[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                                     
 
                         [H.A.S.C. No. 116-88]

                     REVIEW OF THE RECOMMENDATIONS

                 OF THE CYBERSPACE SOLARIUM COMMISSION

                               __________

                                HEARING

                               BEFORE THE

   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              HEARING HELD

                             JULY 30, 2020

                                     





                            ______

             U.S. GOVERNMENT PUBLISHING OFFICE 
41-410               WASHINGTON : 2021 
                                     
  


   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES

               JAMES R. LANGEVIN, Rhode Island, Chairman

RICK LARSEN, Washington              ELISE M. STEFANIK, New York
JIM COOPER, Tennessee                SAM GRAVES, Missouri
TULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana
ANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas
RO KHANNA, California                AUSTIN SCOTT, Georgia
WILLIAM R. KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee
ANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin
CHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida
JASON CROW, Colorado, Vice Chair     DON BACON, Nebraska
ELISSA SLOTKIN, Michigan             JIM BANKS, Indiana
LORI TRAHAN, Massachusetts
                Josh Stiefel, Professional Staff Member
               Eric Snelgrove, Professional Staff Member
                         Caroline Kehrli, Clerk
                         
                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Chairman, Subcommittee on Intelligence and Emerging Threats and 
  Capabilities...................................................     1
Stefanik, Hon. Elise M., a Representative from New York, Ranking 
  Member, Subcommittee on Intelligence and Emerging Threats and 
  Capabilities...................................................     3

                               WITNESSES

Cilluffo, Frank, Commissioner, Cyberspace Solarium Commission....    11
Gallagher, Hon. Mike, Chairman, Cyberspace Solarium Commission...     7
King, Hon. Angus, Chairman, Cyberspace Solarium Commission.......     5
Murphy, Hon. Patrick, Commissioner, Cyberspace Solarium 
  Commission.....................................................     8

                                APPENDIX

Prepared Statements:

    King, Hon. Angus, joint with Hon. Mike Gallagher, Hon. 
      Patrick Murphy, and Frank Cilluffo.........................    34
    Langevin, Hon. James R.......................................    29
    Stefanik, Hon. Elise M.......................................    32

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    Ms. Houlahan.................................................    49
      

  REVIEW OF THE RECOMMENDATIONS OF THE CYBERSPACE SOLARIUM COMMISSION

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
     Subcommittee on Intelligence and Emerging Threats and 
                                              Capabilities,
                           Washington, DC, Thursday, July 30, 2020.
    The subcommittee met, pursuant to call, at 1:01 p.m., in 
room 2118, Rayburn House Office Building, Hon. James R. 
Langevin (chairman of the subcommittee) presiding.

 OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE 
 FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND 
               EMERGING THREATS AND CAPABILITIES

    Mr. Langevin. The subcommittee will come to order.
    I would like to begin by welcoming the members who are 
joining the hearing remotely.
    Just a bit of housekeeping before we get into the actual 
hearing itself.
    To those members--those members are reminded that they must 
be visible on screen within the software platform for the 
purposes of identity verification when joining the proceeding, 
establishing and maintaining a quorum, participating in the 
proceeding, and voting. Members participating remotely must 
continue to use the software platform's video function while 
attending the proceedings, unless they experience connectivity 
issues or other technical problems that render the member 
unable to fully participate on camera. If a member who is 
participating remotely experiences technical difficulties, 
please contact the committee staff for assistance, and they 
will help you get recognized.
    When recognized, video of remotely attending members' 
participation will be broadcast in the room and via television 
internet feeds. Members participating remotely are asked to 
mute their microphone when they are not speaking. Members 
participating remotely will be recognized normally for asking 
their questions--for asking questions, but if they want to 
speak at another time, they must seek recognition verbally. In 
all cases, members are reminded to unmute their microphone 
prior to speaking.
    Members should be aware that there is a slight lag of a few 
seconds between the time you start speaking and the camera shot 
switching to you.
    Members who are participating remotely are reminded to keep 
the software platform's video function on for the entirety of 
the time they attend the proceeding. Those members may leave 
and rejoin the proceeding. If members depart for a short period 
for reasons other than joining a different proceeding, they 
should leave the video function on. If members will be absent 
for a significant period or depart to join a different 
proceeding, they should exit the software platform entirely and 
then rejoin if they return.
    Members are also advised that I designated a committee 
staff member to, if necessary, mute unrecognized members' 
microphones to cancel any inadvertent background noise that may 
disrupt the proceeding. Members may use the software platform's 
chat feature to communicate with staff regarding technical or 
logistical support issues only.
    Finally, remotely participating members should see a 5-
minute countdown clock on the software platform's display, but, 
if necessary, I will remind members when their time is up.
    So, with the logistics verified, I will want to begin by 
welcoming everyone to today's hearing on the findings of the 
Cyberspace Solarium Commission, a congressionally mandated 
commission created in the fiscal year 2019 NDAA [National 
Defense Authorization Act] that was charged with developing a 
consensus on a strategic approach to defending the United 
States in cyberspace against cyber attacks of significant 
consequence.
    Inspired by Project Solarium, a task force assembled by 
President Eisenhower in the early 1950s, the Solarium 
Commission brought together representatives from academia and 
the private sector with representatives of the executive branch 
and legislative branches.
    In the spirit of transparency, I want to make clear that I 
had the distinct privilege of being selected by Speaker Nancy 
Pelosi to serve as one of the four elected Members of Congress 
to serve as a commissioner and one of two from the House of 
Representatives, along with our distinguished subcommittee 
colleague, Congressman Mike Gallagher, who is appearing as a 
witness before us today.
    Mr. Gallagher, along with Senator King, the junior Senator 
from Maine, who also is a member of the Senate Armed Services 
Committee and the Senate Intelligence Committee, is also with us 
today. They serve as co-chairs of the Commission, and I am very 
proud to call them both colleagues and friends.
    This subcommittee, more than most, has heard from numerous 
individuals on the centrality of cyberspace to our modern 
lives. The novelty of the Solarium's work and its findings is 
in examining how to secure cyberspace with an emphasis on a 
whole-of-government approach. Congress is methodical in its 
views of jurisdiction, and we are often too focused on viewing 
our oversight responsibilities exclusively through the lens of 
committee jurisdictions.
    What the Solarium Commission has presented in its final 
report, completed on March 11th of this year, is a blueprint 
for legislative and executive actions that force the country to 
break apart the institutional stovepipes.
    In this respect, I see the findings of the Solarium 
Commission as being similar to those of the 9/11 Commission, in 
that both bodies recognized government silos that had been 
artificially constructed and harmed the national approach to 
addressing cross-cutting issues. Whereas the 9/11 Commission 
applied this to the problem of terrorism, Solarium applies it 
to cyberspace.
    The Commission's recommendations have resulted in more than 
20 provisions in this year's National Defense Authorization 
Act, passed just last week by the House of Representatives. In 
that one bill, this chamber was able to address matters as 
diverse as Reserve support for military cyber operations to the 
cyber insurance marketplace to the establishment of a Senate-
confirmed national cyber director.
    While we obviously have more work to do, I am proud of the 
NDAA--that the NDAA reflects the whole-of-government action 
called for by the Commission. I applaud the example set by our 
European partners in particular in approaching cyber in novel 
and holistic ways, as recent as today with the announcement of 
the first-ever cyber sanctions issue--issued--passed--that 
issued through the European Union against six individuals and 
three entities responsible for the WannaCry, NotPetya, and 
Operation Cloud Hopper attacks.
    This is going to be essential going forward in enforcing 
international norms, and this is a concrete step toward making 
sure that there are consequences to actions that violate norms 
in cyberspace on the international front.
    As I noted earlier, we have four witnesses appearing in 
front of the subcommittee today. In addition to the 
distinguished gentlemen from Wisconsin and Maine, we are also 
joined by two additional commissioners.
    The Honorable Patrick Murphy, a former member of the House 
of Representatives from Pennsylvania, is here today. 
Commissioner Murphy has served with distinction as an Acting 
Secretary and Under Secretary of the Army, is a former member 
of the House Armed Services Committee, and today continues his 
service as distinguished chair of innovation at the United 
States Military Academy. Commissioner Murphy was the first 
veteran of the war in Iraq to be elected to Congress.
    Finally, we have Commissioner Frank Cilluffo, who, in 
addition to his service with the Solarium Commission, serves as 
the director of Auburn University's McCrary Institute for Cyber 
and Critical Infrastructure Security. From 2001 to 2003, 
Commissioner Cilluffo served as special assistant to President 
Bush on Homeland Security, and then led the Center for Cyber 
and Homeland Security at George Washington University.
    So I welcome all of our witnesses here today. I thank them 
for their extraordinary work on the Cyber Solarium Commission. 
Your input and your insights were absolutely invaluable.
    Before we hear from our witnesses, I do want now--want to 
turn to Ranking Member Stefanik for her opening comments.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 29.]

STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW 
YORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING 
                    THREATS AND CAPABILITIES

    Ms. Stefanik. Thank you, Chairman Langevin.
    Welcome to our witnesses, Senator King, Congressman 
Gallagher, Congressman Murphy, and Mr. Cilluffo. It is great to 
have you before the subcommittee today. I thank you not only 
for your leadership and service to the Cyber Solarium 
Commission, but your long and distinguished records of public 
service to this country.
    And although you are not testifying today, I also want to 
thank Chairman Langevin for his service on the Commission as 
well, as all of the other commissioners who are not 
participating today.
    It is truly remarkable how much ground the Cyber Solarium 
was able to cover in such a brief period of time. In 11 short 
months, the Commission developed over 50 legislative proposals, 
22 of which were included in the House-passed version of the 
National Defense Authorization Act. This impressive commitment 
reflects the hard work of the commissioners and the staff, and 
also recognition that we must address these issues immediately.
    As is often the case, our Nation's strategy, policy, and 
laws trail the advent of new technology. This is especially 
true of many emerging disciplines, but none quite as 
consequential as cyberspace. The debilitating cyber attack on 
Estonia in 2007, the devastating Office of Personnel Management 
data breach in 2014, and the cyber attack on the city of 
Atlanta in 2018, all should have served as wake-up calls for 
the need of a comprehensive strategy to bolster our cyber 
defenses, to deter hostile action in cyberspace, and to build 
more resilient public and private cyber infrastructure.
    The threat actors in cyberspace are as diverse as the tools 
and tradecraft they employ to infiltrate and attack our 
networks. And while we must maintain a flexible and adaptable 
approach to meet the evolving threat, we must also communicate 
an unequivocal position that demonstrates our willingness to 
defend the United States in cyberspace and impose costs on our 
adversaries if and when deterrence fails.
    I firmly believe we must simultaneously strengthen our 
cyber defenses and demonstrate our unwavering resolve to 
challenge our adversaries in cyberspace. I appreciate the 
Commission's recognition of this as well. Deterrence alone is 
not sufficient, especially with the challenges of timely 
attribution and the notional fog of war in cyberspace. The 
United States must proactively take steps to increase the 
resilience of our networks and our Nation's critical 
infrastructure. This task is not one that the Federal 
Government can take on alone. Any effort to bolster our 
cybersecurity must be done in partnership with the private 
sector, our cities and States, and our critical infrastructure 
operators.
    The Commission's recommendations that were included in the 
NDAA address this reality. Accountability, information sharing, 
collaboration, and more timely response and mitigation to cyber 
incidents are all critical attributes that we must reinforce 
and strengthen.
    While the Commission is coming to an end, the work is not 
done. We have a long road ahead to see through conference and 
fully implement these changes. I look forward to ensuring the 
Cyber Solarium's recommendations are translated into concrete 
policy action.
    We have a lot to talk about today, so thank you to our 
witnesses, and I yield back.
    [The prepared statement of Ms. Stefanik can be found in the 
Appendix on page 32.]
    Mr. Langevin. I want to thank the ranking member for those 
comments.
    And before we turn to our witnesses, I would be remiss if I 
didn't acknowledge the extraordinary work of the staff of the 
Cyberspace Solarium Commission, starting with Mark Montgomery 
and the entire team that he assembled that serve the Commission 
so well. And I also want to, of course, mention on my own 
staff, my legislative director, Nick Leiserson, as well as on 
the committee staff, Josh Stiefel, for their subsequent work in 
seeing that the findings were put into action and getting them 
into the NDAA, but extraordinary effort all the way around. I 
can't say enough about the work of the entire staff, again, led 
by Mark Montgomery. We thank them for their contributions and 
their service.
    So, with that, we will turn to our witnesses now.
    Senator King, we will begin with you. The floor is now 
yours for any comments you may have.

  STATEMENT OF HON. ANGUS KING, CHAIRMAN, CYBERSPACE SOLARIUM 
                           COMMISSION

    Senator King. Well, thank you, Mr. Chairman. And thanks to 
the ranking member for those eloquent statements. You stated 
the case. I can save part of my remarks. I do have written 
remarks, which I would like to submit for the record if--
subject to your approval, Mr. Chairman.
    Mr. Langevin. Without objection, so ordered.
    Senator King. And I will have some informal remarks now.
    First, I want to thank this committee and thank the full 
committee for the work that you have already done on this 
critically important subject, the work that went into the 
National Defense Authorization Act that, of course, has now 
passed both Houses.
    Both bills from the Senate and the House have a number of 
our recommendations. They are not in 100 percent overlap, so 
there will be some work to do in conference, but we certainly 
have made a substantial start in really putting these 
recommendations--implementing the recommendations, because if 
it is just a report that sits on a shelf, it is not going to 
serve the public interests.
    Just a bit about the Commission. You talked about it, Mr. 
Chairman. There were 14 members. There were four Members of 
Congress, four members from the executive branch, and six from 
the private sector. Our work was entirely nonpartisan. There 
wasn't a moment of partisan discussion in the 30-plus meetings 
that we had. In fact, I couldn't tell you the partisan 
affiliations of pretty much anyone that was in the room, 
except, of course, the ones--the Members of Congress. And that 
was the spirit with which we approached this incredibly 
important problem.
    I don't really need to outline for this committee how 
serious this is. This is one of the, if not the most serious 
international relations problem that we face. The ranking 
member listed the attacks that we have already endured, and 
there will certainly be more to come.
    We are the most wired country in the world and, therefore, 
we are the most vulnerable country in the world. And as we have 
learned in the pandemic, something which strikes at our 
essential economy and government poses a grave danger to this 
country.
    So let me just give you a brief outline of how the work of 
the Solarium sort of breaks down. There are really three 
pieces. One is reorganization, one is resilience, and one is 
response.
    Reorganization means trying to develop a coherent structure 
in the United States Government so that we can respond to cyber 
threats and cyber attacks. The problem, as is often the case, 
is that the authority for cyber is scattered throughout the 
government. It is in the FBI [Federal Bureau of Investigation]. 
It is in Cyber Command. It is in CIA [Central Intelligence 
Agency], DHS [Department of Homeland Security]. It is in all 
areas of the government. So one of our primary focuses was on 
bringing some coherent organizational strategy to that silo 
problem which the chairman mentioned.
    The principal recommendation there is one that you have 
already adopted in your committee, which is the creation of a 
national cyber director to oversee and coordinate all of these 
various functions throughout the Federal Government.
    The second piece is resilience, which is building up our 
cyber defenses, and it goes from simple cyber hygiene to being 
just more secure in how we deal with the cloud, how we certify 
home routers and all of those kinds of things in order to be 
more resilient to make it less likely that an adversary will 
succeed.
    The third piece is response. How do we respond to a cyber 
attack and, more importantly, how do we notify potential 
adversaries that we will respond? And we will be talking about 
that. And all of these four--three pieces come into what is 
called a layered cyber deterrence.
    The intention is to shape behavior--we will be talking 
about that--in the international field of norms and standards. 
The second is to deny benefits. That is the resilience that I 
was talking about. And the third piece is impose costs.
    The truth is that we haven't done a very good job of 
imposing costs. We have become a cheap date in cyber. We can be 
attacked, as we were with the OPM [Office of Personnel 
Management] breach the ranking member mentioned, or other 
attacks on our democracy, and there is no real consequences. 
There are no real results. There is no cost paid by our 
adversary.
    We have got to make adversaries go through a cost 
calculation saying, well, if we do this, they might do this--
something else to us, and it may not be cyber. It may be 
sanctions. It may be other kinds of a response. But we have to 
establish that there will be a response. Otherwise, because 
cyber is a relatively cheap form of aggression, it will 
continue to happen.
    So that is the overall focus of our Commission. And I have 
to say, working with the two members from your subcommittee, 
Jim Langevin and Mike Gallagher, has been one of the great 
pleasures of my life. We have had a fantastic experience 
working together with the other 12 members of the Commission, 
really wrestling with some difficult issues, working hard, 
concentrating, and coming up with what we feel is a solid piece 
of work that will really help our country move forward in this 
critically important area.
    So I thank the subcommittee for your attention and look 
forward to the hearing.
    [The joint prepared statement of Senator King, 
Representative Gallagher, Mr. Murphy, and Mr. Cilluffo can be 
found in the Appendix on page 34.]
    Mr. Langevin. Very good. Thank you, Senator King, for those 
remarks, and, again, for your extraordinary leadership in co-
chairing the Cyber Solarium Commission and your commitment to 
public service. The citizens of Maine have chosen wisely in 
having you as their Senator.
    With that, let me now turn to our colleague on the House 
Armed Services Committee, the co-chair of the Cyberspace 
Solarium Commission, Chairman Mike Gallagher--Co-Chairman Mike 
Gallagher.

