[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]
RED ALERT:
COUNTERING THE CYBERTHREAT
FROM CHINA
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY, INFORMATION
TECHNOLOGY, AND GOVERNMENT INNOVATION
of the
COMMITTEE ON OVERSIGHT
AND ACCOUNTABILITY
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTEENTH CONGRESS
SECOND SESSION
__________
MAY 15, 2024
__________
Serial No. 118-108
__________
Printed for the use of the Committee on Oversight and Accountability
Available on: govinfo.gov
oversight.house.gov or
docs.house.gov
_______
U.S. GOVERNMENT PUBLISHING OFFICE
55-708 PDF WASHINGTON : 2024
COMMITTEE ON OVERSIGHT AND ACCOUNTABILITY
JAMES COMER, Kentucky, Chairman
Jim Jordan, Ohio
Mike Turner, Ohio
Paul Gosar, Arizona
Virginia Foxx, North Carolina
Glenn Grothman, Wisconsin
Michael Cloud, Texas
Gary Palmer, Alabama
Clay Higgins, Louisiana
Pete Sessions, Texas
Andy Biggs, Arizona
Nancy Mace, South Carolina
Jake LaTurner, Kansas
Pat Fallon, Texas
Byron Donalds, Florida
Scott Perry, Pennsylvania
William Timmons, South Carolina
Tim Burchett, Tennessee
Marjorie Taylor Greene, Georgia
Lisa McClain, Michigan
Lauren Boebert, Colorado
Russell Fry, South Carolina
Anna Paulina Luna, Florida
Nick Langworthy, New York
Eric Burlison, Missouri
Mike Waltz, Florida

Jamie Raskin, Maryland, Ranking Minority Member
Eleanor Holmes Norton, District of Columbia
Stephen F. Lynch, Massachusetts
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
Ro Khanna, California
Kweisi Mfume, Maryland
Alexandria Ocasio-Cortez, New York
Katie Porter, California
Cori Bush, Missouri
Shontel Brown, Ohio
Melanie Stansbury, New Mexico
Robert Garcia, California
Maxwell Frost, Florida
Summer Lee, Pennsylvania
Greg Casar, Texas
Jasmine Crockett, Texas
Dan Goldman, New York
Jared Moskowitz, Florida
Rashida Tlaib, Michigan
Ayanna Pressley, Massachusetts
Mark Marin, Staff Director
Jessica Donlon, Deputy Staff Director and General Counsel
Peter Warren, Senior Advisor
Lauren Lombardo, Senior Policy Analyst
Raj Bharwani, Senior Professional Staff Member
Mallory Cogar, Deputy Director of Operations and Chief Clerk
Contact Number: 202-225-5074
Julie Tagen, Minority Staff Director
Contact Number: 202-225-5051
------
Subcommittee on Cybersecurity, Information Technology, and Government
Innovation
Nancy Mace, South Carolina, Chairwoman
William Timmons, South Carolina
Tim Burchett, Tennessee
Marjorie Taylor Greene, Georgia
Anna Paulina Luna, Florida
Nick Langworthy, New York
Eric Burlison, Missouri
Vacancy
Vacancy

Gerald E. Connolly, Virginia, Ranking Minority Member
Ro Khanna, California
Stephen F. Lynch, Massachusetts
Kweisi Mfume, Maryland
Jared Moskowitz, Florida
Ayanna Pressley, Massachusetts
Vacancy
CONTENTS
----------
Hearing held on May 15, 2024
Witnesses
----------
The Honorable William Evanina, Chief Executive Officer, The
Evanina Group, LLC, Former Director of the National
Counterintelligence and Security Center
Oral Statement
Mr. Rob Joyce, Owner, Joyce Cyber, LLC, Former Special Assistant
to the President, and White House Cybersecurity Coordinator
Oral Statement
Mr. Charles Carmakal, Chief Technology Officer, Mandiant
Oral Statement
Mr. Steven M. Kelly (Minority Witness), Chief Trust Officer,
Institute for Security and Technology
Oral Statement
Written opening statements and statements for the witnesses are
available on the U.S. House of Representatives Document
Repository at: docs.house.gov.
Index of Documents
----------
* Article, New York Times, ``China's Advancing Efforts to
Influence the U.S. Election''; submitted by Rep. Connolly.
* Press Release, NCSC Director, ``Election Threat Update for
the American Public''; submitted by Rep. Connolly.
* Questions for the Record: to Mr. Evanina; submitted by Rep.
Langworthy.
* Questions for the Record: to Mr. Joyce; submitted by Rep.
Langworthy.
* Questions for the Record: to Mr. Joyce; submitted by Rep.
Connolly.
* Questions for the Record: to Mr. Kelly; submitted by Rep.
Connolly.
Documents are available at: docs.house.gov.
RED ALERT:
COUNTERING THE CYBERTHREAT
FROM CHINA
----------
Wednesday, May 15, 2024
U.S. House of Representatives
Committee on Oversight and Accountability
Subcommittee on Cybersecurity, Information Technology, and Government
Innovation
Washington, D.C.
The Subcommittee met, pursuant to notice, at 4:01 p.m., in
room 2154, Rayburn House Office Building, Hon. Nancy Mace
[Chairwoman of the Subcommittee] presiding.
Present: Representatives Mace, Timmons, and Connolly.
Also present: Representative Moylan.
Ms. Mace. Good afternoon, you all. I am pleased to
introduce our witnesses for today's hearing.
Before we do that, I want to ask unanimous consent for
Representative Moylan from Guam to be waived onto the
Subcommittee for today's hearing for the purposes of asking
questions. So, without objection, so ordered.
Our first witness today is Mr. William Evanina, Chief
Executive Officer of the Evanina Group and former Director of
the National Counterintelligence and Security Center. Our
second witness is Mr. Rob Joyce, owner of Joyce Cyber, LLC, and
former Special Assistant to the President and White House
Cybersecurity Coordinator.
Our third witness is Mr. Charles Carmakal, Chief Technology
Officer at Mandiant, and our fourth witness today is Mr. Steven
Kelly, Chief Trust Officer at the Institute for Security and
Technology.
I would now like to recognize myself for 5 minutes for my
opening statement.
Earlier this year, top intelligence and cybersecurity
officials testified before the Select Committee on China about
a vast, long-term, and ongoing campaign by the Chinese
Communist Party, or CCP, to hack into the computer systems that
operate America's critical infrastructure--our dams, power
plants, transportation hubs, and other essential operations. We
do not know the full extent of this campaign. Why? First, the
hacks are done in a manner designed to avoid detection. Second,
the perpetrators are not trying to steal data or cause systems
to immediately go haywire. It is worse. This campaign, labeled
Volt Typhoon, has been underway for several years, at a
minimum.
The Chinese Government and its state-sponsored actors are
using an infiltration tactic called Living Off the Land. The
hackers' aim is to blend in with normal Windows system and
network activities and remain undetected, according to one
cybersecurity expert. Using malicious software, Volt Typhoon
finds vulnerabilities to penetrate internet-connected systems
to take control of devices like routers and security cameras,
for example.
The goal here is not smash-and-grab-type theft or immediate
system disruption. It is a lot more disturbing because China is
playing the long game. It is silently pre-positioning itself
for disruptive or destructive cyberattacks against U.S.
critical infrastructure in the event of a major crisis or
conflict with the United States. That is according to an
advisory jointly issued this year by the National Security
Agency, the FBI, and other Federal agencies. In other words,
the CCP is biding its time until it has reason to awaken these
cyber sleeper cells. At the critical moment, they will trigger
them to create confusion and disarray across America by
disrupting our power supply, our transportation, our
communication networks, our water and our food supply. This is
a terrifying but realistic scenario. It also illustrates how
China's cyber warfare against the United States has matured. It
is now part and parcel of its military strategy and its plan to
achieve its broader ambitions on the world stage.
