WEBVTT 00:00.043 --> 00:02.015 - Committee will come to order. 00:02.016 --> 00:04.830 I want to welcome everyone to today's hearing 00:04.831 --> 00:07.033 of the merging treats and capability sub committee 00:07.034 --> 00:09.090 of the house armed services committee. 00:09.091 --> 00:10.957 With the presidents budget request released, 00:10.958 --> 00:12.205 just earlier today. 00:12.206 --> 00:15.605 This is our first opportunity to explore this request 00:15.606 --> 00:18.769 and the major implications, for key defense missions. 00:18.770 --> 00:20.786 I think it is fitting that the first area 00:20.787 --> 00:23.031 we will dive into is cyber. 00:23.032 --> 00:25.499 This is in increasingly important domain of warfare 00:25.500 --> 00:27.949 and an area, where we have increased our emphasis 00:27.950 --> 00:30.383 on overseeing the department's progress 00:30.384 --> 00:32.494 in building and maintaining cyber forces 00:32.495 --> 00:36.301 to protect, defend, maintain and when necessary conduct, 00:36.302 --> 00:39.372 conduct offensive operations in cyber space. 00:39.373 --> 00:43.219 As we move towards developing the fiscal year 2018 NDAA 00:43.220 --> 00:45.240 I have made cyber and cyber warfare 00:45.241 --> 00:47.142 one of my main priorities. 00:47.143 --> 00:49.223 In the coming weeks, Chairman Mac Thornberry 00:49.224 --> 00:52.213 and I, in addition to my ranking member Jim Langevin 00:52.214 --> 00:54.263 HASC ranking member Adam Smith, 00:54.264 --> 00:57.390 plan to introduce stand alone cyber warfare legislation 00:57.391 --> 00:59.820 that strengthens congressional oversight 00:59.821 --> 01:02.454 of sensitive military cyber operations, 01:02.455 --> 01:06.145 including mandating prompt notification to congress 01:06.146 --> 01:08.829 in the event of unauthorized disclosures. 01:08.830 --> 01:10.501 We look forward to continuing to work 01:10.502 --> 01:13.106 with US cyber command and the Department of Defense 01:13.107 --> 01:15.527 as we finalize this staff legislation. 01:15.528 --> 01:18.456 To insure such notifications are responsive to our needs 01:18.457 --> 01:20.882 but without adding undue reporting burdens 01:20.883 --> 01:22.854 on the department of defense. 01:22.855 --> 01:23.917 In addition to our focus 01:23.918 --> 01:25.972 on strengthening congressional oversight 01:25.973 --> 01:27.776 in the area of cyber warfare. 01:27.777 --> 01:30.082 Other key focus areas will include provisions 01:30.083 --> 01:33.095 to strengthen our own cyber warfare capabilities 01:33.096 --> 01:35.627 and provisions that enhance our international partnerships 01:35.628 --> 01:37.181 across the globe. 01:37.182 --> 01:39.764 In order to more thoroughly understand all of these issues, 01:39.765 --> 01:41.441 I would like to welcome our witness, today. 01:41.442 --> 01:43.099 Admiral Mike Rogers. 01:43.100 --> 01:45.449 Who serves as the Commander of US cyber command 01:45.450 --> 01:47.950 and the Director of the National Security Agency. 01:47.951 --> 01:50.367 Let me now recognize, ranking member Jim Langevin 01:50.368 --> 01:53.450 for any opening comments he'd like to make. 01:53.451 --> 01:54.848 - Thank you, madame chair. 01:54.849 --> 01:59.197 And welcome Admiral Rogers, thank you, for testifying. 01:59.198 --> 02:01.506 Before I say it, it's a pleasure to have you 02:01.507 --> 02:03.100 for the subcommittee 02:03.101 --> 02:04.513 and thanks for bringing along the crowd. 02:04.514 --> 02:08.090 It makes it a little more of interesting year. 02:08.091 --> 02:11.017 So, the president's budget, for fiscal year 2018 02:11.018 --> 02:12.805 was delivered just this morning. 02:12.806 --> 02:14.491 As the chair stated 02:14.492 --> 02:16.549 and so I look forward to hearing about 02:16.550 --> 02:18.262 priority investments in cyber 02:18.263 --> 02:20.841 and about any potential new legislative initiative 02:20.842 --> 02:23.110 relating to cyber. 02:23.111 --> 02:26.519 Last year, Congress passed legislation establishing US, 02:26.520 --> 02:28.447 cyber command, 02:28.448 --> 02:31.576 as its own unified combatant command. 02:31.577 --> 02:33.886 The subcommittee worked deligently 02:33.887 --> 02:36.570 and the underlying legislation because we recognize 02:36.571 --> 02:39.269 importance of a trained and ready force 02:39.270 --> 02:42.239 able to conduct effective cyber operations in concert 02:42.240 --> 02:46.059 with other the military and US government efforts. 02:46.060 --> 02:49.098 I consistent, with the appropriate legal authorities 02:49.099 --> 02:50.364 and policies. 02:50.365 --> 02:52.337 And at the FY17, 02:52.338 --> 02:55.014 NDAA also formalized relationship 02:55.015 --> 02:57.943 with principal cyber adviser to ensure advocacy 02:57.944 --> 03:00.178 and oversight of the command. 03:00.179 --> 03:02.090 We'll also provided you a cyber command 03:02.091 --> 03:05.174 with limited cyber peculiar acquisition authorities 03:05.175 --> 03:06.782 two years ago. 03:06.783 --> 03:08.985 And I like to acknowledge the thoughtfulness 03:08.986 --> 03:12.609 by which the department is implemented this authority. 03:12.610 --> 03:16.017 Today, our authority hearing about where 03:16.018 --> 03:18.019 these two initiatives stand. 03:18.020 --> 03:20.922 Both the process, by which necessary resources 03:20.923 --> 03:21.931 are being transferred 03:21.932 --> 03:25.437 from Stratcom to Cybercom 03:25.438 --> 03:27.731 and the new resources being provided 03:27.732 --> 03:30.595 as necessary for effective implementation. 03:30.596 --> 03:33.770 Clearly we made progress employing military cyber operations 03:33.771 --> 03:35.105 over the years. 03:35.106 --> 03:37.336 We've been building the cyber mission force, 03:37.337 --> 03:40.567 but now, we must make sure that they are ready 03:40.568 --> 03:43.771 and stay ready, for a, for a threat, 03:43.772 --> 03:46.060 that morphes on a daily basis. 03:46.061 --> 03:48.386 The persistent training environment cost 03:48.387 --> 03:50.337 it's key to that end. 03:50.338 --> 03:52.946 Although they, the cyber domain is not new 03:52.947 --> 03:55.178 there's still much, that we're learning 03:55.179 --> 03:57.685 and we must ravage those lessons learnt. 03:57.686 --> 04:00.704 We must add, we must asses, the force 04:00.705 --> 04:02.918 we are building, how we employee it 04:02.919 --> 04:04.186 in order to ensure 04:04.187 --> 04:06.476 cybercom is postured correctly. 04:06.477 --> 04:09.470 And if the tools and capabilities are the best 04:09.471 --> 04:11.429 that we can provide them. 04:11.430 --> 04:12.927 So, next week, 04:12.928 --> 04:16.399 I'm gonna be traveling to NATO. 04:16.400 --> 04:19.668 The NATO cyber cooperative, cyber defense 04:19.669 --> 04:22.660 center of excellence to attend, it's in your conference 04:22.661 --> 04:24.033 in town of Estonia. 04:24.034 --> 04:27.491 I expect this icon will provide extraordinary insight 04:27.492 --> 04:30.862 and how our NATO allies view the cyber domain 04:30.863 --> 04:33.532 and it's in, in how 04:33.533 --> 04:36.832 international law are applicable. 04:36.833 --> 04:40.013 And it will provide me with, with insight 04:40.014 --> 04:42.228 on how we can increase cyber collaboration 04:42.229 --> 04:44.831 against Russian aggression. 04:44.832 --> 04:46.851 Admiral, I also appreciate your views 04:46.852 --> 04:49.120 on how we may strengthen in collaboration 04:49.121 --> 04:51.008 with our NATO allies. 04:51.009 --> 04:54.465 So, enclosing I just wanna echo, what the chair said 04:54.466 --> 04:56.408 about the importance of formalizing 04:56.409 --> 04:58.246 notifications to congress 04:58.247 --> 05:00.339 of sensitive cyber military operations 05:00.340 --> 05:02.670 the cyber quarterly brief provides us, 05:02.671 --> 05:06.367 a form to oversee cyber operations 05:06.368 --> 05:08.739 and I was especially pleased with the participation 05:08.740 --> 05:11.859 of the joint staff and OST at the last engagement. 05:11.860 --> 05:15.199 However, I, in our overstate capacity 05:15.200 --> 05:18.833 I believe that we must work with the department to obtain 05:18.834 --> 05:21.640 timely of more standard notifications. 05:21.641 --> 05:23.031 As the chair mentioned, then I, 05:23.032 --> 05:24.926 I know that we're gonna work toward that end. 05:24.927 --> 05:27.340 So, with that, I thank you, 05:27.341 --> 05:28.860 Admiral Rogers for appearing today. 05:28.861 --> 05:31.020 Thank you for what you are doing at NSA 05:31.021 --> 05:34.485 and US cyber command and with that I will yield back. 05:34.486 --> 05:36.757 - Thank you, Jim. I also, would like to remind members 05:36.758 --> 05:38.987 that immediately following this open hearing. 05:38.988 --> 05:41.165 The committee will reconvene upstairs 05:41.166 --> 05:43.746 in 2337 for closed classified 05:43.747 --> 05:45.950 round table discussion with our witness. 05:45.951 --> 05:47.770 Admiral Rogers, you're now recognized 05:47.771 --> 05:48.782 for your opening statement. 05:48.783 --> 05:50.161 - Thank you, Chairwoman Stefanik 05:50.162 --> 05:53.252 ranking member Langevin, and members of the subcommittee. 05:53.253 --> 05:54.814 Thank you, for your enduring support 05:54.815 --> 05:56.377 and the opportunity today. 05:56.378 --> 05:58.950 To talk about the hard working men and women 05:58.951 --> 06:00.917 of the United States Cyber Command. 06:00.918 --> 06:03.326 I look forward to discussing the commands posture 06:03.327 --> 06:05.617 and welcome the opportunity to describe 06:05.618 --> 06:07.513 how US Cyber Command conducts efforts 06:07.514 --> 06:09.112 in the cyber space domain 06:09.113 --> 06:11.658 and supports the nation's defense against sophisticated 06:11.659 --> 06:13.813 and powerful adversaries. 06:13.814 --> 06:15.977 The department of defense recognize seven years ago, 06:15.978 --> 06:18.070 that the nation needed a military command 06:18.071 --> 06:20.003 focused on cyber space. 06:20.004 --> 06:22.062 US cyber command and it's subordinate elements 06:22.063 --> 06:25.983 that been given the responsibility to direct operate, secure 06:25.984 --> 06:29.013 and defend, the department systems and networks 06:29.014 --> 06:32.958 which are fundamental to the execution of all DOD missions. 06:32.959 --> 06:35.448 The department and the nation, also rely us 06:35.449 --> 06:36.935 to build ready cyber forces 06:36.936 --> 06:39.157 and then to be prepared to employ them, 06:39.158 --> 06:41.368 when significant cyber attacks against the nations 06:41.369 --> 06:45.161 critical infrastructure require DOD support. 06:45.162 --> 06:47.948 The pace of international conflict and cyber space threat 06:47.949 --> 06:50.519 has intensified over the past few years. 06:50.520 --> 06:52.430 Hardly, a day has gone by during my ten years 06:52.431 --> 06:54.421 at cyber command that we've not seen at least 06:54.422 --> 06:56.062 one significant cyber security event 06:56.063 --> 06:58.099 occurring somewhere in the world. 06:58.100 --> 07:01.587 This is consequences for military and our nation at large. 07:01.588 --> 07:04.542 We face a growing variety of advance threats 07:04.543 --> 07:05.665 from actors who operate 07:05.666 --> 07:08.592 with ever more sophistication and precision. 07:08.593 --> 07:11.627 At US cyber command, we track state and non-state adversary 07:11.628 --> 07:14.360 as they continue to expand their capabilities 07:14.361 --> 07:17.287 to advance their interest, in and through cyber space 07:17.288 --> 07:20.523 and try to undermine United States national interests 07:20.524 --> 07:22.622 and those of our allies. 07:22.623 --> 07:25.570 Conflict in the cyber domain is not simply a continuation 07:25.571 --> 07:28.150 of kinetic operations by digital means. 07:28.151 --> 07:30.631 It is unfolding according to its own logic 07:30.632 --> 07:33.161 which we continue to better understand 07:33.162 --> 07:34.882 and we're using this understanding 07:34.883 --> 07:36.654 to enhance the departments 07:36.655 --> 07:38.908 and the nation situational awareness 07:38.909 --> 07:42.016 and the manage risk in the cyber arena 07:42.017 --> 07:44.765 and also look forward, to updating you on our initiatives 07:44.766 --> 07:47.327 and plans, to help do that. 07:47.328 --> 07:51.260 Our three line of operation are to provide mission assurance 07:51.261 --> 07:54.065 for DOD operations and defend the department of defense 07:54.066 --> 07:55.900 information environment. 07:55.901 --> 07:59.020 To support joint force commander objectives globally 07:59.021 --> 08:01.642 and to deter or defeat, strategic threats 08:01.643 --> 08:04.560 to US interest in critical infrastructure. 08:04.561 --> 08:07.583 We conduct full spectrum military cyber space operations 08:07.584 --> 08:09.878 to enable actions in all domains. 08:09.879 --> 08:13.122 Ensure US and allied freedom of action in cyber space 08:13.123 --> 08:15.828 and deny the same to our adversaries. 08:15.829 --> 08:17.966 Defensive DOD information networks remains 08:17.967 --> 08:20.196 our top priority of course 08:20.197 --> 08:21.445 and that include weapons systems 08:21.446 --> 08:23.965 and their platforms as well as data. 08:23.966 --> 08:26.787 To executive our mission, I requested a budget 08:26.788 --> 08:31.160 of a approximately 647 million dollar for fiscal year 18. 