
Langevin and others. Recognizeey I myself. The warnings we had and decisions made about the most recent worldwide Intelligence Committee in January of 2019, and I quote, the United States and the world will remain vulnerable to the next pandemic where large-scale outbreak of contagious disease that could lead to massive rates of death and disability, severely affect the world economy, strain international resources, and increase calls from the United States for support. We must ask ourselves what warnings are going unheeded, and what can we do right now to protect the American people from other threats? Before the unthinkable happens in the future, how can we exercise strategic and precisive foresight to the best of our ability today to ensure we are a nation prepared for tomorrow? That same worldwide threat assessment cyber attacks is a top global threat with China, Russia, Iran, and North Korea, waging a silent war capable of shutting down with such information systems and critical jeopardizing critical sectors in America. The report states, and I quote, our adversaries and strategic competitors increasingly use the cyber capabilities, including cyber espionage, to attack and seek political, economic, and military advances over the United States and its allies and partners. Cyber attacks are a critical, complex, prevalent, and growing threat to the nation's safety and economic security, touching nearly every aspect of our lives. This assessment was upheld by recent findings from the National Defense Authorization Act to review the state of our cybersecurity and develop to protect positions America against cyber attacks. This commission of congressional executive branch and private sector cybersecurity sounded the alarm and in addition to that disrupt operations in America on a daily basis will remain vulnerable if we don't stop attacks that are critical to infrastructure and economic systems that could cause widespread damage and death.
The number of the commission's recommendations call for legislative this includes what has sparked a high level of interest on both sides of the aisle. Recommendations for a cybersecurity position in the White House to develop and streamline the federal government's strategy for a nation who is prone to cyber attacks. This role was first formalized with the George W. Bush administration, and then elevated and expanded during the Obama administration. But in 2018, then-National Security Adviser John Bolton eliminated it to reportedly cut [inaudible]. Of 2019 invited as the fifth most cyber secure nation in the world. In 2020 it dropped to 17. Today we will review H.R. 7331, which would implement the commission's recommendation to establish a National Cyber Director in the Executive Office of the President. This new position would restore that cyber coordination and planning function to the White House. In addition, for the first time, it would be back for resources and statutory authority to lead strategic planning efforts, cybersecurity budgets, and coordinate national [inaudible]. A challenge that is the basis of cybersecurity requires that our government be strategic, organized, and Democrats and Republicans agree we need a national cybersecurity threat to ensure we are both prepared to and coordinated in our response to cyber attacks as our nation fights a silent war. Our mission today is to gain the detailed understanding of the threats we face and to thoroughly examine H.R. 7331 as the vehicle. I now recognize the distinguished Ranking Member for his opening statement, James Comer.

Comer: Thank you, Chairwoman Maloney, for holding this hearing to address our national security posture and to explore merits of the U.S. Cyberspace Solarium Commission to establish a director within the Executive Office of the President.
The federal cyber domain we could all agree is dynamic and dispersed with varying jurisdictions and expertise across the federal government. These agencies are organized to combat cyber crime, defend against national security intrusions, and support the security needs of the private sector critical industries and commercial interests. Our nation has become more and more reliant on technology over the last three decades. Our reliance on technology and interconnected information systems is more important than ever with the pandemic forcing remotevations in our nation's workforce pivoting to a work-from-home posture. Increasingly foreign state actors, extremist groups, and domestic agitators and criminal enterprises all have a vested interest in exploiting U.S. networks. The remote administrations of pandemic have created new cyber vulnerabilities for these malicious actors to take advantage of. These are the same actors who also target our private sector partners in state and local institutions. Breaches in federal and commercial networks by foreign governments have exposed sensitive intelligence data, proprietary military designs, and government personnel data. Because of cybersecurity risks, we must all do our part to maintain a safe and secure national cyber infrastructure and by continuing to foster relationships across the private sector and our state and local partners we could share vital cyber threat information that helps secure our critical infrastructure. We'll hear today from notable subject matter experts who have deep experience navigating the nation's cybersecurity environment. They also have experience with efforts to combat damaging cyber attacks from foreign adversaries like China. Historically China has hacked into the FDIC, stolen valuable U.S. R&D, and paid our university professors to improperly share valuable intellectual property.
I welcome the opportunity to work with the majority to hold China accountable for the bad acts, as well as the deceptive attacks over the course of the pandemic. That would be a great hearing, Madam Chairwoman. We will oversee the cybersecurity planning and operations of the federal government. In evaluating this legislative proposal, we have a duty to the American people to be a good steward of taxpayer dollars and not create more bureaucracy. Establishing a clear and convincing rationale requires the due diligence and thoughtful commencement that our processes afford. The current and projected cybersecurity landscape is complicated, with many actors and operations that must work in harmony. While there have been more than several high-profile cybersecurity incidents over the past decade, I must note that at targeting the coronavirus biomedical research activities and use of remote work platforms have been taken very seriously by Homeland Security and law enforcement within the Trump administration. The administration has done what is expected of cybersecurity professionals, against harmful cyber incidents wherever and whenever threats are found. I think we all want the cybersecurity to be effective. To this end, it is imperative that Congress and this committee fully evaluate the reasons why the commission recommended the statutory creation of the National Cyber Director. The main questions I have toward this goal are, is it necessary to create another federal office to have someone truly in charge, and, if so, will that official, in fact, have enough authority to make the decisions that need to be made? Will everyone else fall in line and work in harmony? We know that multiple federal agencies have a piece of the cybersecurity pie, so by authorizing a new oversight and coordinating official, are we legitimately creating a system for prepared to face growing cyber threats?
Will the National Cyber Director utilize the existing cyber leadership and expertise in our government, or do we risk making that pie bigger and creating duplicating functions? Will a National Cyber Director add value to the nation's cybersecurity infrastructure, or should we align and support systems already in place? I look forward to hearing about tangible expectations of how a National Cyber Director would respond and how this might be better than the system already in place. In a fluid environment, when response team and expertise are paramount, we could not afford to introduce inefficiencies or bureaucratic hurdles to respond in real time. Madam Chairwoman, I think we agree our cybersecurity enterprise deserves a supportive public policy that will not hinder dynamic focused and strategic planning and operation. I'm pleased to work with you on this issue, but again I want to ensure we're not fostering redundant efforts across the federal cyber sector. In establishing a Senate-confirmed cybersecurity leader, we need to be comfortable in limiting presidential prerogative to implement preferred policies on behalf of the American people. Again, I appreciate this opportunity to review this recommendation and hear from these expert witnesses. I yield back.

Rep. Maloney: Thank you, Mr. Comer. I now recognize the distinguished chairman of the Subcommittee on National Security, Mr. Lynch, for opening statement.

Lynch: Thank you, Madam Chair, and thank you for today's important hearing on H.R. 7331, which allowed for the creation of a National Cyber Director, which is an idea that is not only reasonable but necessary and long overdue given the world in which we live. I'm well aware of the lengthy review and study that Mr. Langevin has engaged in over the years on this issue. He has been nothing short of relentless in his mission, and I thank him and our friend and colleague Mr.
Gallagher for their bipartisan commitment to defending our nation's cybersecurity and for their testimony before our committee. I also want to take a minute just to thank the original cosponsors of H.R. 7331. For years, national experts have considered cyber to be the battlefield of the future, and for anyone paying attention, that future is already here. Back in 2014, hackers likely affiliated with the Chinese government breached the information system of the Office of Personnel Management, compromising the data of at least 22 million people, including, most notably, federal employees, who had either applied for or received security clearances for access to classified information. We're also well aware of Russia's sweeping and systemic efforts in 2016 by hacking the computer network of the Democratic National Committee and attempting to penetrate the election infrastructure in all 50 states. To speak to some of Mr. Comer's concerns, most recently, our National Security Subcommittee staff, which I chair, we held a briefing with the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency to discuss the latest uptick in cyber attacks during the coronavirus pandemic against the federal government agencies, research, and academic institutions, and even private citizens. During the briefing, our committee was told that every institution or agency conducting coronavirus vaccine research is a current target for foreign cyber attackers. As our intelligence agencies warned before 9/11, the system is blinking red. Only two years ago, then-National Security Adviser John Bolton dismantled the position at National Security Council, leaving U.S. cybersecurity policy rudderless and disjointed.
The need for greater leadership and strategic planning, and policy coordination to ensure the security of our nation and the cyber domain could not be more urgent or important, so I'm pleased to support H.R. 7331, which would allow for the creation of a National Cyber Director, and I would encourage all of my colleagues to do the same. Again, I want to thank the chairwoman for her willingness to hold this hearing today, and I want to thank all of our witnesses for testifying. I look forward to the discussion and for building greater bipartisanship and consensus around the importance of H.R. 7331. Lastly, I'm also in a markup over in T&I, I'm at the Capitol today, where I have an amendment pending so I'll have to jump out and jump back in. I apologize for that, but that is our schedule. I yield back. Thank you, Madam Chair.

Rep. Maloney: Thank you, Mr. Lynch. I now recognize Mr. Grossman for an opening statement.

Grossman: OK. Can you hear me?

Rep. Maloney: Yes, we can hear you.

Rep. Grossman: Good. Good. I appreciate this opportunity in my role, first of all it is good to see we have a witness here from Wisconsin. So I thank you for bringing him in. I appreciate this opportunity in my role as Ranking Member of the National Security Subcommittee and oversight to address an issue with major national security ramifications. As Ranking Member Comer addressed in the opening comments, our nation's adversaries will stop at nothing to steal our secrets, commercial expertise, and sensitive information held on a sprawling computer network connecting public and private sector organizations. Chief among the cyber offenders is the Chinese government. As President Trump said, we have been treated unfairly by the Chinese. Oftentimes, this well-intentioned global posture costs the United States our valuable intellectual property, which flows out of our nation's research institutions into Chinese hands.
The hearing today will help us determine whether our federal government needs support in defending against the high-stakes malicious cyber attacks and continuing intrusions. One of the proposals by the Cyberspace Solarium Commission was the formation of a new National Cyber Director and Senate-confirmed official inside of the White House. While I appreciate the commission's desire to ensure that the federal government's cybersecurity infrastructure includes a one-stop shop for cyber guidelines, I wonder whether we might be too quick to create yet another new bureaucracy but not considering potential downsides to this reform. We must keep in mind the Trump administration's success in protecting our last midterm elections from disruptive cyber incidents and the administration's strong stance against those who wish to take advantage of international attempts to exploit the technology challenges presented by the pandemic. Would we be doing a disservice to agencies that have responses for our nation? I want to keep an open mind on the merits of any proposal to improve our national security, and I appreciate today's witnesses and the time and attention that they have each dedicated to protecting our nation's information and critical infrastructures. I look forward to the witnesses' testimony and their perspective and whether a National Cyber Director will add value to the framework to properly deconflict and coordinate responses to cyber attacks against our government and private sector. Thank you, Chairman Maloney, and my counterpart on the National Security Subcommittee, ranking and rankingch, member Comer in the pressing issues. I look forward to working with you to make sure we strengthen cybersecurity against any types of threats or any foes that wish to do Americans harm. I yield back.

