
tv   Senate Armed Services Cmte. Cybersecurity Hearing  CSPAN  October 20, 2017 12:53pm-3:19pm EDT

12:53 pm
>> defense department, fbi and homeland security department officials testify about the nation cyber security and defense capabilities against cyber attacks. the senate armed services committee held a hearing yesterday. [inaudible conversations]
12:54 pm
>> good morning. the committee meets to receive testimony on the u.s. government policy, strategy and organization to protect our nation in cyberspace. to begin i'd like to thank senators rounds and nelson for their leadership on these issues and our cyber security
12:55 pm
subcommittee. this hearing builds upon the good work that they and their subcommittee have done to tackle the critical challenge of cyber. this is a challenge that is growing more dire and more complex. not a week passes that we don't read about some disturbing new incident, cyber attacks against our government systems and critical infrastructure, data breaches that compromise sensitive information of our citizens and companies, attempts to manipulate public opinion through social media and of course attacks against the fundamentals of our democratic system and process. those are just the ones that we know about. this is a totally new kind of threat as we all know. our adversaries, both state and nonstate actors, view the entire information domain as a battle space and across it, they are waging a new kind of war against us, a war involving and extending beyond
12:56 pm
our military to include our infrastructure, our businesses and our people. the department of defense has a critical role to play in this new kind of war but it can't succeed alone. to be clear, we are not succeeding. for years we have lacked policies and strategies to counter our adversaries and we still do. this is in part because we are trying to defeat a 21st century threat with the organizations and processes of the past century. this is true in the executive branch and frankly it's also true here in the congress and we are failing. that's why this committee is holding a hearing and why we have taken an unorthodox step of inviting witnesses from across our government to appear today. they are the senior officials responsible for cyber within their respective agencies, and i want to thank them for joining me and welcome them now.
12:57 pm
we have the assistant secretary of defense for homeland defense and global security; scott smith, assistant director for cyber division, fbi; and chris krebs, undersecretary for the national protection and programs directorate at the department of homeland security. i'd also like to note at the outset, the empty chair at the witness table. the committee invited the principal u.s. cyber official, white house cyber security coordinator rob joyce. many of us know him and respect him deeply for his significant experience and expertise on cyber and his many years of government service at the national security agency. unfortunately, but not surprisingly, the white house declined to have the cyber coordinator testify, citing executive privilege and precedent against having non-confirmed nsc staff testifying before congress. while this is consistent with past practice on a bipartisan
12:58 pm
basis, i believe the issue of cyber requires us to rethink our old ways of doing business. to me, the empty chair before us represents a fundamental misalignment between authority and accountability in our government today when it comes to cyber. all of our witnesses answer to the congress for their part of the cyber mission, but none of them is accountable for addressing cyber in its entirety. in theory, that is the white house cyber coordinator's job but that non-confirmable position lacks the full authority to make cyber policy and strategy and direct our government's efforts. that official is literally prohibited by legal precedent from appearing before the congress. so when we, the elected representatives of the american people, ask who has sufficient authority to protect and defend our nation from cyber threats, and who is
12:59 pm
accountable to us for accomplishing that mission, the answer is quite literally no one. previous administration struggled to address this challenge between dod, dhs and the fbi, well-intentioned as it was, but the result was as complex and convoluted as it appears in this chart. given that no single agency has all of the authorities required to detect and respond to incidents, it has created significant confusion about who is actually accountable for defending the united states from cyber attacks. meanwhile, our increasingly capable adversaries seek to exploit our vulnerabilities in cyberspace. facing similar challenges, a number of our allies have pursued innovative models to emphasize increased coordination and consolidation. in doing so, they have significantly enhanced their
1:00 pm
ability to share information with the public. the united kingdom recently established its national cyber security center, an organization that orchestrates numerous cyber functions across the british government under one roof sitting side-by-side with industry. today's hearing is an opportunity to have an honest and open conversation. our concerns are not meant to be critical or of your organizations. each of you are limited by the policy and legal framework established by congress and the administration.
1:01 pm
>> as the one who rushed to the scene that they were in charge with none having the authority or even worse, realizing after a cyber incident that your organizations were not prepared and resourced to respond based on a flawed assumption that someone else was responsible. i thank the witnesses for their service to our country and the willingness to appear before this committee. as we continue to assess and address our cyber challenges. senator reed. >> thank you very much for holding this hearing, and welcome to our witnesses today. let me also commend senators rounds and nelson for the great leadership on this subcommittee. cyber threats facing the nation do not respect organizational or jurisdictional boundaries, defense department, intelligence community, fbi, department of homeland security, are all critical in countering cyber threats. each agency functions in silos and specialist laws and authorities. in order -- must develop an integrated whole of government
1:02 pm
approach to strategic planning, resource allocation and execution of operations. i am echoing the chairman's points. this department is not unique to the cybersecurity mission. by the extremism, narcotics and human trafficking, transnational crime, weapons of mass destruction and other charges are effective whole of government response that cut across the missions and responsibilities of departments and agencies. as issues become more complex these problems are becoming more numerous and serious over time. there have been various approaches to this problem. with little demonstrated success. white house generally have few tools at the disposal while the lead agency does need to address cross cutting jobs that must remain focused on the mission of its own organization. last year president obama signed ppd 41, united states cyber incident coordination policy. it established a cyber response group to pull together a whole of government response, but
1:03 pm
these are ad hoc organizations with little continuity that come together all in response to events. i believe what is needed instead is a framework with an integrated organizational structure authorized to plan cooperating in peacetime while the constant progression of cyber opponents. this arrangement has precedent. the coast guard is a service branch and the department of defense but is a vital part of the department of homeland security. it has intelligence authority, defense responsiveness, customs and border enforcement of law enforcement authority. the coast guard exercises these authorities judiciously and responsibly and enjoys the confidence of the american people. we can solve this problem. we have examples. last year's national defense authorization act created cross functional teams to address problems. these teams are composed of experts in the functional organizations that rise above the interest of their bureaucracy. the team leads would exercise executive authority delegated by the secretary of defense.
1:04 pm
such an approach might be a model for the interagency to address a crosscutting problem like cybersecurity. there is indeed urgency to our task. russia attacked our election last year. they attacked multiple european countries, the nato alliance and the european union. the intelligence community assures us russia will attack our upcoming midterm elections. so far we've seen no indication that the administration is taking action to prepare for this next inevitability. finally the government cannot do this alone. as former cyber command and nsa director general keith alexander testified, while the primary responsibility of government is to defend the nation the private sector shares responsibility in creating the partnerships necessary to make the defense of our nation possible. neither the government nor private sector can protect their systems and networks without extensive and close cooperation. in many ways the private sector is on the frontline of the cyber threat and the government must work with them if we're to effectively counter that threat. we need to covet strategy but it
1:05 pm
must be in cooperation with the private sector. i thank chairman mccain for holding this hearing and for cosponsoring my legislation that is in the banking committee jurisdiction, the disclosure act which are federal securities laws tries to encourage companies to focus on avoiding cybersecurity risk before they turn into costly breaches. thank you, mr. chairman. >> welcome witnesses. mr. rapuano, please proceed. >> thank you, chairman mccain, ranking member reed and members of the committee. it is an honor to appear before you to discuss the roles and responsibilities of the department of defense and its interagency partners in defending the nation from cyber attacks of significant consequence. i'm here today in my role as the assistant secretary of defense for homeland defense and global security as well as the principal cyber advisor to the secretary of defense, in which i oversee cyber policy in the
1:06 pm
department, lead the coordination of cyber efforts across the department and with our interagency partners, and integrate the department's cyber capabilities with its mission assurance and defense support to civil authorities activities. i appreciate the opportunity to testify alongside my interagency colleagues because these challenges do require a whole of government approach. dod is developing cyber forces and capabilities to accomplish several missions in cyberspace. today i will focus on our mission to defend the united states and its interests against high consequence cyber attacks, and i would execute that mission in coordination with our interagency partners. the department's efforts to build defensive capabilities to the cyber mission force, or cmf, play an especially key role in carrying out this mission. for both the deterrent and response standpoint the 133 cmf teams that will attain full
1:07 pm
operational capability in september of 2018 are central to the department's approach to supporting u.s. government efforts to defend the nation against significant cyber attacks. with the goal of ensuring u.s. military dominance in cyberspace, these teams conduct operations also to deny potential adversaries the ability to achieve their objective and to conduct military actions in and through cyberspace to impose costs in response to an imminent, ongoing or recent attack. in particular, the cmf's 68 cyber protection teams represent a significant capability to support a broader domestic response. these forces are focused on defending dod information networks but select teams could provide additional capacity or capability to our federal partners if and when necessary. dod's role in cyberspace goes
1:08 pm
beyond adversary-focused operations and includes identifying and mitigating our own vulnerabilities. consistent with statutory provisions related to these efforts we're working with our u.s. domestic partners and with foreign partners and allies to identify and mitigate cyber vulnerabilities in our networks, computers, critical to the infrastructure and weapons systems. while dod has made significant progress there is more to do alongside our interagency partners in the broader whole of government effort to protect u.s. national interests in and through cyberspace. the outward focus of dod cyber capabilities to mitigate foreign threats at points of origin complements the strengths of our interagency partners as we strive to improve resilience should a significant cyber attack occur. in accordance with policy, during cyber incident, dod can be called to directly support the dhs in its role as the lead
1:09 pm
for protecting, mitigating, and recovering from domestic cyber incidents or the doj in its role as the lead for investigating, distributing, disrupting and prosecuting cyber crimes. the significant work of our departments has resulted in increased common understanding of our respective roles and responsibilities as well as our authorities. despite this, however, as a government we continue to face the challenges when it comes to cyber incident response on a large scale and it is clear with more to work to ensure we are ready for a significant cyber incident. specifically, we must resolve gap issues among various departments, clarify thresholds for dod assistance, and identify how to best partner with the private sector to ensure a whole of nation response if and when needed. dod has a number of efforts underway to address these challenges and to improve both our readiness and that of our
1:10 pm
interagency partners. for instance, we're refining policies and authorities to improve the speed and flexibility to provide support, and we're conducting exercises such as cyberguard with a range of interagency and state and local partners to improve our planning and preparations to respond to cyber attacks. additionally, the cyber executive order, 13800 signed in may will go a long way in identifying and addressing the shortfalls in our current structure. although the department has several unique and robust capabilities, i would caution against ending the current framework and reassigning more responsibility for incident response to dod. the reasons for this include the need for the department to maintain focus on its key mission, the long-standing tradition of not using the military for civilian functions, and the importance of maintaining consistency with our other domestic response frameworks. it's also important to recognize
