Replayhenry clay. Next, depending the u. S. From Cyber Attacks. Subcommittee held a hearing with members of the cyber space mission. Recommendations including ways to streamline information between the agencies. [silence]. Soon a good afternoon. Breaking members should be here shortly. He had a meeting off of the hill and partially. Inc. You senator blumenthal for being here. Senator purdue as well. We have a number of our other members joining us virtually today. Today the Cyber Security subcommittee welcomes the first time, collies to present the findings of the Cyberspace Solarium Commission rate our friend senator king, from a rep. Gallagher from wisconsin. They are joined by fellow commissioner and retired general john, professor of cyber studies at the u. S. Naval academy and former Deputy Director of the National Security agency. Welcome to all. Thank you for coming to discuss this important topic at todays hearing. I like to extend my congratulations as well to Mike Gallagher and his wife and by the recent birth of the baby girl grace. Good luck on your greatest adventure yet in all of the amazing moments yet to come associated with it. I would also like to recognize former staff and policy director Mark Montgomery who served as executive director of the public commission. Section 1652 of the fiscal year 2019 establish the Cyberspace Solarium Commission to study alternative strategies for defending the United States against malicious cyber activities and advancing National Interest in cyberspace. Among the strategies evaluated were cyber, persistent engagement, and compliance with International Norms. The commission has produced an impressive report that of kids combination of all three deterrence and rapid attribution, delivered chasing of International Norms progressive diplomacy and continued persistent engagement of malicious cyber adversaries. It also presents a number of reforms in many legislative format for deliberation. Of particular importance, the following recommendations. That the department of defense evaluate the size and capacity of the Cyber Mission forces. The department of defense taken expanded role in exercising and planning. Relevant to protection against Cyber Attacks causing significant consequence. In the department of defense and Cyber Security companies hunt on Defense Industrial place networks and ministration established a National Cyber director. These recommendations are valuable additions to the debate on what policies, programs, organization no con start full busted destination cyber securities. I am proud that we were able to incorporate 11 of these recommendations into the Committee Mark of the mba which several additional recommendations which work and partially outside of our jurisdiction lowering inc. Later on the floor discussion. While this hearing comes too late to inform this mark, three objects of the Commission Study remain relevant for the subcommittees oversight of the department of Cyber Strategy and operations for the committees conferencing of the him the aa. First and foremost i want to discuss the motivations behind the commissions recommendations and recent antics, further detailing the establishment of a National Cyber director. Hows interagency planning and execution process broken today. What authorities especially those relevant to the cyber action could be available to the director. The National Cyber director has to director coordinate the department of defense action in response to a Cyber Security incident of significant consequence. Since its establishment the subcommittee is focused on improving coordination among many relevant entities within the department of defense producer synchronized efforts in implementing and executing their cyberspace missions. I believe the principal cyber advisor was within the office of the secretary of defense has been particularly affected performing that particular oversight and coordination role and advising the secretary of defense this has been accomplished without the establishment from a large bureaucracy and appropriation of yet another cyber stovepipe within the due g. In this years permission strengthens the oversight and coronation role. I also sponsored a provision in the fiscal year 2020 and baa then principal Cyber Advisors for each Service Secretary to provide them with this critical coordination assets. The principal Cyber Advisors have the Department Little service for a while the proposal for National Cyber advisor concerns a national role. However, i think there may be some similarities between the functions of the principal Cyber Advisors the National Cyber director as envisioned by this commission. I would therefore appreciate discussion on the similarities and differences between the roles of the dod for principal Cyber Advisors and the proposed National Cyber director. Second i hope to better understand recommendations that the commission provided regarding the department of defense and cyber targeting. The Commission SeatCyber Command current plans and operations as matching the commissions recommendations and cyber terms. And engagement. Didnt find the departments aspirations for engagement of the adversaries to be realistic. And finally, want to hear how the department of defense and better execute his commission to protect the nation against russians, chinese, iranian, and north korean Cyber Attacks. What are the departments capabilities shortfalls. Question is will be in Emergency Response actions. Thank you for your diligent efforts in producing this report and for agreeing to testify before the subcommittee. And senator mentioned, welcome. Senator blumenthal set and to make sure that things were working the way theyre supposed to. You have an opening comments. Thank you very much and i appreciate that. And our dear friends, and representative Mike Gallagher. I guess mike is going to be on. Okay. They serve as cochairs on the commission and that this Committee Established in the mba. In the retired general who served as one of the commission members. Senator king of horses distinguished member of this committee. It represented gallagher, thank him for his work on this commission every Great Service in the house. Im chris is no stranger to this many and previously served as the director of service agency. Thank you chris for being here to predominate moment speaking about the efforts of this committee. And what lessons can we learn in the future pretty commission of the type is intended not just to educate congress. The executive branch of the public, intent is to forge a consensus on one need to be done to fix the problems the commission intensifies. However too often those recommendations are too vague or difficult for congress to legislate on. The questions and spent a lot of time and effort during those into actual draft legislation sprayed this was immensely important decision. If you have to turn 90 into a building which language that we have to really think it through result has to be compatible with the main purpose