Rep. Maloney: Thank you. I will now introduce our first candidate consisting of our colleagues here in the House of Representatives who served on the U.S.
Cyberspace Solarium Commission. Congressman Jim Langevin of Rhode Island, commissioner and chairman of the Emerging Threats and Capabilities Subcommittee of the House Armed Services Committee, who has been championing this effort for many, many years, and Congressman Mike Gallagher of Wisconsin, co-chair of the commission and a proud new father of Grace Ellen Gallagher. Congratulations on truly life's greatest experience, becoming a father, and it is the best job in the world. So we're very pleased to have you both here today. With that, you are now recognized to provide your testimony.

Rep. Langevin: Great. Well, thank you. And good afternoon, Chairwoman Maloney, Ranking Member Comer, and distinguished members of the committee. It is always humbling to sit on this side of the table, the witness table, even when it is virtual. And I want to begin my remarks by thanking all of you for the important work that you do. I particularly want to thank Chairwoman Maloney for convening this hearing and for her partnership in raising the issue of creating a National Cyber Director. I join you today as a representative of the Cyberspace Solarium Commission, and I'm proud to be joined by Mike Gallagher, one of the co-chairs of the commission, and I congratulate him on his newest father in the House, and congratulations, Mike. And I know you're coming off paternity leave to be here for this hearing. So thanks and I commend you for your work. In the 2019 National Defense Authorization Act, Congress charged the commission with developing a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequence. In our first meeting, however, outside experts on congressional commissions told us that we were attempting the impossible. We were trying to have a 9/11 Commission level of impact without the precipitating event of a September 11th. Well, Madam Chair, I reject that cynical view.
I believe that if we come together in a nonpartisan fashion to implement the commission recommendations, we could alter the trend that sees our cyber risk grow year after year. We could push back on our adversaries who see the cyber domain as the ultimate terrain for operations in the gray zone short of war. We could seize the initiative and ensure that we are not left to wonder the day after an attack what more could we have done. So that is how I view the work of the Cyberspace Solarium. That is the urgency I bring to the table, and more so than any of the other 82 recommendations the commission proposed, the National Cyber Director is essential to seizing the initiative from our adversaries. It is essential, because cybersecurity permeates every aspect of our society and every aspect of our government. Every department and agency, from the Department of Agriculture to the Department of Veterans Affairs, relies on secure information technology to conduct business. Yet, very few of them have cybersecurity as part of their mission, nor is it their primary focus. Because cybersecurity is difficult to measure, we end up with misaligned incentives. People skimp on cybersecurity, because they would invest on operational programs in their department. We need a strong leader in the White House to defeat the inertia that pushes down the role or until a devastating breach occurs. We need a strong cyber leader in the White House to coordinate strategy. Beyond government systems, our national and economic security rely on critical infrastructure, most of which is owned and operated by the private sector. Where once we could rely on two oceans and friendly neighbors to insulate us, today our banks and hospitals and power plants are on the front lines of shadow campaigns to undermine our way of life. Only within the White House could we break down agency silos to ensure that we have a whole-of-nation effort to protect our networks.
Finally, we need a National Cyber Director in the White House to coordinate incident response. We're living through a public health crisis, the likes of which we have not seen in over a century. When our adversaries strike us in cyberspace, we must be prepared to defend early to stamp out the infections from computer viruses, to quarantine affected networks, and to inoculate uninfected machines by patching them. This is only possible with the National Cyber Director. This idea, of course, is not new. I worked on it with the CSIS commission for the 44th presidency in 2008. But as my friend Mr. Gallagher has taken great pains to describe at length, the Solarium process has a way of refining one's thinking. We debated the proposal extensively, and were very deliberate in our decision making. We chose an office in the White House, because only the White House could truly reach across departments and agencies to manage a risk so pervasive as cyber. We chose a Senate-confirmed position, because congressional oversight and buy-in is critical to the success of the office. We chose to preserve a coordinated rather than operational to the role because our cyber defenders need, advice. Madam Chair, just to conclude, there are some that argue that the National Cyber Director is congressional overreach. There are those who say that the president is the ultimate arbiter of the Executive Office of the President and that Congress has no business interfering in these Article Two affairs. Those people, respectfully, disregard history, as Congress has helped to guide White House structure in the past when the moment demanded it, such as when Congress created the Office of Science and Technology Policy or the U.S. Trade Representative. But more concerning to me is that these people implicitly endorse the status quo, and that scares me because every day I wake up and see our adversaries making gains in cyberspace.
I saw it under President Bush, I saw it under President Obama, and I see it today under President Trump. And president. Shaping norms that suit their interest on the international stage, striking at our partners and allies and attempting to undermine our elections. Agenda,me we set the wishing back on our competitors and shaping their behavior by improving our resilience and strengthening the cyber ecosystem. That, it haswith been one of the most rewarding experiences of my life. In normas dedication of our immensely talented staff are reflected in the bill that we are discussing today. It is an honor to have the opportunity extended before you and I look forward to answering any questions you may have.

Thank you so much, Congressman. Thank you for your leadership for the security of our nation. Mr. Gallagher.

Thank you for the kind words about my newborn daughter. If I pass out during this hearing, it is because I am not only nervous to be on the wrong side of the hearing but because I have not had much sleep. We are truly blessed and I appreciate the kind words. Keep establishments to defend property or territory or rights abroad or at sea. We keep the security forces to defend a way of life. And now, emerging technology powered by stronger and more capable digital networks is being infused into every part of our government, economy and way of life. How we navigate the resulting opportunities and challenges will determine the effectiveness of our nation to deal with future cyber-driven or cyber-enabled contingencies. For the past 20 years, commission initiative studies and four presidential administrations have been challenged to define an effective national-level establishment for coordinating cyber strategy, policy and operations. And I believe it is imperative that we have cyber office and leaders within the White House. What that position would entail was one of the most spirited and important debates we had over the course of the commission.
And my colleague was absolutely incredible in his thought leadership and dedication. I learned a ton from him throughout. Due to Jim's leadership, we considered how to address the gap in leadership coordination, two, whether to recommend Senate confirmation and the size, scope and structure of the authorities of the leadership office. We decided the federal government would be better equipped strengthening existing department and agency efforts, including the Cybersecurity and Infrastructure Security Agency, rather than the creation of a new department that many advocate for. Without a new agency, the commission deemed the cyber coordinator position be essential to give the position to have a high enough level of prominence to effectively coordinate national strategy and provide much-needed leadership internationally, with state, local, tribal and territorial governments and the private sector. And in recognition of that, the need for better cooperation, the Chamber of Commerce recognize the National Cyber Director Act. The commission spent an enormous amount of time weighing the pros and cons of this position and contemplating the stature of the position. We determined that requiring it to be Senate-confirmed, similar to the way U.S. Trade Representative is Senate-confirmed, would not only signal that Congress is committed to cyber issues but afford us as legislators a level of access to that conversation. But also the person that occupies that position a level of political support that bipartisan endorsement would bring while maintaining the discretion of the president in selecting that candidate. Making the role Senate-confirmed would in other words provide greater permanence by institutionalizing the position's existence and ensuring the role would endure throughout presidential transitions and not just be dependent on the whim of a particular president or a particular national security advisor.
I understand there are those, particularly my Republican colleagues, that are skeptical that this is an added layer of bureaucracy. I came into this discussion with that as my ideological prior. But unless you believe that the status quo is indeed getting the job done. Unless you believe we are at present well structured to avoid a cyber 9/11 as my colleague referred to, then you have to consider how we could make a meaningful reform of the status quo. Rather than creating an entirely new agency, which would take years to create, which would be much more complex and further muddy the bureaucratic waters, I believe I view a single focal point in the White House, a single person, to quote my co-chair, Angus King, a single throat to choke, someone who is responsible for the effort, to be the least bureaucratic, the least onerous and the most efficient of all possible options. It gives Congress a greater window into the discussion as I alluded to. I believe that we in Congress must sufficiently enable the federal government to create cohesive national strategy and defense in cyber domain as we do in all other domains of battle, and we must do so today. I urge you to support the recommendation on the creation of National Cyber Directors so that in Ike's words, we will fight in all elements as one single concentrated effort. With that, I will close my comments. I thank you for your time and consideration.

Thank you, Mr. Gallagher. This is truly bipartisan. We will limit questions for the first panel. Mr. Gallagher, I will want to start with you. The coronavirus crisis has exposed a shocking number of ways in which our country failed to prepare for what many called the inevitable. In our increasingly connected and technology-driven world, many experts warned that a large-scale cyber attack is inevitable. Mr. Gallagher, between lessons learned in the coronavirus pandemic and how these lessons can inform our preparation for significant cyber attacks.
Can you share some of these parallels in your recommendations with us? Thank you.

Absolutely. They are not perfectly analogous events. I would highlight a few similarities. First, both the pandemic and significant cyber attack can be global in nature, requiring that nations simultaneously look inwards to manage a crisis as well as work across borders to contain its spread. Both are difficult to contain across borders as well. I would argue the coronavirus pandemic and a significant cyber attack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordinating mechanisms, as we are discovering right now with every state, county, city, government and a bunch of nonprofits having to figure out how they can work together in order to slow the spread of the disease. Finally, perhaps most importantly, I would argue the similarity that prevention is far cheaper and pre-established relationships far more effective than a strategy based solely on detection and response. That is why if you read our broader Cyberspace Solarium report, which we had the unfortunate time of releasing on March 12, 2020, the last week we were in session in House before shutting down, you will see that a lot of what we are trying to boom for aess of better term. Figure out how we can force the federal government in partnership with Congress and territorial governments to think through the unthinkable. How can we rapidly restore our economy in the event of a cyber attack to be able to come back stronger and strike back against our enemies and therefore restore deterrence. I will be cautious about extending the similarities between the pandemic and a cyber attack too far. Those three stand out in my mind.

Thank you very much. Mr. Langevin, can you share examples of how the coronavirus pandemic has led to additional cybersecurity challenges?

Sure. Thank you for the question, Madam Chair.
Pandemicnly that influence has shown the challenges of needing a coordinated response. And if used have response and many people in charge, for example, leaving it to the states makes it more challenging to have a cohesive direction in which to go. We want to make sure that with respect to a cyber incident that w in terms of preplanning, looking the most vulnerable areas, figuring out how we can make our cyber networks more resilient and how will we get them back up and running more quickly. In the actual incident if it were to occur that you have a single point of contact that is both the principal advisor to the president and the coordinator to bring the interagency together for the National Security Councils together or the economics occur to council to lay out options and have a more coordinated response.

