The dangers of increasing threats posed by Russia and China. Held by the Senate Armed Services Committee, this is two hours and 15 minutes. Good morning. All right. The committee meets today for a hearing on the posture of United States Cyber Command. We're pleased to welcome back Admiral Mike Rogers, the commander, chief of the Central Security Service and several other titles, I believe. We are grateful for your many years of distinguished service and for your appearance before the committee today. Threats to the United States in cyberspace continue to grow in scope and severity. But our nation remains woefully unprepared to address these threats which will be a defining feature of 21st century warfare. As a result, this committee has focused its attention on cyber security. We have expressed our concern at lack of strategy and policy for addressing our cyber threats. We were hopeful after years without any serious effort for a cyber deterrence policy from the last administration, the new administration promised one within 90 days of the inauguration. But 90 days have come and gone and no such policy and strategy have been provided. While inaction from the executive branch has been disheartening, this committee has not stood still. In fact, this committee adopted more than 50 provisions over the past 4 years focused on organizing, empowering and enabling the Department of Defense to deter and defend against threats in cyberspace. It is an issue that requires a whole of government approach. We simply do not have that now. The very fact that each agency of government believes it is responsible for defending the homeland is emblematic of our dysfunction. We have developed that we know our adversaries will use against us. Yet we fail to summon the will to address these seams. Our allies, most notably the United Kingdom, have recognized the need for a unified approach. I look forward to hearing from the National Cyber Security Center in the U.K. 
And whether a unified model would help address some of our deficiencies here in the United States. The Coast Guard also presents an interesting model. That should be evaluated for addressing some of our cyber deficiencies. The Coast Guard has an interesting mix of authorities that may be just as applicable in cyberspace as are in territorial waters. They are an agency in the Homeland Security and a branch of the armed services. They can operate in the United States and internationally and can seamlessly transition from law enforcement to military authorities. A cyber analog to the Coast Guard could be a powerful tool for addressing gaps that impede our structure. It could serve as a cyber first response team responsible for immediate triage and handoffs to the appropriate federal entity for further response, remediation or law enforcement action. As for the efforts of the Department of Defense, I understand that Cyber Command is still on track to reaching full operational capability for the training of the Cyber Mission Force in the fall of 2018. But unless we see dramatic changes in future budgets I'm concerned these forces will have will lack the tools required to respond to malicious cyber behavior. Unless services begin to prioritize and deliver weapons systems necessary to fight in cyberspace, we're headed down the path to a hollow cyber force. I also am concerned with the apparent lack of trained people ready to replace individuals at the conclusion of their first assignments on the Cyber Mission Force. Unfortunately we have already heard about some puzzling issues, specifically out of the 127 Air Force cyber officers that completed their first tour on the Cyber Mission Force none went back to a cyber related job. That is unacceptable and suggests a troubling lack of focus. It should be obvious the development of a steady pipeline of new talent and the retention of the ones we trained already is essential of the Cyber Mission Force. 
Admiral Rogers, we look to you to help us better understand if we should take a closer look at if the existing man, train and equip models of the services are sufficient or if we should consider a different model. Later this week we plan to have another cyber hearing of which we plan to ask if we should be considering a creation of a cyber service. Admiral Rogers, welcome back. This is, I'm sure, one of numerous pleasures you have had of coming before this committee. Welcome. Senator Reed. Thank you very much. Let me join you in welcoming Admiral Rogers. As you point out, Mr. Chairman, the frequency which the admiral's called up to testify to the committee is a testament of not just his importance but the importance of cyber and the severe challenges we face in this domain so again, thank you, admiral, for your service and your dedication. We have faced serious and growing threats in cyberspace of espionage, theft of intellectual properties that support our military and our economy. Including critical infrastructure. Now we and our allies are experiencing firsthand that we are also vulnerable to manipulation and distortion of information through cyberspace which Russia is exploiting to threaten the bedrock of our democracy and shared institutions. The Armed Services Committee has for years emphasized the importance of developing the means and the strategy to deter cyber attacks. Now the scope of what we must defend against and deter is expanded and the task takes on even greater urgency. In just a year's time we will be in an election season once more and the intelligence community warned that Russia's election interference is likely to be a new normal. While our system has been designated as infrastructure we lack effective integrated and coordinated capability to detect and counter the kind of influence operation that Russia now routinely and continuously conducts. 
We do not yet have a strategy or capabilities to deter such actions through the demonstrated ability to conduct our own operations of this type. Secretary Carter commissioned a task force on cyber deterrence. Prominent former officials served on the task force and testified to this committee twice this year. They advocate rapidly developing the ability to conduct operations of cyberspace. Which in the case of Russia could include their own financial well being and status, in order to deter influence, operation and cyber attacks against us. Achieving a credible deterrent requires focused policy development across the Department of Defense as well as through the whole of government. Involving DoD, the State Department, the intelligence community, DHS and the Justice Department. We have not seen evidence yet that the new administration appreciates these problems and intends to address them. For Cyber Command the committee has heard concerns that the military is almost exclusively focused on operations such as expelling intruders and figuring out how to penetrate network of adversaries. The concern is that this focus misses the element of operations conducted through cyberspace. Those actions designed to manipulate perceptions and influence decision making. Admiral Rogers, these are critical issues. There is much work to do. I look forward to your testimony and your views on these urgent matters. Thank you, sir. Thank you, Mr. Chairman. Welcome back, admiral. Thank you, sir. Chairman McCain, Ranking Member Reed and members of the committee, thank you for the opportunity today to talk about the hard working men and women. I welcome the opportunity in the cyberspace domain against sophisticated adversaries. The Department of Defense recognized seven years ago that the nation needed a military command focused on cyber security. U.S. 
Cyber Command has been given the responsibility to direct, operate, secure and defend the department's systems and networks which are fundamental to the executions of all DoD missions. The department and the nation also rely on Cyber Command to build ready cyber forces and to be prepared to deploy them when significant cyber attacks against the nation's critical infrastructure require DoD support. The pace of international conflict and cyberspace threats has intensified over the last few years. Hardly a day has gone by that we have not seen at least one significant cyber security event. Occurring somewhere in the world. This has consequences for our military and nation at large. We face a growing variety of advanced threats of actors operating with ever more sophistication, speed and precision. At U.S. Cyber Command, we track state and nonstate adversaries as they continue to expand their capabilities to advance their interest in and through cyberspace and try to undermine the national interest and those of our allies. Conflict in the cyber domain is not simply a continuation of kinetic operations by digital means. It's unfolding according to its own logic. Which we are continuing to better understand. And we are using this understanding to enhance the department and the nation's situational awareness and management of risk. I want to update you on plans to address that issue of situational awareness. And risk management. Our three lines of operations are to provide mission assurance and defend the department of environment to support globally and to deter, defeat threats to critical infrastructure. We conduct full spectrum military cyberspace operations and ensure the U.S. action in cyberspace and deny the same to any adversaries. Defense of the DoD information networks remains our top priority, of course. That includes weapons systems, platforms and data. 
We are completing the build out of Cyber Mission Force, as you heard the chairman indicate, with all teams scheduled to be fully operational by the end of fiscal year 2018. With the help from the services we are increasing Cyber Mission Force's readiness to hold targets at risk. Your strong and continuing support is critical to the success of the department and defending our national security interests, especially as we comply with the recent National Defense Authorization Act directive to elevate Cyber Command to unified status. As you well know, I serve as director of National Security Agency. This underpins the close partnership. A significant benefit in cyberspace operations. The institutional arrangement for support may evolve. The National Defense Authorization Act in a separate provision described conditions and once that can happen. This is another provision I have publicly stated that I support pending the attainment of certain critical conditions. Cyber Command will also engage with this committee on several other matters related to the enhancement of authorities over the coming year. This would include increasing our cyber manpower, professionalization of the workforce, building capacity and developing and streamlining acquisition processes. These are critical enablers for operations in a changing global environment. Most or all of these particulars directed in recent authorization acts and along with the Office of the Secretary of Defense for Policy and Joint Staff we'll work with you and your staffs to iron out the implementation details. Cyber Command personnel are proud the efforts they play and motivated to complete the assigned missions by the Congress and this committee. They work to secure and defend systems and networks, counter adversaries and support national and joint war fighter objectives. The operational successes have validated concepts for effects on the battlefield and beyond. 
Innovations are emerging out of operational necessity and the real world experiences we are having in meeting the requirements of national decision makers and joint force commanders to mature the operational approaches and effectiveness over time. This combined with agile policies, faster processes, increased capabilities, broader concepts of operations and smarter command and control structures will ensure that Cyber Command obtains the full potential to counter cyber strategies. The men and women of Cyber Command thank you for your support and appreciate your continued support as we confront and overcome the challenges that lie ahead of us. We understand that a frank and comprehensive engagement with Congress not only facilitates the support that allows us to accomplish our mission but it also ensures that our fellow citizens understand and endorse our efforts executed on their behalf. I've seen the growth in the command size, budget and missions. That investment of resources, time and effort is paying off and more importantly it's helping to keep Americans safer, not only in cyberspace but in other domains, as well. I look forward to continuing the dialogue of the command and the progress of with you in this hearing today and months to come and I look forward to answering your questions. Thank you. Thank you, admiral. We see another Russian attempt to affect the outcome of the election in France. Do you see any slackening, reduction in Russian, Chinese efforts to commit cyber attacks and even affect elections? No, I do not. Have you seen any reduction in Russian behavior? No, I have not. The Defense Science Board told this committee at least the next decade, the capabilities are likely to far exceed the United States' ability to defend key critical infrastructures. Do you agree with that assessment of the Defense Science Board? I agree that the offensive side has the ability over the defense. Which is why the ideas of deterrence are important. 
