Quote the United States and the world will remain vulnerable to the next pandemic or large-scale outbreak of contagious disease. That could lead to a massive disability and severely affects the world's economy. Strain international resources, and weak call in the United States support. We must ask ourselves, what are the warnings that are going unheeded? What can we do right now to protect the American People from other threats? Before the unthinkable happens in the future, how can we exercise strategic and persuasive foresight to the best of our ability today to ensure we are a nation prepared for tomorrow? That same worldwide threat assessment against Cyber Attacks with China, Russia, Iran, North Korea, raging a silent work capable of shutting down such Information Systems and jeopardizing critical sectors in America. The report states, and I quote, our adversaries and strategic competitors increasingly use the cyber capabilities, including Cyber Espionage, to attack and seek political, economic and military advances over the United States and its allies and partners. Cyber attacks are a critical, complex, prevalent and growing threat to the nation's safety and Economic Security. Touching nearly every aspect of our lives. This assessment was upheld by recent findings established by the National Defense authorization act to review the state of our cybersecurity and develop a nonpartisan position to protect America against Cyber Attacks. The commission of Congressional Branch with the private sector cybersecurity sounded the alarm and in addition to making some exclusion, that disrupt operations in America on a daily basis, we remain vulnerable critical is economic system. A number of the commission's recommendations. [inaudible] a high on both sides of the aisle. Representation for cybersecurity position in the white house to develop and streamline the federal Government Strategy for nation was prone to Cyber Attacks. Formalized as first when George W.
Bush, and then elevated expanded or in the above administration. But in 2018, the National Security advisor, John Bolton eliminated to purportedly cut another layer of bureaucracy. [inaudible] in 2019 the United States was rated as the fifth of cyber in the world. John 2020 it dropped to the 17th. Today we will review hr 7331, which implement the commission's recommendation to establish a National Cyber director and executive office of the president. This new position would restore hope that cyber coordination and planning function to the white house. In addition, for the first time, or Statutory Authority to lead Strategic Planning efforts, cybersecurity budgets, and coordinated national. [inaudible] a challenge it is the basis of cybersecurity requires that our government be strategic, organized and Democrats and Republicans agree, we need a National Cybersecurity threat to ensure we are both prepared for and coordinated in our response to Cyber Attacks as our nation bites a silent war. Our Mission Today is to gain the detailed understanding of the threats we face and to thoroughly examine hr 7631 as a vehicle. [inaudible] I now recognize the distinguished Ranking Member for its opening statement. Represented of James Comer.
Subject thank you chairwoman Maloney for holding this hearing to address our nation cybersecurity posture and to explore the merits of U.S. Cyberspace, Solarium Commission to establish directorates within the executive office of the president prayed the federal cyber gentlemen, we can all agree, is a dynamic and dispersed with barringers additions expertise across the federal government. These agencies are organized to combat cyber crimes, defend against National Security versions, and support the security needs of the private sector critical industries and commercial interests. Our nation has continuously become more and more reliant on technology over the past three decades.
Our reliance on technology and interconnected Information Systems is more important than ever with the pandemic forcing organizations to quickly build out remote operations in our nation's workforce pivoting to a work from home posture. Increasingly, foreign state actors, extremist groups, domestic agitators, and criminal enterprises all have a vested interest in exploiting U.S. Networks. The remote operations of pandemic have created new cyber vulnerabilities for these malicious actors to take advantage of. These are the same actors who also target our private sector partners in state and local institutions. Breaches in federal and commercial networks by Foreign Governments have exposed sensitive intelligence data, proprietary emitted military designs and government personnel data. Because of cybersecurity risks, we must all do our part to maintain a safe and secure National Cyber infrastructure. By continuing to foster relationships across the private sector, and our state and local partners, which are vital cyber threat information that help secure our Critical Infrastructure. We will hear today from notable subject Matter Experts who have deep experience navigating the nation cybersecurity environment. They also have experience efforts to combat damaging Cyber Attacks and foreign adversaries like China prehistorically China has hacked into the FDIC, stolen valuable U.S. Sh r d, paid our University Professors improperly share valuable intellectual property. I would welcome the opportunity to work with the majority to hold China accountable for these bad acts as well as their deceptive tactics over the course of this pandemic. That would be a great hearing, madame chairwoman. Today however we look forward to evaluating the proposal to have a National Cybersecurity planning and operations of the federal government.
In evaluating this legislative proposal, we have a duty to the American People to be a good steward of taxpayer dollars and not create more bureaucracy. Establishing a clear and convincing rationale for establishing such a credible decision requires the Due Diligence and thoughtful commencement that our processes afford. The current and projected cybersecurity landscape is complicated. With many actors and operations it must work in harmony. While there have been more than several high-profile cybersecurity incidents over the past decade, I must note that recent attempts at targeting the coronavirus Biomedical Research activities and use of remote work platforms have been taken very seriously by Homeland Security and Law Enforcement within the Trump Administration. The administration is that what's expected of cybersecurity professionals. It has prioritized depending against potentially harmful Cyber Incidents wherever and whenever threats are found. Think we all want our nation cybersecurity to be effective. Both defensively and often civilly. To this and it is imperative that congress and this committee fully evaluate the reasons why the Commission Recommended the statutory the cyber National Cyber director. The main questions I have for this goal are, is it necessary to create another federal office to have someone truly in charge? And if so will that official, in fact have the authority to make the decisions that need to be made? Will everyone else fall in line and work in harmony? We know that multiple federal agencies have a piece of the cybersecurity pipe. So by authorizing a new oversight and coordinated official, are we legitimately creating a system that will be more prepared to face growing threats? Will the National Cyber director utilize existing Cyber Leadership and expertise in our government? Or do we risk making that bureaucratic pride bigger and creating duplicating functions?
Will a National Cyber director advised to this nation cybersecurity infrastructure? Or should we align and support systems already in place? I look forward to hearing about tangible examples of how this National Cyber director would actually respond to a cyber incident. And how that might be better than the system already in place. In a fluid environment in response and expertise are paramount, we cannot afford to introduce inefficient needs or bureaucratic hurdles for the government's ability to respond to a cybersecurity incident real time. Madame chairwoman I think we agree or cybersecurity enterprise deserves the support of Public Policies that will not hinder, dynamic, focused and Strategic Planning operation part I'm pleased to be working with you on this issue. But again, what to ensure that we are no fostering redundant efforts across the federal cyber sector. In establishing a Senate Confirmed cybersecurity leader, we need to be comfortable in limiting presidential prerogative to implement preferred policies on behalf of the American people. Again, I appreciate this opportunity to review this recommendation. And hear from the second joint expert witnesses, I yield back.
Thank you Mr. Comer part I now recognize the distinguished chairman of the subcommittee on National Security Mr. Lynch for opening statements.
Select thank you madam chair. And thank you for convening today's important hearing on hr 7331. Which allows for the creation of the National Cyber director, which is an idea that is not only reasonable but necessary and long overdue given the world in which we live. And I am well aware of the lengthy review and setting that. Has been over the years on this issue pres nothing short of relentless on his mission. And I thank him and our friend and colleague Mr. Gallagher for their bipartisan commitment to defending our nation cybersecurity. And for their testimony before our committee.
I also want to take a minute to just thank those who are also original cosponsors of hr 7331. Now for years, foreign policy and National Security experts have been considered cyber to be the battlefield of the future. And for anyone paying attention, that future is already here. Back in 2014, hackers, likely affiliated with Chinese government, breach the Information System of the office of Personnel Management, compromising personal data of at least 22 million people. Including, most notably federal employees at either applied for or received security clearances for classified information paired were also well aware of Russia's sweeping and systemic efforts in 2016 to interfere in the presidential election by hacking the Computer Network of the Democratic National committee and attempting to penetrate the election infrastructure in all 50 states. Just because some of mr. Comos concerns, most recently our National Security subcommittee staff, which I chair we held a briefing on the federal bureau of investigation and the Cybersecurity Agency to discuss the latest uptick in Cyber Attacks during the coronavirus pandemic. Against the federal agency, research and academic institutions. And even private citizens. During the briefing our committee was told every institution or agency conducting Coronavirus Vaccine research is a target, is a current target for cyber, foreign cyber attackers produce our intelligence agencies worn before 911, the system is blinking red. In only two years ago, then National Security adviser, John Bolton dismantled the National Cyber coordinator position leaving the U.S. Cybersecurity policy disjunctive. The need for greater leadership, Strategic Planning and policy coordination to ensure the security of our nation could not be more urgent or important. So I'm pleased to support hr 7331 which will allow for the National Cyber director and I would encourage all of my colleagues to do the same.
