Good afternoon. Senator Manchin, Ranking Member, should be here shortly. He had a meeting off the Hill. Thank you, Senator Blumenthal, for being here. Senator Perdue, as well. We have a number of our other members who are joining us virtually today. Today, the cybersecurity subcommittee welcomes for the first time colleagues to present the findings of the Cyberspace Solarium Commission. Our friend, Senator King, and Representative Gallagher. They're joined by fellow commissioner, retired Brigadier General, John C. Inglis. Welcome to all. Thank you for coming to discuss this important topic in today's hearing. I would like to extend my congratulations as well to Mike Gallagher and his wife Ann on the recent birth of their birthday girl, Grace. Good luck on your greatest adventure yet and all the amazing moments yet to come associated with it. I would like to recognize Mark Montgomery who serves or who served as executive director of the commission. Section 1652 of if NDAA establishes Cyberspace Solarium Commission to study alternatives to protecting the United States. The commission has produced an impressive report that advocates a combination of all three, deterrence by denial, deliberate shaping of international norms through aggressive diplomacy and continued engagement of malicious cyber adversaries. The report presents a number of reforms for our deliberation. Of particular importance are the following recommendations. That the Department of Defense evaluate the size and capacity of the Cyber Mission Forces. That the Department of Defense take an expanded role and exercises in planning relevant to protection against cyberattacks of significant consequence. That the Department of Defense and cybersecurity companies hunt on defense industrial base networks and that the administration establish a National Cyber Director.
These recommendations are valuable contributions to the debate on what policies, programs, and organizational constructs will best advance the nation's cybersecurity. I am proud that we were able to incorporate 11 of these recommendations into the committee mark of the NDAA with several additional recommendations which were unfortunately outside of our jurisdiction but were incorporated later on the floor discussion. While this hearing comes too late to inform the NDAA mark, three objects of the study remain relevant for this subcommittee's oversight of the department's cyber strategy and operations and for the committee's conferencing of the NDAA. First and foremost, I want to discuss the motivations behind the commission's recommendation and recent annex further detailing the establishment of a National Cyber Director. How is the interagency planning and execution process broken today? What authorities, especially those relevant to offensive cyber action, should be available to the director? How would the National Cyber Director act to direct or coordinate Department of Defense action in response to a cybersecurity incident of significant consequence? This subcommittee has focused on improving coordination among the entities within the Department of Defense to ensure synchronized efforts in emptying and executing their cyberspace missions. I believe that the principal cyber adviser within the Office of the Secretary of Defense has been effective in performing that particular oversight and coordination role and advising the Secretary of Defense. This has been accomplished without the establishment of a large bureaucracy and without creation of yet another cyber stovepipe within the DOD. In this year's NDAA, we included a provision that strengthened the cyber adviser's oversight and coordination role. There was a provision in the 2020 NDAA that added cyber advisers to provide the secretaries with this critical coordination asset.
The principal cyber advisers have a departmental or service role, while the proposal for a National Cyber adviser concerns a national role. However, I think there may be some similarities between the functions of the principal cyber advisers and the National Cyber Director as envisioned by this commission. I would therefore appreciate discussion on the similarities and differences between the roles of the DOD principal cyber advisers and the proposed National Cyber Director. Second, I hope to better understand the recommendations the commission provided regarding the Department of Defense cyber targeting. Do they see the plans as matching the committee's observations? Did it find the department's aspirations to be realistic? Finally, I want to hear how the Department of Defense can better execute its mission to direct the nation against Russian, Chinese, Iranian and North Korean cyberattacks. What are the department's capability shortfalls? What should its role be in emergency response actions? Thank you for agreeing to testify before this subcommittee. And Senator Manchin, welcome. Senator Blumenthal sat in and, welcome, do you have any comments?
Thank you very much. I appreciate that. Thank you, Senator Rounds. I welcome our witnesses. Mike, is he going to be on okay. Who served as cochairs of the Cyber Solarium Commission that this committee established last year and the third retired Chris Inglis who served as one of the commission members. Senator King of course is a distinguished member of this committee. Representative Gallagher, I want to thank him for this week on the commission and for your great service in the House. Chris Inglis is no stranger to this committee, deserved as a deputy of the National Security Agency. Thank you, Chris, for being here too. I want to speak about the efforts of this commission, why it has been successful and what lessons we can learn from the future. A commission of this type is intended not just to educate Congress.
The executive branch and the public. It's to forge a consensus on what needs to be done to fix the problems the commission identifies. Too often those recommendations are too vague or difficult for Congress to legislate on. The commission spent a lot of time and effort turning those into drafts of text. This was an immensely important decision. If you have to turn an idea into bill language, you have to think it through and it has to be compatible with Congress which is to draft laws. Without those legislative drafts, much of the commission's work might already be collecting dust on someone's shelf. A vast majority of the commission's recommendations were included in one form or another in the NDAA bills passed by the House and Senate including a significant number of representations that crossed the jurisdictional lines of committees. Getting approval across multiple committees for legislative amendments on the floor of the House and Senate is extremely hard. Something that Senator King and Representative Gallagher know very well and were able to do it. One of the main and most influential commission recommendations is the creation of a National Cyber Director. This recommendation is not popular with the administration and Senator Rounds and I concluded that the proposal needed a bit more polishing by the commission in order to better understand what this position's role should be. Senator King and Representative Gallagher took this on and have produced a very, very good proposal which we will talk about here today. The commission cochairs believe this position is crucial to integrating the response of all departments and agencies who have to be involved in dealing with major cyberattacks. We must have the military cyber forces and Homeland Security officers being a team. I hope the President can be persuaded not just to accept this idea, but to embrace it, to improve our national security. I do have two concerns I would like to address with our witnesses today.
