WEBVTT

00:00.601 --> 00:01.434
- Good morning.

00:01.434 --> 00:03.146
Committee meets today to receive testimony

00:03.146 --> 00:05.448
on the U.S. government's policy strategy

00:05.448 --> 00:09.615
and organization to protect our nation in cyberspace.

00:10.519 --> 00:14.686
To begin, I'd like to thank Senators Rounds and Nelson

00:15.207 --> 00:17.275
for their leadership on these issues,

00:17.275 --> 00:20.275
and our cyber security subcommittee.

00:20.468 --> 00:22.511
This hearing builds upon the good work

00:22.511 --> 00:24.457
that they and their subcommittee have done this year

00:24.457 --> 00:27.711
to tackle the critical challenge of cyber.

00:27.711 --> 00:29.358
This is a challenge that is growing

00:29.358 --> 00:31.608
more dire and more complex.

00:31.724 --> 00:34.212
Not a week passes that we don't read about

00:34.212 --> 00:36.377
some disturbing new incident.

00:36.377 --> 00:39.127
Cyber attacks against our government systems

00:39.127 --> 00:40.638
and critical infrastructure,

00:40.638 --> 00:44.285
data breaches that compromise sensitive information

00:44.285 --> 00:46.734
of our citizens and companies,

00:46.734 --> 00:50.048
attempts to manipulate public opinion through social media,

00:50.048 --> 00:52.415
and of course, attacks against the fundamentals

00:52.415 --> 00:55.498
of our democratic system and process.

00:56.376 --> 00:59.902
And those are just the ones that we know about.

00:59.902 --> 01:03.333
This is a totally new kind of threat, as we all know.

01:03.333 --> 01:05.772
Our adversaries, both state and non-state actors,

01:05.772 --> 01:09.013
view the entire information domain as a battle space,

01:09.013 --> 01:13.180
and across it, they are waging a new kind of war against us,

01:14.184 --> 01:18.267
a war involving but extending beyond our military

01:18.436 --> 01:20.282
to include our infrastructure,

01:20.282 --> 01:22.497
our businesses, and our people.

01:22.497 --> 01:25.187
The Department of Defense has a critical role to play

01:25.187 --> 01:27.007
in this new kind of war,

01:27.007 --> 01:29.899
but it can't succeed alone, and to be clear,

01:29.899 --> 01:31.732
we are not succeeding.

01:31.799 --> 01:34.191
For years we have lacked policies and strategies

01:34.191 --> 01:37.305
to counter our adversaries in the cyber domain,

01:37.305 --> 01:38.638
and we still do.

01:38.927 --> 01:41.271
This is in part because we're trying to defeat

01:41.271 --> 01:45.438
a 21st century threat with the organizations and processes

01:45.725 --> 01:47.392
of the last century.

01:47.731 --> 01:49.405
This is true in the Executive Branch

01:49.405 --> 01:53.471
and frankly, it's also true here in the Congress,

01:53.471 --> 01:55.054
and we are failing.

01:56.913 --> 01:59.028
That's why this committee is holding today's hearing

01:59.028 --> 02:02.386
and why we have taken the unorthodox step

02:02.386 --> 02:05.295
of inviting witnesses from across our government

02:05.295 --> 02:06.628
to appear today.

02:06.965 --> 02:08.641
Our witnesses are the senior officials

02:08.641 --> 02:12.663
responsible for cyber within their respective agencies,

02:12.663 --> 02:15.111
and I want to thank them for joining us

02:15.111 --> 02:16.861
and welcome them now.

02:17.176 --> 02:20.054
Ken Rapuano, Assistant Secretary of Defense

02:20.054 --> 02:22.716
for Homeland Defense and Global Security,

02:22.716 --> 02:25.364
Scott Smith, Assistant Director for Cyber Division,

02:25.364 --> 02:27.938
Federal Bureau of Investigation,

02:27.938 --> 02:30.069
and Chris Krebs, Undersecretary for

02:30.069 --> 02:32.365
the National Protection and Programs Directorate

02:32.365 --> 02:35.615
at the Department of Homeland Security.

02:35.727 --> 02:37.563
I'd also like to note at the outset

02:37.563 --> 02:40.539
the empty chair at the witness table.

02:40.539 --> 02:44.089
The committee invited the principal U.S. cyber official,

02:44.089 --> 02:48.089
White House Cybersecurity Coordinator Rob Joyce.

02:49.336 --> 02:51.618
Many of us know Mr. Joyce and respect him deeply

02:51.618 --> 02:55.768
for his significant experience and expertise on cyber

02:55.768 --> 02:57.470
and his many years of government service

02:57.470 --> 02:59.760
at the National Security Agency.

02:59.760 --> 03:02.710
Unfortunately, but not surprisingly,

03:02.710 --> 03:04.028
the White House declined

03:04.028 --> 03:06.248
to have its cyber coordinator testify,

03:06.248 --> 03:08.691
citing executive privilege and precedent

03:08.691 --> 03:11.304
against having non-confirmed NSC staff

03:11.304 --> 03:13.554
testifying before Congress.

03:14.712 --> 03:16.803
While this is consistent with past practice

03:16.803 --> 03:20.562
on a bipartisan basis, I believe the issue of cyber

03:20.562 --> 03:22.639
requires us to completely rethink

03:22.639 --> 03:25.222
our old ways of doing business.

03:25.969 --> 03:28.636
To me, the empty chair before us

03:28.963 --> 03:31.470
represents a fundamental misalignment

03:31.470 --> 03:33.739
between authority and accountability

03:33.739 --> 03:37.223
in our government today, when it comes to cyber.

03:37.223 --> 03:40.778
All of our witnesses answer to the Congress

03:40.778 --> 03:42.868
for their part of the cyber mission,

03:42.868 --> 03:45.190
but none of them is accountable

03:45.190 --> 03:48.273
for addressing cyber in its entirety.

03:48.438 --> 03:52.605
In theory, that is the White House Cyber Coordinator's job,

03:53.683 --> 03:56.771
but that non-confirmable position lacks the full authority

03:56.771 --> 03:59.118
to make cyber policy and strategy

03:59.118 --> 04:01.702
and direct our government's efforts

04:01.702 --> 04:05.869
and that official is literally prohibited by legal precedent

04:06.234 --> 04:08.646
from appearing before the Congress.

04:08.646 --> 04:09.563
So when we,

04:10.007 --> 04:12.215
the elected representatives of the American people,

04:12.215 --> 04:14.629
ask who has sufficient authority

04:14.629 --> 04:17.705
to protect and defend our nation from cyber threats

04:17.705 --> 04:19.193
and who is accountable to us

04:19.193 --> 04:21.044
for accomplishing that mission,

04:21.044 --> 04:24.294
the answer is quite literally "no one."

04:25.186 --> 04:27.824
Previous administrations struggled to address this challenge

04:27.824 --> 04:30.324
between DoD, DHS, and the FBI,

04:30.915 --> 04:34.128
well-intentioned though it was, led to a result

04:34.128 --> 04:36.737
that is as complex and convoluted

04:36.737 --> 04:39.070
as it appears in this chart.

04:40.424 --> 04:41.257
Given that no single agency

04:41.257 --> 04:42.090
has all of the authorities required

04:42.090 --> 04:45.840
to detect, prevent, and respond to incidents,

04:46.946 --> 04:50.483
the model has created significant confusion

04:50.483 --> 04:51.855
about who is actually accountable

04:51.855 --> 04:55.627
for defending the United States from cyber attacks.

04:55.627 --> 04:59.191
Meanwhile, our increasingly capable adversaries

04:59.191 --> 05:00.682
continue to seek to exploit

05:00.682 --> 05:03.515
our vulnerabilities in cyberspace.

05:04.790 --> 05:06.957
Facing similar challenges,

05:07.027 --> 05:10.337
a number of our allies have pursued innovative models

05:10.337 --> 05:14.184
to emphasize increased coordination and consolidation.

05:14.184 --> 05:17.020
In doing so, they have significantly enhanced

05:17.020 --> 05:19.848
their ability to react and respond to incidents

05:19.848 --> 05:22.417
and to share information across government,

05:22.417 --> 05:23.750
with the public.

05:23.778 --> 05:26.924
For example, the United Kingdom recently established

05:26.924 --> 05:29.841
its national cyber security center,

05:30.793 --> 05:33.933
an organization that orchestrates numerous cyber functions

05:33.933 --> 05:37.018
across the British government under one roof,

05:37.018 --> 05:39.935
sitting side-by-side with industry.

05:39.996 --> 05:41.888
Today's hearing is an opportunity to have

05:41.888 --> 05:44.555
an honest and open conversation.

05:44.752 --> 05:47.222
Our concerns are not meant to be critical

05:47.222 --> 05:51.389
of our witnesses' leadership or of your organizations,

05:51.434 --> 05:52.955
as each of you are limited

05:52.955 --> 05:54.949
by the policy and legal frameworks

05:54.949 --> 05:58.866
established by Congress and the administration.

05:58.949 --> 06:01.782
Our intent is to better understand

06:02.286 --> 06:05.198
the coordination and deconfliction underway

06:05.198 --> 06:07.346
between agencies, and to identify

06:07.346 --> 06:09.763
where and how we can improve.

06:10.330 --> 06:12.221
The last thing any of us wants

06:12.221 --> 06:16.063
is to waste precious time during a major cyber incident

06:16.063 --> 06:17.950
because everyone who rushed to the scene

06:17.950 --> 06:22.117
thought they were in charge but none had the authority

06:22.236 --> 06:25.664
or even worse, realizing after a cyber incident

06:25.664 --> 06:28.326
that your organizations were not prepared

06:28.326 --> 06:30.373
and resourced to respond,

06:30.373 --> 06:32.319
based on a flawed assumption

06:32.319 --> 06:35.152
that someone else was responsible.

06:35.549 --> 06:37.889
I thank the witnesses for their service to our country,

06:37.889 --> 06:40.308
and their willingness to appear before this committee,

06:40.308 --> 06:44.354
as we continue to assess and address our cyber challenges.

06:44.354 --> 06:45.357
Senator Reed.

06:45.357 --> 06:46.795
- Oh, thank you very much, Mr. Chairman,

06:46.795 --> 06:49.343
for holding this hearing and I welcome my witness today.

06:49.343 --> 06:52.748
Let me also commend Senator Rounds and Senator Nelson

06:52.748 --> 06:54.991
for their great leadership on the subcommittee.

06:54.991 --> 06:56.347
The cyber threats facing a nation

06:56.347 --> 06:58.077
do not respect organizational

06:58.077 --> 07:00.943
or jurisdictional boundaries in the government.

07:00.943 --> 07:03.325
Defense Department, the intelligence community,

07:03.325 --> 07:05.686
the FBI, the Department of Homeland Security,

07:05.686 --> 07:08.471
are all critical in countering the cyber threat,

07:08.471 --> 07:10.634
but each agency functions in silos

07:10.634 --> 07:13.170
under specialized laws and authorities.

07:13.170 --> 07:14.251
In order to be successful,

07:14.251 --> 07:16.864
we must develop an integrated whole of government approach

07:16.864 --> 07:19.401
to strategic planning, resource allocation,

07:19.401 --> 07:21.638
and execution of operations.

07:21.638 --> 07:24.345
I think I'm echoing the Chairman's points.

07:24.345 --> 07:27.336
This problem is not unique to the cyber security mission.

07:27.336 --> 07:28.967
Violent extremism, narcotics,

07:28.967 --> 07:31.174
and human trafficking, transnational crime,

07:31.174 --> 07:33.001
proliferation of weapons of mass destruction,

07:33.001 --> 07:34.353
other challenges require

07:34.353 --> 07:36.603
an effective whole-of-government response

07:36.603 --> 07:38.684
that cut across the missions and responsibilities

07:38.684 --> 07:40.472
to the departments and agencies.

07:40.472 --> 07:42.115
As issues become more complex,

07:42.115 --> 07:43.473
these cross-cutting problems

07:43.473 --> 07:46.634
are becoming more numerous and serious over time.

07:46.634 --> 07:49.300
There have been various approaches to this problem,

07:49.300 --> 07:51.886
but with little demonstrated success.

07:51.886 --> 07:54.284
White House czars generally have

07:54.284 --> 07:55.563
few tools at their disposal,

07:55.563 --> 07:58.398
while a lead agency designated to address

07:58.398 --> 07:59.808
a cross-cutting challenge

07:59.808 --> 08:00.956
must also remain focused

08:00.956 --> 08:03.527
on the mission of its own organization.

08:03.527 --> 08:06.653
Last year President Obama signed PPD 41,

08:06.653 --> 08:09.874
the United States Cyber Incident Coordination Policy.

08:09.874 --> 08:12.621
It established a cyber response group

08:12.621 --> 08:15.346
to pull together a whole-of-government response

08:15.346 --> 08:17.091
in the event of a major cyber incident,

08:17.091 --> 08:20.311
but these are ad hoc organizations with little continuity

08:20.311 --> 08:23.209
that come together only in response to events.

08:23.209 --> 08:24.860
I believe what is needed instead

08:24.860 --> 08:27.915
is a framework with an integrated organizational structure

08:27.915 --> 08:30.755
authorized to plan and cooperate in peacetime

08:30.755 --> 08:33.655
against the constant aggression of cyber opponents.

08:33.655 --> 08:35.620
This arrangement has precedent.

08:35.620 --> 08:37.087
The Coast Guard is a service branch

08:37.087 --> 08:38.145
of the Department of Defense,

08:38.145 --> 08:39.355
but it's also a vital part

08:39.355 --> 08:41.558
of the Department of Homeland Security.

08:41.558 --> 08:42.872
It has intelligence authorities,

08:42.872 --> 08:44.110
defense responsibilities,

08:44.110 --> 08:45.270
customs and border enforcement

08:45.270 --> 08:47.392
and law enforcement authority.

08:47.392 --> 08:48.489
The Coast Guard exercises

08:48.489 --> 08:51.221
these blended authorities judiciously and responsibly

08:51.221 --> 08:53.889
and enjoys the confidence of the American people.

08:53.889 --> 08:56.169
Therefore, we can solve this problem.

08:56.169 --> 08:58.889
We have examples where we have solved this problem.

08:58.889 --> 09:00.821
Last year's National Defense Authorization Act

09:00.821 --> 09:03.315
created cross-functional teams to address problems

09:03.315 --> 09:05.152
that cut across the functional organizations

09:05.152 --> 09:06.869
in the Defense Department.

09:06.869 --> 09:09.151
These teams are composed of experts

09:09.151 --> 09:10.385
and the functional organizations

09:10.385 --> 09:12.250
but rise above the parochial interest

09:12.250 --> 09:13.694
of the bureaucracies.

09:13.694 --> 09:16.683
The team leads would exercise executive authority

09:16.683 --> 09:18.966
delegated by the Secretary of Defense.

09:18.966 --> 09:20.367
Such an approach might be a model

09:20.367 --> 09:21.973
for the interagency to address

09:21.973 --> 09:24.868
a cross-cutting problem like cybersecurity

09:24.868 --> 09:27.570
and there indeed is urgency to our task.

09:27.570 --> 09:29.769
Russia attacked our election last year.

09:29.769 --> 09:32.064
They similarly attacked multiple European countries,

09:32.064 --> 09:34.238
the NATO alliance and the European Union.

09:34.238 --> 09:36.147
The intelligence community assures us

09:36.147 --> 09:38.995
that Russia will attack our upcoming midterm elections.

09:38.995 --> 09:40.855
So far we have seen no indication

09:40.855 --> 09:42.692
that the administration is taking action

09:42.692 --> 09:45.440
to prepare for this next inevitability.

09:45.440 --> 09:47.670
Finally, the government cannot do this alone.

09:47.670 --> 09:50.098
As former cyber commander and NSA director,

09:50.098 --> 09:52.454
General Keith Alexander testified

09:52.454 --> 09:54.055
"While the primary responsibility of government

09:54.055 --> 09:55.298
is to defend the nation,

09:55.298 --> 09:57.522
"the private sector also shares responsibility

09:57.522 --> 09:59.649
"in creating the partnerships necessary

09:59.649 --> 10:02.017
"to make the defense of our nation possible.

10:02.017 --> 10:03.969
"Neither the government nor the private sector

10:03.969 --> 10:06.348
"can capably protect their systems and networks

10:06.348 --> 10:09.331
"without extensive and close cooperation."

10:09.331 --> 10:10.815
In many ways, the private sector

10:10.815 --> 10:12.989
is on the front lines of the cyber threat

10:12.989 --> 10:14.570
and the government must work with them

10:14.570 --> 10:16.936
if we're to effectively counter that threat.

10:16.936 --> 10:18.313
We need a government strategy,

10:18.313 --> 10:21.737
but it must be in cooperation with the private sector.

10:21.737 --> 10:23.738
I thank Chairman McCain for holding this hearing

10:23.738 --> 10:25.329
and for co-sponsoring my legislation,

10:25.329 --> 10:27.246
that is in the Banking Committee's jurisdiction,

10:27.246 --> 10:30.579
S. 536, the Cybersecurity Disclosure Act,

10:30.610 --> 10:33.491
which through disclosure and our federal securities laws

10:33.491 --> 10:34.689
strives to encourage companies

10:34.689 --> 10:36.968
to focus on avoiding cyber security risks

10:36.968 --> 10:38.992
before they turn into caustic breaches.

10:38.992 --> 10:40.160
Thank you, Mr. Chairman.

10:40.160 --> 10:41.910
- Welcome, witnesses.

10:42.647 --> 10:44.897
Mr. Rapuano, please proceed.

10:48.850 --> 10:50.275
- Thank you Chairman McCain,

10:50.275 --> 10:53.138
Ranking Member Reed, and members of the committee,

10:53.138 --> 10:54.715
it is an honor to appear before you

10:54.715 --> 10:56.700
to discuss the roles and responsibilities

10:56.700 --> 10:58.051
that the Department of Defense

10:58.051 --> 11:00.017
and its inter-agency partners

11:00.017 --> 11:00.999
have in defending the nation

11:00.999 --> 11:04.749
from cyberattacks of significant consequence.

11:04.859 --> 11:05.692
I'm here today in my roles

11:05.692 --> 11:08.163
as the Assistant Secretary of Defense

11:08.163 --> 11:11.379
for Homeland Defense and Global Security,

11:11.379 --> 11:13.161
as well as the Principal Cyber Advisor

11:13.161 --> 11:15.108
to the Secretary of Defense,

11:15.108 --> 11:18.467
in which I oversee cyber policy in the department,

11:18.467 --> 11:20.949
lead the coordination of cyber efforts

11:20.949 --> 11:24.420
across the department and with our inter-agency partners

11:24.420 --> 11:27.328
and integrate the department's cyber capabilities

11:27.328 --> 11:30.012
with its mission assurance and defense support

11:30.012 --> 11:32.439
to civil authorities' activities.

11:32.439 --> 11:34.675
I appreciate the opportunity to testify

11:34.675 --> 11:37.200
alongside my inter-agency colleagues

11:37.200 --> 11:39.104
because these challenges do require

11:39.104 --> 11:41.687
a whole-of-government approach.

11:41.966 --> 11:45.462
DoD is developing cyber forces and capabilities

11:45.462 --> 11:48.423
to accomplish several missions in cyberspace.

11:48.423 --> 11:50.078
Today I will focus on our mission

11:50.078 --> 11:53.019
to defend the United States and its interests

11:53.019 --> 11:55.759
against high consequence cyber attacks

11:55.759 --> 11:57.950
and how we execute that mission

11:57.950 --> 12:01.443
in coordination with our inter-agency partners.

12:01.443 --> 12:04.547
The department's efforts to build defensive capabilities

12:04.547 --> 12:07.880
through the cyber mission force, or CMF,

12:08.160 --> 12:09.964
play an especially key role

12:09.964 --> 12:12.006
in carrying out this mission,

12:12.006 --> 12:14.804
from both a deterrence and response standpoint,

12:14.804 --> 12:16.221
the 133 CMF teams

12:17.469 --> 12:20.666
that will attain full operational capability

12:20.666 --> 12:22.416
in September of 2018,

12:23.177 --> 12:24.835
are central to the department's approach

12:24.835 --> 12:27.233
to supporting U.S. government efforts

12:27.233 --> 12:31.325
to defend the nation against significant cyber attacks.

12:31.325 --> 12:32.350
With the goal of ensuring

12:32.350 --> 12:35.405
U.S. military dominance in cyberspace,

12:35.405 --> 12:37.484
these teams conduct operations

12:37.484 --> 12:39.910
both to deny potential adversaries

12:39.910 --> 12:42.399
the ability to achieve their objectives

12:42.399 --> 12:46.566
and to conduct military actions in and through cyberspace

12:46.869 --> 12:48.969
to impose costs in response

12:48.969 --> 12:52.219
to an imminent, ongoing, or recent attack.

12:52.939 --> 12:57.022
In particular, the CMF's 68 cyber protection teams

12:57.819 --> 13:00.083
represent a significant capability

13:00.083 --> 13:03.076
to support a broader domestic response.

13:03.076 --> 13:05.059
These forces are focused on defending

13:05.059 --> 13:07.142
DoD information networks,

13:07.874 --> 13:09.504
but select teams could provide

13:09.504 --> 13:11.740
additional capacity or capability

13:11.740 --> 13:15.613
to our federal partners, if and when necessary.

13:15.613 --> 13:17.518
DoD's role in cyberspace

13:17.518 --> 13:20.394
goes beyond adversary focused operations

13:20.394 --> 13:22.786
and includes identifying and mitigating

13:22.786 --> 13:24.786
our own vulnerabilities.

13:24.890 --> 13:26.848
Consistent with statutory provisions

13:26.848 --> 13:28.389
related to these efforts,

13:28.389 --> 13:31.256
we are working with our U.S. domestic partners

13:31.256 --> 13:33.526
and with foreign partners and allies

13:33.526 --> 13:36.346
to identify and mitigate cyber vulnerabilities

13:36.346 --> 13:38.429
in our networks, computers,

13:38.429 --> 13:42.139
critical DoD infrastructure, and weapons systems.

13:42.139 --> 13:44.483
While DoD has made significant progress,

13:44.483 --> 13:45.750
there is more to do,

13:45.750 --> 13:48.152
alongside with our other agency partners

13:48.152 --> 13:50.039
in the broader whole-of-government effort

13:50.039 --> 13:52.506
to protect U.S. national interests

13:52.506 --> 13:54.673
in and through cyberspace.

13:54.883 --> 13:57.615
The outward focus of DoD cyber capabilities

13:57.615 --> 14:00.647
to mitigate foreign threats at their points of origin

14:00.647 --> 14:04.181
complements the strengths of our inter-agency partners

14:04.181 --> 14:06.311
as we strive to improve resilience,

14:06.311 --> 14:09.253
should a significant cyber attack occur.

14:09.253 --> 14:11.050
In accordance with law and policy

14:11.050 --> 14:13.923
during cyber incidents, DoD can be called

14:13.923 --> 14:17.313
to directly support the DHS in its role as the lead

14:17.313 --> 14:20.489
for protecting, mitigating, and recovering

14:20.489 --> 14:22.535
from domestic cyber incidents,

14:22.535 --> 14:25.088
or the DoJ in its role as a lead

14:25.088 --> 14:27.872
in investigating, attributing, disrupting,

14:27.872 --> 14:30.289
and prosecuting cyber crimes.

14:30.492 --> 14:32.279
The significant work of our departments

14:32.279 --> 14:35.124
has resulted in increased common understanding

14:35.124 --> 14:38.154
of our respective roles and responsibilities

14:38.154 --> 14:40.231
as well as our authorities.

14:40.231 --> 14:42.506
Despite this, however, as a government,

14:42.506 --> 14:44.245
we continue to face challenges

14:44.245 --> 14:47.294
when it comes to cyber incident response

14:47.294 --> 14:49.198
on a large scale, and it is clear

14:49.198 --> 14:51.557
we have more work to do to ensure we are ready

14:51.557 --> 14:54.237
for a significant cyber incident.

14:54.237 --> 14:57.833
Specifically we must resolve seam and gap issues

14:57.833 --> 14:59.691
among various departments,

14:59.691 --> 15:02.858
clarify thresholds for DoD assistance,

15:03.163 --> 15:06.180
and identify how to best partner with the private sector

15:06.180 --> 15:08.490
to ensure a whole-of-nation response,

15:08.490 --> 15:10.073
if and when needed.

15:10.324 --> 15:12.815
DoD has a number of efforts underway

15:12.815 --> 15:14.687
to address these challenges

15:14.687 --> 15:16.143
and to improve both our readiness

15:16.143 --> 15:18.975
and that of our inter-agency partners.

15:18.975 --> 15:19.829
For instance,

15:19.829 --> 15:21.819
we are refining policies and authorities

15:21.819 --> 15:24.063
to improve the speed and flexibility

15:24.063 --> 15:25.290
to provide support,

15:25.290 --> 15:27.497
and we are conducting exercises,

15:27.497 --> 15:29.117
such as Cyber Guard,

15:29.117 --> 15:30.913
with a range of inter-agency

15:30.913 --> 15:32.994
and state and local partners

15:32.994 --> 15:35.109
to improve our planning and preparations

15:35.109 --> 15:37.422
to respond to cyber attacks.

15:37.422 --> 15:41.255
Additionally, the Cyber Executive Order 13800,

15:41.592 --> 15:43.854
signed in May, will go a long way

15:43.854 --> 15:45.587
in identifying and addressing

15:45.587 --> 15:48.278
the shortfalls in our current structure.

15:48.278 --> 15:49.156
Although the department

15:49.156 --> 15:52.283
has several unique and robust capabilities,

15:52.283 --> 15:54.989
I would caution against ending the current framework

15:54.989 --> 15:57.157
and reassigning more responsibility

15:57.157 --> 15:59.574
for incident response to DoD.

16:00.421 --> 16:01.940
The reasons for this include the need

16:01.940 --> 16:05.684
for the department to maintain focus on its key mission,

16:05.684 --> 16:08.221
the long-standing tradition of not using

16:08.221 --> 16:10.620
the military for civilian functions,

16:10.620 --> 16:13.413
and the importance of maintaining consistency

16:13.413 --> 16:16.713
with our other domestic response frameworks.

16:16.713 --> 16:18.709
It's also important to recognize

16:18.709 --> 16:20.176
that a significant realignment

16:20.176 --> 16:22.924
of cyber response roles and responsibilities

16:22.924 --> 16:27.091
risks diluting DoD focus on its core military mission

16:27.423 --> 16:29.256
to fight and win wars.

16:29.788 --> 16:31.691
Finally, putting DoD in a lead role

16:31.691 --> 16:33.495
for domestic cyber incidents

16:33.495 --> 16:36.027
would be a departure from accepted response practice

16:36.027 --> 16:39.361
in all other domains in which civilian agencies

16:39.361 --> 16:40.970
have the lead responsibility

16:40.970 --> 16:43.808
for domestic emergency response efforts,

16:43.808 --> 16:45.325
and it could be disruptive to

16:45.325 --> 16:48.213
establishing that critical unity of effort

16:48.213 --> 16:50.630
that's necessary for success.

16:51.488 --> 16:54.655
The federal government should maintain

16:54.906 --> 16:56.383
the same basic structure

16:56.383 --> 17:00.466
for responding to all other national emergencies,

17:00.669 --> 17:03.818
whether they are natural disasters or cyber attacks.

17:03.818 --> 17:05.690
There is still work to be done

17:05.690 --> 17:06.685
both within the department

17:06.685 --> 17:08.329
and with our federal partners

17:08.329 --> 17:11.765
to improve DoD and U.S. government efforts overall

17:11.765 --> 17:12.932
in cyberspace.

17:13.267 --> 17:15.308
Towards this end, I'm in the process

17:15.308 --> 17:16.833
of reinvigorating the role

17:16.833 --> 17:18.957
of the principal cyber advisor,

17:18.957 --> 17:20.362
clarifying the department's

17:20.362 --> 17:22.374
internal lines of accountability

17:22.374 --> 17:24.291
and authority in cyber,

17:24.666 --> 17:26.577
and better integrating and communicating

17:26.577 --> 17:29.160
DoD cyberspace strategy, plans,

17:29.958 --> 17:32.174
and train-and-equip functions.

17:32.174 --> 17:33.601
We will also be updating

17:33.601 --> 17:36.125
our DoD cyber strategy and policies

17:36.125 --> 17:38.879
on key cyber issues such as deterrence

17:38.879 --> 17:41.296
and translating this guidance

17:41.395 --> 17:44.325
into capabilities, forces, and operations

17:44.325 --> 17:48.492
that will maintain our superiority in this domain.

17:48.603 --> 17:51.032
The department is also working to ensure

17:51.032 --> 17:53.697
that several strategic initiatives it has undertaken

17:53.697 --> 17:56.237
come to fruition, including the elevation

17:56.237 --> 17:57.843
of U.S. Cyber Command,

17:57.843 --> 18:00.825
the implementation of the cyber executive order,

18:00.825 --> 18:03.938
initiating the cyber-excepted service program,

18:03.938 --> 18:05.647
and rationalizing the department's

18:05.647 --> 18:08.064
cyber budget and investments.

18:08.066 --> 18:10.109
Our relationship with Congress is critical

18:10.109 --> 18:13.248
to everything we are doing to defend the nation

18:13.248 --> 18:15.734
from high-consequence cyber attacks.

