[House Hearing, 119 Congress]
[From the U.S. Government Publishing Office]
SHAPING THE FUTURE OF CYBER DIPLOMACY: REVIEW FOR STATE DEPARTMENT
REAUTHORIZATION
=======================================================================
HEARING
OF THE
SUBCOMMITTEE ON EUROPE
BEFORE THE
COMMITTEE ON FOREIGN AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED NINETEENTH CONGRESS
FIRST SESSION
__________
April 29, 2025
__________
Serial No. 119-14
__________
Printed for the use of the Committee on Foreign Affairs
Available: http://www.foreignaffairs.house.gov, http://docs.house.gov,
or http://www.govinfo.gov
_______
U.S. GOVERNMENT PUBLISHING OFFICE
60-593PDF WASHINGTON : 2025
COMMITTEE ON FOREIGN AFFAIRS
BRIAN J. MAST, Florida, Chairman
MICHAEL T. McCAUL, Texas GREGORY W. MEEKS, New York,
CHRISTOPHER H. SMITH, New Jersey Ranking Member
JOE WILSON, South Carolina BRAD SHERMAN, California
SCOTT PERRY, Pennsylvania GERALD E. CONNOLLY, Virginia
DARRELL ISSA, California WILLIAM R. KEATING, Massachusetts
TIM BURCHETT, Tennessee AMI BERA, California
MARK E. GREEN, Tennessee JOAQUIN CASTRO, Texas
ANDY BARR, Kentucky DINA TITUS, Nevada
RONNY JACKSON, Texas TED LIEU, California
YOUNG KIM, California SARA JACOBS, California
MARIA ELVIRA SALAZAR, Florida SHEILA CHERFILUS-McCORMICK,
BILL HUIZENGA, Michigan Florida
AUMUA AMATA COLEMAN RADEWAGEN, GREG STANTON, Arizona
American Samoa JARED MOSKOWITZ, Florida
WARREN DAVIDSON, Ohio JONATHAN L. JACKSON, Illinois
JAMES R. BAIRD, Indiana SYDNEY KAMLAGER-DOVE, California
THOMAS H. KEAN, JR, New Jersey JIM COSTA, California
MICHAEL LAWLER, New York GABE AMO, Rhode Island
CORY MILLS, Florida KWEISI MFUME, Maryland
RICHARD McCORMICK, Georgia PRAMILA JAYAPAL, Washington
KEITH SELF, Texas GEORGE LATIMER, New York
RYAN K. ZINKE, Montana JOHNNY OLSZEWSKI Jr, Maryland
JAMES C. MOYLAN, Guam JULIE JOHNSON, Texas
ANNA PAULINA LUNA, Florida SARAH McBRIDE, Delaware
JEFFERSON SHREVE, Indiana BRADLEY SCOTT SCHNEIDER, Illinois
SHERI BIGGS, South Carolina MADELEINE DEAN, Pennsylvania
MICHAEL BAUMGARTNER, Washington
RYAN MACKENZIE, Pennsylvania
James Langenderfer, Majority Staff Director
Sajit Gandhi, Minority Staff Director
------
SUBCOMMITTEE ON EUROPE
KEITH SELF, Texas, Chairman
MICHAEL T. McCAUL, Texas          WILLIAM KEATING, Massachusetts,
JOE WILSON, South Carolina          Ranking Member
MARK GREEN, Tennessee             DINA TITUS, Nevada
YOUNG KIM, California             JIM COSTA, California
WARREN DAVIDSON, Ohio             GABE AMO, Rhode Island
ANNA PAULINA LUNA, Florida        JULIE JOHNSON, Texas
                                  SARAH McBRIDE, Delaware
Michael Koren, Subcommittee Staff Director
C O N T E N T S
----------
REPRESENTATIVES
Opening Statement of Subcommittee Chairman Keith Self
Opening Statement of Subcommittee Ranking Member William Keating
WITNESSES
Statement of Annie Fixler, Director, Center on Cyber and
Technology, Foundation For Defense of Democracies
Prepared Statement
Statement of Latesha Love-Grayer, Director, International Affairs
and Trade, U.S. Government Accountability Office
Prepared Statement
Statement of Theodore Nemeroff, Co-Founder and Vice President for
Data and Compliance, Verific AI
Prepared Statement
APPENDIX
Hearing Notice
Hearing Minutes
Hearing Attendance
Questions for the Record
Questions for the Record submitted to Ms. Latesha Love-Grayer
from Rep. Gabe Amo
SHAPING THE FUTURE OF CYBER DIPLOMACY: REVIEW FOR STATE DEPARTMENT
REAUTHORIZATION
----------
Tuesday, April 29, 2025
House of Representatives,
Subcommittee on Europe,
Committee on Foreign Affairs,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:19 p.m., in
room 2200, Rayburn House Office Building, Hon. Keith Self
(chairman of the subcommittee) presiding.
Mr. Self. The Subcommittee on Europe will come to order.
The purpose of this hearing is to discuss the subcommittee's
areas of jurisdiction for the State Department authorization,
which includes the Bureau of Cyberspace and Digital Policy.
I now recognize myself for an opening statement.
OPENING STATEMENT OF CHAIRMAN KEITH SELF
I want to welcome members and witnesses to the Subcommittee
on Europe's second hearing on State Department reauthorization.
Today, the subcommittee will be exploring the role of the State
Department in cyber and technology matters, and how such
policies might align with U.S. national security interests and
foreign policy objectives. In particular, we will be examining
the work of the Bureau of Cyberspace and Digital Policy, or
CDP. Across the globe malicious cyber attacks are conducted by
state and non-state actors against the United States and its
allies, including from the People's Republic of China, from
cyber criminals scamming individuals out of their savings to
large scale state-sponsored attacks from America's adversaries.
U.S. Government entities and citizens are increasingly under
siege. For years, PRC-supported hackers have buried deep into
critical infrastructure, including water transportation
networks and energy systems.
According to the 2025 annual worldwide threats assessment
of the U.S. IC, intelligence community, the PRC remains the
most active and persistent cyber threat to U.S. Government
private sector and critical structure networks. Beijing's
campaign to preposition access on critical infrastructure for
attacks during crisis or conflict, tracking publicly as Volt
Typhoon, or its more recently identified compromise of U.S.
telecommunications infrastructure, also referred to as Salt
Typhoon, demonstrates the growing breadth and depth of the
PRC's capability to compromise U.S. infrastructure.
Russia also poses a significant cyber threat with its
efforts to compromise sensitive targets for intelligence
collection and to preposition access to U.S. critical
infrastructure. In addition to Beijing and Moscow, Tehran has
demonstrated an increasing willingness to carry out aggressive
cyber operations to the security of U.S. networks and data.
Furthermore, Pyongyang's cyber program presents a highly
capable and maturing threat, including an approach to launder
and cash out cryptocurrency from the United States and other
victims to fund its nefarious activities. As cyber becomes a
growing battlefield for criminal networks and malign actors,
the State Department must be ready to meet the challenge. The
U.S. is not facing these real and growing threats alone, it
took cooperation with our allies and our partners. The U.S.
will continue to work to combat and align cyber activities from
PRC, Iran, North Korea and Russia.
