Our friend senator king from maine and representative gallagher from wisconsin. They are joined by fellow commissioner, retired Brigadier General john c english. Professional of cybersecuritys at the u. S. Naval academy and former Deputy Director of the National Security agency. Welcome. Thank you for coming to discuss this important topic. I would like to extend my congratulations as well to Mike Gallagher and his wife anne on the recent birth of their baby girl grace. Good luck on your greatest adventure yet. I would also like to recognize former policy duress. Director Mark Montgomery who served as Deputy Director of the commission. Yearon 1652 of the fiscal ndaa established the Cyberspace Solarium Commission to study alternative strategies for the defending of the United States against malicious cyber activity. Among the strategies were cyber deterrence, persistent engagement and compliance with International Norms. The commission has produced an impressive report that advocates a combination of all three. Deterrence by denial, rapid attribution, deliberate shaping of International Norms through a glass of through aggressive diplomacy and of malicious cyber adversaries. The report also presents a number of reforms, many in legislative format for our deliberation. Of particular importance are the following recommendations. That the department of defense evaluate the size and capacity of the Cyber Mission forces, that the department of defense takes an expanded role in exercises and planning relevant to protection against Cyber Attacks of significant consequence. The department of defense and Cybersecurity Companies hunt on industrialbased networks and that the administration establish a nationals diaper National Cyber director. These are valuable contributions to a debate on how policy, programs and organizational constructs will advance the nations cybersecurity. Able toud that we were incorporate 11 of these recommendations into the withttee mark of the ndaa several additional recommendations which were unfortunately outside of our jurisdiction but were incorporated later on the floor discussion. Tooe this hearing comes late to inform the ndaa mark, three objects up the commissions study remain relevant for this committees oversight of operations and for the committees conferencing of the ndaa. Tost and foremost, i want discuss the motivations behind the Commission Recommendations and further actions detailing the establishment of a National Cyber director. How is the injuries how was the process broken today . What authorities, especially to cybere relevant action should be available to the director . How would the National Cyber director act ii director coordinates the department of defense action in response to a cybersecurity incident of significant consequence . Since its establishment, the subcommittee has focused on coordination among the relevant entities within the department of defense to assure synchronized efforts in implementing and executing their cyberspace missions. I believe the office within the secretary of defense has been particularly performing that particular oversight and coordination role. This has been accomplished without the establishment of a large bureaucracy and without creation of yet another cyber stovepipe within the dod. Ndaa, we included a provision that strengthened the principal Cyber Advisors oversight and coordination role. I also sponsored a presented a provision in the 2015 ndaa that added rentable Cyber Advisors for each Service Secretary to provide that with this critical coordination asset. The principal Cyber Advisors have a Department Advisor role while a National Cyber adviser considers a national role. There may be similarities between the functions of the principal Cyber Advisors and the National Cyber director as envisioned by this commission. I would appreciate this discussion on the similarities and is dachshund differences, and the proposed National Cyber director. Understand theto better operations the commission provided regarding the department of defense is cyber targeting. Matching the commissioners recommendations and cyber deterrence and persistent engagement. Did find the departments aspirations for persistent engagement of our adversaries to be realistic . Finally come i want to hear how the department of defense can better execute its mission to protect the nation against chinese, russian irani and and north korean Cyber Attacks. What are the capability shortfalls . What should its role be in a were Emergency Response action . Thank you for your diligent efforts in reproducing this report and for agreeing to testify before this subcommittee. Senator manchin, welcome. Senator blumenthal sat in to make sure things were working. Welcome. Do you have opening comments . Thank you very much for your die appreciate that. Thank you senator rounds. I want to welcome senator angus king and representative Mike Gallagher. Ok. Who served as cochair of the this committeeof establishing last years ndaa, and general chris who served as one of the commission members. Senator king is a distinguished member of this committee. Herbstor galler, and it of gallagher, i think him. I want to speak about the efforts of this commission, why has been successful and what we can learn for the future. Commission of this size was intended not just to educate congress, the intent is to forge a consensus on what needs to be done to fix problems the commission identifies. Too often those recommendations are too vague or difficult for congress to legislate on. The commission spent a lot of time and effort turning recommendations into actual draft legislation text. This was an immensely important decision. If you have to turn an idea into a bill, you have to think it through and the result has to be compatible with the main purpose of congress. To sure we have had these recommendations significantly, without those legislative drafts, much of the commissions work minority be collecting dust on summons shelf. Oftead, the vast majority recommendations were included in one