08:31.161 --> 08:34.997 Which is nearly a 16% increase from fiscal year 17 08:34.998 --> 08:37.393 due to additional funding for cyber command elevation 08:37.394 --> 08:40.304 for the fiscal year 17, NDAA, 08:40.305 --> 08:41.818 building out cyber mission force 08:41.819 --> 08:44.856 and cyber specific capabilities and tools 08:44.857 --> 08:48.494 and JTF Erie support in the fight against ISIS. 08:48.495 --> 08:50.173 We're completing the build out of this 08:50.174 --> 08:52.432 cyber mission force with all team schedule 08:52.433 --> 08:55.914 to be fully operational by the end of fiscal year 18 08:55.915 --> 08:59.384 and with the help from the services, continually increase 08:59.385 --> 09:02.866 cyber mission force readiness to whole targets at risk. 09:02.867 --> 09:04.992 Your strong and continue support is critical 09:04.993 --> 09:06.233 to the success of the department 09:06.234 --> 09:09.177 and defending our national security interest in cyber. 09:09.178 --> 09:11.126 As you well know I serve as both commander 09:11.127 --> 09:12.483 of United State cyber command 09:12.484 --> 09:14.984 and Director of the National Security Agency. 09:14.985 --> 09:17.742 This dual had appointment underpins the close partnership 09:17.743 --> 09:19.813 between Cyber command and NSA. 09:19.814 --> 09:23.494 A significant benefit right now in cyber space operations. 09:23.495 --> 09:24.803 The institutional arrangement 09:24.804 --> 09:26.260 between these two organizations 09:26.261 --> 09:28.035 however will evolve as cyber command 09:28.036 --> 09:29.991 grows to full proficiency 09:29.992 --> 09:31.421 in the near future. 09:31.422 --> 09:34.244 The National Defense Authorization act separate provision. 09:34.245 --> 09:36.084 Also described conditions 09:36.085 --> 09:37.891 for splitting the dual had arrangement. 09:37.892 --> 09:39.339 Which can only happen 09:39.340 --> 09:41.827 without impairing either organizations affected this 09:41.828 --> 09:43.896 and ability to execute their missions. 09:43.897 --> 09:46.751 This is another provision I probably stated I support. 09:46.752 --> 09:50.601 Depending the attainment of certain critical conditions. 09:50.602 --> 09:51.957 Cyber command will also engage 09:51.958 --> 09:53.774 with this subcommittee and several other matters 09:53.775 --> 09:54.941 related to the enhancement 09:54.942 --> 09:57.613 of the commander's responsibilities and authorities 09:57.614 --> 09:59.242 in the coming year. 09:59.243 --> 10:01.518 This would include increasing cyber man power. 10:01.519 --> 10:03.596 Enhancing the prof... professionalization 10:03.597 --> 10:05.572 of the cyber work force. 10:05.573 --> 10:09.255 Building defense and offensive capability and capacity 10:09.256 --> 10:12.812 and developing in stream lining our acquisition processes. 10:12.813 --> 10:14.180 These are critical to neighbors 10:14.181 --> 10:16.843 enablers for cyber space operations 10:16.844 --> 10:19.775 in a dynamically changing global environment 10:19.776 --> 10:21.850 and most or all of these particulars 10:21.851 --> 10:24.581 has been directed in recent NDAX. 10:24.582 --> 10:26.577 Along with the office of the secretary defense 10:26.578 --> 10:28.631 for policy in the joint staff 10:28.632 --> 10:29.943 We'll talk with you and your staffs 10:29.944 --> 10:34.368 to iron out implementation details of that legislation. 10:34.369 --> 10:35.729 The men and women are cyber commander 10:35.730 --> 10:37.180 are proud of the roles that we play 10:37.181 --> 10:39.046 in our nation's cyber efforts 10:39.047 --> 10:41.594 and are motivated to accomplish our sign missions 10:41.595 --> 10:42.790 over seen by the congress. 10:42.791 --> 10:44.792 Particularly this subcommittee. 10:44.793 --> 10:48.212 We worked to secure and defend the DOD systems and networks. 10:48.213 --> 10:49.943 counter adversaries and support 10:49.944 --> 10:52.529 National and joint war fighting objectives 10:52.530 --> 10:54.964 in and through cyber space. 10:54.965 --> 10:56.581 The commands operational successive 10:56.582 --> 10:57.938 have validated concepts 10:57.939 --> 10:59.230 for creating cyber affects 10:59.231 --> 11:01.358 on the battle field and beyond. 11:01.359 --> 11:03.025 Innovations are constantly emerging 11:03.026 --> 11:04.856 out of operational necessity 11:04.857 --> 11:06.284 and the real world experiences 11:06.285 --> 11:09.260 and meeting their requirements of national decision makers 11:09.261 --> 11:11.043 and Joint force commanders 11:11.044 --> 11:13.587 continues to mature our operational approaches 11:13.588 --> 11:16.129 and effectiveness over time. 11:16.130 --> 11:18.412 At the same time I realize cyber security 11:18.413 --> 11:20.749 is a national security issue. 11:20.750 --> 11:22.833 It requires a whole of nation approach 11:22.834 --> 11:25.238 that brings together both public and private sections 11:25.239 --> 11:27.145 of our society. 11:27.146 --> 11:28.643 Appoint a partnership program 11:28.644 --> 11:30.517 in Silicon Valley in Boston 11:30.518 --> 11:33.739 has proven to be a successful initial to link our command 11:33.740 --> 11:35.990 to some of the most innovative minds from industry 11:35.991 --> 11:38.170 working together on cyber security 11:38.171 --> 11:40.535 as we face 21st century threats 11:40.536 --> 11:43.360 together in the private and public sectors. 11:43.361 --> 11:45.961 This combined with agile policies 11:45.962 --> 11:47.770 decision making processes 11:47.771 --> 11:50.682 capabilities and command and control structures 11:50.683 --> 11:53.314 will ensure that cyber command change its potential 11:53.315 --> 11:55.656 to counter our adversaries. 11:55.657 --> 11:57.231 The men and women of US cyber command 11:57.232 --> 11:59.917 thank you and appreciate your continued support 11:59.918 --> 12:03.231 as we confront and overcome the challenges facing us. 12:03.232 --> 12:05.552 We understand that frank and comprehensive 12:05.553 --> 12:06.781 engagement with congress 12:06.782 --> 12:09.084 not only facilitates the support that allows us 12:09.085 --> 12:10.933 to accomplish our mission. 12:10.934 --> 12:11.981 But also help ensure 12:11.982 --> 12:13.636 that our fellow citizens understand 12:13.637 --> 12:15.293 and endorse our efforts 12:15.294 --> 12:17.744 which were executed on their behalf. 12:17.745 --> 12:19.339 I've seen the growth in our commands 12:19.340 --> 12:21.206 size, budget and mission 12:21.207 --> 12:24.059 and that investment of resources time and effort 12:24.060 --> 12:25.428 is paying off 12:25.429 --> 12:26.657 and more importantly 12:26.658 --> 12:29.925 it's helping keep Americans safer in the cyber arena. 12:29.926 --> 12:31.426 But not only in cyber space 12:31.427 --> 12:33.324 but in other domains as well 12:33.325 --> 12:35.138 and I look forward to continue in the dialogue 12:35.139 --> 12:37.097 across the command and it's progress with you 12:37.098 --> 12:38.369 in this hearing today 12:38.370 --> 12:40.056 and over the months to come. 12:40.057 --> 12:42.660 I look forward to answering your questions. 12:42.661 --> 12:43.727 - Thank you, Admiral Rogers. 12:43.728 --> 12:46.214 We now turn to questions. 12:46.215 --> 12:47.539 First I wanna thank you for your service 12:47.540 --> 12:48.763 and your leadership. 12:48.764 --> 12:50.604 My first question is very broad. 12:50.605 --> 12:52.781 Last year's NDAA directed the elevation 12:52.782 --> 12:56.189 of cyber commands to a full combatant command. 12:56.190 --> 12:58.154 What steps need to happen before 12:58.155 --> 13:03.252 the changes to the unified command plan take affect? 13:03.253 --> 13:05.637 - So first the Secretary Defense 13:05.638 --> 13:07.517 and the president need to make a decision. 13:07.518 --> 13:09.418 Secretary Defense making a recommendation 13:09.419 --> 13:12.248 the president ultimately making decision. 13:12.249 --> 13:14.073 As to the timing and the process will use 13:14.074 --> 13:15.199 and that process is on going 13:15.200 --> 13:17.758 and I don't wanna speak for the Secretary or the president. 13:17.759 --> 13:22.029 But I know that the process and that discussion is ongoing. 13:22.030 --> 13:24.001 Given the language in the NDAA 13:24.002 --> 13:26.031 and an anticipation of this possibility, 13:26.032 --> 13:28.171 we spent much of the last year working our way 13:28.172 --> 13:30.413 through this specifics of how would we do that. 13:30.414 --> 13:32.819 And that the decision is ultimately approved 13:32.820 --> 13:33.965 we're prepared to apply that 13:33.966 --> 13:35.201 and to do it in the timely manner 13:35.202 --> 13:36.326 in accordance to the direction 13:36.327 --> 13:37.783 and in terms of the timeline provided 13:37.784 --> 13:40.061 to us via the President and Secretary defense. 13:40.062 --> 13:41.869 - What are the specifics... as you said 13:41.870 --> 13:43.842 you're assessing this specifics... 13:43.843 --> 13:45.116 you would do... 13:45.117 --> 13:46.852 - No. - What are they specifically? 13:46.853 --> 13:49.143 - If I could until we have an ultimate decision 13:49.144 --> 13:51.625 I'd rather not get ahead of my leadership. 13:51.626 --> 13:52.798 was I think, I owe them that 13:52.799 --> 13:54.079 and to get into the how 13:54.080 --> 13:57.681 if that right now - Yes. 13:57.682 --> 13:59.759 Part of your responsibilities that we intrined 13:59.760 --> 14:01.130 in section two... 14:01.131 --> 14:04.150 923 of FY17 NDAA 14:04.151 --> 14:07.633 when we elevated cybercom to the full combatant command 14:07.634 --> 14:09.646 involve development of doctrine 14:09.647 --> 14:12.446 and tactics related to cyber. 14:12.447 --> 14:14.367 What role do you have in advocating 14:14.368 --> 14:17.813 for or driving doctrinal development for 14:17.814 --> 14:20.695 the individual services when it comes to cyber? 14:20.696 --> 14:22.514 - So as the senior operational commander 14:22.515 --> 14:24.191 and cyber and in the department 14:24.192 --> 14:27.682 it's the partnership between that cyber team if you will 14:27.683 --> 14:29.623 and our fellow operational commanders 14:29.624 --> 14:31.298 and policy makers that helps shape 14:31.299 --> 14:33.423 so what is the doctrine that should shape 14:33.424 --> 14:34.807 how we employ this capability 14:34.808 --> 14:36.948 that the department's developing. 14:36.949 --> 14:40.228 If you look at what we've done over the course of last year 14:40.229 --> 14:42.519 the efforts against ISIS 14:42.520 --> 14:44.825 things we're doing against other real world challenges 14:44.826 --> 14:46.630 They're shaping the way we're looking at 14:46.631 --> 14:48.218 how do we build the force of the future? 14:48.219 --> 14:50.489 What are the concepts for its employment? 14:50.490 --> 14:53.203 If you go back a couple of years, for example, 14:53.204 --> 14:55.564 I remember, a, a year ago, two years ago 14:55.565 --> 14:56.947 one of our fundamental concepts 14:56.948 --> 14:58.357 was we're always gonna deploy 14:58.358 --> 15:00.125 forward in full teams. 15:00.126 --> 15:03.174 One of the things we found with practical experiences 15:03.175 --> 15:05.733 we can actually deploy in smaller sub elements. 15:05.734 --> 15:06.966 Use reach back capability 15:06.967 --> 15:08.331 the power of data analytics. 15:08.332 --> 15:10.903 We don't necessarily have to deploy everyone. 15:10.904 --> 15:14.117 We can actually work in a much more tailored focused way 15:14.118 --> 15:16.076 optimize for the particular network challenge 15:16.077 --> 15:16.759 that we're working, 15:16.760 --> 15:18.651 we're actually working through something's 15:18.652 --> 15:22.194 using this, for example out in the pacific at the moment 15:22.195 --> 15:25.654 - Few weeks ago in your testimony in front of SASK 15:25.655 --> 15:27.344 you were asked your opinion about whether 15:27.345 --> 15:30.955 we should be considering the establishment of cyber service 15:30.956 --> 15:35.015 and at that time you said that you were not a proponent. 15:35.016 --> 15:36.326 Could you explain a bit more 15:36.327 --> 15:38.370 as to why you feel that way? - Yes, ma'am. 15:38.371 --> 15:39.680 So 15:39.681 --> 15:41.991 the reason I'm not, I certainly understand 15:41.992 --> 15:43.031 others have a different view. 15:43.032 --> 15:44.739 the reason I'm not a proponent of that 15:44.740 --> 15:48.600 is my concern is if we're not careful 15:48.601 --> 15:52.027 we will view cyber is, is very technical 15:52.028 --> 15:54.768 very specialized 15:54.769 --> 15:56.298 very narrow mission set. 15:56.299 --> 15:57.625 In my view is 15:57.626 --> 15:59.669 cyber fits within a broader context 15:59.670 --> 16:01.589 and if you want to be successful 16:01.590 --> 16:02.974 in the ability to achieve 16:02.975 --> 16:06.246 out comes within the cyber space arena. 16:06.247 --> 16:08.318 You need to understand that broader context 16:08.319 --> 16:11.303 and I'm afraid that if we go the service route. 16:11.304 --> 16:12.781 We will tend to generate 16:12.782 --> 16:15.170 incredibly technically proficient 16:15.171 --> 16:18.006 But very nearly focused operators 16:18.007 --> 16:20.032 and one of my take aways for being a member 16:20.033 --> 16:22.323 of the department of defense for the last 36 years 16:22.324 --> 16:26.125 is we are best at optimized for outcomes. 16:26.126 --> 16:29.049 When our work force has a much broader perspective 16:29.050 --> 16:31.998 and I also think back as I'm a big fan of history. 16:31.999 --> 16:33.478 I think back to the dialogue 16:33.479 --> 16:35.221 in the 1980's when I first joined 16:35.222 --> 16:36.980 was first commissioned in the military. 