comparemela.com

I recognize myself. The warnings we had and decisions made about the most recent worldwide Intelligence Committee in January of 2019, and I quote, the United States and the world will remain vulnerable to the next pandemic where large-scale outbreak of contagious disease that could lead to massive rates of death and disability, severely affect the world economy, strain international resources, and increase calls from the United States for support. We must ask ourselves what warnings are going unheeded, and what can we do right now to protect the American people from other threats? Before the unthinkable happens in the future, how can we exercise strategic and precisive foresight to the best of our ability today to ensure we are a nation prepared for tomorrow? That same worldwide threat assessment cyber attacks is a top global threat with China, Russia, Iran, and North Korea, waging a silent war capable of shutting down with such information systems and critical jeopardizing critical sectors in America. The report states, and I quote, our adversaries and strategic competitors increasingly use the cyber capabilities, including cyber espionage, to attack and seek political, economic, and military advances over the United States and its allies and partners. Cyber attacks are a critical, complex, prevalent, and growing threat to the nation's safety economic security, touching nearly every aspect of our lives. This assessment was upheld by recent findings from the National Defense Authorization Act to review the state of our cybersecurity and develop [ to protect positions America against cyber attacks. This commission of congressional executive branch and private sector cybersecurity sounded the alarm and in addition to that disrupt operations in America on a daily basis will remain vulnerable if we don't stop attacks that are critical to infrastructure and economic systems that could cause widespread damage and death.
The number of the commission's recommendations call for legislative this includes what has sparked a high level of interest on both sides of the aisle. Recommendations for a cybersecurity position in the White House to develop and streamline the federal government's strategy for a nation who is prone to cyber attacks. This role was first formalized with the George W. Bush administration, and then elevated and expanded during the Obama administration. But in 2018, then National Security Adviser John Bolton eliminated it to reportedly cut [inaudible]. Of 2019 invited as the fifth most cyber secure nation in the world. In 2020 it dropped to 17. Today we will review H.R. 7331, which would implement the commission's recommendation to establish a National Cyber Director in the Executive Office of the President. This new position would restore that cyber coordination and planning function to the White House. In addition, for the first time, it would be back for resources and statutory authority to lead strategic planning efforts, cybersecurity budgets, and coordinate national [inaudible]. A challenge that is the basis of cybersecurity requires that our government be strategic, organized, and Democrats and Republicans agree we need a National Cybersecurity threat to ensure we are both prepared to and coordinated in our response to cyber attacks as our nation fights a silent war. Our mission today is to gain the detailed understanding of the threats we face and to thoroughly examine H.R. 7331 as the vehicle. I now recognize the distinguished Ranking Member for his opening statement, James Comer.
Rep. Comer: Thank you, Chairwoman Maloney, for holding this hearing to address our national security posture and to explore merits of the U.S. Cyberspace Solarium Commission to establish a director within the Executive Office of the President.
The federal cyber domain, we could all agree, is dynamic and dispersed with varying jurisdictions and expertise across the federal government. These agencies are organized to combat cyber crime, defend against national security intrusions, and support the security needs of the private sector critical industries and commercial interests. Our nation has become more and more reliant on technology over the last three decades. Our reliance on technology and interconnected information systems is more important than ever with the pandemic forcing remotevations in our nation's workforce pivoting to a work-from-home posture. Increasingly foreign state actors, extremist groups, and domestic agitators and criminal enterprises all have a vested interest in exploiting U.S. networks. The remote administrations of pandemic have created new cyber vulnerabilities for these malicious actors to take advantage of. These are the same actors who also target our private sector partners in state and local institutions. Breaches in federal and commercial networks by foreign governments have exposed sensitive intelligence data, proprietary military designs, and government personnel data. Because of cybersecurity risks, we must all do our part to maintain a safe and secure national cyber infrastructure and by continuing to foster relationships across the private sector and our state and local partners we could share a vital cyber threat information that helps secure our critical infrastructure. We'll hear today from notable subject matter experts who have deep experience navigating the nation's cybersecurity environment. They also have experience with efforts to combat damaging cyber attacks from foreign adversaries like China. Historically China has hacked into the FDIC, stolen valuable U.S. R&D, and paid our university professors to improperly share valuable intellectual property.
I welcome the opportunity to work with the majority to hold China accountable for the bad acts, as well as the deceptive attacks over the course of the pandemic. That would be a great hearing, Madam Chairwoman. We will oversee the cybersecurity planning and operations of the federal government. In evaluating this legislative proposal, we have a duty to the American people to be a good steward of taxpayer dollars and not create more bureaucracy. Establishing a clear and convincing rationale requires the due diligence and thoughtful commencement that our processes afford. The current and projected cybersecurity landscape is complicated, with many actors and operations that must work in harmony. While there have been more than several high-profile cybersecurity incidents over the past decade, I must note that at targeting the coronavirus biomedical research activities and use of remote work platforms have been taken very seriously by Homeland Security and law enforcement within the Trump administration. The administration has done what is expected of cybersecurity professionals, against harmful cyber incidents wherever and whenever threats are found. I think we all want the cybersecurity to be effective. To this end, it is imperative that Congress and this committee fully evaluate the reasons why the commission recommended the statutory creation of the National Cyber Director. The main questions I have toward this goal are, is it necessary to create another federal office to have someone truly in charge, and, if so, will that official, in fact, have enough authority to make the decisions that need to be made? Will everyone else fall in line and work in harmony? We know that multiple federal agencies have a piece of the cybersecurity pie, so by authorizing a new oversight and coordinating official, are we legitimately creating a system for prepared to face growing cyber threats?
Will the National Cyber Director utilize the existing cyber leadership and expertise in our government, or do we risk making that pie bigger and creating duplicating functions? Will a National Cyber Director add value to the nation's cybersecurity infrastructure, or should we align and support systems already in place? I look forward to hearing about tangible expectations of how a National Cyber Director would respond and how this might be better than the system already in place. In a fluid environment, when Response Team and expertise are paramount, we could not afford to introduce inefficiencies or bureaucratic hurdles to respond in real time. Madam Chairwoman, I think we agree our cybersecurity enterprise deserves a supportive public policy that will not hinder dynamic focused and strategic planning and operation. I'm pleased to work with you on this issue, but again I want to ensure we're not fostering redundant efforts across the federal cyber sector. In establishing a Senate-confirmed cybersecurity leader, we need to be comfortable in limiting presidential prerogative to implement preferred policies on behalf of the American people. Again, I appreciate this opportunity to review this recommendation and hear from these expert witnesses. I yield back.
Rep. Maloney: Thank you, Mr. Comer. I now recognize the distinguished chairman of the on National Security, Mr. Lynch, for opening statement.
Lynch: Thank you, Madam Chair, and thank you for today's important hearing on H.R. 7331, which allowed for the creation of a National Cyber Director, which is an idea that is not only reasonable but necessary and long overdue given the world in which we live. I'm well aware of the lengthy review and study that Mr. Langevin has engaged in over the years on this issue. He has been nothing short of relentless in his mission, and I thank him and our friend and colleague Mr.
Gallagher for their bipartisan commitment to defending our nation's cybersecurity and for their testimony before our committee. I also want to take a minute just to thank the original cosponsors of H.R. 7331. For years, national experts have considered cyber to be the battlefield of the future, and for anyone paying attention, that future is already here. Back in 2014, hackers likely affiliated with the Chinese government reached the information system of the Office of Personnel Management, compromising the data of at least 22 million people, including, most notably, federal employees, who had either applied for or received security clearances for access to classified information. We're also well aware of Russia's sweeping and systemic efforts in 2016 by hacking the computer network of the Democratic National Committee and attempting to penetrate the election infrastructure in all 50 states. To speak to some of Mr. Comer's concerns, most recently, our National Security subcommittee staff, which I chair, we held a briefing with the Federal Bureau of Investigation and the Cybersecurity Infrastructure Security Agency to discuss the latest uptick in cyber attacks during the coronavirus pandemic against the federal government agencies, research, and academic institutions, and even private citizens. During the briefing, our committee was told that every institution or agency conducting coronavirus vaccine research is a current target for foreign cyber attackers. As our intelligence agencies warned before 9/11, the system is blinking red. Only two years ago, then National Security Adviser John Bolton dismantled the position at National Security Council leaving the U.S. cybersecurity policy rudderless and disjointed.
The need for greater leadership and strategic planning, and policy coordination to ensure the security of our nation and the cyber demand could not be more urgent or important, so I'm pleased to support H.R. 7331, which would allow for the creation of a National Cyber Director, and I would encourage all of my colleagues to do the same. Again, I want to thank the chairwoman for her willingness to hold this hearing today, and I want to thank all of our witnesses for testifying. I look forward to the discussion and for building greater bipartisanship and consensus around the importance of H.R. 7331. Lastly, I'm also in a markup over in T&I, I'm at the Capitol today, where I have an amendment pending so I'll have to jump out and jump back in. I apologize for that, but that is our schedule. I yield back. Thank you, Madam Chair.
Rep. Maloney: Thank you, Mr. Lynch. I now recognize Mr. Grossman for an opening statement.
Grossman: OK. Can you hear me?
Rep. Maloney: Yes, we can hear you.
Rep. Grossman: Good. Good. I appreciate this opportunity in my role, first of all it is good to see we have a witness here from Wisconsin. So I thank you for bringing him in. I appreciate this opportunity in my role as Ranking Member of the National Security subcommittee and oversight to address an issue with major national security ramifications. As Ranking Member Comer addressed in the opening comments, our nation's adversaries will stop at nothing to steal our secrets, commercial expertise, and sensitive information held on a sprawling computer network connecting public and private sector organizations. Chief among the cyber offenders are the Chinese government. As President Trump said, we have been treated unfairly by the Chinese. Oftentimes, this well-intentioned global posture costs the United States our valuable intellectual property, which flows out of our nation's research institutions into Chinese hands.
The hearing today will help us determine whether our federal government needs support in defending against the high-stakes malicious cyber attacks and continuing intrusions. One of the proposals by the Cyberspace Solarium Commission was the formation of a new National Cyber Director and Senate-confirmed official inside of the White House. While I appreciate the commission's desire to ensure that the federal government's cybersecurity infrastructure includes a one-stop shop for cyber guidelines, I wonder whether we might be too quick to create yet another new bureaucracy but not considering potential downsides to this reform. We must keep in mind the Trump administration success in protecting our last midterm elections from disruptive cyber incidents and the administration's strong stance against those who wish to take advantage of international attempts to exploit the technology challenges presented by the pandemic. Would we be doing a disservice to agencies that have responses for our nation? I want to keep an open mind on the merits of any proposal to improve our national security, and I appreciate today's witnesses and the time and attention that they have each dedicated to protecting our nation's information and critical infrastructures. I look forward to the witnesses' testimony and their perspective and whether a National Cyber Director will add value to the framework to properly deconflict and coordinate responses to cyber attacks against our government and private sector. Thank you, Chairman Maloney, and my counterpart on the National Security subcommittee, ranking and rankingch, member Comer in the pressing issues. I look forward to working with you to make sure we strengthen cybersecurity against any types of threats or any foes that wish to do Americans harm. I yield back.
