having a specific 
individual and staff focused on privacy and civil liberties 
issues, as did the Department as a whole, and found their input 
and insights extremely important and valuable.
    Mr. Massie. Well, I would like to see that, if we create 
this office, defined legislatively because there always seems 
to be a bias in the other direction. So, I think we need an 
advocate there. Thank you for being one.
    Mr. Jaffer, what does it mean to have a list of trusted 
vendors when those vendors are putting backdoors intentionally 
into their hardware and software? How can you have a secure 
cyber system in the Government when we were actually even 
sometimes encouraging those vendors to put backdoors in?
    Mr. Jaffer. No, I think it's an important question that you 
raise, Congressman Massie. At the end of the day, you know, we 
have legislation that permits the Government to obtain certain 
access to telecommunication systems, the Communications 
Assistance for Law Enforcement Act. That's typically the way in 
which law enforcement gets access to telecoms.
    Now if we're talking about other systems, that's a harder 
question. More often than not, what typically happens in 
Government is, is the Government will come to a provider with a 
court order, either from the Foreign Intelligence Surveillance 
Court or from a Federal court or a subpoena authorized by 
Congress to get access. It's not typically happening in a 
cooperative manner. Typically, it's through some sort of legal 
process because the companies have learned that it's important 
to have that kind of process that if they ever get--if it comes 
out or they're sued, they have the protection of the law to 
help protect them.
    So, that's typically how we see it happening. There is 
usually a judge involved. If not, some sort of administrative 
process that Congress oversees, sir.
    Mr. Massie. OK. Well, I think there is a little bit of an 
oxymoron of creating a list of trusted vendors and then asking 
them to put backdoors in their products. So, I am concerned 
about that.
    My final question is, what is the real responsibility of 
the Government to provide security for a company like Sony, who 
has over 8 trillion yen in revenue every year? And yes, Mr. 
Jaffer?
    Chairwoman Maloney. The gentleman's time has expired. The 
gentleman may answer the question.
    Mr. Jaffer. Yes. So, it's a great question, Congressman 
Massie. You know, one of the challenges we have is that today 
in our country, we expect every company, whether it's a large 
Sony, the JPMorgan Chase, or the small mom-and-pop bake shop, 
we expect every single one of those companies and all that part 
of American small business that run our economy and that are 
the real engines of innovation, we expect all of them to defend 
themselves against nation-sanctioned actors in Russia, China, 
Iran, North Korea that have virtually unlimited human and 
monetary resources to throw at this problem. It's an unwinnable 
battle.
    We've got to get those companies to come together with one 
another to create a collective defense structure with multiple 
industries working with one another, and the Government, 
frankly, takes all this intelligence it collects and provides 
it back to industry in an actual form to help them defend 
themselves. If we're going to put them on the front lines, we 
owe them better, and we're not doing that right now, sir.
    Mr. Yoran. Well, if I can interrupt here? I think that 
there is maybe a misperception being created here. I don't 
think they're dealing with sophisticated adversaries. Many of 
these companies are falling victim through simple negligence. 
They're not applying a standard of care with their system, and 
I think the line of questioning is important.
    And why I think it's important to have this Cyber Director 
position is to balance the equities of law enforcement where 
there are proposals, sponsored proposals to create backdoors 
and weakness, and weaken the encryption in commercial products. 
There are intelligence gain/loss decisions that are made on a 
daily basis. There are law enforcement considerations in 
creating norms of behavior and interactional norms of behavior 
here.
    And all of these things are being done without having a 
national policy thought through at the White House level that 
can balance and consider all of these different equities. It's 
sort of each department and agency off and running on their own 
in a fairly uncoordinated fashion.
    Mr. Massie. Thank you, Madam Chairwoman, I yield back.
    Chairwoman Maloney. Representative Raskin is now 
recognized.
    Mr. Raskin. Thank you, Madam Chair. And I want to salute 
our colleagues Mr. Langevin and Mr. Gallagher for an extremely 
compelling presentation and for their hard bipartisan work on 
this legislation.
    I am kind of puzzled by the history of this, and I was 
hoping that Mr. Rogers might start off by clarifying some 
things for me. We got hit in 2014 with the massive cyber breach 
at OPM by China, and that caused massive damage to our country.
    In 2016, we experienced a sweeping and systematic cyber-
attack on our election by Vladimir Putin's Internet Research 
Agency that caused incalculable damage to our democracy and to 
social cohesion in the United States of America.
    Now, of course, in 2020, we have been caught totally 
unaware and seemingly unprepared for the coronavirus epidemic, 
which was denied and dismissed and trivialized and wrapped in 
magical thinking. And now we lead the world in case count and 
death count. While our European allies totally have the virus 
on the run, we are spiraling out of control.
    So, if everybody is responsible for something, nobody is 
responsible. And it seems overwhelmingly compelling and clear 
to me that the purpose of this legislation is absolutely right. 