Earlier this year, General Paul Nakasone, former head of
the NSA and U.S. Cyber Command, testified the People's Republic
of China poses a challenge unlike any our Nation allies have
faced before, competing fiercely in the information domain.
Today's hearing is a forum to discuss the challenge posed by
China's cyber warfare and how we must, as a Nation, meet that
challenge.
We know China is throwing massive money and manpower into
its efforts. FBI Director Wray recently testified the PRC has a
bigger hacking program than that of every major nation
combined. In fact, if you took every single one of the FBI's
cyber agents and intelligence analysts and focused them
exclusively on the China threat, China's hackers would still
outnumber FBI cyber personnel by at least 50 to 1. Fifty to 1,
what a massive, massive number.
This speaks to the necessity of the U.S. maintaining its
technological edge over China, including in cutting-edge fields
like artificial intelligence and quantum computing. AI is
increasingly being harnessed as both an offensive and defensive
tool in cyber warfare, and post-quantum cryptography will be
key to safeguarding critical data in the future. We also need
to bolster cybersecurity partnerships between the Federal
Government, the private sector, and international allies. These
are vital pathways for sharing threat information. Finally, we
need to widen our talent pipeline to help fill the hundreds of
thousands of cybersecurity job vacancies that currently exist
in the public and private sector of the United States.
To facilitate today's dialog, we are thrilled to have
testifying today individuals who recently served at the highest
levels of the Federal intelligence community. Before I--well, I
already introduced them. I skipped the order, so you are here,
so we will now recognize you for 5 minutes.
Mr. Connolly. Thank you, Madam Chairwoman. Forgive me for
being a little late, but we have too many hearings. I have two
markups, two hearings, two briefings, and two sets of votes
today, so maybe we should cut back on some hearings.
This past March, the Office of Director of National
Intelligence released the Annual Threat Assessment of the U.S.
Intelligence community. An excerpt from the report reads,
``China remains the most active and persistent cyberthreat to
U.S. Government, private sector, and critical infrastructure
networks.'' The Chinese Communist Party poses a significant
threat to the safety and economic prosperity of the United
States. Through a multipronged strategy that includes the Belt
and Road Initiative, economic coercion, and military buildup,
the CCP has sought to challenge the American-led, rules-based
international order. As part of its larger campaign to conduct
asymmetric attacks on the United States, Beijing has turned to
cyberattacks to steal American companies' intellectual
property, undermine our civil society, and disrupt civilian and
military infrastructure.
Just 2 months ago, the Cybersecurity and Infrastructure
Security Agency, or CISA, confirmed that CCP-sponsored groups,
like Volt Typhoon, have successfully infiltrated the Federal
Government's civilian and military systems. What is more, some
of those groups have been on our networks for up to 5 years and
lay in wait until the opportune moment to disrupt a military
response or to disable our water and power infrastructure.
Unfortunately, when it comes to cyber warfare, the threat
extends beyond China. In fact, experts have identified that not
just China, but also Iran and North Korea, are using Russia's
well-known disinformation playbook to disrupt elections,
infiltrate American companies, and generally cause malign
behavior.
Although disinformation campaigns and cyberattacks are not
identical, they are two halves of the same chaotic coin. They
similarly seek to inject uncertainty into daily operations and
undermine the foundation of businesses, communities, and
democratic values and tenets. Last November, Meta released its
Third Quarter Adversarial Report, which outlined the removal of
nearly 5,000 fake accounts all based in China. Meta removed
those accounts for impersonating U.S. citizens and posting
divisive rhetoric on deeply sensitive internal political issues
with the intent to have an impact on the upcoming 2024
Presidential election.
It is not just America at risk. Earlier this year, the CCP
again employed Moscow's tactics of online disinformation to
cast doubt upon Taiwan's Government and to influence its recent
elections. China has made a concerted effort to extend its
power and influence across the world, especially in the global
south. As roughly half of the world's population heads to the
polls in 2024, China will take this opportunity, no question,
to expand its influence and disrupt democratic processes using
all tactics at hand.
Fortunately, the Biden-Harris Administration has taken
unprecedented steps to counter these threats, both direct
cyberattacks and disinformation campaigns. The White House
released the first-ever National Cybersecurity Strategy in
October 2022, directing both public and private stakeholders to
coordinate efforts to address new ambitious plans called the
International Cyber Space and Digital Policy Strategy, seeking
to work with allies to counter both Russia and China's global
election interference efforts. I am also proud to have
partnered with this Administration to safeguard networks
against harmful nation-state actors.
Historically, this Subcommittee has held hearings to
conduct meaningful oversight of Federal IT programs and worked
alongside the Government Accountability Office to produce a
Biannual Scorecard on compliance with FITARA. Agencies then
receive grades based on compliance with the law and other
statutory-based IT priorities. The scorecard assesses
compliance with the Federal Information Security Modernization
Act--FISMA--evaluating all 24 CFO Act agency cybersecurity
postures. For further transparency and after years of
congressional advocacy for metrics to replace the expiring
Trump-era cross-agency priority data, OMB finally began
publishing quarterly Federal cybersecurity progress reports on
performance on Performance.gov website. These reports measure
agencies' progress in achieving milestones in implementing key
cybersecurity measures articulated in President Biden's
executive order on improving the Nation's cybersecurity. The
executive order encouraged adoption of Zero Trust architecture,
and I encourage the Administration to revolve the
Performance.gov data and provide public metrics in order to
assess agencies' implementation.
To successfully stop our foreign adversaries, we need a
whole-of-government approach with bipartisan congressional
support to bolster our Federal work force and its IT
infrastructure, and we need a whole-of-Nation approach to
combat the disinformation and misinformation coming out of
Russia and China. A report from the Center for Security and
Emerging Technology found that, ``By 2025, Chinese universities
will produce more than 77,000 STEM Ph.D. graduates per year,''
compared to approximately 40,000, almost half that, here in the
United States. If international students are excluded from that
number of the United States, Chinese STEM Ph.D. graduates would
outnumber their U.S. counterparts by more than 3-to-1.
Three-to-one.
For our country to compete effectively with China, we need
to implement the Office of the National Cyber Director's
National Cyber Workforce and Education Strategies'
recommendations and bolster our cyber work force and cyber
faculty pipelines. We will soon introduce legislation that
would enhance the already highly successful CyberCorps Program,
which boasts an impressive 97 percent successful job placement
rate. When passed, I hope that legislation will extend the
scholarship cap of this program from 3 to 5 years and provide a
pathway for more STEM-trained Ph.Ds.
We must properly fund the cyber defenses and basic
government IT by reauthorizing and properly funding the TMF. In
2021, Democrats fought to secure $1 billion investment for that
program, although the President had requested $6 billion.
Today, the TMF has funded 11 Zero Trust efforts, as well as
numerous other cyber projects, to protect our military and
sensitive information while retiring vulnerable legacy systems.
Congress usually sees IT as an easy thing to cut, but in most
cases, IT modernization is a critical investment with a
critical return on it with respect to the future. The pandemic
exposed the cracks in the Federal Government's aging IT
infrastructure and how it impeded mission-driven programs.
Upgrading those systems is not just a national security
priority. It is essential to making sure government stays
effective and serves the people.
State-sponsored cybersecurity and disinformation campaigns
seek to undermine the very fabric of our society. Cyberattacks
wreak chaos and prove costly. Disinformation campaigns obscure
the truth and threaten democratic principles. We must work to
resist and oppose both. I look forward to the hearing, and I
look forward to hearing from our witnesses. Thank you, Madam
Chairman. I yield back.
Ms. Mace. Pursuant to Committee Rule 9(g), the witnesses,
if you will please stand and raise your right hands.
Do you solemnly swear or affirm that the testimony that you
are about to give is the truth, the whole truth, and nothing
but the truth, so help you God?
[A chorus of ayes.]
Ms. Mace. Let the record show the witnesses all answered in
the affirmative. We appreciate all of you being here today and
look forward to your testimony.
