b"<html>\n<title> - [H.A.S.C. No. 116-88] REVIEW OF THE RECOMMENDATIONS OF THE CYBERSPACE SOLARIUM COMMISSION</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                                     \n \n                         [H.A.S.C. No. 116-88]\n\n                     REVIEW OF THE RECOMMENDATIONS\n\n                 OF THE CYBERSPACE SOLARIUM COMMISSION\n\n                               __________\n\n                                HEARING\n\n                               BEFORE THE\n\n   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES\n\n                                 OF THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                             JULY 30, 2020\n\n                                     \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n                            ______\n\n             U.S. GOVERNMENT PUBLISHING OFFICE \n41-410               WASHINGTON : 2021 \n                                     \n  \n\n\n   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES\n\n               JAMES R. LANGEVIN, Rhode Island, Chairman\n\nRICK LARSEN, Washington              ELISE M. STEFANIK, New York\nJIM COOPER, Tennessee                SAM GRAVES, Missouri\nTULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana\nANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas\nRO KHANNA, California                AUSTIN SCOTT, Georgia\nWILLIAM R. 
KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee\nANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin\nCHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida\nJASON CROW, Colorado, Vice Chair     DON BACON, Nebraska\nELISSA SLOTKIN, Michigan             JIM BANKS, Indiana\nLORI TRAHAN, Massachusetts\n                Josh Stiefel, Professional Staff Member\n               Eric Snelgrove, Professional Staff Member\n                         Caroline Kehrli, Clerk\n                         \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Chairman, Subcommittee on Intelligence and Emerging Threats and \n  Capabilities...................................................     1\nStefanik, Hon. Elise M., a Representative from New York, Ranking \n  Member, Subcommittee on Intelligence and Emerging Threats and \n  Capabilities...................................................     3\n\n                               WITNESSES\n\nCilluffo, Frank, Commissioner, Cyberspace Solarium Commission....    11\nGallagher, Hon. Mike, Chairman, Cyberspace Solarium Commission...     7\nKing, Hon. Angus, Chairman, Cyberspace Solarium Commission.......     5\nMurphy, Hon. Patrick, Commissioner, Cyberspace Solarium \n  Commission.....................................................     8\n\n                                APPENDIX\n\nPrepared Statements:\n\n    King, Hon. Angus, joint with Hon. Mike Gallagher, Hon. \n      Patrick Murphy, and Frank Cilluffo.........................    34\n    Langevin, Hon. James R.......................................    29\n    Stefanik, Hon. Elise M.......................................    
32\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Ms. Houlahan.................................................    49\n      \n\n  REVIEW OF THE RECOMMENDATIONS OF THE CYBERSPACE SOLARIUM COMMISSION\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n     Subcommittee on Intelligence and Emerging Threats and \n                                              Capabilities,\n                           Washington, DC, Thursday, July 30, 2020.\n    The subcommittee met, pursuant to call, at 1:01 p.m., in \nroom 2118, Rayburn House Office Building, Hon. James R. \nLangevin (chairman of the subcommittee) presiding.\n\n OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE \n FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND \n               EMERGING THREATS AND CAPABILITIES\n\n    Mr. Langevin. The subcommittee will come to order.\n    I would like to begin by welcoming the members who are \njoining the hearing remotely.\n    Just a bit of housekeeping before we get into the actual \nhearing itself.\n    To those members--those members are reminded that they must \nbe visible on screen within the software platform for the \npurposes of identity verification when joining the proceeding, \nestablishing and maintaining a quorum, participating in the \nproceeding, and voting. Members participating remotely must \ncontinue to use the software platform's video function while \nattending the proceedings, unless they experience connectivity \nissues or other technical problems that render the member \nunable to fully participate on camera. 
If a member who is \nparticipating remotely experiences technical difficulties, \nplease contact the committee staff for assistance, and they \nwill help you get recognized.\n    When recognized, video of remotely attending members' \nparticipation will be broadcast in the room and via television \ninternet feeds. Members participating remotely are asked to \nmute their microphone when they are not speaking. Members \nparticipating remotely will be recognized normally for asking \ntheir questions--for asking questions, but if they want to \nspeak at another time, they must seek recognition verbally. In \nall cases, members are reminded to unmute their microphone \nprior to speaking.\n    Members should be aware that there is a slight lag of a few \nseconds between the time you start speaking and the camera shot \nswitching to you.\n    Members who are participating remotely are reminded to keep \nthe software platform's video function on for the entirety of \nthe time they attend the proceeding. Those members may leave \nand rejoin the proceeding. If members depart for a short period \nfor reasons other than joining a different proceeding, they \nshould leave the video function on. If members will be absent \nfor a significant period or depart to join a different \nproceeding, they should exit the software platform entirely and \nthen rejoin if they return.\n    Members are also advised that I designated a committee \nstaff member to, if necessary, mute unrecognized members' \nmicrophones to cancel any inadvertent background noise that may \ndisrupt the proceeding. 
Members may use the software platform's \nchat feature to communicate with staff regarding technical or \nlogistical support issues only.\n    Finally, remotely participating members should see a 5-\nminute countdown clock on the software platform's display, but, \nif necessary, I will remind members when their time is up.\n    So, with the logistics verified, I will want to begin by \nwelcoming everyone to today's hearing on the findings of the \nCyberspace Solarium Commission, a congressionally mandated \ncommission created in the fiscal year 2019 NDAA [National \nDefense Authorization Act] that was charged with developing a \nconsensus on a strategic approach to defending the United \nStates in cyberspace against cyber attacks of significant \nconsequence.\n    Inspired by Project Solarium, a task force assembled by \nPresident Eisenhower in the early 1950s, the Solarium \nCommission brought together representatives from academia and \nthe private sector with representatives of the executive branch \nand legislative branches.\n    In the spirit of transparency, I want to make clear that I \nhad the distinct privilege of being selected by Speaker Nancy \nPelosi to serve as one of the four elected Members of Congress \nto serve as a commissioner and one of two from the House of \nRepresentatives, along with our distinguished subcommittee \ncolleague, Congressman Mike Gallagher, who is appearing as a \nwitness before us today.\n    Mr. Gallagher, along with Senator King, the junior Senator \nfrom Maine, also was a member of the Senate Armed Services \nCommittee and Senate Intelligence Committees, is also with us \ntoday. They serve as co-chairs of the Commission, and I am very \nproud to call them both colleagues and friends.\n    This subcommittee, more than most, has heard from numerous \nindividuals on the centrality of cyberspace to our modern \nlives. 
The novelty of the Solarium's work and its findings is \nin examining how to secure cyberspace with an emphasis on a \nwhole-of-government approach. Congress is methodical in its \nviews of jurisdiction, and we are often too focused on viewing \nour oversight responsibilities exclusively through the lens of \ncommittee jurisdictions.\n    What the Solarium Commission has presented in its final \nreport, completed on March 11th of this year, is a blueprint \nfor legislative and executive actions that force the country to \nbreak apart the institutional stovepipes.\n    In this respect, I see the findings of the Solarium \nCommission as being similar to those of the 9/11 Commission, in \nthat both bodies recognized government silos that had been \nartificially constructed and harmed the national approach to \naddressing cost-cutting issues. Whereas the 9/11 Commission \napplied this to the problem of terrorism, Solarium applies it \nto cyberspace.\n    The Commission's recommendations have resulted in more than \n20 provisions in this year's National Defense Authorization \nAct, passed just last week by the House of Representatives. In \nthat one bill, this chamber was able to address matters as \ndiverse as Reserve support for military cyber operations to the \ncyber insurance marketplace to the establishment of a Senate-\nconfirmed national cyber director.\n    While we obviously have more work to do, I am proud of the \nNDAA--that the NDAA reflects the whole-of-government action \ncalled for by the Commission. 
I applaud the example set by our \nEuropean partners in particular in approaching cyber in novel \nand holistic ways, as recent as today with the announcement of \nthe first-ever cyber sanctions issue--issued--passed--that \nissued through the European Union against six individuals and \nthree entities responsible for the WannaCry, NotPetya, and \nOperation Cloud Hopper attacks.\n    This is going to be essential going forward in enforcing \ninternational norms, and this is a concrete step toward making \nsure that there are consequences to actions that violate norms \nin cyberspace on the international front.\n    As I noted earlier, we have four witnesses appearing in \nfront of the subcommittee today. In addition to the \ndistinguished gentlemen from Wisconsin and Maine, we are also \njoined by two additional commissioners.\n    The Honorable Patrick Murphy, a former member of the House \nof Representatives from Pennsylvania, is here today. \nCommissioner Murphy has served with distinction as an Acting \nSecretary and Under Secretary of the Army, is a former member \nof the House Armed Services Committee, and today continues his \nservice as distinguished chair of innovation at the United \nStates Military Academy. Commissioner Murphy was the first \nveteran of the war in Iraq to be elected to Congress.\n    Finally, we have Commissioner Frank Cilluffo, who, in \naddition to his service with the Solarium Commission, serves as \nthe director of Auburn University McCrary Institute for Cyber \nand Critical Infrastructure Security. From 2001 to 2003, \nCommissioner Cilluffo served as special assistant to President \nBush on Homeland Security, and then led the Center for Cyber \nand Homeland Security at George Washington University.\n    So I welcome all of our witnesses here today. I thank them \nfor their extraordinary work on the Cyber Solarium Commission. 