Since the recent establishment of CDP, it has played a role
in the U.S. response to a major ransomware campaign in Costa
Rica that disrupted critical services. In particular, CDP,
alongside other Federal partners, worked to strengthen Costa
Rica's cyber defenses against attacks from malicious actors
threatening the security of both our countries. It has also
worked to identify strategic opportunities to leverage partner
resources to further U.S. strategic objectives through subsea
cable projects in the Pacific Islands.
Such efforts ensure that the Pacific Islands rely on
trusted, primarily American businesses for their internet
connectivity while also countering the PRC's influence in the
strategically important region. On the other hand, the
Department of State agreement on a cybercrime U.N. treaty that
conflicted with CDP policy lead and recommendations begs the
question of the actual authority wielded by CDP. This hearing
should lead us toward conclusions on how to improve CDP
efficiency and effectiveness in this vital area of national
interest and security.
As we move through this reauthorization process, the
experience and insights from today's witnesses will help inform
this subcommittee on the State Department's cyber diplomacy
role in addressing these increasingly important challenges.
I look forward to hearing your testimony and
recommendations. The chair now recognizes the ranking member,
the gentleman from Massachusetts, Mr. Keating, for any
statement he may have.
OPENING STATEMENT OF RANKING MEMBER WILLIAM KEATING
Mr. Keating. Thank you, Mr. Chairman and to our witnesses
for being here today. For years, bipartisan members of this
committee have recognized the necessity for the State
Department to take on the important task of cyber diplomacy. In
2021, the Biden administration announced the creation of the
Bureau of Cyberspace and Digital Policy, CDP, with bipartisan
support and the Department of State Authorization Act of 2022
authorized the CDP Bureau into statute, an important step in
recognizing the need for a robust and comprehensive approach to
cyber diplomacy.
With the CDP bureau established in statute, its work in
conjunction with this committee to lead the State Department's
diplomatic cyberspace and cybersecurity efforts encompassing
both hard security and economic policy. As our adversaries,
Russia, China, Iran and North Korea, each take different
approaches to undermining U.S. actions in cyberspace,
bolstering U.S. cyber capability through a strong CDP bureau is
more important than ever.
The CDP bureau has worked to advance U.S. interest in
cyberspace across multiple lines of effort. For example,
following the 2022 ransomware attack in Costa Rica by a
Russian-linked cyber crime group, the CDP bureau provided
swift, decisive support to Costa Ricans and their authorities
to bolster the country's digital defenses and resiliency. This
emergency support was critical to ensure that a partner in our
own hemisphere was able to effectively respond to an
unprecedented attack. Similarly, the State Department worked to
strengthen Ukraine's cyber defenses in the midst of Russia's
full-scale, illegal invasion of the country through the digital
connectivity cybersecurity partnership program, a joint venture
by the Department of USAID.
These are just a few examples of the CDP bureau's important
work to bolster our allies and partners while promoting
American values and security in cyberspace.
While I appreciate the opportunity to talk about an
important bureau, which has long maintained bipartisan support,
it is unfortunately clear that neither this majority nor the
Trump administration has any interest or intent to engage
constructively on a reauthorization of the State Department.
Last week, Secretary Rubio unveiled a proposed
reauthorization plan for the State Department without any
meaningful consultation with Congress. Reorganization would
decimate the Department's cyber policy tools by splitting it in
half. CDP's economic structures would be moved under the
economic family of the bureau and CDP's hard security offices
would be placed in a new emerging threats bureau. This move
will create exactly the duplication and the waste this
administration says it seeks to avoid. Even more concerning, it
deprioritizes a crosscutting issue that needs to be tackled
holistically and at the highest levels.
Our witnesses here today and many experts in the field have
all pointed out the importance of capacity building in
cyberspace and maintaining and recruiting the skills required
for qualified cyber diplomacy workforce.
Unfortunately, rather than invest in capacity building in
places like Costa Rica and Ukraine, the Trump administration
has slashed the U.S. foreign assistance budget and illegally
eliminated USAID, a chief implementer with capacity-building
programs.
At the same time, GAO and Ms. Love-Grayer, they found out
that nonpartisan report, that while CDP is currently staffed
and fully operational, it needs to train existing staff and
hire more people to meet its growth plans. Rather than seeking
to recruit and train staff, the Trump administration has
attacked and politicized the Federal workforce, leaving a
legacy of destruction and indeed distrust.
Finally, rather than listen to the advice of experts,
consult with industry professionals and engage with the State
Department, this committee has effectively served as a rubber
stamp for the administration's destructive actions.
Ms. Fixler, you concluded in an article on March 17th the
capacity building program, including those implemented by
USAID, are not merely altruistic endeavors, they advance
critical U.S. interest. Ms. Love-Grayer, your nonpartisan 2024
GAO report concluded that the State Department provides foreign
assistance to strengthen partner capacity and to promote cyber
norms to achieve U.S. cyber policy objectives.
Mr. Nemeroff, your testimony points out that a well-placed
cybersecurity foreign assistance project can make all the
difference in leveling the playing field for our companies and
private investments in countries that still deeply respect U.S.
tech leadership. Yet rather than invite an administration witness
here from the CDP bureau to testify on the effectiveness of the
bureau's programming or implement the advice of experts like
our witnesses here today, the chair of the full committee and
many of my major majority colleagues have already
wholeheartedly endorsed the administration's reorganization
plans. This is a troubling abdication of the oversight
responsibilities of this committee, and an elimination of the
Article I authority of this Congress.
I look forward to the testimony of our witnesses here
today. I would strongly urge my majority colleagues to listen
to what they have to say, work to reauthorize the State
Department in a way that serves the interest of the American
public, and move this important issue to the forefront.
I yield the balance of my time.
Mr. Self. Other members of the committee are reminded that
opening statements may be submitted for the record.
We are pleased to have a distinguished panel of witnesses
before us today on this important topic. Ms. Annie Fixler,
Director of Center on Cyber and Technology at the Foundation
for Defense of Democracies; Ms. Latesha Love-Grayer, Director
of International Affairs and Trade at the U.S. GAO; and Mr.
Theodore Nemeroff, cofounder and Vice President for Data and
Compliance at Verific AI.
This committee recognizes the importance of the issues
before us and is grateful to have you here to speak with us
today. Thank you. Your full statements will be made part of the
record. And I will ask each of you to keep your spoken remarks
to 5 minutes in order to allow time for our member questions.
I now recognize Ms. Fixler for your opening statement.
STATEMENT OF ANNIE FIXLER
Ms. Fixler. Thank you, Chairman Self, Ranking Member
Keating, and distinguished members of the committee, on
behalf----
Mr. Self. Would you check your mic, or get closer to it?
Ms. Fixler. Sorry.
Mr. Self. Pull it close to you.
Ms. Fixler. Better?
Mr. Self. Try it.
Ms. Fixler. Thank you, Chairman Self, Ranking Member
Keating, and distinguished members of the committee, on behalf
of the Foundation for Defense of Democracies, thank you for
inviting me to testify today.
For years, on a bipartisan basis, members of this committee
pushed the State Department to better organize itself to defend
U.S. national security in cyberspace. Two and a half years
after creating the Bureau of Cyberspace and Digital Policy,
this committee must assess its performance, expand its
successes and address its shortcomings. This hearing is
particularly timely, given the Department's proposed
reauthorization which appears to put its cybersecurity efforts
at risk and contradict congressional guidance to integrate
cybersecurity and digital economy efforts.