18:15.734 --> 18:18.300
I am grateful for Congress's strong support

18:18.300 --> 18:20.469
and particularly this subcommittee's interest

18:20.469 --> 18:23.808
in these issues, and I look forward to your questions

18:23.808 --> 18:26.003
and working with you and your staffs going forward.

18:26.003 --> 18:26.836
Thank you.

18:34.260 --> 18:35.193
- Thank you, Mr. Chairman,

18:35.193 --> 18:37.976
and thank the committee for offering me an opportunity

18:37.976 --> 18:41.871
to provide remarks on the FBI's cyber capabilities.

18:41.871 --> 18:43.412
As the committee is aware,

18:43.412 --> 18:44.886
the frequency and sophistication

18:44.886 --> 18:47.137
of cyber attacks on our nation

18:47.137 --> 18:50.134
have increased dramatically in the past decade,

18:50.134 --> 18:52.192
and only look to be growing.

18:52.192 --> 18:53.943
There are significant challenges.

18:53.943 --> 18:55.512
The cyber domain is unique,

18:55.512 --> 18:59.085
constantly shifting, changing, and evolving,

18:59.085 --> 19:02.826
but progress has been made in improving structures

19:02.826 --> 19:05.208
and collaboration in innovation,

19:05.208 --> 19:06.958
but more can be done.

19:07.526 --> 19:09.099
Staying ahead of today's threats

19:09.099 --> 19:12.932
requires a different mindset than in the past.

19:13.292 --> 19:16.625
The scale, scope, and complexity of today's threats

19:16.625 --> 19:19.304
in the digital domain are unlike anything

19:19.304 --> 19:22.971
humanity or our nation has ever experienced.

19:23.042 --> 19:26.144
Traditional approaches and mindsets are no longer suited

19:26.144 --> 19:28.885
to coping with the speed, and volatility,

19:28.885 --> 19:31.761
and complexity of the new digital domain.

19:31.761 --> 19:34.194
We have to include the digital domain

19:34.194 --> 19:36.688
as part of the threat ecosystem,

19:36.688 --> 19:40.432
instead of separating it as a mechanical machine.

19:40.432 --> 19:44.108
This new era, often called the Fourth Industrial Revolution,

19:44.108 --> 19:48.275
requires the FBI to rapidly assign, align, and engage

19:49.152 --> 19:51.402
empowered, networked teams,

19:53.021 --> 19:54.663
who are purpose-driven

19:54.663 --> 19:58.362
and have fierce and unrelenting resolve to win.

19:58.362 --> 20:00.028
What does this all mean?

20:00.028 --> 20:01.776
What are we doing to meet and stay ahead of

20:01.776 --> 20:03.693
the new digital domain?

20:04.022 --> 20:07.212
Attribute, predict, impose consequences,

20:07.212 --> 20:10.879
that's where the FBI cyber mission is going.

20:11.728 --> 20:13.860
The FBI cyber division and program

20:13.860 --> 20:14.914
is structured to address

20:14.914 --> 20:18.247
a lot of these unique set of challenges.

20:18.370 --> 20:20.705
In the field, the FBI is made up

20:20.705 --> 20:22.798
of 56 different field offices,

20:22.798 --> 20:25.511
spanning all 50 states and U.S. territories,

20:25.511 --> 20:27.428
each with a cyber squad

20:27.685 --> 20:31.368
and each developing multi-agency cyber task forces

20:31.368 --> 20:34.574
which bring together technically proficient investigators,

20:34.574 --> 20:37.556
analysts, and computer scientists from local, state,

20:37.556 --> 20:39.722
and federal organizations.

20:39.722 --> 20:41.348
At FBI headquarters,

20:41.348 --> 20:43.357
in addition to those field resources,

20:43.357 --> 20:47.524
Cyber Division offers program management and coordination,

20:48.344 --> 20:50.652
and more technically advanced responders

20:50.652 --> 20:52.780
in our Cyber Action Teams.

20:52.780 --> 20:56.947
The CAT teams, our elite Cyber Rapid Response Force,

20:57.367 --> 21:00.101
are on call and prepared to deploy globally

21:00.101 --> 21:03.684
in response to significant cyber incidents.

21:03.695 --> 21:05.903
Additionally, at FBI headquarters,

21:05.903 --> 21:07.403
we manage CyWatch,

21:07.541 --> 21:09.183
a 24-hour watch center

21:09.183 --> 21:11.464
which provides continuous connectivity

21:11.464 --> 21:13.262
to inter-agency partners

21:13.262 --> 21:15.952
in an effort to facilitate information-sharing

21:15.952 --> 21:19.869
and real-time incident management and tracking,

21:19.893 --> 21:23.143
ensuring all agencies are coordinating.

21:23.349 --> 21:25.981
In addition to these cyber-specific resources,

21:25.981 --> 21:28.080
the FBI has other technical assets

21:28.080 --> 21:31.288
that can be utilized in the event of cyber incidents.

21:31.288 --> 21:34.331
These include our Operational Technology Division,

21:34.331 --> 21:38.208
the Regional Computer Forensic Laboratory Program,

21:38.208 --> 21:40.508
and the Critical Incident Response Group,

21:40.508 --> 21:41.944
providing additional expertise,

21:41.944 --> 21:44.369
and capabilities and resources

21:44.369 --> 21:46.452
that the FBI can leverage

21:46.741 --> 21:48.408
at a cyber incident.

21:49.070 --> 21:51.818
Partnerships, that is absolutely a key

21:51.818 --> 21:54.068
and focus area for the FBI.

21:55.260 --> 21:57.754
We rely on a robust international presence

21:57.754 --> 22:00.557
to supplement our domestic footprint.

22:00.557 --> 22:03.113
Through Cyber Assistant Legal Attachés,

22:03.113 --> 22:05.617
the FBI embeds cyber agents with our

22:05.617 --> 22:07.121
international counterparts

22:07.121 --> 22:10.204
in 18 key locations across the globe.

22:11.072 --> 22:13.978
The FBI also relies upon private sector partnerships,

22:13.978 --> 22:17.379
leveraging the National Cyber-Forensics & Training Alliance,

22:17.379 --> 22:19.474
InfraGard, Domestic Security Alliance,

22:19.474 --> 22:21.057
just to name a few.

22:21.913 --> 22:23.465
Building capacity at home and abroad

22:23.465 --> 22:26.885
through training, investigations, and joint operations

22:26.885 --> 22:29.968
is where we are applying our efforts.

22:30.871 --> 22:32.371
Incident Response:

22:32.477 --> 22:35.113
The FBI has the capability to quickly respond

22:35.113 --> 22:37.244
to cyber incidents across the country

22:37.244 --> 22:40.464
and scale its response to the specific incident,

22:40.464 --> 22:43.433
utilizing all its resources throughout the field,

22:43.433 --> 22:45.516
headquarters, and abroad.

22:46.272 --> 22:48.895
We have the ability to galvanize and direct

22:48.895 --> 22:53.062
all the available cyber resources instantaneously.

22:54.653 --> 22:56.846
Utilizing dual authorities,

22:56.846 --> 22:58.982
as a domestic law enforcement organization

22:58.982 --> 23:01.737
and a member of the U.S. intelligence community,

23:01.737 --> 23:04.156
the FBI works closely with inter-agency partners

23:04.156 --> 23:06.646
within a whole-of-government effort

23:06.646 --> 23:08.970
to counter cyber threats.

23:08.970 --> 23:11.458
The FBI conducts its cyber mission

23:11.458 --> 23:14.237
with the goal of imposing costs and consequences

23:14.237 --> 23:16.407
on the adversary, and though we would like

23:16.407 --> 23:18.990
to arrest every cyber criminal,

23:19.022 --> 23:20.364
we recognize indictments

23:20.364 --> 23:22.937
are just one tool in a suite of options

23:22.937 --> 23:25.019
that are available to the U.S. government

23:25.019 --> 23:27.136
when deciding how best to approach

23:27.136 --> 23:29.303
this complex cyber threat.

23:29.977 --> 23:31.686
The FBI understands the importance

23:31.686 --> 23:34.229
of being coherently joint with,

23:34.229 --> 23:37.896
and will continue to find ways to work with,

23:37.905 --> 23:41.777
inter-agency partners in responding to cyber incidents.

23:41.777 --> 23:43.642
We look forward to expanding our partnerships

23:43.642 --> 23:44.838
with Cyber Command,

23:44.838 --> 23:47.291
given their new and unique capabilities

23:47.291 --> 23:49.527
and with the National Guard's new cyber program

23:49.527 --> 23:51.946
in complementing our field offices

23:51.946 --> 23:53.779
and cyber task forces,

23:55.009 --> 23:57.114
all within the confines of current laws,

23:57.114 --> 24:01.281
authorities, and expectations of the American people.

24:01.426 --> 24:03.900
We at the FBI appreciate this committee's efforts

24:03.900 --> 24:05.983
in making the cyber threat a focus

24:05.983 --> 24:07.173
and committing to improving

24:07.173 --> 24:10.010
how we can work together to better defend our nation,

24:10.010 --> 24:12.516
and we also look forward to discussing these issues

24:12.516 --> 24:13.657
in greater detail,

24:13.657 --> 24:16.735
and answering any questions that you may have.

24:16.735 --> 24:18.132
Thank you, Mr. Chairman.

24:18.132 --> 24:19.073
- Thank you, Mr. Smith.

24:19.073 --> 24:19.906
Mr. Krebs?

24:21.592 --> 24:23.932
- Chairman McCain, Ranking Member Reed,

24:23.932 --> 24:25.203
members of the committee,

24:25.203 --> 24:28.144
thank you for the opportunity to appear before you today.

24:28.144 --> 24:29.668
In my current role performing the duties

24:29.668 --> 24:30.648
of the Undersecretary

24:30.648 --> 24:33.250
for the National Protection and Programs Directorate,

24:33.250 --> 24:35.167
I lead the Department of Homeland Security's efforts

24:35.167 --> 24:38.219
to secure and defend our federal networks and facilities,

24:38.219 --> 24:40.581
manage systemic risk to critical infrastructure,

24:40.581 --> 24:43.200
and improve cyber and physical security practices

24:43.200 --> 24:44.700
across our nation.

24:44.728 --> 24:47.914
This is a timely hearing, as during October,

24:47.914 --> 24:51.088
we recognize National Cybersecurity Awareness Month,

24:51.088 --> 24:51.921
a time to focus on

24:51.921 --> 24:54.330
how cyber security is a shared responsibility

24:54.330 --> 24:57.409
that affects every business organization in America

24:57.409 --> 24:58.994
and is one of the most significant

24:58.994 --> 25:01.723
and strategic risks to the United States.

25:01.723 --> 25:03.497
To address this risk as a nation,

25:03.497 --> 25:04.737
we have worked together to develop

25:04.737 --> 25:06.351
the much-needed policies, authorities,

25:06.351 --> 25:08.728
and capabilities across the inter-agency,

25:08.728 --> 25:10.965
with state, local, and international partners,

25:10.965 --> 25:13.624
and in coordination with the private sector.

25:13.624 --> 25:15.981
The Department of Defense's Eligible Receiver exercise

25:15.981 --> 25:19.604
in 1997 laid bare our nation's cybersecurity vulnerabilities

25:19.604 --> 25:21.196
and the related consequences,

25:21.196 --> 25:22.813
initiating a cross-government journey

25:22.813 --> 25:25.739
to respond to the growing global cyber threat.

25:25.739 --> 25:26.953
Over the ensuing 20 years,

25:26.953 --> 25:28.466
through a series of directives,

25:28.466 --> 25:30.226
executive orders, and other documents,

25:30.226 --> 25:33.723
culminating most recently with Executive Order 13800,

25:33.723 --> 25:35.549
we have established an increasingly defined

25:35.549 --> 25:39.382
policy foundation for the cyber mission space.

25:39.597 --> 25:41.867
Roles and responsibilities have been further bolstered

25:41.867 --> 25:43.697
by bipartisan legislation,

25:43.697 --> 25:45.486
providing the Executive Branch,

25:45.486 --> 25:47.319
and in particular DHS,

25:47.676 --> 25:49.119
much-needed authorities to protect

25:49.119 --> 25:51.920
federal and critical infrastructure networks.

25:51.920 --> 25:53.892
We can further solidify DHS's role

25:53.892 --> 25:55.473
by giving my organization a name

25:55.473 --> 25:57.739
that clearly reflects our operational mission,

25:57.739 --> 26:00.402
and I look forward to working with you in that effort.

26:00.402 --> 26:02.461
Building on those policies and authorities,

26:02.461 --> 26:03.966
the Department continues to develop

26:03.966 --> 26:07.196
the operational capabilities to protect our networks.

26:07.196 --> 26:08.627
Today, the National Cybersecurity

26:08.627 --> 26:11.255
and Communications Integration Center, or NCCIC,

26:11.255 --> 26:12.268
is the center of gravity

26:12.268 --> 26:14.929
for DHS's cyber security operations.

26:14.929 --> 26:16.806
Here we monitor a federal-civilian,

26:16.806 --> 26:18.215
enterprise-wide risk picture

26:18.215 --> 26:21.583
that allows us to manage risk across the .gov.

26:21.583 --> 26:22.561
More broadly,

26:22.561 --> 26:23.765
the NCCIC brings together our partners

26:23.765 --> 26:26.757
to share both classified and unclassified threat information

26:26.757 --> 26:28.692
and coordinate response efforts.

26:28.692 --> 26:30.159
Those partners include representatives

26:30.159 --> 26:31.958
from the critical infrastructure community,

26:31.958 --> 26:34.551
state, local, tribal, and territorial governments,

26:34.551 --> 26:37.258
sector-specific liaisons from the Department of Energy,

26:37.258 --> 26:38.474
Health and Human Services,

26:38.474 --> 26:39.752
Treasury, and Defense,

26:39.752 --> 26:41.382
intelligence community personnel,

26:41.382 --> 26:43.789
law enforcement partners such as the FBI,

26:43.789 --> 26:46.730
and liaisons from each of the cyber centers,

26:46.730 --> 26:48.620
including U.S. Cyber Command.

26:48.620 --> 26:51.484
They all sit with one another at the NCCIC.

26:51.484 --> 26:52.958
We know that we can't stop here

26:52.958 --> 26:54.245
and need to accelerate efforts

26:54.245 --> 26:56.205
to develop scalable solutions

26:56.205 --> 26:58.282
to manage systemic cyber security risk

26:58.282 --> 27:00.898
across the nation's infrastructure.

27:00.898 --> 27:03.086
Last year's Presidential Policy Directive 41,

27:03.086 --> 27:04.957
United States Cyber Incident Coordination,

27:04.957 --> 27:07.365
further clarified roles and set forth principles

27:07.365 --> 27:10.272
for the federal government's response to cyber incidents,

27:10.272 --> 27:12.665
including formalizing the Cyber Response Group

27:12.665 --> 27:14.833
and Cyber Unified Coordination Group.

27:14.833 --> 27:16.368
It also required the Department

27:16.368 --> 27:18.986
to update the National Cyber Incident Response Plan

27:18.986 --> 27:22.569
or NCIRP, which was completed last January.

27:22.725 --> 27:24.529
Updating the NCIRP in partnership

27:24.529 --> 27:26.546
with industry and state and local partners

27:26.546 --> 27:27.757
was a critical step in cementing

27:27.757 --> 27:29.612
our shared responsibility

27:29.612 --> 27:31.655
and accomplished three main goals.

27:31.655 --> 27:33.871
First, it defines the roles and responsibilities

27:33.871 --> 27:36.195
of all stakeholders during a cyber incident.

27:36.195 --> 27:39.049
Second, it identifies the capabilities required

27:39.049 --> 27:41.366
to respond to a significant cyber incident,

27:41.366 --> 27:43.877
and third, it describes the way our federal government

27:43.877 --> 27:45.397
will coordinate its activities

27:45.397 --> 27:48.730
with those affected by a cyber incident.

27:48.740 --> 27:51.650
However, our focus going forward is to build on the NCIRP

27:51.650 --> 27:52.483
with multi-stakeholder operational plans

27:52.483 --> 27:55.150
and Incident Response playbooks,

27:55.764 --> 27:57.987
and then we must train and exercise to those plans

27:57.987 --> 28:00.128
in order to identify and address

28:00.128 --> 28:02.689
the seams and gaps that may exist.

28:02.689 --> 28:04.973
We are building on our cyber mission workforce

28:04.973 --> 28:07.210
within the framework of the NCIRP

28:07.210 --> 28:09.346
with our Hunt and Incident Response teams,

28:09.346 --> 28:12.690
that exercise the tenets of the NCIRP each day.

28:12.690 --> 28:14.102
We work across the various stakeholders

28:14.102 --> 28:17.030
within the NCCIC to accomplish this mission.

28:17.030 --> 28:19.667
In some cases, DHS teams are augmented

28:19.667 --> 28:21.902
with FBI and DoD personnel,

28:21.902 --> 28:24.883
to provide a more robust and coordinated response.

28:24.883 --> 28:28.262
This model of collaboration and cross-agency cooperation

28:28.262 --> 28:30.028
will continue taking advantage

28:30.028 --> 28:33.611
of the respective strengths of each agency.

28:34.190 --> 28:35.621
To ensure we are focused on the mission

28:35.621 --> 28:37.822
that you, Congress, have tasked us with,

28:37.822 --> 28:38.953
we are prioritizing

28:38.953 --> 28:41.568
filling all open cyber positions at DHS,

28:41.568 --> 28:44.363
cross training our workforce on Incident Response,

28:44.363 --> 28:47.391
and creating a Cyber Incident Response Surge Capacity Force

28:47.391 --> 28:49.958
modeled after FEMA's for natural disasters,

28:49.958 --> 28:52.518
that can rise to meet any demand.

28:52.518 --> 28:53.959
And before I close, I would like to add

28:53.959 --> 28:55.553
one last but critical element.

28:55.553 --> 28:57.379
The cyber defense mission is much broader

28:57.379 --> 28:58.655
than just response.

28:58.655 --> 29:01.125
It also encompasses preparedness and resilience

29:01.125 --> 29:02.968
and we must continually assess and improve

29:02.968 --> 29:05.905
our cybersecurity posture against the latest threats,

29:05.905 --> 29:09.320
denying our adversaries opportunities to wreak havoc.

29:09.320 --> 29:11.761
Finally, I would like to reinforce one more time,

29:11.761 --> 29:13.406
we have made significant progress

29:13.406 --> 29:14.956
since Eligible Receiver,

29:14.956 --> 29:17.556
yet there's no question we have more to do,

29:17.556 --> 29:20.905
and we must do it with a never-before-seen sense of urgency.

29:20.905 --> 29:22.398
By bringing together all stakeholders,

29:22.398 --> 29:24.869
we are taking action to manage cyber security risks,

29:24.869 --> 29:26.032
improve our whole-of-government

29:26.032 --> 29:27.521
incident response capabilities,

29:27.521 --> 29:29.352
and become more resilient.

29:29.352 --> 29:31.343
I thank you for the opportunity to testify

29:31.343 --> 29:33.301
and I look forward to any questions you may have.

29:33.301 --> 29:34.410
- Thank you Mr. Krebs,

29:34.410 --> 29:36.577
and I thank the witnesses.

29:36.608 --> 29:40.191
I'm sure you can see that chart over there.

29:40.659 --> 29:43.159
Charts are always interesting,

29:44.404 --> 29:47.154
but this one we are going to need

29:47.536 --> 29:49.869
someone to translate for us,

29:50.496 --> 29:52.496
because it's an example,

29:52.779 --> 29:54.909
and I think an accurate one,

29:54.909 --> 29:56.659
of the differences...

30:00.111 --> 30:04.111
Differences in authorities and responsibilities,

30:05.383 --> 30:09.550
none of which seem to have an overall coordinating

30:10.815 --> 30:12.416
office or individual,

30:12.416 --> 30:15.749
and of course, the absence here of Mr. Joyce,

30:17.908 --> 30:18.741
whose job it is to do all this,

30:18.741 --> 30:20.658
is an example, frankly,

30:25.084 --> 30:29.084
of the disarray in which this whole issue rests.

30:30.653 --> 30:33.153
And Mr. Rapuano, to start with,

30:35.064 --> 30:36.610
you said that it's not

30:36.610 --> 30:39.135
Department of Defense's responsibility.

30:39.135 --> 30:41.210
Suppose that the Russians had been able

30:41.210 --> 30:44.460
to affect the outcome of the last election,

30:45.224 --> 30:47.643
wouldn't that fall under the responsibility

30:47.643 --> 30:48.941
and authority, to some degree,

30:48.941 --> 30:50.777
of the Department of Defense,

30:50.777 --> 30:54.720
if they're able to destroy the fundamental of democracy,

30:54.720 --> 30:58.887
which would be to change the outcome of an election?

30:58.908 --> 31:00.593
- Mr. Chairman, specifically the issues

31:00.593 --> 31:04.760
associated with protecting elections from cyber incursion...

31:06.384 --> 31:08.749
- So you're saying cyber incursion

31:08.749 --> 31:10.699
is not something that requires

31:10.699 --> 31:14.688
the Department of Defense to be engaged in, is that correct?

31:14.688 --> 31:16.653
- No, Mr. Chairman, I was simply saying

31:16.653 --> 31:19.570
that based on the state authorities

31:20.193 --> 31:22.778
and the state control of the election process

31:22.778 --> 31:25.361
in each state, there are issues

31:25.830 --> 31:29.747
associated with federal authorities to engage--

31:29.969 --> 31:33.799
- So those issues could be corrected by legislation.

31:33.799 --> 31:36.966
They're not engraved in tablets, okay?

31:38.557 --> 31:39.865
So for you to sit there and say,

31:39.865 --> 31:43.301
"Well, but it's not Department of Defense's responsibility,"

31:43.301 --> 31:44.134
it is.

31:44.134 --> 31:48.217
To defend the nation, the very fundamental of our

31:49.255 --> 31:50.257
the reason why we are here,

31:50.257 --> 31:52.417
is because of free and fair elections.

31:52.417 --> 31:54.691
If you can change the outcome of an election,

31:54.691 --> 31:57.858
that has consequences far more serious

31:58.051 --> 31:59.968
than a physical attack.

32:00.768 --> 32:04.369
So I am in fundamental disagreement with you

32:04.369 --> 32:07.853
about the requirements of the Department of Defense

32:07.853 --> 32:10.395
to defend the fundamental of this nation

32:10.395 --> 32:11.859
which is a free and fair election,

32:11.859 --> 32:15.925
which we all know the Russians tried to affect the outcome.

32:15.925 --> 32:18.005
Whether they did or not is a matter of opinion.

32:18.005 --> 32:19.338
I don't think so

32:19.708 --> 32:22.375
but for you to shuffle off this,

32:23.461 --> 32:25.505
"Oh well there, it's not an attack,"

32:25.505 --> 32:29.422
it is, it is an attack of enormous proportions.

32:30.321 --> 32:33.589
If you can change the outcome of an election

32:33.589 --> 32:37.756
then what's the Constitution and our way of life all about?

32:38.636 --> 32:39.710
I think Senator Rounds

32:39.710 --> 32:43.293
will be much more articulate on that issue,

32:43.509 --> 32:46.763
so one, I disagree with your assessment,

32:46.763 --> 32:49.864
and one of the reasons why we've been so frustrated

32:49.864 --> 32:52.364
is exactly what you just said.

32:52.790 --> 32:54.420
It's exactly what you just said,

32:54.420 --> 32:58.423
that, "Well, it's not the Department of Defense's job."

32:58.423 --> 32:59.839
It's the Department of Defense's job

32:59.839 --> 33:00.979
to defend this nation.

33:00.979 --> 33:04.235
That's why it's called the Department of Defense.

33:04.235 --> 33:08.402
Mr. Krebs, numerous experts over the past few years

33:08.600 --> 33:10.852
have highlighted the need for a dramatic change

33:10.852 --> 33:12.380
according to the Presidential Commission

33:12.380 --> 33:14.499
on Enhancing National Cybersecurity,

33:14.499 --> 33:15.499
and I quote,

33:16.117 --> 33:18.323
"The current leadership and organizational construct

33:18.323 --> 33:20.389
"for cyber security within the federal government

33:20.389 --> 33:22.590
"is not commensurate with the challenges

33:22.590 --> 33:25.012
"of securing the digital economy

33:25.012 --> 33:28.559
"and supporting the national economic security

33:28.559 --> 33:29.720
"of the United States."

33:29.720 --> 33:31.145
General Keith Alexander,

33:31.145 --> 33:34.728
one of the most respected men in the world,

33:35.105 --> 33:37.978
said before this full committee in March,

33:37.978 --> 33:40.683
quote, "When we talk to the different agencies,

33:40.683 --> 33:44.093
"they don't understand the roles and responsibilities.

33:44.093 --> 33:46.269
"When you ask each of them who's defending what,

33:46.269 --> 33:48.686
"you get a different answer."

33:48.715 --> 33:50.548
Admiral Jim Stavridis:

33:50.629 --> 33:52.632
Quote, "There needs to be a voice in the cabinet

33:52.632 --> 33:54.632
"that focuses on cyber."

33:55.256 --> 33:57.780
Obviously there's supposedly one there

33:57.780 --> 34:01.055
but he is not appearing before this committee,

34:01.055 --> 34:03.638
and that diminishes our ability

34:05.107 --> 34:07.735
to carry out our responsibilities.

34:07.735 --> 34:09.735
The list goes on and on.

34:09.980 --> 34:12.370
January 2017, Center for Strategic

34:12.370 --> 34:15.346
and International Studies Task Force

34:15.346 --> 34:17.092
simply concluded, quote,

34:17.092 --> 34:19.442
"We must consider how to organize the United States

34:19.442 --> 34:21.275
"to defend cyberspace,

34:21.717 --> 34:25.191
"and that if DHS is unable to step up its game,

34:25.191 --> 34:26.878
"we should consider the creation

34:26.878 --> 34:29.040
"of a new cyber security agency."

34:29.040 --> 34:30.532
The list goes on and on.

34:30.532 --> 34:33.819
I'd like to have your responses to these assessments,

34:33.819 --> 34:37.097
ranging from the Presidential Commission

34:37.097 --> 34:38.930
to General Keith Alexander,

34:38.930 --> 34:40.930
to the Atlantic Council,

34:41.454 --> 34:42.584
to Center for Strategic

34:42.584 --> 34:45.667
and International Studies Task Force.

34:45.682 --> 34:49.628
All of them are saying the same thing, gentlemen.

34:49.628 --> 34:52.632
All of them are saying exactly the same thing

34:52.632 --> 34:55.799
and I look forward to getting a translator

34:55.868 --> 34:59.035
who can show us what this chart means.

35:00.450 --> 35:03.393
I'll be glad to hear your responses.

35:03.393 --> 35:04.893
Secretary Rapuano.

35:07.652 --> 35:08.654
- Mr. Chairman, I would say

35:08.654 --> 35:10.850
just on the issue of the election process,

35:10.850 --> 35:13.433
the department is clearly there

35:14.370 --> 35:16.370
to support the response,

35:16.728 --> 35:18.832
or the mitigation of potential threats

35:18.832 --> 35:20.425
to our electoral process.

35:20.425 --> 35:22.507
It's simply that when you look at

35:22.507 --> 35:24.725
the separation of authorities between

35:24.725 --> 35:26.090
state and local governments,

35:26.090 --> 35:28.832
the lead for that coordination and support

35:28.832 --> 35:31.249
in our current system is DHS,

35:31.548 --> 35:33.026
and we provide defense support

35:33.026 --> 35:35.508
to civil authorities as requested,

35:35.508 --> 35:38.841
to support those needs and requirements.

35:39.595 --> 35:41.595
- That obviously assumes

35:42.728 --> 35:44.713
that the Department of Homeland Security

35:44.713 --> 35:47.880
has the capabilities and the authority

35:47.973 --> 35:51.223
in order to carry out that requirement,

35:52.532 --> 35:55.115
whereas, this cyber is warfare.

35:57.347 --> 35:58.764
Cyber is warfare.

35:59.045 --> 36:02.628
Cyber is an attempt to destroy a democracy.

36:03.377 --> 36:05.804
That's what Mr. Putin is all about,

36:05.804 --> 36:08.684
so to somehow shuffle that off onto

36:08.684 --> 36:10.291
the Department of Homeland Security,

36:10.291 --> 36:12.453
of course, this goes back to this problem

36:12.453 --> 36:14.577
with this organizational chart.

36:14.577 --> 36:15.410
So I steadfastly reject

36:15.410 --> 36:19.410
your shuffling off the responsibilities of cyber

36:22.037 --> 36:24.976
over to the Department of Homeland Security,

36:24.976 --> 36:27.643
and we have included in the NDAA

36:28.260 --> 36:30.843
a requirement for you to do so.

36:31.006 --> 36:32.922
Mr. Smith, you want to respond?

36:32.922 --> 36:34.005
Or Mr. Krebs?

36:35.772 --> 36:37.439
- Sir, I'm happy to.

36:37.901 --> 36:40.058
Fundamentally, this is a complex and challenging

36:40.058 --> 36:41.268
operational environment.

36:41.268 --> 36:43.583
Every one of the agencies represented here

36:43.583 --> 36:45.489
at the table today, as you see in

36:45.489 --> 36:46.992
the bubble chart, as it's called,

36:46.992 --> 36:50.825
has a unique contribution across the ecosystem--

36:52.852 --> 36:54.896
- Where they're without coordination.

