Burke Edwin Wilson, the deputy assistant defense secretary of defense for cyber policy, testifies along with other government officials at a joint hearing of the House Armed Services Committee’s intelligence and emerging threats and capabilities subcommittee and its oversight and reform subcommittee, Sept. 10, 2019. The hearing is about securing the U.S. internet architecture.
Transcript
Subcommittee will come to order. So, good afternoon everyone. I’m pleased to welcome everyone here today to the joint hearing with the Committee on Oversight and Reform Subcommittee on National Security about the security of the nation’s internet architecture. I’m particularly thankful to my good friend, Congressman Lynch from Massachusetts, my neighbor in New England, and his staff for working so diligently in making today possible, along with the ranking members of both subcommittees. Today, we are here to conduct what I believe is much needed oversight regarding the security of the internet’s underlying architecture, namely the components, physical sites, and the assets that are necessary for the internet to operate. Defending the United States assets in this global telecommunications network requires a whole-of-government approach, and I’m concerned that the government is not approaching the subject in a cohesive or a comprehensive manner, creating significant risk for the nation. Both the Oversight Subcommittee and the Armed Services Subcommittees are seeking a better understanding of the policies, regulations, and guidelines and interagency agreements that govern the protection of this critical infrastructure. To the extent that there are gaps, we are also interested in learning whether legislative solutions may be needed. Most people think of the internet as the sites they visit, the applications they use, and the emails they send. In other words, the people’s understanding of what the internet is, is very much tied to how they engage with it. However, this leaves out an entire architecture that enables the flow of information around the world and into people’s palms. This architecture includes the high capacity cables buried under the ground and laid below the sea. The cable landing stations that connect the cables from continent to continent, and the internet exchange points, or IXPs that serve as a clearinghouse for data between internet service providers and content delivery networks. These are all examples of physical sites and tangible items that are required the internet to operate effectively. While these physical sites are critical components of the cyber landscape, they are generally viewed as distinct from the network protocols and software that are more familiar to people’s understanding of the internet. However, they are just as important to internet operations. After all, unplugging a network cable is just as effective as a denial of service attack, maybe even more so. From the government’s perspective tackling the subject of internet architecture security is difficult due to the departments and agencies overlapping jurisdictions, responsibilities, and capabilities. And I’m concerned that the Executive Branch has fragmented internet architecture security among multiple departments as opposed to conceptualizing the internet as a single ecosystem with departments working collaboratively. For example, the Department of Homeland Security serves as the government lead for all critical infrastructure and the sector-specific agency for the telecommunications sector. Meanwhile, the Department of Commerce’s National Telecommunications and Information Administration, or NTIA, is principally responsible for advising the President on telecommunications and information policy issues, and develops national policies on internet use and cybersecurity. Separately the Department of Defense is broadly responsible for defense of the nation. Independent regulatory agencies like the Federal Communications Commission also have important responsibilities for ensuring security. To top it all off, many of these exchange points are connected to international providers. So I have no doubt that these agencies work together broadly however I’m very worried that by carving out discrete lanes in the road there are seams left unaddressed in the middle and I’m concerned that internet architecture security is one of those seam issues. Holistic internet architecture security has been generally neglected I believe with organizations remaining firmly in their lanes rather than approaching the problem collectively. So for example, the Department of Homeland Security serves as the government lead for, yeah, okay. So, in any event, separately the Department of Defense, DOD, is broadly responsible for defense of the nation. I think they—
Yeah. (muffled speaking)
Okay. Our nation’s newest cybersecurity organization, the Cybersecurity Infrastructure Security Agency has recognized the inherent challenges in using a critical infrastructure sector framework, particularly with respect to interdependencies between sectors. The National Risk Management Center’s National Critical Function Set explicitly recognizes internet architecture functions such as operate core network and provide internet routing, access and connection services. I’m hopeful that this new framing will help stimulate more cross-agency and cross-sector discussion, interaction, and policy development. So the purpose of today’s hearing is to better understand how the interagency is approaching internet architecture security, including with respect to engagement with the private sector. In particular, I’ll be interested in hearing from the witnesses how their agencies deal with the fact that internet architecture security is not purely a cyber problem and is not purely a physical problem. In order to effectively reduce our risk, DOD, DOD will have to engage actively and eagerly non-security-centric agencies such as NTIA and regulatory bodies such as the Federal Communications Commission and vice versa. Country cyber experts will have to sit down the specialists in physical security and electrical distribution professionals because at the end of the day it won’t matter if these sites and systems are taken offline by cyber attack, sabotage, or natural disaster. There is not greater sign of how cross-cutting this issue is than the fact that the IETC subcommittee is joined today by the Oversight Committee’s National Security Subcommittee. And even within the House of Representatives, of course, we’re inclined to handle things within caucuses or within committees, but in recognition of the problem’s scale we are here today tackling this issue together because that’s exactly what it will take at the end of the day. So with that, and before turning to Ranking Member Stefanik and then to Chairman Lynch and Ranking Member Hice, let me take a minute just to introduce today’s witnesses. Ms. Jeanette Manfra serves as the inaugural Assistant Director of Cybersecurity with the Department of Homeland Security’s Cybersecurity Infrastructure Security Agency. Ms. Manfra served as Assistant Secretary for the Office of Cybersecurity Communications at CISA’s predecessor organization, the National Protection and Programs Directorate before assuming her current role. Ms. Manfra has held numerous other roles within DHS and she has also served on the National Security Council staff. Before joining DHS, Ms. Manfra served in the US Army as a communications specialist and as a military intelligence officer. I’ve known Jeanette now for several years and I have great confidence in her and Director Krebs’ leadership at CISA. Joining us also today we have Deputy Assistant Secretary of Defense for Cyber Policy, Mr. Ed Wilson. In his capacity the Director of, the Secretary, yeah. In his capacity he supports the Secretary of Defense and other senior leaders by formulating, recommending, integrating, and implementing policies and strategies to improve DOD’s ability to operate in cyberspace. Prior to this duty General Wilson retired from the United States Air Force after serving on active duty for over 32 years to include the triple-hatted role of Commander 24th Air Force, Commander Air Force Cyber and Commander Joint Force Headquarters Cyber. Welcome, and General, thanks for your service. And finally, Ms. Diane Rinaldo is the acting Assistant Secretary for Communications and Information for the Department of Commerce and the administrator of the National Telecommunications and Information Administration. Ms. Rinaldo also serves as the Deputy Assistant Secretary for Communications and Information. I have closely tracked several of NTIA’s cybersecurity initiatives including on cybersecurity vulnerabilities disclosure and software component transparency, and I appreciate her continued support, and that of her agency for multistakeholder processes to improve internet security. I’ll also note that Ms. Rinaldo is a proud veteran of the House Permanent Select Committee on Intelligence where she and I worked before where she served as the lead committee staffer on our information sharing legislation the Cybersecurity Act of 2015. So I welcome all of our witnesses today, and with that I want to turn to Ranking Member Stefanik for any comments that she may have.
Thank you Jim. I want to start by thanking both Chairman Langevin and Chairman Lynch for holding such an important and cross-cutting hearing. I’m also pleased to be here with my fellow ranking member, Mr. Hice. We are fortunate that we are joined by such an excellent interagency panel of government witnesses to guide us today. Ms. Manfra, it is great to see you again before this committee. When last we spoke it was regarding election security and I am pleased that today’s hearing will span many of the other important missions of your organization, the CISA. Ms. Rinaldo, given the important role that NTIA plays we are fortunate to have you here as well. And since as the chairman mentioned you are a former professional staff member from HPSCI, we can say welcome back to the House. And Mr. Wilson, it is always great to see you back before the subcommittee, we look forward to hearing how the Department of Defense supports these agencies and our broader national security objectives. As we look to further improve the security of our nation’s internet architecture we should remind ourselves of the urgency of this task. First, the physical enormity of the topic and related challenges are worth mentioning. The world’s internet architecture and by extension our domestic infrastructure is highly integrated with varying levels of resiliency and redundancy. In some cases there are international norms, although laws and policies often vary by country and by sector. There are many points of failure in this physical internet and it remains so contested and complex that even risk managers lack full awareness on how to identify and mitigate threats or weaknesses. Second, our own intelligence community provides sobering assessments on adversarial use and exploitation of the internet. The DNI in the most recent Worldwide Threat Assessment has noted that quote, our adversaries and strategic competitors will increasingly use cyber capabilities, including cyber espionage, attack, and influence, to seek political, economic, and military advantage over the United States and its allies and partners, end quote. And the physical internet architecture we will talk about today is the highway upon which these adversaries travel. So what is crystal clear going in today’s hearing is that our adversaries understand our vulnerabilities and will not hesitate to exploit these weaknesses to further their strategic and economic objectives. We are no longer peerless and security is not assured. In fact, we see these same adversaries, most notably China and Russia, adapting to and learning from our own weaknesses by building what amounts to their own state-controlled internet architecture to monitor, control, and influence their own populations. These very same controls will make it harder for us to preserve and protect geopolitical offensive and strategic options for our nation and our economy. As I have said many times before cyber threats from state and non-state adversaries are real, pervasive, and growing. They leverage and integrate cyber information and communications technologies for geopolitical and economic gain in a seamless way. Yet while these adversaries continue to use the internet as a means to achieve strategic objectives I remain concerned that we as a nation do not yet have a holistic strategy in place to mitigate, deter, or oppose their advances. This is particularly true regarding the security of our physical internet architecture, the topic for today’s timely hearing. Although not the lead agency on this topic I am pleased that the Department of Defense is represented at the table today since they play such an important role in this area. Not the least of which may be providing expertise to other agencies during sensitive national emergencies. We all know that DOD research played a central role in the development of today’s internet through the creation of ARPANET. And today the Defense Advanced Research Projects Agency, or DARPA, continues to advance our national security through projects related to the resiliency of our nation’s internet architecture and various other sectors such as the electrical grid through their Information Innovation Office. In the oversight we have conducted on the Armed Services Committee, I feel confident saying that we have improved our military cyberspace and information warfare capabilities and also improved our resilience in many areas. And while a great deal of broader interagency cooperation and coordination has taken place over the past few years, much work remains to secure our nation’s internet architecture and related sectors to ensure we remain fast, agile and resilient, even during times of crisis. And although today’s panel is comprised of government experts we should not forget about the important role that the private sector and defense innovation and industrial bases play so that we develop a truly whole-of-nation strategy to understand and mitigate these vulnerabilities. Only then will our nation be prepared for the 21st century challenges we face. Our witnesses again are very well qualified to help us navigate these multidimensional problems, and I thank them for being here today. Thank you again to the Chairman and with that I yield back.