form or another in the ndaa bills passed by the house and senate. Including significant number of this is no mean feat. Getting approval across committees for legislative amendments on the floor of the house and senate is extremely hard. Something senator king and representative gallagher no very well. Recommendations as to creation of a National Cyber director. This recommendation is not popular with the administration. Senator dachshund i also included that the proposal needed more polishing in order to be better understood with dispositions role should be. Senator king and represented gallagher took this on and in the last couple of months have produced a very good proposal which we will talk about. Firmlymission cochairs believe this position is crucial to integrating the response to all the departments and agencies who have to be involved in dealing with major Cyber Attacks. The recommendation would require reporting of all Critical Infrastructure. While it is important we do all we can to effectively respond to Cyber Threats in a timeless withoutwe must do so interrupting establish cyber threat reporting. As raking member of the resource committee, the prime example our infrastructure entities. They should still report to andr established change that intelligence should be made available to the eventual cyber director. The commissions report specifically rejected a model declaring state declaring major Cyber Attacks by assuring adversaries with an inkind response, retaliating against their Critical Infrastructure. The commissions report suggests a retaliatory doctrine of doing to an adversary was an adversary does to us is immoral and inconsistent with international law. A strategy of deterrence based on retaliation in kind as the basis of our Nuclear Deterrence that has been in place since the end of world war ii. Do not consider this strategy moral or effective. Adversarythe idea an would be deterred from hitting our Critical Infrastructure by the threat we would disable the computers of their cyber forces does not seem likely. Would bessuming we able to identify and incapacitate their cyber forces. Which i submit is an uncertainty solution. For turning two witnesses come i will close by noting that our commission has proposed on this committee has endorsed the ndaa, an exception of life of the commission. This was done for the 9 11 commission and i think it is a good idea for senator king and cosman congressman gallagher to observe how work is being implemented and revisit issues that cannot be resolved in this years budget. Thank you mr. Chairman. Thank you senator manchin. I think the best way to approach this probably since you have done a combined Opening Statement with which is in the record right now, senator king, would you like to begin . And then we will have representative gallagher and finish up with general inglis if that works in terms of how you would like to proceed . Thank you mr. Chairman. There are so many aspects of this, an Opening Statement could go on all afternoon. Im going to try hard not to make that happen. Let me make one point about the pandemic, among all the other things we have learned i think one of the most important things is that the unthinkable can happen. Haver ago, we would not contemplated where we are now with a disease we are having to deal with on a worldwide basis. So it is with a cyberattack. It seems unthinkable, the stuff of science fiction, but it can and has happened. In fact, it is happening at this very moment. Work wec purpose in the did on this commission, and i will outline how we proceeded was to be the 9 11 commission without 9 11. Avoidole purpose is to not only a cyber fast catastrophe, but i death by a thousand cyber cuts. That is what we want to talk about today. The commission, as you mentioned, was set up two years ago and the National Defense authorization act. Mission was to develop a comprehensive Cyber Security strategy for the country and recommend how it should be implemented. There were 14 members, they think part of the success of the mission depends on how it was structured. 14 members, four members of congress, and four members from the executive agencies. Six members from the private sector. Over 30 meetings, 90 of attendance at our meetings. We met in this building just downstairs over and over. Documents,reds of witnesses, and an immense amount of literature search and review of all of the ideas that could be brought before us on these subjects. I am proud to say the work of this commission was entirely nonpartisan. To this day come other than the four members of congress who wear their party labels on their idea thei have no Party Affiliation of any of the other 10 members of the commission. I can honestly say there was not a single comment, discussion or question that suggested any partisan or any kind of purchase supportive you in our commissions discussions. 400 interviews, we came up with 82 recommendations come i57 as senator manchin mentioned were turned into actual legislative language. One of the basic root principles of the report can be summarized in three words. , resilience, and response. Reorganization i think we are going to talk a lot. Secondly, resilience. How do we build up our defenses so that Cyber Attacks are ineffective . The finalists response. How do we develop a deterrence workegy that will actually particularly with a particularly with attacks below the level of use of force. We have not had a catastrophic cyber attack, probably because of the deterrence we already have in place. The problem is we are being attacked in a lower level, continuously, whether it is the theft of intellectual property, the theft of opm records of millions of american citizens, inther it is the attack 2016, that is the area where you remain vulnerable and we have not developed a deterrent policy. Wheres the deterrence . It is to shape behavior. The disputed nine benefits and to impose costs. Either we are going to spend a aboutdeal of time talking the cyber director but i want to address it briefly. The mission and