of congress which is drafting laws. To be sure weve had to modify these recommendations, sometimes significantly. But without those legislative drafts, much of the commissions work might already be can enter collecting dust on someones shelf. Instead they best majority recommendations for improving in one form or another in the mba a bill passed by the house and senate including a significant number number of recommendations across lines of multiple committees. This is no mean feat pretty getting approval from multiple amendments on the floor of the house and senate is extremely hard. Something to the senator king and mr. Gallagher know very well and were able to do it. One of the main and most influential commissioners recommendations is the integration of the National Cyber director. This recommendation is not popular with administration. We also concluded that the proposal needed a bit more polishing by the commission in order to better understand. What dispositions role should be. Senator king, and representative gallagher took the sub in the last couple of months and produce a very good proposal which we will talk about here today. The Commission Culture picturesy believe this is crucial to integrating this response to all of the departments and agencies will have to be involved in dealing with major Cyber Attacks. We must have the military cyber forces of the intelligence collectors, our Law Enforcement officers and Homeland Security operating as a team. Bringing all their authorities and resources to better account and attack. I hope the president Senior Advisors can be persuaded. Not to just accept the idea but to embrace and improve our National Security. Im greatly impressed with the efforts. I do have two concerns that i would like to address with the witnesses today. For the recommendation to require the reporting of all Critical Infrastructure. And in the department of homes e led department. We must do so without interrupting the established reporting. As Ranking Member of the Natural Resource committee upon example of the critical structure entity sprayed they should still report to their department of energy and intelligence should be made available to the eventual National Cyber director. Second the commissions report explicitly rejected a model to during major Cyber Attacks on Critical Infrastructure by assuring adversaries to contemplate such action within an response mainly retaliating against their Critical Infrastructure through Cyber Attacks. The commissions report suggests a retaliatory document going to an adversary and what to do to us. That is immoral. Even inconsistent with international law. Strategy of deterrence based on retaliation in kind, symmetrical against absurd as the basis of our Nuclear Deterrence that has been in place since the end of world war ii. We do not consider the strategy illegal or immoral or ineffective. Grover, the idea an adversary would be deterred from pinning her critical structure thread, we would disable the cyber forces in computers does not seem very likely to me. Even assuming that will be able to identify and incapacitate their cyber forces which i submit is not a certain momentary solution. And issues that cannot be resolved in the legislative cycle. Thank you, mr. Chairman look forward to hearing from our witnesses. Think it senator manchin. I think the best way to approach this, probably since youve done a combined Opening Statement which is in the record now, senator kain would you like to begin and then have representative gallagher and then finish up with the general if that works in terms of how you would like to proceed . Thank you, mr. Chairman. There are so many aspects of this and Opening Statement could go on all afternoon. Going to try very hard to make that not happen. Let make one point of the pandemic. Among all of the other things we have learned, think one of the most important things we have learned is that the unthinkable can happen. A year ago we would not have contemplated where we are now with a disease we are having to deal with on a worldwide basis. So it is with the cyber attack. It seems unthinkable, it seems the stuff of science fiction. And yet it can and it has happened. In fact it is happening right at this very moment. Our basic purpose in the work that we did on this commission. And i will outline how we proceeded, was to be the 911 commission without 911. Our whole purpose is to avoid not only a cyber catastrophe, but a death by a thousand cyber crimes. And that is really what we want to talk about here today. The commission, as you mention, mr. Chairman was set up almost two years ago in the National Defense authorization act. And our mission was to develop a comprehensive Cyber Strategy for the country and to recommend how it should be implemented. There were 14 members. I think part of this asset of the commission is how it was structured. There were 14 members. For members of congress, and then there were four members from the executive, from the relative agencies. And six members of the private sector. We had over 30 meetings. We had over 90 attendance in our meetings. We met in this building just downstairs. Over and over we had hundreds of documents, witnesses, and an immense amount of literatures general review of all of the ideas that could be brought before us on these subjects. I am proud to say the work of this commission was entirely nonpartisan. In fact, to this day, other than the four members of congress who wear their party labels on their sleeves, i have no idea the Party Affiliation of any of the other ten members of the commission. And i can honestly say in all those 30 meetings there is not a single comment, discussion, question that suggested any partisan content or any kind of partisan point of view in our commissions discussions. 400 interviews, we came up with 82 recommendations. Fiftyseven, as senator manchin mentioned were turned into actual legislative language. One of the basic principles of the report can be summarized in three words. Reorganization, resilience, and response. Reorganization, think we are going to talk a lot about today. How are we organized in order to meet this challenge . Secondly resilience. How do we build up our defenses so Cyber Attacks are ineffectiv ineffective. And that in itself is a deterrent for adversaries try it simply not worth it. The final is response. How do we develop the deterrent strategy that will actually work, particularly for a tax below the threshold of the use of force. We have not had a part of it we had in place for the problem is were being attacked in a lower level way continuously of us a theft of intellectual property, whether is that the possible of the opm records of millions of american citizens, whether its the attack on our election in 2016, that is the area where we remain vulnerable and we havent developed a deterrent policy. What is layered cyber deterrence . Which is a fundamental theory we have put forth. It is to shape behavior, is to deny benefits and it is to