Well, good morning. We meet in organization to protect our nation in cyber space. To begin I would like to thank Senators Rounds and Nelson for their leadership on these issues in our Cybersecurity Subcommittee. This hearing builds upon the good work they and their subcommittee have done to tackle the critical challenge of cyber. This is a that is growing more dire and more complex. Not a week passes that we don't read about some disturbing new incident. This is a totally new kind of threat, as we all know. Our adversaries, state and nonstate actors, view the entire information domain as a battle space and across it they are waging a new kind of war against us, the war involving what extending beyond our military to include our businesses and our people. The Department of Defense has a critical role to play in this new kind of war but it can't succeed alone. To be clear, we are not succeeding. We have lacked policies in the cyber domain and we still do. It is because we were trying to defeat a 21st century threat. This is true in the executive branch and frankly it is also true here in the Congress. We are failing. That's why this committee is holding today's hearing and why we have taken the unorthodox step of inviting witnesses to appear today. Our witnesses are the senior officials responsible for cyber within their respective agencies. I to wrap you on. Scott Smith for Federal Bureau of Investigation and Chris for prekts and pra director at Department of Homeland Security. Also I would also like to note the empty chair at the witness table. They invited White House cybersecurity Rob Joyce. Many of us know Mr. Joyce and respect him for his experience and expertise on cyber and many years of government service. Unfortunately, the White House decided to viet live gej after it having before Congress. I believe the issue of cyber requires us to completely rethink our old ways of doing business.
To me the empty chair before us represents a fundamental misalignment. All of our kwe answered for their part of the cyber mission. None of them accountable for addressing in its entirety. It is to make it and director governments efforts. That official is literally prohibited by legal precedent from appearing before the Congress. So when we ask who has sufficient authority to protect and defend our nation from cyber threats and who is accountable, the answer is quite literally no one. Previous administration struggled between the FBI given that no single agency has all of the authority required to protect and respond. The model created cig thif cant coop nugs of cyber attacks. We continue to seek to effacing similar challenges a number of our allies in can for example the United Kingdom recently established its cyber security center. It or ke straits num sitting side by side. Today is to have an honest and open conversation. Our concerns are not meant to be critical of our witnesses' leadership or your organizations. Our intent is to understand the kechl decon fliks to identify where and how we can improve. The last thing any of us wants is to waste precious time because everyone who rushed to the scene thought they were in charge. I thank the witnesses as we continue to assess and address our cyber challenges. Thank you very much for holding this hearing. I welcome our hearing today. Let me come in for their great leadership on the subcommittee. Cyber threat does not create jurisdictional boundaries. Each agency functions specialized laws and authorities. It established a Cyber Response Group to pull together government response but these are organizations with little continuity that come together only in response to events. I believe what is needed is an integrated organizational structure. This arrangement has precedent. The Coast Guard exercises these responsibly and enjoys from the American people.
We can't solve this problem but we would solve this problems. These taeps rise above the intersection. The team delegated gi Secretary of Defense. And there is urgency to our task. Russia attacked our election last year and the NATO alliance. The intelligence community ensures us it will attack our upcoming midterm elections. Finally, the okay. They hef it is creating the partner p ifs. He can the government must work with nechl it must be in cooperation with the private tack to have. There the and before day please proceed. Thank you members of the committee. It is an honor to discuss the roles and responsibility of Department of Defense and defending the nation from cyber attacks and significant consequence. I'm here as my roles as the assistant as ale the principal cyber adviser is in which I see it lead the coordination across the department and with our interagency partners and integrate cyber capabilities with mission assurance. I appreciate the ability to testify because these do require a government approach. DoD is developing cyber courses and capabilities to establish several missions in cyber space. Today I will focus on the mission to defend the United States and interest against high consequence cyber attacks. The department's efforts to build the cyber mission force playing a key role in playing out this mission. They are essential to the department's approach to supporting U.S. government efforts to defend the nation against significant cyber attacks. With the goal of ensuring U.S. dominance in cyber space these teams conduct operations and could deny adversaries to impose costs. The cms cyber protection teams support a broader domestic response. The forces are focused on defending DoD information networks but select teams could provide additional capacity or capability to our federal partners if and when necessary.
DoD's role in cyber space goes beyond adversary focused operations and includes identifying and mitigating our own vulnerabilities. Consistent with statutory provisions related to these efforts, we are working with our U.S. domestic partners and with foreign partners and allies to identify and mitigate cyber vulnerabilities in our networks, computers, critical DoD infrastructure and weapons systems. While DoD has made significant progress, there is more to do alongside with our other agency partners in the broader whole of government effort to protect U.S. national interests in and through cyber space. The outward focus of DoD cyber capabilities to mitigate foreign threats at points of origin complements the strengths of our interagency partners as we strive to improve resilience should a significant cyberattack occur. In accordance with law and policy during cyber incidents DoD can be called to directly support the DHS in its role as the lead for protecting, mitigating and recovering from domestic cyber incidents or the DOJ in its role as prosecuting cyber crimes. The work of our departments has resulted in increased understanding of our respective roles and responsibilities as well as authorities. Despite this, however, as a government we continue to face challenges when it comes to cyber incident response on a large scale, and it is clear we have more work to do to ensure we are ready for a significant cyber incident. We must resolve seam and gap issues among various departments, clarify thresholds for DoD assistance and identify how to best partner with the private sector to ensure a whole of nation response if and when needed. DoD has a number of efforts under way to address these challenges and to improve both our readiness and that of our interagency partners.
For instance, we are refining policies and authorities to improve the speed and flexibility to provide support and we are conducting exercises such as Cyber Guard with a range of interagency and state and local partners to improve our planning and preparations to respond to cyber attacks. Additionally, the cyber executive order 13800 signed in May will go a long way in identifying and addressing the shortfalls in our current structure. Though the department has several unique and robust capabilities, I would caution against ending the current framework and reassigning more responsibility for incident response to DoD. The reasons for this include the need for the department to maintain focus on its key mission, the longstanding tradition of not using the military for civilian functions and the importance of maintaining consistency with our other domestic response frameworks. It's also important to recognize that a significant realignment of cyber response roles and responsibilities risks diluting DoD focus on its core military mission to fight and win wars. Finally, putting DoD in a lead role for domestic cyber incidents is a departure from opened response practice in other domains in which civilian agencies have the lead responsibility for domestic emergency response efforts. It could be disruptive to establishing the critical unity of effort that's necessary for success. The federal government shouldn't maintain, should maintain the same basic structure for responding to all other natural emergencies, whether natural disasters or cyberattacks. There is still work to be done, both within the department and with federal departments to improve efforts in cyber space. I am in the process of reinvigorating the role of the cyber adviser and clarifying the lines of accountability and authority in cyber and better integrating and communicating DoD cyber space strategy, plans and train and equip functions.
We'll also update our strategies on key cyber issues such as deterrence and translating the guidance into capabilities, forces and operations that will maintain our superiority in this domain. The department is also working to ensure that several strategic initiatives it is undertaking come to fruition, including the elevation of U.S. Cyber Command, the implementation of the cyber executive order, initiating the cyber excepted service program and rationalizing the department's cyber budget investments. Our relationship with Congress is critical to everything we are doing to defend the nation from high consequence cyberattacks. I am grateful for Congress's strong support and interest in these issues, and I look forward to your questions and working with you and your staffs going forward. Thank you. Thank you, Mr. Chairman and the committee. As the committee is aware, the frequency and sophistication of cyberattacks on our nation have increased dramatically in the past decade and only look to be growing. There are significant challenges. The cyber domain is unique, constantly shifting, changing and evolving. But progress has been made in improving structures and collaboration in innovation. But more can be done. Staying ahead of today's threats requires a different mindset than in the past. The scale, scope and complexity of today's threats and the digital domain is unlike anything we've experienced. Traditional approaches and mindsets are no longer suited to coping with the speed and volatility and complexity of the new digital domain. We have to include the digital domain as part of the threat ecosystem instead of separating it as a mechanical machine. This new era, often called the fourth industrial revolution, requires the FBI to rapidly assign, align and engage empowered networked teams who are purpose driven and have fierce and unrelenting resolve to win. What does this all mean? What are we doing to meet and stay ahead of the new digital domain?
Attribute, predict, impose consequences. That's where the FBI's cyber mission is going. The FBI's Cyber Division and program is structured to address a lot of these unique set of challenges. In the field, the FBI is made up of 56 different field offices spanning all 50 states and U.S. territories, each with a cyber squad and each developing multiagency cyber task forces which brings together technically proficient investigators, analysts, computer scientists from local, state and federal organizations. At FBI headquarters, in addition to the field resources, Cyber Division offers program management and coordination and more technically advanced responders in our cyber action teams. The CAT teams are elite cyber rapid response force, is on call and prepared to deploy globally in response to significant cyber incidents. Additionally, at FBI headquarters, we manage CyWatch, a 24-hour watch center which provides continuous connectivity to interagency partners in an effort to facilitate information sharing and real-time incident management and tracking, ensuring all agencies are coordinating. In addition to these cyber specific resources, the FBI has other technical assets that can be utilized in the event of cyber incidents. These include our Operational Technology Division, the Regional Computer Forensic Laboratory programs, and the Critical Incident Response Group. Providing additional expertise and capabilities and resources that the FBI can leverage at a cyber incident. Partnerships is absolutely a key and focus area for the FBI. We rely on a robust international presence to supplement our domestic footprint. Through cyber assistant legal attaches, the FBI embeds cyber assistants with international counterparts in 18 key locations across the globe. The FBI also relies upon private sector partnerships, InfraGard, Domestic Security Alliance to name a few.