36:54.896 --> 36:57.402
- Sir, I would suggest that we are getting there,

36:57.402 --> 36:58.235
that we're working on the coordination. PPD 41,

36:58.235 --> 37:01.652
the National Cyber Incident Response Plan,

37:02.202 --> 37:03.445
the Cyber Response Group,

37:03.445 --> 37:05.334
and the Cyber Unified Coordination Group

37:05.334 --> 37:08.324
provide a foundation under which we can coordinate.

37:08.324 --> 37:10.347
We do work closely with Mr. Joyce

37:10.347 --> 37:11.885
in the National Security Council.

37:11.885 --> 37:14.193
However, from an operational perspective,

37:14.193 --> 37:15.772
I think the Department of Homeland Security

37:15.772 --> 37:17.285
and I, in my role as undersecretary,

37:17.285 --> 37:20.026
have the direction and authorities I need

37:20.026 --> 37:20.859
to move out.

37:20.859 --> 37:22.328
Now the question is, whether I have--

37:22.328 --> 37:24.578
- Are we winning or losing?

37:24.604 --> 37:26.213
- Sir, this is a battle that is going to be

37:26.213 --> 37:27.674
going on for many years.

37:27.674 --> 37:29.688
We're still trying to get our arms around it.

37:29.688 --> 37:30.521
This is not some--

37:30.521 --> 37:31.354
- I repeat my question.

37:31.354 --> 37:32.742
Are we winning or losing?

37:32.742 --> 37:34.905
- Sir, it's hard to assess whether we're winning or losing.

37:34.905 --> 37:37.054
I would say that we are fighting this battle every day,

37:37.054 --> 37:38.558
we're working with the private sector,

37:38.558 --> 37:39.391
it is a complex environment,

37:39.391 --> 37:43.058
I look forward to working with the Congress.

37:43.453 --> 37:44.498
- Do you know that for eight years

37:44.498 --> 37:46.711
we've been trying to get a policy?

37:46.711 --> 37:49.510
For eight years we've been trying to get a strategy.

37:49.510 --> 37:52.418
For eight years we've been trying to get

37:52.418 --> 37:54.251
something besides this

37:56.374 --> 37:57.791
convoluted chart,

37:58.021 --> 37:58.899
you know that?

37:58.899 --> 37:59.732
- Yes sir.

38:00.311 --> 38:01.974
I've been in my role for eight weeks.

38:01.974 --> 38:04.474
I understand your frustration.

38:04.632 --> 38:06.133
I share your frustration.

38:06.133 --> 38:08.058
I think we have a lot of work to do

38:08.058 --> 38:09.460
and I think this is going to require

38:09.460 --> 38:11.492
both the Executive Branch and the Congress

38:11.492 --> 38:13.137
working together to continue

38:13.137 --> 38:15.505
understanding exactly how we need to address the threat.

38:15.505 --> 38:17.829
- Well, when the coordinator doesn't show up for a hearing,

38:17.829 --> 38:20.412
that's not an encouraging sign.

38:21.627 --> 38:22.460
Senator Reed.

38:22.460 --> 38:24.934
- I wish you would consider a subpoena

38:24.934 --> 38:26.934
to get the main witness.

38:27.759 --> 38:31.926
- I think that has to be discussed in the committee.

38:32.960 --> 38:33.913
- Well, thank you, Mr. Chairman

38:33.913 --> 38:36.363
and thank you, gentlemen, for your testimony.

38:36.363 --> 38:39.113
The Chairman has raised the issue

38:40.523 --> 38:42.679
of Russian involvement in the last election,

38:42.679 --> 38:46.673
but our intelligence community essentially assured us

38:46.673 --> 38:47.506
that they're gonna come back

38:47.506 --> 38:51.673
and with more brio, or whatever the right term is.

38:52.843 --> 38:57.010
Have you been told to prepare for that, Mr. Rapuano?

38:57.472 --> 39:00.245
Is the Defense Department given directions

39:00.245 --> 39:02.188
to coordinate to take all steps

39:02.188 --> 39:04.420
to advise the administration on

39:04.420 --> 39:07.420
what you can do to prevent, preempt,

39:07.972 --> 39:11.555
or to respond to Russian intrusions in '18?

39:13.903 --> 39:16.272
- Senator, I'm not aware of a specific direction

39:16.272 --> 39:17.811
in terms of a specific task

39:17.811 --> 39:20.894
associated with the election process.

39:21.263 --> 39:24.846
We are engaging on a routine basis with DHS

39:24.940 --> 39:27.998
and the rest of the inter-agency community

39:27.998 --> 39:30.873
to develop priorities and consider responses,

39:30.873 --> 39:32.878
as well as mitigation measures.

39:32.878 --> 39:35.128
As I tried to note earlier,

39:35.613 --> 39:37.696
the competing authorities

39:37.809 --> 39:40.119
associated with the electoral process

39:40.119 --> 39:43.298
really do call for a thoughtful orchestration

39:43.298 --> 39:46.048
of how we would direct, and task,

39:46.154 --> 39:48.853
and engage with those state and local authorities.

39:48.853 --> 39:51.215
It really does need to be coordinated

39:51.215 --> 39:53.703
because each agency brings something different.

39:53.703 --> 39:55.206
There's a private-sector component,

39:55.206 --> 39:58.444
because most states get very significant support

39:58.444 --> 40:02.238
in terms of their electoral systems from private entities,

40:02.238 --> 40:05.738
so we are certainly engaged in the process

40:05.991 --> 40:08.502
and we are certainly available to support--

40:08.502 --> 40:10.605
- But you haven't been directed to start

40:10.605 --> 40:13.438
actively planning and coordinating

40:14.100 --> 40:17.388
with respect to the election specifically?

40:17.388 --> 40:18.867
- No, not to my knowledge, Senator.

40:18.867 --> 40:21.523
- Mr. Smith, have you, in your agency, the FBI,

40:21.523 --> 40:24.656
been told to begin actively coordinating

40:24.656 --> 40:26.606
with respect to the 2018 election,

40:26.606 --> 40:29.591
in terms of interrupting, pre-empting,

40:29.591 --> 40:32.674
and responding to Russian intrusions,

40:32.694 --> 40:34.443
which, again, the intelligence community

40:34.443 --> 40:36.906
practically assures us will happen?

40:36.906 --> 40:38.823
- Yes--
- You have been?

40:38.918 --> 40:39.751
- Yes, sir.

40:39.751 --> 40:41.500
- [Sen. Reed] Will you describe what you've been doing?

40:41.500 --> 40:42.876
- Yes, sir.
- In general terms.

40:42.876 --> 40:44.543
- In general terms?

40:44.758 --> 40:48.841
Sir, we have not stopped since the last election,

40:48.993 --> 40:51.743
coordinating and keeping together

40:51.817 --> 40:53.650
an election fusion cell

40:53.900 --> 40:57.483
which is jointly located at the Hoover Building

40:58.688 --> 41:01.445
and working with our inter-agency partners

41:01.445 --> 41:04.028
not only on what had transpired

41:04.551 --> 41:05.674
and getting deeper on that,

41:05.674 --> 41:07.520
but also working forward

41:07.520 --> 41:10.020
as to what may come towards us

41:10.375 --> 41:14.542
in the upcoming midterms and 2018 election cycles.

41:16.138 --> 41:18.388
So we are actively engaged,

41:19.035 --> 41:21.202
both with outreach in the communities

41:21.202 --> 41:25.119
and with the DHS and their election task force,

41:25.808 --> 41:28.211
and every field office has

41:28.211 --> 41:31.544
a designated election crimes coordinator

41:31.763 --> 41:33.360
who is on the ground out there

41:33.360 --> 41:36.516
in the event of any information coming towards us

41:36.516 --> 41:39.517
or any incidents that we would need to be aware of

41:39.517 --> 41:40.600
and react to.

41:40.972 --> 41:41.805
- Thank you.

41:41.805 --> 41:43.612
Mr. Krebs, the same question, basically.

41:43.612 --> 41:46.136
- Sir, absolutely, but I'll tell you this,

41:46.136 --> 41:48.982
I didn't need anybody to tell me to stand up a task force

41:48.982 --> 41:50.043
or anything like that.

41:50.043 --> 41:52.358
The first thing I did when I came in eight weeks ago

41:52.358 --> 41:55.210
was assess the state of the election infrastructure

41:55.210 --> 41:57.624
activities underway at the Department of Homeland Security

41:57.624 --> 42:00.130
and established an election security task force

42:00.130 --> 42:02.807
which brings together all the components under me

42:02.807 --> 42:05.377
within NPPD, but also works closely with

42:05.377 --> 42:09.544
the intelligence and analysis component within DHS

42:09.568 --> 42:12.364
as well as the FBI and our other inter-agency partners.

42:12.364 --> 42:13.799
I think we've made some progress here.

42:13.799 --> 42:14.842
I think there's a lot more to do,

42:14.842 --> 42:17.175
as Director Smith mentioned.

42:17.574 --> 42:19.040
We're not just thinking about '18,

42:19.040 --> 42:20.733
we're thinking about the gubernatorial elections

42:20.733 --> 42:22.620
that are coming up in a matter of weeks.

42:22.620 --> 42:25.283
Just last week we worked with 27 states,

42:25.283 --> 42:27.079
the Election Assistance Commission

42:27.079 --> 42:29.712
and established the Government Coordinating Council,

42:29.712 --> 42:32.556
a body under which all the state election officials

42:32.556 --> 42:36.056
can come together and provide a foundation

42:36.909 --> 42:40.135
which coordinated security practices share information.

42:40.135 --> 42:41.688
We're issuing security clearances

42:41.688 --> 42:43.302
to a number of election officials

42:43.302 --> 42:44.217
and in a matter of weeks,

42:44.217 --> 42:46.463
we're going to establish a Sector Coordinating Council,

42:46.463 --> 42:48.117
which will bring those private-sector elements

42:48.117 --> 42:51.582
that provide the systems and technologies in support.

42:51.582 --> 42:54.774
So I think there's still a lot to be done.

42:54.774 --> 42:56.665
We certainly have work ahead of us,

42:56.665 --> 42:58.662
and there's no question they're going to come back

42:58.662 --> 43:01.212
and we're gonna be fighting them every day, yes sir.

43:01.212 --> 43:04.158
- Thanks, you mentioned, and several times,

43:04.158 --> 43:07.241
the need to engage the private sector

43:07.899 --> 43:09.815
and that's a challenge.

43:09.815 --> 43:11.489
In fact, it might be more important in this context

43:11.489 --> 43:14.906
than in any other quasi-military context,

43:16.153 --> 43:18.248
since they lead, you know,

43:18.248 --> 43:20.081
whereas in other areas

43:20.195 --> 43:23.278
like missiles, bombers, and vehicles,

43:25.398 --> 43:27.786
it's the government more than the private sector.

43:27.786 --> 43:29.203
But just quickly,

43:29.793 --> 43:33.376
some of the things that we have to consider

43:33.506 --> 43:36.450
are sort of not the responsibility of this committee

43:36.450 --> 43:39.831
but the legislation that Senator McCain and I

43:39.831 --> 43:41.477
are sponsoring for the SEC

43:41.477 --> 43:43.635
so that they would have to designate

43:43.635 --> 43:45.899
if they have an expert, cybersecurity expert,

43:45.899 --> 43:47.899
on the board or why not,

43:48.077 --> 43:50.727
is a way in which to disclose to shareholders

43:50.727 --> 43:54.144
but also to provide an incentive for them

43:54.304 --> 43:56.637
to be more keyed into cyber.

43:57.202 --> 43:58.326
There's been some discussions,

43:58.326 --> 44:00.671
I was talking to Mr. Rapuano about

44:00.671 --> 44:03.209
using TRIA, the terrorism reinsurance

44:03.209 --> 44:05.209
as a way to incentivize.

44:06.817 --> 44:09.093
Without that, I don't think we're gonna get

44:09.093 --> 44:11.027
the kind of buy-in, so just very briefly,

44:11.027 --> 44:12.711
because my time has expired,

44:12.711 --> 44:16.378
where are we in terms of private engagement?

44:17.487 --> 44:20.320
The threshold, or some engagement,

44:20.413 --> 44:21.746
or it's still...

44:22.307 --> 44:24.646
- So, I actually came out of the private sector.

44:24.646 --> 44:25.664
I spent the last several years

44:25.664 --> 44:27.068
in a major technology company,

44:27.068 --> 44:28.003
where I managed a number of

44:28.003 --> 44:29.815
the cyber security policy issues,

44:29.815 --> 44:30.728
so I have a unique, I think,

44:30.728 --> 44:32.019
understanding of what it takes

44:32.019 --> 44:32.915
on the private sector side

44:32.915 --> 44:34.598
as well as working in government.

44:34.598 --> 44:37.208
We do have a number of private sector representatives

44:37.208 --> 44:39.941
within the NCCIC, and we have unique statutory authorities

44:39.941 --> 44:42.665
for coordinating with the critical infrastructure community.

44:42.665 --> 44:43.900
There's a lot of work ahead of us.

44:43.900 --> 44:46.853
We need to better refine our value proposition,

44:46.853 --> 44:48.464
I think, to get more companies to come in

44:48.464 --> 44:50.135
and share information with us,

44:50.135 --> 44:53.622
but we do have a unique liability protection capability.

44:53.622 --> 44:55.634
One thing that I think will certainly

44:55.634 --> 44:57.384
enable our advancement,

44:57.384 --> 44:58.523
as I mentioned in my opening,

44:58.523 --> 45:00.273
I need a name change,

45:00.278 --> 45:02.037
I need to be able to tell my stakeholders,

45:02.037 --> 45:03.858
my customer set, what it is I do.

45:03.858 --> 45:05.479
The National Protection and Programs Directorate

45:05.479 --> 45:06.950
doesn't tell you anything.

45:06.950 --> 45:09.421
I need something that says I do cyber security,

45:09.421 --> 45:12.605
so I can go out there and I can clearly communicate

45:12.605 --> 45:14.422
what it is on a daily basis that I do.

45:14.422 --> 45:16.078
I think that's a big step forward.

45:16.078 --> 45:17.803
- You tell us the title you want,

45:17.803 --> 45:19.168
besides president.

45:19.168 --> 45:20.001
- [Woman] Cyber Trump.

45:20.001 --> 45:23.660
- Cyber, yeah, yeah, we'll get you a t-shirt, too.

45:23.660 --> 45:25.993
(chuckling)

45:27.749 --> 45:29.530
(murmuring)

45:29.530 --> 45:30.363
- Thank you, Mr. Chairman.

45:30.363 --> 45:33.196
The three of you can relax because

45:33.580 --> 45:36.565
what I'm going to address is to the empty chair,

45:36.565 --> 45:39.922
and I know that this message will get through.

45:39.922 --> 45:43.172
There has to do with section 81 and 86,

45:44.925 --> 45:48.229
there are some provisions in the Senate's version

45:48.229 --> 45:51.646
of the NDAA, specifically those sections,

45:51.794 --> 45:55.125
that have raised concerns among the software developers

45:55.125 --> 45:57.738
critical to our national defense.

45:57.738 --> 45:59.637
The purpose of these provisions

45:59.637 --> 46:02.637
are to make available to the public,

46:06.530 --> 46:08.869
the source code and proprietary data

46:08.869 --> 46:10.908
that's used by the Department of Defense,

46:10.908 --> 46:12.900
and I'd like to submit for the record

46:12.900 --> 46:14.226
numerous letters to that,

46:14.226 --> 46:15.951
which I will do in just a moment,

46:15.951 --> 46:18.169
and documents from industry stakeholders

46:18.169 --> 46:21.387
that share my concerns with this language,

46:21.387 --> 46:22.592
and while I understand the goals

46:22.592 --> 46:24.518
and intentions of the legislation

46:24.518 --> 46:28.401
it creates some unintended consequences and impacts,

46:28.401 --> 46:31.200
such as limit the software choices available

46:31.200 --> 46:33.867
to DoD to serve the war fighter,

46:34.085 --> 46:37.752
increased costs to the Department of Defense

46:38.124 --> 46:42.291
by compromising the proprietary nature of software

46:44.345 --> 46:46.606
in limiting contractor options

46:46.606 --> 46:49.606
and potentially aid U.S. adversaries

46:49.776 --> 46:52.359
and threaten DoD cyber security

46:52.579 --> 46:54.996
by sharing DoD's source code,

46:55.632 --> 46:58.382
by placing in a public repository

47:00.477 --> 47:03.227
and also reducing competitiveness

47:03.469 --> 47:06.363
of American software and technology companies

47:06.363 --> 47:09.363
by opening the software contractors'

47:09.412 --> 47:13.579
intellectual property and code to the public repository.

47:15.098 --> 47:18.567
And as we progress into the conference report,

47:18.567 --> 47:20.253
I look forward to working with

47:20.253 --> 47:22.244
the Senate Armed Services Committee

47:22.244 --> 47:24.616
on a way forward on this topic,

47:24.616 --> 47:27.258
and recommend that we study this issue

47:27.258 --> 47:29.826
prior to instituting new legislation.

47:29.826 --> 47:31.260
This is such a provision

47:31.260 --> 47:33.295
that is in the Senate provision,

47:33.295 --> 47:35.051
Senate bill, not in the House bill,

47:35.051 --> 47:37.700
and I would ask unanimous consent to it

47:37.700 --> 47:40.248
included in the record at this point, Mr. Chairman,

47:40.248 --> 47:42.035
these documents from stakeholders.

47:42.035 --> 47:44.702
- Without objection.
- Thank you.

47:48.741 --> 47:49.908
- Anyone else?

47:50.886 --> 47:52.541
- Well, I wouldn't exactly say

47:52.541 --> 47:55.874
that the three of you should relax, but,

47:57.617 --> 47:59.950
I will address more directly

48:02.081 --> 48:04.414
not only to the empty chair,

48:04.895 --> 48:08.478
but to General McMasters, to General Kelly,

48:08.539 --> 48:11.859
to the vice president and to the president,

48:11.859 --> 48:14.821
did you realize that you handed out a chart

48:14.821 --> 48:16.738
that is five years old?

48:17.981 --> 48:20.731
The date on this chart is January

48:22.343 --> 48:23.176
of 2013.

48:25.875 --> 48:27.958
I mean, why in the world?

48:31.401 --> 48:34.484
By the way, Senator Rounds is saying,

48:35.008 --> 48:37.621
acknowledging this, and I want to say,

48:37.621 --> 48:41.788
what a pleasure it has been to deal with Senator Rounds

48:42.983 --> 48:46.399
as the two leaders of the cyber subcommittee,

48:46.399 --> 48:48.441
and I can tell you we are alarmed.

48:48.441 --> 48:52.524
You heard the alarm in the voice of the Chairman.

48:53.605 --> 48:55.772
Can we stipulate here that

48:57.889 --> 48:58.722
state

48:59.902 --> 49:00.735
election

49:03.574 --> 49:04.574
apparatuses,

49:06.092 --> 49:07.990
state election databases,

49:07.990 --> 49:12.157
can we stipulate that that is critical infrastructure?

49:13.267 --> 49:14.623
- Sir, we have made that,

49:14.623 --> 49:16.242
the Department of Homeland Security has made that

49:16.242 --> 49:17.858
- Good.
- Designation, and I have an

49:17.858 --> 49:19.724
election infrastructure subsection, sir.

49:19.724 --> 49:21.973
- Good, therefore a tampering

49:21.973 --> 49:24.556
or a changing or an interfering

49:25.057 --> 49:29.224
with state election databases being critical infrastructure

49:29.659 --> 49:33.326
would in fact be an attack upon our country.

49:34.266 --> 49:38.016
Can we stipulate that that would be the case?

49:39.413 --> 49:41.163
Why is there silence?

49:47.634 --> 49:49.421
- [Man] Let the record show there was silence.

49:49.421 --> 49:50.308
(chuckling)

49:50.308 --> 49:51.141
- Wow!

49:54.868 --> 49:58.410
So, do you realize that you can change the--

49:58.410 --> 49:59.382
- Senator, could I just, in deference,

49:59.382 --> 50:00.215
- Please!

50:00.414 --> 50:01.289
- In deference to the witnesses

50:01.289 --> 50:02.760
they are not the ones who are--

50:02.760 --> 50:05.593
- I understand and that's why I am

50:05.776 --> 50:09.859
referring my comments not only to the empty chair

50:10.086 --> 50:13.503
but to the people behind that empty chair

50:13.631 --> 50:16.851
which is the National Security Council Advisor,

50:16.851 --> 50:18.351
General McMasters,

50:19.101 --> 50:22.160
the fellow who runs the White House staff,

50:22.160 --> 50:23.327
General Kelly,

50:23.662 --> 50:27.829
both of whom I have the highest respect and esteem for

50:29.504 --> 50:33.671
and ultimately the vice president and the president.

50:34.689 --> 50:35.772
I would just,

50:36.332 --> 50:38.582
I would go back and listen,

50:39.168 --> 50:43.335
I would defer to the intensity of the Chairman's remarks,

50:45.496 --> 50:49.246
both in his opening remarks and his question.

50:49.472 --> 50:52.550
You mess around with our election apparatus

50:52.550 --> 50:55.467
and it is an attack on our country,

50:56.431 --> 50:59.226
and so let me give you an example.

50:59.226 --> 51:00.355
It doesn't even have to be

51:00.355 --> 51:02.939
that the Russians come in, or the Chinese,

51:02.939 --> 51:06.772
or some third party that's not a nation-state.

51:08.010 --> 51:12.006
We already know that they're in 20 of our states,

51:12.006 --> 51:14.239
we know that from the reports

51:14.239 --> 51:16.389
that have been in the newspaper

51:16.389 --> 51:19.056
from the intelligence community.

51:20.081 --> 51:23.237
All you have to do is go into certain precincts,

51:23.237 --> 51:24.968
you don't even have to change the outcome

51:24.968 --> 51:27.051
of the actual vote count.

51:27.079 --> 51:31.079
You could just eliminate every tenth registrant,

51:32.316 --> 51:34.733
every tenth registered voter.

51:35.009 --> 51:38.750
So when Mr. Jones shows up on Election Day to vote,

51:38.750 --> 51:42.917
"I'm sorry, Mr. Jones, you are not a registered voter."

51:42.970 --> 51:45.886
You multiply that, every tenth voter,

51:45.886 --> 51:49.303
you've got absolute chaos in the election

51:50.073 --> 51:54.240
and on top of it, you have the long lines that result

51:55.090 --> 51:58.445
and as a result of that people are discouraged from voting

51:58.445 --> 52:01.451
because they can't wait in the long line

52:01.451 --> 52:03.368
and so forth and so on.

52:03.477 --> 52:06.227
Now, this is the ultimate threat.

52:07.165 --> 52:09.685
I've said so many times in this committee,

52:09.685 --> 52:13.102
Vladimir Putin can't beat us on the land,

52:13.308 --> 52:17.475
in the air, on the sea, under the sea, or in space,

52:17.548 --> 52:19.881
but he can beat us in cyber,

52:21.072 --> 52:24.655
and to hand out a five-year old dated chart

52:26.692 --> 52:30.174
as to how we're going to fix this situation

52:30.174 --> 52:32.174
just is totally, totally

52:35.113 --> 52:36.196
insufficient.

52:37.613 --> 52:40.030
I rest my case, Mr. Chairman,

52:40.817 --> 52:43.801
and I wish you would consider a subpoena.

52:43.801 --> 52:46.468
- And would the witnesses desire

52:46.468 --> 52:48.801
to respond to that diatribe?

52:50.067 --> 52:51.750
- That eloquent,
- That eloquent,

52:51.750 --> 52:53.458
(laughing)

52:53.458 --> 52:54.842
and one of the most historic statements

52:54.842 --> 52:57.592
in the history of this committee.

52:57.688 --> 52:59.105
Go ahead, please.

52:59.753 --> 53:01.257
- Mr. Chairman I would say

53:01.257 --> 53:05.074
just in terms of the Department of Defense's role,

53:05.074 --> 53:06.647
it is important to note that

53:06.647 --> 53:09.603
the National Guard in a number of states

53:09.603 --> 53:11.912
on the authority of the governor's

53:11.912 --> 53:14.662
trained cyber-capable cape forces

53:16.053 --> 53:18.220
are assisting those states

53:18.693 --> 53:21.682
and they're addressing identifying vulnerabilities

53:21.682 --> 53:24.680
and mitigating those vulnerabilities.

53:24.680 --> 53:28.501
Elements of them are part of the cyber mission force

53:28.501 --> 53:31.751
and we certainly view quite appropriate

53:32.176 --> 53:35.312
the governor tasking them under state authority,

53:35.312 --> 53:37.339
versus the Department of Defense

53:37.339 --> 53:40.839
attempting to insert itself into a process

53:41.128 --> 53:43.878
without directly being requested.

53:43.893 --> 53:44.726
- Could I just say, sir,

53:44.726 --> 53:48.893
again, we are appreciative of what the guard is doing.

53:49.268 --> 53:51.786
We are appreciative of what local authorities are doing.

53:51.786 --> 53:53.016
We are appreciative of what

53:53.016 --> 53:55.905
all these different agencies are doing,

53:55.905 --> 54:00.072
but we see no coordination, and no policy, and no strategy,

54:00.994 --> 54:03.598
and when you're ready to give that to us,

54:03.598 --> 54:06.515
we would be eager to hear about it.

54:08.209 --> 54:09.542
Senator Fischer.

54:10.934 --> 54:11.941
- Thank you, Mr. Chairman.

54:11.941 --> 54:15.524
Those are hard acts to follow, your diatribes,

54:16.953 --> 54:20.232
but I would like to focus on something else now,

54:20.232 --> 54:22.315
with regards to response.

54:24.005 --> 54:25.349
Gentlemen, one of the things

54:25.349 --> 54:27.694
that Admiral Rogers has emphasized

54:27.694 --> 54:31.200
is the need to move quicker across the board

54:31.200 --> 54:33.417
and faster threat detection,

54:33.417 --> 54:34.782
faster decision-making,

54:34.782 --> 54:36.532
and faster responses.

54:36.814 --> 54:39.659
So, Mr. Krebs, can you walk us through the process

54:39.659 --> 54:41.742
by which an organization,

54:41.831 --> 54:45.046
an operator of a piece of critical infrastructure,

54:45.046 --> 54:48.682
for example, would reach out to you for help?

54:48.682 --> 54:51.802
I know they first have to detect the threat

54:51.802 --> 54:53.348
and that can take some time,

54:53.348 --> 54:55.445
but what does the process look like

54:55.445 --> 54:57.278
once they contact you?

54:58.020 --> 55:00.816
How long does it take to begin working with them,

55:00.816 --> 55:03.600
and are there legal agreements that must be in place

55:03.600 --> 55:07.767
before a response team could operate on their network?

55:08.144 --> 55:10.119
- Ma'am, thank you for the question.

55:10.119 --> 55:11.514
There are, of course, a number of ways

55:11.514 --> 55:15.546
that a victim can discover they have been breached,

55:15.546 --> 55:18.103
they have some sort of intrusion,

55:18.103 --> 55:19.065
and that's working,

55:19.065 --> 55:20.553
whether with the intelligence community,

55:20.553 --> 55:22.111
or the FBI could notify them,

55:22.111 --> 55:24.263
or the Department of Homeland Security could inform them,

55:24.263 --> 55:26.072
or, of course, one of their private sector vendors

55:26.072 --> 55:29.059
could discover an actor on their networks.

55:29.059 --> 55:31.006
Now, how they reach out,

55:31.006 --> 55:32.992
there are a number of ways as well they can reach out.

55:32.992 --> 55:34.648
They can email us, they can call us,

55:34.648 --> 55:37.957
we have local official cybersecurity advisors

55:37.957 --> 55:38.840
throughout the region,

55:38.840 --> 55:40.795
we have protective security advisors throughout the region.

55:40.795 --> 55:43.020
They could also contact the FBI.

55:43.020 --> 55:45.770
Once we are aware of an incident,

55:47.519 --> 55:49.711
we'll then do an intake process,

55:49.711 --> 55:52.321
and every incident is gonna be different.

55:52.321 --> 55:54.250
That's kind of a truism here,

55:54.250 --> 55:55.599
every incident could be different.

55:55.599 --> 55:56.432
In terms of timing,

55:56.432 --> 55:59.296
it all does depend on what the situation is,

55:59.296 --> 56:01.447
what kind of information they want to provide.

56:01.447 --> 56:03.788
We do have to work through a legal agreement

56:03.788 --> 56:05.677
just to, for instance, get on their networks

56:05.677 --> 56:08.151
and install government equipment and take a look.

56:08.151 --> 56:09.335
That can take time.

56:09.335 --> 56:13.159
It can depend, of course, on the legal back and forth

56:13.159 --> 56:14.992
as hours or even days,

56:15.396 --> 56:19.563
but I would view this as a kind of an elastic spectrum.

56:19.591 --> 56:20.803
it could take, we're talking hours,

56:20.803 --> 56:23.024
it could take a couple days to a week,

56:23.024 --> 56:24.097
It all, of course, depends

56:24.097 --> 56:26.154
on the nature of the breach.

