Committee will come to order. Committee meets today to explore cyber warfare in the 21st century, threats, challenges, and opportunities. Needless to say, it's a big, complex topic that is at the heart of much of American national security today, and will be even more so in the future. One of those internet quotes attributed to Albert Einstein says, "given one hour to save the planet, I would spend 55 minutes understanding the problem and five minutes resolving it." Well, whether Einstein really said something like that or not, I think the point rings true that much of our challenge in cyber is understanding the problem. As we've seen in recent years, cyber is being used by both nation-states and non-state actors in ways that challenge our traditional notions of what is war. It is being used to destroy, to steal, and to influence. Cyber is a domain of warfare in itself, but its technologies also undergird most all of our defense efforts. It helps make us the strongest military in the world, and it also presents a vulnerability which adversaries are looking to exploit. And what's true for our military is also true for our society. Those technologies offer great opportunity but are also a vulnerability that must be defended. And when it comes to things that must be defended, we often turn to the United States military. I'm very grateful to all the members who came back to Washington early this week to spend our yearly retreat at Fort Meade focusing on this issue. Our witnesses today will also help us advance our thinking and hopefully help lead us to find the right questions so that we can work together to find the right answers. I'd yield to the ranking member for any comments he'd like to make.

Thank you, Mr. Chairman. I appreciate you holding this hearing on this very important topic. And it's one that I guess we're probably going to spend more than 55 minutes trying to figure out the problem. Unfortunately, it's very complicated.
The first thing we have to figure out is how best and better to protect our networks, both within government and those private sector groups that we come into contact with the government. We have that problem on the Armed Services Committee with a lot of the defense contractors that have sensitive information within their cyber domain that we have to figure out how to protect. And we still don't really have a comprehensive strategy for how to do that. That's part of the problem. And then the other part is as cyber is increasingly used for active warfare, what is our policy on that? If we are attacked through cyber, what is an appropriate response? We saw that with the Russian attacks on the DNC. The President responded, it took a long time because we really don't have a set policy on what is a proportional and appropriate response to a given cyber attack, which we need to figure out. And then lastly, how do we use it as an offensive weapon? Certainly our enemies are using it. ISIS is using it very effectively to spread their message and recruit. And we've seen Russia use it in a variety of different formats. We have suspicions of others using it as well. What should we do from an offensive standpoint to use cyber to cause problems for our enemies and advance our interests? So those are the three questions I'm most interested in learning more about. I apologize, I actually have to leave early from this hearing, but certainly I will study the remarks of our witnesses. And I know the panel will benefit from the discussion. I thank the chairman for holding this hearing and I yield back.

Thank the gentleman. Again, let me thank each of our witnesses for taking the time to be here. We have Dr. Peter Singer, strategist and senior fellow at New America Foundation, among other things, author of Wired for War and Ghost Fleet, Dr. Martin Libicki, professor of U.S. Naval Academy and adjunct management scientist at the Rand Corporation, and Mr.
Jay Healy, non-resident senior fellow cyber statecraft initiative at the Atlantic Council. Thank you all for being here. Without objection, your full written statement will be made part of the record and we'd be pleased to hear any oral comments you'd like to make at this point. Dr. Singer, we'll start with you.

Chairman Thornberry and ranking member Smith, members of the committee, it's an honor to speak at this important discussion today designed to reboot the cybersecurity conversation. It's all the more needed as the United States was recently the victim of what was arguably the most important cyber attack campaign in history. Hackers reported as working on behalf of the Russian government have attacked a wide variety of American citizens and institutions. They include political organizations of both parties, the Republican National Committee and the Democrat National Committee, as well as prominent Democrat and Republican leaders, as well as civil society groups like various American universities and academic research programs. These attacks started years back, but have continued after the 2016 election. They've been reported as hitting clearly government sites like the Pentagon's email system, as well as clearly private networks like US banks. They've also been reported as targeting a wide variety of American allies, ranging from government, military and civilian targets and states that range from Norway to the United Kingdom, as well as now trying to influence upcoming elections in Germany, France and the Netherlands. While Vladimir Putin has denied the existence of this campaign, its activities have been identified by groups that include all the different agencies of the US intelligence community, the FBI, and in statements by both the prior and present US president. This campaign has also been well established by the marketplace, five different well-regarded cybersecurity firms have identified it.
This campaign is not a cyber war of the kind that's often envisioned, with power grids going down and fiery cyber Pearl Harbors. Instead, it's a competition more akin to the Cold War's pre-digital battles that crossed influence operations with espionage and subversion. However, while Russia's attacks are the most notable events in cybersecurity in the last year, unlike in the Cold War, our strategy must recognize they are only one aspect of a larger threat landscape. In cyberspace, the malevolent actors presently engaged in attacks on US persons and institutions range from criminals who are stealing personal information or holding ransom valuable corporate data, although here too, there is a prominent Russian link with reportedly 75% of ransomware coming from Russian speaking parts of the online criminal underground, to governments like China, which have been accused of large-scale intellectual property theft, as well as breaking into government databases like the OPM and a cyber version of traditional espionage. And finally, our strategy must face that all of this ongoing activity must account for the risk of an actual cyber war, the activities that would occur in outright conflict, including cyber attacks to cause physical damage. So what can be done to defend America in this challenging realm? In my written testimony, I submitted a series of 30 actions that can be taken by the Congress to raise cybersecurity, notably in reflecting the nature of this nonpartisan realm, the overall strategy, and each of the proposed 30 measures are designed to be amenable to and implementable by the leaders of both parties. I've submitted the strategy for the record, which I hope will be a useful resource to you and your staff in your important work ahead. Rather than restating in detail, I would note that it involves three core elements.
First, activities that can be taken to restore deterrence from making key new investments in training, cutting-edge technology like artificial intelligence and organizational changes in our Defense Department approach, including disentangling CYBERCOM and the NSA, to utilizing all our tools of power to better influence current and future adversary thinking in the wake of Russia's attack, most especially by turning sanctions into law and strengthening them. Second, actions to raise resilience, our ability to shake off attacks and thus create what is known as deterrence by denial, where we are not only better protected, but adversaries gain less and are thus less incentivized to attack. Importantly, a strategic effort to raise U.S. resilience would be a useful investment against any type of attack or attacker. The steps that can be taken by Congress here range from measures to better utilize Pentagon buying power to oversight on the implementation of industry best practices into government. They also include innovative means to deal with our cybersecurity human resource challenge from supporting better pipelines into government and the military and better organizing the wealth of talent that lies outside of government and the military reserves, such as through the creation of a program akin to Estonia's world-respected approaches to societal resilience. The final track looks at the broader challenge we face in a world of social media and online influence operations. Here too, there are a range of suggested congressional actions including enhancing cybersecurity information sharing among likely U.S. political targets, raising the ability of U.S. military to better utilize social media and integrate it into our own training environments and supporting the recreation of the Active Measures Working Group, an interagency Cold War program designed to debunk foreign propaganda and limit the impact of lies spread by what the Soviets aptly called useful idiots.
In conclusion, we must recognize that for as long as we use the Internet, adversaries like Putin's Russia and many others will seek to exploit this technology and our dependence on it in realms that range from politics to business to warfare itself. In response, the United States can build a new set of approaches to deliver true cybersecurity aiming to better protect ourselves while reshaping adversary attitudes and options or we can continue to be a victim. Thank you.

Thank you. Dr. Libicki.

Good morning, Chairman Thornberry, Ranking Member Smith and the distinguished members of the committee. My name is Martin Libicki, the Mary Ellen and Richard Kaiser Chair of Cybersecurity Studies at the Naval Academy and an adjunct at Rand. The views expressed are my own. Two years ago, Admiral Rogers asked Congress to support an increase in his ability to carry out cyber attacks so that the United States could deter cyber attacks on it. But would strength alone suffice? A deterrence capability has at least four prerequisites. First, we must be able to attribute cyber attacks in order to punish the correct party and convince others that we are acting justifiably. Second, we must communicate our thresholds, what actions will lead to reprisals. Third, we need credibility so that others believe that punishment will in fact follow crossing such thresholds. Fourth, we need the capability to carry out reprisals. Of the four prerequisites, it is U.S. capability that is least in doubt. Any country credited with Stuxnet and the operations that Snowden leaked has demonstrated an impressive capability. It is the other three prerequisites that need attention. Attribution, to be fair, has improved considerably over the past 10 years. But the same cannot always be said about the U.S. ability or willingness to prove that its attribution is correct. After the Sony attack, the FBI's public statement devoted just 140 words to justifying its attribution.
And the public case that Russia carried out the DNC hack is even more problematic. Credibility remains an issue. Although the United States did retaliate against North Korea for the Sony attack and Russia for the DNC hack, the reprisals that have been made public, mostly sanctions, were not the sort that would induce fear in others. That leaves the issue of thresholds, which gets the least attention. What cyber attacks merit cranking up the machine of U.S. retaliation for and thereby potentially altering the U.S. relationship with another country, especially when cyber attacks can vary so much from a momentary network disruption to a major catastrophe? Not everything that we might call a cyber attack is actionable. By contrast, even the smallest nuclear weapon on U.S. soil was obviously actionable. Finding a tractable threshold is not a problem easily solved. So let's consider some candidates. Should something be actionable if it violates the Computer Fraud and Abuse Act? Well, there are three problems. First, using a national law as an international red line sets a precedent easily abused by countries that, for instance, criminalize free speech. Second, this act is violated literally on millions of occasions, pretty much every time a computer is turned into a zombie. Third, such a law makes cyber espionage an actionable act, but this is something that the United States carries out all the time. Well, is something actionable, as one Assistant Secretary of Defense argued, if it is among the top 2% of all attacks? Here the problem is that cyber attacks have no minimum. So it's very difficult to define the set and thus very difficult to define 2% of the set. OK, should everything that affects the U.S. critical infrastructure be actionable? Supposedly, we know what is and is not part of the U.S. critical infrastructure. But then we have attacks that make us change our mind.
For instance, a number of folks said this attack on Sony was an attack on the critical infrastructure. And after the attack on the DNC, we reconsidered the election, the voting machinery in this country, and we reclassified it as part of the critical infrastructure. Well, do the laws of armed conflict or LOAC provide a good dividing line? Well, unfortunately, LOAC kicks in only when something is broken or someone is hurt. And in cyberspace, damage has occurred twice and death not at all. An attack that bankrupts a firm by contrast would not be actionable by LOAC. Worse, LOAC fosters the notion that a cyber attack like a physical attack is unacceptable behavior for countries, while cyber espionage, like traditional espionage, is something countries do. But the United States does not accept all cyber espionage. It successfully pressed China to stop its economic cyber espionage. If the data taken from OPM had been sold into the black markets, the United States would doubtlessly have raised very strong objection to China. And the DNC hack was actually cyber espionage. If the Russians had taken what they took in-house rather than posted online, there likely would have been no US response. My bottom line is this. Deterrence introduces multiple issues that need far more careful attention than they have received to date. Being strong is necessary, but it is not sufficient. And until we have a firmer basis for setting thresholds, we may have to limit reprisals to obviously actionable attacks while using the less obvious ones as markers for what we would react to next time. I appreciate the opportunity to discuss this important topic, and I look forward to your questions.