Rep. Maloney: Thank you. I will now introduce our first candidate consisting of our colleagues here in the House of Representatives who served on the U.S.
Cyberspace Solarium Commission. Congressman Jim Langevin of Rhode Island, commissioner and chairman of the emerging threat and capabilities subcommittee of the House Armed Services Committee, who has been championing this effort for many, many years, and Congressman Mike Gallagher of Wisconsin, co-chair of the commission and a proud new father of Grace Ellen Gallagher. Congratulations on truly life's greatest experience, becoming a father, and it is the best job in the world. So we're very pleased to have you both here today. With that, you are now recognized to provide your testimony.
Rep. Langevin: Great. Well, thank you. And good afternoon, Chairwoman Maloney, Ranking Member Comer, and distinguished members of the committee. It is always humbling to sit on this side of the table, the witness table, even when it is virtual. And I want to begin my remarks by thanking all of you for the important work that you do. I particularly want to thank Chairwoman Maloney for convening this hearing and for her partnership in raising the issue of creating a National Cyber Director. I join you today as a representative of the Cyberspace Solarium Commission, and I'm proud to be joined by Mike Gallagher, one of the co-chairs of the commission, and I congratulate him on his newest father in the house, and congratulations, Mike. And I know you're coming off paternity leave to be here for this hearing. So thanks and I commend you for your work. In the 2019 National Defense Authorization Act, Congress charged the commission with developing a consensus on a strategic approach to defending the United States and cyberspace against cyber attacks of significant consequence. In our first meeting, however, outside experts on congressional commissions told us that we were attempting the impossible. We were trying to have a 9/11 Commission level of impact without the precipitating event of a September 11th. Well, Madam Chair, I reject that cynical view.
I believe that if we come together in a nonpartisan fashion to implement the commission recommendations, we could alter the trend that sees our cyber risk grow year after year. We could push back on our adversaries who see the cyber domain as the ultimate rain for operations in the gray zone short of war. We could seize the initiative and ensure that we are not left to wonder the day after an attack what more could we have done. So that is how I view the work of the Cyberspace Solarium. That is the urgency I bring to the table, and more so than any of the other 82 recommendations of the commission proposed and the National Cyber Director is essential to seizing the initiative from our adversaries. It is essential, because cybersecurity permeates every aspect of our society and every aspect of our government. Every department and agency, from the Department of Agriculture to the Department of Veterans Affairs, relies on secure information technology to conduct business. Yet, very few of them have cybersecurity as part of their mission, nor is it their primary focus. Because cybersecurity is difficult to measure, we end up with misaligned incentives. People skimp on cybersecurity, because they would invest on operational programs in their department. We need a strong leader in the White House to defeat the inertia that pushes down the role or until a devastating breach occurs. We need a strong cyber leader in the White House to coordinate strategy. Beyond government systems our national and economic security rely on critical infrastructure, most of which is owned and operated by the private sector. Where once we could rely on two oceans and friendly neighbors to insulate us, today our banks and hospitals and power plants are on the front lines of shadow campaigns to undermine our way of life. Only within the White House could we break down agency silos to ensure that we have a whole of nation efforts to protect our networks.
Finally, we need a National Cyber Director in the White House to coordinate incident response. We're living through a public health crisis, the likes of which we have not seen in over a century. When our adversaries strike us in cyberspace, we must be prepared to defend early to stamp out the infections from computer viruses to quarantine effective networks and to inoculate uninfected machines by patching them. This is only possible with the National Cyber Director. This idea, of course, is not new. I worked on it with the CSI commission for the 44th presidency in 2008. But as my friend Mr. Gallagher has taken great pains to describe at length, the Solarium process has a way of refining one's thinking. We debated the proposal extensively, and were very deliberate in our decision making. We chose an office in the White House, because only the White House could truly reach across departments and agencies to manage a risk so pervasive as cyber. We chose a Senate-confirmed position, because congressional oversight and buy-in is critical to the success of the office. We chose to preserve a coordinated rather than operational to the role because our cyber defenders need, advice. Madam Chair, just to conclude, there are some that argue that the National Cyber Director is congressional overreach. There are those who say that the president is the ultimate arbiter of the Executive Office of the President and that Congress has no business interfering in these Article Two affairs. Those people, respectfully, disregard history as Congress has helped to guide White House structure in the past when the moment demanded it such as when Congress created the Office of Science and Technology Policy or the U.S. Trade Representative. But more concerning to me are these people implicitly endorse the status quo and that scares me because every day I wake up and see our adversaries making gains in cyberspace.
I saw it under President Bush, I saw it under President Obama, and I see it today under President Trump. And president. Shaping norms that suit their interest on the international stage, striking at our partners and allies and attempting to undermine our elections. Agenda,me we set the wishing back on our competitors and shaping their behavior by improving our resilience and strengthening the cyber ecosystem. That, it haswith been one of the most rewarding expenses of my life. In normas dedication of our immensely talented staff are reflected in the bill that we are discussing today. It is an honor to have the opportunity extended before you and I look forward to answering any questions you may have.
Thank you so much, Congressman. Thank you for your leadership for the security of our nation. Mr. Gallagher.
Thank you for the kind words about my newborn daughter. If I pass out during this hearing, it is because I am not only nervous to be on the wrong side of the hearing but because I have not had much sleep. We are truly blessed and I appreciate the kind words. Keep establishments to defend property or territory or rights abroad or at sea. We keep the security forces to defend a way of life. And now, emerging technology powered by stronger and more capable digital networks is being infused into every part of our government, economy and way of life. How we navigate the resulting opportunities and challenges will determine the effectiveness of our nation to deal with future cyber driven or cyber enabled contingencies. For the past 20 years, commission initiative studies and four presidential administrations have been challenged to define an effective national level establishment for coordinating cyber strategy, possibly policy and operations. And I believe it is imperative that we have cyber office and leaders within the White House. What that position would entail was one of the most spirited and important debates we had over the course of the commission.
And my colleague was absolutely incredible in his thought leadership and dedication. I learned a ton from him throughout. Due to Jim's leadership, we considered how to address the gap in leadership coordination, two, whether to recommend Senate confirmation and the size, scope and structure of the authorities of the leadership office. We decided the federal government would be better equipped strengthening existing department and agency efforts, including the Cybersecurity and Infrastructure Security Agency, rather than the creation of a new department that many advocate for. Without a new agency, the commission deemed the cyber coordinator position be essential to give the position to have a high enough level of prominence to effectively coordinate national strategy and provide much-needed leadership internationally, with state, local, tribal and territorial governments and the private sector. And in recognition of that, the need for better of cooperation, the Chamber of Commerce recognize the National Cyber Director Act. The commission spent an enormous amount of time weighing the pros and cons of this position and contemplating the stature of the position. We determined that requiring it to the Senate to be Senate-confirmed, similar to the way U.S. Trade Representative is Senate-confirmed, would not only signal that Congress is committed to cyber issues but afford us as legislators a level of access to that conversation. But also the person that occupies that position a level of political support that bipartisan endorsement would bring while maintaining the discretion of the president in selecting that candidate. Making the role Senate-confirmed would in other words provide greater permanence by institutionalizing the position's existence and ensuring the role would endure throughout presidential transitions and not just be dependent on the whim of a particular president or a particular national security advisor.
I understand there are those, particularly my Republican colleagues, that are skeptical that this is an added layer of bureaucracy. I came into this discussion with that as my ideological prior. But unless you believe that the status quo is indeed getting the job done. Unless you believe we are at present well structured to avoid a cyber 9/11 as my colleague referred to, then you have to consider how we could make a meaningful reform of the status quo. Rather than creating an entirely new agency, which would take years to create, which would be much more complex and further muddied the bureaucrat waters, I view a single focal point in the White House, a single person, to quote my coach, Angus King, a single throat to choke, someone who is responsible for the effort to be the least bureaucratic, the least onerous and the most efficient of all possible options. It gives Congress a greater window into the discussion as I alluded to. I believe that we in Congress must sufficiently enable the federal government to create cohesive national strategy and defense in cyber domain as we do and all other domains of battle and we must do so today. I urge you to support the recommendation on the creation of National Cyber Directors so that in Ike's words, we will fight in all element as one single concentrated effort. With that, I will close my comments. I thank you for your time and consideration.
Thank you, Mr. Gallagher. This is truly bipartisan. We will limit questions for the first panel. Mr. Gallagher, I will want to start with you. The coronavirus crisis has exposed a shocking number of ways in which our country failed to prepare for what many called the inevitable. In our increasingly connected and technology-driven world, many experts warned that a large-scale cyber attack is inevitable. Mr. Gallagher, between lessons learned in the coronavirus pandemic and how these lessons can inform our preparation for significant cyber attacks.
Can you share some of these parallels in your recommendations with us? Thank you.
Absolutely. They are not perfectly analogous events. I would highlight a few similarities. First, both the pandemic and significant cyber attack can be global in nature, requiring that nations simultaneously look inwards to manage a crisis as well as work across borders to contain its spread. Both are difficult to contain across borders as well. I would argue the coronavirus pandemic and a significant cyber attack require a whole-of-nation response efforts and are likely to challenge existing incident management doctrine and coordinating mechanisms as we are discovering right now with every state, county, city, government and a bunch of nonprofits having to figure out how they can work together in order to slow the spread of the disease. Finally, perhaps most importantly, I would argue the similarity that prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response. That is why if you read our broader Cyberspace Solarium's report which we had the unfortunate time of releasing on March 12, 2020, the last week we were in session in House before shutting down, you will see that a lot of what we are trying to boom for aess of better term. Figure out how we can force the federal government in partnership with Congress and territorial governments to think through the unthinkable. How can we rapidly restore our economy in the event of a cyber attack to be able to come back stronger and strike back against our enemies and therefore restore deterrence. I will be cautious about extending the similarities between the pandemic and a cyber attack too far. Those three stand out in my mind.
Thank you very much. Mr. Langevin, can you share examples of how the coronavirus pandemic has led to additional cybersecurity challenges?