1:11 pm
that a significant realignment of cyber response roles and responsibilities risks diluting dod focus on its core military mission to fight and win wars. finally, putting dod in a lead role for domestic cyber incidents would be a departure from accepted response practice in all other domains in which a civilian agency have the lead responsibility for domestic emergency response efforts. and it could be disruptive to establishing that critical unity of effort that's necessary for success. the federal government shouldn't maintain -- should maintain the same basic structure for responding to all other national emergencies, whether they're natural disasters or cyber attacks. there's still work to be done both within the department and with our federal partners to improve dod and u.s. government efforts over all in cyberspace. towards this end i'm in the process of reinvigorating the role of the principal cyber
1:12 pm
advisor, clarifying the department's internal lines of accountability and authority in cyber, and better integrating and communicating dod cyberspace strategy, plans, and train and equip functions. we will also be updating our dod cyber strategy and policies on key cyber issues such as deterrence and translate this guidance into capabilities, forces and operations that will maintain our superiority in this domain. the department is also working to ensure that several strategic initiatives it is undertaking come to fruition, including the elevation of u.s. cyber command, the implementation of the cyber executive order, initiating the cyber excepted service program, and rationalizing the department's cyber budget and investment. our relationship with congress is critical to everything we are doing to defend the nation from high consequence cyber attacks. i am grateful for congress's
1:13 pm
strong support and particularly the subcommittee's interest in these issues and i look forward to your questions and working with you and your staffs going forward. thank you. >> thank you, mr. chairman, thanks, committee, for offering me an opportunity to provide remarks on the cyber capabilities. as the committee is aware the frequency and sophistication of cyber attacks on our nation have increased dramatically in the past decade and only look to be growing. there are significant challenges. the cyber domain to me is unique, constantly shifting, changing and evolving. but progress has been made in improving structures and collaboration in innovation. but more can be done. staying ahead of today's threats requires a different mindset than in the past. the scale, scope and complexity of today's threats in the digital domain is unlike anything
1:14 pm
humanity or our nation has ever experienced. traditional approaches and mindsets are no longer suited to coping with the speed and complexity of the digital domain. we have to include the digital domain as part of the threat ecosystem instead of separating it as a mechanical machine. this new era, often called the fourth industrial revolution, requires the fbi to rapidly assign, align and engage, empowered network teams who are purpose driven and have fierce and unrelenting resolve to win. what does this all mean? what are we doing to meet and stay ahead of the new digital domain? predict, impose consequences, that's what the fbi cyber mission is going. the fbi cyber division and program is structured to address a lot of these unique set of challenges. in the field the fbi is made up
1:15 pm
of 56 different field offices spanning all 50 states and u.s. territories, each with a cyber squad, and each developing multi agency cyber task forces which brings technically proficient investigators, analysts, scientists, from state and local. in addition to those field resources, cyber division offers program management and coordination and more technically advanced responders in our cyber action teams. the cat teams are in the cyber rapid response force that is on call and prepared to deploy globally in response to significant cyber incidents. additionally at fbi headquarters we manage cywatch, 24 hour watch center which provides continuous connectivity to interagency partners in an effort to facilitate information sharing and real-time incident management and tracking ensuring
1:16 pm
all agencies are coordinating. in addition to the cyber specific resources, the fbi has other technical assets that can be utilized in the event of cyber incidents. these include our operational technology division, the regional computer forensic laboratory programs, and a critical incident response group providing additional expertise and capabilities and resources that the fbi can leverage at a cyber incident. partnerships are an absolute key focus area for the fbi. we rely on a robust international presence to supplement our domestic footprint. through cyber assistant legal attaches, the fbi embeds cyber agents with our international counterparts with 18 to locations across the globe. the fbi also relies on private sector partnerships leveraging the national cyber forensic allies, domestic security
1:17 pm
alliance to name a few. billy deposit home through training, investigation and joint operations is where we are applying our efforts. incident response, the fbi has the capability to quickly respond to cyber incidents across the country and scale its response to specific incident utilizing all its resources in the field, headquarters and abroad. we have the ability to galvanize and direct all available cyber resources instantaneously. utilizing dual authorities as domestic law enforcement organization and a member of u.s. intelligence community, the fbi works closely with interagency partners within a whole of government effort to countering cyber threats. the fbi conducts cyber missions with the goal of imposing costs and consequences on the adversary and while we would like to arrest every cyber criminal
1:18 pm
we recognize indictments are just one tool in the suite of options that are available to the u.s. government when deciding how best to approach this complex cyber threat. the fbi understands the importance of incoherently joined with and will continue to find ways to work with interagency partners in responding to cyber incidents. we look forward to expanding our partnerships with cyber command given their new and unique capabilities and with the national guard's new cyber program in complement our field offices and cyber taskforces. all within the confines of current laws, authorities and expectations of the american people. we at the fbi appreciate this committee's efforts in making cyber threat a focus and committed to improving how we can work together to better defend our nation. we also look forward to discussing these issues in greater detail and answering any questions that you may have. thank you, mr. chairman.
1:19 pm
>> thank you. mr. krebs. >> chairman mccain, ranking member reed, members of the committee, thanks for the opportunity to appear before you today. in my current role performing the duties of the undersecretary for the national protection and programs directorate i lead the department of homeland security's efforts to secure and defend our federal networks and facilities, and the systemic risk to critical infrastructure and improve cyber and physical security practices across our nation. this is a timely hearing as during december, october we recognize national cybersecurity awareness month, find a focus on how cybersecurity is a shared responsibility and ethics of the business, organization in america and is one of the most significant and strategic risks to the united states. to address this week as and if we work together to develop a much needed policies authorities and capabilities across the interagency with state international partners in coordination with the private sector. department of defense's eligible receiver exercise in 1997 laid bare our nation's
1:20 pm
cybersecurity vulnerability and consequences initiating a cross-government journey to respond to the growing cyber threat. over the ensuing 20 years through a series of, orders and other documents omitted most recently with executive order 13800 we established an increasingly defined policy foundation for the cyber mission space. roles and responsibilities have been further bolstered by bipartisan legislation providing executive branch and in particular dhs much-needed authorities to protect federal and critical infrastructure networks. we can solidify the role by giving my organization and index reflects our operational mission and i look forward to working with you in that effort. building on those policies and authorities the department continues to develop the operational capabilities to protect our networks. a national cybersecurity and communications integration center or nccic is a center of gravity for dhs and cybersecurity operations. we monitor federal civilian
1:21 pm
enterprisewide risk picture that allows us to manage risk across the dot gov. it brings together partisanship of classified and unclassified threat information. partners include representatives from critical infrastructure committee, state, local, and tribal governments, sector-specific liaisons from the department of energy, health and human services, treasury and defense, intelligence community, law enforcement, fbi and liaisons of each of the cyber centers including u.s. cyber command. they all sit with one another at nccic. we know we can't stop your in need of efforts to develop scalable solutions to manage systemic cybersecurity risks across the infrastructure. last year's presidential policy director -- directive further clarified rules and separates principles for the federal government's response to cyber incidents including formalizing the cyber response group and cyber unified coordination group. it required the department to update the national cyber
1:22 pm
response plan or ncirp which was completed last january. updating the ncr at pete and marshall insisted a local partners was a critical step in submitting our shared responsibility and accomplish three main goals. first it defines the role and responsibility of all stakeholders, second it identifies the capabilities required to respond to a significant cyber incident and third it describes with our federal government will coordinate its activities with those affected by a cyber incident. however focus with forward is to build on the with multi-stakeholder operational plans and incident response playbooks and that we must train and exercise to the consumer to identify and address the gaps that makes us. we are building on our cyber mission workforce within the framework of the ncirp with our hunt and incident response teams exercise the tenets of the ncirp each day. we work across the stakeholders within the nccic to conflict this mission.
1:23 pm
dhs teams are augmented with fbi and dod personnel to fight a more robust and coordinated response. this model of collaboration across agency cooperation will continue taking advantage of the strengths of each agency. to ensure we're focus on the mission that you congress have passed as with we are prioritized so that all open cyber positions at dhs, crosstraining our workforce on incident response and create a cyber incident response surge capacity force modeled after fema for natural disasters that can rise to meet any demand. before i close out like to add one last article olympic the cyber defense mission is much broader than just response. it encompasses preparedness and resilience and we must continually assess and improve our cybersecurity posture against the latest threats. deny our adversaries opportunities to wreak havoc. finally i'd like to reinforce one more time, we've made significant progress yet there's unquestionably more to do. we must do it with a never
1:24 pm
before seen sense of urgency. by bringing together all stakeholders we are taking action to manage a cybersecurity risk and improve our whole of government incident response even bows and become more resilient. i thank you for the opportunity to testify and i look forward to any questions you may have. >> thank you, mr. krebs, and thank the witnesses. i'm sure you can see that chart over there. charts are always interesting, but this one, we're going to need someone to translate for us because it's an example, and i think an one, of the difference, the differences and authorities and responsibilities, none of which seem to have an overall coordinating office or individual. of course, mr. joyce's absence here, whose job it is to do all
1:25 pm
this is an example, frankly, of the disarray in which this whole issue rests. and mr. rapuano, to start with, you said that is not department of defense responsibility. suppose that the russians had been able to affect the outcome of the last election. wouldn't that fall under their responsibility and authority to some degree of the department of defense if they're able to destroy the fundamental of democracy which would be to change the outcome of an election? >> mr. chairman, specifically, the issues associated with protecting elections from cyber incursion -- >> so you're saying cyber incursion is not something that requires the department of defense to be engaged in, is that correct? >> was no. i'm simply saying based on the
1:26 pm
state authorities and the state control of the election process in each state, there are issues associated with federal authority to engage -- >> so those issues could be corrected by legislation. they are not engraved in tablets, okay? so for you to sit there and say well but it's not department of defense responsibility. it is. to defend the nation, the very fundamental, the reason why we're here is because of free and fair elections. if you can change the outcome of an election, that has consequences far more serious than a physical attack. so i'm in fundamental disagreement with you about requirements of the department of defense to defend the fundamental of this nation which is a free and fair election which we all know the russians tried to affect the outcome. whether they did or not is a matter of opinion.