16:36.981 --> 16:38.216 In the aftermath 16:38.217 --> 16:40.853 of the failure desert one and the effort 16:40.854 --> 16:43.174 to rescue those US 16:43.175 --> 16:44.864 hostages being held in the 16:44.865 --> 16:46.591 embassy in Tehran. 16:46.592 --> 16:48.907 We had a lot of dialogue about 16:48.908 --> 16:51.981 is soft so specialized. 16:51.982 --> 16:54.428 So, poorly understood by the broad 16:54.429 --> 16:57.499 conventional part of the military. 16:57.500 --> 17:00.551 So meeting at specific attention 17:00.552 --> 17:03.428 that we should create a separate soft service. 17:03.429 --> 17:06.409 We ultimately decided that the, the right answer 17:06.410 --> 17:08.904 was to create a joint war fighting construct 17:08.905 --> 17:11.164 thus in 1987 was born 17:11.165 --> 17:13.184 special operations command 17:13.185 --> 17:15.259 and in addition we needed, we said that 17:15.260 --> 17:16.958 operational entity 17:16.959 --> 17:18.995 needed to be a little unique structured. 17:18.996 --> 17:20.748 It not only should be a war fighter, 17:20.749 --> 17:22.189 but it should be giving budget 17:22.190 --> 17:24.117 it should be given budget resources 17:24.118 --> 17:26.872 that enable it to not only employ capability, 17:26.873 --> 17:29.269 but to determine the operational capabilities 17:29.270 --> 17:31.372 that actually and drive the investments 17:31.373 --> 17:33.102 that actually generate the capability. 17:33.103 --> 17:36.711 I think that is a very affective model for us 17:36.712 --> 17:39.273 to think about for cyber and cyber command. 17:39.274 --> 17:41.994 Vice just automatically transitioning to the idea 17:41.995 --> 17:43.870 of a separate service. 17:43.871 --> 17:45.597 - Thank you. My time's about to expire. 17:45.598 --> 17:48.161 I now recognize Mr. Langevin 17:48.162 --> 17:49.765 - Thank you, Elise. 17:49.766 --> 17:52.851 So admiral, congress has provided 17:52.852 --> 17:54.841 cybercom with limited 17:54.842 --> 17:57.173 cyber peculiar acquisition authority. 17:57.174 --> 18:00.106 So, (mumbling) 18:00.107 --> 18:01.179 comend the thoughtfulness 18:01.180 --> 18:03.841 by which the provision was implemented by. 18:03.842 --> 18:06.648 Can you please provide general overview 18:06.649 --> 18:09.270 of how that the authority will be executed 18:09.271 --> 18:11.390 and overseen in the command. 18:11.391 --> 18:14.861 - So, as you're aware, we sat down between OSD from a policy 18:14.862 --> 18:17.049 and technical perspective and cyber command 18:17.050 --> 18:19.240 from an operational perspective, you can ask yourself, 18:19.241 --> 18:21.727 What's the best way to implement this acquisition authority 18:21.728 --> 18:25.595 that was granted to us by the congress. 18:25.596 --> 18:28.948 Again, we thought SOCOM offered a good model. 18:28.949 --> 18:31.135 We actually, cyber command actually approached 18:31.136 --> 18:32.690 their team mates at SOCOM and said, 18:32.691 --> 18:35.103 look, you have a skill set, you have a personnel 18:35.104 --> 18:37.474 who have much more proficient in this area than we. 18:37.475 --> 18:40.145 So SOCOM was kind enough to actually identify 18:40.146 --> 18:42.753 the two initial individuals that we have hired 18:42.754 --> 18:45.285 who are gonna provide her acquisition, oversight 18:45.286 --> 18:47.683 and certification, if you will? 18:47.684 --> 18:49.949 Those individuals were put in place 18:49.950 --> 18:53.119 just a couple of months ago. 18:53.120 --> 18:55.803 The authority's are now all most all finished. 18:55.804 --> 18:58.629 Which your gonna see us in starting this summer 18:58.630 --> 19:00.863 is we've identified an initial set of priorities 19:00.864 --> 19:02.297 about where we wanna apply 19:02.298 --> 19:04.461 this authority in terms of acquisition 19:04.462 --> 19:05.808 and you'll see that play out over 19:05.809 --> 19:07.130 the course of next couple of months. 19:07.131 --> 19:09.428 Just got a couple of things we have to finish ironing, 19:09.429 --> 19:11.264 ironing out. What you're gonna see is actually 19:11.265 --> 19:14.197 implement this over the course of next few months and... 19:14.198 --> 19:16.378 - So, has not the authority has not been used yet? 19:16.379 --> 19:19.288 - Not yet, because I have got through some specific 19:19.289 --> 19:21.753 technical, and over sight control things, 19:21.754 --> 19:23.006 I have to make sure are in place, 19:23.007 --> 19:25.040 before we start spending the money that 19:25.041 --> 19:26.310 and using this. 19:26.311 --> 19:28.021 That will all be finished within the next month 19:28.022 --> 19:28.736 or so I think. 19:28.737 --> 19:31.086 - Can you speculate just provide example 19:31.087 --> 19:33.600 of what you think the authority may be used for? 19:33.601 --> 19:37.216 - So, what I've asked is, we've already identified, 19:37.217 --> 19:40.630 for example, a series of capabilities through cyber commands 19:40.631 --> 19:45.268 point of partnership, we call it, out in silicon valley. 19:45.269 --> 19:47.597 So, I've got, I already have a structure 19:47.598 --> 19:49.427 that's interacting with the private sector. 19:49.428 --> 19:52.127 Now, I wanna overlay this acquisition authority, 19:52.128 --> 19:55.318 actually now, I, I'm actually purchase if you will 19:55.319 --> 19:58.166 and acquire some of that 19:58.167 --> 19:59.755 capability from the private sector 19:59.756 --> 20:01.024 that we've been talking them about 20:01.025 --> 20:02.102 now from last few months. 20:02.103 --> 20:03.823 So, I tried to work through acquirement piece 20:03.824 --> 20:07.372 and anticipation of gaining the acquisition authority. 20:07.373 --> 20:09.826 Now, that we've got that pretty much done 20:09.827 --> 20:12.807 and I overlay the acquisition authority, you're gonna see us 20:12.808 --> 20:14.680 start to introduce some specific contract's, 20:14.681 --> 20:18.223 very focus on a couple, specific mission sets, 20:18.224 --> 20:21.061 defense and capability for cyber protection teams 20:21.062 --> 20:23.088 is the first area we're gonna focus on. 20:23.089 --> 20:24.345 - Okay, very good. 20:27.068 --> 20:29.050 So, I, ad mist my opening statement 20:29.051 --> 20:31.516 that I'm gonna be attending the annual 20:31.517 --> 20:34.502 sub-conference at NATO. 20:34.503 --> 20:36.593 The corporate cyber defense center 20:36.594 --> 20:37.963 actually next week. 20:37.964 --> 20:42.040 What's SAP commands relationship with, 20:42.041 --> 20:45.154 with the center and NATO and European. 20:45.155 --> 20:48.872 How can we co-operate move closely with our NATO allies? 20:48.873 --> 20:51.016 How do that, that corporation be strengthen? 20:51.017 --> 20:52.740 - So, for example, like yourself, 20:52.741 --> 20:54.033 I was just out there last June, 20:54.034 --> 20:56.838 spoke at the same conference you'll be going to next month. 20:56.839 --> 20:59.306 Every time I'm in Estonia, I spend time at the center, 20:59.307 --> 21:01.297 actually talk to them. 21:01.298 --> 21:02.346 The point I try to make 21:02.347 --> 21:05.570 to my NATO team mates are couple fold. 21:05.571 --> 21:08.275 First, 21:08.276 --> 21:10.250 this, under the NATO framework, 21:10.251 --> 21:12.632 the center wreck, the center represents 21:12.633 --> 21:14.898 the positions of the members of the alliance 21:14.899 --> 21:16.237 that participate in the center. 21:16.238 --> 21:17.795 Not necessarily, the alliance is a whole. 21:17.796 --> 21:19.949 So for example, not all 28 nations, 21:19.950 --> 21:22.009 29 now at the month April. 21:22.010 --> 21:25.117 Not all 29 nations actually participate in the center. 21:25.118 --> 21:27.104 I'd like to see if we can somehow 21:27.105 --> 21:30.317 more formally tie this center to NATO's policy development. 21:30.318 --> 21:33.315 For example, I think that can really accelerate something's. 21:33.316 --> 21:36.394 Also, I'm trying because capacity is certainly a challenge 21:36.395 --> 21:38.204 and I'm trying to both meet our own priorities 21:38.205 --> 21:41.083 as well as help key ally is in the NATO alliance. 21:41.084 --> 21:43.485 One of the things I'm interested in is 21:43.486 --> 21:46.586 I've created partnership with European command. 21:46.587 --> 21:49.367 We're talking about potentially placing an individual 21:49.368 --> 21:51.487 may be in the center in the course of next year 21:51.488 --> 21:54.372 or so more directly link with our self. 21:54.373 --> 21:56.878 I also like to see what could we potentially do 21:56.879 --> 21:59.590 within the exercise frame work that the NATO, 21:59.591 --> 22:01.833 that the alliance starting to create in cyber now. 22:01.834 --> 22:04.228 I've already extended invitation's to them. 22:04.229 --> 22:07.725 To observe and participate in our exercise frame work 22:07.726 --> 22:08.945 but I like to do the same thing 22:08.946 --> 22:10.545 if could within the NATO arena. 22:10.546 --> 22:14.563 - So, you know that obviously, the Congress pass the 22:14.564 --> 22:17.903 CISA the cyber information sharing legislation 22:17.904 --> 22:19.824 that's something domestically, but 22:19.825 --> 22:21.498 also we have robust cyber threat. 22:21.499 --> 22:24.320 information sharing, for example with the Israel's. 22:24.321 --> 22:28.265 How we doing with robust cyber threat sharing information 22:28.266 --> 22:30.753 with our, with our NATO? 22:30.754 --> 22:32.105 - Right now, 22:32.106 --> 22:36.148 most cyber sharing tends to be focus 22:36.149 --> 22:38.050 in many ways at nations and nations basis. 22:38.051 --> 22:39.673 That's another one of the challenge where I'm, 22:39.674 --> 22:41.648 that I'm interested in my cyber command. 22:41.649 --> 22:43.295 How can we work that more formally 22:43.296 --> 22:46.361 or military organizations in military organizations? 22:46.362 --> 22:50.549 So we're doing this once, not 29 different times as it were. 22:50.550 --> 22:52.304 - Okay, very good. 22:52.305 --> 22:54.587 My time is expired, I do have additional questions 22:54.588 --> 22:56.213 but if we don't get to second round, 22:56.214 --> 22:58.300 I'll submit them with the record. 22:58.301 --> 22:59.712 I appreciate you getting back to me on them 22:59.713 --> 23:01.584 but thank you admiral for the work that you're doing 23:01.585 --> 23:04.247 and thanks for your service to the country. 23:04.248 --> 23:06.571 - Dr. Abraham. 23:06.572 --> 23:07.321 - Well thank you, Madam chair, 23:07.322 --> 23:08.571 thank you, Admiral for being here. 23:08.572 --> 23:09.646 Appreciate it. - Thanks. 23:09.647 --> 23:11.275 The other services, 23:11.276 --> 23:14.675 the arm services only have their own cyber commands. 23:14.676 --> 23:17.818 What is cybercom doing as far as the manning 23:17.819 --> 23:22.275 and the concept of operations as far as 23:22.276 --> 23:24.318 having duplicative 23:24.319 --> 23:27.183 issues within those services. 23:27.184 --> 23:30.321 - So, remember the ways we.. - To prevent the duplication. 23:30.322 --> 23:32.945 - So, the way we're structured, 23:32.946 --> 23:34.622 each of those service 23:34.623 --> 23:37.497 primary operational cyber commands 23:37.498 --> 23:40.967 is a, is a sub-component of US. cyber command. 23:40.968 --> 23:43.834 So whether it's army cyber, coast guard cyber, 23:43.835 --> 23:48.484 air force cyber, fleet cyber, marforcyber? 23:48.485 --> 23:50.799 They have an operational relationship to me. 23:50.800 --> 23:52.115 And so, that's how we try to work 23:52.116 --> 23:54.278 the joint in the service peace. 23:54.279 --> 23:56.293 In a very integrative way. 23:56.294 --> 23:57.423 On the first to acknowledge 23:57.424 --> 24:00.078 and I was a service component commander before this job. 24:00.079 --> 24:02.492 I was the navy's guy. I was fleet cyber command. 24:02.493 --> 24:06.557 In those service structures, 24:06.558 --> 24:09.686 they are both to me 24:09.687 --> 24:12.041 in the execution of their joint responsibility. 24:12.042 --> 24:14.557 But they also have additional service responsibilities. 24:14.558 --> 24:18.075 I tried to be the connecting loop, partnering with them. 24:18.076 --> 24:20.538 And also partnering with the service leadership 24:20.539 --> 24:22.305 to make sure that from a service 24:22.306 --> 24:23.947 and a joint perspective within department 24:23.948 --> 24:27.054 we're aligned and focused on priorities and outcomes. 24:27.055 --> 24:30.087 - All right, and so let's parley that into 24:30.088 --> 24:33.014 other federal agencies at 24:33.015 --> 24:37.258 it seems all sort of have a cyber space 24:37.259 --> 24:39.601 departments so of speak. 24:39.602 --> 24:43.259 Cybercom has far as is coordinated mechanism 24:43.260 --> 24:45.701 between other federal agencies. 24:45.702 --> 24:47.175 Could you explain that a little bit? 24:47.176 --> 24:50.422 - So we coordinate directly, primarily 24:50.423 --> 24:52.142 in the rest of the government with 24:52.143 --> 24:53.640 the department and homeland security. 24:53.641 --> 24:54.980 That's particularly driven by the fact 24:54.981 --> 24:57.090 that one of the cyber commands three missions 24:57.091 --> 25:00.513 is directed by the president or the secretary defense, 25:00.514 --> 25:03.114 to defend critical infrastructure 25:03.115 --> 25:05.497 against acts of significant 25:05.498 --> 25:06.578 cyber consequence. 