Thank you, Mr. Healy.

Good morning. Chairman Thornberry, ranking member Smith, distinguished members of the committee, really humbled to be in front of you today. I'll jump right to the heart of my comments on cyber conflict where several issues stand out. First, what isn't a problem?
Attribution, as my colleagues have pointed out, is not nearly the challenge that it used to be, as analysts at private sector companies and the US government have made tremendous gains determining which nations are behind cyber attacks. Second, what's different in cyber compared to conventional conflict? I believe it is not hazy borders or operating at network speeds or the other things that you might have heard that is most different, but in fact the role of the private sector. America's cyber power is not at Fort Meade. No, the center of US cyber power is instead in Silicon Valley, in Route 128 in Boston, in Redmond, Washington, and in all of your districts where Americans are creating and maintaining cyber space and can bend it if they need to. Third, what didn't we see coming? In the wake of the 1991 Gulf War, we in the military were eager to study information operations, including propaganda and influence, which are now some of our adversaries' primary weapons against us. Yet in the time since, we have become so enamored of the cyber, we've forgotten critical lessons of information operations from that time. Fourth, what might we have most wrong? Simply deterrence and coercion. Previous testimony to this house made it clear there was an electronic Pearl Harbor waiting to happen. Well, that was in June 1991. So we've been fretting about an electronic Pearl Harbor for 25 of the 75 years since the actual Pearl Harbor. Cyber deterrence above the threshold of death and destruction, not just is working, but works pretty much like traditional deterrence. Where deterrence is not working, of course, is in the gray area between peace and war, where all major cyber powers are enjoying a free for all. We should not kid ourselves. In that gray zone, the United States is throwing as well as taking punches. And deterrence works very differently if your adversary is certainly striking back, not first.
In fact, I believe cyber may be the most escalatory kind of conflict we have ever encountered. Because of this, any exercise in cyber deterrence must be thought of as an experiment. Some of our experiments will work, some won't. So we must be cautious, attentive to the evidence and willing to learn. So my first recommendation is that a new set of cyber influence teams might quickly be trained and folded into the cyber mission force at Fort Meade, working alongside cyber and area studies experts there. Second, I continue to advocate splitting the leadership of NSA and Cyber Command. Imagine if the commander of US Pacific Command were the leading source of information on the China military threat, negotiated with US companies dealing with China, ran the best funded China oriented bureaucracies, was involved in intelligence operations and military planning against China and could decide what information on China was classified or not. Sometimes two heads and two hats are more American than one. Third, the best use of government resources is to reinforce those doing the best work already. Our critical infrastructure companies are on the front lines and together with major vendors and cybersecurity companies have far more defensive capabilities than our military. Grants to the non-profit associations that are knitting these operations together can give massive bang for the buck. Lastly, I'd like to leave you with a question to consider asking others in testimony in the future. What do you believe will be the dominant form of cyber conflict in 10 years? The Pentagon seems to have a healthy set of cyber requirements but not many views of what cyber conflict might be like as they do in the land, sea, air or space. For example, I'm sure the Chief of Staff of the Air Force can give you many reasons on why he sees future air conflict and why long-range strike bomber is the answer to succeeding in many of those kinds of conflicts.
What do we think the future of cyber conflict might be like that will justify the requirements that the Pentagon is asking for? In closing, I'd like to mention that on 16 and 17 March, 48 student teams, including from many of your districts or your alma mater, including the Air Force Academy, Brown and the universities of South Alabama and Maryland College Park will compete in the Cyber 9/12 Student Challenge. This competition prepares students to tackle exactly the same sort of challenges about which my colleagues and I are testifying before you today. If you or your staff are available to observe, judge or provide remarks, the student teams would greatly benefit. Thank you for your time.

Thank you. As we notified all members, Mr. Smith and I agreed that for the purpose of this hearing, we would start out by going in reverse seniority order for those members who were here at the time of the gavel and then go in order that members enter the room like we usually do. I also want to remind members that this afternoon, the Emerging Threats and Capabilities Subcommittee is holding a classified quarterly update on cyber operations to which all members of the committee are invited. And at this point, I would like to yield my five minutes to the chair of that subcommittee, Mr. Panick.

Thank you, Mr. Chairman. I have two questions. The first is broad, what aspects of the previous administration's cyber policy should we keep and what should we rethink? I'll start with Mr. Healy and move down the line.

Okay, thank you very much, Chairwoman. The, Mr. Panick, the previous administration got a lot of runs across the plate, but they weren't really swinging for the fence. So they had a lot of small, a lot of, they were playing small ball. And so there weren't that many things that really angered me that much about what they did. One that I think we should absolutely keep.
Because I think the private sector should be the supported command, not the supporting command, I'm a big fan of the work that they had done on the vulnerabilities equities process. This was the process by which if the US government discovers vulnerabilities, especially in US IT products, that the default is to tell the vendors on that. And if they keep it, for example, at Fort Meade, that they have a risk mitigation strategy in case, so that if it does become public, that they can respond most quickly. The work that they did on that was very important. It actually dates back to CNCI in the previous administration. But I think that it's certainly worth keeping. To change, I certainly hope that the US government can do better on its own cybersecurity systems. It looks like the new administration might be doing better on this with a more role for the Office of Management and Budget, as well as more shared services. That is more cloud. I also think we can do more within the Department of Defense for accountability. My experience in the private sector, especially working for banks, was that they had much more control over what was added to their networks and who could do what, than even the Department of Defense does, which was a surprise to me, considering how much we think of command and control and leadership within the Department of Defense.

Thank you. Dr. Libicki.

I believe the administration made a lot of good investment in defensive, in defending networks, and I think that's a trend that should continue. Details, I suppose we can discuss, but I think the general trend towards putting most of your eggs in the defensive basket is a good one. In the realm of what I would do different, if you're going to talk up an attack as something that's unacceptable, then you need better attribution, public attribution case, and you need to hit back more strongly.
Conversely, if you're not prepared to hit back strongly and you're not prepared to make a good attribution case, maybe you shouldn't make so big a deal of the cyber attack.

Dr. Singer.

I echo what was just previously said, I add a couple of things. Towards the end of the Obama administration, in the wake of the OPM breach, it put together a series of essentially best practices from the private sector that could be mined for implementation into government. I see those as a key oversight area for Congress and essentially seeing if they're being implemented or not. And again, I think they're bipartisan and that they're pulling from the private sector. Similarly, in the very last weeks of the transition, there was a bipartisan commission of experts, cybersecurity experts that issued a report of what could be done to aid government in this realm. It was lost in a little bit of the conversation. Here too, bipartisan recommendations, implementing those would be a good area. Finally, the administration created a cybersecurity human resources strategy. This space is not merely about zeros and ones, it's a people problem. And there's all sorts of areas there and I would look to that and see is this being implemented or not. It also points to at least so far in the drafts of the Trump administration's executive orders, human resources hasn't been mentioned. So I'd be focusing on that. In areas of what they can do, what they didn't do, there's a wide variety of them that have been mentioned whether it's sanctions to, we've done well at pulling in the National Guard as a way of tapping broader societal resource, but that's only limited to what's already in the military. I would look to the Estonian model or in essence the cybersecurity version of the Civil Air Patrol as a way of pulling in broader civilian talent that isn't either able or willing to serve in the military or guard reserves.

Thank you, Dr. Singer. My final more specific question, Mr.
Healy in your written testimony, you discuss how our adversaries are using cyber capabilities as part of a larger strategic and orchestrated influence operations form of information warfare. The most recent examples are the North Korean hack of Sony, the Russia hack of the DNC, and even in 2008 the Chinese hack of both the Obama and McCain campaigns. In addition to your suggestion to create cyber influence teams with our cyber forces, what more can we do to counter the strategic influence campaigns that are so successfully being waged by Russia, China, North Korea, and Iran?

Such an important question, thank you very much. I agree with Dr. Singer on the returning to the active measures working group, which I think is an important step. I think we can start re-funding some of those information operations projects that we had done in the 1990s. For example, in Allied Force where we had done a lot against Slobodan Milosevic. There had been a lot done in the military professional universities, especially places like National Defense University and the doctrine centers, where hopefully some of those people still reside and we might be able to build back some capability quickly. It also, we obviously need to do this whole of government because this clearly isn't a Department of Defense response. It's helped me to think about, we have incidents of national significance to respond to terrorist attacks. We have cyber incidents of national significance, but neither of these fit here. It has helped me to think about an information incident of national significance and saying, who would we bring to the table? What agencies would we bring to the table to respond into an information incident of national significance?
I'm not convinced that we should create such a concept because there's something that's struck me as a bit un-American about how we might use that if there's information we didn't like, but it certainly helped me think about how we might improve our interagency response against such actions. Thank you.

Thank you, Mr. Healy. I'm over my time.

Ms. Murphy.

Thank you gentlemen for being here and for your testimony as well as the Q&A. I represent a district in central Florida that is home to the nation's largest modeling simulation and training industry cluster, which includes a collaboration, which is a collaboration between the military, academia, and industry. The Army Command there, known as PEO STRI, has been tasked with the cyber training mission for Army. I was alarmed by a recent study that I saw that talked about the accelerating workforce gap for cybersecurity professionals. This survey projects that we will have a shortfall of 1.8 million cybersecurity professionals in the next five years. And to put that in some context, when you talk about workforce gaps in other industries, we're talking in the tens of thousands, but not in the millions. So I found this an astounding shortfall in its size and particularly in a critical area for both national security as well as economic stability. So I was wondering, you know, you've all talked a little bit about some of the initiatives that workforce initiatives that could be implemented, but what specific partnerships between academia, government, and the private sector would help to build this talent pipeline in the future? And what role does Congress have in providing investments for and supporting such partnerships?

There's a whole array of activities that can and frankly should be undertaken. As was mentioned, there was previously a human resources strategy. It's unclear whether that will be continued or not.
I believe it should be in the new administration if it's not, there should be a similar full-fledged version of it. Equally, there have been organizations created like, for example, the U.S. Cyber Corps, which is akin to a ROTC program, a scholarship program for drawing talent into government. It is unclear what the effect of the federal hiring freeze will have on that. Right now, you have students that are worried that they are not going to be able to meet their scholarship commitments by joining government because the positions won't be open to them. I would urge Congress and the administration to make clear that cybersecurity is an area that would not be included in that hiring freeze because frankly, any labor savings that you get will be lost by one breach, one incident. Similarly, there's a whole series of areas to bring in. As was mentioned, the strength of the United States is in districts like yours and around. So ways of bringing that talent into government for short term. So the examples range from adding a cybersecurity element to the U.S. Digital Service, to a program akin to what the Center for Diseases Control has for bringing in talent from the medical field. Finally, bug bounty programs, which are very cheap ways of incentivizing people outside of government to volunteer to help government. I would urge, the DOD is doing these on a pilot basis, this should be done at every single agency, and Congress can help support that and incentivize that.