1:27 pm
i don't think so, but for you to shuffle off this well, it's not an attack, it is an attack of enormous proportions. if you can change the outcome of an election, then what's the constitution and our way of life all about? i think senator rounds will be much more articulate on the issue. so one, i disagree with your assessment, and one of the reasons why we have felt frustrated is exactly what you just said. it's exactly what you just said, well, it's not the department of defense's job. it's the department of defense's job to defend this nation that's why it's called the department of defense. mr. krebs, numerous experts over the past few years have highlighted the need for dramatic change. according to the presidential commission on enhancing national cybersecurity, and i quote, the current leadership and
1:28 pm
organizational construct for cybersecurity within the federal government is not commensurate with the challenges of securing the digital economy and supporting the national and economic security of the united states. general keith alexander, one of the most respected men in the world, said before this full committee in march quote, when we talked to the different agencies they don't understand the roles and responsibilities. when you ask each of them who is defending what, you get a different answer. admiral jim stavridis, quote, there needs to be a voice in the cabinet that focuses on cyber. obviously there's supposedly one there but he is not appearing before this committee, and that diminishes our ability to carry out our responsibilities. the list goes on and on. january 2017 center for strategic and international studies task force simply concluded quote we must consider how to organize the united
1:29 pm
states to defend cyberspace. and that if dhs is unable to step up its game, we should consider the creation of a new cybersecurity agency. the list goes on and on. i'd like to have your responses to these assessments ranging from a presidential commission to general keith alexander to the atlantic council to the center for strategic and international studies task force. all of them are saying the same thing, gentlemen. all of them are saying exactly the same thing. i look forward to getting a translator who can show us what this chart means. i'll be glad to hear your responses. mr. rapuano. >> mr. chairman, i would say just on the issue of the election process the department is clearly there to support the response or the mitigation of
1:30 pm
potential threats to electoral process but it is something that when you look at the separation of authority between state and local governments, the lead for the coordination and support in our current system is dhs. here we can provide defense of authorities as requested support those needs and requirements. >> that obviously assumes that the department of homeland security has the capabilities and the authority in order to carry out that requirement. whereas this cyber is warfare. cyber is warfare. cyber is an attempt to destroy a democracy. that's what mr. putin is all about. so to somehow shuffle it off on to the department of homeland security, of course this goes back to this problem with this organizational chart. so i steadfastly reject your
1:31 pm
shuffling off the responsibilities of cyber over to the department of homeland security, and we have included in the ndaa a requirement for you to do so. mr. smith, you want to respond, or mr. krebs? >> i'm happy to. fundamentally, it's a complex and challenging operational environment. every one of the agencies represented at the table today as you see in the bubble chart as it's called has a unique contribution across the ecosystem. >> without coordination? >> i would suggest that we are getting there, we are on the coordination. ppd 41, the cyber response group and the cyber unified coordination group provide a foundation under which we can coordinate. we do work closely with mr. joyce and national security council. however, from an operational perspective i think the department of homeland security and i, in my role as undersecretary, have the direction and
1:32 pm
authorities i need to move out. the question is whether i have -- >> are we winning or losing? >> this is a battle that's going to be going on for many years. we still can't get our arms around it. this is not -- >> repeat my question. are we winning or losing? >> it's hard to assess whether we are winning or losing. i would say we're fighting this battle every day, working with the private sector. it is a complex environment and i look forward to working with congress -- >> do you know for eight years we've been trying to get a policy, for eight years we've been trying to get a strategy, for eight years we've been trying to get something besides this convoluted chart? did you know that? >> yes, sir. i've been in my role for eight weeks. i understand your frustration. i share your frustration. i think we have a lot of work to do, and i think this is going to require both the executive branch and the congress working together to continue understanding exactly how we need to address the threat. >> when the coordinator doesn't show up for hearing, that's not
1:33 pm
an encouraging sign. senator reed. >> i wish you would consider a subpoena to get the main witness. >> i think that has to be discussed in the committee. >> well, thank you mr. chairman, thank you, gentlemen, for your testimony. the chairman has raised the issue, russian involvement in the last election, but our intelligence community essentially assured us that they're going to come back and with more brio, whatever the right term is. have you been told to prepare for that, mr. rapuano? has the defense department given direction to according to take all steps to advise the administration on what you can do to prevent, preempt or respond to russian intrusions in 2018? >> senator, i am not aware of a specific direction in terms of
1:34 pm
a specific task associated with the election process. we are engaging on a routine basis with dhs and the rest of the interagency community to develop priorities and consider responses as well as mitigation measures. as i tried to note earlier, the competing authorities associated with electoral process really do call for a thoughtful orchestration of how we would direct and task and engage with the state and local authorities. it really does need to be coordinated because each agency brings something different. there's a private sector component, because most states get very significant support in terms of their electoral systems from five entities. we are certainly engaged in the process and we're certainly available to support, but -- >> but you have been directed to start actively planning and coordinating with respect to the
1:35 pm
election specifically? >> not to my knowledge. >> mr. smith, have you and your agency the fbi been told to be actively coordinating with respect to the 2018 election in terms of interrupting, preempting, responding to russian intrusions which again the intelligence community practically assures us will happen? >> yes. >> you have been? >> yes. >> would you describe what you've been doing in general terms? >> in general terms. we have not stopped since the last election, coordinating and keeping together an election fusion cell which is jointly located at hoover building and working with our interagency partners, not only on what had transpired and getting deeper on that but also working forward as to what may come towards us in the upcoming midterms and 2018 election cycles. so we are actively engaged both
1:36 pm
with outreach in the communities and the dhs and the election task force, along with every field office has a designated election crimes coordinator who is on the ground out there in the event of information coming towards us or any evidence that we would need to be aware of and react to. >> mr. krebs, same question. >> absolutely. but i'll tell you this, i didn't need anybody to tell me to stand up a task force or anything like that. the first thing i did when i came in eight weeks ago was assess the state of the election infrastructure activities and establish an election security task force which brings together all the components underneath within nppd but also works closely with intelligence and analysis component with dhs as those fda -- fbi and other partners. i think there's a lot more to do as director smith mentioned. we're not just thinking about 18.
1:37 pm
we think about the gubernatorial election coming up in a matter of weeks. last week we worked with 27 states, the election assistance commission and established a government coordinating council, the body under which all the state election officials can come together, and provide a foundation through which to coordinate security practices, share information. we are issuing security clearances to a number of election officials and in a matter of weeks will establish a sector coordinating council which will bring the private sector elements to provide systems and technologies and support. there's still a lot to be done. we certainly have work ahead of us. no question they will come back and we will be fighting them every day. >> you mention several times you need to engage the private sector, and that's a challenge. in fact, it might be more important in this context than in any other since they lead,
1:38 pm
whereas in other areas like missiles, bombers and vehicles, it's the government more than the private sector. but just quickly, some of the things we have to consider are sort of not responsible of this committee but legislation senator mccain and i are sponsoring so they would have to designate if they haven't experts have said expert on the board or why not is a way which disclosed to shareholders but also to provide an incentive for them to be more keyed into cyber. there's been some discussions cost talking to mr. rapuano about using that terrorism reinsurance as a way to incentivize. without that i don't think we'll get the kind of buy-in. my time is about to expire but where are we in terms of private engagement?
1:39 pm
the threshold or some engagement or it still -- >> i actually came out of the private sector, spent the last several years at a major technology company where i managed a number of the cybersecurity policy issues. i have a unique understanding of what it takes on the private sector side as well as government. we do have a number of private sector representatives within nccic and with the unique statutory authorities for coordinating with the infrastructure committee. we need to better refine our value proposition to get more companies to come in and share information with us but we do have the unique liability protection capability. one thing i think will enable our advancement is, as i mentioned, i need a name change. i need to be able to tell my stakeholders, my customers what it is i do. the national protection and programs directorate doesn't do anything. i need something that says i do cybersecurity so i can go out and clearly communicate what it is on a daily basis that i do. i think that's a big step forward. >> you tell us the title you want besides president.
1:40 pm
[laughing] >> we will get you a t-shirt, too. [laughing] >> thank you, mr. chairman. the three of you can relax, because what i'm going to address is to the empty chair. and i know that this message will get through. this has to do with section 881 and 886. there are some provisions in the senate version of the ndaa, specifically those sections, that have raised concerns among the software developers critical to our national defense. the purpose of these provisions is to make available to the public the source code and proprietary data that is used by the department of defense. i'd like to submit for the record numerous letters, which i will do in a moment, and documents from industry
1:41 pm
stakeholders that share my concerns with this language. while i understand the goals and intentions of the legislation, there are great unintended consequences and impacts such as limiting the software choices available to dod to serve the war fighter, increasing costs to the department of defense by compromising proprietary nature of software or in limiting contractor options, and potentially aiding u.s. adversaries and threatening dod cybersecurity by sharing dod source code by placing it in a public repository. it also reduces competitiveness of american software technology companies by opening the software contractors' intellectual property and code to the public repository. and as we progress into the conference report, i look
1:42 pm
forward to working with the senate armed services committee on the way forward on this topic and recommend that we study this issue prior to instituting new legislation. this is a provision that is in the senate bill, not in the house bill. and i would ask unanimous consent to include in the record at this point mr. chairman these documents from stakeholders. >> without objection. >> thank you. >> well, i wouldn't exactly say that the three of you should relax, but i will address more directly not only to the empty chair, but to general mcmasters, to general kelly, to the vice president and to the president. did you realize that you handed out a chart that is five years old? the date on this chart is
1:43 pm
january of 2013. i mean, why in the world? that -- by the way, senator rounds is saying, acknowledging this, and i want to say what a pleasure it has been to deal with senator rounds as the two leaders of the cyber subcommittee. and i can tell you we are alarmed. you heard the alarm in the voice of the chairman. can we stipulate here that state election apparatuses, state election databases, can we stipulate that that is critical infrastructure? >> we have made that, the department of homeland security has made that determination and
1:44 pm
i have a subsection. >> good. therefore, a tampering or a changing or interfering with state election databases being critical infrastructure would in fact, be an attack upon our country. can we stipulate that that would be the case? why is there silence? >> let the record show there was silence. [laughing] >> wow. so do you realize that you can change -- >> could i just -- >> please. >> cut i end deferent the witnesses? that the one to -- >> i, and that's why i'm referring my comments not only to the empty chair, but to the people behind that empty chair, which is the national security council advisor, general mcmasters, the fellow who runs
1:45 pm
the white house staff, general kelly, both of whom i have the highest respect and esteem for, and ultimately the vice president and the president. i would go back and listen. i would defer to the intensity of the chairman's remarks, both in his opening remarks and his questions. you mess around with our election apparatus, and it is an attack on our country. so let me give you an example. it doesn't even have to be that the russians, or the chinese, or some third party. that's not a nationstate. we already know that they are in 20 of our states. we know that from the reports that have been in the newspaper from the intelligence community.