STATEMENT OF HON. MIKE GALLAGHER, CHAIRMAN, CYBERSPACE SOLARIUM 
                           COMMISSION

    Mr. Gallagher. Thank you, Chairman Langevin.
    Let me state at the outset that this is the most nervous I 
have ever been sitting in this room with all of you, but thank 
you, Chairman Langevin, for your leadership, and, particularly, 
you know, there was a 2-week stretch when NDAA was happening 
where I was not--I was out of commission because my wife had a 
baby, and Jim stepped up and really led the way in terms of 
making a forceful argument for a lot of our recommendations and 
getting them included in the NDAA, and really Project Solarium 
or the Cyberspace Solarium Commission represent the culmination 
of a lot of work that Jim has been doing for decades. And so it 
was an honor to work with you.
    Ranking Member Stefanik, thank you for your input into the 
report and all of your contributions in this space and your 
leadership.
    I too have an official written statement that I would like 
to submit for the record, if that is okay.
    Mr. Langevin. Sure. Without objection, so ordered.
    [The information referred to was not available at the time 
of printing.]
    Mr. Gallagher. And in an attempt to be brief, I will just 
say a few things.
    When I first approached then Speaker Paul Ryan and asked 
him to consider me for this Commission, I got about 10 seconds 
into my spiel, and I had printed out my journal article I wrote 
on the original Project Solarium, I was really proud of myself, 
when he cut me off and said, Mike, no one else has asked me to 
be on it, so if that holds, you will have the spot on the 
Commission.
    And I just bring that up to say I came into this not with a 
particular expertise on cybersecurity, but a desire to, if 
nothing else, to demystify a lot of what we talk about in 
cybersecurity, because while we all have an interest in the 
space, it is my experience that this can easily devolve into a 
complex discussion of technology and acronyms. And so I hope 
you will see reflected in the final report an attempt to speak 
in plain language, not only to each other and to the executive 
branch, but to the American people about the threats we face in 
cyberspace.
    And I also came with a desire to demystify a lot of what 
happened with the original Project Solarium. And by that I mean 
I think it is--we have this tendency to look back on the early 
days of the Cold War and think, well, we just had a bunch of 
like-minded people that were able to come together and agree on 
everything and join hands and sing kumbaya, and that is how we 
beat the Soviets and laid the foundation for successful 
containment.
    I don't believe that is the case. We had very vicious 
disagreements at that time. We went through multiple variants 
of containment, even within the Truman administration before we 
got to Eisenhower. But there was this persistent willingness to 
challenge each other in good faith to think through the 
unthinkable, think through the consequences of a nuclear 
exchange with the Soviets in order to ascertain what we needed 
to do to avoid that exchange.
    And I just want to highlight that, because I think, among 
the many recommendations in this report, one that I think is 
absolutely critical is a similar effort today that is needed to 
think through the unthinkable in cyberspace, think through the 
consequences of what a massive cyber attack on the United 
States would look like, what a so-called cyber 9/11 would look 
like, and that is why you see a lot of recommendations in here 
on why Congress should mandate the executive branch do 
continuity of the economy planning. So we think through how we 
can get the economy back up and moving when we are faced with 
such a significant cyber attack.
    And so I just wanted to highlight that, because I really 
think it gets to what was the genius at the heart of the 
original exercise, which really reflected Eisenhower's style of 
making decisions. He had this beautiful phrase where, you know, 
we always remember he said, you know, in times of war, the 
plans are nothing, but the planning is everything, and that is 
reflected.
    But he also said to his subordinates frequently when they 
are sitting around the National Security Council, there can be 
no nonconcurrence through silence. In other words, you had to 
speak up. You couldn't claim after the disaster that you 
actually had the right answer the whole time but you failed to 
share it with your colleagues. And, similarly, we have tried 
not to suppress disagreement in this report but to surface it 
and, if nothing else, provoke a more thoughtful debate among 
our colleagues.
    So I thank you for your attention, I thank you for your 
engagement, and I thank you for your pushback on our findings. 
And I yield the rest of my time.
    Mr. Langevin. Thank you, Chairman Gallagher.
    The chair now recognizes Commissioner Patrick Murphy for 
his opening comments.

  STATEMENT OF HON. PATRICK MURPHY, COMMISSIONER, CYBERSPACE 
                      SOLARIUM COMMISSION

    Mr. Murphy. Thank you, Mr. Chairman, and thank you, 
Representative Ranking Member Stefanik. I do have written 
opening testimony that is brief. If it is okay, I would like to 
submit it for the record.
    Mr. Langevin. So ordered, without objection.
    [The information referred to was not available at the time 
of printing.]
    Mr. Murphy. Terrific. And to my other commissioners, thank 
you so much.
    You know, today is a great day to be back in the House 
Armed Services Committee, where I used to serve, and I am 
honored to testify today along with my fellow commissioners on 
the recommendations from the Cyber Solarium Commission's 
report. Our report has been a lot of blood, sweat, and tears 
over a year in a bipartisan, bicameral, public-private sector 
approach.
    And before I was in political public service, I did serve 
in the United States Army and am a veteran of the Iraq war, and 
I now chair innovation at the United States Military Academy at 
West Point.
    But when I was appointed to this special bipartisan 
commission, I was naturally interested in how the United States 
could preserve and employ the military instrument of power to 
impose costs on our adversaries and defeat the ghosts in our 
networks. And I want to concentrate my comments today on this 
important aspect of our Commission's work, because at the end 
of the day, it is our United States military that is 
responsible for keeping our families safe here at home.
    I am firmly in support of our Commission's choice to expand 
upon the concept of defend forward as described in the 2018 
Department of Defense Cyber Strategy, to incorporate both 
military and nonmilitary instruments of power as part of our 
Commission's strategy of defend forward and layered cyber 
deterrence.
    I believe that this strategy, if endorsed and appropriately 
resourced by our United States Congress, will ensure that the 
United States is prepared to impose costs on our adversaries to 
better deter and, if necessary, fight and win conflicts. It is 
no secret that our adversaries are using cyberspace to steal 
national security, intellectual property, and hold U.S. 
military systems and functions at risk. The latter, in 
particular, threatens to undermine our deterrence across all of 
our instruments of warfare.
    The conventional and nuclear technologically advanced 
military capabilities that form the bedrock of America's 
military advantage also create cyber vulnerabilities that our 
adversaries could exploit to their own benefit. And so whether 
it is nuclear, conventional, or cyber, the United States must 
be confident that its military capabilities will work as 
intended.
    Moreover, across a spectrum of engagement from competition 
to crisis and conflict, the United States must ensure that it 
has sufficient cyber forces to accomplish our strategic 
objectives in and through cyberspace. This demands sufficient 
capability, capacity, and streamlined decision-making processes 
enabling rapid and effective cyber response options to impose 
meaningful costs against adversaries and to respond to 
adversary action.
    You know, while our Commission's final report--it boasts 
over 80 recommendations, but I would like to draw this 
committee's attention, this committee in particular's 
attention, to ensure that you give serious consideration to the 
following 3 items as it involves defending our Nation.
    First, Congress should direct the Department of Defense to 
conduct a force structure assessment of the Cyber Mission Force 
to ensure that the United States has the appropriate force 
structure and capabilities in light of mission requirements and 
expectations that are growing in both scope and scale. 
Additionally, this assessment must also include ensuring 
sufficient resources for entities within our intelligence 
community that do play critical combat support agency functions 
for our U.S. Cyber Command, particularly the NSA [National 
Security Agency].
    Second, currently, the CMF, the Cyber Mission Force, has 
133 teams comprised of 6,200 incredible individuals. However, 
these requirements were determined over 7 years ago in 2013, 
before the United States fully appreciated the scope and the 
scale of the threat in cyberspace, which has increased mission 
requirements on the CMF. A force structure assessment of the 
CMF is the first step to make sure that we get it right to 
ensure that the CMF has appropriately sized forces and 
sufficiently capable--is sufficiently capable to achieve its 
objectives.
    And last, as it relates to defense, Congress needs to 
direct the Department of Defense to conduct a cybersecurity 
vulnerability assessment of all these segments of the nuclear 
command and control system, continually assess weapons systems' 
cyber vulnerabilities.
    Now let me go to the economy.
    I thought our co-chairman, Senator Angus King, said it 
great and appropriately when he said we are the most wired and 
vulnerable country in the world. And whether it is my time in 
the Pentagon, as a soldier overseas, or in the Congress, we 
understand that the greatness of America is that we do have the 
number one economy in the world, and we have the number one 
military in the world, and it is up to us to make sure we keep 
it that way.
    And as it goes to our economy, I want to make sure that we 
comment and address the continuity of the economy. I believe 
the United States must prepare for the cyber day after. The 
government needs a continuing plan to ensure that critical data 
and technology remains available after a devastating network 
attack.
    You know, during the height of the Cold War, the U.S. 
Government had a plan for the day after. The government did 
what it needs to ensure that after a massive nuclear strike, 
how do we ensure that our government and how do we get the 
private sector operating, especially when it comes to critical 
infrastructure, getting it back online, and even how to put 
hard currency back into circulation and begin regenerating our 
economy.
    Similar to the necessary plans to manage a pandemic, we 
currently have no such reconstitution plans for such a cyber 
event. I strongly believe this Congress should direct the 
executive branch to develop and maintain this plan in 
consultation with the private sector to ensure the continuous 
operation of critical infrastructure of the economy in the 
event of a significant cyber disruption.
    Like COOP [continuity of operations] and COG [continuity of 
government] before it, this will be a critical piece of our 
national planning. And in similar vein, you know, Congress 
should codify a cyber state of distress tied to a cyber 
response and recovery fund to ensure that the CISA 
[Cybersecurity and Infrastructure Security Agency] and 
appropriate Federal agencies have sufficient resources and 
capacity to respond to significant cyber incidents before they 
turn into major disasters.
    You know, while the NDAA functions to provide the DOD 
[Department of Defense] with an annual health and wellness 
checkup, Congress must not ignore the underlying national 
security threats that could damage our infrastructure that is 
owned and operated by the private sector, because these digital 
foundations drive the American economy. They spur technological 
innovation and they support our United States military. The 
status quo in cyberspace and this lack of a COOP plan is 
unacceptable, and we need your help to protect the key elements 
and enablers that make our military and our country it serves 
the best in the world.
    Thanks, Mr. Chairman and the ranking member, for this 
opportunity to testify before you today, and we look forward to 
your questions.
    Mr. Langevin. Thank you, Commissioner Murphy, for those 
comments.
    And now the chair recognizes Commissioner Frank Cilluffo, 
Frank, for any comments that you would like to make.
    You are still muted.