I think, I mean, there are a lot of programs that have been mentioned could be mentioned that could increase the supply of cybersecurity professionals. But if we're talking about the scholarship program, we're talking about hundreds and thousands of people as opposed to millions of folks. And I think thought needs to be given not only to how do you increase the supply but also how you reduce the demand. Let me give you an example.
If you take a look at the Office of Personnel Management, there was a lot of sensitive information, particularly information that you gather as part of doing the security clearance that was leaked to other countries as a result. Now, if you just took a cybersecurity perspective, you say, well, how many people does OPM have to hire in order to make sure that their material doesn't leak? But there is another way of looking at it. Do we have to ask people those questions? Do we have to write down the answers? Do we have to put those that digitize the answers that they give? Do we have to make the answers available? And do we have to make the answers available online? And is there some way of finding out where the answers are going online in the circulation? None of those things that I describe need a cybersecurity professional. They need ways of understanding how information works. And I think as a general proposition, there is a tendency to say, we want to compute the way we want to compute. We've got no restrictions. This internet stuff is wonderful. We want as much as we can have, but it seems to give us cybersecurity problems. So let's go hire a bunch of cybersecurity folks and sort of spread some cybersecurity on the top. And if you can't get these folks, or if you're paying an arm and a leg to get these folks. And if it still doesn't work, because the Russians are very, very talented and the Chinese are very talented, okay? Then you might want to consider, how are we actually managing our information? And that leads you to a different place.

If I could request each of y'all, if you talk directly into the microphone, sometimes there's a noise outside that is making it hard to hear up here. So thank you. Mr. Gallagher.

Thank you, Mr. Chairman. I have a somewhat related question. The Marine Corps Commandant, General Neller recently stated that using tactical cyber needs to become routine, like other technical arms of the service.
So when the arty officer shows up or the naval gunfire officer shows up, he needs to be accompanied by a cyber liaison officer. My concern is that in terms of the cyber talent pool, I don't think a lot of them are enthusiastic about getting a high and tight and joining the Marine Corps. So I'm drawn to your idea, Dr. Singer, about something akin to the Estonia Cyber Defense League, but I see a host of practical challenges to implementation. And I think we might have to rethink how we grant security clearances. Could you just talk a little bit more about that and how we might operationalize and implement such a proposal?

So the approach that Estonia has is a little bit akin to our age-old Minutemen or, more appropriate today, the Civil Air Patrol. The Cyber Defense League there is, it takes people that have been security cleared, so they do go through a clearance process. They are volunteers, they are outside of government. Their talent ranges from people who are hackers to people who are bankers. So for example, if you wanna understand how to attack or defend a bank, you just don't need computer talent, you need to understand how the systems work. And they essentially volunteer to aid Estonia in everything from red teaming, so attacking voting systems before an election to find vulnerabilities before the bad guys do, to the help with emergency response. It's a little bit akin to the Civil Air Patrol, which gathers people who are interested in aviation and it ranges from youngsters that are entering the field to people who just wanna keep flying, but then they're on call for aviation related accidents, training exercises, and importantly on call at the local, state and federal level.
My point is that often in this space, we very appropriately enough say, look we've got active duty and National Guard has expanded and gotten really good at this, but then we stop and miss the fact that as you put there's a great deal of talent that will be forced to be outside of National Guard. I would also, real quickly to you, one other point make that if we're looking at history, we often talk about the Pearl Harbor parallel and what General Neller's pointing to is that there's other battles, Kasserine Pass, which were really ones that where we won or lost, not based on our weapons, but our failure to figure out how we command and controlled, how we organized and that's what I would urge you to be pushing a little bit more on the military side with.

And then on that point, Mr. Healey, you seem to argue that the reports of a cyber Pearl Harbor have been greatly exaggerated, but I count myself among many Americans who received a notification from OPM after the hack which some described as a cyber Pearl Harbor. What's your assessment of the long-term damage caused by that hack?

I've certainly, when I've thought about my colleagues and my friends that in the future might be negotiating with China over some issue and I can imagine their Chinese counterparties sitting down in front of them and having their complete SF-86 and then the rest of their information in front of them and I imagine the chilling effect that that will have on that negotiation and how America's diplomatic position is going to be significantly worse since then. But I also take the thought of a devastating attack that leaves thousands of Americans dead. I mean, that for me is it's what we've been thinking about or what we've been imagining that was gonna be this catastrophic bolt from the blue and so certainly that hasn't happened yet and yet we still to some degree allow that to capture our imagination.
So I think we need a little bit more curiosity about what future cyber conflicts might be like and how we respond to those. I think that would put us much better off to deal with the OPMs and to deal with the Russian hacking.

And finally, Dr. Libicki, among the many terrorist groups who we are fighting, kinetically right now, who's the most sophisticated cyber actor?

Well, I think you'd have to say ISIS, but I think even ISIS is really good at information operations and propaganda, okay? Because in many ways they say that terrorism is sort of the propaganda of the deed and so they're integrated within a country, within an organization like ISIS. But in terms of actual cyber capability, there are many criminal groups that are better than all the terrorist groups.

Thank you, Mr. Chairman, I yield the rest of my time.

Mr. Brown.

Thank you, Mr. Chairman. I represent a district in Maryland that is perhaps less than eight miles from Fort Meade, which is home to several very important agencies and activities in the cyberspace, NSA, the Cyber Command, and the Defense Information Systems Agency. And we are home to a very large percentage of those high and tight cyber warriors. And I know that this committee over the past several years has looked at the organization and structure of the cyber force, cyber command as a unified command. We're interested in the dual hat arrangement between the director of NSA and as commander of CYBERCOM. And also we're interested in a strategy for incorporating the guard and the reserve. So my question is, and there's a lot of different activities involved in cyber warfare at the operational level, do you have any thoughts and opinions on how best to support that combatant commander? We've got cyber mission teams that my understanding right now pretty much operate from CONUS, a lot at Fort Meade, some in Atlanta, and pushing those teams out much like the Special Operations Command does.
And any other thoughts you have on sort of the operational tactical deployment of these assets?

Thank you very much. And there are parts of this that remind me of the previous question. The cyber forces I think for a very, very long time are gonna be high demand low density assets. There's just not gonna be enough of them. And in general when we've got HDLD assets we try to keep them in a centralized pool so that way, especially keeping them in a place where they can support multiple commands and multiple operations without having to necessarily deploy to do them. I think it's gonna be a long time before it is as easy to use cyber capabilities as it is to drop a JDAM or to send artillery rounds down range. It's extremely complex. And when you have capabilities you tend to want to use them sparingly and not in a tactical kind of situation because the adversary will just fix them. And so the kinds of things that I think have been happening within the Cyber Mission Force have been really excellent and we hope to see more capabilities and spending in that area.

Briefly, I'm not quite too sure I have an answer for your question but I do have a sense of what it will depend on. First is we need to understand a lot better the efficacy of offensive cyber forces and the second thing is that we have to understand their depletability. There's a difference when you surprise somebody in cyberspace, when you pull off something that they weren't expecting. The surprise element tends to deteriorate over time. It's not like an artillery round which still has the same blast effect for the first as it does for the hundredth. So that we don't understand a lot for these next five to 10 years we're going to have to be playing around with a lot of alternative models until we do have a level of understanding that allows us to make good decisions.

I think your mention of Special Operations Command is an appropriate one.
I was actually down there literally yesterday and it's my sense that that is the likely and I think ideal future evolution of what happens with Cyber Command where it is as mentioned, it's global in its operation but also can focus down and help in specific commands on a theater level or the like. It also has its own culture, its own approaches to promotions, to different types of budget authorities to reflect kind of its unique role. That's my sense of where Cyber Command can and should evolve to. Part of that will, as was mentioned, I do think it's time for it to disentangle from the dual hat leadership structure for both what Jay Healey mentioned in terms of the intelligence operational side to just frankly it's a human talent no matter how good the person is. Those two roles are incredibly important and you're getting half their time. They're also very different to make a sports parallel. It's like having the coach of the Wizards and the general manager of the Capitals. You wouldn't do that. The final aspect that I would put in terms of to aid this in solving a lot of this question is better integration of this into our muddy boots training environments. And when I say this, I mean both offensive and defensive cyber capabilities as well as the social media side. Our training environment should reflect what the internet looks like now and how we can and our adversaries will use it.

Thank you, Mr. Chairman.

Thank you. Ms. McSally.

Thank you, Mr. Chairman. Thank you, gentlemen. First, just have a comment as we're talking about this cyber workforce. Although I agree with Dr. Libicki about managing our information, there is gonna be demand.
These are gonna be jobs that'll be out there and growing and highlight the University of Arizona South of my district has taken advantage and seen that come in and really created a cyber operations program partnering with Fort Huachuca, federal agencies, seeing that this is an opportunity to really train the workforce of the future for government, military and the private sector. And I think a great example of really how educational institutions need to take advantage of this to provide training and opportunities for good jobs in the future. So just wanna highlight what's happening at the U of A South. I'm former military. You look at our potential adversaries. They don't wanna take us on head on although they are closing some gaps but we are so heavily reliant on network operations for command and control, for situation awareness, whether that's GPS or how we're managing unmanned aerial systems or even how we're managing air tasking orders and time sensitive targeting. If you're the bad guy you wanna go after that asymmetrical potential Achilles heel although we haven't seen it happen. I'd like to hear your comments on our vulnerability. Obviously we're in an unclassified setting and what we could do because if we had an adversary go in that direction, try and take us down. We talk about it like the AOR would go stupid pretty fast. Like we wouldn't be able to operate. We wouldn't have had a command and control and give directions to our assets and I see this as a very deep vulnerability that we have. Could you have any comments on that and what we need to be doing better about it? You wanna start, Mr. Healey?

Thank you. It's tough for me when you're asking me to question not to answer first with a salt course, ma'am. So I would start with- Sorry about that. We haven't had- I put him through basic training. The cyber Pearl Harbor the way that we thought. In some way because cyber attacks tend to only take down things made of silicon.
Things made of ones and zeros and those are relatively easy to replace. The more that we are bringing in the internet of things and the smart grid, the more that those same attacks instead of just bringing down things made of silicon or it can bring down things made of concrete and steel. So I'm not one of those that think cyber attacks have been that bad lately. I really don't because no one has died yet. I think we're gonna look back at these days as the halcyon days when Americans had not yet started dying from these. So to me, that's really where I'd like to start putting a lot of my time and I think the time from the DOD and from Congress and in trying to see what we can do about to secure the IoT and keep our adversaries away from them.