1:46 pm
all you have to do is go into certain precincts, you don't even have to change the outcome of the actual vote count. you could just eliminate every tenth registrant, every tenth registered voter. so when mr. jones shows up on election day to vote, i'm sorry, mr. jones, you are not a registered voter. you multiply that every tenth voter, you've got absolute chaos in the election. and on top of it, you have the long lines that result, and as a result of that people are discouraged from voting because they can't wait in the long line and so forth and so on. this is the ultimate threat. i said so many times in this committee, vladimir putin can't beat us on the land, in the air, on the sea, under the sea or in space, but he can beat us in
1:47 pm
cyber. and to hand out a five year old data chart as to how we're going to fix the situation just is totally, totally insufficient. i rest my case, mr. chairman, and i wish you would consider a subpoena. >> and would the witnesses desire to respond to the diatribe? >> that eloquent -- >> that eloquent diatribe. one of the most historic statements in the history of this committee. [laughing] go ahead, please. >> mr. chairman, i would say just in terms of the department of defense's role, it is important to note that the national guard in a number of states on the authority of the governors, trained cyber capable forces are assisting those
1:48 pm
states and they're addressing, identifying vulnerabilities and mitigating those vulnerabilities. part of them are part of the cyber mission force, and we certainly view quite appropriate the counter tasking and under state authority versus the department of defense attempting to insert itself into a process without directly being requested. >> could i just say, sir, we are appreciative of what the guard is doing. we are appreciative of what local authorities are doing. we are appreciative of what all these different agencies are doing, but we see no coordination and no policy and no strategy. when you're ready to give that to us, we would be eager to hear about it. senator fischer. >> thank you, mr. chairman. those are hard acts to follow, your diatribes. but i would like to focus on
1:49 pm
something else now with regards to response. gentlemen, one of the things that admiral rogers has emphasized is the need to move quicker across the board: faster threat detection, faster decision-making and faster responses. so mr. krebs, can you walk us through the process by which an organization, an operator of a piece of critical infrastructure, for example, would reach out to you for help? i know they first have to detect the threat, and that can take some time, but what does the process look like once they contact you? how long does it take to begin working with them, and are there legal agreements that must be in place before a response team could operate on their network? >> thank you for the question. there are of course a number of ways a victim can discover they have been breached. they had some sort of intrusion,
1:50 pm
working with the intelligence community or the fbi to notify them or the department of homeland security to inform them or of course one of the private sector vendors could discover an actor on their networks. how to reach out, there are a number of ways as well they can reach us. they can e-mail, call the spirit we have local official cybersecurity advisors throughout the region, we have protective security advisors. they can also contact the fbi. once we are aware of an incident, we will then do an intake process. every incident is going to be different. that's kind of a truism. every incident can be different. in terms of time it all does depend on what the situation is, what kind of information they want to provide. we have to work to a legal agreement just to get on their networks and install government equipment and take a look. that can take time. it can depend on the legal back-and-forth, hours or even days. but i would view this as kind of
1:51 pm
an elastic spectrum. it could take, talking hours, a couple days to a week. it all depends on the nature of the breach. >> if you determine that dod has to be as involved in the response as part of that team, i assume it is going to take more time then? and does that decision currently rest with the president, is that correct? >> we do a fair amount of coordination with the department of defense. in fact, we do a crosstraining with an incident response matter. we do have blended teams that go up to the field for investigations that could be fbi or dod assets. in terms of the decision-making process we do have agreements in place to live in understanding and place that we don't necessarily have to go to the president. we don't have to go to the secretary level. there are sub level understandings that we are able to use, use each other's resources. >> those agreements would also
1:52 pm
cover what types of military systems that will be needed? >> it's a support function, but we are typically talking personnel. >> mr. rapuano, did i say your name really -- messed it up, didn't i? >> rapuano. >> are there concepts of operations that define the specific requirements that dod forces could be asked to fulfill and prioritize assets or sectors that should be defended from cyber attack if we're going to have a high-end conflict? >> the focus of the domestic response capabilities, the civil authorities when it comes to cyber are those defense and those protection teams out of the cyber mission force. those are skilled practitioners who understand the forensic issue, the identification of the
1:53 pm
challenges of types of malware and different approaches removing the malware from the systems. as mr. krebs noted, the defense support authority. >> request for assistance from dhs to the department. we have authorities all the way down to commanders, specifically cyber command. admiral rogers has the authority and a number of very to direct attach those assets. then comes up to me and for certain areas the secretary requires his approval. but most of these things can be done at lower levels and we have provided that assistance previously to dhs. >> do you have the policy guidance in place if there is a high-end conflict, is it a first-come first-served? do you have a way that you can prioritize how you're going to respond? >> absolutely. a high-end conflict for which we
1:54 pm
are receiving cyber attacks and threats in terms of against our capabilities to project power, for example, would be the utmost priority for the department as well as attacks against dod information systems. if we can't communicate internally, we can't defend the nation. those are the equivalent of heart, brain, lung functions, equities and capabilities we prioritize. we have resources that are available unless tapped by those uppermost priorities and then it becomes hard decision time: where to apply assets for domestic and critical infrastructure protection, for example, or to protection of other dod capabilities. >> thank you. >> on behalf of chairman mccain let me recognize senator shaheen. >> thank you, senator reed. thank you to all of our witnesses for being here this morning. i share the frustration you're hearing from everyone on this committee about decisions that
1:55 pm
have not been made actually with respect to cyber threats affecting our nation. one example is the use of kaspersky labs antivirus software on u.s. government systems. kaspersky labs has reported links to russian intelligence and it is based in moscow, subject to the kremlin's intrusive surveillance and interception laws. we just had a recent report of kaspersky's role in a successful russian cyber operation to steal classified information from an nsa employee's home computer. and yet they remained on the list of approved software for way too long now. this committee put an amendment in the ndaa that would have prohibited the use of that software by the department of defense, and i'm pleased that
1:56 pm
finally we've seen the administration act on that. but i think it really raises the question of how we got to this point. so what standards were used in approving kaspersky labs as an appropriate choice to fill the u.s. government's antivirus protection needs? does the government vet the origins and foreign business dealings of cybersecurity firms and software companies before these products are used in our systems? and are companies looking to contract with the us government required to disclose all their foreign subcontractors as well as their work and dealings with foreign governments that may be a threat to the united states? so i will throw those questions out to whoever would like to answer them. >> thank you for the question. as you know the directive we issued several weeks ago just over a month now, 30 some odd days ago, required federal
1:57 pm
civilian agencies to identify kaspersky products if they have them and it led played governmt and over 90 days. what that tells me is we still have a lot of work to do in terms of the processes that are in place, to assess technology products that -- >> i agree. that's why i'm asking those questions. i don't mean to interrupt but i've limited time and what i would like to know is what you can tell me about what standards we use, how do we vet this kind of products and how do we ensure that we don't have another case of kaspersky being used in our sensitive government systems? >> if i may suggest i'd like to come back with the general services administration to take a look at that with you and give a more detailed briefing on how we do that. >> thank you. i would appreciate that. also, mr. rapuano, i appreciate your taking some time this morning to spend a few minutes with me to talk about the
1:58 pm
hewlett-packard enterprise, which allowed the russian defense agency to view the source code of software used to guard the pentagon's classified information exchange network. can you tell me how is the disclosure of our source codes to other entities a usual way of doing business? how did that happen? >> senator, the details on that as i shared with you this morning, we're working that. our cio is leading that effort. i can get you additional details with regard to our procedure to regulate approach but we can follow up with those details for you. >> thank you. appreciate that. that was a rhetorical question to raise the point again that i have serious concerns about the attention we're paying to these kinds of issues. in april dod logistic agency
1:59 pm
said, quote, hp software and hardware are so embedded that it could not consider other competitors, quote, absent an overhaul of the current i.t. infrastructure. do you believe that's what is required and how are we going to address any of these problems if we say we can't take action because it would create a problem in responding throughout other areas where we do business? again, i appreciate that you're going to respond to the concerns that i laid out, including that one at a later time. i'm almost out of time but i just had one question for you, mr. krebs, and that is on this notice of this hearing, you were listed as performing the duties of the under secretary for the national protection and programs
2:00 pm
directorate but you said you've been on the job for eight weeks. what does that mean? >> yes, ma'am. thank you for the question. i have actually been with the department since march 2017. i was a counselor to general kelly. he moved to the white house, of course, and soon after that i was appointed by the president to be the assistant secretary for infrastructure protection. in the meantime we have an open vacancy at the undersecretary position so as the senior official within the national protection and programs directorate i am the senior official performing the duties of the undersecretary.
2:01 pm
>> my appreciation for you and the ranking member for elevating this particular discussion to the full committee status. senator nelson has been great to work with and i appreciate the bipartisan way he has approached the issue. wish we had the same type of cooperation this morning with mr. joyce coming to visit with us. i personally did not see this as an adversarial discussion today. i saw this as one in which we could begin a cooperative effort to discuss how to take care of the seams that actually we believe exist between the different agencies responsible for the protection of the cyber systems in our country.