\nYour input and your insights were absolutely invaluable.\n    Before we hear from our witnesses, I do want now--want to \nturn to Ranking Member Stefanik for her opening comments.\n    [The prepared statement of Mr. Langevin can be found in the \nAppendix on page 29.]\n\nSTATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW \nYORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING \n                    THREATS AND CAPABILITIES\n\n    Ms. Stefanik. Thank you, Chairman Langevin.\n    Welcome to our witnesses, Senator King, Congressman \nGallagher, Congressman Murphy, and Mr. Cilluffo. It is great to \nhave you before the subcommittee today. I thank you not only \nfor your leadership and service to the Cyber Solarium \nCommission, but your long and distinguished records of public \nservice to this country.\n    And although you are not testifying today, I also want to \nthank Chairman Langevin for his service on the Commission as \nwell, as all of the other commissioners who are not \nparticipating today.\n    It is truly remarkable how much ground the Cyber Solarium \nwas able to cover in such a brief period of time. In 11 short \nmonths, the Commission developed over 50 legislative proposals, \n22 of which were included in the House-passed version of the \nNational Defense Authorization Act. This impressive commitment \nreflects the hard work of the commissioners and the staff, and \nalso recognition that we must address these issues immediately.\n    As is often the case, our Nation's strategy, policy, and \nlaws trail the advent of new technology. This is especially \ntrue of many emerging disciplines, but none quite as \nconsequential as cyberspace. 
The debilitating cyber attack on \nEstonia in 2007, the devastating Office of Personnel Management \ndata breach in 2014, and the cyber attack on the city of \nAtlanta in 2018, all should have served as wake-up calls for \nthe need of a comprehensive strategy to bolster our cyber \ndefenses, to deter hostile action in cyberspace, and to build \nmore resilient public and private cyber infrastructure.\n    The threat actors in cyberspace are as diverse as the tools \nand tradecraft they employ to infiltrate and attack our \nnetworks. And while we must maintain a flexible and adaptable \napproach to meet the evolving threat, we must also communicate \nan unequivocal position that demonstrates our willingness to \ndefend the United States in cyberspace and impose costs on our \nadversaries if and when deterrence fails.\n    I firmly believe we must simultaneously strengthen our \ncyber defenses and demonstrate our unwavering resolve to \nchallenge our adversaries in cyberspace. I appreciate the \nCommission's recognition of this as well. Deterrence alone is \nnot sufficient, especially with the challenges of timely \nattribution and the notional fog of war in cyberspace. The \nUnited States must proactively take steps to increase the \nresilience of our networks and our Nation's critical \ninfrastructure. This task is not one that the Federal \nGovernment can take on alone. Any effort to bolster our \ncybersecurity must be done in partnership with the private \nsector, our cities and States, and our critical infrastructure \noperators.\n    The Commission's recommendations that were included in the \nNDAA address this reality. Accountability, information sharing, \ncollaboration, and more timely response and mitigation to cyber \nincidents are all critical attributes that we must reinforce \nand strengthen.\n    While the Commission is coming to an end, the work is not \ndone. We have a long road ahead to see through conference and \nfully implement these changes. 
I look forward to ensuring the \nCyber Solarium's recommendations are translated into concrete \npolicy action.\n    We have a lot to talk about today, so thank you to our \nwitnesses, and I yield back.\n    [The prepared statement of Ms. Stefanik can be found in the \nAppendix on page 32.]\n    Mr. Langevin. I want to thank the ranking member for those \ncomments.\n    And before we turn to our witnesses, I would be remiss if I \ndidn't acknowledge the extraordinary work of the staff of the \nCyberspace Solarium Commission, starting with Mark Montgomery \nand the entire team that he assembled that serve the Commission \nso well. And I also want to, of course, mention on my own \nstaff, my legislative director, Nick Leiserson, as well as on \nthe committee staff, Josh Stiefel, for their subsequent work in \nseeing that the findings were put into action and getting them \ninto the NDAA, but extraordinary effort all the way around. I \ncan't say enough about the work of the entire staff, again, led \nby Mark Montgomery. We thank them for their contributions and \ntheir service.\n    So, with that, we will turn to our witnesses now.\n    Senator King, we will begin with you. The floor is now \nyours for any comments you may have.\n\n  STATEMENT OF HON. ANGUS KING, CHAIRMAN, CYBERSPACE SOLARIUM \n                           COMMISSION\n\n    Senator King. Well, thank you, Mr. Chairman. And thanks to \nthe ranking member for those eloquent statements. You stated \nthe case. I can save part of my remarks. I do have written \nremarks, which I would like to submit for the record if--\nsubject to your approval, Mr. Chairman.\n    Mr. Langevin. Without objection, so ordered.\n    Senator King. 
And I will have some informal remarks now.\n    First, I want to thank this committee and thank the full \ncommittee for the work that you have already done on this \ncritically important subject, the work that went into the \nNational Defense Authorization Act that, of course, has now \npassed both Houses.\n    Both bills from the Senate and the House have a number of \nour recommendations. They are not in 100 percent overlap, so \nthere will be some work to do in conference, but we certainly \nhave made a substantial start in really putting these \nrecommendations--implementing the recommendations, because if \nit is just a report that sits on a shelf, it is not going to \nserve the public interests.\n    Just a bit about the Commission. You talked about it, Mr. \nChairman. There were 14 members. There were four Members of \nCongress, four members from the executive branch, and six from \nthe private sector. Our work was entirely nonpartisan. There \nwasn't a moment of partisan discussion in the 30-plus meetings \nthat we had. In fact, I couldn't tell you the partisan \naffiliations of pretty much anyone that was in the room, \nexcept, of course, the ones--the Members of Congress. And that \nwas the spirit with which we approached this incredibly \nimportant problem.\n    I don't really need to outline for this committee how \nserious this is. This is one of the, if not the most serious \ninternational relations problem that we face. The ranking \nmember listed the attacks that we have already endured, and \nthere will certainly be more to come.\n    We are the most wired country in the world and, therefore, \nwe are the most vulnerable country in the world. And as we have \nlearned in the pandemic, something which strikes at our \nessential economy and government poses a grave danger to this \ncountry.\n    So let me just give you a brief outline of how the work of \nthe Solarium sort of breaks down. There are really three \npieces. 
One is reorganization, one is resilience, and one is \nresponse.\n    Reorganization means trying to develop a coherent structure \nin the United States Government so that we can respond to cyber \nthreats and cyber attacks. The problem, as is often the case, \nis that the authority for cyber is scattered throughout the \ngovernment. It is in the FBI [Federal Bureau of Investigation]. \nIt is in Cyber Command. It is in CIA [Central Intelligence \nAgency], DHS [Department of Homeland Security]. It is in all \nareas of the government. So one of our primary focus was on \nbringing some coherent organizational strategy to that silo \nproblem which the chairman mentioned.\n    The principal recommendation there is one that you have \nalready adopted in your committee, which is the creation of a \nnational cyber director to oversee and coordinate all of these \nvarious functions throughout the Federal Government.\n    The second piece is resilience, which is building up our \ncyber defenses, and it goes from simple cyber hygiene to being \njust more secure in how we deal with the cloud, how we certify \nhome routers and all of those kinds of things in order to be \nmore resilient to make it less likely that an adversary will \nsucceed.\n    The third piece is response. How do we respond to a cyber \nattack and, more importantly, how do we notify potential \nadversaries that we will respond? And we will be talking about \nthat. And all of these four--three pieces come into what is \ncalled a layered cyber deterrence.\n    The intention is to shake behavior--we will be talking \nabout that--in the international field of norms and standards. \nThe second is to deny benefits. That is the resilience that I \nwas talking about. And the third piece is impose costs.\n    The truth is that we haven't done a very good job of \nimposing costs. We have become a cheap date in cyber. 
We can be \nattacked, as we were with the OPM [Office of Personnel \nManagement] breach the ranking member mentioned, or other \nattacks on our democracy, and there is no real consequences. \nThere are no real results. There is no cost paid by our \nadversary.\n    We have got to make adversaries go through a cost \ncalculation saying, well, if we do this, they might do this--\nsomething else to us, and it may not be cyber. It may be \nsanctions. It may be other kinds of a response. But we have to \nestablish that there will be a response. Otherwise, because \ncyber is a relatively cheap form of aggression, it will \ncontinue to happen.\n    So that is the overall focus of our Commission. And I have \nto say, working with the two members from your subcommittee, \nJim Langevin and Mike Gallagher, has been one of the great \npleasures of my life. We have had a fantastic experience \nworking together with the other 12 members of the Commission, \nreally wrestling with some difficult issues, working hard, \nconcentrating, and coming up with what we feel is a solid piece \nof work that will really help our country move forward in this \ncritically important area.\n    So I thank the subcommittee for your attention and look \nforward to the hearing.\n    [The joint prepared statement of Senator King, \nRepresentative Gallagher, Mr. Murphy, and Mr. Cillufo can be \nfound in the Appendix on page 34.]\n    Mr. Langevin. Very good. Thank you, Senator King, for those \nremarks, and, again, for your extraordinary leadership in co-\nchairing the Cyber Solarium Commission and your commitment to \npublic service. The citizens of Maine have chosen wisely in \nhaving you as their Senator.\n    With that, let me now turn to our colleague on the House \nArmed Services Committee, the co-chair of the Cyberspace \nSolarium Commission, Chairman Mike Gallagher--Co-Chairman Mike \nGallagher.\n\nSTATEMENT OF HON. 
