The subcommittee will come to order. I want to welcome everyone to todays hearing of the emerging threats and capabilities subcommittee of the House Armed Services committee. With the president budget request released earlier today, this is our first opportunity to explore this request and the major implications for key defense missions. I think it is fitting that the first area we will dive into is cyber. This is an increasingly important area on overseeing the departments progress in building and maintaining cyber forces to protect, defend, maintain, and when necessary conduct offensive operations in cyberspace. As we move towards developing the fiscal year 2018 and daa, i have made cyber and cyber warfare one of my main priorities. In the coming weeks, Mac Thornberry and i, and the house Ranking Member adam smith stand to introduce legislation that strengthens congressional oversight of sensitive military cyberoperations, including mandating prompt notifications to congress in the event of unauthorized disclosures. We look forward to continuing to work with u. S. Cyber command and the department of defense as we finalize this draft legislation to ensure such notifications are responsive to our needs, but without adding undue reporting burdens on the department of defense. In addition to our focus on strengthening congressional oversight, other key focus areas will include provisions to strengthen our own cyber warfare capabilities and enhance our International Partnerships across the globe. In order to more thoroughly understand these issues, i would like to welcome our witness today, admiral mike rogers, who serves as the commander of u. S. Cyber command and director of National Security agency. Thank you, madam chair. And welcome, admiral rogers. Thank you for testifying before us today. Its always a pleasure to have you before the subcommittee. Thanks for bringing along a crowd. Makes it a little more of an interesting hearing. So the president s budget for fiscal year 2018 was delivered just this morning as the chair mentioned. Last Year Congress passed legislation establishing u. S. Cyber command as its own unified combatant command. The subcommittee worked diligently on the underlying legislation, because we recognize the importance of a trained and ready force able to conduct operations in concert with other military and u. S. Government efforts. Consistent with the appropriate legal authorities and policies. The fy17 ndaa also formalized the relationship with the principal cyber adviser to ensure advocacy and oversight of the command. We also provided u. S. Cyber command with limited cyber acquisition authorities two years ago, and id like to acknowledge the thoughtfulness by which the department has implemented this authority. Today i look forward to hearing about where these two initiatives stand. Both the processes by which necessary resources are being transferred from stratcon to cyber con and the new resources being provided as necessary for effective implementation. Clearly we made progress employing military Cyber Operations over the years. Weve been building the Cyber Mission force, but now we must make sure they are ready and stay ready for a threat that morphs on a daily basis. The persistent training environment, of course, is key to that end. Although the cyber domain is not new, theres still much that were learning, and we must leverage those lessons learned. We must assess the force we are building, how we employ it in order to ensure cybercom is postured correctly and if tools and capabilities are the best that we can provide them. So next week im going to be traveling to nato, the nato cyber cooperative, Cyber Defense center of excellence to attend its annual conference in estonia. I expect theyll provide extraordinary insight on how our nato allies view the cyber domain and how International Law are applicable and it will provide me with insight on how we can increase cyber collaboration against russian aggression. Admiral, id also appreciate your views on how we may strengthen collaboration with our nato allies. So in closing, i just want to echo what the chair said about the importance of formalizing notifications to congress of sensitive cyber military operations. The cyber quarterly brief provides us a forum to oversee Cyber Operations, and i was especially pleased with the participation of the joint staff and osd at the last engagement. However, in our oversight capacity, we must work with the department to get timely notifications as the chair mentioned, and i know that were going to work toward that end. So with that, i thank you, admiral rogers, for appearing today. Thank you for what youre doing at nsa and Cyber Command, and with that i will yield back. Thank you, jim. I also would like to remind members that immediately following this open hearing the committee will reconvene upstairs in 2337 for a closed, classified round table discussion with our witness. Admiral rogers, youre now recognized for your Opening Statement. Thank you. Thank you for your enduring support and the opportunity today to talk about the hard working men and women of the United StatesCyber Command. I look forward to discussing the commands posture and welcome the opportunity to describe how u. S. Cyber command conducts efforts in the cyberspace domain and supports the Nations Defense against sophisticated and powerful adversaries. The department of defense recognized seven years ago that the nation needed a military command focused on cyberspace. U. S. Cyber command and elements have been given the responsibility to direct, operate, secure, and defend the departments systems and networks, which are fundamental to the execution of all d. O. D. Missions. The department and the nation also rely on us to build ready cyber forces and to be prepared to employ them when significant Cyber Attacks against the nations Critical Infrastructure require dod support. The pace of International Conflict and cyberspace threats has intensified over the past few years. Hardly a day has gone by during my tenure at Cyber Command that we have not seen one Cyber Security event somewhere in the world. This is consequences for our military and our nation at large. We face a growing variety of advanced threats from actors who operate with ever more sophistication and precision. At u. S. Cyber command, we track state and nonstate adversaries as they continue to expand their capabilities, to advance their interest in and through cyberspace, and try to undermine the United StatesNational Interests and those of our allies. Conflict in the cyber domain is not simply a continuation of kinetic operations by digital means. It is unfolding according to its own logic, which we continue to better understand. And were using this understanding to enhance the departments and the nations Situational Awareness and to manage risk in the cyber arena. Id also look forward to updating you on our initiatives and plans to help do that. Our three lines of operation are to provide Mission Assurance for dod operations and defend the department of defense information environment, to support joint force commander objectives globally, and to deter or defeat strategic threats to u. S. Interests and Critical Infrastructure. We conduct full spectrum military Cyberspace Operations to enable actions in all domains, ensure u. S. And allied freedom of action in cyberspace, and deny the same to our adversaries. Defense of Dod Information Networks remains our top priority, of course, and that includes Weapons Systems and their platforms, as well as data. To execute our missions, i requested a budget of approximately 647 million for fiscal year 18, which is nearly a 16 increase from fiscal year 17 due to additional funding for Cyber Commands elevation for the fiscal year 17 ndaa, building out cyberspecific capabilities and tools, and jtf area support in the fight against isis. Were completing the buildout of the Cyber Mission force with all teams to be scheduled to be fully operational by the year fiscal 18 and help from the services continually increase readiness to hold targets at risk. Your strong and continued support is critical to the success of the department in defending our National Security interests in cyber. As you well know, i serve as both commander of Cyber Command and director of the National Security agency. This dualhat appointment