2:02 pm
this particular chart, i believe senator alexander indicated over -- general alexander indicated there were over 75 different revisions to this particular chart when it was created. let me just to clear the record, do any of you have a more updated chart than the one provided today? >> no? no. okay. for the record that was done in 2013. yet at the same time i just -- for mr. krebs, let me just ask, as i understand it, dhs is responsible for the protection of some but not all of the critical infrastructure in the united states. when it comes to the energy sector the department of energy is the lead agency. is that correct? >> that is correct. >> where does it fit in the
2:03 pm
chart? >> there is an updated piece of policy surrounding this. as i mentioned, that's a progressive policy arc. the unmuscle moments hold and have been reflected in presidential policy directive 41. >> we have an updated chart someplace? >> i may have something better than a chart. i have a plan and a policy around it. ppd41 which lays out the responsibilities of respective organizations. >> all of you are working on the same level as mr. krebs has shared here with the information he has? a yes or no would be appropriate. >> yes. >> yes, senator. >> thank you. then i appreciate that because what really bothered me is if this was not updated or had been working on anything since 2013 when the change occurred. let me ask you quickly, just
2:04 pm
curious, it would seem to me there's no doubt there are three types of barriers we need to overcome in order to strengthen the collective cyber defense over the organization, legal organization and cultural. have any of you identified legislative hurdles that restrict or inhibit interagency gaps or seams for the collective cyber defense? >> mr. rapuano? >> i would just note, when you look at the national response framework that we use for noncyber but kinetic in state actor or national events, you have seen since katrina is a maturation of a similar process. many disparate roles and responsibilities and authorities and many different target stakeholders who may require assistance, from local, state, all the way up. and this system, in the national
2:05 pm
cyber response framework is based closely on the national response framework. we're obviously in a more nascent stage when it comes to cyber all the aspects but i would just say, if you look at the last several months in terms of very significant multiple hurricanes and what i think overall, in light of the consequences, with a very effective federal response, has been a dramatic evolution in our ability to work as a whole of government team when it comes to complex problems with colliding authorities. >> i have one more question. get yours gist. we can either have defense here within our country or we can have defense which is to try to stop something in terms of a cyber attack before it actually gets here. that involves not only a cyber system which is universal, involves talking about systems that are sometimes in our ally's country, sometimes countries not
2:06 pm
necessarily our friend but in areas where they're actually the bad guys located who are creating the attacks themselves. what are your views on the sovereignty relating to cyber security? let me just -- before you answer this, in afghanistan, regardless of what you think about the strategy, the long-standing undertone that justifies why we're still there is fighting the enemy abroad prevents another major attack at home. in this context it's a defensive strategy played out via offensive maneuvering. as we evolve the cyber intelligence field it's inevitable we'll start to think of cyber defense in this offensively minded way. i'd like to hear your thoughts on the sovereignty and where we ought to be fighting the battle to stop the attacks before they get here. >> senator, that's a very important question. as i think you're aware, the
2:07 pm
concepts of sovereignty are still molding to some extent in the sense there are differing views with regard to what constitutes sovereignty and what type of scenario -- >> it is -- mr. chairman -- here's the key part of this. these facts are going on now -- these attacks going on now, tallinn 1.0 and 2.0 are discussions what our allies are working at in terms of sovereignty issues. in the meantime we have a gap in time period and have to decide where to actually defend our country against the possibility of existing attacks today, tomorrow, and next week. unless we have a current strategy with regard to how we regard sovereignty and where we will actually go to defend our critical infrastructure. could be we have that on the books today and are you prepared to say where we know we would defend get the attackers and are we
2:08 pm
prepared to take them beyond our border. >> senator, yes, we can do, and the details of our current posture i think would need to be deferred to a closed hearing. >> very good. mr. smith, mr. krebs? >> it's a home and away game. we have to get them over there, at the same time we need to be protecting our infrastructure here. i work very closely, for instance, with the electricity sector, and the electricity sector coordinating council. i'm on the -- during the hurricanes i was on the phone with the ceos of major utilities daily. every 5:00 p.m. with secretary perry we talk about the status of the electricity sector. we have to start here, network protection, close out the gaps, mitigate consequences, at the same time we have to take down the threat actor. it's a whole of government best athlete approach. >> thank you. thank you, mr. chairman. apologize for going over but it's a critical issue we have to address. thank you.
2:09 pm
>> thank you, mr. chairman and thank you for holding this critically important hearing and to the excellent witnesses before us today. this week "the new york times" published an article -- and i'm going to submit it for the record, assuming there's no objection, mr. chairman -- that details north korea's cyber attacks estimated to provide the north korean government with as much as $1 billion a year. that figure is staggering. it's equivalent to a third of that country's total exports. north korea's ransomware attacks and cyber attacks on banks around the world are producing a funding stream for that country which, in turn, fuels the nuclear program and a
2:10 pm
funding source that must be stopped at a time when the united states is leading efforts to sanction exports of coal, labor, textiles and other products in order to hinder north korea's nuclear ambitions. we also have to focus on additional funding sources and this cash flow ought to be priority number one. tough rhetoric must be supported by tonight action, and practical measures that make clear to north korea that this kind of conduct will be answered. so, the question is, what actions are being taken to combat their offensive cyber operations and address this cyber -- cyber revenue, and i know you may not be fully at
2:11 pm
liberty to discuss the steps in this forum but i'd like you to do so to the extent you can because north korea knows what it is doing. you're not going to reveal anything to north korea. the american people deserve to know what north korea is doing. and they don't. so, this is a topic that i think ought to be front and center for the administration and for the congress and for the american people, and i look forward to your responses. >> i would simply say, yes, senator, we do have plans and capabilities that are focused and directed on the north korean threat in general, and on the specific activities that you have noted. i think it would be most appropriate to go into details in closed session. >> senator, i would just say that we continue to work with our foreign partners in information-sharing wherever
2:12 pm
possible, whenever we're able to assist them in identifying these type of criminal activities and provide them also technical assistance whenever asked or engaging with them in joint operations, and whenever possible we are always looking to link it back or coordinate some indictment or investigative -- some joint operations that would bring to light the people or the nation states that are conducting those activities. >> i'll pile on here. i'm actually providing a little detail on a particular unclassified activity. working very closely with the fbi, we designated one effort called hidden cobra, and we have a hidden cobra page that speaks to a botnet infrastructure, command and control infrastructure, that has certain indicators that, look at this,
2:13 pm
track this down, with federal partners where the command and control infrastructure may be in another country and we share that information and are looking to take action against it. not just a whole of government approach. this is an international problem and with international work and we have been partnering with unlikely partner. >> i agree with an international problem with international solutions but we provide the main solution and we are in effect victims, substantially if not primarily, of the problem, and i understand, mr. rapuano, we have plans and capabilities. i'm not fully satisfied with the idea that those forward oriented measures of action are sufficient. i think we need action here and
2:14 pm
now. the lazarus group, north korean linked cyber crime ring stole $81 million from the bangladesh central bank account at the new york federal reserve, which would have been one billion dollars but for a spelling error, fairly rudimentary spelling error on the part of the north koreans. they've also been tied to the wannacry attack this year and the sony attack in 2014. this week they are being linked to a $60 million theft from the taiwanese bank. measured in millions, given the way we measure amounts of money in this billion, which -- in this week with our budget is in the billions and trillions, may seem small but it is substantial given the north korean economy and its size.
2:15 pm
so, i'm hoping that in another setting we can be more fully briefed on what is being done now to stem and stop this threat and i appreciate your good work in this area. thank you. >> thank you, mr. chairman. >> thank you, gentlemen, for your willingness to tackle these issues, and i think it goes without saying that your level of success in these areas will really influence american democracy for many, many years, as well as decades to come. so the conversation today so far has been focused very much on cyber defense coordination, which is -- we would all say is very important. however, coordination doesn't do any good without the proper understanding of our capabilities across the government. that is why i worked with senators coons, fischer and
2:16 pm
gillibrand and you have a shoutout to program within in the national guard. so, for each of you, how do you assess the capabilities of the individuals and the organizations under your charge? because we see this lovely chart, which is very old, but you do have a number of organizations that you're responsible for. how do you go in and assess what that organization can actually do? is it effective? so, it's great to say, hey, we have a cyber team in doj or whatever but how do you know they're effective? can you explain how you assess that? we'll start with you, mr. secretary. >> thank you, senator. that is an excellent question and does represent a significant challenge. we have a lot of disparate organizations that have cyber equities and are developing
2:17 pm
cyber capabilities and within the department of defense we have really committed in earnest to start to better understand the crosscut in terms of services, commands, the full range, including the national guard. what are their capabilities, what specific skills are they developing, what professional development program could we have to recruit, train and develop very attractive career paths for the best and the brightest. so we have a number of initiatives, starting with the budget initiative so when you start the cr budget formulation, apples to apples, instead of what it has been historically, which each service or organization's conception of what constitutes training or different elements of their budget, and we did a first run this year that was off the budget cycle just to get us in the road to progress, so to speak, and we found we really have got to ensure there's
2:18 pm
competent definitional issues so we're defining things the same way. the other area in terms of national guard, we track national guard cyber capability development, training, how they fit into the cyber mission force. one area we have a challenge with is under state status, we don't have that same system of consistent definitions. that's something that we're working at, but we definitely recognize the critical importance of having that common ability across multiple front -- >> i appreciate that and that's good to understand that now and get that worked out, those details and discrepancies worked out. mr. smith, how about you? >> on our technical side we're on the job with that routinely. they're currently actively engaged in incidents, incident and following up on the threats and investigations.
2:19 pm
we have spent a significant amount of effort in enhancing those, particularly at a much higher level on the cyber technical side, but in addition to that we have taken steps to significantly elevate the entire work force in the digital domain. we have created on the job training which allows noncyber personnel to be taken offline from investigating other matters to enhance the cyber capability so when they go back after a couple of months, they're capable of bringing both the normal traditional investigative methods along with the current modern digital investigative requirements. looking longer term, though, when we are talking about the work force of the future we have been collaborating on a much more local level with stem high schools programs in developing and building a future work force as opposed to trying to compete with everybody here and with the private industry, which can
2:20 pm
offer things and more benefits at times than we're capable of, but by building in, in an fbi cyber stem programs, bringing local university courses to high school students at an earlier age and supplementing that with some leadership development in those high school ranks; looking long-term, building a work force that will augment and maintain the necessity we all require and we're talking about near this digital arena, working with the noncyber elements, intern cyber people are at a very high level. >> i'm running out of time. mr. krebs, if you could submit that to us for the record i would be appreciative. one thing, as we look across the board, is really assessing the organizations that fall under your purview, making sure we're not duplicating services amongst our agencies as well, and operating as efficiently as possible.