Let me remind the witnesses that we have read your written
statements, and they will appear in full in the hearing record.
Please limit your oral arguments to 5 minutes, and as a
reminder, please press the button on the microphone in front of
you so that it is on and we can hear you up here. And when you
begin to speak, the light in front of you will turn green.
After 4 minutes, the light turns yellow, and then when the red
light comes on, your 5 minutes has expired, and I will very
kindly smile and wave this thing and ask you to wrap it up.
So, you all can be seated, and I will recognize Mr. Evanina
to please begin your opening statement, 5 minutes.
STATEMENT OF WILLIAM EVANINA
CHIEF EXECUTIVE OFFICER, THE EVANINA GROUP, LLC
FORMER DIRECTOR, NATIONAL COUNTERINTELLIGENCE
AND SECURITY CENTER
Mr. Evanina. Chairwoman Mace, Ranking Member Connolly,
Members of the Committee, it is an honor to appear before you
today with my esteemed colleagues at the table.
Our Nation faces an array of diverse, complex,
sophisticated, and unprecedented threats by nation-state
actors, cyber criminals, and terrorist organizations. Each of
them in their own distinct manner poses a serious threat to our
Nation, our systems, and our citizens. However and
unequivocally, the existential threat to our Nation emanates
from the Communist Party of China. This comprehensive threat is
the most complex, pernicious, strategic, and aggressive threat
our Nation has ever faced. It is an existential threat to every
fabric of our great Nation, our capitalism, and our democracy.
Xi Jinping drives a comprehensive and whole-of-country
approach to the CCP's efforts to invest, leverage, infiltrate,
influence, and steal from every corner of the United States.
Naivete by those who hope to otherwise believe the opposite
will only accelerate Xi's intentions and progress.
Additionally, the United States' private sector, critical
infrastructure, academia, and research and development entities
have all become the new battle space for the CCP's nefarious
activities. As this Committee is aware, it is currently
estimated that the economic loss from the theft of intellectual
property from the Communist Party of China is nearing $600
billion per year. To make it more relevant and personal, that
equates to approximately $6,000 per American family of four
after taxes.
China's ability to strategically obtain our intellectual
property and trade secrets via legal, illegal, and
sophisticated cyber and hybrid methods is like nothing we have
ever witnessed before. It is said by many to be the largest
theft of intellectual property in the history of the world.
Technology, from ideation to manufacturing, is frequently the
intended target of these efforts. Additionally, it is estimated
that 80 percent of American adults have had all of their data
stolen by the Communist Party of China. The other 20 percent,
just most of their data. Data and technology have become two of
the most valuable commodities in the world, and acquiring them
has been a high priority for the CCP.
I believe we must approach this existential threat with the
same sense of urgency, leadership, spending, and strategy as we
have done for the past 2 decades in successfully preventing and
deterring terrorism. I would offer to this Committee that we
are in a terrorism event--a slow, methodical, strategic,
persistent, and enduring event--which requires a degree of
urgency of government action and corporate awareness. It is
clear that under Xi Jinping, the CCP's economic war with the
United States, combined with his intent to be the military
leader of the world, has manifested itself into a terrorism-
like framework.
Let me be more specific. The CCP's capabilities and intent
are second to none as an adversary. Countless cyber breaches,
insider threats, and nefarious penetrations into our critical
infrastructure are ubiquitous and have been widely reported.
Add in the CCP's crippling stranglehold to so many critical
aspects of our supply chain, and what results is domestic
vulnerability we have not seen in generations, if ever. Now we
must confront and defend against these CCP efforts with all the
known and unknown artificial intelligence accelerators which
will come along.
As we continue to drive forward with AI development for the
good, we must also ensure security safeguards are implemented
to protect from the bad. For all the progress we make, we must
equally think of the potential of a zero day exploit utilizing
sophisticated AI. When we incorporate China's recent actions,
to include, as referenced by the Chairwoman and Ranking Member,
Volt Typhoon; sophisticated surveillance balloons across our
sovereign land; technical surveillance stations just 90 miles
away in Cuba; maritime port threats; Huawei; strategic land
purchases near military installations; fentanyl; TikTok; malign
influence, et cetera, the collage begins to paint a bleak
picture that is beyond blinking red. I am not even addressing
space, deep fakes, or 5G genomics.
The inability or unwillingness to look behind China, the
curtain they provide, and deal with the existential threat is
no longer an option for the Congress, for the Administration,
academic institutions, and the private sector. There is no more
curtain to look behind. It has been removed. There must be
consequences leveled for China's actions. Otherwise, there will
continue to be no deterrent. Volt Typhoon should be the
straw of the proverbial camel's back. Unfortunately, I believe
more is to come.
Thank you for the opportunity to join my esteemed fellow
witnesses, and I look forward to answering your questions.
Ms. Mace. Thank you. I will now recognize Mr. Joyce for 5
minutes.
STATEMENT OF ROB JOYCE
OWNER, JOYCE CYBER LLC
FORMER SPECIAL ASSISTANT TO THE PRESIDENT
AND WHITE HOUSE CYBERSECURITY COORDINATOR
Mr. Joyce. Chairwoman Mace, Ranking Member Connolly,
Members of the Subcommittee, it is an honor to appear before
you today. Thank you for this chance to discuss what I believe
is the most significant cybersecurity issue faced by the U.S.
That is the threat from cyberattack from the People's Republic
of China and the threat it poses to our critical
infrastructure. I am Rob Joyce. I served over 34 years at the
National Security Agency, retiring as the Director of
Cybersecurity, and I hope in our conversation today, I get to
provide you some insight into the sophistication and strategic
implications of these PRC cyberthreats and, really, how the PRC
competes fiercely in the cyber domain.
It has been widely understood that for years, PRC hackers
have stolen intellectual property, they have performed
traditional espionage through cyber, but now they are preparing
attacks against our critical infrastructure through cyberspace.
So that first segment, they stole intellectual property. This
is to aid their domestic industry. Chinese state-sponsored
hacking groups, like APT 41, have systematically conducted
cyberespionage campaigns to steal trillions of dollars' worth
of intellectual property and trade secrets from U.S. companies.
It has been across critical sectors like aerospace,
pharmaceuticals, energy, manufacturing, and more.
For example, a multiyear campaign uncovered in 2022 showed
APT 41 had infiltrated over 30 multinational firms and
exfiltrated hundreds of gigabytes of proprietary data,
including designs for fighter jets, missiles, drugs, solar
panels, and other cutting-edge technologies not yet patented.
The brazen thefts rob American companies of their R&D
investment and competitive advantages, undermining U.S.
economic interests. The annual cost to the U.S. economy from IP
theft is hundreds of billions of dollars, and that does not
include the long-term impact where China closes technology gaps
and brings competing products to markets using stolen
information.
And the second area I would highlight is the hacking for
traditional espionage. A good example of that cyberespionage is
the intrusion last year into the U.S. State Department in which
the U.S. State Department discovered the compromise of its
email system. The attackers accessed the inboxes of the U.S.
Secretary of Commerce, the U.S. Ambassador to China,
Congressman Don Bacon, and key State Department employees. All
of this was before a sensitive visit by the Secretary of State
to China. Microsoft assesses the intrusion was a Chinese threat
actor they call Storm 0558. According to the Cyber Safety
Review Board study of this event, of which I was a panel
member, the activity was so stealthy, Microsoft still cannot
say with certainty how the credentials used in the attack were
stolen from them.
The issues of espionage and intellectual property theft
have persisted for years, but now I want to highlight an even
more troubling set of intrusions into critical infrastructure.
In 2023, the U.S. cybersecurity community developed increased
understanding that a set of PRC hackers, called Volt Typhoon,
was pre-positioning on U.S. critical infrastructure. They were
not there to steal our information but, instead, prepared to
disrupt vital critical infrastructure systems. They want to
slow the U.S. military's ability to mobilize and deploy in time
of crisis, and they want to sow societal panic at the time of
their choosing. They hope we would turn inward and focus on
serious critical infrastructure problems at home rather than
supporting any crisis on the other side of the globe. My
colleague, the Honorable Evanina, talked about a simple
description for their intent: domestic terrorism. They want to
inspire panic inside our society. That is serious and
disturbing.