Sure. Thank you for the question, Madam Chair.
Pandemicnly that influence has shown the challenges of needing a coordinated response. And if used have response and many people in charge, for example, leaving it to the states makes it more challenging to have a cohesive direction in which to go. We want to make sure that with respect to a cyber incident that w in terms of preplanning, looking the most vulnerable areas figuring out how we can make our cyber networks more resilient and how will we get them back up and running more quickly. In the actual incident if it were to occur that you have a single point of contact that is both the principal advisor to the president and the coordinator to bring the interagency together for the National Security Councils Together or the economics occur to council to layout options and have a more coordinated, response. Nd th
How would establishing this role have made a difference in the COVID-19 pandemic? Two response in the COVID-19 pandemic?
It is more analogous to how we would respond to a cyber attack with intrusions on our elections. There are certainly the limits of cyber response to COVID. For example, what we know of the Chinese and other entities trying to steal intellectual property for the development of the coronavirus, I have seen therapeutics. Pointld have a more vocal in which the cyber director would be able to corneille the department agencies or private sector entities to effectively corneille the response that needs to be taken to protect those networks and that intellectual property from occurring in the first place.
You, your opinion of establishing a National Partner directive is an essential to ensuring the U.S. is in the best position to prevent a crisis.
I certainly feel that that is the most effective way to both prevent and also respond to a cyber incident of significant consequence. We thought this through clearly.
The colleague pointed out various ways we could have gone, having the authority in a new havingcurity agency or it at the Senate-confirmed executive office of the position, we thought this was the best way to go of the various options we would have recommended. Create a news not excessive bureaucracy. I believe it is streamlined and focused. It gives strategic guidance and both advice to the president. Authoritiesting makes sure they are pointed in the same direction in the event of a cyber incident.
Mr. Gallagher, if you want to answer that?
I would second Jim's for months. It is a necessary but insufficient recommendation. If you read our final report, what you would see is a genuine attempt from commissioners on both sides of the aisle to elevate and empower existing agencies rather than create a bunch of overlapping new bureaucratic structures. I want to commend the work of a lot of great leaders we have at the NSA who have learned a lot of lessons in the past four years. We are not saying they haven't done good work. We view this as a way to better empower them and build upon the lessons of the last few years.
With the commissioner and my bipartisan colleagues. I thank you all for your hard work today. I now recognize the distinguished Ranking Member for five minutes for questions.
Thank you, Chairwoman. I had a very good conversation with Jim yesterday about this legislation. I will direct my questions to my good friend, Mike Gallagher. The National Cyber Director legislation create budgetary hurdles in how it works with the Office of Management and Budget that might artificially constrain a president's cyber policy decisions?
We examined that in depth. Ultimately I don't think so. Our construct, in giving the National Cyber Director budget certification authority.
Which effectively means he has the ability to look at various executive Branch Agencies when it comes to cyber elements within their budget and flag effectively for the president something of concern. The president retains the ultimate authority to adjudicate that dispute. If there were a disagreement between OMB and the National Cyber director as there is often disagreement with executive Branch Agencies. They can adjudicate those disputes and choose whether or not to follow the advice of the National Cyber director. While the cyber director would have budget certification authority, he cannot go in and mess the entire process up for lack of a better way to describe it. I have heard different people describe what they view this might entail. Comprise aw office large new staff? I have heard between 75 and 100 new staffers. Obviously that would create a new bureaucracy. We are always careful about creating a bureaucracy. Of ais the prediction budget? How much would this cost? How many staffers are we talking about? As we estimate, 75 is about right. I understand your concern. That is not nothing. That would replace about the 15 that are there right now. I just would say if you look right now at the comparison of people and resources we devote toward offensive operations what they have to do, you will see thousands of personal difference. Even though we would be adding anywhere between 75 to 100, that would be a small step toward correcting the imbalance, given the white house purview into defensive operations. What the budgetary impact of that would be, we think it would a in the low about tend million dollars. That depends on whether these people 10 million to 15 million dollars. It is a growing of the office in the organization. That is consistent with precedent with other confirmed offices within the executive office of the president. Understand the concern and appreciate the effort here to alleviate that.
If this is staffed by career officials or detail these from er agencies, why something that this president has been battling for the last 3.5 years? Is adont doubt that this problem within the executive branch. Having worked in the executive branch, there is always a tendency, if you are a bureaucrat, you sort of believe in the status quo. The old saying goes where you stand depends on where you sit. At the end of the day, that is a broader cultural issue where everybody who works in the executive branch, whether they are wearing a uniform or are a civilian needs to understand they work for the president regardless of the president's party. I don't think it solves that problem. I don't think it would make it dramatically worse. Curiosity, have you had any conversations with anyone in the white house to gauge their level of support or opposition for this proposal? I have had conversations with the white house. Good deal. My time is about to expire. I have the utmost respect for Representative Gallagher. You are one of the foremost experts on Cyber Security. I appreciate what you are doing here. I look forward to further conversations. With that, madam chairman, I yield back. Thank you. I now recognize the senior making member of the subcommittee of National Security. Can you hear me? Um. Can you hear me? Yes. Loud and clear. Position onake a whether cybersecurity has improved over the years? Has it gotten better or worse? Will offer my view. I think after a year of conversations with a lot of talented people in DOD, many of whom participated in the commission, I think we have gotten a lot better. A lot of that is due to legislation that we have passed in congress. On our services committee, we have devolved Greater Authority down to lower levels so that people can operate with cyber with the speed and agility that is necessary to have an effect.
I think if you look at Lessons Learned from 2016, there was a concerted effort in 2018 to protect our democracy. I have been very impressed with the work of the general and a lot of dedicated cyber warriors. If I could add I would agree with Mike. I oversee both NSA and U.S. Cyber command. I see the extraordinary work that the general and his team have done with Cyber Command, also sitting on the Homeland Security committee. That helpscommittee CISA. Rsee we are organize to combat this threat. The organizations do guidance. We are more forward leaning, extending forward if you will. I think we were probably too reserved in past years. In the coming construct, we are forward leaning. It is defending early. Or defending forward. I think it is the right strategy. Adversaries are getting more effective and successful and sophisticated in their ability to carry out Cyber Attacks and the consequences. We need to continue to evolve. That is why this new added position will help us get even better. Do we have a databank of breaches or incidents that we feel we will try to prevent in the future? . Eople rattle off usehis is an example I frequently. The breach that happened in personal management happened because there was a department why don't you rattle off the three or four worst breaches. Monic lines the incident that occurred. The Sony breach that North Korea carried out. The first one was one of the most costly Cyber Incidents that occurred in world history. And mirskyex billions of dollars in lost revenue when their computers were wiped out or damaged. So, the amount of intellectual property stuff it has incurred over the years has cost U.S. jobs and economic competitiveness to the tune of hundreds of billions of dollars if not choi into dollars. The list goes on. Not to mention, of course, the amount of personal information that has been stolen. We are Getting Better at responding to and protecting these things. I missed something.
One of you guys talked about John Bolton dismantling some agency or commission or whatever. Could you go over that a little bit? If I could jump in on that, I know Mike will want to comment. Under every administration we were making forward progress on cybersecurity. John Bolton was the first person in the administration to take us back when we limited the Cyber Security coordination admission. Have Budgetary Authority but at least it was there. Michael Daniel was the cybersecurity coordinator under president Obama. Rob Joyce it hits me as odd, whatever his logic was. He sold the president a bill of goods. I think he might argue he is streamlining the overall NSC process and his predecessor successor has tried to continue that process. I think what we are arguing is even that status quo with the cyber coordinator was thepositioned to get overall interagency interdisciplinary oversight you need of cyber, as well as develop long-term expertise. To go back to the Senate Confirmed for, we want this person to not only have the ear of the president but be a single bellybutton that we as legislators can push to get answers when it comes to congress. As per your earlier question, throughout our report, we go through the major infiltrations attributed to China, North Korea, Iran, as well as non-state actors and lay it out. One that comes to mind for me is the defense died from 2006 through 2018. Having systematic espionage campaigns, stealing information from over 100,000 U.S. and navy personnel. In addition to OPM, I have the letter I received framed somewhere in my basement, saying my records have been hacked. There have been little attempt to ask to extract data and compromise the data of military personnel. I did not even know, Mike. That, e tries to do it depends. Inre has been lag time protection for some of the major breaches we have had. I would say we have gotten better in detecting how this happens.
We will have testimony from a variety of experts like our former colleague Mike Rogers who can speak to that. I think we are Getting Better at rapid detection and rapid attribution and a Better Process for response. As Jim rightly pointed out, the threats are Getting Better as well. Better at anonymizing the origin of the threat. Thank you. Thank you very much to my esteemed colleagues for their work on the commission and for sharing their work with us today. Would either of you like to stay for panel two. You have been generous with your time. Would you like to stay? Yes, I would like to stay for a bit. Ask that a letter of endorsement of the National Cyber director of the U.S. Chamber of commerce be added? Nto the record yucca absolutely. Goingave the markup right now. I may have to go in and out. If you will indulge me, I may not be able to attend the whole second session. Now, I would like to introduce the second panel. Honorable and the general gentlemen from Wisconsin. I will now introduce Mike Rogers, select committee on intelligence from 2011 through 2015. Michael Daniel, president and CEO of the Cyber Threat Alliance. Former cybersecurity coordinator for president Obama from 2012 through 2017. CEO of the U.S. Computer. The Senior Advisor for Homeland Security of the International Security program that interprets strategic and international studies. Cyberspacer of U.S. Commissions. The founder and executive director of George Mason University's National Security institute. The witnesses will be unmuted. Do you swear the testimony you are about to give is the truth, the whole truth and nothing but the truth, so help you god? I do. I do. I do. Let the records show the witnesses answered in the affirmative. Thank you and without objection, the written statements will be made part of the record. With that, chairman Rogers, nice to see you again. You are recognized to provide your testimony. Thank you.