MIKE GALLAGHER, CHAIRMAN, CYBERSPACE SOLARIUM \n                           COMMISSION\n\n    Mr. Gallagher. Thank you, Chairman Langevin.\n    Let me state at the outset that this is the most nervous I \nhave ever been sitting in this room with all of you, but thank \nyou, Chairman Langevin, for your leadership, and, particularly, \nyou know, there was a 2-week stretch when NDAA was happening \nwhere I was not--I was out of commission because my wife had a \nbaby, and Jim stepped up and really led the way in terms of \nmaking a forceful argument for a lot of our recommendations and \ngetting them included in the NDAA, and really Project Solarium \nor the Cyberspace Solarium Commission represent the culmination \nof a lot of work that Jim has been doing for decades. And so it \nwas an honor to work with you.\n    Ranking Member Stefanik, thank you for your input into the \nreport and all of your contributions in this space and your \nleadership.\n    I too have an official written statement that I would like \nto submit for the record, if that is okay.\n    Mr. Langevin. Sure. Without objection, so ordered.\n    [The information referred to was not available at the time \nof printing.]\n    Mr. Gallagher. 
And in an attempt to be brief, I will just \nsay a few things.\n    When I first approached then Speaker Paul Ryan and asked \nhim to consider me for this Commission, I got about 10 seconds \ninto my spiel, and I had printed out my journal article I wrote \non the original Project Solarium, I was really proud of myself, \nwhen he cut me off and said, Mike, no one else has asked me to \nbe on it, so if that holds, you will have the spot on the \nCommission.\n    And I just bring that up to say I came into this not with a \nparticular expertise on cybersecurity, but a desire to, if \nnothing else, to demystify a lot of what we talk about in \ncybersecurity, because while we all have an interest in the \nspace, it is my experience that this can easily devolve into a \ncomplex discussion of technology and acronyms. And so I hope \nyou will see reflected in the final report an attempt to speak \nin plain language, not only to each other and to the executive \nbranch, but to the American people about the threats we face in \ncyberspace.\n    And I also came with a desire to demystify a lot of what \nhappened with the original Project Solarium. And by that I mean \nI think it is--we have this tendency to look back on the early \ndays of the Cold War and think, well, we just had a bunch of \nlike-minded people that were able to come together and agree on \neverything and join hands and sing kumbaya, and that is how we \nbeat the Soviets and laid the foundation for successful \ncontainment.\n    I don't believe that is the case. We had very vicious \ndisagreements at that time. We went through multiple variants \nof containment, even within the Truman administration before we \ngot to Eisenhower. 
But there was this persistent willingness to \nchallenge each other in good faith to think through the \nunthinkable, think through the consequences of a nuclear \nexchange with the Soviets in order to ascertain what we needed \nto do to avoid that exchange.\n    And I just want to highlight that, because I think, among \nthe many recommendations in this report, one that I think is \nabsolutely critical is a similar effort today that is needed to \nthink through the unthinkable in cyberspace, think through the \nconsequences of what a massive cyber attack on the United \nStates would look like, what a so-called cyber 9/11 would look \nlike, and that is why you see a lot of recommendations in here \non why Congress should mandate the executive branch do \ncontinuity of the economy planning. So we think through how we \ncan get the economy back up and moving when we are faced with \nsuch a significant cyber attack.\n    And so I just wanted to highlight that, because I really \nthink it gets to what was the genius at the heart of the \noriginal exercise, which really reflected Eisenhower's style of \nmaking decisions. He had this beautiful phrase where, you know, \nwe always remember he said, you know, in times of war, the \nplans are nothing, but the planning is everything, and that is \nreflected.\n    But he also said to his subordinates frequently when they \nare sitting around the National Security Council, there can be \nno nonconcurrence through silence. In other words, you had to \nspeak up. You couldn't claim after the disaster that you \nactually had the right answer the whole time but you failed to \nshare it with your colleagues. And, similarly, we have tried \nnot to suppress disagreement in this report but to surface it \nand, if nothing else, provoke a more thoughtful debate among \nour colleagues.\n    So I thank you for your attention, I thank you for your \nengagement, and I thank you for your pushback on our findings. 
\nAnd I yield the rest of my time.\n    Mr. Langevin. Thank you, Chairman Gallagher.\n    The chair now recognizes Commissioner Patrick Murphy for \nhis opening comments.\n\n  STATEMENT OF HON. PATRICK MURPHY, COMMISSIONER, CYBERSPACE \n                      SOLARIUM COMMISSION\n\n    Mr. Murphy. Thank you, Mr. Chairman, and thank you, \nRepresentative Ranking Member Stefanik. I do have written \nopening testimony that is brief. If it is okay, I would like to \nsubmit it for the record.\n    Mr. Langevin. So ordered, without objection.\n    [The information referred to was not available at the time \nof printing.]\n    Mr. Murphy. Terrific. And to my other commissioners, thank \nyou so much.\n    You know, today is a great day to be back in the House \nArmed Services Committee, where I used to serve, and I am \nhonored to testify today along with my fellow commissioners on \nthe recommendations from the Cyber Solarium Commission's \nreport. Our report has been a lot of blood, sweat, and tears \nover a year in a bipartisan, bicameral, public-private sector \napproach.\n    And before I was in political public service, I did serve \nin the United States Army and am a veteran of the Iraq war, and \nI now chair innovation at the United States Military Academy at \nWest Point.\n    But when I was appointed to this special bipartisan \ncommission, I was naturally interested in how the United States \ncould preserve and employ the military instrument of power to \nimpose costs on our adversaries and defeat the ghosts in our \nnetworks. 
And I want to concentrate my comments today on this
important aspect of our Commission's work, because at the end
of the day, it is our United States military that is
responsible for keeping our families safe here at home.
    I am firmly in support of our Commission's choice to expand
upon the concept of defend forward as described in the 2018
Department of Defense Cyber Strategy, to incorporate both
military and nonmilitary instruments of power as part of our
Commission's strategy of defend forward and layered cyber
deterrence.
    I believe that this strategy, if endorsed and appropriately
resourced by our United States Congress, will ensure that the
United States is prepared to impose costs on our adversaries to
better deter and, if necessary, fight and win conflicts. It is
no secret that our adversaries are using cyberspace to steal
national security, intellectual property, and hold U.S.
military systems and functions at risk. The latter, in
particular, threatens to undermine our deterrence across all of
our instruments of warfare.
    The conventional and nuclear technologically advanced
military capabilities that form the bedrock of America's
military advantage also create cyber vulnerabilities that our
adversaries could exploit to their own benefit. And so whether
it is nuclear, conventional, or cyber, the United States must
be confident that its military capabilities will work as
intended.
    Moreover, across a spectrum of engagement from competition
to crisis and conflict, the United States must ensure that it
has sufficient cyber forces to accomplish our strategic
objectives in and through cyberspace. This demands sufficient
capability, capacity, and streamlined decision-making processes
enabling rapid and effective cyber response options to impose
meaningful costs against adversaries and to respond to
adversary action.
    You know, while our Commission's final report--it boasts
over 80 recommendations, but I would like to draw this
committee's attention, this committee in particular's
attention, to ensure that you give serious consideration to the
following 3 items as it involves defending our Nation.
    First, Congress should direct the Department of Defense to
conduct a force structure assessment of the Cyber Mission Force
to ensure that the United States has the appropriate force
structure and capabilities in light of mission requirements and
expectations that are growing in both scope and scale.
Additionally, this assessment must also include ensuring
sufficient resources for entities within our intelligence
community that do play critical combat support agency functions
for our U.S. Cyber Command, particularly the NSA [National
Security Agency].
    Second, currently, the CMF, the Cyber Mission Force, has
133 teams comprised of 6,200 incredible individuals. However,
these requirements were determined over 7 years ago in 2013,
before the United States fully appreciated the scope and the
scale of the threat in cyberspace, which has increased mission
requirements on the CMF. A force structure assessment of the
CMF is the first step to make sure that we get it right to
ensure that the CMF has appropriately sized forces and
sufficiently capable--is sufficiently capable to achieve its
objectives.
    And last, as it relates to defense, Congress needs to
direct the Department of Defense to conduct a cybersecurity
vulnerability assessment of all these segments of the nuclear
command and control system, continually assess weapons systems'
cyber vulnerabilities.
    Now let me go to the economy.
    I thought our co-chairman, Senator Angus King, said it
great and appropriately when he said we are the most wired and
vulnerable country in the world. And whether it is my time in
the Pentagon, as a soldier overseas, or in the Congress, we
understand that the greatness of America is that we do have the
number one economy in the world, and we have the number one
military in the world, and it is up to us to make sure we keep
it that way.
    And as it goes to our economy, I want to make sure that we
comment and address the continuity of the economy. I believe
the United States must prepare for the cyber day after. The
government needs a continuing plan to ensure that critical data
and technology remains available after a devastating network
attack.
    You know, during the height of the Cold War, the U.S.
Government had a plan for the day after. The government did
what it needs to ensure that after a massive nuclear strike,
how do we ensure that our government and how do we get the
private sector operating, especially when it comes to critical
infrastructure, getting it back online, and even how to put
hard currency back into circulation and begin regenerating our
economy.
    Similar to the necessary plans to manage a pandemic, we
currently have no such reconstitution plans for such a cyber
event. I strongly believe this Congress should direct the
executive branch to develop and maintain this plan in
consultation with the private sector to ensure the continuous
operation of critical infrastructure of the economy in the
event of a significant cyber disruption.
    Like COOP [continuity of operations] and COG [continuity of
government] before it, this will be a critical piece of our
national planning. And in similar vein, you know, Congress
should codify a cyber state of distress tied to a cyber
response and recovery fund to ensure that the CISA
[Cybersecurity and Infrastructure Security Agency] and
appropriate Federal agencies have sufficient resources and
capacity to respond to significant cyber incidents before they
turn into major disasters.