the structure of the National Cyber director is almost identical of the principal cyber adviser position we have created at the department of defense. The difference is a wider scope. Just as we were preparing for the hearing, he made a quick list of seven to nine federal cyberes, all which have responsibilities outside the department of defense. For the structure of the National Cyber directors to provide a person in the administration with the status and the advisory relationship with the president to oversee this diverse and dispersed authority throughout the federal government. Create same reason we the advisor and the department of defense, we need to do it nationwide. That is the fundamental purpose we need to go into much more detail on this. The second is a testimony recently in the house by former representative mike rogers, former chair of the Intelligence Committee who confesses that he has 180 degrees changed his position on the idea of a National Cyber director from steadfast opposition to strong support. I would like to introduce both of those documents for the record with the permission of the chair. Without objection. I will end my comments now and we will be able to discuss more of the details particularly in the National Cyber director recommendation as the hearing progresses. Representative Michael Gallagher come i believe you will be joining us. Are you ready . Can you hear me . Back off a little bit. Hang on a second. We are going to bring the volume down a little. Hopefully that is better. Much. Thank you mr. Chairman. For your leadership and your kind words about my baby daughter. To Ranking Member mansion, thank you sir and to all of you all on the committee for allowing us to. I have enormous respect for this committee and the senate because before i was a member of the house i was a staffer in the senate. There was a time when i actually used to wield the real power. Thank you for letting me return to my roots. As senator king laid out, siberia Cyber Operations continue to in been what we know, the state of our defenses and adversaries intentions are a major cyberattack to Critical Infrastructure is almost something to be expected. I would say we have no choice but to hope for the best while planning for the worst. With this in mind come i would like to emphasize two of our critical proposals as we look ahead to the nda conference. King, i agree with senator on the importance of establishing a National Cyber director. This is the right balance of authority, responsibility and necessary prominence. A Senate Confirmed within the ice of the president that across the federal government in focusnion would bring the that Cyber Security desperately needs at the highest level of the federal government. Second come i would like to highlight the necessity for continuity. We need resiliency enter and redundancy in our Critical Infrastructure. I would submit the pandemic has shown not only that our economy to destruction but the potential impact of economic destruction has on americans. Wereas we thought unthinkable, so too do we need to think through the unsinkable as to how we would rapidly recover in the wake of a massive cyberattack so we have the ability to retaliate. Ill want to say that to ensure Congress Must address a number of issues that impact multiple agencies that currently Work Together to protect National Security in cyberspace. Just a few of our recommendations on that front include the institutionalizing of dod participation in publicprivate cybersecurity initiatives, establishing and funding a joint collaborative environment for sharing bread information, establishing and an integrated and integrate seven existing cyber centers. Crating a joint cyber planning office. Biennial Senior Leader cyber exercise to test our plans. Establishing authority to do Threat Hunting on all. Gov networks. All of these provisions are included in the house version of the ndaa. Perhaps our most important thing are important conclusion is that failure to act is not an option. While we have made remarkable process in a few years, the status quo is simply not getting the job done in the time to act is now. Thank you for the opportunity to testify. Representative gallagher, thank you. No return to Brigadier General retired john inglis. Thank you. Distinguished Committee Members for the opportunity to testify today. I agree with my fellow commissioners that this year has been for me an honor and opportunity of a lifetime to hear from the experts in cyber technology, policy and operations across the continuum of private and public sectors to include consideration of how both allies and adversaries approach the challenge of defining and executing a National Cyber strategy. I fully back my colleagues in supporting the overall report, recommendations, and urge you to swiftly pass the provisions that we will probably discuss in detail today. I would like to focus my opening remarks on the National Cyber director. This committee has done much to improve both the nations understanding in the militarys preparedness to deal with the challenges of cyberspace. Yet, we must do more. For military cyber power is only one of the many instruments that must be applied to achieve our aims. As you will know, cyberspace is inextricably linked to any other domain of human interest. Such that while cyber comprises both technology and the human to make use of it is an instrument of power in its own right. All other instruments of power increasingly depend on a properly functioning cyberspace for efficient and effective operation. The reverse is also true. Mainly that the proper functioning of cyberspace relies upon the effective employment of a diverse array of tools and expertise. These will sent authorities are not held by one person, one organization or sector. Into the self organize coherent fold we required to ensure cyberspace is appropriately robust against the increasing threats posed by transgressors cooperate with impunity holding cyberspace intonation at risk. A red was garys our adversaries have gone to