Thank you. Any other comments from?

I think you're spot on and I would point to, so what would make the previous member happy? We've spent over $2 billion on construction in the Fort Meade area alone, which is great. We've grown up this capability in Cyber Command, but the Pentagon's own weapons tester found, in their words, quote, significant vulnerabilities, end quote, in every major U.S. weapons program. And that's made up, it's revealed itself in everything from China flying comparable copycat versions of the F-35, which either coincidentally, the J-31 looks like it or it's because there were reported three different breaches during the design process to exploitation during warfare itself. So in terms of what Congress can do, I think we need to have a focus on building resilience within the DOD acquisition system, specifically establishing metrics and determining where progress has been made or not in our acquisitions process to deal with vulnerabilities in that. So we know they're there, what can we do about it? I would also add, we can explore how to use Pentagon buying power more effectively outside the defense industrial base.
So for example, entities like Transportation Command have relationships with a lot of different critical infrastructure. How can they incentivize them to get better at their cybersecurity using Pentagon buying power?

Dr. Libicki.

Three things. First, I think we need a better understanding of our end-to-end vulnerability. Part of the problem in defense of cyber is we tend to chop them up into little pieces and look at the vulnerability of each piece. But in fact, if the bad guy's going to exploit our vulnerabilities, he's gonna do it on an end-to-end basis. And this is the basis under which you ought to measure things. In terms of the vulnerability, as you point out, this is an unclassified session. So my best guess is that heterogeneity and believe it or not, legacy systems make a big difference because it gives us a lot of ways of doing different things. And I think in general, the fact that our warfighters tend to be given the authority to do their own innovation is very important. Because after a cyber attack, the world is gonna look different than it did before. And how do you put the pieces back together becomes very important. And a well-trained military that knows how to think on the spot in different ways becomes very important in the aftermath of a cyber attack, part of the resilience package.

Great, thank you. I had another question about ISIS, but I am out of time. Often, you see ISIS, how they're using the internet to recruit, train, direct. Yet the internet was continuing to still work in Raqqa. I've asked many times in this setting why is internet still on in Raqqa, but we don't have time, so we'll follow up with you all later. Thank you, I yield back.

Mr. Carbajal.

Thank you, Chairman Thornberry and ranking member Smith. Dr. Singer, I'm gonna build on that, but maybe closer to home.
An area of major concern is the supply chain vulnerabilities where malicious software or hardware is inadvertently or exists in the development or acquisition of different systems. In your testimony, you expressed concern over the significant vulnerabilities in every major weapons program, extending from breaches of operational systems to original design process. Can each of you speak to how we can tackle these vulnerabilities? What checks and balances can we put in place to avoid developing systems with malicious software or hardware? And what resources do we need to invest in order to protect our supply chain?

So I should clarify this phrase of significant vulnerabilities. That's actually from the Pentagon's own weapons tester. So it's not merely an assertion of mine, it's from our own government's reporting on it. The concern here, again, as you put, is not just merely what does it do in acquisitions, what does it do in an operational environment like we explored in future scenarios. But it also means it is, I would argue, difficult to impossible to win an arms race if you are paying the research and development for the other side. And so in terms of what can be done, I think the question for Congress is where in using your authority, what are the changes needed in acquisition law or is it processes, is it policy to create better requirements for essentially resilience to cybersecurity attack? Not preventing it, we'll never be able to prevent all of it, but build resilience to it. This also points to the human resources side that we've talked about. And again, this cuts across the board and everything from within the military as was laid out to outside and broader society. And it's very exciting to hear that everyone's very proud of the different universities. We need to think about how we can build training for cybersecurity into our education system to create better levels of cyber hygiene.

Thank you. Thank you.
There has been a lot of concern about the fact that some of our foreign sourcing leads to vulnerabilities. I'm not entirely certain whether we need to do all that much more than we're currently doing. I remember that there was a lot of discussion 20 years ago when people were talking about fixing the Y2K problem and there was a lot of hand-wringing about foreigners working on our code and therefore we become much more vulnerable because we couldn't trust the foreigners to work on our code. And I haven't seen any evidence that that really mattered to Y2K or that mattered to vulnerabilities in the immediate aftermath of Y2K. I think as a general principle, it gets back to understanding our end-to-end vulnerabilities. Even if a particular product is weak, there's no way to exploit the weakness that gives you a certain level of protection. So you do have to look at supply chain vulnerability as part of a broader overall systemic end-to-end vulnerability issue.

Thank you very much. I've been impressed with how much has been done on the academic side and within the computer security community on trying to build a trusted system on untrustworthy components. So for example, if you use end-to-end encryption like is happening now on Apple, even if you don't trust the systems between you and the person you're talking to, there are tools like end-to-end encryption that can give you much more trust over the system as a whole. One example in the DOD context is DARPA is now putting a system they called HACM, the high assurance computing system. I can't remember the exact acronym, where they're using mathematically provably secure code. They've done this on a helicopter drone. They've given red team hackers access to part of that drone and they have not been able to get out to hack the entire drone and take control of it. And so here are areas where you can trust the system even if it has some untrustworthy components.
I'd like to also call out what's been happening between the defense industrial base companies themselves. The amount of information sharing my colleagues tell me have gotten that in the past. If the Chinese were to hack one of those companies, they could use that same vulnerability to hack all of them. And it has now been several years where the sharing and the defenses have gotten so good that now they have to use a different software vulnerability on each of these companies. I think that's exactly getting towards the kind of defenses that we need. And it's probably more because of the sharing, which is cheap, than having to add more and give them more money in the contract so they can improve their security.

Thank you. Thank you for your insight and your wisdom. I yield back.

Ms. Stefanik, do you have additional questions on your own time?

Thank you, Mr. Chairman. NATO has introduced the Tallinn Manual through its Cyber Defense Center of Excellence in Estonia, which provides an analysis on how existing international law applies to cyberspace. The most recent Tallinn 2.0 Manual focuses on cyber operations and discusses cyber activities that fall below the thresholds of the use of force or armed conflict. Is this framework helpful in establishing international norms for nation states? And what, if anything, would you recommend we consider incorporating into U.S. policy? I'll start with Dr. Libicki.

I think, I mean, I can say nice things about global rule under international law, but international law is only as good as countries that support international law are willing to support it. In other words, they're willing to put muscle behind violations of international law. And I regard international law as a tool of policy. I do not regard it as a substitute for policy. At some point where you have to take certain elements of international law seriously enough to say, this is unacceptable and this is what we're going to do about that.
And it's in turn, it's part of the broader discussion which I urge that we have about what in fact constitutes thresholds, okay? Part of the problem with using international law as a base as was obvious in the Tallinn 1 manual is that there's a lot of disagreement among people about what in fact constitutes legal behavior. And you don't have the same judicial mechanism in the United States where you can point to the opinions that are rendered by judges to say, okay, there is a consensus that this is the way it is and this isn't the way it is. We don't have that, okay? So in the end, international law has to be supported by nation state, by countries and the willingness to take risks in support of law before it becomes actionable.

Thank you. Mr. Healey and Dr. Singer, do you have anything to add?

I'm a huge fan because it takes a lot of the arguments off the table. Instead of arguing, well, are you going from scratch if we think something is an act of war not now we at least have a place to come from and that helps a lot. Now we can argue what to do about it. That's really what's been tripping us up, I think more than anything is not what to call something or what's the thresholds to set but what are the actual policy tools and how are we gonna use them in each instance and hopefully now we can focus on that.

Dr. Singer?

I'm a huge supporter of it as well. I would just add two things to it. The first is to recognize that there's not just this process but a broader web work of agreements and norm building that's going on and everything from bilaterals with allies to multilaterals that be it at NATO to all the way up to the United Nations and I think a key area for action for Congress is to essentially request of the administration what's your overall strategy here?
How does this all fit together and most importantly are you not gonna let this fall by the wayside because it's clearly advantageous to the United States to shape these norms in a way that restores global cybersecurity. The second and most important thing is to recognize that the quickest way to undermine norms and laws is to take inaction when they're broken and we've seen repeated instances specifically by Russia and everything from attacks on power grids that were no-go areas such as in Ukraine to most recently this broader campaign that I mentioned and so if we want to norm build we also have to take actions besides just write things down in treaties.

Thank you. In some of your testimonies you've talked about our increasing capabilities when it comes to attribution. My question is how good are we at doing battle damage assessment in cyberspace? Are there areas or capabilities that we need to invest in to improve our ability to do BDA?

Do you mean against when the attack is against us?

Yes.

Yes, here I think a lot of the work that's been happening in the information sharing and analysis centers as well as the new policy from the past administration for information sharing and analysis centers to try and come together and get that coordination done within the affected sectors themselves or the affected companies that depends so much on which sector has been hit to try and figure out the level of disruption. Some like finance are extremely good at this. Their regulatory agencies are banging on the door to find out what happened. Other parts of our critical infrastructure like water aren't going to be as strong and that underlines I think how good the sector organizations are, how well they're regulated for example rather than anything specific to determine the level of disruption and the damage.

Dr. Singer?

This is one of those key areas I think to delve deeper into in the muddy boots training side.
So for example, if you lose 10% of communications it's only if you actually go out and exercise is it that you understand that maybe it doesn't have a 10% compromise on you. Maybe it actually means your entire organization can't work or similarly if it's not you lose access but that you can't trust communication. If one time the adversary inserts false information be it into GPS or false information into an order does that mean that you no longer trust the system itself so the entire system goes down? So that's one of the areas where I think we need to involve it more into our own training to understand the effects of it. That's the only way.

Thank you, my time's expired.

Ms. Rosen?

Thank you and I really appreciate all of you being here today, thank you Mr. Chairman. My question is about the disentangling of the NSA and Cyber Command. And so I see some of the benefits and challenges I'd like you to expand on that a little bit and especially about how that relates to our ability to respond dynamically to threats or challenges as you see them in our ability to be fast and flexible there, go ahead.

Thank you very much Congresswoman Rosen. The most dynamic part of America's cyber defenses is not Fort Meade and it will never be the Pentagon. It just isn't, they can't, pretty much no part of the US government is actually creating and maintaining cyberspace. One of my colleagues that used to a former Army major that then went on to work at Verizon said, look, if there's an attack, we at Verizon and our colleagues and our companies, we can bend cyberspace if we need to. We can change the physics of this space to blunt this attack in a way that is incredibly difficult for places like Fort Meade and US Cyber Command to do. US Cyber Command simply just doesn't have the levers to be able to respond agilely enough to attacks against us. They can certainly attack back, but they're not tied in in the same way as these companies are.
And so because I believe that the private sector is the supported command, they have agility. They have the subject matter expertise and they can bend cyberspace if they need to that our money is best spent rather than trying to recreate that at Fort Meade, find ways to help make sure that what they can do better.