First, the recommendation to require reporting out of all critical infrastructure entities to the Department of Homeland Security. While it's important that we do all that we can to respond to cyber threats in the timeliest manner, we must do so without interrupting reporting. As Ranking Member of the Energy and Natural Resources Committee, a primaries example are critical energy. Intelligence should be made available to the director. The commission's report rejected a model of deterring major cyberattacks on our critical infrastructure by ensuring adversaries, namely retaliating against their critical infrastructure through cyberattacks. A strategy of deterrence based on retaliation against an adversary is the basis of our nuclear deterrence that has been in place since the end of World War II. We do not consider this illegal, immoral or ineffective. The idea that an adversary would be deterred from hitting our infrastructure does not seem very likely to me. This is even assuming that we will be able to identify and incapacitate those cyber forces which I submit is a momentary solution. Before turning to our witnesses. The committee proposed and endorsed NDAA, extension of the life of the commission. Done for the 9/11 Commission and a good idea for Senator King and Congressman Gallagher to observe how the commission's work is implemented and resolve issues not legislated in this cycle. Thank you, Mr. Chairman.
Thank you, Senator Manchin. The best way to approach this probably since you've done a combined opening statement in the record now, Senator King, would you like to begin and we'll have you and then Representative Gallagher and then finish up with General Inglis if that works in terms how you would like to proceed?
Thank you, Mr. Chairman. There are so many aspects of this an opening statement could go on all rch. I'll try very hard not to make that happen. Let me make one point about the pandemic.
Among all the other things we've learned I think one of the most important things we've learned is that the unthinkable can happen. A year ago we would not have contemplated where we are now with a disease that we are having to deal with on a worldwide basis. So it is with a cyberattack. Seems unthinkable, the stuff of science fiction. Yet it can and it has happened. In fact, it's happening right at this very moment. Our basic purpose in the work that we did on this commission, and I'll outline how it was, how we proceeded, was to be the 9/11 Commission without 9/11. Our whole purpose is to avoid not only a cyber catastrophe, but a death by 1,000 cyber cuts, and that's really what we want to talk about here today. The commission as you mentioned, Mr. Chairman, was set up almost two years ago in the National Defense Authorization Act, and our mission was to develop a comprehensive cyber strategy for the country and recommend how it should be implemented. There were 14 members, and I think part of the success of the commission rests upon how it was structured. There were 14 members. Four members of Congress. And then there were four members from the executive, from the relevant agencies, and six members from the private sector. We had over 30 meetings. We had 90% attendance at our meetings. We met in this building just downstairs. Over and over. We had hundreds of documents, witnesses, and an immense amount of literature, search and review of all of the ideas that could be brought before us on these subjects. I'm proud to say the work of this commission was entirely nonpartisan. In fact, to this day other than the four members of Congress, who wear their party labels on their sleeves, I had no idea of the party affiliation of any of the other ten members of the commission.
And I can honestly say in all of those 30 meetings there was not a single comment, discussion, question that suggested any partisan content or any kind of partisan point of view in our committees, in our commission's discussions. 400 interviews. We came up with 82 recommendations. 57, as Senator Manchin mentioned, were turned into actual legislative language. One of the basic principles of the report, they can be summarized in three words. Reorganization. Resilience. And response. Reorganization I think we're going to talk a lot about today. How are we organized in order to meet this challenge? Secondly, resilience. How do we build up our defenses so that cyberattacks are ineffective and that in itself can be a deterrent if our adversaries decide it's simply not worth it. Finally, response. How do we develop a deterrent strategy that will actually work, particularly for attacks below the level of the threshold of use of force. We haven't had a catastrophic cyberattack, probably because of the deterrence that we already have in place. The problem is we're being attacked in a lower level way continuously. Whether it's the theft of intellectual property. Whether it's the theft of the OPM records of millions of American citizens. Whether it's the attack on our election in 2016. That's the area where we remain vulnerable and we haven't developed a deterrent policy. What is layered cyber deterrence, the fundamental theory we've put forth? It's to shape behavior. It's to deny benefits and it's to impose costs. I know that we're going to spend a great deal of time in this hearing talking about the National Cyber Director but I want to address it briefly in these opening remarks. The mission and the structure of the National Cyber Director is almost identical to the principal cyber adviser position created at the Department of Defense. The difference is a wider scope.