underpins the significant benefit right now in Cyberspace Operations. The institutional arrangement between these two organizations, however, will evolve as Cyber Command grows to full proficiency in the near future of t. Also conditions for splitting the dualhat arrangement, which can only happen without impairing either organizations effectiveness to complete their missions. This is another area i publicly stated i support, pending the attainment of certain critical conditions. Cyber command will also engage with the subcommittee on several other maeftters related to authorities in the coming year. This would include increasing cyber manpower, enhancing the professionalization of the cyber work force, building offensive capability and capacity, and developing and streamlining our acquisition processes. These are critical enablers for Cyberspace Operations in a dynamically changing global environment. And most or all of these particulars have been in recent ndaa acts, along with the joint staff well talk with you and your staffs to iron out the Implementation Details of that legislation. The men and women of Cyber Command are proud of the roles we play in our nations Cyber Efforts and are motivated to accomplish our assigned missions overseen by the congress, particularly this subcommittee. We work to secure and defend dod systems and networks, counter adversaries, and support national and joint war fighting objectives in and through cyberspace. The commands Operational Success have validated concepts for creating cyber effects on the battlefield and beyond. Innovations are constantly emerging out of operational necessity and the real world experiences in meeting requirements of National Decision makers and joint force commanders continues to mature our operational approaches and effectiveness over time. At the same time, i realize cybersecurity is a National Security issue. It requires a whole of nation approach that brings together both public and private sections of our society. Our point of Partnership Program in Silicon Valley and boston has proven to be a Successful Initiative to link our command to some of the most Innovative Minds from industry, working together on cybersecurity as we face 21st century threats together in the private and Public Sectors. This combined with agile policies, Decision Making processes, capabilities and command and control structures will ensure Cyber Command obtains its potential to counter our adversaries. The men and women of u. S. Cyber command thank you and appreciate your continued support as we confront and overcome the challenges facing us. We understand that a frank and comprehensive engagement with congress not only facilitates the support that allows us to accomplish our mission, but also helps ensure our fellow citizens understand and endorse our efforts, which are executed on their behalf. Ive seen the growth in our commands size, budget, and mission, and that investment of resources, time, and effort is paying off. And more importantly, its helping to keep americans safer in the cyber arena. But not only in cyberspace, but other domains, as well. And i look forward to continuing the dialogue across the command and its progress with you in this hearing today and over the months to come. I look forward to answering your questions. Thank you, admiral rogers. We now turn to questions. First i want to thank you for your service and your leadership. My first question is very broad. Last years ndaa elevated Cyber Command to a full combatant command. What steps need to happen before the changes to the unified command plan take effect . So, first, the secretary of defense and the president need to make a decision. Secretary of defense making a recommendation, the president ultimately making the decision. As to the timing and the process well use, and that process is ongoing and i dont want to speak for the secretary or the president , but i know that process and that discussion is ongoing. Given the language in the ndaa and in anticipation of this possibility, we spent much of the last year working our way through the specifics of how we would do that, and if a decision is ultimately approved, were prepared to apply that and in a timely manner and in accordance of the direction and timeline provided to us. What are the specifics, as you said youre assessing the specifics you would do to take action. What are they, specifically . If i could, until we have an ultimate decision, id rather than not get ahead of my leadership and i think i owe them that and get into the how. Yes. Part of your responsibilities that we enshrined in section 923 of fy17 ndaa when we elevated cybercom involved development of doctrine and tactics related to cyber. What role do you have in advocating for or driving Doctrinal Development for the individual services when it comes to cyber . So, as the senior operational commander in cyber in the department, its the partnership between that cyber team, if you will, and our fellow operational commanders and policy makers that help shape, so what is the doctrine that should shape how we employ this capability that the departments developing . If you look at what weve done over the course of the last year, the efforts against isis, things were doing against other real world challenges, they are shaping the way were looking at how do we build a force of the future, what are the concepts for its employment. If you go back a couple years, for example, i can remember a year ago, two years ago, one of our fundamental concepts was we were always going to deploy forward in full teams. One of the things we found with practical experience is we can deploy in smaller sub elements, power of data analytics, we dont necessarily have to employ everyone. We can work in a much more tailored, focused way optimized for the particular Network Challenge were working. Were actually working through some things using this, for example, out in the pacific at the moment. A few weeks ago in your testimony in front of sasc, you were asked about whether we should be considering the establishment of a Cyber Service, and at that time you said that you were not a proponent. Could you explain a bit more as to why you feel that way . So, the reason im not i certainly understand others have a different different view. The reason im not a proponent of that is my concern is if were not careful we will view cyber as a very technical, very, very specialized, very narrow mission set and my view is cyber fits within a broader context and if you want to be successful in the ability to achieve outcomes within the cyberspace arena, you need to understand that broader context and im afraid that if we go the Service Route we will tend to generate incredibly technically proficient but very narrowly focused operators and one of my take aways from being in the department of defense is were optimized for outcomes when the workforce has a broader perspective and i also think back because im a big fan of history i think back to the dialogue of the 1980s when i was first commissioned in the military and the aftermath of the failure of desert one and the effort to rescue those u. S. Hostages being held in the embassy in teheran, we had a lot of dialogue about is soft so specialized, so poorly understood by the broad conventional part of the military, so needing of specific attention that we should create a separate soft service. We ultimately decided that the right answer was to create a joint war fighting construct. Thus in 1987 was born special operations command. And in addition, we said that the operational entity needed to be a little uniquely structured. Not only should be a war fighter but it should be given Budget Resources that enable it to not only employ capability wu determine the operational capabilities and drive the investments to generate the capability. I think that that is a very effective model for us to think about for cyber and Cyber Command, vice just automatically transitioning to the idea of a separate service. Thank you. My times about to expire. I now recognize mr. Langaman. Thank you. So, admiral, congress has provided cyber com with Acquisition Authority so i want to first of all commend the thoughtfulness by which the provision was implemented but can you provide a general overview of how that authority will be executed in overseeing in the command . So as youre aware