We need someone who is coordinating our cyber defenses at a 
time when all of these weaknesses and vulnerabilities have been 
repeatedly demonstrated by different attacks.
    So, I guess my first question for you, Mr. Rogers, is why 
has it taken us so long to get to this point? What has slowed 
us down?
    Mr. Rogers. Oh, boy, that may be the million-dollar 
question, Congressman. When we went back and looked--think 
about this. The first time that China was publicly named as 
this increased actor in cyber intellectual property theft, even 
though we had known it was going on for years, was 2010.
    Why? Because the Bush Administration had said, oh, we 
can't. No way. Not disclosing it yet. Even the early days of 
the Obama Administration, they said it's too early. We've got 
to figure out a way around it. So, Dutch Ruppersberger and I at 
the time, we gave a pretty forceful argument about making this 
public. So, we've only been talking about it publicly for 10 
years, and I think the public is slowly coming around.
    Now there was a recent Gallup Poll I think last week that 
said 81 percent of Americans believe that there will be a 
cyber-attack of significance on the United States. We didn't 
have anything like that in 2010. People thought we were crazy. 
I mean, they didn't even understand what we were talking about. 
So, public opinion has been slow to catch up.
    I think we're in a very different place now. Public opinion 
is probably more with us now than it's ever been to try to 
defeat this thing. And remember, there is no system out there 
that is completely impenetrable, none. I mean, if it's 
connected to the Internet, you are vulnerable.
    So, any time we break up our efforts to try to do this, 
meaning if the NSA has one mission set and the FBI has another, 
and they're not talking to each other, guess what? That scene 
means somebody is going to win, and that happens in private 
sector, it happens in local and state government, and it 
happens in the Federal Government.
    And if you look at what the Chinese were able to do, this 
was very typical in the OMB breach, a typical espionage 
activity where they're going to take I think it was--I forget 
what the number is now--17 million records of SF-86, right, the 
very sensitive information to get a clearance. I got a letter 
saying mine was breached. All of that information was taken 
back, and think about what they're doing now with their ability 
through AI algorithms to collate that data and find out people 
that they're interested in spying on.
    Either you're with the Government and have a 
classification, or you've moved on to the defense realm and 
have a classification. That was, unfortunately, a brilliant 
government espionage activity. So, we have to--we really have 
to change the way we think about these threats. They are 
looking at----
    Mr. Raskin. Can I followup with you just for 1 second?
    Mr. Rogers. Yes.
    Mr. Raskin. I have got time for maybe one more question. I 
mean, what is terrifying to me is that our failed response to 
the coronavirus pandemic has exposed a lot of vulnerabilities 
to foreign governments that may mean to do us harm, and they 
may figure we don't have the governmental preparedness, we 
don't have the social cohesion to respond to a massive threat 
on our infrastructure.
    So, if you would just put this in a geopolitical 
competitive context, what is the imperative here to act now?
    Mr. Rogers. Well, I think that's two conversations. One is 
on the supply chain and security of the supply chain.
    Chairwoman Maloney. The gentleman's time has expired, but 
the witness may answer the question. Answer the question.
    Mr. Rogers. Whoops. Security is, I think, a very important 
discussion Congress is going to have to weigh in on. I wouldn't 
kill international trade, but I would protect our ability to 
surge on critical items.
    Second, the other reason on this is that these nation-
states, our big adversaries, have refocused their efforts. 
Remember the quote I used from Gerasimov in Russia? They've 
realized I don't need to build an aircraft carrier. I'm going 
to invest in cyber operations. If I can shut down their 
electricity or I can cause distrust of the American people with 
their government, we win. It has an outsized impact on what 
they're trying to do.
    And all of them have stepped up their game. Russia, China, 
Iran, North Korea, others. That's why, to me, this is so 
important.
    And candidly, we're in a cyber war today. Most people don't 
realize it. And folks who say it's not really a war, I don't--I 
disagree. They are causing destruction, disruption, and adding 
chaos. I don't know what else you call it. And we need to act 
that way, and I think we ought to have one focus on this so 
that we can coordinate all the good activities around the 
Government and focus--don't expand Government--focus it on the 
solution.
    Mr. Raskin. Thank you, Madam Chair.
    Ms. Spaulding. If I could just very quickly? The other 
lesson from the pandemic, of course, is the--is what happens if 
we don't have strong coordination and a coherent response in a 
crisis.
    Chairwoman Maloney. Thank you. Mr. Grothman? Mr. Grothman?
    [Pause.]
    Chairwoman Maloney. Congressman Grothman, are you there?
    Mr. Grothman. Can you hear me? Yep, can you hear me? Can 
you hear me?
    Chairwoman Maloney. Yes. Yes.
    [Pause.]
    Chairwoman Maloney. Unmute. Unmute. Can you unmute?
    Mr. Grothman. Can you hear me now?
    Chairwoman Maloney. I can hear you now.
    Mr. Grothman. OK. OK, I have a question here. First 
question is when we confront China or Russia about this, what 
do they say? You know, what is their response when we bring 
this up to them?
    Mr. Daniel. Well, Congressman, I can--having engaged them 