Again I want to thank the chairwoman for her willingness to hold this hearing today pretty want to thank all of our witnesses for testifying. Look forward to the discussion of building even greater bipartisanship and consensus are on the importance of hr 7331. And lastly I'm also currently in a lockup at tni. I'm at the capital today where I have an amendment pending prince I'm going to have to jump out and jump back in. I apologize for that, but that is our schedule. I yield back, thank you madam chair.
Thank you Mr. Lynch. I now recognize mr. Grossman for an opening statement.
Can you hear me?
Yes we can hear.
I appreciate this opportunity in my role, first of else could deceive got a witness on here I thank you for bringing him in. High pressure the opportunity in my role as Ranking Member of that National Security oversight to address an issue with major National Security ramifications. As Ranking Member Comer address in the opening comments, our nation's adversaries are stopping at nothing to steal our secrets, commercial expertise, and Sensitive Information held on a sprawling Computer Network connecting both public and private sector organizations. Chief among these cyber offenders is a Chinese government. Unfortunately, despite a desire to play by the rules in international commerce, the President Trump says, we been treated unfairly by the Chinese. Often times is well-intentioned Global Posture across United States are valuable intellectual property which flows out of our Nations Research institutions into Chinese hands. The hearing today will help us determine whether federal government needs support in defending the high-stakes malicious Cyber Attacks and continuing intrusions. One of the proposals by the Cyberspace Commission was a formation of new National LaborDirector Office in the Senate Confirmed officials inside the white house.
Why appreciate the commission's desire to ensure the federal government cybersecurity infrastructure proves a one-stop shop like I like, wonder whether he might be too quick to create another new bureaucracy without carefully considering potential. We must keep in mind the Trump Administration success protecting our last from the disruptor, disruptive Cyber Incidents. And the Administration Strong stance against those who wish to take advantage of international attempts direct Technology Challenges presented by the pandemic. Would we be doing a disservice to various agencies which already effectively coordinate cybersecurity responses for a nation? I want to keep an open mind on the merits of any proposal to improve the National Security. I appreciate today's witnesses, the time and attention that each dedicated to protecting our nation's information and structures. I look forward to the witnesses testimony and perspectives to properly d conflict with Cyber Attacks against our government and private sector. Thank you chairman, my counterpart on that National Security subcommittee chairman Lynch. And Ranking Member for all of your interest. I look forward to work with each of you to ensure the respective American cybersecurity against all types of threats. For those who wish to do Americans harm. I yield back.
I will now introduce our first panel of witnesses with our colleagues here in the House Speaker of representatives. Who served on the U.S. Cyber commission. Congressman Jim from Rhode Island, and chairman of the emerging threats of capabilities subcommittee of the house committee. He has been championing this effort for many, many years. And that congressman Mike Gallagher, cochair of the commission in a brand-new father of Grace Gallagher. Congratulations on one of life's greatest experiences, becoming a father. It is a best job in the world. We are very pleased to have you both here today. You are now recognize to provide your testimony.
Very good.
Well thank you. Good afternoon chairwoman Maloney, Ranking Member Comer and distinguished members of the committee. It's always humbling to sit on this side of the table, when it is virtual. And I want to begin my remarks by thank you for the important work you do but I want to think chairwoman Maloney and her partnership in creating the issue of creating a National Cyber director. I join you today as a representative of the Solarium Commission. I am proud to be joined by my colleague, congress and might part one of the cochairs of the slayer and candidate and Check Commission part also want to congratulate him on being the newest father of the house. To his daughter Grace, congratulations Mike. And I know you're coming off paternity leave to be here for this hearing. So thanks. And I commend you for your work. In the 2019 National Defense authorization act, congress charge this commission with developing a consensus strategic approach to United States against Cyber Attacks of consequent spirit in first meeting however outside experts on congressional told us that we are attempting the impossible. Were trying to have 911 Commission Level of impact without the precipitating event of a September 11. Madam chair, I reject that cynical view. I believe if we come together and a nonpartisan fashion to implement the Commission Recommendations, we could alter the trends of cyber threat that we see grow year after year prebecome pushback adversaries, receive the cyber jim amos ultimate realm of asymmetric operations and the zone of warpage we can seize the initiative are not left to wonder the day after an attack what more could we have done? That is how I viewed the work commission. Ace that is the urgency and bring to the table. And more so than any of the other 82 recommendations the Commission Proposes brady National Cyber director is seizing the initiative from the adversary.
It is essential because cybersecurity permeates every aspect of the society in every aspect of our government. Every department and agency in the department of agriculture to conduct business. Yet very few of them have cybersecurity as part of their mission nor is it their primary focus. Because cybersecurity is difficult to measure, we end up they skimp on cybersecurity because of rather invest in operationally relevant programs in their department. We need a strong reader in the white house to beat the inertia that pushes investment cybersecurity down the road or until a devastating breach occurs. We also need a strong cyber beyond Government Systems are Economic Security most was owned and operated by these private sector and shadow campaigns and undermine our way of life we can break down agencies silos with Agency Network to protect her effort. Finally madam chair, when you director to coordinate Incident Response. We are living through a health right now when they strike we have to defend early and stamp out the infections and computer viruses. The quarantine for Effective Networks and inoculate machines by patching them. This is the only, it is only possible with the National Cyber director prayed this idea of course is not new. I worked on it with the csi commission for the 44th presidency. Taken great pains to describe at length, the process pioneered by President Eisenhower as a way of refining ones thinking. We debated the proposal for National Cyber director extensively. We are very deliberate in our decision-making. We chose an office in the white house we have the confirm position because congressional oversight and by and is critical with operational event in the role cyber defenders, need strategic guidance not tactical advice. Madam chair, just to conclude, there is some whom argue that the National Cyber director is congressional overreach.
There are those who favor the president as the ultimate of the executive office of the president and congress, interfering in these affairs. These people respectfully, I disregard history as congresses help to guide white house structure in the past in the moment demanded it such as when congress treated the office of science and Technology Policy or the U.S. Trade representative. They're turning to meet those people implicitly endorse the status quo and that scares me. It scares me because every day I wake up and see our adversaries making gains in cyberspace. He sought under President Bush, I sought under President Obama and I see it under today under President Trump. They're suing her intellectual property they taking our norms striking out with her analyzed undermine our elections. Mentors timely seize the initiative to share the agenda pushing back on shaping their behavior by proving our resilience. It's time we empower the National Cyber director of the white house. Madame chair, and serving with Mr. Gallagher's mother most rewarding expenses of my life. His leadership and that of Senator King with the contributions of our fellow commissioners and enormous dedication of our immensely talented staff, are all reflected in the bill forward to answering any questions you may have.
Thank you so much congressman. And thank you for your leadership and your passion for the security of our nation. And I now recognize Mr. Gallagher.
Thank you chairwoman Maloney and the rest of the committee. Thank you for your kind words about my newborn daughter. If I pass out during this hearing comments not only because I'm nervous to be on the wrong side of the hearing, here is a member. Because I have not had much sleep in the past two weeks. We are truly blessed and hyper shape the kind words. We do not keep security establishments merely to defend property or territory or rights abroad or at sea. We keep the Security Forces to defend a way of life.
And right now, emerging technology empowered by stronger and more capable Digital Networks is being infused into every part of our government, economy, and way of life. How we navigated the resulting opportunities and challenges will determine the effectiveness of our nation to deal with future cyber driven are cyber enabled agencies. And for the past 20 years, commissions initiative studies and even for presidential administrations have been challenged to define an Effective National level model for coordinating cyber strategy, policy and operation. I believe it's imperative that the executive branch have a strong stable cyber office and later within the white house. Whether to create the position of a National Cyber director, however what that would entail, was one of the most spirited important debates we had over the course of the commission. And my colleague was absent incredible in his thought leadership and dedication to the integrity of the Cyberspace Commission process but I learned a ton from him throughout. In due to Jim's leadership, we really did consider one how to address the gap in National Leadership and prioritization, to whether to recommend Senate Confirmation and three, the size, structure and authorities of the authority for that leadership office. Ultimately we decide the federal government is better equipped by strengthening existing departments and agencies and cyber acute including the Cybersecurity Agency rather than to the creation of a new department as many advocate for. Therefore, without a new agency the commission deem the institutionalization of a cyber coordinator position in the white house within the executive office of the president to be essential to give the position a high enough level a promise to effectively coordinate National Strategy and provide a much-needed leadership internationally. With state, local, tribal and territorial governments the private sector.