impose costs. I know were going to spend a great deal of time talk about the nation hundred National Cyber director. I want to address it briefly in these opening remarks. The mission and the structure of the National Cyber directors almost identical of the principal cyber adviser position that we created at the department of defense. The differences a wider scope. Just as we are preparing for the hearing, i made a quick list of seven or eight or nine federal agencies all which have cyber responsibility outside the department of defense. The fundamental purpose and structure of the National Director is to provide a person in the administration with the status and the advisory relationship with the president to oversee this diverse and dispersed authority throughout the federal government. For the same reason we created the cyber advisor with the department of defense we need to do it nationwide. And that is the fundamental purpose im sure we will be able to before have my statement ive to written records. One is a very strong letter from the very strong letter from the chamber of commerce endorsing the National Cyber director position. In the second is the testimony recently in the house by former representative michael rogers, former chair of the Intelligence Committee who confesses he is a one third 80 degrees change his position on the idea of a National Cyber director am steadfast opposition to very strong support. I would like to introduce both of those documents into the record with permission of the chair. Without objection. Ill end my comments now and we will be able to really discuss further details particularly on the National Cyber director recommendation as the hearing progresses. Thank you, mr. Chairman. Thank you, senator king. Represent of Michael Gallagher i believe you will be joining us roughly here are you ready sir . I am keen to hear me . Yes back off a little bit, were going to bring that volume down just a little bit here lets try that again. Okay hopefully thats a little bit better . Much better thank you. Welcome. Cement thank you, mr. Chairman thank you for your leadership in words my baby daughter. We do truly feel blessed and to make good friend, Ranking Member manchin and all the distinguished members of the committee to allows to testify on behalf of our portrait have amended source backed for this committee because before i was a member of the house i was a staffer in the senate which is to say theres a time i would used to eat yield real power thank you for letting me return to my roots in the senate. As senator king laid out our adversary Cyber Operation continued to increase in sophistication and frequency creating whats really an unacceptable risk to our National Security. Given what we know, state of art defense is a major disruptive cyber attack to Critical Infrastructure at this point is almost something to be expected. So therefore they have no choice but to hope for the best will plan for the worse. But this in mind i like to emphasize two critical proposals as we look ahead to the conference. First i strongly agree with my cochair, senator king on the importance of establishing a National Cyber director. The country needs students leadership on we all believe it the right balance of authority, necessary prominence of senate can confirm a National Cyber director within the office of the president that wields both budget and policy authority to coordinate cyber policy across the federal government. In my opinion of the opinion of the commission would bring the focus at Cyber Security desperately needs at the highest level of the federal government. Secondly like to highlight the necessity for continuity of the economy planning. We need resilience and redundancy in our Critical Infrastructure. National resilience fits takes planning. The pandemic is shown we are the economic disruption has on americans for Justice Without to the unthinkable and the earliest parts of the cold war, so to now we need to think through the unthinkable in terms of how we would rapidly recover in the wake of a major cyber attack that we have the ability to strike back with speed and agility against whoever chooses to test us. I would also say that to ensure the federal government ensures vulnerability Congress Must address a number of issues that impact multiple agencies that currently Work Together to protect her National Security in cyberspace. Just a few of our key recommendations on that front include one, the institutionalizing of the participation in private security initiatives, to establishing and funding a joint collaborative environment for sharing and viewing threat information. Three com establishing an integrated cyber center within the host that collaborative environment integrate our existing cyber centers. For, creating a joint cyber planning office. Five, conducting a biannual Senior Leadership cyber exercise to test our plans, playbooks and integration efforts were divinely six, establishing authority to Threat Hunting on all. Gov networks. All these provisions are included in the house version of the nba. Perhaps most important complete collusion what i will close on is that failure to act is not an option pretty well we have made remarkable progress in the last few years, the status quo is simply not getting the job done. The time to act is now. Thank you again for the opportunity to testify before a today of your commitment to american cybersecurity. Thank you very much for your Opening Statement. Now we will turn to Brigadier General retired mr. John english. Please read proceed. Thank you for all the Committee Members to testify today for the recommendations of the cyberspace. This last years been for me and honor the opportunity of a lifetime tear from the expert counsel of a broader with experts in Cyber Technology policy and operations across the continuum of private and public sectors to include consideration of how both allies and adversaries approach the challenge of defining and executing a National Cyber strategy. I backed my colleagues here and supported the overall report for recommendations and to urge you to him particular swiftly pass the provisions that will probably discuss in great detail today, not least of which the National Cyber director bridget that accented like to focus my opening remarks on the National Cyber director. This committee has done much to improve both the nations understanding and the militarys preparedness to deal with the challenges of cyber state. But we must still do more pride than military powers only one of the many instruments must be applied to achieve our aims in and through cyberspace. As you well know cyberspace is inexplicably linked to every other domain of human interest. Such that while cyber comprised of technology and the humans that make use of it there is an instrument of power in its own right. All other instrument of power increasingly depend upon a properly functioning cyberspace for the efficient and effective operation. The reverse is also true. Mainly the