It is good to see so many colleagues I had the privilege to work with and new ones as well. Beyond a panel of very distinguished experts, this has been a long journey for me, madam chair, to get to where I would sit in front of the community and say I would sit in asnt of the cyber director two congressmen both reminded me over the years about how I was wrong. They have invited me to dinner under the understanding that they want to watch me eat crow as I testified today in my cybert for the National Director bill that you propose today. I will tell you why. I looked at it, certainly when I was chairman. Prior to being chairman on the Intelligence Committee and in my private sector life through the policy work and the study of the presidency, we can get how we can combat this threat. Sector, I private have some cybersecurity start up companies that have had the opportunity to view how the government is doing some of these things and offer products out into the commercial market to help defend our private sector from the rest of Cyber Security threats. All of those things have led me to change my mind. I look back and have a lot of the same argument. Myself and representative Palmer were sitting in a meeting in 2008. I think it would have been two people on one side of the table and two people on the other. I was worried about this expansion. There was talk about an agency or a czar. I did not think we should go there. We had lots and lots of discussions. What I find this bill does that was different than previous discussions is that it does not expand government, which I am concerned about. It focuses government. If we need anything now in the cyberspace, we need focus on what our government is doing and does not have the right resources. We have taken steps in the past for the federal Security Management act of 2000 seven got us started. There was a modernization in 2014.
Imagine if you take the quarterback and not let the quarterback train with a few Football Team all year until the first game. We will have problems. This is how we have set up the ability to monitor and oversee the large enterprise which is the federal government. If you think about it, there has been a lot of talk about incidents and we need to be prepared there. Think of the agencies. I will read all three of them. I went online in the Inspector General report and there are hundreds and hundreds of these getting paidare auditors to come in and basically review the cybersecurity programs that they are meeting federal guidelines. We think of the big ones but do not think of the committee for purchase from people who are blind or severely disabled and think of the information that those organizations have that are pretty Sensitive Information. The pension benefit guarantee corporation. I have dozens of these. I could go through them for hours. All of these agencies who are absolutely under siege today, think of it, billions of times a day, somebody is getting up in the morning with a sole purpose and job to try to penetrate the U.S. Government at any level. That happens every single day. Every agency I mentioned plus the others are under siege from either espionage or destruction of data. That is happening and it is happening in a pretty big and significant way. We will need to do something. We are looking at it from the wrong end. I will tell you two reasons why. My testimony highlights some of the threats we have been dealing with. I want to give you an example of why we have to change the way we are thinking. We cannot expect to do it the same way and expect a different outcome. There was an OIG inspection of a particular agency of which we would all be concerned about if that data were exposed. What they found is they found about 25 serious changes that needed to be made in 2019. Here is the conclusion.
Outside firm, hired to come in to say these are the things you're doing wrong. We will be back next year to see if you have corrected them. Next year, right? A year in cyberspace is a lifetime. A Quarterly Report is a lifetime. That means we have lots of exposure there. This is the one that got me. Here is one of the recommendations. If this agency continues to delay corrective actions, a Material Weakness in Information Technology Security Control may be reported in 2020. That tells me that we are not prepared for the threat that is knocking on our door today. Part of the reason is they have to coordinate through a whole series to give you a little bit of its all in the. They had to do a DHS and coordinate with all of these different agencies to come up with what the guidelines are to move out. All of those agencies are under owner tax. They have their own Cyber Operations by the way. There is no person or organizations that over the top of this say they will be either the cavalry to help you in your deficiencies or help you find out what is wrong and fix it in a short order. Nothing is steering that. We are going to need help. We are going to have other incidents. We are one keystroke away from an incident that has major consequences in the United States. Why? We are under siege. The Chinese has been highlighted in intellectual property theft and now disruption. They like to disrupt things. If the American People stop trusting their institutions to the point where it is not operable, China wins. Russia wins, Iran wins. North Korea wins. And they all know it. I want to redo this quick quote if I may. This was done by a general from Russia. A perfectly frightening state can, in a matter of months or even days be transformed into an arena of fierce, Armed Conflict, become a victim of foreign intervention and sink into a web of chaos. Humanitarian catastrophe and civil war. The role of nonmilitary means and of achieving Political Goals has grown.
He is talking about cybersecurity and cyber influence operations and disruption of cyber activities for the public to lose trust. And in many cases, these tools have exceeded the power and force of weapons in their effectiveness. That was 2013. Fast-forward with what has happened since 2013. We watched the Russians engaged in aggressive Information Operation including the attempts to penetrate networks which to disrupt things. Was determinedid to be penetrated. They tried to penetrate our stock market. Disruption leads to chaos which leads to distrust in the American institution. This is as serious a problem as we can get. The conclusion I came to, I will have to eat crow with my good friends, is that if we don't have something, I don't agree with the big agencies. If we don't have something that does not expand government but focuses our cybersecurity efforts, we are going to be in for a long run. We have had these conversations. We have admired the problem, worshiped the problem. Now we have to do something about it. I think this agency will help all of the agencies get to where they need to go. The is why I am before committee today offering my support this legislation. You so much, chairman Rogers. That was a powerful and moving presentation. Mr. Daniel, you are now recognized. Thank you. Good afternoon. Thank you chairwoman Maloney and other distinguished members of the committee for the opportunity to testify before you today on the topic of this legislation and the National Cyber Director. I am happy to be on the panel with people that I consider friends and colleagues. All of whom we have worked together and have known each other for many years. As you might imagine, I think about this issue a lot. Therved for 4.5 years as assistant to the president in the cybersecurity coordinator under president Obama's National Security council staff. I have served as the president and CEO of the Cyber Threat Alliance.
Issueecurity is a tough for almost any organization to manage. That is certainly true for the federal government. Dependence digital continues to increase, something we have talked about this morning and this afternoon already, it is imperative for the government to get better at managing cybersecurity. One aspect that makes cybersecurity to clearly tougher the federal government is that it does not fit neatly into one bureaucratic bucket. Cybersecurity is a National Security, Economic Security, commercial, intelligence, Law Enforcement, public safety, military, Foreign Policy issue all rolled into one. At the same time, cybersecurity is interdependent, just like the internet. All of those aspects that I mentioned are connected and they all affect each other. They affect each other in some unanticipated ways. That means all of these disparate pieces have to coordinate and Work Together in order for the whole to be effective and not undermine each other. To some of the questions and commentary from the first panel, we have made excellent progress in the last two decades laying the foundation for better cybersecurity. We put in place better policies. Includingacted laws the cybersecurity information sharing act of 2015. Put in organizational structures fi. Visit za. We face impediments. The lack of information across agencies and the need for response coordination and the need for complexity. After wrestling with these issues for several years, we need a strong position along the lines of a National Cyber Director like the bill the representative is sponsoring. I do not come to this conclusion lightly. Prior to serving as the cybersecurity coordinator, I have spent 17.5 years at the office of management and budget. Omb personser natural skepticism for creating new entities in the government. In this case, I think it is the only viable approach we have.
Particular, and EOP Level Organization is the only one that will be able to overcome a signet impactor in the federal bureaucracy and that is the "you are not the boss of me" problem. That is rampant among federal agencies and only something centered at the white house can overcome that. That said, I would urge congress to think through the scope and authorities at this position very carefully. It would be easy to get it wrong. And to end up with something that does take up bureaucratic bandwidth and does not focus on things like congressman Rogers recommended. Most importantly, this position has to cover all of the aspects of cybersecurity and not just some of them. It has to have oversight of Law Enforcement, military and intelligence related offensive and defensive. Andannot exclude that excite the physicians to be a success. Even in the EOP, it will not be effective. It has to have a big enough office to get the job done but not so big that it is tempted to become operational. And it needs to have a clear relationship with the federal f. And the federal iza. Cybersecurity is not just a technical problem. It is an organizational problem. To takeneed additional organizational steps to address it. We have taken the first few steps and it is time to create a position that can bring it all together. Thank you for giving me the opportunity to testify. I am looking forward to your questions. Thank you very much. Thank you. Now, Mr. , you are now recognized. Maloney, thank you for the opportunity to testify today. I would like to thank rep senate of gators the rep. Sinema representatives for their leadership. I would also like to thank chairwoman Maloney for serving as cosponsor of the bill. Provider ofleading information technologies. Solutions for just about every department and agency of the federal government and many state and local governments, our customers include over 50 of the fortune 500 and over 25 of the global 2000.
Tens of thousands of Midsized Companies in major industries. We are instrumental to helping the nation and organizations around the world understand and reduce cyber risk. H.R. 7331, the nation has the opportunity to significantly improve cyber preparedness. My support is for the need of stronger enterprise practices across the government and across the nation. Requires aon Risk Response and a new standard across the entire nation. This includes every aspect of government as well as the private industry. Government services and the critical functions that citizens rely on. The white house would be helpful incarnating a whole government or understanding government understanding of cyber risk to reduce cyber risk and coordinate responses when needed. The National Cyber director is needed to ensure the government holds itself and industries accountable for care with regard to cybersecurity. Today, there remains a lackadaisical approach, resulting in the vast super majority of today's breaches. Can leadigent behavior to helplessness. Have undermined the proposed legislation. In my written testimony, I recommended augmenting the authorities under 7331 to include establishing a National Encryption policy that balances the need of Law Enforcement with cybersecurity safety. Coordinating with regulatory agencies with policies and practices which can improve the understanding of cyber risk. Focus efforts on workforce to moment initiatives with greater inclusiveness. Elop and maintain towill be difficult overstate the cyber risk that we face today. Governments and businesses utilize prosecuting and international technologies. These technologies optimize production and increased sustainability. They also expand the overall cybersecurity attack surface. A need to be an integral part of Risk Management practices.
These Risk Management practices must include service and industries essential to our safety and wellbeing such as andr, water, Transportation Health care as well as our industrial productions. The risk is more than a technical one. It is political, it is social, it is physical and it is economic. Cybersecurity connects essentially threaten our way of life. There are important steps that we can take to improve our cybersecurity posture in advance of a national crisis. Those steps include the creation of an office of a National Cyber director at the white house. Chairman to will bean Maloney, I happy to respond to your questions. Thank you. You are now recognized. Thank you chairwoman Maloney and members of the committee. Thank you for this opportunity to be here today to testify in support of to cyberspace recommendation establish a cyber director. It is an honor to be here with my distinguished witnesses and former colleagues. It was a particular honor to serve on the commission alongside rep. Sinema Gallagher and other, commissioners, it is inspiring to see the bipartisan and nonpartisan approach that the commissioners brought to the work of the commission. This recommendation is no exception. Commission noted the considered alternative approaches to address what we all agreed was an urgent need for stronger coordination, engagement of cybersecurity and for more robust Strategic Planning and prioritization to guide those efforts. The first panel addressed the alternatives so I will not go through them again. I wanted to emphasize the pulling themnst out of the department and agencies where they reside and putting them together in a new department of cybersecurity. I am strongly opposed to the creation of such a department because it would not solve our key coordination challenges and would cause huge disruption with little to no gain.