    You know, while the NDAA functions to provide the DOD
[Department of Defense] with an annual health and wellness
checkup, Congress must not ignore the underlying national
security threats that could damage our infrastructure that is
owned and operated by the private sector, because these digital
foundations drive the American economy. They spur technological
innovation and they support our United States military. The
status quo in cyberspace and this lack of a COOP plan is
unacceptable, and we need your help to protect the key elements
and enablers that make our military and our country it serves
the best in the world.
    Thanks, Mr. Chairman and the ranking member, for this
opportunity to testify before you today, and we look forward to
your questions.
    Mr. Langevin. Thank you, Commissioner Murphy, for those
comments.
    And now the chair recognizes Commissioner Frank Cilluffo,
Frank, for any comments that you would like to make.
    You are still muted.

STATEMENT OF FRANK CILLUFFO, COMMISSIONER, CYBERSPACE SOLARIUM
                           COMMISSION

    Mr. Cilluffo. Thank you, Chairman.
    Mr. Langevin. Gotcha.
    Mr. Cilluffo.
Thank you for the privilege, Chairman
Langevin, to join you today, Ranking Member Stefanik,
distinguished representatives, and my fellow commissioners. It
really is a privilege to be able to spend a little bit of time
with you and share some of our thoughts on the recommendations
of our Commission's report.
    The strategy that we have laid out, as Senator King said,
is the modern credible deterrent that the United States
urgently needs in cyberspace. The current status quo in which
China, Russia, Iran, and North Korea conduct malicious cyber
campaigns against the country is, simply put, unacceptable.
    As my colleagues addressed, it is imperative we move fast,
starting with a national cyber strategy and a national cyber
director who will focus government efforts on cybersecurity. I
also second the call that Patrick was espousing to establish
continuity of the economy planning. There can be no more
important efforts than the ones to make our Nation resilient to
cyber attacks.
    But I thought I would highlight a couple of other
recommendations that are equally as important.
    First, to foot stomp what Patrick had mentioned in terms of
the Cyber Mission Force, we really do need to conduct that
force structure assessment, which is dated in terms of what the
gap and the need is today from when that was initially
established. And the scope of the threat obviously grows
exponentially. And since the bulk of capabilities within DOD to
counter malicious adversary campaigns and impose costs are
within the CMF, we simply have to ensure that they are
resourced and have the authorities to fulfill its job.
    I think, as Ms. Stefanik rightly put, we must continue to
lead and innovate by integrating cyber into our warfighting
strategies and doctrine. We need to ensure that we can bring in
both the offensive capabilities and the defensive capabilities
to lead.
    Second, as Patrick also mentioned, conventional and nuclear
weapons systems. They need to work when--when needed and as
intended. And I just want to double tap the recommendation in
terms of conducting a cybersecurity vulnerability assessment of
all segments of not only our NC3, our nuclear command and
control systems, but continually assess our conventional
weapons system cyber vulnerabilities as well, and we need to do
this in a systems-to-systems approach. You can't look at it in
isolation. You need to look at it in its totality.
    And I also highly support the recommendations that Congress
should require defense industrial base [DIB] participation in
threat intelligence-sharing programs and threat hunting on the
DIB networks.
    And as I said before, to preserve and employ the military
instrument of power, we must also maintain resilience in our
economy and critical infrastructure. And, again, I just want to
foot stomp the continuity of economy recommendation. I hope
Congress can act upon that.
    Third, the public and private sectors, along with key
international partners, must collaborate to build resilience
and reshape the cyber ecosystem in a manner that enhances
security. This means partnering with the private sector and
especially those that are ideally positioned to scale their
impact on the ecosystem, such as IT [information technology]
companies, ISPs [internet service providers], and cloud service
providers, and to better secure the services and products that
they offer.
    The Commission recommended a number of important actions
that Congress should take now to that effect. One, Congress
should establish and fund a national cybersecurity
certification and labeling authority for information and
communications technology funnels, and a bureau of cyber
statistics to provide a foundation for decision makers to base
policies and programs on empirically based evidence. This
statistical information also serves as a platform to facilitate
market-based solutions and mechanisms, such as cybersecurity
insurance.
    I also want to thank the committee for including DMARC
standards in the NDAA. This can go a long way in securing email
from phishing and malware attacks. And while we obviously need
to be focused on advanced persistent threats, often the first
way into one system is through phishing expeditions and the
like.
    And, lastly, we need to ensure that our supply chains are
trusted, and Congress should direct the U.S. Government to
develop and implement an industrial base and manufacturing
strategy, again, for information technologies and
communications technologies.
    Finally, I would like to focus on a topic that is critical
to mission success. We must, must invest in our Nation's
cybersecurity workforce. The shortfall between supply and
demand in this area is staggering. And it is all the more
concerning because the threat continues to expand
exponentially, and the gap gets greater, not lesser.
    And we need to--as a matter of national and economic
security, we need to redouble our efforts to pull in more
veterans and get serious about recruiting and retaining more
women, people of color, and neurodiverse individuals.
    Leveraging different perspectives and diversifying a
cybersecurity workforce is not only the right thing to do; it
is the smart thing to do. The time to act is now.
    Mr. Chairman, I hope I didn't go over my time, but thank
you for the opportunity to testify before you today. I look
forward to questions. And I really do appreciate your
leadership, not only through the Solarium Commission, but for
many, many years on cyber-related issues. So thank you, sir.
    Mr. Langevin. Thank you very much, Commissioner Cilluffo,
and for your longstanding contributions to the issue of
cybersecurity in your own right.
    So, with that, I thank all of our witnesses for their
testimony today. We are now going to move to our questions.
    Before I do that, though, I was remiss in not recognizing a
couple of other people that were very involved in certainly
helping us to get the recommendations through the Armed
Services Committee and into our mark and to the floor. I want
to recognize Chairman Smith and Ranking Member Thornberry for
their support, as well as Ranking Member Stefanik and staff
director Paul Arcangeli and many others.
    Let me also recognize my team, Allison Browning, my--you
know, my colleagues, military fellows, along with Caroline
Goodson and Matt Lake, my other military fellow. And I know
that Eric Snelgrove as well on the minority side was very, very
helpful.
    So, with that, let me now turn to questions. And if it is
conducive, Senator King, if I could start with you. If I could
ask, which defense-centric recommendations strike you as the
most urgent, whether directed at the executive branch or the
legislative branch?
    You are muted. You just need to unmute.
    Senator King. If I seem a little out of breath, it is
because I just voted. I had to go upstairs for a vote, but I
was able to listen to Frank's testimony, so I appreciate it.
    I think, Jim, our probably the most significant
recommendation that relates indirectly to defense but is--
overall is the national cyber director. The reality is that,
right now, we have enormously capable people throughout the
Federal Government, but there is no central point of oversight.
There is no central point of coordination.
There is no central
point of defining strategy. And I really think that that is--
that is one of the critical recommendations. It is one that is
already in your committee bill, which I think is really
important.
    I think, secondly--and Patrick Murphy mentioned this--the
force structure assessment. We haven't really looked at the
force structure of--in the Defense Department on cyber since
2013, and I think we all know that there have been dramatic
changes since then. There have been dramatic changes in the
risk, in the complexity, in the adversaries, in the target
space. So I think that is probably--I would put that next in
line.
    And then the development of the cyber workforce, because we
can have--we can talk about force structure, but if we don't
have the people to fill those positions with the skills, then
we are just not going to make it. For example, a cyber
workforce, there is a--we have a scholarship program now that
is very effective, but it has graduated, I think, 2,000 people
in the last 4 or 5 years. We need to--or 3,600, I guess. We
need to graduate 2,000 a year. I mean, we have a tremendous
need for these skilled people.
    So I would say national cyber director, assess the cyber
force, and develop workforce would be my first three priorities
in the--in that--in the military area.
    Mr. Langevin. Yeah. Very good. Very insightful. I
completely concur. Thank you for those observations. And we
need to grow the size of the cyber pie, not just competing for
a bigger slice of it from a government standpoint. We need to--
it helps both government and private sector to grow the size of
the cyber workforce pie. And I concur with the other
recommendations you highlighted.
    How about Chairman Gallagher, same question to you, what do
you see as the most urgent and important of the 82
recommendations, if you would like to comment?
    Mr. Gallagher. Well, I agree with Senator King that I
think, over time, we will realize that the force structure
assessment of the Cyber Mission Force will end up having
perhaps the biggest impact on DOD over the next decade if we
come back with a finding that suggests that we do not have
enough personnel dedicated to the issue.
    But I do think perhaps more urgent, and it is an area where
I know there is still some debate, is to get the authorities
right that would allow us to do threat hunting on defense
industrial base networks. I think one of our biggest findings
in the report was that, while we are getting a better awareness
of our own systems, we still, down to the level of some of our
DOD contractors, subcontractors, all the small companies that,
you know, work with the big defense primes, don't have the
level of visibility on the threat picture and the security of
their networks that we need.
    And so we have a lot of recommendations in chapter 6
towards that end. And I just would argue that we need to figure
that piece out, because we just can't be in the process of
reacting to cyber intrusions after the fact. We have to
identify those threats at a quicker timeline than that at which
our adversaries can break out on networks.
    So I just would highlight some of what my colleagues have
talked about in terms of threat hunting, not only on DOD
systems, but on the whole defense industrial base network.
    Mr. Langevin. Very good. Thank you for that.
    Let me turn to Commissioner Murphy now. Commissioner
Murphy, based on your time within the Department of the Army as
a soldier, as an officer, and a civilian leader, what are your
views on the Solarium's recommendation on evaluating different
models for their Reserve Component? Are you optimistic that the
Army, as an institution, can accommodate a different model for
their Reserves than existed, say, for the last several decades?