Building capacity at home and abroad through training, investigations and joint operations is where we are applying our efforts. Incident response, the FBI has the capability to quickly respond to cyber incidents across the country and scale its response to the specific incident utilizing all its resources throughout the field, headquarters, and abroad. We have the ability to galvanize and direct all the available cyber resources instantaneously. Utilizing dual authorities, as domestic law enforcement organization and a member of the U.S. intelligence community, the FBI works closely with interagency partners within a whole of government effort to countering cyber threats. The FBI conducts its cyber mission with the goal of imposing costs and consequence on the adversary. Though we would like to arrest every cyber criminal, we recognize indictments are just one tool in a suite of options that are available to U.S. government when deciding how best to approach this complex cyber threat. The FBI understands the importance of being coherently joint with and will continue to find ways to work with interagency partners in responding to cyber incidents. We look forward to expanding our partnerships with Cyber Command, given their new and unique capabilities and with the National Guard's new cyber program, in complementing our field offices and cyber task forces. All within the confines of current laws, authorities, and expectations of the American people. We at the FBI appreciate this committee's efforts in making cyber threat a focus and committing to improving how we can work together to better defend our nation, and we also look forward to discussing these issues in greater detail and answering any questions that you may have. Thank you, Mr. Chairman. Thank you, Mr. Smith. Mr. Krebs. Chairman McCain, Ranking Member Reed and members of the committee, thank you for the opportunity to appear before you today.
In my current role performing the duties of the undersecretary for the National Protection and Programs Directorate, I secure and defend our federal networks and facilities. Manage risk to critical infrastructure and improve cyber and physical security practices across our nation. This is a timely hearing. During December or October we recognized National Cybersecurity Awareness Month, a time to focus on how cybersecurity is a shared responsibility that affects every business, organization and American and is one of the most significant and strategic risks to the United States. To address this risk as a nation we've worked together to develop the much needed policies, authorities and capabilities across the interagency with state, local and international partners and in coordination with the private sector. Department of Defense's Eligible Receiver exercise laid bare our vulnerabilities, initiating a cross-government journey to respond to the growing threat. Over the ensuing 20 years through a series of orders and documents culminating with executive order 13800 we've established an increasingly defined policy foundation for the cyber mission space. Roles and responsibilities have been further bolstered by bipartisan legislation providing the executive branch, in particular DHS, much needed authorities to protect federal and critical infrastructure networks. We can further solidify DHS's role by giving the organization a name that clearly reflects our mission. Building on the policies and authorities the department continues to develop the operational capabilities to protect our networks. Today, the National Cybersecurity and Communications Integration Center is the center of gravity for DHS's cybersecurity operations. We monitor a federal civilian enterprise wide risk picture that allows us to manage risk across the .gov. It brings together partners to share classified and unclassified threat information and coordinate response efforts.
Partners that include representatives from the critical infrastructure community. Governments, sector specific liaisons. Intelligence community personnel, law enforcement partners such as the FBI, and liaisons from each of the cyber centers including U.S. Cyber Command. They all sit with one another. We know we can't stop here and need to accelerate efforts to develop scalable solutions to manage systemic cybersecurity risk across the nation's infrastructure. Last year's Presidential Policy Directive 41 further clarified roles and set forth principles for the federal government's response to cyber incidents including formalizing the Cyber Response Group and Cyber Unified Coordination Group. It also required the department to update the National Cyber Incident Response Plan which was completed last January. Updating the NCIRP in partnership with industry and state and local partners was a critical step in cementing our shared responsibility. It defines the role and responsibilities of all stakeholders during a cyber incident. Second, identifies the capability required to respond to a significant cyber incident and third it describes the way our federal government will coordinate activities with those affected by a cyber incident. However, our focus going forward is to build on this with multistakeholder operational plans and incident response playbooks. Then we must train and exercise to the plans in order to identify and address the seams and gaps that may exist. We are building on our cyber mission workforce within the framework of the NCIRP with our hunt and incident response teams that exercise the tenets of the NCIRP each day. We work across the stakeholders to accomplish this mission. In some cases DHS teams are augmented with FBI and DoD personnel to provide a more robust and coordinated response. This model of collaboration and cross-agency cooperation will continue, taking advantage of the respective strengths of each agency.
To ensure we are focused on the mission that you, Congress, have tasked us with we are prioritized filling all open cyber positions at DHS. Cross-training our workforce on incident response and creating a cyber incident response search capacity force that can rise to meet any demand. Before I close, I would like to add one last but critical element. The cyber defense mission is much broader than just response. It also encompasses preparedness and resilience and we must continually assess and improve our cybersecurity posture against the latest threats. Denying our adversaries opportunities to wreak havoc. Finally I'd like to reinforce that we have made significant progress since Eligible Receiver yet there is no question we have more to do. We must do it with a never seen before sense of urgency. We're taking actions to improve our response capabilities and become more resilient. Thank you for the opportunity to testify. I look forward to any questions you may have. Thank you, Mr. Krebs. I thank the witnesses. I am sure you can see that chart over there. Charts are always interesting, but this one we are going to need someone to translate for us because it's, it's an example, I think an accurate one, of the difference, of the differences in authorities and responsibilities, none of which seem to have an overall coordinating office or individual. And, of course, Mr. Joyce's absence here, whose job it is to do all this, is an example, frankly, of the disarray in which this whole issue rests. And Mr. Rapuano, you said it wasn't the Department of Defense's responsibility. Suppose the Russians were able to affect the outcome of the last election. Wouldn't that fall under their responsibility and authority to some degree, the Department of Defense, if they're able to destroy the fundamental of democracy, which would be to change the outcome of an election? Mr.
Chairman, specifically the issues associated with protecting elections from cyber incursion. So you are saying cyber incursion is not something that requires the Department of Defense to be engaged in. Is that correct? No, Mr. Chairman. I was simply saying that, based on the state of the state authorities and the state control of the election process in each state, there are issues associated with federal authorities to engage. So those issues could be corrected by legislation. They're not engraved in tablets. Okay? So for you to sit there and say, well, but it's not the Department of Defense's responsibility. It is. To defend the nation, a very fundamental of our, the reason why we are here is because of free and fair elections. If you can change the outcome of an election, that has consequences far more serious than a physical attack. So I am in fundamental disagreement with you about requirements of the Department of Defense to defend the fundamental of this nation which is a free and fair election, which we all know the Russians tried to affect the outcome. Whether they did or not is a matter of opinion. I don't think so. But for you to shuffle off this, oh, well, it's not an attack. It is an attack of enormous proportions. If you can change the outcome of an election, what's the constitution and our way of life all about? I think Senator Rounds will be much more articulate on that issue. One, I disagree with your assessment. And one of the reasons why we have been so frustrated is exactly what you just said. That, well, it's not the Department of Defense's job. It's the Department of Defense's job to defend this nation. That's why it's called the Department of Defense. Mr. Krebs, numerous experts over the past few years have highlighted the need for dramatic change.
According to the presidential Commission on Enhancing National Cybersecurity, and I quote, the current leadership and organizational construct for cybersecurity within the federal government is not commensurate with the challenges of securing the digital economy and supporting the national and economic security of the United States. General Keith Alexander, one of the most respected men in the world, said before this full committee in March, quote, when we talk to the different agencies, they don't understand the roles and responsibilities. When you ask each of them who is defending what, you get a different answer. Admiral Jim Stavridis. There needs to be a voice in the cabinet focusing on cyber. Obviously there is supposedly one there, but he is not appearing before this committee. And that diminishes our ability to carry out our responsibilities. The list goes on and on. January 2017, Center for Strategic and International Studies task force simply concluded, quote, we must consider how to organize the United States to defend cyber space and that if DHS is not able to step up its game we should consider the creation of a new cybersecurity agency. The list goes on. I would like your responses to these assessments ranging from a presidential commission to General Keith Alexander to the Atlantic Council to the Center for Strategic and International Studies task force. All of them are saying the same thing, gentlemen. All of them are saying exactly the same thing. And I look forward to getting a translator who can show us what this chart means. I will be glad to hear your responses. Secretary Rapuano. Mr. Chairman, I would say just on the issue of the election process, the department is clearly there to support the response or the mitigation of potential threats to our electoral process.
It's simply that, when you look at the separation of authorities between state and local governments, the lead for that coordination and support in our current system is DHS. We provide defense support to civil authorities as requested to support those needs and requirements. That obviously assumes that the Department of Homeland Security has the capabilities and the authority in order to carry out that requirement. Whereas, this cyber is warfare. Cyber is warfare. Cyber is an attempt to destroy a democracy. That's what Mr. Putin is all about. So to somehow shuffle that off onto the Department of Homeland Security. This goes back to this problem with this organizational chart. So I steadfastly reject your shuffling off the responsibilities of cyber over to the Department of Homeland Security, and we have included in the NDAA a requirement for you to do so. Mr. Smith, you want to respond? Or Mr. Krebs. Sir, I am happy to. Fundamentally this is a complex and challenging operational environment. Every one of the agencies represented here at the table today, as you see in the bubble chart as it's called, has a unique contribution across the ecosystem. Without coordination. Sir, I would, I would suggest that we are getting there, that we're working on the coordination. PPD 41, the Cyber Response Group and Coordination Group provide a foundation under which we can coordinate. We work closely with Mr. Joyce and the National Security Council. However, from an operational perspective I think the Department of Homeland Security and I in my role as undersecretary have the direction and authorities I need to move out. Now, the question is whether are we winning or losing? Sir, this is a battle that is going to be going on for many years. We are still trying to get our arms around it. I repeat my question, are we winning or losing? Sir, it's hard to assess. I would say we are fighting the battle every day. We are working with the private sector.