In my written testimony, I describe the successes the
bureau has been able to achieve because of this integration. I
would like to take this opportunity to summarize the threat we
face and the role State's cyber bureau should play.
Every day malicious cyber operators sitting in remote
corners of the world attack our critical infrastructure. Across
energy transportation and communication systems, China has
prepositioned destructive capabilities. Beijing is prepared to
use crippling cyber attacks to induce societal panic and
interfere with our ability to project power.
During the Biden administration, we issued stern warnings
but failed to deter Chinese aggression. Trump administration
officials and Members of Congress have rightfully articulated
that our Nation needs to go on the offense and punish those who
use cyberspace to do us harm. And we need better defense to
deny our adversaries their objectives.
The cyber bureau plays a critical role in both. Over the
course of its short tenure it has demonstrated it understands
these priorities and can execute the mission.
Congress tasked the bureau with managing a unique cyber
assistance fund because lawmakers recognized it took far too
long for us to respond to incidents overseas that might cascade
and hit our homeland. Now in as little as 2 days, the bureau
can airdrop expertise into partner countries.
The Department bolsters allied law enforcement capability
to investigate cyber crime and prosecute the offenders and
convinces those same allies and partners to join us when we
call out bad behavior.
The first step to getting our allies and partners to impose
costs on China is for them to agree that a cyber attack has
occurred and that Beijing is to blame. The bureau helps allies
and partners proactively build cyber resilience. On this, our
strategic priorities are clear: We need the countries that we
fight with and through to have resilient infrastructure.
Resilience buys America time to deploy a range of policy
responses. Had Ukraine succumbed to Russian cyber attacks,
Washington could not have provided the lethal aid that has
helped Kyiv substantially degrade the military capabilities of
a leading U.S. adversary.
Last summer, FDD led a tabletop exercise in Taiwan,
exploring Chinese cyber enabled economic warfare against the
island. In the game, the thing that gave Beijing the greatest
pause was not U.S. countermeasures, but an assessment that
Taiwan could withstand the attack. If China believed that
Taiwan could survive, it would refrain from attacking in the
first place, lest Taiwan's strengths reveal the CCP's limits.
Resilience has a deterrent power all its own. But building the
resilience of allies and partners will be a Sisyphean task if
the telecommunications infrastructure underpinning all of it is
built by China.
The U.S. military does not have operational security if
Beijing is listening on the line. In the CHIPS Act, Congress
tasked and funded efforts at State to secure information
communications technology. The cyber bureau is wisely using its
portion on undersea cables in the Indo-Pacific.
When Congress created the bureau, lawmakers rightfully
articulated that its head must be a principal cybersecurity
policy official in the Department. It also needs permanent
staff billets so that the funding Congress appropriates is spent
wisely and efficiently. There is a battle underway in
cyberspace. Without a robust cyber bureau, we will not win.
Thank you for inviting me to testify today. I look forward
to your questions.
[The prepared statement of Ms. Fixler follows:]
Mr. Self. Thank you, Ms. Fixler.
I now recognize Ms. Love-Grayer for your opening statement.
Welcome.
STATEMENT OF LATESHA LOVE-GRAYER
Ms. Love-Grayer. Chairman Self, Ranking Member Keating, and
members of the subcommittee, thank you for the opportunity to
discuss our work on the Bureau of Cyberspace and Digital Policy
known as CDP. As international trade communication and critical
infrastructure grow more dependent on cyberspace and digital
technology, there is an opportunity to advance U.S. interests
in this digital ecosystem. But also an increase in foreign
cyber threats. Foreign governments and non-state actors are
increasingly using cyberspace as a platform to target critical
infrastructure and our citizens, undermine democracies and
international institutions and undercut global competition by
stealing ideas when they cannot create them. These are among
the reasons that GAO has identified information security as a
high-risk issue.
In April 2022, State established CDP to lead U.S.
Government international efforts to advance our interest in
cyberspace, which State defines as cyber diplomacy. Its
overarching objectives included building coalitions,
strengthening capacity and reinforcing norms in cyberspace.
State uses two main tools to implement the cyber diplomacy
mission, diplomatic engagement and leadership and multilateral
and bilateral fora and foreign assistance that provide training
and technical assistance to our international partners.
Examples of the diplomatic efforts include engaging with
the European Union to develop shared principles in the 6G
wireless network. And supporting the negotiation process of the
U.N. cybercrime convention, which appropriately, if
appropriately ratified, would facilitate international
cooperation to combat cyber crime.
As Congress considers State's reauthorization, my statement
today is intended to help inform the discussion about the cyber
diplomacy efforts and was based primarily on the reports that
we have issued between September 2020 and January 2024 related
to those efforts.
State's cyber diplomacy efforts have evolved between 2011
and the present. Between 2011 and 2018, State established the
Office of the Coordinator of Cyber Issues to lead global
diplomatic engagement and developed an international cyberspace
policy strategy document among other efforts. In January 2019,
Members of Congress introduced the Cyber Diplomacy Act of 2019,
which would have established a new office to lead State's
international cyberspace efforts and consolidate a range of
crosscutting cyber issues.
Later that year, State notified Congress of its intent to
establish a bureau that was more narrowly focused on
cybersecurity. In September 2020 and January 2021, we assessed
these efforts to establish the cyber bureau. We found that it
had not involved other Federal agencies that contributed to
international cyber diplomacy and the development of its plan
and recommended that it do so.
We also found that State had not demonstrated that it had
used data and evidence to develop its proposal for establishing
the bureau, and therefore, lacked assurance that its proposal
would effectively set priorities and allocate resources to
achieve those goals. We recommended that it do so.
In response, State consulted other key Federal agencies and
its planning and collected data and evidence to inform its
approach, which resulted in changes to the final plan for the
bureau.
Once the bureau was established, we examined how it was
structured to accomplish its goals. CDP contains four units,
including the office of the coordinator for digital freedom,
international information and communications policy,
international cyberspace security, and a strategies program in
communications unit. The new consolidated bureau and the
appointment of a Senate-confirmed Ambassador at large to lead
it elevated cyber issues in State's diplomatic engagement, that
Ambassador engaged with various other country senior leaders on
advancing cyber goals.
As an example, in August 2023 the Ambassador headed the
U.S. delegation to the G-20 digital economy ministerial meeting
he highlighted U.S. views and priorities on digital economy
topics.
In addition, we reported that CDP's status as a bureau
provided senior-level support, resources, and involvement, that
did not exist before. Although State's efforts to promote cyber
diplomacy have evolved, challenges remained. Among them clearly
defining CDP's roles and responsibilities across overlapping
issues with other inter, intra and inter agencies that conduct
work in cyber diplomacy, especially given the breadth of cyber
issues, as well as ensuring that the bureau has sufficient
expertise to carry out its goals.
These are among the challenges that the bureau will still
need to effectively navigate to lead cyber diplomacy in the
future, especially as State considers streamlining its functions
and addressing any new priorities of the administration.
Chairman Self, Ranking Member Keating and members of the
subcommittee, this concludes my oral statement. I would be
happy to take questions at this time.