I want to thank the Ranking Member and now I’d like to recognize and turn to my partner, my colleague, the Chairman of the Government Oversight and Reforms Subcommittee on National Security, Mr. Lynch.
Thank you very much Mr. Chairman. Good afternoon to our distinguished panel of witnesses, thank you for your willingness to help the subcommittees with our work. Before I begin I would like to first personally thank my good friend Chairman Jim Langevin and his staff as well as Ranking Member Stefanik and Hice and their staff for their cooperation and willingness to collaborate with us on this very important hearing. Mr. Langevin in particular has been a strong and long-time advocate for improving the infrastructure of our country in this measure and ensuring that necessary cybersecurity safeguards are in place to protect the United States against the multitude of threats that we face each and every day. He’s made this issue a priority, and it’s one that I share as Chairman of the House Oversight Subcommittee on National Security. Today’s hearing will examine how federal departments and agencies work together to protect the critical architecture upon which US internet and telecommunications systems depend. By working together on the issue we hope that our subcommittees will better understand and be better positioned to identify and fill gaps and vulnerabilities across the various federal agencies and private sector for the purpose of protecting our nation’s internet infrastructure. Uninterrupted and secure access to the internet is critical to daily life in the 21st century. Our constituents rely on the internet to search for jobs, access bank accounts, read the news, and communicate with family. Companies in every industry from Midwest manufacturers to the financial sector in New York need the internet to participate in the national and international economy. The US military requires reliable and secure access to the internet to conduct overseas operation and it is also tasked with protecting our networks from cyber intrusions by foreign actors. Improving secure and reliable access to the internet is also vital to economic development and promoting livelihoods in less developed countries or areas. In fact, our committee, I just came back from last weekend in a congressional delegation to Jakarta where I met with young entrepreneurs from the Indonesian financial technology sector who all highlighted the need and importance of expanding internet connectivity across Indonesia, more than 7000 islands, to bring additional customers into the digital financial market, and to bank the unbanked. Given our growing dependence on the internet even temporary disruptions regardless of whether they are intentional or accidental, can have serious and cascading effects across industries and among our nation’s critical infrastructure sectors. Yet no single US government entity is responsible for securing the internet and it’s underlying architecture. Instead we have multiple departments and agencies which have various jurisdictional roles including the Department of Homeland Security, the Department of Defense, and Department of Commerce, from which we are fortunate to have representatives before us today. In addition to the White House, the Department of Energy, the Department of Justice, the Federal Communications Commission, which all have a role to play in securing this infrastructure. According, excuse me, adding to the complexity of this task is the fact that the physical components of our nation’s telecommunications infrastructure, such as fiber optic cables and data centers and internet exchange points, are largely owned by the private sector. This means that coordination and communication within the federal government and across the public and private sectors are all crucial to the internet’s security. The challenge we therefore face is that when everyone is in charge then nobody is in charge. And while internet activity appears to move seamlessly across digital pathways, this movement is cemented in real, physical architecture and infrastructure. The security which has often been taken for granted in physical fiber cables buried under our streets and under international waters carries this traffic from point A to point B. Data centers and internet exchange points serve to store and transfer this traffic from network to network. All of these physical assets can be damaged by natural disasters, human-caused accidents or intentional attacks by sophisticated malign actors. As Ranking Member Stefanik has noted and as former Director of National Intelligence Dan Coats highlighted in his 2019 Worldwide Threat Assessment, we know that our adversaries are already probing US electric utility grids, election systems, pipelines and financial networks for any signs of weakness. China, Russia, Iran, and North Korea are all increasingly using cyber operations to steal data, disseminate misinformation, and I quote, to disrupt critical infrastructure, close quote. Russia, Director Coats said, and I quote, is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage, close quote. Multiple open source reports in recent years have also noted increased foreign military activity around undersea data cables, raising concerns that hostile actors could be looking for ways to interfere with this critical infrastructure. To our witnesses, I realize that some of today’s questions may drift into topics not suitable for an unclassified hearing. With that in mind I just ask that you do your best to answer member’s questions as candidly as possible, but should you not, but you should not disclose any classified or sensitive security information. Instead, please let us know that you would prefer not to respond for national security reasons in an unclassified setting and we can move on to the next question. We will however reserve the right to request that that information be disclosed in a more appropriate setting at a later date. So Mr. Chairman, I want to thank you again for your courtesy in holding this important hearing with me and with that I yield back.
Thank you Chairman Lynch, and I appreciate your dedication to national security issues, it’s been great partnering with you on this topic and I look forward to others as well. With that I would like to recognize Ranking Member Hice for comments.
Thank you very much Mr. Chairman, and I would like to thank you and Ranking Member Stefanik for hosting this, and always an honor to work with Chairman Lynch. And we appreciate you having us here today as members of the Subcommittee on National Security as part of the Committee on Oversight and Reform, we appreciate you having us here and for having this important hearing. You know, I sometimes have been with this hearing somewhat struck by the reactions of different people to this topic. Some may look at this as not among the most flashy topics but it has got to be among the most important. And more and more whether we realize it or not our lives are happening on the internet. Whether it be in commerce or energy or health care or national security, our lives are impacted greatly by the topic and the discussion today. And that’s why it’s imperative for us to be able to come together and to have a heart to heart honest open discussion as to what’s involved in keeping our nation’s infrastructure safe and secure. And so I want to sincerely say thank you to each of our witnesses for your role and for you being a part of this hearing today and I look forward to hearing how you are engaging the various stakeholders whether they be in government or in the private sector. I want to personally better understand how we are taking a whole-of-government approach to this issue and if we’re not, then I want us to talk about how we get there. I’m also curious to know how each of your components are working together. And there are a lot of seats, if you will, at the internet architecture table, if we can put it that way. And if there’s too many seats we need to know about that, if there need to be fewer seats we need to know about that. The internet for a lot of people is an unknown territory but for those of us here in Congress this is certainly an area that we need to dig deeper into and make sure that we are secure. And this is not something that we can say this is in the future, this is where we are currently living. And so we’ve got to address this straight up and so I deeply thank you for being here, I look forward to our discussion today, and again many thanks to you Mr. Chairman, and with that I yield back.
Thank you Ranking Member Hice. With that, the Chair now recognizes Ms. Manfra, Director Manfra for her opening statement for five minutes. Ms. Manfra the floor is yours.
Thank you sir. Chairman Langevin, Chairman Lynch, Ranking Member Stefanik, Ranking Member Hice and members of the Subcommittees, thank you for today’s opportunity to discuss this very important issue around securing our nation’s internet architecture, and specifically our role, the Cybersecurity and Infrastructure Security Agency, or CISA, role in securing that. Safeguarding and securing cyberspace has long been a core Homeland Security mission. In today’s globally interconnected world our critical infrastructure and American way of life face a wide array of serious risks. Nation-state adversaries and competitors seek to advance their objectives through various hybrid tactics, including subtle actions that significantly weaken the foundations of US power, degrade society’s functions, and increase adversary’s ability to hold our critical infrastructure at risk. As network devices further weave into our lives and businesses, their vulnerabilities provide additional attack vectors. Global supply chains introduce risks of malicious activity in software and hardware. Many of these risks are complex and disperse geographically and across stakeholders. To meet this urgent national security need Congress established CISA last year. CISA is the nation’s risk advisor, and we are uniquely positioned to serve this role. By statute and at the President’s direction, we lead the nation’s risk management efforts by bringing together diverse stakeholders to collaboratively identify risks, prioritize them, develop solutions, and drive those solutions to ensure the stability of our most crucial systems. An important note is that we don’t just think about threat or vulnerable or consequence, we think about them all together and how they interact, in order to establish risk. And so we try to understand things how could an adversary actually accomplish something, can they have an actual consequence. So when I talk about risk management that’s how we frame it. So as the nation’s risk advisor, we must also unify two strategic goals across all of our mission space. We must simultaneously mobilize strong public-private partnerships to defend against the most urgent threats and hazards while not losing sight of the need to build a more secure tomorrow. Our foremost responsibility is to safeguard the American people and we prioritize our efforts at all levels to focus on the greatest risks facing the homeland. In order to successfully accomplish this we must be able to understand and manage this risk holistically. And again, that means we must understand both threat and vulnerability and a consequence, and we must understand how that manifests across the country. This is why we established the National Risk Management Center. CISA, while often referred to as a cyber agency is more than just cyber, in fact we have a long history in thinking about infrastructure security holistically both against natural and man-made hazards. By establishing the National Risk Management Center within CISA, this brings together all our different disciplines to better understand what is the risk to the nation as a whole. Our first important step was to reframe the conversation instead of thinking about industry-specific activities, but to think about cross-cutting functions, ’cause in the end adversaries are interested in causing consequences to the functioning of our society or holding those at risk. Therefore we worked across multiple sectors of the economy and government partners to establish the first set of National Critical Functions in early April of this year. These National Critical Functions support the operations of nearly all businesses, public safety organizations, and government, and are so vital that their disruption, corruption, or disfunction, would have a debilitating effect on our nation. The global internet architecture includes an array of components that enable these National Critical Functions. Going forward, we will prioritize our efforts and resources both within CISA and across the government to ensure we are reducing risk to these functions and bringing the full power of the US government to bear to do so. At CISA our vision is to fully realize this national effort that I just described. This means breaking down the old organizational and institutional divides that impede our ability to provide for our collective defense in cyberspace. Our adversaries are targeting systems that are across sector and the growing interdependencies demand an integrated approach. To achieve this integrated approach we’re working and will continue to work with numerous stakeholders, including my colleagues joining me today. Specifically we’ve been working with the National Telecommunications and Information Administration or NTIA for many years on multiple internet governance issues from domain name system or DNS issues to participating in their multistakeholder process to publish a report on botnets. We also have expanded our partnership with DOD. Almost a year ago DHS and DOD finalized an agreement which reflects the commitment of both departments to this important issue. This agreement clarifies roles and responsibilities to enhance US government readiness to respond to cyber threats and establishes coordinated lines of efforts to secure, protect, and defend the homeland. Today’s national security challenges require innovation in government as well as in the economy and throughout the world, and I’m proud to be working with two partners who share that desire for innovation and partnership. The heart of CISA’s purpose is to mobilize a collective defense of our nation’s critical infrastructure, and we cannot do this alone. My colleagues on this panel represent some of those critical partnerships in order to achieve this goal. Tomorrow is the anniversary of the September 11th attacks on our country. As we learned from that event 18 years ago, information and federal operations must not be siloed. We see these same lessons amplified and complicated by the global, borderless, interconnected nature of cyberspace where strategic threats can manifest in the homeland without advanced warnings. I thank you again for starting this important conversation and holding this hearing and I look forward to further discussing our efforts. Thank you and I look forward to your questions.