It is a complex environment and I look forward to working with the Congress. Do you know that for eight years we have been trying to get a policy, for eight years we have been trying to get a strategy. For eight years we have been trying to get something besides this convoluted chart? You know that? Yes, sir. I have been in my role for eight weeks. I understand your frustration. I, I share your frustration. I think we have a lot of work to do. This is going to require both the executive branch and Congress working together to continue understanding exactly how we need to address the threat. When a coordinator doesn't show up for a hearing, that's not an encouraging sign. Senator Reed. I wish you would consider a subpoena to get the main witness. I think that has to be discussed in the committee. Thank you, Mr. Chairman. Thank you, gentlemen, for your testimony. The chairman has raised the issue of Russian involvement in the last election, but our intelligence community essentially assured us that they are going to come back and with more brio or whatever the term is. Have you been told to prepare for that, Mr. Rapuano, has the Defense Department given directions to coordinate to take all steps to advise the administration on what you can do to prevent, preempt or to respond to a Russian intrusions in 18? Senator, I am not aware of a specific direction in terms of a specific task associated with the election process. We are engaging on a routine basis with DHS and the rest of the interagency community to develop priorities and consider responses as well as mitigation measures, as I tried to note earlier. The competing authorities associated with the electoral process really do call for a thoughtful orchestration of how we would direct and task and engage with those state and local authorities. It really does need to be coordinated because each agency brings something different.
There is a private sector component because most states get very significant support in terms of their electoral systems from a private entities, so we are certainly engaged in the process, and we are certainly available to support. But you haven't been directed to start actively planning and coordinating with respect to the election specifically. No, not to my knowledge. Mr. Smith, have you in your agency, the FBI, been told to begin coordinating with respect to the 2018 election in terms of interrupting, preempting, responding to Russian intrusions which the intelligence community practically assures us will happen? Yes. You have been. Yes. Can you describe what you've been doing in general terms. In general terms, sir, we have not stopped since the last election. Coordinating and keeping together an election fusion cell which is jointly located at Hoover Building and working with our interagency partners not only on what had transpired and getting deeper on that but also working forward as to what may come towards us in the upcoming midterms and 2018 election cycles. So we are actively engaged, both with outreach in the communities and with the DHS and their election task force along with every field office has a designated election crimes coordinator who is on the ground out there in the event of any information coming towards us or any incidents that we would need to be aware of and react to. Thank you. Mr. Krebs, the same question basically. Sir, absolutely. I will tell you this. I didn't need anybody to tell me to stand up a task force or anything. The first thing I did when I came in eight weeks ago was assess the state of the election infrastructure, activities under way at the Department of Homeland Security and establish an election security task force which brings together all the components under me, within NPPD and works closely with the intelligence and analysis component within DHS as well as FBI and the other interagency partners.
I think we made progress here. There is a lot more to do, as Director Smith mentioned. We are not just thinking about 18, we are thinking about the gubernatorial elections coming up in a few weeks. Last week we worked with 27 states, the Election Assistance Commission and established the government coordinating council, a body under which all the state election officials can come together and understand, provide a foundation to which coordinate security practices, share information. We are issuing security clearances to a number of election officials and in a matter of weeks we'll establish a sector coordinating council to bring the cyber elements to provide the systems, technologies and supports. I think there is still a lot to be done. We certainly have work ahead of us and there is no question they're going to come back. And we're going to be fighting them every day. Yes, sir. You mentioned several times the need to engage the private sector. And that's a challenge. And in fact, it might be more important in this context than in any other quasi military context since they lead, you know, the, whereas in other areas like missiles, bombers and vehicles, it's the government more than the private sector. But just quickly. Some of the things that we have to consider are sort of not the responsibility of this committee but legislation that Senator McCain and I sponsor in the SEC so they'd have to designate if they have a cybersecurity expert on the board or why not as a way to disclose to shareholders and provide an incentive for them to be more keyed into cyber. And using insurance to incentivize. Without that, I don't think we're going to get the kind of buy-in. Very briefly because my time has expired. Where are we in terms of private engagement? The threshold or some engagement or it's still a so, I actually came out of the private sector. I spent the last several years in a major technology company.
So i have a unique understanding i think of what it takes on the private sector side as well as working in government. We do have a number of private sector representatives within our organization and we have authorities for coordinating with the Critical Infrastructure community. There is a lot of work ahead of us. We need to better refine our Value Proposition to get more companies to come in and share information with us, but we have a unique Liability Protection capability. One thing i think that will enable our advancement as i mentioned in the opening, i need a name change. I need to be able to tell my customer set what i do. The National Protections and program directate doesnt tell people anything. I need to clearly communicate what i do on a daily basis. You tell us the title you want besides president. Cyber yeah. Well get you a tshirt too. [ laughter ] thank you, mr. Chairman. The three of you can relax, because what i am going to address is to the empty chair. And i know that this message will get through. It has to do with section 881 and 886. There are some provisions in the senates version of the ndaa, specifically those sections, that have raised concerns among the Software Developers critical to our national defense. The purpose of these provisions are to make available to the public some public the source code and proprietary data thats used by the department of defense. I would like to submit for the record numerous letters, which i will do in a moment and documents from industry stakeholders that share my concerns with this language. While i understand the goals and intentions of the legislation, it creates some unintended consequences and impacts, such as limit the software choices available to dot to serve the war fighter. Increased costs to the department of defense by compromising proprietary nature of software or and limiting contractor options and potentially aid u. S. 
Adversaries and threaten dod cybersecurity by sharing dod source code by placing in a public repository. And also reducing competitiveness of the American Software and Technology Companies by opening the Software Contractors intellectual property and code to the public repository. As we progress into the conference report, i would like to i look forward to, working with the Senate Armed Services committee on a way forward on this topic and recommend that we study this issue prior to instituting new legislation. This is a provision is in the senate provision senate bill, not in the house bill. I would ask unanimous consent to include in the record the documents from stakeholders, mr. Chairman. Without objection. Thank you. I wouldnt exactly say the three of you should relax, but i will address more directly, not only to the empty chair but to general mcmaster, general kelly, to the Vice President and to the president. Did you realize that you handed out a chart that is five years old . The date on this chart is january of 2013. I mean, why in the world . That by the way, senator rounds is saying acknowledging this. I want to say what a pleasure it has been to deal with senator rounds as the two leaders of the cyber subcommittee. I can tell you, we are alarmed. You heard the alarm in the voice of the chairman. Can we stipulate here that state election apparatuses, state election databases, can we stipulate that that is Critical Infrastructure . Sir, i we have made that the department of Homeland Security has made that designation. Good. I have an election infrastructure subsection, sir. Good. Therefore, a tampering or a changing or an interfering with state election databases, being Critical Infrastructure, would in fact be an attack upon our country. Can we stipulate that that would be the case . Why is there silence . Let the record show there was silence. Wow. So, do you realize that you can change could i just yes. 
Could i, in deference to the witnesses, they are not the ones who thats why i am referring my comments not only to the empty chair but to the people behind that empty chair, which is the National Security council adviser, general mcmaster, the fellow who runs the white house staff, general kelly, both of whom i have the highest respect and esteem for. And ultimately the Vice President and the president. And i would just i would go back and listen, i would i would defer to the intensity of the chairmans remarks, both in his opening remarks and his question. You mess around with our election apparatus, and it is an attack on our country. And so, let me give you an example. It doesnt even have to be that the russians come in or the chinese or some third party thats not a nationstate. We already know that theyre in 20 of our states. We know that from the reports that have been in the newspaper from the Intelligence Community. All you have to do is go into certain precincts. You dont even have to change the outcome of the actual vote count. You could just eliminate every tenth registrant, every tenth registered voter. So when mr. Jones shows up on election day to vote, i am sorry, mr. Jones, you are not a registered voter. You multiply that, every tenth voter, you have absolute chaos in the election. On top of it, you have the long lines that result. And as a result of that, people are discouraged from voting. Because they cant wait in the long line. And so forth and so on. Now, this is this is the ultimate threat. I have said so many times in this committee, Vladimir Putin cant beat us on the land, in the air, on the sea, under the sea or in space, but he can beat us in cyber. And to hand out a five-year-old dated chart as to how were going to fix this situation just is totally, totally insufficient. I rest my case, mr. Chairman. And i wish you would consider a subpoena. Would the witnesses desire to respond to that diatribe . That eloquent diatribe. 