I have recognition of that, the need for better collaboration, the chamber of commerce recently endorsed the National Cyber director act, our bipartisan legislation. The commission spent an enormous amount of time weighing the pros and cons of this position. And consequent stature of the position prayed we determined that requiring it to be Senate Confirmed, similar to the way which the U.S. Trade representative has been confirmed, would not only signal that congress is committed to cyber issues but also forward as a legislatures a level of access to that conversation. But also the person occupies that position a level of Political Support that bipartisan endorsement would bring. While maintaining the discretion of the president and selecting that candidate. Making the role of Senate Confirmed, and otherwise would provide greater permanence by institutionalizing the positions existence and ensuring the role would endure throughout presidential transitions. Not just be dependent on the president particular or a particular national advisor, particularly my Republican colleagues, getting the job done much to believe that we are well structured to avoid a cyber 9 11 of my colleague were referred to and you can consider how to make a meaningful form of the status quo and entirely new agency which would take years to create an much more complex in them bureaucratic waters, I've used the single focal point in the white house, a Single Person or to quote my cochair, a single throat to choke, someone who is responsible for the effort to be the least bureaucratic in the least onerous and the most efficient of all possible options.
I believe in closing we and Congress Must sufficiently enable the government to create a cohesive National Strategy and defense in the cyber domain as we do in all other domains of battle and we must do so today, urges to support the Commission Recommendation on the cyber director so in Ike's words, when we fight will fight all elements as one single concentrated effort. With that I will close my comments, I thank you for your time and consideration. In.
Thank you, this is truly a bipartisan to protect our country. We will be limiting questions for the first panel and I'm now recognize myself for five minutes and Mr. Gallagher I want to start with you. The current Coronavirus Crisis that created a systemic shock that will expose and which are country field to what many call the inevitable. And we are connected in the technology of the world and many experts warn that a large-scale cyber attack is also inevitable. The commission recently released the paper examining cybersecurity from the context of the pandemic it lays out the interesting parallel between Lessons Learned during the coronavirus pandemic and how we can inform our corporation to significant Cyber Attacks. Can you share some of these parallels and recommendations with us. Thank you.
Absolutely, obviously they are not perfectly analogous event but I would highlight a few similarities, few standouts that we analyze in our pandemic.
Both the pandemic and a significant cyber attack can be global in nature requiring that nations simultaneously look inwards as well as look across borders that can contain the spread and difficult to contain across borders as well, second I would argue the coronavirus pandemic and a significant cyber attack require a poll of nation response effort and likely to challenge existing incident management doctrine and quorum 80 mechanisms as we are discovering now with every state in every county in every city, government and nonprofits having to figure out how they can Work Together in order to slow the spread of the disease and finally and perhaps most important we, I would argue that it's far more effective than a strategy solely on detection and response. If you read not only our pandemic but our broader cyberspace report which we have the unfortunate timing of releasing on March 12, 2020 the last week we were in session in the house before shutting down, you will see a lot of what we're trying to do is to get elective boom for lack of a better term to figure how to force the federal government and partnership with congress is State Government and the tribal government to think the unthinkable, think through how we can rapidly restore our economy in the event of a cyber attack to be able to come back stronger and strike back against her enemies and therefore restore deterrence. And be cautious by extending the similarities between the pandemic and a cyber attack too far but those three stand out in my mind.
Thank you, thank you very much. The Commission Recommends a National Vector to coordinate the federal government and response activity. Can you show the example of how the coronavirus pandemic can shift through security challenges.
Thank you for the question not in chair.
Certainly as shown the challenges of needing a native response and we have a diffuse response in many people in charge and leading to the states as we have more challenging to have a cohesive direction in which to go. We want to make sure in respect to a cyber incident that somebody that thinks about this and preplanning and looking at the most vulnerable areas in the Cyber Attacks which is owned and operated in the private sector and figuring out how we can make it more resilient and how we get them back up and running more quickly. In the actual incident if it were to occur, if you have a single point of contact in a principal advice to the president, he or she is a nader to bring the interagency together or the National Security Council Together for the Economic Security Council Together to weigh options for response and have a more coordinated cohesive effective response.
Thank you, how would of establishing this role make a difference in the covid-19 pandemic.
I think it is probably more on how we will respond to a cyber attack on elections and it's really elements of Cyber Response to covid to what we know of the Chinese and other entities trying to steal intellectual property for the development of the coronavirus in the vaccine or therapeutic, we would have a much more focal point in which a cyber director would be able to cordoning the relevant into positive agencies sector entities to essentially coordinate the response that needs to be taken to protect those networks and prevent intellectual property hopefully from occurring in the first place.
Thank you, now for both of you, is it your opinion that a National Directive is an essential step in ensuring the U.S. is in the best position to prevent unnecessary response at least by significant cyber attack?
I certainly feel that is the most effective way to prevent and respond to Cyber Incidents of significant consequence.
We thought this through very clearly and as my colleague pointed out the various ways we could've gone having this at an existing agency or having authority in a new Cybersecurity Agency or having it in the Senate Confirmed executive office of the president position and we thought this was the best way to go of the various options we would've recommended and it doesn't create an excessive new bureaucracy, I think it's very streamlined, focus and give strategic guidance in those to the president but it's going to be the record needing authority to make sure they are in the same direction in the event of the cyber incident.
Thank you. Mr. Gallagher you want to add to that.
I want to second his remarks and said think of it as a necessary but insufficient recommendation, broader speaker recommendations and I think if you read our final report, the genuine attempt by commissioners on both sides of the aisle to elevate and empower existing agencies rather than create a bunch of overlapping new bureaucratic structures, I want to commend the work of a lot of great readers that we have at the NSA who have learned a lot of lessons of the last four years and come along way we're not saying it did not do to good work but to better a power them and build on the lessons of the last few years.
I agree with the commission on the bipartisan colleagues that we need cybersecurity position at the white house to develop and streamline the strategy coordination and response by the press and is taking place now. I thank you all for your hard work in your testimony today, I now recognize the distinguished Ranking Member and the representative.
Thank you, chairwoman I had a very good conversation with Jim yesterday about the legislation and I'll direct my questions to my good friend Mike Gallagher, will the National Cyber director create budgetary hurdles and hot it works with the office of management and budget that might artificially constrain a president cyber policy decisions questioning.
We examine that in depth. I don't think we are giving in or construct the National Cyber Director budget certification authority, which effectively means he has ability to look at various executive branch agencies when it comes to cyber elements within their budget and flag effectively for the president something of concern. The president still retains the ultimate authority to adjudicate that dispute, and for example there is a disagreement between OMB and the National Cyber Director just as often in agreement with different executive branch agencies, the president and working through the National Security Advisor and you can choose whether or not to follow the advice of the National Cyber Director. Why the National Cyber Director would have the budget authority, he cannot go in and mess the entire process up, for lack of a better way to describe it. I have heard different people describe what they view this my intel, with the new office comprise a large view staff. I have heard between 75 and 100 new staffers. Obviously that would create a bureaucracy and we're always careful about creating bureaucracies, but what is the projection of a budget and how much will this cost and how many staffers are we talking about?
I would say as we estimate 75 is about right and I understand your concern that is not nothing. That would replace 15 that are there right now, and I would say if you look right now, if you look at the comparison of people and resources that we devote for offensive operation versus the defensive operation, you will see a dramatic imbalance in terms of the personnel that we have, thousands of personnel, even though we would be adding anywhere between 75 and 100. That would be a small step towards correcting the imbalance and giving the White House better prove you and defensive operation, and what the budgetary impact that would be, we think it would be in the low 10 to 15 million but some of that depends on whether these people from other agencies. But I'm not suggesting it is nothing, it's a growing organization, but that's also consistent with precedent for other Senate-confirmed offices. I certainly understand the concern and the appreciation of the effort here to the ba that. But if this is by career officials were detailed leaves from other agencies, why would it become for employees who refused to honor of an incumbent president, this president for the last three and a half years? I don't doubt that that is a problem within the executive branch, and having worked in the executive branch, I think there's a tendency if you're a bureaucrat, you believe in the status quo. The old saying goes, where you stand depends on where you sit. But at the end of the day that's the cultural issue where everybody who works in the executive branch, whether they are wearing uniform or civilian, need to understand that they work for the president regardless of the president's party, so I don't think this would and I don't think it would make dramatically worse. Have you had any conversations in the White House of the opposition for this proposal? I have had conversations with the White House.