school on us. Without regard to commonly accepted boundaries that are operated by individuals in the private sector and governments as a collective whole. Absent a consistent proactive and joint effort on our side they gives a premium to preparation, integration and collaboration, we will fall behind. States end, the united needs a leader to act as the president s advisor to cybersecurity and coordinate the federal government response. Our experience as a nation and preparing for kidnap take attacks as richly preparing improvetic attacks to the rules that other powers would play under various scenarios. We are not in the same place with respect to Cyber Attacks were the military instrument they not be the singular or supported instrument of National Power, let alone the need to consider the actions of the private sector which maintains and operates the front line of Cyber Attacks as they maintain and operate over 85 of what we know several space. To that end, there is a rough analogy to be drawn between what we are recommending here and the use ofent of defenses an advisor or the chairman of the joint chiefs of staff. Both positions are used to affect cohesion between the commanders without usurping the efficiency, execution of the Operational Authority of those commanders. While installing another player, the National Cyber director under the coordination of complex Cyber Operations could be a concern. I think it is important to note how this functions of the department of defense. Importantly, neither the principal cyber advisor or chairman of the joint chiefs of staff serve as operational commanders in their separate roles. Ensuresr advisor coherent planning for cyber capability and doctrine. Chairman ensures the testing of Combatant Commanders is coherent across cocom. And is mutually exclusive. These are useful for small deployers of forces were often outnumbered but never outmatched. Theional several cyber director would similar to the roles that are already wellestablished and very useful within the department of defense. Note thatme i would cyberspace exists inexorably in the presence of adversaries. The nature of cyberspace is where the u. S. Is challenged by adversaries who can into attack us on every front in homes, places of business and Critical Infrastructure. They meet the same essential coherence and National Strategy to find roles and responsibilities ended and the propensity to collaborate based on leadership that connect sent supports various players to a National Strategy. I would close by saying while it from the remains difficult to propose were to name the time and place adversary action will take place in cyberspace, we can be certain it will take place. A failure to warn, prepare and respond will resort in certain causes we can ill afford in a future where we are dependent on the time to act is now. I close my remarks with a thanks for promoting this hearing and an opportunity to discuss these in gray told greater detail. Thank you for your testimony. I do appreciate the work that this commission has done. You have not only started out with a whole series of proposals, but when we asked you to go back and flesh out the authorities and responsibilities of what a cyber director would look like, i appreciated the responsiveness to the commission back to the committee. It was our intent to use this information to discuss and to provide information during the reconciliation between the house and Senate Versions of the ndaa and conference. Laid out committee has what their vision is. The concern we had expressed was one that we believed the principal Cyber Advisors, as laid out within the department of defense, have allowed for technical and professional expertise to be available and deliverable to our chief executive officers immediately. With that additional expertise, they could facilitate the use of activities, where needed. The concern we had was if at the National Level you created a silo, a location where there could be authority, or responsibilities and the ability to simply have one more stop along the way in deciding before policy could be executed, that we risk making those cyber responses were challenging. The reason why i lay this out is that over the last several years we have followed what has happened at the executive branch with originally a well intended ppe 20. Ppd 20. Which was started in the previous in administration p their attempt was to find consensus. Would beber activities rolled out. Unfortunately, in doing so it became a consensus which meant that anyone of a number of different individuals could stop the Movement Forward of any cyber activity. Changed a couple of years ago with the creation of nsp on 13. National Security Policy memorandum 13, in which a clear line was laid out for the decisionmaking process on the use of cyber tools. And the availability of cyber for our fighters. The reason i lay this out is because we were able to, in coordination with the executive branch, streamline the process so we were actually able, and i would not discuss this but President Trump did share about it, 2018 and the fact that we did not have interference in our 2018 election was not by accident. It was because of the clear capabilities of men and women of Cyber Command. It was because they could execute the appropriate policy in an expeditious manner. What i dont want to have happen, is to have another layer of bureaucracy get in the way. I think you have done an excellent job in leaning out in laying out what using this would look like. I would ask all of you, would it be your intention that this cyber director be identified as more than a principal cyber advisor similar to the dod, versus having Authority Responsibility and the ability to silo those areas and create a roadblock for cyber actions in the future . Senator king . Our proposal is the antisilo. The problem is weve got cyber activities and planning and work going on throughout the federal government. The whole idea is to bring coherence and coordination to that. To your specific question, which is