    Mr. Murphy. I do, Mr. Chairman, and I appreciate that
question. Can I just address something? I think this is the
first time in American history we had someone testifying and at
the same time voting in the U.S. Senate when Senator King did
that about 15 minutes ago.
    But to your question, Mr. Chairman, absolutely. We all know
that the largest fighting force we have in America is our U.S.
Army. We have got a million soldiers strong, 300,000 civilians.
But of those a million soldiers, unlike the other services, the
majority of our soldiers are actually in a Reserve Component,
in the National Guard, in the Army Reserves. And that is why it
is critical that when we say we have in the CMF 133 teams, you
know, Chairman Milley and I, when we were running the Army, we
made it a point that we didn't talk about just the 10 Active
Duty divisions. We were one Army, and we made sure that we
fought as one Army. We trained as one Army. And that includes
with cyber.
    So, yes, I think our Army, now being led very well by my
battle buddy from Fort Bragg, Secretary Ryan McCarthy, and also
General McConville, they get that, and they are trying to
really do what they can to partnership with the HASC [House
Armed Services Committee] and the Congress to make sure that
they had that proper balance between the Reserve and Active
Component as it relates to cyber, as it relates to CMF. But we
need to make sure that as we address this assessment, which we
critically need, because, remember, Mr. Chairman, in my
statement, 7 years ago is when we did the last assessment. That
was before we even had defend forward. That is before we even
had layered deterrent.
    So now that we have a bigger footprint digitally and we are
still vulnerable--and I said, as Senator King mentioned, we are
the most vulnerable country in the world because we are so
wired. And when we look at the pandemic of coronavirus and what
it has done to our economy, imagine the destruction which cyber
would do. And that is why, to your point, we need to make sure
that we have this assessment and make sure that assessment
absolutely positively incorporates the Reserve Component of our
military forces.
    Mr. Langevin. Well said. Well said. Thank you.
    Thank you all for your--the answer to those questions. They
are all very insightful answers, and I thank you again for your
work on the Commission.
    With that, now I want to turn to Ranking Member Stefanik
for any questions she may have.
    Ms. Stefanik. Thank you, Chairman Langevin.
    I wanted to ask Senator King, both in my opening statement
and many of our witnesses have touched upon this, and that is
the importance of establishing deterrence in cyberspace that
was featured very prominently in the report, but the Commission
also notes that true deterrence must be adapted from how it is
applied in other domains.
    What actions can we take to better deter our adversaries,
including state actors like Russia, China, Iran, and North
Korea, from conducting cyber attacks on American interests?
    Senator King. Well, I think there are a series of steps,
and one that hasn't really been mentioned very strongly so far
is the international community. We are in the infancy of the
law of cyber war, if you will, and we need to be more active
participants in setting the standards and the guardrails and
the norms for activity in cyberspace so that when we do act,
whether it is the imposition of sanctions or other responses,
we are not acting alone or unilaterally.
    Winston Churchill said the only thing worse than fighting
with your allies is fighting without allies. And that is one of
our major advantages on the world stage with regard to our
principal near-peer adversaries of Russia and China.
I was in
Asia about a year ago, and the--someone said, America has
allies; China has clients. And I think that is--so that is step
one, is to develop an international set of norms that will
themselves be at least some level of deterrent.
    Secondly, we have to have a clear declaratory policy. I
emphasize the word ``declaratory,'' because if you don't tell
your adversary that you will respond, then it is not a
deterrent. And so I think we need to have a much clearer
statement of our doctrine, of our strategy, so that adversaries
know that they will, in fact, pay a price.
    The problem has been you can argue that we have done a good
job of deterring catastrophic cyber attacks. Of course, there
is no way to measure something that doesn't happen, but we
haven't deterred lower--below the threshold of the use of force
cyber attacks, whether it is the OPM breach that you mentioned,
or the attacks on our election, our election infrastructure, or
the kind of intellectual property theft. We haven't done a very
good job of deterring that. So I think the important thing is
to establish, (a), the means, the credibility, the credible
response; and, secondly, to declare it, to make it clear that
you will not attack the United States and not have a
significant cost imposed upon you.
    So I think international norms and a clear declaratory
strategy. It is not exactly, as you note, I think, as you
understand, it is not exactly analogous to the nuclear
deterrent. It is a different and more subtle kind of issue. But
I do believe that unless we make it clear to our adversaries
that they have a--they have to calculate that there will be
costs imposed, and it may--it doesn't have to be cyber for
cyber. It may be sanctions or other kinds of responses. Until
they make that calculation, they are going to keep coming after
us.
    So that would be my response to that very good question.
Thank you.
    Ms. Stefanik. Thank you, Senator King.
    And my next and final question I am going to address to
Congressman or Chairman Gallagher. As you know, oftentimes it
is not the DOD or even the Federal Government that is the
target of our adversaries in cyberspace. It is often our
cities, our States, universities, or private-sector businesses.
And many of those entities are ill-suited and, frankly, ill-
prepared to protect against cyber threats from nation-states.
    How do we address this capability gap, and what are some of
the Commission's recommendations that address this really
important issue where we tend to have siloing within our
Federal agencies?
    Mr. Gallagher. That is a great question. I would connect it
to your previous question, actually. Actually, I think this is
the primary difference between the logic of strategic nuclear
deterrence and the logic of deterrence as we see it in
cyberspace, which is that so much of what we are trying to
protect and so many of the actors that we are trying to get to
buy into that logic are not card-carrying members of the
Federal Government and certainly don't wear uniforms.
    And so we had a private-sector commissioner, Tom Fanning,
who runs a major energy company, and he would remind us
constantly that 85 percent of the critical infrastructure in
this country is owned by the private sector.
    I think what we also see, to get to the heart of your
question, is the good-faith effort to thread the needle in this
report between the recognition that the Federal Government has
to compel the organizations you identify, be they universities
or companies or major banks on Wall Street, against the
unwillingness to saddle them with a bunch of counterproductive
and onerous regulations that might stifle innovation and
entrepreneurship in this country, which, as Senator King and I
said at the outset, is our best path to beating China over the
long term.
    So the approach we took, whether it is through
recommendations like mandating penetration testing for major
publicly traded companies or requiring companies that are part
of the defense industrial base to participate in threat
intelligence sharing or establishing a joint planning office
within CISA in order to more proactively engage with the
private sector so they are actually integrated into our
defensive planning process, we get their input on the front
end, is a mix, I would say, of carrots and sticks.
    We want the C-suite executives to take cybersecurity
seriously, and we are prepared to sort of nudge them in that
direction. But we also want them to view the Federal Government
as a valuable partner, a partner that understands that, in many
ways, the private sector is the main effort in cyberspace and
the Federal Government is the supporting effort.
    Ms. Stefanik. Thank you. I yield back.
    Mr. Langevin. Very good. Thank you, Ranking Member
Stefanik.
    Mr. Larsen is now recognized for 5 minutes.
    Mr. Larsen. Thank you--thank you.
    My first question is for Representative Gallagher, and this
gets to the business of the private sector side of things,
because we have the Cybersecurity Maturity Model Certification
[CMMC] process now working its way through the Pentagon and
being utilized, mainly focused on smaller businesses within the
defense industrial base.
    Did you look at how that could be or should be integrated
with what your recommendations are for private-sector cyber
hygiene?
    Mr. Gallagher. I think our view is that it needs to be more
expansive than that, and that--I think it needs to take a prior
step of even understanding who is included in the phrase
``defense industrial base.'' We have actually gone through this
process before, not in a cyber context, where the Pentagon has
actually tried to have what I would call total defense
manufacturing visibility. Who are all the companies that are
part of this ecosystem? And for whatever reason, we haven't
gotten there. It is now even more complex in cyberspace.
    So I view our recommendations as perhaps building upon the
efforts you reference. I know that those--there are a lot of
companies who may not want to participate in that, but I just
would say, if you are working with the Pentagon, if you are
working on systems that are critical to our national defense,
and if we know that you are a target for foreign actors, be
they state-sponsored hackers from China or cyber criminals, you
are going to have to demonstrate a higher level of
cybersecurity than those companies have right now.
    Mr. Larsen. Yeah. Yeah.
    For Commissioner Murphy, good to see you again,
Commissioner. Recommendations recommend that the U.S.
strengthen existing bilateral and multilateral relationships.
Can you talk specifically how the U.S. could partner with NATO
[North Atlantic Treaty Organization] to enable and help the
member countries strengthen their systems against cyber
attacks?
    Mr. Murphy. Absolutely. And, Congressman Larsen, it is
great to be with you again, and I hope your home State of
Washington is doing great.
    Mr. Larsen. Thank you.
    Mr. Murphy. On your earlier question, really quick, on the
private side sector, I know with the CMMC, what we need to do
also is that data. Data is king, as you know. And that data and
that--really that what we are calling the CSET, the Bureau of
Cyber Statistics and Emerging Threats, that is critical,
because we need that to make sure that we have a more robust
insurance program, et cetera. So I just wanted to dovetail on
that.
    But to your question directly, no doubt what makes America
the shining city on the hill is our diplomatic power.
You look
at the symbol, the American eagle, 1 talon, 13 arrows
signifying the 13 colonies and our military might, the other
talon with the olive branch showing our diplomatic power and
using smart power.
    And so, with that, and with our very specific
recommendations that we were tasked to do is asking for a new
Assistant Secretary of State. And this one is very, very
important, because we need to make sure that we strengthen the
norms, we make sure that we use that diplomatic power to let
other nations, like China, like Russia, like Iran, know that
this is not acceptable, and establishing those norms and making
sure that we bring everybody to the table. And I think that is
critically important, and we do that by also advocating,
frankly, in the White House for the NCD, the national cyber
director.