[The prepared statement of Ms. Love-Grayer follows:]
Mr. Self. Thank you, Ms. Love-Grayer.
I now recognize Mr. Nemeroff for his opening statement,
welcome.
STATEMENT OF THEODORE NEMEROFF
Mr. Nemeroff. Chairman Self, Ranking Member Keating,
distinguished members of the subcommittee, thank you for the
opportunity to testify today. My remarks are drawn from my
written testimony and offered in my personal capacity.
This subcommittee is reviewing the Cyber Diplomacy Act at a
critical time. American leadership and key technologies,
especially AI, positions us to shape the global technological
ecosystem in ways that align with our values and benefit U.S.
national and economic security. But our vision is contested, as
my colleagues here have really effectively outlined. China poses
the greatest and most comprehensive challenge to U.S.
leadership, leveraging both economic and security tools to
advance its goals. Russia, Iran and North Korea also pose
significant threats and ransomware actors operating with
impunity from Russian territory routinely disrupt our
businesses, our hospitals and our schools.
Through the Cyber Diplomacy Act, this committee has helped
ensure the State Department is better prepared to meet these
challenges. A key strength of Congress' vision was to integrate
national security, economic and human rights equities in CDP.
This has increased efficiency and reduced redundancy within the
Department, and unlocked opportunities to face the challenge
posed by China in particular in more comprehensive and
strategic ways. But we can always do better. I recommend going
forward focusing on four areas: First, CDP should take further
steps to organize itself around a full-stack approach to cyber
and digital diplomacy. Whether our adversaries gain access to
critical systems through hacking or by selling untrusted
undersea cables data centers or 5G, it all harms our national
security, and the Department needs to think about this all
together.
A full stack approach enables us to see the full picture
and leverage engagements at one layer to have influence at
others. For example, the way that our cyber support to Costa
Rica, which has been cited several times already, has, since
2022, opened the door to deeper cooperation with the country on
telecom issues.
Second, CDP should continue to lead efforts to deter
adversaries that behave irresponsibly. Cyber deterrence is not
like nuclear deterrence. It requires a dynamic and constant
effort, warning adversaries about activities we won't accept
and then swiftly, preferably with allies, responding to
activities that cross our lines by imposing meaningful
consequences.
This effort started in the first Trump administration with
coordinated international responses to incidents like Russia's
2017 NotPetya cyber attack, and it continued in the Biden
administration with actions like our response to Iran's brazen
2022 cyber attack against Albania, attempting to coerce a NATO
ally.
Third, CDP should continue to take on a more operational
role, especially in incident response, and by using diplomatic
channels to support whole-of-government adversary disruption
campaigns. These activities show clear gaps in interagency
capabilities that I saw when I was at NSC working on issues
around Ukraine and others.
I want to particularly highlight the potential for CDP's
recently piloted falcon capability which allows State to
rapidly deploy private sector incident responders to countries
in need.
Finally, I want to emphasize the importance of foreign
assistance and development finance. We are in a global tech
competition with China. We need every tool possible to level
the playing field for our companies against China's subsidies
and hardball tactics. And a well-placed cyber assistance
project, or a well-timed loan can make all the difference. CDP
needs funding to provide specialized foreign assistance where
it is most needed, and it should be empowered to build a
coordinated, full-stack investment strategy across the
interagency, including with institutions like development
finance corporation.
This subcommittee has been--we will be reauthorized in the
Cyber Diplomacy Act, alongside the administration's recently
announced plans to reorganize the Department.
I offer four key questions to consider as you decide on the
way ahead: First, does the proposed restructuring enable the
type of integrated approach I have discussed today? Second,
does it maintain the requisite attention authority and
responsibility of the Department's most senior leaders, the
ones who can make this a priority in State's regionally oriented
work?
Third, does it sustain and ideally accelerate efforts to
build a technology savvy workforce? And fourth, does the
proposed budget provide the resources required for this
critical mission set?
I want to thank this subcommittee for its continuing
leadership and I look forward to your questions.
[The prepared statement of Mr. Nemeroff follows:]
Mr. Self. Thank you, Mr. Nemeroff.
I now recognize myself for 5 minutes of questioning. A
series of questions, Ms. Fixler. You say Taiwan survived the
attack. What did you mean when you say, survived the attack? Is
that physical or is that cyber? What are you referring to?
Ms. Fixler. Sure, so in the tabletop exercise we did, it was
a series of economic and cyber attacks that were testing the
societal resilience of Taiwan to withstand Chinese aggression
and withstand efforts to coerce its policy to agree to a
reunification with the mainland, so it was a societal and cyber
resilience. And if the CCP judged that Taiwan could survive the
pressure campaign, it might actually----
Mr. Self. By not go kinetic.
Ms. Fixler. Yes.
Mr. Self. Okay. I want to read something to you. Yesterday,
probably everyone in this room was aware of the three-nation
outage in Europe. I got back from Europe a week ago Saturday,
so this is from the Siemens Security Advisory, just to show you
how important this issue is, the point of origin for the
blackout possibly originated--when they say possibly, they are
not definitively saying something, but I believe that they
believe this, possibly originated in a high-voltage substation
in the Basque region of northern Spain specifically near Balboa
at the substation that they named. The potential method of
sabotage was a sophisticated cyber attack targeting the
substation SCADA system, injecting malware that overloaded
transformers and triggered a cascading failure across the
European grid. The malware exploited a known vulnerability in
the Siemens system and they listed that.
So Ms. Fixler, you, in your testimony you mentioned the
need for partners and allies to be cyber resilient. When I was
in Europe, I talked to both politicals in Europe and to our
U.S. military, and they made the U.S. military from the SAC
(ph) on down said that we need to be aware that their
infrastructure to include cyber needs to support our war plans.
Can you elaborate on what you said about their vulnerable
infrastructure impacts our national security?
Ms. Fixler. Sure, thank you so much for the question. So we
recently at FDD issued a report looking at military mobility,
specifically the way that U.S. military forces rely on civilian
critical infrastructure to move men and material in the United
States. That is true as well overseas, and we intend to look
more closely at the infrastructure in our NATO allies and how
it must be secure so that our troops have secure transportation
infrastructure, telecommunications infrastructure, because all
of our forces rely not on infrastructure-owned and operated
exclusively by the Defense Department, but by civilian-owned
infrastructure. So that infrastructure must be resilient to
secure our forces overseas.
Mr. Self. Thank you. Ms. Love-Grayer, in what way has the
CDP worked with other agencies to advance cyber diplomacy? How
does that impact national interest, defense interest? And where
is the coordination point? And who holds the big stick, I will
call it, in this area, cyber diplomacy?
Ms. Love-Grayer. Thank you for that question. I actually
have several examples. But I want to use one that connects to
what you just mentioned. So the DOD has an operation called
Hunt Forward, where they assist our partner countries by
assessing their vulnerabilities in their cyber systems. CDP
partners with them by going in afterward and actually providing
the technical assistance and capacity building needed to
address the vulnerability that they have identified. And so
again, if we are partners with those countries and we are
working with them closely, we may even have our own troops in
those countries. It is important to not only identify the
vulnerabilities, but to help them to address it.