Thank you Director Manfra. Ms. Rinaldo, you are recognized next.
Chairman Langevin, Chairman Lynch, Ranking Member Stefanik, Ranking Member Hice and members of the Committee, thank you for the opportunity to testify today on the role of US government in securing the nation’s internet architecture. The National Telecommunications and Information Administration in the Department of Commerce, is responsible for advising the President on telecommunications and information. NTIA collaborates with other Commerce bureaus and Executive Branch agencies to advocate for domestic and international policies that preserve the open internet and advance the key US interests. NTIA is involved in a host of policy issues that affect the security of critical elements of our nation’s telecommunications infrastructure. Our support includes working our interagency partners to enhance the security of our nation’s telecommunications supply chain. We are supporting the Secretary of Commerce on the implementation of the Executive Order on Securing the Information and Communications Technology and Services Supply Chain. NTIA is the lead Executive Branch expert agency on issues relating to the domain name system, a critical component of the internet architecture. The DNS functions similar to an address book for the internet by allowing users to identify websites, mail servers, and other internet destinations using easy to understand names. NTIA supports a multistakeholder approach to the coordination of the DNS to ensure long-term viability of the internet. NTIA collaborates across the government on numerous efforts related to the security of the nation’s internet architecture. We have been working closely with the National Security Council and the interagency colleagues on implementing the National Cyber Strategy. In that effort we shared our activities across the interagency and looked for synergies to maximize the impact of the strategy. NTIA will continue to participate in these efforts. One significant example of NTIA’s contribution to the protection of the internet infrastructure is our work NIST and DHS on the botnet report delivered to the President in May of 2018. Botnet attacks can have large and damaging effects and they put the broader network at risk. Botnets now capitalize on the sheer number of internet of things connections and devices. We have seen attacks that have topped a terabyte per second. Dealing with an attack of this magnitude can take time, which is a major concern when dealing with critical infrastructure. The botnet report outlines a positive vision for the future cemented by six principle themes and five complementary goals that would improve the resilience of the internet ecosystem. The departments of Commerce and Homeland Security developed the report through an open and transparent process for the specific purpose of identifying stakeholder actions as opposed to government regulation. We are tracking progress through a document known as the Botnet Roadmap. More than half of the identified tasks are already in progress or completed. At the end of this year the Departments of Commerce and Homeland will provide a status update to the President that reviews progress, tracks the impact of the roadmap, and sets further priorities. NTIA’s cybersecurity multistakeholder processes also contribute to the security of the nation’s internet architecture. Most recently we’ve been working on a software component bill of materials. Most modern software’s not written completely from scratch but includes existing components from the open source and commercial software world, which can be challenging to track. Our ultimate objective is to foster a more resilient ecosystem through industry-led market-based cybersecurity solutions. Over the past three decades the internet has been transformational for the American economy. America’s established leadership in technology has resulted in millions of jobs and remarkable prosperity. Because of this we must work harder than ever to ensure that the infrastructure supporting the internet is secure. NTIA is committed to coordinating across the federal government and engaging with the private sector to ensure the United States can continue to harness the economic benefits of this vital part of the economy for American businesses and for American workers. Thank you for this opportunity to testify and I look forward to your questions.
Okay, thank you Ms. Rinaldo. Mr. Wilson you are now recognized for five minutes.
[Mr. Wilson] Chairman Langevin, Chairman Stefanik, Ranking Member Hice, and Ranking Member Stefanik, my apologies Chairman Lynch, and the members of the Subcommittee, thank you for the opportunity to testify before you today. It really—
Can you pull the mic a little closer to you, General? Thank you.
Absolutely. Is that better, sir?
Might want to turn it on.
[Chairman Langevin] Yeah, is it on, or?
[Man] It’s on.
I’ve got a green light.
We’re good.
My apologies.
[Man] It’s okay.
Chairman Langevin, Chairman Lynch, Ranking Member Stefanik, Ranking Member Hice it’s really an honor to be here before you and the Subcommittee members. It’s good to be back in this chamber as well and testifying again. I look forward to discussing the role of the US government in securing the nation’s internet architecture alongside my counterparts from the Department of Homeland Security and Department of Commerce. It’s a critically important topic. We understand the sense of urgency behind this. First on behalf of Secretary Esper, thank you for the tremendous support that Congress has given the Department of Defense in our effort to improve our overall defense posture related to cyber threats. We’ve made significant progress, but with your support we continue to make significant progress to deter, disrupt, and defeat strategic malicious cyber threats directed at our national interest. Despite this progress, we understand there’s much more that needs to be done. And with that we’ve been very focused on the progress ahead. As the 2018 National Defense Strategy and the 2018 DOD Cyber Strategy make clear the US is, the US homeland is no longer a sanctuary from cyber threats. Our strategic competitors such as China and Russia are conducting persistent cyber-enabled campaigns to erode US military advantage, threaten our nation’s critical infrastructure and reduce our economic prosperity, which includes threats to our telecommunications and information technology sectors. These campaigns are being conducted below the threshold of armed conflict but collectively pose long-term strategic risk to the nation, our allies, and our partners. In response the Department adopted a proactive posture to compete with and counter determined and rapidly maturing cyber adversaries. Our objective is to prevent or mitigate significant threats before they reach US soil. We refer to this strategy as defending forward, it’s the core of our DOD cyber strategy. This approach is focused on enabling our interagency, industry and international partners to strengthen their resilience, close vulnerabilities and defend critical networks and systems while simultaneously imposing costs on adversary malicious cyber actors when called upon. Towards this end the Department is continually working with our partners, both domestically and internationally to strengthen the resilience of networks and systems that contribute to current and future military advantages. The Department previously focused its defensive efforts almost exclusively on military platforms, systems, and networks. However, the evolving cyber threat increasingly proactive activities of key competitors have demonstrated vulnerabilities that extend beyond our DOD systems and networks. The vulnerable of critical infrastructure to cyber attacks means that adversaries could disrupt military command and control, banking and financial operations, the transportation sector, the energy sector, various means of communication, and a variety of other sectors. As a result, supporting US government efforts in securing and defending the nation’s critical infrastructure is a key priority under our DOD Cyber Strategy. Partnerships are an essential element of our National Defense Strategy. We understand that our interagency, international, and industry partners are vital to ensuring that DOD can operate and project power in a contested cyber environment. DOD’s role in defending the homeland is outwardly focused, like it is in any other domain of operations, focused on strategic threats, and supports our interagency partners, including the Department of Homeland Security and the other sector-specific agencies. The US government has a limited and specific role to play in defending against attacks on our nation’s internet architecture, including through our trusted relationships with industry. As we all recognize security was not a primary consideration when the internet was designed and fielded. Although computers and network technologies underpin US military war-fighting superiority by enabling the joint force to gain the information advantage, strike at long distances and exercise global command and control, the private sector was and operates now well over 90% of the interdependent networks of information technology infrastructure across the cyberspace domain. At the same time the nation’s telecommunications infrastructure is primarily owned by commercial entities. Our adversaries target our nation’s weakest links and vulnerabilities are consistently found across the full scope of the internet ecosystem be it government or industry. The Department, which views the challenges it faces in performance of its critical missions principally through a national security lens is nonetheless highly dependent on privately owned infrastructure, decisions concerning which are regularly guided by ordinary business or economic considerations. Recognizing this inherent tension defending national critical infrastructure, including the nation’s internet architecture from significant foreign malicious cyber activity has become an area of interest and emphasis for the Department and large scale disruption or degradation of national critical infrastructure would constitute a national security concern as would threats to the DOD critical technology information other controlled unclassified information processes stored on non-DOD-owned systems and networks, which demands a close cooperation alongside our partners. This reinvigorated partnership alongside the FBI, intelligence community, was instrumental to the whole-of-government efforts to protect and defend the 2000 US midterm elections from foreign interference. We continue to leverage the lessons from this experience and these activities to help shape and further improve how we secure 2020 elections and other ongoing efforts related to protecting and defending the nation’s critical infrastructure. Again, thank you for the opportunity to appear before you today, and for the continued support you and your staffs provide as we address these challenges. I look forward to your questions.