The most important and challenging coordination issues in the interagency in my experience are rise between bmd elements, including NSA, Law Enforcement, especially the FBI and DHS. Iot will not relinquish their cyber activities to a new department. Nor will FBI turn over its Law Enforcement activity. Thus the new department would still face those key coordination challenges. Director, onber the other hand, could and must be empowered to address these key coordination challenges with the backing of the president. Cd ncb, the in must have the authority to convene and get information from the Law Enforcement and Intelligence Committee and the DHS and specific agencies about their Operational Plan and strategy. Haveer important reason I opposed a new Cybersecurity Department is the risk that it would become singularly focused on technology. I watched this happen with our WMD efforts in the 90s when I was at the Central Intelligence agency, where folks working Nuclear Nonproliferation focused entirely on the technical aspects and failed to adequately integrate the regional experts and those studying the political and dynamics within various countries. I see the same tendencies in cyber. We tend to turn to technical experts and they focus on the technical aspects, even though we know that understanding enmity getting cyber risks requires a much broader approach that fully recognizes the human element, integrates cyber and physical risks, including knowledge of the operational environment, whether it is financial services, electricity or infrastructure. That a newys warned Cyber Department would be staffed by technical experts and too focused on technical aspects. This could happen to the office of the National Cyber director as well. It is something we must guard against. But, sitting within the white house structure, having responsibility for agency coordination and working closely should help guard against that tendency.
Another of the key recommendations is strengthening and reinforcing the great work that I used to lead at the nhs called cybersecurity and infrastructure Security Agency. One of their greatest barriers to effective operations is that numerous agencies compete for resources and authorities. The ncb can support and enable CISA. The ncb is not intended to direct or manage implementation of strategy by any federal agency. But, responsible for overall integration and execution of defensive strategies across the executive branch through Strategic Policy operations and budgets. The National Cyber director should do only what the agency and department leads cannot do themselves. They should ensure visibility on operational activities and help push the process to active into actual decisions. It addswill fail if further typing and bureaucracy. Instead, the ncb needs to help the power help to power, prioritize much-needed support for existing cyber entities within the U.S. Government. Thank you very much. I look forward to your questions. Thank you. Mr. Jeffrey, you are now recognized. What? Go to questions? Yes. Ok. Recognize myself for five minutes for questions. Thank you very much to all of the panelists for your testimony. I want to dig a little deeper to the 2017 malware attack executed by North Korea. Attack disabled hundreds of thousands of computers in more than 150 countries. It even shut down a portion of Britain's National Health Service for a week. Chairman Rogers, can you describe the potential effect a cyber attack on Critical Infrastructure like this could have in the United States? It was North Korea, it was a ransomware based attack that in some ways did not have a way to pay back the ransom. It was the least capable actor, even highend at a highend and it had a global wide impact. They could not actually access the right, appropriate records for the surgeons to do a surgery. You can imagine the Health Impacts of that sort.
[indiscernible] part of it was they could not control it. It fed on itself and spread without them directing it which probablye problem of not top-tier nation-state acting. They have gotten better. That is the scary part. When we look at the trends, we know where the biggest adversaries are coming from. China uses all of its state power to do and set themselves up for influence around the world. They use diplomacy. If you look at the fact that fromconfiscated masks rightful Contract Owners that they were going to be delivered to, gave them to entities in China so they could deliver them in a way to try to get credit for their influence operation, they used military defense and intelligence Cyber Operations. They used Cyber Operations for espionage. I would look at all of the ways they are coming at us. What we know is they would love to get access to people's data from a nation-state perspective. But also cyber criminals. Organized cyber criminals and others who would love to get the data that the U.S. Government collects from U.S. citizens. Everything from food stamp participation. Think of all of the information you have to give in order to get that program qualified. The federal guidance sitting in a repository for federal government, that is valuable to a cyber thief. I would look at this. That was a massive attack by a nation-state. We have all of these other attacks underneath us. Again, that is my argument for the cyber director. Not just toebody incident respond. You want somebody for pre-crisis. How do you help these agencies, not hurt them or hit them with a club when they are not doing it right, but help them through what they need to look like in their cyber shops and the kind of tools that we do. Can we do this with a collective defense mentality so that when one gets attacked, Everybody Knows what the threat is moving forward? That is the way I would look at this. Let's try to be pre-crisis.
Having the director whose sole job is to think through all of those problems, my argument would be we will be better off. There is lots of talent. Mr. Gallagher and Mr. Langevin highlighted it. We need to coordinate it. Focus it on the problem that helps us the most. What would happen if one of these companies was compromised, and can you talk about the attack? Arehe effects of the attack outage can certainly ensue. In other cases, it is more of preparation where information is being compromised but the adversary has no desire to create an outage, unless it is during a time of crisis. The impacts here could vary greatly, and it is one of the reasons why we need a systemic understanding of risk and why a National Cyber director needs to work closely with the regulatory agencies that do exist, to make sure we are implementing a standard of care that makes sense, that we don't see the continued negligent behavior where enterprises are not maintaining good hygiene of their systems, not providing patches and updates in doing maintenance that is required to keep them in a secure state. This sort of poor hygiene ofults in super majority regions perpetrated by North Korea and a lot of damaging ones we have heard and a lot of these high-profile cases. Do you believe this would help the federal government address these concerns more effectively? There is no question in my mind, having done cybersecurity for over 25 years and having spent time in multiple departments of the federal government, as well as surveying with cybersecurity products to the private sector and now also helping the federal government with technologies to protect itself. This would help provide a coordinating capability and bring maximum understanding and appropriate resources to bear in a coordinated fashion. Think it was said that the preparation work we do now has Significant Impact on how we deal with the questions we face down the road.
I think the creation of this office and role are absolutely critical steps. Thank you. I now want to call on Jamil Jaffer, who disappeared for a while but is now back for his testimony. Thank you so much for the opportunity, and apologies for the technical difficulties. Thank you for inviting me here today. Members of this committee will know, cyber threats face the United States. It is no overstatement to say that we are at war in cyberspace. As a nation, we remain woefully unprepared to deal with this conflict. Lawyers makeable with whether we are actually at war and may point down but the fact is for the better part of a decade, our nation has been involved in consistent ongoing series of complex cyberspace at a low level. We know the question has had an impact on our nation and its allies. The former NSA director said Chairman Rogers on this panel called attention to this economic pressure by China and referred to the fact that we are in an economic cyber war nearly 10 years ago. We have also seen countries like North Korea and Iran engage in the destruction of data in the United States in the last half decade. Iran has been actively preparing for cyber attacks. To be sure, while we played a role in some of this, the Chinese and Russians both know this, we have seen them mucking around with more covert operations and the killing of George Floyd. We may see the same players become more active during the election cycle. Three years ago, cybersecurity posed a greater risk to the safety and health of our finances. We know what threat ourrsecurity poses to country and our economy. These efforts represent the uniquely challenging threat to our economy and our way of life. The question becomes what should we do about it, and how much of cyber can creating a new director in the White House help? Having a key strategic leader in the White House is important but I am skeptical of having a large in the need to have that set up have that Senate-confirmed. 
The White House would be opposed to you to get another Senate-confirmed position. They may consider creating an option that is smaller and more leadership oriented. The committee could work with the president to ensure that that person has a rank and stature of an assistant to the president. There is no doubt that all the cooks in the kitchen from DHS to coordination,r more aggressive coordination is necessary. Billy question to consider is whether that can wither that requires Senate confirmation and a 75 office. On that note, I am skeptical. I have a lot of respect for that position. With that, thank you and apologies again for the technical difficulties earlier. Thank you for your testimony. I would like to ask you about the 2017 Russian cyberattack that froze computer systems in exchange for ransom. In Ukraine, the attack at hospitals, power companies, airports, impacting every federal agency. The U.S. is not immune. This attack hit FedEx and a direct company, costing each more than 300 billion in lost business and cleanup. How great is the risk of a in thecale ransom attack United States today? It is a huge issue. It was a carefully crafted attack by Russia against Ukraine. What happened was collateral damage. The mostcompanies, destructive attack in the history of humankind and as you mention, over five international countries suffered between 250 million and 300 million in damage. You very well may be attacked because you may be collateral damage. Thank you. A centralized cybersecurity coordinator at the White House deemed essential to ensure the agility needed to respond to attacks. The rankingize member of Congress for his questions. Thank you chairwoman. My first question would be for Mr. Daniel. Could you walk me through how a major cyber incident currently proceeds through the federal government and how that would change with the advent of a new cyber director? Sure. 
I think right now, it depends on who first becomes aware of that incident. It depends on it that incident disclosed by a private sector FBI or entity, or to the NSA. At some point, if it gets big enough, that those entities would eventually share that information with some of the other elements of the U.S. government, and then the government would need to do an assessment on whether that incident actually represents something that is more systemic. Is it going to turn into a WannaCry and proliferate across most of the economy or is it limited? Then the government would need to do an assessment on whether or not a response is warranted, based on that incident. I think in that case, it is where you would when you start to look at how the U.S. government responds, that is where you want that coordination, that intense level of coordination to come together. Just because an attack comes through cyberspace doesn't mean the only response needs to be back at the adversary through cyberspace. You might want to use other policy tools to respond. That is why that coordination factor across all different elements of power is so important. Next question will be for Mr. Jaffer. Earlier this month and a joint public service announcement by and securityi, agencies, the FBI reported it is investigating targeting and compromise of U.S. organizations conducting COVID-19 research. There is reason to believe China is attempting to exploit the recent pandemic to hack into U.S. businesses conducting research on the very virus originating its own country. Mr. Jaffer, could you explain some of the methods China is using to steal critical research into this virus or if you have no insight, describe the various ways China accomplishes its many cyber intrusions. Thank you. Engaged in have been this effort to steal American intellectual properties of the better part of a decade and a half. 
It was only when General Alexander came out and was talking about what is happening with China that the public became aware that it is only in recent weeks and months that we have become aware that our supply chain depends on China when it comes to PPE in pharmaceuticals. We realize that has expanded well beyond that. Is builta is doing their economy on the backs of American innovation, American R&D. Why a Huawei router looks like a Cisco router, that is because they stole it. They are trying to do the same thing in the COVID arena. Trying to get out ahead of this and have the vaccine first and grow their economy on the backs of our we cannot let that happen. The president has been very aggressive in pursuing China on that. Hearing and itis has always been clear that cybersecurity is a huge threat to the United States. We talk about China being one of respectt actors, with to cybersecurity threats, cybersecurity violations. You look more China and see they have been stealing patents for years, intellectual properties, who knows what all they have done with respect to COVID-19. I think we would like to get to know that. Time in thist of committee investigating Russia. I believe the American people, the taxpayers would be better served if we spent a little bit of time investigating China. So in closing, I would really encourage you to consider devoting a little bit of time in this committee to investigating China, whether it be COVID-19, our intellectual property, patents, whether it be cybersecurity threats, things of that nature. That is my encouragement to you as we proceed and hopefully work together in a bipartisan way, but I want to thank all the witnesses for being here today and I look forward to further discussion of this proposal and with that, I yield back. Go to Ms. Will Norton. Can you hear me and see me? I want to thank the chair for this really important and timely hearing. 