important, we do not propose the National Cyber director be in the chain of command for cyber actions. Command, the secretary of defense, the president to the United States. We are not talking and you use the term policy, we are not talking about adding a layer in terms of execution of policy. We are talking about adding a coordinated function to bring together the expertise throughout the federal government. I think that is a fairly important distinction. That is a valid question. As a bringing together of a coherent organization with someone at the top who has oversight and Situational Awareness of what is going on in these different agencies, but in terms of actions such as the actions you cite in the 2018 election, this person would be an advisor to the president , yes. That is what i am hoping on that i want to make it clear. I would like to have representative gallagher confer concur with that. The intent of this proposal was to build interagency integration, not to add bureaucracy. Mr. Chairman, you did a good job of laying out how far we have come in recent years on the offense of side. A lot of this starts years ago with the provisions we put in as a congress to make cyber surveillance a persistent military activity. On top of that i think the thatry values of pm 13 is that was clear authority. As my good friend senator king continually reminds me, you always want to one throat to choke. One person to keep accountable. The business of this was to provide the president with that person primarily on the defensive side. Biasly, just to assess my was to resist the creation of new agencies and physicians. Large and positions. Is actually the least bureaucratic option. When option to would be to create a separate agency entirely. Doing nothing i think is most bureaucratic because it will lead to a catastrophic cyber incident that will require the layering on of new agencies and positions. We want that cyber director to get that cyber boom by coordinating and advising the president primarily on the defensive side. I my obama nd and i am about out of time. I would speak confidently the commission would support your sense of the substance, and spirit of the National Cyber director. The National Security advisor is busy. He is not had the time to figure what our overall strategy is. Has like this committee reconciled how we think about the military, instrument of cyber power, but we asked too years ago of the nation, what is the context of the application of the military and cyber power . Is it traditional or not . Give us the expectations and let us go do it. I think we need to provide context and expert jap series we will have is a of stovepipes that is a jazz band that makes no music. Thank you mr. Chairman. To senator king and congressman gallagher, the common understanding of the way we have this 17 different intelligence agencies, we would assume every intelligence has its own cyber. I know the fbi has a cyber center for law enforcement. Dod and on. So you are saying that this one person would be gathering all of the information . If we have a credible threat to the homeland, they would all assume interact, i would , and agree that this is a valid threat . To present. Is that the way it is done now . Or, is it basically each one taking their own different direction . Other agencies have had cyber responsibilities are ferc, the department of energy, it is broad. What we are talking about is having an office, not a big office. We talked about the possibility of representative gallagher mentioned creating a new department. We thought that was too bureaucratic and would take too long. Models foreally two the position we are talking about. One is the cyber advisor in the department of defense. I think that is an almost exact analogy because it was created because there were too many parts in the department of defense. There needed to be a coordinator. The other model was the u. S. Trade Representative Office of management and budget, the drug office, and i think there is one other. The science technology, thats right. These are all president ially appointed, Senate Confirmed. Statusides them with the and the ability to have some authority and Budget Review authority as part of it, over the range of cyber involved agencies in the federal government. Whod hooted the heads of these agencies . Their report directly to the president. There is no cyber coordinator. [indiscernible] yes. One of the arguments was that this has traditionally been a position of the National Security agency as an appointed position by the National Security advisor. The problem with that is that it is at the whim. Two years ago, this position was eliminated by the then National Security advisor. That is what i that is why i am saying we should elevate this to the organizational status of requires. Person, theilitary report specifically rejected with threatening retaliation against attacking countries. [indiscernible] how do you feel this recommendation is going to be adequate to determine . Backmight go a halfstep and ask another question, the concern about whether sector specific agencies may be thwarted in the imminent and direct relation they have in terms of outcomes with their respective sectors. The commission is with you on that. We want to strengthen the sector specific agencies, and allow them as of the government to allow to continue that straight. The National Cyber director should benefit from that, take advantage of that. To your question about whether the commission believes it is appropriate or inappropriate to attack the Critical Infrastructure of other nations, i think those are more nuanced than a yes or no. We would start by first saying we believeth the United States long tested, we will follow international law. We will adhere to the Global Standards of normal behavior in 20e have attested to 15 through the offices of the state department that we wouldnt on other nations. That being said, in wartime it is a political decision. For the leadership of this nation to determine with necessary and proportionality how