So, this activity was discovered and validated through
unique collaboration of government and industry, and I sit here
today with some of my industry partners. Foreign intelligence
was used in conjunction with the tremendous insight of industry
where NSA, along with multiple government agencies, both
domestic and international, described the intrusions in a
public advisory, and 11 of the biggest internet and
telecommunication companies added their names to the
publication as participating in the investigation. Subsequent
work by FBI, CISA, and industry confirmed the compromise of IT
systems in diverse infrastructure sectors, including
communications, energy, transportation, water, and wastewater
systems. They found prepositioning in the continental U.S. as
well as the U.S. territory of Guam. Guam is significant because
the island hosts Andersen Air Force Base and Naval Base
Guam, which play a crucial role in any potential conflict with
China over Taiwan.
The intrusions have gone on for quite some time but have
generally escaped notice. It is increasingly important that we
understand the siege, that we work against it, and that we get
our systems prepared to not only get them out but keep them
out. These activities by the Chinese Government warrant your
full attention and support, ensuring the PRC cannot undermine
our national security. And I look forward to answering your
questions alongside this knowledgeable panel.
Ms. Mace. Thank you, and, Mr. Carmakal, you are recognized
for 5 minutes.
STATEMENT OF CHARLES CARMAKAL
CHIEF TECHNOLOGY OFFICER
MANDIANT
Mr. Carmakal. Chairwoman Mace, Ranking Member Connolly, and
Members of the Subcommittee, thank you for the opportunity to
share my observations and experiences regarding this very
important topic, as well as for your leadership on
cybersecurity issues. My name is Charles Carmakal, and I am the
Chief Technology Officer at Mandiant.
In my role at Mandiant, I oversee a team of security
consultants and incident responders that help organizations
both respond to security events and prepare for and mitigate
the risk and impact of those security events. I led the teams
that are responsible for discovering and identifying the
SolarWinds software supply chain attack in December 2020, the
Colonial Pipeline cyber destructive attack in 2021, and the
discovery of several novel and sophisticated cyber campaigns
carried out by China-nexus threat actors. I am here to talk
about Mandiant and my personal experiences in defending against
and responding to cyberthreats emanating from the People's
Republic of China. I will share my firsthand observations and
the observations of the team that I lead.
Before we discuss today's threats, it is important to
review what has happened over the past decade. On September 25,
2015, the United States and China agreed that neither
government would conduct or knowingly support cyber-enabled
theft of intellectual property for economic advantage. The
following year, in 2016, Mandiant analyzed our incident
response cases to assess the impact of the agreement. We
actually observed a reduction in cyber intrusions by China-
nexus threat actors that began a year prior to the agreement.
The relatively lower volume of intrusion activity continued
until approximately 2020. Government-backed China-nexus threat
actors operated notably differently prior to the agreement than
they do in modern days.
In my written testimony I talk about specific ways in which
China-nexus threat actors operated prior to the agreement.
These actors operate very differently today. They are more
coordinated, resourced, sophisticated, and clandestine. I want
to talk about a few of the capabilities that we see them
demonstrating as they effectively break into organizations
across the globe but, specifically, in the United States.
We see them leveraging zero-day vulnerabilities, which
essentially are vulnerabilities that are known by threat actors
and exploited by threat actors before the vulnerability is
known by the vendor. The tools and the know-how to exploit
these vulnerabilities are shared amongst multiple discrete
groups that conduct cyber operations for the benefit of the
PRC. Over the past few years, we have observed targeted zero-
day exploitation of vulnerabilities in VPN, firewall, email
security gateway, hypervisors, and other technologies that do
not commonly support endpoint detection and response solutions.
Endpoint detection and response solutions have gotten more
effective over the years and have enabled organizations to
detect compromises in Windows environments. Therefore, we see
China-nexus threat actors targeting those systems that do not
traditionally support EDR solutions, which essentially makes it
more difficult for organizations to detect compromises.
To further exacerbate the problem, we see threat actors
leveraging vulnerabilities in closed-box appliances, which are
essentially systems that provide routing functionality,
firewall functionality, or other security functionality to
organizations. Because these appliances are closed box, it
makes it very difficult for organizations to actually determine
if they are compromised. If an organization wants to
forensically examine a compromised device, they often need to
reach out to the vendor in order to be able to analyze it. Not
all vendors will actually give permission to the victim
organization to analyze the device.
We also see China-nexus threat actors leveraging
residential IP addresses to conduct their intrusion operations.
Over the years, they have built a very large botnet or series
of computers that essentially enable them to access victim
environments such that they look like an employee of the
organization by accessing the network in a close proximity to
the employees or to the companies that they want to log into.
So, for example, if they were targeting a company in Virginia
and they wanted to emulate an employee that lived in Virginia,
we would see them leveraging compromised home infrastructure
that allows them to log into the VPN of that Virginia-based
organization and look like an employee there. We also see them
living off the land, which is essentially leveraging tools and
technologies that are native to operating systems so that they
can move laterally within environments and not get detected by
the organizations.
Given the advanced tradecraft leveraged by China-nexus
threat actors, it is incredibly difficult for organizations to
tell when they have been compromised. In fact, when we work
with organizations and discover compromises, we often see that
those compromises very often have lasted for weeks, months, and
sometimes years. Over the years, I have personally observed
multiple China-nexus threat actors with significant access and
privileges to U.S.-based technology, defense, government,
energy, construction, chemical, financial services, and
healthcare organizations. Fortunately, I have not yet
personally observed any actions taken by these actors that I
consider to be overtly and intentionally destructive that could
directly lead to negative kinetic outcomes or physically harm
people. That could certainly change over time, but I wanted to
share my personal experiences.
On behalf of Mandiant, I thank you for this opportunity to
testify before the Subcommittee.
Ms. Mace. Thank you, and, Mr. Kelly, you are now recognized
for your 5 minutes.
STATEMENT OF STEVEN M. KELLY
CHIEF TRUST OFFICER
INSTITUTE FOR SECURITY AND TECHNOLOGY
Mr. Kelly. Chairman Mace, Ranking Member Connolly, and
Members of the Subcommittee, my name is Steve Kelly. I am the
Chief Trust Officer at the Institute for Security and
Technology, a think tank that unites technology and policy
leaders to create actionable solutions to emerging security
threats. I came to IST almost a year ago after retiring from
the FBI as a special agent working cyber issues, and during my
tenure, I was honored to twice serve on the NSC staff. Bonnie
and I have since moved back to Indiana, but I am glad to be
here in the Nation's Capital to discuss this pressing topic
with you.
I am gravely concerned by both the PRC's illiberal global
agenda and the means by which it seeks to realize it. For at
least 2 decades, the PRC has carried out a rob, replicate, and
replace strategy, which allows Chinese firms to benefit from
stolen American innovation, begin manufacturing identical
products at a lower cost, and put the victimized firm out of
business. Over time and across numerous research and
development areas, this strategy, enabled by large-scale
economic espionage, has allowed the PRC's technology industry
to rapidly catch up and, in some cases, surpass the United
States and allied nations.
Chinese technology products, both inside the PRC and for
export, prioritize state-level interests over users' security
and privacy, exposing users to government surveillance, acting
as a vector for cyber operations, and potentially enabling
denial and disruption operations. This has been a challenge
here at home, leading Congress to fund ripping and replacing
Huawei and ZTE equipment from U.S. telecom networks, but the
challenge is even greater in developing nations that often find
the immediate need of economic development more pressing than
the potential foreign intelligence risk. I am encouraged by a
recent surge of interest in trusted technology within the
investor community. For example, a group of leading investors
recently announced their voluntary trusted capital investment
principles and commitments. Another leading venture capital
firm announced its American dynamism effort, and an array of
investors and founders are driving a new defense tech-focused
movement.