You've asked an interesting question, which unfortunately I don't have a clear answer for because I'm still thinking through it, okay? But a lot of what you do with Cyber Command vis-a-vis NSA depends on what you actually want Cyber Command to do. If you're thinking of what Cyber Command does as part of a broader information operations area, then you need to bring Cyber Command in with other parts of the Department of Defense that deal with information operations. And this is not something that's currently on the table.

Cyber Command, doesn't it also execute?

Right. And in terms of its offense mission is what I'm referring to, okay? In terms of its defense mission, it's a coordination between Cyber Command and the way that networks are currently managed that becomes an important component. And for a long time NSA has had that responsibility to improve the security management of DoD networks. If you're looking for Cyber Command to think in terms of a general analysis of the vulnerability of other people's militaries, then you may want to bring them in together with other folks who look at the vulnerabilities of other people's militaries that are not necessarily digital zeros and ones, but in fact arise from the interaction of the various components of their militaries. And that's about as far as I've gotten on my thinking unfortunately.

So I think we've laid out earlier some of the rationales for it and it ranges from the split as you note between essentially the evolution of the missions from intelligence to Cyber Command becoming more and more operational, both offense and defense, having training requirements and the like.
As I mentioned, there's the double hat problem of just human talent. There is another aspect of this that I think is interesting to talk with you about is go back to the original rationale for why they were double-hatted. It was both because the creation of Cyber Command, it didn't have its own culture, didn't have its own human talent, but it also was because there was a concern that the head of Cyber Command would not be able to speak with a voice or authority that would get Congress's attention. Post-Snowden, the absolute opposite happened where you are more interested, maybe not you individually, but Congress is more interested in the NSA surveillance encryption debate side, and we even saw that in the confirmation hearings for the head of Cyber Command. So I think for this wide variety of reasons, it makes sense to split them, but I would not do it instantaneously. I would do it like the transition that we had with Joint Forces Command where the mandate, so to speak, of the last commander was figure out how to disentangle this in a way that doesn't compromise effectiveness.

Thank you. Well, as a former computer programmer and systems analyst, I have about a million more questions about the public-private partnership versus privacy. We don't have the time to do it today. I hope you'll come back and I'll be able to ask them all. Thank you.

You can use the gentlelady as a resource as going ahead. That's what's clear to me. Mr. Scott.

Thank you, Mr. Chairman. Gentlemen, many of my questions have been answered, but I want to go back and focus on a couple of things. The Y2K issue was approximately 20 years ago. It was not intentional, but my question has always been as we talk about malware and digital and X's and O's, one of the vulnerabilities that we don't talk about much, which has been mentioned before, has been the supply chains and the ability to perhaps embed things in hardware prior to the manufacturing of the actual equipment.
I'd go back to, just for example, the GPS system that we put in an airplane or a radio system that we put in an airplane, could it be pre-programmed to stop working at a certain point in time? In which case that would give your, certainly major adversaries, near-peer adversaries a distinct advantage over you and that if they knew that you were gonna lose radio communications at a certain point in time, that would obviously be an opportunity and time for them to go on offense. And so it seems to me that we have this constant testing, if you will, of capabilities among select few countries. When one of those countries finds a weakness, the question is how far do they go on exploiting it? I guess before a Cold War actually becomes what we would acknowledge as a true war. Listen to your comments on the split of leadership in NSA, certainly interested in further discussion on that, but I'd like for you to speak if you would towards the future. Dr. Healey, you said that we don't have the levers that the private sector has to bend cyberspace, I think is the way you put it. We obviously have active duty personnel, we have National Guard personnel, National Guard has had a tremendous amount of success in helping us. What does the cyber mission force look like 20 years from now? What are the decisions that have to be made to make sure that we have that cyber force?