How do we shape and change opponents' behavior. To do that we would have to have a policy followed by a strategy, right? Yes, sir. Do we have that now? No, sir. But the new team is working on that. I want to make sure we all understand that. And the check's in the mail. So, do you agree we should let me we have got the Federal Bureau of Investigation, lead for law enforcement, Department of Homeland Security is leading of government networks and the Department of Defense is the lead for defending the homeland, defending military computer networks and employing is that is that the status quo sustainable? It's sustainable but my question is, is it the most effective way to generate a better question. Thank you. Yes, sir. In my my recommendation, my input to this process has been, our challenge is so we built a foundation with the series of very specialized and distinct responsibilities. And yet, I think what experience has taught us over the last few years, is it's our ability to respond in a much more integrated, focused way is really the key to success here. I think that's the challenge. How do we more formally integrate the capabilities across the government? Do we need a cyber corps? I'm not a proponent of the idea of a separate cyber force or service and that's for the following reasons. In my experience, to be successful in cyber you not only need to understand the technical aspects of this, but you need to understand the broader context in which cyber evolutions occur. Somewhere in the world there's a man or woman sitting on a keyboard directing an operation. My concern is if we went with a very unique service approach to this, we would generate a force that was incredibly technically proficient but not necessarily deep in understanding of the broader context. I think using a service based model is a stronger way to go about doing this. As I mentioned in my opening remarks, 127, whatever it is, the Air Force, not a single one stayed in cyber. 
Are you getting the kind of cooperation that you need to have trained people at work in your command? So I've talked to all the service chiefs personally over the course of the last year on this topic. I have one service that I'm particularly highlighting to them, saying, look, we need to change the policies here. What I've suggested to the services is the Cyber Mission Force, that part which I am responsible for, I acknowledge as only one part of the department's broader cyber needs. Was that message received by the United States Air Force? They're clearly still working their way through this. I got it they have a broader set of circumstances. I had the chief of staff of Air Force come out to Ft. Meade, said this is what I'm saying. Do I have the right picture, is this accurate? He has come back to me saying, no, Mike, you have an accurate sense that we're not where we need to be. Here's what I'm trying to do to get there. My job is to help him and also to keep the pressure on to make sure we sustain this. In your job, you have to look at scenarios. Give us the best scenario and the worst scenario. For? For cyber attacks on the United States. The worst-case scenario in my mind has a couple dimensions to it. Outright destructive activity focused on some aspects of critical infrastructure. Including space? It could be space. And then in addition to outright destruction, the other thing that concerns me is two other things. The second thing in terms of worst consequence, do we see data manipulation on a massive scale. Most is penetration and extraction. Like changing voting rolls? Yes. What happens if we go in and change data? That's a very different kind of challenge for us. And then thirdly, to me, the other element of a worst-case scenario, what happens when nonstate actors decide that cyber now is an attractive weapon that enables them to destroy the status quo? That's kind of the worst, the worst end if you will. And the best? 
The best is we develop a policy followed by a strategy, we continue to make improvements both in capacity as well as the broader deterrence piece. Thank you, admiral. Senator Reed. Thank you, Mr. Chairman. Again, that remember, admiral. As you've pointed out and I think we've both pointed out, in terms of technical aspects of cyber, in terms of detecting intrusions, penetrating other networks, Cyber Command has been in the forefront. But this issue of which you allude to, cognitive operations, information warfare, the change in public opinion, et cetera, have you been tasked to conduct such operations? Prepare to conduct the operations? No, we have not. That's not right now in our defined set of responsibilities, per se. Is it in anybody's set of responsibilities to your knowledge? It's there's some I won't get into specifics in an unclassified forum. There are things we're doing right now. For example, with the fight against ISIS with combatant commanders in this regard and I don't want to go any deeper if I could. That's fine. But I think one of our challenges is if information is now truly going to become a weapon almost like in many ways, how are we going to optimize ourselves to deal with this world? We had much of this skill, if you go back to the Cold War, we had extensive infrastructure, extensive expertise. As the Soviet Union collapsed, we decided perhaps that expertise isn't required. We did away with many of the institutions, many of the individuals who had the skill sets are no longer with us. I think we need to step back and reassess that. I would assume if you'd not been tasked to do that, your expertise in cognitive warfare is rather limited in terms of those you just mentioned, the skill sets, the personnel. It's not what our workforce is optimized for. And not comparable to what we're perceiving from other actors around the globe. Certainly not on a day-to-day basis. Within DoD 
My knowledge suggests that SOCOM has been given the lead on information operations. Broadly. Broadly. I would say that that's true. And is there any integration with Cyber Command? We work very SOCOM is one of those partners I mentioned, so we do work very closely, General Thomas and I. I think the other issue, too, and it's come up in the context of all of our comments this morning, is that this is a mission that goes across several different organizations. And, in fact, we've heard comments about how the State Department in some areas has go back to the Cold War, they were doing the Voice of America, they were doing all the radio towers. That were beaming in. It's a new world. And they don't have the expertise or the resources, et cetera, so no one seems to be doing this aggressively. Is that fair estimate? Certainly we're not where we need to be. I think that's fair. In terms of Russian operations, were you aware of the penetration of the election in 2016 in terms of active involvement of Russian entities directly or indirectly. Yes, sir. And was there what actions did you take, just simply informing your superiors, was that it? So here's where I have to differentiate between my role of commander of Cyber Command and director of the National Security Agency. The director of the National Security Agency, as I've publicly testified before other committees, when NSA first gained initial knowledge in the summer of '15 that the Russians were engaged in an effort to access political institutions, we informed the Federal Bureau of Investigation with responsibility to inform those organizations. I don't as the director of NSA, I don't deal directly with them. In turn, I then made sure that DoD and other elements within the government had the awareness. That's where my role as Cyber Command comes in. As Cyber Command, I become aware of efforts in terms of intrusion and hacks directed against U.S. infrastructure. I turned to myself and make sure that the DoD 
system is optimized to withstand because they were coming after DoD at the same time. In addition, we coordinate with the Department of Homeland Security. Is there a requirement for are you looking for DoD? For example, if we had defined voting infrastructure is critical infrastructure? Under the set of duties assigned to Cyber Command, had the president or secretary of defense determined we needed to insert ourselves, I would have been tasked as Cyber Command. You would have been prepared technically to try to disrupt these operations? Yes. And then, again, given I'm sure, we've all been looking back and the after action reports are still being written about 2016, in your estimate we have to be much, much better prepared for 2018 and beyond. Is that fair? I apologize, senator after looking at the experience in 2016, as you just described, knowledge of penetration, attribution to a foreign state, going after key systems in this country, some of which has now been designated as critical infrastructure. We have to be much better prepared yes, sir. I agree, I apologize. That's fine, sir. Thank you very much. Admiral Rogers, it would be unfair for me to ask you to evaluate the article I showed you earlier this morning because you haven't read it yet. The title pretty much says it. It appeared this morning. Are cyber crooks funding North Korea's nukes? How does Kim Jong-un pay for nuclear tests? Increasingly online bank heists provide a lot of the funding. Does that make sense to you? I'm not going to get into specifics in an unclassified forum. But we have publicly acknowledged, we have seen the North Koreans use cyber in a criminal mechanism, if you will, to generate monetary resources. It has to come from somewhere. And when you look at it, you kind of eliminate come down to that conclusion, they might be right on this. 
Although I would highlight this is only one element of the North Korean broader attempt to generate revenue and get it back to North Korea. When we look and see the growth in this thing from 2006 to 2015, the number of cyberattacks has climbed by 1,300. Then you talk about we've all visited about the policy or lack of policy in making the decision. There's some thought that maybe the there's too much authority at the top. It was General Goldfein that was quoted in December of last year. Actually before this committee. He said if we want to be more agile then the reality is that we are going to have to push decisional authority down to some lower levels in certain areas. Does that make sense? Yes, sir, and we've highlighted in the cyber arena to Secretary Mattis, as he has assumed his new responsibilities. I think this is an important area we need to assess particularly within the cyber arena. Just a matter of a few weeks ago we happened to be in Israel and we met and talked to their national cyber director for a cyber subcommittee meeting. He actually came over and we had it was Senator Rounds who was with me at that time, he chairs the subcommittee, and we had a meeting that I think was pretty productive. The doctor is very careful not to say that perhaps they might be doing something better there than we're doing. He said it's much more complex than the United States because of the size and all of that. He also pointed out three things that were significant, and I just wondered if you had any thoughts or if you studied their system. Maybe some other countries, too. See what they're doing. So with that case, there's a reason every time I'm in Tel Aviv I see him. Every time he is in the United States he sees us. I knew that's the case. He said the same thing. We can learn from each other. In fact, we're talking about some potential test cases that we could use with a new team in place. We'll see how that plays out over time. I look to him. 