on this topic directly, I can tell you that most of the time, 
of course, they deny it. And they say that----
    Mr. Grothman. And we never catch them red-handed, either 
them or China?
    Mr. Daniel. Oh, of course. And you know, naturally, they 
deny it, and they will--at most, they would say it must be--we 
must be mistaken, and could we please provide them all of the 
detailed evidence for how we, you know, found that out so we 
could expose our intelligence methods to them so they could 
prevent us from doing it in the future. And you know, then at 
most they might say it's some sort of rogue element that they 
weren't really in control of, and it wasn't really them.
    They, of course, never will accept responsibility for doing 
that. That said, we have engaged with them in other ways to try 
to push forward and push back on their activity.
    Mr. Grothman. That is fine. Now I have a question for Ms. 
Spaulding. We asked this earlier, how a major cyber incident 
proceeds through the Government. I want to kind of expand a 
little bit on that. I want to know step by step, based on your 
experience, what happens when an incident is reported by either 
the private sector or a Government agency?
    You know, what happens from discovery to response? Kind of 
walk me through the U.S. Cyber Command authorities that are 
triggered, and how would this change if we got a National Cyber 
Director?
    Ms. Spaulding. Thank you, Congressman.
    As Michael Daniel explained, some of it depends on how this 
information first comes into the Government. So, it might come 
in first to the NCCIC, which is the National Cybersecurity 
Communications Integration Center, or the ops center, at the 
Department of Homeland Security. We would often get reports, 
usually from private sector companies, that they are seeing 
malicious activity. But it's equally likely to come into the 
FBI, for example.
    And then the players, the DHS, the CISA, the Bureau--FBI--
and usually the NSA would get on the phone together, though 
there are often reps sitting at the ops center at DHS. But the 
information would be shared.
    And then a decision has to be made very quickly, depending 
on the nature of the event and if the Government is going to 
step in, on what is most important. Do we go first--and 
sometimes you will try as you can to do these at the same time, 
but you often have to prioritize. Are we going to try to go in 
and mitigate the problem, address the malicious cyber activity 
and the damage that's being done to that private sector 
business, for example? Or are we going to put our priority on 
getting law enforcement in there to do attribution, to figure 
out who's behind this?
    And both of those are legitimate equities, but sometimes 
they can't both happen at once. So, conversations ensue to 
determine how to prioritize that.
    The advantage that a National Cyber Director can bring to 
bear on this, obviously, is to deconflict those competing 
equities quickly. Time is of the essence to make sure that we 
can get in there and do what is most important first, even as 
we're trying to accomplish all of the other equities.
    Mr. Grothman. Thank you. Next question.
    One of you mentioned, you know, you talked about Russia and 
China, North Korea and Iran, and then you said ``other 
countries,'' one of you. Can you expand what other countries we 
have to worry about other than those four?
    Does anybody want to take it?
    Mr. Rogers. Yes, I mean, I can take it, take a shot at 
that.
    Mr. Grothman. One of you said there was more than the four, 
so I just ask.
    Mr. Rogers. There are--there are countries who are engaged 
in ramping up their cyber capabilities that might not be 
friendly to the United States. I think Belarus comes to mind. 
Leaked nation-state capability from Russia into former Eastern 
Bloc criminal organizations perform like a state. They may not 
look like a state, but they perform like a state when it comes 
in cyberspace.
    And there are other countries that are probably best not 
discussed in an open forum that some aren't very friendly 
countries, and you would----
    Mr. Grothman. OK. We won't discuss them, if you don't want 
to discuss them.
    Next question. One of you said they were involved in this 
George Floyd incident, that some of our enemies were involved 
in that. Could you expand on that?
    Mr. Jaffer. It was me, Congressman. What we've seen is 
we've seen some reporting that the Chinese--you know, you saw 
the Chinese Foreign Ministry from the platform in open setting 
refer to the plight of black Americans. Obviously, we know the 
Chinese don't actually care about black Americans. They are 
interning a million Muslims in the Xinjiang Province. So, we 
know that these people actually don't care. It's an effort to 
influence our own--our own discussions here in the United 
States.
    We know what they're doing overtly. We have seen them 
operate covertly in very similar related spaces, and we have 
every reason to believe that both they and the Russians, having 
watched the Russians do it successfully in our 2016 elections, 
are involved in this effort. They're essentially gaslighting 
these debates, playing both sides----
    Mr. Grothman. Could you give us a specific example? Could 
you give us a specific example?
    Mr. Jaffer. So, I don't--I don't know that we've seen sort 
of, you know, point-on-point examples, but I would bet dime to 
dollars that in the next six months we will see very specific 
examples coming out of Facebook, Twitter, and the like. I can't 
prove it to you right now today, sir, but I'd put my--I'd put 
my life on it.
    Mr. Grothman. OK.
    Chairwoman Maloney. The gentleman's time has expired, and 
now----
    Mr. Grothman. Thank you much.
    Chairwoman Maloney.--Congressman Rouda is recognized.