we sat down from a policy and technical perspective and an operational perspective and ask ourselves whats the best way to execute this by the congress. Again, we thought socom offered a good model, we approached the teammates and said you have a skill set, you have personnel who are much more proficient in this area than we so socom identified two individuals that we have hired to provide our acquisition oversight and certification, if you will. Those individuals were put in place just a couple of months ago. The authorities are almost all finished and see us starting this summer and we have identified an initial set of priorities about where to apply the authority in terms of acquisition and you will see it play out over the next couple of months and we have a few things to iron out and you will see us implement this over the course of the next couple of months. The authority is not used yet . Not yet. I have specific technical and overnight and control things to make sure are in place before we start spending the money and using this. That will all be finished within a month or so i think. Can you speculate, an example of what you think the authority may be used for . What i have asked is we have identified, for example, a series of capabilities through Cyber Commands point of partnership we call it out in silicone valley so ive got i already have a structure thats interacting with the private sector. Now i want to overlay the acquisition that is right to actually now i actually purchase, if you will, and acquire some that have that capability from the private sector we have been talking to them about for a few months and try to work the requirement piece in anticipation of gaining the Acquisition Authority. Now that we have got that pretty much done and i overlay the authority, you will see us start to enter some specific contracts very focused on a couple specific mission seths and defense for teams, first area to focus on. Okay. Very good. So i mentioned in my Opening Statement that im attending the cyber conference of nato, the cooperative Defense Center of excellence next week. What is the relationship with the center and nato . And your opinion, how can we cooperate more closely with our nato allies and that cooperation be strengthened . So, for example, like yourself, i was out there last june and spoke at the same conference. Every time im at estonia, i spend time at the center, talk to them. The points i try to make to the nato teammates are a couple fold. First, under the nato framework, the center represents the positions of the members of the alliance that participate in the center. Not necessarily the alliance as a whole. So, for example, not all 28 nations, 29 now with mont nay go, not all 29 participate in the center. Id like to see if we can somehow more formally tie the center to natos policy development, for example. I think that could really accelerate some things. Also, im trying because capacity is a challenge and trying to meet the priorities and help key allies in the nato alliance. One of the things im interested in creating a partnership of european command. Were talking about potentially placing an individual maybe in the center in the course of the next year or so to more directly link with ourselves. Id also like to see what could we potentially do within the exercise framework that the alliance is starting to create in cyber now. I have already extended invitations to them to observe and participate in our exercise framework but i would like to do the same thing if i could in the nato arena. So you know obviously that the Congress Passed the cyber information sharing legislation and something that was domestically. Right. And we have information sharing, for example, with the israelis. How are we doing with robust cyber threat sharing information with our nato partners . Right now, most cyber sharing tends to be focused in many ways on a nation to nation basis. Thats another one of the challenges and interested with in Cyber Command. How can we work that formally. Military organization to military organization so were doing this once and not 29 different times as it were. Okay. Very good. My time expired. I do have additional questions and if we dont get to a second round, ill submit them for the record. Appreciate you getting back to me on them. Thank you for the work youre doing and thank you for your service to the country. I yield back. Dr. Abraham. Thank you, admiral, for being here. The Armed Services certainly have their own Cyber Commands. What is cyber com doing as far as the manning and the concept of operations as far as having duplicative issues within those services . Remember the way yeah, to prevent the duplication. Yes, sir. So the way were structured, each of those Service Primary operational Cyber Commands is a subcomponent of u. S. Cyber command. Whether its army cyber, coast guard cyber, air force cyber, fleet cyber, mar force cyber, they have an operational relationship to me. Thats how we try to work the joint and the service piece in a very integrated way. Im the first to acknowledge and i was a commander before this job. I was the navys guy. Fleet Cyber Command. In those service structures, theyre both opcom to me in the execution of the joint responsibilities and they have Service Responsibilities and i try to be the connecting loop partnering with them and also partnering with the Service Leadership to make sure that from a service and a joint perspective in the department we are aligned and focused on priorities and outcomes. All right. And so lets parlay that into our other federal agencies that it seems all of them certainly have a cyberspace department, so to speak. Cyber com, as far as coordinating mechanisms between other federal agencies, could you explain that a little bit, please . We coordinate directly primarily in the rest of the government with the department of Homeland Security. Thats particularly driven by the fact that one of Cyber Commands three missions is if directed by the president or the secretary of defense to defend Critical Infrastructure against acts of significant cyber consequence. We would do that in partnership with dhs. And so because of that, were closely relying with them. In fact, i just was talking with the team yesterday. Between the private sector in the private sector the u. S. Government has designated 16 different areas, think about finance, transportation, aviation. There are 16 different segments that the federal government has designated as critical to the nations security. That infrastructure. We have picked one of those 16 segments to do a test case, if you will, between dhs, Cyber Command, that private sector as well as nsa from an information and intelligence sharing, that would be the nsa rule, to get down to an execution detail about how we would do this day the day. My experience as an military individual has taught me i dont like to do discovery learning when im trying to contact with a client. It tends to be a high loss rate. Inefficient. Often resource intensive and much slower. Im interested in how can i create those relationships now before we get into a Major Incident directed against one of those 16 segments. I think i have time for one more question. What is cyber coms supporting role in north com, pay com, and has the d. O. D. Codified that relationship so that if there is an incident or accident that that can be really instituted very seamlessly if such an event should happen . So, our role on the defensive side is to support and ensure the continued operation, for example, of those networks, Weapons Systems, and platforms that those operational commanders and others count on to execute their missions. In addition, we generate offensive capability, particularly for pay com and other geographic commands outside the United States because we dont really see i dont think right now in my mind how would we apply cyber offensive capability in the United States . Not that thats not the role of the d. O. D. Our focus inside the United States would be largely defensive. One of the things its focus area i have set out a series of goals for 2017. One of those goals is increased Cyber Reserve and guard integration to get to the question that you are really driving at. How do we make sure to for a domestic incident that all elements at d. O. D. Are aligned . And we all know how we are going to do