25:06.579 --> 25:10.736 We would do that in partnership with the defense with DHS. 25:10.737 --> 25:13.994 And so because of that, we're closely relying with them. 25:13.995 --> 25:16.961 In fact I just was talking 25:16.962 --> 25:19.693 with the team yesterday 25:19.694 --> 25:22.289 between the private sector. 25:22.290 --> 25:24.819 In the private sector, the US. government has designated 25:24.820 --> 25:28.221 16 different areas. Think about finance, transportation, 25:28.222 --> 25:30.961 aviation, there is 16 different segments 25:30.962 --> 25:31.927 that the federal government 25:31.928 --> 25:34.218 has designated as critical to the nations security, 25:34.219 --> 25:36.258 that infrastructure. 25:36.259 --> 25:39.738 We've picked one of those 16 segments 25:39.739 --> 25:41.298 to do a test case if you will between DHS cyber command. 25:44.500 --> 25:47.039 That private sector as well NSA, 25:47.040 --> 25:48.993 from an information and intelligence sharing 25:48.994 --> 25:50.652 that would be the NSA role. 25:50.653 --> 25:53.056 To try to get down the execution level detail about 25:53.057 --> 25:55.530 so how would we really do this day to day? 25:55.531 --> 25:57.920 Because my experience as a military individual 25:57.921 --> 26:01.600 has taught me, I don't like to do discovery learning 26:01.601 --> 26:03.525 when I'm moving to contact against an opponent. 26:03.526 --> 26:06.132 It tends to be high lost rate. 26:06.133 --> 26:08.904 Incredibly inefficient and ineffective. 26:08.905 --> 26:12.642 Often very resource intensive and much slower. 26:12.643 --> 26:15.308 So, I'm interested how can I create those relationships 26:15.309 --> 26:18.798 and exercise them now before we get into a major incident 26:18.799 --> 26:21.601 directed against one of those 16 segments. 26:21.602 --> 26:24.212 - Okay, I, I'll take half, one more question. 26:24.213 --> 26:25.683 cybercom has 26:25.684 --> 26:28.360 or I guess 40 cybercom supporting role 26:28.361 --> 26:30.748 and northcom, paycom 26:30.749 --> 26:34.211 and has the DOD that relationship 26:34.212 --> 26:38.271 so, that if there is a incident or accident that they can 26:38.272 --> 26:41.585 be really instituted very seamlessly. 26:41.586 --> 26:43.817 If such an eviction happen. 26:43.818 --> 26:45.237 - So, our role 26:45.238 --> 26:47.629 on the defensive side is to support 26:47.630 --> 26:49.209 and ensure the continued operations. 26:49.210 --> 26:52.637 For example, those network's weapons system in platforms 26:52.638 --> 26:53.838 those operational commanders 26:53.839 --> 26:56.831 and others count on to execute their mission. 26:56.832 --> 27:00.720 In addition, we generate offensive capability. 27:00.721 --> 27:02.093 At particularly for paycom 27:02.094 --> 27:05.100 and other geographic commands outside 27:05.101 --> 27:06.393 the United States. 27:06.394 --> 27:09.543 Because we don't really see. 27:09.544 --> 27:12.517 I don't think, right now in my mind how would 27:12.518 --> 27:15.141 we apply cyber offensive capability in the United States 27:15.142 --> 27:17.245 that, that's not role of the DOD. 27:17.246 --> 27:21.378 Our focus inside the United States will be largely defensive 27:21.379 --> 27:23.254 One of things, it's a focus area, 27:23.255 --> 27:26.638 it's set out of series of goals for 2017. 27:26.639 --> 27:28.516 One of those goals 27:28.517 --> 27:32.050 is increased cyber reserve in guard integration 27:32.051 --> 27:33.969 to get to the question that you really driving at. 27:33.970 --> 27:37.523 How do we make sure that for domestic incident 27:37.524 --> 27:40.721 that all elements of DOD are aligned 27:40.722 --> 27:42.775 then we all know, how we're gonna do this. 27:42.776 --> 27:45.050 And all the forces know, what their roles gonna be 27:45.051 --> 27:46.939 the command and control is all outline 27:46.940 --> 27:48.674 so, Northcom knows what they're gonna do, 27:48.675 --> 27:50.190 I know, what I'm gonna do. 27:50.191 --> 27:52.071 Paycom because they have a portion 27:52.072 --> 27:53.434 of the domestic responsibilities, 27:53.435 --> 27:55.331 so that, they know what they're gonna do. 27:55.332 --> 27:59.128 I'd like to use the defense support to civil affairs 27:59.129 --> 28:01.859 which is been an on-going process, we've used for decades. 28:01.860 --> 28:05.903 I kinda like to use that as a test model I'm the big fan of 28:05.904 --> 28:08.459 let's use which working elsewhere, let's not try to create 28:08.460 --> 28:10.092 something different or unique for cyber 28:10.093 --> 28:12.393 to the maximum extent, that I can. 28:12.394 --> 28:13.634 - [Jim] Yeah, right. 28:13.635 --> 28:15.738 - [Elise] Mr. Larson 28:15.739 --> 28:17.671 - Thanks, Admiral for coming. 28:17.672 --> 28:21.148 I'd like to go back to the question, unified cyber command 28:21.149 --> 28:23.307 because your answer 28:23.308 --> 28:25.436 wasn't concerned about the answer 28:25.437 --> 28:28.443 the portion of the answer, like we're still working it out. 28:28.444 --> 28:31.729 I was concerned, because I thought I heard you say something 28:31.730 --> 28:35.074 that runs counter to what we told you all to do 28:35.075 --> 28:38.577 and that is the decisions made to do this. 28:38.578 --> 28:41.408 And that, the secretary in the present don't need to make 28:41.409 --> 28:45.483 a decision to actually do unified a command. 28:45.484 --> 28:47.960 - The law is understandable. - At the time 28:47.961 --> 28:50.747 - they'll drive a time. - A time 28:50.748 --> 28:51.705 - I just wanna - So, that's my only point 28:51.706 --> 28:53.228 is the timing - If that's the only point, 28:53.229 --> 28:55.910 that's fine, I just thought, I heard something, 28:55.911 --> 28:57.576 - something else. - No, I apologize, 28:57.577 --> 29:00.328 if I miscommunicated you've clearly provided legal framework 29:00.329 --> 29:01.396 and this is what you're doing. 29:01.397 --> 29:02.661 - Okay. - You know I set a change 29:02.662 --> 29:04.212 in the law that's what we have to execute. 29:04.213 --> 29:05.865 - Okay, I appreciate that, okay. 29:05.866 --> 29:08.820 And I'd like to go back as well to something the chair 29:08.821 --> 29:10.871 was exploring with you and has to 29:10.872 --> 29:13.446 the... having a cyber service or not 29:13.447 --> 29:14.386 and I don't want you to 29:14.387 --> 29:16.364 I actually agree with you in not having one 29:16.365 --> 29:19.948 but, does bring the question though to have a 29:22.714 --> 29:26.563 so, to have capability, what flexibility 29:26.564 --> 29:29.413 do you need in personnel, 29:29.414 --> 29:30.989 what flexibility you need in contract 29:30.990 --> 29:32.835 in what, just kind, what flexibility do you need 29:32.836 --> 29:36.763 to fully utilize and even develop a formal framework 29:36.764 --> 29:38.865 so you're using active component 29:38.866 --> 29:40.631 reserve, guard, 29:40.632 --> 29:43.874 as well as the contractor community. 29:43.875 --> 29:46.712 - So, among the ways that we tried to ask ourselves 29:46.713 --> 29:48.898 so if we're gonna go with this service based approach 29:48.899 --> 29:51.471 which is really what we're executing how would you do it. 29:51.472 --> 29:53.596 We came up with the couple of baseline principles 29:53.597 --> 29:55.800 if you will, the first is, it doesn't matter, 29:55.801 --> 29:57.350 what your service is and it doesn't matter 29:57.351 --> 29:58.684 if you're guard or reserve. 29:58.685 --> 30:00.846 We built to one standard 30:00.847 --> 30:03.254 and so, we've created with it a joined framework 30:03.255 --> 30:06.544 for every position within the cyber mission force. 30:06.545 --> 30:08.918 We can tell you, what, what the pay grade is 30:08.919 --> 30:11.318 and we can tell you, what the qualification standards are 30:11.319 --> 30:12.623 and we can tell what the duties are 30:12.624 --> 30:14.056 that assigned the position. 30:14.057 --> 30:15.802 Because I said, look, we've got to create 30:15.803 --> 30:17.460 one integrated force, 30:17.461 --> 30:20.466 and if we do a thousand different variants 30:20.467 --> 30:21.677 I can't optimize that. 30:21.678 --> 30:24.375 The second thing we said was 30:24.376 --> 30:28.354 the structure of the teams needs to be the same 30:28.355 --> 30:30.555 regardless of whether it's a particular service 30:30.556 --> 30:33.440 guard or reserve, the anology I used was, 30:33.441 --> 30:37.209 it doesn't matter if we have a F16 squadron in the guard, 30:37.210 --> 30:39.609 or in the active force. 30:39.610 --> 30:42.556 There's one squadron nomenclature for F16 30:42.557 --> 30:44.631 that we can then employ anywhere globally 30:44.632 --> 30:46.590 because we know everybody is built to the same standard 30:46.591 --> 30:48.647 even as we now, I'm sure there's some variances 30:48.648 --> 30:51.009 but everybody is built to the same standard. 30:51.010 --> 30:53.462 So, that was another principle I said, the only way 30:53.463 --> 30:55.733 we can make a service based approach work 30:55.734 --> 30:59.618 is that active or reserve, guard or reserve 30:59.619 --> 31:02.098 it doesn't matter, we're building to one standard. 31:02.099 --> 31:04.940 If we stick to that framework, 31:04.941 --> 31:06.546 I'm very comfortable 31:06.547 --> 31:10.632 that we can make a service approach work for us. 31:10.633 --> 31:12.605 If we, if we insist on variance, 31:12.606 --> 31:14.676 if we insist on everybody doing their own thing 31:14.677 --> 31:15.948 I'm the first to admit 31:15.949 --> 31:17.970 boy, this is not a model that's gonna generate 31:17.971 --> 31:19.052 that the outcome that we need. 31:19.053 --> 31:21.248 I'm the first to acknowledge that. 31:21.249 --> 31:24.475 - And the role of the private sector? 31:24.476 --> 31:27.870 - So, the private sector, when I look at them. 31:27.871 --> 31:30.220 A couple of things come to mind, number one 31:30.221 --> 31:31.961 they're providing the, they're the ones 31:31.962 --> 31:33.426 who are gonna provide the human capitol 31:33.427 --> 31:35.967 whether that human capitol ends up wearing uniform 31:35.968 --> 31:38.726 where there's part of our civilian government work force, 31:38.727 --> 31:40.943 or it's a contractor force. 31:40.944 --> 31:43.134 They all start in the private sector. 31:43.135 --> 31:46.618 So it's one of the reasons why I spend a fair amount of time 31:46.619 --> 31:50.535 as cyber command and as the Director of NSA for that 31:50.536 --> 31:52.365 to the same extent in some ways 31:52.366 --> 31:55.991 with the academic world with private industry about 31:55.992 --> 31:58.164 so, tell me how you create a work force? 31:58.165 --> 32:00.528 What works for you? What incentives are you? 32:00.529 --> 32:01.925 What incentives are you using? 32:01.926 --> 32:03.361 What has failed? 32:03.362 --> 32:04.920 then in hindset you say to yourself 32:04.921 --> 32:05.891 boy, don't go down this road 32:05.892 --> 32:08.254 because it really fails spectacularly for us. 32:08.255 --> 32:09.912 Even as I acknowledge there's a difference 32:09.913 --> 32:12.110 between government and the private sector, 32:12.111 --> 32:13.460 but I still think there's something's 32:13.461 --> 32:14.782 that we can learn from each other. 32:14.783 --> 32:18.738 In addition, I think to other areas come to my mind for me 32:18.739 --> 32:21.297 with the private sector, the first is technology. 32:21.298 --> 32:25.107 The days, when DOD is gonna be the engine for technological 32:25.108 --> 32:28.436 innovation in change, I think they're long behind us. 32:28.437 --> 32:30.767 It's just not the DOD model, 32:30.768 --> 32:32.812 that's why we created the point of partnership 32:32.813 --> 32:35.752 in Silicon Valley and in Boston 32:35.753 --> 32:37.433 it's why I thought the acquisition piece 32:37.434 --> 32:38.561 was so important for us, 32:38.562 --> 32:40.629 we've got to be able to tap into that private sector 32:40.630 --> 32:43.522 in terms of acquisition of technology and capability. 32:43.523 --> 32:45.211 And then the last area, 32:45.212 --> 32:48.366 which is a little bit counter intuitive in some ways. 32:48.367 --> 32:52.613 When it come to, the generation of policy, 32:52.614 --> 32:54.787 concepts, thought 32:54.788 --> 32:57.435 the private sector can play huge role here. 32:57.436 --> 33:01.054 I think back to the beginning of nuclear deterrence 33:01.055 --> 33:03.137 and nuclear policy, for example. 33:03.138 --> 33:05.506 If you go back in the 1950's 33:05.507 --> 33:08.051 and you read much of the thought process, 33:08.052 --> 33:10.145 much as that was flown from the academic rule. 33:10.146 --> 33:13.123 Hardly anybody remembers now that Henry Kissinger 33:13.124 --> 33:16.733 in the 1950's, literally 1960's was a professor at Harvard 33:16.734 --> 33:20.767 who was writing about concepts of nuclear deterrence. 33:20.768 --> 33:23.440 Nuclear employment that ended up he and others 33:23.441 --> 33:24.823 ended up shaping 33:24.824 --> 33:26.192 the strategic vision we had, 33:26.193 --> 33:28.601 and I'd like to see us do the same thing in cyber. 33:28.602 --> 33:30.192 - Well, thank you. 33:30.193 --> 33:31.251 - Miss Cheney 33:33.316 --> 33:35.855 - Thank you, Madame Chairwoman, thank you, Admiral Rogers 33:35.856 --> 33:39.105 for your service and for being here today. 