Just as we were preparing for the hearing I made a quick list of seven or eight or nine federal agencies, all of which have cyber responsibility outside of the Department of Defense. And the fundamental purpose and structure of the National Cyber Director is to provide a person in the administration with the status and the advisory relationship with the President to oversee this diverse and dispersed authority throughout the federal government. For the same reason we created the adviser in the Department of Defense we need to do it nationwide, and that's the fundamental purpose, I'm sure we'll be able to, we'll go into much more detail on this, but before I complete my statement I've got two written records. One is a very strong letter from the U.S. Chamber of Commerce endorsing the National Cyber Director position, and the second is the testimony recently in the House by former Representative Mike Rogers, former chair of the Intelligence Committee, who questions that he has 180 degrees changed his position on the idea of a National Cyber Director from steadfast opposition to very strong support. I'd like to introduce both of those documents into the record with permission of the chair.
Without objection.
Thank you. I'll end my comments now and we will be able to really discuss more of the details, particularly on the National Cyber Director recommendation as the hearing progresses. Thank you, Mr. Chairman.
Thank you, Senator King. Representative Michael Gallagher. I believe you'll be joining us virtually here. Are you ready, sir?
I am. Can you hear me?
Just back off a little bit. Hang on a second. We're going to bring that volume down just a little bit here. All right. Let's try that again.
Okay. Hopefully that's also buy bit better.
Much better, thank you. Welcome.
Thank you, Mr. Chairman, and thank you for not only your leadership but kind words about my baby daughter.
We truly feel blessed and to my good friend Ranking Member Manchin, thank you, sir, and all distinguished members of the committee allowing us to testify on behalf of our report. I have tremendous respect for this committee, before a member of the House, a staffer in the Senate. I actually used to wield real power, that is to say. Thank you for letting me return to my roots in the Senate. As Senator King laid out, our adversary cyber operations continue to increase in sophistication and frequency, creating an unacceptable risk to our national security. Given what we know the state of our defenses and adversaries' intentions, a major disruptive cyber attack to critical infrastructure at this point is almost something to be expected. So, therefore, I would say we have no choice but to hope for the best while planning for the worst. With this in mind I would like to emphasize two of our critical proposals as we look ahead to the NDAA conference. I strongly agree with cochair Senator King establishing a National Cyber Director. Country needs strategic leadership on cybersecurity and we believe this is the right balance of responsibility, necessary prominence. A Senate-confirmed cybersecurity yielding bch and policy to coordinate cyberauthority would bring the focus cybersecurity desperately needs at the highest level of the national government and continuity of economy plannings resilience and redundancy in our critical infrastructure, a national resilience that necessitates planning. I submit the pandemic has known economy is vulnerable to widespread disruption but the economic disruption that has on Americans. As we thought through the unthinkable in the earliest parts of the Cold War so, too, now we need to think through the unthinkable how to rapidly recover in the wake of a massive cyber attack so we have ability to strike back with speed and agility against whoever chooses to test us. Also I say that to ensure the U.S.
Government reduces vulnerabilities across critical infrastructure, Congress must address a number of issues that impact multiple agencies that currently work together to protect our national security in cyberspace. Just a few of our few recommendations on that front include one, the institutionalizing of public-private cybersecurity initiatives, establishing a joint collaborative sharing threat information. Three, establishes integrate the cyber the host integrating our seven existing federal cyber centers. Four, creating a joint cyber planning office. Five, connecting a biannual senior exercise playbook and effort and finally in six establishing authority for sza ob all doc networks. All included in the House version of the NDAA. The most important conclusion and I will close on a recommendation from the commission that failure to act is not an option. While we've made remarkable progress in the last few years the status quo is simply not getting the job done and the time to act is now. Thank you again for the opportunity to testify before you today and for your commitment to American cybersecurity.
Representative Gallagher, thank you very much for your opening statement. Now we'll turn to brigadier retired General Inglis.
Thank you, Chairman. Ranking Member Manchin and all distinguished committee members for the privilege of testifying before you today on the recommendations from the Cyberspace Solarium Commission. I agree with fellow commissioners this last year has been for me an honor and opportunity of a lifetime to hear from expert counsel from a wide range of policy and operations experts across the continuum of private and public sectors including consideration how both allies and adversaries approach the challenge of defining and executing a national cyber strategy.
I fully back my colleagues here supporting both the overall report to include its 82 recommendations and urge you to in particular swiftly pass the provisions that we'll probably discuss in great detail today. To that extent I'd like to focus my opening remarks on the National Cyber Director. This committee has done much to improve both the nation's understanding and military's preparedness to deal with challenge of cyberspace yet we must still do more. For military cyber power is only one of the many instruments of power applied to achieve our aims in and through cyberspace. You well know cyberspace is inextricably linked to every other domain of human interest such while cyber comprised by humans and those who make use of it is an instrument of its own right and all others depend a properly functioning cyberspace for efficient operation. The reverse is also true. Functioning of cyberspace relies on effective employment of diverse array of authorities, tools and expertise. These are not held by one person, one organization or one sector, and do not self-organize into the coherent hallway to ensure cyberspace is robust, resilient and well defended against increasing threats posed by transgressors who often operate with impunity. Holding both cyberspace and in turn our national security at risk. Our adversaries have gone to school on us and routinely choose time, place, manner of transgressions without regard to imagined or commonly accepted boundaries between the swaths of cyberspace operated by individuals, private sector and governments as a collective whole. Absent a consistent, proactive and joined-up effort on our side that gives a premium to preparation, integration and collaboration, we will fall further behind. To that end United States needs a leader to act as the President's principal adviser and associated emergency technology issues and to coordinate the federal government response.