2:21 pm
so thank you very much. thank you, mr. chairman. >> thank you, mr. chairman. i'm glad that we're having a discussion about the integrity of our elections and as being fundamental to our democracy. mr. krebs, as i look at this chart, even if it's dated, your responsibility at dhs is to protect critical infrastructure and you did say you have -- you have an election security task force. do you consider dhs to be the lead agency on making sure our election systems are not hacked? >> ma'am, we do have unique statutory authorities to coordinate protection activities across the critical infrastructure, and as a designated critical infrastructure subsector, yes. i do not physically protect those networks. i enable state and locals and private sector to have better practices. >> but you would be the lead federal agency that would have the responsibility to work with the state and local entities to
2:22 pm
protect our election systems? >> from a critical infrastructure protection perspective, yes, ma'am, alongside the fbi and intelligence community. >> we're just looking for wrestling with the idea of who is responsible for what. i'd like to get down with regard to the election system we should look to dhs. that's all i want to know. >> i hope your task force is addressing purchases of political ads by foreign countries. hope that's one of the things that your task force will address and whether there's a need for legislation to prevent that kind of -- those kind of purchases. i want to get to a question, too, mr. rapuano, data protection is obviously an important issue wherever i industrial espionage being carried out and the dod requires contractors to provide adequate security for covered defense
2:23 pm
information that is processed, stored or transmitted on the contractor's internal information system or network, by december 31, 2017, contractors must at a minimum implement security requirements to meet national institute of standards and technology standards, nist. so, my question, mr. rapuano, can you talk about the importance of having industry comply with this requirement and how you are working with industry to get the word out so that everyone is aware. i would say small businesses that y'all work with. they need to know they're supposed to be doing this. >> yes, senator. the primary focus is the defense industrial space where we have the highest frequent and most significant dod programs engaged with this private sector elements that work with the department of defense. i work that closely with the chief information officer for the department. i can get you additional details
2:24 pm
on the processes for doing that and -- >> i'd like to make sure that, as i mentioned, particularly small businesses, who may not be aware of this requirement, that they are very aware and that they can -- have enough time to comply because december 2017 is right around the corner. whatever you have, fliers, whatever you use to get the word out. for mr. krebs, you mentioned in your testimony how cyber actors have strategically targeted critical infrastructure, specifically you identified two malware attacks called blackenergy and havex targeted industrial control systems and it doesn't take a wild imagination to think of how a sophisticated power attack to power plant
2:25 pm
control systems could cause a massive disruption with grave consequences. what is being done by dhs to encourage the private sector to harden their defense of industrial control systems? >> yes, ma'am. thank you for your question and i share your concern, particularly with respect to those two tool kits. i think i would -- i'd answer the question two ways. one in end point protection. we work closely with the electricity sector, with the sector coordinating council, and that particular -- again, from a grid perspective. then through our industrial control systems, the ics, we look at more capable solution as i mentioned in my opening statement. not the whack-a-mole approach at the individual facilities but trying to understand what the actual individual control systems are, who makes them. it does tend to be a smaller set of companies rather than 100 or
2:26 pm
100 end points. we go to the root of the problem, the systemic problem, address that at the manufacturer or coder level, and then from there kind of break out and hit those end points. we look at the end point and also work at the root problem. >> you perform outreach activities through ics to make sure that, for example, the utilities sector is adequately -- >> among other mechanisms, yes, ma'am. >> thank you, mr. chairman. >> thank you, mr. chairman. >> thank you for being here. one quick question from the perspective of -- my privilege as the personnel subcommittee chair. what trends, either positive or negative, are we seeing -- is it rapuano? is that correct pronunciation? >> yes. >> you mentioned i think earlier when i was here about the national guard playing some role
2:27 pm
at the state level. can you give any idea of a positive or concerning trends about the resource we're getting into the various agencies to really flesh out our expertise to attract and retain them and to grow them? >> i would simply say -- i think it's been a common experience for my colleagues at the table here is getting the best talent is a significant challenge in the cyber realm for obvious reasons. >> there's a variety of reasons but what would you list as the top two or three? >> a very high demand signal throughout the entire economy. the compensation that individuals can get on the outside of government is significantly greater. we are trying to address that in terms of our work force management process, and we have some additional authorities that we're applying to that i believe other agencies have as well. but again, it's a demand versus
2:28 pm
supply question. >> we have had this discussion before and actually senator rounds and i talked about it, be very interested in feedback you can give us on things we should look at, as possible subject matter for hearings for retention. i worked in the private sector and had a cyber subpractice, ethical hack testing practice in the private sector, and what you're up against is not only a higher baseline for salaries but also up against what the industry would call hot skills. these are very, very important skills, and so just when you think you have caught up or got within the range on the baseline comp, firms -- like the firm i worked with, both price waterhouse and ibm says we have to have a signing bonuses and retention measures that make it impossible for a governmental institution to stay up with it. i'll be brief because we have votes and i want to stick to the
2:29 pm
time. want to associate myself with comments and questions made by senator inhofe and senator shaheen. i'll go back to the record to see how you responded. i want to get more of an idea of the scope and scale of nonclassified software the department uses, as a percentage of the entire portfolio, what are we looking at, at nonconfident -- nonclassified software as the percentage of the base, is it safe to say it's in the thousands, in terms of software platforms, tools, the whole portfolio. >> that's a question have into our system and the cio office, and i can get that information back to you as soon as i get it. >> i would have to get back with you with more specifics.
2:30 pm
>> i think it would be helpful. i'm sure we have application portfolios -- i hope, i should say -- we're following best practices and somebody out there in the ops world knows what our portfolio is and how they fit into the classified and nonclassified realm. that would be helpful. i'll yield back the rest of my time so other members can get their questions in before the vote. thank you, mr. chair. >> mr. krebs, just want to make you feel better about your title. enjoyed that interplay with senator shaheen. 40 years ago i worked here as a staff member and was seeking a witness -- from office of management and budget from the administration. they he's a deputy secretary under such and such. i said i don't know what that title means. the response was -- and you can take this home with you -- the highest level where they still know anything and i realize eyeful above that level. but i appreciate having you here. i think you fellas understated one important point and i don't
2:31 pm
understand why the representative from the white house isn't here because i think he has a reasonable story to tell. on may 11th, the president issued a pretty comprehensive executive order on this subject that is not the be all and end all on the subject but is an important beginning in terms of -- here's my question. in that executive order there were a number of reportback requirements that triggered mostly in august. my question is, have those reportbacks been done? mr. rapuano? >> senator, they're starting to come in and as you note there are a number that are still due out. just -- >> interest m were 180 days and in 90 days. i wonder if the ones from august have come back. >> i don't have the full tracker with me here. i can get back. >> i would appreciate that. >> some have been submitted with the original timeline and others extended but absolutely those are the essential elements of
2:32 pm
information necessary to fully develop and update the strategy to the evolving threats and build that doctrine and requirement and plan. >> you use the key word of doctrine. i want to talk about that. by the same token, this committee passed -- the congress passed as part of the national defense authorization act last december, a provision requiring report from the secretary of defense to the president within 180 days, and from the president to the congress within 180 days. that report would have been due in june from the secretary of defense involving what are the military and nonmilitary options available for deterring and responding to imminent threats in cyberspace. do you know if that report has been completed. >> yes, senator. it was our original intent and desire to couple the two with the input in the president's eo and the input back to the senate. based on the delay of the president's eo we decoupled
2:33 pm
that because we recognize your impatience so we'll be submitting it to you shortly. >> shortly doesn't make me feel much better. is that geologic time or -- >> calendar time. >> please let us know. you mentioned the word doctrine, and i think that's one of the key issues here. if all we do is try to patch networks and defend ourselves, we'll ultimately lose. there has to be -- and mr. smith, you used the term "impose consequences." right now, we're not imposing much in the way of consequences. for the election hacking, one of the most egregious attacks on the united states in recent years there were sanctions passed by the congress but it was six or eight months later and unclear how severe they --
2:34 pm
we need a doctrine where our adversaries know if they do x, y will happen to them? just being on defense won't work. you're in the boxing match and can bob and weave, if you're not allowed to ever punch you'll lose the boxing match. >> yes, senator. i certainly agree that both the demonstrated will and ability to respond to provocation in general and cyber specific, is critical to effective deterrence. i think the challenge we have that is somewhat unique in cyber is defining a threshold that then does not invite adversaries to inch up close but not on to it. it's important 'omake thyme hi lie specific slurs generally and the downside of the general it's too ambiguous to be meaningful.