Okay. Thank you Mr. Wilson. We’re gonna go into questions at this point. Members will be recognized for five minutes. Before we go to that though I just wanted to mention that we’re expecting votes in just a few minutes so we’ll get through as many of the questions as possible so if we can all stick to as close to five minutes in questions and answers that’ll move things along. So with that I want to begin for all of our witnesses with a question. What role does the National Security Council and the White House play in facilitating and coordinating amongst all the federal agencies? And can you describe efforts led by the White House to address internet architecture security. Ms. Manfra, if we could start with you.
Thank you for the question sir. Well the National Security Council as a policy coordination body focuses on from a cyber perspective, but also on the resilience side areas that we need to either identify or implement policies as an interagency body. Coordinated the National Cyber Strategy, which was released some time ago. And focusing specifically on, as an example, things like the DNS ecosystem, supply chain for our ICT ecosystem, and as well as other threats that may come up, coordinating both the policy and any kind of response that we may need to do either urgently or in the long term.
Ms. Rinaldo, Mr. Wilson, can you comment on any aspects of interaction with the White House on coordination?
Yes, as Ms. Manfra said, the White House routinely convenes meetings to bring us together to talk about issues as the cyber strategy, supply chain, as well as other issues that come up as needed. It is an opportunity to bring not only my two fellow witnesses to the table as well as other parts of the government that may have equities in these processes as well. So they are fairly routine and with the Cyber Strategy we have due-outs, so we regularly meet to see where we are on the process of implementing that.
[Chairman Langevin] Thank you. Mr. Wilson.
[Mr. Wilson] And I would just add in the series of sessions that we do do across the interagency led by the NSC team—
Can you pull that microphone a little closer, General?
Can do. I’m gonna put on my command voice and project if that’s okay then, my apologies. Is we do, we look at a lot at the threat. We bring in, especially the intelligence community to understand the threat as well as a series of functional reviews that we do with recommendations that follow. And that could be the report that was referenced earlier about the botnet, it could be work that’s going on regarding ransomware across the interagency. Sometimes it’ll start domestically but then we’ll bring in a larger team to do some initial work at the direction of the NSC team. And so depending on the topic there’s usually a series, but many times we’re organized to be able to address specific threats and understand that threat so that we have the right actions.
‘Kay. Ms. Manfra, what is the role of law enforcement agencies such as the FBI and CISA’s own Federal Protective Service in protective or defensive functions such as hardening cable landing station and IXPs that are owned and operated by the private sector?
Sir, we have a very close partnership with the FBI in particular, specifically on some of these issues. The FBI is able to kind of cross both on the intelligence side as well as law enforcement authority both to take actions, legal actions if needed through the justice process against those who may not be, who may not be following legal laws related to how they’re deploying their systems as well as conducting investigations that we may be gathering from intelligence sources, so working domestically to further investigation to determine is there an issue. Other law enforcement entities are not as involved on the internet architecture issue itself, though they have the ability to collect information or if they have a related case to share that information. FPS is primarily focused on physical protection of government buildings and we have worked with them on ensuring that building owners are thinking holistically about cyber and physical threats to their buildings. But not particularly relevant probably to the internet architecture conversation.
Yeah, and I think that’s again, this is the whole, right, the purpose of this hearing so we get a better understanding of what we need to continue to focus on in terms of hardening these sites. Let me before I’m, let me just, did that expire?
[Mr. Stiefel] I was gonna start it over for the next question.
Okay.
Chairman Langevin if I could maybe just add on, the DOD has a very active role alongside DHS as well, both domestically and internationally, and so we work with industry partners but domestically especially with DHS to understand what information flows are moving through, so from a command and control perspective or communications flow to our forces. To do assessments, and to understand that we have enough capacity and diversity of undersea cable capability to be able to execute our DOD missions. To go into more detail probably need to go into a classified session, but just to make you aware that we have a very active relationship alongside our interagency partners. Very tied to our mission and execution of the DOD missions around the world, so it’s more of an international perspective.
Okay, thank you. My time has expired, so I’m gonna stop there. We’re gonna have some follow up questions I’d like to submit for the record and I ask you to respond to those. And without that I believe votes have been called.
[Man] Yes sir.
Okay. I’m gonna yield to Ranking Member Stefanik and hopefully we can get through her questions.
Great. Given the complexities of the ecosystem that we’re talking about today I want to focus on supply chain security and integrity, which many of you referenced in your opening statement. I’d like to understand in more detail given how complex the global telecommunications supply chain already is, combined with emerging technologies like 5G, internet of things, even cloud computing, how are you specifically improving our supply chain security? Ms. Rinaldo I’ll start with you, that’s question one. The second one is are there any specific technologies you’re more concerned about than others in securing our supply chain, and specifically what collaboration needs to happen with industry and the private sector? So Ms. Rinaldo I’ll start with you. Mic. Can you turn? There you go.
Sorry, I’m new at this. As you may know on May 15th of this year the President issued Executive Order 13873 Securing the Information and Communications Technology and Services Supply Chain which gives the Secretary of Commerce IEEPA authority emergency powers to act on national security concerns with the implementation of infrastructure into our telecommunications networks. This is something that NTIA is working with the Secretary’s office on. We are currently developing the interim final rule, the regulations on how this process will work out. We believe that will, we are on track to have that delivered to the President the middle of October. But as well, through our multistakeholder processes which we are probably most known for is an opportunity for us to meet with technologists, policy makers, academia, civil society to talk about these important issues. The thing that I really love about NTIA is that we’re able to pull back to the 50,000-foot level and look and then hone in on certain issues that go down and tackle certain concerns or issues, and this is what, the format that we use. So we talk about vulnerabilities. We have done, we are currently working on the software bill of materials specific to supply chain, we have, we definitely have concerns moving forward, especially as we move to fifth generation technologies. And I think it really gives us an opportunity as we talked about is it baked in or bolted on, that it gives us the opportunity to bake in security as we move forward.
[Ms. Stefanik] Ms. Manfra.
Yes ma’am. I will just touch high level and then we can, always happy to come back and go in more depth, there’s a lot to talk about on supply chain. As Diane noted around the Executive Order, that is a key component of the administration’s approach. We at CISA have also stood up an ICT supply chain task force which is mostly made up of private sector, but also colleagues across the government to focus on what are the most important things that we can actually make progress on, what are the tangible things we can do, and they have been working along a few of those lines particularly around procurement, government procurement. Which to segue into what we’re doing for government procurement, following up on the law that was passed last December around federal acquisition security supply chain, chaired by Grant, but an interagency body to look at how do we reform and modernize our federal procurement system to ensure that we are taking mission risk I’ll call it, into account when we’re procuring and maintaining IT products and services. So those are some of the things that we’re doing. Specific technology I would say it’s not necessarily a specific type of technology that is concerning. What we have really, from a DHS perspective is we really think of it as a framework that started with our experience in Kaspersky, but that you have to really look at where is this product or data being held, what are the laws of the country that mandate how that data or products are treated, but you also have to look at what is the level of access that that piece of software or that piece of hardware that somebody would be able to gain access to. An antivirus piece of software you have tremendous access into a computer, so that combined with a country’s laws that we have concerns about that would compel access, those things together are what would cause us to concern. So we’re looking at a lot of things across government is how do we understand things like foreign ownership and controlling influence, how do we understand what that means to risk. But looking at it through that framework. And then of course what would always be the consequence that somebody who had that access and those laws, is there any sort of significant consequence. So it’s less about the technology and more about the context that that technology lives.
My time’s expired. Mr. Wilson, I’ll take yours for the record since we’ve expired. Yield back.
Okay. Okay, thank you Ranking Member. So votes have been called, we’re gonna recess at this point. We’ll return right after, there are three votes, so hopefully we’ll get through those quickly. We’ll come right back and then Chairman Lynch will be up next for questions.
Thank you.
Committee stands in recess.
Thank you Mr. Chairman. Again, I really appreciate your willingness to come here and help us grapple with these problems. Recently I’ve had groups ask to meet with me about the need for more funding from the government for infrastructure security, and when you sort of look at the landscape here, you have Facebook and Apple and Google and other private sector players that have a major role here and that have an intense investment I think in maintaining security themselves. Do you think there is a significant role here to play in funding the necessary improvements to our infrastructure on the part of internet companies, including mobile banking and others, much the same way that we have a gas tax for the users of our roads and highways that goes into the transportation trust fund and helps with an enormous part of the funding for that infrastructure. Have to thought about this from a funding side in terms of how we have to continually maintain the integrity of the internet architecture and a way of doing that over the long term. So I would offer it to the three of you if you’ve thought about this aspect of it. Ms. Manfra?
Yes sir, I can start. Yes, the funding question is something we grapple with in a lot of areas. I will say when you’re talking about those companies that provide the internet architecture, the ecosystem that we’re talking about, as you noted they have a lot of economic incentives to have a secure and reliable infrastructure. So I don’t know that we’ve considered sort of funding those organizations, they are also doing very well as I understand it, and have a fair amount of funding. There are other elements when you get into state and local organizations and others that I think is a separate conversation. I will say when we think about how the government could provide resources in this space in either complementing private sector investment or driving change, it would be in the area of standards and research and development. In how do we think about what sort of, there are some standards bodies, there could potentially be new standards bodies or existing ones that evolve to think about things like 5G and as our kind of overall internet architecture evolves the government sort of thinking about how do we participate in that process either through resourcing or participation. And importantly I think in research and development, how do we think of new ways to build more resilient infrastructure, both resilient from a physical perspective and as a cyber, so those would be the areas that we’ve most thought about the funding.
[Mr. Lynch] Thank you. Ms. Rinaldo?
When you look at the ecosystem as a whole most private companies underpin the internet architecture so what added benefit can government bring them to help move the ball. At NTIA we currently work with the private sector through our webinars. We have a broadband group that actually reaches out to rural areas to talk to local providers on how can we help them improve their security and their resiliency. We work through the American Broadband Initiative, which the President initiated last year, we lead that on behalf of the government to again to have these conversations on how can we as a government help improve security and resiliency. And one of the things that we hear back is information sharing, this is something as Chairman Langevin, we talked about just before the hearing, that I’ve been working on for a very long time. What information can we pass as a government to local providers to vendor manufacturers that ensure that they are getting the quality of information to help them protect their products are being implemented throughout the supply chain.