I look one of the things that I've learned in my journey in cyber is there is no one single organization, group or entity that has all the answers. It's about the power of partnerships here and how do you create a system that enables you to gain insight and knowledge from a whole host of partners? Some with the United States, outside the United States, within the government, the academic world, industry. He's one example of the power of that. Yeah. I kind of got that impression, too. The when General Alexander was in that position he spent some time out at the University of Tulsa and I know there are many other schools, too. The chairman asked the question. Are we having access to the people that are going to become necessary to staff this new, very serious problem that we have? Is there an effort going back to some of these schools and to promote the programs as were promoted in that particularly? There is, between NSA and Cyber Command we have relationships with over 200 academic institutions around the United States. Because that's in part the future workforce for us. Although, one thing I try to highlight is be leery of creating a cyber force where everyone is cookie cutters. We need to get a broad range of skills and experience. Some people will be good at this and they won't necessarily have advanced education but they've spent much of their personal life in there so we have to build a construct to get a full spectrum of capability. You know, we look and see some of these countries. Putin when he came in after their parliamentary election and they didn't have any communists for the first time in 96 years. He started doing things in addition to just the coming in and declaring a level of warfare. He also started working and apparently according to Poroshenko they have used cyber capabilities to attack the Ukrainian government over the last two months. This is something that's happening. Not just it's happening all over the world. 
And you see something like the example in Ukraine. That didn't take any lead time and all of a sudden they're already inflicting that type of harm. I'm sure you're right on top of everything that's happening. We're trying. Thank you very much. Thank you, Mr. Chairman. And thank you, admiral, for your public service. In response to Senator Reed, you said that you were aware of Russian attempts to interfere in our election. Are you aware were you aware of Russian communications with members of the Trump campaign team? I'm not now you're into my role as NSA. I'm here as Cyber Command. I'm not going to publicly get into that, sir. I thought I understand your reluctance, but I also see you not just Cyber Command. I see you as NSA director. Okay. The chairman mentioned and asked you is this what we see this behavior? Is this a new normal to which you responded, I think, somewhat regretfully, yes. Yes, sir. How should we counter these kind of cyber enabled information operations and who has the responsibility for these kind of operations? In terms of Russian execution of the operations or our response? I apologize. I'm trying to understand. Both. Both. Well, in the case of the Russians, again, if you refer to the publicly available intelligence community assessment, we identified multiple Russian security elements that were involved in this campaign. With respect to what should we do, the first is I think we need to publicly out this behavior. We need to have a public discourse on this. Those national states, groups of individuals that would engage in this behavior, they need to know we're willing to publicly identify them and publicly identify their behavior. We've got to make this much more difficult for them to succeed. That means hardening our systems, taking a look at our election process, which is not Cyber Command's role. I think broadly we need to look at this end to end and ask ourselves what changes do we need to make in this structure. 
Thirdly, I think as a society, as a nation, we need to acclimatize ourselves to the idea that we're in many ways back into a time frame of disinformation, false news, goes to Senator Reed's point. Manipulation of media. You got to be a much more discerning reader, so to speak, in many ways in the world we're living in right now. And then lastly, I think we also need to make it clear to those nation states or groups that would engage in this behavior it is unacceptable and there's a price to pay for doing this. So at this point, it sounds listening to the answers to the previous questions that we are really in a position that we can't prevent a cyberattack on things like our critical infrastructure. Again, when we say prevent, it's one of the reasons why deterrence becomes so important. The goal should be we want to convince actors you don't want to do this, regardless of whether you could be successful or not, it's not in your best interest and you don't want to engage in this behavior. In a different setting that is secure, would you share with us where we have either under the threat of an attack or an attack deterred, the word you just used, deterrence yes, sir. I could share with you in a classified situation where we've driven them out of a network or okay. That would be very helpful. Yes, sir. Now, would you consider it critical infrastructure, voter registration rolls? I think one of the challenges if you go back to the process we used to identify the current 16 defined critical infrastructure areas in the private sector, we tended to look at that from a very industrial is there an output associated with it? One of the things I think we need to be thinking about now is not that output is not important because you could argue an election generates an output, but does data and information reside in a critical thing to us? We didn't look at it that way. 
We sure better because if someone shows up to vote and suddenly they find out they're not a registered voter because, indeed, it's been attacked and the data has been manipulated and taken them off the rolls, that's pretty serious. Yes, sir. And that's critical infrastructure. Yes, sir. We need to take a look at that definition. Thank you, Mr. Chairman. Thank you. Let me follow up on the chairman's statement with regard to the Air Force cyber officers not remaining in that field of work. Would one of the reasons be because they do not view it as a good career path? No, if I could say, when we say not in that field, the experience we're seeing is they're taking officers that are rolling out of the Cyber Mission Force, the structure that I'm responsible for, and employing them in other areas in cyber in the department. That's why I say, part of the challenge if you're a service, you have a wide spectrum of cyber requirements beyond just what Cyber Command is responsible for. It's why I'm trying to make the argument with the services what we need to do I've talked to them and said look, you know, something on the order of a third should stay with us, the rest we should then look how do we put them elsewhere within this broader cyber enterprise to build the cyber level of expertise across the department. I don't want to make it sound like what the Air Force is doing is just ripping people once they finish their three years so to speak and then making them airplane mechanics, for example. That's not what we're seeing at all. Okay. For the third you'd like to keep, do you think that's a good way to get to be a four star? Oh, do you mean could you build a career over time? Right. Clearly in the military we're moving into I'm not the last person that's going to be doing this as a four star I don't think. Okay. And then with regard to the cyber service, which you are doubtful about, do I understand Britain does have such a cyber no. 
Their structure is less a cyber service and more a combination of active as well as significant reserve. Is anybody trying this? Are any of our allies trying this? There's nobody right now who has really gone to a single cyber service. Most are trying to take, within the existing service structure, can you create a dedicated work specialty where that's what you do for your career. That's what's being done by most nations around the world. Okay. Well, keep us posted on that. On page two of your written testimony you say advanced states continue to maintain the initiative just short of war, challenging our ability to react and respond, unquote. So what constitutes an act of war in your opinion or in terms of the policy of the agency? So, first, I'm not a lawyer and I'm not a policy individual. That question at its heart is about legality and policy. It is clear that we do not, not just the United States, I would argue broadly internationally, we haven't yet reached a broad consensus on how you would define in clear actionable terms what an act of war within the cyber arena looks like. To date... How are we going to do that? We're going to get our policy people together. And we're trying to discuss this broadly. Again, it's outside my lane but I know we're involved in broad discussions both internally in the U.S. government as well as with our foreign partners. Help us out. Because it may not be in your lane. You're not a lawyer, you say, but you would certainly be one of the first people I would ask in terms of what sort of act, in your judgment, would go beyond this threshold of war. Right. What I looked, personally for me, what I look to do is could we define a set of criteria, intent, impact, the tactics or techniques that were used, could we develop a set of very specific criteria that would help us define this rather than this broad, nebulous is the wrong word because it implies people aren't really focused on it, but the general conversation we often tend to find ourselves in. 
I'm trying to mentally work myself through how could we get this down to a more specific set of attributes that would help us. I see those attributes. That therefore would be defined as an act of war, as an example. You say technical developments are outpacing laws and policies. We find that in the commerce area, also. Do you need anything new in this next NDAA that you don't have now? I don't know specific to the NDAA. In broad terms, you know, my input to the process has been we need to reassess authorities in delegation. We need to take a look at the right investments in manpower. Are we investing in the right capabilities? I'm very honored that the department is focused on this mission. There shouldn't be any doubt in anybody's mind. There is focus on this mission set. I'm the first to acknowledge cyber competes with a broader range of priorities and needs. But the argument I'm trying to make is within those priorities, I think cyber is pretty high. And we need to focus the investment and prioritize it and we can't be willing to accept five to ten years for development cycles, whether it's getting the right people, whether it's training them. That's just not going to get us where we need to be. To the extent that laws and policies are being outpaced, tell us what you need. Let us know what you need. Yes, sir. Thank you, Mr. Chairman. Following the line of questioning by Senators Nelson and Reed, one of the issues raised by Russian intervention in our election is how our government as a whole responds to cyber attacks and how it escalates its response. Do you believe that there's a coherent plan in place to allow the federal government, in coordination with state and local governments, to respond to major cyber attacks on the country and escalate the response as appropriate? To be honest, Senator, I don't know enough to accurately answer the question. Some parts of that question are outside of my purview. I'm not trying to be a smart ass. It's outside my knowledge. 
I'm just not positioned to say categorically yes or no. So I was concerned by your earlier responses that your strategy is deterrence. Because I don't see how deterrence is going to work with regard to Russia since we've seen a continuation of an interest on their part to hack our systems and hack other countries' systems and their elections. I guess what I'm looking from you is leadership in coordination with other government agencies throughout the U.S. government to be prepared for our... Oh, yes, ma'am. Don't get me wrong. I'm part of this. If I could, I don't think you heard me say that I thought our strategy was deterrence. What I thought at least I communicated was deterrence should be part of a broader strategy. It shouldn't be the only thing. I'm the first to acknowledge that. Do you think there is, particularly the transition between private companies and a government response, are there the authorities in place to accomplish these transitions effectively? If not, what kind of authorities might you need? I don't know if it's... There's certainly an authorities aspect to it but part of this, I'm wondering, is a cultural. So the government comes to a private entity, and you saw this. The government informs this private entity the Russians have penetrated your system. Here's where they are. In some cases the responses are, hey, want to work with you, thanks, can we come back. In some cases it's thanks very much and we never hear anything. In some cases it's I don't believe you. In some cases it's not the... You saw this play out, for example, in some states' response to the election. Correct. And that's, some states came back and said, hey, look, that's not your guys' role. That's the testimony we've heard in a few hearings now. I'm highly concerned that if you don't have the authority or some aspect of the federal government doesn't have authority to say to a secretary of state, we recognize it's a state's right to run elections, we recognize you choose the technology that you want to pursue. 