56:26.154 --> 56:28.866
- If you determine that DoD has to be

56:28.866 --> 56:32.654
involved in the response as part of that team,

56:32.654 --> 56:35.243
I assume that's going to take more time then

56:35.243 --> 56:39.410
and that decision currently rests with the president,

56:39.416 --> 56:40.749
is that correct?

56:40.958 --> 56:43.463
- Ma'am, actually, we do a fair amount of coordination

56:43.463 --> 56:44.584
with the Department of Defense.

56:44.584 --> 56:46.995
In fact, we do a cross training

56:46.995 --> 56:49.412
on incident response matters.

56:49.559 --> 56:51.193
As I've mentioned before,

56:51.193 --> 56:52.647
we do have blended teams

56:52.647 --> 56:55.558
that go out to the field for investigations

56:55.558 --> 56:58.058
that can be FBI or DoD assets.

56:58.248 --> 57:00.042
In terms of the decision making process,

57:00.042 --> 57:02.625
we do have agreements in place.

57:02.872 --> 57:05.008
We have an understanding in place that

57:05.008 --> 57:06.796
we don't necessarily have to go to the president,

57:06.796 --> 57:09.604
we don't actually have to go to the secretary level,

57:09.604 --> 57:12.437
there are sub-level understandings

57:13.895 --> 57:17.728
that we're able to use each other's resources,

57:18.036 --> 57:20.456
and those agreements would also cover

57:20.456 --> 57:24.151
what types of military assistance is going to be needed.

57:24.151 --> 57:26.318
- It's a support function,

57:26.746 --> 57:29.913
but we're typically talking personnel.

57:30.768 --> 57:33.685
- Mr. Rapuano, did I say your name,

57:33.777 --> 57:35.704
really messed it up, didn't I?

57:35.704 --> 57:36.696
- [Kenneth] Rapuano, that's great.

57:36.696 --> 57:39.936
- Rapuano, okay, are there concepts of operations

57:39.936 --> 57:42.588
that define the specific requirements

57:42.588 --> 57:46.005
that DoD forces could be asked to fulfill

57:46.412 --> 57:49.162
and prioritizes assets or sectors

57:49.453 --> 57:52.414
that should be defended from cyber attack

57:52.414 --> 57:55.914
if we were gonna have a high-end conflict?

57:57.479 --> 58:01.646
- So, the focus of the domestic response capabilities

58:01.656 --> 58:03.377
defense support to civil authorities,

58:03.377 --> 58:04.712
when it comes to cyber,

58:04.712 --> 58:06.984
are those defensive, those protection teams,

58:06.984 --> 58:08.760
out of the cyber mission force,

58:08.760 --> 58:11.247
and those are skilled practitioners

58:11.247 --> 58:14.164
who understand the forensics issues

58:14.668 --> 58:15.589
the identification

58:15.589 --> 58:17.006
of the challenges

58:17.791 --> 58:19.308
of types of malware and

58:19.308 --> 58:20.321
different approaches to

58:20.321 --> 58:23.304
removing the malware from the systems.

58:23.304 --> 58:26.387
As Mr. Krebs noted, the DSCA process,

58:26.867 --> 58:28.774
Defense Support to Civil Authorities

58:28.774 --> 58:32.057
is a direct request for assistance from DHS

58:32.057 --> 58:34.977
to the department and we have authorities

58:34.977 --> 58:37.154
all the way down to COCOM commanders,

58:37.154 --> 58:39.404
specifically Cyber Command.

58:39.826 --> 58:42.693
Admiral Rogers has the authority in a number of areas

58:42.693 --> 58:44.827
to directly task those assets.

58:44.827 --> 58:47.446
It then comes up to me, and for certain areas,

58:47.446 --> 58:50.314
the secretary requires his approval

58:50.314 --> 58:52.314
but most of these things

58:52.437 --> 58:54.130
can be done at lower levels,

58:54.130 --> 58:56.512
and we have provided that assistance

58:56.512 --> 58:58.012
previously to DHS.

58:58.152 --> 59:00.636
- So do you have that policy guidance in place

59:00.636 --> 59:03.303
if there is a high end conflict,

59:03.920 --> 59:05.708
is it a first-come first-served,

59:05.708 --> 59:08.509
do you have a way that you can prioritize

59:08.509 --> 59:10.554
how you're going to respond?

59:10.554 --> 59:12.160
Is that in place now?

59:12.160 --> 59:15.160
- Absolutely, so a high-end conflict

59:15.541 --> 59:19.708
for which we are receiving cyber attacks and threats

59:19.901 --> 59:20.734
in terms of against our capabilities

59:20.734 --> 59:23.234
to project power, for example,

59:24.757 --> 59:27.237
would be an utmost priority for the department,

59:27.237 --> 59:28.635
as well as attacks against

59:28.635 --> 59:30.039
the DoD information system.

59:30.039 --> 59:31.688
If we can't communicate internally,

59:31.688 --> 59:33.304
we can't defend the nation,

59:33.304 --> 59:34.668
so those are the equivalent

59:34.668 --> 59:36.455
of heart, brain, lung function.

59:36.455 --> 59:40.098
DoD equities and capabilities that we prioritize.

59:40.098 --> 59:43.098
We have resources that are available

59:44.064 --> 59:47.214
unless tapped by those uppermost priorities,

59:47.214 --> 59:49.212
and then it becomes hard decision times

59:49.212 --> 59:51.795
in terms of, do we apply assets

59:51.920 --> 59:54.433
for domestic and critical infrastructure protection,

59:54.433 --> 59:57.264
for example, or to protection of the DODIN

59:57.264 --> 59:59.431
or other DoD capabilities.

01:00:00.311 --> 01:00:01.311
- Thank you.

01:00:03.492 --> 01:00:04.325
- [Senator Reed] On behalf of Chair McCain,

01:00:04.325 --> 01:00:06.711
let me recognize Senator Shaheen.

01:00:06.711 --> 01:00:08.265
- Thank you, Senator Reed,

01:00:08.265 --> 01:00:09.977
and thank you to all of our witnesses

01:00:09.977 --> 01:00:12.011
for being here this morning.

01:00:12.011 --> 01:00:14.206
I share the frustration that you're hearing

01:00:14.206 --> 01:00:16.397
from everyone on this committee

01:00:16.397 --> 01:00:19.647
about decisions that have not been made

01:00:20.538 --> 01:00:22.802
actually with respect to cyber threats

01:00:22.802 --> 01:00:24.380
affecting our nation.

01:00:24.380 --> 01:00:27.880
One example is the use of Kaspersky's Labs

01:00:30.279 --> 01:00:34.112
antivirus software on U.S. government systems.

01:00:34.506 --> 01:00:36.640
Kaspersky Lab has reported links

01:00:36.640 --> 01:00:38.010
to Russian intelligence,

01:00:38.010 --> 01:00:40.963
and its base in Moscow subjects client data

01:00:40.963 --> 01:00:42.521
to the Kremlin's intrusive

01:00:42.521 --> 01:00:45.291
surveillance and interception laws.

01:00:45.291 --> 01:00:49.208
We just had a recent report of Kaspersky's role

01:00:49.955 --> 01:00:52.762
in a successful Russian cyber operation

01:00:52.762 --> 01:00:54.703
to steal classified information

01:00:54.703 --> 01:00:57.703
from a NSA employee's home computer,

01:00:57.819 --> 01:01:00.569
and yet they remained on the list

01:01:02.607 --> 01:01:06.107
of approved software for way too long now.

01:01:06.854 --> 01:01:10.145
This committee put an amendment in the NDAA

01:01:10.145 --> 01:01:12.295
that would have prohibited

01:01:12.295 --> 01:01:13.997
the use of that software

01:01:13.997 --> 01:01:16.330
by the Department of Defense

01:01:16.605 --> 01:01:18.278
and I'm pleased that finally

01:01:18.278 --> 01:01:21.281
we've seen the administration act on that.

01:01:21.281 --> 01:01:23.628
But I think it really raises the question

01:01:23.628 --> 01:01:25.961
of how we got to this point,

01:01:26.641 --> 01:01:28.203
so what standards were used

01:01:28.203 --> 01:01:30.370
in approving Kaspersky Lab

01:01:30.377 --> 01:01:32.055
as an appropriate choice

01:01:32.055 --> 01:01:33.198
to fill the U.S. government's

01:01:33.198 --> 01:01:35.448
antivirus protection needs?

01:01:35.667 --> 01:01:38.024
Does the government vet the origins

01:01:38.024 --> 01:01:39.911
and foreign business dealings

01:01:39.911 --> 01:01:42.756
of cybersecurity firms and software companies

01:01:42.756 --> 01:01:45.869
before these products are used in our systems?

01:01:45.869 --> 01:01:48.094
And are companies looking to contract

01:01:48.094 --> 01:01:49.473
with the U.S. government

01:01:49.473 --> 01:01:53.142
required to disclose all their foreign subcontractors,

01:01:53.142 --> 01:01:54.537
as well as their work and dealings

01:01:54.537 --> 01:01:56.565
with foreign governments who may be a threat

01:01:56.565 --> 01:01:58.315
to the United States?

01:01:58.437 --> 01:02:01.354
So I will throw those questions out

01:02:02.483 --> 01:02:05.566
to whoever would like to answer them.

01:02:07.979 --> 01:02:09.224
- Ma'am, thank you for the question.

01:02:09.224 --> 01:02:12.585
As you know, the binding operational directive

01:02:12.585 --> 01:02:14.379
that we issued several weeks ago,

01:02:14.379 --> 01:02:15.633
just over a month now,

01:02:15.633 --> 01:02:17.976
thirty, thirty-some odd days ago,

01:02:17.976 --> 01:02:20.390
requires federal and civilian agencies

01:02:20.390 --> 01:02:22.925
to identify Kaspersky products, if they have them,

01:02:22.925 --> 01:02:26.031
then a plan to implement then over 90 days.

01:02:26.031 --> 01:02:27.864
So, what that tells me

01:02:29.291 --> 01:02:30.813
is that we still have a lot of work to do

01:02:30.813 --> 01:02:33.552
in terms of the processes that are in place

01:02:33.552 --> 01:02:35.969
to assess technology products

01:02:36.225 --> 01:02:38.037
that are on the civilian agenda.

01:02:38.037 --> 01:02:40.120
- I agree and that's why I'm asking those questions

01:02:40.120 --> 01:02:41.129
and I don't mean to interrupt,

01:02:41.129 --> 01:02:44.191
but I have limited time and what I'd really like to know

01:02:44.191 --> 01:02:46.906
is what you can tell me about what standards we use,

01:02:46.906 --> 01:02:49.871
how do we vet those kinds of products,

01:02:49.871 --> 01:02:53.633
and how do we ensure that we don't have another case

01:02:53.633 --> 01:02:54.466
of Kaspersky being used

01:02:54.466 --> 01:02:57.466
in our sensitive government systems.

01:02:58.091 --> 01:02:59.142
- If I may suggest,

01:02:59.142 --> 01:03:00.194
I'd like to come back

01:03:00.194 --> 01:03:02.227
with the General Services Administration

01:03:02.227 --> 01:03:03.347
to take a look at that with you

01:03:03.347 --> 01:03:05.144
and give you a more detailed briefing

01:03:05.144 --> 01:03:06.644
on how we do that.

01:03:06.668 --> 01:03:09.385
- Thank you, I would appreciate that.

01:03:09.385 --> 01:03:10.802
Also, Mr. Rapuano,

01:03:12.368 --> 01:03:15.393
I appreciate your taking some time this morning

01:03:15.393 --> 01:03:17.715
to spend a few minutes with me to talk about

01:03:17.715 --> 01:03:20.215
the Hewlett Packard Enterprise

01:03:20.783 --> 01:03:22.859
which allowed a Russian defense agency

01:03:22.859 --> 01:03:25.464
to review the source code of software

01:03:25.464 --> 01:03:27.168
used to guard the Pentagon's

01:03:27.168 --> 01:03:29.615
classified information exchange network.

01:03:29.615 --> 01:03:32.022
Can you tell me, is the disclosure

01:03:32.022 --> 01:03:35.105
of our source codes to other entities

01:03:36.724 --> 01:03:39.224
a usual way of doing business?

01:03:40.096 --> 01:03:41.763
How did that happen?

01:03:42.633 --> 01:03:44.867
- Senator, the details on that,

01:03:44.867 --> 01:03:47.059
as I shared with you this morning,

01:03:47.059 --> 01:03:48.007
we are working that,

01:03:48.007 --> 01:03:52.174
our CIO is leading that effort with HPE on ArcSight.

01:03:52.275 --> 01:03:53.924
I can get you additional details

01:03:53.924 --> 01:03:56.356
with regard to our procedures.

01:03:56.356 --> 01:03:57.404
We have a layered approach,

01:03:57.404 --> 01:03:58.953
to the defense of the DODIN,

01:03:58.953 --> 01:04:01.464
but we can follow up with those details for you.

01:04:01.464 --> 01:04:03.593
- Um, well, thank you, I appreciate that

01:04:03.593 --> 01:04:06.343
as that was a rhetorical question

01:04:06.929 --> 01:04:08.929
to raise the point again

01:04:09.012 --> 01:04:11.345
that I have serious concerns

01:04:11.444 --> 01:04:13.241
about the attention that we're paying

01:04:13.241 --> 01:04:16.324
to these kinds of issues and in April

01:04:16.327 --> 01:04:20.077
DoD's logistic agency said that, and I quote,

01:04:21.086 --> 01:04:25.253
"HP ArcSight software and hardware are so embedded,"

01:04:25.370 --> 01:04:28.857
end quote, that it could not consider other competitors.

01:04:28.857 --> 01:04:29.690
Quote,

01:04:29.690 --> 01:04:33.857
"absence and overhaul of the current IT infrastructure."

01:04:34.966 --> 01:04:36.836
Do you believe that that's what's required

01:04:36.836 --> 01:04:39.320
and how are we ever going to address any of these problems

01:04:39.320 --> 01:04:41.820
if we say we can't take action

01:04:42.179 --> 01:04:44.929
because it would create a problem

01:04:45.182 --> 01:04:48.182
in responding throughout other areas

01:04:48.662 --> 01:04:50.412
where we do business?

01:04:51.757 --> 01:04:54.241
Again, I appreciate that you're going to respond

01:04:54.241 --> 01:04:56.908
to the concerns that I laid out,

01:04:57.567 --> 01:05:00.567
including that one, at a later time.

01:05:01.617 --> 01:05:03.534
I am almost out of time

01:05:03.634 --> 01:05:05.636
but I just had one question for you, Mr. Krebs,

01:05:05.636 --> 01:05:07.219
and that is on this

01:05:08.522 --> 01:05:10.439
notice of this hearing,

01:05:11.173 --> 01:05:13.506
you are listed as performing

01:05:13.585 --> 01:05:15.893
the duties of the undersecretary for

01:05:15.893 --> 01:05:18.633
the National Protection and Programs Directorate.

01:05:18.633 --> 01:05:20.770
You said you've been on the job for eight weeks.

01:05:20.770 --> 01:05:22.437
What does that mean?

01:05:22.722 --> 01:05:23.555
- Yes, ma'am, thank you for the question.

01:05:23.555 --> 01:05:25.270
I have actually been with the department

01:05:25.270 --> 01:05:26.687
since March 2017,

01:05:27.077 --> 01:05:29.611
where I was a senior counselor to General Kelly.

01:05:29.611 --> 01:05:31.404
He moved to the White House, of course,

01:05:31.404 --> 01:05:34.913
and soon after that I was appointed by the president

01:05:34.913 --> 01:05:38.207
to be the assistant secretary for infrastructure protection.

01:05:38.207 --> 01:05:40.783
In the meantime, we do have an open vacancy

01:05:40.783 --> 01:05:42.797
at the undersecretary position,

01:05:42.797 --> 01:05:43.838
so as the senior official

01:05:43.838 --> 01:05:46.677
within the National Protection and Programs Directorate,

01:05:46.677 --> 01:05:47.696
I am the senior official

01:05:47.696 --> 01:05:51.170
performing the duties of the undersecretary.

01:05:51.170 --> 01:05:55.003
- Okay, so tell me what your current title is,

01:05:56.142 --> 01:05:58.464
in addition to having that as part of

01:05:58.464 --> 01:05:59.894
your responsibilities.
- Do I have to do this again?

01:05:59.894 --> 01:06:01.203
The senior official performing the duties

01:06:01.203 --> 01:06:02.293
in the under secretary--

01:06:02.293 --> 01:06:04.092
- No no, I know that's what's on here,

01:06:04.092 --> 01:06:06.026
what's your actual title?

01:06:06.026 --> 01:06:09.492
- Assistant Secretary for Infrastructure Protection.

01:06:09.492 --> 01:06:10.325
That's what
- Thank you.

01:06:10.325 --> 01:06:12.281
- I've been appointed, yes ma'am.

01:06:12.281 --> 01:06:14.020
- Thank you, Mr. Chairman.

01:06:14.020 --> 01:06:15.544
- [Chairman] Thank you.

01:06:15.544 --> 01:06:19.711
Senator Rounds, I want to thank you and Senator Nelson

01:06:20.203 --> 01:06:22.859
for the outstanding work you're doing

01:06:22.859 --> 01:06:24.236
on the cyber subcommittee.

01:06:24.236 --> 01:06:28.098
It's been incredibly important and very helpful, thank you.

01:06:28.098 --> 01:06:28.931
- Thank you, Mr. Chairman.

01:06:28.931 --> 01:06:31.514
Just let me just share with you

01:06:31.709 --> 01:06:34.628
my appreciation for you and the ranking member

01:06:34.628 --> 01:06:36.630
for elevating this particular discussion

01:06:36.630 --> 01:06:39.047
to the full committee status.

01:06:39.271 --> 01:06:41.533
Senator Nelson has been great to work with

01:06:41.533 --> 01:06:43.265
and I appreciate the bipartisan way

01:06:43.265 --> 01:06:45.593
in which he has approached this issue,

01:06:45.593 --> 01:06:49.426
and I wish we had the same type of cooperation

01:06:50.149 --> 01:06:54.316
this morning with Mr. Joyce coming to visit with us.

01:06:54.855 --> 01:06:56.527
I personally did not see this

01:06:56.527 --> 01:06:58.395
as an adversarial discussion today,

01:06:58.395 --> 01:07:01.432
I saw this as one in which we could begin

01:07:01.432 --> 01:07:02.619
in a cooperative effort

01:07:02.619 --> 01:07:05.794
the discussion about how we take care of the seams

01:07:05.794 --> 01:07:08.294
that actually we believe exist

01:07:09.187 --> 01:07:11.282
between the different agencies responsible for

01:07:11.282 --> 01:07:15.449
the protection of the cyber systems within our country,

01:07:16.263 --> 01:07:18.047
and I just wanted to just to kind of bring this out.

01:07:18.047 --> 01:07:19.880
This particular chart,

01:07:20.873 --> 01:07:22.612
I believe Senator Alexander indicated

01:07:22.612 --> 01:07:23.826
that there were over,

01:07:23.826 --> 01:07:26.326
or General Alexander indicated

01:07:26.730 --> 01:07:29.218
that there were 75 different revisions

01:07:29.218 --> 01:07:32.968
to this particular chart when it was created.

01:07:33.495 --> 01:07:35.054
Let me just clear the record.

01:07:35.054 --> 01:07:37.593
Do any of you have a more updated chart

01:07:37.593 --> 01:07:40.926
than the one that's been provided today?

01:07:42.436 --> 01:07:43.519
No? No, okay.

01:07:46.292 --> 01:07:49.459
For the record, that was done in 2013,

01:07:50.069 --> 01:07:52.155
and yet at the same time, I just,

01:07:52.155 --> 01:07:54.988
for Mr. Krebs, so let me just ask.

01:07:55.430 --> 01:07:58.071
As I understand it, DHS is responsible

01:07:58.071 --> 01:08:00.945
for the protection of some but not all

01:08:00.945 --> 01:08:04.870
of the critical infrastructure within the United States.

01:08:04.870 --> 01:08:06.298
I believe I'm correct in my understanding,

01:08:06.298 --> 01:08:07.984
that when it comes to the energy sector,

01:08:07.984 --> 01:08:10.322
the Department of Energy is the lead agency,

01:08:10.322 --> 01:08:11.743
is that correct, sir?

01:08:11.743 --> 01:08:13.982
- Yes sir, that is correct.

01:08:13.982 --> 01:08:16.307
- Where does it fit in the chart?

01:08:16.307 --> 01:08:19.557
- So, in the column here in the middle,

01:08:19.777 --> 01:08:21.039
protect critical infrastructure,

01:08:21.039 --> 01:08:24.357
there is an updated piece of policy surrounding this.

01:08:24.357 --> 01:08:25.979
I mentioned in my opening statement,

01:08:25.979 --> 01:08:27.967
there's a progressive policy arc,

01:08:27.967 --> 01:08:30.717
this was a snapshot in time 2013.

01:08:30.922 --> 01:08:34.216
The general muscle movements hold and have been reflected

01:08:34.216 --> 01:08:37.216
in presidential policy directive 41.

01:08:37.703 --> 01:08:40.909
- So we do have an updated chart someplace?

01:08:40.909 --> 01:08:42.466
- I may have something better than a chart

01:08:42.466 --> 01:08:45.940
what I have is a plan and a policy around it,

01:08:45.940 --> 01:08:47.690
PPD 41 and the NCIRP,

01:08:47.913 --> 01:08:50.057
which lay out the responsibilities

01:08:50.057 --> 01:08:51.731
of our respective organizations.

01:08:51.731 --> 01:08:55.064
- All of you are working on the same level

01:08:55.117 --> 01:08:57.450
as Mr. Krebs has described here

01:08:57.450 --> 01:09:00.200
with the information that he has?

01:09:00.740 --> 01:09:03.549
A yes or a no would be appropriate.

01:09:03.549 --> 01:09:04.836
- Yes.
- Yes, Senator.

01:09:04.836 --> 01:09:06.001
- Yes, thank you,

01:09:06.001 --> 01:09:07.362
I appreciate that because

01:09:07.362 --> 01:09:09.151
what really would have bothered me is

01:09:09.151 --> 01:09:10.707
if this thing had not been updated

01:09:10.707 --> 01:09:13.270
or that you had not been working on anything since 2013

01:09:13.270 --> 01:09:15.411
with all the changes that have occurred.

01:09:15.411 --> 01:09:17.442
Let me ask you, just very quickly,

01:09:17.442 --> 01:09:19.250
I'm just curious there

01:09:19.250 --> 01:09:21.715
it would seem to me that there's no doubt

01:09:21.715 --> 01:09:23.211
that there are three types of barriers

01:09:23.211 --> 01:09:25.448
that we need to overcome, in order to strengthen

01:09:25.448 --> 01:09:28.041
the collective cyber defense of the nation:

01:09:28.041 --> 01:09:30.483
legal, organization, and cultural.

01:09:30.483 --> 01:09:32.960
Many of you identified legislative hurdles

01:09:32.960 --> 01:09:35.776
that restrict or inhibit inter-agency gaps

01:09:35.776 --> 01:09:39.943
and/or seams for our collective cyber defense.

01:09:45.670 --> 01:09:46.670
Mr. Rapuano?

01:09:49.183 --> 01:09:50.770
- Senator, I would just note,

01:09:50.770 --> 01:09:54.040
when you look at the National Response Framework

01:09:54.040 --> 01:09:56.599
that we use for non-cyber but kinetic

01:09:56.599 --> 01:10:00.432
in the range of state actor or natural events,

01:10:00.729 --> 01:10:03.721
what you've seen, particularly since Katrina,

01:10:03.721 --> 01:10:06.479
is a maturation of a very similar process.

01:10:06.479 --> 01:10:08.721
Many disparate roles, responsibilities,

01:10:08.721 --> 01:10:12.888
and authorities, and many different target stakeholders

01:10:13.615 --> 01:10:15.802
who may require assistance from local-state

01:10:15.802 --> 01:10:18.342
all the way up, and this system,

01:10:18.342 --> 01:10:20.467
the National Cyber Response Framework,

01:10:20.467 --> 01:10:24.153
is based very closely on that National Response Framework.

01:10:24.153 --> 01:10:26.318
We're obviously in a more nascent stage

01:10:26.318 --> 01:10:29.124
when it comes to cyber and all the aspects,

01:10:29.124 --> 01:10:30.874
but I would just say,

01:10:31.650 --> 01:10:33.015
if you look at the last several months

01:10:33.015 --> 01:10:37.015
in terms of very significant multiple hurricanes

01:10:37.292 --> 01:10:40.966
and what I think overall, in light of the consequences,

01:10:40.966 --> 01:10:43.329
was a very effective federal response,

01:10:43.329 --> 01:10:46.195
there has been a dramatic evolution in our ability

01:10:46.195 --> 01:10:48.939
to work as a whole-of-government team

01:10:48.939 --> 01:10:51.004
when it comes to complex problems

01:10:51.004 --> 01:10:53.125
with aligning authorities.

01:10:53.125 --> 01:10:54.490
- I do have one more question,

01:10:54.490 --> 01:10:57.100
I get the gist of what you're suggesting.

01:10:57.100 --> 01:11:00.644
Let me just ask this in terms of the overall picture.

01:11:00.644 --> 01:11:04.217
We can either have defense here within our country

01:11:04.217 --> 01:11:06.544
or we can have defense which is to try to stop

01:11:06.544 --> 01:11:08.411
something in terms of a cyber attack

01:11:08.411 --> 01:11:12.091
before it actually gets here, and that involves

01:11:12.091 --> 01:11:14.736
not only a cyber system which is universal,

01:11:14.736 --> 01:11:16.633
it involves talking about systems

01:11:16.633 --> 01:11:18.493
that are sometimes in our allies' countries,

01:11:18.493 --> 01:11:19.712
sometimes in countries

01:11:19.712 --> 01:11:21.181
that are not necessarily our friends,

01:11:21.181 --> 01:11:22.216
but then also in areas

01:11:22.216 --> 01:11:25.313
where there actually are the bad guys located,

01:11:25.313 --> 01:11:28.297
who are creating the attacks themselves.

01:11:28.297 --> 01:11:30.332
What are your views on the sovereignty

01:11:30.332 --> 01:11:32.915
as it relates to cybersecurity?

01:11:33.147 --> 01:11:35.697
Now, let me just ask before you answer this.

01:11:35.697 --> 01:11:36.947
In Afghanistan,

01:11:37.798 --> 01:11:39.551
regardless of what you think about the strategy,

01:11:39.551 --> 01:11:41.341
the long-standing undertone

01:11:41.341 --> 01:11:43.471
that justifies why we are still there

01:11:43.471 --> 01:11:45.654
is that fighting the enemy abroad

01:11:45.654 --> 01:11:48.727
prevents another major attack at home.

01:11:48.727 --> 01:11:51.586
In this context, it's a defensive strategy,

01:11:51.586 --> 01:11:54.669
played out via offensive maneuvering.

01:11:54.685 --> 01:11:57.195
As we evolve cyber in the cyber intelligence fields,

01:11:57.195 --> 01:11:59.352
it is inevitable that we will start to think

01:11:59.352 --> 01:12:03.352
of cyber defense in this offensively-minded way.

01:12:03.492 --> 01:12:05.677
Given this, I'd like to hear from you your thoughts

01:12:05.677 --> 01:12:07.703
on the sovereignty and where we ought

01:12:07.703 --> 01:12:09.366
to be fighting this battle

01:12:09.366 --> 01:12:12.783
to stop the attacks before they get here.

01:12:14.425 --> 01:12:17.033
- Senator, that's a very important question,

01:12:17.033 --> 01:12:21.200
as I think you're aware that concepts of sovereignty

01:12:21.623 --> 01:12:24.734
are still molting to some degree, in the sense of,

01:12:24.734 --> 01:12:26.077
there are differing views

01:12:26.077 --> 01:12:29.660
with regard to what constitutes sovereignty

01:12:29.737 --> 01:12:32.339
in what type of scenario or situation.

01:12:32.339 --> 01:12:33.172
- It is, except for one thing,

01:12:33.172 --> 01:12:34.857
and Mr. Chairman, if you wouldn't mind,

01:12:34.857 --> 01:12:37.190
here's the key part of this.

01:12:37.212 --> 01:12:39.602
These attacks are going on now,

01:12:39.602 --> 01:12:42.458
Tallinn, Tallinn 1.0, Tallinn 2.0, and so forth,

01:12:42.458 --> 01:12:44.846
are discussions about what our allies are looking at

01:12:44.846 --> 01:12:46.865
in terms of the sovereignty issues outside

01:12:46.865 --> 01:12:50.197
but in the meantime we've got a gap in time period here

01:12:50.197 --> 01:12:51.779
in which we have to make a decision about

01:12:51.779 --> 01:12:53.853
where we actually defend our country

01:12:53.853 --> 01:12:56.887
against the possibility of existing attacks,

01:12:56.887 --> 01:12:59.250
today, tomorrow, and next week.

01:12:59.250 --> 01:13:01.396
Now, unless we've got a current strategy

01:13:01.396 --> 01:13:04.230
with regard to how we regard sovereignty

01:13:04.230 --> 01:13:05.668
and where we will actually go

01:13:05.668 --> 01:13:08.618
to defend our critical infrastructure

01:13:08.618 --> 01:13:10.356
and I guess that's what I'm asking,

01:13:10.356 --> 01:13:12.669
do we have that on the books today,

01:13:12.669 --> 01:13:14.112
and are you prepared to say

01:13:14.112 --> 01:13:16.898
that we know where we would defend against those attacks

01:13:16.898 --> 01:13:20.263
and are we prepared to take them beyond our borders.