In terms of the coordination, there are various ways that
CDP coordinates that we found in our audit. There is informal
regular meetings between the heads of corporations and the
agencies and with private sector corporations. But also, there
is formal interagency agreements. So CDP at the time that we
conducted our audit had 11 different agreements with different
agencies such as DOD, Department of Commerce, the FCC, DHS,
USAID and others. And these interagency agreements allowed them
to partner with these other agencies who have specific
capabilities and skill sets that could be used to provide,
again, technical assistance and capacity building to other
countries.
Who has the big stick? At the moment, it depends on--I
would say, depending on what you call the big stick. I think
who has the mandate for cyber diplomacy is CDP. Sometimes it is
the other agencies who might have the technical expertise or
even the funding. CDP does provide foreign-assistance funding,
but in other cases they may just partner. So CDP has the
mandate and there are a number of other players who have
different types of capabilities that they bring to the table.
Mr. Self. Very good. I now recognize Ranking Member Keating
for 5 minutes.
Mr. Keating. Thank you, Mr. Chairman.
I think when we use terms like cyber diplomacy and other
terms like that, it really doesn't give us back to the real
threat that we have. It sounds something that wouldn't be like
a direct kinetic attack or something that we had.
But cyber, unlike other kinds of warfare, or other kinds of
threats, there is no barriers there, there is no wall that can
be built, there is no ocean that stands between these threats.
They are global and they have to be approached globally. And
so, we really rely hard on our allies in this area even more in
some respects than we would through conventional kinds of
threats that we deal with. So how important is it to have us
make sure we are working in these areas, making sure we are
funding the cuts to USAID and the other things that could have
an effect on our ability to work with our allies? Because if we
are working America alone will just not work when it comes to
cyber. So how great a threat is that and what should we be
looking for? Mr. Nemeroff.
Mr. Nemeroff. Thank you. I think it is a long old saying
that cybersecurity is a team sport, both within the interagency
and with our allies and partners. The key thing is to be able
to work with allies and partners at different levels of cyber
capacity and cyber capability. So in NATO, for example, we work
across the board to try to raise the level of cyber hygiene and
cyber capability. And then with particular countries,
particularly those that are foreign-assistance eligible,
foreign assistance is a fantastic lever to be able to help them
help themselves. I think that is the key piece of this. Albania
is a NATO ally. Albania was targeted by Iran by a major cyber
attack that I think really implicated alliance-wide issues, and
having foreign assistance as a way to get them to raise their
capability was an important way of achieving our policy goals
and to make the alliance safer.
Mr. Keating. I think readiness is a really clear
comparative here too, because timing is so important. Ms.
Fixler, you mentioned how quickly the response has to be, and
that is critical to being able to deal with this. And it has to
be in place ahead of time.
So another question I have, in our own internal domestic
workforces there to support this, I am concerned with a lot of
these cuts that are going on and the effects on the workforce
and the expertise that could be walking out the door here, how
important is it to have a workforce that is already trained,
experienced, in place? And what would happen through
reorganization or cuts, that that was reduced and we lost that?
How much of a threat would that create?
Ms. Fixler. I would just say that thank you for the
question. Recruiting and retaining technical talent is a
persistent problem in the Federal Government across the Federal
Government. At least part of it is a pipeline problem. We need
a lot more STEM graduates. We need a lot more folks focused and
pursuing cybersecurity degrees. Not all of them need to be 4-year
degrees, associates degrees are great, on-the-job training
is great, apprenticeships are great. And so I am particularly
heartened by some of the efforts in this Congress to focus on
cyber workforce, including things like the PIVOT Act providing
a faster way for community college graduates to get into the
Federal Government with cyber degrees, because we need a lot of
cyber professionals in our government to focus on cybersecurity
and the intersection between cybersecurity and national
security.
Ms. Love-Grayer. I will just add a few thoughts to this.
One of the concerns that we had after we conducted our review
on CDP is that they did need to recruit a specific type of
official. They needed someone who had not just technical
capability, but also diplomacy skills. And competing for that,
as we spoke with the former Ambassador of CDP, he noted it is
very hard to compete with the private sector for individuals
who can harness both of those skill sets. And so having the
staff is once you get them on board keeping them and helping
them to grow and understand the issues is important, but also
having staff who can really cover the range. There is a broad
spectrum of issues involved in cyber diplomacy.
Mr. Keating. Yes, with 30 seconds left too, Mr. Nemeroff
mentioned AI, and this is just going to accentuate and
geometrically affect our ability to respond in any timely
fashion. And one of my concerns is with the reorganization,
there could be siloing of different functions. And the whole
point is to bring it all together and perhaps any kind of
written responses that you might have, since my time is running
out, you could really comment in greater detail on the threat
of that siloing and how--we should be looking at
reorganizations so that there is not greater difficulty in
being able to respond to these really critical threats. I yield
back.
Mr. Self. I now recognize Mr. Davidson for 5 minutes.
Mr. Davidson. Thank you, Chairman. Thanks to our witnesses
for your testimony and your preparation for this hearing.
Ms. Fixler, you argued in a March 17 op-ed that cuts to
USAID harm our cyber assistance to allies and partners. I mean,
by definition, if we don't give them money, we are harming the
assistance, but are they really harmed? And I guess to what
extent do we want to preserve it? I think you make the case
that this could and should be consolidated under CDP. What is
the appropriate amount and kind of cyber assistance that the
United States should be distributing?
Ms. Fixler. Sure, thank you for the question. So I think
one of the things that CDP has demonstrated it is good at is
using a little bit of U.S. foreign assistance, marrying that
with assistance from U.S. partners and allies and private
sector investment. So I will talk about the undersea cables
area because that I think is where this shines. U.S. technology
companies, communications companies are making major
investments in undersea cables. They are interested in
connecting major population centers because that makes sense
from a market perspective.
When CDP is able to get involved, it can use a little bit
of foreign assistance, find U.S. partners and allies who are
interested in the issue, and then combine that with the private
sector investment so that we look at it from a strategic
perspective. And we don't just focus on the market, but also on
where it matters for U.S. military capabilities, particularly
in the south--the Indo-Pacific, but that is applicable in other
areas as well.
Mr. Davidson. Yes, thank you for a very concrete
illustration. And as you talk about blending public sector work
to try to foster some private sector investment, one of the big
things that we are trying to do as a Congress, really as a
country, but we need a law that my other subcommittee might as
chairman of the national security, I went to finance, we are
working on outbound investment. So I wonder, Mr. Nemeroff, as
you think about AI, in particular, one of the most rapidly
changing tech sectors and you think about cyber and other
factors, what kinds of things ought we to consider within
cybersecurity? I think the real tension comes between one
approach that says, we don't want American companies investing
in AI outside of America, or maybe a more concrete example that
uses kind of the financial services' Treasury thing and saying,
Here is specifically who we don't want you investing with. What
are the tradeoffs there and what is your view?
Mr. Nemeroff. Thank you. So there was a hot AI competition
happening right now among companies and among countries. And we
have to think very strategically about that. Cybersecurity
comes into it in a lot of different places, but critically in
this area in protecting the hard-won IP that our companies
produce in developing AI models. And so, I think it is
important to be thoughtful when one is building data centers
anywhere, whether it is here in the United States or elsewhere,
how do we build in the right cybersecurity systems in order to
protect--and protect our assets from others who might try to
steal them for advantage?