We recognize it's a states' right issue. But if you don't have a level of sophistication that has been certified as cyber protected, it's not adequate. What I really hope you can come to this committee with is a list of authorities you might need to put in place before the next election because it's not adequate to defer this to any secretary of state in any given state that they think they're covered. We need assurances that they are covered by the most highly sophisticated cyber experts in our government. I think a lot of that cyber expertise is being developed by the Department of Defense. Yes, ma'am. If I... Your leadership and coordination is so necessary. Yes, ma'am. Please, I don't dispute that at all. Much of what you're asking me falls on the Department of Homeland Security. I don't want to speak for DHS, Senator Kelly should, excuse me, Secretary Kelly should be able to speak for himself. I do acknowledge, particularly if we were to define this as critical infrastructure, clearly DOD has a role here. Agreed. I mean, there's no doubt about that. Yes, ma'am. With regard to the most recent French election, we saw that in that election emails of the successful French candidate Emmanuel Macron were dumped online. After previous hacking. It was also rumor of campaigns launched against him on the internet and the head of the German domestic intelligence agency accused Russia of hacking in preparation for Germany's upcoming presidential elections. How can the United States leverage our cyber and other capabilities to prevent Russian interference in our election and partners and allies? Should we have a role? This is much more in my role as the director of NSA than Cyber Command. If you take a look at the French elections, an unclassified hearing, I'm not going to get into specifics. But we had become aware of Russian activity. We had talked to our French counterparts prior to the announcement, of the public events attributed this past weekend, and gave them a heads up. Look. 
We're watching the Russians. We're seeing them penetrate some of your infrastructure. This is what we have seen. What can we do to try to assist? We're doing similar things with our German counterparts, our British counterparts. They have an upcoming election sequence. We're trying to figure out how can we learn from each other. That's much more in my NSA role than my Cyber Command role. Ed that, Admiral. Yes, ma'am. Thank you, Mr. Chairman. Thank you, Admiral, for being here today. As you know, there's been some debate about our use of a geographically based counterterrorism strategy where legal authorities to conduct operations depend considerably on where they take place. To what extent are your operations in cyberspace similarly dependent upon the declared areas of active hostilities? So that is an issue for us, authority is often granted by defined geographic space. The point I try to make to policymakers is the challenge in the cyber arena, the infrastructure, let's take ISIS, for example. ISIS might be using is not necessarily physically in Syria or Iraq but is in other areas. We need to be able to have an impact on that. I apologize. I don't want to go into this broadly in an unclassified forum but we have that challenge. Yes, ma'am. Are you bound then by the limitations that are set forward in the presidential policy guidance? Oh, yes, ma'am. I have to meet PPD 20, for example. So when you're looking at that and we look at the interconnectedness of the nature of cyberspace, so what impact does that have on your operations? Do you have the necessary ability to meet the requirements of the combatant commanders? The geographic combatant commanders. Not as fast as I would like. I'm not going to get into the specifics in an open forum. But some of the things we are doing against ISIS, this very issue came to a bit of a head. 
We are able to work it out through the interagency process and we were granted the authorities to execute some of the ongoing activity that we're doing against ISIS that extends beyond the immediate physical environment of Syria and Iraq. I'm the first to acknowledge it was not the fastest process in the world. It was the very complete process. I'm the first to acknowledge that. Do you have suggestions for any changes Congress needs to make? Before I go to Congress, I'm trying to have a dialogue with my own immediate bosses about what might such framework look like. I think I owe them time to come to their own conclusions first. I understand that presidential policy from 2013 is being reviewed by the department, is that correct? Again, it's not a department document. It's a presidential document. So is the department reviewing it? We are broadly looking at cyber authorities right now writ large. Again, I've provided an input to the secretary with a here's my views on what are some of the things we want to look at. CYBERCOM is involved in that review? Based on your experience, do you, where do you think improvements should be made? The positive side for me is everything I'm hearing from the current team is they acknowledge that the structures that are in place are not fast enough. Which is, that's a good step for me. I'm not spending a lot of time in a debate. Now it's, okay, what do we do. If we accept that premise, what should we do? Again, because that's an ongoing topic of discussion I would rather not publicly get into this. I think I owe them the time to come to their conclusions. Although they are reaching out to us. I have no complaints in that regard. Do you anticipate the secretary will be bringing forward to this committee any conclusions that are made then? I don't know, ma'am. I don't want to speak for the secretary. Okay. Admiral, in testimony before the House Armed Services Committee in 2015 you mentioned an unresolved question about applying, quote, DOD 
generated capacity in the cyber arena outside the government in the private sector. Can you elaborate on this? Specifically, what type of capacities do you believe would be beneficial and what kind of gaps are you trying to fill? So, it goes to some of the points that many of you made already this morning about, for example, if we're going to defend critical infrastructure, DOD is going to defend critical infrastructure. One of the points I'm trying to make is I don't want to show up in the middle of a crisis for the first time I've ever interacted with some of these sectors. My experience as a military individual, it teaches me discovery, learning while you're moving to contact with an opponent is a painful way to learn. Increased loss, it takes so much more time and you're not effective and efficient. The argument I'm trying to make is, building on the sector approach with critical infrastructure, which I think is very sound, can't we create standing mechanisms where I, the DOD, DHS, the private sector can operate 24/7, what are we all seeing out there? Do you support the deployment of government sensing capabilities on the private sector? In a perfect world, what I would probably prefer would be to create a structure where the private sector, because they're putting sensors, putting telemetry on their networks. Couldn't you share that with us rather than us go in and do it? My first recommendation would be could we create a mechanism where we could take advantage of the private sector is already making? Can we do that now? In some areas, I want to make it more institutionalized and much more real-time, for me anyway. Thank you. Thank you, Mr. Chairman. Thank you, Mr. Chairman. First question, Admiral, for the record, we've been having these hearings now for four years, and we talk about the problem and everybody is absolutely convinced that this is a very serious problem. 
I would appreciate it, given the fact of the depth of your knowledge and the work you do, if you could supply for the record the five things you think we should do. Talking about it is important. But action, what five actions, if you would think about it, have your smart people think about it, whether it's legislation or regulation or new relationships, communication, I think all of us would find that helpful. This is an echo of Senator Wicker's question earlier. Second, it's, we talk about this. We have to approach this with a whole of government approach. I think the term should be whole of society. Society. Yes, sir. Because this is an odd situation where you've got government, for sure, but the vulnerable elements are in the private sector. The electric grid, the financial system, the gas pipeline situation. We had a situation, I think it was in 2011, where there was a cyber bill. It was regulatory. It would have applied to the private sector, it failed. There was great resistance in the private sector to a regulatory approach. We don't ask the private sector to defend themselves against Russian bombs or missile attacks from North Korea. We do that. What about a system whereby we work with the private sector to assist them financially in installing the kind of defensive measures that might be important and in exchange they would get a limitation of liability and, of course, they would get free stuff? The question is, how do we do that without them just taking their foot off the gas and not protecting themselves. Incentivizing behavior tends to prove better incomes in our society than the penalization. It's a much broader issue than me, but I think the core point you raise, as the point I was trying to make with Senator Fischer, we traditionally in our society, we often have very strong walls between what is a private function and what's a government function. 
I think cyber shows that much of what we're seeing is a national security issue and therefore it requires a whole of nation approach to how we're going to handle this. Which involves new levels and creative thinking. Yes, sir. Of the government and the private sector. Because we could have a perfect government system but if the financial system... Right. If Wall Street goes down, it is chaos. No. I agree. On the issue of policy, Senator Rounds got into the National Defense Act last year that says to the administration, 180 days of military or nonmilitary action available or deterring or responding to imminent threats. That date is coming, just to remind you. It is June. Yes, certainly. It is in my calculation. This is a way of trying to force what Senator McCain is talking about at the development of policy and the president has 180 days after that. To describe actions carried out in cyber. We got to respond to this. We have been a part of that process. One of our big gaps to talk about what we need to do, a policy and a strategy as the chairman has mentioned is critical. Deterrence does not work unless there is a strategy. Yes, sir. Finally, I think as we talk about this, when you think of what the Russians did in 2016, there were three components. One was hacking and leaking and the other was attempted hacking in terms of the voting system which we talked about, which I think is a serious issue. The other is information and manipulation of information. That's very hard to get out, especially in places of the First Amendment. Right. I would suggest that one of the things we need to be thinking about is a heightened level of literacy in this country. People have to understand when they are being misled and manipulated. My wife has a sign in the kitchen that says the most difficult thing on the internet is to determine the authenticity of quotes, Abraham Lincoln. 