this. And all the forces know what their role is going to be, the command control is all outlined. North com knows what they are going to do. I know what im going to do. Pay com, they have a domestic responsibility. They know what they are going to do. I would like to use the defense support to Civil Affairs which has been an ongoing process we have used for decades. I would kinds of like the use that as a test model. I am a big fan of lets use what is working elsewhere, to the extent that i can. Okay. Thank you. Mr. Larson. Admiral, thanks for coming. I would like to go back to the question of unified Cyber Command because your answer wasnt concerned about the portion of the answer we are still working it out. I was concerned because i thought i heard you Say Something that runs counter to what we told you all to do. And that is the decisions made to do this. And that the secretary and the president dont need to make a decision to actually do a unified command. The law as i understand but they will drive the timing, thats separate thats my only point is the timing. If thats your only point, thats fine. I just thought i heard something else. I apologize if i miscommunicated. You have clearly provided a legal framework. Thats what you are doing. Absent of changing the law, thats what we have to execute. Okay. Appreciate that. Id like to go back, as well, to something the chair was exploring with you and had to do with having a Cyber Service or not. I actually agree with you in not having one. But it does beg the question, though, to have to have that capability. What flexibility do you need in personnel . What flexibility do you need in contracting . Just kind of what flexibility do you need to fully utilize and even develop a formal framework so you can using active component reserve guard as well as the Contractor Community . Among the ways that we try to ask ourselves if we are going to go with a service base approach, which is what we are executing, how would you do it, we came up with baseline principles if you will. First is it doesnt matter what your service is, guard or reserve, we build to one standard. And so, we have created within a joint framework for every position within the Cyber Mission force we can tell you the pay grade is and we can tell what you the qualification standards are and we can tell what you the duties are that are assigned the position. Because i said, look. We have got to create one integrated force. And if we do 1,000 different variance, i cant optimize that. The second thing we said was the structure of the teams needs to be the same regardless of whether it is a particular service, guard or reserve. The analogy i used was it doesnt matter if we have an f16 squadron in the guard or in the active force, theres one squadron nomenclature for an f16 that we can then employ anywhere globally because we know everybody is built to the same standard. Even as we acknowledge, there are some variances but everybody is built to the same standard. That was another principle, the only way we can make a service base approach work is active or reserve, guard or reserve, it doesnt matter. We are building to one standard. If we stick to that framework, im very comfortable that we can make a Service Approach work for us. If we insist on variance, if we insist on everybody doing their own thing im the first to admit this is not a model thats going to generate the outcomes we need. Im the first to acknowledge that. And the role of the private sector . So, the private sector, when i look at them a couple things come to mind. Number one, they are providing the they are the ones who are going to provide the Human Capital. Whether that Human Capital ends up wearing a uniform, whether its part of our civilian Government Workforce or its contractor force. They all start in the private sector. So its one of the reasons why i spend a fair amount of time as Cyber Command and as director of the nsa to the same extent in some ways with the academic world, with private industry about so tell me how do you create a workforce . What works for you . What incentives are you using . What has failed that in hindsight you say to yourself, dont go down this road because it really failed spectacularly for us. Even as i acknowledge there is a difference between government and the private sector. But i think there are some things that we can learn from each other. In addition i think two other areas come to mind for me with the private seconder. The first is technology. The days when d. O. D. Is going to be the engine for technological innovation and change i think are long behind us. Its not the d. O. D. Model. Thats why we created the point of partnership in Silicon Valley and in boston. Its why i thought the acquisition piece was so important for us. We have got to be able to tap into the private sector in terms of acquisition and technology and capabilities. And then the last area, which is a little bit counterintuitive in some ways, when it comes to the generation of policy, concepts, thought, the private sector can play a huge role here. I think back to the beginnings of Nuclear Deterrence and nuclear policy, for example. If you go back in the 1950s and you read much of the thought process, much of that was falling from the academic world. Hardly anybody remembers now that Henry Kissinger in the 1950s and 1960s was a professor at harvard writing about Nuclear Deterrents and Nuclear Deployment that he and others ended up shaping the Strategic Vision we had. Id like to see the same thing in cyber. All right. Thank you. Ms. Cheney. Thank you, madame chairwoman, and thank you, admiral rogers, for your service and being here today. Secretary mattis, before he became secretary, in talking about the budget control act and sequestration said no foe in the field could do our military as much harm as sequestration and the budget control act. As we begin the process of looking at the 2018 budget, im interested to know to what extent you were able to factor in strategy and threats and sort of Strategic Thinking about what needs to be done as you put together the budget for Cyber Command and to what extent you have still been hamstrung by the bca and by those cap numbers. So like any entity its about prioritization. We spend a lot of time figuring out with finite resources even with growth with finite resources how are we going to prioritize. So our input for the fiscal year 2018 and in truth in lending we just rolled it out as a government as a department this afternoon and during the mid day today. I have not seen the specifics. I know the broad number for us but i havent seen the sub elements about that. Ill talk broadly. I apologize but ill talk broadly. For the 18 input we tried to identify those priorities. In a macro sense in no particular order i have been arguing manpower, investment in core capabilities, and then number three, how can i accelerate number one and number two. How can i do both of those faster . Because in some ways, even though as with the Wannacrypt Ransomware that we have been going through shows there is motivation in the department. Men and women doing good work. We were not impacted by a wanna crypt. That wasnt by a lack of effort. We sent significant Time Starting in march asking ourselves how might this play out, how will we position ourselves in the case of microsoft did put out the patch for the vulnerable. We as microsoft users saw that and started to asking ourselves did a patch of the its one of the reasons why we use a defense in depth strategy. There is no one single solution, there is no one single way to fix this problem. Its layers built on top of each other. That really has been the key to our success. So we are asking ourselves how can we do this faster. Every day, one of my biggest concerns is and i have never really had this same viewpoint in almost 36 years of commissioned service. Every day i literally think to myself we are in a race to generate more capacity and more capability at the same time that im watching a host of global actors doing the exact same thing. We are trying to sustain both staying up with them but quite frankly my objective is to get ahead of the problem set. I dont like reacting to things. Its not an efficient way to do business. I dont think its what the nation wants from us. Until im able to bore into the specifics of the budget that quipd of gives