Mr. Davidson. Yes, nation states that might use their
intelligence services to steal American intellectual property.
Mr. Nemeroff. Absolutely.
Mr. Davidson. Like China?
Mr. Nemeroff. Like China.
Mr. Davidson. All right. So that is exactly what we are
trying to cut off. And of course they don't say, Hey, we are
with the Chinese intelligence service, they set up companies
and they use it to steal it. That is why we really want to go
with a sanctioned-oriented approach. I think where you go named
individuals and named companies that basically you create a
burn list and which keep it going.
So we will see where that goes but hopefully, we will get
that done.
You know, one of the tradeoffs there is always civil
liberties, so we find people that say, You know, we are really
concerned about freedom of speech, Congress, of course, isn't,
according to the First Amendment, supposed to make any laws
abridging the freedom of speech. What can our committee do by
working with CDP, because that was the claim that they were
just combating misinformation and disinformation. When CISA was
frankly it seemed pretty Orwellian, I mean a lot of my
constituents had a lot of concerns about an American Big
Government agency saying what an American citizen is saying is
somehow foreign misinformation. How do we get that right?
Mr. Nemeroff. Fundamentally, the First Amendment kind of
has to be at the bedrock of everything that we do. We do have a
challenge that adversaries seek to use the openness of our
system to exploit and disrupt or cause--to advance their
agenda, that has got to be a part of the consideration. CDP's
focus primarily has been on promoting freedom of expression and
digital freedom abroad, and in particular, safeguarding our
networks and other people's networks from cyber threats.
Mr. Davidson. I think that is the proper focus. I think CISA
definitely got it wrong and frankly some of these agencies that
were created to defend America were weaponized against American
citizens. We want to make sure that we prevent that from
happening. Maybe the best way to do that is to hold some of
those former officials accountable.
Thanks. My time has expired. I yield back.
Mr. Self. I now recognize Representative Amo, Mr. Amo?
Mr. Amo. Thank you, Chairman Self. And thank you to our
witnesses for being here. Look, it is no secret that digital
technologies are quickly evolving, brain--greater connectivity
and new and emerging threats. And these threats are not unique
to the United States. They transcend borders and affect their
allies from across the world. They require close collaboration
and global solutions. And starting under the first Trump
administration there was bipartisan consensus that America
needed a crosscutting bureau, reporting directly to senior
State Department leadership that could coordinate the various
elements of cyberspace, digital technologies and global digital
governance.
The Bureau of Cyberspace and Digital Policy, and I know we
are all associated with the acronym CDP now was born in 2022.
And its mission, I think, is one to come back to, to
underscore, to ensure an open, secure, and reliable internet, a
necessity to promote democratic values like privacy, freedom of
expression, access through information.
CDP made our foreign cyber policy more efficient and
streamlined our cyber diplomacy. But Secretary Rubio's new
reorganization plan for the State Department breaks CDP. And I
think it is important to highlight these changes. It is
separating its economic functions and moving cybersecurity into
the new emerging threats branch. This plan undermines the core
reason CDP was created, again streamlining international cyber
policy.
It is not efficient to create overlapping and redundant
mandates. It is not efficient to jeopardize how CDP coordinates
cyber policy with the Department of Defense, Homeland Security
and the intelligence community. And it is not efficient to
jeopardize the essential work that CDP does, alongside the
Cybersecurity and Infrastructure Security Agency, or CISA,
because we know that CDP manages programs for CISA that
provides training and resources to protect targeted countries
from cyber attacks. And given that CISA already faces drastic
cuts to their programs, thanks to the actions of President
Trump and Elon Musk, ending coordination with CDP could cause
tremendous harm in keeping Americans safe.
So Ms. Love-Grayer, how does CDP coordinate with CISA to
ensure that we have a comprehensive strategy for cyber
diplomacy? And how would the plan on the table from Secretary
Rubio split up--splits up CDP, affect their collaboration with
agencies like CISA?
Ms. Love-Grayer. In the past we found that CDP, and in
particular, the Ambassador-at-large who led it, coordinated
very closely with CISA, with the Office of the National Cyber
Director to ensure that our domestic policy and our foreign
policy, our foreign facing policy aligned so that our views,
our perspectives, our policy interests, and our values would be
represented in the foreign policy that we had as we faced and
engaged with our multilateral organizations. So there was a lot
of coordination there.
At the same time, the views and the interests and the
issues that the Ambassador heard out in the world, he would
bring back to our leaders here on the domestic side to ensure
that we could learn from that as well, that we were using that
to inform our strategies and our own protections at home. So
that collaboration we found to be pretty important.
In terms of where they sat, it was very important that the
Ambassador did report to the deputy secretary because he had
more direct influence and the ability to get leadership support
on major decisions. That coordination sat above all the other
bureaus, and so there was a higher level of gravitas that was
given to CDP in being able to garner resources and support
across the Department is what we found. So breaking that up
could look different in the future.
Mr. Amo. And no better time to elevate and make sure that
gravitas of that coordination is central while the threats grow
by the day.
Before I wrap up here, last week back at home in Rhode
Island, I joined Rhode Island College to recognize their
designation as a National Security Agency center of academic
excellence. And during that time we spent together, we
discussed the need for a well-trained and stable cybersecurity
workforce and a pipeline. And one of the things that I
certainly would welcome your responses in writing as my time
wraps up, we have seen this disdain from a President for public
service and Federal workers and firing employees. And so, I
want to ask a different version of what the ranking member
asked previously just to assess the firing and how it has--of
workers and how it has affected our future ability to attract.
And I know that might require you to speculate a little bit,
but clearly, there is an impact, a lasting impact that in the
termination of employees, you know, for no reason will have on
the cybersecurity workforce. It will make us less safe. And I
welcome your thoughts on that in the future. With that, I yield
back.
Mr. Self. Thank you. Before I introduce our next speaker,
the ranking member has asked for a comment.
Mr. Keating. Thank you, Mr. Chairman.
As you are aware, since our last hearing, we had a
discussion, and you expressed that you intend to continue a
manner of introduction of a member that at a minimum, is not
becoming of this committee. I hope you reconsider. I want to
make clear my objection to the harmful, wrong-minded language
of the chairman's introduction. It is the wrong way to treat
duly elected Members of Congress. It is the wrong way to treat
a colleague. The wrong way to treat any individual. The
chairman knows, I suggested to both maintain dignity and
respect the committee, while continuing our committee's focus
on policy issues, that the chairman simply address members by
their title if he wants, Representative. But the chairman has
said to me that he can't do that because it is just not him.
Representative McBride, on the other hand, has publicly
indicated this had he wants to focus on committee policy at
hand. Representative McBride has identified who she is, the
chairman has identified who he is. And I think it is something
to reflect on each time her introduction is disrespectfully
invoked.
I yield back.
Mr. Self. With that, in order--I find myself in the
position in order to maintain the parliamentary integrity of
this hearing with being the lone majority member here, I would
like to recognize Representative McBride.
Ms. McBride. Thank you, Mr. Chairman. I appreciate that,
thank you. That means a lot. And thank you, Ranking Member
Keating, for your friendship and your support. Thank you so
much to our witnesses for joining us today for your
perseverance through a hearing.