[laughter] We got to be educated and our public has to understand that this is a whole new level of way of manipulating. There are all kinds of reports in the French election that Macron had bank accounts at Cayman Islands. How do you defend yourself against that. I would urge you to be thinking about this. How do we educate our people to be discerning when they read something incredible on the internet. It is a great new world out there. Wearing two hats. At this criteria, will you share the criteria. This is an ongoing policy issue. I am not going to get in the specifics. The criteria that you would expect to be depleted before the move is made. We identified the steps within the department. We identified the steps we need to take to elevate and combat. I am confident that we can do this. Could you share with the committee of activities. We identified. We need to shift current responsibilities from STRATCOM down to us and define their responsibilities and if there is a geographic aspects to those responsibilities. We got to make those changes. If not, we identify investment and manpower as well. There would be an advantage in some ways to having two separate organizations, while the information that would be shared perhaps would be shared in a different manner. The sharing of that information could continue on but the activities of the two, can you share the positive of the side in making a move like that? I am on record of saying that my recommendation of the process has been, I didn't believe this when I came in the job. I came to the conclusion of being in two jobs, the right answer is to separate the two. They'll remain closely in line. Cyber Command will still continue to work in the same battle space in many ways, so to speak. It will still be a unique relationship. In the long run, I think is the right thing to do. There is a series of steps we need to take to make sure each organization is a optimizing to achieve serious outcomes. 
There are things we need to do on the Cyber Command side. It is within reasons to me and can be done in a reasonable amount of time and level of investment. How do you classify the private sector and critical infrastructure and vital to the mission and whatever CYBERCOM is undertaking that's vital to the DOD vision. I am not talking about trying to classify all the other stuff but critical to other DOD activities. We try to partner closely with Defense Security Service and making sure those critical businesses and infrastructure that we at the DOD count on. We spend a lot of time focusing on this. How do we make sure, because he in particular, his organization, not that it is unique to TRANSCOM. He's got a greater challenge than most. We are talking about how we can speed up our processes or, I would like to, over time can we create a different relationship. It is hard to deal with the law and the framework that we create over time. I would like to see looking at how we can amend that with a specific set of companies with direct relationship and providing capabilities and infrastructure for DOD. I am working that with TRANSCOM. We picked Hawaii and Guam, they're little easier. How we can partner with the DOD and other islands and power and a few other things and highlighting how we can work together closely. There is no alternative generator capabilities, for example, we'll pipe in power. If we have problem with the distribution system, we have major problem with the DOD. Sometimes we forget how critical these cyber aspects are and we talk about domain that we fight in, air, land and cyber and sea. Can you think of any area that we require dominance of and maintaining dominance in if we don't have dominance in... Our success helps to underpin the ability of the rest of the department. I am not saying it is the only determinant but it is the foundation of the department's broader ability of the mission. Thank you, sir. Thank you, Mr. Chairman. Sure. Thank you, Chairman. 
Welcome back, Admiral Rogers. It is becoming really evident to me as a member of the Intel Committee and this committee. It is becoming crystal clear that Russia has mastered this domain of digital information. Very effectively, that serves their interest. That's what we call of fake news and true of any real news that serves their interest of undermines U.S. policy. So these capabilities are proven to be just as politically disrupting both in our elections and day-to-day business as well as what we have seen in Europe as the Russians hacking that we have seen. Does Cyber Command have a role to play in meeting this new, what I would describe is a threat. There is a broader aspect of it. If you look at the spectrum and the network, if you look at the information dynamic is playing out, one of the questions that we are trying to come to grips of the department, I am so focused and trying to execute the mission and I have been assigned, let me get the structure set before we start to stole stuff in the light raft. How are we going to bring together electronic warfare, cyber dynamics? It is blurry in the digital world that we live in. How do we do this in an innovative way? Right now we are not there yet. Do you have people assigned, for example, looking at the issues when you have thousands and thousands of bots out there and they looked like social media accounts and Wisconsin or Michigan and somewhere else in the United States, really just take a story that has interested ten people and make it look like to 10 have we look at capabilities making it clear and even to the companies whose platform that we are on and accounts are not genuine. If you take that application pieces out. Yes, a couple of points. First, remember much of the scenario that you went through is about domestic. It is largely focused so all monitored bots infrastructure and it comes, the bot farms are overseas. Right. They are not attached to actual people. 
What we are starting to see is you are starting to see a migration of capabilities. We have been observing for some time. The way it is going to go next, in my opinion, you are going to start to see this domestic manipulation. That is a part that for us from now, I am not really directly involved. We do, as part of the broader government effort, participating, generating insights that we share with providers to say that these are activities that we are seeing and we believe to be criminal or believe to be supporting... You are able to share real-time information with big providers? In some occasions. One of the things I try to do is get enough so that I can try to count today and here is ten and here is the next hour. We are in the early stage. How do we be more responsive than we currently are. Thank you, Admiral Rogers. It is good to see you again. During the line of questioning. You had answers where you don't want to have to learn about the enemy on the move. I agree. I would also say conversely we want to know about our friends. Going back to the National Guard, we corresponded about a number of times. I did drop a bill to ensure that DOD will start tracking these capabilities. From your perspective, what more can we be doing to help CYBERCOM to connect with our National Guard and their capabilities. What else can we do? I am trying to partner for command as well as the National Guard Bureau team. I am very supportive and appreciative of. How do we create the mechanism so we can apply that in real time? We are doing something now, for example, where Air Force is activating and I have reviewed the activation sequence in the guards out of 1620. But what I am trying to get to is, if we have a major cyber event, I feel comfortable that we understand who's going to do what. What I am curious about is what happens if it is not something catastrophic or necessarily of the threshold. How do we use those guard capabilities in instance from the active side is not the lead. 
How do we make sure that the capabilities are there. How do we apply them and whats the struck a chance for shower that's in place. That's very mature in terms of how we respond to natural disaster and we got a great process there and Northern Command roles. I am trying to argue that we spend more time. I agree wholeheartedly. I look at it and maybe it runs parallel to our support team to where it provides backup or in case of any sort of incidents or the Super Bowl, we always have them on standby and as we look at major events and progression, whether it is election or other significant events throughout the year, we have those, we have those capabilities. Can I make one other point? Yes. One of the challenges and I am trying to work my mind through. I had this discussion with the governor and the TAGs. In many instances the infrastructure that the state is going to be counting up of cyber protective. How do we take advantage of the structure and not just saying it is important. How do we construct something that does not define by geography. I know a member of my colleagues is moving on and how do we keep on personnel there. There is a lot of suggestions of bringing in civilians. During Secretary Mattis' confirmation, he stated that the war is essential when you have a military. As we look at things like lateral succession and flexible career path, how do we make sure that it is not diluted. One reason why I argued, no disrespect, we want the warrior's ethos of the law of our conflict and there are things legally of a uniformed member. So civilians plan for it, don't get me wrong. That's one of the reasons why I believe the right console for us is to bring the active and guards, reserves and contractors. Not one single slice. I am leery of swinging in one direction. Thank you, for your time. I appreciate your time, Admiral Rogers. Thank you, Mr. Chairman. 
The Office of the Director of National Intelligence releasing General Clapper testified regarding this report yesterday in the Senate in the Judiciary, we all know that Russia interfered with our election, do you feel President Putin's action in this regard as a cyber attack? Again, ma'am, that's a legal policy discussion. It should be viewed as unacceptable. That's the bottom line. This is not a behavior that you want to encourage and accept nor this is a behavior that you want to see repeated. I think we all share that. How to get there is a challenge. What's your opinion and preventing these types of events in the future. So from an intelligence positive, our job is to generate insights and knowledge and helping reforms and the ability a. That policymaker and the ability to engage in operations or choices that communicated to the other party. You don't want to go down to this road. Again, if we define election infrastructure, critical infrastructure to the nation, and we are directed, I can apply capabilities proactively with some of the owners of the system. It was very clear by General Clapper yesterday that Russia will continue, we know they have been doing this since the 1960s or 70s, where they have many more tools in their tool box to interfere with our election. You are waiting for direction from the president for everyone to coordinate to stop this? I am saying, I don't have a defined mission here. No one has changed that yet. We need to do that for everybody to come together. Thank you. Services continue to increase and developing events to combat cyber attacks. How does CYBERCOM work with other combatant command to comp the cyber effects they face? I was in Honolulu two weeks ago. They're generally every six months and trying to do this with all the combatant commander around the world, face to face, where are we? Cyber Command in any way and much of what we do functions to support others. We exist to support and enable success of others. 
I tell our team much of our successes are going to be defined by others and not by us. That's the way it should be. We spent a good deal of time to meet the specific combatant commander requirements. Working of what should be, I have an opinion, we'll partner together. For example, that's what we are doing now. And in our meeting with the other combatant command, is it part of your function to encourage to make sure that we don't have unnecessary duplication of efforts across services. I try to make the argument, and therefore the same kinds of processes that we put in place to make sure we are maximizing the finite capabilities we have, we have to do the exact same thing in cyber. We know we have challenges facing military recruiters in attempting to fill and as other government agencies and the private sector trying to fill their requirements. I would like to know how important it is and continuing of education in the STEM program for americans use in order to meet the growing need of command and others. As I said, our work force is going to be a spectrum from the active, guard, reserve, of civilians and contractors. For the civilians, contractors and much of that active piece and much of that education is going to be done by the private sector. We have relationships over 200 academics. How are we going to create the human capital of the future of this. Tell me how you generate a work force and how do you retain it? It cannot be all about money. Thank you, Mr. Chairman. Thank you, Mr. Chair and Admiral Rogers. It is good to see you again. You have been on the job for two years, right? Three years, sir. Yes, sir. If you were to go back three years ago and you were in the same committee hearing, would the answers changed substantially? Where, in other words, have we made significant progress? We have capabilities and we are actually using it. We got a good way ahead and we got a commitment to that way ahead. 