My time is about to expire. I've had most respect for you, representative, and most experts on cybersecurity. I appreciate what you're doing and I look forward to the conversation. I yield back. Thank you. I understand representative is at another meeting so I now recognize the distinguished Ranking Member of the National Security. Can you hear me? Can you hear me now? Can you hear me? Yes, loud and clear. Did you take a position on whether the cybersecurity has improved over the years, or they getting better or worse? From my view, I think after a year of extensive conversation with general, chris and a lot of talented people DOD and many participate in the commission, I think we've gotten a lot better and a lot of that is due to legislation which we have passed in Congress in the Armed Services Committee effectively involves greater authority down to lower level so people can operate with the speed and agility that is necessary to have an effect. If you look at lessons learned from 2016, there was a concerted effort in 2018 to protect our democracy and I've been very impressed of the work of generals and others that have cyber warriors in this case. I would agree with Mike. As the chairman of the intelligence capability subcommittee I oversee with the U.S. Cyber Command and I see the extraordinary work that he and his team have donated, and sitting on the Homeland Security Committee and the subcommittee that helps to oversee. We are getting better and better and more effectively organized to combat this growing threat. So we have been vetted by the support in the administration new guidance on cyber msp and 13 and we are forward leaning and defending forward, if you will. We are probably too reserved in past years and now the current construct that we are forward leaning, so as christine likes to say, defending early, were as you can say often defending forward, strategy.
Right, and the adversaries are getting more effective and more successful and sophisticated in their abilities to carry out cyber attacks and significant consequence. We need to continue to evolve and that is why the new added position is helping us to get better. Going from the category, do we have a databank of breaches or incidents that will prevent in the future? People rattle off the top five in the last three years. This is an example that abuse pretty frequently. We are trying to prevent the next OPM breach, for example. The breach that occurs with Personnel Management happened because there was a department. Why don't you rattle off the three or four worst breaches and the last three or four years. There was the incident that occurred, the Sony breach that occurred in North Korea that carried out in WannaCry was probably one of the most costly cyber incidents that occurred in world history and it cost FedEx billions of dollars in lost revenue in their computers were wiped out or damaged. In the amount of intellectual property theft that is occurred over the years has cost you jobs, economic competitiveness to the tunes of hundreds of billions if not trillions of dollars. The list goes on and on, not to mention the amount privatization that is stolen. We are getting better to responding and protecting better. There were six or seven was trying to prevent the future. I missed something some talked dismantlingolton some agency or commission or whatever. Can you go over that a little bit? If I can jump in on that, I know Mike will want to comment. Under every administration we were making forward progress on cybersecurity. John Bolton was the first in the administration and to take us backwards in the security coordinator. The Senate-confirmed did not have policy authority but at least it was there in the second panel. Michael Daniel was the security coordinator under President Obama and Rob Joyce under this administration.
It hits me as odd, why was his logic. I think he sold it a bill of goods by eliminating the position to serve as the president. I think my argue he is streamlining the overall NSC process and his predecessor or his successor has tried to continue the process, and I think what we are arguing, even the status quo was a cyber coordinator and was not sufficient to get the overall interagency, interdisciplinary oversight that you need of cyber as well as long-term expertise, and to go back to the Senate-confirmed, we want this person to not only have the ear of the president but be the single bellybutton that we as legislators can push to get answers when it comes to Congress. As per your earlier question, throughout our report we go through all of the major infiltrations attributed to China, Russia, North Korea, Iran as well as non-state actors and lay it out in one that comes to mind is the defense guy, basically from 200s conducting systematic cyber espionage campaigns and compromising computer systems containing personal information from over 100,000 U.S. Navy personnel. In addition to OPM, I have the letter that I received from OPM framed in my basement say my records have been hacked. There's been a lot of attempts to export treat data directly from our military and compromising data military personnel. I don't even know, if someone tries to do that do we find out right away or my all sorts of things going on and we anoint you. It just depends. Certainly there has been long time in detection for the major breaches we have had and I would say we've gotten better at detecting how this happens and will have testimony from the righty of expert in Mike Rogers can speak to that. I think we're getting better rapid detection, rapid attribution and a better process for response but as Jim pointed out, the threats are getting better as well and better at anonymizing the origin. Thank you.
Thank you very much and thank you to my colleagues for their tireless work in sharing their work with us today with either Mr. Gallagher like to stay for panel two. You been generous with your time and would be very happy to weigh you in. Would you like to stay? Yes, I will stay for a bit and if I could ask a letter of endorsement of a National Cyber Director by the U.S. Chamber of Commerce be added into the record, can I ask a unanimous consent. Absolutely. Right to have the tmi keith markup going on so I have to announce as well as many diapers I have to change upstairs, I may not be able to attend the whole second session. Thank you. Without objection, gentleman from Rhode Island will join the committee on the virtual biased in the second panel. Now I would like to introduce my second panel the honorable and the gentleman from Wisconsin. I will now introduce our second panel. The honorable Mike Rogers with a member of Congress, chairman of the House Permanent Select Committee on Intelligence from 2011 to 2015. Michael Daniel, president and CEO of the Cyber Threat Alliance and former cybersecurity coordinator for President Obama from 2012 to 2017. The chairman and CEO of the founding director Computer Emergency Readiness Team. Suzanne, senior advisor for homeland security at the International Security Program at the Center for Strategic and International settings. The U.S. Cyberspace Commission. Jamil, founder and executive director of George Mason University National Security. The witnesses will be unmuted so we can swear them in now. Please raise your right hand. Do you swear or affirm that the testimony you are about to get is the first, the whole truth and nothing but the truth, so help you God? I do. I do. Let the record show that the witnesses in the affirmative. Thank you and without objection your written statements will be made part of the record, and with that, Chairman Rogers, nice to see you again, you are recognized to provide your testimony.
Thank you, Madam Chair, it's good to see so many colleagues I had the privilege to work with and new ones as well and to be on a panel of very distinguished expert in the field of cybersecurity and how we approach it. It's been a very long journey for me, Madam Chair, to get to where I would sit in front of the committee and say I support the cyber director, and congressman and my good friend congressman both have reminded me over the years how I was just ruffling about this and they invited me to dinner under the understanding that they want to watch meet as they testify today in my support for the National Cyber Director bill that you proposed today. I'll tell you why. I looked at it when I was chairman, prior to being chairman on the Intelligence Committee and subsequently in my private-sector life with a policy work in the study of presidency working at all the fascination of how we can combat this threat and in the private sector in the start-up companies and have the opportunity to view how the government is doing some of these things, offer products out into the commercial market to help defend the private sector from aggressive cybersecurity threats. All of those things have led me to change my mind. I look back and have a lot of the same arguments, congressman and Ruppersberger and myself and representative homer sitting in a meeting in 2008, I think it would've been two people on side one table and two people on the other. I was worried about the expansion. There was a lot of talk at that time about an agency and I did not think we should go there and we had lots of discussions, and what I find that this bill does different than previous discussions is that it does not expand government, which I'm really concerned about, it focuses government. If we need anything in the cyberspace, we need focus on what our government is doing and does not have the right resources.
We've taken important steps in the past and Congress, the Federal Information Security Management Act of 2002 got us started in the modernization in 2014, but here is the problem. Imagine if you take the quarterback and not like the quarterback train with the football team all year until the first game you put them on the field. We will have problems. This is exactly how we set up the ability to monitor to oversee the large enterprise which is the federal government. If you think about it, I know there's been a lot of talk about incidents and we need to be prepared and the NSA has the ticket, but think about the agents. I will read off three. I went online and the Inspector General report, and there are hundreds and hundreds of these agencies, by the way, who are getting paid auditors to come in and do their review of their cybersecurity program if they're meeting the federal guidelines. We e big ones but do not think of the Committee for Purchase from People Who Are Blind or Severely Disabled and think of the information that those organizations have that are pretty sensitive information. The Pension Benefit Guaranty Corporation. I have dozens of these. I could go through them for hours. All of these agencies who are absolutely under siege today, think of it, billions of times a day, somebody is getting up in the morning with a sole purpose and job to try to penetrate the U.S. government at any level. That happens every single day. Every agency I mentioned plus the others are under espionage or destruction of data. That's happening and in a pretty big significant way and we are going to need to do something. We are looking at it from the wrong end. My testimony highlights some of the threats we've been dealing with a want to give you an example of why we have to change the way we are thinking. We cannot continue to do the same way and expect a different outcome.
There was an inspection of the particular agency we would all be concerned about is the data were exposed and what they found is about 25 serious changes that need to be made, outside firms hired to come in and say these are the things you're doing wrong. We will be back next year to see if you have corrected them. A year in cyberspace is a lifetime. A quarterly report is a lifetime. That means we have got lots of exposure and this is the one got me. Here's one of the recommendations. If this agency continues a delay in protective actions, a material weakness in information security control may be reported in 2020. That tells me we are not prepared for the threats that is knocking on our door today. Part of the reason is they have to coordinate with a whole series of bodies. Let me give you a little bit. They have to coordinate with all these different agencies to come up with what guidelines are to move up. They are under their own attacks, by the way. They offered their own cyber operations and there is no organization over top of it to say I'm going to be the calvert e. To help you in your deficiencies aren't going to help you find out what's wrong and how we fix it in a short order. So we are going to need help. The fact that we are going to have incidents and we are one keystroke away from an incident that has major consequences in the United States because they are just under siege. The Chinese have been highlighted in intellectual property theft and found disruption they are changing their policy. North Korea wins and they all know it. Matter of fact, I want to read this quick quote if I may, Madam Chair. This was done by the general of Russia. A perfectly thriving state can in a matter of months four days be transformed into an arena of armed conflict, a victim of intervention and sink into a web of chaos, humanitarian catastrophe in the civil war.