That eloquent one of the most historic statements in the history of this committee. Go ahead. Please. Mr. Chairman, i would say just in terms of the department of defenses role, it is important to note that the National Guard, in a number of states, on the authority of the governors, train cyber capable forces are assisting those states and theyre addressing, identifying vulnerabilities and mitigating the vulnerabilities. Element of them are part of the Cyber Mission force. And we certainly view, quite appropriate, the governor tasking them under state authority versus the department of defense attempting to insert itself into a process without directly being requested. Could i just say, sir, again, we are appreciative of what the guard is doing. We are appreciative of what local authorities are doing. We are appreciative of what all these different agencies are doing, but we see no coordination and no policy and no strategy. And when you are ready to give that to us, we would be eager to hear about it. Senator fischer. Thank you, mr. Chairman. Those are hard acts to follow. Your diatribes. But i would like to focus on Something Else now with regards to response. Gentlemen, one of the things that admiral rogers has emphasized is the need to move quicker across the board. Faster threat detection, faster decisionmaking and faster responses. So mr. Krebs, can you walk us through the process by which an organization and operator of a piece of Critical Infrastructure, for example, would reach out to you for help. I know they first have to detect the threat, and that can take some time, but what does the process look like once they contact you . How long does it take to begin working with them, and are there legal agreements that must be in place before a Response Team could operate on their network . Maam, thank you for the question. There are, of course, a number of ways that a victim can discover they have been breached or they have some sort of intrusion. 
And thats working whether with the Intelligence Community or the fbi could notify them or the department of Homeland Security could inform them or, of course, one of their private sector vendors could discover an actor on their networks. Now, how they reach out. There are a number of ways as well. They can email us, call us, we have local official cybersecurity advisers throughout the region. Protective security advisers. They could also contact the fbi. Once we are aware of an incident, we will then do an intake process, and every every incident will be different. Thats a truism here. Every incident could be different. In terms of timing, it all depends on what the situation is, what kind of information they want to provide, we do have to work through a legal agreement just to, for instance, get on their networks and install government equipment and take a look. That can take time. It can depend, of course, on the legal back and forth as hours or even days. But i would view this as a kind of an elastic spectrum. It could take were talking hours, it could take a couple of days to a week. It all depends on the nature of the breach. If you determine that dod has to be involved in the response as part of that team, i assume thats going to take more time, then . And that decision currently rests with the president. Is that correct . Maam, actually we do a fair amount of coordination with the department of defense. We do a crosstraining with an Incident Response matters. As i mentioned before, we have blended teams that go out to the field for investigations that can be fbi or dod assets. In terms of the decisionmaking process, we do have agreements in place. We have an understanding in place that we dont necessarily have to go to the president. We dont actually have to go to the secretary level. There are sublevel understandings that we are able to use each others resources. And thats agreements would also cover what types of military assistance will be needed . 
It is its a support function. But it would typically were talking personnel. Mr. Rapuano, did i say your name i messed it up. Rapuano. Okay. Are there concepts of operations that define the specific requirements that dod forces could be asked to fulfill and prioritize as assets or sectors that should be defended from cyberattack, if we were going to have a highend conflict . So the focus of the domestic response capabilities, defense support to civil authorities when it comes to cyber are those defensive, those protection teams out of the Cyber Mission force. And those are skilled practitioners who understand the forensics issues, the identification of the challenges of types of malware and approaches to removing the malware from the systems. As mr. Krebs noted, the defense support to civil authorities process is a direct request for assistance from dhs to the department. And we have authorities all the way down to cocom commanders, specifically Cyber Command, admiral rogers has the authority in a number of areas to directly task those assets. It then comes up to me and for certain areas the secretary requires his approval. But most of these things are can be done at lower levels, and we have provided that assistance previously to dhs. So do you have that policy guidance in place if there is a if there is a highend conflict, is it a first come first served . Do you have a way that you can prioritize how you are going to respond . Is that in place now . Absolutely. So a highend conflict for which we are receiving Cyber Attacks and threats in terms of against our capabilities to project power, for example, would be an utmost priority for the department. As well as attacks against the dod information system. If we cant communicate internally, we cant defend the nation. Those are the equivalent of heart, brain, lung function dod equities and capabilities that we prioritize. 
We have resources that are available unless tapped by those upper most priorities, and then it becomes hard decision times in terms of do we apply assets for domestic and Critical Infrastructure protection, for example, or to protection of the dod n or other dod capabilities. Thank you. On behalf of chairman mccain, i recognize senator shaheen. Thank you, senator reed and thank you to our witnesses for being here this morning. I share the frustration that you are hearing from everyone on this committee about decisions that have not been made, actually, with respect to Cyber Threats affecting our nation. One example is the use of kasperskys labs Antivirus Software on u. S. Government systems. Kaspersky lab has reported links to russian intelligence, and its base in moscow subjects client data to the kremlins intrusive surveillance and interception laws. We just had a recent report of kasperskys role in a successful russian Cyber Operation to steal classified information from an nsa employees home computer. And yet they remained on the list of approved software for way too long. Now, this committee put an amendment in the ndaa that would have prohibited the use of that software by the department of defense, and i am pleased that finally we have seen the Administration Act on that. But i think it really raises the question of how we got to this point. So what standards were used in approving Kaspersky Lab as an appropriate choice to fill the u. S. Governments Antivirus Protection needs . Does the government vet the origins and foreign business dealings of cybersecurity firms and Software Companies before these products are used in our systems, and are Companies Looking to contract with the u. S. Government required to disclose all of their foreign subcontractors as well as their work and dealings with Foreign Governments who may be a threat to the United States . So i will throw those questions out to whomever would like to answer them. 
Maam, thank you for the question. As you know, the binding operational directive that we issued several weeks ago just over a month now, 30-some-odd days ago, required federal civilian agencies to identify kaspersky products, if they have them, then a plan to implement and then over 90 days. So what that tells me is that we still have a lot of work to do in terms of the processes that are in place to assess Technology Products that are on the civilian i agree. Thats why i am asking those questions. I dont mean to interrupt but i have limited time. What i would like to know is what you can tell me about what standards we use, how do we vet those kinds of products and how do we ensure that we dont have another case of kaspersky being used in our sensitive Government Systems . If i may suggest, i would like to come back with the General Services administration to take a look at that with you and give you a more detailed briefing on how we do that. Thank you, i would appreciate that. Also, mr. Rapuano, i appreciate your taking some time this morning to spend a few minutes with me to talk about the hewlett-packard enterprise that allowed a Russia Defense agency to view a source. Can you tell me, is the disclosure of our source codes to other entities a usual way of doing business . How did that happen . Senator, the details on that, as i share with you this morning, we are working on that. Our cio is leading the effort with hpe on arcsight, i get you Additional Details with regard to our procedures. We have a layered approach. We can follow up with the details for you. Well, thank you. I appreciate that. That was a rhetorical question to raise the point, again, that i have serious concerns about the attention that we are paying to these kinds of issues. 
And in april dods Logistics Agency said that and i quote hp arcsight software and hardware are so embedded, end quote, that it could not consider other competitors, quote, absence an overhaul of the current it infrastructure. Do you believe that thats whats required . And how are we ever going to address any of these problems if we say we cant take action because it would create a problem in responding throughout other areas where we do business . Again, i appreciate that you are going to respond to the concerns that i laid out, including that one, at a later time. I am almost out of time, but i just had one question for you, mr. Krebs. That is, on this notice of this hearing, you are listed as performing the duties of the undersecretary for the National Protection and programs directorate. You said you have been on the job for eight weeks. What does that mean . Yes, maam. Thank you for the question. I have actually been with the Department Since march 2017 where i was a senior counselor to general kelly. He moved to the white house, of course, and soon after that i was appointed by the president to be the assistant secretary for infrastructure protection. In the meantime we do have an open vacancy at the undersecretary position. So as the senior official within the National Protection and programs directorate i am the senior official performing the duties of the undersecretary. Okay. Tell me what your current title is. In addition to having that as part of your responsibilities. The senior official performing the duties of the undersecretary no. Thats whats on here. The actual title. Assistant secretary for infrastructure protection. Thank you. Thats what i have been appointed. Yes, maam. Thank you, mr. Chairman. Thank you. Senator rounds, i want to thank you and senator nelson for the outstanding work you are doing, the cyber subcommittee. Its been incredibly important and very helpful. Thank you. Thank you, mr. Chairman. 
And i just let me just share with you my appreciation for you and the Ranking Member for elevating this particular discussion to the full committee status. Senator nelson has been great to work with, and i appreciate the bipartisan way in which he has approached this issue. And i wish we had the same type of cooperation this morning with mr. Joyce coming to visit with us. I personally did not see this as an adversarial discussion today. I saw this as one in which we could begin in a cooperative effort the discussion about how we take care of the seams that actually we believe exist between the different agencies responsible for the protection of the Cyber Systems within our country. And i just wanted to just kind of bring this out. This particular chart, i believe senator alexander indicated that there were over seven general alexander indicated that there were 75 different revisions to this particular chart when it was created. Let me just, to clear the record, do any of you have a more updated chart than the one thats been provided today . No . No. Okay. Second and i for the record, that was done in 2013. And yet, at the same time, i just for mr. Krebs, i just let me just ask. As i understand it, dhs is responsible for the protection of some but not all of the Critical Infrastructure within the United States. I believe i am correct in my understanding that, when it comes to the Energy Sector the department of energy is the lead agency. Is that correct, sir . Yes, sir, that is correct. Where does it fit in the chart . So, in the column here in the middle, protect Critical Infrastructure, there is an updated piece of policy surrounding this. I mentioned in my Opening Statement there is a progressive policy arc. This was a snapshot in time 2013. The general muscle movements hold. We do have an updated chart . I may have Something Better than a chart. I have a plan and a policy around it. 