you a broad sense of what i thought we needed to focus on. Would you say, admiral, that the budget as its been proposed provides the resources necessary to regain superiority in areas that we have lost it . It certainly moves us along that road but no one should think for one moment that this mission set not unlike some others is going to require increased and sustained investment over time. This is not going to be a one or two years we have increased you by some reasonable number, which has been the case for the last few years, and thats all you are going to need. If you look at scope and the challenges associated with this mission set and from where we are starting we have a lot of hard work ahead of us. Would you talk a little bit about how youre going to measure success and how youre gong to measure progress along that path of regaining superiority . There is a couple components to it. First, we have developed a set or we are in the process of developing a set of metrics. How do we truly assess readiness for this force that we have created . We focused for the first few years on assessing initial operating capability and final operating capability. Thats when you hear us talking about foc and ioc. You heard me say in my remarks we achieved ioc essentially on time, october 2016, we are on track for that. One of the things i tell the team is that doesnt get to war fighting. In the end its about our ability to actually operate in a sustained, heavy environment. Just like when we are building a brandnew carrier or a brandnew fighter wing for example. Its not enough just to say we have got the pilots and the parts. Its about training, assessing readiness. We are working our way through how are we going to do that. Then its other things like we ask ourselves are we driving down defensive penetrations . Are we driving down malware infections . Theres some, you know, specific metrics that we think that we can use to give us a sense particularly on the defensive side. Are we being more effective or not . Thank you very much. My times expired. Mr. Orourke . Thank you. Help me understand a little bit how we make clear to other countries in the world the consequences of Cyber Attacks. With conventional weapons in conventional wars, there may be an understanding of what the consequences will be should one country attack another with a certain kind of weapon. What is our level of dialogue with other countries, including those countries we view as threats, including those countries who i think we know who have attacked us about what the consequences are Going Forward . If i could in an unclassified session, im not going to go to get into specifics associated with particular nation states, it hasnt been one size fits all approach, which is true broadly for strategy for us i would argue as a nation. Its not a one size fits all approach. We try to optimize the way we are looking at this particular challenge set based on the particular actor we are dealing with. What works for one wont necessarily have the same impact as what will work for another. There are let me talk about a couple basic things. We have been very public and acknowledged the fact that we are using cyber offensively against isis. Not just because we want isis to know we are contesting them but because quite frankly we also think its in our best interest for others to have a level of knowledge we are investing in capability and employing it with a legal law of armed conflict. We have also employed strategy documents for department of cyberspace strategy is developing offensive capability that we believe that deterrence is an important concept. That we have got to work our way through. We are trying to communicate to the world around us that we are aware of the kinds of activity were seeing out there. Some of it we view with concern. As a result we think its in our own nations best interest to have a set of capabilities that both generate greater options for our policymakers and our operational commanders but at the same time help communicate to others around us you dont want to go down this road with us. I think the reaction or the way wanna crypt played out in the United States, for example, is a very good example of that. Hey, look, in a major malware evident that took down many systems in lots of other parts of the world, did not have the same level of effect on us here in the United States. Let me ask you a question about that. Thats not by chance. To what degree are we treatybound to assist an ally who attacked through cyber not kinetically . And are we already assisting allies who are maybe to use that most recent example that you just gave . Thats a bit of a legal question. And thats not my lane but ill give you my thoughts from my perspective as an operational commander. We, for example, nato has been very direct in saying that they view cyber as a natural continuation of the standing article five framework where an attack against one is an attack against all, even as nato acknowledges the application of article five is through a decision framework in the North Atlantic Council and its done on a case by case basis. But broadly, thats the intent and thats been communicated in multiple forms and multiple ways. For other nations you would have to ask somebody who is a little bit smarter on the particulars of the standing mutual defense treaties. Let me ask you another question. Because we know the russians attacked the integrity of our elections here. Uhhuh. Because we know that they have done that in other countries because past behavior is a good predictor of future behavior, whose responsibility is it in this country and then kind of to maybe for the record on for our allies when our al allies elections are attacked. But is it Cyber Command . Is it dhs . Is it both . Should the rnc or the dnc be attacked Going Forward, for example, whose responsibility is that . Under the current framework, could change, but the department of Homeland Security has overall responsibility for the provision of capability and capacity within the federal government in support of the private sector. Broadly. Cyber command, in its defined mission of if directed, as i said, to support the defense of Critical Infrastructure we would partner with dhs to do that. We would do that, Cyber Command, by attempting to interdict that opportunity before it ever reached that network. Frankly we wouldnt focus on blue or friendly space. We would be out in gray space. And red space. Its years before it gets here. Once it gets here simplistically, once it gets here, dhs created a sector framework. Cyber command has capabilities in the form of Cyber Protection teams that we would also deploy in partnership with dhs to support within those 16 Critical Infrastructure areas. Again, its one of things that i mentioned earlier that i want to test. We are going to start using one particular sector thats more mature than some of the other 15. Thank you. Mr. Franks. Well, thank you, madam chair. And thank you, admiral rogers. Thank for your service to the country and your job is so very important to us all. You stated that your First Mission priority is defense of d. O. D. Information networks. Would you suggest that that means that defensive operations doctrinally will take precedence over offensive operations . No, i remind the team we have three missions and we have to be capable of executing all of them. I cant go to my boss and say, i chose to focus on number one. Dont get me wrong. Like any commander i have to prioritize. As i am looking at the challenges out there, i have told the team we will prioritize number one even as we acknowledge we have to execute those other two missions. But like any other operational organization, as times i have to prioritize resources, focus. It isnt just one and not the others. We have got to do all of them. Yeah. Well, as you know, the d. O. D. Relies upon the civilian power grid for 99 of its power requirement, without which im told that its it becomes impossible in conus to affect the d. O. D. Mission. Do your priorities include protecting the u. S. Power grid and other Critical Infrastructure against Cyber Attacks . So again, i dont have responsibility for the defense of that in the United States. I will say one of the things im interested to see if we can maybe look at doing differently, im having this conversation in particular with transcom