Mr. Chairman, Ranking Members and Members of the Subcommittee, it's an honor to speak at this important discussion today designed to reboot the cybersecurity conversation. This shift is direly needed as there is perhaps no national security problem more 21st century in its definition and form than cybersecurity, and yet to solve it, too much of our discussion and strategy remains rooted in 20th century frameworks that don't well apply. I've submitted written testimony that breaks down the issue and what we can do about it. This is on the debate over digital acts of war and explains in detail how there are seven key differences with the Cold War that make framing this problem in the old modes not ideal. It then provides a suggested new legislative strategy to face our challenge, breaking it down into key areas I'll focus on today. Notably, the strategy is nonpartisan, realistic in its implementation possibilities, and doesn't involve any massive increase in budget. The first key part of the strategy is deter through diversity. This includes improving our offensive cyber capability, but importantly understanding that cyber weapons are not like WMD. They are tools of constant use in everything from espionage to ongoing operations against ISIS. Our real challenge here is more in integrating emerging cyber capabilities with our other conventional capabilities through improving training, doctrine building, resolving command and control questions. But as we face an array of attacks and attackers, a military offensive cyber response is not the only tool that we have to change their calculations. For instance, to respond to IP theft, it makes no sense to limit ourselves to retaliation with the exact same action in the same domain. We can also go after other assets that are valued by the attacker in other realms and even those valued by influential third-party actors, such as sanctioning companies benefiting from stolen fruit.
Indictments of individuals involved in hacking have value not so much in actual direct judicial punishment, but as a different means for surfacing data about attribution. Creativity and flexibility will beat simplicity in this dynamic. Indeed, we may even steal ideas from one attacker's playbook and apply them against another as a deterrence tool. From Snowden to Sony, data dumps have been among our most vexing cybersecurity incidents, but they have not threatened our core national interests. By contrast, threatening to reveal the private financial data of an authoritarian regime's leader, his family or allied oligarchs may be far more potent than a counter cyber strike. We can sometimes see what regimes fear most by what they ban discussion of. The second and arguably most important part of the strategy is deterrence by denial, making attacks less likely to cause harm and thus less likely to happen. The magic word of resilience is that it works against any kind of attacker and attack and is perhaps where Congress and this committee can have the most impact. The areas I call out for action cover the spectrum. On the military side, we have spent over $2 billion on construction alone at Fort Meade, and yet the Pentagon's own weapons tester found, quote, significant vulnerabilities, end quote, in nearly every major weapons system program that would be exploited in any actual war. In the executive branch, the White House has issued a post-OPM cybersecurity strategy that describes best practices every federal agency needs to put into place. Ensuring their actual implementation at every federal government agency and encouraging their spread to the state and local level could be one of the most important things that Congress does on cybersecurity.
In relation to the business and public, sometimes government can be a trusted information provider, and sometimes it must go further to help shape individual and market incentives as it has in realms that range from public health to transportation. The government should not merely support research on basic standards of Internet security, such as the laudable NIST process, but now work to ensure their use. It can do so by efforts to spur the nascent cybersecurity insurance market that both protects business and incentivizes them to find and maintain best practices. True cybersecurity resilience is not just about computer and legal code, it's also about people, and we have a huge people gap here. The administration has a new cybersecurity human resources strategy, but needs to, one, be overseen to ensure actual implementation, particularly across administrations, and two, it will fail if it only puts new people in old organizational boxes. We also have to find ways to tap talent outside of government. Take the Pentagon's recent one-month experiment with bug bounties. It saved millions of dollars, yielded 1,100 reports on how to protect our systems before the bad guys could attack them, and it talent scouted across the U.S. One of the hackers working for us was an 18-year-old who did it in his spare time while taking his AP exams. Yet there is not a parallel at other federal agencies nor at our state and local partners. Or consider that we have retasked a number of National Guard units to become cyber warriors, but there is a wealth of talent that is either unwilling or unable to meet the legal and physical obligations that come with joining the U.S. military. I would point to Estonia's Cyber Defense League as a model to draw on.
Think of it as the cybersecurity equivalent to the Civil Air Patrol, creating a mechanism for citizens to volunteer their expertise for cybersecurity to aid for free in everything from red teaming to serving as rapid response teams to cyber attack. They've helped Estonia become one of the most cyber resilient nations in the world. The third realm of the strategy, I won't hit. It's norms; it's in the submission. I think it's been covered well here. I would end just simply by saying we can either approach this topic with a new strategy that faces our new needs, or we can continue to talk tough and simple and be victims. Thank you.