Our experience in preparing for kinetic attacks richly inform doctrine and plans how to respond. Including supporting roles other instruments of national power would play under various scenarios we are not in the same place with respect to cyber attack. Military instrument may not be the singular or supported instrument of national power, let alone to need to consider actions of the private sector typically maintaining and operating front line of cyber takes as they maintain and operate over 85% of what we know as cyberspace. To that end there is a rough but useful analogy to be drawn what we're recommending here in the National Cyber Director and Department of Defense use so principal the adviser and or even chairman of the Joint Chiefs of Staff, both positions used to effect cohesion amongst operational combatant commanders without usurping efficiency, execution of the operations authority of those commanders. While installing another player, the National Cyber Director, into coordination of already complex cyber operations, could be a concern, I think it's important to note how this functions in the Department of Defense. Importantly, neither the principal cyber adviser or chairman of Joint Chiefs of Staff serve as operational commanders in distinct and separate roles. Cyber involved for cyber capability and doctrine and chairman combatant commanders mapping a national strategy coherence across coe found is and properly resourced useful force multipliers often outnumbered but not outmatched. National Cyber Director fill a role across agencies similar to the two roles well established and very useful within the Department of Defense. Finally I note cyberspace exists in the presence of adversaries. The U.S. is challenged by adversaries who can and do attack us on every front in our homes, places of business and within our critical infrastructure.
Names that use the same essential coherence in national strategy, defined roles and responsibilities and propensity to collaborate base and leadership that connects and supports various players to a national strategy. Simply, while it remains to name the time and place adversaries' action will take place in cyberspace we can assure it will take place and failure to respond will result in costs we can ill afford when dependence on digital infrastructure will only grow. The time to act is now. I close my opening statement with thanks for being able to discuss those in greater detail.
Thank you very much for your testimony, and I think, let me begin, I do appreciate the work that this commission has done. You've not only started out with a whole series of proposals but when we asked to go back and flesh out in particular the authorities and responsibilities of what a cyber director would look like, I really appreciated the responsiveness from the commission back to the committee. It is our intent to use this information to discuss and to basically provide information during the markup of the reconciliation between the House and Senate versions of the NDAA in conference and the House committee has laid out what their vision is, and the concern that we had expressed was one that we believed that the principal cyber advisers as laid out within the Department of Defense have allowed for technical knowledge and professional expertise to be available and deliverable to our chief executive officers immediately. And that with that additional expertise they could facilitate the use of cyber, cyber activities, offensive and defensively, where needed. The concern that we had was that if at the national level you created a silo, a location where there could be authority or for that matter responsibilities and the ability to simply have one more stop along the way in deciding before policy could be executed that we risk making those cyber responses more challenging.
The reason I lay this out for you this way is over the last several years we have followed what has happened at the executive branch with originally a very well-intended ppe 20 presidential memorandum 20 started in the previous administration. Their intent, find consensus. But before cyber activities would be ruled out. Unfortunately, in doing so it became a consensus which meant any one of a number of different individuals could stop the movement forward of any cyber activity. That was changed a couple of years ago with the creation of NSPM-13. National Security 13 in which a clear line was laid out for the decisionmaking process on the use of cyber tools, and the availability of cyber for our war fighters. The reason I lay this out is we were able to in coordination with the executive branch streamline the process. We were actually able, as per I wouldn't discuss this except that President Trump shared a little bit about it, 2018 and the fact we did not have interference in our 2018 election was not by accident. It was because of the clear capabilities of men and women of Cyber Command. And it was because they could execute appropriate cyber policy in an expeditious manner. What I don't want to have happen is to have another layer of bureaucracy get in the way. I think you've done an excellent job of laying out for this subcommittee your vision of what this would look like, but I think for the record, I would ask all of you, would it be your intent that this cyber director be identified as much as a principal cyber adviser similar to the d. O. Dncd. Versus having authorities and ability to silo those areas and create a road block for cyber actions in the future? Senator King?
Mr. Chairman, I would say that our proposal is anti-silo. The problem is now as I mentioned we've got cyber activities and planning and work going on throughout the federal government and the whole idea is to bring some coherence and coordination to that.
To your specific question, which I think is an important one. We do not propose that the National Cyber Director be in the chain of command for cyber actions. It's Cyber Command. Secretary of Defense. President of the United States. We are not talking, and you used the term policy executed. We're not talking about adding a layer in terms of execution of policy. We're talking about adding a coordinating function to bring together the expertise throughout the federal government and I think that's of very important, an important distinction and a totally valid question but we view this as a bringing together of a coherent organization with someone at the top that has oversight and situational awareness of what's going on in all of these different agencies, but in terms of cyber actions, such as the action you cite in the 2018 election, this person would be an adviser to the President.
Yes. That's what I'm hoping and I just wanted to make can clear. Sure I'd like Representative Gallagher concur with that if he's available as well.