at the moment. Right now when it comes, for example, to Critical Infrastructure that the d. O. D. Counts on to do its mission, when it comes to clear defense contractors who either are generating the capabilities that we use, advanced fighters, and other platforms, as well as private industry, for example, for transcom that provides services, lift, movement of cargo under the current structure, the Defense Security service has overall responsibility for the interface with these private companies. Not the not transcom for example, even though they work for transcom or they provide a Service Based on a contractual relationship with transcom and not necessarily for us. I would like to see is there a way to bring those operational commands, Cyber Command, dss and that private sector together in a much more integrated way. Because what we are finding right now is i will become aware of activity, i will pass that to dss, dss passes that to the private sector. That doesnt come across to me always as the fastest, most efficient, most agile way to do business and i would like to see if we can maybe change that. Admiral, you know that thats been one of the challenges in the past that sometimes, you know, the whole notion of protecting the grid from Cyber Security challenges kind of walks the 13th floor of humanity. Right. Because we in the department, your department, they consider that a civilian responsibility. Of course, the civilian response is that that is a National Security issue and should not be our responsibility. And my fear of course is this neither, with the sufficient focus on it as necessary. And given your stated yes, sir. Yeah. So its worth always Touching Base on. How will Cyber Commands posture improve once its elevated . Do you believe you will have all the resources and authorities you require to accomplish your assigned missions and what do you expect your number one challenge will be in terms of russia, china, iran, isis, someone else . Let me unpackage this. If i forget one, let me know, sir. First, whats the benefit of elevation . Why have i and others recommended that thats a smart course of action. Even as i acknowledge the decisions not mine. Its outlined in legislation. Now its timing issue absent a change to the legislation. In the departments processes when it comes to how we develop budgets, how we articulate prioritization, how we develop broad policy, it is generally built around the idea that the Combatant Commanders are the primary voices for operational end of those processes. Not subunified commands. Combatant commanders. One of my concerns have been, we talk about the importance of cyber. I acknowledge there are other priorities in the department. And yet for some, not all but for some of our processes the cyber expertise is not embedded in the current structure because you would put it one level below. I believe that elevation plugs us in more directly into the primary decisionmaking processes within the department which is really optimizes for Combatant Commanders. Now there is one less layer to work through. The commanders i have worked with, general heighten, and boy, how quickly we forget. I can picture he was a good flag officer friend. They were great to team with because i would tell them, look, if we are going to insist i think i do flows through, i cant get the timeliness and i cant get the speed and this helps address that. Time is expired. Thank you. I now recognize mr. Copper. Thank you madam chair. Apparently two of our colleagues have introduced a bill that would allow private sector u. S. Companies to hack back active defense. I hadnt realized before this is apparently illegal today absent a law change . So could you reflect on this proposal and whether its a good idea or not . So, broadly i only speak for mike rogers because im not in the policy lane but i have an opinion. As an operational commander, my concern is while there is certainly historic precedence for this, nation states have often gone to the private sector when we lacked government capacity for capability. We did that in the revolution war. Go out and capture cargos from the royal navy and the merchant fleet. My concern is be leary of putting more gun fighters out in the street in the wild west. As an individual tasked with protecting our networks, i am thinking to myself we have got enough cyber actors out there already. Just putting more out there im not sure is in everybodys best interests. I would also be concerned about the legal liability you might and im not a lawyer. The legal liability. I would think that you would have some liability issues associated with taking actions with second and Third Order Effects that you dont truly understand when you actually execute it. Thats just my concern. Are other countries doing this . Are you familiar with any other countries that have enabled their private sector there may be equivalent legal frameworks out there. Certainly not that have come to my attention and not that i have had a discussion about. I was curious. You used a gun fighter analogy. Some people have thought that the nra might set up a whole new wing of activity for this. Its to the extent that private business in this country feels disconnected from government, or that as you pointed out earlier, government response is too slow or that certain National Security interests are not recognized as being National Security interests even when its protecting the grid, i think you are probably going to see greater pressure. Right. I would agree. In some ways it goes back to, again, showing you my war college education. I dont want you to think as a taxpayer i didnt listen when i was sent to service colleges. In the west failing and construct the application of force has generally for the last several centuries been viewed as a mission or a right of a sovereign state, not something that the private sector does. We dont use, for example, for us we dont use contracts to actually drop and fire weapons. We dont use mercenaries to do that. We use uniform military. I would just be concerned that going that route again argues against the broad principles we have used about the role of the state and applying force kinetically or nonkinetically. We dont use those tools but in our degraded west failian system we dont know who we are being attacked by. It might be state actors, quasi state actors, possibly private actors. Who knows . Well, it depends on the situation. But im the first to acknowledge 100 attribution is probably a standard we are going to be driving for for a long time and not necessarily achieve immediately. What percentage of accuracy in attribution would you give us today . Oh, it depends on the actor. If you take, for example speaking now as on the nsa side, if you take look at the efforts we did in the Intelligence Community assessment with respect to russian efforts to influence the 2016 election process, really high confidence. Very fine grain attribution. If you take a look at wanna crypt, for example, were ten days into this, and collectively both the private sector and the government we are still working our way through who are the actor or actors associated with this . It tends to vary. There is no single concrete with the elections, we are close to 90 , 95 , and this we are 60 but raising it . I dont know, i havent really thought about it from a number. Okay. Thank you, madam chair. Mr. Scott. Thank you, madam chair. Admiral, it is a long way from auburn university. We are eagles, sir. I hope you never lose a war or win a ball game. I am a university of georgia graduate. Oh. I have a brother who went to the university of georgia and sisterinlaw. Good man. Misguided individuals. I love them. Was he the one that bit the auburn player . All kidding aside, thank you for your service. And we talk a lot about how Fast Technology changes. In the acquisition process being a problem throughout the department. I would like to hear your comments on the personnel. Again, you speak to this in you comments. You know, when you get the young man, the young woman out there thats the best and the brightest, their opportunities in the private sector versus their opportunities in the Public Sector under your command, the challenges there, and the issue of, you know, what percentage of your personnel are civilian versus uniform . Roughly we are about 80 military. About 20 civilian. Thats kind of