STATEMENT OF FRANK CILLUFFO, COMMISSIONER, CYBERSPACE SOLARIUM 
                           COMMISSION

    Mr. Cilluffo. Thank you, Chairman.
    Mr. Langevin. Gotcha.
    Mr. Cilluffo. Thank you for the privilege, Chairman 
Langevin, to join you today, Ranking Member Stefanik, 
distinguished representatives, and my fellow commissioners. It 
really is a privilege to be able to spend a little bit of time 
with you and share some of our thoughts on the recommendations 
of our Commission's report.
    The strategy that we have laid out, as Senator King said, 
is the modern credible deterrent that the United States 
urgently needs in cyberspace. The current status quo in which 
China, Russia, Iran, and North Korea conduct malicious cyber 
campaigns against the country is, simply put, unacceptable.
    As my colleagues addressed, it is imperative we move fast, 
starting with a national cyber strategy and a national cyber 
director who will focus government efforts on cybersecurity. I 
also second the call that Patrick was espousing to establish 
continuity of the economy planning. There can be no more 
important efforts than the ones to make our Nation resilient to 
cyber attacks.
    But I thought I would highlight a couple of other 
recommendations that are equally as important.
    First, to foot stomp what Patrick had mentioned in terms of 
the Cyber Mission Force, we really do need to conduct that 
force structure assessment, which is dated in terms of what the 
gap and the need is today from when that was initially 
established. And the scope of the threat obviously grows 
exponentially. And since the bulk of capabilities within DOD to 
counter malicious adversary campaigns and impose costs are 
within the CMF, we simply have to ensure that they are 
resourced and have the authorities to fulfill its job.
    I think, as Ms. Stefanik rightly put, we must continue to 
lead and innovate by integrating cyber into our warfighting 
strategies and doctrine. We need to ensure that we can bring in 
both the offensive capabilities and the defensive capabilities 
to lead.
    Second, as Patrick also mentioned, conventional and nuclear 
weapons systems. They need to work when--when needed and as 
intended. And I just want to double tap the recommendation in 
terms of conducting a cybersecurity vulnerability assessment of 
all segments of not only our NC3, our nuclear command and 
control systems, but continually assess our conventional 
weapons system cyber vulnerabilities as well, and we need to do 
this in a systems-to-systems approach. You can't look at it in 
isolation. You need to look at it in its totality.
    And I also highly support the recommendations that Congress 
should require defense industrial base [DIB] participation in 
threat intelligence-sharing programs and threat hunting on the 
DIB networks.
    And as I said before, to preserve and employ the military 
instrument of power, we must also maintain resilience in our 
economy and critical infrastructure. And, again, I just want to 
foot stomp the continuity of economy recommendation. I hope 
Congress can act upon that.
    Third, the public and private sectors, along with key 
international partners, must collaborate to build resilience 
and reshape the cyber ecosystem in a manner that enhances 
security. This means partnering with the private sector and 
especially those that are ideally positioned to scale their 
impact on the ecosystem, such as IT [information technology] 
companies, ISPs [internet service providers], and cloud service 
providers, and to better secure the services and products that 
they offer.
    The Commission recommended a number of important actions 
that Congress should take now to that effect. One, Congress 
should establish and fund a national cybersecurity 
certification and labeling authority for information and 
communications technology funnels, and a bureau of cyber 
statistics to provide a foundation for decision makers to base 
policies and programs on empirically based evidence. This 
statistical information also serves as a platform to facilitate 
market-based solutions and mechanisms, such as cybersecurity 
insurance.
    I also want to thank the committee for including DMARC 
standards in the NDAA. This can go a long way in securing email 
from phishing and malware attacks. And while we obviously need 
to be focused on advanced persistent threats, often the first 
way into one system is through phishing expeditions and the 
like.
    And, lastly, we need to ensure that our supply chains are 
trusted, and Congress should direct the U.S. Government to 
develop and implement an industrial base and manufacturing 
strategy, again, for information technologies and 
communications technologies.
    Finally, I would like to focus on a topic that is critical 
to mission success. We must, must invest in our Nation's 
cybersecurity workforce. The shortfall between supply and 
demand in this area is staggering. And it is all the more 
concerning because the threat continues to expand 
exponentially, and the gap gets greater, not lesser.
    And we need to--as a matter of national and economic 
security, we need to redouble our efforts to pull in more 
veterans and get serious about recruiting and retaining more 
women, people of color, and neurodiverse individuals.
    Leveraging different perspectives and diversifying a 
cybersecurity workforce is not only the right thing to do; it 
is the smart thing to do. The time to act is now.
    Mr. Chairman, I hope I didn't go over my time, but thank 
you for the opportunity to testify before you today. I look 
forward to questions. And I really do appreciate your 
leadership, not only through the Solarium Commission, but for 
many, many years on cyber-related issues. So thank you, sir.
    Mr. Langevin. Thank you very much, Commissioner Cilluffo, 
and for your longstanding contributions to the issue of 
cybersecurity in your own right.
    So, with that, I thank all of our witnesses for their 
testimony today. We are now going to move to our questions.
    Before I do that, though, I was remiss in not recognizing a 
couple of other people that were very involved in certainly 
helping us to get the recommendations through the Armed 
Services Committee and into our mark and to the floor. I want 
to recognize Chairman Smith and Ranking Member Thornberry for 
their support, as well as Ranking Member Stefanik and staff 
director Paul Arcangeli and many others.
    Let me also recognize my team, Allison Browning, my--you 
know, my colleagues, military fellows, along with Caroline 
Goodson and Matt Lake, my other military fellow. And I know 
that Eric Snelgrove as well on the minority side was very, very 
helpful.
    So, with that, let me now turn to questions. And if it is 
conducive, Senator King, if I could start with you. If I could 
ask, which defense-centric recommendations strike you as the 
most urgent, whether directed at the executive branch or the 
legislative branch?
    You are muted. You just need to unmute.
    Senator King. If I seem a little out of breath, it is 
because I just voted. I had to go upstairs for a vote, but I 
was able to listen to Frank's testimony, so I appreciate it.
    I think, Jim, our probably the most significant 
recommendation that relates indirectly to defense but is--
overall is the national cyber director. The reality is that, 
right now, we have enormously capable people throughout the 
Federal Government, but there is no central point of oversight. 
There is no central point of coordination. There is no central 
point of defining strategy. And I really think that that is--
that is one of the critical recommendations. It is one that is 
already in your committee bill, which I think is really 
important.
    I think, secondly--and Patrick Murphy mentioned this--the 
force structure assessment. We haven't really looked at the 
force structure of--in the Defense Department on cyber since 
2013, and I think we all know that there have been dramatic 
changes since then. There have been dramatic changes in the 
risk, in the complexity, in the adversaries, in the target 
space. So I think that is probably--I would put that next in 
line.
    And then the development of the cyber workforce, because we 
can have--we can talk about force structure, but if we don't 
have the people to fill those positions with the skills, then 
we are just not going to make it. For example, a cyber 
workforce, there is a--we have a scholarship program now that 
is very effective, but it has graduated, I think, 2,000 people 
in the last 4 or 5 years. We need to--or 3,600, I guess. We 
need to graduate 2,000 a year. I mean, we have a tremendous 
need for these skilled people.
    So I would say national cyber director, assess the cyber 
force, and develop workforce would be my first three priorities 
in the--in that--in the military area.
    Mr. Langevin. Yeah. Very good. Very insightful. I 
completely concur. Thank you for those observations. And we 
need to grow the size of the cyber pie, not just competing for 
a bigger slice of it from a government standpoint. We need to--
it helps both government and private sector to grow the size of 
the cyber workforce pie. And I concur with the other 
recommendations you highlighted.
    How about Chairman Gallagher, same question to you, what do 
you see as the most urgent and important of the 82 
recommendations, if you would like to comment?
    Mr. Gallagher. Well, I agree with Senator King that I 
think, over time, we will realize that the force structure 
assessment of the Cyber Mission Force will end up having 
perhaps the biggest impact on DOD over the next decade if we 
come back with a finding that suggests that we do not have 
enough personnel dedicated to the issue.
    But I do think perhaps more urgent, and it is an area where 
I know there is still some debate, is to get the authorities 
right that would allow us to do threat hunting on defense 
industrial base networks. I think one of our biggest findings 
in the report was that, while we are getting a better awareness 
of our own systems, we still, down to the level of some of our 
DOD contractors, subcontractors, all the small companies that, 
you know, work with the big defense primes, don't have the 
level of visibility on the threat picture and the security of 
their networks that we need.