While it has been a long time coming, many throughout the
world have come to recognize the risks that often accompany
lower-cost Chinese products and are seeking more trustworthy
sources even at a price premium. I played a small part in
planning and launching the U.S. Cyber Trust Mark, a voluntary
security labeling program for consumer internet of things
devices, like smart home appliances, and I am pleased by the
enthusiasm shown by consumer technology manufacturers in this
program. While the FCC is moving the program forward, I
encourage Congress to ensure the program's future stability by
specifically authorizing and funding it.
The threat described by my fellow witnesses should inspire
a new sense of urgency to remove the PRC's leverage by
consistently counteracting and publicly exposing their cyber
operations and hardening U.S. critical infrastructure. Given
numerous cyberattacks impacting critical infrastructure over
the past several years, including the ransomware attacks on
Colonial Pipeline, JBS Foods, and many hospitals, we are
clearly not doing enough. While ransomware is not the focus of
this hearing, it is instructive of the real-world impact cyber
operations can deliver. If Russian criminal gangs can achieve
these effects, the People's Liberation Army most certainly can,
too.
President Biden's National Cybersecurity Strategy calls for
establishing minimum cybersecurity requirements for critical
infrastructure through regulation or, where such authority does
not exist, to seek it. While Federal regulations are not
appropriate or desired in all circumstances, I believe that
safeguarding functions essential to national security, economic
security, or public health and safety warrants a regulatory
approach. If establishing baseline requirements is to be
achieved, Congress will need to create or clarify regulatory
authorities for certain sectors, and each sector risk
management agency and regulator must be resourced to carry out
the task.
The infrastructure in need of protection is scattered
throughout the Nation, and it is difficult to meet their needs
from Washington, DC. Fortunately, there are a variety of
players across the Federal enterprise who are able to engage at
the local level. CISA's Cybersecurity Advisor Program, which
places personnel across the country, is still quite new, and
often an entire region may have only one such advisor. While I
encourage Congress to fund sufficient advisors to cover the
ground, what remains clear is the need for expanded and
enhanced partnerships as force enablers. Fortunately, CISA
cyber advisors are not alone as the FBI and Secret Service have
task forces across the country.
Emulating the successful Joint Terrorism Task Force
Program, there exist incredible opportunity to team Federal,
state, and local cyber personnel to undertake both proactive
and reactive cybersecurity efforts. National Guard units acting
under their state authorities might also plug into this model.
And, given the topic of this hearing, I think it is worth
considering what authorities might exist or be needed for
active duty cyber personnel under Title 10 to provide
assistance or even protection to civilian entities essential to
the operation of key military installations, also referred to
as defense critical infrastructure. While this approach may not
scale, I believe there are scenarios under which that would
make sense and should be explored.
I want to thank the Subcommittee for inviting me to
participate in today's hearing and look forward to your
questions.
Ms. Mace. Thank you. I will now recognize myself for 5
minutes of questioning. I do have several questions, so if I
could just ask if we could be brief and direct and
straightforward in our responses because I would like to try to
get through all of them today.
General Nakasone has stated that, ``If a nation-state
decided to attack our critical infrastructure, I would say that
is above the threshold level of war,'' and in the testimonies
that were prepared, it refers to China's cyber warfare against
the U.S. as a form of terrorism, and, Mr. Evanina, you said
today it was an existential threat, in your words. So, in the
face of this terrorism, Mr. Evanina notes there is little
deterrence also. So, my first question to you, Mr. Evanina, if
these CCP-driven hacking campaigns are a form of war or
terrorism, are we deterring China from conducting them?
Mr. Evanina. Thanks for the question, Chairwoman Mace. If
we are deterring, I am not aware of that from an intel
perspective and a law enforcement perspective and a cyber
perspective. What they are doing to us is on the border of----
Ms. Mace. Why not? Why aren't we deterring?
Mr. Evanina. You would have to ask the policymakers in that
space, but I do believe as they are preparing for battle, as we
heard, and our critical infrastructure, I do not think it is
reasonable for the minimum standards to ask companies to defend
against nation-state threat actors and their proxies. I think
it is a big task for them to do, and I think U.S. Government
should take more of a hand in defeating and deterring the
Chinese Communist Party and their infrastructure.
Ms. Mace. Is it safe to say this Administration does not
have a strategy for deterrence?
Mr. Evanina. I am not aware what the current strategy is.
Ms. Mace. OK. OK. So, my next questions will be for Mr.
Evanina and Mr. Joyce. Do we know how many of America's
critical computer systems have been infiltrated via the Volt
Typhoon hacking campaign? Do we know?
Mr. Evanina. I am not aware.
Ms. Mace. Mr. Joyce?
Mr. Joyce. I do not have that information, no.
Ms. Mace. OK. So, if it is achieving its goal of gaining
undetected system access, how would we know?
Mr. Joyce. So, Madam Chairwoman, I believe the combination
of intelligence that revealed this campaign as well as the
capabilities of the U.S. cybersecurity industry has the ability
to find and defeat some of these activities. But it is going to
take a combination of both the public efforts, the private
efforts, as well as the targeted entities have to remove some
of their outdated and legacy IT to be safe.
Ms. Mace. A debate that has been going on for the better
part of 30 years probably. Mr. Joyce, do we know how much money
the CCP invests in cyber warfare?
Mr. Joyce. I do not.
Ms. Mace. Mr. Evanina, do you know?
Mr. Evanina. I do not.
Ms. Mace. Do we know what kind of manpower they throw into
these efforts? We heard what FBI Director Wray said recently,
50 to 1 in terms of comparing it to FBI analysts, but do we
know what kind of manpower they have?
Mr. Evanina. I think that is a conservative estimate by
Director Wray, but I also would include in that the
cybercriminal actors and their proxies that are supported by
the MSS and the PLA should be included in that number as well.
Ms. Mace. OK. AI and quantum computing are powerful new
tools in the arsenal of both hackers and defenders in
cyberspace. How much does defense of critical U.S. computer
systems hinge on our ability to maintain and build upon our edge
in AI over China? Either of you.
Mr. Joyce. So, I believe that AI is actually going to
advantage the defense much more than the offense, especially in
the near term. The ability to look at large scales of data to
understand the tradecraft that might go undetected by human
analysts is rapidly increasing by some of the innovations. So,
I do believe that is our advantage today.
Ms. Mace. Mr. Carmakal, I have a minute left. Your
testimony states that Mandiant, you helped identify SolarWinds
and the Colonial Pipeline disruption in 2021. Would you say
China's Volt Typhoon campaign is designed to make even these
major hacks pale in comparison?
Mr. Carmakal. So far, we have only seen intrusion
operations that were very hard to detect that were orchestrated
by Volt Typhoon, plus many other threat actors emanating from
China. We do not yet know what they might do, but we could tell
you the capability and the access that they have is very
significant, and they could certainly do anything similar to
what happened to Colonial Pipeline or even much worse with the
access that we know that they have.
Ms. Mace. And how could we respond to a slew of disruptions
to critical operators if all this is happening all at once, if
they did something all at once?
Mr. Carmakal. It would be very difficult to respond to.
There is a finite amount of security talent and investigators
and incident responders that could help respond to security
events. And so if there were a cascading set of security
attacks against organizations, it would be incredibly difficult
to respond to it.
Ms. Mace. All right. Thank you, and I will now yield.
Mr. Connolly. Madam Chair, if you want to take another 5
minutes?
Ms. Mace. No, I will wait.
Mr. Connolly. OK.
Ms. Mace. Yes.
Mr. Connolly. All right.
Ms. Mace. OK. And I will now yield to Mr. Connolly for 5
minutes.
Mr. Connolly. Thank you. Mr. Evanina, you were ringing the
alarm bell some time ago. You served in the Trump
Administration. What was your position?