what we are building to. It varies in some areas, but its about 80 20. I know we have a tremendous number of wonderful people in uniform. Some of the people that we see that seem to be the best and the brightest in the Technology Field arent exactly the people that you imagine going to boot camp. Right. How do we recruit in case i mean, do we have a system in place to allow those people to serve . It is one of the reasons why we have tried to come up with a total force concept for us. Active, guard, reserve, civilian, contractor. That within that pool of five subpopulations, if you will, we can match almost any individual. Hey, i really want to get into this. I want to serve the nation, but i have no desire to deploy or be put through the physical Fitness Standards of the uniformed world. Boy, i would love to work for you as a civilian. Hey, i like mobility. Im going to try the contractor route so i can move around a little bit. We tried to build a structure that attracts a broad swath. The Positive Side to me is, boy, when you get people in the team i was just talking to one of the Service Review panels. One of the services out there is created has asked a party of gray beards to take a look at how they manage the Cyber Mission force within their service. And to answer the question, are they really optimized for the future. I coincidentally this morning was just sitting down with this retired former chief of their service. And i said, well, you have talked to the teams because they did that as part of their process. I said, tell me what you are hearing from them. I have a sense but im curious what you are hearing. He said to me the most amazing thing is every team we talk to these men and women are so motivated and love what they are doing. That is a real plus for you. They really are into this mission. Because their self image is theyre the digital warriors of the 21st century. The challenge, i think we have got to work with the services who provide this manpower capability. How do we manage it effectively over time . And how do we also build into this the fact we have got to acknowledge there are some areas we have got to do differently . We cant put a person in this once and then spend all this Time Training them and then they dont do it for another ten years. Thats ridiculous to me. On the other hand, i realize there is more than just the Cyber Mission force. The services are asking themselves how are we building a broader work force to address cyber. Im working with the services about what percentage of the eligible training population makes sense, what kind of policies we should have with respect to retouring them so we sustain some level of capability and experience over time and we are not starting all over again every three years. Thats one of the challenges at the moment one service is trying to deal with. Their model. Im argue we have got to make some changes to. We just cant afford to retrain everybody every three years. I dont think its costeffective and demoralizing to the men and women. I think this is going to be one of the greatest challenges Going Forward in how we handle the cyber war, if you will. Right. And not just with your issue. We hear the same thing about the drone pilots and how dedicated they are and how determined they are, and you know, the need for flexibility. Yes, sir. With where they work and the time that they work. And i recognize it from a pay scale. Were nowhere close to what they would get right, but on other hand so i their commitment to the country and your commitment to the country, as well. Sure. Thank you. Mr. Wilson. Thank you, chair woman, for your extraordinary leadership on organizing this hearing. Sir. Its just an honor, admiral, to be back with you and we appreciate your Innovative Service to address the issues of Cyber Defense. As the former chairman of the subcommittee on emerging threats and capability im keenly aware of the huge challenges that lie before us and the extraordinary men and women that you put together to serve in your command. Cyber security is a 24 hour 365 day a year responsibility that requires instantaneous analysis, response, and deterrence. After each cyber attack, we had the circumstance where the government officials are grappling with whether or not it constitutes a mere nuisance or an act of war. It is for this reason i introduce the cyber attack standards measurement study act hr 1030 which would require that a direct of national intelligence, the Homeland Security security department, fbi, and secretary of defense to conduct a study to determine appropriate standards that could be used to quantify the damage of Cyber Incidents for the purpose of determining appropriate response. And two questions. Do you believe that there exists an interagency definition for cyber act of war . And secondly, do you believe that we have a common metric to measure Cyber Incidents which could benefit the interagency response . I think there is a broad certainly in the kinetic world there is a broad definition out there of an act ever war. But even in the kinetic world its still somewhat situational. So i fully expect that our experience in cyber is going to be something similar. It goes to one of the previous questions in some ways, articulating those concepts in a way that actors understand that you may be tripping a threshold that will trigger response. I think thats in our best long term interest. That helps, i think, helps the nation states, actors, groups out there understand there are potential prices to pay here. And at some point you will trip a threshold, again, depending on the scenario. And thats not a good place for you to be. We are clearly still working our way through there. I am not a policy guy. Im the operational guy. I try to figure out what do we do once the policymaker makes that determination. And thank you for recognizing, too, it can be nation states. It could be other actors. What a challenge. And so were so grateful for your service. One of the first challenges that you have are updating antiquated infrastructure. Yes, sir. Im grateful that the district i represent is adjacent to ft. Gordon, home of the harmys Cyber Command. Can you please describe the amount of Infrastructure Modernization that needs to occur and how the demand differs across the army, navy, air force, coast guard and marines . As we saw and ill use wanna crypt as an example. As we are working our way through the services because i have overall operational responsibility, the services physically own much. In the Current Network structure the services own the structure. I partner with them in attempting to address that infrastructure Cyber Security. One of the things we continue to find is we are still carrying a lot of very old infrastructure that offers potential increased vulnerable. Vulnerability. And the defense in depth approach we use is designed to help mitigate that. But i literally just sent a note to a service chief earlier this week and Senior Leaders in that service and said, look, at some point these vulnerabilities down at the tactical level in our acquisition will become potential points of exploitation by others that have the chance to negate some of that defense indepth. So weve got to address this. I find we have talked a lot about manpower. But in some ways to me the acquisition piece, thats even harder. Because its long term. Its huge costs. And it is competing against priorities like so do you want me to buy more f35s, official, you know, carriers . Do you want more brigade combat teams . In a world of finite resources you got to make those resource tradeoffs. In general, the acquisition world hasnt historically always been incentivized for Cyber Security outcomes as its primary metric. Thank you very much and we look to working with the chairwoman to back you up in every way. Thanks. With my time running out i do want to thank you for the participation by the National Guard and your efforts. What has been the level and what more can we do to help new this regard . If you just look at Cyber Command we have over 100 guardsmen and reserves every day supporting us. Every day we have we currently have guard components activated on the defensive side. On the offensive side. Some of our specialized capabilities. The guard is a daytoday player for us. If you also look at what the guard is doing sorry, maam. Thank you very much. Time