Ppd41 and the ncirp which lay out the responsibilities of our respective organizations. All of you are working on the same level as mr. Krebs has described here with the information that he has . A yes or a no would be appropriate. Yes, senator. Yes. Thank you. And i appreciate that, because but really what bothered me is that this thing had not been updated or you had not been working on anything since 2013 with all the changes that have occurred. Let me ask quickly. I am curious. It would seem to me that there is no doubt there are three types of barriers that we need to overcome in order to strengthen the collective Cyber Defense of the nation. Legal organization and cultural. Have any of you identified legislative hurdles that restrict or inhibit interagency gaps and or seams for our collective Cyber Defense . Mr. Rapuano . Senator, i would just note, when you look at the National Response framework that we used for noncyber but kinetic in the range of state actor or natural events, what you have seen, and particularly since katrina, is a maturation of a very similar process, Many Disparate roles, responsibilities and authorities and many different target stakeholders who may require assistance from local, state, all the way up. This system, the national Cyber Response framework, is based close closely on the National Response framework. We are in a more nascent stage when it comes to cyber in all aspects. I would say, if you look at the last several months in terms of very significant multiple hurricanes and what i think overall, in light of the consequences, was a very effective federal response, there has been a dramatic evolution in our ability to work as a whole of Government Team when it comes to complex problems with colliding authorities. I do have one more question. I get the gist of what you are suggesting. Let me just ask this, in terms of the overall picture here. 
We can either have defense here with in our country or defense to try to stop something in terms of a cyber attack before it actually gets here. That involves not only a cyber system which is universal, it involves talking about systems that are sometimes in our allies countries, sometimes in countries that are not necessarily or friends and when there are actually the bad guys located who are creating the attacks themselves. What are your views on the sovereignty as it relates to cybersecurity . Let me before you answer this, in afghanistan, regardless of what you think about the strategy, the longstanding undertone that justifies why we are still there is that fighting the enemy abroad prevents another major attack at home. In this context, its a defensive strategy played out via offensive maneuvering. As we evolve cyber and the Cyber Intelligence fields, if is inevitable that we will start to think of Cyber Defense in this offensivelyminded way, given this, i would like to hear your thoughts on the sovereignty and where we ought to be fighting this battle to stop the attacks before they get here. Senator, thats a very important question. As i think you are aware, the concepts of sovereignty are still molting, so some degree, in the sense that there are differing views with regard to what constitutes sovereignty in what type of scenario. It is, except for one thing. Mr. Chairman, if you wouldnt mind, here is the key part of this. These are actions going on now. Tallon 1. 0, 2. 0 and so forth are discussions in terms of what our adversaries are looking at. We have a gap in time period in which we have to make a decision about where we actually defend our country against the possibility of existing attacks today, tomorrow and next week. 
Now, unless weve now, unless weve got a current strategy with regard to how we regard sovereignty and where we will actually go to defend our Critical Infrastructure i guess thats what im asking, is do we have that on the books today . And are you prepared to say that we know where we would defend against those attacks . Yes, we do. The details of our current posture with those elements i think would need to be deferred to a closed door hearing. Its a home and away game. Weve got to go get them over there at the same time we need to be protecting our infrastructure here. I worked very closely with the electricity sector. During the hurricanes i was on the phone with the c. O. S of major utilities. We have to start here, network protection, close out the gaps, mitigate consequences. At the same time we have to take down the threat actor. Its a whole of government best athlete approach. Thank you. Thanks, mr. Chairman. Thank you very much for holding this critically important hearing and to the excellent witnesses that we have before us today. This week the New York Times published an article. Im going the submit it for the record, assuming theres no objection. It details north koreas Cyber Attacks that are estimated to provide the north korean government with as much as 1 billion a year. That figure is staggering. North koreas ransom ware attacks and Cyber Attacks on pa banks are producing a funding stream for that country which in turn fuels its nuclear program. And it is a Funding Source that must be stopped. At the time when the United States is leading efforts to sanction exports of coal, labor, textiles and other products in order to hinder north Koreas Nuclear ambitions, we also have to be focusing on additional Funding Sources and this cash flow ought to be priority number one. Tough rhetoric must be supported by tough action and practical measures that make clear to north korea that this kind of conduct will be answered. 
The question is what actions are being taken to combat their i Cyber Operations and address this cyber revenue . And i know that you may not be fully at liberty to discuss these steps in this forum, but id like you to do so to the extent you can, because north korea knows what its doing. Youre not going to reveal anything to north korea. The American People deserve to know what north korea is doing. This is a topic i think ought to be front and center for the administration and congress and for the people and i look forward to your responses. I would simply say, yes, senator, we do have plans and capabilities that are focused and directed on the north korean threat in general and on the specific activities that you have noted. I think that it would be most appropriate if were going into detail to do that in closed session. We continue to work with our foreign partners in information sharing whenever possible when were able to assist them in identifying these types of criminal activities. We provide them also Technical Assistance whenever asked or engaging with them in joint operations and whenever possible, we are always looking tooli link it back or coordinat some indictment or joint operation that would bring to light the people or the nation states that are conducting those activities. I can actually provide a little bit of detail on a particular unclassified activity. Working very closely with the fbi, weve designated one effort called hidden cobra. We have a hidden cobra page that speaks to a bot net command and control infrastructure that has certain indicators, hey look at this, go track this down. We share that information with them and were looking to take action against it. This is not just a whole of government approach. This is an International Problem with international solutions. Were moving out aggressively. 
I agree its an International Problem with international solutions, but we provide the main solution and we are in effect victims substantially if not primarily of the problem. And i understand that we have plans and capabilities. Im not fully satisfied with the idea that those forward oriented measures of action are sufficient. I think we need action here and now. The lazarus group, north korean linked cyber crime ring stole 81 million from the Bangladesh Central Bank account at the new york federal reserve. Which would have been 1 billion except for a spelling error on the part of north koreans. Theyve also been tied to the w wanna cry attack earlier this year and the sony attack in 2014. This week they are being linked to a 60 million theft from the taiwanese bank. Measured in millions given the way we measure amounts of money in this billion, which this week with our budget which is in the billions and trillions may seem small but it is substantial given the north korean economy and its size. Im hoping we can be more fully briefed on what is being done now to stem and stop this threat. Thank you. Thank you for your willingness to tackle these issues. I think your level of success will influence american democracy for many many years. Cyber defense coordination is very important. However, coordination doesnt do any good without the proper understanding of our capabilities across the government. Thats why i worked with senators to introduce Bipartisan Legislation requiring the d. O. D. To track Cyber Capabilities. So for each of you, how do you assess the capabilities of the individuals and the organizations under your charge . Because we see this lovely chart which very old, but you do have a number of organizations that youre responsible for. How do you go in and assess what that organization can actually do . And is it effective . Its great to say we have a cyber team, but how do you know theyre effective . Can you explain how you assess that . 
Well start with you, mr. Secretary. Thank you, senator. That is an excellent question. It does represent a significant challenge. Weve got a lot of disparate organizations. We have a number of initiatives starting with the budget initiative. When you start to see our budget formulations, its apples to apples instead of what it has been historically, which is each services or organizations conception of what constitutes training or the different elements of their budget and we have found we did a first run this year that was off the budget cycle just to get us in the road to progress, so to speak. And we found that we really have got to understand that theres common definitional issues. So were defining things the same way. The other area in terms of National Guard, we do track National Guard cyber capability development, training capabilities, how they fit into the Cyber Mission force. The one area we do have a little bit of a challenge with is understate statuunde under state status. We definitely recognize the critical importance of having that common ability across many different fronts to define those things. I appreciate that. Thats good to understand that now and get those worked out, those details and discrepancies. Mr. Smith, how about you . On our technical side, we tend to be on the job with that routinely. So most of the people are out there currently actively engaged in incidents, Incident Responses and following up on threat investigations. We submit a significant amount of effort in enhancing those, particularly at a much higher level on the Cyber Technical side. In addition to that weve taken steps to significantly elevate the entire work force in the Digital Domain. 
Weve created on the job training which allows noncyber personnel to be taken offline from investigating other matters to enhance that cyber capability so when they go after a couple of months theyre capable of bringing both their normal investigative methods along with the current digital modern investigative requirements. Longtermer term, talking about the work force of the future, were been collaborating on a local level with stem high schools and building a work force as opposed to trying to compete with everybody here and with the private industry, which can offer things and more benefits at times than were capable of. By building in fbi cyber stem programs and bringing local University Courses to High School Students at an earlier age and supplementing that with some Leadership Development in those high school ranks. So looking longterm, building a work force that will augment and maintain the necessity that we all require and were talking about here in this digital arena. Our internal cyber people are at a very high level. Thank you. Yes. I am running out of time. If you could submit that to us for the record, i would be appreciative. One thing we look at across the board is really assessing those organizations that fall under your purview and make sure were not duplicating agencies and operating as efficiently as possible. Thank you, mr. Chairman. Im glad that were having a discussion about the integrity of our elections and as being fundamental to our democracy. As i look at this chart, even if its dated, your responsibility is to protect Critical Infrastructure. You did say that election systems are Critical Infrastructure. And you have an Election Security task force. Do you consider dhs to be the lead agency on making sure that our election systems are not hacked . Maam, we do have unique statutory authorities to coordinate protection activities across the Critical Infrastructure, yes, maam. I do not physically protect those networks. 