Mr. Evanina. Yes. I started as the head of
counterintelligence for the United States in 2014 under
President Obama, and I stayed there until January 2021.
Mr. Connolly. OK. And you, among other things, led efforts
to protect security and integrity of the 2020 election from
foreign threats. Is that correct?
Mr. Evanina. That is correct, sir.
Mr. Connolly. Last month, the New York Times published an
article, ``China's Advancing Efforts to Influence the U.S.
Election Raise Alarms,'' and it highlighted that during the
2022 midterm elections, the cybersecurity firm, Mandiant,
reported that an influence campaign linked to China tried to
discourage Americans from voting while highlighting political
polarization. The finding illustrates how China has been using
Russia's disinformation to ``influence American politics with
more of a willingness to target specific candidates and
parties, including now-President Biden.'' I ask that we insert
this article into the record.
Ms. Mace. Without objection.
Mr. Connolly. I thank the Chair.
Mr. Connolly. Mr. Evanina, during the Trump Administration,
is it true you were already ringing the alarm that both CCP and
Russia were trying to influence that 2020 election?
Mr. Evanina. Yes, sir.
Mr. Connolly. And in August of that year, you issued an
official press release warning, ``We assess that Russia is
using a range of measures to primarily denigrate former Vice
President Biden and what it sees as an anti-Russian
establishment.'' Your statement added, ``For example, pro-
Russian Ukrainian parliamentarian, Andrei Derkach, is spreading
claims about corruption, including through publicizing leaked
phone calls, to undermine President Biden and his candidacy and
the Democratic Party.'' I ask unanimous consent to insert that
press release into the record.
Ms. Mace. Without objection.
Mr. Connolly. Mr. Evanina, is that the same Andrei Derkach
who, according to reports, ``gained access to Trump's inner
circle through Rudy Giuliani, the President's personal
lawyer?''
Mr. Evanina. Yes, sir.
[Chart]
Mr. Connolly. Is that the gentleman in question?
Mr. Evanina. Yes, sir.
Mr. Connolly. And is he sitting with Rudy Giuliani?
Mr. Evanina. Yes, sir.
Mr. Connolly. Aha. In fact, just a month after you issued
your statement, the Trump Administration sanctioned him, to
their credit, for being an ``active Russian agent for over a
decade.'' Is that correct?
Mr. Evanina. I believe that is correct.
Mr. Connolly. Even though experts, including you and
others, have repeatedly warned us about Russian efforts to
smear Joe Biden with false information about corruption in
Ukraine. And by the way, one of those informants who was the
key witness of the oversight impeachment hearing is now in jail
for lying to the FBI. Is that correct, Mr. Kelly? Are you
familiar with that?
Mr. Kelly. I do not have firsthand knowledge of that.
Mr. Connolly. Well, do you have any thoughts, given your
new role and your previous role, about the dangers that can
ensue? Mr. Evanina warned us, correctly, about Russian
disinformation inserting itself into our politics? And it sure
did get into a very high level both here in Congress and in
targeting the President of the United States with absolutely
false information. What could go wrong with that, Mr. Kelly?
What should we worry about with that?
Mr. Kelly. Malign foreign influence operations coming from
Russia, China, or anywhere else is incredibly problematic and,
in particular, in the context of elections, so, I agree with
that statement.
Mr. Connolly. So, in some cases, credulous people might
take at face value information coming from social media bots,
false sources who create false identities as Americans when
they are, in fact, not. In fact, recently, one of the big media
companies just took down 5,000 accounts, I think I mentioned in
my opening statement, all from China, pretending to be
Americans. But the other is that political figures might use
that information, knowing or not knowing it is false, for
political gain that could, in fact, be harmful to our system,
especially given the fact it is based on false information and
a foreign actor with an agenda. Would that be a fair statement,
do you think?
Mr. Kelly. Yes. That can absolutely happen.
Mr. Connolly. Thank you. I yield back.
Ms. Mace. Thank you. I would like to say for the record,
most Republicans in Congress are actually banned from Russia.
And when we are talking about false sources, false information,
we could look no further in 2020 than mainstream media that
covered up the laptop, and the FBI and all those national
security advisors that signed that letter. That was absolutely
misinformation, disinformation right before an election. So,
when we talk about foreign actors with an agenda, there are
domestic actors with an agenda.
So, I would now like to recognize Mr. Moylan for 5 minutes.
Mr. Moylan. Thank you, Chairwoman Mace and Ranking Member
Connolly, for allowing me to waive onto the hearing and speak
on an issue that has plagued my district and the United States
at large.
The problem is clear. The People's Republic of China has
unabashedly conducted cyber warfare against the United States
for over a decade. The PRC uses proxy groups, like Volt
Typhoon, to sidestep attribution for these cyberattacks. As a
veteran, I can personally say that devastating cyberattacks on
the Office of Personnel Management in 2015 was a cyber wakeup
call. While many cyberattacks target our Federal Government,
Chinese hackers' indifference toward targeting civilians is
apparent. Chinese leadership or their proxies have continued to
demonstrate a lack of concern toward attacking civilian
infrastructures. Regardless of source, the blatant disregard,
even to the extent of launching cyberattacks during an active
Category 5 typhoon on Guam, shutting down Guam's communications
while extreme weather destroys billions of dollars' worth of
homes, businesses, and community facilities, is simply
inexcusable.
So, my question, Mr. Evanina. Cyber represents a facet of
Chinese gray zone warfare that the U.S. has struggled to
contend with. Part of this problem stems from using cyber
contractors to circumvent the Chinese Communist Party
attributions for these attacks. With those companies in mind,
could you recommend steps that the U.S. should take to properly
distinguish who attacks us?
Mr. Evanina. Congressman Moylan, I thank you for the
question, and thank you for your support and efforts in Guam
and the Pacific for us competing with our major adversary
there. To answer your question, sir, I think the first thing
has to happen, we have to be more aggressive as a country, as
an Administration, working in partnership with Mandiant and
others, to attribute these criminal entities as what they are.
They are proxies for a state-sponsored organization that we
know is the Communist Party of China.
China actors who are in the Ministry of State Security
or the People's Liberation Army oftentimes work part-time jobs
in these cyber organizations and do the bidding of the
Communist Party of China, and oftentimes are utilized to do
zero days and other cyber activities to obfuscate attribution
by the Communist Party of China. I think we have to get more
aggressive as a country in attributing those entities as what
they are: long arms of the Communist Party of China.
Mr. Moylan. Thank you. Mr. Joyce, with the limited cyber
personnel already, Guam cyberinfrastructure suffers from
deterioration and lack of funding, leaving civilian and
military assets vulnerable to cyberattacks with Guam being one
of the closest U.S. territories to China. What policy advice
would you give the President, the Governor, or even myself to
solve Guam's cyber insecurity?
Mr. Joyce. Thank you, Congressman, for your question. I
think the most important thing is we have to have the awareness
and the priority on this crisis to give them the resources to
get rid of old, outdated, and insecure hardware. A lot of the
tactics used in the attacks are finding flaws that could have
and should have been patched in old and obsolete equipment. So,
if you can get the budgets for the infrastructure so they will
have cyber-capable training, so that they will get rid of their
old and antiquated technology, and that they have the resources
to get the support of the private industry with the expertise,
I think we can make a lot of headway on this problem.
Mr. Moylan. Perfect. Final question--we have got about a
minute--for both of you, please. China is using national cyber
power to harass districts and state-level actors. Could the
panel briefly explain the necessity of developing Federal,
state, or local cyber defense and responses?
Mr. Evanina. Thank you, Congressman. I will start. I think
the state and local and tribal cyber capabilities are the
weakest point for our Nation. I think the Chinese Communist
Party exploits that, especially at the county level. We see
that throughout not only ransomware attacks, but also, as we
will start to see, in election infrastructure, it is the
weakest level. And oftentimes states throughout the United
States do not have the money to invest and to replace the
legacy hardware that Mr. Joyce talked about. I think that is
going to be the first thing to do is to pay for that legacy
information utilities to be removed.