Because I represent the nation's capital, I have a special interest in this hearing. Cities, butmost big we are not just any big city. To what hasgoes already happened to some big cities. I don't know who should answer this, perhaps starting with Mr. Rogers. We have already seen that hadher big city actually ransomware shut down altogether, grounding all of their operations to a halt. Imagine if that happens to the capital of the United States. Fortified here in the nation's capital and other against a similar shutdown of all operations, locking out the city altogether. Thank you. We have seen this ransomware activity for multiple years now and it became more and more aggressive, meaning it was spreading amongst international organized crime groups and others seeking to gain revenue from this, including the North Koreans who used ransomware attacks to gain revenue for the government. Early on, I hate to say about my brethren in the FBI, their recommendations to some of these companies were that they should probably just pay it because we don't have any way to intercede to do anything about it, so you had major hospital organizations, the Los Angeles hospital system comes to mind as one of the early cases, where just he having to pay for it. Isis a real threat and this one of the problems with cybersecurity. The NSA does not protect the private sector in the country. It is a common myth that they are protecting everybody. They are not, they are protecting the government and doing collection activities targeted at overseas adversaries. We have this really uneven ability to stop this in cities across America and candidly, I think most cities in America are not prepared for this. They have old systems, they haven't spent the money to upgrade their systems and then provide a level of protection. That is why people are going to cities, because they believe they are the most vulnerable. It is not the NSA's job to protect Detroit, Michigan. That is not what they do. 
It is up to the private sector and the cities to develop systems they can put in place, look at collective defense. This is why a coordinated effort out of the White House, all of our agencies getting pointed in the right direction they maybe if it helps get the Department of Homeland Security, helping with the problems they really have. We are a long way from those cities being protected and as more organizations take on nation-state quality tradecraft, meaning the Russian tradecraft to penetrate networks, the more susceptible we are, and we are seeing that, that leaching of nation-state quality in cyberspace. We are up for a really bumpy road in the next few years, outside of the U.S. government across both the private sector and local and state governments. Nervy really a really unnerving. When all know what happens you pay at. More people are deciding they want to get in and extract money and that is the problem we are running into. Remaining,ime I have I can't help but ask about we have had most of our primaries and I am wondering if any of you perhaps beginning with you Mr. Rogers, have seen any interference, any evidence of interference with our elections. We have seen it with financial institutions worldwide. How about interference with our elections such as in the alteration in election results? I can tell you in some of my private work I do, we haven't seen any flip one vote to another vote. Large, in fact, writ seen going into 2018 that our adversaries tried to influence elections by creating chaos and we need to be really careful about saying Republican versus Democrat. They don't care, they don't like Democrats any more than they like Republican Americans. They are trying to create this chaos in these elections. 
I thought the did a phenomenal job in 2018, playing that my camel game to push them back, they announced this is very effective, very low consequences, so we are going to ramp up our engagement and trying create this chaos going forward. It is something that I think we absolutely have to pay attention to, remember it is very cheap for them. They don't have to develop a naval fleet and then stock it. Are states and cities aware enough so that when they see are states equipped to fight back? We only have a couple months to be tested. It is difficult for states and local governments to do this. We need to ask ourselves, what we want our high tier performing national federal agencies to do for us. Can be very help in trying to stop this across the United States, mainly because it is a very sophisticated nation-state actor activity. There are some other groups out there that are trying to get into this game, that are worrisome, but I think we should employ all the tools that we have. This is where I think congressional oversight is so important. You have to encourage them. I wanted to follow up on that. I think we have a lot of tools at our disposal. Laying the groundwork, with election security response get abilities for each of those jurisdictions, but there are other things, state and local governments have very limited resources. Those are being exacerbated by their response to corona and with a heightened threat. Even additional coordination and policy directing from the federal government can have a huge impact. Thank you very much. You are recognized. Thank you chairwoman. I'm going to go back to Mr. Jaffer. I'm going to have you walk through you gave us some ideas of maybe this would be appropriate at the presidential level. Can you walk us through that a little bit more? Are four Senate-confirmed individuals in the White House. The director of OMB, the U.S. trade rep. 
Two really focus on things Congress and the president share, trade on one hand and the power of the purse. Two that have been a lot less successful r. G. Largely because they are not shared relations. The challenge you have is that this is an area where the president this is a national security responsibility. This is like warmaking in a lot of ways. The interference of elections and the like and they prioritize it, they made a responsibility thehat is a good example in way that Congress can work with the White House to solve these problems. Mike Rogers, looking from the outside, you have been part of the matrix of Congress. Do you agree with anything that Mr. Jaffer has said in that aspect? I do. I have the same sensitivities about do we want to really and I on the president wrestled with this a lot. The reason I think I have come full circle and this is because I have seen it from the private sector side as well as being chairman of intel and I thought we could do this and this isn't a Republican or Democrat thing. The Bush Administration had an effort at this, the Obama Administration had an effort at this and the Trump Administration took a very different take on how they wanted to do it. My argument is none of it really works to our advantage. When you look at the series of challenges, and this is why. This is not to me some should we or shouldn't we, every major adversary, China, Russia, Iran. And it has low consequences, the what will keep me in charge, he is investigating it. The Chinese spending billions of dollars. They spend 1 trillion to have a technological edge in quantum computing, 5G buildout, cyber capability, and large, defensive military posture, spend it targeting, if they keep doing it the same way we will keep having the same response, the IG response, I caught you for the last 12 months doing something wrong. In the next 12 months to see if we got it right. 
Under that plan, lets a big personality, DOD, just there big personality to deal in this. To settle on the way forward, I am here to help you and get that piece right. I am going to reach over to NSA and who knows, and that has to change. It is a radical change at the feet of an individual to fix this problem. My last question, looking at the legislation do you see any additions or subtractions to it, they have conversations often. They want to make sure they are not propping a bureaucracy. If they get to say no and sign off we lose, has a smaller and more agile, worried about the body count, maybe it is 50, and strategic advice. And help you get where you want to go. And fly spec those to death. And even offensive policy and defensive policy, nobody knows are out there and have all this sensitive data nobody thinks they are great targets for cyber security. Somebody needs to pay attention to it every day. Chairman Connolly is recognized. Thank you, madam chairwoman, fascinating conversation. I don't know if Chairman Langevin is still with us but congratulations, this piece of legislation. I want to go to acts of cowardice, I spent 12 years of my life in Congress focused on federal IT, modernizing, 96 billion a year on IT, and legacy systems, can't be updated for cyberprotection. And you were in the White House, we have a CIO in the White House, CTO in the White House, chief information security officer, the office of science, all of those offices, and to protect in terms of cyber. And what authority he has to upgrade. It will cost at least billions of dollars multiple years, the legislation that came out of the committee to absorb federal agencies to make that induction. Will the cyberczar have superseding authority with respect to that? Required to coordinate with the CTO charged with setting certain sets of goals for the federal government that include cyber but are not limited to cyber. I say all this, worried about the execution, worried about overlap. 
Once you go on with this in terms of coordination, presumably those are real concerns, what protections in creating this division to avoid the conflict. I certainly agree this position would need to work closely with federal CIO. The way I look at it, you would want to have this position, work with those offices, designed to focus exclusively on federal networks. And they are able to highlight federal network and to advocate on behalf of investment. The challenges agencies have, it is relatively easier to get operational money to keep it going. To upgrade things. There is a structural problem in the budget process, how we go about funding upgrades in IT and that creates an incentive for agencies to keep stuff around forever which is harder to secure. They are able to help them bring in expertise from the private sector to do better and to look at the structural changes across the government, some level of ridiculous to expect the commission to focus and be good at cybersecurity and work on more cross agency support for cybersecurity, not expecting every agency to be really good at their cybersecurity and think of the economic principles comparative advantage. We hope and expect we work closely together, we are codifying the position and hope they coordinate. I want to make sure we get it right, to hit the ground running with defining responsibilities. And build up resistance so instead of getting cooperation in cybersecurity, we have seen that in CIOs, we have done that. The bureaucracy gangs up on them, they are outside, alien, wrapping up, what to do, as a result they fail, not all of them. I want to share that concern. The witness can respond to your question. I certainly agree requiring some coordination with the federal CIO whose job is to focus on federal agency cybersecurity could be useful, to focus specifically on that, one aspect of something the National Cyber director would have to be concerned about. 
My first question which should be everybody's first question, what is the budget for this proposed budget for cyber director and the second part of that question, what percentage will go to contractors? We don't know what the budget is, no authorization, don't know what the committees will give us. There are also authorities from other parts of the government, 75 the legislation, though full-time equivalent and a lot of room to appropriate and authorize. That is the question I would like to get an answer to. You were on the commission that recommended that is correct. Is there an advocate for civil liberties and privacy on that commission and also why is there not in this proposed legislation, you probably didn't write the legislation, and an advocate for privacy, was that discussed in the commission? A long record of being an advocate for civil liberties throughout my career. A number of us on the commission came to the table with those equities very much in mind. There was no specific person designated for that. Certainly privacy is one of the values and interests, intended to protect. Very much built into strengthening cybersecurity the way you approach security issues have implications for privacy and civil liberties. Your point is well taken and there ought to be an emphasis, not sure our director for that, when I was at the Department of Homeland Security, undersecretary, specific individual staff focus on privacy and civil liberty as a whole, important and valuable. If we create this office defined legislatively, there seems to be a bias in the other direction so we need an advocate there. Thank you for being one. What does it mean to have a list of trusted vendors when those vendors, how can you have a secure cybersystem, we were encouraging those vendors to put backdoors in. Important questions to be raised. To obtain certain acts of communication systems, law enforcement acts, the way law enforcement is in the teleconference. 