Nd th how would establishing this role have made a difference in the COVID-19 pandemic?

Two response in the COVID-19 pandemic? It is more analogous to how we would respond to a cyber attack with intrusions on our elections. There are certainly the limits of cyber response to COVID. For example, what we know of the Chinese and other entities trying to steal intellectual property for the development of the coronavirus, I have seen therapeutics. Pointld have a more vocal in which the cyber director would be able to corneille the department agencies or private sector entities to effectively corneille the response that needs to be taken to protect those networks and that intellectual property from occurring in the first place.

You, your opinion of establishing a National Partner directive is an essential to ensuring the U.S. is in the best position to prevent a crisis.

I certainly feel that that is the most effective way to both prevent and also respond to a cyber incident of significant consequence. We thought this through clearly.
, the colleague pointed out various ways we could have gone, having the authority in a new havingcurity agency or it at the Senate-confirmed executive office of the position, we thought this was the best way to go of the various options we would have recommended. Create a news not excessive bureaucracy. I believe it is streamlined and focused. It gives strategic guidance and both advice to the president. Authoritiesting makes sure they are pointed in the same direction in the event of a cyber incident.

Mr. Gallagher, if you want to answer that?

I would second Jim's for months. It is a necessary but insufficient recommendation. If you read our final report, what you would see is a genuine attempt from commissioners on both sides of the aisle to elevate and empower existing agencies rather than create a bunch of overlapping new bureaucratic structures. I want to commend the work of a lot of great leaders we have at the NSA who have learned a lot of lessons in the past four years. We are not saying they haven't done good work. We view this as a way to better empower them and build upon the lessons of the last few years.

With the commissioner and my bipartisan colleagues. I thank you all for your hard work today. I now recognize the distinguished Ranking Member for five minutes for questions.

Thank you, Chairwoman. I had a very good conversation with Jim yesterday about this legislation. I will direct my questions to my good friend, Mike Gallagher. The National Cyber Director legislation create budgetary hurdles in how it works with the Office of Management and Budget that might artificially constrain a president's cyber policy decisions?