    Mr. Rouda. Madam Chair, did you recognize me?
    Chairwoman Maloney. Yes, I did.
    Mr. Rouda. Thank you, too. I apologize. I did not hear you. 
But thank you, Madam Chairwoman, for convening this hearing, 
and I would also like to thank the commission for their 
detailed report.
    And I want to focus on one key area that had been 
previously discussed, but I would like to dig in a little bit 
deeper, and it is about the loss of hundreds of billions of 
dollars in intellectual property theft to nation-state 
sponsored cyber espionage. Obviously, the chief country 
responsible for that cyber IP theft has been China.
    We know China actively works with both state-owned and 
civilian corporations and universities to steal IP from foreign 
sources, including the United States. And according to a 2018 
report released by the United States Trade Representative, 
theft of U.S. intellectual property by China cost our economy 
up to $600 billion a year. Let me repeat that, $600 billion a 
year.
    The long-term damage of these losses, however, simply 
cannot be fully quantified. So, Ms. Spaulding, let me turn to 
you first. In developing your recommendations for the National 
Cyber Director, did the commission structure the role and its 
office with this persistent problem in mind, and can you 
provide any specifics as to how the Director would address this 
issue?
    Ms. Spaulding. Yes, absolutely, we did. And the situation 
that you've described really is addressed by a number of 
recommendations in the report. The private sector and the 
Government both have a critical role to play in stopping this 
theft of intellectual property, and it requires a true 
collaboration.
    We need to--we are the ones in Government that have the 
national technical means and the exquisite intelligence 
capabilities to collect information about what nation-states 
like China are engaged in and the kind of tactics and 
techniques that they're using, as does the private sector 
research community. The private sector businesses that are--
that are developing this intellectual property are in the best 
position to defend their networks, armed with information from 
the Government.
    So, we have a number of recommendations to make sure that 
we are--that the Government is obligated to get that 
information to those private sector companies, and the National 
Cyber Director will have a key role in making sure that that's 
happening. That has to be part of the metrics, right, that is 
evaluated by this National Cyber Director.
    We need to have proactive plans, strategies for addressing 
this, and that planning capability across the interagency has 
been lacking. That is another key role for this National Cyber 
Director, largely using the joint planning organization at 
CISA.
    Mr. Rouda. Thank you. Chairman Rogers, you have talked 
about how long America has been struggling to protect its IP. 
Virtually every administration deals with this issue, has dealt 
with this issue, and candidly, we have not been successful. Do 
you envision this bill would finally allow us to successfully 
defend and protect our IP?
    Mr. Rogers. I think it would put us in a better position. I 
would hate to say ``finally.'' I think this is something we're 
going to have to continue to invent a better way to defend 
ourselves as we get into 5G and what that means for pushing 
what we use to defend the core out to the edge of a 5G network, 
quantum, AI. All of that is going to change the way we look at 
security.
    So, I think it gives us the best possibility to take all 
these new challenges and bring everyone in the Federal 
enterprise up to snuff. Everybody keeps talking about that one 
incident. We want to prevent that incident.
    And here is the other piece, and I agree with Ms. Spaulding 
on everything she said. I would argue if you look at the recent 
level of arrests by the FBI for Chinese espionage in the United 
States, the number--the interesting high level of taskings for 
those assets, those spies targeting America or American 
enterprise, is to steal credentials to get around firewalls so 
they can steal more information.
    It's really interesting. The nature of espionage is 
changing dramatically. They don't want you to just steal the 
secrets. They figure that's probably maybe too hard to do. They 
want you to steal the guy next to you's credentials to get into 
the network so that they can be passed back for a more 
sophisticated penetration of your network. That's what makes 
this----
    Mr. Rouda. Thank you.
    Mr. Rogers. Yes, this is what really makes it hard to put 
your arms around.
    Mr. Rouda. One last question for Mr. Jaffer. Is there a 
concern that if we, as a country, are unsuccessful at providing 
appropriate protection that we could see companies move their 
IP and businesses to foreign countries that do provide 
protection?
    Mr. Jaffer. Thank you, Congressman.
    Look, I think that there are so many benefits to being an 
American company, whether it's our labor laws or our tax 
policies or our investment base, that it's unlikely to see a 
tremendous flood of intellectual property that comes out of the 
United States. That being said, we have to recognize this is 
the core of our innovation base in this country. We have moved 
to an innovation economy.
    If we allow it to walk out the backdoor, whether to China 
or anywhere else, we are undermining the capability of our 
economy to survive and make it to the next stage. So, even as 
we think about rehoming American technology and bringing some 
of those jobs back here and starting to build stuff here, we've 
got to protect that core thing that makes America so productive 
as a country, which is that innovation, that ability to invent 
and reinvent and modify ourselves over time. If that walks out 