2:35 pm
>> part of the problem is we want to keep secret what we can do when in reality a secret deterrent is not a deterrent. this other side has to know what is liable to happen to them, and i hope you'll bear that in mind. think this is a critically important area because we have to have a deterrent capability. otherwise, we know this is coming. so far there haven't been much in the way of price paid, whether it was sony, or anthem blue cross or the government personnel office or our elections. there have to be consequences. otherwise, everybody is going to come after us. not just russia but north korea, iran, terrorist organizations. this is warfare on the cheap and we have to be able to not only defend ourselves but to defend ourselves through a deterrent policy, and i hope in the counsels of the administration that will be an emphasis on
2:36 pm
your -- no your response. >> yes, i agree, senator. that is the point of the eo in terms of the deterrence option set to understand them in the wider context of our capabilities, different authorities, and to start being more definitive about the deterrent options and he them. >> thank you, mr. chairman. >> i want to return to that. i keep hearing the words but don't see something specific in place, and we have struggled with this for years on this committee now. imagine that tomorrow we had a foreign nation state cyber attack on our financial or banking sector or next month on our utility or our transmission infrastructure or next year on our elections, and i would suggest that any of those would cross the threshold. what is our doctrine for how, when, and with what level of
2:37 pm
proportionality we're going to respond to that kind of a cyber attack? mr. rapuano. >> first i'd note that obviously our deterrence options are expansive beyond cyber per se. so cyber is one of a large number of tools, including diplomatic, economic trade, military options, kinetic, including, and then cyber. so looking at the broad space -- >> i agree wholeheartedly, shouldn't limit yourself to responding in kind with the same level of -- or with the same toolbox, but do we have a doctrine, because if we don't have a doctrine -- in the cold war we knew what the doctrine for the other side was and they knew what our doctrine was and that kept us from engaging in conflicts that neither side wanted to engage in. do we have an overall structure for how we're going to respond and if we don't, would suggest we have no way to achieve
2:38 pm
deterrence. >> we do not have sufficient depth and breadth of the doctrine as we have been discussing and that's one of the primary drivers of the executive order, 13800. to have the essential elements to inform the doctrine. >> the chairman has been asking for an overall plan for i don't know how long, and i think that is what we're all going to be waiting for, and i wish i could ask the same question of mr. joyce, but maybe in a future hearing. for any of you, spent a good part of yesterday looking at russian created, russian paid for facebook ads, that ran in my state and in places across the country, and were clearly designed to divide this country as well as to have an impact on
2:39 pm
our elections. what is the administration doing to make sure that in 2018, we're not going to see the same thing all over again? don't all speak at once. >> let me start with the election infrastructure subset. from a pure cyber attack perspective we're working with state officials to update their defense. with regard to the ad buy, it's an emerging issue we're assessing and i can defer to the fbi on their efforts. >> it's not emerging. it emerged. we have been trying to get our hands around this for close to a year now, and we still don't seem to have a plan, and that worries me enormously. we have special elections in place. we have gubernatorial elections
2:40 pm
in place, and we are continuing to see this kind of activity and we need to get a handle on it. let me go back to your issue of election infrastructure. as a number of people have mentioned it has been widely reported that there was cyber intrusion into state level voting infrastructure, and it was -- it's my understanding that dhs, before you got there, was aware of the threats well before last year's election, but only informed the states in recent months as to the nature of the intrusions in those specific states. why did it take so long to engage with the subject matter experts at the state level and is there a process now in place so that we can get those security clearances that you mentioned in a timely way so that the conversation can head off similar activity next year? >> sir, thank you for the question. i understand that over the course of the last year or so,
2:41 pm
officials in each state that was implicated was notified at some level. as we continue to study the issue and got a fuller understanding of how each state has perhaps a different arrangement for elections -- in some cases it's state, local, chief election official, a cio for the state, cio nor networks, homeland security adviser. as we get arms around the problem and the governance structure in 50 states and territories, we have better sense of here their fuller range of notifications we need to make. when you think about the notifications of september 22nd, that was a trueing up, perhaps, of each state saying, we let these officials know. wouldn't characterize it as just let them know then. it's we broaden the aperture and give them context around
2:42 pm
what may have happened. >> i'm working on legislation and have been working with the people -- secretary of state from my state and then -- who is obviously involved in the national association of secretaries of state. it's not rocket science. it is basically building a spreadsheet of who and at what level and when we see things happen in a given geographic area, pull out the book and figure out who you need to be talking to, and we need to make sure that is in place. >> yes, sir, we're actively working that right now. >> senator mccaskill. >> thank you. to reiterate some of the things said previously but the empty chair is outrageous. we have a foreign government go at the heart of our democracy, a foreign government that wants to break the back of every democracy in the world, and it -- a very smart senator i heard say in this hearing room,
2:43 pm
who cares who they were going after this time -- it will be somebody else next time, and i am disgusted that there is not a representative here that can address this. also am worried -- >> could i ask -- interrupt, senator, and just say that we need to have a meeting of the committee and decide on this issue. i believe you could interpret this as a misinterpretation of the privileges of the president to have counsel. he is in charge of one of the major challenges, major issues of our time, and now he is not going to be able to show up because he is, quote, a counselor to the president. that's not what our role is. >> that's never -- i think in any other situation, let's take out the president, take out russia -- this circumstance would not allow to be stand bid
2:44 pm
the out senate typically. >> i agree. >> you would know more about that than i would. you've been here longer. this is something that we need -- in these times when there's an issue every day that is roiling this country we have tendency to look past things that are fundamental to the oversight role here in the senate and i'm glad that the chairman is as engaged as he is on this issue and i look forward to assist. >> i'm -- this should not count against the senator's time but we'll have a full committee constitution on it and i thank the senator. >> i'm worried we have no nominee for your position so if the white house reviews this testimony i hope they will understand that your job is really important. i'm not taking sides as to whether or not you're doing a good job or bad job but the point is we don't need the word "acting" in front of your name for this kind of responsibility in our government.
2:45 pm
i'm unfortunately the chairman of the committee i'm ranking on, homeland security, has chosen not have a hearing, believe it or not, on the election interference so this is my shot and i'm hoping that the chairman will be a little gentle with me because i haven't had a chance to question on some things. why in the world did it take so long to notify the states where there had been attempt to enter their systems, their voter files? >> i again, ma'am, as i mentioned earlier, it's some point over the course of the last year, not just september 22nd, an appropriate official, whether the owner of a infrastructure, private sector own, or local official, state official, state secretary, someone was notified. >> shouldn't all of the secretaries of state have been notified? isn't that just like a, duh. >> i share your concern. over the course of the last
2:46 pm
several months we had a trueing up and have opened a sort of governance structure per each state. the folks that need to be notified. >> what's the explanation for state being told one day it had been and the next day it hadn't been. how did that happen? >> i understand the confusion that may have surrounded the notification of september 22nd there was additional context that was provided to the individual states so in one case perhaps the election system network may not have been scanned or targeted. may have been another state system. i analogize that to the bad guy walking down the street and checking your neighbor's door to see if they had a key to get into your house. it's not always that they're knocking on the network. they may be looking for other ways in through other networks -- >> doesn't change the fact that the secretaries of state should have been immediately been notified in every state, where there had been knocking on a
2:47 pm
neighbors' door or their own door. the bottom line is we -- good news is we have a disparate system in our country so it's hard to find one entry point. bad news if we don't have clear information going to the secretaries of state, then they have no shot of keeping up with the bad guys. >> that's right. going forward we have that plan in place. we have governance structures. we have notifications, as i mentioned earlier. security clearance processes ongoing for a number of officials and we'll get them the information they need when they need it and can act. >> they don't want to take advantage of your offering, which is terrific you'll check their systems no mandate no hook, no expense, i talked to secretary of state of missouri and he was saying, listen, they're not even talking to us. this was before september but i do think somebody has to take on the responsibility of one-on-one communication with 50 people in the country, plus i don't know who does voting in the
2:48 pm
territories but -- as to what is happening, what you're doing, what they're doing, this -- i'm not exactly -- i'm not really enamored of the idea of moving off of this to dod. hwaot do we to the work fort there bee reluctance to participate fully if it was directed be in dod but the chairman rod point, if you don't begin a more seamless operation with clear lines of accountability and control, we have no shot against this enemy. none. and it worries me that this has been mishandled so much in terms of the communication between the states that are responsible for the validity of our elections. let me talk about kaspersky. how are you going to make sure it's out of our systems? >> a little over a month ago we did issue a binding operational directive for federal --
2:49 pm
>> if they've got another 90 days to get stuff because you're giving them long time. >> yes, that is a 90-day process to identify, develop plans to remove. may be budgetary implications and then 30 days to execute. we have seen a number of activities in the intervening 30 plus days of people taking it off. >> let me just ask you do. you think if this happened in russia, if they found a system of ours that was looking at all of their stuff do you think it would -- they'd tell their agencies of government you have 90 days to remove it? >> ma'am -- >> seriously? >> i learned not to predict what -- >> i mean, really. the point i'm trying to make is, why don't you say you have to do it immediately. >> ma'am, there are -- you can't just rip out a system. there are certain vulnerabilities that can be introduced by just turning a critical antivirus protect off. we need to have a process in place that you can replace with
2:50 pm
something that is effective. in the meantime we're able to put capabilities around anything that we do identify to monitor for any sort of traffic. >> is the private sector fully aware and are government contractors fully aware of the dangers of the kaspersky system? >> we have shared the binding operational directive with our partners, including state and local partners and working with our interagency partners as well. we're sharing risk information. >> is that a little bit like sharing with the appropriate people at the time but not the secretaries of state? needs to be a red siren here. what about the government contractors? is this bod binding on our government contractors. >> it is not -- >> shouldn't it be publish. >> let me follow up on that to get the specifics. >> shouldn't it bejing makes sense. >> since we have more contractors on the ground in afghanistan than troops, it would be important to get kaspersky out of their
2:51 pm
system. >> my authority is only federal civilian agencies. >> dod have you told the contractors to get kaspersky out. >> we have instructed the removal of kaspersky from the dod informations. ry follow up on contractors. >> i'd like an answer. thank you, mr. chairman, for your indulgence. >> thank you, mr. chairman. your agency, mr. krebs, declared that russia linked actors hacked 21 states. why did it take over a year to notify states that their election systems were targeted. >> as i have stated, we notified an official within each state that was targeted or scanned. we have offered a series of services and came end, including cyber hygiene scans, to every state in the union and every commonwealth. so not only did we notify the states, granted, there was a
2:52 pm
broader notification that we have subsequently made, but we did make capabilities available to all 50 states. >> and are all 50 states using the capabilities you offered. >> i don't have the specific number of the states using ours but we have seen a fairly healthy response. >> i would like a report on whether all states are using the recommended technology that you offered to them. i don't think -- i think we need have that kind of transparency, given what senator mccain started this hearing with. it is a national security priority, and if the states are not doing their jobs well, we need to provide the oversight that is necessary to make sure they do their jobs well. do you believe that making these election cyber security optimal is sufficient? >> i'm sorry, making them -- 0 are optional. >> excuse me.