Thank you very much, it's a great question. And to put some context, I'm not taking swipes at Cyber Command, I was one of the initial cadre of what became Cyber Command. When I was a young captain in the late 1990s, I helped at Headquarters Air Force set up what was to become the Joint Task Force Computer Network Defense and was one of the 21st, one of the first 25 cadre members there and then it went on to grow to be US Cyber Command. When I think about, it's a great question in what that force might look like.
One of the futures that I start thinking about and saying what would happen if we went down that what cyber conflict might look like in 10 years. Last year DARPA funded a contest called the Cyber Grand Challenge in which they had different supercomputers discovering their own vulnerabilities and discovering vulnerabilities and attacking the other supercomputers on stage which then had to run through their programming and come up with automated defenses. And certainly when I'm thinking about what cyber conflict might look like in 20 years or 10 years, that to me seems like somewhere obvious to start in where DARPA is already thinking. So just imagine what that might mean for the Cyber Mission Force where we have over 6,000 people at Fort Meade and other places now preparing for a fight. Well, if the future conflict is gonna be malicious software that's got a back end over supercomputer telling it what to target next, how to change to avoid defenses, you now need your own supercomputer to try and defend against that. And I think that has just tremendous challenges for military doctrine, for organizations and certainly for staffing. And that brings me to another question. I mean, obviously a lot of these people that are extremely intelligent, we need to have the ability to work with these people. They may not be interested in joining the military. They may not, what certainly full time or part time. I mean, for lack of better terminology, I mean, do we, when we see this problem coming, deputize a cyber posse like the old days and where you bring people in that you've never worked with before. And Dr. Singer, I know you're interested in your opinions. That's why I'm an advocate of, look, there is great talent within active duty. National Guard has been a way to pull in, we've reorganized so we can pull in that talent, you know, that already has cyber skill sets. 
But at the end of the day, as you know, there will be a wide range of people who either are unwilling to serve in the National Guard and Reserves or they simply won't qualify for physical reasons, whatnot. And so we need to create alternative pathways to draw people in beyond just contracting them. And that's why I'm an advocate of both this civil air patrol, cyber security equivalent to expansions of the US digital service to include cyber security. Essentially looking at outside of this field, what are like models that we know work? How do we use those to bring in cyber talent? And then lastly, I'd point to the Bug Bounty program. The US, you know, what will this look like? The people that participated in the Pentagon's first Bug Bounty ranged from off-duty government workers to people working in business doing it at night to my favorite example was an 18-year-old who did it in the middle of their AP tests who volunteered to help defend Pentagon networks. And reportedly he did it because he just wanted the T-shirt. So we have to have a means of pulling in all this wide variety of talent. That's what makes America great. But you also have to get them cleared from a security standpoint. You have to have them operate under some agency out there. And those are the things that I think we need to have that outlined before the attack happens. Mr. Chairman, I apologize for going over. That's fine. Interesting discussion. Mr. O'Halleran. Thank you, Mr. Chairman. I guess I want to go back a little bit to Mr. Scott's issue because I have a concern that what we're doing here is without deterrence, without clearly showing deterrence that we're in this never-ending spiral of more and more people, more conflict between the budget for cyberspace and the budget for defense, how do we pay for it that the people that are attacking us are spending far less to attack us than we are to stop the attacks? 
And so it appears that the deterrence factor has to be something that is credible, as Mr. Libicki said. I'm just trying to understand how we start to slow down the cycle. It's a great full-time employment issue for a lot of young people that are coming out of our universities. But it's a serious question as far as our long-term capability to be able to defend ourselves without trying to deal with the deterrence side in a meaningful way, if we do not deal with it in a meaningful way. So how does that all occur? Mr. Libicki, I'd like to start with you. I think ultimately, the way you discourage people from attacking you is to give yourself an architecture, the relationship between information and systems that reduces their value, what they get from attacking you in the first place. And even if we had an effective national deterrence policy, we would still have many other threats from criminals, from insiders, and so one of the advantages of defense and resiliency is that it defends against people no matter what their motivation and no matter what way we can or cannot reach out and touch them. And I take it from your comment that you don't feel we're at that point yet where we have the system that can deter like that. I think we've made a great deal of progress. I think we have a lot more progress to make. It's going to be a long challenge. Dr. Singer? So there are different forms of deterrence and because of the Cold War experience, we typically focus on the idea of deterrence by overwhelming retaliation. There's many things for the people at Fort Meade to be upset with Mr. Snowden about, but the one thing he did reveal is that there's no question of our offensive capability. And yet as we see, the attacks continue. So it's not like the Cold War where there's mutuality here and that someone attacks us and we respond in a like manner. 
So if we're thinking about retaliation, it's going to be better using those other tools of American power to influence actors that have both attacked us, but also others looking to it. And that's why I'm very pointed about the Russian campaign and our lack of a response to it has incentivized a wider array of actors. Secondly, there's a different form of deterrence which wasn't possible in the Cold War called deterrence by denial or it's resilience. It's the idea that I don't attack you not because you're going to hit me back but because my attack is not going to succeed. You'll shrug it off. And importantly, resilience would be a useful building activity. Whatever the form or type of attacker, you build good resilience. It's good against criminal actors, state actors, you name it. And in my written testimony, there's a whole series of actions that we can take to raise our resilience levels and therefore make attacks against us less successful and therefore less likely. Thank you. And Mr. Healy, just to go a little bit further on this, we just talked about Russia during the Cold War. It got to the point where they just appeared to not be able to afford to continue on with the path. In this instance, we have a situation where those that are attacking us can't afford to keep going because our cost ratio is much higher than their cost ratio. Just how do we start to stop that? I don't understand what Dr. Singer just said, but again, the architecture is just not there right now and our cost is just exploding. There are new architectures and new things that are coming down in the computer fields that I think will help. We've been doing a New York Cyber Task Force at Columbia University to say, what can we make a more defensible cyberspace, a more defensible America, and more defensible sectors, more defensible companies. 
And so for example, going to the cloud, I was astounded at how many of the bank chief information security officers and others that were saying, absolutely, it allows you a more secure foundation to build that from the ground up. The CIO thinks he's gonna do it for cost reasons, but really you do it for security. I'd also like to add, I tend to be very hesitant when it comes to trying to raise the adversary's costs more directly, but I certainly think when it comes to Russia, we've got a national mission team. They're looking into red space, able to disrupt the Russian influence operations and cyber attacks. I think absolutely we should start thinking about that to help out French and German elections as they're coming up. Thank you. Thank you, Mr. Chairman. Thank you, just Mr. Wittman. Thank you, Mr. Chairman. Appreciate our panelists for joining us today. Dr. Libicki, I wanna start with you. You had spoken very much about building an offensive capability. I have a particular interest in that because I think it's the way that we can make our adversaries use their resources to defend their systems. I think that's extraordinarily important. Give me your perspective about how in the realm that we see ourselves in, especially with the United States Navy, with new systems, unmanned platforms and what we have to do to create command and control there, how do we not only protect those systems, but how do we look at vulnerabilities that our adversaries might have with their systems so that their time is taken up not in going after our links within our systems or looking for weak points there, but what they have to do to defend their systems and how do we most aggressively pursue that? Well, there are a number of standard ways for exploring other people's systems and one of the best ways is actually buy a copy of them and run it in our test labs and we did that throughout the Cold War and I don't think our activity has slowed down very much. 
To the extent that they use international components in their systems, we already have a certain amount of familiarity with that. We probably pick up a great deal of electronic intelligence just by listening to these components communicate with them over the air. But let me actually address your question by asking a question for which I'm not quite too sure there's a good answer, but I'll do this anyway. To what extent do we wanna tell folks or hint to folks that we have an ability to interrupt their information systems? On the one hand, it gives us a certain amount of deterrence. It reminds people who are throwing a lot of stones that they live in glass houses and it reveals our intention to go after their glass houses which I think is very important. On the other hand, you wanna do it in such a way that it doesn't look overly aggressive, aggressive but not overly aggressive and you wanna do it in such a way that it doesn't give away too much of how we actually do our business. So there's a lot of trade-off to be had here. I think we're in a good position where we're given credit for a lot of capability without necessarily having to show it. I don't know what the depletion rate of that confidence is. But right now I think it's pretty high. So we have American defense officials, certainly in the last administration, I think in this administration who have hinted from time to time that we have a great deal of capability and they need to watch themselves but to maintain that confidence or lack of confidence in their mind, I think is a challenging problem but not an insurmountable one. The next question, how do we as we look at where the future brings us with educating and training our military members and leaders today for the challenges they'll face tomorrow within the cyber realm? 
And I've been an advocate to say all the way from the basic training level, tactical level all the way up to the strategic level, there needs to be a common theme of training and educating everybody in the military as to the cyber sphere that they're gonna operate in. Give me your perspective on where you see things currently going, maybe even some of the efforts that are undergoing through your experience that are happening, maybe at places like the academies and what needs to happen there to make sure we from top to bottom in our fighting force emphasize the cyber realm as much as we do the kinetic realm. I'm glad you asked that question because it allows me to speak on behalf of my employer. I think the Naval Academy does a really good job on this. We have two semesters of requirements for all Naval and Marine Corps officers, one they take in their first year, one they take in their third year and I have a little experience with them because I teach a lot of freshmen, this sort of stuff. We also have a cyber operations major. This year we will be graduating about 40 folks and one of the nice things I like about the program is that we spend year and year two, year two and three on the technical education and then starting in a bit in year three and into year four, we give them the policy perspective. One of the biggest shortfalls in the area of cyber is you have a lot of technical people that can't talk policy. You have a lot of policy people who don't have a rich enough foundation in the technology and I believe the Naval Academy is graduating officers that in fact have a background in both of them and I think that's very beneficial and I think it's something that I, speaking ex cathedra, that I think the other two military academies also should take a serious look at. 
Are there any efforts underway currently as far as facilities or things that might be there in the future to make sure that we aren't even enhancing that experience with things like a secure facility, like a SCIF for them to be able to learn and operate within? Well, as you happen to ask, we are building a cyber building, Hopper Hall, I think it's called, on campus, should be ready in about 2019 and it is supposed to have a SCIF. Very good. Thank you, Mr. Chairman, with that I yield back. Mr. Veasey? Thank you, Mr. Chairman. I want to ask Mr. Healy a question. In your testimony you recommended that the U.S. needs to take further steps to deal with foreign influence in cyber realm and I wanted to ask you if you could elaborate more on what those steps look like and which agency you would have spearhead those. Yes, thank you, Congressman Veasey. I think it is a tough question because one reason why I think we have turned to the Department of Defense to help us out on cyber issues has been they were there with the capability when they were needed. Many people have been very disappointed that it's taken Department of Homeland Security so long to get themselves up when it comes to dealing with cyber issues and yet DOD has been there quietly providing capabilities for a long time. I see the same problems are going to vex us here when we're talking about influence operations. DOD clearly should not be in the lead on such things but we can easily imagine ways that the Department of Defense can bring their amazing capability to bear on this. They've already been studying information operations. 
I think they should be coming to Congress with different projects to fund within the probably within the cyber branches for example 24th Air Force or 10th Fleet to start rebuilding that information operations capability and also blowing on the coals of where that information operations capability resides particularly National Defense University and hopefully that can kick off while the interagency process is figuring out how better to deal with this. I think there'll obviously be a role for justice and for state in the Department of Homeland Security but it's gonna take them much longer I think to get their capability up to speed unfortunately. Thank you very much. And also I wanted to ask about just the relationship between the private sector and the government moving forward when addressing these cyber security concerns. There've been obviously lots of talk about the government being able to have a back door to be able to go into some of these devices so they can go back and find out exactly what was taking place but then also there are other apps and things like that that are overseas that the companies here in America don't necessarily have the same access to that wouldn't be able to unlock some of those clues that we may be seeking in case of some sort of a terrorist attack. So I just wonder if you had any thoughts on that at all either any of you. So across the board if you did a poll and actually they've been done of cyber security experts consistently they would say that building in back doors is the best way to create greater vulnerability for the wider public and the defense department systems themselves that we've talked about. So that's why you find very few advocates of that within the community and by the way people would just move to other systems. So the challenge I think to move that's a known known. The challenge in between the public and private sector relationship. 
Now one of the key areas is just who does the private sector turn to for help when there is an incident. The administration towards the Obama administration in its last year began to clarify that a bit but it's not yet enough. It's not yet clarified and in my sense when among the proposals I've got there is a so you know the idea of you need a one stop shop a key place for them to go. I wanted to circle back though to your prior question about influence operations. Much of this the activity to counter it is gonna have to happen outside of the defense department. It's everything that we mentioned from the creation of an active measures working group to debunk lies and make it harder for people to spread them. It's to the debate over critical infrastructure in our election systems has I believe wrongly focused just on voting machines when clearly the targets are political organizations they should be having the same kind of information sharing that competing banks do and same kind of link ups to government. The activities during the 2016 election would have been stopped if just the FBI and the DNC had had a better means of communication and had been able to trust each other. To again there's other elements to this on the intelligence community side Congress should be requesting briefings on just what these influence operations and the broader spread of social media means for the likelihood of conflict itself. How it is affecting popular sentiment among adversary states and the like. Thank you very much Mr. Chairman, I yield back. Thank you. Mr. Bacon. I think four stars. You're gonna get different priorities. Sorry about that. Different priorities, different visions and I see we could break down that synergy that you need in that cohesion. What are the benefits of moving away from a dual hat relationship and getting two different four stars? And isn't there a better way to elevate cyber command than going down the path that some are suggesting? 