I enable state and locals and also the private sector to have better practices. I understand that. But you would be the lead federal agency that would have this responsibility to work with the state and local entities to protect our election systems? From a Critical Infrastructure protection perspective, yes, maam, alongside the fbi as well as the Intelligence Community. Were just looking for were wrestling with the idea of whos responsible for what. Id just like to get down with regard to election systems, we should look to dhs. Thats all i want to know. I hope your task force is addressing the purchase of political ads by foreign countries. I hope thats one of the things your task force will address and whether theres a need for legislation to prevent those kind of purchases. I want to get to a question. Data protection is an important issue with industrial espionage being carried out by some of our competitors. The d. O. D. Requires contractors to provide adequate security. By december 31st, 2017, contractors must at a minimum implement security requirements to meet National Institute of standards and technology standards. My question is can you talk about the importance of having industry comply with this requirement and how you are working with industry to get the word out so that everyone is aware, especially i would say Small Businesses that you all work with. They need to know theyre supposed to be doing this. Yes, senator, our primary focus is with the Defense Industrial base where we have the highest frequency and most significant d. O. D. Programs. But we are engaged with all of those private sector elements that work with the department of defense. I work that closely with the chief Information Officer for the department. I can get you Additional Details on the processes for doing that. Yes. 
Id like to make sure as i mentioned, particularly Small Businesses who may not be aware of this requirement, that they are very aware and that they have enough time to comply, because december 2017 is right around the corner. Whatever you have, flyers, what have you use to get the word out. For mr. Krebs, you mentioned in your testimony how cyber actors have strategically targeted criminal enterprise sectors, specifically you identified two Malware Attacks called BlackEnergy and Havex specifically targeting Industrial Control Systems. It doesnt take a wild imagination to think how a sophisticated cyber attack to a power plants Industrial Control System could cause a massive disruption with grave consequences. What is being done by dhs to encourage the private sector to harden their defense of Industrial Control Systems. Thank you for your question. I do share your concern particularly with respect to those tool kits. I think id answer the question two ways. One, end point protection. We do work very closely with the electricity Sector Coordinating Council and those that again from a grid perspective. Then through our Industrial Control Systems cert, we do look at more Scaleable Solutions that i mentioned in my Opening Statement, not just the whack a mole approach but trying to understand what the individual control systems are, who manufactures them, because it does tend to be a smaller set of companies. We can go to the root of the systemic problem, as i mentioned, address that at the manufacturer or coder level and from there break out and hit those end points. We do work at the end point but also kind of the root problem. You perform outreach activities to make sure that for example the Utilities Sector is adequately among other mechanisms, yes, maam. Thank you. One quick question. This is really from my perspective as the personnel subCommittee Chair. What trends either positive or negative are we seeing is that the correct pronunciation? Yes. 
You mentioned i think earlier when i was here about the National Guard plan at the state level. Can you give me any idea of either positive or concerning trends about the resources were getting into the various agencies to really flesh out our expertise to attract and retain them and to grow them? I think its been a common experience for my colleagues at the table here that getting the best challenge is a very specific challenge in the cyber realm for all the obvious reasons. What would you list as the two or three? Theres a very high demand signal throughout the entire economy. The compensation that individuals can get on the outside of government is significantly greater. We are trying to address that in terms of our Work Force Management process and we have some additional authorities that were applying to that as i believe other agencies have as well. Again, its a demand versus supply question. Weve had this discussed before. Id be very interested in feedback that you can give us on things that we should look at as possible subject matter for future hearings for retention. I worked in the private sector and i had a cyber sub practice, ethical hack testing practice back in the private sector. What youre up against is not only a higher baseline for salaries, but youre also up against what the industry would call hot skills. These are very, very important skills. Just when you think youve got up or got within the range on the baseline comp, the first that i worked with says okay now weve got to come in with a signing bonus and some sort of retention measures that make it impossible in a Governmental Institution to stay up with. Getting feedback on that will be helpful. I do want to just associate myself with comments and questions made by senators about open Source Software and some of the policy discussions were having here. Ill go back to the record to see how you all responded to their questions but i share their concern. 
I want to get more of an idea of the scope and scale of the nonclassified software. What are we looking at at nonclassified software as a percentage of our base? Is it safe to assume that its in the thousands in terms of software platforms, tools, the whole portfolio? Thats a question that i have into our system, into our cios office and i can get that information back to you as soon as i get it. I would have to get back with you with more specifics. I think it would be helpful because im sure we have application portfolios out there that were following best practices. Somebody out there in the ops world knows. Im going to yield back the rest of my time. I just want to make you feel better about your title. I enjoyed that interplay. 40 years ago i worked here as a staff member and i was seeking a witness from office of management and budget from the administration. They said hes the deputy secretary under of such and such. I said i dont know what that title means. The response was, hes at the highest level where they still know anything. And i now realized by the way that im above that level but i appreciate having you here. I think you fellows understated one important point and i dont understand why the representative from the white house isnt here because i think he has a reasonable story to tell. On may 11th the president issued a pretty comprehensive executive order on this subject that is not the be all end all on the subject but certainly is an important beginning in terms of now, heres my question, though. In that executive order there were a number of report back requirements that triggered mostly in august. My question is, have those report backs been done? Senator, they are starting to come in. As you note, there are a number that are still due out. Some were 180 days, some were 90 days. Im wondering if those in august have come back. Some have been submitted according to the original timeline. Others have been extended. 
But absolutely those are the essential elements of information necessary to fully develop and update the strategy to the evolving threats and build that doctrine and requirements and plans. You used the keyword of doctrine. I want to talk about that in a moment. By that same token Congress Passed a Provision Requiring a report from the secretary of defense to the president within 180 days and from the president to the congress within 180 days. That report would have been due in june from the secretary of defense involving what are the military and nonmilitary options available for deterring and responding to imminent threats in cyberspace. Do you know if that report has been completed? It was our original desire to couple the two. Based on the delay of the presidents e. O. , we decoupled that because we recognize your impatience. You may have picked up some impatience this morning. Yes, sir. Do we have it? We will be submitting it to you shortly and ill get a specific date. Shortly doesnt make me feel much better. Is that geologic time? Calendar time. Please let us know. You mentioned the word doctrine. I think thats one of the key issues here. If all we do is try to patch networks and defend ourselves, well ultimately lose. There has to be and mr. Smith, you used the term imposed consequences. And right now were not imposing much in the way of consequences. For the Election Hacking which is one of the most egregious attacks on the United States in recent years there were sanctions passed by congress, but it was six or eight months later and its unclear how severe they will be. We need a doctrine where our adversaries know, if they do x, y will happen to them. Just being on the defensive isnt going to work in the end. If youre in a boxing match and youre the best bobber and weaver in the world, if youre not allowed to punch, youre going to lose. 
Both the will and ability to respond to provocations in general and cyber in specific is critical to effective deterrents. I think the challenge that we have that is somewhat unique in cyber is defining a threshold that then does not invite adversaries to inch up close. Part of the problem also is we tend to want to keep secret what we can do when in reality a secret deterrent is not a deterrent. The other side has to know whats liable to happen to them. I hope youll bear that in mind. I think this is a critically important area. We have to have a deterrent capability. Otherwise, we know this is coming and so far there havent been much in the way of price paid, whether it was sony or Anthem Blue Cross or the government Personnel Office or our elections. There have to be consequences. Otherwise everybodys going to come after us, not just russia. This is warfare on the cheap and we have to be able not only to defend ourselves but defend ourselves through a deterrent policy. I hope in the councils of the administration, that will be an emphasis on your response. Yes, i agree senator. That is the point of the e. O. Is to understand them in the wider context of our capabilities, different authorities and to start being more definitive about what the deterrents are and how we can best use them. I keep hearing the words but i dont see something specific in place. Struggled with this for years now. Imagine tomorrow we had a foreign nation state cyber attack on our Banking Sector or next month on our utility or Transmission Infrastructure or next year on our elections. And i would suggest that any of those would cross a threshold. What is our doctrine for how, when and with what level of proportionality were going to respond? Our deterrent options are expansive beyond cyber per se. Cyber is one of a large number of tools which include diplomatic, economic, trade, military options, kinetic and cyber. Looking at that broad space i agree whole heartedly. 
You shouldnt limit yourself to responding in kind with the same toolbox. But do we have a doctrine? If we dont, one of the things that worked through the entire cold war because we knew what the doctrine for the other side was and they knew what our doctrine was. That kept us from engaging in conflicts that neither side wanted to engage in. Do we have an overall structure for how were going to respond? We do not have sufficient depth and breadth of the doctrine as weve been discussing. That really is one of the primary drivers of the executive order, is to have the essential elements to best inform that doctrine. The chairmans been asking for, you know, an overall plan for i dont know how long. I think thats what were all going to be waiting for. I spend a good part of yesterday looking at russian created, russian paid for facebook ads that ran in my state and in places across this country and were clearly designed to divide this country as well as to have an impact on our elections. What is the administration doing to make sure that in 2018 were not going to see the same thing all over again? Dont all speak at once. Sir, yeah. Let me start with the election infrastructure sub sector that we have established. So from a pure cyber attack perspective we are working with state and local officials to up their level of defense. But specific to the ad buys and social media use, it is still an emerging issue that were assessing. I can defer to the fbi on their efforts. Its not emerging. It emerged. Weve been trying to get our hands around this for close to a year now and we still dont seem to have a plan. That worries me enormously. We have special elections in place. We have gubernatorial elections in place. And we are continuing to see this kind of activity and we need to get a handle on it. Let me go back to your issue of election infrastructure. 