the backdoor, we've got nothing.
    Mr. Rouda. Thank you. I yield back, Chairwoman.
    Chairwoman Maloney. The gentleman's time has expired. 
Representative Ro Khanna is now recognized. Ro Khanna, are you 
with us?
    Mr. Khanna. Yes, I am. Thank you, Madam Chair.
    I appreciate and want to just thank Representative Langevin 
and Representative Gallagher for their extraordinary work in 
helping come up with such a detailed proposal and their work 
with the commission on a bipartisan basis. I know in particular 
Representative Langevin has been working on this for many, many 
years, and this is a passion of his that he has talked about 
often. So, I am glad to see it come to fruition.
    Let me ask the panel, are there additional authorities that 
you think the National Cyber Director should have?
    Mr. Daniel. Well, certainly, Representative, I think that 
it is important that as we structure this position that we make 
sure that it not be just restricted to looking at network 
defense. It's got to be able to have the full suite of 
capabilities that the Federal Government can bring to bear.
    So, including military operations and intelligence and the 
law enforcement and all the way across the board. We cannot 
just restrict this position to looking at the kinds of things 
that CISA already does. Chris Krebs does not need another boss. 
You know, he's got one in the Secretary of Homeland Security. 
This really has to be able to look across the entire Federal 
Government and all of the tools of national power that we have.
    Ms. Spaulding. And if I might, Congressman? I totally agree 
with Michael on this point, and I think the distinction here is 
between having visibility. The National Cyber Director has to 
have visibility across the entire Government cybersecurity 
activities in order to make sure and deconflict even between 
offensive and defensive operations.
    That's different from giving the National Cyber Director 
directive authority, right? You don't want law enforcement 
activities being directed out of the White House, for example.
    Mr. Khanna. No.
    Ms. Spaulding. And you don't want this Director either in 
the way of warfighting plans or daily intelligence collection, 
those kinds of activities. But it's critical that they not be 
excluded from the meetings and the conversations at the White 
House where these offensive, for example, activities are being 
discussed and that they have visibility.
    Because they need to be able to deconflict. They can never 
deconflict in this way, and I'll give you an example. Let's say 
our banks are fending off--they're in the middle of fending off 
lots of malicious activity from North Korea trying to steal 
money from their system. That might not be--in the midst of 
that crisis might not be the best time to ask the banks to 
impose sanctions, to implement sanctions to implement--new 
sanctions against Iran because we know Iran retaliated in the 
past against our banks with malicious cyber activity.
    So, that kind of deconfliction is something that the 
National Cyber Director needs to be at the table to help with.
    Mr. Khanna. Right. Thank you. And are there additional 
cybersecurity recommendations that you think we should be 
considering, including for many that the Solarium Commission 
report came up with?
    Mr. Jaffer. Yes, I think, Congressman, there are a couple 
of really important ones, in particular the ones that revolve 
around collective defense like establishing a joint 
collaborative environment where both NSA and DHS can come 
together and share classified and unclassified information and 
then share that in real time at meetings with industry. That 
was something we've been talking about forever.
    Information sharing isn't enough, though. You've got to 
collaborate in real time. That's something that the commission 
was very focused on, too. I think that part of the report is 
really critical. I think more work could be done there, and the 
commission has got some great recommendations in that space, as 
well as on continuity of the economy and a variety of other 
areas. The critical infrastructure entities also, I think some 
good recommendations there from the commission.
    Mr. Rogers. I 100 percent agree. Just a couple of things 
that we just haven't talked about. The interim, the brush-
cleaning that we can do to make us more competitive would be 
huge. Congress needs to pay attention. Chairman Pai has done 
the spectrum clearing. Outrageously important if we're going to 
compete in 5G and push back on Chinese expansion there.
    Rip and replace. We have lots of gear around the country, 
and I know people want to beat on them for it. It was legal at 
one point. There's lots of great effort in Congress today about 
how do we get rid of that? It does two things. Helps our own 
infrastructure ecosystem, people who are trusted vendors, to do 
that, No. 1. And No. 2, it gets out Huawei gear much, much 
quicker.
    Those are kinds of things that we can do almost immediately 
that are in the process that you're all dealing with now that 
would have a huge advantage for us, putting us in a competitive 
position to do all the things that my other panelists just 
talked about.
    Mr. Yoran. As Suzanne Spaulding said, each organization, 
each enterprise, each company is in the best position to defend 
themselves. They understand which of their systems are most 
critical and represent the greatest risk.
    There are opportunities, and I think some of the 
recommendations of the commission, things like increasing 
transparency, having the interpretation by the SEC requiring an 
attestation from public company CEOs not on the level of 
security they have, but just the fact that they've looked at 
their cyber risk and that they are adequately or proactively 