[Mr. Lynch] Thank you. Mr. Wilson?
I would just echo, I think when we look from a DOD perspective, we look for the nexus when it revolves around national security. And so we’re very active in standards boards, not just domestically but globally associated with the internet. In addition we look at capability that could be brought to bear from a DOD perspective. We’re very active in the research and development, it was highlighted in the introductory comments, the DARPA team, also our service laboratories, and I would have to maybe tip a hat to the Department of Energy lab environment. They do some great work in this arena, so there’s a lot of partnering that goes on to bring innovation to the game, to this table, in terms of solutions. To be really a catalyst for change. And there’s several different.
What about cost-sharing, that’s what I’m asking. In the private sector, you know, they’re the major beneficiaries, these private companies that are, you know, hugely successful.
And so in the Department of Defense we use vehicles such as cooperative research and development agreements with industry partners, really a sharing of either personnel and intellectual property as well as resources, so we may have a range in the Department of Defense where we can do experimentation, etc. And so we use several different vehicles along those lines to be able to get after high priority requirements. Again, we look for the national security nexus when it comes to research and development standards, etc.
[Mr. Lynch] Okay, thank you very much. Mr. Chairman I yield back.
Thank you Chairman Lynch and Mr. Hice, the Ranking Member, Ranking Member Hice is now recognized.
Thank you very much, Mr. Chairman. Mr. Wilson while you’re talking we’ll just keep going here. About this time last year the Department of Defense released a cyber strategy where it was highlighted the need to conduct cyberspace operations, that’s very intriguing to me and specifically to determine and to make sure that we are able to maintain our US military advantage and at the same time to defend our national interest. And an interesting quote, and also quote, to prepare military and cyber capabilities to be used in the event of a crisis or conflict. Those three areas are extremely important to me and I know in my own district, Fort Gordon, the Cyber Center of Excellence resides there and they’re very much involved in all three of these areas. Obviously without going into classified information but would you be able to share some of the specific actions that the department has taken in light of that cyber strategy to just some insight on how things are going to protect our infrastructure.
Absolutely. So in August of last year the Secretary signed, Secretary Mattis at the time, signed out the DOD Cyber Strategy. Some very core missions. Number one being the ability to operate DOD joint force, so kinetic forces alongside all of the other forces in a cyber contested environment, to be able to build resiliency into our joint force, that was priority one from Secretary Mattis’ perspective. In addition we wanted to be able to bring cyber effects operations, defensive and offensive, alongside our normal kinetic operations. And so we’ve been hard at work at doing that. We’ve worked with Congress, with authorities to be able to execute in that arena. We usually are pretty, we do some really good work in the area of hostilities in competition with the revisionist powers we’ve seen that they’re operating below our normal traditional response mechanisms and so we’ve been very focused on that, so the strategy addresses that. Down at Fort Gordon they’re doing some great work, Lieutenant General Fogarty and team in terms of that’s the ARCYBER, the Army Cyber team. They’re focused right now in CENTCOM theater, AFRICOM theater, the Africa Command, doing some fantastic work. When it comes to critical infrastructure there was a recognition that the Department of Defense had a role, and I think if you had asked us maybe two or three years ago, it wasn’t as clear. We brought a strategy forward called Defend Forward. We focus in the department, just like we do in any other domain of operations, on external threats to the nation. And so in cyberspace we do the same thing, so we focus on those external threats, we want to be able to see those threats, understand those threats, see indications and warnings if there attack on critical infrastructure for the nation or DOD forces or allies. And we want to be postured and prepared to be able to respond to those attacks. Preferably in a preemptive fashion if needed versus waiting to take a strike and then have to be on—
Would you believe that, how are we doing, is kind of what I want to know. Are we prepared offensively? Are we prepared defensively? Are we prepared in the event of a crisis here? I mean, where are we on these three areas? On a scale of one to 10, I mean, are we?
So it depends on which category and it’s best done in a classified setting, but I maybe would just put a backdrop behind it. We’re making tremendous progress. Over the last year we’ve executed operations which we’ve briefed in the Armed Services updates and we’re getting ready to do one here shortly, across several different mission types, and so that’s going very well on the offensive side. On the defensive side we’re building tremendous resiliency in the force, we have a long way to go. So if you’re talking about the network we have tremendous activity going on endpoint security, zero trust environments, and the team is doing really good work. We also have activity going on associated with weapon systems to make them more resilient, and then we’re beginning to look at defensive cyber effects operations broadly to be able to mitigate risk to the best of our ability.
Okay. Well Mr. Chairman I don’t have time to get into the next question, so I’ll go ahead and yield back, thank you. (muffled speaking)
Thank you Mr. Chairman. Thank you so much for being here and being willing to have a interagency discussion about this. I’d like to just hone in on just some of my understandings about some vulnerabilities and try to get a better sense of how different agencies and departments are honed in on this. A concern that we have is certainly about the different nodes in which the information is coming to us through internet exchange points, we have one in New Jersey and we understand some of the vulnerabilities that come with that. When information is being transmitted through let’s say the undersea cables, through the internet exchange points, from my understanding is that undersea cables is something under the jurisdiction of DOD, the internet exchange points are ones under the jurisdiction and oversight of DHS, so I guess my understanding is how do we structure the preparations or the coordination that’s involved in that to try to understand if we were to have any disruptions along those points that we can understand what role different agencies and departments play. Are there particular exercises that are being done, other ways in which we can understand who all is engaged, because from what I understand it’s lots of different departments and agencies and offices that are involved in that type of process, so if you don’t mind I’d love to just hear from across the board what we can be doing on that front and who are the main actors that need to be at that table?
Thank you for the question, sir. I don’t know that I would use the term jurisdiction. I wouldn’t say we have jurisdiction over internet exchange points, and I would defer to DOD but I don’t think they think they have jurisdiction over undersea cables. What it’s more is we have some interagency bodies such as Team Telecom and things like CFIUS, other sort of bodies where we work together, our three agencies plus others, to understand the risk and make decisions and are able to intervene if necessary in (mumbles) decisions in those particular cases. In other areas where there’s not a specific investment or acquisition happening we continue to work together. Once you start getting further beyond the borders of US waters obviously there’s others who start to have insight, but we recognize the connectedness of that. So specifically on undersea cables we worked with the DNI two years ago, issued a report on threats to undersea cables, working very closely with DOD, DNI and others to both better understand the threat but then on the DHS side given sort of our authorities and the public-private partnerships, what can we do to counter that threat, build more resilience, and of course DOD has capabilities to use those tools as well as NTIA. So it’s not so much that here’s a clear jurisdiction and it ends at this part of the internet architecture, and then the next person picks it up, it’s really largely private sector led in all cases and what we have are different tools to analyze and make assessments and take action if we have some concerns. Is there potential more tools and better cooperation? Absolutely, we can also continue to improve the coordination and that’s why I think we’ve got those national critical functions very focused on how is the stability of the internet overall, how are we focusing on that, what are those different mechanisms and those tools and those partners. That’s how I would, I hope that’s helpful, but that’s how I would frame it.
[Mr. Kim] No, that is helpful. Any of the other witnesses want to jump in on this? Mr. Wilson?
From a DOD perspective, what we really focus and try to understand the threat. So we work with the intelligence community and then our own insights. Also we do assessments so that we understand our reliance on cable landing sites or any type of infrastructure. And then we constantly are planning and coming up with contingencies, so based on that reliance we want to understand if that’s lost in whatever fashion, however complex that looks like, our ability to roll off and conduct operations maybe in a minimized fashion with high priority taskings. And so that’s a natural rhythm that we move through in our war plan, or an O plan activities. In addition, in our Tier 1 exercises we do exercise and the loss of critical infrastructure, which might include cable landing sites or other undersea cables, that’s a normal battle rhythm of activity that we look at. And then just I would point to maybe day-to-day. We do have just, there’s anchor drags and cable losses and so just naturally we see in a day-to-day fashion the loss of capability, whether it’s natural disasters or man-made calamities out there under the sea, we see that happen on occasion on a very routine basis and so we’re constantly having to already do this for a living, if you will, to maintain mission. And so we gain a lot of insight and we do a lot of after-actions and lessons learned based on those experiences. And so pretty deep well of knowledge there and then we share and work hand in hand with DHS and we have natural rhythms. They see our tasking orders, we share that from a cyber perspective.
Well thank you for your insights. Mr. Chairman, I yield back.
[Chairman Langevin] Thank you.
[Congressman] Thank you Mr. Chairman. I think we all agree as the DOD moves toward an increasingly internet integrated war-fighting posture it’s critically important to identify vulnerabilities in software and hardware within the DOD network. Mr. Wilson, as identified in DOD’s 2019 Digital Modernization Strategy, DOD utilizes 10,000 operational IT systems. I’m concerned about the number of access points within the DOD network. Does DOD have a complete inventory of all items that can access the network?
Today the answer would be we do not. We’re driving very very diligently to have insight and to be able to see. We have several modernization efforts and several initiatives underway, endpoint security and visibility being the number one, so that we have visibility to all those endpoints. 10,000 endpoints, sir, would probably be a low estimate. So when you just look at end-users out there given we have several million people inside the Department of Defense that number is much higher than that. And so we need to be able to have visibility to be able to mitigate risk, and so step one has been insight and an endpoint security initiative that’s been underway. We’re really driving hard. We’re getting tremendous traction alongside the services and our Fourth Estate in the DOD Enterprise. In addition we have an initiative underway called Zero Trust where we’re driving so that we validate and limit the movement, so if something’s exploited inside the network that we contain that to the best of our ability. And so Admiral Norton and the DISA team are hard at work on that alongside the service components, and so that’s been a high priority task. The Deputy is taking reviews on all of these initiatives plus more on a very routine basis, so the sense of urgency’s high on this one.