01:13:20.263 --> 01:13:22.346
- So, Senator, yes we do,

01:13:22.882 --> 01:13:25.057
and the details of our current posture

01:13:25.057 --> 01:13:27.854
with regard to those elements, I think,

01:13:27.854 --> 01:13:30.015
would need to be deferred to a closed hearing.

01:13:30.015 --> 01:13:31.015
- Very good.

01:13:31.141 --> 01:13:32.891
Mr. Smith, Mr. Krebs?

01:13:34.363 --> 01:13:35.826
- It's a home and away game.

01:13:35.826 --> 01:13:37.029
We've got to go get 'em over there

01:13:37.029 --> 01:13:38.256
at the same time we need to be

01:13:38.256 --> 01:13:39.835
protecting our infrastructure here.

01:13:39.835 --> 01:13:41.293
I worked very closely, for instance,

01:13:41.293 --> 01:13:42.126
with the electricity sector in the

01:13:42.126 --> 01:13:44.910
Electricity Sector Coordinating Council.

01:13:44.910 --> 01:13:47.468
During the hurricanes, I was on the phone

01:13:47.468 --> 01:13:51.237
with the CEOs of major utilities on a daily basis.

01:13:51.237 --> 01:13:53.241
Every 5:00 p.m. with Secretary Perry,

01:13:53.241 --> 01:13:55.874
we were talking about the status of the electricity sector.

01:13:55.874 --> 01:13:57.707
We have to start here.

01:13:59.516 --> 01:14:02.047
Network protection, close out the gaps,

01:14:02.047 --> 01:14:03.880
mitigate consequences,

01:14:04.386 --> 01:14:07.495
at the same time we have to take down the threat actor.

01:14:07.495 --> 01:14:11.662
It's a whole-of-government, best athlete approach.

01:14:11.666 --> 01:14:12.532
- Thank you.

01:14:12.532 --> 01:14:13.599
Thank you, Mr. Chairman,

01:14:13.599 --> 01:14:14.439
I apologize for going over

01:14:14.439 --> 01:14:15.643
but I think it's a critical issue

01:14:15.643 --> 01:14:16.768
that we have to address.

01:14:16.768 --> 01:14:17.601
Thank you.

01:14:23.911 --> 01:14:24.811
- Thanks Mr. Chairman,

01:14:24.811 --> 01:14:26.528
and thank you very much for holding

01:14:26.528 --> 01:14:29.278
this critically important hearing

01:14:29.968 --> 01:14:31.321
and to the excellent witnesses

01:14:31.321 --> 01:14:33.487
that we have before us today.

01:14:33.487 --> 01:14:37.461
This week, the New York Times published an article

01:14:37.461 --> 01:14:40.408
and I'm gonna submit it for the record

01:14:40.408 --> 01:14:42.908
assuming there's no objection,

01:14:43.492 --> 01:14:45.997
which details North Korea's cyber attacks

01:14:45.997 --> 01:14:47.238
that are estimated to provide

01:14:47.238 --> 01:14:49.488
the North Korean government

01:14:49.715 --> 01:14:53.005
with as much as 1 billion dollars a year.

01:14:53.005 --> 01:14:55.172
That figure is staggering.

01:14:56.205 --> 01:14:58.952
It's equivalent to one third of that country's

01:14:58.952 --> 01:15:00.119
total exports.

01:15:00.817 --> 01:15:03.156
North Korea's ransomware attacks

01:15:03.156 --> 01:15:06.739
and cyber attacks on banks around the world

01:15:06.898 --> 01:15:09.398
are producing a funding stream

01:15:09.864 --> 01:15:10.958
for that country,

01:15:10.958 --> 01:15:12.041
which in turn

01:15:13.826 --> 01:15:15.993
fuels its nuclear program,

01:15:18.183 --> 01:15:22.183
and it is a funding source that must be stopped.

01:15:23.220 --> 01:15:24.719
At a time when the United States

01:15:24.719 --> 01:15:27.886
is leading efforts to sanction exports

01:15:28.143 --> 01:15:31.596
of coal, labor, textiles, and other products

01:15:31.596 --> 01:15:35.763
in order to hinder North Korea's nuclear ambitions,

01:15:35.765 --> 01:15:37.160
we also have to be focusing on

01:15:37.160 --> 01:15:39.410
additional funding sources,

01:15:40.565 --> 01:15:44.732
and this cash flow ought to be priority number one.

01:15:45.374 --> 01:15:48.041
Tough rhetoric must be supported

01:15:48.992 --> 01:15:52.159
by tough action and practical measures

01:15:52.526 --> 01:15:55.026
that make clear to North Korea

01:15:55.296 --> 01:15:58.879
that this kind of conduct will be answered.

01:16:02.606 --> 01:16:06.169
So the question is, what actions are being taken

01:16:06.169 --> 01:16:09.541
to combat their offensive cyber operations

01:16:09.541 --> 01:16:12.124
and address this cyber revenue?

01:16:14.055 --> 01:16:17.972
And I know that you may not be fully at liberty

01:16:19.040 --> 01:16:22.123
to discuss these steps in this forum,

01:16:22.463 --> 01:16:25.997
but I'd like you to do so to the extent you can

01:16:25.997 --> 01:16:29.497
because North Korea knows what it's doing.

01:16:30.207 --> 01:16:33.382
You're not going to reveal anything to North Korea.

01:16:33.382 --> 01:16:34.785
The American people deserve to know

01:16:34.785 --> 01:16:36.952
what North Korea is doing,

01:16:37.225 --> 01:16:41.142
and they don't, so this is a topic that I think

01:16:41.392 --> 01:16:44.215
ought to be front and center for the administration,

01:16:44.215 --> 01:16:45.239
and for the Congress,

01:16:45.239 --> 01:16:46.554
and for the American people,

01:16:46.554 --> 01:16:49.387
and I look forward to your responses.

01:16:51.719 --> 01:16:52.552
- I would simply say,

01:16:52.552 --> 01:16:55.600
yes, Senator, we do have plans and capabilities

01:16:55.600 --> 01:16:58.267
that are focused and directed on

01:16:58.804 --> 01:17:00.619
the North Korean threat in general,

01:17:00.619 --> 01:17:04.786
and on the specific activities that you have noted.

01:17:04.833 --> 01:17:06.411
I think that it would be most appropriate,

01:17:06.411 --> 01:17:07.633
if we're going into detail,

01:17:07.633 --> 01:17:10.050
to do that in closed session.

01:17:12.247 --> 01:17:14.606
- Senator, I would just say that

01:17:14.606 --> 01:17:17.166
we continue to work with our foreign partners

01:17:17.166 --> 01:17:19.062
in information sharing wherever possible,

01:17:19.062 --> 01:17:21.912
when we're able to assist them in identifying

01:17:21.912 --> 01:17:24.547
these types of criminal activities.

01:17:24.547 --> 01:17:28.714
We provide them also technical assistance whenever asked

01:17:29.216 --> 01:17:32.427
or engaging with them in joint operations

01:17:32.427 --> 01:17:34.973
and whenever possible, we are always looking to

01:17:34.973 --> 01:17:38.473
link it back or coordinate some indictment

01:17:41.784 --> 01:17:45.867
or some joint operation that would bring to light

01:17:46.009 --> 01:17:48.592
the people or the nation states

01:17:49.266 --> 01:17:52.349
that are conducting those activities.

01:17:55.339 --> 01:17:57.006
- I'll pile on here,

01:17:57.984 --> 01:17:59.712
and I can actually provide a little bit of detail

01:17:59.712 --> 01:18:02.879
on a particular unclassified activity.

01:18:02.975 --> 01:18:05.808
Working very closely with the FBI,

01:18:06.335 --> 01:18:09.931
we've designated one effort called Hidden Cobra,

01:18:09.931 --> 01:18:12.504
and on US-CERT we have a Hidden Cobra page

01:18:12.504 --> 01:18:14.568
that speaks to a botnet infrastructure,

01:18:14.568 --> 01:18:16.504
command and control infrastructure,

01:18:16.504 --> 01:18:18.238
that has certain indicators that,

01:18:18.238 --> 01:18:20.778
"Hey, look at this, go track this down,"

01:18:20.778 --> 01:18:21.844
working with federal partners

01:18:21.844 --> 01:18:23.661
where some of that command and control infrastructure

01:18:23.661 --> 01:18:25.466
may be in another country,

01:18:25.466 --> 01:18:26.738
we share that information with them

01:18:26.738 --> 01:18:28.358
and we're looking to take action against it.

01:18:28.358 --> 01:18:31.019
So this is not just a whole-of-government approach,

01:18:31.019 --> 01:18:33.112
this is an international problem

01:18:33.112 --> 01:18:34.499
with international solutions,

01:18:34.499 --> 01:18:35.935
and we're moving out aggressively,

01:18:35.935 --> 01:18:37.227
and this is a recent

01:18:37.227 --> 01:18:39.014
last few weeks, where we've been able to partner with

01:18:39.014 --> 01:18:40.931
some unlikely partners.

01:18:42.227 --> 01:18:44.356
- I agree that it's an international problem

01:18:44.356 --> 01:18:46.345
with international solutions,

01:18:46.345 --> 01:18:49.012
but we provide the main solution

01:18:50.393 --> 01:18:52.810
and we are in effect victims,

01:18:56.130 --> 01:18:58.196
substantially if not primarily,

01:18:58.196 --> 01:19:01.620
of the problem and I understand, Mr. Rapuano,

01:19:01.620 --> 01:19:04.620
that we have plans and capabilities.

01:19:07.485 --> 01:19:09.686
I'm not fully satisfied with the idea

01:19:09.686 --> 01:19:11.936
that those forward-oriented

01:19:13.871 --> 01:19:16.149
measures of action are sufficient.

01:19:16.149 --> 01:19:18.821
I think we need action here and now.

01:19:18.821 --> 01:19:22.988
The Lazarus Group, a North Korean-linked cyber crime ring,

01:19:23.697 --> 01:19:25.216
stole 81 million dollars

01:19:25.216 --> 01:19:28.549
from the Bangladesh Central Bank account

01:19:28.649 --> 01:19:31.316
at the New York Federal Reserve,

01:19:34.250 --> 01:19:37.256
which would have been 1 billion dollars,

01:19:37.256 --> 01:19:39.145
but for a spelling error,

01:19:39.145 --> 01:19:41.156
a fairly rudimentary spelling error

01:19:41.156 --> 01:19:43.906
on the part of the North Koreans.

01:19:44.149 --> 01:19:47.217
They've also been tied to the WannaCry attack

01:19:47.217 --> 01:19:51.105
earlier this year, and the Sony attack in 2014.

01:19:51.105 --> 01:19:53.772
This week, they are being linked

01:19:54.339 --> 01:19:58.506
to a 60 million dollar theft from the Taiwanese bank.

01:20:01.256 --> 01:20:03.632
You know, measured in millions,

01:20:03.632 --> 01:20:06.903
given the way we measure amounts of money,

01:20:06.903 --> 01:20:07.889
and this billion,

01:20:07.889 --> 01:20:10.088
which in this week with our budget

01:20:10.088 --> 01:20:12.838
is in the billions and trillions,

01:20:13.335 --> 01:20:16.335
may seem small but it is substantial

01:20:16.627 --> 01:20:20.127
given the North Korean economy and its size,

01:20:20.127 --> 01:20:22.877
so I'm hoping that in another setting

01:20:22.877 --> 01:20:27.044
we can be more fully briefed on what is being done now

01:20:27.540 --> 01:20:29.078
to stem and stop this threat,

01:20:29.078 --> 01:20:32.275
and I appreciate all of your good work in this area.

01:20:32.275 --> 01:20:33.108
Thank you.

01:20:33.308 --> 01:20:35.058
Thanks, Mr. Chairman.

01:20:35.522 --> 01:20:36.355
- Thank you, gentlemen,

01:20:36.355 --> 01:20:39.305
for your willingness to tackle these issues

01:20:39.305 --> 01:20:41.507
and I think it goes without saying that

01:20:41.507 --> 01:20:43.320
your level of success in these areas

01:20:43.320 --> 01:20:46.653
will really influence American democracy

01:20:47.266 --> 01:20:51.147
for many, many years, as well as decades to come.

01:20:51.147 --> 01:20:53.748
So the conversation today so far

01:20:53.748 --> 01:20:57.915
has been focused very much on cyber defense coordination

01:20:58.014 --> 01:21:01.421
which is, we would all say, is very important.

01:21:01.421 --> 01:21:04.576
However, coordination doesn't do any good

01:21:04.576 --> 01:21:05.965
without the proper understanding

01:21:05.965 --> 01:21:09.211
of our capabilities across the government,

01:21:09.211 --> 01:21:10.745
and that's why I worked with

01:21:10.745 --> 01:21:13.131
Senators Coons, Fisher, and Gillibrand

01:21:13.131 --> 01:21:15.724
to introduce bipartisan legislation

01:21:15.724 --> 01:21:17.891
requiring the DoD to track

01:21:17.916 --> 01:21:20.492
National Guard's cyber capabilities.

01:21:20.492 --> 01:21:22.290
And Mr. Smith, you had given a shout-out

01:21:22.290 --> 01:21:25.005
to the new cyber program within the National Guard,

01:21:25.005 --> 01:21:27.344
and I really do appreciate that.

01:21:27.344 --> 01:21:28.927
So for each of you,

01:21:29.549 --> 01:21:31.476
how do you assess the capabilities

01:21:31.476 --> 01:21:35.643
of the individuals and the organizations under your charge?

01:21:36.566 --> 01:21:40.733
Because we see this lovely chart which is very old,

01:21:41.277 --> 01:21:43.837
but you do have a number of organizations

01:21:43.837 --> 01:21:45.892
that you're responsible for.

01:21:45.892 --> 01:21:47.968
How do you go in and assess

01:21:47.968 --> 01:21:51.135
what that organization can actually do

01:21:52.939 --> 01:21:54.606
and is it effective?

01:21:56.186 --> 01:21:57.332
It's great to say

01:21:57.332 --> 01:22:00.133
"Hey, we have a cyber team in DoJ," or whatever,

01:22:00.133 --> 01:22:02.452
but how do you know that they're effective?

01:22:02.452 --> 01:22:05.452
Can you explain how you assess that?

01:22:05.561 --> 01:22:08.561
We'll start with you, Mr. Secretary.

01:22:09.560 --> 01:22:12.499
- Thank you, Senator, that is an excellent question

01:22:12.499 --> 01:22:15.320
and it does represent a significant challenge.

01:22:15.320 --> 01:22:16.955
We've got a lot of disparate organizations

01:22:16.955 --> 01:22:18.747
that obviously have cyber equities

01:22:18.747 --> 01:22:20.956
and are developing cyber capabilities,

01:22:20.956 --> 01:22:23.351
and within the Department of Defense

01:22:23.351 --> 01:22:25.478
we have really committed in earnest

01:22:25.478 --> 01:22:29.022
to start to better understand the cross-cut

01:22:29.022 --> 01:22:31.271
in terms of the services, the commands,

01:22:31.271 --> 01:22:33.863
the full range including the National Guard.

01:22:33.863 --> 01:22:34.948
What are the capabilities?

01:22:34.948 --> 01:22:37.029
What specific skills are they developing?

01:22:37.029 --> 01:22:38.962
What professional development program

01:22:38.962 --> 01:22:42.126
do we have to recruit, train, and develop

01:22:42.126 --> 01:22:44.459
very attractive career paths

01:22:44.552 --> 01:22:46.402
for the best and the brightest?

01:22:46.402 --> 01:22:49.095
So we have a number of initiatives

01:22:49.095 --> 01:22:50.940
starting with the budget initiative,

01:22:50.940 --> 01:22:54.200
so when you start to see our budget formulations,

01:22:54.200 --> 01:22:55.245
it's apples to apples

01:22:55.245 --> 01:22:57.768
instead of what it has been historically,

01:22:57.768 --> 01:23:01.044
which is each service's or organization's conception

01:23:01.044 --> 01:23:02.930
of what constitutes training

01:23:02.930 --> 01:23:05.743
or what constitutes the different elements of their budget.

01:23:05.743 --> 01:23:07.154
And we have found,

01:23:07.154 --> 01:23:08.962
we did a first run this year

01:23:08.962 --> 01:23:10.410
that was off the budget cycle,

01:23:10.410 --> 01:23:14.577
just to get us in the road to progress, so to speak.

01:23:15.534 --> 01:23:18.119
We found that we really have got to ensure

01:23:18.119 --> 01:23:21.433
that there's common definitional issues.

01:23:21.433 --> 01:23:24.766
So we were defining things the same way.

01:23:24.940 --> 01:23:26.778
The other area, in terms of National Guard,

01:23:26.778 --> 01:23:29.884
we do track National Guard cyber capability,

01:23:29.884 --> 01:23:31.764
development training capabilities,

01:23:31.764 --> 01:23:34.474
and how they fit into the cyber mission force.

01:23:34.474 --> 01:23:35.870
The one area that we do have

01:23:35.870 --> 01:23:37.150
a little bit of a challenge with

01:23:37.150 --> 01:23:38.983
is under state status.

01:23:40.238 --> 01:23:44.056
We don't have that same system of consistent definitions

01:23:44.056 --> 01:23:46.497
so that's something that we're working at,

01:23:46.497 --> 01:23:49.740
but we definitely recognize the critical importance

01:23:49.740 --> 01:23:53.647
of having that common ability across many different fronts

01:23:53.647 --> 01:23:55.500
to define those things so we can apply them.

01:23:55.500 --> 01:23:56.630
- No, I appreciate that,

01:23:56.630 --> 01:23:58.611
and that's good to understand that now

01:23:58.611 --> 01:24:00.464
and get those worked out,

01:24:00.464 --> 01:24:03.099
those details and discrepancies worked out.

01:24:03.099 --> 01:24:05.182
Mr. Smith, how about you?

01:24:05.575 --> 01:24:07.575
- On our technical side,

01:24:07.646 --> 01:24:11.061
we tend to be on the job with that routinely,

01:24:11.061 --> 01:24:12.208
so most of the people are out there

01:24:12.208 --> 01:24:15.175
and currently actively engaged in either incidents,

01:24:15.175 --> 01:24:17.571
incident response, and following up

01:24:17.571 --> 01:24:20.273
on the threats and investigations,

01:24:20.273 --> 01:24:22.048
but we spend a significant amount of effort

01:24:22.048 --> 01:24:26.215
in enhancing those, particularly at a much higher level

01:24:27.352 --> 01:24:29.676
on the cyber technical side.

01:24:29.676 --> 01:24:31.982
But in addition to that we've taken steps

01:24:31.982 --> 01:24:34.449
to significantly elevate the entire work force

01:24:34.449 --> 01:24:36.282
in the digital domain.

01:24:36.554 --> 01:24:38.781
We've created on-the-job training

01:24:38.781 --> 01:24:42.948
which allows non-cyber personnel to be taken offline

01:24:43.211 --> 01:24:44.432
from investigating other matters

01:24:44.432 --> 01:24:46.881
to enhance that cyber capability,

01:24:46.881 --> 01:24:49.071
so when they go back after a couple of months,

01:24:49.071 --> 01:24:50.135
they're capable of bringing

01:24:50.135 --> 01:24:53.188
both their normal traditional investigative methods

01:24:53.188 --> 01:24:54.740
along with the current, modern

01:24:54.740 --> 01:24:57.657
digital investigative requirements.

01:24:57.886 --> 01:24:59.456
Looking longer term though,

01:24:59.456 --> 01:25:02.814
when we're talking about the workforce of the future,

01:25:02.814 --> 01:25:06.897
we've been collaborating on a much more local level

01:25:06.992 --> 01:25:09.334
with STEM high school programs

01:25:09.334 --> 01:25:11.814
in developing and building a future workforce,

01:25:11.814 --> 01:25:15.981
as opposed to trying to compete with everybody here,

01:25:16.623 --> 01:25:19.123
and with the private industry,

01:25:19.366 --> 01:25:23.449
which can offer things and more benefits at times

01:25:24.384 --> 01:25:26.108
than we're capable of,

01:25:26.108 --> 01:25:29.858
but by building in an FBI cyber STEM program,

01:25:30.241 --> 01:25:33.324
and bringing local university courses

01:25:34.094 --> 01:25:36.894
to high school students at an earlier age

01:25:36.894 --> 01:25:40.066
and supplementing that with some leadership development

01:25:40.066 --> 01:25:41.686
in those high school ranks.

01:25:41.686 --> 01:25:42.646
So looking long term,

01:25:42.646 --> 01:25:46.198
building a workforce that will augment and maintain

01:25:46.198 --> 01:25:49.009
the necessity that we all require,

01:25:49.009 --> 01:25:51.313
and we're talking about here in this digital arena,

01:25:51.313 --> 01:25:52.993
working with the non-cyber elements.

01:25:52.993 --> 01:25:55.160
Our internal cyber people,

01:25:55.187 --> 01:25:57.241
they are at a very high level.

01:25:57.241 --> 01:25:59.561
- Thank you, yes, and I am running out of time.

01:25:59.561 --> 01:26:03.546
Mr. Krebs, if you could submit that to us for the record,

01:26:03.546 --> 01:26:04.589
I would be appreciative,

01:26:04.589 --> 01:26:08.294
but gentlemen, one thing too as we look across the board

01:26:08.294 --> 01:26:10.680
is really assessing those organizations

01:26:10.680 --> 01:26:12.678
that fall under your purview,

01:26:12.678 --> 01:26:13.917
but then making sure that we're not

01:26:13.917 --> 01:26:17.194
duplicating services amongst our agencies as well,

01:26:17.194 --> 01:26:19.971
and operating as efficiently as possible.

01:26:19.971 --> 01:26:21.121
So, thank you very much.

01:26:21.121 --> 01:26:22.871
Thank you, Mr. Chair.

01:26:24.536 --> 01:26:25.485
- Thank you, Mr. Chairman.

01:26:25.485 --> 01:26:27.355
I'm glad that we're having a discussion

01:26:27.355 --> 01:26:30.264
about the integrity of our elections

01:26:30.264 --> 01:26:32.570
and as being fundamental to our democracy,

01:26:32.570 --> 01:26:35.106
and Mr. Krebs, as I look at this chart,

01:26:35.106 --> 01:26:38.659
even if it's dated, your responsibility at DHS

01:26:38.659 --> 01:26:40.729
is to protect critical infrastructure

01:26:40.729 --> 01:26:43.159
and you did say that, election systems,

01:26:43.159 --> 01:26:44.536
critical infrastructure,

01:26:44.536 --> 01:26:47.215
and you have an election security task force,

01:26:47.215 --> 01:26:50.240
so do you consider DHS to be the lead agency

01:26:50.240 --> 01:26:54.407
on making sure that our election systems are not hacked?

01:26:55.902 --> 01:26:58.883
- Ma'am, we do have unique statutory authorities

01:26:58.883 --> 01:27:00.727
to coordinate protection activities

01:27:00.727 --> 01:27:02.210
across the critical infrastructure,

01:27:02.210 --> 01:27:04.681
and as a designated critical infrastructure sub-sector,

01:27:04.681 --> 01:27:05.514
yes, ma'am.

01:27:05.514 --> 01:27:06.347
I have lead in coordinating.

01:27:06.347 --> 01:27:10.347
Now, I do not physically protect those networks,

01:27:10.608 --> 01:27:13.171
I enable state and locals and also the private sector

01:27:13.171 --> 01:27:14.936
to have better practices, yes ma'am.

01:27:14.936 --> 01:27:15.947
- Yes, I understand that,

01:27:15.947 --> 01:27:17.550
but you would be the lead federal agency

01:27:17.550 --> 01:27:19.194
that has this responsibility

01:27:19.194 --> 01:27:22.066
to work with the state and local entities

01:27:22.066 --> 01:27:24.508
to protect our election systems?

01:27:24.508 --> 01:27:26.949
- From a critical infrastructure protection perspective,

01:27:26.949 --> 01:27:29.366
yes ma'am, alongside the FBI,

01:27:29.681 --> 01:27:31.576
as well as the intelligence community.

01:27:31.576 --> 01:27:32.409
- What we're just looking for,

01:27:32.409 --> 01:27:35.042
as we're wrestling with the idea

01:27:35.042 --> 01:27:37.542
of who's responsible for what,

01:27:37.753 --> 01:27:38.875
I'd just like to get down there

01:27:38.875 --> 01:27:40.506
with regard to election systems.

01:27:40.506 --> 01:27:42.339
We should look to DHS.

01:27:42.718 --> 01:27:44.241
That's all I want to know.

01:27:44.241 --> 01:27:45.881
Now, I hope that your task force

01:27:45.881 --> 01:27:47.941
is also addressing the purchases

01:27:47.941 --> 01:27:51.108
of political ads by foreign countries.

01:27:51.732 --> 01:27:53.235
I hope that's one of the things

01:27:53.235 --> 01:27:55.985
that your task force will address

01:27:57.474 --> 01:27:59.264
and whether there's a need for legislation

01:27:59.264 --> 01:28:02.181
to prevent those kind of purchases.

01:28:03.627 --> 01:28:07.127
I want to get to a question to Mr. Rapuano.

01:28:07.636 --> 01:28:10.176
Data prediction is obviously an important issue

01:28:10.176 --> 01:28:12.526
with industrial espionage being carried out

01:28:12.526 --> 01:28:14.636
by some of our near peer competitors

01:28:14.636 --> 01:28:17.278
and the DoD requires contractors

01:28:17.278 --> 01:28:19.078
to provide adequate security

01:28:19.078 --> 01:28:20.708
for recovered defense information,

01:28:20.708 --> 01:28:23.481
that is processed, stored, or transmitted

01:28:23.481 --> 01:28:27.648
on the contractor's internal information system or network.

01:28:28.102 --> 01:28:30.019
By December 31st, 2017,

01:28:30.145 --> 01:28:31.906
contractors must at a minimum

01:28:31.906 --> 01:28:35.156
implement security requirements to meet

01:28:35.597 --> 01:28:38.256
National Institute of Standards and Technology standards

01:28:38.256 --> 01:28:41.089
NIST, so my question, Mr. Rapuano,

01:28:41.280 --> 01:28:42.689
can you talk about the importance

01:28:42.689 --> 01:28:45.874
of having industry comply with this requirement

01:28:45.874 --> 01:28:48.310
and how you are working with industry

01:28:48.310 --> 01:28:51.664
to get the word out so that everyone is aware,

01:28:51.664 --> 01:28:52.611
especially I would say,

01:28:52.611 --> 01:28:55.402
small businesses that y'all work with.

01:28:55.402 --> 01:28:58.194
They need to know that they're supposed to be doing this.

01:28:58.194 --> 01:29:00.188
- Yes, Senator, our primary focus

01:29:00.188 --> 01:29:02.125
is with the defense industrial base

01:29:02.125 --> 01:29:04.077
where we have the highest frequency

01:29:04.077 --> 01:29:06.910
and most significant DoD programs,

01:29:08.067 --> 01:29:10.184
but we are engaged with all of those

01:29:10.184 --> 01:29:11.397
private sector elements

01:29:11.397 --> 01:29:13.685
that work with the Department of Defense.

01:29:13.685 --> 01:29:17.829
I work that closely with the chief information officer

01:29:17.829 --> 01:29:19.778
for the department, Dr. Zangardi.

01:29:19.778 --> 01:29:21.752
I can get you additional details

01:29:21.752 --> 01:29:24.419
on the processes for doing that.

01:29:26.192 --> 01:29:28.661
- Yes, I'd like to make sure that, as I mentioned,

01:29:28.661 --> 01:29:30.478
particularly small businesses

01:29:30.478 --> 01:29:32.198
who may not be aware of this requirement,

01:29:32.198 --> 01:29:34.121
that they are very aware

01:29:34.121 --> 01:29:37.564
and that they can have enough time to comply

01:29:37.564 --> 01:29:41.581
because December 2017 is right around the corner.

01:29:41.581 --> 01:29:43.259
So whatever you have, flyers,

01:29:43.259 --> 01:29:46.071
whatever you use to get the word out.

01:29:46.071 --> 01:29:47.238
For Mr. Krebs,

01:29:47.893 --> 01:29:49.237
now, you mentioned in your testimony

01:29:49.237 --> 01:29:52.411
how cyber actors have strategically targeted

01:29:52.411 --> 01:29:54.535
critical infrastructure sectors

01:29:54.535 --> 01:29:57.445
with the intent ranging from cyber espionage

01:29:57.445 --> 01:30:00.016
to disruption of critical services

01:30:00.016 --> 01:30:03.517
and specifically, you identify two malware attacks

01:30:03.517 --> 01:30:06.017
called Black Energy and Havex,

01:30:06.056 --> 01:30:07.681
is that the correct pronunciation?

01:30:07.681 --> 01:30:08.544
- Yes, ma'am.

01:30:08.544 --> 01:30:11.982
- on specifically targeted industrial control systems,

01:30:11.982 --> 01:30:13.681
and it doesn't take a wild imagination

01:30:13.681 --> 01:30:16.522
to think up how a sophisticated cyber attack

01:30:16.522 --> 01:30:20.150
to a power plant's industrial control system

01:30:20.150 --> 01:30:23.896
could cause a massive disruption with grave consequences.