    And so we have a lot of recommendations in chapter 6 
towards that end. And I just would argue that we need to figure 
that piece out, because we just can't be in the process of 
reacting to cyber intrusions after the fact. We have to 
identify those threats at a quicker timeline than that at which 
our adversaries can break out on networks.
    So I just would highlight some of what my colleagues have 
talked about in terms of threat hunting, not only on DOD 
systems, but on the whole defense industrial base network.
    Mr. Langevin. Very good. Thank you for that.
    Let me turn to Commissioner Murphy now. Commissioner 
Murphy, based on your time within the Department of the Army as 
a soldier, as an officer, and a civilian leader, what are your 
views on the Solarium's recommendation on evaluating different 
models for their Reserve Component? Are you optimistic that the 
Army, as an institution, can accommodate a different model for 
their Reserves than existed, say, for the last several decades?
    Mr. Murphy. I do, Mr. Chairman, and I appreciate that 
question. Can I just address something? I think this is the 
first time in American history we had someone testifying and at 
the same time voting in the U.S. Senate when Senator King did 
that about 15 minutes ago.
    But to your question, Mr. Chairman, absolutely. We all know 
that the largest fighting force we have in America is our U.S. 
Army. We have got a million soldiers strong, 300,000 civilians. 
But of those a million soldiers, unlike the other services, the 
majority of our soldiers are actually in a Reserve Component, 
in the National Guard, in the Army Reserves. And that is why it 
is critical that when we say we have in the CMF 133 teams, you 
know, Chairman Milley and I, when we were running the Army, we 
made it a point that we didn't talk about just the 10 Active 
Duty divisions. We were one Army, and we made sure that we 
fought as one Army. We trained as one Army. And that includes 
with cyber.
    So, yes, I think our Army, now being led very well by my 
battle buddy from Fort Bragg, Secretary Ryan McCarthy, and also 
General McConville, they get that, and they are trying to 
really do what they can to partnership with the HASC [House 
Armed Services Committee] and the Congress to make sure that 
they had that proper balance between the Reserve and Active 
Component as it relates to cyber, as it relates to CMF. But we 
need to make sure that as we address this assessment, which we 
critically need, because, remember, Mr. Chairman, in my 
statement, 7 years ago is when we did the last assessment. That 
was before we even had defend forward. That is before we even 
had layered deterrent.
    So now that we have a bigger footprint digitally and we are 
still vulnerable--and I said, as Senator King mentioned, we are 
the most vulnerable country in the world because we are so 
wired. And when we look at the pandemic of coronavirus and what 
it has done to our economy, imagine the destruction which cyber 
would do. And that is why, to your point, we need to make sure 
that we have this assessment and make sure that assessment 
absolutely positively incorporates the Reserve Component of our 
military forces.
    Mr. Langevin. Well said. Well said. Thank you.
    Thank you all for your--the answer to those questions. They 
are all very insightful answers, and I thank you again for your 
work on the Commission.
    With that, now I want to turn to Ranking Member Stefanik 
for any questions she may have.
    Ms. Stefanik. Thank you, Chairman Langevin.
    I wanted to ask Senator King, both in my opening statement 
and many of our witnesses have touched upon this, and that is 
the importance of establishing deterrence in cyberspace that 
was featured very prominently in the report, but the Commission 
also notes that true deterrence must be adapted from how it is 
applied in other domains.
    What actions can we take to better deter our adversaries, 
including state actors like Russia, China, Iran, and North 
Korea, from conducting cyber attacks on American interests?
    Senator King. Well, I think there are a series of steps, 
and one that hasn't really been mentioned very strongly so far 
is the international community. We are in the infancy of the 
law of cyber war, if you will, and we need to be more active 
participants in setting the standards and the guardrails and 
the norms for activity in cyberspace so that when we do act, 
whether it is the imposition of sanctions or other responses, 
we are not acting alone or unilaterally.
    Winston Churchill said the only thing worse than fighting 
with your allies is fighting without allies. And that is one of 
our major advantages on the world stage with regard to our 
principal near-peer adversaries of Russia and China. I was in 
Asia about a year ago, and the--someone said, America has 
allies; China has clients. And I think that is--so that is step 
one, is to develop an international set of norms that will 
themselves be at least some level of deterrent.
    Secondly, we have to have a clear declaratory policy. I 
emphasize the word ``declaratory,'' because if you don't tell 
your adversary that you will respond, then it is not a 
deterrent. And so I think we need to have a much clearer 
statement of our doctrine, of our strategy, so that adversaries 
know that they will, in fact, pay a price.
    The problem has been you can argue that we have done a good 
job of deterring catastrophic cyber attacks. Of course, there 
is no way to measure something that doesn't happen, but we 
haven't deterred lower--below the threshold of the use of force 
cyber attacks, whether it is the OPM breach that you mentioned, 
or the attacks on our election, our election infrastructure, or 
the kind of intellectual property theft. We haven't done a very 
good job of deterring that. So I think the important thing is 
to establish, (a), the means, the credibility, the credible 
response; and, secondly, to declare it, to make it clear that 
you will not attack the United States and not have a 
significant cost imposed upon you.
    So I think international norms and a clear declaratory 
strategy. It is not exactly, as you note, I think, as you 
understand, it is not exactly analogous to the nuclear 
deterrent. It is a different and more subtle kind of issue. But 
I do believe that unless we make it clear to our adversaries 
that they have a--they have to calculate that there will be 
costs imposed, and it may--it doesn't have to be cyber for 
cyber. It may be sanctions or other kinds of responses. Until 
they make that calculation, they are going to keep coming after 
us.
    So that would be my response to that very good question. 
Thank you.
    Ms. Stefanik. Thank you, Senator King.
    And my next and final question I am going to address to 
Congressman or Chairman Gallagher. As you know, oftentimes it 
is not the DOD or even the Federal Government that is the 
target of our adversaries in cyberspace. It is often our 
cities, our States, universities, or private-sector businesses. 
And many of those entities are ill-suited and, frankly, ill-
prepared to protect against cyber threats from nation-states.
    How do we address this capability gap, and what are some of 
the Commission's recommendations that address this really 
important issue where we tend to have siloing within our 
Federal agencies?
    Mr. Gallagher. That is a great question. I would connect it 
to your previous question, actually. Actually, I think this is 
the primary difference between the logic of strategic nuclear 
deterrence and the logic of deterrence as we see it in 
cyberspace, which is that so much of what we are trying to 
protect and so many of the actors that we are trying to get to 
buy into that logic are not card-carrying members of the 
Federal Government and certainly don't wear uniforms.
    And so we had a private-sector commissioner, Tom Fanning, 
who runs a major energy company, and he would remind us 
constantly that 85 percent of the critical infrastructure in 
this country is owned by the private sector.
    I think what we also see, to get to the heart of your 
question, is the good-faith effort to thread the needle in this 
report between the recognition that the Federal Government has 
to compel the organizations you identify, be they universities 
or companies or major banks on Wall Street, against the 
unwillingness to saddle them with a bunch of counterproductive 
and onerous regulations that might stifle innovation and 
entrepreneurship in this country, which, as Senator King and I 
say at the outset, is our best path to beating China over the 
long term.
    So the approach we took, whether it is through 
recommendations like mandating penetration testing for major 
publicly traded companies or requiring companies that are part 
of the defense industrial base to participate in threat 
intelligence sharing or establishing a joint planning office 
within CISA in order to more proactively engage with the 
private sector so they are actually integrated into our 
defensive planning process, we get their input on the front 
end, is a mix, I would say, of carrots and sticks.
    We want the C-suite executives to take cybersecurity 
seriously, and we are prepared to sort of nudge them in that 
direction. But we also want them to view the Federal Government 
as a valuable partner, a partner that understands that, in many 
ways, the private sector is the main effort in cyberspace and 
the Federal Government is the supporting effort.
    Ms. Stefanik. Thank you. I yield back.
    Mr. Langevin. Very good. Thank you, Ranking Member 
Stefanik.
    Mr. Larsen is now recognized for 5 minutes.
    Mr. Larsen. Thank you--thank you.
    My first question is for Representative Gallagher, and this 
gets to the business of the private sector side of things, 
because we have the Cybersecurity Maturity Model Certification 
[CMMC] process now working its way through the Pentagon and 
being utilized, mainly focused on smaller businesses within the 
defense industrial base.
    Did you look at how that could be or should be integrated 
with what your recommendations are for private-sector cyber 
hygiene?
    Mr. Gallagher. I think our view is that it needs to be more 
expansive than that, and that--I think it needs to take a prior 
step of even understanding who is included in the phrase 