We examined that in depth. Ultimately I don't think so. Our construct,in giving the National Cyber Director budget certification authority.
Which effectively means he has the ability to look at various executive branch agencies when it comes to cyber elements within their budget and flag, effectively, for the president something of concern. The president retains the ultimate authority to adjudicate that dispute. If there were a disagreement between OMB and the National Cyber director, as there is often disagreement with executive branch agencies. They can adjudicate those disputes and choose whether or not to follow the advice of the National Cyber director. While the cyber director would have budget certification authority, he cannot go in and mess the entire process up, for lack of a better way to describe it. I have heard different people describe what they view this might entail. Would the new office comprise a large new staff? I have heard between 75 and 100 new staffers. Obviously that would create a new bureaucracy. We are always careful about creating a bureaucracy. What is the prediction of a budget? How much would this cost? How many staffers are we talking about? As we estimate, 75 is about right. I understand your concern. That is not nothing. That would replace about the 15 that are there right now. I just would say if you look right now at the comparison of people and resources we devote toward offensive operations, what they have to do, you will see thousands of personnel difference. Even though we would be adding anywhere between 75 to 100, that would be a small step toward correcting the imbalance, given the White House purview into defensive operations. What the budgetary impact of that would be, we think it would be in the low, about ten million dollars. That depends on whether these people 10 million to 15 million dollars. It is a growing of the office in the organization. That is consistent with precedent with other confirmed offices within the Executive Office of the President. Understand the concern and appreciate the effort here to alleviate that.
If this is staffed by career officials or detailees from other agencies, why something that this president has been battling for the last 3.5 years? I don't doubt that this is a problem within the executive branch. Having worked in the executive branch, there is always a tendency, if you are a bureaucrat, you sort of believe in the status quo. The old saying goes, where you stand depends on where you sit. At the end of the day, that is a broader cultural issue where everybody who works in the executive branch, whether they are wearing a uniform or are a civilian, needs to understand they work for the president regardless of the president's party. I don't think it solves that problem. I don't think it would make it dramatically worse. Curiosity, have you had any conversations with anyone in the White House to gauge their level of support or opposition for this proposal? I have had conversations with the White House. Good deal. My time is about to expire. I have the utmost respect for Representative Gallagher. You are one of the foremost experts on cybersecurity. I appreciate what you are doing here. I look forward to further conversations. With that, madam chairman, I yield back. Thank you. I now recognize the senior making member of the subcommittee of National Security. Can you hear me? Um. Can you hear me? Yes. Loud and clear. Take a position on whether cybersecurity has improved over the years? Has it gotten better or worse? Will offer my view. I think after a year of conversations with a lot of talented people in DOD, many of whom participated in the commission, I think we have gotten a lot better. A lot of that is due to legislation that we have passed in Congress. On our services committee, we have devolved greater authority down to lower levels so that people can operate with cyber with the speed and agility that is necessary to have an effect.
I think if you look at lessons learned from 2016, there was a concerted effort in 2018 to protect our democracy. I have been very impressed with the work of the general and a lot of dedicated cyber warriors. If I could add, I would agree with Mike. I oversee both NSA and U.S. Cyber Command. I see the extraordinary work that the general and his team have done with Cyber Command, also sitting on the Homeland Security Committee. That committee helps oversee CISA. We are organized to combat this threat. The organizations do guidance. We are more forward leaning, extending forward if you will. I think we were probably too reserved in past years. In the coming construct, we are forward leaning. It is defending early. Or defending forward. I think it is the right strategy. Adversaries are getting more effective and successful and sophisticated in their ability to carry out cyber attacks and the consequences. We need to continue to evolve. That is why this new added position will help us get even better. Do we have a databank of breaches or incidents that we feel we will try to prevent in the future? People rattle off. This is an example I use frequently. The breach that happened in personnel management happened because there was a department. Why don't you rattle off the three or four worst breaches. Monic lines the incident that occurred. The Sony breach that North Korea carried out. The first one was one of the most costly cyber incidents that occurred in world history. And mirskyex billions of dollars in lost revenue when their computers were wiped out or damaged. So, the amount of intellectual property stuff it has incurred over the years has cost U.S. jobs and economic competitiveness to the tune of hundreds of billions of dollars if not trillions of dollars. The list goes on. Not to mention, of course, the amount of personal information that has been stolen. We are getting better at responding to and protecting these things. I missed something.
One of you guys talked about John Bolton dismantling some agency or commission or whatever. Could you go over that a little bit? If I could jump in on that, I know Mike will want to comment. Under every administration we were making forward progress on cybersecurity. John Bolton was the first person in the administration to take us back when we limited the Cyber Security coordination admission. Have budgetary authority but at least it was there. Michael Daniel was the cybersecurity coordinator under President Obama. Rob Joyce. It hits me as odd, whatever his logic was. He sold the president a bill of goods. I think he might argue he is streamlining the overall NSC process and his successor has tried to continue that process. I think what we are arguing is even that status quo with the cyber coordinator was thepositioned to get overall interagency, interdisciplinary oversight you need of cyber, as well as develop long-term expertise. To go back to the Senate Confirmed for, we want this person to not only have the ear of the president but be a single bellybutton that we as legislators can push to get answers when it comes to Congress. As per your earlier question, throughout our report, we go through the major infiltrations attributed to China, North Korea, Iran, as well as nonstate actors and lay it out. One that comes to mind for me is the defense died from 2006 through 2018. Having systematic espionage campaigns, stealing information from over 100,000 U.S. and navy personnel. In addition to OPM, I have the letter I received framed somewhere in my basement, saying my records have been hacked. There have been little attempt to ask to extract data and compromise the data of military personnel. I did not even know, Mike. That, e tries to do it depends. There has been lag time in protection for some of the major breaches we have had. I would say we have gotten better in detecting how this happens.
We will have testimony from a variety of experts like our former colleague Mike Rogers who can speak to that. I think we are getting better at rapid detection and rapid attribution and a better process for response. As Jim rightly pointed out, the threats are getting better as well. Better at anonymizing the origin of the threat. Thank you. Thank you very much to my esteemed colleagues for their work on the commission and for sharing their work with us today. Would either of you like to stay for panel two? You have been generous with your time. Would you like to stay? Yes, I would like to stay for a bit. Ask that a letter of endorsement of the National Cyber director of the U.S. Chamber of Commerce be added into the record? Absolutely. I have the markup going right now. I may have to go in and out. If you will indulge me, I may not be able to attend the whole second session. Now, I would like to introduce the second panel. Honorable and the general gentlemen from Wisconsin. I will now introduce Mike Rogers, select committee on intelligence from 2011 through 2015. Michael Daniel, president and CEO of the Cyber Threat Alliance. Former cybersecurity coordinator for President Obama from 2012 through 2017. CEO of the U.S. Computer. The senior advisor for homeland security of the interNational Security program that interprets strategic and international studies. Cyberspacer of U.S. Commissions. The founder and executive director of George Mason University's National Security Institute. The witnesses will be unmuted. Do you swear the testimony you are about to give is the truth, the whole truth and nothing but the truth, so help you God? I do. I do. I do. Let the record show the witnesses answered in the affirmative. Thank you, and without objection, the written statements will be made part of the record. With that, Chairman Rogers, nice to see you again. You are recognized to provide your testimony. Thank you.
It is good to see so many colleagues I had the privilege to work with and new ones as well. Beyond a panel of very distinguished experts, this has been a long journey for me, madam chair, to get to where I would sit in front of the community and say I would sit in asnt of the cyber director. Two congressmen both reminded me over the years about how I was wrong. They have invited me to dinner under the understanding that they want to watch me eat crow as I testified today in my support for the National Cyber Director bill that you propose today. I will tell you why. I looked at it, certainly when I was chairman. Prior to being chairman on the Intelligence Committee and in my private sector life through the policy work and the study of the presidency, we can get how we can combat this threat. In the private sector, I have some cybersecurity startup companies that have had the opportunity to view how the government is doing some of these things and offer products out into the commercial market to help defend our private sector from the rest of cybersecurity threats. All of those things have led me to change my mind. I look back and have a lot of the same argument. Myself and Representative Palmer were sitting in a meeting in 2008. I think it would have been two people on one side of the table and two people on the other. I was worried about this expansion. There was talk about an agency or a czar. I did not think we should go there. We had lots and lots of discussions. What I find this bill does that was different than previous discussions is that it does not expand government, which I am concerned about. It focuses government. If we need anything now in the cyberspace, we need focus on what our government is doing and does not have the right resources. We have taken steps in the past. The federal Security Management act of 2000 seven got us started. There was a modernization in 2014.
Imagine if you take the quarterback and not let the quarterback train with a few Football Team all year until the first game. We will have problems. This is how we have set up the ability to monitor and oversee the large enterprise which is the federal government. If you think about it, there has been a lot of talk about incidents and we need to be prepared there. Think of the agencies. I will read all three of them. I went online in the Inspector General report and there are hundreds and hundreds of these. There are auditors getting paid to come in and basically review the cybersecurity programs that they are meeting federal guidelines. We think of the big ones but we do not think of the committee for purchase from people who are blind or severely disabled and think of the information that those organizations have that are pretty sensitive information. The Pension Benefit Guarantee Corporation. I have dozens of these. I could go through them for hours. All of these agencies who are absolutely under siege today, think of it, billions of times a day, somebody is getting up in the morning with a sole purpose and job to try to penetrate the U.S. government at any level. That happens every single day. Every agency I mentioned plus the others are under siege from either espionage or destruction of data. That is happening and it is happening in a pretty big and significant way. We will need to do something. We are looking at it from the wrong end. I will tell you two reasons why. My testimony highlights some of the threats we have been dealing with. I want to give you an example of why we have to change the way we are thinking. We cannot expect to do it the same way and expect a different outcome. There was an OIG inspection of a particular agency of which we would all be concerned about if that data were exposed. What they found is they found about 25 serious changes that needed to be made in 2019. Here is the conclusion.
Outside firm, hired to come in to say these are the things you're doing wrong. We will be back next year to see if you have corrected them. Next year, right? A year in cyberspace is a lifetime. A quarterly report is a lifetime. That means we have lots of exposure there. This is the one that got me. Here is one of the recommendations. If this agency continues to delay corrective actions, a material weakness in information technology security control may be reported in 2020. That tells me that we are not prepared for the threat that is knocking on our door today. Part of the reason is they have to coordinate through a whole series to give you a little bit of its all in the. They had to do a DHS and coordinate with all of these different agencies to come up with what the guidelines are to move out. All of those agencies are under owner tax. They have their own cyber operations, by the way. There is no person or organizations that over the top of this say they will be either the cavalry to help you in your deficiencies or help you find out what is wrong and fix it in a short order. Nothing is steering that. We are going to need help. We are going to have other incidents. We are one keystroke away from an incident that has major consequences in the United States. Why? We are under siege. The Chinese has been highlighted in intellectual property theft and now disruption. They like to disrupt things. If the American people stop trusting their institutions to the point where it is not operable, China wins. Russia wins, Iran wins. North Korea wins. And they all know it. I want to read you this quick quote if I may. This was done by a general from Russia. A perfectly frightening state can, in a matter of months or even days, be transformed into an arena of fierce armed conflict, become a victim of foreign intervention and sink into a web of chaos. Humanitarian catastrophe and civil war. The role of nonmilitary means and of achieving political goals has grown.
He is talking about cybersecurity and cyber influence operations and disruption of cyber activities for the public to lose trust. And in many cases, these tools have exceeded the power and force of weapons in their effectiveness. That was 2013. Fast-forward with what has happened since 2013. We watched the Russians engaged in aggressive information operation including the attempts to penetrate networks which to disrupt things. Was determinedid to be penetrated. They tried to penetrate our stock market. Disruption leads to chaos which leads to distrust in the American institution. This is as serious a problem as we can get. The conclusion I came to, I will have to eat crow with my good friends, is that if we don't have something, I don't agree with the big agencies. If we don't have something that does not expand government but focuses our cybersecurity efforts, we are going to be in for a long run. We have had these conversations. We have admired the problem, worshiped the problem. Now we have to do something about it. I think this agency will help all of the agencies get to where they need to go. That is why I am before the committee today offering my support for this legislation. Thank you so much, Chairman Rogers. That was a powerful and moving presentation. Mr. Daniel, you are now recognized. Thank you. Good afternoon. Thank you, Chairwoman Maloney and other distinguished members of the committee, for the opportunity to testify before you today on the topic of this legislation and the National Cyber director. I am happy to be on the panel with people that I consider friends and colleagues. All of whom we have worked together and have known each other for many years. As you might imagine, I think about this issue a lot. I served for 4.5 years as the assistant to the president in the cybersecurity coordinator under President Obama's National Security Council staff. I have served as the president and CEO of the Cyber Threat Alliance.