The government will come to a provider with a court order, on federal court run by Congress to get access, not happening in a cooperative manner through the legal process to have that kind of process if it comes out, that is how we see it happening with administrative costs. A little bit of an oxymoron, to put backdoors in their products so I am concerned about that. My final question, what is the real responsibility of the government, to provide security for a company like Sony that has 8 trillion in revenue every year? Time has expired. One of the challenges, we expect the large company or small mom and pop bakeshop, part of American small business, we Russia, China, Iran, North Korea, unlimited problems. One or another, work with one another and the multiplex provides back industry in the actual form to defend itself. We are not doing that right now. Maybe there is a misperception here. We are not dealing with sophisticated adversaries. They are falling victim to simple negligence, not applying the standard of care with their system and the question is important to balance the equities of law enforcement to create backdoors and weaken the encryption, on a daily basis, law enforcement creating norms of behavior and all of these things are being done without having a national policy at the White House level that can consider all the equities. Each department and agency running on their own. Thank you, I yield back. Thank you, madam chair. Our colleague, Mister Gallagher, for a bipartisan look at this legislation. I am puzzled by the history of this and hoping Mister Rogers might clarify some things for me. In 2014 we had a cyber breach by China causing massive damage to the country. In 2016 we experienced a sweeping systematic cyberattack by Vladimir Putin, Internet Research Agency that caused incalculable damage to our democracy and social cohesion in the United States of America. 
In 2020 we have been caught totally unaware for the coronavirus epidemic which was denied and trivialized and trapped in magical thinking and now we lead the world in case count and death count while our European allies have the virus on the run. We are spiraling out of control. If everybody is responsible for something nobody is responsible and it seems overwhelmingly clear to me that the purpose of this legislation is right, someone who is coordinating our cyber defenses at a time when all of these vulnerabilities have been repeatedly demonstrated by different attacks. My first question is why is it taking so long to get to this point? What has slowed us down? That is the million-dollar question. The first time China was publicly named as increased actor in cyber intellectual property theft even though we knew it was going on for years, was 2010 because the Bush Administration, not disposing of it yet. Early days of the Obama Administration figuring out a way around it. We gave a forceful argument, we are only talking about it publicly for ten years but the public is coming around, a recent Gallup poll said 81 of Americans believe there will be a cyberattack of significance on the United States. We didn't have anything like that, people thought we were crazy. They didn't understand what we are talking about, public opinion has been slow to catch up. We are in a different place, it is more with us now than it has ever been to defeat this thing. There is no system out there that is completely impenetrable and if it is connected to the internet you are vulnerable. Any time we break up our efforts, if the NSA has one mission set and the FBI has another, that means somebody is going to win. It happens in private sector, local and state government and federal government. 
If we look at what the Chinese were able to do this was difficult in the OMB breach where they are going to take, forget what the number is, 17 million records of sensitive information, I got a letter saying my was breached. All that information was taken back, their ability through algorithms to collate that data and find people they are interested in spying on. Either you are with the government and have classification or you moved on to the defense realm and have a classification, that was a brilliant government espionage activity. We have to change the way we think about these threats. One more question. What is terrifying for me, the coronavirus pandemic, exposed a lot of vulnerabilities, we don't have the governmental preparedness or cohesion to respond to threat on our infrastructure. If you will put this in a geopolitical context, what is the imperative to act now? Two conversations, what is on the supply chain. Answer the question. Security is a very important discussion Congress will have to weigh in on. I would protect our ability to surge on critical items. The other reason is nation states, big adversaries refocused their efforts. In Russia, they realize I don't need to build an aircraft carrier. I will invest in cyber operations. Viking shutdown electricity will cause distrust of the American people with their government we win. It has an outsized impact on what they are trying to do. All of them stepped up their game, Russia, China, Iran, North Korea, others. That is why this is so important. We are in a cyberwar today. Folks who say it is not real, I disagree. They are causing destruction, disruption and adding chaos, don't know what else you would call it and we need to act that way and we should focus on this to coordinate all the good activities around the government and focus, don't expand government, focus it. 
The other lesson from the pandemic is what happens if we don't have strong coordination and a coherent response to the crisis. Mister Grothman. Are you there? Can you hear me? Can you hear me? Yes, yes. Unmute. Did you unmute? Can you hear me now? I can hear you now. Okay. I have a question here. First question is when we confront China or Russia about this what do they say? What is their response when you bring this up to them? I can having engaged them on this topic directly, most of the time they deny it and they say we catch them red-handed, the more China. Naturally they deny it and at most they would say we must be mistaken, could we please provide detailed evidence for how we found that out so we can expose our intelligence methods to prevent them from doing it in the future and at most they might say it is a rogue element they are not in control of. Never will accept responsibility for doing that. That said we have engaged with them in other ways to push forward and push back on their activities. The question for Miss Spaulding. We asked how a major cyber incident proceeds through the government. I want to expand on that. Step by step based on your experience, what happens when an incident is reported by the private sector or a government agency? What happens from discovery to response and walk me through the US Cyber Command authority and how would this change if we got a National Cyber director? As Michael Daniels explains, depends how this information comes to the government. It might come into the National Cybersecurity Integration Center at the Department of Homeland Security. What often get reports from cybersector companies of malicious activity. 
Equally likely to come into the FBI for example and the players, the DHS, the bureau, FBI, usually the NSA would get on the phone together though there are often reps sitting at the ops center at DHS but the information would be shared and the decision has to be made quickly depending on the nature of the event and if the government is going to step in. On what is most important to we go first and sometimes you try as you can to do this at the same time but you have to prioritize, are we going to try to go in and mitigate the problem, address the malicious cyberactivity and the damage being done to the private sector business or are we going to put our priority on getting law enforcement to do attribution to figure out who is behind this? Both of those are legitimate equities but sometimes they can't both happen at once. Conversations ensued to determine how to prioritize that. The advantage a national director can bring to bear on this is to deconflict those competing equities quickly. Time is of the essence to make sure we can get in there and do what is most important first even as we try to accomplish the other equities. One of you mentioned, you talked about Russia, China, North Korea and Iran, anything else we need to worry about than those four? I can take a shot. There was more than that. There are countries engaged in ramping up their cyber capabilities that might not be friendly to the United States. Leaked nation-state capability to eastern bloc criminal organizations perform like a state when it comes to cyberspace countries that are probably best not discussed in an open forum. They aren't friendly countries. Next question was one of you said they were involved in the George Floyd incident some a enemies were involved in that. Could you expand on that? 
We have seen some reporting the Chinese foreign ministry from the platform in an open sitting referred to the plight of Black Americans, the Chinese don't care about Black Americans, we know they don't care. It is an effort to influence the United States. We know, in similar related spaces we have every reason to believe that and the Russians are involved in this effort. Give a specific example, give us a specific example. We haven't seen on point examples but I would bet time to dollar we will see examples out of Facebook, Twitter and the like. I put my life on it. The gentleman's time is expired. Thank you much. Madam chair, recognize me? If I did. I apologize I did not hear you but thank you for convening this hearing. I would like to thank the commission for their detailed report. I want to focus on one key area previously discussed, the loss of hundreds of billions of dollars of intellectual property theft nation-state sponsored cyberespionage. Obviously the chief country responsible for that cyber theft has been China. We know China actively works with state-owned and civilian corporations to steal it from foreign sources including the United States and according to a 2018 report leaked by the United States trade representative, theft of US intellectual property by China, cost our economy up to 600 billion a year. Let me repeat that, 600 billion a year. Long-term damage of these losses cannot be fully quantified. Let me turn to Spaulding first, in developing your recommendations for the National Cyber director did the commission structure the office with this persistent problem in mind and can you provide specifics as to how the director would address this issue? Absolutely we did and the situation you described is addressed by a number of recommendations in the report. The private sector and the government both have a critical role to play in stopping the theft of intellectual property and it requires a true collaboration. 
We are the ones in government that have the national technical means and intelligence capabilities to collect information about nation-states like China are engaged in and the techniques they are using as is the private-sector research community, private sector businesses that are developing this intellectual property are in the best position to defend their network armed with information from a government. If a number of recommendations make sure the government is obligated to get that information to those private-sector companies and the National Cyber Director will have a key role in making sure that is happening. That has to be part of the metric that is evaluated, we need to have proactive plans, strategy for addressing this and planning capability has been lacking, another key role for the National Cyber Director largely using the joint Planning Organization system. Chairman Rogers, you talk about how long american struggling to protect its IP with this issue, has dealt with this issue and candidly we have not been successful. Will this allow us to successfully defend and protect our IP? It would put us in a better position. This is something we have to continue to invent a better way to defend ourselves as we get into 5G and what that means for what we use to defend the core to the edge of our 5G network, quantum, AI, that will change the way we look at security so it gives us the best possibility to take these new challenges and bring everyone in the federal enterprise, everybody talks about that one incident. We want to prevent that. Here is the other piece, I would argue if you look at the recent level of arrests by the FBI for Chinese espionage in the United States the number of interesting high-level taskings, targeting American enterprise is getting around firewalls to steal more information. The nature of espionage is changing dramatically. They don't want you to just steal the secrets, that is too hard to do.
But they want to steal the next guy's credentials to be passed back for a more sophisticated penetration of your network. It makes it hard to put your arms around. Last question for Mister Jaffer. If we are unsuccessful, we could see companies move their IP in businesses to countries that do provide protection? So many benefits to being an American company whether it is labor law or tax policy or investment but unlikely to see a tremendous flood of intellectual property coming out. This is the core of our innovation base, we move the innovation economy, we walk out the back door China or anywhere else, to make it to the next stage. We think about American technology and bringing jobs back here and building something, how to protect how to make America productive as a company, the innovation, to reinvest and modify ourselves over time. The gentleman's time is expired. Representative Khanna is with us. Thank you, madam chair. I appreciate and want to thank Representative Langevin and Gallagher for their extraordinary work in helping come up with such a detailed proposal and their work with the commission on a bipartisan basis. Representative Langevin has been working on this for many years. This was a passion of his he talked about often. I'm glad to see it come to fruition. Let me ask the panel, are there additional authorities you think the National Cyber Director should have? Certainly, Representative, it is important that as we structure the position that we make sure it not just be restricted to looking at network defense. It has got to be able to have the full suite of capabilities the federal government can bring to bear so including military operations and intelligence and law enforcement and all across the board, we cannot just restrict this position to looking at the kinds of things it already does. Chris Krebs does not need another boss, you've got one in the secretary of Homeland Security.