Good. Ms. Manfra, you testified that the CISA works across government and industry to ensure the national security and emergency preparedness community has access to priority telecommunications and restoration. Are government agencies able to keep up with industry in issuing security updates?
I think much of what we use is industry products, so it’s more about ensuring the behavior that people are actually, if you’re referring to patching and those sorts of things. We’ve had a lot of work that we’ve done around this to focus behavior on those types of things, are they patching vulnerabilities that identified, and we’ve actually made a tremendous amount of progress. I think we are able to keep up with them, in some cases we are actually leading industry. There’s work that we’ve done under one of our directives to improve web and email security and the government went from least secure by an independent auditor to actually leading all industries in the security of our websites. So I think that there’s, and I think that’s what we need to be doing, we should be not just talking about it, but actually leading in putting these things in place. But it’s a mix of behavior and resource. Sometimes there’s technical challenges and we work with agencies in particular to assist them on that. If that’s getting at your question.
Yes.
Okay.
Mr. Wilson, back to you, how does the role of the CIO coordinate with DISA regarding the responsibility of DOD IT security?
So the DOD CIO by statute has responsibility for the standards, so the technology and the fielding of capability. DISA is their operations arm and so DISA has purview and there’s in two roles, in organize, training and equipping alongside the services all of our IT fielding. In addition the DISA commander, Admiral Norton, also wears what we call the Joint Force Headquarters Commander hat for the DoDIN, DOD Information Network, and so in that role she’s able to direct activity in terms of orders out to the DOD at large. And so that kind of is the arm that is able to execute operationally day-to-day to mitigate risk. If there is an incident to be able to harness the power of the department at large and be able to mitigate that risk. To be able to drive initiatives like the Zero Trust activity that I just highlighted. So DOD CIO is responsible statutorily for the department in terms of standards and compliance and then the operation arm is DISA that reports up through the DOD CIO.
Okay, thank you very much, I yield back. (muffled speaking)
Thank you Mr. Chairman, ladies and gentleman, thank you for being here this afternoon. I have two questions. One is very basic, and the other is rather not. So let’s handle the basic question first. How do you ladies and gentleman feel about securing our undersea submarine cables that transmit most of our signals? How do you feel about that, where are we right there?
[Ms. Manfra] Well sir, I would argue that it’s not—
It’s been identified as a area of potential—
Yes.
Threat. And that this could disrupt internet services globally and have serious economic impact and perhaps military implications, communications, etc. So without getting into the weeds on the, or revealing anything that shouldn’t be spoken of, what’s your opinion, is there more that should be done and could be done?
Yes sir, this is a high priority for us. Both my agency and those here as well as others that aren’t represented. And we are very focused on this and yes there is absolutely more that we will do and can do, is the short answer.
[Mr. Higgins] Do you concur, sir?
Yes, for the Department of Defense it’s core to what we do and so I would just kind of maybe walk back through. One, we want to understand the threat against undersea cables in particular because we are relying on them. And so anytime that the DOD is relying on any kind of capability we want to understand the threat to it, where the vulnerabilities are, and then what—
Those threats and vulnerabilities in your opinion are being addressed?
We understand the threat and we understand the vulnerabilities, so the next is how do you mitigate those risk. For us in the military that would be in operations, the execution of our operations day-to-day. And so we have a very robust effort that we continually look and assess undersea cables because it’s the crux of, and we rely on it for a lot of our communications—
Right, so to, in the interest of time, and thank you for answering, please just all of you stay in very efficient communications with both these committees whereby we can give you anything you need ’cause it would be a disaster for the world if those things got hit. So let’s move to my question that is actually my concern. I’m concerned about national security issues regarding protection from emerging technologies sponsored by nation-states with global aspirations and strategies, like China. Specifically, I’m talking about quantum computing. We have a responsibility to protect the people’s treasure and of course we have the responsibility to provide national security, but are we talking about investing money on protecting ones and zeros, long streams of ones and zeros when China could be on the verge of using entangled photons to communicate. They recently had this in public data, had a satellite transmission to two separate land stations 1200 miles apart, and achieved quantum entanglement, successfully. A professor from LSU in my home state of Louisiana, a physics professor that spends a large part of the year at the university in Shanghai, the Science and Technology of China university, stated that he believes China will go dark in two to three years, meaning we won’t be able to, we won’t be able to understand and read their communications. So if they reach a point through quantum computing before we do, because we’re spending money on VHS tapes while the world has moved to DVD, that if they reach a point of quantum entanglement and quantum computing efficiently, and we can’t read them, then how would we know that they’re reading us? In the remainder of my time, please, whoever feels qualified to answer that question.
Sir, first I would offer that I think us and potentially some other agencies would be happy to come in and have a longer conversation about this. Both quantum computing and other emerging technologies are definitely top of mind of not just our agencies, but many others and I would argue that the US government is investing a lot in ensuring that we continue to maintain leadership in this space. And while yes we absolutely have—
So we could look forward to a SCIF briefing on this?
Yes sir, we will follow up.
I would ask the Chairman to consider that.
And I would just add I think quantum computing’s at the core, digital modernization at large, 5G, quantum computing, AI, large data or big data analytics, etc, are all converging. And so in the Department of Defense we see that as opportunity to field the right kinds of capability both for productivity but for effectiveness, mission effectiveness, but we also are looking at it through the lens of risk. And so how do we mitigate that risk alongside our interagency partners. We have the challenge of low end and high end conflict and so we have a reliance and we’re becoming more reliant on those capabilities. So it’s of utter importance, so but we would love to join.
Thank you sir, we look forward to a more extensive briefing in a secure setting. Thank you Mr. Chairman. (muffled speaking)
Thank you Mr. Chairman. Ms. Manfra, earlier this year CISA released a list of 56 National Critical Functions. You defined these as functions, quote, so vital to the United States that their disruption, corruption, or disfunction, would have a debilitating effect on security, national economic security, and national public health or safety, is that correct?
[Ms. Manfra] Yes ma’am.
As it pertains to internet architecture, how does the identification of these 56 critical functions alter CISA’s approach to protecting our nation’s internet infrastructure?
Thank you for the question, ma’am. What it does is more holistically it defines what functions we are concerned about. So previously, while it is important to continue to have these sector-specific approaches, but when we’re talking to the IT community and the communications community, we felt it was important to narrow in a little bit more on what specifically, so are we talking about routing, and addressing, are we talking about the internet exchange point conversation and physical infrastructure that supports the internet. So we felt it was important to start to disentangle so it’s not just all here’s an IT and communications broad structure, industry already thought this way, it was really us sort of catching up and we will now shift how we prioritize our resources and our engagements to ensure that we have the right people in the room and we are taking the right actions against those critical functions.
Okay, thank you. And how does this change CISA’s outreach and coordination with the private sector and with your partners at other agencies?
What it really means is we’re gonna ensure that the right players are in the room. We have great partnerships with the IT and communications industries, but as we started to think about a functional approach, which is frankly the way the adversaries are thinking about it, we recognized that not all of the correct players were in those conversations, so we want to ensure that the owners and the operators, the providers of services, are also a part of whether it’s just information sharing back and forth, so they can give us information about what might be going on, or we can provide them information, but also they’re a part of this broader policy conversation when we’re thinking about risks and what we want to do about it.
Thank you. That list of National Critical Functions includes providing internet-based content, information and communication services and it also includes conducting elections, is that correct?
Yes ma’am.
Of course our internet architecture is connected to election security in many places across the country so let me start by asking you a question that I have asked CISA Director Krebs multiple times since May of this year. Russia intentionally influenced our 2016 elections and is expected to try again in 2020. Has the President received a comprehensive briefing from CISA on potential Russian influence in the 2020 elections?
My understanding is the President has received briefings and continues to receive briefings on threats.
No no, I’m asking you has he received a comprehensive briefing from CISA on potential Russian influence in the 2020 elections.
He has not directly received a briefing from us but he has received comprehensive briefings that we have informed.
Okay, that’s new information because that’s since the last time I spoke with Director Krebs where he has said no, or he was not aware that the, I mean small briefings here and there. That’s different than a comprehensive briefing specifically given to the President of the United States on Russia’s desire and intention to influence the 2020 elections. So since the last time I asked him, that comprehensive briefing for the President of the United States has taken place?
Ma’am, to be honest, I am not in the meetings where the President receives these, but I do understand that the President has received multiple briefings on—
Okay, so essentially you’re giving me the same answer that Director Krebs, he has not to your knowledge had a comprehensive briefing from CISA on this risk.
We have not directly provided him a briefing.
Okay, okay. Are there plans to brief the President on this critical issue in a comprehensive way from CISA?
I would have to defer to others on that.
Okay. And lastly, are you familiar with the Quadrennial Homeland Security Review? Okay, that’s a critical document that is used for assessing the department’s overall security strategy and what it views as the most pressing threats to US security, including threats to critical infrastructure. Congress mandates that DHS produce this review every four years. Can you tell me the last time DHS submitted a Quadrennial Homeland Security Review to Congress?
Off the top of my head I cannot remember the exact year, ma’am.
It’s 2013.
Okay.
Or 2014. And the most recent version of this document was due to Congress in December 2017 but more than 20 months later DHS has not submitted this critical document. What’s the status of the now long overdue 2018 Quadrennial Homeland Security Review?
Ma’am I’ll have to get back to you on that.
Okay, if you could. The bottom line, Mr. Chairman is not having an up to date Quadrennial Homeland Security Review makes it more difficult for Congress to evaluate DHS’s strategy and coordinate with federal agencies, which you very effectively answered on homeland security priorities including protecting our internet architecture. So I would ask that you take it back to your bosses that it’s time to comply with the law and if you actually take this issue seriously, making sure that this report is issued in a timely fashion is essential.