I concur with what Senator King expressed and. See for the whole commission when I say the intent of this proposal to build interagency integration and not to add bureaucracy. I think, Mr. Chairman, you did a great job laying out how far we've come in recent years on the offensive side. A lot of this starts two years ago with provisions we put in as Congress to make cyber surveillance and reconnaissance a traditional military activity current, 13, laid on top of that, and I think the primary values of NSPM-13, it establishes clear authority. Right? As my good friend Senator King continually reminds me, always you want one throat to choke. One person to keep accountable. And I think our vision for this was to provide the President with that person, primarily on the defensive side. The final thing I'd say is to confess my bias when I came into this was resist the creation of new agencies and, you know, positions, and largely I think we've avoided that.
With this I've come to believe it's actually the least bureaucratic option. One option could create a separate agency entirely. That's pretty bureaucratic. Doing nothing I actually think is the most bureaucratic option because I think it will lead to a catastrophic cyber incident requiring layering on of new agencies and positions in response to that. We really want that National Cyber Director to get to the left of that cyber boom by coordinating and advising the President primarily on the defensive side of the equation.
Great. And thank you very much. I'm about out of time. Mr. Inglis, quickly, your thoughts?
I would say I think I speak confidently the commission would support your sense of the substance in the spirit of the National Cyber Director and the National Security Adviser is busy. Doesn't have the time, or she doesn't have the time, to on a daily basis try to figure out what our overall strategy is vis-a-vis cyber and much as the committee reconciled how we think about the military power what we asked I think two years ago of the nation what is the context of the application of the military cyber power, a traditional military instrument or traditional military activity or not? Give us the expectations what then it might do and let us go do it. I think the National Cyber Director needs to treat all instruments of power in the same way. Provide context, expectations and allow the depth of expertise to do it in a distributed fashion. Absent the sense of context or fabric we'll have a series of stovepipes, a jazz mannband mak no music worth listening to.
Thank you. Senator Manchin.
Thank you, Mr. Chairman. I guess to Senator King and to Congressman Gallagher and General Inglis, I'm understanding the way we have 17 different intelligence agencies. I assume every has its own cyber. I know that, FBI has a cyber center for law enforcement. DHS has one dealing cyber attacks on the homeland. D.O.D. and on and on.
You're saying this one person would be gathering all the information so I think if we have a credible threat to the homeland, a credible threat, they all have to enter be, interact, I assume, and agree that this is a valid threat? To present. Is that the way it's done now? Or is it basically just each one taking their own different direction and shot how they're going to counter this?
Different agencies have different responsibilities. In addition to the ones you mentioned other agencies that have cyber responsibilities are FERC.
Sure.
Department of Energy. FDA. It's so broad. What we're talking about is having an office and not a big office. We talked about the possibility as Representative Gallagher mentioned, creating a new department. But thought that was too bureaucratic, too heavy-handed and take too long. This is a position that's, there are really two models for the position we're talking about. One is the cyber adviser in the Department of Defense. I think that's an almost exact analogy, because it was created because there was too many moving parts in the Department of Defense. There needed to be a coordinator. Other model, U.S. Trade Representative, Office of Management and Budget, the drug office and I can't think, I think there's one other, but scientist technology. That's right. These are all presidential appointed, Senate confirmed, and it provides them with the status and the ability to have some authority and budget review authority as part of it over the range of cyber-involved agencies in the federal government.
Who do the heads of these agencies, when there's a cyber attack, report to?
They would report directly to the President. There's no, there's no cyber coordinator. That's the whole problem.
This is basically the coordinator you're talking about?
Yes. There was a cyber, one of the arguments, well, traditionally this has been a tradition in the National Security Agency as a, an appointed position by the National Security Adviser.
The problem with that is it's at the whim of any particular National Security Adviser. I got you. Two years ago the position was eliminated by the then National Security Adviser, and why we're saying elevate this to the status and the organizational status it needs in order to be effective to defend the country. General, military person you are, the commission report specifically rejected the idea of deterring cyber attacks on critical infrastructure by threatening retaliation against the attacking country's critical infrastructure. So I understand the desire to be reserved, but how do you feel this recommendation is going to be adequate to deter? First, if I might go a half step back and answer another question you asked, which was concern about whether sector-specific agencies might then be thwarted in the intimate and direct relationship they had, profitably in terms of outcomes, with their respective sectors. The commission is with you on that and actually want to strengthen the sector-specific agencies' relationships, allowing them as representatives of the government to, on various faces, continue that strength. So the National Cyber Director should benefit from that but never constrain that. Should essentially take advantage of that. To your question about whether the commission believes it is appropriate or inappropriate to attack a critical infrastructure of other nations, I think that our views on that perhaps are more nuanced than a yes or a no. We start by saying that we believe, first, as the United States has long attested, we will follow international law. And we will adhere to the global standards of normal behavior that we attested to in 2015 through the auspices of the State Department: we wouldn't in peace time attack the critical infrastructure of other nations.