33:39.106 --> 33:42.065 Secretary (mumbling) before he became secretary 33:42.066 --> 33:45.212 in talking about the budget control act and sequestration 33:45.213 --> 33:48.273 said no foe in the field could do our military as much harm 33:48.274 --> 33:50.324 as has been done to us through sequestration 33:50.325 --> 33:52.081 in the budget control act. 33:52.082 --> 33:55.892 As we begin the process of looking at the 2018 budget. 33:55.893 --> 33:59.750 I'm interested to know, to what extent you're able to factor 33:59.751 --> 34:02.210 in strategy and threats 34:02.211 --> 34:04.081 and through strategic thinking 34:04.082 --> 34:06.671 about what needs to be done. 34:06.672 --> 34:10.296 As you put together the budget for cyber command 34:10.297 --> 34:13.166 and to what extent you've still been hamstrung 34:13.167 --> 34:16.516 by the BCA and by those cap numbers. 34:16.517 --> 34:18.534 - So, like any entity, 34:18.535 --> 34:20.069 it's all about prioritization for us 34:20.070 --> 34:22.947 so we spend a lot of time figuring out with finite resources 34:22.948 --> 34:25.332 even with growth with finite resources, 34:25.333 --> 34:27.069 how are we gonna prioritize? 34:27.070 --> 34:29.664 So, our input for the fiscal '18 year budget 34:29.665 --> 34:32.313 and truth in lending, we just rolled it out 34:32.314 --> 34:34.516 as a government as it appointment this afternoon 34:34.517 --> 34:35.580 during the midday today, 34:35.581 --> 34:38.319 so I've not yet seen the specifics yet 34:38.320 --> 34:40.110 I know, what the broad number for us is 34:40.111 --> 34:42.191 but, I haven't seen the sub elements of that 34:42.192 --> 34:45.494 so, I'll talk broadly, I apologize, but I'll talk broadly. 34:45.495 --> 34:49.681 For the '18 input, we try to identify those priorities 34:49.682 --> 34:53.153 in a macro sense, in no particular order. 34:53.154 --> 34:56.985 I've been arguing man power, 34:56.986 --> 35:00.727 investments and core capabilities and then number three 35:00.728 --> 35:03.814 how can I accelerate number one and number two? 35:03.815 --> 35:06.085 How can I do both of those faster? 35:06.086 --> 35:09.590 Because in some ways, even though 35:09.591 --> 35:11.810 as the one encrypt ransom ware issue 35:11.811 --> 35:14.497 that we've been going through shows. 35:14.498 --> 35:15.893 There's capability in their department 35:15.894 --> 35:17.194 there's allot of motivated men and women 35:17.195 --> 35:20.441 who are doing some good work, we were not impacted 35:20.442 --> 35:22.506 by one encrypt that wasn't from a lack of effort 35:22.507 --> 35:25.059 we had spent significant time starting in March 35:25.060 --> 35:26.687 asking ourselves 35:26.688 --> 35:29.436 how might this play out, how do we position ourselves, 35:29.437 --> 35:32.100 in the case of, because Microsoft had put out 35:32.101 --> 35:33.238 the patch for vulnerability 35:33.239 --> 35:35.594 we as Microsoft users saw that 35:35.595 --> 35:37.130 and started asking ourselves 35:37.131 --> 35:39.620 how might an opponent attempt to exploit this vulnerability 35:39.621 --> 35:41.205 even as we were working a patch. 35:41.206 --> 35:43.063 It's one of the reason why we use a defense 35:43.064 --> 35:46.124 in depth strategy, there's no one single solution 35:46.125 --> 35:47.890 there's is no one single way 35:47.891 --> 35:49.263 to fix this problem. 35:49.264 --> 35:52.110 It's layers built on top of each other. 35:52.111 --> 35:55.697 That really has been the key to our success. 35:55.698 --> 35:59.193 So, we're asking ourselves how could we do this faster 35:59.194 --> 36:02.280 every day, one of my biggest concerns is 36:02.281 --> 36:05.188 and I've never really had this same view point 36:05.189 --> 36:07.920 and almost 36 years of commission service. 36:07.921 --> 36:11.103 Every day, I literally think to myself, we are in a race 36:11.104 --> 36:13.697 to generate more capacity and more capability 36:13.698 --> 36:17.240 at the same time that I'm watching a host of global actors 36:17.241 --> 36:18.734 do the exact same thing. 36:18.735 --> 36:22.551 And so, we're trying to sustain both staying up with him 36:22.552 --> 36:23.752 but quite frankly my objective 36:23.753 --> 36:25.313 is to get ahead of the problem set. 36:25.314 --> 36:26.885 I don't like reacting to things 36:26.886 --> 36:28.918 that's not an effective or efficient way to do business 36:28.919 --> 36:30.987 and I don't think what that's what the nation 36:30.988 --> 36:31.987 wants from us. 36:31.988 --> 36:35.099 So, until I'm able to bore into the specifics of the budget 36:35.100 --> 36:36.548 that kind of gives you a broad sense 36:36.549 --> 36:38.770 of what I thought we needed to focus on. 36:38.771 --> 36:41.283 - So, would you say, Admiral, that the budget 36:41.284 --> 36:44.118 as it's been proposed 36:44.119 --> 36:47.704 provides resources necessary to regain superiority 36:47.705 --> 36:49.331 in areas that we've lost it. 36:49.332 --> 36:51.201 - It certainly moves us along that road 36:51.202 --> 36:53.942 but no one should think for one moment 36:53.943 --> 36:57.132 that this vision set, not unlike some others, 36:57.133 --> 36:59.064 is going to require increased 36:59.065 --> 37:01.962 and sustained investment over time. 37:01.963 --> 37:05.608 This is not going to be a one or two years 37:05.609 --> 37:07.808 we've increased you by some reasonable number 37:07.809 --> 37:09.676 which has been the case for the last two years 37:09.677 --> 37:10.863 and that's all you're gonna need. 37:10.864 --> 37:12.466 Look, at the scope or the challenges 37:12.467 --> 37:14.519 associated with this mission set 37:14.520 --> 37:15.840 and that from where we're starting, 37:15.841 --> 37:18.924 we've got a lot of hard work ahead of us. 37:18.925 --> 37:21.407 - And would you talk a little bit about 37:21.408 --> 37:23.607 how you are gonna measure 37:23.608 --> 37:26.022 success and how you are gonna measure progress 37:26.023 --> 37:29.384 along that path of regaining superiority. 37:29.385 --> 37:31.549 So, there's a couple components to it. 37:31.550 --> 37:33.942 First, we've developed a set of... 37:33.943 --> 37:36.054 we're in the process of developing a set of metrics 37:36.055 --> 37:38.749 so how do we truly assess readiness 37:38.750 --> 37:40.494 for this forces we've created. 37:40.495 --> 37:43.116 We focus for the first few years 37:43.117 --> 37:46.566 on assessing initial operating capability 37:46.567 --> 37:48.241 and final operating capabilities 37:48.242 --> 37:50.790 when you hear us talking slang about IOC and FOC 37:50.791 --> 37:52.432 and you heard me and my remarks. 37:52.433 --> 37:56.898 We achieved IOC essentially on time October 2016 37:56.899 --> 38:00.555 we have until 30 September 2018 to achieve FOC 38:00.556 --> 38:02.149 I think we're on track for that. 38:02.150 --> 38:04.193 But one of the things I tell the team is 38:04.194 --> 38:05.736 that doesn't get to war fighting 38:05.737 --> 38:08.366 and in the end, it's our ability to actually operate 38:08.367 --> 38:10.514 in a sustained heavy environment. 38:10.515 --> 38:12.539 Just like when we're building a brand new carrier 38:12.540 --> 38:15.649 or a brand new fire wing, for example. 38:15.650 --> 38:17.372 It's not enough, just to say, 38:17.373 --> 38:19.919 we've got all the pilots, we've got all the parts. 38:19.920 --> 38:22.042 It's about training, it's about assessing readiness. 38:22.043 --> 38:23.789 So, we're working our way through 38:23.790 --> 38:25.559 "How are we going to do that?" 38:25.560 --> 38:27.765 Then it's other things like, we ask ourselves, 38:27.766 --> 38:31.640 "Are we driving down defensive penetrations?" 38:31.641 --> 38:35.155 "Are we driving down malware infections?" 38:35.156 --> 38:38.065 There's some, you know, specific metrics 38:38.066 --> 38:40.485 that we think that we can use to give us a sense 38:40.486 --> 38:42.319 particularly on the defensive side. 38:42.320 --> 38:45.873 Are we being more effective or not? 38:45.874 --> 38:48.271 - [Cheney] Thank you very much, my times expired. 38:48.272 --> 38:51.265 - Mr. O'Rourke. 38:51.266 --> 38:52.136 - Thank you. 38:54.696 --> 38:56.169 Help me understand a little bit 38:56.170 --> 39:00.481 how we make clear to other countries in the world 39:00.482 --> 39:04.767 the consequences of cyber attacks 39:04.768 --> 39:08.432 with conventional weapons in conventional wars 39:08.433 --> 39:10.045 that there may be an understanding 39:10.046 --> 39:11.492 what the consequences will be 39:11.493 --> 39:12.883 should one country attack another 39:12.884 --> 39:14.826 with a certain kind of weapon. 39:14.827 --> 39:17.447 What is our level of dialogue with other countries 39:17.448 --> 39:20.048 including those countries with US threats 39:20.049 --> 39:22.767 including those countries to... 39:22.768 --> 39:24.252 We know have attacked us about 39:24.253 --> 39:26.016 what the consequences are going forward. 39:26.017 --> 39:28.639 - So, if I could in an unclassified session 39:28.640 --> 39:29.793 I'm not going to get into specifics 39:29.794 --> 39:33.385 associated with particular nation states 39:33.386 --> 39:35.735 and it hasn't been an one size fits all approach, 39:35.736 --> 39:38.465 which is truly broadly for strategy for us. 39:38.466 --> 39:39.625 I would argue as a nation 39:39.626 --> 39:41.199 that's not an one size fits all approach. 39:41.200 --> 39:43.100 We try to optimize 39:43.101 --> 39:45.504 the way we're looking at this particular challenge set 39:45.505 --> 39:47.608 based on whatever the particular near actor 39:47.609 --> 39:49.135 that we're dealing with. 39:49.136 --> 39:50.693 What works for mission won't necessarily 39:50.694 --> 39:54.460 have the same kind of impact as what will work for another. 39:54.461 --> 39:55.103 There's a couple, 39:55.104 --> 39:58.397 first let me talk about a couple basic things. 39:58.398 --> 40:01.448 We have been very public 40:01.449 --> 40:02.737 and acknowledge the fact 40:02.738 --> 40:04.715 that we are using cyber offensively 40:04.716 --> 40:07.511 against ISIS, not just because we want ISIS to know 40:07.512 --> 40:10.708 that we are contesting them, but quite frankly 40:10.709 --> 40:13.109 we also think that it's in our best interest for others 40:13.110 --> 40:14.672 to have a level of awareness 40:14.673 --> 40:17.386 that we are investing incapability and we are employing it. 40:17.387 --> 40:20.037 Within a legal law of arm conflict framework 40:20.038 --> 40:23.479 not indiscriminately, but we are employing it. 40:23.480 --> 40:27.168 We've acknowledged very publically and unclassified strategy 40:27.169 --> 40:28.231 documents for example 40:28.232 --> 40:30.717 for the Department of Cyberspace strategy. 40:30.718 --> 40:33.710 That we are developing offensive capability 40:33.711 --> 40:35.277 that we believe 40:35.278 --> 40:37.156 that deterrence is an important concept 40:37.157 --> 40:38.500 that we've got to work our way through. 40:38.501 --> 40:41.855 Trying to communicate to the world around us 40:41.856 --> 40:43.598 that we're aware of the kinds of activity 40:43.599 --> 40:44.657 that we're seeing out there. 40:44.658 --> 40:46.705 Some of it, we view with concern. 40:46.706 --> 40:49.632 As a result, we think it's in our own nation's best interest 40:49.633 --> 40:51.691 to have a set of capabilities 40:51.692 --> 40:54.620 that both generate greater options for our policy makers 40:54.621 --> 40:56.045 and our operational commanders. 40:56.046 --> 40:57.440 But at the same time 40:57.441 --> 40:59.384 help communicate to others around us. 40:59.385 --> 41:03.321 You don't want to go down this road with us. 41:03.322 --> 41:06.098 I think that the reaction, 41:06.099 --> 41:09.586 or the way (mumbling) played out in the United States 41:09.587 --> 41:11.513 for example is a very good example of that. 41:11.514 --> 41:15.451 Hey, look, in a major malware effort 41:15.452 --> 41:17.623 that took down many systems 41:17.624 --> 41:19.400 and lots of other parts of the world 41:19.401 --> 41:21.134 did not have the same level of effect 41:21.135 --> 41:22.311 in this here in the United States. 41:22.312 --> 41:24.506 - Let me ask you a question. - Not by chance. 41:24.507 --> 41:27.001 - To what degree are we treaty bound 41:27.002 --> 41:29.767 to assist an ally whose attacked 41:29.768 --> 41:32.401 through cyber not kinetically 41:32.402 --> 41:35.709 and are we already assisting allies who are... 41:35.710 --> 41:39.618 and maybe to use that most recent example that you just gave 41:39.619 --> 41:42.050 - So, that's a bit of a legal question 41:42.051 --> 41:44.357 and it's not my lane, but I'll give you my thoughts 41:44.358 --> 41:48.421 from my perspective as an operational commander. 41:48.422 --> 41:50.883 We for example, NATO has been very direct 41:50.884 --> 41:53.410 in saying that they view cyber 41:53.411 --> 41:54.846 is a natural continuation 41:54.847 --> 41:57.192 of the standing article five framework 41:57.193 --> 41:59.715 where attack against one, is attack against all. 41:59.716 --> 42:03.504 Even as NATO acknowledges the application of article five 42:03.505 --> 42:04.852 is through a decision framework 42:04.853 --> 42:06.666 in the North Atlantic council 42:06.667 --> 42:08.302 and it's done on a case by case basis, 42:08.303 --> 42:10.255 but broadly, that's the intent. 42:10.256 --> 42:12.369 That's been communicated 42:12.370 --> 42:15.537 in multiple forms in multiple ways. 42:15.538 --> 42:19.292 For other nations, you'd have to ask (mumbling) 42:19.293 --> 42:21.042 what is a little bit smarter about the specifics 42:21.043 --> 42:24.164 of the standing mutual defense. 