we the National Power we bring to bear . We shouldnt be a place for resale never say never, we just need to follow the rules of international laws. It is often a discussion that takes place with respect to the use of force, or arm to attack. What we have found is that our adversaries are operating well below that with impunity. Worktermites in the word as opposed to the flash and bedding that might be affected through kinetic weapons. We would then have to address whether our adversaries are taking inappropriate advantage complacency, or perhaps implicit tolerance of them. How do we stop that . Array ofhere ecole methods i think there are an array of methods. All of those need to be brought to bear to stop that and hold them at risk in ways that follow international law. If i could ask one final question congressman, i think in your Opening Statements you all have laid out a number of legislative recommendations. Each of thesehat recommendations you described appear in some form in either the house and or send that ndaas and they will be part of the conversation in progress concerning the ndaa . Come are theyo to in both . There were six specific recommendations i talk about that were in the house version of the ndaa, but not the senate. I brought that up to urge the senate to consider the house. I believe there is ongoing debate about continuity of the economy. I understand for various jurisdictional issues there are other recommendations that made it into neither report. About theirly good baseline of what made it into either the house for the senate and hope there is a collaborative approach and the committee process. Senator manchin come i can present to the committee a chart that exactly answers her question. There are 12 provisions in the house National Defense act that are not in the senate version. 12 in the house that are not in the senate. There are 11 and both the house and the senate. So, they match. There are six in our version that are not in the house. Altogether, weve got 29 provisions of which 11 are in dozennd more than a pending and hopefully will be resolved. Is that the problem we have . Some of those are outside their jurisdiction . These are are all close enough. They can be considered in play . They are in the bell. We hope that they can be resolved so that as many as possible you know, we all know what happens with commission reports. We were determined to not have that happen. Thats why we drafted legislation rather than just give you ideas. If we can finalize these documents in these amendments and the bill as it comes out of the conference committee, we will have done well more than half of our total recommendations. I appreciate it very much. And looking back over the numbers that i have gotten front of me, it has been great to see the number of them that were actually put into this subcommittees mark in the other three that were added on the floor. We couldnt do them because of jurisdictional issues. Walk out of the Senate Holding this spot on the thought of a National Cyber director position. I think the committee has been successful and you have done great work. To followup, i did start out when i first got out of this committee, it was interested in a National Cyber advisor or director. I came relevant. The one thing it was concerned about is that if things were starting to work, we were having Movement Forward getting things done and i was concerned we not create any silos. I am happy to hear all of you indicate the same, that is not the intention and legislation should not be there creating that. That theevidence congress has, in the past, asked for Senate Approved members to advise the president or to participate in the executive branch. I thought i would take a minute to make that point. Examples of such positions that currently exist that congress has put into law, top leaders of the office of management and budget. The controller, the office of omb, office of federal procurement policy. Policy. Of drug control top leaders of the office of science and Technology Policy including the director and associate directors. Intellectual property enforcement coordinator. Chairman, council of economic advisors. Chair and members of the council of environmental equality. United states trade tradeentative, deputy representatives, chief aquacultural negotiators, chief property negotiators. I understand a lot of the language you have put into this proposal comes from the legislation authorizing and direct the trade organization. There is a format we have followed we can look at to see whether it is successful or not in terms of advising the president. Worknk you have done your and most certainly if there is any part of it that we were concerned with, it was that we make sure that we allow what is working within Cyber Operations of the dod to continue to work and it would not create any silos. The other thing the committee talked about was the direction with regard to our activity of in cyberspace. What type of deterrence should be used . Should we be putting more emphasis on defensive activity . Making it more difficult for our adversaries to get in . I would like to take a minutes just to give you the opportunity to share a little about your thoughts regarding the operations in cyberspace. You have air, land, seas, space and cyberspace. The most expensive of any to get into his cyberspace. We have to be on top of our game. Can you share with me your thoughts about the questions and concerns your Commission Founder that you wanted to express and baby havent had the opportunity echo havent had the opportunity . One of our major recommendations, which is not before this committee but is for the creation of an assistant secretary of state for cyber because International Norms and expectations are an important part of this discussion. If we are not at the table, we can lose when they are talking about standards or whatever, this is a place where we have lost ground. That is one of our recommendations. They think what i would like to say about the deterrent issue is that there was