The role of non-military means, achieving political strategic goals, talking about cybersecurity and cyber influence operations and disruption in cyber activities for the public to lose trust, and in many cases they have exceeded the power and force of weapons in their ineffectiveness. That was 2013. Fast forward to what's happened. We watched the Russians engage in operations including the attempts of the networks concerned to disrupt things. In public reports show that the electric grid was attempted to be penetrated and they tried to penetrate the stock market. Disruption leads to chaos and disruption in the American institutions. This is as serious a problem as we can get. I will have to eat crow with my good friends, but if we do not have something coming, and I don't agree with the big agents. If we don't have something that doesn't expand government, that focuses the cybersecurity efforts, we are going to be in for a long run. We've had these conversations and admired the problem. We worshiped the problem and now we have to do something about it. It will help them get to where they need to go and that is why before the committee today I'm offering my support of this legislation. Thank you so much, Chairman Rogers. That was a powerful and moving presentation. Mr. Daniel, you are now recognized. Good afternoon and thank you, Chairman Maloney and other distinguished members of the committee, for the opportunity to testify before you today on the topic of the legislation, all of whom we've worked together and have known each other for many years. As you might imagine, I think about this issue a lot. I served for four and a half years as the special assistant to the president and cybersecurity coordinator on the National Security task and since then I served as the president and CEO of the nonprofit front organization.
As the digital dependence continues to increase them something we talked about this morning, the imperative to get better at managing cybersecurity increases. It makes it tough for the government that it doesn't fit neatly into a bureaucratic bucket. Cybersecurity is a national security, economic security, commercial, intelligence, law enforcement, public safety, foreign policy issue all rolled into one. Yet at the same time it is highly interdependent, just like the internet. All of those aspects are connected and affect each other in some unanticipated way many times, and that means all of these pieces have to coordinate and work together to be effective and not undermine each other. And we've actually some of the questions and commentary, we've made excellent progress over the last few years, actually the last two decades, in laying out the foundation for better cybersecurity. We put in place better policies and enacted laws including the Cybersecurity Information Sharing Act from 2015. Organizational structures as the Department of Homeland Security and the Cyber Command. These include cross-cutting nature across agencies and the need for incident response coordination. I do not come to this conclusion lightly. I spent 17.5 years at the Office of Management and Budget and I have a national skepticism for creating new entities in the federal government, but in this case is the only viable approach that we have. In particular is the only one to overcome the factor in the federal bureaucracy and that's that you are not the boss of me problem and that is just rampant among federal agencies and the fd on the something centered at the White House can overcome that. With that said, I would urge Congress to think through the scope and authority is very carefully. It would be easy to get it wrong and end up with something that does take a bureaucratic bandwidth that doesn't focus on things like Congressman Rogers recommended.
This has to do with the aspects of cybersecurity. It has to have intelligence-related cyber activities in addition to the network defense. In the policy process it has to have a big enough office to get the job done but not so much that its attempted to become operational and it needs to have a clear relationship to. At the end of the day we need a position at the National Cybersecurity Director. Cybersecurity isn't just a technical problem. We need to take steps to address it. Thank you for giving me the opportunity to testify for you today and I am looking forward to your questions. Thank you very much. M you are now recognized. Members of the committee, thank you for the opportunity to testify today. If the provider of the technology organizations to understand and reduce their cyber risk and the solutions are just about every department and agency of the federal government in any state and local governments and tens of thousands of midsized companies working with organizations in the world contemplating to understand and reduce the cyber risk. The creation of the office within the executive office is a critical step forward with risk management practices across the federal government and across the nation. The whole nation risk requires the new expanded across the entire nation not immune from the threat of cyber attacks or national security. Government services and critical functions of citizens rely on. They would also be helpful in coordinating the government understanding of cyber risk efforts to proactively reduce cyber risk and coordinate responses when needed. To ensure the government holds itself and industry accountable this is negligent behavior.
Many have been outlined in the legislation and a ninth written testimony their 7331 to include establishing a national encryption policy that deals with cybersecurity and public safety, coordinating with regulatory agencies to set policies and practices on the cyber workforce development initiatives and emphasis on greater inclusiveness. It's difficult to overstate the cyber risk that we face today. The governments and businesses utilize internet of things in operational technologies. One of these technologies optimize production and increased sustainability, they also expand the overall cybersecurity attacks and need to be an integral part of the practices. These risk management practices must include services and industries essential to the public safety and wellbeing such as power, water, transportation and health care. The risk is more than a technical one. For Chairwoman Maloney, the Ranking Members of the committee, further attention to this important topic and I would be happy to respond to your questions. Thank you. Thank you, Chairwoman Maloney, Ranking Members of the committee, thank you for this opportunity to be here today to testify in support of the Cyberspace Commission recommendation. In aspiring to see the bipartisan and nonpartisan approach all of the commissioners brought to the work of the commission in this recommendation is no exception. It has been noted the commission considered alternative approaches to address what we all agreed was an urgent need for stronger coordination across the many entities engaged in cybersecurity for the better integration effort and more robust strategic planning that I do want to emphasize the arguments against the alternative of the entities out of the departments and agencies where they currently reside and put them together in the new department of cybersecurity. It wouldn't solve our key challenges and cause huge destructions with little to no gain.
The most important and challenging coordination issued in the interagency in my experience arrives between the elements of. The DOD are not going to relinquish their cyber activities to the new department with the backing of the president. To do this, they must have the authority to convene and get information from law enforcement, the military and the intelligence community as well as DHS and the specific agencies. It's the risk that it would become singularly focused on technology and the technical aspects and failed to integrate the regional experts and those in the regional and political dynamics of they not surprisingly focus on the technical aspects even though we know understanding and mitigating cyber risks requires the broader approach that fully recognizes the human element, integrate cyber and physical risks including the knowledge of the operational environment for the financial services, or election infrastructure, and incorporates the knowledge of the adversaries and what drives them. A new cyber department would be staffed by technical experts and focused on technical aspects. This could happen to the office of the National Cyber Director as well and it is something we must guard against. Working with the Council of Economic Advisers to help guard against a tendency. Another of the key recommendations is strengthening and reinforcing the great work being done by the group. They often compete for resources and authorities. They can support and enable the battles that the federal government in cybersecurity. The National Cyber Director should do only what the agency and the department cannot dig themselves. The across the interagency on these activities have helped to push the process to active positions. It will fail if it has further stove-piping bureaucracies to the nation's efforts to reduce cyber risks. For the existing cyber within the U.S. government. Thank you very much and I look forward to your questions. Go to questions.
Thank you very much to all of the panelists for your testimony. There's more than 150 countries and even shut down a portion of the National Health Service. So, Chairman Rogers, can you potential effect a cyber attack on the critical infrastructure like this would have been the United States? It was the least capable actor even at the high end but was able to affect the systems and it had a global impact and sometimes they were turned off [inaudible] spread without the directing of, which is a whole a problem of top-tier nation-state actors. Threats look with the are when they use their state power to set themselves up for influence around the world to use diplomacy to. They can deliver them anyway to try to get credit for their influence other nations. They use military defense and intelligence cyber observation. The cyber observation for his espionage. This espionage. I would look at all of the ways they are coming at us. What we know is they would love to get access to people's data from the nation-state perspective, but also cyber criminals, organized cyber criminals and others who would love to get data the U.S. government collects from the U.S. citizen. Everything from food stamp participation. Think of all the information you have to give in order to get qualified for the program. That is valuable so I would look at this. This was a massive attack by nation-state but we have all of these other attacks, and that is my argument, is they want somebody not just an incident response but somebody for the pre-crisis. How do you help them through what they need to look like in their cyber shops and the kind of tools that we do, and by the way can we do this with a collective defense mentality so that when one gets attacked, everybody knows what that threat is moving forward. That is the way that I put up at this. Let's have the director's job every day is to get up and she needs to think through all of those problems.