Cyber diplomacy has never been more important to American
national security interests, and it will continue to grow in
its significance in the years to come. This is why the
administration's proposal to reorganize the Bureau of
Cyberspace and Digital Policy deserves serious consideration
and security. And today, we should be asking ourselves does the
proposal by the administration make America safer, stronger and
more prosperous?
Unfortunately, in just 100 days, the Trump administration
has attempted to undertake massive and disruptive changes in
how our Nation conducts our diplomacy, throwing our entire
national diplomatic ecosystem into upheaval. While serious and
thoughtful reforms on how the U.S. can best defend our
interests abroad should always be welcome, far too many of this
administration's actions have been rushed, misinformed and
often downright incoherent.
America's diplomatic and soft power is one of our most
valuable assets. And Congress' role is to ensure our foreign
policy continues to align with our national interests. I
promised I would work with anyone who is willing to work with
me to deliver for Delawareans so I am looking forward to
learning more about this administration's plans.
My first question is for you, Mr. Nemeroff. As emerging
technologies transform global digital infrastructure, how can
CDP stay ahead of the curve? And what resources or capabilities
do you think CDP needs to stay competitive?
Mr. Nemeroff. Thank you for the question. I am going to
come back to the idea of looking at this from a full-stack
approach. This isn't a matter of us competing with one
technology, but thinking about how we are working to promote a
trusted technology ecosystem around the world. Undersea cables,
older technology like undersea cables and data centers, and
then 5G networks, that is going to shape a lot of what then
gets rolled out in terms of AI in different countries as well.
We have stiff competition from models like DeepSeek that
are open source and low cost. And so a key piece, in my view of
what our strategy needs to be, is thinking about how are we
building that entire stack to enable our technology to get out
there. And then how were we using cybersecurity? In our
remarkable capabilities as a government and a society and our
private sector to secure all of those pieces so that we can
trust that our information and our ideas can be used safely and
without causing harm to our national security.
Ms. McBride. Thank you. Ms. Love-Grayer, how does the Trump
administration shuttering of U.S. foreign assistance writ large
impact the ability of the CDP bureau to effectively conduct
outreach to allies and partners? What impact do you think the
cessation of cyber-related foreign assistance has on CDP's
ability to carry out its mission?
Ms. Love-Grayer. We haven't yet assessed the effects of
these changes, especially since they are not formalized. But I
will say we do have a request, a congressional request to look
at the impact of foreign assistance changes, including to the
workforce and so we plan to do that soon.
Ms. McBride. Thank you very much.
I want to reiterate the comments of my colleague,
Representative Amo and the ranking member made earlier about
the importance for us to provide a respectful, predictable,
sustainable career option for public servants across the
Federal Government. And this is an area that obviously requires
specific training, specific skills, which makes it that much
more difficult to recruit for and retain in, especially when
competing with the private sector. And I think it is important
as we have these conversations to recognize the importance of
protecting our Federal workforce and treating them with respect
as we seek to fill these positions and have the best and
brightest working in this critical capacity so thank you very
much.
Mr. Chairman, I yield back.
Mr. Self. Thank you, I recognize myself for 5 minutes.
We are leading on this CDP reauthorization. I have several
questions, for everyone's information here, we have
nongovernmental witnesses here because we don't have a lot of
people confirmed yet. So that is why we have you. And I
appreciate you all filling in the gaps while we can.
So a couple of--first of all, for you, Ms. Fixler, undersea
cable routing, because we have seen undersea cables being torn
up in several different theaters of the world. Is this an area
that we ought to be engaging with our allies? Because--is there
any way to protect the undersea cables or route them which
would help national security?
Ms. Fixler. Sure. Thank you for the question. Undersea
cables are a critical issue. And it is both the physical
resilience and the cyber resilience of that infrastructure. And
the ownership and operation of that infrastructure.
China and Russia have demonstrated they are interested in
disrupting that infrastructure. And China has also demonstrated
that it is interested in owning and operating that infrastructure
so that it can route and control the flow of communications.
And so, it is concerning when our adversaries are trying to
disrupt the infrastructure, and when they are trying to control
the infrastructure.
Mr. Self. Okay, thank you.
I just want to get to the specifics here. We are talking
about cybersecurity professionals. Give me a range of--first of
all, what level do we need in the CDP and what would be a range
of salaries? Who wants to tackle that? Ms. Love-Grayer?
Ms. Love-Grayer. Well, I think I will tackle part of this
question. We are talking about cybersecurity, but also beyond
cybersecurity, there are a range of cyber issues and technical
capacities that are needed, and you need diplomacy skills as
well. One of the things we heard from CDP after our review is
that they had trained about 250 diplomats on cyber issues. So
there is internal training you can do, as well as hiring, and I
think we need to use both capabilities.
Mr. Self. So what about salary range? Who wants to tackle
that? Because we are competing with a growth industry here.
Mr. Nemeroff. I can start. The one piece I would emphasize,
I am a lawyer by training----
Mr. Self. I am sorry.
Mr. Nemeroff. Yes. And I think what I learned in legal
cyber practice has also been true in diplomatic cyber practice,
which is that you take the old skills and you apply it to a new
technology. And so that is a lot of what CDP does really well,
it brings in diplomatic whizzes who can learn the technology
and apply it. And it brings in tech whizzes who can learn the
diplomacy and do that too.
Salary is a problem, we operate on the normal GS-15 scale
so there is no special cyber pay at the State Department, and I
do think that is an issue that you have colleagues who can----
Mr. Self. No, I am asking, what are we competing against?
Mr. Nemeroff. In the private sector?
Mr. Self. Right.
Mr. Nemeroff. Hundreds of thousands of dollars.
Mr. Self. Okay. I do want to get to because several
mentions have been made of the new org chart. I want to just
hear briefly--I have less than 2 minutes here. Let's go down
the line, what do you recommend? I think part of it was in your
written testimonies, part of it was in your verbal testimonies,
but I want to hear specifically what do you recommend for CDP
in the reauthorization, quickly.
Ms. Fixler. I will jump in. I think Congress had it right
on a bipartisan basis, you created the cyber bureau and you
understood the importance of the integration between the
different components of the cyber mission, the cybersecurity
mission, the digital economy mission, the emerging threats
mission. All of those work hand in hand. And so, seeing that
integration remain I think is a wise decision Congress
previously made. I look forward to Congress continuing to weigh
in on that.
Mr. Self. But now, it is directly underneath the deputy
secretary. It is probably not going to stay under the deputy
secretary.
Ms. Fixler. Yes, or maybe. I mean, you are going to
reauthorize right it. Thank you for the question, though. I
think the integration of the bureau is where I would focus.
Whether--the head of the bureau needs to have the authority in
crosscutting authorities, but whether exactly where you
position the bureau I think may be less important than the
integration of the different capabilities within the bureau.
Mr. Self. Thank you.
Ms. Love-Grayer. Actually I really agree with this point. I
think integration is really critical even as we interface with
other governments who are structured differently. However, I do
think that where it sits plays an important role as well,
because depending on where it sits it may have to compete with
others for resources. And it also needs the ability to have the
leader communicate with the most senior leaders at State in
order to make some pretty important decisions.