That being said, in war time, it is a political decision, leadership of this nation, to determine with necessity and proportionality how we should array the various instruments of national power we bring to bear, and shouldn't be in a place we never say never, just need to follow rules of proportionality, necessity and international laws that govern such things. I would offer, though, that it's often a discussion that takes place with respect to the use of force or armed attack, and what we have found is adversaries are operating well below that with impunity, essentially like termites in the woodwork as opposed to flash and bang through kinetic weapons. We have to address whether or not adversaries are taking inappropriate advantage of our either complacency or implicit tolerance, insinuating themselves into our critical infrastructure, and how do we stop this? Some include cyber power. Use of diplomacy, public shaming perhaps, all need to be brought to bear to stop that and hold them at risks that follow international law, that use proportionality. Congressman Gallagher, I think in your opening statements you all have laid out a significant number of commission legislative recommendations. Am I correct that each of these recommendations that you described appear in some form in either the House or Senate NDAAs? And that would be part of the issues in conference of the NDAA, so the commission's report and recommendations you make, are they in both? Congressman Gallagher? Yes.
There were six specific recommendations that I talked about that were, are in the House version of the NDAA, but not in the Senate version of the NDAA, and I brought that up just to urge the Senate to consider the House equities when we're in that discussion, and I believe there is some ongoing debate about our continuity of the economy proposals, and I understand for various jurisdictional issues in the House and Senate there are other recommendations that made it into neither report, but we feel fairly good about just the sort of the baseline of what made it in to either the House or the Senate and hope there is a collaborative approach in the conference committee process. Senator Manchin, I can present to the committee a chart that exactly answers your question. There are 12 of our provisions in the House National Defense Act that aren't in the Senate version. Okay? There are 12 in the House that aren't in the Senate version. There are 11 in both the House and the Senate versions. So they match, and then there are 6 in our version that aren't in the House. So altogether, let's see. We've got 29 provisions, of which 11 are in both, and another, more than a dozen can be and hopefully will be resolved in the conference. Outside the jurisdiction? Is that the problem? Some are outside the jurisdiction? No. These are all, we believe, close enough to that can be considered inside the conferees. And all 29 in play? Yes. They're in the bill and we hope they can be resolved so that as many as possible, I mean, you know. We all know what happens with commission reports. And we were determined to not have that happen, and that's why we actually drafted legislation rather than just give you ideas, and so if we can finalize these documents in the, these amendments in the bill as it comes out of the conference committee, we will have done well more than half of our total recommendations. Thank you all. Appreciate it very much. Thank you, and, yeah.
Just in looking back over the numbers that I've got in front of me. It's been great to see the number of them actually put into this subcommittee's mark and the other three added on the floor. We couldn't do them in subcommittee because of jurisdictional issues. 14 total coming out of the Senate was good, and holding a spot for discussion on the National Cyber Director position as well. So I think the committee has been very successful and done great work. Just to follow up a little. I did start out, when I first got on to this committee, I was very interested in the National Cyber adviser, or National Cyber Director. Then I kind of came around a little bit, saying one thing I was concerned about, that things were starting to work within the Department of Defense. We were actually having movement forward, getting things done, and I was concerned we not create any silos and am happy to hear all of you indicate the same. It is not the intention, and legislation should not be there to create that. But there is clear evidence that the Congress has in the past asked for Senate-approved members to advise the President or to participate in the executive branch, and I thought I'd take a minute to make that point here. Examples of such positions that currently exist that Congress has put into law. Top leaders of the Office of Management and Budget. The director, the deputy director, the deputy director for management. The controller, Office of Federal Financial Management, OMB. Administrator, Office of Information and Regulatory Affairs, OMB. Administrator, Office of Federal Procurement Policy, OMB. Director of Office of National Drug Control Policy. Top leaders of Office of Science and Technology Policy, intellectual property enforcement. Chairman, Council of Economic Advisers; chair and members, Council on Environmental Quality.
Top leaders of Office of the United States Trade Representative, including the United States Trade Representative, deputy United States trade representatives, chief agriculture negotiator, chief innovation and intellectual property negotiator, and I understand really a lot of language you've put in to this proposal comes from the legislation authorizing and directing the United States Trade Representative as well. So there is a format followed to look at to see whether or not it's successful in terms of advising the President of the United States. I think you've done your work on it, and most certainly, if there's any part of it, as I say, that we were concerned with, it was that we make sure that we allow what is working within cyber operations of the DOD to continue to work and that we not create silos. The other thing that the committee talked about a little bit was the direction with regard to our activity in cyberspace. Whether there should be, what type of deterrence should be used. Whether we should put more emphasis on defensive activity, making it more difficult for adversaries to get in. I'd like to take a minute just to give you the opportunity to share a little bit about your thoughts regarding the operations in cyberspace. Air, land, sea, space and cyberspace. Most certainly the most inexpensive to get into and create havoc everyplace else is cyberspace. We have to be on top of our game. Can you share your thoughts about the questions, concerns, that your commission found or that you wanted to express and maybe haven't had the opportunity to do so so far? Thank you, Mr. Chairman. There are a couple of aspects. One I want to touch on quickly. One of our major recommendations, which isn't before this committee, but is for the creation of an assistant secretary of state for cyber, because international norms and expectations are an important part of this discussion. And if we're not at that table, we can lose when they are talking about standards or whatever.