``defense industrial base.'' We have actually gone through this 
process before, not in a cyber context, where the Pentagon has 
actually tried to have what I would call total defense 
manufacturing visibility. Who are all the companies that are 
part of this ecosystem? And for whatever reason, we haven't 
gotten there. It is now even more complex in cyberspace.
    So I view our recommendations as perhaps building upon the 
efforts you reference. I know that those--there are a lot of 
companies who may not want to participate in that, but I just 
would say, if you are working with the Pentagon, if you are 
working on systems that are critical to our national defense, 
and if we know that you are a target for foreign actors, be 
they state-sponsored hackers from China or cyber criminals, you 
are going to have to demonstrate a higher level of 
cybersecurity than those companies have right now.
    Mr. Larsen. Yeah. Yeah.
    For Commissioner Murphy, good to see you again, 
Commissioner. Recommendations recommend that the U.S. 
strengthen existing bilateral and multilateral relationships. 
Can you talk specifically how the U.S. could partner with NATO 
[North Atlantic Treaty Organization] to enable and help the 
member countries strengthen their systems against cyber 
attacks?
    Mr. Murphy. Absolutely. And, Congressman Larsen, it is 
great to be with you again, and I hope your home State of 
Washington is doing great.
    Mr. Larsen. Thank you.
    Mr. Murphy. On your earlier question, really quick, on the 
private side sector, I know with the CMMC, what we need to do 
also is that data. Data is king, as you know. And that data and 
that--really that what we are calling the CSET, the Bureau of 
Cyber Statistics and Emerging Threats, that is critical, 
because we need that to make sure that we have a more robust 
insurance program, et cetera. So I just wanted to dovetail on 
that.
    But to your question directly, no doubt what makes America 
the shining city on the hill is our diplomatic power. You look 
at the symbol, the American eagle, 1 talon, 13 arrows 
signifying the 13 colonies and our military might, the other 
talon with the olive branch showing our diplomatic power and 
using smart power.
    And so, with that, and with our very specific 
recommendations that we were tasked to do is asking for a new 
Assistant Secretary of State. And this one is very, very 
important, because we need to make sure that we strengthen the 
norms, we make sure that we use that diplomatic power to let 
other nations, like China, like Russia, like Iran, know that 
this is not acceptable, and establishing those norms and making 
sure that we bring everybody to the table. And I think that is 
critically important, and we do that by also advocating, 
frankly, in the White House for the NCD, the national cyber 
director.
    You know when we worked together in the HASC that I am a 
big believer in leadership and one throat to choke, and by 
having one person, one quarterback within the Executive Office 
of the President, that national cyber director will help make 
sure we are streamlining within our government and also in the 
private sector, what we need to do to protect our military, to 
protect our economy and our companies, and also to make sure we 
are keeping our families and our economy safe.
    Mr. Larsen. Yes. Thanks. Final question will be for 
Commissioner Cilluffo, because you shouldn't be exempt from 
having to answer questions while you are here.
    Senator King mentioned paying the price. I think it is an 
attribution. So can you talk a little bit more deeply about 
what the Commission considered with regards to a policy of 
attribution? And, second, would attribution apply only to those 
countries that are specifically listed in the National Security 
Strategy or would it be any country that is participating in 
cyber intrusions, which sometimes are not those countries that 
we consider adversaries?
    Mr. Cilluffo. Thank you, sir, for the excellent question. I 
mean, for starters, attribution has improved dramatically over 
the years. We are not fully where we want to be, but I think we 
are in a much better place. And I think it is worth noting--and 
this transcends all of the various questions we have seen 
here--is that cyber is its own domain, but it transcends all 
the other domains, whether air, land, sea, space, and there are 
other means of collection that can be brought to bear to 
enhance our attribution, whether it is through technical means 
or through human sources. So the bottom line is our attribution 
is improving.
    You have probably noted a big uptick in at least Five Eyes 
countries coming together and doing joint and shared 
attribution. I think this actually is having some very positive 
net effect in terms of some of our adversaries and actually 
putting them on notice, as Senator King was discussing earlier. 
So we need to be able to have some declaratory sort of impact.
    And I might note our transatlantic partners with NATO, you 
have also seen an uptick in joint attribution.
    Bottom line is, just the facts, ma'am. We have got to be 
going where the facts arise. Obviously, there are other 
potential diplomatic questions when discussing allies, but I 
think that in terms of informing our USG [United States 
Government] entities and some of our dot-com entities, we have 
got a responsibility to do that as the U.S. Government.
    So longwinded way of saying I think you are going to see us 
moving out from our Five Eyes to our NATO partners to allies 
that don't exist in any of those organizations, such as South 
Korea, Japan, Israel, and a handful of others, and then build--
India, and building out from there. So I think we have made 
some progress, we have got to continue to do more, and we have 
got to hold our adversaries to account. There have to be 
consequences. There has to be impact.
    And I think it is worth noting that we do suggest we lean 
forward in a lot of these issues. We do support the defend 
forward concept, persistent engagement concept, but not only 
through the lens of the military, that is a crucial element of 
it, but all instruments of statecraft.
    Mr. Langevin. Very good. Thank you, Mr. Larsen.
    Before we go to Mr. Bacon, I will comment and say that Mr. 
Cilluffo's answer is absolutely right that we are getting 
better at attribution. What we do need to do, though, is 
shorten the timeline between incident and our response. I 
applaud the Europeans who are--the sanctions that they put on 
the entities that were responsible for several high-profile 
attacks or intrusions, but those things happened, you know, 
several months ago. There is such a long lag between action and 
consequence. If we can, I think both United States, Europeans, 
our partners, need to work more quickly to close that gap 
between action, between incident and response. So we punish the 
bad actors, and they realize it is relevant to the action.
    With that, Mr. Bacon is now recognized for 5 minutes.
    Mr. Bacon. Thank you there, Mr. Chairman. And I want to 
thank the Commission for their hard work, a very thoughtful 
discussion. Great product. I appreciate it.
    I am not sure who to target the questions to, so I will 
just--whoever feels best to answer them, just jump in there. I 
am curious to hear more about the national cyber director, and 
the reason is our cyber attack is under Cyber Command 
primarily. Cyber intelligence is primarily under NSA, but what 
is most worrisome is the cyber defense. It is really no--there 
is no single authority.
    So is this national cyber director and the team that were 
put in the executive branch or that you are proposing, is it 
primarily focused on the defense end or does it involve all 
three: attack, intelligence, defense? And if it is all three, 
how will that impact the chain of command for a cyber attack? 
Is it that command goes through the Cyber commander, Secretary 
of Defense, and the President? So I am just sort of curious to 
hear more. Thank you.
    Senator King. Mr. Chairman, perhaps I can take that. That 
is a really good question. The purpose of the national cyber 
director is planning and coordination, not operations. So the 
chain of command between the--between Cyber Command, Secretary 
of Defense, and the President would not be interrupted. That is 
not the purpose of this new office in the Executive Office of 
the President. We want this person to be accountable for the 
coordination, but does not--would not have an operational role.
    Also, a piece of it is planning, as we have been talking 
about, and coordinating planning throughout, whether it is in 
CISA in Homeland Security or in other--in NIST [National 
Institute of Standards and Technology] or wherever it is in the 
Federal Government. But I think the specific answer to your 
question is we are not talking about operations for this 
position but coordination, planning, and budget coordination. 
This person would have an oversight over the budgets of the 
various agencies, not a veto but a recommendation and a 
certification through the OMB [Office of Management and Budget] 
process.
    Again, the whole idea is to bring some level of--I guess I 
would call it just sensible organization because, right now, 
there is nobody in charge. But to answer your specific 
question, it is still Cyber Command, Secretary of Defense, 
President of the United States.
    Mr. Bacon. Thank you very much, Senator. I appreciate that.
    I surely see a need on the defense side. There is very 
diffused responsibilities on defense, and it just seems to me 
that there is a definite need at least on that part of our 
cyber operations.
    Change in topics. I have a little experience with cyber, 
being in the Air Force for a long time. It seems, if I could 
generalize, Russia was more focused on military cyber, IO 
[information operations]; China a lot more on the economic 
intelligence. Is that generalizations or is that still 
considered, by and large, still the case?
    Mr. Gallagher. Well, I think that is largely right, though 
neither, you know, Russia would ignore the economic domain, nor 
would China ignore the military domain.
    I think if you read the report, in particular the threat 
analysis portion of the report, it is clear that we agree with 
the fundamental finding of the National Security Strategy and 