The challenging now as you go through this, Admiral, if you think about looking at our near competitors, they too are two or three years further along. Is the gap wider now to defend ourselves and respond to some attack? It is narrowing. To go continuing of the point I am trying to make, I tell myself, Rogers, you are not moving fast enough. We got to move faster. We are not where I want to be. What about over the last three years of the private sector. I think we are making a huge mistake if we leave this hearing or the private sector thinks they're coming up with a solution that they benefit from. They are a part of an infrastructure that we cannot expect for it, we are the police. We have to respond when an attack occurs and trying to figure out who did it and what are the consequences. We all need to have some sort of security ourselves in our businesses and homes and states. How well have it improved the last few years? It has by sectors. Others have made improvements and others no. The analogy that I try to use, it is hard to expect police work to stop burglaries if you are leaving every one of your doors unlocked and you are going to turn all the lights on and saying not home. Feel free, that's not going to get us where we needed. How do we move the ball. We have hearing just last week or the week before, how do you get to the point where we put pressure to the private sector, not to mandate but to use as a distinguishing factor when we are choosing between one potential contractor or supplier and another one in terms of the extent that we believe they are fully protecting us as much as they can. So I think it goes to the... We need to change... Is that within current authorities? Yes, we have made some across the department and made some changes and contractual language. To what extent is your command trying to define and the discussion, I think it was a TRANSCOM. 
We are talking about meeting some sort of third party and there needs to be something out there of supplier or agency or adhere to baseline standards. To what extent is your command involved in that or who owns that? We don't do that right now but that's one of those changes that I talked about. How do we change relationships between DoD and core private capability providers and infrastructure providers and one of the things contractually looking at it. If you are doing business with us, you are signing up to the idea that we can do an assessment and we can do an inspection. We need to work our way through that. That's the kind of thing we need to think of. We have to look at the reality that they got a supplier base that of the people that we contract with, making sure they are hold their base. All find a weaker link and all you got to do is understand the chain. And in my remaining time, can you tell me a little after elevation and the dual-hat split, how do you envision of command operating and what are the priorities? Again, we are now in the scenario of what if, I don't like to get into the what-if kinds of things. Now, we need to let the process play out and see what kind of bottom line that decision makers come. I think that's fair. Thank you. I want to quickly ask about the importance of our non-military agencies and programs to your mission which include defending the United States. Our State Department promotes international norms and responsible behaviors and helping make our alliances more cyber secured and I think you have talked about that some. Counter online radicalization and recruiting by non-state actor like ISIS every day. You lead the best cyber warriors in the world. I want to ask would reduction in funding and counter radicalization problems make your job easier or harder? Tougher. I agree. I am concerned about the significant reductions to non-DoD department proposed by the administration.
These agencies provide critical support for your work and I just want to make sure that does not get overlooked. What I want to do is follow up on a question that Senator Carona asked. Last year of stolen private emails slammed all across the internet and last week the Russians did the same thing in order to help their preferred French candidate. The United States Americans need to step up its game here. I know you are a key part of that. You stated in your testimony that improving dods n defenses and building cyber security culture depends on skilled people. Admiral, let me see if I can do this the right way. We had a hearing in our military personnel committee. The military recruiting system is focused on filling quotas that they only end up recruiting for only the military today and not targeting the best suited or execute the missions that we need. Can you tell us of the recommendations that we are recruiting the right talent for cyber jobs and threats that we'll face tomorrow? My experience to date, knock on wood. I am happy of the quality of individuals. We are exceeding tension broadly on the uniform side. The thing that's helping us at the moment is this workforce views themselves as a digital warrior of the 21st century and their self images, we are the cutting edge of something brand new and every day we are shaping the future in a way that nobody else gets to do and we are doing things that nobody else on the outside gets to do. My sense is we got to focus and we got a vision and we are driving. Constantly as a leader, I am looking at what is changing and how do I get ahead of this? What are the skill sets that I need two days or five years from now? Data is one area that I want to highlight. What kind of skills do I need and do I look at civilians to do that? I am glad to hear. You are looking out and I love the focus of data and critically important here.
The 2017 Defense Department authorization giving a lot of flexibility and how to recruit. Let me just ask, do you have all the authorities you need or do we need more exceptions from federal hiring laws and other changes in the system to help you in your recruiting efforts and not just today but a year from today or a few years? Right now I feel good about military recruitment. I find the ability to hire our civilian side, we are lagging. Part of this, I tell rt, is this something we are failing to understand? Do we have a lack of knowledge of our own system and out putting our needs? I told the team that look, if we come to a conclusion that we have to ask for more authorities, guys, that's what we are doing. We got to take advantage of the willingness of this committee and department when it comes to capitol peace. I know how much you have invested in your cyber military force and the mission overall. You made enormous progress. I do hope that you will let us know and let us know more in advance rather than later. But, let us know because if you need more flexibility, you should have more flexibility. Thank you, Admiral. Thank you miss chair. Good to see you and thank you for everything. In testimony we heard this year, for at least the next decade of cyber capabilities are our most capable adversary are likely to exceed the United States ability to defend key infrastructure, do you agree with that? I said broadly and purely things we have our challenges and much of our infrastructure represents investments and decisions and priorities made decades ago. They're not reflective of the digital world we find ourselves today. The cost of replacing that fixed infrastructure is huge. It is not likely that we are going to replace all of that of the infrastructure. It is the scale and beyond the ability of our nation right now.
So you will go on defense and deterrence and detection right now from your earlier testimony and even today are we developing defensive capabilities as well? I apologize, I rather not get into the specifics. I would like to move over the question of the day and how do you stand up this force more the next few years and training is a major part as you said between 2013 and 2016 under CYBERCOM, joint staffs are supposed to come to an agreement on a joint and federated training program of the Cyber Mission Force. Can you update us on the status of this? We'll transition that model into 18 and the initial outfit if you will of the Cyber Mission Force using much of NSA's structure or schoolhouses or national lodgic schools to do much of the training associated that build out capability is due to be completed and we are on track with September 2018. The agreement is at that point responsibility for training and development and long-term sustainable force. We are on track to do that right now. Does that mean each service will be responsible in developing their own cyber warriors? Each service then often times partners, right now, there may be training in Pensacola. We get together and say given this single common standard, given this single agreed to qualification process, what's the best way across the department to make this work? What serves the best capabilities and that's the only way to maximize it. You talk about, you mentioned context and which is why you don't favor a unifying force. I get it. I am concerned of the trade-off. We are in a crisis stage right now, I think you would agree to that with our ability to detect and deter. The long-term of the idea to have the service because of the context mentioned. In the interim phase, do we have a set that maybe could counterproductive to our ability to stand up to the immediate threat?
It would be difficult to do it today, that would take a long-term investment structural, cultural changes. It is another reason why we would argue optimizing structures and mechanisms that's in place. We got to hold them accountable. Don't get me wrong. We cannot turn to them and do what you always do. There has to be accountability and oversight. I am comfortable of the approach that's going to generate of the outcome that we need. Everyone I acknowledge that we are not moving as fast as we like. I know it is the requirement, we are always in a tail chase. Hacking is the primary motive and North Korea, we saw a little bit of different attacks where they went in and start placing what I would call sleeper embedded code, whatever, for a bigger event than later. Do we see a continuing growth? Have we seen the evidence in the U.S.? You have seen every nation, and penetrating the system. They'll look to us and not just extract but study it and understand it and can they use this as a jumping-off point to get to somewhere else. One of the things you are looking for is if a system that's penetrated, has the actor manipulated change and amending the configuration so they can gain access separately now. That's one of the things you are looking for when you are trying to do. It is the full spectrum. Have we seen any evidence of that in the U.S.? Thank you. Thank you Mr. Chairman and Admiral Rogers. It is always a pleasure to see you and enjoyed your testimony as always. There has been strategic push by China to reshape the market in its favor using industrial policies backed by over 100 billion, government directed funds. With semiconductors of critical U.S. defenses, I am concerned that China poses a real threat to national security and we have a danger tool to deal with this, and within the DoD, as you know as well, NSA is a key contributor. DIA, military services and combatant commands all have a role in this process as well.
My question is considering CYBERCOM's leading role of the department, how is command posture to support perhaps significant implications of the cyber mission. So we interact on the NSA side. One of the implications for the future and again, one input I try to make to the new team that I think I need to take back and reassess this process and making sure it is optimized for the world of today. They understand our structure and the criteria of what we use is investment acceptable from a national security perspective and my concern is you are watching some nation changing the methodology trying to get around this. Do you feel of advocate resource and authorized of making the changes that we need? It is not something that the DoD at large or Cyber Command or NSA runs per se. We need to step back and ask that question myself. My gut just telling me what we need to be doing. I would like to turn back to some of the discussions what we had related to the involvement of the private sector that's involved in any kind of security operations. I know your team operated Cyber Guard over the years exercises and the most recent one you are involved in simulating attack in the Northeast and attack on Gulf oil and facilities and ports and California and all these entities, of course, are not privately owned and not part of the Department of Defense and looking at prior exercises. Of the large portion of the exercise taking place which places some inherent limitations and all those arrangements certainly is designed to protect sensitive plans and capabilities and we realize the importance of doing that. The approach may fall short in preparing participants in a real world of cyber emergency which can be catastrophic. So my question is how are you balancing the need for security with the realities of cyber threat and landscape that may assess a broad support from unclear citizens and entities.