proper functioning of cyberspace relies upon the infective employment for the diverse array of the authorities, tools, and expertise. These are not held by one person, one organization or one sector. And they do not self organize into the coherence we required to ensure cyberspace is appropriately robust, resilient and well dependent against the increasing threats posed by transgressors who often operate with impunity. Holding both cyberspace and intern our Nation Security at risk. Our adversarys account to school on us for they routinely seize the initiative choose the time, place, manner of their transgressions without imagined or commonly accepted boundaries between the pervasively interconnected cyberspace that again operated by individuals, and governments as a collective whole. Absence of proactive joint effort on our side that gets a premium to preparation, integration and collaboration. We will fall further behind. Too that end, the United States needs a leader to act as the president s principal adviser and cybersecurity unassociated Emergency Technology issues. And to coordinate government response. Our experience as a nation preparing for connecticut tax is rich in farm doctrine plan how we respond to connecticuts act to include the supporting and supporting roles that other instrument of National Power play under various scenarios. It will not be the same place in respect to cyber attack where the military instrument may not be the singular or even the supportive instrument of National Power. Let alone the need to consider the actions of the private sector which typically maintains and operates the front line of Cyber Attacks as they maintain and operate over 85 of what we know in cyberspace. Too that and theres a rough but useful analogy to be drawn between what we are recommending here in the National Cyber director on the department offenses use of the principal cyber advisor and or even the chairman of the joint chiefs of staff. There used to have cohesion with the operational commanders without usurping the efficiency, execution of the Operation Authority of those commanders. While installing another player, the National Cyber director into the coordination of already complex Cyber Operations, could be a concern for it is important to note how this functions in the department of defense. Importantly, is the principal or the advisor of the chairman of the joint chiefs of staff serves of operational commanders their distinct and separate roles. Cyber advisor ensures coherent planning for cyber capability and doctrine. In ensures the tasking of individuals commanders and National Strategies coherent. And is initially supporting a properly resourced. These are useful force multipliers for forces that are often outnumbered National Cyber director would fulfill functions against agencies similar to these two roles that are already wellestablished and very useful within the department of defense. And finally, i would note that cyberspace execs in the presence of adversaries. The contested nature of cyberspace over the u. S. Is challenged by adversaries who can and do attack us on every front in our homes and our places of business and within our Critical Infrastructure. Need a same essential coherence and national strategy, define roles responsibilities and the propensity to collaborate based on leadership that connects and supports the various to a national strategy. Simply close by saying what remains difficult to propose earning the time and place necessary action will take place in cyberspace, we can be certain it will take place on failure to warn, prepare, respond shorten surkin we can ill afford in the future were our dependence on Digital Infrastructure will only grow. The time to act is now. I close my opening or marks again with thanks or promoting his hearing an opportunity to discuss these and furthers details. Thank you very much for your testimony let me begin i present the work this commission is don done. We ask you to go back and flush out in particular the authorities what a cyber director would look like, i really appreciated the responsiveness from the commission back to the committe committee. It is our intent to use this information to discuss and to basically provide information of the reconciliation of the mba and conference. The House Committee has laid out what their vision is. The concern that we expressed was one we believe the principal Cyber Advisors has laid out within the department of defens defense. To be available and deliverable with that additional expertise they could facilitate the use of cyber activities, often 70 and defensively where its needed the concern we have is a National Level you created a silent, a location where the could be authority, or for that matter responsibility and the ability to simply have one more stop along the way and deciding if policy could be executed that we risk making those cyber responses a more challenging. The reason i lay this out for you is over the last several years we have followed what has happened to cut the executive branch with originally a very well intended president ial policy directive memorandum 20 which was started in the previous administration. Their intent was to find consensus. But before cyber activity would be ruled out. Unfortunately, i becomes a consensus which means individuals could stop the Movement Forward of any cyber activity. That was changed a couple of years ago with the creation of an spm 13 National Security policy memorandum 13. In which a clear line was laid out for the decisionmaking process of the use of cyber tools. And the availability of cyber for fighters. The reason i lay this out is we were able to comment coordination with the executive branch, streamline the process. So we were actually able and i would not discuss it except President Trump did share a little bit about it. 2018 the fact we did not have interference or 2018 election was not by accident. It is because of the clear capabilities of the men and women of Cyber Command. It was because they could execute appropriate cyber policy and expeditious manner. What i dont want to have happen is to have another layer of bureaucracy get in the way. I think you have done an excellent job of laying out this subcommittee your vision of what this would look like. But i think for the record i would ask all of you, would be your intent that this cyber director be identified as much as a principal cyber advisor similar to the dod versus having Authority Responsibility and the ability to silo those areas and create a roadblock for cyber actions in the future . Senator came. Select mr. Chairman i would say our proposals the anti silo. We have cyber activities in planning and work going on throughout the federal government played the whole idea is to bring some coherence and coordination. Thats an important one. We dont propose a National Cyber director be in the chain of command for cyber actions. Secretary of defense in the United States. We are not talking, and we use the term