42:24.165 --> 42:26.377 - Okay, let me ask another question then. 42:26.378 --> 42:28.134 Because we know the Russians, 42:30.618 --> 42:34.819 attacked the integrity of our elections here. 42:34.820 --> 42:36.498 Because we know they have done that in other countries 42:36.499 --> 42:40.359 because past behaviors could predict the future behavior 42:40.360 --> 42:43.341 whose responsibility is it 42:43.342 --> 42:46.537 in this country and then kind of to... 42:46.538 --> 42:50.294 Maybe for the record on for our allies 42:50.295 --> 42:52.733 when our allies elections are attacked 42:52.734 --> 42:56.838 but is it cyber command to DHS or both? 42:56.839 --> 43:00.745 Should the RNC, or the DNC be attacked going forward 43:00.746 --> 43:03.645 for example whose responsibility is that? 43:03.646 --> 43:05.771 - So, under the current framework, this could change 43:05.772 --> 43:06.669 but under the current framework 43:06.670 --> 43:07.989 the Department of Homeland Security 43:07.990 --> 43:10.962 is overall responsibility for the provision of capability 43:10.963 --> 43:13.114 and capacity within the federal government 43:13.115 --> 43:16.305 in support of the private sector, broadly. 43:16.306 --> 43:19.978 Cyber command in its defying mission if directed 43:19.979 --> 43:23.464 as I said to support the defense of critical infrastructure. 43:23.465 --> 43:25.810 We would partner with DHS to do that. 43:25.811 --> 43:28.535 We would do that, cyber command 43:28.536 --> 43:30.602 by attempting to interdict that activity 43:30.603 --> 43:32.411 before it ever reached the US network. 43:32.412 --> 43:36.362 Quite frankly, we wouldn't focus on blue or friendly space 43:36.363 --> 43:38.366 we'd be out in grey and red space 43:38.367 --> 43:39.880 if will trying to stop the activity 43:39.881 --> 43:41.662 (mumbling) - It's yours before it gets 43:41.663 --> 43:42.523 here, once it gets here 43:42.524 --> 43:44.205 it's how you kill. - And then once, 43:44.206 --> 43:47.686 simplicistically, then once it gets here, 43:47.687 --> 43:50.733 DHS has created a sector of framework 43:50.734 --> 43:52.750 cyber command also has capabilities 43:52.751 --> 43:56.241 in the form of nation cyber protection teams 43:56.242 --> 43:59.445 that we would also deploy in partnership with DHS 43:59.446 --> 44:00.852 to support among those 44:00.853 --> 44:03.531 16 specific critical infrastructure areas. 44:03.532 --> 44:05.937 Again, it's one of the things I mentioned early 44:05.938 --> 44:07.021 that I wanna test 44:07.022 --> 44:09.623 we're gonna start using one particular segment sector 44:09.624 --> 44:11.378 that's a little bit more mature 44:11.379 --> 44:13.035 than some of the other 15. 44:13.036 --> 44:14.188 - Thank you. 44:14.189 --> 44:16.261 - [Elise] Mr. Franks. 44:16.262 --> 44:17.608 - Well, thank you, Madame Chair. 44:17.609 --> 44:21.173 And thank you Admiral Rogers for your service to the country 44:21.174 --> 44:24.813 and your job is so very important to us all. 44:24.814 --> 44:27.253 You stated that your first mission priority 44:27.254 --> 44:29.922 is defense and DOD information networks. 44:32.142 --> 44:34.040 Would you suggest that, that means 44:34.041 --> 44:35.969 defensive operations nocturnally 44:35.970 --> 44:39.603 with take precedents over offensive operations? 44:39.604 --> 44:41.264 - No, because I remind the time, 44:41.265 --> 44:42.511 look, we have three missions 44:42.512 --> 44:45.101 and we have to be capable of executing all of them. 44:45.102 --> 44:46.745 I can't go to my boss and say, 44:46.746 --> 44:48.168 "Hey, I really just chose to focus 44:48.169 --> 44:50.040 "on number one." 44:50.041 --> 44:51.845 Now, don't get me wrong, like any commander 44:51.846 --> 44:53.776 I have to prioritize and so as I am looking 44:53.777 --> 44:55.586 at the challenges out there 44:55.587 --> 44:58.555 I have told the team we will prioritize against number one. 44:58.556 --> 44:59.926 Even as I acknowledge we still have 44:59.927 --> 45:02.039 to execute those other two missions 45:02.040 --> 45:04.820 but like any other operational organizations at times 45:04.821 --> 45:08.379 like to privatarized resources focus. 45:08.380 --> 45:10.953 But it is an, well, I just one and not the others 45:10.954 --> 45:12.109 we can't do all of them. 45:12.110 --> 45:14.239 - Yeah. 45:14.240 --> 45:15.603 - Well as you know 45:15.604 --> 45:17.366 how the DOD raise, realize 45:17.367 --> 45:20.911 upon the civilian power grid for 99% 45:20.912 --> 45:23.521 of its power requirement without which, 45:23.522 --> 45:25.932 I am told that it's becomes impossible 45:25.933 --> 45:27.637 and to affect 45:27.638 --> 45:30.136 the DOD mission. 45:30.137 --> 45:31.775 Do your priority include 45:31.776 --> 45:34.205 protecting US power grid another critical infrastructure 45:34.206 --> 45:35.899 in cyber attacks. 45:35.900 --> 45:39.683 - So again, I know responsibility 45:39.684 --> 45:41.876 for the defense that in the United States. 45:41.877 --> 45:43.391 I will say, one of things I've mentioned 45:43.392 --> 45:45.879 which is to see, we can may be look at doing differently 45:45.880 --> 45:47.028 and I'm having this conversation 45:47.029 --> 45:49.558 particularly with transcom at the moment. 45:49.559 --> 45:50.851 Right now, 45:50.852 --> 45:52.877 when it comes to, for example 45:52.878 --> 45:54.382 to critical infrastructure 45:54.383 --> 45:56.612 that the DOD accounts on the do its mission. 45:56.613 --> 45:59.704 When it comes to clear defense contractors 45:59.705 --> 46:02.050 who either are generating the capabilities that we use 46:02.051 --> 46:05.080 advanced fighters for example and other platforms 46:05.081 --> 46:09.908 as well as private industry for example 46:09.909 --> 46:13.431 for transcom that provides services, lift 46:13.432 --> 46:15.608 movement of cargo. 46:15.609 --> 46:19.146 Under the current structure, the defense security service 46:19.147 --> 46:22.284 is overall responsibility for the interface 46:22.285 --> 46:23.608 with those private companies 46:23.609 --> 46:27.163 not transcom for example, even though they work for transcom 46:27.164 --> 46:29.846 or they provide a service based on a contractual relation 46:29.847 --> 46:33.014 between transcom and not necessarily with us. 46:33.015 --> 46:35.759 I'd like to see is there a way to bring 46:35.760 --> 46:38.873 those operational commands, cyber command 46:38.874 --> 46:41.837 DSS, and that private sector together 46:41.838 --> 46:43.402 in a much more integrated way. 46:43.403 --> 46:44.772 Because what we are finding right now, 46:44.773 --> 46:49.035 is I will become aware of activity, I will pass that to DSS 46:49.036 --> 46:51.701 DSS passes that to the private sector. 46:51.702 --> 46:54.821 That doesn't come across to me as the fastest most efficient 46:54.822 --> 46:56.262 most agile way to do business 46:56.263 --> 46:57.724 and I would like to see if we could maybe 46:57.725 --> 47:00.655 try to change that. 47:00.656 --> 47:04.269 - Now, Admiral, you know that's been one of the challenges 47:04.270 --> 47:09.180 past that sometimes the whole ocean of protecting the grid 47:09.181 --> 47:11.247 from cyber security challenges 47:11.248 --> 47:14.613 is kind of a walks the 13th floor of humanity 47:14.614 --> 47:16.122 because we... 47:16.123 --> 47:18.422 And your department, 47:18.423 --> 47:20.973 we consider that a civilian responsibility. 47:20.974 --> 47:23.413 Of course, the civilian response is that, 47:23.414 --> 47:25.314 that is a national security issue 47:25.315 --> 47:27.308 and should not be our responsibility 47:27.309 --> 47:31.646 and my fear, of course is that neither (mumbling) 47:31.647 --> 47:34.423 focus on it necessary given its, 47:34.424 --> 47:35.984 - your stated - Yes, sir. 47:35.985 --> 47:37.901 - Yeah, so 47:37.902 --> 47:40.865 it's worth always touching base on. 47:40.866 --> 47:43.546 How will cyber security commence in posture improved 47:43.547 --> 47:45.223 once its elevated. 47:45.224 --> 47:46.950 And do you believe that you will have all the resources 47:46.951 --> 47:47.880 and authorities that you require 47:47.881 --> 47:49.314 to accomplish your assigned missions? 47:49.315 --> 47:52.153 And what do you expect your number one challenge will be 47:52.154 --> 47:56.066 in terms of Russia, China, Iran, ISIS, someone else? 47:56.067 --> 47:58.232 - So, let me try to unpackage 47:58.233 --> 48:00.615 if I forget in places let me know, sir. 48:00.616 --> 48:05.374 So, first, what's the benefit of elevation? 48:05.375 --> 48:07.721 Why have I and others recommended 48:07.722 --> 48:10.291 that that's a smart course of action. 48:10.292 --> 48:12.209 Even as I acknowledge the decisions not mine, 48:12.210 --> 48:13.293 as we've already talked. 48:13.294 --> 48:17.121 That's outline within legislation now it's the timing issue. 48:17.122 --> 48:19.299 Now, send a change to the legislation. 48:19.300 --> 48:21.219 In the department's processes, 48:21.220 --> 48:24.694 when it comes to how we develop budgets 48:24.695 --> 48:27.279 how we articulate prioritization, 48:27.280 --> 48:29.222 how we develop broad policy? 48:29.223 --> 48:32.451 It is generally built around the idea 48:32.452 --> 48:35.009 that the combatant commanders are the primary voices 48:35.010 --> 48:37.389 for the operational end of those processes. 48:37.390 --> 48:41.133 Not sub unified commands, combatant commanders. 48:41.134 --> 48:43.570 So, one of my concerns is that, 48:43.571 --> 48:45.998 we talk about the importance of cyber 48:45.999 --> 48:48.916 and I acknowledge there are other parties in the department 48:48.917 --> 48:51.853 and yet, for some not all, but for some of our processes 48:51.854 --> 48:54.408 the cyber expertise is not embedded in the current structure 48:54.409 --> 48:56.714 cause you put it one level below. 48:56.715 --> 48:59.749 So, I believe that elevation plugs us more directly 48:59.750 --> 49:02.141 into the primary decision making processes 49:02.142 --> 49:03.744 within the department which are really optimized 49:03.745 --> 49:05.594 for combatant commanders. 49:05.595 --> 49:08.450 It also makes us faster because now, 49:08.451 --> 49:10.551 I've got one less layer that I have to work through. 49:10.552 --> 49:13.166 I've been very blessed in my time as cyber command. 49:13.167 --> 49:15.368 This strategic command commanders I've worked with 49:15.369 --> 49:19.908 General Heighten, boy how quickly we forget. 49:19.909 --> 49:23.633 I can picture, he was a good flag officer friend. 49:23.634 --> 49:25.408 They were great to team with. 49:25.409 --> 49:28.213 Because I would tell them, "Look, if we're gonna insist 49:28.214 --> 49:30.692 "everything I do goes through off it. 49:30.693 --> 49:33.247 "I can't get the timeline as I can't get the speed." 49:33.248 --> 49:35.375 And this helps address that. 49:35.376 --> 49:36.372 - Time is expired. 49:36.373 --> 49:38.887 I now recognize Mr. Cooper. - Thank you. 49:38.888 --> 49:39.933 - Thank you, Madame Chair. 49:39.934 --> 49:42.595 Apparently, two of our colleagues have introduced a bill 49:42.596 --> 49:48.005 that would allow private sector US companies to hack back. 49:48.006 --> 49:49.834 Act of defense, 49:49.835 --> 49:51.068 I hadn't realized before 49:51.069 --> 49:53.122 that this is apparently illegal today 49:53.123 --> 49:55.684 absent will all change 49:55.685 --> 49:58.002 So, could you reflect on this proposal 49:58.003 --> 49:59.681 and whether it's a good idea or not. 49:59.682 --> 50:01.614 - For broadly... 50:01.615 --> 50:04.291 I'll only speak for Mike Rogers 50:04.292 --> 50:07.632 'cause I'm not in the policy leave, but I'm an opinion. 50:07.633 --> 50:11.251 As an operational commander, my concern is 50:11.252 --> 50:13.898 while there is certainly historic precedents for this. 50:13.899 --> 50:16.615 Nation states have often gone to the private sector 50:16.616 --> 50:19.168 when we lacked government capacity or capability. 50:19.169 --> 50:20.416 We did that in the revolutionary war. 50:20.417 --> 50:22.064 Letters of bark, we didn't have a navy. 50:22.065 --> 50:23.910 We to the private sector, 50:23.911 --> 50:26.835 gave them authority and protection via our government 50:26.836 --> 50:29.473 as I go out and capture cargo from the royal navy 50:29.474 --> 50:31.626 and from the British Merchant Fleet. 50:31.627 --> 50:35.448 My concern is be leary of putting more 50:35.449 --> 50:38.704 gun fighters out on the street and the wild west. 50:38.705 --> 50:40.793 As an individual task 50:40.794 --> 50:43.340 with protecting our networks 50:43.341 --> 50:45.936 I'm thinking to myself we got enough cyber actors 50:45.937 --> 50:46.806 out there already. 50:46.807 --> 50:47.893 Just putting more out there, 50:47.894 --> 50:50.279 I'm not sure is in everybody's best interest. 50:50.280 --> 50:52.814 And I would also be concerned legal liability 50:52.815 --> 50:54.750 you might and I'm not a lawyer. 50:54.751 --> 50:57.088 But the legal liability, that I would think 50:57.089 --> 50:59.474 that you'd have some liability issues associated 50:59.475 --> 51:02.551 with taking actions with second and third order effects 51:02.552 --> 51:05.816 so that you don't truly understand when you execute it. 51:05.817 --> 51:08.599 It's just my concern. 