My argument would be we are going to be better off because there is a lot of talent. I was shocked by the report that 90 of critical infrastructure operators to. For the different parts of the process. What would happen if one of these companies would compromise and can you talk about the part? It can totally ensue into for a preparation for the systems are being compromised and is being stolen during the time of crisis. The impact here could vary greatly. We need a systemic understanding of risk, which is why a National Cyber Director needs to work closely with the regulatory agencies. They are not providing updates and maintenance to keep them in a secure statement. Perpetrated by North Korea and a lot of the damaging ones. H.R. 7311 would help. There is no question in my mind, having been cybersecurity now for over 25 years and having spent time in multiple departments and also hoping the federal government with technologies to protect. It would help provide a coordinating capability and bring the maximum understanding of the. So the representative who said it would have a significant impact on the crisis that we face down the road, so in the creation of the office these are critical steps to a and the proposed legislation to establish the new cyber director they are [inaudible] as a nation we were made under prepared to deal with this ongoing conflict. Whether we are at war and point out the better part of a decade they've been insulted consistent conflicts albeit fairly low levels. The director Keith Alexander says the greatest transfer there are two types of countries, those that have been acting to do not know it. In North Korea and Iran and the data figures here in the United States in the last half decade we know they are preparing on the American body politic, undermining elected officials and rule of law, and when we played a role in some of this, they paid a price at the debate could they both have this.
We may see the same players become active into the new work-from-home environment and to our way of life. What can we do about it and how much of a role in creating this play in the process? I completely agree with all of the members of my panel as well as Congressman Gallagher had the pleasure to work with in the past. It is critically important for a large office of 75 people, one third of the size of the existing National Security Council, and we need to have that confirmed. We know that almost any White House, whether Republican or Democrat, this administration or another, will be opposed to the creation of yet one more in the White House Office. Indeed there are other alternatives to consider. The committee may consider creating a position in the White House Office but not Senate-confirmed and more leadership oriented to work with the president to ensure that person has the stature and is able to effectively work through for the full range of issues in this space to ensure there is no doubt with all better coordination and more aggressive coordination is necessary. The question for the committee to consider is whether that requires Senate confirmation, and on that note I'm skeptical that I recognize there's a lot of my friends and colleagues who support this and I have a lot of respect for the position, and with that, thank you and again apologies for the technical difficulties earlier and I will yield back the balance. I would like to ask about the cyber attack that froze computer systems around the world and in exchange for ransom. Practically and every federal agency this attack hit the direct company costing more than 300 million. How great is the risk of an attack in the United States today? I think it is a huge issue.
Mostly the West to suffer between the damage with it demonstrates is even the realities you may very well be seeing collateral damage with cybersecurity coordinator for the swiftness and agility to respond. I now recognize the Ranking Member for his partnership. Thank you, Chairwoman. My first question, that you walk me through how they currently proceed with the federal government and how it might change with the advent of a National Cyber Director? Right now I think that it depends on who first becomes aware of that incident. It depends on if that incident disclosed by a private sector entity, but then at some point if it gets big enough they would share that information with some of the other elements of the U.S. government. And then the government would need to do an assessment on whether that incident actually represents something that is more systemic. In other words, is it going to turn into a cry or proliferate across more of the economy or is it more limited, and then the government would need to do an assessment on whether or not the response is warranted based on that incident. I think in that case, when you start to look at how the government responds, that's where you want that coordination to come together. Just because an attack comes through doesn't mean that the only response needs to be back at the adversary through cyberspace. You might want to use other policy tools and means to respond and that is why the different elements of national power is so important. The next question. Earlier this month in the joint public service announcement by the FBI, DHS Cybersecurity and Infrastructure Security Agency, the FBI reported it is investigating targeted compromise of U.S. organizations conducting a research with cyber directors, so in other words there is China attempting the pandemic to hack into the business of conducting research on the very virus originating at in its own country.
Could you please explain some of the methods China is using to try to steal the nation's Critical Research into this virus or if you have no insight, various ways that China accomplishes its many cyber intrusions? The Chinese have been engaged in this for the better part of a decade and a half. We didn't talk about it publicly for a long time and it was Chairman Rogers and Alexander came out and started talking about what's happening for the public became really aware of it and only in the recent weeks and months that we've become aware of our supply chain when it comes to the pharmaceuticals and so what China is doing they've built their economy. They then sold it and they try to do the same thing in the arena they try to get out ahead of this to grow the economy on the back of our shelves and we cannot allow that to happen. This has been a national issue. The president has been blessed in pursuing China on this and we can't let it get in the way. The stop the Chinese from continuing this and develop the backs onto the back of the rmd. We've had this hearing and it's always been clear cybersecurity is a huge threat to the United States. We talk about China being one of the worst actors with respect to Cyber Security threats from Cyber Security violations. You see they have been stealing the patents for years and intellectual property. Who knows what all they have done with respect to COVID-19. I think we would like to get to know that. I know the select committee is delving into that. We spent a lot of time in the Committee Investigating Russia. I believe the American People, the American taxpayers would be better served if we spent a lot of time investigating China, so in closing I would encourage you to consider devoting a little bit of time in this committee to investigate whether it be COVID-19, our intellectual property patterns, whether it be Cyber Security threats and things of that nature, so that's my encouragement to use. 
Atwe have seen and hopefully work together in a bipartisan way that I want to thank the witnesses for being here today and I look forward to further discussion of this proposal. With that I will yield back. Can you hear me and see me? I want to thank the chair for this important and timely hearing. Because I represent the nation's capital, I have a special interest in this hearing. We are not just any big city. And my question. Dave showed up to get around in other operations against a similar shutdown of all operations any number are likely to be qualified that I would begin. Thank you and I appreciate the question. We've seen this ransomware activity for multiple years now and it became more aggressive to gain revenue for the government in early on I hate to say about my brother in the FBI the recommendations for some of these companies where you probably should just pay it. Than they are doing collection activities targeted to do something bad to the United States. So there's this on the eve and the ability to the cities across America and candidly, I think most cities in America are not prepared for this. It is old systems. They have legacy systems. They haven't had the money to upgrade and then provide a level of protection that's why they are going to cities. All of our agencies are in the right direction and a the organizations take on nation-state Quality Craft a [inaudible] it is unnerving to hear you say. And we all know what happens when you pay if more people decide they want to try to extract and if that is the problem in the time I have remaining I can't help but ask. We have already had perhaps most of our primaries and I'm wondering if any of you have seen any interference, any evidence of interference. We have seen it with Financial Institutions worldwide. How about interference with our elections for example any alteration in the results that occur. I can tell you in some of my work that I do. 
We have in fact with large going into 2018 that the adversaries try to influence it by creating chaos and we need to be careful. What they are trying to do is create chaos. They don't care. So they are trying to create this chaos in these elections. I thought they did a phenomenal job. They said this is very effective we are going to ramp up our engagement and try to create this coming forward. It is something we absolutely have to pay attention to. And they don't have to develop a naval fleet in stock. At the states and cities when they see this right now it's interference, it's consequences and they are equipped to fight back. In November we only have a couple of months to be tested. It's difficult for the state and local governments to do this. We need to ask ourselves what do we want our higher performing National Federal agencies to do for us. I think this is where the National Security agency and other high-level performers can be helpful in trying to stop this across the United States mainly because it is a very sophisticated nation-state actor activity. There are some other groups out there trying to get into this game that are worrisome and then encourage them because it isn't always going to go the way that we want but we have to encourage them and don't look back on these. I now call on we have a lot of tools at our disposal [inaudible] working with nonprofits those have been activated by the response to COVID and a heightened threats to the scenario of the policy can have a disproportionate impact. Madam chair I will yield back. Who should I call on. Thank you, chairwoman. I want to go back to you and have you walk through you made some ideas that maybe this would be appropriate at the presidential level. Can you walk us through that a little bit more? Of OMB, the head of the drug control policy. To focus on things they share with trade on one hand and power of the purse this is an area where it is a National Security responsibility. 
Democrat, Republican or otherwise we have to face the challenges of the White House to emphasize the importance. With the issue of interference into the prioritized it [inaudible] Mike Rogers, looking from the outside, you've been part of the matrix of congress. Do you agree with anything he's brought forth in that aspect? I had the same sensitivities of do we really want to impose on the president's structure of National Security at the White House, and I wrestled with this a lot and the reason I think I've come full circle on this is because I have seen it from the private sector side as well as chairman of the intel and this isn't a Republican or Democratic thing. The Bush Administration had an effort of this, the Obama Administration had an effort, they took a different take on how they wanted to do it. My argument is none of it worked to our advantage. When you look at the series of challenges this isn't the kind of semantic of should we or shouldn't we. Every major adversary. China, Russia, North Korea, Iran, those are the main adversaries. They are ramping up the use of cyber because they know that it has little consequence and high impact. If you look at what's going to keep me in charge of nuclear weapons and cybersecurity, offensive cybersecurity. So he's investing. We know the Chinese are spending billions of dollars as a matter of fact they announced they will spend a trillion dollars to try to have a technological and edge in quantum computing and build out his research including by the way cyber capability into the control. So, they are looking away from building large defensive military postures. Don't get me wrong. I am for that but what they are doing is trying to spend it and my concern is if we keep doing it the same way, we will keep having the same response and the response we have now is basically I called you for the last 12 months doing something wrong and I will see you in the next 12 months to see if you get it right. 