    You know when we worked together in the HASC that I am a
big believer in leadership and one throat to choke, and by
having one person, one quarterback within the Executive Office
of the President, that national cyber director will help make
sure we are streamlining within our government and also in the
private sector, what we need to do to protect our military, to
protect our economy and our companies, and also to make sure we
are keeping our families and our economy safe.
    Mr. Larsen. Yes. Thanks. Final question will be for
Commissioner Cilluffo, because you shouldn't be exempt from
having to answer questions while you are here.
    Senator King mentioned paying the price. I think it is an
attribution. So can you talk a little bit more deeply about
what the Commission considered with regards to a policy of
attribution? And, second, would attribution apply only to those
countries that are specifically listed in the National Security
Strategy or would it be any country that is participating in
cyber intrusions, which sometimes are not those countries that
we consider adversaries?
    Mr. Cilluffo. Thank you, sir, for the excellent question. I
mean, for starters, attribution has improved dramatically over
the years. We are not fully where we want to be, but I think we
are in a much better place. And I think it is worth noting--and
this transcends all of the various questions we have seen
here--is that cyber is its own domain, but it transcends all
the other domains, whether air, land, sea, space, and there are
other means of collection that can be brought to bear to
enhance our attribution, whether it is through technical means
or through human sources. So the bottom line is our attribution
is improving.
    You have probably noted a big uptick in at least Five Eyes
countries coming together and doing joint and shared
attribution. I think this actually is having some very positive
net effect in terms of some of our adversaries and actually
putting them on notice, as Senator King was discussing earlier.
So we need to be able to have some declaratory sort of impact.
    And I might note our transatlantic partners with NATO, you
have also seen an uptick in joint attribution.
    Bottom line is, just the facts, ma'am. We have got to be
going where the facts arise. Obviously, there are other
potential diplomatic questions when discussing allies, but I
think that in terms of informing our USG [United States
Government] entities and some of our dot-com entities, we have
got a responsibility to do that as the U.S. Government.
    So longwinded way of saying I think you are going to see us
moving out from our Five Eyes to our NATO partners to allies
that don't exist in any of those organizations, such as South
Korea, Japan, Israel, and a handful of others, and then build--
India, and building out from there. So I think we have made
some progress, we have got to continue to do more, and we have
got to hold our adversaries to account. There have to be
consequences. There has to be impact.
    And I think it is worth noting that we do suggest we lean
forward in a lot of these issues. We do support the defend
forward concept, persistent engagement concept, but not only
through the lens of the military, that is a crucial element of
it, but all instruments of statecraft.
    Mr. Langevin. Very good. Thank you, Mr. Larsen.
    Before we go to Mr. Bacon, I will comment and say that Mr.
Cilluffo's answer is absolutely right that we are getting
better at attribution. What we do need to do, though, is
shorten the timeline between incident and our response. I
applaud the Europeans who are--the sanctions that they put on
the entities that were responsible for several high-profile
attacks or intrusions, but those things happened, you know,
several months ago. There is such a long lag between action and
consequence. If we can, I think both United States, Europeans,
our partners, need to work more quickly to close that gap
between action, between incident and response. So we punish the
bad actors, and they realize it is relevant to the action.
    With that, Mr. Bacon is now recognized for 5 minutes.
    Mr. Bacon. Thank you there, Mr. Chairman. And I want to
thank the Commission for their hard work, a very thoughtful
discussion. Great product. I appreciate it.
    I am not sure who to target the questions to, so I will
just--whoever feels best to answer them, just jump in there. I
am curious to hear more about the national cyber director, and
the reason is our cyber attack is under Cyber Command
primarily. Cyber intelligence is primarily under NSA, but what
is most worrisome is the cyber defense. It is really no--there
is no single authority.
    So is this national cyber director and the team that were
put in the executive branch or that you are proposing, is it
primarily focused on the defense end or does it involve all
three: attack, intelligence, defense? And if it is all three,
how will that impact the chain of command for a cyber attack?
Is it that command goes through the Cyber commander, Secretary
of Defense, and the President? So I am just sort of curious to
hear more. Thank you.
    Senator King. Mr. Chairman, perhaps I can take that. That
is a really good question. The purpose of the national cyber
director is planning and coordination, not operations. So the
chain of command between the--between Cyber Command, Secretary
of Defense, and the President would not be interrupted. That is
not the purpose of this new office in the Executive Office of
the President. We want this person to be accountable for the
coordination, but does not--would not have an operational role.
    Also, a piece of it is planning, as we have been talking
about, and coordinating planning throughout, whether it is in
CISA in Homeland Security or in other--in NIST [National
Institute of Standards and Technology] or wherever it is in the
Federal Government. But I think the specific answer to your
question is we are not talking about operations for this
position but coordination, planning, and budget coordination.
This person would have an oversight over the budgets of the
various agencies, not a veto but a recommendation and a
certification through the OMB [Office of Management and Budget]
process.
    Again, the whole idea is to bring some level of--I guess I
would call it just sensible organization because, right now,
there is nobody in charge. But to answer your specific
question, it is still Cyber Command, Secretary of Defense,
President of the United States.
    Mr. Bacon. Thank you very much, Senator. I appreciate that.
    I surely see a need on the defense side. There is very
diffused responsibilities on defense, and it just seems to me
that there is a definite need at least on that part of our
cyber operations.
    Change in topics. I have a little experience with cyber,
being in the Air Force for a long time. It seems, if I could
generalize, Russia was more focused on military cyber, IO
[information operations]; China a lot more on the economic
intelligence. Is that generalizations or is that still
considered, by and large, still the case?
    Mr. Gallagher. Well, I think that is largely right, though
neither, you know, Russia would ignore the economic domain, nor
would China ignore the military domain.
    I think if you read the report, in particular the threat
analysis portion of the report, it is clear that we agree with
the fundamental finding of the National Security Strategy and
the National Defense Strategy that China is the pacing threat.
China is the pacing threat in cyber in terms of the sheer
resources they are devoting to this issue. I think we are--we
are concerned about Russia. We talk about Russia. We are
concerned about non-state actors. But China really comes out as
a threat that organizes a lot of our response.
    I am not disagreeing with your analysis, but at least a lot
of what I realized in the course of participating in this
Commission was that we are insufficiently concerned with the
actions of the Chinese Communist Party in cyber.
    Mr. Bacon. I appreciate that. And my generalizations were
going back, not necessarily current. So just curious if it was
still the case.
    I think the areas that concern me most is the energy sector
and the financial sector, you know, whether it is Wall Street.
I really think China or Russia would really create havoc with
focused attacks on those areas, and we have obviously got to
raise our game if we want to defend those two critical parts of
our country.
    Mr. Gallagher. Maybe I can connect it to your first
question.
I think, you know, under the doctrine of civil-\nmilitary fusion, China is not making these clear siloed \ndistinctions between military operations and sort of economic \nwarfare. And I do think that is an area where we hope the \nnational cyber director can step up and lead that defensive \neffort.\n    One of our biggest findings in the report was that a lot of \nthe work that this committee has done in recent years and the \nfiscal year 2019 NDAA to make cyber surveillance and \nreconnaissance a traditional military activity and then to have \nNSPM-13 [National Security Presidential Memorandum-13] layered \non top of that has really been a positive development and \nhelped us on the offensive side. We need similar attention paid \nto the defensive side, so that someone in the Federal \nGovernment is the single belly button we can push and is \nproactively reaching out to the banks and the financial \ncommunity to say, hey, here is what we are thinking. What input \ndo you have for us?\n    Mr. Bacon. Chairman Gallagher, I agree. I yield. Thank you.\n    Mr. Langevin. Very good. Thank you very much, Mr. Bacon.\n    Next on my list I have Congressman Khanna, but I don't know \nthat he is still there.\n    Are there any members that have not been recognized that \nwould like to be recognized?\n    Ms. Stefanik. We are all good in the room, Jim.\n    Mr. Langevin. Okay. I guess I have one more question on \ncontinuity of the economy. And would anybody like to comment \non--and I agree that the comments that were made earlier about \ncontinuity of the economy are very important. Commissioner \nMurphy addressed a lot of these. But what role do you see, say, \nthe Department of Treasury, Department of Commerce, and then \nindependent agencies like the Federal Reserve in a continuity \nof economy plan proposal, and any thoughts on how that should \nwork?\n    Senator King. Jim, let me start off on that--or I should \nsay Congressman. 
Sorry.\n    I think one thing the pandemic has taught us is that the \nunthinkable can happen. If you had told us all a year ago we \nwould be wearing masks and it would be--we would have large \npart of our economy having severe difficulty, all the things \nthat are happening, it would have sounded like science fiction. \nThe unthinkable can happen, and that is really what we are \ntalking about here.\n    And I think one of the problems that our Commission tried \nto attack head on was the fact that has been alluded to today, \nand the prior questioner mentioned this, in terms of the \nfinancial sector, the energy sector. The target is mostly in \nthe private sector. So the continuity of the economy, the \nplanning has to engage the private sector. We have to determine \nwhat are the crucial elements? What are the crucial sectors \nthat need to be functioning, no matter what? And how do we \nensure their protection?\n    I think this is one of our most important recommendations. \nThis is one that is in the Senate bill. I don't think it is in \nthe House bill, and hopefully we are going be able to pull it \nthrough in the conference committee. But we have really got to \nbe thinking about--you know, an ounce of prevention is a pound \nof cure. I mean, we have got to be thinking about how to react \nwhen the unthinkable happens. And if every--if everybody is \npointing at one another and there is no plan on the shelf, we \nare going to be--it is going to be infinitely worse and take \ninfinitely longer to recover.\n    So I think this is one of our most important \nrecommendations. And, overall, I think one of the most \nimportant insights of the Commission was the extent to which we \nhad to really forge a new relationship. We have to think in a \nnew way about how we relate, how the government and the private \nsector relate in terms of sharing intelligence, sharing attack \ndata, cooperating, talking to allies. 