This is a place where we've lost some ground. So that's one of our recommendations, but I think the, what I'd like to say about the deterrent issue is that this was, a great deal of discussion about this. It grew for me out of many of the hearings that you and I have sat through over the last four, five years, where we haven't had a deterrent policy. We've been purely defensive. And what we are saying is that there's a level everybody knows that there would be a response if there was an attack on critical infrastructure. But the question is, what happens if there's an attack on our election, or what happens if there's a wholesale theft of intellectual property? What's the response? And because there hasn't been, and because, as you point out, this is a cheap way to make war, then we've become a cheap date. We've become an easy target. And what the commission suggests is there needs to be a new declaratory policy: there will be a response. It may not be cyber. It may not be kinetic. It may be sanctions or any part of the national power tool kit, but that there will be a response, and another sort of wrinkle of this that's very important is, 85 percent of the target space in cyber is in the private sector. It's not the Army and the Air Force. They will be under attack. Cyber attack. But the target space is in the private sector. And that's where we have to really develop relationships. This is a whole new way of thinking. One of the things we talk about is the intelligence agencies being able to share with the private sector what they're learning about cyber attacks on data systems at power plants. So you're absolutely right. The discussion of the deterrent idea was an essential part and a lot of discussion in the commission, but we concluded there had to be some deterrent.
It can't simply be defensive: patching, make it more difficult, cyber hygiene, all of those are important, but we wanted our adversaries, when they're contemplating a cyber attack on the United States, to say, but what will they do to us? We want that to be part of their risk calculus. A formative moment for me, when we interviewed head of NSA three, four years ago in this committee and I asked him if there was any deterrent to a foreign adversary taking these kinds of actions, and his answer I've never forgotten was, not enough to change their risk calculus. And that, to me, is an admonition and warning to us: we have to not only defend ourselves, but our adversaries have to know that we can and will respond in such a way as to make them regret their attack. Thank you, sir. I'm going to turn it over to Senator Manchin. Mr. Amos, one of the commission's recommendations included in the Senate NDAA have the Defense Department carefully and comprehensively assess whether the Cyber Mission Force, our military cyber forces, are rightly sized, including the recommendation in our bill, and it is important. Frankly, this mission is so new we had to create everything from scratch ten years ago. No one really knew how many people it would take to perform this mission or even really the exact mix of skills needed to get the job done. As you know, we also realized Cyber Command can only get after targets and clever people can figure out how to get inside that target through cyberspace and if we have infrastructure in the right places to get access to it. Really high-end skills and accesses requiring a lot of smart planning by a lot of smart people. If you don't have the accesses to military targets, adding more cyber units are not ac much. Is there difficulty recruiting, training enough people with requisite skills to generate accesses to support expansion of the cyber forces?
I think we did look at that nationally and then within the various components that constitute those who employ cyber workers within the United States federal bureaucracy. Our sense of United States Cyber Command is they've done a great job, within the authorities that they have, of recruiting, training and developing for careers the people necessary to do the work that they do, but as you well know, those forces were set in size in the year 2013. I think we're sitting now with a combined size of that force, the actual kind of pointy end of the force, about 6,200. 133 teams, time and place when our sense of how we use military cyber power was different, and a time and place the sense where that should be used was different. It's time to review that, take a look at that, but to your point also, at the same time we need to make sure we've done everything necessary to create a bigger pie from which we can recruit, and once we recruit, focus hard how to retain those people across careers and cyber disciplines. If I could follow up with Congressman Gallagher on that. Congressman, your commission did make a recommendation that you have not emphasized here today, or Senator King. I assume because it didn't get much serious consideration here in Congress. That recommendation that the House and Senate should establish select committees on cybersecurity with members drawn mostly from all committees and each member with significant jurisdiction over national cybersecurity problem. Maybe next year you can give it another try and see if that goes anywhere. If you want to comment on that, I'm happy to hear. Well, I understand the difficulties of trying to reform committee jurisdiction in both the House and Senate. We view this as a critical recommendation. It was one we spent a lot of time debating. Just as we want that single point of focus within the executive branch, that person who wakes up every single day thinking, how can we defend the country in cyber?
So, too, I think we want a repository of legislators who have the ability to develop true cyber expertise, can hold that person as well as the upper people in the executive branch at work on this issue accountable, and just creates a space where the executive branch and the legislative branch can work together to keep the country safe. So I understand the difficulties of this proposal but view it as necessary. It's one drawn from Congress's own history of creating select committees on intelligence. The final thing I'd say, Senator, I think the most forceful advocate for this proposal was my colleague in the House, congressman who has the most to lose jurisdictionally, given he chairs the subcommittee analogous to your committee and therefore might lose from jurisdictional power, but feels very strongly about this proposal as well. Thank you. Senator King, follow up, if you will, quick on this? And let me ask you something else. First I want to follow up. To illustrate the difficulty of the congressional organization, in order to get, I gave you the list of those amendments that had been cleared and put in. We had to get 180 clearances. From both sides, on multiple committees and subcommittees. I mean, that gives you a flavor of how bifurcated, there's got to be a word, fractioned, or fractured, the congressional process is. That's something we're going to continue to work on. The analogy is the Intelligence Committee, which was created in 1976 for the same reason: there was a realization that intelligence was scattered throughout the government and the Congress and made sense to put it into one set of expert hands. That's the origin of the Intelligence Committee. We think the same thing should be done, should be done here, and I will continue to pursue the idea.