the National Defense Strategy that China is the pacing threat. 
China is the pacing threat in cyber in terms of the sheer 
resources they are devoting to this issue. I think we are--we 
are concerned about Russia. We talk about Russia. We are 
concerned about non-state actors. But China really comes out as 
a threat that organizes a lot of our response.
    I am not disagreeing with your analysis, but at least a lot 
of what I realized in the course of participating in this 
Commission was that we are insufficiently concerned with the 
actions of the Chinese Communist Party in cyber.
    Mr. Bacon. I appreciate that. And my generalizations were 
going back, not necessarily current. So just curious if it was 
still the case.
    I think the areas that concern me most is the energy sector 
and the financial sector, you know, whether it is Wall Street. 
I really think China or Russia would really create havoc with 
focused attacks on those areas, and we have obviously got to 
raise our game if we want to defend those two critical parts of 
our country.
    Mr. Gallagher. Maybe I can connect it to your first 
question. I think, you know, under the doctrine of civil-
military fusion, China is not making these clear siloed 
distinctions between military operations and sort of economic 
warfare. And I do think that is an area where we hope the 
national cyber director can step up and lead that defensive 
effort.
    One of our biggest findings in the report was that a lot of 
the work that this committee has done in recent years and the 
fiscal year 2019 NDAA to make cyber surveillance and 
reconnaissance a traditional military activity and then to have 
NSPM-13 [National Security Presidential Memorandum-13] layered 
on top of that has really been a positive development and 
helped us on the offensive side. We need similar attention paid 
to the defensive side, so that someone in the Federal 
Government is the single belly button we can push and is 
proactively reaching out to the banks and the financial 
community to say, hey, here is what we are thinking. What input 
do you have for us?
    Mr. Bacon. Chairman Gallagher, I agree. I yield. Thank you.
    Mr. Langevin. Very good. Thank you very much, Mr. Bacon.
    Next on my list I have Congressman Khanna, but I don't know 
that he is still there.
    Are there any members that have not been recognized that 
would like to be recognized?
    Ms. Stefanik. We are all good in the room, Jim.
    Mr. Langevin. Okay. I guess I have one more question on 
continuity of the economy. And would anybody like to comment 
on--and I agree that the comments that were made earlier about 
continuity of the economy are very important. Commissioner 
Murphy addressed a lot of these. But what role do you see, say, 
the Department of Treasury, Department of Commerce, and then 
independent agencies like the Federal Reserve in a continuity 
of economy plan proposal, and any thoughts on how that should 
work?
    Senator King. Jim, let me start off on that--or I should 
say Congressman. Sorry.
    I think one thing the pandemic has taught us is that the 
unthinkable can happen. If you had told us all a year ago we 
would be wearing masks and it would be--we would have large 
part of our economy having severe difficulty, all the things 
that are happening, it would have sounded like science fiction. 
The unthinkable can happen, and that is really what we are 
talking about here.
    And I think one of the problems that our Commission tried 
to attack head on was the fact that has been alluded to today, 
and the prior questioner mentioned this, in terms of the 
financial sector, the energy sector. The target is mostly in 
the private sector. So the continuity of the economy, the 
planning has to engage the private sector. We have to determine 
what are the crucial elements? What are the crucial sectors 
that need to be functioning, no matter what? And how do we 
ensure their protection?
    I think this is one of our most important recommendations. 
This is one that is in the Senate bill. I don't think it is in 
the House bill, and hopefully we are going be able to pull it 
through in the conference committee. But we have really got to 
be thinking about--you know, an ounce of prevention is a pound 
of cure. I mean, we have got to be thinking about how to react 
when the unthinkable happens. And if every--if everybody is 
pointing at one another and there is no plan on the shelf, we 
are going to be--it is going to be infinitely worse and take 
infinitely longer to recover.
    So I think this is one of our most important 
recommendations. And, overall, I think one of the most 
important insights of the Commission was the extent to which we 
had to really forge a new relationship. We have to think in a 
new way about how we relate, how the government and the private 
sector relate in terms of sharing intelligence, sharing attack 
data, cooperating, talking to allies. I mean, it is really a 
very comprehensive approach to this. And I think that is one of 
the significant insights that we bring to the table in the 
report.
    Thank you.
    Mr. Cilluffo. Mr. Chairman, can I add a thought on that? 
When we talk about the continuity of the economy, it did, as 
Senator King said, it became loud and clear just how important 
that is in a post-COVID environment, both directly and 
indirectly. And one of the things we did really zero in on, if 
you think about an x- and a y-axis, you have our critical 
infrastructures, and some are even more so critical than 
others, and we mentioned a couple of them already here today: 
energy, financial services, telecommunications, and, obviously, 
the defense industrial base.
    But then also on a y-axis we have got these critical 
functions. So agnostic to the particular sector, whether it is 
the cloud or whether it is timing and signaling from a GPS 
[Global Positioning System] perspective or a PNT-assured--
positioning, navigating, timing, and signaling kind of 
perspective--this is how we have got to start racking and 
stacking some of these issues.
    And I might note, for the Armed Services Committee as a 
whole, the challenge around mission assurance or the ability 
for DOD to rely upon civilian entities and critical 
infrastructures to project power, deploy forces, this is a 
tough--we have got to put--this is a tough circle to put in a 
square sort of peg. So I think this is where the interaction 
between DOD and CISA at DHS and FBI, as well from an 
investigatory standpoint, becomes so important, and I think 
that just makes the case for a national cyber director that 
much more important. So we at least have the visibility across 
the various playbooks that can come together to be able to make 
sure that the whole is greater than the sum of its parts.
    And this was a point that came up in various questions as 
well. I mean, at the end of the day, what I think is so 
important is also on the intelligence side. The new national 
cyber director that was stood up at NSA is going to play a very 
important role in enabling CISA, in--so CISA can better reach 
out to our State, local, Tribal, territorial partners and, of 
course, the private sector, and same thing in terms of FBI.
    So this, again, may not sound sexy, but it is the org--it 
is the spaghetti org [organizational] chart right now that 
needs to be brought--tamed a little bit and brought under 
control.
    Mr. Murphy. Mr. Chairman, can I just put a stamp on what 
Frank just said real quick, sir----
    Mr. Langevin. Sure.
    Mr. Murphy [continuing]. If that is okay with you? One 
minute. Two things. One, we are going to get caught with our 
pants down if we don't focus on continuity of the economy, 
period. And that is why, you know, in my opening statement, I 
talked about making sure that we have Congress codifying a 
cyber state of distress that is tied to that cyber response and 
recovery fund, so, you know, that we need to direct the 
executive branch and make sure that we do have that continuity 
of the economy planning that is in consultation with the 
private sector. We absolutely need to do that.
    I would also say to you, when we talk about the NCD, 
national cyber director, why that is critically important. As 
Frank just said about, when he was talking about DHS and CISA 
and making sure State and local, we also need to ensure that 
our allies--that is why we were calling for that Assistant 
Secretary of State--that our allies aren't a launching pad to 
hurt us here or hurt our private sector clients or our military 
but, secondly, so that it can more quickly do attribution. 
Thank you.
    Mr. Langevin. Very good. Thank you, Commissioner Murphy and 
to all of our commissioners, for those answers on the topic.
    That concludes my questions. I will turn now to Ranking 
Member Stefanik for any final questions she may have.
    Ms. Stefanik. I am all set, Jim. Thank you to our 
witnesses.
    Mr. Langevin. Okay. All right. Are there any members in the 
room that I can't see that have not been recognized and would 
like to ask a question?
    Ms. Stefanik. No. We are all set.
    Mr. Langevin. Okay. Well, with that, let me conclude by 
thanking all the members of the Commission. You did an 
extraordinary job here today but an even more extraordinary job 
in the--on the Commission, both Senator King and Congressman 
Gallagher, our two co-chairs, and Commissioner Murphy, 
Commissioner Cilluffo, and the rest of the commissioners. Thank 
you all for your extraordinary work. You have made a major 
contribution to better protecting the country in cyberspace 
with your combined efforts, and it is an honor and a privilege 
to be one of the four Members of Congress joining you on the 
Commission. It was one of the highlights of my 20 years in 
Congress to be a part of this effort, and I just--I found it so 
meaningful and, again, time well spent.
    And I like the fact from the very beginning that we 
determined that we were not going to allow just this to be a 
report that would sit on a shelf somewhere, but we wanted 
actionable findings, recommendations that we could implement 
and, again, achieve meaningful change.
    So with that, I thank you all for your participation today, 
your service to the country.
    With that, the hearing now stands adjourned.
    [Whereupon, at 2:14 p.m., the subcommittee was adjourned.]