Cybersecurity is a tough issue for almost any organization to manage. That is certainly true for the federal government. Digital dependence continues to increase, something we have talked about this morning and this afternoon already, it is imperative for the government to get better at managing cybersecurity. One aspect that makes cybersecurity to clearly tougher the federal government is that it does not fit neatly into one bureaucratic bucket. Cybersecurity is a national security, economic security, commercial, intelligence, law enforcement, public safety, military, foreign policy issue all rolled into one. At the same time, cybersecurity is interdependent, just like the internet. All of those aspects that I mentioned are connected and they all affect each other. They affect each other in some unanticipated ways. That means all of these disparate pieces have to coordinate and work together in order for the whole to be effective and not undermine each other. To some of the questions and commentary from the first panel, we have made excellent progress over the last two decades laying the foundation for better cybersecurity. We put in place better policies. We enacted laws, including the Cybersecurity Information Sharing Act of 2015. Put in organizational structures fi. Visit za. We face impediments. The lack of information across agencies and the need for response coordination and the need for complexity. After wrestling with these issues for several years, we need a strong position along the lines of a National Cyber director like the bill the representative is sponsoring. I do not come to this conclusion lightly. Prior to serving as the cybersecurity coordinator, I have spent 17.5 years at the Office of Management and Budget. Omb personser natural skepticism for creating new entities in the government. In this case, I think it is the only viable approach we have.
In particular, an EOP-level organization is the only one that will be able to overcome a significant factor in the federal bureaucracy and that is the "you are not the boss of me" problem. That is rampant among federal agencies and only something centered at the White House can overcome that. That said, I would urge Congress to think through the scope and authorities at this position very carefully. It would be easy to get it wrong. And to end up with something that does take up bureaucratic bandwidth and does not focus on things like Congressman Rogers recommended. Most importantly, this position has to cover all of the aspects of cybersecurity and not just some of them. It has to have oversight of law enforcement, military and intelligence related offensive and defensive. Andannot exclude that excite the physicians to be a success. Even in the EOP, it will not be effective. It has to have a big enough office to get the job done but not so big that it is tempted to become operational. And it needs to have a clear relationship with the federal f. And the federal iza. Cybersecurity is not just a technical problem. It is an organizational problem. We need to take additional organizational steps to address it. We have taken the first few steps and it is time to create a position that can bring it all together. Thank you for giving me the opportunity to testify. I am looking forward to your questions. Thank you very much. Thank you. Now, mr. , you are now recognized. Maloney, thank you for the opportunity to testify today. I would like to thank rep senate of gators the rep. Sinema representatives for their leadership. I would also like to thank Chairwoman Maloney for serving as cosponsor of the bill. Provider ofleading information technologies. Solutions for just about every department and agency of the federal government and many state and local governments, our customers include over 50 of the Fortune 500 and over 25 of the Global 2000.
Tens of thousands of midsized companies in major industries. We are instrumental to helping the nation and organizations around the world understand and reduce cyber risk. HR 7331, the nation has the opportunity to significantly improve cyber preparedness. My support is for the need of stronger enterprise practices across the government and across the nation. Requires aon Risk Response and a new standard across the entire nation. This includes every aspect of government as well as the private industry. Government services and the critical functions that citizens rely on. The White House would be helpful in coordinating a whole government understanding of cyber risk to reduce cyber risk and coordinate responses when needed. The National Cyber director is needed to ensure the government holds itself and industries accountable for care with regard to cybersecurity. Today, there remains a lackadaisical approach, resulting in the vast supermajority of today's breaches. Negligent behavior can lead to helplessness. Have undermined the proposed legislation. In my written testimony, I recommended augmenting the authorities under 7331 to include establishing a national encryption policy that balances the need of law enforcement with cybersecurity safety. Coordinating with regulatory agencies with policies and practices which can improve the understanding of cyber risk. Focus efforts on workforce to moment initiatives with greater inclusiveness. Elop and maintain. It will be difficult to overstate the cyber risk that we face today. Governments and businesses utilize prosecuting and international technologies. These technologies optimize production and increased sustainability. They also expand the overall cybersecurity attack surface. A need to be an integral part of risk management practices.
These risk management practices must include service and industries essential to our safety and wellbeing such as power, water, transportation and health care as well as our industrial productions. The risk is more than a technical one. It is political, it is social, it is physical and it is economic. Cybersecurity connects essentially threaten our way of life. There are important steps that we can take to improve our cybersecurity posture in advance of a national crisis. Those steps include the creation of an office of a National Cyber director at the White House. Chairwoman Maloney, I will be happy to respond to your questions. Thank you. You are now recognized. Thank you, Chairwoman Maloney and members of the committee. Thank you for this opportunity to be here today to testify in support of the cyberspace recommendation to establish a cyber director. It is an honor to be here with my distinguished witnesses and former colleagues. It was a particular honor to serve on the commission alongside rep. Sinema gallagher and other commissioners. It is inspiring to see the bipartisan and nonpartisan approach that the commissioners brought to the work of the commission. This recommendation is no exception. Commission noted the considered alternative approaches to address what we all agreed was an urgent need for stronger coordination, engagement of cybersecurity and for more robust strategic planning and prioritization to guide those efforts. The first panel addressed the alternatives so I will not go through them again. I wanted to emphasize the pulling themnst out of the department and agencies where they reside and putting them together in a new department of cybersecurity. I am strongly opposed to the creation of such a department because it would not solve our key coordination challenges and would cause huge disruption with little to no gain.
The most important and challenging coordination issues in the interagency, in my experience, arise between bmd elements, including NSA, law enforcement, especially the FBI, and DHS. Iot will not relinquish their cyber activities to a new department. Nor will FBI turn over its law enforcement activity. Thus the new department would still face those key coordination challenges. The cyber director, on the other hand, could and must be empowered to address these key coordination challenges with the backing of the president. The NCD must have the authority to convene and get information from the law enforcement and Intelligence Committee and the DHS and specific agencies about their operational plan and strategy. Another important reason I have opposed a new cybersecurity department is the risk that it would become singularly focused on technology. I watched this happen with our WMD efforts in the 90s when I was at the Central Intelligence Agency, where folks working nuclear nonproliferation focused entirely on the technical aspects and failed to adequately integrate the regional experts and those studying the political and dynamics within various countries. I see the same tendencies in cyber. We tend to turn to technical experts and they focus on the technical aspects, even though we know that understanding and mitigating cyber risks requires a much broader approach that fully recognizes the human element, integrates cyber and physical risks, including knowledge of the operational environment, whether it is financial services, electricity or infrastructure. I always warned that a new cyber department would be staffed by technical experts and too focused on technical aspects. This could happen to the office of the National Cyber director as well. It is something we must guard against. But, sitting within the White House structure, having responsibility for agency coordination and working closely should help guard against that tendency.
Another of the key recommendations is strengthening and reinforcing the great work that I used to lead at the nhs called Cybersecurity and Infrastructure Security Agency. One of their greatest barriers to effective operations is that numerous agencies compete for resources and authorities. The NCD can support and enable CISA. The NCD is not intended to direct or manage implementation of strategy by any federal agency. But, responsible for overall integration and execution of defensive strategies across the executive branch through strategic policy operations and budgets. The National Cyber director should do only what the agency and department leads cannot do themselves. They should ensure visibility on operational activities and help push the process to active into actual decisions. It will fail if it adds further typing and bureaucracy. Instead, the NCD needs to help to power, prioritize much-needed support for existing cyber entities within the U.S. government. Thank you very much. I look forward to your questions. Thank you. Mr. Jaffer, you are now recognized. What? Go to questions? Yes. OK. I recognize myself for five minutes for questions. Thank you very much to all of the panelists for your testimony. I want to dig a little deeper to the 2017 malware attack executed by North Korea. The attack disabled hundreds of thousands of computers in more than 150 countries. It even shut down a portion of Britain's National Health Service for a week. Chairman Rogers, can you describe the potential effect a cyber attack on critical infrastructure like this could have in the United States? It was North Korea, it was a ransomware-based attack that in some ways did not have a way to pay back the ransom. It was the least capable actor, even highend at a highend and it had a global wide impact. They could not actually access the right, appropriate records for the surgeons to do a surgery. You can imagine the health impacts of that sort.
[indiscernible] Part of it was they could not control it. It fed on itself and spread without them directing it which probablye problem of not toptier nationstate acting. They have gotten better. That is the scary part. When we look at the trends, we know where the biggest adversaries are coming from. China uses all of its state power to do and set themselves up for influence around the world. They use diplomacy. If you look at the fact that they confiscated masks from rightful contract owners that they were going to be delivered to, gave them to entities in China so they could deliver them in a way to try to get credit for their influence operation, they used military defense and intelligence cyber operations. They used cyber operations for espionage. I would look at all of the ways they are coming at us. What we know is they would love to get access to people's data from a nation-state perspective. But also cyber criminals. Organized cyber criminals and others who would love to get the data that the U.S. government collects from U.S. citizens. Everything from food stamp participation. Think of all of the information you have to give in order to get that program qualified. The federal guidance sitting in a repository for federal government, that is valuable to a cyber thief. I would look at this. That was a massive attack by a nation-state. We have all of these other attacks underneath us. Again, that is my argument for the cyber director. Not just somebody to incident respond. You want somebody for precrisis. How do you help these agencies, not hurt them or hit them with a club when they are not doing it right, but help them through what they need to look like in their cyber shops and the kind of tools that we do. Can we do this with a collective defense mentality so that when one gets attacked, everybody knows what the threat is moving forward? That is the way I would look at this. Let's try to be precrisis.
Having the director whose sole job is to think through all of those problems, my argument would be we will be better off. There is lots of talent. Mr. Gallagher and Mr. Langevin highlighted it. We need to coordinate it. Focus it on the problem that helps us the most. What would happen if one of these companies was compromised, and can you talk about the attack? Arehe effects of the attack outage can certainly ensue. In other cases, it is more of preparation where information is being compromised but the adversary has no desire to create an outage, unless it is during a time of crisis. The impacts here could vary greatly, and it is one of the reasons why we need a systemic understanding of risk and why a National Cyber director needs to work closely with the regulatory agencies that do exist, to make sure we are implementing a standard of care that makes sense, that we don't see the continued negligent behavior where enterprises are not maintaining good hygiene of their systems, not providing patches and updates in doing maintenance that is required to keep them in a secure state. This sort of poor hygiene results in a supermajority of breaches perpetrated by North Korea and a lot of damaging ones we have heard and a lot of these high-profile cases. Do you believe this would help the federal government address these concerns more effectively? There is no question in my mind, having done cybersecurity for over 25 years and having spent time in multiple departments of the federal government, as well as surveying with cybersecurity products to the private sector and now also helping the federal government with technologies to protect itself. This would help provide a coordinating capability and bring maximum understanding and appropriate resources to bear in a coordinated fashion. I think it was said that the preparation work we do now has significant impact on how we deal with the questions we face down the road.
I think the creation of this office and role are absolutely critical steps. Thank you. I now want to call on jamil jaffer, who disappeared for a while but is now back for his testimony. Thank you so much for the opportunity, and apologies for the technical difficulties. Thank you for inviting me here today. Members of this committee will know, Cyber Threats face the United States. It is no overstatement to say that we are at war in cyberspace. As a nation, we remain woefully unprepared to deal with this conflict. Lawyers makeable with whether we are actually at war and may point down but the fact is for the better part of a decade, our nation has been involved in consistent ongoing series of complex cyberspace at a low level. We know the question has had an impact on our nation and its allies. The former nsa director said chairman rogers on this panel called attention to this economic pressure by china and referred to the fact that we are in an economic cyber war nearly 10 years ago. We have also seen countries like north korea and iran engage in the destruction of data in the United States in the last half decade. Iran has been actively preparing for Cyber Attacks. To be sure, while we played a role in some of this, the chinese and russians both know this, we have seen them mucking around with more covert operations and the killing of george floyd. We may see the same players become more active during the election cycle. Three years ago, cybersecurity posed a greater risk to the safety and health of our finances. We know what threat ourrsecurity poses to country and our economy. These efforts represent the uniquely challenging threat to our economy and our way of life. The question becomes what should we do about it, and how much of cyber can creating a new director in the white house help? Having a key strategic leader in the white house is important but i am skeptical of having a large in the need to have that set up have that Senate Confirmed. 