policy executed. Runtime but adding a layer in terms of execution of policy. To bring together the expertise throughout the federal government. I think that is a very important distinction. That is a total valid question. But we view this as a bringing together of a coherent organization with someone at the top who has oversight and Situational Awareness of what is going on in all of these different agencies. But in terms of cyber action such as the action you cite in the 2018 election, this person would be an advisor to the president. Yes. And thats what im hoping. I just want to make that clear. sure like to have represented of gallagher concurrent that if hes available as well. I do concur with senator kate expressed by think i speak for the whole commission when i say the intent of this proposal was the inter agency and not to add bureaucracy. I think mr. Chairman, you did a great job of laying out how far we have come on the offense of side. A lot of it started two years ago with the provision we put in congress to make cyber surveillance common sense with traditional military activity. Its laid on i think the primary value of spm 13 is that it just establishes Clear Authority and senator kaine continually reminds you of one throat to choke. One person to keep accountable. I think our vision for this is to provide a president with that person primarily on the defensive side. The final thing i would say is that my bias when i came into this was to resist creation of new agencies. And positions. Largely we have avoided that. But with this ive come to believe is the least bureaucratic option prayed one option be to create a separate agency entirely pretty think thats pretty bureaucratic. But doing nothing is the most bureaucratic option. Please check cast crop of Cyber Incidents that will require layering on of new agencies in response to that. We really want that National Cyber director to get that elective boom by coordinating the present primarily on the defensive side of the equation. Great im about out of time but. I think i speak optically the commission would support your sense of the substance of the spirit of the National Cyber director. The National Security advisor is busy. He does in her she doesnt have the time to do on a daily basis to try to figure out what her overall strategy is. Much like this committee has reconciled with cyber power what we asked two years ago of the nation was what is the context of the application of the military and cyber power. Is that a traditional . A traditional activity or not. Give us the expectations of what it might do and then go do it. The National Cyber director needs to treat all the power the same way. Correct context and have expertise into that in a distributive fashion. Roses stovepipes it makes a jazzman of no music worth listening to. Senator manchin. Thank you, mr. Chairman. I guess to senator king, Conklin Gallagher and the way we have 17 different intelligence agency. I assume everyone has their own cyber. I know the fbi has a cyber center for Law Enforcement, chs has for detecting in the homeland, dod, on and on. See her saying this one person would be gathering all of the information. So if we have a credible threat to the homeland. If we have a credible threat they would all have to interact i assume you have a valid threat to present, is that the weights done now . Or is it basically each one taken their own different direction and shot at halligan to counter this . Select different agencies have different responses but in addition to those that youve mentioned the other ones the dea, the department of energy, it is just so broad. What we are talking about is having an office. Not a big office bird we talked about the possibility of represented or gallagher mentioned creating a new department. We thought that was too bureaucratic, too heavyhanded and would take too long. This is a position, there really two models for the position we are talking about. One is the cyber advisor and the department of defense. Thats almost exact analogy. Because it was created because there were too many moving parts in the department of defense. They needed to be a coordinator. The other model was u. S. Trade Representative Office of management and budget, the drug office. I think there was one other these are all president ial appointed Senate Confirmed it provides them with the status and the ability to have some authority and Budget Review authority as part of this, over the range of cyber involved agencies of the federal government. Schematic who did these agencies report to know senator . Right now who the heads of these agencies report to . Spinnaker they would report directly to the president pray there is no cyber coordinator thats the whole problem. So this is the coordinator talking about. This has traditionally been a position in the National Security agency as an appointed position by the National Security advisor. The problem with that as its at the whim of any particular National Security adviser. Two years ago this position was eliminated by the then National Security advisor. Thats over saying lets elevate this to the status and the organizational status that needs in order to be effective in the country. Being a military person the commission rejected the idea of having Cyber Attacks on Critical Infrastructure by threatening retaliation of the countrys Critical Infrastructure. So i understand the desire to be reserved. But how do you feel this recommendation is going to be adequate to deter . If i could go half a step back and answer another question you asked was a concern about whether sector specific agencies would be afforded in the intimate and direct relationship very profitably in terms of outcomes with their respective sectors. The sectors with you on that party want to strengthen the sector specific agencies, relationships and allow them as representatives of the government to honor and strengthen. So the director should benefit from that but not constrained that prayed they should take advantage of that. See your question of whether the commission is appropriate or inappropriate to protect Critical Infrastructure of other nations, think the views on that are more nuance than a yes or n no. His start by first saying that we believe as the United States has long attested we will follow international law. We will adhere to the Global Standards of normal behavior that weve attested to in 2015 for the offices of the state department that we wouldnt end in peacetime attacked the Critical Infrastructure of other nations. That being said in the wartime it is a political decision to determine with necessity of proportionality how we should have buries in sermons of power that we bring to bear. We shouldnt be in a place or we never say never. We just need to follow the rules of proportionality, necessity, International Laws that govern such things. I would offer though is a discussion that takes place with the use of force. What we have found is our adversaries are opportune well below