That isn't working and it won't work. Let's have an office that has that authority. And there's some big personalities. I'm not talking about the individual leaders it's just their big personalities nobody wants to listen to anybody. You have to have a committee and I think you need somebody to say thank you to help you. We are going to get that piece right. We are going to fix this and coordinate resources and I'm going to reach over the department of agriculture to figure this out. We are going to include all that. We don't have that today and that to me has to change. I like this idea because it is a radical change in the really said at the beac setup oe individual to fix this problem. Do you see any additions or subtractions to it? Here's where I agree and he and I have had those conversations often when we were working together in the Intelligence Committee. You want to make sure that if everybody in this bureaucracy gets to say no and everybody gets to sign off, we lose. It has to be smaller and more agile. I would worry about the body count. We need to make sure that it is agile and that it can actually do something. It needs to say not that I'm going to beat you with a stick, but I'm going to help you get where you want to go. That is what this is to be. As we all know the devil is in the details but if we don't do something graphical, we are already behind faithful and all of the data, so all of that is why we need somebody to Pay Attention to it every single day. Chairman Connolly is recognized. Thank you, madam chairwoman. And thank you to the panel. It's a fascinating conversation. Congratulations on the work of the Cyberspace Commission into this piece of legislation. I spent all 12 years of his life in congress focus on federal IT, modernizing federal IT. 96 billion a year increased from 80 of which is spent simply maintaining and many of which cannot be encrypted, can't be updated. I want to raise some concern. 
You both kind of touched on it. And you were in the White House. We have a chief Information Security in the White House and the office of science advisors. They tried to modernize and protect. How will the creation work with those other offices and what authority would he or she have to help upgrade a legacy system that will cost at least hundreds of dollars we've been trying for five years to absorb them to make those investments. Will they superseding authority and will he or she be required to coordinate or charge a certain set of goals that include cyber but are not limited? I say this in support of the legislation but worry about execution. Worry about its overlap and what could go wrong with this coordination. And maybe I could start with you to get your experience. Presumably those are real concerns. Could you share them and what protections could be taken creating dispositions to avoid the inevitable conflict that could ensue? For how we go about finding upgrades in IT. And that's to keep old stuff around forever. The cyberdirector you would hope and expertise from the private sector and then the structural changes we could make across the federal government. I and we need to continue working on cross agencies support for cybersecurity for not affecting every agency to be good and instead think of the economic principle of comparative advantage. Want to make sure to get it right to hit the ground running to defy responsibility because if we don't get this right so instead of getting cooperation we certainly to do that. And dave resume what to do and not all of them. The witness can respond. And with the federal CIO whose job it is to focus on the federal agency of cybersecurity and those individuals who should focus specifically and this is one aspect that is cyberdirector would have to be concerned about. You are now recognized. Everybody's first question is why it is the budget for the National Cyberdirector? 
The second part is, in addition to the 75 employees, what part will go to contractors? We don't know what the budget is. And then to bring in other parts of the government so that could go beyond that now. And for that full-time equivalent and then to be appropriated and authorized. That's a question I would like to get an answer to. You were on the commission that recommended this position. Correct? That's correct. Was there an advocate for civil liberty for privacy on that commission? And why is there not on this proposed legislation there were two deputy directors for Civil Liberties or an advocate for privacy. Should there be one and was that discussed in the commission? I have a long record to be an advocate for Civil Liberties. And they came to the table with those sensitivities in mind the specific person designated. And privacy one of the values and interests that cybersecurity is intended to protect. And it was built into the efforts but there were times in which they approach Security Issues may have implications for privacy and civil liberty. Your point is very well taken. And there ought to be an emphasis. May be a director specifically for that but with the department of Homeland Security, a valued very highly with privacy and civil liberty issues. And found their implant and insights extremely valuable. And there was a bias in the other direction. What does it mean to have a list of trusted vendors into the hardware and software. How do you have that system in the government and how do we put those back doors in. And for those systems and more often are not that comes to a provider with the court order and in a cooperative manner. There is a little bit of the oxymoron. So I am concerned about that. What is the real responsibility with Sony that has 8 trillion man in revenue. So we expect every company or the small mom-and-pop so they all defend themselves with monitor resources. 
But just for section that they are falling victim and with that standard of care. And why it's important to have the cyberdirector position with Law Enforcement were there is proposals to weaken the encryption. And those made on a daily basis with the International Norms of behavior and all of these are done without having a National Policy at the White House level. Thank you madam chairwoman I yield back. By the puzzled history of this way I had in 2014 by China causing and that cause the incalculable damage and now we work are totally unaware is seemingly unprepared for the coronavirus and with the European allies everybody is responsible for something what seems overwhelmingly compelling to me that was coordinating our cyberdefenses with those vulnerabilities that were demonstrated so my first question for you is why does it take so long to get to this point. If you look at back on about this this increased acting on actor even though we knew it was going on for years because the Bush Administration said no way. So we gave a forceful argument about making this public only been talking publicly for ten years. Now there was a recent gallup poll that 81 percent of Americans believe there will be a cyberattack of significance on the United States. We didn't have anything like that in 2010. So Public Opinion has been slow to catch up. And then to defeat this thing that there is no system out there that is impenetrable. Anytime we break up the efforts and one mission set and that happens in private sector and local and State Government. This was very typical espionage activity and very Sensitive Information all of that information was taken back through the algorithms to collate the data those that they are interested in spying on or moved to the defense realm that was unfortunately a brilliant espionage activity. We really have to change the way we think about these threats. Let me follow up with you. 
What is terrifying is the field response to coronavirus for the Foreign Government to do that harm. We don't have the social cohesion with the spread on the infrastructure so with that geopolitical contact. That is two conversations one is on a supply chain. Answer the question. Security is a very important discussion and to Kill International trade and second the other reason is that the nation-state is a big adversary remember the quote they realize I need to build an Aircraft Carrier if I can shut down their electricity to cause distrust of the government then we win. And they all have stepped up their game. That's why this is so important and we are in a cyberwar today. Those that don't I disagree they are causing disruption I don't know what you call it. We should have one focus to coordinate all good activities and focus don't expand but focus. We the other lesson from the pandemic is what happens if we don't have a coherent response. Mr. Grothman. Can you hear me? Can you hear me? Can you hear me? Yes. Yes. [silence] unmute yourself. And you hear me now? I can hear you now. Okay. I have a question here. The first question is when we confront China or Russia, what is their response? Congressman having engage them on this topic directly, most of the time they deny it. And naturally they deny it and we must be mistaken and please provide all the detailed evidence of how they found that out to expose the intelligence from doing that and that at most it is at rogue element but they never will accept responsibility for doing that. We have engaged with them to push forward and push back on that activity. We asked this earlier how a major cyberincident proceeds from the government. And with the private sector or the Government Agency and what happened from discovery to response in the cybercommand authorities and how does this change with the National Cyberdirector? Some of that depends on how this information comes to the government. 
First with the National Cybersecurity communication integration center, we often get reports from private Sector Companies they are seeing malicious activity but then to come into the FBI for example the players and DHS and the bureau usually the NSA gets on the phone together although they often sit at the center but the information would be shared. Then a decision has to be made very quickly if the government will step in on what is most important sometimes you try to do this at the same time but you have to prioritize will we mitigate the problem and the damage done for that private-sector business or the priority to do attribution who is behind it? They cannot but happen at one so conversations ensue to prioritize that so with the National Cyberdirector that is to deconflict of those quickly. Time is of the essence to make sure we can get in there to make sure what is trying to accomplish all the others. Talk about Russia and China and what about those other countries with those for cracks. Otth those that are engaged in wrapping up cybercapabilities in the nation-state capability to former eastern bloc criminal organizations. They may not look like a state. And with those family countries said the next question and if you were involved with the George Floyd incident could you expand on that? You see the foreign minister platform refer to the plight of black Americans with those Muslims in the province they don't care and they operate in a very covert way we have every reason to believe they have blocked and they are involved in this effort. Gave us a specific example. I don't know if we've seen on point examples I can't prove it to you today that I put my life on it. The gentleman's time has expired. Madam chair did you recognize me? Yes I did. I did not hear you. Thank you madame chairwoman for convening this hearing and thank you to the commission for the detailed report. 