The white house would be opposed to you to get another Senate Confirmed position. They may consider creating an option that is smaller and more leadership oriented. The committee could work with the president to ensure that that person has a rank and stature of an assistant to the president. There is no doubt that all the cooks in the kitchen from dhs to coordination,r more aggressive coordination is necessary. Billy question to consider is whether that can wither that requires Senate Confirmation and a 75 office. On that note, i am skeptical. I have a lot of respect for that position. With that, thank you and apologies again for the technical difficulties earlier. Thank you for your testimony. I would like to ask you about the 2017 russian cyberattack, that froze Computer Systems in exchange for ransom. In ukraine, the attack at hospitals, power companies, airports, impacting every federal agency. The u. S. Is not immune. This attack hit fedex and a direct company, costing each more than 300 billion in lost business and cleanup. How great is the risk of a in thecale ransom attack United States today? It is a huge issue. It was a carefully crafted attack by russia against ukraine. What happened was collateral damage. The mostcompanies, destructive attack in the history of humankind and as you mention, over five International Countries suffered between 250 million and 300 million in damage. You very well may be attacked because you may be collateral damage. Thank you. A centralized cybersecurity coordinator at the white house deemed essential to ensure the agility needed to respond to attacks. The rankingize member of congress for his questions. Thank you chairwoman. My first question would be for mr. Daniel. Could you walk me through how a major cyber incident currently proceeds through the federal government and how that would change with the advent of a new cyber director? Sure. 
I think right now, it depends on who first becomes aware of that incident. It depends on it that incident disclosed by a private sector fbi or entity, or to the the nsa. At some point, if it gets big enough, that those entities would eventually share that information with some of the other elements of the u. S. Government, and then the government would need to do an assessment on whether that incident actually represents something that is more systemic. Is it going to turn into a WannaCry and proliferate across most of the economy or is it limited? Then the government would need to do an assessment on whether or not a response is warranted, based on that incident. I think in that case, it is where you would when you start to look at how the u. S. Government responds, that is where you want that coordination, that intense level of coordination to come together. Just because an attack comes through cyberspace doesn't mean the only response needs to be back at the adversary through cyberspace. You might want to use other policy tools to respond. That is why that coordination factor across all different elements of power is so important. Be forext question will mr. Jaffer. Earlier this month and a joint Public Service announcement by and securityi, agencies, the fbi reported it is investigating targeting and compromise of u. S. Organizations conducting covid19 research. There is reason to believe china is attempting to exploit the recent pandemic to hack into u. S. Businesses conducting research on the very virus originating its own country. Mr. Jaffer, could you explain some of the methods china is using to steal Critical Research into this virus or if you have no insight, describe the various ways china accomplishes its many cyber intrusions. Thank you. Engaged in have been this effort to steal American Intellectual properties of the better part of a decade and a half. 
It was only when general alexander came out and was talking about what is happening with china that the public became aware that it is only in recent weeks and months that we have become aware that our supply chain depends on china when it comes to ppe in pharmaceuticals. We realize that has expanded well beyond that. Is builta is doing their economy on the backs of american innovation, american r d. Why a huawei router looks like a cisco router, that is because they stole it. They are trying to do the same thing in the covid arena. Trying to get out ahead of this and have the vaccine first and grow their economy on the backs of our we cannot let that happen. The president has been very aggressive in pursuing china on that. Hearing and itis has always been clear that cybersecurity is a huge threat to the United States. We talk about china being one of respectt actors, with to cybersecurity threats, cybersecurity violations. You look more china and see they have been stealing patents for years, intellectual properties, who knows what all they have done with respect to covid19. I think we would like to get to know that. Time in thist of Committee Investigating russia. I believe the American People, the taxpayers would be better served if we spent a little bit of time investigating china. So in closing, i would really encourage you to consider devoting a little bit of time in this committee to investigating china, whether it be covid19, our intellectual property, patents, whether it be cybersecurity threats, things of that nature. That is my encouragement to you as we proceed and hopefully Work Together in a bipartisan way, but i want to thank all the witnesses for being here today and i look forward to further discussion of this proposal and with that, I yield back. Go to ms. Will norton. Can you hear me and see me? I want to thank the chair for this really important and timely hearing. 
Because i represent the Nation's Capital, i have a special interest in this hearing. Cities, butmost big we are not just any big city. To what hasgoes already happened to some big cities. I don't know who should answer this, perhaps starting with mr. Rogers. We have already seen that hadher big city actually ransomware shut down altogether, grounding all of their operations to a halt. Imagine if that happens to the capital of the United States. Fortified here in the Nation's Capital and other against a similar shutdown of all operations, locking out the city altogether. Thank you. We have seen this ransomware activity for multiple years now and it became more and more aggressive, meaning it was spreading amongst International Organized Crime groups and others seeking to gain revenue from this, including the North Koreans who used Ransomware Attacks to gain revenue for the government. Early on, i hate to say about my brother and in the fbi, their recommendations to some of these companies were that they should trouble he just pay at because we don't have any way to intercede to do anything about it, so you had Major Hospital organizations, the los angeles Hospital System comes to mind as one of the early cases, where just he having to pay for it. Isis a real threat and this one of the problems with cybersecurity. The nsa does not protect the private sector in the country. It is a common myth that they are protecting everybody. They are not, they are protecting the government and doing collection activities targeted at overseas adversaries. We have this really uneven ability to stop this in cities across america and candidly, i think most cities in america are not prepared for this. They have old systems, they haven't spent the money to upgrade their systems and then provide a level of protection. That is why people are going to cities, because they believe they are the most vulnerable. It is not the nsa's job to protect detroit, michigan. That is not what they do. 
It is up to the private sector and the cities to develop systems they can put in place, look at collective defense. This is why a coordinated effort out of the white house, all of our agencies getting pointed in the right direction they maybe if it helps get the department of Homeland Security, helping with the problems they really have. We are a long way from those cities being protected and as more organizations take on nation-state quality tradecraft, meaning the russian tradecraft to penetrate networks, the more susceptible we are, and we are seeing that, that leaching of nation-state quality in cyberspace. We are up for a really bumpy road in the next few years, outside of the u. S. Government across both the private sector and local and state governments. Nervy really a really unnerving. When all know what happens you pay at. More people are deciding they want to get in and extract money and that is the problem we are running into. Remaining,ime i have i can't help but ask about we have had most of our primaries and i am wondering if any of you perhaps beginning with you mr. Rogers, have seen any interference, any evidence of interference with our elections. We have seen it with Financial Institutions worldwide. How about interference with our elections such as in the alteration in election results. I can tell you in some of my private work i do, we haven't seen any flip one vote to another vote. Large, in fact, writ seen going into 2018 that are adversaries tried to influence elections by creating chaos and we need to be really careful about saying republican versus democrat. They don't care, they don't like democrats anymore than they like republican americans. They are trying to create this chaos in these elections. 
I thought the did a phenomenal job in 2018, playing that my camel game to push them back, they announced this is very effective, very low consequences, so we are going to ramp up our engagement and trying create this chaos going forward. It is something that i think we absolutely have to Pay Attention to, or ember it is very cheap for them. They don't have to develop a naval fleet and then stock it. Are states and cities aware enough so that when they see are states equipped to fight back? We only have a couple months to be tested. It is difficult for states and local governments to do this. We need to ask ourselves, what we want our high tier performing National Federal agencies to do for us. Can be very help in trying to stop this across the United States, mainly because it is a very sophisticated nation-state actor activity. There are some other groups out there that are trying to get into this game, that are worrisome, but i think we should employ all the tools that we have. This is where i think congressional oversight is so important. You have to encourage them. I wanted to follow up on that. I think we have a lot of tools at our disposal. Laying the groundwork, with Election Security response get abilities for each of those jurisdictions, but there are other things, state and local governments have very limited resources. Those are being exacerbated by their response to corona and with a heightened threat. Even additional coordination and policy directing from the federal government can have a huge impact. Thank you very much. You are recognized. Thank you chairwoman. I'm going to go back to mr. Jaffer. I'm going to have you walk through you gave us some ideas of maybe this would be appropriate at the president ial level. Can you walk us through that a little bit more? Are four Senate Confirmed individuals in the white house. The director of omb, the u. S. Trade rep. 
Two really focus on Things Congress and the president share, trade on one hand and the power of the purse. Two that have been a lot less successful r. G. Largely because they are not shared relations. The challenge you have is that this is an area where the president this is a National Security responsibility. This is like warmaking in a lot of ways. The interference of elections and the like and they prioritize it, they made a responsibility thehat is a good example in way that congress can work with the white house to solve these problems. Mike rogers, looking from the outside, you have been part of. He matrix of congress do you agree with anything that mr. Jaffer has said in that aspect? I do. I have the same sensitivities about do we want to really and i on the president wrestled with this a lot. The reason i think i have come full circle and this is because i have seen it from the private sector side as well as being chairman of intel and i thought we could do this and this isn't a republican or democrat thing. The Bush Administration had an effort at this, the Obama Administration had an effort at this and the Trump Administration took a very different take on how they wanted to do it. My argument is none of it really works to our advantage. When you look at the series of challenges, and this is why. This is not to me some semantic argument about should we or shouldn't we. China,ajor adversary, russia, north korea, there are upers, but they are ramping the use of cyber because they know it has low consequence and high impact. If you look at kim jong-un who says thing that is going to keep me in charge is Nuclear Weapons and cybersecurity, offensive cybersecurity. He is investing in it. We know the chinese are spending billions of dollars. They announced they will spend 1 trillion to try and have a technological edge in quantum computing, 5g buildout, ai research, including cyber capability and data control. 
They are moving away from building large defensive military posture and i am for that. What their diet but they are doing is trying to spend it targeting us and if we keep doing it the same way, we are going to keep having the same response and the ig response we have now is basically i caught you for the last 12 months doing something wrong, i will come see you in the next 12 months to see if you get it right. That is not working and it will not get work. We are getting our lunch ate under that plan. Let's have some office that has some authority. Dod, to deal in this. Nobody wants to listen and anybody. You have to have a committee to settle on the way forward. You need somebody to say i am here to help we will get that piece right in fixed this piece and coordinate resources. I will reach over to nsa talent and who knows, department of agriculture to figure this out. We will include all that. We don't have that today in that regard, and that to me has to change. If we can find another way, great but i like this way because it puts it at the feet of an individual to fix this problem. Looking at the legislation as any additions or subtractions to it that would keep it on a desired pathway? Withre is where i agree jamil. He and i have these conversations often when we were working in the intelligence space. You want to make sure we are not propping a bureaucracy here. If everybody gets to say no and sign off, we lose. It has to be smaller and more agile. I would be worried about the body count. Maybe 75 is right, i don't know but we need to make sure that it is agile enough in its strategic advice that it actually do something. Actseds to Say Department department x, you haven't performed. I'm going to help you get where you want to go. The devil is in those details. 
I am talking even offensive policy, defensive policy, all of these agencies that people don't know are out there working and have this Sensitive Data that nobody thinks that loves them are great for cybersecurity. That is why you need somebody to Pay Attention to it every single day. Thank you. I yield back. Chairman connelly is recognized. Thank you to our panel. Fascinating conversations. Congratulations on the work of the Cyberspace Division and this piece of legislation. I want to go to practicality. I have spent 12 years of my life in congress focused on federal i. T. , modernizing federal i. T. Spent the money is maintaining legacy systems, many of which cannot be encrypted. They can't be updated for 21st century cyber protection. Raise some concerns. Mr. Daniel and miss spalding, you both kind of touched on it. Mr. Daniel, you were in the white house. We have a cio in the white house, we have a ceo in the white house, we have a chief Information Security officer in the white house and we have the office of science, technology and cyber. All of those offices right now bear responsibility in some measure for i. T. Investments in the federal government, trying to modernize and protect in terms of cyber. How will the creation of a cyber czar work with those other offices? Authority will he or she have to help upgrade? Upgrade a legacy system is going to cost billions of dollars and multiple years. We have been trying to exhort federal agencies to make those investments. Will the cyber czar have superseding authority with respect to the kind of investments they can make? Will he or she be required to report to the ceo and cio in charge of setting goals for the government which includes a cyber but are not limited to cyber? I am supportive of this legislation but worried about its execution. 