that with impunity, essentially like termites in the woodwork as opposed to the and bang that might be effective kinetic weapons. What with the then have to address us if adversaries are taking inappropriate advantage of our either complacency or perhaps her implicit tolerance and then inserting themselves into a Critical Infrastructure and how do we stop that . I think there is an array of methods some of which include cyber power. But the use of diplomacy, the use of legal method, the use of public shaving. Those all need to be brought to bear to stop that and hold them in ways to follow international walt law. If i could ask one final question to congressman gallagher. Congressman i think youd your Opening Statements you all have laid out a significant number of Commission Legislative Recommendations and i correct that each of these recommendations that you describe appeared in some form and either the house or the senate and baa daily part of the issues in play in our conference with the nba . So the commissions report and recommendations you make, are they in both . Tungsten gallagher . There is six specific recommendations that are in the house version but not in the senate version. I brought that up just to urge the senate to consider that house equities and we are in that discussion. I believe there is some ongoing debates about our continuity of the economy proposal that i understand the various jurisdictional issues in the house and the senate there other recommendations that make it into the report. We feel fairly good about the baseline of what made it into either the house or the senate and hope there is a collaborative approach in the Conference Committee process. Senator manchin i can present to the committee of chart that exactly answers your question. There are 12 of our provisions in the house National Defense act that arent in the senate version, okay . There are 12 that are not in the senate version. There are 11 and both the house and the senate version. So they match. Then there are six in our version that are not in the house. So altogether, lets see weve got 29 provisions of which 11 are in both. And more than a dozen can be and hopefully will be resolved at the conference. Outside the jurisdiction, is that the problem we have with them being outside the jurisdiction . So note these are all close enough. So they can be considered into, all 29 will be in play . So they are in the bill. We hope they can be resolved so that as many as possible. I mean you know, we all know what happens with Commission Reports prayed we were determined to not have that happen. And that is why we actually drafted legislation rather than just give you ideas. And so if we can finalize these documents in these unmanned mens and the bill, as it comes out of the Conference Committee we will have done well more than half of our total recommendations. Thinking while i appreciate very much. Schematic thank you wouldnt just looking back over the numbers that i got in front of me at has been great to see the number they were actually put into this subcommittees mark and the other three they were added on the floor. We couldnt do them in subcommittee because of jurisdictional issues. Thats 14 total coming out of the senate the National Cyber director position as well youve done some great work. Just a follow up with it i did start out when i first got onto this committee is very interested in a National Cyber director. Then it kind of came around a little bit and said the one thing i was concerned about was things are starting to work within the department of defense. Were actually been some Movement Forward, getting some things done. I was concerned but not create any silos. Very happy to hear all views say the same its not the intention of the legislation should not be there to create that. But there is clear evidence that the congress has in the past asked for Senate Approved members to advise the president or to participate in the executive branch. I just thought i would take a minute to make that point here. Examples of such positions that currently exists that congress has put into law, top leaders of the office of management and budget, the director, the Deputy Director, the Deputy Director for management, the controller, the office of financial management, omb, office of information or brag interior affairs, oob, office of federal procurement, omb, director of office of National Drug control policy, top leaders of the office of science and Technology Policy including the director and the associate directors. Intellectual property enforcement coordinator, Chairman Council of economic to velvet chair and Members Council on environmental quality. Top leaders of the office of the United States trade representatives include the United States trade representative, deputy of the United States trade representative, chief agricultural negotiator, chief innovation property. I understand a lot of the language you put into this proposal comes from the legislation authorizing and directing the United States trade representative as well. So there is a format that has been followed here that we can look at to see whether it successful or not interns advising the president of the United States. So i think youve done your work on it. If theres any part of it that we were concerned with was that we make sure we allow what is working within Cyber Operations of the dod to continue to work and we not create any of the silos. The other thing the committee talked about a little bit was the direction with regard to our activity in cyberspace. What type of deterrence should be used . Whether we should putting more emphasis on defensive activity . Make it more difficult for adversaries to get in . I would like to just take a minute to give you the opportunity to share a little bit about your thoughts regarding the operations in cyberspace pretty got air, land, sea, and cyberspace. And certainly the most inexpensive to get into and create havoc everywhere else is cyberspace. We have to be on top of our game. Can you share with me a little bit on your thoughts. , concerns about your commission funneled or you wanted to express and maybe havent had the opportunity to do so, so fa far . So thank you, mr. Chairman for their couple of aspects prayed what i want to touch on quickly one is the major recommendation which isnt before this committee but as for the creation of assistant secretary of state for cyber paired because International Norms and expectations are an important part of this discussion. If you are not at that table you can lose over the chocolate standards or whatever these are someplace weve lost some ground prayed thats one of our recommendations. But i think would like to say about the deterrent issue is, this is a great deal of discussion about this. And it grew up for me out of many of the hearings you and i have sat through over the last for five years. We havent had a deterrent policy. We have been purely defensive. What we are saying is theres a level this