And I just open up to anybody that cares to answer. Let me make a sort of a tactical statement here. We tend to think of attack and espionage as two different things, right? Attack is your Title 10 thing, espionage is Title 50 but we shouldn't have the same people doing attack as we do have espionage. But in practice, the two may be a lot more similar than we think. Let me give you a scenario. Let us say that I can attack a network, inject messages in a network and tell the bad guys to meet at a particular place. I get there an hour before they do. Tactical engagement, I win, right? Right. Scenario two, I listen until I find out that they're going to meet in a separate, in a particular place. I find out where, when, I get there an hour before they do. The tactical results, fairly similar, right? Why do you want one organization doing one and one organization doing the other because we happen to have defined injection as a Title 10 issue and interception as a Title 50 issue? I think what those folks are doing and sort of as a broader issue, a lot of what you can do with interception of information these days has a lot more tactical relevance than it did 20, 40, 60 years ago. If I can get into your equivalent of Blue Force Tracker and just listen, the tactical advantages I would have would be tremendous. So you're positing here that you should have a totally separate cyber command that has that reconnaissance capability. Is that what I'm hearing? Well, if you end up with that reconnaissance capability, you've now recreated a large chunk of NSA. That's right. So wouldn't you want a single hat or a dual hat four star? Well, that's a different question I have to give more thinking about. You certainly want some very strong XOs in both of them, right? So that in fact, the XOs and the running the agencies. Which is what we have today. Which is what we have today. So it depends on the quality of the XO. Mr. Healy, it looks like you have a different thought. 
I think Peter and I, we're looking to jump in. One, I don't mind creative friction. I think this is the most escalatory kind of conflict we've ever come across. I don't mind having some brakes on that just like we don't mind brakes on using nuclear capability. The people that say let's keep them together, they want to optimize offense, intel and defense, and it's true. Keeping them together does optimize that. I want to optimize America's overall defense. And that means optimizing the integration with the private sector. Look at what we've done. We've folded information assurance directorate farther into the signals intelligence directorate NSA. I would have loved the option to keep that out so that they are able to better work with America's private sector. Which I think are the ones that are truly doing the defense. Of course, it makes sense to optimize those things. I just think there's a higher priority when it comes to this. Mr. Dr. Singer. I think there's two points here. The first is just because you divide the dual hat structure, it doesn't mean that they can't continue to work effectively together. And we can look at models outside this space for how you've seen task forces and interagency teams and everything from General McChrystal, what he creates to engage against the counterinsurgency efforts in Iraq, which brings together talent from across services, other agencies, to how we approach counter drug efforts down in SOUTHCOM. So just because you split them doesn't mean that you can't operate in this interagency manner. And frankly, as Jay puts it, it may be easier to bring in other elements either legally or because of their willingness to work with. And then the second is, I would echo Jay's point, there's a worry, but what if they might disagree? That's a good thing. That's a good, that is our system and disagreements then allow the next tier of lead. It airs ideas and lets the next tier of leaders to get both perspectives. 
So I would say the friction between them isn't necessarily 100% bad and a lot of situations might be a good. Well, I appreciate your inputs. I just see a warning, I've commanded five times and I've seen the good rapport and I've seen somewhere there wasn't that good rapport. And I could see two different four stars with different visions and the folks that would pay for it would be down at those 133 teams that have to be working well together. So thank you. I yield back, sir. Mr. Courtney. Mr. Chairman and for organizing this hearing which is a big one for this committee. First of all, Dr. Libicki, I just wanted to add a footnote to your comments about the academies. I represent New London, Connecticut where the Coast Guard Academy and they are moving very swiftly over the last three or so years to boost their cyber curriculum. And I mean, they are very, very much focused on that and doing good work. So I'm sure the Naval Academy has obviously been leading the way but I just want to at least add that sort of a little extra comment there. And I have really just sort of one question. One of the members talked about backdoors and you may have already covered this and I apologize because I was in another committee but I mean, we're seeing, you know, obviously a lot of programs flow through this committee, large platforms where there's long range strike bomber, F-35, Columbia class and you know, the model for building these platforms now relies on a pretty extensive supply chain which can be, you know, firms and companies that are, I mean, tiny. And I just sort of wonder if you had any comment about, you know, how we sort of address that issue. I mean, it's a big one in terms of just again, the number of actors that participate in, you know, pretty sensitive projects. So you're exactly right. 
There's a series of potential vulnerabilities and they extend again across from the software-based attacks on the design process, i.e., you know, learning how to model, to copy it all the way to operational side and then the same thing when you think about the hardware, the potential of hardware hacks on the chips themselves. And the result is that it can play out in anything from lost future arms races or future sales to foreign markets to actual loss in battle. The thing that the Pentagon senior leadership, I believe, is aware of this problem but the answer to it has been kind of uneven in its implementation. And I would urge the committee essentially to, you know, you're the ones who will best know whether it's through a hearing or a report. We need to figure out when it comes to these kind of vulnerabilities, how in our acquisition system can we build up resilience? And is it law changes that need to happen in that buying process or is it policy changes that need to happen to incentivize resilience across the supply chain? And to echo something I said earlier, we shouldn't just think about this though in the defense industrial base. DoD has a lot of buying power to other parts of the economy. Where can it use that influence to aid cybersecurity writ large for the nation? And if I may, like many cybersecurity problems, this comes down to who pays in many cases. If you're talking about Lockheed Martin having the defenses to keep out Chinese attackers, well, we can say, all right, Lockheed, you have to pay for that. But for many of the companies that we're talking about here, buying in a more secure way for the supply chain is going to be more expensive and we can't always expect them to foot the bill on that to choose a more expensive part for where there's a little bit more trust. And of course, when it comes down to more pays then it's going to be services and committees like these that are going to have to help decide that. I'd like to make a statement. 
We mentioned back doors but I think front doors are also a problem. Imagine you have a very great capability, a very sensitive capability and you say, I want these people to be able to access it and you're happy. And then somebody from the outside, not the outside, somebody who's part of your group or whatever, part of the military says, oh, I also want an ability to access it. Okay, well, we'll give you access and I also want the ability to access it. Sooner or later, you end up trying to figure out who's got the ability to access it. How many more people do I have to protect? How many more people do I have to monitor? Because there's a tendency in this world to just expand accessibility because it can help people do their jobs. And every time you expand accessibility, you expand the attack surface. And if you're not careful, every time you expand the attack surface, you've created another route for somebody else who doesn't have your interest at heart to go in and try to play with your system. So a lot of cybersecurity means saying no to people. Chairman Conaway. Thank you. The officer corps is being trained at the academies but this exact same training is going on for the enlisted ranks at Goodfellow Air Force Base in San Angelo, Texas. Good shout out. A lot of speculation in the media are in this world about how soon it will be before robotic soldiers take the place of the fight in the kinetic world. How soon will AI supplant the need for, and Dr. Healy, you mentioned a bit of it, computers fighting computers, but how quickly will AI supplant the need for all these human beings to be able to defend these networks and do what we do? I'll take it quickly and then yield to Peter because since he kind of wrote the books on this. Because I was an alumni of San Angelo. I think it's probably going to come more quickly than we think as many of these developments do. The part of it that worries me the most, and by that I mean 10 years. 
The part of it that particularly worries me the most is that on the defensive side, many people are thinking that artificial intelligence, new heuristics, better analytics, and automation are going to help the defense. That if only we can roll these things out faster that we will be better and the system will be more stable. I think that these technologies are going to aid the offense much more than it aids the defense. Because to defend against these kinds of attacks, you need your own supercomputer. That's fine for the Department of Defense. We've got them lying around. But for America's critical infrastructures, they are not going to be able to afford such defenses in many cases. Certainly small and medium sized enterprises and mom and pops are not going to be able to. And so that's why that future in particular worries me if it goes down that direction because it leaves much of America undefended. Let me ask one other thing and you could comment on either one of these, but most of these cyber warriors, the human versions, will be in protected enclaves, probably here in continental United States, for most of the work, will never need really to be able to fill this in M4. However, there were others in this group that may be forward deployed again in protected enclaves, but they should have some familiarity with it. Is the DOD doing a good job of being able to split out? Those guys who are going to be an enclave forever don't need to look like a soldier. They probably don't act like one and they don't take orders like one. But is there, is the Department looking at in terms of the near term need for human beings, this group of folks that really don't look good in uniform and don't need to know how to fight other than with a keyboard? And then our versus AI thing that I mentioned earlier. So on your first question on AI, it points to as an example, a recent hacker convention, a DARPA competition had AI competing to bug hunt. 
And it was won by one from Carnegie Mellon called Mayhem and it was able to take on a task that human hackers, bug hunters, it would take them a long period of time, it did it quite quickly. So the point I'd make here is that much like, you mentioned robotics and drones and conventional warfare, we have a couple of kind of disruptions, potentially coming in the cyber conflict side. AI would be one and other would be quantum where when I say disruption, it's not just when is it gonna happen, but we don't yet know is it gonna privilege the offense or defense, what are gonna be the effects of it? So in my written testimony, I advocate that you should hold a classified hearing on trying to find out where do we stand in these technologies versus likely adversaries because they're critical, we don't wanna fall behind in them. On your question of people, the answer to be blunt is no. We've done a very good job of organizing existing talent within the military, be it an active duty or starting to retool the National Guard, but we don't have a means for pulling in people outside the military who are willing to serve but not to formally join or unable to because of some requirement. And that's why in the written testimony I propose a sort of series of actions and organizations that could help us do that better. Ashleigh Baking. I just wanna add one thing. It's important to get talent into the technical side of hacking and counter hacking, but from a military perspective, it's also important to have people who understand how offensive and defensive cyber warfare fits into all the other elements of warfare so they can be presented in an integrated manner. And for that, I don't think you have much of an alternative, but a militarily trained individual, whether it officer or enlisted. 
Well, clearly it's not either or, it's both, because the physical requirements to run a keyboard and a mouse pad are dramatically different than somebody who's gotta even go down range and run a keyboard and do this one. Appreciate your perspective, I yield back. Just an editorial comment on the AI discussion. It seems to me that we're always a lot better at developing technologies than we are the policies on how to use them, and that certainly seems the case there. I'd like to back up and maybe rehash a little bit some of the topics that y'all have touched on. Starting with the role of the military to defend the country in cyberspace. If there were a bunch of bombers coming toward refineries in the Houston Ship Channel, we know what we would expect U.S. military to do to defend that private infrastructure. If packets were coming through the internet against the same refineries under the Obama administration, if it caused death or significant economic damage, I guess, not really defined, then the military could get involved to defend that private infrastructure. You gotta make judgment calls. All this has happened at the speed of light, et cetera. So I would just appreciate reflections from each of you on the appropriate role of the military in defending non-military, and defending the country, private infrastructure especially. I think there's a lot of things that the military can do, but I think it's also, there's a lot of things the military cannot do. And a lot of the difference, by the way, between the two is a sort of a technical difference. Let me give you an example. Let us say we lived in a world where the technology of firewalls was good enough, and the economies of scale of firewalls was such that it made sense to have a national firewall, right? You could say, well, that could be a role for the Department of Defense. It could be a role for another part of the federal government, et cetera. 
Let's say the Department of Defense because it often takes classified information to make a firewall run well, right? And if it turned out that that was a large part of the solution, there would be a strong argument for the military. But the state of firewall technology does not suggest a ground for that sort of optimism. There are, it doesn't defend against zero days, it doesn't defend against built-in malware, it doesn't defend against encrypted stuff, and by the time you sort of do a positive and a negative, you end up saying, I don't think the firewall is gonna get us there, and therefore I don't think whatever role is associated with running the firewall is gonna get us there either. I don't think it's a question of, well, physical is gonna be military, and cyber is not gonna be military because there's a sort of existential difference between the two. I think it's a matter of what tools do you use, and then how do you deploy those tools? And if the tools that you need to use, for instance, have a lot to do with architecture, have a lot to do with systems administration, have a lot to do with training, then the role for the federal government is correspondingly smaller. If, however, you're depending on barriers, if you're depending on classified intelligence, then the role of the military is larger. And it might be, for instance, that 20 years from now with the technology that the role of the military is much larger than it is today because the tools are different. It's entirely possible that 20 years from now the role will be smaller because we're looking at a different set of tools entirely, okay? It's not an ideological ipso facto issue. You have to follow the technology in order to think about roles and missions. Interesting, but I want y'all's perspective too. In addition, you gotta figure out who's doing it because if it's the most sophisticated sort of state actors, then it's pretty hard for anybody other than our military to defend against it. 