managing cyber risk associated with their business.
    When you get things like that in place, you will have--you 
will increase the level of hygiene, increase the level of 
attention. It will increase each enterprise's ability to defend 
themselves, and the amount of noise and the amount of economic 
loss will go way down. It's probably the single greatest move 
that we can do as a nation to improve our cyber resilience and 
preparedness.
    Mr. Khanna. I appreciate all of your expert testimony. I 
just want to thank again Representative Langevin and Gallagher. 
Representative Gallagher had come out to my district, and I 
remember at Stanford they were talking about a ``cyber Pearl 
Harbor'' as the big fear. So, many of the companies have talked 
about how we shouldn't have every company in this country 
required to have basically private armies to safeguard 
ourselves. We need a national response.
    So, I certainly will be supporting this legislation and 
appreciate everyone who helped put it together.
    Chairwoman Maloney. Thank you. And Representative Sarbanes, 
you are recognized. Representative John Sarbanes?
    Mr. Sarbanes. Thanks very much, Madam Chair. Can you hear 
me?
    Chairwoman Maloney. Yes.
    Mr. Sarbanes. Excellent. Well, I appreciate the panel. I 
certainly want to thank my colleagues, Congressman Langevin and 
Congressman Gallagher, not just for their testimony this 
morning, but for their efforts on this proposal, which I 
support very strongly.
    I want to welcome back Chairman Rogers and thank the rest 
of the panelists for their testimony.
    Obviously, one key responsibility of the National Cyber 
Director is establishing and implementing a National Cyber 
Strategy. In 2018, the Trump administration released a National 
Cyber Strategy that aims to ``integrate cyber into all elements 
of national power.''
    Chairman Rogers, could you speak to how the 2018 National 
Cyber Strategy has been successful or not successful in that 
goal, and how would the National Cyber Strategy that is 
required by this bill that we are talking about today be 
different from that? So, could you maybe compare and contrast 
those a little bit for us?
    Mr. Rogers. I think what that strategy was meant to do in 
2018 for sure was bring us to a better place about coordination 
and understanding that our adversaries are using all the 
nation-state power they can bring to bear. So, diplomacy, 
military defense, intelligence, cyber, and kind of using that 
capability--oh, and economic. The most--I argue probably the 
most important.
    So, we know that China steals economic data to try to 
influence its trade negotiations as an example. So, they're 
using cyber and intelligence as a way to influence all of those 
pressure points that a government has to bring to bear on a 
country, and it's my understanding that that 2018 rule was to 
say, OK, we're finally getting to understand that it is multi-
domain, right?
    We tend to separate diplomacy and the economy to a great 
degree in this country. So, how do we try not to do that? How 
do we have everybody rowing the boat in the same direction, 
understanding our adversaries are using that against us? I 
think that's what they were trying to do.
    I think it's still a work in progress. And a part of that, 
by the way, we debated when I was chairman, and prior to me 
being chairman--and Mr. Langevin can comment on this as well, 
and certainly, Jamil was part of those discussions as well--
about what is offensive cyber? Are we allowed to protect 
ourselves if we know they're going to shoot at us in 
cyberspace?
    And I have seen lots of folks say we've solved that 
question over the last 15 years. I don't believe we have yet 
today solved that question. We had a piecemeal policy, and I 
think that 2018 policy was trying to say is we're going to, 
again, use all the nation-state groups of power that I know our 
adversaries are using and then try to understand what tools in 
our toolkit do we have?
    And I'm not saying every cyber-attack should be--you know, 
we should have another cyber-attack back. I'm not saying that 
at all. But we really didn't, and I don't think still to this 
day have, a good definition of what we can do to prevent, you 
know?
    And I've heard the terms go through the years. Now we call 
it aggressive defense. OK, whatever we want to call it, but we 
need to understand what that is.
    Mr. Sarbanes. Yes. I'm interpreting you to say that the 
administration's strategy released back in 1918 was heading in 
the direction that now this Cyber Director with the strategy 
required under 7331 takes to a new and better and more 
coordinated and more structural place.
    One key difference of the role as envisioned by this bill 
is that the position would be empowered with new statutory 
authority to monitor implementation across the Federal 
Government in terms of strategy, which would include 
recommending changes to OMB regarding agency organization, 
personnel, resource allocation. I think that makes a lot of 
sense. As well as certifying that the annual budget proposal 
for each Federal department or agency is consistent with the 
strategy. Again, that makes a lot of sense in terms of 
coordination.
    Mr. Daniel, I understand you spent 17 years at OMB before 
assuming the cybersecurity coordinator role. Do you think it is 
important for the National Cyber Director to have this 
statutory authority, and how do you think the relationship with 
OMB would actually work in practice?
    Mr. Daniel. Yes, sir. Thank you.
    I think that it is critically important that the office 
have a very good understanding of the budget and be empowered 
to actually work in that budget process. A former OMB Director 
once said, ``Policy without resources is a hallucination.'' So, 