2:53 pm
optional. >> fundamentally there are constitutional questions in play. we make sure that every resource we have available and out there that the state and local governments and election systems have the ability to access. >> i understand that there is a nine-months wait for a risk and vulnerability assessment. is that accurate? >> we offer a suite of services from remote scanning capabilities, cyber hygiene scans, up to a full-blown vulnerability assessment that can sometimes just to execute that vulnerability assessment, because it's the breadth and depth of the assessment can take a number of weeks if not months to conduct at the assessment itself. so i have -- we are in the process of looking into whether that nine-month backlog exists and how the insurer -- we can provide every other tool needed out to the state and local officials. >> are we ready for the next election and do you believe we are cyber secure for in the next
2:54 pm
election and. >> i think there's a lot of work remains to be done. we need to as a country, we need to continue ensuring we're doing the basics right, and even at the state and local level, the private sector, still a lot of basic hygiene activities. >> i would like a full accounting what has been done, what is left to be done and what are your recommendations to secure our electoral system by the next election and like it to be addressed to the entire committee. we need to know what is out there, what is left. senator graham and i have a bill to have a 9/11 style commission for do the deep dive you are doing to make recommendations to the congress on the ten things we must do before the next election. then have the authorities come back to us so we can actually implement it. doing it on an ad hoc basis is not sufficient and i'm not worried because there's no accountability and because of the constitutional limitations you mentioned we are not going hold these states accountable when they have not done the
2:55 pm
required work. we need to know what have you succeeded in doing, what is still left to be done, the impediments, delays, lack of expertise, lack of personnel or resources in i need to know because i need to fix this problem. >> we are making significant progress. we have a working relationship, strong partnership, with state and local election officials, and we are moving forward with the -- towards the next election. >> mr. rapuano in your confirmation hearing you said the russian interference is a growing threat and russians will continue to enter as long that thivel the consequence their, as is lens than the benefits aday crew, given the likelihood of interference what are the immediate extent you are going to take and the federal government should take to restore the integrity of our elections? i know you answered one therefore early 'er question wiz
2:56 pm
the work we are degree with the national guard but i know you are no necessarily doing all the training necessary or spending the resources to do all the national guard training consistently with other active duty personnel. >> senator, we stand at the ready in terms of the process that dhs has put into place to support all the states with regard to the election system vulnerabilities. to date we have not been tasked directly to support that effort but we certainly have capabilities that we could apply to that. >> can i just have your commitment in the next budget you'll include the full amount needed for the training of cyber specialists within the national guard? >> what i need to do is check on the status of the current furnishing for the effort and i will get back to you and -- >> thank you. >> i want to follow up on the
2:57 pm
questions about the attacks on our voting systems. we know that 21 states faced attacks by russian actors during the run-up to the 2016 election. seems like the russians are happy with the efforts and don't see any reason to believe they won't try again. in fact, mr. krebs, your predecessor at homeland security urged congress to, quote, have a strong sense of urgency about russian tampering in the upcoming elections, and i know that homeland security designated our election system as critical infrastructure earlier this year. i just like to follow up on the question that senator gillibrand was asking and what i think i heard you say, are you confident that our nation is prepared to fully prevent another round of cyber intrusions into our election systems in 2018 or 2020, mr. krebs? >> so, what i would say is that we have structures in place.
2:58 pm
this is not an overnight event. we're not going flip a switch -- >> we're not there now. >> we are working towards the goal of securing the infrastructure. >> a simple question. we're not there now. >> i believe there's work to be done, yes, ma'am. >> so we're not there now. can i just ask on maybe some of the specifics. have you done a state-by-state threat assessment of the cyber environment leading up to the next election. >> are you speaking of specific to the election infrastructure or statewide. >> election infrastructure. >> i would have to check on that. i don't have -- >> you don't know whether or not there's been a state-by-state -- >> we have engaged every single statement wore work -- >> my question is more specific. a threat assessment for each state on their election infrastructure? >> i would have to get back to you on that. >> okay. are there minimum cyber standards in place for election systems? >> we do work with the national
2:59 pm
institute of standards and technology and the election commission to look at security standards for voting. >> i understand you work on it. my question is there are minimum cyber -- >> there are recommended -- >> there are -- >> recommended. >> in place. are there established best practices? >> i believe there are best practices. >> those are in place. and any plans for substantial support for states to upgrade their cyber defenses? >> if you're talking about investments, i -- >> i am. >> okay. that is -- that's a different question i think that we need have a conversation between the executive branch and congress about how -- >> was that a no? >> at this point i do not personally have the funds to assist -- >> that's a no. >> that is a resourcing to states that are grant programs that we can put in place perhaps to -- >> so you not only don't have the money to do it, do you have any plans? i'll ask the question again --
3:00 pm
for substantial support for states to upgrade their cyber defenses. >> we are exploring onces. >> the answer is no, you do not have them in place. >> we're working on plans, yes, ma'am, assess that they need. >> yes, the answer is no? >> okay. ... the state or town in america we would put our full national power into protecting ourselves in fighting back. the russians have attacked our
3:01 pm
democracy and i think we need to step up our response and i think we need to do it fast. i would concur with all of the colleagues up there. that is when we have to be laser focused on. i will concur with the chairman and others that are very frustrated and troubled. a comprehensive way. integrating the state and local officials with federal officials. as significant as it is. it goes to the core of my democracy. it also goes to the core of our civilization. we've been hit with an incredible hack on taking the most private information to
3:02 pm
open up accounts and to take cindy's identity and you're talking about over a hundred million people do you think we will be able to determine who is responsible for that hack. generally, when would we be able to do that. on the far side. within less than that time. i know that's very difficult. do we have the tools to punish those individuals. those are two separate questions. in two separate issues.
3:03 pm
first on the attribution point to get it to a certain destination is easier than the second question which is imposing significant consequences. if it becomes a nationstate or associate like that you have seen recently though with the yahoo compromise where we have have a blended threat targeting of businesses in our country. that is where i become a little more vague as to my answer on specific would would be able to impose consequences. it is a significant problem that you can't answer. we really don't have a plan that says if you do this these are the consequences for you.
3:04 pm
they will be significant particularly if there is a state actor associated with it. i know that you mentioned the line we don't actually want to put a line somewhere. everyone would work up to that line. we with zero lines right now. a state actor was behind the equifax breach. the most personal information. the process we head in place right now in terms of all the reports being submitted looking at how we correct the infrastructure and looking across this suite of issues what are our capabilities and vulnerabilities and implications that are exploiting those vulnerabilities and how to
3:05 pm
best establish what the threshold is. what is too vague to be useful as well. having said that i think it's a straightforward question. someone who hacks and steals information from over hundred million americans and something that compromises their potential identity for the rest of their lives i hope that the directive would say it's well over any kind of line. it certainly warrants a consequence. there would be more details that we would be looking at. what is the quality in attribution. we answered some questions and
3:06 pm
taking out the federal government. because of that risk that is inherent there. when we have millions of americans i have this software that access to their personal information on that computer. should we alert the public to. they made our risk assessment that we were not willing to have these products installed. it's a pretty strong signal. we had shared information across that. is an indication.
3:07 pm
the federal government has made the decision that this is an unacceptable risk position and we are instructing agencies to remove it at the present. just quickly following up on senator peter's line. is cyber command prepared to engage. with the critical structure in the united states. what is the trigger. are they able to do that right now. against the variety of targets. it is inclusive of her responding to an attack on the u.s. critical infrastructure.
3:08 pm
what is one of the triggers and you suggested that the act of war was still on the definitional phase on what would it prompt this. we have the capability but the question is under what circumstance do you use this. is that fair? >> yes it is. i want to thank you for the hard work that you are doing in the candor and helping them understand many of the challenges and must say i appreciate your great work. i can back two years ago. that there be a strategy followed by a policy we have
3:09 pm
no four months late. we have our responsibilities and we will carry them out. we had authorities that i don't particularly want to use unless we are allowed to carry out our responsibilities to our voters who sent us here then we are going to have to demand a better cooperation and teamwork than we are getting now. i appreciate very much the incredible service that you three have provided and i'm certainly not blaming you for not being able to articulate to us a strategy which is not your responsibility. the implementation of actions dictated by the strategy obviously is yours. when you see the person in
3:10 pm
charge at an empty seat here today then we are going to have to react the committee is going to have to get together and decide whether we will sit by and watch the person in charge not appear before this committee. that is not constitutional. we are coequal branches of government. i want to make sure that you understand they appreciate the hard dedicated patriotic work. and what you are dealing with and doing the best you can with the hand you are dealt. this hearing has been very helpful to us in assembling being informed to one of the major threat to the american security. and i thank you for that.
3:11 pm
i thank you for your honest and patriotic work but we are going to get to this because of the risk to and the very fundamental list of the democracy. is there anything that the senator from maine would like to editorialize. i think prudence dictates. i thank the witnesses for your cooperation. this hearing is adjourned.
3:12 pm
[indiscernible] [indiscernible]
3:13 pm
3:14 pm
[indiscernible] later today a forum on recent supreme court rulings involving freedom of speech. live coverage begins at 530 eastern on c-span. you can also watch online at the federal reserve chair
3:15 pm
speaks tonight at the national economist club dinner. live at 7:15 p.m. also on c-span i get it is on my end on the radio at. this weekend on book tv on c-span two. the former vice president al gore looks at the effects of climate change around the world at the inconvenient sequel. and we and our civilization not me but the technologists and engineers are learning how to manage atoms and molecules with the same precision that they demonstrated that they have been able to do this. it's changed things dramatically. they have a stabilized for the last four years. starting a downward trend the remaining question is whether
3:16 pm
we will win in time that we will cross some point of no return. with the hope in the catastrophic consequences. >> with professors sam abrams. april kelly of elizabethtown college. the former president of the aclu. i don't want to disparage that protesters like i think they ought to. they are passionately committed to social justice. i would love to have the opportunity to persuade them
3:17 pm
that freedom of speech is their most essential ally. more of this weekend schedule we can schedule a good book close your eyes for a moment. close your eyes and stretch i want you to stretch your imagination open your eyes. that is how fast it happens. in a blink no warning sunday night on q&a executive director of paralyzed veterans of america and the retire u.s. marine corps talks about his own paralysis and has worked
3:18 pm
to help paralyzed vets. i'm trying to tell them that this is the problem. this is what i see from a patient's perspective. you have to empathize. that is what will make it the ideal provider for veterans who have gone to combat and sacrifice. earlier this week attorney general jeff sessions testified about oversight issues at the justice department. he answered questions on russia in the 2016 elections executive privilege and the future of the immigration program. this is almost five hours.