Worried about overlap and what could go wrong with this in terms of coordination and maybe i could start with you, given your experience, bizarrely those are real concerns. Do you share them and what protections can we take in creating this position to avoid the inevitable conflict that could ensue? Thank you. I certainly agree that this position would need to work very closely with the federal cio, and the way that i look at it is that you would want to have this position those offices are designed to focus exclusively on the security of federal networks, and that would be one element of a National Cyber director's portfolio. What you would want is that position working closely with those individuals to be able to highlight the threats to federal networks across the broader policy space to advocate on behalf of investments, and certainly one of the challenges that agencies have is that it is relatively easier to get operational money, to keep the old stuff going and it is much harder to get procurement money to upgrade things, so there is a structural problem in the process for how we go about funding upgrades and that creates an incentive for agencies to keep old stuff around for forever, which is inherently harder to secure. What you would hope is that a National Cyber director would also be able to help bring in expertise from the private sector, to help the federal and what ofo better the structural changes we can make across the federal government? At some level it is kind of ridiculous to expect to really be focused and good at cybersecurity. We need to look at more cross Agency Support for cybersecurity so we not expecting every agency to be really good at their cybersecurity. Instead, thinking about the economic principle of comparative advantage. 
I would hope and expect that we would work closely together, but we are addressing a bill here, we are codifying a position and i want to do more than hope that they coordinate, i want to make sure we get it right so that this person, this position can hit the ground running with defined responsibilities because if we don't get this right, they will build up bureaucratic resistance. That incertainly seen cio. We have done that with cio and the bureaucracy just gangs up on them because they are outsiders, and as a result, they fail. I just of them, but wanted to share that concern. The witness can respond to your question. You i certainly agree that requiring some coordination with the federal cio and the federal system whose job is to focus on cybersecurity could be useful. It is those individuals who should focus specifically on that task and this would just be one aspect of something that a National Cyber director would have to be concerned about. Thank you. The next speaker is now recognized. My first question which i think should be everyone's first question is what is the budget for this proposed office of the National Cyber director and the second part of that question is in addition to the 75 employees that are anticipated, what percent of the money is going to go to contractors? We don't know what the committees will give it. Authorities to bring from other parts of the government as well as the outside experts. This could grow beyond that. There is a lot of room depending make a bigmay difference. That is a question i would like to. Thatere on the Commission Recommended this position right? Advocate for Civil Liberties and privacy on that commission and if so, why is there not in this proposed legislation? I know you probably didn't write the legislation, but there are two Deputy Directors but i don't see a Deputy Director for Civil Liberties or an advocate for privacy. Should there be one, and was that discussed in the commission? 
That is an excellent question. Have long records of being advocate for Civil Liberties and for privacy throughout my career. I think a number of us on the commission came together with those equities very much in mind. There was no specific person designated for that. I think certainly privacy is one thate values and interests cybersecurity is intended to protect. Cybersecurityts, is built into our efforts privacy is built into our efforts to strengthen cybersecurity. There are times in which the way you approach cybersecurity issues may have implications in other contexts for privacy and Civil Liberties. Your point is well taken, and i think there ought to be an emphasis, i am not sure a director specifically for that, but certainly when i was with the department of Homeland Security, i valued very highly, andng a specific individual staff focused on privacy and Civil Liberties issues, and found their input and insight extremely important and valuable. I would like to see that defined legislatively if we create this office because there always seems to be a bias in the other direction, so we need an advocate there. Mr. Jaffer, what does it mean to have a list of trusted vendors when those vendors are putting a backdoor intentionally into their hardware and software? A secure cybere system in the government? We are sometimes even encouraging those vendors to put backdoors in. That is an important question you raised. At the end of the day, we have legislation that permits the government to obtain certain indication systems. That is typically the way in which Law Enforcement its access to telecoms. Whatoften than not, typically happens is the government will come to a provider with a court order. It does not typically happen in a cooperative manner, it is typically a legal process. There is usually a judge involved. 
There is a little bit of an oxymoron in creating a list of trusted vendors and then asking them to put a backdoor in their products. I am concerned about that. My final question is, what is the real responsibility of the government to provide security for a company like sony that has over ¥8 trillion in revenue every year? His time is expired. It is a great question. One of the challenges we have is today in our country, we expect, large and small, we expect them all to defend themselves against russian actors against nation-state actors with virtually unlimited human and monetary resources. We have to get those companies that come together for one and provides it back to industries in actual form to help them defend themselves. We owe them better and we are not doing that right now. If i could interrupt, i think there is a misperception here. I don't think we are dealing with sophisticated adversaries. Many companies are falling victim through simple negligence and not applying a standard of care with their system and i think the line of questioning is important and why it is important to have the cyber director position is to balance the equities of Law Enforcement where there are proposals to create backdoors and weaken the encryption of commercial products. There is intelligence gain and loss decisions, Law Enforcement considerations in creating norms of behavior in all of these things are being done without having a National Policy at the White House Level that can consider all of these different eachies, it is often department and agency running on their own with little coordination. I want to salute our colleagues for extremely and forng presentation their hard bipartisan work on this legislation. I am kind of puzzled the history of this and i was hoping that mr. Rogers might start off by clarifying some things for me. 2014 with the massive cyber breach by china and that cause massive damage to our country. 
In 2016, we experienced a sweeping and systematic cyber attack on our elections by vladimir putin, causing incalculable damage to our democracy and social cohesion in the United States of america. Caught, we have been totally unaware and seemingly unprepared for the coronavirus epidemic, which was denied and andissed and trivialized, wrapped in magical thinking. Now we lead the world in case count and death count while our allies have the virus on the run. If everybody is responsible for something, nobody is responsible and it seems overwhelmingly compelling to me that the purpose of this legislation is right, which is we need someone who is coordinating our cyber defenses at a time when all of these weaknesses and vulnerabilities have been repeatedly demonstrated by attacks. My first question for mr. Rogers is why has it taken us so long to get to this point? What has slowed us down? That may be the Million Dollar question. When we went back and looked at this, the first time china was publicly named as this increased actor in cyber intellectual property theft, even though we had known it was going on for years, it was 2010, because the Bush Administration said we were not exposing that yet, even in the early days of the Obama Administration. A pretty forceful argument about making this public. We've only been talking about it publicly for 10 years. I think the public is slowly coming around. There was a recent poll that said 81 of americans believe that there will be a cyberattack of significance on the United States. We didn't have anything like that in 2010. People thought we were crazy. Public opinion has been slow to catch up. We are in a very different place now. There is no system out there that is completely impenetrable. If it is connected to the internet, you are vulnerable. Anytime you break up our efforts to try and do this. 
If the nsa has one mission and the fbi has another, they are not talking to each other. It happens in private sector, local and state government. If you look at what the chinese were able to do, this was very typical in the omb breach, the typical espionage activity where they are going to take 17 million records of very Sensitive Information. All of that information was. Aken they areind out people interested in spying on, either with classification or youve realm,n to the defense that is a brilliant government espionage activity. We really have to change the way we think about these threats. Can i follow up with you? What is terrifying to me is that our failed response to the coronavirus pandemic has exposed a lot of vulnerabilities to foreign governments that may mean to do us harm and they may figure we don't have the preparedness, we don't have the social cohesion to respond to a massive threat on our infrastructure. If you would just put this in a geopolitical context, what is the imperative to act now? I think that is two conversations, one on the supply chain. The witness may answer the question. [indiscernible] security is a very important discussion congress is going to have to weigh in on. I would protect our ability to surge on critical items. These nation-states, our big adversaries, have focused their efforts. Russia realizes they don't need to build an aircraft carrier, they can just shut down electricity or because distrust of the American People with their government. It has an outsized impact on what they are trying to do. All of them have stepped up their game. That is why to me, this is so important. Candidly, we are in a cyber war today. People don't realize it. People who say it is not really a war, i disagree. They are causing destruction, disruption and chaos. 
We ought to have one focus on this so we can coordinate our government and focus it in the solution. The other lesson from the pandemic is what happens if we don't have strong coordination and a coherent response in a crisis. Thank you. Mr. Grossman. Can you hear me? Are you there? Can you hear me? Yes. Unmute. Can you unmute? Can you hear me now? I can hear you now. Yes. Ok. I have a question here. First question is, when we confront china or russia about this, what are they saying? What is their response to bringing this up to them? Having engaged them on this topic directly, most of the time they deny it. Naturally, they deny most they would say we must be mistaken and could we please provide all the detailed evidence for how we found that out so we can expose our intelligence methods to them so they can prevent us from they it in the future, and might say it is a rogue element they weren't in control of and it wasn't really them. Their course will never accept responsibility for doing that. That said, we have engaged with them in other ways to try and push forward and push back on their activities. I have a question for ms. Spalding, we ask this earlier, how a major cyber incident proceeds through the government. I want to expand a little bit on that. This is stepbystep, based on your experience. What happens when an incident is reported in either the private sector or a Government Agency? What happens from discovery to response? Trigger andugh the how would this change if we got a National Cyber director? Michael daniels explained, it depends on how this information comes in to the government. It might come in first to the National Cyber Security Communications integration center, or the ops center at the director of the department of Homeland Security. 
We would often get reports from private Sector Companies that they are seeing malicious activity but it is equally likely to come into the fbi. Then the players, the dhs, the nsa would usually the get on the phone together, though often there are reps at the ops center at dhs, but the information would be shared, and then a decision has to be made very quickly depending on the nature of the event and if the government is going to step in, on what is most important. Sometimes you and will try to do this at the same time, but you will often have to prioritize. Are we going to put our priority on getting Law Enforcement in to do attribution and figure out who is behind this . Legitimate equities, but sometimes they cant both happen at once. Conversations ensue to determine how to prioritize that. The advantage that a National Cyber director can bring to bear on this, is to deconflict those competing equities quickly. Time is of the essence to make sure that we can get in and do what is most important first, even as we are trying to accomplish all of the other equities. Thank you. Next question, we talked about russia and china and north korea. I could take a shot at that. You said there was more than the four. There are countries who are engaged in ramping up their Cyber Capabilities who might not be targeting the United States. Leaked nationstate capabilities from russia into former eastern bloc criminal organizations. They may not look like a state but they perform like a state when it comes to cyberspace. There are countries that are probably best not discussed in argue orum, someone some would argue arent they friendly countries . You said some of our enemies were involved in the george floyd incident. Could you expand on that . We have seen reporting that the chinese you saw the refere Foreign Ministry to the plight of black americans. Care,inese dont actually they are currently interning one million muslims. We know what they are doing overtly. 
We have seen them operate covertly in similar cases and we have reason to believe they and the russians are involved in this effort to gaslight these debates. Could you give a specific example . I dont know that we have seen on point examples but i would bet dimes to dollars that we will see various examples coming out of facebook, twitter and the like. I would put my life on it. Time hasntlemans expired. Thank you much. Madam chair, did you recognize me . Yes i did. Thank you, i apologize, i did not hear you but iq for convening this hearing. I would also like to thank the commission for their detailed report. I want to focus on one key area that has been previously discussed. It is about the loss of hundreds of billions of dollars in intellectual property theft to nationstate sponsored type cyber espionage. Obviously the chief country responsible for that cyber ip theft has been china. We know china actively works with state owned and civilian corporations to steal ip from foreign sources, including the United States. According to a 2018 report released by the United States trade representative, theft of u. S. Intellectual property by china costs our economy up to 600 billion a year. Let me repeat that. 600 billion a year. The longterm damage of these losses simply cannot be fully quantified. Ms. Spalding, let me turn to you first. In developing your recommendations for the National Cyber director, did the Committee Structure the office with this persistent problem in mind and can you provide any any specifics as to how the director would address this issue . Absolutely, we did. The situation that you described really as addressed by a number of recommendations in the report. The private sector and government both have a Critical Role togovernment both have a cl role to play in stopping this theft of International Intellectual Property and it requires a true collaboration. 