01:30:23.896 --> 01:30:28.063
What is being done by DHS to encourage the private sector

01:30:28.624 --> 01:30:32.791
to harden their defense of industrial control systems?

01:30:32.919 --> 01:30:34.542
- Yes ma'am, thank you for your question,

01:30:34.542 --> 01:30:36.390
and I do share your concern,

01:30:36.390 --> 01:30:40.390
particularly with respect to those two toolkits.

01:30:41.239 --> 01:30:42.125
I think I would have,

01:30:42.125 --> 01:30:43.221
I'd answer the question two ways.

01:30:43.221 --> 01:30:45.413
One, in endpoint protection,

01:30:45.413 --> 01:30:48.002
so we do work very closely with the electricity sector,

01:30:48.002 --> 01:30:49.316
as I mentioned early on,

01:30:49.316 --> 01:30:51.731
with the Electricity Sector Coordinating Council,

01:30:51.731 --> 01:30:55.564
and those that, again from a grid perspective,

01:30:56.895 --> 01:30:59.846
but then through our industrial control systems CERT

01:30:59.846 --> 01:31:03.425
the ICS-CERT, we do look at kind of more scalable solutions

01:31:03.425 --> 01:31:05.710
that I mentioned in my opening statement.

01:31:05.710 --> 01:31:07.911
Not just kind of the whack-a-mole approach

01:31:07.911 --> 01:31:09.844
at the individual facilities,

01:31:09.844 --> 01:31:10.872
but try to understand

01:31:10.872 --> 01:31:14.564
what the actual individual control systems are,

01:31:14.564 --> 01:31:15.838
who manufactures them,

01:31:15.838 --> 01:31:18.227
because it does tend to be a smaller set of companies

01:31:18.227 --> 01:31:21.408
instead of a hundred or a thousand endpoints.

01:31:21.408 --> 01:31:23.631
We can kind of go to the root of the problem,

01:31:23.631 --> 01:31:26.222
the systemic problem, as I also mentioned,

01:31:26.222 --> 01:31:29.659
address that at the manufacturer or coder level

01:31:29.659 --> 01:31:31.687
and then from there kind of break out

01:31:31.687 --> 01:31:32.717
and hit those end points.

01:31:32.717 --> 01:31:34.092
So again, we do work at the endpoint,

01:31:34.092 --> 01:31:36.186
but we also work at kind of the root problem.

01:31:36.186 --> 01:31:40.023
- So you perform outreach activities then through ICS-CERT,

01:31:40.023 --> 01:31:42.773
to make sure that for example the

01:31:43.036 --> 01:31:46.453
utilities sector is adequately protected?

01:31:48.177 --> 01:31:50.285
- Among other mechanisms, yes ma'am.

01:31:50.285 --> 01:31:51.170
- Thank you.

01:31:51.170 --> 01:31:53.087
Thank you Mr. Chairman.

01:31:54.624 --> 01:31:55.752
- Thank you, Mr. Chairman.

01:31:55.752 --> 01:31:56.863
Gentlemen, thank you for being here.

01:31:56.863 --> 01:31:57.960
One quick question,

01:31:57.960 --> 01:31:59.832
and this is really from the perspective,

01:31:59.832 --> 01:32:02.655
my perspective as the personnel subcommittee chair,

01:32:02.655 --> 01:32:06.072
what trends, either positive or negative,

01:32:06.148 --> 01:32:07.315
are we seeing?

01:32:08.087 --> 01:32:09.254
It is Rapuano?

01:32:10.337 --> 01:32:12.837
Is that the correct pronunciation?

01:32:13.665 --> 01:32:14.765
- Yes.
- Mr. Rapuano,

01:32:14.765 --> 01:32:16.443
you mentioned I think earlier,

01:32:16.443 --> 01:32:18.273
when I was here, about the National Guard

01:32:18.273 --> 01:32:19.937
playing some role at the state level,

01:32:19.937 --> 01:32:21.319
but can you give me any idea

01:32:21.319 --> 01:32:24.569
of either positive or concerning trends

01:32:25.117 --> 01:32:26.725
about the resources we're getting

01:32:26.725 --> 01:32:28.228
into the various agencies

01:32:28.228 --> 01:32:30.097
to really flesh out our expertise

01:32:30.097 --> 01:32:32.236
to attract them and retain them

01:32:32.236 --> 01:32:33.653
and to grow them.

01:32:33.701 --> 01:32:34.639
- Well I would simply say,

01:32:34.639 --> 01:32:37.022
and I think it's been a common experience

01:32:37.022 --> 01:32:39.370
for my colleagues at the table here,

01:32:39.370 --> 01:32:43.140
that getting the best talent is a very significant challenge

01:32:43.140 --> 01:32:46.310
in the cyber realm, for all the obvious reasons.

01:32:46.310 --> 01:32:47.143
- Comp?

01:32:47.420 --> 01:32:49.773
I mean, there's a variety of reasons,

01:32:49.773 --> 01:32:52.929
but what would you list as the top two or three?

01:32:52.929 --> 01:32:54.593
- There's a very high demand signal

01:32:54.593 --> 01:32:57.011
throughout the entire economy,

01:32:57.011 --> 01:33:00.428
the compensation that individuals can get

01:33:01.936 --> 01:33:03.414
on the outside of government

01:33:03.414 --> 01:33:05.497
is significantly greater.

01:33:05.734 --> 01:33:07.936
We are trying to address that

01:33:07.936 --> 01:33:10.556
in terms of our workforce management process,

01:33:10.556 --> 01:33:11.772
and we have some additional authorities

01:33:11.772 --> 01:33:13.108
that we're applying to that,

01:33:13.108 --> 01:33:16.608
as I believe, other agencies have as well.

01:33:16.650 --> 01:33:20.567
But again, it's a demand versus supply question.

01:33:21.527 --> 01:33:24.416
- We've asked that, we've had this discussed before,

01:33:24.416 --> 01:33:26.873
and actually Senator Rounds and I have talked about it.

01:33:26.873 --> 01:33:29.349
I'd be very interested in feedback that you can give us

01:33:29.349 --> 01:33:30.903
on things that we should look at

01:33:30.903 --> 01:33:33.029
as a possible subject matter

01:33:33.029 --> 01:33:36.946
for future subcommittee hearings for retention.

01:33:37.028 --> 01:33:38.218
You know, I worked in the private sector

01:33:38.218 --> 01:33:40.483
and I had a cyber sub-practice,

01:33:40.483 --> 01:33:42.200
ethical hack testing practice

01:33:42.200 --> 01:33:44.450
back in the private sector,

01:33:44.927 --> 01:33:47.769
and what you're up against is not only

01:33:47.769 --> 01:33:49.491
a higher baseline for salaries

01:33:49.491 --> 01:33:50.495
but you're also up against

01:33:50.495 --> 01:33:52.410
what the industry would call hot skills.

01:33:52.410 --> 01:33:55.386
These are very, very important skills,

01:33:55.386 --> 01:33:56.810
and so just when you think you've caught up

01:33:56.810 --> 01:34:00.174
or got within the range on the baseline comp,

01:34:00.174 --> 01:34:02.505
a firm like the firm that I worked with

01:34:02.505 --> 01:34:04.404
that both Price Waterhouse and IBM says

01:34:04.404 --> 01:34:06.676
"Okay, now we've got to come in with a signing bonus

01:34:06.676 --> 01:34:08.162
"and some sort of retention measures"

01:34:08.162 --> 01:34:10.568
that make it impossible in a governmental institution

01:34:10.568 --> 01:34:11.516
to stay up with.

01:34:11.516 --> 01:34:13.576
So, getting feedback on that would be helpful.

01:34:13.576 --> 01:34:15.192
I'm gonna be brief because we've got votes

01:34:15.192 --> 01:34:17.775
and I want to stick to my time.

01:34:17.928 --> 01:34:19.576
I do want to just associate myself

01:34:19.576 --> 01:34:22.442
with comments and questions that were made by Senator Inhofe

01:34:22.442 --> 01:34:26.003
and I think Senator Shaheen, about open-source software

01:34:26.003 --> 01:34:29.177
and some of the policy discussions we're having here.

01:34:29.177 --> 01:34:31.124
I'll go back to the record

01:34:31.124 --> 01:34:33.055
to see how you all responded to their questions

01:34:33.055 --> 01:34:34.649
but I share their concern.

01:34:34.649 --> 01:34:36.153
I want to get more of an idea

01:34:36.153 --> 01:34:39.634
of the scope and the scale of non-classified software

01:34:39.634 --> 01:34:41.634
that the department uses

01:34:41.667 --> 01:34:43.333
and I'm trying to get an idea of a volume.

01:34:43.333 --> 01:34:47.500
Let's say, as a percentage of the entire portfolio,

01:34:47.930 --> 01:34:49.847
what are we looking at,

01:34:50.399 --> 01:34:54.566
at non-classified software as a percentage of our base?

01:34:56.032 --> 01:34:56.981
I mean, is it safe to assume

01:34:56.981 --> 01:35:00.486
that it's in the thousands, in terms of software platforms,

01:35:00.486 --> 01:35:04.653
tools, the whole portfolio of the technology stack?

01:35:04.954 --> 01:35:06.521
- Senator, that's a request that I have

01:35:06.521 --> 01:35:09.344
into our system, into our CIO's office,

01:35:09.344 --> 01:35:11.350
and I can get that information back to you

01:35:11.350 --> 01:35:13.017
as soon as I get it.

01:35:14.970 --> 01:35:16.294
- Yeah, I would have to get back with you

01:35:16.294 --> 01:35:17.579
with more specifics.

01:35:17.579 --> 01:35:19.847
I think it'd be helpful, because I'm sure that we have

01:35:19.847 --> 01:35:22.284
application portfolios out there for,

01:35:22.284 --> 01:35:23.951
I hope I should say,

01:35:24.063 --> 01:35:25.865
that we're following best practices

01:35:25.865 --> 01:35:28.706
and somebody out there in the ops world

01:35:28.706 --> 01:35:31.599
knows exactly what our portfolio is

01:35:31.599 --> 01:35:34.699
and how they fit in the classified and unclassified realm.

01:35:34.699 --> 01:35:35.784
I think that'd be very helpful,

01:35:35.784 --> 01:35:37.376
very instructive to this committee.

01:35:37.376 --> 01:35:38.926
I'm going to yield back the rest of my time,

01:35:38.926 --> 01:35:40.907
so hopefully other members can get their questions in

01:35:40.907 --> 01:35:41.740
before the vote.

01:35:41.740 --> 01:35:43.407
Thank you Mr. Chair.

01:35:44.738 --> 01:35:45.974
- Mr. Krebs, I just want to make you feel

01:35:45.974 --> 01:35:46.807
better about your title.

01:35:46.807 --> 01:35:49.346
I enjoyed that interplay with Senator Shaheen,

01:35:49.346 --> 01:35:52.211
as 40 years ago I worked here as a staff member

01:35:52.211 --> 01:35:53.435
and I was seeking a witness,

01:35:53.435 --> 01:35:56.643
I think I may have told the Chairman this story,

01:35:56.643 --> 01:35:58.005
from the Office of Management and Budget

01:35:58.005 --> 01:35:58.924
from the administration.

01:35:58.924 --> 01:36:01.580
They said, "He's the deputy secretary under such and such."

01:36:01.580 --> 01:36:03.570
I said, "I don't know what that title means."

01:36:03.570 --> 01:36:06.249
The response was, and you could take this home with you,

01:36:06.249 --> 01:36:10.416
"He's at the highest level where they still know anything."

01:36:10.656 --> 01:36:12.040
and I now realize, by the way,

01:36:12.040 --> 01:36:13.881
that I'm above that level so...

01:36:13.881 --> 01:36:15.834
But I appreciate having you here.

01:36:15.834 --> 01:36:19.633
I think you fellows understated one important point

01:36:19.633 --> 01:36:20.744
and I don't understand

01:36:20.744 --> 01:36:22.859
why the representative from the White House isn't here

01:36:22.859 --> 01:36:25.239
because I think he has a reasonable story to tell.

01:36:25.239 --> 01:36:27.392
On May 11th, the President issued

01:36:27.392 --> 01:36:31.008
a pretty comprehensive executive order on this subject

01:36:31.008 --> 01:36:35.091
that is not the be-all and end-all on the subject

01:36:35.246 --> 01:36:38.768
but certainly is an important beginning in terms of,

01:36:38.768 --> 01:36:40.139
now, here's my question though.

01:36:40.139 --> 01:36:41.343
In that executive order,

01:36:41.343 --> 01:36:44.110
there were a number of report back requirements

01:36:44.110 --> 01:36:45.828
that triggered mostly in August.

01:36:45.828 --> 01:36:49.995
My question is, have those report backs been done?

01:36:50.083 --> 01:36:51.083
Mr. Rapuano?

01:36:52.893 --> 01:36:54.565
- Senator, they are starting to come in,

01:36:54.565 --> 01:36:56.802
and as you note, there are a number that are still due out,

01:36:56.802 --> 01:36:59.801
just based on--
- Some were 180 days,

01:36:59.801 --> 01:37:00.855
some were 90 days,

01:37:00.855 --> 01:37:01.960
so I'm wondering if the 90 days,

01:37:01.960 --> 01:37:05.288
which expired in August, have come back?

01:37:05.288 --> 01:37:07.280
- That's correct, I don't have the full tracker

01:37:07.280 --> 01:37:08.319
with me right here.

01:37:08.319 --> 01:37:10.346
I can get back to you on that.

01:37:10.346 --> 01:37:11.404
- I would appreciate that.

01:37:11.404 --> 01:37:12.619
- Some have been submitted

01:37:12.619 --> 01:37:14.380
according to the original timeline,

01:37:14.380 --> 01:37:16.500
others have been extended,

01:37:16.500 --> 01:37:19.770
but absolutely those are the essential elements

01:37:19.770 --> 01:37:22.181
of information necessary to fully develop

01:37:22.181 --> 01:37:25.875
and update the strategy to the evolving threats

01:37:25.875 --> 01:37:28.468
and build that doctrine, and requirements, and plans.

01:37:28.468 --> 01:37:30.761
- You used the key word of doctrine,

01:37:30.761 --> 01:37:32.061
and I want to talk about that in a minute,

01:37:32.061 --> 01:37:33.159
but by the same token,

01:37:33.159 --> 01:37:36.492
this committee passed as, or the Congress passed

01:37:36.492 --> 01:37:38.455
as part of the National Defense Authorization Act

01:37:38.455 --> 01:37:42.205
last December, a provision requiring a report

01:37:43.535 --> 01:37:44.705
from the secretary of defense

01:37:44.705 --> 01:37:47.012
to the president within 180 days,

01:37:47.012 --> 01:37:48.638
and from the president to the congress

01:37:48.638 --> 01:37:49.971
within 180 days.

01:37:50.310 --> 01:37:53.530
That report would have been due in June

01:37:53.530 --> 01:37:54.914
from the secretary of defense,

01:37:54.914 --> 01:37:57.369
involving what are the military

01:37:57.369 --> 01:37:59.480
and non-military options available

01:37:59.480 --> 01:38:01.605
for deterring and responding to imminent threats

01:38:01.605 --> 01:38:02.772
in cyberspace.

01:38:03.823 --> 01:38:06.836
Do you know if that report has been completed?

01:38:06.836 --> 01:38:07.669
- Yes, Senator.

01:38:07.669 --> 01:38:10.870
It was our original intent and desire to couple the two

01:38:10.870 --> 01:38:13.222
with the input both into the president's EO

01:38:13.222 --> 01:38:16.091
as well as the input back to the Senate

01:38:16.091 --> 01:38:19.161
based on the delay of the president's EO,

01:38:19.161 --> 01:38:22.202
we decoupled that because we recognized your impatience

01:38:22.202 --> 01:38:23.360
and we need to get--

01:38:23.360 --> 01:38:24.193
- You may have heard,

01:38:24.193 --> 01:38:25.927
you may have picked up some impatience this morning.

01:38:25.927 --> 01:38:27.427
So, do we have it?

01:38:27.866 --> 01:38:30.746
- We will be submitting it to you shortly

01:38:30.746 --> 01:38:32.329
and I'll get a specific date.

01:38:32.329 --> 01:38:35.543
- "Shortly" doesn't make me feel much better.

01:38:35.543 --> 01:38:38.543
Is that geologic time or is that...?

01:38:39.097 --> 01:38:40.251
- (chuckles) Calendar time, sir.

01:38:40.251 --> 01:38:42.001
- Please let us know.

01:38:42.009 --> 01:38:44.592
You mentioned the word doctrine

01:38:44.811 --> 01:38:47.765
and I think that's one of the key issues here.

01:38:47.765 --> 01:38:51.932
If all we do is try to patch networks and defend ourselves,

01:38:53.192 --> 01:38:55.025
we'll ultimately lose.

01:38:55.352 --> 01:38:57.935
There has to be, and Mr. Smith,

01:38:58.854 --> 01:39:02.104
you use the term "imposed consequences"

01:39:02.694 --> 01:39:04.546
and right now we're not imposing much

01:39:04.546 --> 01:39:06.451
in the way of consequences.

01:39:06.451 --> 01:39:07.520
For the election hacking,

01:39:07.520 --> 01:39:08.998
which is one of the most egregious attacks

01:39:08.998 --> 01:39:12.081
on the United States in recent years,

01:39:13.430 --> 01:39:15.041
there were sanctions passed by the Congress,

01:39:15.041 --> 01:39:17.038
but it was six or eight months later,

01:39:17.038 --> 01:39:20.455
and it's unclear how severe they will be.

01:39:21.341 --> 01:39:24.623
We need a doctrine where our adversaries know

01:39:24.623 --> 01:39:27.623
if they do X, Y will happen to them.

01:39:28.695 --> 01:39:30.729
Mr. Rapuano, do you have any thoughts on that?

01:39:30.729 --> 01:39:31.620
Do you see what I mean?

01:39:31.620 --> 01:39:32.755
Just being on the defensive

01:39:32.755 --> 01:39:33.959
isn't gonna work in the end.

01:39:33.959 --> 01:39:36.315
If you're in a boxing match and you could bob and weave

01:39:36.315 --> 01:39:37.544
and you're the best bobber and weaver

01:39:37.544 --> 01:39:38.591
in the history of the world,

01:39:38.591 --> 01:39:40.392
if you're not allowed to ever punch,

01:39:40.392 --> 01:39:43.037
you're gonna lose that boxing match.

01:39:43.037 --> 01:39:44.469
- Yes, Senator, certainly agree

01:39:44.469 --> 01:39:48.636
that both the demonstrated will and ability to respond

01:39:49.016 --> 01:39:52.721
to provocations in general, and cyber in specific,

01:39:52.721 --> 01:39:55.336
is critical to effective deterrence.

01:39:55.336 --> 01:39:56.875
I think the challenge that we have

01:39:56.875 --> 01:39:59.542
that is somewhat unique in cyber

01:39:59.717 --> 01:40:01.634
is defining a threshold

01:40:02.246 --> 01:40:04.919
that then does not invite adversaries

01:40:04.919 --> 01:40:07.761
to inch up close but short of it yet.

01:40:07.761 --> 01:40:10.792
- Right.
- And therefore the criteria,

01:40:10.792 --> 01:40:14.152
it's very difficult to make them highly specific

01:40:14.152 --> 01:40:15.375
versus more general,

01:40:15.375 --> 01:40:17.303
and then the downside of the general is

01:40:17.303 --> 01:40:19.375
it's too ambiguous to be meaningful

01:40:19.375 --> 01:40:20.525
as a deterrent.

01:40:20.525 --> 01:40:22.227
- And part of the problem also is

01:40:22.227 --> 01:40:23.925
we tend to want to keep secret what we can do

01:40:23.925 --> 01:40:28.092
when in reality, a secret deterrent is not a deterrent.

01:40:28.579 --> 01:40:30.726
The other side has to know

01:40:30.726 --> 01:40:32.688
what's liable to happen to them,

01:40:32.688 --> 01:40:35.688
and I hope you'll bear that in mind.

01:40:36.059 --> 01:40:38.080
I think this is a critically important area

01:40:38.080 --> 01:40:38.913
because we have to have a deterrent capability,

01:40:38.913 --> 01:40:39.913
otherwise...

01:40:42.054 --> 01:40:43.887
We know this is coming

01:40:45.364 --> 01:40:47.328
and so far there hasn't been much

01:40:47.328 --> 01:40:49.328
in the way of price paid

01:40:49.515 --> 01:40:53.015
whether it was Sony, or Anthem Blue Cross,

01:40:53.363 --> 01:40:56.280
or the government personnel office,

01:40:56.888 --> 01:40:58.305
or our elections.

01:40:58.696 --> 01:41:00.322
There have to be consequences

01:41:00.322 --> 01:41:02.969
otherwise everybody's going to come after us,

01:41:02.969 --> 01:41:05.481
not just Russia, but North Korea,

01:41:05.481 --> 01:41:07.728
Iran, terrorist organizations,

01:41:07.728 --> 01:41:09.561
this is warfare on the cheap,

01:41:09.561 --> 01:41:12.714
and we have to be able not only to defend ourselves

01:41:12.714 --> 01:41:15.909
but to defend ourselves through a deterrent policy

01:41:15.909 --> 01:41:18.766
and I hope in the councils of the administration

01:41:18.766 --> 01:41:22.184
that will be an emphasis in your response.

01:41:22.184 --> 01:41:24.792
- Yes I agree, Senator, and that is the point of the EO

01:41:24.792 --> 01:41:26.945
in terms of that deterrence option set

01:41:26.945 --> 01:41:28.324
is to understand them

01:41:28.324 --> 01:41:30.858
in the wider context of our capabilities,

01:41:30.858 --> 01:41:34.354
different authorities, and to start being more definitive

01:41:34.354 --> 01:41:36.791
about what those deterrence options are

01:41:36.791 --> 01:41:38.082
and how we can best use them.

01:41:38.082 --> 01:41:38.915
- Thank you.

01:41:38.915 --> 01:41:39.758
Thank you, Mr. Chairman.

01:41:39.758 --> 01:41:41.708
- [Chair] Senator Heinrich.

01:41:41.708 --> 01:41:42.674
- I want to return to that

01:41:42.674 --> 01:41:43.997
because I keep hearing the words

01:41:43.997 --> 01:41:47.580
but I don't see something specific in place

01:41:48.322 --> 01:41:49.434
and we've struggled with this

01:41:49.434 --> 01:41:52.101
for years on this committee now.

01:41:52.915 --> 01:41:55.159
Imagine that tomorrow we had

01:41:55.159 --> 01:41:58.076
a foreign nation state cyber attack

01:41:58.777 --> 01:42:01.342
on our financial or our banking sector,

01:42:01.342 --> 01:42:05.509
or next month on our utility or transmission infrastructure,

01:42:06.678 --> 01:42:08.903
or next year on our elections,

01:42:08.903 --> 01:42:11.307
and I would suggest that any of those

01:42:11.307 --> 01:42:13.307
would cross a threshold.

01:42:14.334 --> 01:42:17.251
What is our doctrine for how, when,

01:42:18.360 --> 01:42:20.972
and with what level of proportionality

01:42:20.972 --> 01:42:23.666
we're gonna respond to that kind of a cyber attack?

01:42:23.666 --> 01:42:24.666
Mr. Rapuano.

01:42:26.254 --> 01:42:27.373
- First I'd note that

01:42:27.373 --> 01:42:30.179
obviously our deterrence options are expansive

01:42:30.179 --> 01:42:31.846
beyond cyber per se.

01:42:32.240 --> 01:42:35.333
So cyber is one of a large number of tools

01:42:35.333 --> 01:42:38.250
including diplomatic, economic, trade,

01:42:38.485 --> 01:42:40.242
and military options, kinetic,

01:42:40.242 --> 01:42:42.246
including and then cyber.

01:42:42.246 --> 01:42:44.913
So looking at that broad space--

01:42:45.001 --> 01:42:46.473
- And I agree wholeheartedly,

01:42:46.473 --> 01:42:47.632
you shouldn't limit yourself

01:42:47.632 --> 01:42:49.382
to responding in kind

01:42:50.453 --> 01:42:52.286
with the same level of

01:42:52.398 --> 01:42:54.322
or with the same toolbox,

01:42:54.322 --> 01:42:56.183
but do we have a doctrine?

01:42:56.183 --> 01:42:57.669
Because if we don't have a doctrine,

01:42:57.669 --> 01:42:58.882
one of the things that has worked,

01:42:58.882 --> 01:43:00.854
that worked through the entire Cold War,

01:43:00.854 --> 01:43:05.021
is we knew what the doctrine for the other side was,

01:43:05.149 --> 01:43:07.832
and they knew what our doctrine was,

01:43:07.832 --> 01:43:10.756
and that kept us from engaging in conflicts

01:43:10.756 --> 01:43:13.061
that neither side wanted to engage in.

01:43:13.061 --> 01:43:15.105
Do we have an overall structure

01:43:15.105 --> 01:43:16.738
for how we're going to respond?

01:43:16.738 --> 01:43:18.732
And if we don't, I would suggest

01:43:18.732 --> 01:43:21.815
we have no way to achieve deterrence.

01:43:24.011 --> 01:43:26.798
- We do not have sufficient depth and breadth

01:43:26.798 --> 01:43:29.806
of the doctrine as we've been discussing,

01:43:29.806 --> 01:43:32.547
and that really is one of the primary drivers

01:43:32.547 --> 01:43:35.380
of the executive order, the 13800,

01:43:35.550 --> 01:43:37.388
is to have the essential elements

01:43:37.388 --> 01:43:39.805
to best inform that doctrine.

01:43:40.704 --> 01:43:44.704
- The Chairman's been asking for an overall plan

01:43:46.423 --> 01:43:49.425
for I don't know how long, and I think that is

01:43:49.425 --> 01:43:51.497
what we're all going to be waiting for

01:43:51.497 --> 01:43:54.702
and I wish I could ask the same question of Mr. Joyce,

01:43:54.702 --> 01:43:57.202
but maybe in a future hearing.

01:44:00.172 --> 01:44:01.054
For any of you,

01:44:01.054 --> 01:44:05.221
I spent a good part of yesterday looking at Russian created,

01:44:06.736 --> 01:44:09.153
Russian paid-for Facebook ads

01:44:09.201 --> 01:44:13.326
that ran in my state and in places across this country

01:44:13.326 --> 01:44:17.366
and were clearly designed to divide this country,

01:44:17.366 --> 01:44:21.199
as well as to have an impact on our elections.

01:44:21.638 --> 01:44:24.305
What is the administration doing

01:44:24.661 --> 01:44:26.828
to make sure that in 2018,

01:44:27.534 --> 01:44:31.701
we're not going to see this same thing all over again.

01:44:35.732 --> 01:44:37.690
Don't all speak at once.

01:44:37.690 --> 01:44:39.236
- Sir, yeah, let me start with the

01:44:39.236 --> 01:44:40.744
election infrastructure sub sector

01:44:40.744 --> 01:44:41.813
that we have established.

01:44:41.813 --> 01:44:45.051
So, from a pure cyber-attack perspective,

01:44:45.051 --> 01:44:47.320
we are working with state and local officials

01:44:47.320 --> 01:44:49.737
to up their level of defense,

01:44:51.156 --> 01:44:54.638
but specific to the ad buys and social media use,

01:44:54.638 --> 01:44:58.805
it is still an emerging issue that we're assessing

01:44:59.058 --> 01:45:01.914
and I can defer to the FBI on their efforts.

01:45:01.914 --> 01:45:03.450
- Well, it's not emerging,

01:45:03.450 --> 01:45:04.367
it emerged.

01:45:04.582 --> 01:45:06.749
We've been trying to get our hands around this

01:45:06.749 --> 01:45:08.832
for close to a year now,

01:45:10.080 --> 01:45:12.833
and we still don't seem to have a plan

01:45:12.833 --> 01:45:15.293
and that worries me enormously.

01:45:15.293 --> 01:45:17.365
We have special elections in place,

01:45:17.365 --> 01:45:20.180
we have gubernatorial elections in place,

01:45:20.180 --> 01:45:22.043
and we are continuing to see

01:45:22.043 --> 01:45:23.208
this kind of activity,

01:45:23.208 --> 01:45:25.847
and we need to get a handle on it.

01:45:25.847 --> 01:45:28.738
Let me go back to your issue of election infrastructure

01:45:28.738 --> 01:45:31.407
because as a number of people have mentioned,

01:45:31.407 --> 01:45:34.913
it has been widely reported that there was cyber intrusion

01:45:34.913 --> 01:45:37.778
into state-level voting infrastructure,

01:45:37.778 --> 01:45:40.695
and it's my understanding that DHS,

01:45:41.605 --> 01:45:45.605
before you got there, was aware of those threats

01:45:45.607 --> 01:45:47.389
well before last year's election,

01:45:47.389 --> 01:45:51.139
but only informed the states in recent months

01:45:51.174 --> 01:45:53.603
as to the nature of the intrusions

01:45:53.603 --> 01:45:55.650
in those specific states.