So it is one of the reasons that we change the structure of Cyber Guard over time and try to bring more in the private sector. If you look at this scenario that you talk about that we did last year in terms of we simulated activities directed against the power grid and the east petroleum in the industry and the Gulf. We went to private companies with each of those sectors and hey, we would like for you to participate in this and what do we need to make it happen. We are increasingly going to the private sector in terms of private sector companies. I am trying to see can we create an exercise, in addition, we do tabletop exercises which are not quite, you get Cyber Guard. It is like a thousand individuals. We also do regular tabletop exercises where we talk at high levels so we can skirt some of the security aspect, classification aspects of this. Thank you everyone. Admiral Rogers, welcome back. We'll talk about Russia today and how they hack into those emails released last year. I want to touch on that. Senator Warren a few months ago, she's referring there to the intelligence community assessment of January 6th, primarily written by your agency and along with NSA and NCI. In the key judgment, the report says and we also assessed Putin and the Russian government, helping the President-elect Trump, CIA and FBI have high confidence in this judgment, NSA has moderate confidence. Could you explain the discrepancy? I call it a difference of opinion between three different organizations and in the end, I made that call. If anybody is unhappy, Mike Rogers is accountable. When I looked at all the data, I was struck by every key judgment of multiple source and multiple discipline. I was able to remove every other alternative that I can come up in my mind and well, could there be another reason to explain it.
In the case of that one particular point, it did not have the same level of sourcing and same level of multiple sources from different perspective, human intelligence. I still believe it fits in the context and agreed with the judgment. From a professional analytic perspective, I am not quite at the level you are as James Comey and did your agency take that into account? Yes, sir. Also, if you look back the last eight years of a quick rundown. The Obama administration, 2009 reset relations with Russia, six months after invaded Georgia and of 2010. 2013 was the red line fiasco in Syria when President Obama accepted Vladimir Putin. By that point, we have long been ignoring INF Treaty violations. 2015, Russia had a massive surge in Syria and continuing its efforts to block. 2016, they tumbled Aleppo, they objected numerous holding Russia to account espionage effort and they increased the amount of times of aircraft in the Arctic. President Trump promised the reverse those policies and Secretary Clinton campaigning on continuity. Thank you Mr. Chair, just to follow up on this issue of moderate confidence. Did you have a high degree of confidence to discredit one candidate and only a moderate degree of confidence? If you read the key judgment that says I concur in the report that we have high confidence in the judgment that the Russians were clearly trying to undermine our democracy and discredited us broadly. They want to specifically make sure candidate Clinton did not win and undercut her that she should have won. High confidence in that. And it was the last part in that and their judgment was they wanted candidate Trump to win. That was one of the objective. Which was the nation state views he was our most he thought that would be Russia. The cyber domain, do you view Russia as adversary they taken actions that put them in the cyber domain. I am watching them and engaging in behaviors that's of our best interest.
Do you agree of France of our neighbor ally? Yes, sir, you are aware of the report of the last few days that there were significant evidence of destabilizing the French election. That's something we should take seriously when an adversary tries to destabilize the government of an ally, would you agree? Yes, sir. The day before the election, Saturday the 6th, hacking attack against Macron. The article was about the efforts of groups in the United States to spread the hack document and in many instances before WikiLeaks was able to defend. If we should take seriously, an adversary cyber attack of democracy of an ally, should we be indifferent or concern about efforts of Americans working together with or an adversary attacking I apologize, I am not sure if I am understanding. Again, you testified the response to my question that we ought to take seriously if an adversary tries to cyber attack of an ally. If American organizations are working together with or in parallel with an adversary, as they're trying to attack the government like France, should we be indifferent to that or take it seriously? We need to be concerned. If we are concerned about that. The U.S. government should be concerned and I will introduce this article for the record. If we should be concerned of the efforts of folks in the United States to work together with or in parallel with, an adversary like Russia or attacking allies like France, where should that concern lie in government? Is it an nha matter or cyber? It depends on the specifics of the scenario. I am not trying to be dismissive, it is a complex question. I will quickly the article in for the record and there is I think there is more to come on this, if individuals or organizations of the United States were taking hacked documents from an illegal Russian hack of the French system and trying to disseminate of the French election, this is something that we should be concerned about. My first is the FBI.
Let me ask you this, there is debates of the last couple of days of a good shutdown of the United States government. Can you see any circumstances under which Cyber Command mission would be benefited by shutdown of the government of the United States? No. The number one issue that often raises with me is what we went through in 2014. Every time there is a mere hint in the media of this potentiality, I get sir, are we going to go through this again, sir, I thought they were committed to us, sir, I don't want to work in an environment where every couple years I am getting jerked around about am I going to come to work or get paid or do they value what I do? We just want to do the mission and need the support to keep moving forward. Thank you, Admiral. Senator Graham. Thank you, Admiral and thank you for your service. Director Comey said a couple of days ago, last week in hearing that I was involved in Judiciary that Russia still is interfering American politics, do you concur with that? Yes. He thought Russia had the most capability and the biggest intent and in terms of interfering of the future. Do you agree with that? Yes. Do you agree it is Democrat in the 2016 and it can be Republicans in the next election? Yes, this is about an effort against the strategic interest of every citizen in our nation? I agree with you 1,000. Yes. Do you believe that if somebody does not make them pay a price that they'll keep on doing this? Yes. I am asking and a lot of talk about this. Are you aware of any incident of collection on 2016 candidates on both sides of the aisle? Um, I am not going to get specifics of collection at large. I will say that we certainly acknowledge an accidentelection. The only way you can collect on an American citizen inside the country or if an American citizen is accidentally in a conversation with somebody that you're following. I am asking of a request to your organization, I want to know. How many of those requests did you get in 2016?
Around 2,000, 1,099. How many people can request the unmasking of American citizens? If you are an authorized recipient of intelligence, we use two criteria. The requesters must be asking this in their duties. It cannot be something that we need to know. It is number one in the execution of their official duties. Number two, the revealing of the U.S. person has to provide context and greater values for the intelligence, again, I am just curious. So again, within our government, are there ten people and groups that can do this? In terms of unmasking? To make the request? No, it is broader. If you are on the distribution foreign intelligence reporting, you can ask. Is National Security director National Security adviser? They are on distribution for most and not all. Is there a request unmasking the there is a record of whether or not you granted there is also a record of the basis of why did we say yes. We reminded every individual once we unmask the unmasking. We unmask a report that went to a particular individual. We don't unmask the report. Only individuals that are told. They are told, a reminder. Of a classification. Yes, sir. General Flynn was caught up in a conversation of the Russian ambassador, you are familiar with that story? Yes. Assuming that he did not have a warrant allowing us to collect on him. It would be a case on incident of collecting on the Russian ambassador, does it make sense? Yes, sir, we would know how that conversation is revealed or to who it would reveal to the request of your agency. If we unmasked and based on the error. You are the prim radioig right? I am not talking about warrants. I would argue probably a greater potential on the FBI side than NSA in terms of collection of U.S. persons. Okay, we can leave this FBI argue. Yes, sir. So somebody took that information that we gain through collection with Flynn and gave it to the Washington Post. Somehow it got to the media. That's a crime. That is a im.
That is a leak and that is illegal. Which is why I've gone to my workforce if I could finish, sir we do engage in this behavior and if I catch you behaving in this Mr. Chairman, for 30 additional seconds. The bottom line here, it is possible for the Congress to find out who requests unmasking of American citizens, who that information was given to, and that is possible for us to know? On the NSA side, that's part of ongoing investigation with the primary oversight committees that we're going through right now. Okay. Do you know if Susan Rice ever asked for an American citizen to be unmasked? I would have to pull the data, sir, I apologize. Thank you. Thanks, Mr. Chairman. Thank you, Admiral Rogers, for being here again, and thank you for your service. We have heard repeatedly in this room as well as yesterday with Director Clapper that the Russians will continue attacking the United States unless they are forced to pay a price. And you agree. Yes, sir. And right now, are they forced to pay a price? Certainly nothing that's changing their behavior. Nothing that's changing their behavior. And clearly nothing that will change their behavior in the future, because, to quote you, or paraphrase you, they have more to gain than to lose by continuing this kind of attack. Yes, sir. So can you recommend to us what kinds of measures should be taken? And I know you've been asked this question before, in fact you were asked when you last testified here. And you said that tools like sanctions can be an effective option, but so far the sanctions in my view are way less than they should be. You agree that sanctions can and should be increased to provide a price that the Russians so I will only say sanctions I think have proven to be an effective tool in many scenarios. I'm not going to argue that they're perfect and that they work all the time. But there will be a point where a cyber response should be appropriate. Potentially.