As a number of people have mentioned it has been widely reported there was cyber intrusion into state level voting infrastructure. And its my understanding that dhs before you got there was aware of those threats well before last years election, but only informed the states in recent months as to the nature of the intrusions in those specific states. Why did it take so long to engage with the subject Matter Experts at the state level? And is there a process now in place so that we can get those security clearances that you mentioned in a timely way so that that conversation can head off similar activity next year. I understand that over the course of the last year or so officials in each state that was implicated was notified at some level. As we continue to study the issue and got a fuller understanding of how each state has perhaps a different arrangement for elections. As we continue to get our arms around the problems, we got a better sense of here are the full range of notification. When i wouldnt characterize it necessarily as we just let them know then. We let the responsible officials know and we gave them additional context around what may have happened. Im working on legislation and have been working with the people secretary of state from my state who is obviously involved in the National Association of secretaries of state. Its not rocket science. It is basically building a spreadsheet of who and at what level. And when we see things happen in a given Geographic Area you pull out the book and figure out who you need to be talking to. We need to make sure that is in place. Yes, sir. We are actively working that right now. Thank you. To reiterate some of the things said previously, but the empty chair is outrageous. We had a Foreign Government go at the heart of our democracy, a Foreign Government that wants to break the back of every democracy in the world. 
And a very smart senator i heard say in this hearing room who cares who they were going after this time, it will be somebody else next time. Im disgusted there isnt a representative here that can address this. Could i ask interrupt the senator and just say that we need to have a meeting of the committee and decide on this issue? I believe you could interpret this as a misinterpretation of the privileges of the president to have counsel. Hes in charge of one of the major issues of our time and now hes not going to be able to show up because hes quote a counselor to the president. Thats not what our role is. Thats never i mean, i think in any other situation lets take out this president, take out russia. This circumstance would not be allowed to stand by the United States senate typically. I agree. You would know more about that than i would. In these times when theres an issue every day that is roiling this country, we have a tendency to look past this level. This should not count against senators time, but we are discussing it and well have a full Committee Discussion on it. I thank the senator. Thats great. Im also worried that we have no nominee for your position. If the white house reviews this testimony, i hope they will understand that your job is really important. Im not taking sides as to whether or not youre doing a good job or a bad job. But we dont need the word acting in this responsibility of government. Unfortunately the chairman of the committee im ranking on, Homeland Security, has chosen not to have a hearing, believe it or not, on the election interference. This is my shot. Im hoping the chairman will be a little gentle with me. Why in the world did it take so long to notify the states where there had been attempt to enter their systems, their voter files? Again, maam, as i mentioned earlier at some point over the course of the last year, not just september 22nd, an appropriate official, someone was notified. 
But shouldnt all of the secretaries of states been notified? Isnt that just like a duh? Maam, i would agree. I share your concern. I think over the course of the last several months weve had a trueing up and we have opened a sort of governance structure per each state. Whats the explanation for a state being told one day that it had been and the next day it hadnt been? I think the way id explain that is there was additional context provided to the additional states. In one case perhaps the election System Network may not have been scanned, targeted, whatever it was. It may have been another state system. I would analogize that to the bad guy walks down the street checking your neighbors door to see if they had a door to get into your house. Its not always that theyre knocking on the network. Doesnt change the fact that the secretaries of state should have immediately been notified in every state whether they had been knocking on a neighbors door or their own door. We have good news as we have a disparate system in our country, so its hard to find one entry point. Bad news is if we dont have clear information going out to these secretaries of state, then they have no shot of keeping up with the bad guys. Thats right. Going forward we have that plan in place. We have governance structures. We have notifications. We have security clearance processes ongoing for a number of officials. They dont want to take advantage of what youre offering which is terrific that youll come in and check their systems, no mandate, no hook, no expense. I talked to the secretary of state in missouri. He was saying theyre not even talking to us. This was before september, but i do think somebodys got to take on the responsibility of one on one communication with 50 people in the country plus i dont know who does voting in the territories as to what is happening, what youre doing, what theyre doing. Im not really enamored of the idea of moving all of this to d. O. D. 
I think what you guys do with the civilian work force, i think there would be some reluctance if it was directed by d. O. D. But the point the chairman makes is a valid one. If you all dont begin a more seamless operation, we have no shot against this enemy, none. It worries me that this has been mishandled so much in terms of the communication between the states that are responsible for the validity of our elections. Let me take to you briefly about kaspersky. How are you going to make sure its out of all of our systems? A little over a month ago we did issue a federal directive. They get another 90 days to be able to get stuff pause youre giving them a long time. Yes. That is a 90day process to identify, develop plans to remove. And then 30 days to execute. Do you think if this happened in russia if they found a system of ours that was looking at all of their stuff, do you think theyd tell their agencies of government they have 90 days to remove it? Seriously? The point im trying to make is why dont you say youve got to do it immediately? Maam, there are you cant just rip out a system. There are certain vulnerabilities that can be introduced by just turning a critical antivirus product off. What we need to do is have a process in place that you can replace with something effective. In the meantime, were able to put capabilities around anything that we do identify to monitor for any sort of traffic. Is the private sector fully aware and are our Government Contractors fully aware of the dangers of the kaspersky systems. We are sharing risk information. Yeah. Is that a little bit like sharing with all the appropriate people at the time but not the secretaries of state? I think there needs to be a really big red siren here. What about our Government Contractors? Is it binding on our Government Contractors? It is not. Shouldnt it be? Let me follow up on that. It would make sense. Since we have more contractors on the ground in afghanistan than we have troops. 
That would be a department of defense. My authority only extends to federal civilian agencies. Have you guys told the contractors to get kaspersky out. We have instructed the removal from all of the d. O. D systems. Ill follow up on the contractors. Thank you, mr. Chairman. Your agency, mr. Krebs, declared that russianlinked hackers targeted 21 states in their elections. Why did it take a year to notify? We notified an official in each state that was targeted. In the meantime we are offered a series of Cyber Services to every state in the union and every commonwealth. Not only did we notify the states, granted there was a broader notification that we subsequently made but we did make capabilities available to all 50 states. Are all 50 states using the capabilities that you offered? I dont have the specific numbers of the states that are using ours, but we have seen a fairly healthy response. I would like a report on whether all states are using the recommended technology that you offer to them. I think we need to have that kind of transparency given what senator mccain started this hearing with. If the states are not doing their jobs well, we need to provide the oversight necessary to make sure they do their jobs well. Do you believe that making these election Cyber Security consultations optimal is sufficient? Making them optional. Excuse me, optional. Fundamentally there are some constitutional issues at play here. I understand there is a nine month wait for a risk and Vulnerability Assessment. Is that accurate? We offer a suite of services from remote scanning capabilities, cyber hygiene scans all the way up to a full blown Vulnerability Assessment which can just to execute that assessment can actually take a number of weeks if not months to conduct that assessment invest. We are in the process of looking into whether that ninemonth backlog exists. 
I guess what im trying to get at is, are we ready for the next election and do you believe we are cyber secure for the next election? I think theres a lot of work that remains to be done. As a country we need to continue ensuring that we are doing the basics right. Even at the state and local levels theres still a lot of basic hygiene activities that need to be done. I would like a full accounting of what has been done, what is left to be done and what are your recommendations to secure our electoral system by the next election. Id like it to address the entire committee. We need to know whats out there, whats left. Senator graham and a bill to have a 9 11 Style Commission to do the deep dive youre doing on the ten things we must do before the next election. And then have the authority to come back to us so we can actually implement it. Doing it on an ad hoc basis is not sufficient. Im worried that we are not going to hold these states accountable when they havent done the required work. We at least need to know what have you exceeded in doing, what are the impediments. Is it delays? Is it lack of enough expertise? Is it a lack of personnel, a lack of resources? I need to know because i need to fix this problem. We are making significant progress. We have a working relationship, a Strong Partnership with the state and local Election Officials and we are moving forward towards the next elections. In your confirmation hearing you said that the russian interference in our election is a credible and growing threat. Given the likelihood of continued cyber interference in american elections, what are the immediate steps you know that you are not necessarily doing all the training necessary or spending the resources to do the National Guard training consistent with other active duty personnel? Senator, we stand at the ready in terms of the process that dhs has put into place to support all the states with regard to the election system vulnerabilities. 
To state we have not been tasked directly to support that effort. Can i have your commitment that in the next budget you will include the full amount needed for the training of these cyber specialists within the National Guard? What i need to do is check on the status of our current funding for that effort and ill get back to you in terms of any deltas. Thank you, mr. Chairman. So i want to follow up if i can on these questions about the attacks on our voting systems. We know that 21 states faced attacks by russian actors during the runup to the 2016 election. I dont see any reason to believe they wont try again. Mr. Krebs, your predecessor at Homeland Security recently urged congress to have a strong sense of urgency about russian tampering in the upcoming elections. Id just like to follow up on the question and what i think i heard you say. Are you confident that our nation is prepared to fully prevent another round of cyber intrusions into our election systems in 2018 or 2020? What i would say is that we have structures in place. This is not an overnight event. We are not going to flip a switch and suddenly be 100 secure. So we are not there now. We are working towards the goal of securing our infrastructure. Were not there now. I believe theres work to be done, yes, maam. So were not there now. Can i ask on maybe some of the specifics. Have you done a state by state threat assessment of the cyber environment leading up to the next election. Are you speaking of specific to the election infrastructure or statewide? Election. I would have to you dont know whether or not theres been a state by state threat assessment? We are working with every single state. My question is specific. A threat assessment for each state on their infrastructure. I would have to get back to you on that. Are there minimum standards in place for the elections? We do work to look at security standards. I understand you work on it. 