But I'd be interested in y'all's perspectives on this. So I think it's interesting to use your example to look back at history. So we have the obvious, a bomber plane crosses into our territory, drops a bomb, military responsibility. But we had a real, fortunately that never happened in World War II or ever. But we did have a real world example in World War II where German submarines dropped off saboteurs. And the Navy was responsible for hunting down the German submarines. In the midst of an all-out national conflict, it was the FBI that was in charge of the saboteur hunting down. So I point to, we've wrestled with these before in the physical domain. So I think when it comes to the questions of roles and responsibilities, the way we've divided it out so far for the military makes a great deal of sense. It's very clear, offensive action should be governmental, should be military responsibility. I would note there's been a push recently for, hey, shouldn't the private sector be able to hit back on its own? I would argue that's a very bad idea. It's a bad idea for the same reason that vigilantism in general is a bad idea. Makes you feel good about yourself. It doesn't actually do anything about the effect. When you move into politics, if we've got private actors out there hitting foreign entities, they might think it is a U.S. state action. So that's clearly military. Defend its own networks, again, clearly military pulling in aid from the private sector. Where it gets questionable is in this, what should the military do to aid the private sector? And as I think Jay noted and probably will note, it's not just a question of roles and responsibilities. There's also the hard reality that the private sector knows its own systems better. So it is gonna be the one best equipped to defend itself, set aside all the other appropriate questions. 
So for me, the parallel here is just like when there is a natural disaster or some other thing, the military should be on call to aid. When it moves into a situation of war, where it is an act of violence, political in nature, now we've moved into there's a clear role for the military. So say they should be able to aid if they're called upon by other agencies. But if we're short of an act of war, I don't want them fiddling around with power grid networks or the like. Okay, and Mr. Healey, as you answer, I just want to add another layer here. So according to press reports, a foreign actor destroyed computers owned by Saudi Aramco. Is that destruction of property that justifies this kind of added layer of military involvement if something like that were to happen here? Without a doubt, I used to be the vice chairman of a group called the Financial Services Information Sharing and Analysis Center that coordinates response and information within the finance sector. And there's a bunch of military help that I could have used, but it's not generally the military help that we think. I would have loved to have had just some senior NCOs or good junior officers that knew how to respond to incidents and could keep their head so that when we had a bad incident that they could help us get ready for the response and what was going to happen next. I could easily imagine a situation where attacks against the finance sector where we have to call for fires, where the banks have to say, we are not going to be able to open for business tomorrow unless we get this taken care of. How are we going to do that call for fires? The private sector is the supported command, we need to start thinking about this. The finance sector is finally starting to push an issue of how do we get our intelligence requirements listened to? We're the ones that are on the front line. How can we have some communication with the Intel community just like any other customer? 
To me, this is so difficult because the attacks have largely been so inconsequential not causing death and destruction. So I like to step back and say, well, imagine that we're not in a gray area. Imagine it's black and white. Americans have just died because of foreign cyber attack in the Aramco case. Large scale attacks against our refineries. What do the American people, what does the American president now looking to the military? It's not support to civil authorities. We're going to be looking for that military to step up. And the last thing I'll mention is in historical analogy, during the Battle of Britain, they invented something called the Dowding system where they were having to track what incoming fighters, what's the radar telling us, which fighters are we going to divert? And so I see us needing a modern version of this Dowding system that includes the private sector. So then wouldn't we have these kinds of attacks? We've got information that's coming in and we can figure out how to handle those defenses. I don't believe that is probably going to be at the NCCIC at DHS where it is right now. And it might not even be at Cyber Command. We might need a more American model that brings together a better partnership. One other thing that occurs to me as you were talking is we're going to have, if that's the case, we're going to have to have a government decision making ability in appropriate time. You cannot take every one of these cases to the NSC and deliberate on it for a month. Maybe we're moving more in that direction, but it's obviously been a problem before. Let me yield to the distinguished ranking member of the Emerging Threat Subcommittee, Mr. Langevin. Thank you, Mr. Chairman. I want to thank you for convening this panel. It's been a great discussion. I wish I had been here for all of it. I was at a Homeland Security briefing on cybersecurity on this topic as well. 
So, but I appreciate all the contributions you all have made in various aspects to this dialogue and the work you're doing in this field. Dr. Langeman, let me start with you. What metrics do you believe that we should have in place to determine if cyber operations, both offensive and defensive, are effective or not? Well, that is a very interesting question because metrics are one of the hardest things in security, right? The problem with a lot of defense is that the other side is only interested in stealing your information and you don't know about it. You think you're in good shape or in fact, you're not in good shape. One of the things that our intelligence community and our law enforcement community has gotten some traction on is trying to figure out by looking at the other side what people have stolen from our own side in terms of how good our defense is. In terms of our offense, that some of it you can do directly. If you maintain a presence in the other person's network and you want to attack it in a certain way, as long as that attack doesn't kick you out of that network, you have a fairly good platform for how you see the other side react. But in general, I think when you're judging offense, you have to take a look back and say what is the broader overall military effect that we want to have and how do we measure that particular effect, not merely the cyber effect? I think there is often a tendency, particularly because cyber space operations are so technical, to measure the quality of cyberspace operations in did we move the ones and zeros without measuring the bigger picture, did it help us win the battle slash campaign slash war? Anything else? I would add in a couple other elements. When you're thinking about on the offensive side, we've typically framed it in terms of classic military operations where clearly many, if not most of our adversaries are looking at them through the lens of influence operations. 
So it's not how many websites did I take down or your access to GPS or the like, but it's how did I shape the overall environment? How did I, to put it bluntly, hack your hearts and minds? And that's something that we need to pay attention to both in adversary hands and ours. The second is on the defensive side, when we're looking for metrics, again, they're not just the sort of obvious ones of detecting attacks. What we're seeing in the corporate sector moving more to this resilient strategy is a key is recovery time. So how long after I've detected, how long after I've been knocked down, do I get back up quickly? And this points to, again, the concept of deterrence by denial. If you've got good recovery time, then you've nullified what the attacker did to you. Good, thank you. It's one of the things I'm wrestling with right now is how do we assess metrics? And we have the NIST standards, for example, which are important, but the degree to which they're being adopted and if they're being adopted, is the framework effective? We don't have any sufficient metrics right now to measure that. So let me ask, while I still have a little bit of time left, to all our witnesses, in your opinion, what are the greatest policy challenges that the department is facing with respect to military operations in the cyber domain? I would say that the greatest challenge that DOD faces is understanding its own vulnerability and understanding its own vulnerability on an end to end basis. I think that's a fine answer. I'm still, I struggle when I talk to DOD officers and officials and they seem pretty uncurious about how tomorrow's cyber conflict might look different than yesterday's. They're so deep down into looking at the ones and the zeros and talking about network speed and hazy borders that I would love their challenge to pull out. I mean, we're so busy doing the destroyer engagements. We're not thinking about fleet actions or what actually winning is gonna mean in this field. 
I'd echo the concept here again of, while it's almost natural in terms of identity and thinking to focus on the offensive, on the how do I use this? How do I take it to the enemy? The reality is that resilience is a side that building up DOD resilience would give us a greater advantage. It's just to put it bluntly not as sexy and it's not something that has the same appeal. The second to add to this would be multi-domain operations, understanding how fires from one domain might affect another domain. And a key element of this is recognizing that a lot of what we're talking about is not just cybersecurity, but moves into the space of electronic warfare where adversaries, in particular Russia, have been making deep, deep investment in that. And as they showed off in Ukraine, particularly in the ground forces side, they're probably better than us. And this is an area where, again, we may need to think about coming off of decades plus of counterinsurgency, have we shrunk too much our electronic warfare capability, not just building out cybersecurity capability, but do we need to build up EW side too? Thank you all very much. Mr. Khanna. Thank you, Mr. Chairman, for convening this panel and for your leadership of our committee. My question is for Mr. Healey. I was very pleased to read in your testimony that the center of U.S. cyber power is in Silicon Valley and not in Fort Meade. Of course, I represent that area and that's what many folks in the Valley think. My question for you concerns coordination. The reality is today we have many private companies that have their own basic cybersecurity defense and we would never have that each company have their own private military. Is there a way to have information sharing or a platform between these companies? Is there a way to have information sharing between them and the government in a way that doesn't compromise classified information? 
It's a great question and I'm very happy that I had a chance to come back and add some details to these remarks. Some of those already exist and are relatively well-funded. We can still build capabilities. Others don't exist and we hope that they'll stand up. Others are in place but relatively starved of resources. I'd been, as I mentioned, the vice chairman of the FS-ISAC and we only shared information and coordinated response for people that paid to be members, largely that meant Wall Street. We got about a $2 million grant from Treasury to re-up our technology but we had to include all 13,000 plus financial institutions in the United States and now the FS-ISAC is winning awards for being the best information sharing and response organization. I think that's the best $2 million that we spent in U.S. government on cyber ever. Compare that. DHS right now is spending millions of dollars a year on a vulnerability database that is in trouble right now. One of my colleagues was running an open-source version of that that had something like four times as many vulnerabilities in it for $10,000 a year and they ended up having to close up shop because they were starved of resources. So there's so much that's happening out there and we don't necessarily have to recreate that within the department or within the government because it already exists. Others that I'll mention and I'm sorry I won't break out the acronyms in the interest of time. NANOG is an operating group that helps coordinate the main network service providers. NSP-SEC does the same and was critical in the response to the denial of service attacks on Estonia. And there's many of these groups out there that are already helping and I think with some small targeted grants like the FS-ISAC could, for we're talking a few million dollars, they might be able to build a secretariat, they might be able to include new technology and I think really make a difference. 
You saw this with the defense industrial base sharing where just saying go ahead you can share you won't get in anti-competitive trouble led to significant differences. So I'd love to follow up with you offline and get your thoughts on this but if you were to prioritize then one or two things that we on the committee could do what would those be in terms of the funding? In this area, the first thing that I would want to do and this is this committee but also maybe Homeland Security is have the executive branch go through each of several different kinds of the main incidents that we've faced. Botnet takedown, denial of service attack, major malware spread like Conficker or counter APT and go through in a disciplined way who took what actions, who took what decisions based on what information and what happened next. I think if we went through that process in a disciplined way, it include decision modelers in that. I mean, again, we're talking about a few million dollars and you come out with that and now you know the actual decision makers, you know what the information sharing requirements are. We can build our cyber incident response plan around that and then we can help use grants if necessary to start building the capability where it's needed to make sure that's gonna happen better next time. Thank you. Well, thank you for your testimony and I hope we can work with you on these issues. Thank you, Mr. Chairman. Thank you. I wanna go back to resilience for just a second. Now, y'all have talked a lot about it. Obviously the drive for the Department of Defense, as you've all mentioned, an internet of things, everything's connected, every platform's a sensor to increase your capability. And yet as we think about the Russian hacking, one of the reasons people had confidence in our voting system is because every state was different. 
And so that diversity, the fact that they were not all linked together was part of the resilience that made it much harder for any actual changes to happen in the voting. So how do you balance that? You want to be more effective, we don't have enough money and yet does not this drive to have everything connected reduce our resilience? There's a couple of things to note. I mean, we should be clear that, well, I'll put it this way, part of how you find that optimal mix of what you're laying out is essentially kind of both diversity, but no one old. And the constant story again, whether it's your personal cybersecurity or DoD cybersecurity is this battle between convenience, effectiveness and security. And that's the same. So you find that optimal space, frankly, by doing, by training, by testing. I would use the example of the election side though to illustrate this. There's been testing done that shows, yes, voting machines are vulnerable. It's not that the diversity kept us safe. It's that in the 2016, the threat actor didn't go after them. The threat actor went after not the voting machines, but the voting public. And this is again, a lesson to the DoD side is it's not always about how does my system work. It's about the humans behind them, be it their hearts and minds and sentiments or their awareness or the like. So we shouldn't tell ourselves that we've been made secure because an actor didn't go after something. They have to went after something else and were effective at it. And now, again, are going after other allies. They're not targeting, as far as we're aware, the French voting machines or the German voting machines, they're targeting the voting public and getting potentially maybe more out of it. And I think it's a great point and I really want to associate myself with Dr. Singer's point in this and your previous question. Because to me, when I hear the military talking about cyber and the third offset, I get really, really worried. 
Because it seems from a lot of my colleagues that I hear from, they're thinking that that means more offense. And offense is gonna be how we can use cyber as part of the third offset to move in a way that our adversaries can't. I think you've hit exactly on resilience is the way that we can do that. Having better cybersecurity so that we can have deterrence by denial and they're not going to be able to affect us is critical to part of that. I've been very heartened to see what's been happening in the military in a few years where they're saying, let's operate, let's unleash the red teams and exercises so that they can really show us what they can do and really affect the exercise. Whereas normally you would not let them affect the exercise goal. Just like the Air Force used to make sure pilots could operate through jamming, they're now starting to say, what can we do when we don't have the internet? And I think that kind of resilience is really where we're gonna have the third offset. Yeah, I agree completely on exercising when your networks go down or something. That's true. And I just mentioned among the hearings we are planning in the future is one that looks more broadly at, however you wanna describe it, hybrid warfare attempts to influence policy short of traditional methods of warfare. Certainly what the Russians are doing are some examples, Chinese using their economic power or others. This is one of our key challenges I think which y'all have touched on but we don't have time to get in. Thank you all for being here. It's been very helpful. The hearing stands adjourned.