      
=======================================================================




                            A P P E N D I X

                             July 30, 2020

=======================================================================

      



      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             July 30, 2020

=======================================================================

      
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
      
      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                             July 30, 2020

=======================================================================

      

                  QUESTIONS SUBMITTED BY MS. HOULAHAN

    Ms. Houlahan. The Commission's recommendation #1.5 regards 
recruiting and retaining a strong cyber workforce. I really appreciate 
what you've put forward. A different congressionally mandated group, 
the National Commission on Artificial Intelligence recommended the 
establishment of a U.S. Digital Service Academy that would be a 
dedicated effort to train the next generation of tech talent. Is this a 
recommendation you would agree with?
    Mr. Gallagher and Mr. Cilluffo. The government workforce is short 
more than 33,000 cybersecurity workers in a workforce of nearly 
100,000. Simply expanding government recruitment efforts is not 
sufficient to provide the cybersecurity workforce needed to protect 
national security. Rather, the nation's cybersecurity workforce 
development ecosystem must grow as a whole. Currently, innovative 
programs are taking the first steps toward addressing this need by 
building partnerships between educators, government, and industry, but 
we need to do more. The Cyberspace Solarium Commission studied many 
federal government hiring programs, private sector initiatives, and 
educational efforts, and recommended that it should invest in existing 
programs such as the CyberCorps: Scholarship for Service (SFS), which 
is a program ripe for expansion, as well as the FBI Cyber STEM program 
and CISA's Cybersecurity Education Training Assistance Program on a 
national scale.
    The SFS is a joint program between OPM, the NSF, and DHS that helps 
students finance their education in cyber-related topics in exchange 
for a term of service working for a federal or state, local, or tribal 
government upon graduation.\1\ The program works much like the Reserve 
Officer Training Corps (ROTC) program on many U.S. campuses, only 
better--it awards grants to participating universities, which then 
award scholarships to students while also using a portion of the 
funding to build out the university's cyber-focused programming. As a 
result, the program strengthens educational offerings on cyber topics 
at the same time that it recruits and develops students who are 
prepared for federal cyber service. Currently, there are 85 
participating universities and community colleges offering SFS 
scholarships. The program requires that students may pursue degrees 
that are a ``coherent formal program that is focused on 
cybersecurity,'' and it has supported students working toward a 
bachelor's, master's, or research-based doctorate degree focused on 
cybersecurity.\2\ The recent expansion of the SFS program through the 
Community College Cyber Pilot Program extends eligibility to students 
pursuing an associate's degree or specialized program certifications in 
the field of cybersecurity as well, provided that the students already 
have a bachelor's degree or are military veterans.\3\
---------------------------------------------------------------------------
    \1\ ``CyberCorps: Scholarship for Service,'' Office of Personnel 
Management, accessed July 7, 2020, https://www.sfs.opm.gov/
default.aspx.
    \2\ ``CyberCorps: Scholarship for Service, Overview,'' Office of 
Personnel Management, accessed August 4, 2020, https://www.sfs.opm.gov/
ProspectiveStud.aspx; ``CyberCorps: Scholarship for Service, Students: 
Participating Institutions,'' Office of Personnel Management, accessed 
August 4, 2020, https://www.sfs.opm.gov/ContactsPI.aspx.
    \3\ ``Community College Cyber Pilot Program (C3P),'' National 
Science Foundation, Division of Graduate Education, https://
www.nsf.gov/funding/pgm_summ.jsp?pims_id=505573.
---------------------------------------------------------------------------
    The program has graduated about 275 students per year in recent 
years,\4\ and since its creation in 2000, it has placed 3,600 
CyberCorps graduates in public-sector cybersecurity jobs in more than 
140 different government organizations.\5\ These graduates have brought 
cyber expertise to the government across a variety of cybersecurity 
areas, including cyber policy and strategy, security architecture, and 
cyber operations planning. Because a limited percentage of students can 
fulfill their service obligation in state, local, or tribal governments 
as well as in the federal government, the program also provides the 
opportunity for a limited percentage of graduates to work in public 
education. This helps address the national dearth of teachers able to 
provide cybersecurity instruction.\6\
---------------------------------------------------------------------------
    \4\ More specifically, CyberCorps SFS is projected to graduate 380 
students in 2020. It graduated 307 students in 2019, 324 in 2018, 290 
in 2017, 245 in 2016, and 211 in 2015. Data provided by NSF.
    \5\ OPM, ``CyberCorps: Scholarship for Service: History/Overview.'' 
At the time of access, the data cited was available at https://
www.sfs.opm.gov/Overview-History.aspx; it now can be found at https://
web.archive.org/web/20200608183458/https://www.sfs.opm.gov/Overview-
History.aspx and https://www.nass.org/sites/default/files/
2019%20Summer/presentations/presentation-sfs-summer19.pdf.
    \6\ In fact, legislation has been proposed for inclusion in S.4049, 
the National Defense Authorization Act for Fiscal Year 2021, explicitly 
permitting up to 10 percent of SFS graduates to fulfill their service 
obligation in education roles in higher education institutions that 
participate in the SFS program.
---------------------------------------------------------------------------
    Although the program has an impressive track record, the Commission 
believes that--given the country's inability to fill tens of thousands 
of cybersecurity jobs in both the government and private sector--the 
number of SFS participants should be much higher (Report Recommendation 
1.5). Accordingly, taking practical steps toward increasing the number 
of students also requires increasing the number of participating 
institutions and expanding university- and federal-level outreach about 
the program. The Commission recommends a goal of graduating 2,000 
CyberCorps students per year. To reach that target, the Commission 
advocates for SFS's budget to be increased 20 percent above inflation 
annually over a 10-year period to support scholarships to additional 
students and the programmatic efforts needed for expansion. To help 
jumpstart that budget growth, the Commission recommends increasing 
funding for the CyberCorps SFS program by $20 million in FY2021.
    As your question stated, another Congressionally-mandated group, 
the National Commission on Artificial Intelligence recommended the 
establishment of a U.S. Digital Service Academy that would be a 
dedicated effort to train the next generation of tech talent. A brick 
and mortar effort similar to the service academies. We believe this 
idea has exceptional merit and should be studied and, if all 
expectations are met, funded. This USDSA would serve as a ``service 
academy'' partner to the ``ROTC'' like efforts of the CyberCorps SFS 
program. The U.S. military benefits from both--the ROTC graduates are on 
the whole significantly cheaper, but the service academy graduates come 
with a better grounding in government (service) processes and efforts. 
An unusual twist is that we would need to consider whether USDSA would 
have the same flexibilities as CyberCorps SFS--graduate degrees, 
associate degrees, and limited year scholarships--many SFS are two and 
three year scholarship students, who are not selected until they have 
demonstrated some college success. A USDSA study should review and 
identify the unique attributes that the USDSA would bring to the 
effort. Moreover, it is important to weave this program into the 
existing policy proposals and efforts ongoing at various agencies, 
including DHS, which has proposed a Cyber Workforce Institute. The 
nation needs one cohesive strategy with streamlined implementation and 
funding to ensure that agencies pull in the same direction, instead of 
at cross purposes.
    With the high number of annual openings required to be filled, it 
is likely that the U.S. government needs both an expanded CyberCorps 
SFS and a brick and mortar cyber institute. A study to work out the 
details on all these proposals would provide needed strategic direction 
as would efforts to determine how to grow the CyberCorps SFS to 2000 
plus graduates a year as recommended by the Cyberspace Solarium 
Commission.
    Ms. Houlahan. Did you look into current contracting procedures, and 
do you believe the Department is missing out on innovative cyber 
solutions due to current contracting policies?
    Mr. Gallagher and Mr. Cilluffo. Government contracting is an 
extremely difficult and complex area, and while it was not our primary 
focus, we did attempt to make some recommendations which would enhance 
and streamline government contracting for the cyber domain.
    The Commission recommends the executive branch direct the Federal 
Acquisition Regulation Council (FARC) and the Office of Management and 
Budget to update its cybersecurity regulations in the Federal 
Acquisition Regulation (FAR) and cybersecurity guidance under the Federal 
Information Security Management Act at least every five years, to 
account for changing cybersecurity standards, and explore ways to 
integrate and fully account for existing models and frameworks, such as 
the Cybersecurity Maturity Model Certification, in the FAR. In 
addition, the FARC should be directed to update the FAR to require that 
federal civilian agency contractors adhere to the contractor-exclusive 
Binding Operational Directive issued by DHS.\7\
---------------------------------------------------------------------------
    \7\ The Binding Operational Directives (BODs) identify requirements 
for federal agencies in the executive branch. Each BOD prescribes a set 
of actions that agency chief information security officers or their 
equivalents must take to manage their enterprise networks.
---------------------------------------------------------------------------
    The Commission also recommends the executive branch update the 
Federal Procurement Regulation and Guidelines, including the FAR, to 
require National Cybersecurity Certification and Labeling Authority 
certifications and labeling for certain information technology products 
and services procured by the federal government to enable the broader 
adoption of Certification and Labeling across the nation. The executive 
branch should be required to report to Congress on its decision to 
require National Cybersecurity Certification and Labeling Authority 
certifications and labeling within the FAR, the extent of these 
requirements, or an explanation if no action was taken. This 
recommendation is necessary because the U.S. government is 
institutionally and legally limited in its ability to attest and 
certify that products adhere to security standards, and third-party 
efforts to fill this gap lack sufficient scale, funding, and maturity 
to enact meaningful change in the marketplace.\8\
---------------------------------------------------------------------------
    \8\ Several nongovernmental initiatives, such as Digital Standard 
and the Cyber Independent Testing Laboratory, are aimed at testing and 
providing security information for consumer IT and IoT devices. NIST, 
under Section 401 of the Cybersecurity Enhancement Act of 2014, is 
tasked with coordinating the development and dissemination of standards 
and best practices for cybersecurity.
---------------------------------------------------------------------------
    Federally procured information technology fully accounts for 
identified good security practices for building secure software and 
systems, such as those offered by NIST's Secure Software Development 
Framework \9\ and the ISO/IEC 27000 standards family.\10\ When 
developing requirements, the council should take into account lessons 
learned with NIST Special Publication 800-171, comments from DOD's 
Cybersecurity Maturity Model Certification, rulings or comments of the 
Federal Acquisition Security Council, and the ISO/IEC 27000 standards.
---------------------------------------------------------------------------
    \9\ Donna Dodson, Murugiah Souppaya, and Karen Scarfone, ``Mitigating 
the Risk of Software Vulnerabilities by Adopting a Secure Software 
Development Framework'' (National Institute of Standards and 
Technology, 2019), https://csrc.nist.gov/CSRC/media/Publications/white-
paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/
draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf.
    \10\ International Organization for Standardization, ``ISO/IEC 
27001 Information Security Management'' International Organization for 
Standardization, https://www.iso.org/isoiec-27001-information-
security.html.
---------------------------------------------------------------------------
    Providers of information technology submit software transparency 
and software bills of materials for the systems they provide in support 
of government missions in line with the certifications and labels 
developed by the National Cybersecurity Certification and Labeling 
Authority (recommendation 4.1).\11\
---------------------------------------------------------------------------
    \11\ ``NTIA Software Component Transparency,'' National 
Telecommunications and Information Administration, September 5, 2019, 
https://www.ntia.doc.gov/SoftwareTransparency.
---------------------------------------------------------------------------
    Upon the development of cybersecurity insurance policy 
certifications (recommendation 4.4), U.S. government contractors 
maintain a certified level of cybersecurity insurance and explore 
whether the Cybersecurity Maturity Model Certification should be 
updated to require cybersecurity insurance.
    Additionally, to enhance the flexibility and agility of U.S. Cyber 
Command in a dynamic operating environment, Congress should direct in 
the FY2021 NDAA that the Department of Defense submit a budget 
justification display that includes a Major Force Program (MFP) 
category for the training, manning, and equipping of U.S. Cyber 
Command. According to 10 U.S. Code Sec. 238, DOD is required to submit 
to Congress a budget justification display that includes an MFP 
category for the Cyber Mission Force. However, this law was enacted in 
2014, before U.S. Cyber Command was elevated to a unified combatant 
command. Therefore, there is a need for a new budget justification 
display that establishes an MFP category for U.S. Cyber Command. A new 
MFP funding category for U.S. Cyber Command would provide it with 
acquisition authorities over goods and services unique to the command's 
needs. It should also provide a process to expeditiously resolve 
Combatant Command/Service funding disputes, consistent with the intent 
of DOD Directive 5100.03.\12\ This would be analogous to the MFP 
funding category for U.S. Special Operations Command, which was created 
to support comparable needs for operational adaptability.
---------------------------------------------------------------------------
    \12\ U.S. Department of Defense Directive 5100.03, ``Support of the 
Headquarters of Combatant and Subordinate Unified Commands'' (February 
9, 2011; incorporating Change 1, September 7, 2017), https://
www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/510003p.pdf.
---------------------------------------------------------------------------