51:08.600 --> 51:10.600 - Are other countries doing this? 51:10.601 --> 51:12.562 Are you familiar with any other countries 51:12.563 --> 51:15.357 that have enabled their private sector... 51:15.358 --> 51:18.699 - There maybe equivalent legal frameworks out there. 51:18.700 --> 51:20.592 I certainly not that come to my attention 51:20.593 --> 51:23.807 and not that I have had a discussion about. 51:23.808 --> 51:25.990 - I was curious you used a gun fighter analogy 51:25.991 --> 51:28.460 'cause some people have thought that an NRA 51:28.461 --> 51:31.244 might set up a whole new wing of activity for this. 51:34.282 --> 51:36.630 It's... 51:36.631 --> 51:38.361 To the extent that private business 51:38.362 --> 51:41.598 in this country feels disconnected from government 51:41.599 --> 51:42.962 or as you pointed out earlier 51:42.963 --> 51:45.671 the government response is too slow. 51:45.672 --> 51:47.483 Or there are certain national security interests 51:47.484 --> 51:50.408 are not recognized as being national security interests 51:50.409 --> 51:52.579 even when it's protecting the grid. 51:52.580 --> 51:54.869 I think you are probably going to see greater pressure. 51:54.870 --> 51:56.604 - Right, I would agree. 51:56.605 --> 51:59.649 In some ways it goes back to 51:59.650 --> 52:02.367 again showing you my work, college, education 52:02.368 --> 52:03.415 I don't want you to think as a tax payer, 52:03.416 --> 52:05.612 I didn't listen when I was sent to service colleges. 52:05.613 --> 52:07.483 In the west failing in construct, 52:07.484 --> 52:10.758 the application of force has generally 52:10.759 --> 52:13.487 for the last several centuries been viewed 52:13.488 --> 52:15.902 as a mission 52:15.903 --> 52:18.148 or right of a cybering state. 52:18.149 --> 52:20.436 Not something that the private sector does. 52:20.437 --> 52:23.134 We don't use, for example for us 52:23.135 --> 52:25.179 we don't use contracts 52:25.180 --> 52:27.665 to actually drop and fire weapons. 52:27.666 --> 52:29.408 We don't use mercenaries to do that. 52:29.409 --> 52:30.835 We use uniform military. 52:30.836 --> 52:32.728 I would just be concerned 52:32.729 --> 52:34.262 that going that route again, 52:34.263 --> 52:37.515 argues against the broad principles we've used about 52:37.516 --> 52:38.980 to roll the state and applying force 52:38.981 --> 52:41.599 kinetically or non-kinetically. 52:41.600 --> 52:44.165 - We don't use those tools, 52:44.166 --> 52:47.698 but in our degraded west failing system 52:47.699 --> 52:50.051 we don't know who we are being attacked by. 52:50.052 --> 52:52.667 It might be state actors, crazed high state actors 52:52.668 --> 52:54.500 possibly private actors. 52:54.501 --> 52:55.672 Who knows? 52:55.673 --> 52:56.945 - Well, it would depend... 52:56.946 --> 52:58.283 It depends on the situation 52:58.284 --> 53:01.758 but I'm the first to acknowledge 100% attribution 53:01.759 --> 53:05.176 is probably the standard we're going to be driving for 53:05.177 --> 53:08.059 for a long time and not necessarily achieve immediately. 53:08.060 --> 53:11.149 - What percentage of accuracy and attribution 53:11.150 --> 53:13.012 would you give us today? 53:13.013 --> 53:14.839 - It depends on the actor, 53:14.840 --> 53:18.987 if you take for example 53:18.988 --> 53:21.268 speaking now as on the NSA side 53:21.269 --> 53:24.578 if you take a look at the efforts we did 53:24.579 --> 53:26.842 and the intelligence committee assessment 53:26.843 --> 53:28.703 where they expect a Russian efforts 53:28.704 --> 53:33.133 to influence the 2016 election process 53:33.134 --> 53:38.229 really highly confidential, very fine grain attribution. 53:38.230 --> 53:40.999 If you take a look at one encrypt for example 53:41.000 --> 53:43.734 we're 10 days into this and collectively both 53:43.735 --> 53:45.103 the private sector and the government 53:45.104 --> 53:48.298 we're still working our way to who are the actor... 53:48.299 --> 53:51.743 Who's the actor or actors associated with this. 53:51.744 --> 53:52.926 So it tends to vary 53:52.927 --> 53:55.898 there's no single concrete hint 53:55.899 --> 53:59.315 - So with the elections were close to 90%, 95% 53:59.316 --> 54:01.918 and with this we're 60, but raising in. 54:01.919 --> 54:04.306 - I don't know, I've never really thought about it 54:04.307 --> 54:05.569 from a number. 54:05.570 --> 54:06.964 - Okay. 54:06.965 --> 54:08.535 Thank you, Madame Chair. 54:08.536 --> 54:11.226 - [Elise] Mr. Scott 54:11.227 --> 54:12.878 - Thank you, Madame Chair, admiral, 54:12.879 --> 54:14.573 it's a long way from Auburn University and... 54:14.574 --> 54:15.597 - We're eagle, sir. 54:15.598 --> 54:17.969 - I hope you never lose a war or win a ball game. 54:17.970 --> 54:20.976 (laughing) 54:20.977 --> 54:23.509 I'm a University of Georgia graduate. 54:23.510 --> 54:25.970 - Oh, I have a brother who went to the University of Georgia 54:25.971 --> 54:26.894 and a sister in... - He's a good man. 54:26.895 --> 54:28.534 He's a good man. - Misguided individuals. 54:28.535 --> 54:29.532 - We'll see them... - I love them. 54:29.533 --> 54:30.577 (mumbling) - Well say the one 54:30.578 --> 54:34.555 (mumbling) (laughing) 54:34.556 --> 54:36.785 All kidding aside, thank you for your service 54:36.786 --> 54:39.197 and we talk... 54:39.198 --> 54:43.860 A lot about how fast technology changes 54:43.861 --> 54:47.591 and the acquisition process being a problem 54:47.592 --> 54:50.412 throughout the department, but 54:50.413 --> 54:53.741 I'd like to hear your comments on the personnel. 54:53.742 --> 54:57.031 Again, you speak to this in your comments. 54:57.032 --> 54:59.917 Your, when you get the... 54:59.918 --> 55:02.027 The young man and the young woman out there 55:02.028 --> 55:04.319 that's the best and the brightest. 55:04.320 --> 55:06.351 Their opportunities in the private sector 55:06.352 --> 55:10.073 versus their opportunities in the public sector 55:10.074 --> 55:11.721 under your command. 55:11.722 --> 55:13.976 The challenge is there 55:13.977 --> 55:16.208 in the issue of... 55:18.777 --> 55:21.362 What percentage of your personnel or civilian 55:21.363 --> 55:23.283 versus uniform? 55:23.284 --> 55:25.948 - Roughly we're about 80% 55:25.949 --> 55:27.787 military about 20% civilian, 55:27.788 --> 55:29.344 that's kind of what we're building to. 55:29.345 --> 55:31.611 It varies in some areas, but it's about 80, 20. 55:31.612 --> 55:35.980 - It, and that we have a tremendous number of... 55:35.981 --> 55:37.899 Wonderful people in uniform. 55:37.900 --> 55:39.942 Some of the people that we see that seem to be 55:39.943 --> 55:42.774 the best and the brightest in the technology field. 55:42.775 --> 55:45.020 Aren't exactly the people that you imagine 55:45.021 --> 55:47.323 going to boot camp. - Right. 55:47.324 --> 55:50.276 - How do we recruit in case? 55:50.277 --> 55:52.901 I mean do we have a system in place? 55:52.902 --> 55:55.387 To allow those people to serve. 55:55.388 --> 55:58.544 - So it's one of the reason why, we've tried to come up 55:58.545 --> 56:01.094 with a total force concept for us. 56:01.095 --> 56:03.462 Active, guard, reserve, 56:03.463 --> 56:05.170 civilian, contractor. 56:05.171 --> 56:07.146 That within that pool of 5, 56:07.147 --> 56:09.605 sub populations if you will. 56:09.606 --> 56:11.869 We can match almost any individual. 56:11.870 --> 56:15.683 Hey, I really wanna get into this, I wanna serve the nation. 56:15.684 --> 56:17.599 But I have no desire to deploy 56:17.600 --> 56:19.529 or be put through the physical fitness standards 56:19.530 --> 56:20.751 of the uniform. Well boy, 56:20.752 --> 56:23.875 I'd love to work for you as the civilian. 56:23.876 --> 56:26.517 Hey, I like mobility, I'm gonna try the contractor route. 56:26.518 --> 56:27.973 So I can move around a little bit. 56:27.974 --> 56:31.652 We tried to build a structure that enables us 56:31.653 --> 56:34.821 to try to attract a pretty broad swathe. 56:34.822 --> 56:37.015 The positive side to me 56:37.016 --> 56:38.867 is... 56:38.868 --> 56:41.432 Boy, when you get people in the team structure... 56:41.433 --> 56:44.251 I was just talking to one of the service review panels 56:44.252 --> 56:46.551 one of the, one of the services out there 56:46.552 --> 56:50.420 has created, has asked a party of grey beards 56:50.421 --> 56:52.262 to take a look at how they manage 56:52.263 --> 56:54.659 the cyber mission force within their service 56:54.660 --> 56:57.159 and to answer the question, 56:57.160 --> 56:58.776 are they really optimized for the future? 56:58.777 --> 57:01.163 I and coincidentally this morning was just sitting down 57:01.164 --> 57:05.433 with this retired former chief of their service 57:05.434 --> 57:07.396 and I said, "We'll you've talked to the teams." 57:07.397 --> 57:08.948 Because they did that as part of their process. 57:08.949 --> 57:10.887 They said, "Tell me what you're hearing from them." 57:10.888 --> 57:11.815 Because I have a sentiment, 57:11.816 --> 57:13.185 I'm curious of what you're hearing 57:13.186 --> 57:15.137 and he said to me, 57:15.138 --> 57:18.163 The most amazing thing is every team we talked to, 57:18.164 --> 57:20.158 these men and women are so motivated 57:20.159 --> 57:21.255 and in love what they're doing. 57:21.256 --> 57:23.030 I mean, that is a real plus for you. 57:23.031 --> 57:25.306 They really are into this mission. 57:25.307 --> 57:26.813 Because their self image is... 57:26.814 --> 57:29.996 They're the digital warriors of the 21st century. 57:29.997 --> 57:31.827 That the challenge I think we've got to work 57:31.828 --> 57:33.041 with the service is 57:33.042 --> 57:35.894 who provide this man power capability. 57:35.895 --> 57:38.590 How do we manage it affectively over time? 57:38.591 --> 57:40.748 and how do we also build into this 57:40.749 --> 57:42.191 the fact that we got to acknowledge 57:42.192 --> 57:44.459 there are some areas we're gonna need to do differently. 57:44.460 --> 57:46.862 We can't put a person in this once 57:46.863 --> 57:49.206 and then spend all that time training him. 57:49.207 --> 57:50.825 And then they don't do it for another ten years. 57:50.826 --> 57:53.154 That, that's ridiculous to me. 57:53.155 --> 57:55.144 On the other hand I realize that there's more than just 57:55.145 --> 57:56.068 the cyber mission force, 57:56.069 --> 57:57.903 is the services are asking themselves... 57:57.904 --> 58:01.320 How are we building a broader work force to address cyber? 58:01.321 --> 58:03.897 So, so I'm working with the services about what percentage 58:03.898 --> 58:07.604 of the eligible train population makes sense. 58:07.605 --> 58:09.766 What kind of policy we should have with respect 58:09.767 --> 58:12.250 to retouring them so we sustain 58:12.251 --> 58:15.231 some level of capability and experience over time 58:15.232 --> 58:17.933 and we're not starting all over again every three years. 58:17.934 --> 58:19.440 That's one of the challenges at the moment 58:19.441 --> 58:22.773 that one service is trying to deal with. 58:22.774 --> 58:24.280 Their model I'm trying to argue, 58:24.281 --> 58:25.967 we've got to make some changes to... 58:25.968 --> 58:28.518 We just can't afford to retrain everybody every three years 58:28.519 --> 58:29.873 I just don't think that's cost affective 58:29.874 --> 58:32.650 and it's a little demoralizing to the men and women. 58:32.651 --> 58:34.231 - And I think this is gonna be one of our 58:34.232 --> 58:38.586 greatest challenges going forward and how we handle... 58:38.587 --> 58:39.921 The cyber war. - Right. 58:39.922 --> 58:43.243 If you will and not just with your issue. 58:43.244 --> 58:45.803 We, we hear the same thing about the drone pilots 58:45.804 --> 58:48.154 and the... 58:48.155 --> 58:50.625 How dedicated they are and... 58:50.626 --> 58:54.000 And how determined they are, and... 58:54.001 --> 58:55.866 You know, the need for flexibility. 58:55.867 --> 58:57.681 - Yes, sir. - With where they work in 58:57.682 --> 58:59.590 and, and the time that they work. 58:59.591 --> 59:01.352 And this, and I've... 59:01.353 --> 59:03.790 I recognize it from a pay scale. 59:05.869 --> 59:10.878 We're nowhere close to what... 59:10.879 --> 59:12.571 They would get... - Right, but on the other hand 59:12.572 --> 59:14.234 - So, I appreciate their commitment to the country 59:14.235 --> 59:14.960 - Right. - Your commitment 59:14.961 --> 59:16.631 to the country as well. - Sir. 59:16.632 --> 59:19.035 - Thank you. 59:19.036 --> 59:20.805 - [Elise] Mr. Wilson. 59:20.806 --> 59:22.529 - Thank you, Chairwoman Elise Stefanik 59:22.530 --> 59:23.838 for your extraordinary leadership 59:23.839 --> 59:25.897 on organizing this hearing and - Sir. 59:25.898 --> 59:29.026 it's just an honor, Admiral to be back with you 59:29.027 --> 59:32.258 and we appreciate your innovative service. 59:32.259 --> 59:34.803 To address the issues of cyber defense. 59:34.804 --> 59:36.992 As the former chairman of the subcommittee 59:36.993 --> 59:38.872 on emerging threats and capability. 59:38.873 --> 59:42.823 I'm keenly aware of the huge challenges that lie before us 59:42.824 --> 59:45.936 and the extraordinary men and women that you put together 59:45.937 --> 59:47.750 to serve in your command. 59:47.751 --> 59:51.419 Cyber security is 24 hours a day, 59:51.420 --> 59:53.737 365 day a year responsibility 59:53.738 --> 59:55.559 that requires instantaneous 59:55.560 --> 59:58.253 analysis, response and deterrence. 