a great deal of discussion about this. It grew for me out of many of the hearings that you and i have sat through over the past four or five years where we have not had a deterrent policy. We have been purely defensive. What we are saying is there is Everybody Knows there would be a response if there was an attack on Critical Infrastructure. The question is, what happens if attacked an attack on our elections . Because there has not been, and as you point out it is a cheap way to make war, we become a cheap date. We become an easy target. With the commission suggests is there needs to be a new declaratory policy that there will be a response. It may not be cyber, it may not be kinetic, it may be sanctions. But, there will be a response. Another wrinkle of this that is important is 85 of the target space in cyber is in the private sector. It is not the army and the air force. They will be under cyber attack, but the target spaces in the private sector. That is where we have to develop relationships. This is a whole new way of thinking. One of the ways we talk about is the intelligence agencies being able to share with the private sector what they are learning about Cyber Attacks on systems at power plants. Youre absolutely right. Deterrentsion of the idea was an essential part in a lot of discussion in the commission but we concluded there had to be some deterrent. It cant simply be defensive more difficultit cyber hygiene. All of those are important but we wanted our adversaries when contemplating a cyber attack on the United States to say, but what will they do to us . We want that to be part of the risk calculus. A formative moment for me is when we are interviewing the head of the nsa in this committee and i asked him if there was any deterrent of a foreign adversary taking these actions . To answer was, not enough change their risk calculus. Admonition andn a warning that we not only have to defend ourselves but our adversaries have to know we can waywill respond in such a as to make them regret their attack. Im going to turn it over to senator manchin. One of the commissions recommendations that was included in the senate ndaa is to have the Defense Department carefully and comprehensively assess whether the Cyber Mission forces are rightly size. We included the recommendation in our bill and it is important. Tos mission is so new we had recreate everything. Nobody knew what it would take to perform this mission were the exact mix of skills we would need to get the job done. We also realized that Cyber Command can only get after targets and clever people have to get to that target through cyberspace. If we have infrastructure in the right place to get access to it. End skills and enabling access requires a lot of smart planning by smart people. If you do not have the accesses to military targets adding more cyber units are not going to accomplish much. Examinecommission whether the Cyber Command has difficulties recruiting, training and maintaining enough people with requisite skills to generate accesses to support an expansion of the cyber forces . Did look at that National Land within the various components that constitute those who employ cyber workers within the United States federal bureaucracy. Our sense of the United StatesCyber Command as they have done a great job within the authorities they have of recruiting, training and developing for careers of the people necessary to do the work they do. Forces were those set in size in the year 2013. We are sitting there with a combined size of that force of the actual pointy end of the force about 6200, 133 teams. Sized and a time and place where our sense of how use cyber power was different. In a time it is time to review that, but to your point we need to also make sure we have done everything necessary to create a bigger pie from which recruit and focus on how you do retain those people. If i could follow up with congressman gallagher . Your commission made a recommendation that you have not emphasized and i assume it is because it did not get serious consideration. That recommendation is that we should select committees on drawn membersand from across the board. Maybe you can try again next year. If you want to comment on that, i am happy to hear. I understand the difficulties of trying to Reform Committee jurisdiction in the house and senate. We view this as a critical recommendation. It was one we spent a lot of time debating and just as we want that single point of focus within the executive branch, that person who wakes up thinking how can we defend the country . We also want a repository of legislatures that have true cyber expertise, can hold that person and the other people who work on this issue accountable, and just create a space where the executive branch and legislative branch can Work Together to keep the country safe. I understand the difficulties, but i view it as necessary and drawn from congress own history. The final thing i would say is that the forceful advocate for this proposal was my colleague in the house, congressman jim. Andman lose some jurisdiction power, but feels very strongly about this proposal. Thank you. Senator king, you may followup if you would like. I want to illustrate the difficulty of the congressional organization. I gave you the list of amendments that had been cleared. We had to get 180 clearances from both sides on multiple committees and subcommittees. How gives you a flavor of bifurcated there has to be a word fractured the congressional process is. That is something we are going to continue to work on. The analogy is the Intelligence Committee, which was created in 1976, because there was a realization that intelligence was scattered throughout the government and congress. Oneade sense to put it into set of expert hands and that is the origin of the Intelligence Committee. We think the same think should be done here and i will pursue the idea. With all the expertise you had, you had a wide range of people coming from different walks of life. What was the greatest concern we might not be able to talk about it but the greatest concern of cybersecurity and what our adversaries are trying to do to us . The vulnerability that you are or that youout agree is one highly concerning sector. I cannot identify one sector, but critical sectors that do not get enough attention is water. Our water system there is like 50,000 different Water Companies in the United States. There. Re vulnerabilities all of the financial system, the telecommunications system, electrical energy, and this is ongoing. We have talked to utility executives one of whom told us his system was attacked 3 million times a day. Jesus. 