With all the expertise y'all had on your commission, seemed like you had a wide range of people coming from different walks of life that had expertise to add, what was the greatest concern, if we can talk about it, probably we can't in this type of setting, but the greatest concern you have with our cybersecurity and what our adversaries are trying to do with us? Did all of you agree one highly concerned sector of our society vulnerable? I can't identify one sector, but critical sectors, one that doesn't get enough attention is water. Our water system. Different water companies in the United States. Yeah. And there are vulnerabilities there. All of our, our financial system, our telecommunication system, of course, electrical energy. And this is ongoing. We've talked to utility executives, for example. One of whom told us his system was attacked 3 million times a day. Jesus. 3 million times a day, and that gives you the range. Banks, I know, the same, I don't know if it's the same number, but hundreds of thousands of times a day. So this is an ongoing threat. Not only from state actors, but from malign actors who are doing ransomware, sometimes just garden variety crooks, but there are also people that want to undermine our society. So I can't give you one specific target that we most worried about. I think our worry was that we just didn't feel that the country was adequately prepared for what could and likely will happen. Sir, could I speak to that, too, then? Building on that, just to say there's the insidious threat, our concern was that our adversaries in place, whether criminals or nation states or those in between, they could beat one of us without garnering attention or response of the rest of us. We actually had a situation where we'd been divided, slowly conquered one at a time. Hole's not on my side of the boat, therefore I'm not helping you patch the hole on your side of boat.
Our view, you won't find this line in the report, but if I was stuck in an elevator with somebody and ten seconds to get out, we propose, if you're an adversary in the space, henceforth, beat all of us to beat one of us. Derived from using all talent, expertise, all authorities we already have, preparing as one. Applying resources as one, such that when we execute this in a distributed fashion, much like the Department of Defense has. Given freedom to operate. If we know we're operating according to some larger strategy, consistent with some larger purpose, and we're helping whatever is to the left of us, to the right of us, that's a fundamental problem for us at this moment in time. As we made the rounds, over 400 different engagements, most in the private sector, we heard time and again from the private sector: I like the part of government that I have an interaction with. Maybe a sector-specific agency. But I'm not sure I know what the government strategy overall is. The government's not joined up, therefore not in a position where it can be a viable collaborator with me, the private sector, who is bearing then the burden of this kind of transgression after transgression. They want the government to be joined up. They want it to be coherent, want to be a reliable partner at the same speed they enjoy on the edge that they approach that government. Thank you. Look, I want to take this time to just say thank you to all of our participants. This is critical that we get this right. Today I think there's an understanding somehow that the Department of Defense has a role to play with regard to coming in and working internally within the United States to defend, and yet they can't really step in unless they coordinate with Homeland. Homeland basically requests and then DOD can, but it's almost like, if, in terms of an analogy: archers on the outside shooting arrows in, you can work all day and try to catch each arrow coming in, and talking millions of them.
Or at some point you have to go after the archer, and the challenge on it is, defensively and offensively, how do you do that in the best way possible? I can't say enough about how important I think it is that the work that you've done on the commission be recognized and that we do our best to incorporate what we can into the NDAA. Second piece, I think we have to recognize, and I want to thank Senator Manchin for being here today. We had a number of other members who were here early on and then had to leave. It's multiple meetings at the same time. But we shouldn't leave without recognizing how far our cyber teams have come in just the last few years. And the way in which the general and those teams have really stood up what has been an impressive series of achievements. Both offensively and defensively, and yet they will tell you it's still so much more work to be done, and so everything we can do to provide them with the tools that they need and the correct public policy that they need in order to do their job, the better off we're going to be, and every other domain, whether you're talking air, land, sea, space, all of them are dependent on our ability to protect them in cyberspace because it's all connected, and it's the least expensive way for our adversaries to get in and actually do damage in any one of the other domains. So we have to pay attention to it, and I think the work that you've done is to be commended, and we appreciate your time today. Senator Manchin, any final thoughts? Hit your button. Appreciate all the work. I know a lot of effort you put in this for quite some time. I appreciate it very much. Having served with Senator King on Intel Committee, it's opened our eyes. There's a lot of concerns we have, and we're still very good at what we do but can do a lot better protecting the American people as best we can. It weren't our thing I want to ask a question on. Do you see the private sector opening up a bit?
Communicating enough to let them know they have a responsibility to harden up also? The answer is, yes. And I would include, when you said private sector, also the states, the public, the election system, for example. Are they looking to us? Senator King, looking to us basically to do it all for them, or understand they have to come to the table, too? No. They're very much engaged in their own processes. Okay. Uh-huh. As I said. Because 85 percent of the target space is the private sector, and the chairman in his very opening remarks said we're here to defend the nation. We've got to help defend them, but they have to do their part. Yeah. Building those relationships is very much a part of what we're trying to establish, and it's happening, I can assure you, but we're not there yet. Thank you. Thank you very much. With that, I would like to say thank you to our witnesses today. Senator Angus King, Honorable Michael Gallagher and Brigadier General John Inglis, retired. Thank you to all of you for your testimony, and with that this subcommittee meeting is adjourned. Thank you. Thank you.