is expired. They are calling votes soon so i want to get through everybody. Dr. Winthrop. Thank you, madam chair. Admiral, thank you for being here today. Sure. You were talking about various structure where we set up our command and where we are headed. Right. Im curious what our adversaries are doing, what do we know about how they are structured and what they are doing can maybe guide us in some way . In some ways its kind of interesting. Again, not going to get into a classified information but broadly Cyber Command is viewed as wow this is an interesting concept that the u. S. Has created. What can do to emulate it. Im not saying its perfect for everybody in the world wants to. But in general i spend a lot of time talking to allies and they will often say to me, while we may not opt to go with the same particular structure you have created, the process you went through, the capabilities you have developed, the way you have created an organizational operational construct thats focused on jean rating outcomes, hey, we are really interested in doing that. Is there a way we can potentially partner . Part of the Cyber Command mission set right now is we spend a lot of time with foreign partners around the world. I cant i am the first to acknowledge. I have to prioritize here. There are areas in the world we are focused on helping them develop cyber capabilities. As partnership of helping those nations develop cyber capabilities. Those are our allies. What about you mentioned in a different setting go into more detail what our adversaries i would be happy to in the closed session. Thats fine. I appreciate this. Interesting thoughts there. You did mention we wanted people to know some of the things we were going to counter isis. Maybe thats kind of hitting them but a shot across the bow for others. Have you felt that its had an affect . I certainly hope so. Because, quite frankly, again, one of the reasons we opted to publicly acknowledge this was we wanted other actors to be aware that we are developing and employing, again within a legal framework, but we are developing and employing those capabilities. There certainly is an increased awareness by some actors around the world as they look at us, as they try to study us about capabilities and the kinds of things we are doing. Not going to get into specifics but we are certainly aware of that. Yeah. In another setting i would like to hear more. Id be glad to. We will have that opportunity, im sure. Thank you very much. I yield back. Thank you, thank you very much, admiral rogers, for your testimony. At this time, they are likely to call votes in the next couple of minutes or so. After votes are finished, we will reconvene in rayburn 2337 upstairs for the closed portion of this. If there are additional questions from the members, please feel free to submit them for the record and then we can anticipate a response from you. Yes, maam. This committee is adjourned. And we will reconvene. Thank you, maam. Former fbi director james comey makes his first congressional appearance since being fired when he testifies on thursday. You can watch live coverage. Then director comey testified about the investigation into russias influence on the u. S. President ial election. Heres one of the exchanges. It wasnt simply that the russians had a negative preference against secretary clinton. They also had a positive preference for donald trump. Isnt that correct . Correct. And i want to ask you to say whether this is an accurate characterization of mr. Trump. I wont put you in that spot. But would it be logical for the kremlin to prefer a candidate that disparaged nato to be president of the United States . Youre not going to put me in that spot, you said . Im happy with that. Im happy with that. Im not going to put you in the spot of answering whether its an accurate characterization and is it logical for the kremlin to want someone with a dim view of nato . All kidding aside, i dont think thats something i should be answering. Thats beyond my responsibilities. Well, what is what is the russian view of nato . Do they like nato . Do they want to see nato strong . Again, im sure you have already spoken the people who are greater experts than i but yeah they dont like nato. They think nato encircles them and threatens them. Would they have a preference for a candidate that expressed an openness to repealing the sanctions over ukraine . Again, i dont want to get in the business of commenting on this. Let me ask you this way, director. Would they like to see the sanctions on ukraine go away . Yes. Would they have a preference for a candidate who expressed open admiration for poout snn. I hope youll reform late the question. Mr. Putin would like people that like him. Encouraging brexit and other departures of europe . Would they like to see more brexits . Yes. And have the russians in europe demonstrated a preference for Business People as political leaders with the hope that they can entangle them in financial interests or allow their financial interests to take precedence over the interests of the countries in europe they represent . In our joint report, we recount that the russians, that president putin has expressed a preference for Business Leaders in leading other governments and mentions schroeder and im going to forget one. Berlusconi believing people more open to negotiation, easier to deal with. President trump fired mr. Comey last month. The former fbi director will testify thursday before the Senate IntelligenceCommittee Investigating russian activities during last years election. Well have live coverage here on cspan3 of the open hearing at 10 00 eastern and watch live online at cspan. Org or listen live with the free radio app for apple and android devices. In case you missed it on cspan, Veterans Affairs secretary David Shulkin on the state of v. 20 veterans a day are dying by suicide. That should be unacceptable to all of us. This is a National PublicHealth Crisis and it requires solutions that not only va will work on but all of government and other partnerships in the private sector, nonprofit organizations. Law profession at ze fir teachout on corruption in the u. S. Government. Splitting community and relates to the incredible class in the country and mark twain and go to for almost anything writes about this in his novel the guilded age is two different languages of corruption that happened in the late 19th century where elites start to say, hey, this isnt really corrupt. This is just the way we do things. And everybody else says, you know, if it walks like a duck, talks like a duck, it is a duck. Bridge usa founder talks about free speech and censorship on college campuses. Call it a tax on free speech. I kind of agree with them. I agree theyre placed in a very tricky position when they cant invite the speakers they want to speak because there will be violence and to gregs point, i think that when you give in to threats, you know, when you give in threats of violence, when the university gives in to threats, youre basically allowing the violent agitators to be successful even before they land one punch and i think thats a very dangerous precedent to set preventing a speaker from speaking just because of the threats of violence. And Hillary Clinton talks about the 2016 president ial election and her upcoming book. You may think you know what happened and you may be right to a certain extent based on what you have perceived an how you process it but im going to tell you how i saw it and what i felt and what i thought because you cannot make up what happened. Cspan programs are available at cspan. Org. On our home page and by searching the video library. Next a briefing on funding for the u. S. Army. After the president released his 2018 Defense Budget request. Major general Thomas Horlander spoke to reporters at the pentagon for about 45 minutes. Good afternoon, ladies and gentlemen. Im chief of the army human relations division. Major general Thomas Horlander, director for the the next few moments with you to go over the armys portion of the budget. Once hes complete, hell take questions. And he will be moderating the discussion. Please limit it to one question and one followup. That allows everybody an opportunity to try to get a question in. So without further ado, general horlander. So good afternoon. Great to be back here again and see some familiar