59:58.254 --> 01:00:00.806 And after each cyber attack 01:00:00.807 --> 01:00:03.095 it, we have their circumstances 01:00:03.096 --> 01:00:05.228 where the government officials are grappling 01:00:05.229 --> 01:00:08.287 with whether or not it constitutes a mere nuisance 01:00:08.288 --> 01:00:10.165 or an act of war. 01:00:10.166 --> 01:00:11.787 Is for this reason I introduce 01:00:11.788 --> 01:00:15.984 the cyber attack standards measurements study act HR1030 01:00:15.985 --> 01:00:19.529 which would require that a direct of national intelligence 01:00:19.530 --> 01:00:21.508 homeland security department, 01:00:21.509 --> 01:00:24.673 FBI and secretary of defense to conduct a study 01:00:24.674 --> 01:00:26.825 to determine appropriate standards 01:00:26.826 --> 01:00:30.270 that could be used to quantify the damage of cyber incidents 01:00:30.271 --> 01:00:33.772 for the purpose of determining appropriate response. 01:00:33.773 --> 01:00:35.040 And two questions. 01:00:35.041 --> 01:00:37.803 Do you believe that there exist an inter agency definition 01:00:37.804 --> 01:00:39.581 for cyber active war? 01:00:39.582 --> 01:00:43.331 And secondly do you believe that we have a common metric 01:00:43.332 --> 01:00:45.824 to measure cyber incidents 01:00:45.825 --> 01:00:50.454 which could benefit the interagency response. 01:00:50.455 --> 01:00:51.988 - I think there's a broad 01:00:51.989 --> 01:00:54.995 certainly in the kinetic world, there's a broad definition 01:00:54.996 --> 01:00:56.835 out there of an act of war. 01:00:56.836 --> 01:00:59.082 But even in the kinetic world 01:00:59.083 --> 01:01:01.213 it's still somewhat situational 01:01:01.214 --> 01:01:03.030 And so I fully expect that our experience 01:01:03.031 --> 01:01:06.834 and cyber is gonna be something similar. 01:01:06.835 --> 01:01:10.377 It goes to one of the previous questions in some ways. 01:01:10.378 --> 01:01:13.649 articulating those concepts 01:01:13.650 --> 01:01:16.344 in a way that actors understand 01:01:16.345 --> 01:01:17.939 that you maybe tripping a threshold 01:01:17.940 --> 01:01:19.461 that will trigger response. 01:01:19.462 --> 01:01:21.265 I think that's in our best long term interest. 01:01:21.266 --> 01:01:23.295 That, that helps I think... 01:01:23.296 --> 01:01:26.480 Helped in nation, states, actors, groups out there 01:01:26.481 --> 01:01:27.799 who understand 01:01:27.800 --> 01:01:30.420 there are potential prices to pay here 01:01:30.421 --> 01:01:33.449 and at some point you will trip a threshold again 01:01:33.450 --> 01:01:35.138 depending on the scenario. 01:01:35.139 --> 01:01:37.510 And that's not a good place for you to be. 01:01:37.511 --> 01:01:39.079 We're clearly still working our way through there 01:01:39.080 --> 01:01:42.046 and I'm not a policy guy, I'm the operational guy 01:01:42.047 --> 01:01:44.727 though I try to figure out what we, what do we do 01:01:44.728 --> 01:01:48.511 once the policy maker makes that determination. 01:01:48.512 --> 01:01:49.367 - And thank you. 01:01:49.368 --> 01:01:51.537 for recognizing too, it can be nation states, 01:01:51.538 --> 01:01:53.636 it could be other actors. 01:01:53.637 --> 01:01:57.738 What a challenge and so, we're so grateful for your service. 01:01:57.739 --> 01:02:00.480 One of the first challenges that you have 01:02:00.481 --> 01:02:02.822 are updating in unacquainted infrastructure 01:02:02.823 --> 01:02:04.947 - Yes, sir. - I'm grateful that the... 01:02:04.948 --> 01:02:07.096 the district town representatives is adjacent 01:02:07.097 --> 01:02:10.316 to Fort Gordon, home of the army cyber command. 01:02:10.317 --> 01:02:12.807 Can you please describe the amount of infrastructure 01:02:12.808 --> 01:02:16.482 moniterization that needs to occur and how to demand 01:02:16.483 --> 01:02:19.914 differs across the army, navy, air force and marines. 01:02:19.915 --> 01:02:21.398 - So, it... 01:02:21.399 --> 01:02:23.694 As we saw and I'll use one encrypt as an example 01:02:23.695 --> 01:02:27.275 as we're working our way through the services 01:02:27.276 --> 01:02:30.171 because I have overall operational responsibility 01:02:30.172 --> 01:02:32.255 the service is physically own much 01:02:32.256 --> 01:02:33.463 into the current network structure 01:02:33.464 --> 01:02:35.592 the service is still owned much of the infrastructure. 01:02:35.593 --> 01:02:37.274 So I partner with them 01:02:37.275 --> 01:02:41.511 in attempting to address that infrastructure cyber security. 01:02:41.512 --> 01:02:44.468 What one of the things we continue to find is... 01:02:44.469 --> 01:02:48.974 We are still carrying a lot of very old infrastructure. 01:02:48.975 --> 01:02:51.999 That offers potential increased vulnerability. 01:02:52.000 --> 01:02:54.556 And the defense in depth approach we use is designed 01:02:54.557 --> 01:02:55.874 to help mitigate that. 01:02:55.875 --> 01:02:58.897 But I literally just sent a note to a service chief 01:02:58.898 --> 01:03:00.732 earlier this week 01:03:00.733 --> 01:03:02.567 and, and senior leaders in that service 01:03:02.568 --> 01:03:05.602 and said look at some point 01:03:05.603 --> 01:03:08.361 these vulnerabilities down at the tactical level 01:03:08.362 --> 01:03:10.822 in our acquisition will become 01:03:10.823 --> 01:03:15.452 potential points of exploitation by others that have the 01:03:15.453 --> 01:03:17.861 the chance to negate some of that defense in depth. 01:03:17.862 --> 01:03:19.596 So we've got to address this. 01:03:19.597 --> 01:03:22.625 I, I find, we've talk a lot about man power. 01:03:22.626 --> 01:03:25.544 But in some ways to me the acquisition piece. 01:03:25.545 --> 01:03:27.075 That's hard, that's even harder 01:03:27.076 --> 01:03:30.909 because it's long term, it's huge some cost 01:03:30.910 --> 01:03:34.076 and it is competing against priorities like 01:03:34.077 --> 01:03:36.845 so do you want me to buy more F35's 01:03:36.846 --> 01:03:38.751 additional you know carriers. 01:03:38.752 --> 01:03:41.674 Do you, do you want more brigade combat teams. 01:03:41.675 --> 01:03:43.487 In a, in a world of finite resources 01:03:43.488 --> 01:03:46.043 you gotta make those resource trade-offs 01:03:46.044 --> 01:03:48.008 and in general 01:03:48.009 --> 01:03:50.112 the acquisition world hasn't historically 01:03:50.113 --> 01:03:52.012 always been intensified 01:03:52.013 --> 01:03:55.883 for cyber security outcomes as it primary metric. 01:03:55.884 --> 01:03:57.709 - Well, thank you very much and we look forward 01:03:57.710 --> 01:04:00.186 to working with Chairwoman Stefanik 01:04:00.187 --> 01:04:02.080 back you up in every way. - Thanks. 01:04:02.081 --> 01:04:04.448 - With my time running out 01:04:04.449 --> 01:04:06.602 I do wanna thank you for 01:04:06.603 --> 01:04:09.380 the participation by the national guard 01:04:09.381 --> 01:04:11.747 in your efforts and what has been the level 01:04:11.748 --> 01:04:14.357 and, and what more can we do to help you in this regard. 01:04:14.358 --> 01:04:16.634 Boy's, if just look at the cyber command 01:04:16.635 --> 01:04:18.460 we have over a 100 01:04:18.461 --> 01:04:21.902 guardsmen in reserve every day, supporting us. 01:04:21.903 --> 01:04:24.047 Every day we have, we currently have 01:04:24.048 --> 01:04:26.549 guard components activated on the 01:04:26.550 --> 01:04:29.273 defensive side and the offensive side. 01:04:29.274 --> 01:04:32.992 Some of our specialized capabilities. 01:04:32.993 --> 01:04:35.064 So the guard is a day to day player for us. 01:04:35.065 --> 01:04:37.602 If you also look at what the guard is doing... 01:04:37.603 --> 01:04:40.076 Oops, sorry, ma'am. - Thank you very much. 01:04:40.077 --> 01:04:40.996 - Time's expired. 01:04:40.997 --> 01:04:42.863 They are calling votes soon so I want to get to everybody. 01:04:42.864 --> 01:04:44.430 Dr. Winsthrope. 01:04:44.431 --> 01:04:45.398 - Thank you, Madame Chair 01:04:45.399 --> 01:04:47.789 and Admiral good to be with you here today. 01:04:47.790 --> 01:04:50.752 Appreciate it what you were talking about various structures 01:04:50.753 --> 01:04:53.144 of how we, we set up our command and 01:04:53.145 --> 01:04:54.746 then, you know where we are headed. 01:04:54.747 --> 01:04:56.753 - I'm curious what our adversaries are doing? 01:04:56.754 --> 01:04:59.208 What do we know about how they're structured. 01:04:59.209 --> 01:05:01.930 And, and looking at what they are doing 01:05:01.931 --> 01:05:04.430 and maybe guiding us in some way. 01:05:04.431 --> 01:05:05.971 - In some ways it's kinda interesting 01:05:05.972 --> 01:05:08.036 you not gonna get it know classified discussion. 01:05:08.037 --> 01:05:09.628 But broadly 01:05:09.629 --> 01:05:10.915 cyber command is viewed as. 01:05:10.916 --> 01:05:12.707 Well, this is a really interesting concept 01:05:12.708 --> 01:05:13.775 that the US is created 01:05:13.776 --> 01:05:15.948 What can we do to attempt it, emulate at least parts of it 01:05:15.949 --> 01:05:17.005 not arguing that it is perfect 01:05:17.006 --> 01:05:20.343 that everyone else in the world wants to. 01:05:20.344 --> 01:05:21.908 But in general 01:05:21.909 --> 01:05:24.829 it's been a lot of time talking to allies 01:05:24.830 --> 01:05:26.049 and they all often say to me 01:05:26.050 --> 01:05:27.562 while we may not opt to go 01:05:27.563 --> 01:05:30.839 to same particular structure you've created. 01:05:30.840 --> 01:05:32.805 The process you went through. 01:05:32.806 --> 01:05:35.427 That, that the capabilities you've developed. 01:05:35.428 --> 01:05:37.055 The way you've created an organization 01:05:37.056 --> 01:05:40.318 operational construct that focused on generating outcomes. 01:05:40.319 --> 01:05:42.256 and we're really interested in doing that. 01:05:42.257 --> 01:05:44.850 Is, is there a way we can potentially partner? 01:05:44.851 --> 01:05:46.961 So part of cyber commands missions sent right now 01:05:46.962 --> 01:05:49.788 is you spend a lot of time with 01:05:49.789 --> 01:05:51.444 foreign partners around the world 01:05:51.445 --> 01:05:53.360 no I can't, I'm the first to acknowledge 01:05:53.361 --> 01:05:54.595 I have to prioritized here. 01:05:54.596 --> 01:05:57.356 But as part of the border department strategy 01:05:57.357 --> 01:05:59.377 I have prioritized different areas of the world 01:05:59.378 --> 01:06:01.116 that we really heavily focused on right now 01:06:01.117 --> 01:06:02.598 in terms of partnership 01:06:02.599 --> 01:06:05.558 As helping those nations develop cyber capability. 01:06:05.559 --> 01:06:08.572 - That's our allies. But what and you mentioned 01:06:08.573 --> 01:06:10.593 in different settings. Go into more detail 01:06:10.594 --> 01:06:11.977 what our... - Right, if I could 01:06:11.978 --> 01:06:15.520 I be glad then the... - Another time. 01:06:15.521 --> 01:06:16.615 - I appreciate that. - share some interesting 01:06:16.616 --> 01:06:17.690 thoughts there. 01:06:17.691 --> 01:06:18.890 - You did mention that 01:06:18.891 --> 01:06:21.015 we wanted people to know some of the things 01:06:21.016 --> 01:06:23.439 we were doing to counter ISIS 01:06:23.440 --> 01:06:25.963 and maybe that's kind of a 01:06:25.964 --> 01:06:30.000 you know hitting them but a shot across the bow for others. 01:06:30.001 --> 01:06:33.502 Have you felt that it's had an effect? 01:06:33.503 --> 01:06:35.868 - I, I certainly hope so. 01:06:37.946 --> 01:06:39.160 Because quite frankly again 01:06:39.161 --> 01:06:41.777 one of the reasons we opted to publicly acknowledge this 01:06:41.778 --> 01:06:43.848 was we wanted other actors to be aware 01:06:43.849 --> 01:06:45.451 that we are developing and employing. 01:06:45.452 --> 01:06:46.782 Again with an illegal framework 01:06:46.783 --> 01:06:48.577 but we are developing 01:06:48.578 --> 01:06:50.906 and employing these, those capabilities. 01:06:50.907 --> 01:06:53.266 That, there is certainly is an increased awareness 01:06:53.267 --> 01:06:54.989 by some actors around the world 01:06:54.990 --> 01:06:57.481 as they look at us as they try to study us about 01:06:57.482 --> 01:06:59.384 you know capabilities and kinds of things we're doing 01:06:59.385 --> 01:07:01.068 again not gonna get into 01:07:01.069 --> 01:07:03.594 specifics, but we are certainly aware of that. 01:07:03.595 --> 01:07:05.091 - Yeah and another setting 01:07:05.092 --> 01:07:07.226 - Yes sir, - I'd be glad to. 01:07:07.227 --> 01:07:09.138 We'll have that opportunity I'm sure. 01:07:09.139 --> 01:07:10.661 Thank you very much 01:07:10.662 --> 01:07:12.844 - Sir. 01:07:12.845 --> 01:07:14.048 - Thank you. 01:07:14.049 --> 01:07:15.403 Thank you very much admiral Rogers 01:07:15.404 --> 01:07:17.411 for your testimony. 01:07:17.412 --> 01:07:19.357 At this time they are likely to call votes 01:07:19.358 --> 01:07:21.280 in the next couple of minutes or so. 01:07:21.281 --> 01:07:23.991 After votes are finished we'll reconvene 01:07:23.992 --> 01:07:26.583 in Rayburn 2337 upstairs 01:07:26.584 --> 01:07:28.608 for the closed portion of this. 01:07:28.609 --> 01:07:30.798 If there are additional questions from the members 01:07:30.799 --> 01:07:32.611 please feel free to submit them for the record 01:07:32.612 --> 01:07:34.754 and then we can anticipate a responsibility. 01:07:34.755 --> 01:07:37.034 This committee is adjourned and we'll reconvene. 01:07:37.035 --> 01:07:38.090 - Thank you, ma'am.