My question is are there minimum standards in place? There are recommended standards, yes, maam. In place. Are there established best practices. I believe there are best practices. Any plans for substantial support for states to upgrade their Cyber Defenses? If youre talking about investments i am. That is a different question that i think we need to have a conversation between the executive branch and congress was that a no? At this point, i do not personally have the funds to assist so thats a no. That is a resourcing to the states. There are Grant Programs so you not only dont have the money to do it. Do you have any plans for substantial support for states to upgrade their Cyber Defenses? Do you have plans in place? Were exploring our options yes the answer is no? Okay. Look, i understand that states have the responsibility for their own elections and also that states run our federal elections, but i dont think anybody in this room thinks that the commonwealth of massachusetts or the city of omaha, nebraska, should be left by themselves to defend against a sophisticated cyber adversary like russia. If the russians were poisoning water or setting off bombs in any state or town in america, we would put our full National Power into protecting ourselves and fighting back. The russians have attacked our democracy and i think we need to step up our response and i think we need to do it fast. Thank you, mr. Chairman and thank you to our witnesses for your testimony today. I think i would concur with all of my colleagues up here that the number one threat we face as a country is the cyber threat. Its one we have to be laser focused on. And i concur with those troubled by the fact that we dont have a comprehensive strategy, we dont have a plan to deal with this in a comprehensive way. We know the risk is not just military or elections but significant attacks against our Economic Security. 
We have just been hit with an absolutely incredible hack with equifax that basically has take some actor out there has taken the most private information necessary to open up accounts and take somebodys identity. Youre talking about over 100 Million People in this country. I cant think of a worse type of cyber attack. Mr. Smith, do you think that we will be able to determine who was responsible for that hack? Yes. When will we be able to do that? I wouldnt want to put a specific time frame on it. Generally. Generally within maybe six or eight months. Thats on the far side. Hopefully within less than that time. Do you believe well be able to identify who was responsible? And second, do we have the tools to effectively punish those individuals or whoever that entity may be? Two separate issues. First, to get it to a certain destination is easier than the second question, which is imposing significant consequences on an individual or on a specific if it becomes nation state or associate like that. Recently with the yahoo compromise where we are seeing a blended threat targeting our businesses and our country where you have criminal hackers working at the direction of russian intelligence officers. So thats where i become a little more vague as to my answer on specific would we be able to impose consequences. Which is a significant problem that you cant answer that, that we dont have a plan, we dont have a deterrence plan that says if you do this, these will be the consequences for you and they will be significant. You mentioned the line. We dont actually want to put a line somewhere because everybody will work up to that line. The problem is we have zero lines right now. Its like the wild west out there. Would you concur that if a state actor was behind an equifax breach, would that be over any kind of line you could see? 
I think the process we have in play right now in terms of all the reports being submitted in response to the executive order, looking at how we protect Critical Infrastructure, modernizing i. T. , what are our capabilities, what are our vulnerabilities, what are the implications of adversaries that are exploiting those abilities. How to best establish what those deterrence thresholds are. We are on the path to developing that. Well, having said that i think its a straightforward question. Somebody who hacks in and steals information from over 100 million americans and something that compromises their potential identify for the rest of their lives, i hope the directive would say thats well over any kind of line. It certainly warrants a consequence, absolutely. There would be more details in looking into that and determining who the actor is, whats our quality and competence in determining attribution. You answered some questions related to kaspersky and taking out some of those machines of the United States federal government because of the inherent risk. If the risk is there for the u. S. Government, isnt it risky for the average citizen to have this software on their computers when we have millions of americans with access to this software and potentially access on their computer. Isnt that a Security Threat we should alert the public to. Risk of course is relative. We were not willing to have these products installed across our networks. Thats a pretty strong signal of what our risk was and we have shared information on that decision. You say thats an indication of the seriousness of the problem. Should the average citizen also take this software off their system? I think the average needs to make their own risk informed decision. We are instructing agencies to remove it at the present. Thank you very much. Is Cyber Command prepared to engage and defeat an attack on Critical Infrastructure in the United States? 
I know there's an issue here of what's the trigger, but are they prepared to do that right now. Right now. Cyber Command is developing a suite of capabilities against a variety of targets that are, yes, it is inclusive of responding to attack on U.S. critical infrastructure. And to the question, Senator Peters raised it is, what is the trigger and you suggest that act of war, we're still on sort of the definitional phase of trying to figure out what would prompt this. We have the capability, but the question is, under what circumstance do we use it. Is that fair? That is fair, absolutely. Thank you. I want to thank the witnesses for the hard work you're doing and your candor and helping this committee understand many of the challenges, and I must say, I appreciate your great work on behalf of the country. But I can back four years ago, I can back two years ago, one year ago, I get the same answers. We put into the Defense Authorization bill a requirement that there be a strategy followed by a follows followed by action. We have now four months late a report that's due before the committee. We have our responsibilities and we're going to carry them out. We have authorities that I don't particularly want to use. But unless we're allowed to carry out our responsibilities to our voters who sent us here, then we're going to have to demand a better cooperation and a better teamwork than we're getting now. And again, I appreciate very much the incredible service that you three have provided to the country, and I'm certainly not blaming you for not being able to articulate to us a strategy which is not your responsibility. The implementation of actions dictated by the strategy obviously is yours. So when we see the person in charge at an empty seat here today, then we are going to have to react. The committee is going to have to get together and decide whether we're going to sit by and watch the person in charge not appear before this committee. That's not constitutional.
We're coequal branches of government. So I want to make sure that you understand that every member of this committee appreciates your hard, dedicated, patriotic work. And what you're dealing with and doing the best that you can with the hand you're dealt. And this hearing has been very helpful to us in assembling that, not assembling but being informed as to one of the major threats to America's security. And I thank you for that. I thank you for your honest and patriotic work. But we are going to get to this because of the risk to our very fundamentals of democracy, among which are free and fair elections. So is there anything that the senator from Maine would like to editorialize? He usually likes to editorialize on my remarks so my mind is racing, but I think prudence dictates no response, Mr. Chairman. I thank the witnesses for your cooperation. I thank you for your service to the country. This hearing is adjourned. And that finishes up this Senate Armed Services Committee hearing looking at cyber security issues. If you missed any of the event, it will be available to view shortly online at cspan.org. By the way, we spoke with committee chair Senator McCain recently looking at his service in the Senate. You can see that interview Sunday at 6:00 p.m. Eastern on our companion network C-SPAN and we'll follow that with his appearance earlier this week at the National Constitution Center in Philadelphia. That will also be Sunday at 6:30 Eastern on C-SPAN. Join us later today for remarks from former President Barack Obama. He's on the campaign trail for the first time since leaving office. He'll be stumping for Virginia's Democratic Lieutenant Governor Ralph Northam running for governor against Republican Ed Gillespie. Live coverage of p.m. on C-SPAN and cspan.org or listen with the free C-SPAN radio app. Coming up later tonight, Paul Ryan delivering remarks at the Al Smith Dinner New York City. Live coverage starts at 8:40 p.m. Eastern on C-SPAN online at cspan.org and again, you can listen with the free C-SPAN radio app. Live look at the U.S. Capitol here in Washington, D.C. It's been a very busy day for the U.S. Senate. Lawmakers continuing work on the 2018 Republican budget resolution. That measure would clear the way for tax reform efforts also. Several amendments being considered and votes on those amendments just getting under way. Expect to have happen throughout the day. A vote on final passage on the resolution expected by the end of the week. Watch as those votes come in on our companion network C-SPAN2 and that will happen again throughout the day. We expect a late night in the Senate. Sunday night on After Words over 90 of sexual harassment cases end up in settlements. And what does that mean? That means that the woman pretty much never works in her chosen career ever again and she can never talk about it. She's gagged. How else do we solve sexual harassment suits? We put in arbitration clauses in employment contracts which make it a secret proceeding. So again, nobody ever finds out about it if you file a complaint. You can never talk about it ever. Nobody ever knows what happened to you and in most cases you're also terminated from the company and the predator in many cases is left to still work in the same position in which he was harassing you. So this is the way our society has decided to resolve sexual harassment cases, to gag women so that we can fool everyone else out there that we've come so far in 2017. Former Fox News host Gretchen Carlson talks about sexual harassment in her new book Be Fierce, Stop Harassment and Take Your Power Back. She's interviewed by Washington Post columnist Sally Quinn. Watch After Words Sunday night at 9:00 Eastern on C-SPAN2's Book TV. Well, State Department officials testified at a Senate Banking, Housing and Urban Affairs Committee last month on the effectiveness of sanctions against North Korea in response to its pursuit of nuclear weapons.
They answered questions about what legal authorities the sanctions were tendered under and in what ways those could be strengthened. This is about an hour 20 minutes. Good morning. This hearing will come to order. Today we're going to proceed a