Mr. Moylan. Mr. Joyce?
Mr. Joyce. I think it has got to be a close collaboration
between the private sector and the state, local, and tribal
entities. They are often resource and expertise poor. Someone
going to school with a cybersecurity degree, they are not
excited to go into the local water utility and be their CISO.
So, we have got to then augment them with private industry and
technology so that they can have top-notch security.
Mr. Moylan. Thank you very much. Thank you to the panel.
Thank you, Chairwoman Mace. Thank you.
Ms. Mace. Thank you, Mr. Moylan, and we are going to go for
a few extra minutes until votes, which could be in a minute,
could be in 10 minutes, so I would like to recognize myself for
5 minutes. I had a few extra followup questions I wanted to
ask.
Mr. Carmakal, rapid incident reporting by hack victims
enables the identification of specific threats and limits the
harm that they can inflict, but critical infrastructure
operators vary widely in their knowledge of incident reporting
protocols and in their compliance with them. So, what can be
done to improve incident reporting by non-Federal entities?
Mr. Carmakal. Yes. Thank you very much for the question,
Chairwoman. Incident reporting is a very difficult topic
because there are a number of equities that need to be
balanced. You cannot disclose a security incident too early,
especially if the threat actor still has access to the
environment. They may do something more damaging, or they might
escalate their attack, or they might steal more data.
Obviously, you also do not want organizations to wait too long
to disclose that there was a security event. And so, there is
definitely a very tough balance in terms of how long it
actually should take for an organization to disclose, but at a
minimum, we do want organizations to disclose so that the whole
of community has the opportunity to learn from it.
Ms. Mace. Does the government provide clear guidance about
these protocols?
Mr. Carmakal. There are a number of regulations and
requirements for disclosure, so it is confusing to certain
organizations to understand who do they need to report to, when
do they need to report it, and they typically have to engage
legal counsels to help understand the reporting complexities.
Ms. Mace. And if you are engaging legal counsels, probably
pretty expensive for a business in some cases.
Mr. Carmakal. It certainly could be expensive. Yes.
Ms. Mace. Do companies ever get punished if they have been
hacked by the government? Do they get sued? Is there that kind
of thing going on, too, when these things happen?
Mr. Carmakal. A lot of victims of cybercrime or
cyberespionage feel like they are victimized multiple times.
So, they are first victimized by the threat actor, then they
might be victimized by the media, by their customers, by their
partners. And so, yes, it is certainly complicated, and they do
feel like they are victimized often.
Ms. Mace. Is the government effectively sharing information
it has about threat actors with the private sector?
Mr. Carmakal. There is a lot of information sharing that is
occurring from a government perspective. Obviously there could
always be more information sharing, better information sharing,
more timely sharing, but there is a lot of great things that
are happening.
Ms. Mace. That is good to hear. So, talk to me--in your
testimony earlier, you talked about legacy systems for a little
bit. Talk to me about that and what dire straits we are in
right now with regards to our vulnerabilities.
Mr. Carmakal. Yes. We very often find organizations that
have antiquated technologies still deployed within their
environment. Sometimes we see very old operating systems that
are deployed that have not yet been retired but are still used
for business-critical capabilities and functionality.
Ms. Mace. What is the oldest one you have heard of? What
has been around the longest?
Mr. Carmakal. We still see Windows XP, which has been long
end of life for quite some time.
Ms. Mace. How long?
Mr. Carmakal. I cannot remember how long it has been, but
it has probably been more than a decade, if I am not mistaken.
That is in the IT environments. When you look at OT
environments or operations----
Ms. Mace. Is that government specifically or are you just
saying private industry?
Mr. Carmakal. Across the globe.
Ms. Mace. Across.
Mr. Carmakal. When you look at the systems that are
controlling safety at nuclear power plants or manufacturing
facilities or pipelines, what we tend to find is that there is
very old technology that exists out there that you cannot
actually apply software patches to. And so, in the IT world,
you expect that you would have to apply a critical security
patch in hours or days or maybe a month. In the operational
technology world, sometimes the patch timing takes months,
maybe a year, or maybe it never happens at all. Generally
speaking, there are other compensating controls that help
mitigate the risk of a compromise of an OT environment. But
essentially, if a threat actor could get into an operational
technology environment, it could be a pretty bad day for that
organization because there are generally very few controls
in those OT environments with very old technology.
Ms. Mace. How do we incentivize technology updates, private
and public sector?
Mr. Carmakal. I defer to my colleagues on this panel for a
proper response.
Ms. Mace. All right. Mr. Joyce and Mr. Evanina?
Mr. Joyce. I think one of the things you have to do is you
have to look at regulation, right? We would not have antilock
brakes and seat belts in our cars if it were just up to the
industry. I am not a huge fan of regulation, but I am
increasingly convinced that the bare cyber minimums need to be
regulated.
Ms. Mace. Mr. Evanina?
Mr. Evanina. I would add to that that I think it is
about leadership, and it starts with the government. I think if
the government earmarked significant dollars, moonshot, to
update our own legacy systems would obviously prevent our
adversaries from getting our government systems, and I think
that would be a leading role to stimulate private sector to do
the same.
Ms. Mace. Yes. We have had a lot of hearings up here and
the amount that is wasted even in tech. I mean, we had a
hearing last year, and DoD had wasted $300 million on a
software program. I can only imagine what we could have done
with $300 million in the cybersecurity space, either hiring
workers or updating and upgrading software packages and
technology to keep them safer. So, I appreciate your time today
and thank you for being here. Do you want to be recognized for
5 minutes, Mr. Connolly?
Mr. Connolly. I thank the Chair. I want to go back to the
danger of relying on Russian and Chinese sources because they
have an active agenda of insinuating. We have established one
that you are familiar with, Mr. Evanina, and that was a key
source for Rudy Giuliani and his false claims about corruption
involving Ukraine, Burisma, and then-Vice President Biden, and
it is very dangerous to rely on sources like that.
I want to point out three key sources for the impeachment
inquiry on my other committee, the Oversight Committee, the
full Committee, and on the Weaponization Committee: one, a man
on the lam who has been charged by the U.S. Government for
being a Chinese spy outright; second, a man who is in Federal
prison today for having been convicted of fraud; third, a man
named Alexei Smirnov, an FBI informant, in jail, charged by the
FBI for lying to the FBI. He lied specifically about witnessing
a cash bribe being given to President Biden, then-Vice
President, or out of office, actually, and his son, Hunter.
Neither was true. In fact, it has been established Mr. Smirnov
did not even meet anyone from Burisma until 2 or 3 years after
the alleged exchange. And furthermore, Mr. Smirnov has admitted
that his sources were Russian agents. Other than that, these
are reliable witnesses upon which one of the most solemn
constitutional duties that falls upon Congress has occurred,
the impeachment of a President. We relied on Russian and
Chinese agents. That is an established fact.
Mr. Evanina, what are the risks when political leaders
assert that claims of Russian or Chinese interference are just
a hoax? Could something go wrong when we do not take it
seriously?
Mr. Evanina. Ranking Member Connolly, I think it is
important to note that we should fully expect the Communist
Party of China, Russia, Iran, and others to participate in the
same type of disinformation, misinformation in the upcoming
election. And I think we have to be postured to be able to
identify that quickly and notify the American public as fast
and as furious as we can, and then take action to notify
individuals who are either a part, wittingly or unwittingly, or
being used by those nation-states to promulgate their
information. So, I think that is really critical that we do
that moving forward.
Mr. Connolly. So, I do not want to put words in your mouth,
but I am hearing you say, look, before we politically decide to
dismiss something as an inconvenient fact, we need to have some
skepticism about sourcing because of what Russia and China are
doing.
Mr. Evanina. Well, I think part of the playbook for Russia
and China and others is to be able to sow doubt in all the
reporting, and I think that is important. I think we should
also take time to rely on the intelligence community, law
enforcement, and the FBI to be able to most effectively weed
out some of this information, to be able to be in the best
posture to provide that to decisionmakers.