Yes ma’am.
Thank you, I yield back. (muffled speaking)
Thank you Mr. Chairman. Ms. Manfra, obviously DHS defends the homeland and defends our critical infrastructure here including our internet infrastructure, and Mr. Wilson, DOD in a number of briefings has described it’s posture now as defending forward, in both classified and unclassified briefings. And I’ve received a number of briefings on what those activities have entailed, particularly as it pertained to 2018 and our elections there. Is there any discussion in the department, in the Defense Department in particular amongst the interagency of moving to a deterrence strategy rather than a purely defensive strategy, whether we’re defending forward or defending the homeland. What I mean by that is to use an analogy, terrorism, we cannot bat a thousand, so to speak, using a baseball analogy. At some point we have to alter our adversary’s decision dynamic and I think some members have described it as perhaps blinking the lights in the Kremlin or holding their assets at risk. What’s the department from a policy standpoint? Are they moving that direction? Have you made a decision not to move that direction and we take a purely defensive posture? We could talk across a number of domains obviously where we have a deterrence strategy to stop and try and alter the behavior rather than simply defend against it. Does that make sense? And I’d welcome your thoughts.
Absolutely sir. So last year as part of our cyber posture review we delivered a report to Congress, really had two pieces, that was in early September. One was a holistic assessment of our ability to execute the missions as articulated in our DOD Cyber Strategy. And so we did a gap assessment, that’s a classified report that we can make available. In addition we were asked to some work on deterrence, specifically deterrence in cyberspace. And so a couple of the key takeaways. One, we believe that deterrence comes in a few flavors, it’s not just consequences, we think the first step is deterrence by denial. So we want to deny adversaries the benefit of what they’re trying to achieve through a cyber effects operation. Or any other type of activity directed at the US, or allies, or the nation at large. And so that’s where you see the partnership between DHS and the other departments and agencies of the US government where we’ve stepped in to begin to assist and enable support the resiliency of our critical infrastructure segments. Not just focused on DOD systems, networks, weapons systems, etc. So our focus is much broader because we do rely and we see the importance of denying an adversary the benefit. In addition we look very hard at the ability if called upon to deliver consequences, not just kinetically or in all the other domains of operation that the department has, but also in the domain of cyberspace. And so a lot of assistance from Congress with regards to some clarity on authorities. We’ve also in the strategy tried to articulate our role uniquely focused against external threats, and in addition the NSC team and the White House has led us in the interagency through a process with a new National Security Presidential Memorandum 13 which focuses on the decision process for either offensive or defensive cyber effects operations. The details of that we’d have to go in to a classified session, but that has been in play and I think just in general—
I’d like to follow up. I’d like to follow up and better understand that and then also better understand how that’s been communicated to our adversaries because obviously deterrence is only effective if they understand the consequences.
Absolutely, so strategy, a clarity of authorities, and then the process for making decisions have been very key in the consequences part. In addition we look at deterrence really what I would describe as entanglement. So how do we entangle ourselves or use and leverage one of our strengths as a nation in the international arena. And so how do we bring alongside our close partners and operate together, and make the complexity of a targeting problem for an adversary more difficult. And then lastly is how to we strategically communicate any actions we’re taking across as a whole-of-government, not just the—
Just in the interests of time, I’ll take that for follow up, but thank you and we’ll reach out to your staff. And then just very quickly, who has, I know there was a question earlier and I apologize if I’m repeating it, on undersea cables, who has authority on, or who has responsibility for defending undersea cables that directly affect the United States, it’s ability to communicate, and our economy in international waters. That’s just not clear to me and if anyone wants to send that for the record in the interests of time, Mr. Chairman, I believe my time is expired, I’d appreciate it.
I think it would probably be best if we followed up with more detail, sir.
[Mr. Waltz] Thank you. (muffled speaking)
Thank you Chairman Langevin. Mr. Wilson, my question is for you. With respect to helping secure our nation’s infrastructure and even responding to an incident or an attack upon our critical infrastructure, can you clarify the role that US Cyber Command and US Northern Command plays and the relationship between the two. What role does DISA play here and are there clear chains of command so that these organizations and commands understand their particular role, who’s responsible for what, and then how do they interface with DHS?
So, if there’s an attack on the nation that involves kind of a multi-domain attack, so kinetic strikes against the nation, NORTHCOM has the point, they have the lead for the defense of the nation. So from a supporting-supported relationship, NORTHCOM is point. If there are activities that would require a cyber effects operations or any type of response, Cyber Command would be in support of NORTHCOM in those instances. If there’s a unique, and it’s a fairly contained, but very focused on a cybersecurity threat or activity, then there’s a decision to be made, and in most cases then we would look to Cyber Command to be the lead, and they would be the supported command ’cause it would really contained within their purview. In direct coordination with, and lots of communication and coordination so that we’re all on the same sheet of music. And so that activity, we’ve exercised that on many occasions, and that is maturing. I think if you had asked us just a few years ago that was a bit cloudy. I think we’re doing great work on that front. Our Tier 1 exercises is beginning to really mature those relationships and the command and control activity that goes alongside those. DHS is alongside in anything domestically along with FBI representation. And so when required, if it’s a domestic incident there would be support either provided to DHS as part of our normal Defense Support to Civil Authorities, our DSCA roles, there’s a mechanism to put that in play, and then we would institute that.
Let me ask a more specific, let me use a more specific example. As we’re heading towards 2020, obviously one of the focuses of every member of Congress is making sure that we have secure, resilient elections and we are well positioned to ensure that the lessons learned from 2016 in terms of our vulnerabilities, that we are being offensive in terms of protecting our elections infrastructure. So in that case, let’s say there are cyber effects. How does that responsibility, can you go through that decision-making process for that particular example, so elections, online election system as part of our critical infrastructure, who’s responsible for what?
So we look at it through three really lines of effort, or lines of operation. The first is associated with election security infrastructure. So in support of the DHS team, ’cause they have purview, and so whether that’s information intelligence, information sharing, activity directed at helping to secure, share any threats, any indicators of compromise to make sure that the robust defenses that are in place to secure our elections infrastructure. So that’s kind of job one, if you will, for elections support. The second line of effort we have within the DOD, and General Nakasone is at the helm here, is associated with disinformation or malign influence. And so FBI has point with regards to disinformation associated with elections or any other activity in the United States as a law enforcement activity. And so likewise, the combined team of US Cyber Command and NSA would provide support to FBI in the form of information sharing, any intelligence indicators we may have, alongside the intelligence community, so we’re one of many that would be supporting. FBI does the vast majority of outreach to like social media to give them heads up that there’s issues, that there’s a threat associated with a malign actor, a Russia, or whoever, using social media to spread disinformation or try to sway the public as part of the elections, or just day-to-day. And then the last would be is if we’re called upon as the Department of Defense to deliver consequences in any form, whether it be cyber effects operations or anything else, then that’s wholly within the Department of Defense. And we have the procedures, ma’am, as you’ve been briefed on with regards to the process for approval on those as part of the NSBM 13 process. And so we’ve executed some of those in the past, as you’ve been briefed, can’t get into details in this forum, and so we’re postured to be able to execute those types of operations in the future from an offensive or defensive activity. At times we may partner with international partners like we did during the 2018 election, and close partners and providing support in that arena, and what we would describe as a hunt forward as part of our defend forward construct. Those are the structure we’ve used that was very successful. We’ve gone in and looked at the after actions and are tuning that, but we’re well underway with all three of those lines of effort for the 2020 elections.
Yeah, I think fine tuning that is going to continue to be important because as you laid out the infrastructure, the disinformation, and the third bucket, you have a lot of agencies who are in the mix, whether it’s US Cyber Command, NSA, DHS, FBI, so making sure that there is a, DOD, there’s a holistic approach and an understanding of who is responsible because oftentimes the attacks, and we saw this in 2016, it was multifaceted. It checked multiple boxes. And thanks for the leniency, I yield back.
Very good. Excellent points, and it’s one thing when we, when we know the bad actor or what’s coming, for example, we need to be prepared for the upcoming 2020 elections and just as in 2018 we had a whole-of-government, whole-of-nation approach, we’ll do that again I’m confident in 2020, the American people should know that. It’s for the things that we can’t anticipate coming up that this is well harmonized and the left hand knows what the right hand is doing, so it’s got to be well thought out and becomes muscle memory going forward, so. Thank you to the Ranking Member. Jim Lynch now recognized for five minutes.
Thank you very much. So we have about 2600 internet companies and I think there are no less than 90 undersea fiber cables that feed both the United States and its territories. The trend has been that those cables are clustered on a select number of landing stations. Is that clustering effect, even though it creates redundancy I guess because you got all these cables, which is good, the redundancy is good, but the vulnerable that that prevents is, excuse me, that that presents, is that a problem for us? Ms. Manfra.
[Ms. Manfra] I would say—
And by the way, with maps that show the cable are all publicly available so I’m not giving up any, you know—
[Ms. Manfra] No you’re not, sir.
National secrets there.
Most of actually what we see in the risks for some of that co-location and consolidation tends to come from natural hazards or accidents.
[Mr. Lynch] Okay.
And now that does also mean that other threats could potentially take advantage of that and we have done, usually working jointly with the FBI, working to understand, do physical security assessments of those cable landing stations, helping the owners of those, of that particular infrastructure improve both their physical security and the resilience.
[Mr. Lynch] Okay.
As well as kind of how it gets passed from the cable landing station into sort of the rest of the internet ecosystem. So there is some, there’s definitely concern around some of that consolidation, but it usually manifests itself when you have say a hurricane or something like that. So they’ve already built a lot of resilience into that to combat some of these natural disasters.
Let me just rephrase the question a little bit more generally. Do you repeatedly and continuously monitor and do threat assessments on individual aspects of our internet architecture?
[Ms. Manfra] Yes sir, we do.