you know, clearly, the ability to influence and shape how we 
allocate resources is absolutely critically important.
    As a practical matter, I think what you would want to see 
is very close collaboration between any staff associated with 
this office and the program, the line program examiners at OMB. 
OMB is at its most effective when it works very closely across 
the entire White House complex with NSC, with OSTP, with ONDCP, 
any of those White House elements, to make sure that the 
budgets support the President's policies.
    So, you might even imagine a situation where you have 
program examiners from OMB detailed over to this office to help 
provide that connectivity and that reach-back, and you would 
want them working hand-in-glove with each other to shape that 
President's budget. So, that's why I think having this lever of 
the--having a lever like that statutory authority that's in 
7331 would be very, very helpful to the position.
    Mr. Sarbanes. Thanks very much. I yield back.
    Chairwoman Maloney. The gentleman's time has expired. I now 
yield to Katie Porter. Representative Porter?
    Ms. Porter. Hi. Thank you, Madam Chair.
    Under H.R. 7331, the first duty listed for the National 
Cyber Director is serving as the principal adviser to the 
President on cybersecurity strategy and policy. Mr. Daniel, 
having essentially worked to achieve many of those functions 
yourself, can you give me any concrete examples of how having a 
principal cybersecurity adviser was essential to the 
President's work and why it is important to formalize that 
role, as proposed in the bill?
    Mr. Daniel. Yes, thank you, Representative Porter.
    I think that when you look at an issue like cybersecurity 
that is so cross-cutting, that affects so many different policy 
areas, from national security policy to our economic policy, 
you want the President to have an adviser who focuses on this 
issue as part of her time. You know, the main thing that they 
focus on every day because it pervades so many of our policy 
issues now.
    So, if you're trying to decide what the U.S. policy should 
be on everything from 5G to relations with China to how we're 
dealing with the Middle East, cyber shoots through all of those 
things. And so you want to be able to have the President be 
able to draw upon somebody with expertise in those areas that 
can bring that cyber perspective to those issues so that you 
make a decision knowing what the effects on our cybersecurity 
might be, for good or for ill.
    Sometimes you're going to make decisions that maybe have a 
negative effect on that for a greater positive gain somewhere 
else, but you do that with full knowledge and not by accident. 
And that's why it's so critically important that a senior 
adviser in the White House focus on this issue, just given its 
breadth across so many different policy areas now.
    Ms. Porter. Yes, I appreciate your flagging the importance 
of expertise in this cybersecurity role, and I want to ask some 
more questions about how Senate confirmation would help us 
assure that.
    Mr. Jaffer, do you remember anyone who the President 
appointed as one of his cybersecurity advisers when he took 
office in 2017?
    Mr. Jaffer. Yes, sure. Rob Joyce, obviously, was an 
excellent appointee, and Tom Bossert, who Rob worked with, was 
also an excellent appointee. Both very good on cyber.
    Ms. Porter. Yes, both very, very good, and I would agree 
with you about the importance of expertise. I think the 
President also appointed Mr. Giuliani, and I think like so many 
of us--and I think we are seeing this during work from home--
technology is frustrating and hard, and we are all struggling 
to get our level of expertise up to where it needs to be to be 
cybersecure.
    So, I completely relate to the fact that Mr. Giuliani, 
after being appointed one of the cybersecurity advisers, got 
frustrated with his iPhone and went into a public Apple store 
in San Francisco within a month of being appointed a principal 
cybersecurity adviser because he had entered his password wrong 
10 times and was locked out of his iPhone. I think this really 
indicates the gap between the rest of us, who are trying to do 
our very level best, and the need for a true expert at the very 
top of this.
    Would you agree with that?
    Mr. Jaffer. I completely agree. In fact, we're working on a 
program funded by the Hewlett Foundation at George Mason, where 
we're bringing technologists from around the country to D.C. to 
train them on how policy works so we can get more technologists 
talking to you about the problems that you have and challenges 
that you face in policymaking. I mean giving you real advice 
from people who actually do the work, the data scientists, the 
coders, and the like.
    So, you're exactly right. Having real--there's no 
substitute for having real experts in this area.
    Ms. Porter. Yes, thank you so much.
    Ms. Spaulding, I wanted to turn to you briefly and ask you, 
I know that H.R. 7331 would require the National Cyber Director 
position to be Senate-confirmed. Can you explain why the 
Solarium Commission made that recommendation, and whether you 
think--or how you would respond to concerns that that has the 
potential to create distrust between the President and the 
National Cyber Director, or do you think that concern is 
misplaced?
    Ms. Spaulding. Thank you, Congresswoman.
    Yes, you know, with respect to that latter question about 
the potential impact on trust in the National Cyber Director 
within the White House, I would point out that there are lots 
of Senate-confirmed, a number of Senate-confirmed positions 
within the White House, including the OMB Director. And I don't 
think anybody questions really the level of trust there with 
respect to that OMB Director.