01:45:55.650 --> 01:45:57.567
Why did it take so long

01:45:57.656 --> 01:46:00.531
to engage with the subject matter experts

01:46:00.531 --> 01:46:04.342
at the state level, and is there a process now in place

01:46:04.342 --> 01:46:06.652
so that we can get those security clearances

01:46:06.652 --> 01:46:09.332
that you mentioned in a timely way,

01:46:09.332 --> 01:46:12.499
so that that conversation can head off

01:46:12.623 --> 01:46:14.873
similar activity next year?

01:46:15.467 --> 01:46:16.794
- Sir, thank you for the question.

01:46:16.794 --> 01:46:20.068
I understand that over the course of the last year or so

01:46:20.068 --> 01:46:23.651
officials in each state that was implicated

01:46:24.904 --> 01:46:26.526
were notified at some level.

01:46:26.526 --> 01:46:29.187
Now as we continue to study the issue

01:46:29.187 --> 01:46:32.187
and got a fuller understanding of how each state

01:46:32.187 --> 01:46:35.939
has perhaps a different arrangement for elections,

01:46:35.939 --> 01:46:38.027
in some cases it's state-local,

01:46:38.027 --> 01:46:39.296
you have a chief election official

01:46:39.296 --> 01:46:40.810
you have a CIO for the state,

01:46:40.810 --> 01:46:42.289
you have a CIO for the networks,

01:46:42.289 --> 01:46:43.991
you have a homeland security adviser.

01:46:43.991 --> 01:46:46.071
As we continue to get our arms around

01:46:46.071 --> 01:46:47.827
the problem in the governance structure

01:46:47.827 --> 01:46:50.236
across the 50 states plus territories,

01:46:50.236 --> 01:46:52.319
we got a better sense of,

01:46:52.368 --> 01:46:55.868
here are the fuller range of notifications

01:46:56.116 --> 01:46:56.966
we need to make,

01:46:56.966 --> 01:47:00.197
so when you think about the notifications of September 22nd,

01:47:00.197 --> 01:47:02.501
that was a truing up perhaps

01:47:02.501 --> 01:47:05.511
of each state opening the aperture, saying,

01:47:05.511 --> 01:47:07.017
"Okay, we let this person know,

01:47:07.017 --> 01:47:08.626
"but we're now letting these additional

01:47:08.626 --> 01:47:10.077
"two or three officials know."

01:47:10.077 --> 01:47:11.984
So I wouldn't characterize it necessarily

01:47:11.984 --> 01:47:13.379
as we just let them know then.

01:47:13.379 --> 01:47:14.793
It was, we broadened the aperture,

01:47:14.793 --> 01:47:16.386
let the responsible officials know,

01:47:16.386 --> 01:47:18.694
and we gave them additional context around

01:47:18.694 --> 01:47:20.375
what may have happened.

01:47:20.375 --> 01:47:22.708
- I'm working on legislation

01:47:22.946 --> 01:47:26.113
and have been working with the people,

01:47:26.702 --> 01:47:29.452
Secretary of State from my state,

01:47:30.215 --> 01:47:32.590
who is obviously involved in the

01:47:32.590 --> 01:47:35.411
National Association of Secretaries of State.

01:47:35.411 --> 01:47:37.193
It's not rocket science.

01:47:37.193 --> 01:47:38.787
I mean it is basically building a

01:47:38.787 --> 01:47:41.787
spreadsheet of who and at what level

01:47:41.831 --> 01:47:45.714
and when we see things happen in a given geographic area,

01:47:45.714 --> 01:47:47.319
you pull out the book and you figure out

01:47:47.319 --> 01:47:49.541
who you need to be talking to,

01:47:49.541 --> 01:47:52.462
and we need to make sure that that is in place.

01:47:52.462 --> 01:47:55.336
- Yes sir, we are actively working that right now.

01:47:55.336 --> 01:47:56.336
- Thank you.

01:47:56.587 --> 01:47:58.449
- [Chair] Senator McCaskill.

01:47:58.449 --> 01:47:59.449
- Thank you.

01:47:59.881 --> 01:48:02.163
To reiterate some of the things I've said previously,

01:48:02.163 --> 01:48:04.996
but the empty chair is outrageous.

01:48:05.352 --> 01:48:06.597
We had a foreign government

01:48:06.597 --> 01:48:09.281
go at the heart of our democracy,

01:48:09.281 --> 01:48:11.986
a foreign government that wants to break the back

01:48:11.986 --> 01:48:14.653
of every democracy in the world,

01:48:16.357 --> 01:48:19.357
and a very smart senator I heard say

01:48:19.868 --> 01:48:21.618
in this hearing room,

01:48:22.822 --> 01:48:24.668
"Who cares who they were going after this time?

01:48:24.668 --> 01:48:27.153
"It'll be somebody else next time,"

01:48:27.153 --> 01:48:31.320
and I'm disgusted that there isn't a representative here

01:48:32.137 --> 01:48:33.969
that can address this.

01:48:33.969 --> 01:48:35.494
I also am worried that there is--

01:48:35.494 --> 01:48:38.676
- Sorry, could I interrupt, Senator,

01:48:38.676 --> 01:48:42.379
and just say that we need to have a meeting of the committee

01:48:42.379 --> 01:48:44.462
and decide on this issue.

01:48:46.092 --> 01:48:48.136
I believe you could interpret this

01:48:48.136 --> 01:48:52.303
as a misinterpretation of the privileges of the president

01:48:53.232 --> 01:48:54.565
to have counsel.

01:48:55.062 --> 01:48:58.836
He's in charge of one of the major challenges,

01:48:58.836 --> 01:49:00.919
major issues of our time,

01:49:00.990 --> 01:49:04.176
and now he's not going to be able to show up

01:49:04.176 --> 01:49:06.735
because he's, quote, "counselor to the president."

01:49:06.735 --> 01:49:09.068
That's not what our role is.

01:49:10.397 --> 01:49:11.557
- That's never...

01:49:11.557 --> 01:49:14.140
I think in any other situation,

01:49:14.306 --> 01:49:16.274
let's take out this president, take out Russia,

01:49:16.274 --> 01:49:19.294
this circumstance would not be allowed to stand

01:49:19.294 --> 01:49:22.544
by the United States Senate, typically.

01:49:22.802 --> 01:49:23.635
- I agree, and I think--

01:49:23.635 --> 01:49:25.250
- And you would know more about that than I would,

01:49:25.250 --> 01:49:26.719
you've been here longer than I have.

01:49:26.719 --> 01:49:28.862
But I just think this is something that we need

01:49:28.862 --> 01:49:31.511
in these times when there's an issue every day

01:49:31.511 --> 01:49:33.329
that is roiling this country,

01:49:33.329 --> 01:49:35.467
we have a tendency to look past things

01:49:35.467 --> 01:49:38.385
that are fundamental to our oversight role

01:49:38.385 --> 01:49:39.237
here in the Senate.

01:49:39.237 --> 01:49:41.227
I'm really glad that the Chairman

01:49:41.227 --> 01:49:43.640
is as engaged as he is on this issue,

01:49:43.640 --> 01:49:45.690
and I look forward to assisting.

01:49:45.690 --> 01:49:49.589
- Well, this should not count against the Senator's time,

01:49:49.589 --> 01:49:51.388
but we are discussing it

01:49:51.388 --> 01:49:54.158
and we'll have a full committee discussion on it.

01:49:54.158 --> 01:49:55.337
I thank the senator.

01:49:55.337 --> 01:49:56.587
- That's great.

01:49:56.748 --> 01:49:58.105
Mr. Krebs I'm also worried

01:49:58.105 --> 01:50:00.633
that we have no nominee for your position,

01:50:00.633 --> 01:50:02.632
so if the White House reviews this testimony,

01:50:02.632 --> 01:50:04.382
I hope they will understand

01:50:04.382 --> 01:50:06.092
that your job is really important.

01:50:06.092 --> 01:50:08.273
I'm not taking sides as to whether or not

01:50:08.273 --> 01:50:10.007
you're doing a good job or a bad job,

01:50:10.007 --> 01:50:12.387
but the point is we don't need the word, acting,

01:50:12.387 --> 01:50:13.220
in front of your name

01:50:13.220 --> 01:50:17.387
for this kind of responsibility in our government.

01:50:17.574 --> 01:50:20.614
Unfortunately, the chairman of the committee

01:50:20.614 --> 01:50:22.716
that I am ranking on, Homeland Security,

01:50:22.716 --> 01:50:25.074
has chosen not to have a hearing,

01:50:25.074 --> 01:50:28.246
believe it or not, on the election interference,

01:50:28.246 --> 01:50:29.744
so this is my shot

01:50:29.744 --> 01:50:31.318
and I'm hoping that the Chairman

01:50:31.318 --> 01:50:33.156
will be a little gentle with me,

01:50:33.156 --> 01:50:34.822
because I haven't had a chance

01:50:34.822 --> 01:50:36.490
to question on some things.

01:50:36.490 --> 01:50:39.490
Why in the world did it take so long

01:50:39.647 --> 01:50:43.730
to notify the states where there had been an attempt

01:50:43.947 --> 01:50:47.447
to enter their systems, their voter files?

01:50:48.624 --> 01:50:50.568
- Again ma'am, as I mentioned earlier,

01:50:50.568 --> 01:50:52.764
at some point over the course of the last year,

01:50:52.764 --> 01:50:54.764
not just September 22nd,

01:50:54.766 --> 01:50:56.119
an appropriate official,

01:50:56.119 --> 01:50:58.185
whether it was the owner of an infrastructure,

01:50:58.185 --> 01:50:59.246
a private sector owner,

01:50:59.246 --> 01:51:01.700
or a local official, state official,

01:51:01.700 --> 01:51:04.867
state secretary, someone was notified.

01:51:05.260 --> 01:51:08.033
- But shouldn't all of the secretaries of state

01:51:08.033 --> 01:51:09.356
have been notified?

01:51:09.356 --> 01:51:12.191
I mean, isn't that just like a, duh!

01:51:12.191 --> 01:51:15.383
- Ma'am, I would agree, I share your concern.

01:51:15.383 --> 01:51:17.158
I think over the course of the last several months

01:51:17.158 --> 01:51:18.922
we've, as I mentioned, had a truing-up

01:51:18.922 --> 01:51:22.889
and we have opened a sort of governance structure

01:51:22.889 --> 01:51:23.895
per each state.

01:51:23.895 --> 01:51:26.386
These are the folks that need to be notified of activity.

01:51:26.386 --> 01:51:27.704
- So, what's the explanation

01:51:27.704 --> 01:51:30.377
for a state being told one day that it had been

01:51:30.377 --> 01:51:32.313
and the next day it hadn't been?

01:51:32.313 --> 01:51:33.462
How did that happen?

01:51:33.462 --> 01:51:35.795
- I understand the confusion

01:51:35.854 --> 01:51:36.687
that may have surrounded

01:51:36.687 --> 01:51:38.630
the notifications of September 22nd.

01:51:38.630 --> 01:51:39.827
I think the way I'd explain that is

01:51:39.827 --> 01:51:41.160
there was additional context

01:51:41.160 --> 01:51:43.456
that was provided to the individual state,

01:51:43.456 --> 01:51:47.343
so in one case perhaps the election system network

01:51:47.343 --> 01:51:51.510
may not have been scanned, targeted, whatever it was.

01:51:51.936 --> 01:51:53.819
It may have been another state system,

01:51:53.819 --> 01:51:56.236
and I would analogize that to

01:51:56.689 --> 01:51:58.406
the bad guy walking down your street,

01:51:58.406 --> 01:52:00.132
checking your neighbor's door

01:52:00.132 --> 01:52:01.997
to see if you had a key to get in,

01:52:01.997 --> 01:52:04.272
if they had a key to get into your house,

01:52:04.272 --> 01:52:05.860
so it's not always that

01:52:05.860 --> 01:52:08.335
they're knocking on the network.

01:52:08.335 --> 01:52:10.098
They may be looking for other ways in

01:52:10.098 --> 01:52:11.974
through other networks or similarities

01:52:11.974 --> 01:52:13.042
with shared services.
- It doesn't change the fact

01:52:13.042 --> 01:52:14.313
that the secretaries of state

01:52:14.313 --> 01:52:16.266
should have immediately been notified

01:52:16.266 --> 01:52:17.795
in every state where there had been

01:52:17.795 --> 01:52:18.989
knocking on a neighbor's door

01:52:18.989 --> 01:52:21.845
or their own door, and the bottom line is,

01:52:21.845 --> 01:52:23.512
the good news is

01:52:23.651 --> 01:52:26.373
we have a disparate system in our state, in our country,

01:52:26.373 --> 01:52:28.828
so it's hard to find one entry point.

01:52:28.828 --> 01:52:31.706
Bad news is, if we don't have clear information

01:52:31.706 --> 01:52:33.868
going out to these secretaries of state,

01:52:33.868 --> 01:52:37.728
then they have no shot of keeping up with the bad guys.

01:52:37.728 --> 01:52:39.050
- That's right, and going forward,

01:52:39.050 --> 01:52:40.351
we have that plan in place.

01:52:40.351 --> 01:52:42.910
We have governance structures, we have notifications,

01:52:42.910 --> 01:52:46.220
as I mentioned earlier, we have security clearance processes

01:52:46.220 --> 01:52:48.415
ongoing for a number of officials,

01:52:48.415 --> 01:52:50.273
and we will get them the information they need

01:52:50.273 --> 01:52:52.267
when they need it and they can act on it.

01:52:52.267 --> 01:52:53.369
'Cause they don't want to take advantage

01:52:53.369 --> 01:52:54.221
of what you're offering,

01:52:54.221 --> 01:52:55.489
which is terrific that you'll come in

01:52:55.489 --> 01:52:56.695
and check their systems,

01:52:56.695 --> 01:52:59.362
no mandate, no hook, no expense.

01:53:00.883 --> 01:53:03.119
I talked to the secretary of state of

01:53:03.119 --> 01:53:04.168
Missouri and he was saying,

01:53:04.168 --> 01:53:06.189
"Listen, they're not even talking to us."

01:53:06.189 --> 01:53:07.970
Now, this was before September,

01:53:07.970 --> 01:53:12.090
but I do think somebody's got to take on the responsibility

01:53:12.090 --> 01:53:15.573
of one-on-one communication with 50 people in the country,

01:53:15.573 --> 01:53:19.179
plus, I don't know who does voting in the territories,

01:53:19.179 --> 01:53:21.512
but as to what is happening,

01:53:22.206 --> 01:53:25.373
what you're doing, what they're doing.

01:53:25.682 --> 01:53:28.599
I'm not really enamored of the idea

01:53:29.411 --> 01:53:31.123
of moving all of this to DoD

01:53:31.123 --> 01:53:32.337
because I think what you guys do

01:53:32.337 --> 01:53:33.771
with the civilian workforce,

01:53:33.771 --> 01:53:36.800
I think there would be some reluctance to participate fully

01:53:36.800 --> 01:53:38.274
if it was directed by DoD,

01:53:38.274 --> 01:53:41.068
but the point the Chairman makes is a valid one.

01:53:41.068 --> 01:53:44.256
If you all don't begin a more seamless operation

01:53:44.256 --> 01:53:46.854
with clear lines of accountability and control,

01:53:46.854 --> 01:53:50.271
we have no shot against this enemy, none.

01:53:50.524 --> 01:53:51.357
And it worries me

01:53:51.357 --> 01:53:54.018
that this has been mishandled so much

01:53:54.018 --> 01:53:57.659
in terms of the communication between the states

01:53:57.659 --> 01:54:00.895
that are responsible for the validity of our elections.

01:54:00.895 --> 01:54:04.912
Let me talk to you briefly about Kapersky, Kaspersky.

01:54:04.912 --> 01:54:07.163
I don't even know how you say it.

01:54:07.163 --> 01:54:09.413
How are you gonna make sure

01:54:09.619 --> 01:54:11.435
it's out of all of our systems?

01:54:11.435 --> 01:54:13.537
- So ma'am, a little over a month ago

01:54:13.537 --> 01:54:16.132
we did issue a binding operational directive

01:54:16.132 --> 01:54:17.303
for federal civilian agencies--

01:54:17.303 --> 01:54:18.136
- Yeah, and everybody gets,

01:54:18.136 --> 01:54:19.802
- We're through the first--
- they get another 90 days

01:54:19.802 --> 01:54:20.635
to be able to get stuff

01:54:20.635 --> 01:54:23.076
because you're giving them a long time.

01:54:23.076 --> 01:54:26.493
- Yes, that is a 90-day process to identify,

01:54:26.783 --> 01:54:28.097
develop plans to remove,

01:54:28.097 --> 01:54:29.396
there may be budgetary implications,

01:54:29.396 --> 01:54:30.291
so we have to work through that,

01:54:30.291 --> 01:54:31.960
and then 30 days to execute.

01:54:31.960 --> 01:54:33.488
We've seen a number of activities

01:54:33.488 --> 01:54:35.379
in the intervening 30-plus days

01:54:35.379 --> 01:54:37.689
of actually people going ahead and taking it off.

01:54:37.689 --> 01:54:39.326
- Let me just ask you,

01:54:39.326 --> 01:54:41.278
do you think if this happened in Russia,

01:54:41.278 --> 01:54:43.293
if they found a system of ours

01:54:43.293 --> 01:54:45.206
that was looking at all of their stuff

01:54:45.206 --> 01:54:46.557
do you think it'd take,

01:54:46.557 --> 01:54:48.058
you think they'd tell their agencies of government

01:54:48.058 --> 01:54:50.558
you have 90 days to remove it?

01:54:50.861 --> 01:54:51.797
- Uh ma'am
- Seriously?

01:54:51.797 --> 01:54:54.094
- I've learned not to predict with the Russians.

01:54:54.094 --> 01:54:55.443
- Well, no, I mean, really,

01:54:55.443 --> 01:54:57.130
but the point I'm trying to make is,

01:54:57.130 --> 01:55:00.317
I mean why don't you say you've got to do it immediately?

01:55:00.317 --> 01:55:03.734
- Ma'am, you can't just rip out a system.

01:55:05.348 --> 01:55:09.114
There are certain vulnerabilities that can be introduced

01:55:09.114 --> 01:55:12.721
by just turning a critical antivirus product off.

01:55:12.721 --> 01:55:16.526
So what we need to do is have a process in place

01:55:16.526 --> 01:55:19.661
that you can replace with something that's effective.

01:55:19.661 --> 01:55:22.817
In the meantime, we're able to put capabilities around

01:55:22.817 --> 01:55:24.335
anything that we do identify,

01:55:24.335 --> 01:55:27.270
to monitor for any sort of traffic,

01:55:27.270 --> 01:55:29.033
- Is the private sector fully aware

01:55:29.033 --> 01:55:31.257
and are our government contractors fully aware

01:55:31.257 --> 01:55:34.590
of the dangers of the Kaspersky systems?

01:55:35.200 --> 01:55:37.602
- Ma'am, we've shared the binding operational directive

01:55:37.602 --> 01:55:38.732
with a number of our partners,

01:55:38.732 --> 01:55:40.816
particularly including state and local partners

01:55:40.816 --> 01:55:43.704
and working with some of our inter-agency partners as well.

01:55:43.704 --> 01:55:45.727
We are sharing risk information.

01:55:45.727 --> 01:55:47.644
- Yeah, is that a little bit like sharing

01:55:47.644 --> 01:55:49.616
with all the appropriate people at the time,

01:55:49.616 --> 01:55:51.430
but not the secretaries of state?

01:55:51.430 --> 01:55:52.631
I mean, I just think that needs to be

01:55:52.631 --> 01:55:54.964
a really big red siren here,

01:55:55.324 --> 01:55:57.688
and what about our government contractors?

01:55:57.688 --> 01:56:01.273
Is the BOD, is it binding on our government contractors?

01:56:01.273 --> 01:56:03.106
- No ma'am, it is not.

01:56:03.344 --> 01:56:04.177
Actually I'm sorry,
- Shouldn't it be?

01:56:04.177 --> 01:56:06.464
- let me follow up on that.
- Shouldn't it be?

01:56:06.464 --> 01:56:07.368
- I should get the specifics.

01:56:07.368 --> 01:56:08.201
It would make sense.

01:56:08.201 --> 01:56:09.271
- Since we have more contractors

01:56:09.271 --> 01:56:10.384
on the ground in Afghanistan

01:56:10.384 --> 01:56:11.482
than we have troops,

01:56:11.482 --> 01:56:12.640
wouldn't you think it'd be important

01:56:12.640 --> 01:56:14.850
that we would get Kaspersky out of their systems?

01:56:14.850 --> 01:56:16.441
- That would be the Department of Defense.

01:56:16.441 --> 01:56:20.391
My authority only extends to federal civilian agencies.

01:56:20.391 --> 01:56:21.346
- Department of Defense,

01:56:21.346 --> 01:56:22.641
have you guys told the contractors

01:56:22.641 --> 01:56:24.391
to get Kaspersky out?

01:56:24.600 --> 01:56:26.288
- We have instructed the removal

01:56:26.288 --> 01:56:29.695
of Kaspersky from all of the DoD information systems.

01:56:29.695 --> 01:56:32.074
I'll follow up specifically on contractors.

01:56:32.074 --> 01:56:33.491
- I'd like an answer on the contractors.

01:56:33.491 --> 01:56:37.241
Thank you, Mr. Chairman, for your indulgence.

01:56:39.474 --> 01:56:41.641
- Thank you, Mr. Chairman.

01:56:42.833 --> 01:56:43.993
Your agency, Mr. Krebs,

01:56:43.993 --> 01:56:45.644
declared that Russian-linked hackers

01:56:45.644 --> 01:56:49.425
targeted voting systems in 21 states this past election.

01:56:49.425 --> 01:56:51.027
Why did it take over a year

01:56:51.027 --> 01:56:55.194
to notify states that their election systems were targeted?

01:56:55.524 --> 01:56:57.524
- Ma'am, as I've stated,

01:56:58.510 --> 01:57:01.589
we notified an official within each state

01:57:01.589 --> 01:57:02.854
that was targeted or scanned.

01:57:02.854 --> 01:57:05.299
In the meantime, we have offered

01:57:05.299 --> 01:57:08.466
a series of services and capabilities,

01:57:08.483 --> 01:57:12.650
including cyber hygiene scans to every state in the Union

01:57:12.693 --> 01:57:13.932
and every Commonwealth.

01:57:13.932 --> 01:57:16.276
So not only did we notify the states,

01:57:16.276 --> 01:57:18.598
granted there was a broader notification

01:57:18.598 --> 01:57:20.765
that we subsequently made,

01:57:21.769 --> 01:57:23.889
but we did make capabilities available

01:57:23.889 --> 01:57:26.075
to all 50 states in common.

01:57:26.075 --> 01:57:28.453
- And are 50 states using the capabilities

01:57:28.453 --> 01:57:29.676
that you offered?

01:57:29.676 --> 01:57:30.895
- I don't have the specific numbers

01:57:30.895 --> 01:57:33.007
of the states that are using ours,

01:57:33.007 --> 01:57:36.590
but we have seen a fairly healthy response.

01:57:37.539 --> 01:57:39.603
- I would like a report on whether all states

01:57:39.603 --> 01:57:43.558
are using the recommended technology that you offer to them,

01:57:43.558 --> 01:57:47.725
because I think we need to have that kind of transparency,

01:57:47.979 --> 01:57:50.992
given what Senator McCain started this hearing with.

01:57:50.992 --> 01:57:51.825
I think it is a national security priority.

01:57:51.825 --> 01:57:52.908
- Yes, ma'am.

01:57:53.340 --> 01:57:54.923
- and if the states

01:57:55.643 --> 01:57:57.154
are not doing their jobs well,

01:57:57.154 --> 01:57:58.525
we need to provide the oversight

01:57:58.525 --> 01:58:02.692
that is necessary to make sure they do do their jobs well.

01:58:04.999 --> 01:58:08.119
Do you believe that making these election cybersecurity

01:58:08.119 --> 01:58:11.119
consultations optimal is sufficient?

01:58:12.613 --> 01:58:14.617
- I'm sorry, making them, oh, optional?

01:58:14.617 --> 01:58:15.450
Optional.

01:58:15.450 --> 01:58:16.283
- [Senator Gillibrand] Excuse me, optional sufficient.

01:58:16.283 --> 01:58:17.529
- You know, fundamentally

01:58:17.529 --> 01:58:19.949
there are some constitutional questions in play here.

01:58:19.949 --> 01:58:21.830
What we do in the meantime is ensure

01:58:21.830 --> 01:58:24.830
that every resource that we have available and out there,

01:58:24.830 --> 01:58:28.251
that the state local governments and election systems

01:58:28.251 --> 01:58:30.501
have the ability to access.

01:58:30.890 --> 01:58:33.933
- I understand that there is a nine-month wait

01:58:33.933 --> 01:58:36.173
for a risk and vulnerability assessment,

01:58:36.173 --> 01:58:37.590
is that accurate?

01:58:38.297 --> 01:58:41.177
- We offer a suite of services from

01:58:41.177 --> 01:58:43.940
remote scanning capability, cyber hygiene scans,

01:58:43.940 --> 01:58:47.706
all the way up to a full-blown vulnerability assessment

01:58:47.706 --> 01:58:48.627
that can sometimes,

01:58:48.627 --> 01:58:50.914
just to execute that vulnerability assessment

01:58:50.914 --> 01:58:53.771
because it's the breadth and depth of the assessment

01:58:53.771 --> 01:58:55.711
can actually take a number of weeks, if not months,

01:58:55.711 --> 01:58:57.872
to conduct that assessment itself.

01:58:57.872 --> 01:59:01.122
So we're in the process of looking into

01:59:01.392 --> 01:59:03.797
whether that nine-month backlog exists

01:59:03.797 --> 01:59:07.344
and how to ensure, again, that in the meantime,

01:59:07.344 --> 01:59:09.708
we can provide every other tool needed

01:59:09.708 --> 01:59:11.917
out to the state and local officials.

01:59:11.917 --> 01:59:13.322
- I guess what I'm trying to get at

01:59:13.322 --> 01:59:15.246
is are we ready for the next election

01:59:15.246 --> 01:59:17.540
and do you believe we are cyber secure

01:59:17.540 --> 01:59:19.057
for the next election?

01:59:19.057 --> 01:59:22.103
- I think there's a lot of work that remains to be done.

01:59:22.103 --> 01:59:24.129
I think we need to, as a country,

01:59:24.129 --> 01:59:26.462
we need to continue ensuring

01:59:27.058 --> 01:59:29.339
that we're doing the basics right,

01:59:29.339 --> 01:59:30.954
and even at the state local levels,

01:59:30.954 --> 01:59:31.845
even the private sector,

01:59:31.845 --> 01:59:34.512
there's still a lot of basic hygiene activities

01:59:34.512 --> 01:59:35.508
that need to be done.

01:59:35.508 --> 01:59:38.110
- I would like a full accounting of what's been done,

01:59:38.110 --> 01:59:40.280
what is yet left to be done,

01:59:40.280 --> 01:59:42.056
and what are your recommendations

01:59:42.056 --> 01:59:44.857
to secure our electoral system by the next election,

01:59:44.857 --> 01:59:47.403
and I'd like it addressed to the entire committee.

01:59:47.403 --> 01:59:49.461
Because we just need to know what's out there,

01:59:49.461 --> 01:59:50.294
what's left.

01:59:50.294 --> 01:59:52.430
Senator Graham and I have a bill

01:59:52.430 --> 01:59:54.989
to have a 9/11 style commission

01:59:54.989 --> 01:59:56.734
to do the deep dive you are doing

01:59:56.734 --> 01:59:58.815
to make recommendations to the Congress

01:59:58.815 --> 02:00:01.931
on the 10 things we must do before the next election,

02:00:01.931 --> 02:00:03.746
and then have the authority to come back to us

02:00:03.746 --> 02:00:05.378
so we can actually implement it,

02:00:05.378 --> 02:00:08.385
because doing it on an ad hoc basis isn't sufficient

02:00:08.385 --> 02:00:11.659
and I'm very worried that because there's no accountability

02:00:11.659 --> 02:00:13.048
and because of the constitutional limitations

02:00:13.048 --> 02:00:14.143
that you mentioned,

02:00:14.143 --> 02:00:16.241
that we are not going to hold these states accountable

02:00:16.241 --> 02:00:18.384
when they haven't done the required work.

02:00:18.384 --> 02:00:21.642
So we at least need to know what have you succeeded in doing,

02:00:21.642 --> 02:00:23.892
what is still left to be done, what are the impediments?

02:00:23.892 --> 02:00:24.975
Is it delays?

02:00:25.092 --> 02:00:27.675
Is it lack of enough expertise?

02:00:28.419 --> 02:00:30.489
Is it a lack of personnel?

02:00:30.489 --> 02:00:31.856
Is it a lack of resources?

02:00:31.856 --> 02:00:34.317
I need to know because I need to fix this problem.

02:00:34.317 --> 02:00:35.150
- Yes, ma'am.

02:00:35.150 --> 02:00:38.218
I'll say that we are making significant progress.

02:00:38.218 --> 02:00:42.063
We have a working relationship, a strong partnership

02:00:42.063 --> 02:00:44.998
with state and local election officials,

02:00:44.998 --> 02:00:49.163
and we are moving forward towards the next elections.

02:00:49.163 --> 02:00:49.996
- Okay.