Also on one key area that was previously discussed I dug deeper with the loss of hundreds of billions of dollars of intellectual nation-states and cyberespionage. The chief country responsible has been China we know they actively work with state owned to steal IP from foreign sources. And that release the report released release by China cost the economy 600 billion per year. Let me repeat that. And then to be thoughtfully quantified let me turn to you first. And with those recommendations for the National Cyberdirector and with that persistent in mind and to address this issue. And addressed by a number of recommendations. And to have a Critical Role to play the intellectual property and a true collaboration. We are the ones in government the National Technical means and to collect information about what nation-states like China are engaged in and the techniques they are using. The private sector businesses developing intellectual property to defend their network so that number of recommendations to make sure the government is obligated to get the information to those private Sector Companies and the National Sector to make sure that is happening to be part of the metrics. With the National Cyberdirector. We need to have a proactive plan and strategy but that planning capability has been lacking and another key role for the cyberdirector using the joint planning organization. Chairman Rogers who talk about how America has been struggling dealing with the IP. And then to finally allow us to sexily defend. I would hate to say finally. But we need to continue to invest in a way to defend ourselves getting into 5G out to the 5G network. It gives the best possibility to take all these new challenges if you look at the recent level of arrest those targeting American Enterprise is to get around the firewalls to steal more information. And it is changing dramatically. 
They want you to steal the credentials to get into the network for a more sophisticated penetration of the network. Is there a concern to provide appropriate protection to see companies for those that do provide protection? There are parts to being an American Company they are unlikely to see a flood of intellectual property. That being said we have moved economy. Novation and and then to survive to the next stage. Even thinking of rehoming American technology, we have to protect that with that innovation and ability to invest and reinvest. I yield back. Representative are you with us? Yes. Thank you madame chair. I appreciate and thank you to the representative for their extraordinary work to come up with such a detailed proposal on the bipartisan basis. Working on this for many years it is a passion he has talked about often so I'm glad to see it has come to fruition. Are there additional authorities the National Cyberdirector should have? Certainly representative, I think it is important as we structure this position to make sure it's not just restricted to Network Defense but have the full suite the capabilities the government has to bear including military operations and Law Enforcement across the board. We cannot restrict this position to look at the things. Chris does not need another boss. He has one. And he have to look across the entire federal government. And if I might, I totally agree on this point. The distinction is between having visibility across the entire government and between offensive and defensive operation that's different from giving directive authority. You don't want Law Enforcement activities at the White House Daily intelligence selection of those activities. But it's critical they are not excluded from those conversations and they have visibility. They never deconflict in this way. 
They are fending off malicious activity to steal money that may not be the best time to ask the banks to impose sanctions to implement those against Iran. We know Iran retaliated in the past against our banks. That deconfliction is something the National Cyberdirector needs to help with at the table. Are there additional cybersecurity recommendations we should be considering with a report that you came up with? [inaudible] but then share that in real time and then to collaborate in real time. That part of the report is critical as well as continuity and a variety of other areas and the recommendations from the commission. I 100 percent agree and then what to make us more competitive and Chairman Pai has done and then to compete in 5G and a people want to be done them and there is a great effort today how do we get rid of that? And those that are vendors to do that those are the things that you are dealing with now to have a huge advantage with us to put us in a competitive position. As Suzanne Spaulding said those systems to defend themselves that are the most critical. Commissionf the and the interpretation of the sec one fcc and look at the cyberrisk to be managed associated with their business. To get that back in place you will increase the level of attention and each enterprise to defend themselves from the amount of noise and Economic Loss will go way down. Thank you for your testimony and the pearl harbor. And then to have every company in this country to have private armies to safeguard ourselves at the national response. I will be supporting the legislation to help put it together. Representatives are beans on soybean. Can you hear me? I just thank you to the congressman not only for your testimony with this proposal which I support very strongly welcome back to Chairman Rogers and the rest of the panel for the testimony. Obviously one key responsibility of the National Cyberdirector is implementing a National Cyberstrategy. 
In 2018 the Trump Administration released a National Cyberstrategy to integrate cyber into all elements of National Power. Can you state how the 2018 strategy has been successful or not and how with the National Cyberstrategy required by this bill be different from that so you could compare and contrast? With that strategy was meant to do was a better place of coordination to understand our adversaries have all the nation-state power they can bring to bear diplomacy, cyber, and using that capability. So has the Economic Data with trade negotiations. So they are using cyber and intelligence for all of those pressure points a government has to bring to bear. It's my understanding the 2018 rule as we finally get to understand it is multi domain separating the diplomacy in the economy so how do we have everybody go in the same direction? That is what they were trying to do. Is a work in progress. We debated when I was chairman and to be part of those discussions, what is that and we are allowed to protect ourselves if they shoot at us in cyberspace? They saw that question over the last 15 years. We have a piecemeal policy in the 2018 policy tried to say again we use all the nation-state groups of power and then understand what tools in the toolkit we have. Not every cyberattack not at all but still to this day I don't think we have a good definition of what we can do to prevent. Now we call it aggressive defense. Whatever we call it. I interpret you to say the Administration Strategy released in 18 headed in the direction that now the cyberdirector with a strategy required take to a more coordinated and structural place. One key difference of the role envisioned by this bill the position would be empowered with new authority to monitor implementation in terms of strategy with changes to OMB with personnel and resources allocation as well as certifying the annual Budget Proposal with each agency is consistent and that makes a lot of sense with coordination. Mr. 
Daniel, you spent 17 years before assuming the cybersecurity coordinator role. Is it important for the National Cyberdirector to have authority? Why? How do you think that relationship would work in practice. I think it's critically important that the office have a very good understanding and it works and the budget process former OMB director that clearly the ability to influence and shape how we allocate resources is incredibly important. As a practical matter very close collaboration and those program examiners it was most effective working closely across the entire complex any of those White House elements to make sure the budget supports the president's policy. You could imagine a situation where program examiners detailed to help provide that connectivity working hand in glove to shape the president's budget. That's why having a lever like the Statutory Authority would be very helpful to the position. Representative Porter. Thank you. Under H.R. 7331 with the National Cyberdirector serving as a principal advisor to the president on cybersecurity and strategy. Having worked through many of those functions yourself do you have any concrete examples how having the cybersecurity while it's important to finalize. And that is so crosscutting with policy areas that as part of her time so if you are trying to decide what the policy should be on everything from 5G to relations with China cyber shoots through all of those you want the president to draw upon somebody with expertise in those areas to those issues to make a decision knowing the effect on what cybersecurity might be. Sometimes you make decisions that have a negative effect and that's why it's so critically important a Senior Advisor in the White House focus on this issue and policy issues. And how that helps assure that to remember anyone the president appointed. [inaudible] and the importance of expertise and with Mr. Giuliani. And we see this work from home. 
We are all struggling to get our level of expertise so I completely relate to one of the cybersecurity advisors and that leaves a gap for the rest of us and an expert at the top of this. And we bring around the country on how policy works. Thank you so much. I know that was a National Cyberdirector position. Can you explain why it makes that recommendation cracks? And how do you respond to create distressed between the present and National Cyberdirector? With respect to that latter question of trust there are lots of Senate Confirmed positions including OMB director. I don't think anybody questions the level of trust with respect to the OMB director. I don't think that's misplaced. We talk a lot having the person Senate Confirmed and the consensus was yes it is critically Important Congress have effective oversight of congress doesn't have the ability and to have that picture of what is happening it will be very hard for oversight. So that Senate Confirmation guess that greater ability to conduct oversight. And that bipartisan oversight thank you so much. That gentle lady yields back. Would you like to make a closing comment representative? Just to wrap it up, thank you to the witnesses again. This is an issue that we all care about talking about cybersecurity but if you want to create another government bureaucracy and whichever administration will that will be? I do think this was very helpful. I appreciate the questions. Again madam chair with all due I hope we can focus on China not just for COVID-19 but cybersecurity and encourage future hearing with the sole focus on investigating China for their violations. I yield back. How that contributes to the overall shortage and you say and for all people for all walks of life. And how does the federal government benefit the private sector? And more gender diversity? To benefit the private sector? 
And the same approach and with new technologies and we need experts to come from backgrounds for those that are trained those with diverse backgrounds to minorities in the cyberfield and cyberdomain and that to help promote the diversity of thinking to help innovate faster and think outside the box and there are a series of programs. You leave the effort and with that Competitive Edge and to have that series of recommendations and with that perspective from DHS and that cybertalent that we have available to come into the workforce. We cannot leave any population on the sidelines. I truly want to thank my colleagues for their leadership. And all the witnesses for the passion and all the information they gave us today. This is something we cannot afford to delay is not every day to find areas of bipartisan and we have to agree on National Security protecting innovation and people. And without objection to have five legislative days with the written questions that would be forwarded to the witnesses for a response. The hearing is adjourned. Welcome to the 11th annual cybersecurity summit is a delight to have you here. I am the founder cybersecurity and host of the summit. It is my great privilege and honor to introduce to you the two analysts