    So, I don't think--I do think that concern is misplaced. 
And we talked a lot about whether--the pros and cons of having 
this person Senate-confirmed, and ultimately, the consensus 
was, yes, we should recommend Senate confirmation.

    I think it's critically important that Congress have 
effective oversight. And given the decentralized nature of 
cybersecurity, if Congress doesn't have really the ability to 
hold someone accountable and really to have somebody that they 
can turn to get a coordinated and coherent picture of what's 
happening, it's going to be very hard for Congress to do 
effective oversight. So, I think that's important. That Senate 
confirmation gives Congress a greater ability to conduct 
oversight of those activities.

    Ms. Porter. I really appreciate it, Ms. Spaulding, and I 
think it's important to note that that's bipartisan oversight 
that Congress would be conducting. So, unfortunately, my time 
has expired. So, I yield back.

    But thank you so much.

    Chairwoman Maloney. Thank you. The gentlelady yields back.

    Representative Comer, would you like to ask an additional 
question or make a closing comment? Representative Comer?

    Mr. Comer. I think that just to wrap it up, I want to thank 
the witnesses again for their testimony. This is certainly an 
issue that is bipartisan that we all care about when we are 
talking about cybersecurity. But the question that many of my 
colleagues have is whether we want to create another Government 
bureaucracy and what is the total cost going to be? And how is 
this bureaucracy going to be able to work with the 
administration, whichever administration that would be moving 
forward?

    So, I do think this was very helpful. I appreciate the 
conversation, appreciate the questions.

    Again, Madam Chair, with all due respect, I hope that we 
can focus on China. There is a huge demand across America to 
hold China accountable for not just COVID-19, but also the 
cybersecurity breaches that are at the hands of China. So, 
again, I would encourage future hearing with a sole focus on 
investigating China and determining a path forward to hold them 
accountable for their violations.

    But again, thank you for the hearing today, and with that, 
I yield back.

    Chairwoman Maloney. Thank you.

    Because this August marks 100 years of women's suffrage, I 
want to close with one final question. Mr. Yoran, your written 
testimony addresses the lack of diversity in the cybersecurity 
sector and how it contributes to the overall shortage of talent 
in the cybersecurity work force.

    For example, you point out that women make up just 14 
percent of the cybersecurity work force in North America. You 
say, ``The Nation needs a bold, new cyber work force strategy 
that develops and advances the ranks of people from all walks 
of life.''

    How would the Federal Government--my question is, how would 
the Federal Government's effort to promote diversity in the 
cyber work force benefit the private sector? And I mean more 
minorities, gender diversity. So, how would it benefit the 
private sector, more diversity?

    Mr. Yoran. Well, the most important thing when it comes to 
cybersecurity is recognizing the fact that what we're doing 
isn't getting the job done. We can't just have a continuation 
of the same mode of thinking, the same solutions, the same 
approach that we've used in years past to deal with the threats 
that continue to evolve. And as we deploy new technologies, 
they have new exposures and new vulnerabilities.

    So, we need experts to come from diverse backgrounds, and 
that certainly means people that are trained in the discipline 
of cyber, but diversity of thinking. People with diverse 
backgrounds--from minorities and other groups which are 
underrepresented in the cyber field and in the cyber domain.

    I think the Government has an opportunity and a 
responsibility to help promote the diversity of thinking and 
the diversity of talent available to the private sector. It 
will help us innovate faster, think outside the box, and 
outmaneuver our adversaries. So, there's a series of programs. 
Love to have a conversation with you about it in perhaps a 
followup.

    Chairwoman Maloney. Thank you. Ms. Spaulding, do you 
believe such an effort would advance innovation and give us a 
competitive edge globally?

    Ms. Spaulding. Absolutely, Chairman. I couldn't agree more 
with Amit's comments. And of course, the commission has a 
series of recommendations on building that cyber work force, 
including diversity.

    And I would say just from a very basic perspective from my 
time at DHS, and we see it, we have an urgent need to build the 
number of cyber-talented people that we bring--that we have 
available to come into the work force. We cannot afford to 
leave any part of our population on the sidelines of this 
effort.

    Chairwoman Maloney. Well, I agree with you. We can and must 
do more in this regard.

    I truly want to thank all of my colleagues for their 
participation, particularly Congressmen Langevin and Gallagher 
for their leadership, and all of our witnesses for your passion 
and your knowledge and all the information you gave us today. 
The creation of a National Cyber Director is not something any 
of us take lightly. After what we have heard here today, I 
think it is clear this is something we cannot afford to delay.

    I also want to thank all of my colleagues across the aisle 
particularly, for their questions and engagement. It is not 
every day that we can find areas of bipartisan consensus that--
and we have it here. We have to agree on our national security, 
protecting our innovation, and protecting our people. So, I 
look forward to working together to get this bill passed and on 
other items that were brought up today.

    Without objection, all Members have five legislative days 
within which to submit additional written questions for the 
witnesses to the chair, which will be forwarded to the 
witnesses for their response. I ask our witnesses to please 
respond as promptly as you are able to.
    And this hearing is adjourned. Thank you all.
    [Whereupon, at 3:11 p.m., the committee was adjourned.]

                                 [all]