I mean, it is really a \nvery comprehensive approach to this. And I think that is one of \nthe significant insights that we bring to the table in the \nreport.\n    Thank you.\n    Mr. Cilluffo. Mr. Chairman, can I add a thought on that? \nWhen we talk about the continuity of the economy, it did, as \nSenator King said, it became loud and clear just how important \nthat is in a post-COVID environment, both directly and \nindirectly. And one of the things we did really zero in on, if \nyou think about an x- and a y-axis, you have our critical \ninfrastructures, and some are even more so critical than \nothers, and we mentioned a couple of them already here today: \nenergy, financial services, telecommunications, and, obviously, \nthe defense industrial base.\n    But then also on a y-axis we have got these critical \nfunctions. So agnostic to the particular sector, whether it is \nthe cloud or whether it is timing and signaling from a GPS \n[Global Positioning System] perspective or a PNT-assured--\npositioning, navigating, timing, and signaling kind of \nperspective--this is how we have got to start racking and \nstacking some of these issues.\n    And I might note, for the Armed Services Committee as a \nwhole, the challenge around mission assurance or the ability \nfor DOD to rely upon civilian entities and critical \ninfrastructures to project power, deploy forces, this is a \ntough--we have got to put--this is a tough circle to put in a \nsquare sort of peg. So I think this is where the interaction \nbetween DOD and CISA at DHS and FBI, as well from an \ninvestigatory standpoint, becomes so important, and I think \nthat just makes the case for a national cyber director that \nmuch more important. So we at least have the visibility across \nthe various playbooks that can come together to be able to make \nsure that the whole is greater than the sum of its parts.\n    And this was a point that came up in various questions as \nwell. 
I mean, at the end of the day, what I think is so \nimportant is also on the intelligence side. The new national \ncyber director that was stood up at NSA is going to play a very \nimportant role in enabling CISA, in--so CISA can better reach \nout to our State, local, Tribal, territorial partners and, of \ncourse, the private sector, and same thing in terms of FBI.\n    So this, again, may not sound sexy, but it is the org--it \nis the spaghetti org [organizational] chart right now that \nneeds to be brought--tamed a little bit and brought under \ncontrol.\n    Mr. Murphy. Mr. Chairman, can I just put a stamp on what \nFrank just said real quick, sir----\n    Mr. Langevin. Sure.\n    Mr. Murphy [continuing]. If that is okay with you? One \nminute. Two things. One, we are going to get caught with our \npants down if we don't focus on continuity of the economy, \nperiod. And that is why, you know, in my opening statement, I \ntalked about making sure that we have Congress codifying a \ncyber state of distress that is tied to that cyber response and \nrecovery fund, so, you know, that we need to direct the \nexecutive branch and make sure that we do have that continuity \nof the economy planning that is in consultation with the \nprivate sector. We absolutely need to do that.\n    I would also say to you, when we talk about the NCD, \nnational cyber director, why that is critically important. As \nFrank just said about, when he was talking about DHS and CISA \nand making sure State and local, we also need to ensure that \nour allies--that is why we were calling for that Assistant \nSecretary of State--that our allies aren't a launching pad to \nhurt us here or hurt our private sector clients or our military \nbut, secondly, so that it can more quickly do attribution. \nThank you.\n    Mr. Langevin. Very good. Thank you, Commissioner Murphy and \nto all of our commissioners, for those answers on the topic.\n    That concludes my questions. 
I will turn now to Ranking \nMember Stefanik for any final questions she may have.\n    Ms. Stefanik. I am all set, Jim. Thank you to our \nwitnesses.\n    Mr. Langevin. Okay. All right. Are there any members in the \nroom that I can't see that have not been recognized and would \nlike to ask a question?\n    Ms. Stefanik. No. We are all set.\n    Mr. Langevin. Okay. Well, with that, let me conclude by \nthanking all the members of the Commission. You did an \nextraordinary job here today but an even more extraordinary job \nin the--on the Commission, both Senator King and Congressman \nGallagher, our two co-chairs, and Commissioner Murphy, \nCommissioner Cilluffo, and the rest of the commissioners. Thank \nyou all for your extraordinary work. You have made a major \ncontribution to better protecting the country in cyberspace \nwith your combined efforts, and it is an honor and a privilege \nto be one of the four Members of Congress joining you on the \nCommission. It was one of the highlights of my 20 years in \nCongress to be a part of this effort, and I just--I found it so \nmeaningful and, again, time well spent.\n    And I like the fact from the very beginning that we \ndetermined that we were not going to allow just this to be a \nreport that would sit on a shelf somewhere, but we wanted \nactionable findings, recommendations that we could implement \nand, again, achieve meaningful change.\n    So with that, I thank you all for your participation today, \nyour service to the country.\n    With that, the hearing now stands adjourned.\n    [Whereupon, at 2:14 p.m., the subcommittee was adjourned.]\n\n\n\n      \n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             July 30, 2020\n\n=======================================================================\n\n      \n\n\n\n      \n=======================================================================\n\n\n        
      PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             July 30, 2020\n\n=======================================================================\n\n      \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n      \n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             July 30, 2020\n\n=======================================================================\n\n      \n\n                  QUESTIONS SUBMITTED BY MS. HOULAHAN\n\n    Ms. Houlahan. The Commission's recommendation #1.5 regards \nrecruiting and retaining a strong cyber workforce. I really appreciate \nwhat you've put forward. A different congressionally mandated group, \nthe National Commission on Artificial Intelligence recommended the \nestablishment of a U.S. Digital Service Academy that would be a \ndedicated effort to train the next generation of tech talent. Is this a \nrecommendation you would agree with?\n    Mr. Gallagher and Mr. Cilluffo. The government workforce is short \nmore than 33,000 cybersecurity workers in a workforce of nearly \n100,000. Simply expanding government recruitment efforts is not \nsufficient to provide the cybersecurity workforce needed to protect \nnational security. Rather, the nation's cybersecurity workforce \ndevelopment ecosystem must grow as a whole. Currently, innovative \nprograms are taking the first steps toward addressing this need by \nbuilding partnerships between educators, government, and industry, but \nwe need to do more. 
The Cyberspace Solarium Commission studied many \nfederal government hiring programs, private sector initiatives, and \neducational efforts, and recommended that it should invest in existing \nprograms such as the CyberCorps: Scholarship for Service (SFS), which \nis a program ripe for expansion, as well as the FBI Cyber STEM program \nand CISA's Cybersecurity Education Training Assistance Program on a \nnational scale.\n    The SFS is a joint program between OPM, the NSF, and DHS that helps \nstudents finance their education in cyber-related topics in exchange \nfor a term of service working for a federal or state, local, or tribal \ngovernment upon graduation.\\1\\ The program works much like the Reserve \nOfficer Training Corps (ROTC) program on many U.S. campuses, only \nbetter--it awards grants to participating universities, which then \naward scholarships to students while also using a portion of the \nfunding to build out the university's cyber-focused programming. As a \nresult, the program strengthens educational offerings on cyber topics \nat the same time that it recruits and develops students who are \nprepared for federal cyber service. Currently, there are 85 \nparticipating universities and community colleges offering SFS \nscholarships. 
The program requires that students may pursue degrees \nthat are a ``coherent formal program that is focused on \ncybersecurity,'' and it has supported students working toward a \nbachelor's, master's, or research-based doctorate degree focused on \ncybersecurity.\\2\\ The recent expansion of the SFS program through the \nCommunity College Cyber Pilot Program extends eligibility to students \npursuing an associate's degree or specialized program certifications in \nthe field of cybersecurity as well, provided that the students already \nhave a bachelor's degree or are military veterans.\\3\\\n---------------------------------------------------------------------------\n    \\1\\ ``CyberCorps: Scholarship for Service,'' Office of Personnel \nManagement, accessed July 7, 2020, https://www.sfs.opm.gov/\ndefault.aspx.\n    \\2\\ ``CyberCorps: Scholarship for Service, Overview,'' Office of \nPersonnel Management, accessed August 4, 2020, https://www.sfs.opm.gov/\nProspectiveStud.aspx; ``CyberCorps: Scholarship for Service, Students: \nParticipating Institutions,'' Office of Personnel Management, accessed \nAugust 4, 2020, https://www.sfs.opm.gov/ContactsPI.aspx.\n    \\3\\ ``Community College Cyber Pilot Program (C3P),'' National \nScience Foundation, Division of Graduate Education, https://\nwww.nsf.gov/funding/pgm_summ.jsp?pims_id=505573.\n---------------------------------------------------------------------------\n    The program has graduated about 275 students per year in recent \nyears,\\4\\ and since its creation in 2000, it has placed 3,600 \nCyberCorps graduates in public-sector cybersecurity jobs in more than \n140 different government organizations.\\5\\ These graduates have brought \ncyber expertise to the government across a variety of cybersecurity \nareas, including cyber policy and strategy, security architecture, and \ncyber operations planning. 