responsive theres an attack on Critical Infrastructure. But the question is it what happens at theres an attack on the election . Or if there is an attack on wholesale theft of intellectual property . Whats the response . Because there hasnt been a because youve pointed out this is a cheap way to make war. Then we become a cheap date. We become an easy target. And what commission suggests as her knees to be a new declaratory policy needs to be a new response. It may not be cyber, i may not be kind that it, that may not be sanctioned may be a part of the toolkit. But there will be a response. Another sort of wrinkle of this thats very important is 85 of the target space and cyber is in the protector is not the army in the air force they will be under attack, cyber attack. Hattori have to develop relationships, this is a whole new way of thinking. One of the things we talk about is the intelligence agencies being able to share the private sector with they are learning about Cyber Attacks on data system and power plant. So you are absolutely right prayed the discussion of the deterrent idea was an essential part of a lot of discussion in the commission. But we concluded there had to be some deterrent. It cant simply be defensive patching, make it more difficult cyber hygiene. All those are important. We wanted our adversaries when theyre contemplating an attack on the United States to say but what will they do to us . We want that to be part of their risk calculus. Of the formative moment for me is when we were interviewing the head of nsa three or four years ago on this committee. And i asked him if there was any deterrent to the foreign adversary taking these kinds of actions. And his answer of never forgotten was now enough to change their risk calculus. And that me as an admonition and a warning to us that we have to not only defend ourselves. But our adversaries have to know that we can and will respond in such a way as to make them regret their attack. So thank you server. Senator manchin. One of the Committee Recommendations that was included in the senate is to have the Defense Department carefully and comprehensively assess whether a Cyber Mission force or military cyber force are rightly size. We include the recommendation our bill, and it is important but frankly this mission is so new we had to create everything from scratch ten years ago no one really knew how many people it would take to perform this mission or even really the exact mix of skills we need to get the job done. As you know we also realize that Cyber Command can only get up to targets and clever people can figure out how to get inside that target to cyberspace if we have infrastructure at the right place have these are highend skills in enabling access requires a lot of smart planning by a lot of smart people. If you dont have access to military targets adding more cyber units are not going to accomplish much. So my question into the commission examine whether Cyber Command has difficulty recruiting, training and retraining enough people with the requisite skills to generate accesses to support expansion of cyber forces . So i think we did look at that nationally and within the various components constitutes those who employ cyber workers within the United States federal bureaucracy. Our sense of United StatesCyber Command as they have done a great job within the authorities that they have. Of recruiting, training, developing for careers the people necessary to do the work they do. But as you well know those forces reset incise in the year 2013. Think were now sitting with the size of that force of the actual pointy end of the forest about 620300 teams, sizing the time and place when our sense of how we use military cyber powers different. Another time and place in the sense of where that should be used was different. Its time to review that. Its time to take a look at that. But your point we also need to look at everything necessary to create a bigger pie from which we cant recruit and wants to recruit to focus hard on how to retain those people across careers in cyber disciplines. If i could follow up with congressman gallagher on that, congressman your commission to make a recommendation the of not emphasize here today and i assume its because it did not give much serious consideration here in congress. That recommendation is the house and senate should establish committees on cybersecurity of members drawn mostly from all the committees in each member that has significant jurisdiction of our National Cybersecurity problem. So maybe next year you can give it another try and see if that goes anywhere. Put a comment on that im happy to hear. I understand the difficulties of trying to Reform Committee jurisdiction about the house and senate. We view this as a critical recommendation. It was one that we spent a lot of time debating just as we want that single points of focus within the executive branch, the person who accept every single day thinking how can we defend the country in cyber. Who want a repository of legislators have the ability to develop true cyber expertise can hold that person as well as the other people in the executive branch on this issue accountable. In create a space where the executive branch and the executive branch can Work Together to keep the country safe. So i understand the difficulties of this proposal. But i view it as necessary, one drawn from congress own history of creating on intelligence for the final thing out say senators i think the most forceful advocate for this proposal was my colleague in the house, who presently has the most to lose jurisdictionally given that he chairs the subcommittee that is with your committee. Therefore it might lose some jurisdictional power. But he feels very strongly about this proposal as well. So thank you near end centered king you might want a follow up really quick. I want to ask something else. So person want to follow that illustrates the difficulty of the congressional organization in order to get, and gave you the list of the amendment that have been cleared. We had to get 180 clearances. From both sides on multiple committees and subcommittees. That gives you a flavor theres got to be word fractions fractured the congressional process is. That is something we are going to continue to work on. The analogy is the Intelligence Committee which was created in 1976 for the same reason there is a realization that intelligence was scattered throughout the federal government and throughout the Congress Responsibility and it made sense to put into one set of expert hands. That is the origin of the Intelligence Committee. We think the same thing should be done here. Ill continue to pursue the idea. With all the expertise you have on your commission it seems like a wide range of people coming from different walks of life that had expertise to add. What was the greatest concern maybe we can talk about or maybe we cant in this type of setting. Whats up Biggest Issue you have a cybersecurity what are adversaries