3 million times a day and that gives you the range. Banks, hundreds of thousands of times a day. This is an ongoing threat not only from state actors, but from malign actors doing ransomware, gardenvariety crooks, but also people who want to undermine our society. One specific you target we are most worried about. Our worry was we did not feel the country was adequately prepared for what could, and likely will, happen. Can i speak to that . Sure. The insidious threat is that our adversaries, whether they were criminals or nationstates, could beat one of us without garnering the attention of the rest of us. We have a situation where we have been divided and slowly being conquered one at a time. Im not going to help you patch the hole on your side of the boat. If i was stuck in the elevator with somebody, you are going to have to beat all of us to be one of us. That is using all the authorities, talents that we joined upve in a more fashion. When we execute this in a distributed fashion much like the department of defense has we know we are operating according to larger strategy consistent with larger purpose and helping whatever is to be left and right of us. That is a fundamental problem. Rounds mosthe engagements in the private sector set i like the part of government i have interaction know but i am not sure i what the Government Strategy overall is. The government is not joined up and not in a position where it can be a collaborator with me, the private sector, who is bearing the brunt of transgression after transgression. They want to be a viable partner at the same speed they enjoy on the edge they approach government. Thank you. I want to take this time to say thank you to all participants. This is critical we get this right. Today, i think there is an understanding the department of defense has a role to play with regard to coming in and working internally within the United States to defend and yet, they cannot step in unless the coordinate with homeland. Likean, but it is almost if you have archers on the outside shooting arrows in, you can work all day and trying to catch each arrow and you are talking millions of them, or you have to go after the archer. The challenges defensively and offensively how do you do that in the best way possible . Enough about how important i think it is the work you done we recognized and we do our best to incorporate what we can into the ndaa. The second piece i think we have to recognize, and i want to thank senator manchin for being here today, members were here earlier and had to leave. It is multiple meetings at the same time, but we should not leave without recognizing how far our cyber teams have come in the last few years. The way in which the general and those teams have really stood up what has been an impressive series of achievements both offensively and defensively. Yet they will tell you, it is still so much work to be done. Everything we can do to provide them with the tools they need in the correct Public Policy they need in order to do their job the better off we are going to be. Every other domain, whether sea,e talking air, land, space, depend us to protect them in cyberspace. It is the least expensive way for our adversaries to get in and do damage in any other domain. We have to Pay Attention to it and i think the work you have done is to be commended and we appreciate your time today. Senator manchin, any final thoughts . I appreciate all the work. I know this is a lot of effort you have put in and i appreciate it. Having served with senator king on until committee it has opened our eyes to concerns we have and we are good at what we do, but we could do better. Thing is i wanted to ask a question on do you see the private sector starting to harden up . Are we communicating with them well enough to let them know they have to harden up also . The answer is yes. I would include when you say the private sector also the states, the election system for example. Are they looking to us to do it for them or they understand they have to come to the table . They are very much engaged in their own processes. Ok. As i said because 85 of the target space is the private sector and the chairman in his opening remarks said we are here to defend the nation, we have got to help defend them, but they have to do their part. Yeah. Building those relationships is what we are trying to do and it is happening, but were not there yet. Thank you. Thank you very much. I would like to say thank you to our witnesses today. Senator angus king, honorable Michael Gallagher, and Brigadier General john english. Thank you to all of you for your testimony and with that the subcommittee meeting is adjourned. Thank you. [gavel banging] [indiscernible] [indiscernible] announcer we are live at the white house. Press secretary Kayleigh Mcenany was scheduled to take questions. Things are running a bit behind. You are watching live coverage on cspan. Twominute warning. [indiscernible] [camera lens shuttering] hello, everyone. Democrats failed to act in the interest of americans hardest hit by the pandemic. Amid action, President Trump stood up for every american who, through no fault of their own, needed relief. Politics as usual should find a place during this pandemic, but democrats rejected multiple clean bills to provide relief. The American People are tired of games. They seek leadership and President Trump delivered. This weekend President Trump took executive action designed to