We are the ones in government could have the National Technique and the exquisite intelligence capabilities to collect information about what nation states like china are engaged in and the kind of techniques that they are using. Researchivate sector community. The private sector businesses that are developing this intellectual property are in the best position to defend their networks armed with information from the governments. We have a number of recommendations to make sure the government is obligated to get that information to those private Sector Companies and the National Cyber director will have a key role in making sure thats happening. That has to be part of the by the that is evaluated National Cyber director. We need to have proactive plans, strategies for addressing this and thats planning capability across the agency has been lacking. Thes another key role for National Cyber director. Chairman rogers, you candidly we have not been successful. With this finally allow us to defend rip . I think it would put us in a better position. I think this is something we will have to continue to invent a better way to defend ourselves. S we get into 5g quantum, ai, all of that is going to change the way we look at security. Possibilitythe best to look into all of these new changes. Everyone keeps talking about that incident. Spalding on ms. Everything she said. The interesting high level of taskings for those assets is to stealerica credentials to get around firewalls so they can steal more information. Its really interesting. The nature of espionage is changing dramatically. They dont want you to just steal the secrets, they want you to steal the guy next to yous credentials to get into the network so they can be passed back to a more sophisticated penetration of your network. It makes it hard to put your arms around. 
Concern that if we as a country are unsuccessful at providing appropriate protection that we could see Companies Move their ip and businesses to countries that do provide protection . Many benefits to being an American Company wether its our labor law have to recognize this is the core of our innovation based. We have moved to an innovation economy. Undermined the capability of our economy to survive. Even if we think about rehoming american technology, weve got to protect that core that makes america so productive as a tontry which is that ability reinvent and monitor. Rep resented of ro khanna representative ro khanna is recognized. Thankant to representative lindemann and representative gallagher for their extraordinary work in helping come up with such a on aled proposal bipartisan basis. Representative lanterman has been working on this for many years and this is a passion of his that hes talked about often so im glad to see it come to fruition. Let me ask the panel, are there additional authorities that you think the National Cyber director should have . Certainly i think that it is important that as we structure that we make sure and not just be restricted to looking at network defense. Its got to be able to have the full weight of cap abilities that the government can bring to bear. Including military operations intelligence and Law Enforcement all the way across the board. This tot just restrict looking at the kinds of things that already does. Chris krebs does not need another boss. Its got to look across the entire federal government and all the tools of National Power that we have. I totally agree with michael on this point. I think the distinction is between having visibility. The National Spider director has to have visibility across the entire government. In order to make sure even between offensive and defensive operations, thats different from giving the National Cyber director directive authority. 
You dont want Law Enforcement activities being directed out of the white house. Directoront want this in war fighting clans. Critical that they not be excluded and that they have visibility because they need to be able to deconflict. I will give you example. Are fendingr banks off a lot of malicious activity from north korea trying to steal money from their system. That might not be the best time to ask the banks to impose implement sanctions against iran because we know iran retaliated in the past against our banks with malicious cyber activity. That is something the National Cyber director needs to be at the table to help with. Thank you. Additional cybersecurity recommendations you think we should be considering, in putting the Solarium Commission report came up with . There are a couple of really important ones. Share that in real time with industry. Sharing isnt enough. Youve got to collaborate in real time. That part of the report is really critical. As well as on continuity, economy and a variety of other areas. The Critical Infrastructure is all about the recommendations from the commission. 100 agree. The brush cleaning we can do to make us more competitive would be huge. Congress needs to Pay Attention. Chairman piatt has done the spectrum clearing, outrageously important if we are going to push back on chinese expansion. We have lots of gear around the country. I know people want to beat on them for. Theres lots of great effort in Congress Today about how do we get rid of that. It helps our own infrastructure ecosystem to do that. Huawei gear much quicker. They have a huge advantage putting this in a Competitive Position to do all the things my colleagues talked about. In the bestany is position to defend themselves and understand which of their systems is most critical and represent the greatest risk. There are opportunities of the commission. Things like increasing transparency. 
Having the interpretation by the requiring attestation from company ceos not on the level of security but just the fact that they have looked at their cyber managingare adequately cyber risk associated with their business. When you get things like that in place, he will increase the , attention,iene each enterprise ability to defend themselves. The amount of Economic Loss will go way down. Thats probably the single greatest move that we can do as a nation to improve our resilience and preparedness. I want to thank representative langa men and gallagher. At stanford they were talking about the cyber pearl harbor as the big fear and so many of the companies have talked about how we shouldnt have every company in this country required to have basically private armies to safeguard ourselves, that we need a national response. I will be supporting this legislation and appreciate everyone who helped put it together. Representative john faso banks, you arear recognized. Appreciate the panel. I want to thank my colleagues congressman lanterman and congressman gallagher for their efforts on this proposal which must support very strongly. Want to welcome back chairman rogers and thank the rest of their panelists for their testimony. Obviously one key responsibility of the National Cyber director is establishing and implementing a National Cyber strategy. In 2018 the Trump Administration cyber andtegrate interNational Power. Chairman rogers, can you speak to how the 2018 National Cyber strategy has been successful or not successful in that goal and how would the National Cyber strategy required by this will be different from that. What that strategy was meant to do in 2018 was bring us to a better place about coordination and understanding that our adversaries are using all the nation state power they can bring to pair bring to bear. Using that capability. China steals Economic Data to try to influence its trade negotiations. 
Cyberre using intelligence to influence all of those pressure points government has to bring to bear on a country. Its my understanding that the we arele was to say finally getting to understand that it is multidomain. We tend to set right diplomacy and the economy to a great degree in this country. How do we have everybody rowing the boat in the same direction understanding our adversaries. I think it is still a work in progress. Chairmand when i was and prior to being chairman. Bout what is offensive cyber are we allowed to protect ourselves if we know they are going to shoot at us in cyberspace. I have seen lots of folks say we have solved that question over the last 15 years. I dont believe we have today. Olved that we need to understand what tools in our toolkit do we have. Im not saying we should have another cyberattack back, but we really didnt and i dont think still to this day have a good definition of what we can do to prevent. I have heard the terms go through the years. Now we call it aggressive defense. Im interpreting you to say that the administrations thetegy was heading in direction that now the cyber takesor strategy required to a more coordinated and structural place. One key difference of the role envisioned by this will is that be empoweredwould with new Statutory Authority in terms of strategy which would include recommending changes to regarding agency organization, personnel resource allocation as well as certifying that the annual Budget Proposal for each federal department or agency is consistent with strategy. Hat makes a lot of sense mr. Daniel, i understand you spent of in years at omb. Do you think its important for the National Cyber director to have this Statutory Authority and how do you think the relationship with owen you would actually work in practice . Omb would actually work in practice . To work inpowered that budget process. A former director said policy without resources is a hallucination. 
Clearly the ability to influence and shape how we allocate resources is critically important. As a practical matter, i think what you would want to see is very close collaboration between thestaff associated and program examiners at omb. Omb is at its most effective when it works very closely across the entire white house with any of those white house elements to make sure budget supports the president s policies. You might even imagine a situation where you have program examiners detailed to this office to help provide connectivity and reach back and you would want them working hand in glove with each other to shape that president budget. Thats why having this lever like that Statutory Authority would be very helpful to the position. I now yield to katie porter. Thank you. First duty31, the listed for the National Cyber director is serving as the principal advisor to the Cyber Security, strategy and policy. Having essentially worked to achieve many of those functions yourself, can you give me concrete examples of how having a principal Cyber Security was important to the president s work and why is it important to formalize that role . When you look at an issue like Cyber Security that is so crosscutting that affects so many different policy areas from National Security policy to our economic policy, you want the president to have an advisor who focuses on this issue as part of her time. The main thing they focus on every day. Because it pervades so many of our policy issues now. If you want to decide what the u. S. Policy should be on everything from 5g to relations with china to how we are dealing with the middle east, cyber shoots through all of those things. Once the president to be able to draw upon somebody with expertise that can bring that cyber perspective to those issues so that you make a decision knowing what the effects on our Cyber Security might be for good or for ill. 
Makeimes you are going to decisions that may be have a negative effect on that for greater positive gain but you do that with full knowledge and not by accident. Thats why it is critically important that a Senior Adviser in the white house focus on this issue given its breath across so many policy areas now. I appreciate you flogging the role of expertise. Ask how Senate Confirmation would help us assure that. Do you remember anyone who the president appointed as one of the Cyber Security advisors in 2017 . Was very good on cyber. Would agree about the importance of expertise. I think the present also appointed mr. Giuliani and i think like so many of us and i think we are seeing this during work from home. Technology is frustrating and hard and we are all struggling to get our level of expertise of where it needs to be Cyber Security. I completely relate to the fact that mr. Giuliani after being appointed one of the Cyber Security advisors got frustrated with his iphone and went into a public apple store in San Francisco within a month of being appointed a principal Cyber Security advisor because he had entered his password wrong 10 times and was locked out of his iphone. I think this illustrates the gap between the rest of us who are trying to do our very level best and the need for a true expert at the very top of this. Would you agree with that . I completely agree. We are working a program at george mason where we are bringing technologists from around the country to train them on how Politics Technology works. Youre exactly right. There is no substitute for having real experts in this area. You, i knowto ask that hr seven would require the National Cyber director decision to be Senate Confirmed. Solariumxplain why the commission made that recommendation and how you would respond to concerns that that has the potential to create distrust between the president and the National Cyber director or do you think that concern is misplaced . 
Respect to that latter question about the potential impact on trust and the National Cyber director within the white house, i would point out that there are lots of Senate Confirmed positions within the white house including the omb director and i dont think anybody questions the level of trust with respect to that omb director. Iso think that concern misplaced. We talked a lot about whether the pros and cons of having this person senate can armed and ultimately the consensus was we should recommend Senate Confirmation. I think its critically important that congress have effective oversight and given the decentralized nature of Cyber Security, if congress doesnt have the ability to hold someone accountable and really have somebody they can turn to to get a coordinated and coherent picture of whats happening, its going to be very hard for congress to do effective oversight. Senateimportant, that conversation gives congress the ability. I think its important to note the bipartisan oversight that congress would be conducting. Thank you. Gentlelady yields back. Make a closingto comment . Covert e, covert. Would like to thank the witnesses again for this testimony. This is an issue that is bipartisan that we all care about on we are talking about cybersecurity. The question any of my colleagues have is whether we want to create another government bureaucracy and whats the total cost going to and how is this going to be able to work with the administration moving forward. Verythink this was helpful. I appreciate the conversation and the questions. Chair, with all due respect, i hope we can focus on china. Theres a huge demand across america. Fores a huge demand covid19 but also the Cyber Security breaches that are at the hands of china. I would and cured encourage future hearings to hold china accountable for their violations. For the hearing today. I yield back. Marks 100 this august years of womens suffrage, i want to conclude with one final question. 
Your written testimony addresses a lack of diversity in the cyber sector and how it contributes to shortage of talent in the Cybersecurity Workforce. Eup just 13 of the system Cybersecurity Workforce in north america. Newsee the nation needs a Cyber Workforce strategy that develops and advances the ranks of people from all walks of life. How the federal government effort to promote workforcein the cyber benefit the private sector . How would it benefit the private sector, more diversity . The most important thing when it comes to cybersecurity is reckoned rising the fact that what we are doing isnt getting the job done. We cant just have a continuation of the same approach that weve used in years past to deal with the threats that continued to evolve and as we deploy new technologies, they have new exposures and vulnerabilities. We need experts to come from diverse backgrounds and that certainly means people that are trained and disciplined in cyber. People with diverse backgrounds and other groups which are underrepresented in the cyber field and in the cyber domain. Government has an opportunity and a responsibility to help promote the diversity of thinking and the diversity of talent. Faster,help us innovate think outside the box and help maneuver our adversaries. Ms. Spalding, do you believe such an effort would advance innovation and give us a Competitive Edge globally . Absolutely. I couldnt agree more and of course the commission has a series of recommendations on building that Cyber Workforce including diversity and from a very basic perspective from my time at dhs, we have an urgent need to build the number of cyber talent and people that we have available to come into the workforce. We cannot afford to leave any part of our population on the sidelines of this effort. I agree with you and we can and must do more in this regard. 
I thank all of my colleagues for participation, particularly congressman Langevin and Gallagher and all of our witnesses for their passion and knowledge and all the information you gave us today. The creation of a National Cyber director is not something any of us take lightly. That this isclear something we cannot afford to delay. I also want to thank all of my colleagues across the aisle particularly for their questions and engagement. Its not every day that we can of bipartisan we have to agree on protecting our nation and protecting our people. Without objection, all members have five legislative days within which to submit additional written questions from the witnesses to the chair which will be forwarded to the witnesses for their response. Witness to please respond as promptly as you are able to and this hearing is adjourned. Thank you all.