I would consider where it is placed. It also says something
about where the focus is. If it is in the E bureau versus
the T bureau, it sends a signal about what the focus of the
bureau will be, or the E family versus the T family.
Mr. Self. Out of time. But quickly, Mr. Nemeroff.
Mr. Nemeroff. I very much agree with the point about maintaining
integration. There is no perfect answer, if you are going to try
to put it under E or T, I think you need to make sure that whoever
it is reporting to cares about the whole mission and that senior
leaders at the top of the department the deputy secretary are
still going to be representing all the equities at deputies
committee meetings and diplomatic engagement.
Mr. Self. Thank you, I recognize our ranking member.
Mr. Keating. Ms. Fixler mentioned the tabletop exercise that
occurred. I am just curious as part of that, since I am also in
the Armed Services Committee, we are boosting our undersea
autonomous vehicles, and we have been doing it every year
because of threats like this.
Did you--is any of that considered, I know it is not
strictly cyber, but we have been talking about the integrity of
undersea cables?
Ms. Fixler. Yes. Thank you for the question. I am happy to
provide more information about the exercise that we conducted.
We have an after-action report, I am happy to share that with
the committee.
The exercise looked at a number of different attacks that
China could conduct. Some of them were cyber-related. Some of
them were sort of more in the economic realm. And they looked
also at undersea cables, mostly the disruption and the need to
be able to quickly repair that infrastructure.
Mr. Keating. The other thing is, I remember my time in
homeland security, how we were trying to deal with cyber
threats and the importance of dealing with the private sector,
because many of the countries that are represented, as well as
our own, that is done on the private side and has an enormous
impact to our safety and economy.
The same is true for the other countries that we are trying
to make more resilient and make sure we are not affected by
things that affect them.
So when you are looking at that situation and you are
dealing with a private side, can you explain advantages there
might be with the fact that we can deal with other countries to
deal with their own private sector instances in terms of
getting that kind of cooperation, particularly in revealing a
cyber attack, you know, just minutes, hours make a difference
in the ability to contain that. Perhaps anyone might want to
address that.
Mr. Nemeroff. It was particularly breathtaking, I thought,
to see the scale and speed and agility of the private sector in
the days after the Russian invasion of Ukraine. They were able
to move at a speed I wish governments could move at, and so,
they are a critical partner wherever you are operating.
I found that foreign assistance is a part of it, but
another part of it is maintaining a shared situational
awareness.
The reporting that you referred to that they often issue is
really an early warning often of incidents that we need to
respond to quickly, and so they are a critical partner.
Mr. Keating. Great. Thank you. I notice we have another
member who has come for a first line of questioning, so I yield
back.
Mr. Self. I now recognize Mrs. Kim.
Mrs. Kim. Thank you, Chairman Self. Thank you. I want to
thank our witnesses for being here today. You know, let me go
right into questions like, how can private sectors'
technological expertise such as that from organizations like
very fake AI be leveraged to enhance the resilience of ally
infrastructure against the response of a cyber attack?
Mr. Nemeroff. Thank you. I think it is a critical thing
that every country in government needs to recognize that this
has to be a public-private partnership, and that governments
need to rely and use private sector capabilities to secure
their networks.
We have made important strides within the U.S. Government,
for example, moving to cloud as a place to store our data in
order to help take cybersecurity out of the hands of individual
offices and place it higher up.
We have also found that when incidents happen, private
sectors are often the most agile in investigating and
remediating, and so, it is very important as we talk to our
allies and partners to make sure that they are thinking about
this as a team sport as well, working with their own companies,
or working with capable U.S. cybersecurity providers in order
to provide these kinds of services and support.
Ms. Fixler. I would just add as well, CDP maintains some of
those relationships, and its incident response capability, the
foreign assistance funding that you all authorized to focus on
rapid response and rapid deployment of resources, that is a
partnership with private sector companies. It is not deploying
U.S. Government personnel, but it is the relationship with
private sector cybersecurity incident response professionals.
Ms. Love-Grayer. I will add just one note, which is, CDP's
foreign assistance also sometimes makes it capable--or makes
the environment possible for private sector companies to come
in. And we saw that with Costa Rica, because they changed their
environment based on CDP assistance, Intel felt more secure in
being able to go in and make a $1.2 billion investment that
they probably would not have made if Costa Rica had not changed
many of its cyber norms and policies as a result of its
interactions and engagement with CDP.
Mrs. Kim. Thank you. You know, Ms. Fixler, from your
perspective, how should the CDP bureau foster such partnerships
to enhance cybersecurity in ally infrastructure, and what
challenges must be addressed to ensure effective cooperation
across the borders?
Ms. Fixler. Thank you for the question. I will focus
specifically on the challenge. I think there is a challenge to
think about things strategically. When it comes to critical
infrastructure, everything is critical, but, frankly, there are
things that are more critical, and we need to focus on that
systemically important infrastructure in our own country and
abroad to think about what do we most need to protect against.
So if we can think about that strategically, I think that is a
challenge, but a real opportunity for us to do better.
Mrs. Kim. Ms. Love-Grayer, can you provide which offices
GAO found to have overlapped with CDP, and how the bureau works
to ensure clear delineation between responsibilities with other
offices that have cyber equities?
Ms. Love-Grayer. Within State, we found that the Bureau of
Democracy and Human Rights and Labor, DRL, as well as INL,
which focuses on international law enforcement, both of those
bureaus also have equities in cyber diplomacy.
DRL, in particular, works on freedom, internet freedom
issues, and they engage in multilateral foreign--they provide
foreign assistance.
INL works on combating cyber crime. And they also lead a
lot of the foreign assistance initiatives with other foreign
governments, as well as multilateral diplomacy efforts.
So the coordination between all three of them is
important. We found that they do have regular meetings and
conversations, but they were still facing challenges defining
who should take the lead on certain initiatives given the
expertise that already exists in these other bureaus.
Mrs. Kim. Let's talk about that, so can you talk about the
steps that CDP can take to mitigate risk of the overlap or
redundancy that you are talking about in existing cybersecurity
efforts across the Federal agencies, and how has CDP improved
collaboration with key partners like DHS, DOJ, DOD and
Treasury?
Ms. Love-Grayer. Within the Department, one of the things
they--I believe they have started to do and they can continue
to do is ensure that there is constant communication between
all of the bureaus and they are well aware of which partners
they are working with and where the focus ought to be for each
one of them.
There is still some overlap in the missions, and I think
there could be greater delineation between who is taking the
lead on certain issues if they are not going to be consolidated
in any kind of way.
In terms of the interagency, currently they have formal
interagency agreements with several agencies, DHS, DOD, FTC,
Department of Commerce, those do seem to be working well
because they outline the parameters of those relationships and
who is taking the lead.
Mrs. Kim. Thank you. Chairman, I yield back.
Mr. Self. I thank the witnesses for their testimony, and
the members for their questions. The members of the
subcommittee may have some additional questions for you, and we
would ask you to respond to those in writing.
Pursuant to committee rules, all members may have 5 days to
submit statements, questions and extraneous materials for the
record subject to the length of limitations. Without objection,
the committee stands adjourned. Thank you very much.
[Whereupon, at 3:27 p.m., the subcommittee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]