Once a year, is that when we do it?
It depends. We do probably, I don’t know that we would do any of them once a year. Many of these would be assessments that ideally they could use for multiple years and would offer multi-year approaches to improving some of the security. But in some of the areas where we’ve maybe identified some weaknesses or perhaps we have some threat intelligence that they may be a target, we do prioritize engagement. And we will continue to elevate the prioritization of those. I think this is really in the last few years that we’ve started to prioritize this.
Speaking very generally what keeps you up at night, what do you worry about most when we look at the whole, you know, the scheme of our internet architecture? What do you think, and again, being sensitive to the nature of the question, what do you think we should be doing to better protect ourselves?
When it comes to internet architecture, I think, I think increased visibility and working with those companies and ensuring resilience. There’s a lot of talk about security, but I think resilience in this space, and it’s already something that the community understands. So having a lack of resilience, and whether that’s through market pressures or others, would be a concern and that somebody could take advantage of that and you’d have single points of failure. I’m not saying that we have that now, but that we would get to a point where we did and the adversary would be able to have real catastrophic consequences as a result.
So the redundancy aspect of it in many cases.
Oftentimes resiliency through redundancy. There’s other mechanisms for resiliency, but yes, redundancy I think is important.
Okay. Thank you very much, I will yield back.
Thank you. And on that point on the redundancy and the resiliency obviously things happen for just physical failures, or we talked about the anchor drags, and so it’s not the first time that a node has been damaged. How quickly, give us a sense of how that can be reconstituted, or do you have that resiliency so you have another way of performing the same function through some other mechanism. And with that also, how many points of failure then become on the scale of more catastrophic, as far is where resiliency is harder and it takes longer.
I will take a stab at that, and then I can, so it’s hard to provide sort of one answer to that because I think it depends on which part of it you’re talking about. When you’re talking about submarine cables, cable landing stations, internet exchange points, that part, there’s, that is a knowable universe of who owns that and so it means it’s also a little bit I think simpler in terms of who we’re engaging with and how we improve the security and the resilience. You know, I think, I think we’ve identified some really good best practices and honestly industry has really led largely through telecommunications companies needing to build resilience in hurricanes or whatever. So they’ve created mutual assistance agreements essentially in terms of when you’re thinking about roaming and if one company can’t handle a customer set because their infrastructure has gone down they have agreements in place, and they’ve been doing this for a while. I think that is starting to evolve in broader than just these telcos and that’s something that we definitely welcome and want to encourage. You also have to think about as the market is sort of, there’s new players now coming into the market that didn’t typically have cable landing stations or submarine cables, so how do we kind of think about these different market players, whether that’s providing mutual assistance or the government ensuring that we prioritize, we learned about this whether it was Puerto Rico, Virgin Islands, some of these significant events in the Caribbean that had impact to critical nodes of our communications infrastructure, how do we ensure that working with FEMA that we’re prioritizing the restoration of those services or we’re helping industry prioritize the restoration of those services.
I think we often hear that the internet was not built with security in mind, but it was built upon to be resilient, and it is very resilient. You know, a couple of things with the routing table, if there is a glitch it can reroute traffic, it does reroute traffic. For the DNS system, DNS, NTIA represents the United States at ICANN on these issues, we lead the DNS Interagency Working Group. There are the authoritative root servers but there are also more than 1000 root server instances or anycasts that are distributed all throughout the world, and this is done for security, for stability. It’s done for the consumer. So there are many instances that resiliency has been built into the system and even to this day we keep building and making sure that the system remains and is stable because it is such a driver of our economic lives in this country as well as how we operate.
[Chairman Langevin] Okay. Mr. Wilson, you have anything to add on that?
Chairman Langevin I would just add that just based on experience, it depends on, the answer is it depends in terms of a cable outage. If there’s a cable outage at sea and you’re a two day steam out to fix that cable, the diversity and the resiliency of the architecture can work around that. As cables converge and if there’s an incident like in a harbor or something that may have more consequential outcomes, however it’s closer so the remedy is typically quicker. In a lot of cases it’s just the physical restoration of services. So the answer is it depends, it could be very quick, a matter of hours, it could be several days, if not more depending on the location and the type of fix action that’s required. But I would just echo that these systems are built with resiliency. Chairman Lynch, to you question, what’s the threat, I think it would be the miscalculation of an adversary that is trying to seek or take, seek an outcome, and miscalculates with regards to how they go about doing it, the WannaCry-like incident that maybe has much more implications worldwide or globally than what we would, an actor would have anticipated. And so that’s what I guess keeps me up in the middle of the night.
So I want to just go back to the role of CYBERCOM and NORTHCOM in defending physical sites that are part of the internet architecture ecosystem. Do you have that worked out, I know we kind of touched upon on that, but who has primary responsibility in defending those sites?
So for the Department of Defense, we have very good knowledge about which systems we rely on. We have good plans in terms of mitigation with regards to moving to secondary or tertiary capability, whether that’s cable systems or whatever portion of the architecture. When it comes to defending, most of these are owned and operated by commercial vendors in terms of these heavy haul systems that we’re talking about, so defending is a bit of a different question, it’s the resiliency that’s built in. But we understand our reliance and if we need to take action to, if it’s not happening naturally is to be able to bring online other systems. Many times for the department that may be prioritization of mission, in other words, we may have to go without that broadband or that very large bandwidth support in terms of comms, and we may have to go to a much more minimized posture. We understand how to do that and we’ve moved to that contingency action, set of actions. That’s part of how we do business day in and day out.
Okay. Thank you. I guess the last question that I’ll have is for Ms. Rinaldo. Given NTIA’s role in international standards bodies can you speak to how this issue is viewed by other countries and your international counterparts.
Thank you for the question. Yes, we represent the United States at ICANN as well as we are very active in standards bodies 3GPP, ITEF, as well as others, ITU, which is the telecommunications arm for the UN. We have great allies around the world. We coordinate with them often. We coordinate with them through different conferences as well as bilats throughout the course of the year. We want to make sure that as we face threats to our infrastructure, threats to the networks that we are speaking with one voice and making sure that we are pushing back. There are more of us than them. So we want to make sure that we continue these conversations so when foreign adversaries do pose threats that we are having those lines of communication open in these fora that do occur around the world. It’s an amazing opportunity to not only exchange notes but to further deepen those bonds.
Very good, thank you. With that, Mr. Higgins is now recognized for five minutes.
[Mr. Higgins] Thank you Mr. Chairman. Mr. Wilson, if a United States Navy ship is fired upon by an identified approaching vessel, an aggressor, do we return fire?
[Mr. Wilson] There’s standard rules of engagement—
[Mr. Higgins] Yes sir.
[Mr. Wilson] So, absolutely.
If a soldier in a theater of engagement is fired upon by an identified aggressor, do we return fire?
[Mr. Wilson] Yes.
Ms. Manfra, you see the comparison. So please explain to America what the difference of our policy is when we come under cyber attack. Either our policy regarding preemptive attack or our policy regarding return fire, if the aggressor can be identified. There’s a growing consensus, and I’m part of that group, that if we can identify these guys why don’t we strike back?
Well sir, I think the Department of Defense is doing a lot of work to be well postured and to do just that. I think it’s important though to not conflate every cyber incident with, as having the same consequence as shooting on one of our sailors or soldiers.
Why not? If we come under cyber fire, why would we not return cyber fire?
Well I would say two things, cyber fire, it could often just be a, it could be a data breach. I would argue that that’s not an act of war. That’s why we focus so much on consequences—
Well let’s talk about that with America for a moment.
[Ms. Manfra] Okay, sir.
If a database, as you just referred to it as that, comes under missile attack is that an act of war? If it’s destroyed by a missile, that’s an act of war. But if it’s destroyed by cyber, that’s not? These are legitimate questions.
They’re very legitimate questions, sir, and one that a lot of people are thinking very hard about. I just, I would say from—
Let me compare it to sniper fire—
[Ms. Manfra] From my perspective, sir—
Like returning sniper fire. Very targeted return fire.
We have a long history of defining what it means to escalate and to have an act of war, and the digital sort of modernization of our economy has forced us to think differently about that. I don’t want to suggest that we’re not returning fire when we are attacked, I only mean to suggest that it’s important to understand what the consequences are that they’re achieving and that we use the right tools. It’s not always necessary to return a cyber fire as you said, sir, with a cyber gun. There are many other tools that the government has and does use, but I think one of the things that I’m proudest of is the work that we’re doing with DOD to ensure that both of us are postured and positioned to not only defend what we can domestically but so that DOD is better postured to take such actions.
Very well, that was an intelligent answer. Let me just close by saying that America’s not accustomed to hiding when we come under fire. And Americans watching right now, they think we are returning fire, and we’re largely not, not to the standards that, it’s common knowledge that if a Navy ship comes under fire, that other ship’s about to, is about to get something back. If a soldier comes under fire we’re gonna return that with superior fire and training, but a cyber attack is legitimate, it’s dangerous. It threatens our commerce, our industry, our grid, our internet infrastructure, our military, and our financial institutions. It’s certainly a legitimate threat, we’re talking about it today, and America expects us to return fire. Ladies and gentleman, sir thank you for being here today and Mr. Chairman, I yield.
I thank you gentlemen. I want to thank all of our witnesses for your testimony today. Members may have additional questions and we would ask that you’d be responsive in answering those questions and submitting them to the committee. Again, I want to thank you for the important topics we’ve discussed today, these answers, obviously this is gonna be an ongoing dialogue and something we have to pay continued attention to. I also just want to thank Chairman Lynch and Ranking Member Stefanik and Ranking Member Hice for their participation and support of this hearing. I yield to Mr. Lynch for any final comments that he’d like to make before we adjourn.
I think these witnesses have suffered enough, I think we should probably let them go.
Very good. I thank you all for being here and what you do on behalf of the country.
This meeting—
Thank you.
Stands adjourned.