02:00:49.996 --> 02:00:51.246
Mr. Rapuano,

02:00:52.083 --> 02:00:53.647
in your confirmation here, you said that

02:00:53.647 --> 02:00:55.215
the Russian interference in our election

02:00:55.215 --> 02:00:56.257
is a credible and growing threat,

02:00:56.257 --> 02:00:57.907
and that Russians will continue to interfere

02:00:57.907 --> 02:01:00.595
as long as they view the consequences of their actions

02:01:00.595 --> 02:01:03.529
as less than the benefits they accrue.

02:01:03.529 --> 02:01:05.589
Given the likelihood of continued cyber interference

02:01:05.589 --> 02:01:06.726
in American elections,

02:01:06.726 --> 02:01:09.296
what are the immediate steps that you are going to take

02:01:09.296 --> 02:01:10.668
and that the federal government should take

02:01:10.668 --> 02:01:14.109
to restore the integrity of our elections,

02:01:14.109 --> 02:01:17.178
and I know you answered one of the earlier questions

02:01:17.178 --> 02:01:19.350
with the work we're doing with the National Guard,

02:01:19.350 --> 02:01:21.886
but I know that you are not necessarily doing

02:01:21.886 --> 02:01:24.565
all the training necessary or spending the resources

02:01:24.565 --> 02:01:27.445
to do all the National Guard training consistently

02:01:27.445 --> 02:01:30.195
with other active duty personnel.

02:01:31.229 --> 02:01:33.896
- Senator, we stand at the ready

02:01:34.355 --> 02:01:37.772
in terms of the process that DHS has put into place

02:01:37.772 --> 02:01:39.493
to support all the states

02:01:39.493 --> 02:01:42.865
with regard to the election system vulnerabilities.

02:01:42.865 --> 02:01:45.467
To date, we have not been tasked directly

02:01:45.467 --> 02:01:47.201
to support that effort,

02:01:47.201 --> 02:01:49.697
but we certainly have capabilities

02:01:49.697 --> 02:01:51.434
that we could apply to that.

02:01:51.434 --> 02:01:53.891
- Can I just have your commitment that in the next budget,

02:01:53.891 --> 02:01:55.936
you will include the full amount needed

02:01:55.936 --> 02:01:58.354
for the training of these cyber specialists

02:01:58.354 --> 02:02:00.521
within the National Guard?

02:02:00.643 --> 02:02:03.596
- What I need to do, Senator, is check on the status

02:02:03.596 --> 02:02:05.575
of our current funding for that effort

02:02:05.575 --> 02:02:07.754
and I will get back to you,

02:02:07.754 --> 02:02:09.915
in terms of any deltas.
- Thank you.

02:02:09.915 --> 02:02:11.915
Thank you, Mr. Chairman.

02:02:13.916 --> 02:02:15.671
- Thank you, Mr. Chairman,

02:02:15.671 --> 02:02:17.035
I want to follow up, if I can,

02:02:17.035 --> 02:02:18.666
on these questions about the attacks

02:02:18.666 --> 02:02:20.054
on our voting systems.

02:02:20.054 --> 02:02:23.691
We know that 21 states faced attacks in their networks

02:02:23.691 --> 02:02:27.426
by Russian actors during the run-up to the 2016 election.

02:02:27.426 --> 02:02:28.259
Seems like the Russians

02:02:28.259 --> 02:02:30.108
are pretty happy with those efforts

02:02:30.108 --> 02:02:31.542
and I don't see any reason to believe

02:02:31.542 --> 02:02:33.602
that they won't try again.

02:02:33.602 --> 02:02:34.880
In fact, Mr. Krebs,

02:02:34.880 --> 02:02:36.680
your predecessor at Homeland Security

02:02:36.680 --> 02:02:39.211
recently urged Congress to, quote,

02:02:39.211 --> 02:02:42.813
"have a strong sense of urgency about Russian tampering

02:02:42.813 --> 02:02:44.774
"in the upcoming elections,"

02:02:44.774 --> 02:02:47.175
and I know that Homeland Security designated

02:02:47.175 --> 02:02:50.180
our election system as critical infrastructure

02:02:50.180 --> 02:02:51.431
earlier this year.

02:02:51.431 --> 02:02:54.017
So I'd just like to follow up on the question

02:02:54.017 --> 02:02:56.105
that Senator Gillibrand was asking,

02:02:56.105 --> 02:02:58.855
and what I think I heard you say.

02:02:59.062 --> 02:03:02.812
Are you confident that our nation is prepared

02:03:03.139 --> 02:03:07.233
to fully prevent another round of cyber intrusions

02:03:07.233 --> 02:03:11.400
into our election systems in 2018 or 2020, Mr. Krebs?

02:03:14.783 --> 02:03:18.950
- So, what I would say is that we have structures in place.

02:03:19.136 --> 02:03:20.984
This is not an overnight event.

02:03:20.984 --> 02:03:22.147
We are not going to flip the switch

02:03:22.147 --> 02:03:23.710
and suddenly be a hundred percent secure--

02:03:23.710 --> 02:03:25.131
- [Senator Warren] So we're not there now?

02:03:25.131 --> 02:03:27.364
- We are working towards the goal of securing our

02:03:27.364 --> 02:03:28.783
infrastructure, yes ma'am.
- Okay, it's a simple question

02:03:28.783 --> 02:03:30.063
we're not there now?

02:03:30.063 --> 02:03:31.837
- I believe there's work to be done, yes ma'am.

02:03:31.837 --> 02:03:33.523
- Okay, so we're not there now.

02:03:33.523 --> 02:03:37.029
Can I just ask on maybe some of the specifics?

02:03:37.029 --> 02:03:39.812
Have you done a state-by-state threat assessment

02:03:39.812 --> 02:03:43.979
of the cyber environment leading up to the next election?

02:03:44.005 --> 02:03:45.313
- Are you speaking of

02:03:45.313 --> 02:03:47.699
specific to the election infrastructure or statewide?

02:03:47.699 --> 02:03:49.425
- Election infrastructure.

02:03:49.425 --> 02:03:51.528
- I would have to check on that.

02:03:51.528 --> 02:03:52.945
I don't have deep

02:03:53.221 --> 02:03:54.833
- So you don't know whether or not

02:03:54.833 --> 02:03:57.116
there's been a state-by-state

02:03:57.116 --> 02:03:58.938
threat assessment?
- We have engaged

02:03:58.938 --> 02:04:00.189
every single state.

02:04:00.189 --> 02:04:01.520
We are working with their--

02:04:01.520 --> 02:04:04.222
- But my question is actually more specific,

02:04:04.222 --> 02:04:06.600
a threat assessment for each state

02:04:06.600 --> 02:04:08.268
on their election infrastructure.

02:04:08.268 --> 02:04:09.870
- I would have to get back to you on that.

02:04:09.870 --> 02:04:14.037
- Okay, are there minimum cyber standards in place

02:04:14.360 --> 02:04:16.053
for election systems?

02:04:16.053 --> 02:04:16.948
- We do work with

02:04:16.948 --> 02:04:19.837
the National Institute of Standards and Technology

02:04:19.837 --> 02:04:22.484
and the Election Assistance Commission

02:04:22.484 --> 02:04:24.878
to look at security standards for voting.

02:04:24.878 --> 02:04:26.142
- I understand you work on it.

02:04:26.142 --> 02:04:28.921
My question is, are there minimum cyber standards

02:04:28.921 --> 02:04:29.754
in place?
- There are recommended

02:04:29.754 --> 02:04:30.595
standards, yes ma'am.

02:04:30.595 --> 02:04:32.153
- There are minimum cyber standards?

02:04:32.153 --> 02:04:33.291
- [Mr. Krebs] There are recommended standards, yes ma'am.

02:04:33.291 --> 02:04:34.475
- All right, in place.

02:04:34.475 --> 02:04:36.518
Are there established best practices?

02:04:36.518 --> 02:04:37.667
- I believe there are best practices.

02:04:37.667 --> 02:04:39.568
- Okay, and those are in place,

02:04:39.568 --> 02:04:42.651
and any plans for substantial support

02:04:43.121 --> 02:04:46.704
for states to upgrade their cyber defenses?

02:04:47.306 --> 02:04:49.705
- If you're talking about investments,

02:04:49.705 --> 02:04:51.526
- [Senator Warren] I am.

02:04:51.526 --> 02:04:54.443
- Okay, that's a different question

02:04:54.474 --> 02:04:56.993
that I think that we need to have a conversation

02:04:56.993 --> 02:04:58.926
between the Executive Branch and Congress

02:04:58.926 --> 02:04:59.759
about how--

02:04:59.759 --> 02:05:01.424
- [Senator Warren] Is that a no?

02:05:01.424 --> 02:05:03.307
- At this point, I do not personally

02:05:03.307 --> 02:05:05.474
have the funds to assist--

02:05:05.747 --> 02:05:07.164
- So that's a no.

02:05:07.544 --> 02:05:10.749
- That is a resourcing to states that are grant programs

02:05:10.749 --> 02:05:12.136
that we can put in place perhaps

02:05:12.136 --> 02:05:13.750
to improve capabilities.
- So you not only

02:05:13.750 --> 02:05:15.801
don't have the money to do it,

02:05:15.801 --> 02:05:17.128
do you have any plans?

02:05:17.128 --> 02:05:18.650
I'll ask the question again.

02:05:18.650 --> 02:05:20.968
For substantial support for states

02:05:20.968 --> 02:05:22.425
to upgrade their cyber defenses,

02:05:22.425 --> 02:05:24.180
do you have plans in place?

02:05:24.180 --> 02:05:25.068
- We're exploring our options, yes.

02:05:25.068 --> 02:05:25.901
- [Senator Warren] So the answer is no,

02:05:25.901 --> 02:05:28.163
you do not have them in place.

02:05:28.163 --> 02:05:29.787
- We are working on plans, yes ma'am.

02:05:29.787 --> 02:05:31.514
We're assessing what they need.

02:05:31.514 --> 02:05:33.514
- Yes, the answer is no?

02:05:34.763 --> 02:05:37.013
Okay, um look, I understand

02:05:38.121 --> 02:05:39.038
that states

02:05:39.055 --> 02:05:41.806
have the responsibility for their own elections

02:05:41.806 --> 02:05:44.633
and also that states run our federal elections

02:05:44.633 --> 02:05:47.311
but I don't think anybody in this room thinks

02:05:47.311 --> 02:05:49.240
that the Commonwealth of Massachusetts

02:05:49.240 --> 02:05:51.823
or the City of Omaha, Nebraska,

02:05:51.877 --> 02:05:55.637
should be left by themselves to defend against

02:05:55.637 --> 02:05:59.304
a sophisticated cyber adversary like Russia.

02:05:59.359 --> 02:06:01.587
If the Russians were poisoning water

02:06:01.587 --> 02:06:05.754
or setting off bombs in any state or town in America,

02:06:06.581 --> 02:06:09.082
we would put our full national power

02:06:09.082 --> 02:06:12.442
into protecting ourselves and fighting back.

02:06:12.442 --> 02:06:14.508
The Russians have attacked our democracy

02:06:14.508 --> 02:06:16.545
and I think we need to step up our response,

02:06:16.545 --> 02:06:18.649
and I think we need to do it fast.

02:06:18.649 --> 02:06:20.649
Thank you, Mr. Chairman.

02:06:23.110 --> 02:06:23.986
- Thank you, Mr. Chairman,

02:06:23.986 --> 02:06:25.771
and thank you to our witnesses

02:06:25.771 --> 02:06:26.904
for your testimony today.

02:06:26.904 --> 02:06:29.642
I think I would concur with all of my colleagues up here

02:06:29.642 --> 02:06:32.347
that the number one national security threat we face

02:06:32.347 --> 02:06:35.097
as a country is the cyber threat.

02:06:35.317 --> 02:06:37.319
It's one we have to be laser-focused on

02:06:37.319 --> 02:06:39.248
and I will concur with the chairman and others

02:06:39.248 --> 02:06:41.781
who are very frustrated and troubled by the fact

02:06:41.781 --> 02:06:43.945
it doesn't seem like we have a comprehensive strategy,

02:06:43.945 --> 02:06:45.643
we don't have a plan to deal with this

02:06:45.643 --> 02:06:47.269
in a comprehensive way,

02:06:47.269 --> 02:06:49.888
integrating both state and local officials

02:06:49.888 --> 02:06:52.354
with federal officials, as well as the business sector

02:06:52.354 --> 02:06:54.629
which is under constant attack,

02:06:54.629 --> 02:06:56.673
and we know the risk is not just military,

02:06:56.673 --> 02:06:59.193
it's not just the elections, as significant as that is,

02:06:59.193 --> 02:07:01.849
because it goes to the core of our democracy,

02:07:01.849 --> 02:07:05.038
but significant attacks against our economic security

02:07:05.038 --> 02:07:07.539
which also goes to the core of our civilization

02:07:07.539 --> 02:07:09.329
and we have just been hit

02:07:09.329 --> 02:07:12.995
with an absolutely incredible hack with Equifax

02:07:12.995 --> 02:07:14.749
that basically has taken now,

02:07:14.749 --> 02:07:16.397
some actor out there has taken

02:07:16.397 --> 02:07:18.911
the most private information necessary

02:07:18.911 --> 02:07:21.407
to open up accounts and to take somebody's identity

02:07:21.407 --> 02:07:23.176
and you're talking about hundreds of,

02:07:23.176 --> 02:07:25.172
or over a hundred million people in this country.

02:07:25.172 --> 02:07:28.521
I can't think of a worse type of cyber attack.

02:07:28.521 --> 02:07:31.560
So, Mr. Smith, my question to you is,

02:07:31.560 --> 02:07:33.354
do you think that we will be able to determine

02:07:33.354 --> 02:07:36.187
who was responsible for that hack?

02:07:37.015 --> 02:07:37.848
- Yes.

02:07:38.607 --> 02:07:41.565
- [Senator Peters] When will we be able to do that?

02:07:41.565 --> 02:07:43.172
- I wouldn't want to put a specific timeframe.

02:07:43.172 --> 02:07:45.018
- [Senator Peters] Yeah, generally?

02:07:45.018 --> 02:07:46.518
- Generally, um...

02:07:50.089 --> 02:07:52.839
within maybe six or eight months,

02:07:53.083 --> 02:07:55.000
that's on the far side.

02:07:55.107 --> 02:07:56.893
- So hopefully within less than that time

02:07:56.893 --> 02:07:57.726
to be able

02:07:57.726 --> 02:07:58.584
so we'll be able to identify?

02:07:58.584 --> 02:08:00.291
I know attribution is always very difficult.

02:08:00.291 --> 02:08:02.039
Do you believe that we'll be able to identify

02:08:02.039 --> 02:08:03.706
who was responsible?

02:08:03.909 --> 02:08:05.004
And then second,

02:08:05.004 --> 02:08:07.171
do we have the tools to effectively punish

02:08:07.171 --> 02:08:11.171
those individuals or whoever that entity may be?

02:08:12.592 --> 02:08:14.311
- Those are...
- Two separate questions.

02:08:14.311 --> 02:08:16.987
- Correct, and two separate issues.

02:08:16.987 --> 02:08:19.173
First on the attribution point,

02:08:19.173 --> 02:08:22.006
to get it to a certain destination

02:08:22.405 --> 02:08:25.322
is easier than the second question,

02:08:26.670 --> 02:08:29.191
which is imposing significant consequences

02:08:29.191 --> 02:08:32.024
on an individual or on a specific,

02:08:32.603 --> 02:08:36.235
if it becomes nation state or associate like that.

02:08:36.235 --> 02:08:38.340
As you've seen recently though,

02:08:38.340 --> 02:08:40.423
with the Yahoo compromise

02:08:41.805 --> 02:08:44.722
where we have seen a blended threat

02:08:44.977 --> 02:08:48.105
targeting our businesses and our country

02:08:48.105 --> 02:08:49.940
where you have criminal hackers working

02:08:49.940 --> 02:08:54.107
at the direction of Russian intelligence officers,

02:08:54.881 --> 02:08:58.548
so that's where I become a little more vague

02:08:59.375 --> 02:09:01.708
as to my answer on specific,

02:09:02.381 --> 02:09:04.617
would we be able to impose consequences.

02:09:04.617 --> 02:09:05.844
- Which is a significant problem

02:09:05.844 --> 02:09:07.235
that you can't answer that, I would think,

02:09:07.235 --> 02:09:09.049
not to you personally, that you can't answer it,

02:09:09.049 --> 02:09:10.673
but that we don't have a plan,

02:09:10.673 --> 02:09:12.312
we don't have a deterrence plan that says

02:09:12.312 --> 02:09:15.007
if you do this, these are the consequences for you

02:09:15.007 --> 02:09:16.641
and they will be significant,

02:09:16.641 --> 02:09:20.390
particularly if there's a state actor associated with it.

02:09:20.390 --> 02:09:23.849
Now, I know Mr. Rapuano, you mentioned the line

02:09:23.849 --> 02:09:25.387
"We don't want to actually put a line somewhere,

02:09:25.387 --> 02:09:28.548
"because everybody will work up to that line."

02:09:28.548 --> 02:09:29.596
I think we have a problem now,

02:09:29.596 --> 02:09:31.411
as we have zero lines right now,

02:09:31.411 --> 02:09:34.336
so it's like the Wild West out there.

02:09:34.336 --> 02:09:37.309
But would you concur that if a state actor,

02:09:37.309 --> 02:09:40.905
hypothetically, a state actor was behind an Equifax breach

02:09:40.905 --> 02:09:43.632
that compromised the most personal financial information

02:09:43.632 --> 02:09:46.132
of over 100 million Americans,

02:09:46.795 --> 02:09:50.962
would that be over any kind of line that you could see?

02:09:51.099 --> 02:09:52.794
- Sir, I think that the process

02:09:52.794 --> 02:09:54.530
that we have in play right now,

02:09:54.530 --> 02:09:56.349
in terms of all the reports being submitted

02:09:56.349 --> 02:09:58.746
in response to the executive order

02:09:58.746 --> 02:10:00.998
looking at how we protect critical infrastructure

02:10:00.998 --> 02:10:03.469
modernizing IT, developing the workforce,

02:10:03.469 --> 02:10:05.232
developing deterrence options,

02:10:05.232 --> 02:10:07.132
looking across the suite of issues,

02:10:07.132 --> 02:10:08.351
what are our capabilities,

02:10:08.351 --> 02:10:09.622
what are our vulnerabilities,

02:10:09.622 --> 02:10:11.801
what are the implications of adversaries

02:10:11.801 --> 02:10:14.316
that are exploiting those vulnerabilities,

02:10:14.316 --> 02:10:16.899
that helps inform that doctrine

02:10:16.982 --> 02:10:20.025
and that also helps inform an understanding

02:10:20.025 --> 02:10:24.192
of how to best establish what those thresholds are,

02:10:24.532 --> 02:10:26.530
those deterrence thresholds.

02:10:26.530 --> 02:10:29.331
Well, what may be too specific to be useful,

02:10:29.331 --> 02:10:32.277
but what is too vague to be useful as well.

02:10:32.277 --> 02:10:35.360
We're on the path to developing that.

02:10:35.400 --> 02:10:36.482
- Well, having said that,

02:10:36.482 --> 02:10:37.740
I think it's a straightforward question.

02:10:37.740 --> 02:10:40.138
Someone who hacks in and steals information

02:10:40.138 --> 02:10:42.017
from over a hundred million Americans

02:10:42.017 --> 02:10:44.507
and something that compromises their potential identity

02:10:44.507 --> 02:10:46.496
for the rest of their lives,

02:10:46.496 --> 02:10:47.866
I would hope the directive would say that

02:10:47.866 --> 02:10:50.561
that's well over any kind of line.

02:10:50.561 --> 02:10:53.907
- Right, it certainly warrants a consequence, absolutely.

02:10:53.907 --> 02:10:55.270
Is it an act of war?

02:10:55.270 --> 02:10:58.270
I think that's a different question,

02:10:58.299 --> 02:10:59.990
and I think there are a number of variables

02:10:59.990 --> 02:11:03.543
that go into that and there would be more details

02:11:03.543 --> 02:11:05.964
that we would be looking at in terms of understanding

02:11:05.964 --> 02:11:08.188
what the actual impact is, who the actor is,

02:11:08.188 --> 02:11:12.271
what's our quality and confidence in attribution.

02:11:13.162 --> 02:11:16.096
- Mr. Krebs, you answered some questions

02:11:16.096 --> 02:11:17.645
related to Kaspersky

02:11:17.645 --> 02:11:19.852
and taking out that software

02:11:19.852 --> 02:11:23.187
from the machines of the federal government,

02:11:23.187 --> 02:11:24.106
United States government,

02:11:24.106 --> 02:11:27.689
because of the risk that is inherent there.

02:11:28.122 --> 02:11:29.642
If the risk is there for the U.S. government,

02:11:29.642 --> 02:11:32.218
isn't it risky for the average citizen as well,

02:11:32.218 --> 02:11:34.814
to have this software on their computers?

02:11:34.814 --> 02:11:36.339
So when we have millions of Americans

02:11:36.339 --> 02:11:39.050
that have the software and potentially access

02:11:39.050 --> 02:11:41.626
to their personal information on that computer,

02:11:41.626 --> 02:11:43.953
isn't that a significant security risk

02:11:43.953 --> 02:11:46.808
that we should alert the public to?

02:11:46.808 --> 02:11:48.980
- So risk, risk of course is relative,

02:11:48.980 --> 02:11:49.813
the Department of Homeland Security

02:11:49.813 --> 02:11:53.127
made a risk assessment for the civilian agencies

02:11:53.127 --> 02:11:55.377
that we were not willing to

02:11:57.945 --> 02:11:59.940
have these products installed across our networks.

02:11:59.940 --> 02:12:02.427
I think that's a pretty strong signal

02:12:02.427 --> 02:12:04.211
of what our risk assessment was

02:12:04.211 --> 02:12:05.865
and we had shared information

02:12:05.865 --> 02:12:08.434
across the critical infrastructure community

02:12:08.434 --> 02:12:11.078
and state locals on that decision.

02:12:11.078 --> 02:12:12.698
- So you say that's an indication

02:12:12.698 --> 02:12:14.438
of the seriousness of the problem

02:12:14.438 --> 02:12:16.290
so should the average citizen

02:12:16.290 --> 02:12:19.199
also take this software off their system?

02:12:19.199 --> 02:12:20.972
- I think the average citizen needs to make

02:12:20.972 --> 02:12:23.102
their own risk-informed decision.

02:12:23.102 --> 02:12:25.187
Again, the federal government has made the decision

02:12:25.187 --> 02:12:27.775
that this is an unacceptable risk position

02:12:27.775 --> 02:12:31.247
and we are instructing agencies to remove if present.

02:12:31.247 --> 02:12:32.237
- Right, thank you so much.

02:12:32.237 --> 02:12:34.154
- [Mr. Krebs] Thank you.

02:12:35.360 --> 02:12:36.627
- Thank you very much, Mr. Chairman.

02:12:36.627 --> 02:12:38.788
Just quickly, Mr. Rapuano,

02:12:38.788 --> 02:12:42.461
and following up on Senator Peters' line of questioning.

02:12:42.461 --> 02:12:46.294
Is Cyber Command prepared to engage and defeat

02:12:47.735 --> 02:12:51.902
an attack on critical infrastructure in the United States?

02:12:54.075 --> 02:12:56.126
I know there's an issue here of what's the trigger,

02:12:56.126 --> 02:12:58.531
but are they prepared to do that right now?

02:12:58.531 --> 02:13:02.698
- So Cyber Command is developing a suite of capabilities

02:13:03.760 --> 02:13:06.658
against a variety of targets that are,

02:13:06.658 --> 02:13:09.741
yes, it is inclusive of responding to

02:13:11.308 --> 02:13:14.558
attack on U.S. critical infrastructure.

02:13:14.861 --> 02:13:16.047
- And so the question is,

02:13:16.047 --> 02:13:18.464
and Senator Peters raised it,

02:13:18.725 --> 02:13:20.786
is what is the, for want of a better term,

02:13:20.786 --> 02:13:24.286
the trigger, and you suggested act of war,

02:13:26.003 --> 02:13:29.710
so we're still on sort of the definitional phase

02:13:29.710 --> 02:13:32.233
of trying to figure out what would prompt this.

02:13:32.233 --> 02:13:34.451
We have the capability but the question is

02:13:34.451 --> 02:13:37.442
under what circumstance do we use it, is that fair?

02:13:37.442 --> 02:13:38.900
- That is fair, absolutely.

02:13:38.900 --> 02:13:40.230
- [Ranking Member Reed] Thank you.

02:13:40.230 --> 02:13:41.673
- I want to thank the witnesses

02:13:41.673 --> 02:13:42.506
and I want to thank you

02:13:42.506 --> 02:13:46.339
for the hard work you're doing and your candor

02:13:48.016 --> 02:13:50.363
in helping this committee understand

02:13:50.363 --> 02:13:52.196
many of the challenges

02:13:52.926 --> 02:13:56.593
and I must say, I appreciate your great work

02:13:57.007 --> 02:13:59.090
on behalf of the country,

02:13:59.194 --> 02:14:01.444
but I can go back 4 years ago,

02:14:01.689 --> 02:14:03.072
I can back two years ago,

02:14:03.072 --> 02:14:04.947
I can back one year ago,

02:14:04.947 --> 02:14:06.864
I get the same answers.

02:14:08.057 --> 02:14:10.425
We put into the Defense Authorization bill

02:14:10.425 --> 02:14:13.675
a requirement that there be a strategy,

02:14:13.834 --> 02:14:15.322
followed by a policy,

02:14:15.322 --> 02:14:16.905
followed by action.

02:14:17.798 --> 02:14:20.396
We have now four months late a report

02:14:20.396 --> 02:14:23.063
that's due before the committee.

02:14:23.093 --> 02:14:25.426
We have our responsibilities

02:14:25.742 --> 02:14:27.722
and we're going to carry them out.

02:14:27.722 --> 02:14:31.889
We have authorities that I don't particularly want to use

02:14:32.830 --> 02:14:36.447
but unless we are allowed to carry out our responsibilities

02:14:36.447 --> 02:14:39.030
to our voters who sent us here,

02:14:39.085 --> 02:14:43.252
then we're going to have to demand a better cooperation

02:14:43.796 --> 02:14:46.841
and a better teamwork than we're getting now.

02:14:46.841 --> 02:14:49.591
And again, I appreciate very much

02:14:50.449 --> 02:14:53.532
the incredible service that you three

02:14:54.017 --> 02:14:56.298
have provided to the country

02:14:56.298 --> 02:14:59.041
and I'm certainly not blaming you

02:14:59.041 --> 02:15:03.124
for not being able to articulate to us a strategy

02:15:03.671 --> 02:15:06.421
which is not your responsibility.

02:15:07.412 --> 02:15:09.829
The implementation of actions

02:15:11.046 --> 02:15:14.713
dictated by the strategy obviously is yours,

02:15:14.799 --> 02:15:17.716
so when we see the person in charge

02:15:18.425 --> 02:15:20.758
at an empty seat here today,

02:15:21.357 --> 02:15:24.274
then we are going to have to react.

02:15:25.947 --> 02:15:27.901
The committee is going to have to get together

02:15:27.901 --> 02:15:31.071
and decide whether we're going to sit by and watch

02:15:31.071 --> 02:15:35.238
the person in charge not appear before this committee,

02:15:36.084 --> 02:15:38.251
that's not constitutional.

02:15:40.817 --> 02:15:43.815
We are co-equal branches of government,

02:15:43.815 --> 02:15:46.926
so I want to make sure that you understand

02:15:46.926 --> 02:15:50.255
that every member of this committee appreciates

02:15:50.255 --> 02:15:53.255
your hard, dedicated, patriotic work

02:15:54.194 --> 02:15:56.533
and what you're dealing with and

02:15:56.533 --> 02:15:58.383
doing the best that you can

02:15:58.383 --> 02:16:00.570
with the hand you're dealt,

02:16:00.570 --> 02:16:03.541
and this hearing has been very helpful to us

02:16:03.541 --> 02:16:05.124
in assembling that,

02:16:06.949 --> 02:16:08.962
not assembling, but being informed

02:16:08.962 --> 02:16:13.129
as to one of the major threats to America's security,

02:16:13.860 --> 02:16:15.451
and I thank you for that.

02:16:15.451 --> 02:16:19.169
I thank you for your honest and patriotic work,

02:16:19.169 --> 02:16:21.836
but we are going to get to this,

02:16:22.181 --> 02:16:26.348
because of the risk to our very fundamentals of democracy,

02:16:26.718 --> 02:16:29.831
among which are free and fair elections.

02:16:29.831 --> 02:16:33.837
So, is there anything that the senator from Maine

02:16:33.837 --> 02:16:36.007
would like to editorialize?

02:16:36.007 --> 02:16:39.674
He usually likes to editorialize my remarks.

02:16:43.452 --> 02:16:44.285
- My mind is racing,

02:16:44.285 --> 02:16:46.148
but I think prudence dictates.

02:16:46.148 --> 02:16:46.981
(chuckling)

02:16:46.981 --> 02:16:48.683
No response, Mr. Chair.

02:16:48.683 --> 02:16:50.800
- [Chair McCain] I thank the witnesses for your cooperation.

02:16:50.800 --> 02:16:53.338
I thank you for your service to the country.

02:16:53.338 --> 02:16:55.505
This hearing is adjourned.