Although I would highlight, when we think about deterrence, because someone comes to us with cyber, we shouldn't necessarily respond in kind. We need to think more broadly. There's no question the Russians attacked this country through cyber. And would you agree that Americans who colluded or cooperated with that attack also should be held accountable? Broadly, yes. But again, now you're starting to get into a legal and policy piece and that's just not my lane in the road. Well, your lane includes defending this nation against a cyber attack. Yes, sir, but not actions against individuals. That's not well, let's talk about a group of Americans who may have colluded or cooperated with the Russians in enabling or encouraging this kind of attack. And by the way, they violated criminal laws if they did so. Wouldn't you agree they should be held accountable and that an investigation of it is appropriate and necessary? So I agree an investigation is appropriate and necessary. And if they violated the law, then yes, sir. I'm just not an attorney, I'm not a lawyer, I'm not a law enforcement individual. That's not my area of expertise. But unless they're made to pay a price as well such behavior will continue, yes, sir. And they'll be paying less of a price as well. Right. I feel like we are in a time warp here, because when you were last here, we agreed that we need a policy and a strategy, as the chairman has articulated so well, and we still don't have one. Can you tell the American people whose responsibility it is to develop that strategy and policy? So ultimately the executive branch. There's multiple components, but ultimately it's down to the executive branch. As I've said, we have a new team in place, they're working their way through this, in fairness to them. This is not a this is a complicated topic with a whole lot of complexity and nuance. I know that these discussions are ongoing. I have been a part of some of them.
I'm grateful that the team is willing to reach out and say, hey, Admiral Rogers, from your perspective, what do you see, what are you thinking about. I don't want anybody walking away thinking they're not proactively trying to grab well these tough problems. Well, I just want to conclude by stressing again that forcing the Russians to pay a price for their attack on this country requires compelling Americans who colluded or cooperated with them to pay a price, but also a strategy and policy for knowing when there is a cyber attack on this nation, when it is an act of war, that should prompt a response in the cyber domain or in other military domains. Yes, sir. And economic sanctions that also may force them to pay a price. And right now our policy of deterrence is, in my view, an abject failure. Not achieving the desired result, that is clearly true, yes, sir. Thank you. Thanks, Mr. Chairman. Thank you, Mr. Chairman. Good to see you, Admiral, thank you for your service. We have heard over and over again in multiple hearings, and I've got we've got our cyber hearing in Homeland Security tomorrow, so this is really timely for me about poor information sharing. And understanding the challenges of classified information. My staff has tried to chart the national cybersecurity structure for me. And the one thing that sticks out to me is the cyber unified coordinated group, it appears to me to be really the only place that our structure is set up under PPD-41, where the private sector entities really seem to plug into the national structure. And the interesting thing is, is this cyber unified coordinated group is supposed to be in response to a significant cyber event. That's the operative phrase. In the United Kingdom, the NCSC has real-time information on exchange of classified information on an ongoing basis.
My first question to you is, has the cyber unified coordinated group ever been called into a session, has there ever been ongoing meetings, have there been any meetings of this particular group that is laid out in PPD-41? I mean, it does interact, it does operate. I would be the first to admit, ma'am, I would have to take a question for the record as it ever physically we've participated in it. Some of the work we do virtually, we'll take an issue and do it via email and conference, videoconference. If you like, I can take that for the record. I'm trying to think, it seems like to me the Russian thing is a significant cyber event. You know, and I guess my problem with this, I know we've spent a lot of time today struggling about what our policy is. It looks like to me that we don't really have anywhere where there is an ongoing meeting, structure, that integrates the private sector into what is a pretty convoluted setup that we have right now. Could I disagree slightly, if I could? Sure. I think it's fair to say at a sector level we do have constructs that enable that to occur. But one of the things that the Russian influence points out is, we don't have a sector labeled U.S. infrastructure like we do in power, like we do in transportation. Although DHS has named election infrastructure as part of their critical infrastructure responsibility. Yes, ma'am, now. And that happened last year. Right. Maybe in response to this, hopefully we'll find out more tomorrow. But I guess it seems to me that when someone is impacting our elections, that overlooks all because if you look at this list, our national policies certainly impact chemical, commercial, communications, manufacturing, dams, everything gets impacted. I guess forget about Russia for a minute. Are you familiar with the UK model? And why aren't we oh, yes, ma'am, very much so. Why aren't we doing that, what is wrong with that? Why aren't we emulating that more? Let's look at the UK model.
They turned to their intelligence structure, GCHQ, which is NSA's equivalent, and said you have the expertise. We are going to create this National Cyber Security Centre. In fact the individual who runs it, the guy I've worked with for a long time, is a GCHQ employee. They decided in their construct they were comfortable in that. For us on the U.S. side, we have always been less comfortable with the idea, well, do you want the military or do you want the intelligence world to be the primary interface, if you will. Our UK teammates are very comfortable with that. Their view is it's about aligning the greatest expertise and capability with the private sector, and there isn't quite the same baggage of history or tradition. Because of that, on the U.S. side we've taken a very fundamental different approach. I'm hoping with this new team coming in, this is an opportunity for us to step back and say to ourselves, are we happy with the way this is working? I agree, I haven't seen your diagram, but you've heard me say for a long time, we've got to simplify the complexity of this structure to the outside world. Because if you're in the private sector and you're trying to figure out, so who am I supposed to be dealing with and why this time was it you and the last time it was that organization and the next time you're telling me you want me to go there, we have got to simplify this. Well, I'm down for that. I think that one of the curse and the blessing is how protective we are of classified information. And I understand that challenge. But boy, oh, boy, pulling this group together after a significant cyber event, there's going to be a lot of Monday morning quarterbacking over whether that information should have been shared. I can also make one point. Perfect information sharing in terms of classified in and of itself will not necessarily fix every problem.
If you look at reactions to the Russian hack, there were plenty of organizations who were provided specific insights who opted for a variety of reasons not to react in the same way. And that wasn't about classification. So I just want to make people I just don't want us to think of it as, this is the simple cure-all. And I know that's not how you're painting it. I know it's not the simple cure. That underlying disease about information sharing goes deep and it is calcified and I want to make sure we're aware of that. Yes, Senator. Thank you, Admiral. Senator Shaheen, please. Thank you, Mr. Chairman, and thank you, Admiral, for being here and for the job that you do. And just to pick up a little bit on Senator McCaskill and the issue of classified versus unclassified, the challenge with in this case the Russian hack, with so much of the information being unclassified or being classified, is that the American public doesn't know what's going on. And when the American public doesn't know what's going on on an event of this magnitude, that is a real challenge for our democracy. And I was not able to hear your testimony and the questions, obviously, because I was in another hearing, but I know that there have been a number of questions about the Russian hacking and what that means. But have you talked about what in the big picture that means? What is Russia really trying to do with the hack of our electoral system, with the hack of France, with the interference in Germany, with what they've done in many of the Balkan countries? Three primary goals, we thought. First was to undercut the United States and its proud principles of democracy, to try to send a message, hey, look, these guys are every bit as inconsistent as anybody else, look, they have pettiness, they work against each other. So to undercut our democracy. Secondly, they clearly had a preference that candidate Clinton not win. And they also wanted to ensure if she did win that she was weakened.
And then the report talks about the third objective was to try, and this is where NSA has a different confidence level than my teammates but I agree with the judgment, that the third objective was to help candidate Trump win. If you look at the activity they've done in the United States, if you look at the activity they've done in France, in Germany, they clearly are trying to help ensure that leaders they believe might be more inclined, it doesn't mean that they necessarily are, but the Russians appear to be assessing, that some leaders might be more inclined to be supportive of their positions, their views, might engage in policies more favorable from a Russian perspective. You saw that just play out in the Russian, excuse me, in the French election, where there clearly was a difference between these two candidates and their views of Russia and the things they were talking about in their campaign, if they won, what would some of their choices be in terms of national security policies for France and how that might impact the Russians. But isn't the overarching strategy not so much who the winners and losers are but it's to undermine the public confidence in a democracy and how it works? That's why I say that is a part of it. I'm sorry if I didn't make that jump on the foreign side as well. It's same thing, that is an aspect of it. Right. So just as they're engaging in a military buildup, just as they're engaging in cyber intrusions. To weaken them, to forestall their ability to respond, because there's no political consensus, because they distrust their institutions as citizens, et cetera, yes, ma'am. So I was in Poland after the Munich Security Conference, and met with a number of officials there. And some of the people that we met with suggested that they were very concerned that we hadn't responded to the Russian attack of our election system.
And one of the things that really impressed me was the person who said, you know, if you're not willing to do anything about what Russia did in the United States, intervening in your electoral system, fundamental to your democracy, how should we have any confidence that you will defend us when the Russians come after us? So what does it say to our allies that we have not been willing to take any overarching action against Russia for what they did, we haven't been willing to pass stronger sanctions, we haven't been willing to do other efforts to take action against them because of their interference. What does that say to our allies? So I can certainly understand why allies would be perplexed, if this conduct occurred, you know, why aren't we seeing x, y, or z. I certainly can understand that. One of the things we try to assure our allies is, this is one aspect of a broader strategy. It depends on the relationship. But in broad terms, you should not call into question our long term commitment, to Poland, for example, don't let there be any doubt of that. So we're more committed to Poland than we are to addressing Russia's, that's not what I said. Interference? I know that's not what you said, but it leaves open to interpretation that assumption. So thank you. Yes, ma'am. Thank you. Admiral Rogers, thank you for your testimony today. As always, we appreciate your service. And would you communicate to your colleagues our appreciation for their service also. On behalf of Chairman McCain, the hearing is adjourned.