Mr. Connolly. And that is what you did during the Trump
Administration.
Mr. Evanina. I think that is what the United States
government----
Mr. Connolly. Right. It is not a Democrat, or it should not
be a Democrat or a Republican issue. Mr. Kelly, in your time in
the FBI, does it echo what Mr. Evanina has cautioned us?
Mr. Kelly. Yes, there was----
Mr. Connolly. I cannot hear you.
Mr. Kelly. Yes. In the last Administration, the Justice
Department actually came out with a policy on this topic, which
I think was actually a very wise approach, which is to flag the
source of information. And so, to the extent that they have
information that a malicious foreign actor has set up a false
persona on social media, they can notify the social media
platform so that they can take action under their terms of use,
but to not get into the business of fact-checking because that
gets very, very tricky.
So, I think where the facts are that we have identifiable
bad foreign actors that are doing things, that is an
opportunity then to notify the affected people, to notify
technology platforms. And then when it relates to,
specifically, the functions of an election, misinformation
around that polls have closed or the polls are open, or the
voting day moved, or whatever else is happening, those are the
kinds of things that public officials need to come out and
absolutely correct the factual record on.
Mr. Connolly. Thank you, and I appreciate it. Thank you,
Madam Chair.
Ms. Mace. Thank you. And going back, just to clarify with
Alexei Smirnov, this Committee was actually told by the FBI--we
did not know his name when we got the access to the FBI 1020
form--but the FBI told this Oversight Committee ``that the
witness was trustworthy and credible,'' also repeated by
Democrat colleagues here on the Oversight Committee because
that is what the FBI told us. And that witness actually was
paid six figures by the FBI, over half a million dollars. So, I
do not know if the FBI just was incompetent in paying a witness
that was not trustworthy and credible, or if they were lying to
Congress and this Committee when they said the witness was
trustworthy and credible.
And just a reminder, this hearing is about China. It is not
about Russia, and we are talking about skepticism about
sourcing. We should be very skeptical of mainstream media here
today who has fed the American people lies, hook, line and
sinker. And, in fact, the whole Russia hoax thing, Trump was
not assisted by Russia. The Russia hoax was actually Joe Biden
getting paid off with his family members by Russian oligarchies
and then lying about it, and we saw that in the testimony of
Hunter Biden and his deposition, and we have seen these lies
told over and over again by my colleagues across the aisle.
Every time it is an accusation, it is really a projection. So,
with that, I will recognize Mr. Timmons for 5 minutes.
Mr. Timmons. Thank you, Madam Chair. Back to China. I am
going to talk about Huawei briefly, Mr. Evanina and Mr. Joyce.
I am going to ask you some questions at the end of it.
So, China was using Huawei to give next-generation wireless
technology to developing countries and to developed countries,
many of which were allies, and they were doing that at a rate
that was beyond competitive. It was essentially subsidized, and
the FBI was able to reach out to our allies and essentially
say, hey, this is a really bad idea. They have a backdoor in
security. Their servers are not secure. You are essentially
letting the Chinese have all your data.
And so what happened? Well, all of our allies said they
either took steps to ban Huawei, or they changed their course
and are now using more secure next-generation wireless
technology. And that was done, basically, because the United
States took a leadership role in informing our allies that
China was not being a good actor, and it has caused Huawei to
have to completely adjust their approach to the global economy.
Is that fair, Mr. Joyce?
Mr. Joyce. Absolutely.
Mr. Timmons. OK. So, I think this is a great model. It is a
great model of how we can address larger concerns. So,
obviously, we are talking about cyberattacks, and there is no
amount of money that the private or publicly held companies can
spend to secure their networks from a government as big as
China. There is just nothing they can do. It is not a question
of if they are going to get a breach. It is a question of when.
But what we can do is we can use the U.S. Government and use
our allies to create a consequence.
So, I do not see why the United States and like-minded
countries cannot create a system--the biggest issue is
attribution in this proposal. If a company is breached and
receives damages and it is from a nation-state, I think that
company should be able to go to the government and say, look,
we do all of these things right to try to protect our data, but
China came after us. We had a breach. It cost us this amount of
money. Obviously, there is going to be a civil suit. They are
going to have to settle that civil suit with all of the
individuals who had data breached. And so, let us just say it
is, I do not know, a hundred million dollars. So, then the
United States says, all right, attribution is good. China did
this. The government did this. Here is your hundred million
dollars, and then go and use trade tariffs to essentially make
the United States whole. If we create a system like that, it
can create a deterrent threat to nation-states that are using
cyberattacks as a tool. What do you all think? Is that
something that we should consider doing, Mr. Evanina?
Mr. Evanina. Congressman Timmons, yes, but I will caution
the Subcommittee here that I think the back end of this is the
concern I have looking at Huawei for 15 years. We were able to
get the threat relayed to the Congress who acted and had rip-
and-replace legislation. The problem we have is Huawei is a
legitimate business entity that functions fairly well with an
intelligence collection apparatus tied to it. If we rip it, we
need to replace it with something different. And the trouble we
have had, because we do not have the innovation and technology
based in the United States to replace Huawei, we are still
stuck with Huawei across our country in our telecommunication
systems. So, to your point, I agree with, but we also have to
have something to replace Huawei with when we rip it out.
Mr. Timmons. Mr. Joyce, do you think that the international
community could create this deterrent threat that would hold
China accountable? It is not just China. It is China, North
Korea, Iran, Russia, anybody that is using cyberattacks as
basically a state tool. Is that something that we could do?
Mr. Joyce. I do, Congressman, believe we have got to use
all the elements of our national power, whether it is military,
cyber, but increasingly commercial and tariff-related
activities have proven pretty forceful, and we have seen the
reactions to it. Unfortunately, a lot of these cyber criminals
get to remain in places like North Korea, Russia out of the
reach of law enforcement cooperation, and so we have got to
have other tools beyond law enforcement.
Mr. Timmons. So, I think that we can resolve that by saying
that any individual that is attacking the United States, I
mean, it is no different than the Taliban. I mean, we sent
hundreds of thousands of U.S. soldiers and waged war for
decades in Afghanistan because the Taliban allowed Al-Qaeda to
use it as a base of operations to attack the Twin Towers. So, I
mean, there is no difference if Al-Qaeda was using a computer
in Afghanistan and using code to crash an energy grid in a hot
area in the summer or a cold area in the winter. I mean, it
could legitimately kill thousands and thousands of people if we
are unable to provide heat in the Northeast during a winter
storm. And it would be very easy to do that, and we would have
to hold that individual accountable, but we would have to hold
the country that gave them safe harbor accountable. I mean, do
we agree on this?
Mr. Evanina. I completely agree, and I think your analogy
is right with the terrorism because if Al-Qaeda had pre-
deployed explosives or electrical magnetic capability in New
York City, is that different than Volt Typhoon and what they
are doing here to potentially cause harm to our critical
infrastructure? We have to look at that as a simple model.
Mr. Timmons. And if there was a cyberattack on Goldman
Sachs resulting in a half a billion dollars in damages, are we
not going to then make them whole when they did nothing wrong
versus if Hamas bombs their building? I mean, we are going to
make them whole, so I do not think that we should view a
terrorist cyberattack any differently than we would view a
missile because there is no difference, effectively.
OK. I am over time. Sorry. Thank you for your----
Ms. Mace. I agree. Cybersecurity is national security.
Thank you, Mr. Timmons.
In closing, I want to thank our panelists who are here this
afternoon, once again, for your testimony today.
With that, and without objection, all Members will have 5
legislative days within which to submit materials and to submit
additional written questions for the witnesses, which will then
be forwarded to the witnesses for their response.
So, if there is no further business, without objection, the
Subcommittee stands adjourned.
[Whereupon, at 5:10 p.m., the Subcommittee was adjourned.]