trying to do this on a daily basis . The vulnerability you were really concerned about . Did you all agree theres one highly concerned sector of our society thats vulnerable . So i cant identify one sector. But critical sectors, one that does not get enough attention is water. Our water system. To Something Like 50000 different Water Companies in the United States. And their vulnerabilities they are. All of our financial system, our telecommunication system course electrical energy. And this is ongoing. We have talked to utility executives for example, one of whom told us his system was attacked 3 million times a day. 3million times a day. That gives you the range. Banks i know, the same out of it the same number, but hundreds of thousands of times a day. So this is an ongoing threat. Not only from state actors, but from malign actors who are doing ran somewhere. Sometimes they are gardenvariety crooks. But they are also people who want to undermine our society. I cant give you one specific target that we most worried about. I think our worry was that we just didnt feel the country was adequately appeared for what could likely will happen. Sos circuit i speak to that too . Building on that the adversaries in place with the criminally nationstates without garnishing response and the rest of us but we actually have a situation were saluting concord when the time for the hold is not on my side of the vote so im not can help you patch the hole in your side. Five stuck in an elevator was semi had ten seconds to get out. What would propose if youre an adversary in this henceforth youre going to have to beat all of us to be one of us pray that drives them using all of the talent, all the expertise, all the authority that we arty have preparing as one applying those resources as one, such that when you execute this in a distributed fashion much like the department of defense has or the freedom to operate, consistent with larger purpose whatever to the left of us the right of us thats the fundamental problem for us at this moment in time. As i made the rounds of a four to 50 different engagements. Most of those in the private sector, weird time and again in the private sector i like the part of a government i have interaction with maybe its a specific agency primitive not sure i know with the Government Strategy overall is. The governments not joined up in cannot be a viable collaborator with me the private sector is bearing then the burden of this kind of transgression after transgression. They want the government to be joined up they want to be joined if they want to be a viable partner the same speed they enjoy on the edge of the approach that government. So only take the time to say thank you to all of our participants. This is critical that we get this right. Today i think theres an understanding somehow that the department of defense had a role to play with coming in and working internally within the United States to defend. And yet they cant really step in unless they coordinate with homeland. Homeland basically requests anyone its like an analogy you can work all day trying to catch each arrow coming in. Youre talking millions of them. Or at some point you have to go after the archer. And the challenge on it is defensively and often civilly how do you do the best way possible . I cant say enough about how important i think it is that the work youve done on the commission be recognized. And we do our best to incorporate what we can and the second peace i think we have to recognize point to thank senator manson for being today. A number of other members who were here and on and had to leave. Multiple meetings at the same time. But we shouldnt leave without recognizing how far our cyber teams have come in just the last few years. And the way which the general and those teams have really stood up what has been an impressive series of achievements both authentically and defensively. And yet they will tell you is still some much more work to be done. And so everything we can do to provide them with the tools that they need. And the correct Public Policy that they need in order to do this job the better off we are going to be. And every other gentlemen, whether youre talking air, land, sea, space all of them are dependent on our ability to protect them in cyberspace because it is all connected. And it is the least expensive way for our adversaries to get in and actually do damage in any of the other domains. And so we have to Pay Attention to it. And i think the work that you have done is to be commended and we appreciate your time today. Senator manchin any final thoughts . So i appreciate all of the work on all the effort you put in this for quite some time pretty appreciate it very much. Theres a lot of concerns we have are so good at what we do going to protect the American People the best weekend do you see the private sector starting to harden up a little bit . Are we communicate with them well enough to know they have the responsibility to harden up also smacked the answer is yes. When you say the private sector i would also say the states, the election system for example. So are they looking to us basically to do it all for them . Or did they understand they got to come to the table. So they are very much engaged in their own processes. As i said because 85 of the target space is the private sector the chairman and is very opening remarks we have to do for them but theyve got to do their part building is very much a part of that were trying and its happening i assure you but we are not there yet. So thank you all. With that i like to thank you to our witnesses senator angus king, Michael Gallagher, and Brigadier General john inglis retired. Thank you to all of you for your testimony. The subcommittee is adjourned, thank you. [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] [background noises] sea sans washington journal every day we are taking your calls live on the air watch cspans washington journal live at seven eastern Tuesday Morning and be sure to join the conversation with your phone calls, facebook comments, Text Messages and tweets. Cspan has unfiltered coverage of congress, the white house, the Supreme Court and Public Policy events. You can watch all of cspans Public Affairs programming on Television Online or be a part of the National Conversation through cspans daily Washington Journal Program or through our social media feeds. Cspan, created by americas Cable Television company as a Public Service and brought to you today by your television provider. Host the ceos of amazon, facebook, google and apple were virtually on capitol hill for a hearing on big tech and antitrust. That is our discussions this week on the communicators. Joining us is sarah miller who is with the American Economic liberties project, executive director there and former congresswoman Barbara Comstock who is now Senior Advisor at baker donelson. Sarah miller, the question i was asked quite a bit at the hearing was his big tech to big . What is your answer to that