This has to be able to look across the entire federal government, all the tools of national power that we have. If I might, I totally agree with Michael on this point and the distinction here is between having visibility, the National Cyber Director have to have visibility across the entire government, cybersecurity activities in order to make sure and the conflict between offense and defense of operations. That is different from giving the National Cyber Director directive authority. You don't want law enforcement directed out of the White House. And you don't want the directors war fighting planes or daily intelligence collection, those kind of activities but it is critical that they not be excluded from the meetings and conversations at the White House where these offensive activities are being discussed and they had visibility because they need to deconflict, they can never deconflict in this way. Let's say our banks are fending off lots of malicious activity from North Korea or China to steal money from their system. That might not be in the midst of that crisis the best time to ask the bank to impose sanctions to implement sanctions against Iran because we know Iran retaliated against our banks. That kind of deconfliction is something the National Cyber Director needs to be at the table to help with. Thank you. Are there additional recommendations we should be considering including the Solarium Commission reports you came up with? There are a couple important ones, really, beretta to come together. And share that in real time with industry. That is what we have been talking about forever to collaborate in real time, that part of the report is critical. More needs to be done, well done continuity and another variety of areas for the recommendations from the commission. 100 agree, the brush cleaning we can do to make us more competitive, Congress needs to pay attention. Chairman Pai has done the spectrum, if we are going to push back on Chinese expansion.
We have lots of gear around the country. People want to beat on them, there's lots of great effort in Congress how to get rid of that, if those things help our own infrastructure, ecosystem, people who are trusted vendors to do that and number 2, gets out gear much quicker. Those are things we can do immediately that are in the process you are dealing with now that would have a huge advantage for us putting us in a competitive position to do all the things my other panelists talked about. As Miss Spaulding said, each company is in the best position to defend himself, understanding which of their systems are most critical and represent the greatest risk. There are opportunities and recommendations, things like increasing transparency, having the interpretation by the SEC, from public companies, CEOs, not on the level of security but looking at cyber risk and adequately manage cyber risk but when you get things like that in place you will increase the level of attention, increase each enterprise's ability, the amount of noise and economic loss will go way down, the single greatest move we can new to improve our resilience. All of your testimony, just want to thank Representative Langevin and Gallagher. They were talking about Pearl Harbor and the big fear, the companies talked about how we shouldn't have every company in the country required to have private audience to safeguard ourselves, even national response. I will be supporting this legislation and appreciate everyone who helped put it together. Representative Sarbanes, you are recognized. Appreciate the panel. I thank my colleagues, not just for their testimony this morning but their efforts on the proposal which I support very strongly, want to welcome back Chairman Rogers and thank the panelists for their testimony. One key responsibility of the National Cyber Director is establishing and implementing national cyber strategy.
In 2018 the Trump Administration released a National Cyber Strategy that aims to, quote, integrate cyber into all elements of national power. Chairman Rogers, could you speak to how the National Cyber Strategy has been successful or not successful in that goal and how with the National Cyber Strategy required by the bill we are talking about today be different from that, could you compare and contrast? The strategy was meant to do in 2018 was bring us to a better place about coordination and understanding our adversaries are using all nation-state power they can bring to bear, diplomacy, military defense, intelligence, cyber, using that capability, the most important so we know China steals economic data to influence its trade negotiations as an example. They are using cyber and intelligence as a way to influence all those pressure points government has to bring to bear on a country. My understanding is the 2018 rule was to say we are finally getting to understand it is multidomain. We tend to separate diplomacy and the economy to a great degree so how do we have everybody going in the same direction understanding our efforts? That is what they are trying to do, it is still a work in progress and part of that, we debated when I was chairman and prior to me being chairman, Mister Langevin can talk about that, what is offenses, are we allowed to protect ourselves if we know they are going to shoot at us in cyberspace? I've seen lots of folks say we solved that question in the last 15 years. I don't believe we have yet today solved that question. We have a piecemeal policy and that 2018 policy was trying to say all the nation-states, trying to understand what tools in our toolkit, I'm not saying every cyberattack we should have another cyberattack, not saying that at all and still to this day we don't have a good definition of what we can do to prevent. The terms go through the years, now we call it aggressive defense. Whatever you call it.
I am interpreting you to say the administration's strategy was heading in the direction that now the cyber director with the strategy required under 7331 takes new and better and more coordinated and structural place. One key difference as envisioned by this bill is it would be empowered with new statutory authority to monitor implementation across the federal government in terms of strategy which would include implementing changes regarding agency organization, personnel, resource allocation. That makes sense as well as certifying the annual budget proposal for each federal department or agency is consistent with the strategy, again that makes a lot of sense in terms of coordination. I understand you spent 17 years at OMB before assuming the cybersecurity coordinator role. It is important for the National Cyber Director to have statutory authority and how do you think the relationship with OMB would work in practice? Thank you. I think it is critically important that the office have a good understanding of the budget and be empowered to work in that budget process. Former OMB director said policy without resources is a hallucination. Clearly the ability to influence and shape how we locate resources is critically important. As a practical matter what you would like to see is close collaboration between any staff associated with the offense and the mind program examiners at OMB. OMB is at its most effective when it works closely across the entire complex with omd cp, any of those White House elements to make sure the budget support the president's policy. You might imagine a situation where you have program examiners from OMB detailed to this office to help provide that connectivity and reach back and you want the working hand in glove with each other to shape that budget so that is why having this lever like the statutory authority would be very helpful to the position. I yield back. I now yield to Representative Porter. Thank you.
Under HR 7331 the first duty of the National Cyber Director is serving as principal advisor for the president on cybersecurity. Having worked to achieve many of those functions can you give me any concrete example of how having a principal cybersecurity adviser was essential to the president's work and why it is important to formalize that role proposed in the bill? Thank you. When you look at an issue like cybersecurity that is so crosscutting it affects so many policy areas from national security policy to our economic policy you want the president to have an advisor who focuses on this issue as part of her time. The main thing they focus on every day because it pervades our policy issues so if you're trying to decide whether U.S. policy should be on everything from 5G to relations with China to how we are dealing with the Middle East, cyber shoots through those things so you want to have the president be able to draw upon somebody with expertise in those areas that can bring cyber perspective to those issues so you make a decision knowing what the effect on our cybersecurity might be for good or ill, sometimes you will make decisions that have a negative effect for greater positive gains somewhere else but with full knowledge and not by accident and that is why it is critically important Senior Advisor in the White House focused on this issue just given its breadth the crest across so many policy areas. I appreciate the expertise in the cybersecurity role and more questions about how Senate confirmation was sure that. Mister Jaffer, do you remember cybersecurity adviser when you took office? Rob Joyce and Tom Bossert. I agree with you on the importance of expertise.
The president also appointed Rudy Giuliani and I think like so many of us we are seeing this work from home technology is frustrating and hard and we are struggling to get our level of expertise up to where it needs to be so I completely relate to the fact that Rudy Giuliani after being appointed one of the cybersecurity advisors got frustrated and went into a public Apple store in San Francisco within a month of being appointed a principal cybersecurity adviser because he entered his password wrong and was locked out of his iPhone. This indicates the gap between the rest of us who are trying to do our level best and the need for an expert at the top of this. Would you agree with that? I completely agree. At George Mason, colleges from around the country, we can get more on the challenges we face in all the agencies and doing the work, no substitute for that. I want to turn to Miss Spaulding. HR 7001 would require the position to be affirmed. Can you explain why the Solarium Commission made the recommendation and how do you respond to concerns that has the potential to create distrust between the president and the National Cyber Director, is that concern misplaced? With respect to the latter question about the potential impact on trust in the National Cyber Director in the White House I would point out there are lots of Senate confirmed positions including the OMB director and I don't think anybody questions the level of trust with respect to that OMB director so I don't think, I do think that concern is misplaced and we talk a lot about whether the pros and cons of having the person in the Senate confirmed that the consensus was we should recommend Senate confirmation.
It is critically important that Congress have effective oversight and given the decentralized nature of cybersecurity if Congress doesn't have the ability to hold someone accountable and somebody they can turn to to get a coordinated coherent picture of what is happening it is going to be hard for Congress to be effective oversight. That is important, the Senate confirmation gives Congress a greater ability to conduct oversight of those affected. I appreciate it. My time is expired so I yield back, thank you so much. The gentlelady yields back. Representative Comer, would you like to make a closing comment? I think just to wrap it up I want to thank the witnesses again for their testimony. This is certainly an issue that is bipartisan that we all care about when talking about cybersecurity, the question many of my colleagues have is whether we want to create another government bureaucracy and what is the total cost going to be and how is this bureaucracy going to work with the administration, whichever administration that would be. I think this was very helpful. I appreciate the conversation, the questions. With all due respect, I hope we can focus on China, there is huge demand across America, not just for COVID-19 but cybersecurity breaches in the hands of China so again would encourage future hearing with full focus on investigating China and determining a path forward, the violations, thank you for the hearing and with that I yield back. Thank you. This August marks 100 years of women's suffrage. I want to close with one final question. Amit Yoran, you address the lack of diversity in the cybersecurity sector, how it contributes to the overall shortage of the challenge of the cybersecurity workforce, would you point out women make up just 14 of the cybersecurity workforce in North America, you say, quote, the nation needs a whole new cyber workforce strategy that develops and advances people from all walks of life.
How would the federal government's effort to promote diversity in the cyber workforce benefit the private sector? I mean more minority, gender diversity? How would this benefit the private sector? The most important thing when it comes to cybersecurity is recognizing we are getting the job done. Can't just have a same solution, same approach we've used in years past to deal with threats but continue to evolve and to appoint new technologies, new exposures and new vulnerabilities. We need experts to come from diverse backgrounds, that means people that are trained, disciplined, diversity of thinking, from minorities and other groups which are underrepresented in the cyber field and the cyber domain. The government has an opportunity and responsibility to help promote the diversity of thinking as available to the private sector, help us innovate, think outside the box and outmaneuver our adversaries so there's a series of programs and perhaps a followup. Thank you. Miss Spaulding, do you believe such an effort would advance and give us a competitive edge globally? I couldn't agree more. The commission has a series of recommendations on building that cyber workforce including diversity. And from a very basic perspective from my time at DHS, we have an urgent need to build the number of cyber talent and people that we have available to come into the workforce. We cannot afford to leave any part of our population on the sidelines of this effort. I agree, and we can and must do more in this regard. I truly want to thank all of my colleagues for their participation, particularly the congressman for the leadership and all of our witnesses for your passion and your knowledge and all the information you gave us today. The creation of a National Cyber Director is not something any of us take lightly. After what we heard here today I think it's clear this is something we cannot afford to delay.
I also want to thank all of my colleagues across the aisle particularly for the questions and engagement. It's not every day we can find areas of bipartisan and we have at here, we have to agree on our national security, protecting our innovation, protecting our people. So I look forward to working together to get this bill passed and our other items that were brought up today. Without objection all members have five legislative days within which to submit additional written questions for the witnesses to the chair which will be forwarded to the witnesses for their response. I ask our witnesses to please respond promptly as you are able to. And this hearing is adjourned. Thank you all.