Because a limited percentage of students can \nfulfill their service obligation in state, local, or tribal governments \nas well as in the federal government, the program also provides the \nopportunity for a limited percentage of graduates to work in public \neducation. This helps address the national dearth of teachers able to \nprovide cybersecurity instruction.\\6\\\n---------------------------------------------------------------------------\n    \\4\\ More specifically, CyberCorps SFS is projected to graduate 380 \nstudents in 2020. It graduated 307 students in 2019, 324 in 2018, 290 \nin 2017, 245 in 2016, and 211 in 2015. Data provided by NSF.\n    \\5\\ OPM, ``CyberCorps: Scholarship for Service: History/Overview.'' \nAt the time of access, the data cited was available at https://\nwww.sfs.opm.gov/Overview-History.aspx; it now can be found at https://\nweb.archive.org/web/20200608183458/https://www.sfs.opm.gov/Overview-\nHistory.aspx and https://www.nass.org/sites/default/files/\n2019%20Summer/presentations/presentation-sfs-summer19.pdf.\n    \\6\\ In fact, legislation has been proposed for inclusion in S.4049, \nthe National Defense Authorization Act for Fiscal Year 2021, explicitly \npermitting up to 10 percent of SFS graduates to fulfill their service \nobligation in education roles in higher education institutions that \nparticipate in the SFS program.\n---------------------------------------------------------------------------\n    Although the program has an impressive track record, the Commission \nbelieves that--given the country's inability to fill tens of thousands \nof cybersecurity jobs in both the government and private sector--the \nnumber of SFS participants should be much higher (Report Recommendation \n1.5). Accordingly, taking practical steps toward increasing the number \nof students also requires increasing the number of participating \ninstitutions and expanding university- and federal-level outreach about \nthe program. 
The Commission recommends a goal of graduating 2,000 \nCyberCorps students per year. To reach that target, the Commission \nadvocates for SFS's budget to be increased 20 percent above inflation \nannually over a 10-year period to support scholarships to additional \nstudents and the programmatic efforts needed for expansion. To help \njumpstart that budget growth, the Commission recommends increasing \nfunding for the CyberCorps SFS program by $20 million in FY2021.\n    As your question stated, another Congressionally-mandated group, \nthe National Commission on Artificial Intelligence recommended the \nestablishment of a U.S. Digital Service Academy that would be a \ndedicated effort to train the next generation of tech talent, a brick \nand mortar effort similar to the service academies. We believe this \nidea has exceptional merit and should be studied and, if all \nexpectations are met, funded. This USDSA would serve as a ``service \nacademy'' partner to the ``ROTC''-like efforts of the CyberCorps SFS \nprogram. The U.S. military benefits from both--the ROTC graduates are on \nthe whole significantly cheaper, but the service academy graduates come \nwith a better grounding in government (service) processes and efforts. \nAn unusual twist is that we would need to consider whether USDSA would \nhave the same flexibilities as CyberCorps SFS--graduate degrees, \nassociate degrees, and limited-year scholarships--many SFS are two- and \nthree-year scholarship students, who are not selected until they have \ndemonstrated some college success. A USDSA study should review and \nidentify the unique attributes that the USDSA would bring to the \neffort. Moreover, it is important to weave this program into the \nexisting policy proposals and efforts ongoing at various agencies, \nincluding DHS, which has proposed a Cyber Workforce Institute. 
The \nnation needs one cohesive strategy with streamlined implementation and \nfunding to ensure that agencies pull in the same direction, instead of \nat cross purposes.\n    With the high number of annual openings required to be filled, it \nis likely that the U.S. government needs both an expanded CyberCorps \nSFS and a brick and mortar cyber institute. A study to work out the \ndetails on all these proposals would provide needed strategic direction \nas would efforts to determine how to grow the CyberCorps SFS to 2000 \nplus graduates a year as recommended by the Cyberspace Solarium \nCommission.\n    Ms. Houlahan. Did you look into current contracting procedures, and \ndo you believe the Department is missing out on innovative cyber \nsolutions due to current contracting policies?\n    Mr. Gallagher and Mr. Cilluffo. Government contracting is an \nextremely difficult and complex area, and while it was not our primary \nfocus, we did attempt to make some recommendations which would enhance \nand streamline government contracting for the cyber domain.\n    The Commission recommends the executive branch direct the Federal \nAcquisition Regulation Council (FARC) and the Office of Management and \nBudget to update its cybersecurity regulations in the Federal \nAcquisition Regulation (FAR) and cybersecurity guidance under the Federal \nInformation Security Management Act at least every five years, to \naccount for changing cybersecurity standards, and explore ways to \nintegrate and fully account for existing models and frameworks, such as \nthe Cybersecurity Maturity Model Certification, in the FAR. 
In \naddition, the FARC should be directed to update the FAR to require that \nfederal civilian agency contractors adhere to the contractor-exclusive \nBinding Operational Directive issued by DHS.\\7\\\n---------------------------------------------------------------------------\n    \\7\\ The Binding Operational Directives (BODs) identify requirements \nfor federal agencies in the executive branch. Each BOD prescribes a set \nof actions that agency chief information security officers or their \nequivalents must take to manage their enterprise networks.\n---------------------------------------------------------------------------\n    The Commission also recommends the executive branch update the \nFederal Procurement Regulation and Guidelines, including the FAR, to \nrequire National Cybersecurity Certification and Labeling Authority \ncertifications and labeling for certain information technology products \nand services procured by the federal government to enable the broader \nadoption of Certification and Labeling across the nation. The executive \nbranch should be required to report to Congress on its decision to \nrequire National Cybersecurity Certification and Labeling Authority \ncertifications and labeling within the FAR, the extent of these \nrequirements, or an explanation if no action was taken. This \nrecommendation is necessary because the U.S. government is \ninstitutionally and legally limited in its ability to attest and \ncertify that products adhere to security standards, and third-party \nefforts to fill this gap lack sufficient scale, funding, and maturity \nto enact meaningful change in the marketplace.\\8\\\n---------------------------------------------------------------------------\n    \\8\\ Several nongovernmental initiatives, such as Digital Standard \nand the Cyber Independent Testing Laboratory, are aimed at testing and \nproviding security information for consumer IT and IoT devices. 
NIST, \nunder Section 401 of the Cybersecurity Enhancement Act of 2014, is \ntasked with coordinating the development and dissemination of standards \nand best practices for cybersecurity.\n---------------------------------------------------------------------------\n    Federally procured information technology fully accounts for \nidentified good security practices for building secure software and \nsystems, such as those offered by NIST's Secure Software Development \nFramework \\9\\ and the ISO/IEC 27000 standards family.\\10\\ When \ndeveloping requirements, the council should take into account lessons \nlearned with NIST Special Publication 800-171, comments from DOD's \nCybersecurity Maturity Model Certification, rulings or comments of the \nFederal Acquisition Security Council, and the ISO/IEC 27000 standards.\n---------------------------------------------------------------------------\n    \\9\\ Donna Dodson, Murugiah Souppaya, and Karen Scarfone, ``Mitigating \nthe Risk of Software Vulnerabilities by Adopting a Secure Software \nDevelopment Framework'' (National Institute of Standards and \nTechnology, 2019), https://csrc.nist.gov/CSRC/media/Publications/white-\npaper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/\ndraft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf.\n    \\10\\ International Organization for Standardization, ``ISO/IEC \n27001 Information Security Management,'' International Organization for \nStandardization, https://www.iso.org/isoiec-27001-information-\nsecurity.html.\n---------------------------------------------------------------------------\n    Providers of information technology submit software transparency \nand software bills of materials for the systems they provide in support \nof government missions in line with the certifications and labels \ndeveloped by the National Cybersecurity Certification and Labeling \nAuthority (recommendation 
4.1).\\11\\\n---------------------------------------------------------------------------\n    \\11\\ ``NTIA Software Component Transparency,'' National \nTelecommunications and Information Administration, September 5, 2019, \nhttps://www.ntia.doc.gov/SoftwareTransparency.\n---------------------------------------------------------------------------\n    Upon the development of cybersecurity insurance policy \ncertifications (recommendation 4.4), U.S. government contractors \nmaintain a certified level of cybersecurity insurance and explore \nwhether the Cybersecurity Maturity Model Certification should be \nupdated to require cybersecurity insurance.\n    Additionally, to enhance the flexibility and agility of U.S. Cyber \nCommand in a dynamic operating environment, Congress should direct in \nthe FY2021 NDAA that the Department of Defense submit a budget \njustification display that includes a Major Force Program (MFP) \ncategory for the training, manning, and equipping of U.S. Cyber \nCommand. According to 10 U.S. Code Sec. 238, DOD is required to submit \nto Congress a budget justification display that includes an MFP \ncategory for the Cyber Mission Force. However, this law was enacted in \n2014, before U.S. Cyber Command was elevated to a unified combatant \ncommand. Therefore, there is a need for a new budget justification \ndisplay that establishes an MFP category for U.S. Cyber Command. A new \nMFP funding category for U.S. Cyber Command would provide it with \nacquisition authorities over goods and services unique to the command's \nneeds. It should also provide a process to expeditiously resolve \nCombatant Command/Service funding disputes, consistent with the intent \nof DOD Directive 5100.03.\\12\\ This would be analogous to the MFP \nfunding category for U.S. 
Special Operations Command, which was created \nto support comparable needs for operational adaptability.\n---------------------------------------------------------------------------\n    \\12\\ U.S. Department of Defense Directive 5100.03, ``Support of the \nHeadquarters of Combatant and Subordinate Unified Commands'' (February \n9, 2011; incorporating Change 1, September 7, 2017), https://\nwww.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/510003p.pdf.\n---------------------------------------------------------------------------\n\n                                  <all>\n</pre></body></html>\n"